luc14n0/glib
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/glib.git synced 2025-09-05 23:48:44 +02:00
Code Issues Packages Projects Releases Wiki Activity

Document potential footgun with GTlsCertificateFlags

Browse Source 
Once upon a time, we tried to return all possible certificate errors,
but it never actually worked reliably and nowadays we have given up.
This needs to be documented because a reasonable developer would not
expect it.

Because mistakes could be security-critical, I decided to copy the same
warning in several different places rather than relying only on
cross-referencese.
This commit is contained in:
Michael Catanzaro
2021-08-04 14:57:05 -05:00
committed by Philip Withnall
parent 42f5a3ec20
commit 780af9cff3
5 changed files with 68 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
gio/gdtlsconnection.c
View File

@@ -223,6 +223,14 @@ g_dtls_connection_default_init (GDtlsConnectionInterface *iface)
* #GDtlsConnection::accept-certificate overrode the default
* behavior.
*
* GLib guarantees that if certificate verification fails, at least
* one error will be set, but it does not guarantee that all possible
* errors will be set. Accordingly, you may not safely decide to
* ignore any particular type of error. For example, it would be
* incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
* expired certificates, because this could potentially be the only
* error flag set even if other problems exist with the certificate.
*
* Since: 2.48
*/
g_object_interface_install_property (iface,
@@ -314,6 +322,15 @@ g_dtls_connection_default_init (GDtlsConnectionInterface *iface)
* signal handler. Otherwise, if no handler accepts the certificate,
* the handshake will fail with %G_TLS_ERROR_BAD_CERTIFICATE.
*
* GLib guarantees that if certificate verification fails, this signal
* will be emitted with at least one error will be set in @errors, but
* it does not guarantee that all possible errors will be set.
* Accordingly, you may not safely decide to ignore any particular
* type of error. For example, it would be incorrect to ignore
* %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired
* certificates, because this could potentially be the only error flag
* set even if other problems exist with the certificate.
*
* For a server-side connection, @peer_cert is the certificate
* presented by the client, if this was requested via the server's
* #GDtlsServerConnection:authentication_mode. On the server side,