Document potential footgun with GTlsCertificateFlags

Once upon a time, we tried to return all possible certificate errors, but it never actually worked reliably and nowadays we have given up. This needs to be documented because a reasonable developer would not expect it. Because mistakes could be security-critical, I decided to copy the same warning in several different places rather than relying only on cross-referencese.
2025-08-21 16:38:54 +02:00 · 2021-08-04 14:57:05 -05:00
parent 42f5a3ec20
commit 780af9cff3
5 changed files with 68 additions and 13 deletions
--- a/gio/gdtlsconnection.c
+++ b/gio/gdtlsconnection.c
@@ -223,6 +223,14 @@ g_dtls_connection_default_init (GDtlsConnectionInterface *iface)
   * #GDtlsConnection::accept-certificate overrode the default
   * behavior.
   *
   * GLib guarantees that if certificate verification fails, at least
   * one error will be set, but it does not guarantee that all possible
   * errors will be set. Accordingly, you may not safely decide to
   * ignore any particular type of error. For example, it would be
   * incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
   * expired certificates, because this could potentially be the only
   * error flag set even if other problems exist with the certificate.
   *
   * Since: 2.48
   */
  g_object_interface_install_property (iface,
@@ -314,6 +322,15 @@ g_dtls_connection_default_init (GDtlsConnectionInterface *iface)
   * signal handler. Otherwise, if no handler accepts the certificate,
   * the handshake will fail with %G_TLS_ERROR_BAD_CERTIFICATE.
   *
   * GLib guarantees that if certificate verification fails, this signal
   * will be emitted with at least one error will be set in @errors, but
   * it does not guarantee that all possible errors will be set.
   * Accordingly, you may not safely decide to ignore any particular
   * type of error. For example, it would be incorrect to ignore
   * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired
   * certificates, because this could potentially be the only error flag
   * set even if other problems exist with the certificate.
   *
   * For a server-side connection, @peer_cert is the certificate
   * presented by the client, if this was requested via the server's
   * #GDtlsServerConnection:authentication_mode. On the server side,
--- a/gio/gioenums.h
+++ b/gio/gioenums.h
@@ -1588,10 +1588,16 @@ typedef enum {
 *   flags
 *
 * A set of flags describing TLS certification validation. This can be
- * used to set which validation steps to perform (eg, with
+ * used to describe why a particular certificate was rejected (for
- * g_tls_client_connection_set_validation_flags()), or to describe why
+ * example, in #GTlsConnection::accept-certificate).
- * a particular certificate was rejected (eg, in
+ *
- * #GTlsConnection::accept-certificate).
+ * GLib guarantees that if certificate verification fails, at least one
 * flag will be set, but it does not guarantee that all possible flags
 * will be set. Accordingly, you may not safely decide to ignore any
 * particular type of error. For example, it would be incorrect to mask
 * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates,
 * because this could potentially be the only error flag set even if
 * other problems exist with the certificate.
 *
 * Since: 2.28
 */
--- a/gio/gtlscertificate.c
+++ b/gio/gtlscertificate.c
@@ -959,8 +959,13 @@ g_tls_certificate_get_issuer (GTlsCertificate  *cert)
 * @trusted_ca is %NULL, that bit will never be set in the return
 * value.
 *
- * (All other #GTlsCertificateFlags values will always be set or unset
+ * GLib guarantees that if certificate verification fails, at least one
- * as appropriate.)
+ * error will be set in the return value, but it does not guarantee
 * that all possible errors will be set. Accordingly, you may not safely
 * decide to ignore any particular type of error. For example, it would
 * be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
 * expired certificates, because this could potentially be the only
 * error flag set even if other problems exist with the certificate.
 *
 * Because TLS session context is not used, #GTlsCertificate may not
 * perform as many checks on the certificates as #GTlsConnection would.
--- a/gio/gtlsconnection.c
+++ b/gio/gtlsconnection.c
@@ -248,6 +248,14 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
   * #GTlsConnection::accept-certificate overrode the default
   * behavior.
   *
   * GLib guarantees that if certificate verification fails, at least
   * one error will be set, but it does not guarantee that all possible
   * errors will be set. Accordingly, you may not safely decide to
   * ignore any particular type of error. For example, it would be
   * incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
   * expired certificates, because this could potentially be the only
   * error flag set even if other problems exist with the certificate.
   *
   * Since: 2.28
   */
  g_object_class_install_property (gobject_class, PROP_PEER_CERTIFICATE_ERRORS,
@@ -339,6 +347,15 @@ g_tls_connection_class_init (GTlsConnectionClass *klass)
   * signal handler. Otherwise, if no handler accepts the certificate,
   * the handshake will fail with %G_TLS_ERROR_BAD_CERTIFICATE.
   *
   * GLib guarantees that if certificate verification fails, this signal
   * will be emitted with at least one error will be set in @errors, but
   * it does not guarantee that all possible errors will be set.
   * Accordingly, you may not safely decide to ignore any particular
   * type of error. For example, it would be incorrect to ignore
   * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired
   * certificates, because this could potentially be the only error flag
   * set even if other problems exist with the certificate.
   *
   * For a server-side connection, @peer_cert is the certificate
   * presented by the client, if this was requested via the server's
   * #GTlsServerConnection:authentication_mode. On the server side,
@@ -655,6 +672,8 @@ g_tls_connection_get_peer_certificate (GTlsConnection *conn)
 * certificate, after the handshake has completed or failed. (It is
 * not set during the emission of #GTlsConnection::accept-certificate.)
 *
 * See #GTlsConnection:peer-certificate-errors for more information.
 *
 * Returns: @conn's peer's certificate errors
 *
 * Since: 2.28
--- a/gio/gtlsdatabase.c
+++ b/gio/gtlsdatabase.c
@@ -485,13 +485,21 @@ g_tls_database_class_init (GTlsDatabaseClass *klass)
 * used.
 *
 * If @chain is found to be valid, then the return value will be 0. If
- * @chain is found to be invalid, then the return value will indicate
+ * @chain is found to be invalid, then the return value will indicate at
- * the problems found. If the function is unable to determine whether
+ * least one problem found. If the function is unable to determine
- * @chain is valid or not (eg, because @cancellable is triggered
+ * whether @chain is valid (for example, because @cancellable is
- * before it completes) then the return value will be
+ * triggered before it completes) then the return value will be
- * %G_TLS_CERTIFICATE_GENERIC_ERROR and @error will be set
+ * %G_TLS_CERTIFICATE_GENERIC_ERROR and @error will be set accordingly.
- * accordingly. @error is not set when @chain is successfully analyzed
+ * @error is not set when @chain is successfully analyzed but found to
- * but found to be invalid.
+ * be invalid.
 *
 * GLib guarantees that if certificate verification fails, at least one
 * error will be set in the return value, but it does not guarantee
 * that all possible errors will be set. Accordingly, you may not safely
 * decide to ignore any particular type of error. For example, it would
 * be incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
 * expired certificates, because this could potentially be the only
 * error flag set even if other problems exist with the certificate.
 *
 * Prior to GLib 2.48, GLib's default TLS backend modified @chain to
 * represent the certification path built by #GTlsDatabase during