From f813d3d82ec4366b5349fc42eca4e1fbb2a332c5 Mon Sep 17 00:00:00 2001 From: Carlos Garcia Campos Date: Thu, 18 Feb 2021 15:21:04 +0100 Subject: session: Remove ssl-use-system-ca-file property SoupSession:tls-database is enough. When not set the default will be used. Also ensure that we don't get the default tls database and proxy resolver unless the property getters are called. --- libsoup/soup-connection.c | 16 +++-- libsoup/soup-session.c | 151 +++++++++++---------------------------- libsoup/soup-socket-properties.c | 37 ++++++++-- libsoup/soup-socket-properties.h | 21 +++--- tests/session-test.c | 14 ---- tests/ssl-test.c | 6 +- 6 files changed, 99 insertions(+), 146 deletions(-) diff --git a/libsoup/soup-connection.c b/libsoup/soup-connection.c index c47e962e..ecbd8693 100644 --- a/libsoup/soup-connection.c +++ b/libsoup/soup-connection.c @@ -399,11 +399,13 @@ new_socket_client (SoupConnection *conn) G_CALLBACK (re_emit_socket_event), conn, 0); - if (props->proxy_resolver) { - g_socket_client_set_proxy_resolver (client, props->proxy_resolver); - g_socket_client_add_application_proxy (client, "http"); - } else - g_socket_client_set_enable_proxy (client, FALSE); + if (!props->proxy_use_default) { + if (props->proxy_resolver) { + g_socket_client_set_proxy_resolver (client, props->proxy_resolver); + g_socket_client_add_application_proxy (client, "http"); + } else + g_socket_client_set_enable_proxy (client, FALSE); + } if (props->io_timeout) g_socket_client_set_timeout (client, props->io_timeout); if (props->local_addr) 
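Review bot: In the default-resolver case the new outer `if (!props->proxy_use_default)` skips everything, so the `g_socket_client_add_application_proxy (client, "http")` call that the removed lines made whenever a resolver was in use (and the old ensure_socket_props supplied the default resolver in exactly that case) is no longer made for the default path. If that registration is what keeps GSocketClient from running its own handling of "http" proxies, connections using the default resolver now take a different proxy path than ones with an explicitly configured resolver; GSocketClient's behaviour is not visible on this page, so this needs confirming. Keeping the registration unconditional, e.g. an `else` on the outer `if` with `g_socket_client_add_application_proxy (client, "http");`, preserves the old behaviour for the default case. new_socket_client starts before this hunk and continues after it.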
@@ -442,13 +444,15 @@ new_tls_connection (SoupConnection *conn, priv->cancellable, error, "base-io-stream", connection, "server-identity", priv->remote_connectable, - "database", priv->socket_props->tlsdb, "require-close-notify", FALSE, "interaction", priv->socket_props->tls_interaction, NULL); if (!tls_connection) return NULL; + if (!priv->socket_props->tlsdb_use_default) + g_tls_connection_set_database (G_TLS_CONNECTION (tls_connection), priv->socket_props->tlsdb); + g_signal_connect_object (tls_connection, "accept-certificate", G_CALLBACK (tls_connection_accept_certificate), conn, G_CONNECT_SWAPPED); diff --git a/libsoup/soup-session.c b/libsoup/soup-session.c index 37db0cdc..d4fb5988 100644 --- a/libsoup/soup-session.c +++ b/libsoup/soup-session.c @@ -102,7 +102,6 @@ typedef struct { GProxyResolver *proxy_resolver; gboolean proxy_use_default; - GUri *proxy_uri; SoupSocketProperties *socket_props; @@ -176,7 +175,6 @@ enum { PROP_PROXY_RESOLVER, PROP_MAX_CONNS, PROP_MAX_CONNS_PER_HOST, - PROP_SSL_USE_SYSTEM_CA_FILE, PROP_TLS_DATABASE, PROP_ASYNC_CONTEXT, PROP_TIMEOUT, @@ -303,7 +301,6 @@ soup_session_finalize (GObject *object) g_hash_table_destroy (priv->features_cache); g_clear_object (&priv->proxy_resolver); - g_clear_pointer (&priv->proxy_uri, g_uri_unref); g_clear_pointer (&priv->socket_props, soup_socket_properties_unref); 
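Review bot: The added g_tls_connection_set_database call can pass a NULL tlsdb: soup_socket_properties_set_tls_database clears tlsdb_use_default whatever the value is, and set_tlsdb stores `tlsdb ? g_object_ref (tlsdb) : NULL`, so a session whose tls-database was explicitly set to NULL yields a connection with no CA database at all. That matches what the removed "database" construct property did, but now that the call is conditional the intent is easy to misread as "default database when NULL". A comment such as `/* tlsdb may be NULL when the session explicitly cleared tls-database: no CA database, acceptance is then decided solely by tls_connection_accept_certificate */` would record that the accept-certificate handler connected below is the only remaining check in that configuration. new_tls_connection starts before this hunk and continues after it.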
@@ -319,89 +316,66 @@ ensure_socket_props (SoupSession *session) if (priv->socket_props) return; - if (priv->proxy_use_default) { - priv->proxy_resolver = g_object_ref (g_proxy_resolver_get_default ()); - priv->proxy_use_default = FALSE; - } - if (priv->tlsdb_use_default) { - priv->tlsdb = g_tls_backend_get_default_database (g_tls_backend_get_default ()); - priv->tlsdb_use_default = FALSE; - } - - priv->socket_props = soup_socket_properties_new (priv->proxy_resolver, - priv->local_addr, - priv->tlsdb, + priv->socket_props = soup_socket_properties_new (priv->local_addr, priv->tls_interaction, priv->io_timeout, priv->idle_timeout); + if (!priv->proxy_use_default) + soup_socket_properties_set_proxy_resolver (priv->socket_props, priv->proxy_resolver); + if (!priv->tlsdb_use_default) + soup_socket_properties_set_tls_database (priv->socket_props, priv->tlsdb); } static void -set_tlsdb (SoupSession *session, GTlsDatabase *tlsdb) +set_tlsdb (SoupSession *session, + GTlsDatabase *tlsdb) { SoupSessionPrivate *priv = soup_session_get_instance_private (session); - GTlsDatabase *system_default; priv->tlsdb_use_default = FALSE; if (tlsdb == priv->tlsdb) return; - g_object_freeze_notify (G_OBJECT (session)); - - system_default = g_tls_backend_get_default_database (g_tls_backend_get_default ()); - if (system_default) { - if (priv->tlsdb == system_default || tlsdb == system_default) { - g_object_notify (G_OBJECT (session), "ssl-use-system-ca-file"); - } - g_object_unref (system_default); - } - - if (priv->tlsdb) - g_object_unref (priv->tlsdb); - priv->tlsdb = tlsdb; - if (priv->tlsdb) - g_object_ref (priv->tlsdb); - + g_clear_object (&priv->tlsdb); + priv->tlsdb = tlsdb ? 
g_object_ref (tlsdb) : NULL; g_object_notify (G_OBJECT (session), "tls-database"); - g_object_thaw_notify (G_OBJECT (session)); } -static void -set_use_system_ca_file (SoupSession *session, gboolean use_system_ca_file) +static GTlsDatabase * +get_tlsdb (SoupSession *session) { SoupSessionPrivate *priv = soup_session_get_instance_private (session); - GTlsDatabase *system_default; - priv->tlsdb_use_default = FALSE; - - system_default = g_tls_backend_get_default_database (g_tls_backend_get_default ()); - - if (use_system_ca_file) - set_tlsdb (session, system_default); - else if (priv->tlsdb == system_default) - set_tlsdb (session, NULL); + if (priv->tlsdb_use_default && !priv->tlsdb) + priv->tlsdb = g_tls_backend_get_default_database (g_tls_backend_get_default ()); - g_clear_object (&system_default); + return priv->tlsdb; } static void -set_proxy_resolver (SoupSession *session, GUri *uri, +set_proxy_resolver (SoupSession *session, GProxyResolver *g_resolver) { SoupSessionPrivate *priv = soup_session_get_instance_private (session); - g_clear_object (&priv->proxy_resolver); - g_clear_pointer (&priv->proxy_uri, g_uri_unref); + priv->proxy_use_default = FALSE; + if (priv->proxy_resolver == g_resolver) + return; - if (uri) { - char *uri_string; + g_clear_object (&priv->proxy_resolver); + priv->proxy_resolver = g_resolver ? g_object_ref (g_resolver) : NULL; + g_object_notify (G_OBJECT (session), "proxy-resolver"); +} + +static GProxyResolver * +get_proxy_resolver (SoupSession *session) +{ + SoupSessionPrivate *priv = soup_session_get_instance_private (session); - priv->proxy_uri = soup_uri_copy_with_normalized_flags (uri); - uri_string = g_uri_to_string (uri); - priv->proxy_resolver = g_simple_proxy_resolver_new (uri_string, NULL); - g_free (uri_string); - } else if (g_resolver) - priv->proxy_resolver = g_object_ref (g_resolver); + if (!priv->proxy_use_default) + return priv->proxy_resolver; + + return g_proxy_resolver_get_default (); } static void 
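Review bot: get_tlsdb lazily writes priv->tlsdb from the tls-database getter without taking priv->conn_lock, whereas the getter it replaces locked conn_lock around ensure_socket_props before reading the field (see the PROP_TLS_DATABASE hunk in soup_session_get_property). If the property can be read from more than one thread, two readers can each call g_tls_backend_get_default_database and both assign, leaking one of the returned references (the `g_clear_object (&tlsdb)` on the removed getter lines shows the call hands back an owned reference). get_proxy_resolver avoids this by not caching the default at all; either do the same here and drop the write, or bracket the assignment with `g_mutex_lock (&priv->conn_lock);` and `g_mutex_unlock (&priv->conn_lock);`. Whether concurrent property reads are supported by SoupSession is not visible on this page.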
@@ -419,8 +393,7 @@ soup_session_set_property (GObject *object, guint prop_id, socket_props_changed = TRUE; break; case PROP_PROXY_RESOLVER: - set_proxy_resolver (session, NULL, - g_value_get_object (value)); + set_proxy_resolver (session, g_value_get_object (value)); socket_props_changed = TRUE; break; case PROP_MAX_CONNS: @@ -429,10 +402,6 @@ soup_session_set_property (GObject *object, guint prop_id, case PROP_MAX_CONNS_PER_HOST: priv->max_conns_per_host = g_value_get_int (value); break; - case PROP_SSL_USE_SYSTEM_CA_FILE: - set_use_system_ca_file (session, g_value_get_boolean (value)); - socket_props_changed = TRUE; - break; case PROP_TLS_DATABASE: set_tlsdb (session, g_value_get_object (value)); socket_props_changed = TRUE; @@ -501,17 +470,13 @@ soup_session_get_property (GObject *object, guint prop_id, { SoupSession *session = SOUP_SESSION (object); SoupSessionPrivate *priv = soup_session_get_instance_private (session); - GTlsDatabase *tlsdb; switch (prop_id) { case PROP_LOCAL_ADDRESS: g_value_set_object (value, priv->local_addr); break; case PROP_PROXY_RESOLVER: - g_mutex_lock (&priv->conn_lock); - ensure_socket_props (session); - g_mutex_unlock (&priv->conn_lock); - g_value_set_object (value, priv->proxy_resolver); + g_value_set_object (value, get_proxy_resolver (session)); break; case PROP_MAX_CONNS: g_value_set_int (value, priv->max_conns); 
@@ -519,19 +484,8 @@ soup_session_get_property (GObject *object, guint prop_id, case PROP_MAX_CONNS_PER_HOST: g_value_set_int (value, priv->max_conns_per_host); break; - case PROP_SSL_USE_SYSTEM_CA_FILE: - tlsdb = g_tls_backend_get_default_database (g_tls_backend_get_default ()); - g_mutex_lock (&priv->conn_lock); - ensure_socket_props (session); - g_mutex_unlock (&priv->conn_lock); - g_value_set_boolean (value, priv->tlsdb == tlsdb); - g_clear_object (&tlsdb); - break; case PROP_TLS_DATABASE: - g_mutex_lock (&priv->conn_lock); - ensure_socket_props (session); - g_mutex_unlock (&priv->conn_lock); - g_value_set_object (value, priv->tlsdb); + g_value_set_object (value, get_tlsdb (session)); break; case PROP_TLS_INTERACTION: g_value_set_object (value, priv->tls_interaction); @@ -2205,11 +2159,11 @@ soup_session_class_init (SoupSessionClass *session_class) * * A #GProxyResolver to use with this session. * - * By default, in a plain #SoupSession, this is set to the - * default #GProxyResolver, but you can set it to %NULL if you - * don't want to use proxies, or set it to your own - * #GProxyResolver if you want to control what proxies get - * used. + * If no proxy resolver is set, then the default proxy resolver + * will be used. See g_proxy_resolver_get_default(). + * You can set it to %NULL if you don't want to use proxies, or + * set it to your own #GProxyResolver if you want to control + * what proxies get used. * */ g_object_class_install_property ( 
@@ -2262,37 +2216,14 @@ soup_session_class_init (SoupSessionClass *session_class) G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS)); - /** - * SoupSession:ssl-use-system-ca-file: - * - * Setting this to %TRUE is equivalent to setting - * #SoupSession:tls-database to the default system CA database. - * (and likewise, setting #SoupSession:tls-database to the - * default database by hand will cause this property to - * become %TRUE). - * - * Setting this to %FALSE (when it was previously %TRUE) will - * clear the #SoupSession:tls-database field. - * - **/ - g_object_class_install_property ( - object_class, PROP_SSL_USE_SYSTEM_CA_FILE, - g_param_spec_boolean ("ssl-use-system-ca-file", - "Use system CA file", - "Use the system certificate database", - TRUE, - G_PARAM_READWRITE | - G_PARAM_STATIC_STRINGS)); /** * SoupSession:tls-database: * * Sets the #GTlsDatabase to use for validating SSL/TLS * certificates. * - * Note that setting the - * #SoupSession:ssl-use-system-ca-file property will cause - * this property to be set to a #GTlsDatabase corresponding to - * the indicated file or system default. + * If no certificate database is set, then the default database will be + * used. See g_tls_backend_get_default_database(). * **/ g_object_class_install_property ( diff --git a/libsoup/soup-socket-properties.c b/libsoup/soup-socket-properties.c index 5ceecd76..c41948c9 100644 --- a/libsoup/soup-socket-properties.c +++ b/libsoup/soup-socket-properties.c 
@@ -11,23 +11,21 @@ #include "soup.h" SoupSocketProperties * -soup_socket_properties_new (GProxyResolver *proxy_resolver, - GInetSocketAddress *local_addr, - GTlsDatabase *tlsdb, +soup_socket_properties_new (GInetSocketAddress *local_addr, GTlsInteraction *tls_interaction, guint io_timeout, guint idle_timeout) { SoupSocketProperties *props; - props = g_slice_new (SoupSocketProperties); + props = g_slice_new0 (SoupSocketProperties); g_atomic_ref_count_init (&props->ref_count); - props->proxy_resolver = proxy_resolver ? g_object_ref (proxy_resolver) : NULL; - props->local_addr = local_addr ? g_object_ref (local_addr) : NULL; + props->proxy_use_default = TRUE; + props->tlsdb_use_default = TRUE; - props->tlsdb = tlsdb ? g_object_ref (tlsdb) : NULL; + props->local_addr = local_addr ? g_object_ref (local_addr) : NULL; props->tls_interaction = tls_interaction ? g_object_ref (tls_interaction) : NULL; props->io_timeout = io_timeout; @@ -57,5 +55,30 @@ soup_socket_properties_unref (SoupSocketProperties *props) g_slice_free (SoupSocketProperties, props); } +void +soup_socket_properties_set_proxy_resolver (SoupSocketProperties *props, + GProxyResolver *proxy_resolver) +{ + props->proxy_use_default = FALSE; + + if (props->proxy_resolver == proxy_resolver) + return; + + g_clear_object (&props->proxy_resolver); + props->proxy_resolver = proxy_resolver ? g_object_ref (proxy_resolver) : NULL; +} + +void +soup_socket_properties_set_tls_database (SoupSocketProperties *props, + GTlsDatabase *tlsdb) +{ + props->tlsdb_use_default = FALSE; + + if (props->tlsdb == tlsdb) + return; + + g_clear_object (&props->tlsdb); + props->tlsdb = tlsdb ? g_object_ref (tlsdb) : NULL; +} G_DEFINE_BOXED_TYPE (SoupSocketProperties, soup_socket_properties, soup_socket_properties_ref, soup_socket_properties_unref) diff --git a/libsoup/soup-socket-properties.h b/libsoup/soup-socket-properties.h index 8f77a43d..c458efe9 100644 --- a/libsoup/soup-socket-properties.h +++ b/libsoup/soup-socket-properties.h 
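Review bot: soup_socket_properties_set_proxy_resolver and soup_socket_properties_set_tls_database mutate a ref-counted SoupSocketProperties in place (the ref/unref pair is visible on the G_DEFINE_BOXED_TYPE line), and new_socket_client and new_tls_connection read proxy_use_default, tlsdb_use_default and the pointers through their own reference with no locking. Called after the struct has been shared, a setter can swap the database a connection is about to validate against, or g_clear_object a pointer another reader is dereferencing. ensure_socket_props only calls them immediately after soup_socket_properties_new, so the contract is just undocumented; a comment above each setter such as `/* Only valid before the props are shared: mutates in place, no locking. */` (or in the header) would pin it down.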
@@ -10,9 +10,11 @@ typedef struct { GProxyResolver *proxy_resolver; + gboolean proxy_use_default; GInetSocketAddress *local_addr; GTlsDatabase *tlsdb; + gboolean tlsdb_use_default; GTlsInteraction *tls_interaction; guint io_timeout; @@ -25,14 +27,17 @@ typedef struct { GType soup_socket_properties_get_type (void); #define SOUP_TYPE_SOCKET_PROPERTIES (soup_socket_properties_get_type ()) -SoupSocketProperties *soup_socket_properties_new (GProxyResolver *proxy_resolver, - GInetSocketAddress *local_addr, - GTlsDatabase *tlsdb, - GTlsInteraction *tls_interaction, - guint io_timeout, - guint idle_timeout); +SoupSocketProperties *soup_socket_properties_new (GInetSocketAddress *local_addr, + GTlsInteraction *tls_interaction, + guint io_timeout, + guint idle_timeout); -SoupSocketProperties *soup_socket_properties_ref (SoupSocketProperties *props); -void soup_socket_properties_unref (SoupSocketProperties *props); +SoupSocketProperties *soup_socket_properties_ref (SoupSocketProperties *props); +void soup_socket_properties_unref (SoupSocketProperties *props); + +void soup_socket_properties_set_proxy_resolver (SoupSocketProperties *props, + GProxyResolver *proxy_resolver); +void soup_socket_properties_set_tls_database (SoupSocketProperties *props, + GTlsDatabase *tlsdb); #endif /* __SOUP_SOCKET_PROPERTIES_H__ */ diff --git a/tests/session-test.c b/tests/session-test.c index 9053f37b..dc503e73 100644 --- a/tests/session-test.c +++ b/tests/session-test.c 
@@ -317,20 +317,6 @@ do_property_tests (void) g_object_unref (tlsdb); g_object_unref (session); } - - session = g_object_new (SOUP_TYPE_SESSION, - "ssl-use-system-ca-file", FALSE, - NULL); - test_session_properties ("Session with :ssl-use-system-ca-file FALSE", session, - default_proxy_resolver, NULL); - g_object_unref (session); - - session = g_object_new (SOUP_TYPE_SESSION, - "ssl-use-system-ca-file", TRUE, - NULL); - test_session_properties ("Session with :ssl-use-system-ca-file TRUE", session, - default_proxy_resolver, default_tlsdb); - g_object_unref (session); } static gint diff --git a/tests/ssl-test.c b/tests/ssl-test.c index 2845494b..ecd173dd 100644 --- a/tests/ssl-test.c +++ b/tests/ssl-test.c @@ -44,9 +44,13 @@ do_strictness_test (gconstpointer data) session = soup_test_session_new (NULL); if (!test->with_ca_list) { + GTlsDatabase *tlsdb; + + tlsdb = g_tls_backend_get_default_database (g_tls_backend_get_default ()); g_object_set (G_OBJECT (session), - "ssl-use-system-ca-file", TRUE, + "tls-database", tlsdb, NULL); + g_object_unref (tlsdb); } msg = soup_message_new_from_uri ("GET", uri); -- cgit v1.2.1