Age | Commit message | Author | Files | Lines |
|
|
Add CI pipeline for code verification
|
|
Before glib-networking 2.64 (commit ab80ee34) the GnuTLS backend uses quite
aggressive resumption, thus causing many tests to fail due to resuming a
previous successful TLS connection. Since the session_id used for resumption
includes the target port, this patch disperses ports for TLS tests to ensure
each test starts from scratch and does not reuse a previous connection.
|
|
SASL SCRAM SHA2 and TLS channel binding
|
|
The tls-unique binding type does not work properly with TLSv1.3, thus a
new binding type, tls-exporter, is proposed as the new default binding
type for TLSv1.3. As of Sept 2020 it is not yet adopted as a draft
standard, therefore it is not yet publicly available in the GLib API.
This commit uses the hidden experimental tls-exporter TLS binding type
in glib-networking.
|
|
* Set default binding type to tls-unique - if it's not supported by
GIO (GLib or glib-networking) it will just keep binding in disabled state.
* Add ability to override default binding type via env var
WOCKY_CHANNEL_BINDING_TYPE - accepts enum nicks: disabled, none,
tls-unique, tls-server-end-point.
* Add plain simple (and by default disabled) fallback to
tls-server-end-point. To enable set the ENV var above to corresponding
value.
* Since we cannot be sure the certificate digest is correct (sha256)
we rather use DISABLED versus NONE in fallback mode.
|
|
* Enable all SHA1 and SHA2 Hashing algorithms in SCRAM mechanism
ordered from highest to lowest, with PLUS version above.
* Shift default SCRAM algorithm from SHA1 to SHA256.
* Upgrade tests to expect now preferred/default SHA256 method
|
|
Move to Glib GChecksum and GHmac implementation, add hash-algo
property to select algorithm, default to SHA1 to preserve compatibility
|
|
* Set default binding type to disabled - binding data and type should
be set by auth handler from available at TLS layer
* When binding type is disabled gs2_flags is set to 'n' which preserves
existing functionality
|
|
Bump the glib api implementation to the latest version
|
|
tests/wocky-connector-test is a bit racy when it checks connection
failure conditions. Partially because it races with IO events, partially
because it races with internal events (test-stream). Add more retries
to reduce internal race and handle cancellable race explicitly.
|
|
* Switch to G_ADD_PRIVATE and *_get_instance_private to define
and assign object instance's private struct.
* Switch to GTask from deprecated GSimpleAsyncResult for async
operations. GTask has a bit different asynchronous execution
order.
* Fix tests for new GTask order and concurrency.
|
|
* Clean up Dan's FIXME comments (it's still not FIXed in GIO)
* Move verification where it is supposed to be - GTlsDatabase
|
|
|
* Update test certificate to use SHA2 to avoid INSECURE error
* Add certificate refresh dependency to Makefile
* Add SASL SCRAM wrong password test workaround
* Suppress CRL verification tests as not supported by GIO-TLS
* Fix summarise-tests.py to handle deprecations and new syntax
|
|
A few minor things, marked DANWFIXME, are unimplemented
https://bugs.freedesktop.org/show_bug.cgi?id=31447
|
|
GTlsConnection can only wrap pollable input/output streams, so
implement that here to make some of the test cases work.
https://bugs.freedesktop.org/show_bug.cgi?id=31447
|
|
to match gio TLS, and because there's not much use in the separation
anyway
https://bugs.freedesktop.org/show_bug.cgi?id=31447
|
|
This is how gio TLS does it, among other reasons because it lets you
use the SNI extension to tell the server which certificate it should
present.
https://bugs.freedesktop.org/show_bug.cgi?id=31447
|
|
* Localize variables in wocky-connector.c and wocky-jabber-auth.c
* Add fallthrough marker to wocky-jingle-session.c
* Remove double const in wocky-data-form.c
* Fix pointer dereference in wocky-sasl-digest-md5.c
|
|
openssl: fix build with openssl >= 1.1.0
|
|
This is no longer needed, as the code that it tests is in GIO,
not wocky. It is the responsibility of GIO maintainers to test it.
https://bugs.freedesktop.org/show_bug.cgi?id=94031
|
|
The previous attempt only updated it for 1 year, by mistake
https://bugs.freedesktop.org/show_bug.cgi?id=79548
|
|
operations
|
|
before teardown
This is to fix an assertion failure that happens in the
"/connector+ssl/econnreset/client-open" test. In this test, the server closes
the connection and the client catches up immediately and closes too.
When the client closes, it forcibly terminates the server, but in most
cases the server's socket close operation doesn't have a chance to finish
before server teardown is called, so the teardown function hits cancel
on the GCancellable that is linked with the operation and finally
the operation ends up reporting an "Operation cancelled" error.
By running the GMainLoop once before calling teardown, we ensure
that the socket close operation has a chance to finish gracefully.
|
|
Since g_type_init() is deprecated in more recent glib versions, also
remove all calls of it to fix compilation. g_type_init() is not necessary
to be called anymore, it is a no-op.
https://bugs.freedesktop.org/show_bug.cgi?id=94031
Reviewed-by: Diane Trout <diane@ghic.org>
|
|
The wocky http proxy has now moved in GIO, so we no longer need
to maintain it here. I have kept the unit test for the moment,
to verify that the code in gio works the same as the one that
we used to ship in wocky.
There was one difference in the code from GIO, though. It includes
"Basic" as part of the authorization string. According to RFC this
is correct, so it looks like the wocky proxy client code was doing
this wrong. I have updated the test to reflect that.
Additionally, this commit removes support for building GIO proxy
support depending on whether GIO is recent enough or not.
We can now safely depend unconditionally on a recent enough version.
https://bugs.freedesktop.org/show_bug.cgi?id=94031
Reviewed-by: Diane Trout <diane@ghic.org>
|