Hello community,

here is the log from the commit of package glib-networking for openSUSE:Factory 
checked in at 2020-06-08 23:47:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/glib-networking (Old)
 and      /work/SRC/openSUSE:Factory/.glib-networking.new.3606 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "glib-networking"

Mon Jun  8 23:47:38 2020 rev:71 rq:811418 version:2.64.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/glib-networking/glib-networking.changes  
2020-04-23 18:26:19.899616221 +0200
+++ 
/work/SRC/openSUSE:Factory/.glib-networking.new.3606/glib-networking.changes    
    2020-06-08 23:48:25.854178629 +0200
@@ -1,0 +2,8 @@
+Fri May 29 04:05:54 UTC 2020 - Bjørn Lie <[email protected]>
+
+- Update to version 2.64.3:
+  + Revert warning when server-identity property is unset.
+  + Fix CVE-2020-13645, fail connections when server identity is
+    unset.
+
+-------------------------------------------------------------------

Old:
----
  glib-networking-2.64.2.tar.xz

New:
----
  glib-networking-2.64.3.tar.xz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ glib-networking.spec ++++++
--- /var/tmp/diff_new_pack.p2Ba1v/_old  2020-06-08 23:48:27.414183442 +0200
+++ /var/tmp/diff_new_pack.p2Ba1v/_new  2020-06-08 23:48:27.414183442 +0200
@@ -18,7 +18,7 @@
 
 %define gio_real_package %(rpm -q --qf '%%{name}' --whatprovides gio)
 Name:           glib-networking
-Version:        2.64.2
+Version:        2.64.3
 Release:        0
 Summary:        Network-related GIO modules for glib
 License:        LGPL-2.1-or-later

++++++ glib-networking-2.64.2.tar.xz -> glib-networking-2.64.3.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/glib-networking-2.64.2/NEWS 
new/glib-networking-2.64.3/NEWS
--- old/glib-networking-2.64.2/NEWS     2020-04-14 16:53:39.059792300 +0200
+++ new/glib-networking-2.64.3/NEWS     2020-05-29 01:31:58.211539700 +0200
@@ -1,3 +1,9 @@
+2.64.3 - May 28, 2020
+=====================
+
+- Revert warning when server-identity property is unset (#130)
+- Fix CVE-2020-13645, fail connections when server identity is unset (#135)
+
 2.64.2 - April 14, 2020
 =======================
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/glib-networking-2.64.2/meson.build 
new/glib-networking-2.64.3/meson.build
--- old/glib-networking-2.64.2/meson.build      2020-04-14 16:53:39.060792400 
+0200
+++ new/glib-networking-2.64.3/meson.build      2020-05-29 01:31:58.212539700 
+0200
@@ -1,6 +1,6 @@
 project(
   'glib-networking', 'c',
-  version: '2.64.2',
+  version: '2.64.3',
   license: 'LGPL2.1+',
   meson_version: '>= 0.50.0',
   default_options: ['c_std=c99']
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/glib-networking-2.64.2/po/zh_CN.po 
new/glib-networking-2.64.3/po/zh_CN.po
--- old/glib-networking-2.64.2/po/zh_CN.po      2020-04-14 16:53:39.070792700 
+0200
+++ new/glib-networking-2.64.3/po/zh_CN.po      2020-05-29 01:31:58.222540000 
+0200
@@ -1,18 +1,18 @@
 # Chinese (China) translation for glib-networking.
-# Copyright (C) 2011-2018 glib-networking's COPYRIGHT HOLDER
+# Copyright (C) 2011-2019 glib-networking's COPYRIGHT HOLDER
 # This file is distributed under the same license as the glib-networking 
package.
 # Funda Wang <[email protected]>, 2011
 # YunQiang Su <[email protected]>, 2012.
 # Mingcong Bai <[email protected]>, 2017.
 # liushuyu <[email protected]>, 2018.
-# Dingzhong Chen <[email protected]>, 2018, 2019.
+# Dingzhong Chen <[email protected]>, 2018-2019.
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: glib-networking master\n"
 "Report-Msgid-Bugs-To: https://gitlab.gnome.org/GNOME/glib-networking/issues\n";
-"POT-Creation-Date: 2019-04-03 23:04+0000\n"
-"PO-Revision-Date: 2019-04-10 16:54+0800\n"
+"POT-Creation-Date: 2019-09-07 15:14+0000\n"
+"PO-Revision-Date: 2019-09-10 23:25+0800\n"
 "Last-Translator: Dingzhong Chen <[email protected]>\n"
 "Language-Team: Chinese (China) <[email protected]>\n"
 "Language: zh_CN\n"
@@ -20,173 +20,174 @@
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=1; plural=0;\n"
-"X-Generator: Gtranslator 2.91.7\n"
+"X-Generator: Gtranslator 3.32.1\n"
 
 #: proxy/libproxy/glibproxyresolver.c:159
 msgid "Proxy resolver internal error."
 msgstr "代理服务器解析器内部错误。"
 
-#: tls/base/gtlsconnection-base.c:282 tls/base/gtlsinputstream-base.c:74
-#: tls/base/gtlsoutputstream-base.c:74 tls/gnutls/gtlsconnection-gnutls.c:740
-#: tls/gnutls/gtlsinputstream-gnutls.c:78
-#: tls/gnutls/gtlsinputstream-gnutls.c:141
-#: tls/gnutls/gtlsoutputstream-gnutls.c:78
-#: tls/gnutls/gtlsoutputstream-gnutls.c:143
+#: tls/base/gtlsconnection-base.c:490 tls/base/gtlsinputstream.c:78
+#: tls/base/gtlsinputstream.c:141 tls/base/gtlsoutputstream.c:78
+#: tls/base/gtlsoutputstream.c:143
 msgid "Connection is closed"
 msgstr "连接被关闭"
 
-#: tls/base/gtlsconnection-base.c:355 tls/base/gtlsconnection-base.c:1015
-msgid "Operation would block"
-msgstr "操作被阻塞"
+#. Cannot perform a blocking operation during a handshake on the
+#. * same thread that triggered the handshake. The only way this can
+#. * occur is if the application is doing something weird in its
+#. * accept-certificate callback. Allowing a blocking op would stall
+#. * the handshake (forever, if there's no timeout). Even a close
+#. * op would deadlock here.
+#.
+#: tls/base/gtlsconnection-base.c:560
+msgid "Cannot perform blocking operation during TLS handshake"
+msgstr "无法在 TLS 握手期间执行阻塞操作"
+
+#: tls/base/gtlsconnection-base.c:623 tls/base/gtlsconnection-base.c:1160
+msgid "Socket I/O timed out"
+msgstr "套接字 I/O 超时"
 
-#: tls/base/gtlsconnection-base.c:809
-#: tls/gnutls/gtlsclientconnection-gnutls.c:454
+#: tls/base/gtlsconnection-base.c:787
 msgid "Server required TLS certificate"
 msgstr "服务器需要 TLS 证书"
 
+#: tls/base/gtlsconnection-base.c:1381
+msgid "Peer does not support safe renegotiation"
+msgstr "对等端不支持安全再协商"
+
+#: tls/base/gtlsconnection-base.c:1509 tls/gnutls/gtlsconnection-gnutls.c:419
+#: tls/openssl/gtlsconnection-openssl.c:184
+#, c-format
+msgid "Unacceptable TLS certificate"
+msgstr "无法接受的 TLS 证书"
+
+#: tls/base/gtlsconnection-base.c:1930
+#, c-format
+msgid "Receive flags are not supported"
+msgstr "不支持接收标志"
+
+#: tls/base/gtlsconnection-base.c:2074
+#, c-format
+msgid "Send flags are not supported"
+msgstr "不支持发送标志"
+
 #: tls/gnutls/gtlscertificate-gnutls.c:178
-#: tls/openssl/gtlscertificate-openssl.c:177
+#: tls/openssl/gtlscertificate-openssl.c:170
 #, c-format
 msgid "Could not parse DER certificate: %s"
 msgstr "无法分析 DER 证书:%s"
 
 #: tls/gnutls/gtlscertificate-gnutls.c:199
-#: tls/openssl/gtlscertificate-openssl.c:197
+#: tls/openssl/gtlscertificate-openssl.c:190
 #, c-format
 msgid "Could not parse PEM certificate: %s"
 msgstr "无法分析 PEM 证书:%s"
 
 #: tls/gnutls/gtlscertificate-gnutls.c:230
-#: tls/openssl/gtlscertificate-openssl.c:216
+#: tls/openssl/gtlscertificate-openssl.c:209
 #, c-format
 msgid "Could not parse DER private key: %s"
 msgstr "无法分析 DER 私钥:%s"
 
 #: tls/gnutls/gtlscertificate-gnutls.c:261
-#: tls/openssl/gtlscertificate-openssl.c:235
+#: tls/openssl/gtlscertificate-openssl.c:228
 #, c-format
 msgid "Could not parse PEM private key: %s"
 msgstr "无法分析 PEM 私钥:%s"
 
 #: tls/gnutls/gtlscertificate-gnutls.c:297
-#: tls/openssl/gtlscertificate-openssl.c:273
+#: tls/openssl/gtlscertificate-openssl.c:263
 msgid "No certificate data provided"
 msgstr "没有提供证书数据"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:405
-#: tls/openssl/gtlsclientconnection-openssl.c:536
-#: tls/openssl/gtlsserverconnection-openssl.c:425
+#: tls/gnutls/gtlsconnection-gnutls.c:224
+#: tls/openssl/gtlsclientconnection-openssl.c:520
+#: tls/openssl/gtlsserverconnection-openssl.c:399
 #, c-format
 msgid "Could not create TLS connection: %s"
 msgstr "无法创建 TLS 连接:%s"
 
-#. Cannot perform a blocking operation during a handshake on the
-#. * same thread that triggered the handshake. The only way this can
-#. * occur is if the application is doing something weird in its
-#. * accept-certificate callback. Allowing a blocking op would stall
-#. * the handshake (forever, if there's no timeout). Even a close
-#. * op would deadlock here.
-#.
-#: tls/gnutls/gtlsconnection-gnutls.c:811
-msgid "Cannot perform blocking operation during TLS handshake"
-msgstr "无法在 TLS 握手期间执行阻塞操作"
-
-#: tls/gnutls/gtlsconnection-gnutls.c:874
-#: tls/gnutls/gtlsconnection-gnutls.c:1488
-msgid "Socket I/O timed out"
-msgstr "套接字 I/O 超时"
-
-#: tls/gnutls/gtlsconnection-gnutls.c:1019
-#: tls/gnutls/gtlsconnection-gnutls.c:1052
-#: tls/openssl/gtlsconnection-openssl.c:150
-msgid "Peer failed to perform TLS handshake"
-msgstr "执行 TLS 握手失败"
+#: tls/gnutls/gtlsconnection-gnutls.c:353
+#: tls/gnutls/gtlsconnection-gnutls.c:364
+#: tls/gnutls/gtlsconnection-gnutls.c:388
+#: tls/openssl/gtlsconnection-openssl.c:151
+#, c-format
+msgid "Peer failed to perform TLS handshake: %s"
+msgstr "执行 TLS 握手失败:%s"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:1037
-#: tls/openssl/gtlsconnection-openssl.c:238
+#: tls/gnutls/gtlsconnection-gnutls.c:375
+#: tls/openssl/gtlsconnection-openssl.c:260
 msgid "Peer requested illegal TLS rehandshake"
 msgstr "请求了无效的 TLS 再握手"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:1058
+#: tls/gnutls/gtlsconnection-gnutls.c:396
 msgid "TLS connection closed unexpectedly"
 msgstr "TLS 连接被异常关闭"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:1072
-#: tls/openssl/gtlsconnection-openssl.c:175
+#: tls/gnutls/gtlsconnection-gnutls.c:411
+#: tls/openssl/gtlsconnection-openssl.c:176
 msgid "TLS connection peer did not send a certificate"
 msgstr "TLS 连接的对方未发送证书"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:1078
-#: tls/gnutls/gtlsconnection-gnutls.c:2169
-#: tls/openssl/gtlsconnection-openssl.c:420
-#, c-format
-msgid "Unacceptable TLS certificate"
-msgstr "无法接受的 TLS 证书"
-
-#: tls/gnutls/gtlsconnection-gnutls.c:1084
+#: tls/gnutls/gtlsconnection-gnutls.c:427
 #, c-format
 msgid "Peer sent fatal TLS alert: %s"
 msgstr "对方发送了致命 TLS 警报:%s"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:1096
+#: tls/gnutls/gtlsconnection-gnutls.c:437
 msgid "Protocol version downgrade attack detected"
 msgstr "检测到协议降级攻击"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:1103
+#: tls/gnutls/gtlsconnection-gnutls.c:446
 #, c-format
 msgid "Message is too large for DTLS connection; maximum is %u byte"
 msgid_plural "Message is too large for DTLS connection; maximum is %u bytes"
 msgstr[0] "消息对于 DTLS 连接太长;最大为 %u 字节"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:1110
+#: tls/gnutls/gtlsconnection-gnutls.c:455
 msgid "The operation timed out"
 msgstr "操作超时"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:1990
-msgid "Peer does not support safe renegotiation"
-msgstr "对等端不支持安全再协商"
+#: tls/gnutls/gtlsconnection-gnutls.c:790
+#, c-format
+msgid "Error performing TLS handshake: %s"
+msgstr "执行 TLS 握手时出错:%s"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:2017
-#: tls/gnutls/gtlsconnection-gnutls.c:2067
+#: tls/gnutls/gtlsconnection-gnutls.c:893
+#: tls/openssl/gtlsconnection-openssl.c:269
+#: tls/openssl/gtlsconnection-openssl.c:319
 msgid "Error performing TLS handshake"
 msgstr "执行 TLS 握手时出错"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:2519
-#: tls/gnutls/gtlsconnection-gnutls.c:2611
+#: tls/gnutls/gtlsconnection-gnutls.c:939
+#: tls/gnutls/gtlsconnection-gnutls.c:999
+#: tls/openssl/gtlsconnection-openssl.c:426
 msgid "Error reading data from TLS socket"
 msgstr "从 TLS 套接字读取数据时出错"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:2641
-#, c-format
-msgid "Receive flags are not supported"
-msgstr "不支持接收标志"
-
 #. flags
-#: tls/gnutls/gtlsconnection-gnutls.c:2718
-#: tls/gnutls/gtlsconnection-gnutls.c:2790
+#: tls/gnutls/gtlsconnection-gnutls.c:1021
+#: tls/gnutls/gtlsconnection-gnutls.c:1085
+#: tls/openssl/gtlsconnection-openssl.c:470
 msgid "Error writing data to TLS socket"
 msgstr "向 TLS 套接字写入数据时出错"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:2760
+#: tls/gnutls/gtlsconnection-gnutls.c:1055
 #, c-format
 msgid "Message of size %lu byte is too large for DTLS connection"
 msgid_plural "Message of size %lu bytes is too large for DTLS connection"
 msgstr[0] "%lu 字节大小的消息对于 DTLS 连接太大了"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:2762
+#: tls/gnutls/gtlsconnection-gnutls.c:1057
 #, c-format
 msgid "(maximum is %u byte)"
 msgid_plural "(maximum is %u bytes)"
 msgstr[0] "(最大为 %u 字节)"
 
-#: tls/gnutls/gtlsconnection-gnutls.c:2821
+#: tls/gnutls/gtlsconnection-gnutls.c:1104
 #, c-format
-msgid "Send flags are not supported"
-msgstr "不支持发送标志"
-
-#: tls/gnutls/gtlsconnection-gnutls.c:2924
-msgid "Error performing TLS close"
-msgstr "执行 TLS 关闭时出错"
+msgid "Error performing TLS close: %s"
+msgstr "执行 TLS 关闭时出错:%s"
 
 #: tls/gnutls/gtlsdatabase-gnutls.c:553
 msgid ""
@@ -194,63 +195,68 @@
 "trust"
 msgstr "无法载入系统信任存储:GnuTLS 未配置系统信任库"
 
-#: tls/gnutls/gtlsdatabase-gnutls.c:558
+#: tls/gnutls/gtlsdatabase-gnutls.c:558 tls/openssl/gtlsdatabase-openssl.c:187
 #, c-format
 msgid "Failed to load system trust store: %s"
 msgstr "无法载入系统信任存储:%s"
 
 #: tls/gnutls/gtlsserverconnection-gnutls.c:137
-#: tls/openssl/gtlsserverconnection-openssl.c:91
+#: tls/openssl/gtlsserverconnection-openssl.c:90
 msgid "Certificate has no private key"
 msgstr "证书没有私钥"
 
-#: tls/openssl/gtlsclientconnection-openssl.c:417
-#: tls/openssl/gtlsclientconnection-openssl.c:483
-#: tls/openssl/gtlsserverconnection-openssl.c:305
-#: tls/openssl/gtlsserverconnection-openssl.c:365
+#: tls/openssl/gtlsclientconnection-openssl.c:410
+#: tls/openssl/gtlsclientconnection-openssl.c:467
+#: tls/openssl/gtlsserverconnection-openssl.c:288
+#: tls/openssl/gtlsserverconnection-openssl.c:339
 #, c-format
 msgid "Could not create TLS context: %s"
 msgstr "无法创建 TLS 上下文:%s"
 
-#: tls/openssl/gtlsconnection-openssl.c:183
-msgid "Digest too big for RSA key"
-msgstr "摘要对于 RSA 密钥太大了"
-
-#: tls/openssl/gtlsconnection-openssl.c:247
-#: tls/openssl/gtlsconnection-openssl.c:380
+#: tls/openssl/gtlsconnection-openssl.c:192
 #, c-format
-msgid "Error performing TLS handshake: %s"
-msgstr "执行 TLS 握手时出错:%s"
+msgid "Unacceptable TLS certificate authority"
+msgstr "无法接受的 TLS 证书颁发机构"
 
-#: tls/openssl/gtlsconnection-openssl.c:390
-msgid "Server did not return a valid TLS certificate"
-msgstr "服务器未返回有效的 TLS 证书"
+#: tls/openssl/gtlsconnection-openssl.c:200
+msgid "Digest too big for RSA key"
+msgstr "摘要对于 RSA 密钥太大了"
 
-#: tls/openssl/gtlsconnection-openssl.c:504
-#, c-format
-msgid "Error reading data from TLS socket: %s"
-msgstr "从 TLS 套接字读取数据时出错:%s"
+#: tls/openssl/gtlsconnection-openssl.c:507
+msgid "Error performing TLS close"
+msgstr "执行 TLS 关闭时出错"
 
-#: tls/openssl/gtlsconnection-openssl.c:530
-#, c-format
-msgid "Error writing data to TLS socket: %s"
-msgstr "向 TLS 套接字写入数据时出错:%s"
+#: tls/openssl/gtlsdatabase-openssl.c:227
+msgid "Could not create CA store"
+msgstr "无法创建 CA 存储"
 
-#: tls/openssl/gtlsconnection-openssl.c:556
+#: tls/openssl/gtlsfiledatabase-openssl.c:454
 #, c-format
-msgid "Error performing TLS close: %s"
-msgstr "执行 TLS 关闭时出错:%s"
+msgid "Failed to load file path: %s"
+msgstr "无法载入文件路径:%s"
 
-#: tls/openssl/gtlsserverconnection-openssl.c:102
+#: tls/openssl/gtlsserverconnection-openssl.c:101
 #, c-format
 msgid "There is a problem with the certificate: %s"
 msgstr "证书存在问题:%s"
 
-#: tls/openssl/gtlsserverconnection-openssl.c:110
+#: tls/openssl/gtlsserverconnection-openssl.c:109
 #, c-format
 msgid "There is a problem with the certificate private key: %s"
 msgstr "证书私钥存在问题:%s"
 
+#~ msgid "Operation would block"
+#~ msgstr "操作被阻塞"
+
+#~ msgid "Server did not return a valid TLS certificate"
+#~ msgstr "服务器未返回有效的 TLS 证书"
+
+#~ msgid "Error reading data from TLS socket: %s"
+#~ msgstr "从 TLS 套接字读取数据时出错:%s"
+
+#~ msgid "Error writing data to TLS socket: %s"
+#~ msgstr "向 TLS 套接字写入数据时出错:%s"
+
 #~ msgid ""
 #~ "This is the last chance to enter the PIN correctly before the token is "
 #~ "locked."
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/glib-networking-2.64.2/tls/base/gtlsconnection-base.c 
new/glib-networking-2.64.3/tls/base/gtlsconnection-base.c
--- old/glib-networking-2.64.2/tls/base/gtlsconnection-base.c   2020-04-14 
16:53:39.072792800 +0200
+++ new/glib-networking-2.64.3/tls/base/gtlsconnection-base.c   2020-05-29 
01:31:58.224540000 +0200
@@ -1233,24 +1233,23 @@
 verify_peer_certificate (GTlsConnectionBase *tls,
                          GTlsCertificate    *peer_certificate)
 {
-  GSocketConnectable *peer_identity;
+  GSocketConnectable *peer_identity = NULL;
   GTlsDatabase *database;
-  GTlsCertificateFlags errors;
+  GTlsCertificateFlags errors = 0;
   gboolean is_client;
 
   is_client = G_IS_TLS_CLIENT_CONNECTION (tls);
 
-  if (!is_client)
-    peer_identity = NULL;
-  else if (!g_tls_connection_base_is_dtls (tls))
-    peer_identity = g_tls_client_connection_get_server_identity 
(G_TLS_CLIENT_CONNECTION (tls));
-  else
-    peer_identity = g_dtls_client_connection_get_server_identity 
(G_DTLS_CLIENT_CONNECTION (tls));
+  if (is_client)
+    {
+      if (!g_tls_connection_base_is_dtls (tls))
+        peer_identity = g_tls_client_connection_get_server_identity 
(G_TLS_CLIENT_CONNECTION (tls));
+      else
+        peer_identity = g_dtls_client_connection_get_server_identity 
(G_DTLS_CLIENT_CONNECTION (tls));
 
-  if (is_client && !peer_identity)
-    g_warning ("GTlsClientConnection certificate verification will fail 
because its server-identity property is NULL. Fix your application!");
-
-  errors = 0;
+      if (!peer_identity)
+        errors |= G_TLS_CERTIFICATE_BAD_IDENTITY;
+    }
 
   database = g_tls_connection_get_database (G_TLS_CONNECTION (tls));
   if (!database)
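Review bot: The `errors |= G_TLS_CERTIFICATE_BAD_IDENTITY` set in the new `if (!peer_identity)` branch only takes effect if every later write to `errors` in verify_peer_certificate accumulates with `|=`; the function body continues past the end of this hunk, so that cannot be confirmed from here. A plain assignment from the database or certificate verification result further down would drop the flag, and a client with no server identity would presumably go back to accepting a certificate without any identity check. With the g_warning removed, nothing at this spot explains the intent any more, so I would add a comment on the branch: `/* No server identity to verify against: treat as BAD_IDENTITY. Later checks must OR into errors, not assign. */`.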
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/glib-networking-2.64.2/tls/tests/connection.c 
new/glib-networking-2.64.3/tls/tests/connection.c
--- old/glib-networking-2.64.2/tls/tests/connection.c   2020-04-14 
16:53:39.078792800 +0200
+++ new/glib-networking-2.64.3/tls/tests/connection.c   2020-05-29 
01:31:58.230540000 +0200
@@ -2444,6 +2444,74 @@
   g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS);
 }
 
+static void
+test_connection_missing_server_identity (TestConnection *test,
+                                         gconstpointer   data)
+{
+  GIOStream *connection;
+  GError *error = NULL;
+
+  test->database = g_tls_file_database_new (tls_test_file_path 
("ca-roots.pem"), &error);
+  g_assert_no_error (error);
+  g_assert_nonnull (test->database);
+
+  /* We pass NULL instead of test->identity when creating the client
+   * connection. This means verification must fail with
+   * G_TLS_CERTIFICATE_BAD_IDENTITY.
+   */
+  connection = start_async_server_and_connect_to_it (test, 
G_TLS_AUTHENTICATION_NONE);
+  test->client_connection = g_tls_client_connection_new (connection, NULL, 
&error);
+  g_assert_no_error (error);
+  g_assert_nonnull (test->client_connection);
+  g_object_unref (connection);
+
+  g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), 
test->database);
+
+  /* All validation in this test */
+  g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION 
(test->client_connection),
+                                                
G_TLS_CERTIFICATE_VALIDATE_ALL);
+
+  read_test_data_async (test);
+  g_main_loop_run (test->loop);
+  wait_until_server_finished (test);
+
+  g_assert_error (test->read_error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE);
+
+#ifdef BACKEND_IS_GNUTLS
+  g_assert_error (test->server_error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS);
+#elif defined(BACKEND_IS_OPENSSL)
+  /* FIXME: This is not OK. There should be a NOT_TLS errors. But some times
+   * we either get no error or BROKEN_PIPE
+   */
+#endif
+
+  g_clear_error (&test->read_error);
+  g_clear_error (&test->server_error);
+
+  g_clear_object (&test->client_connection);
+  g_clear_object (&test->server_connection);
+
+  /* Now do the same thing again, this time ignoring bad identity. */
+
+  connection = start_async_server_and_connect_to_it (test, 
G_TLS_AUTHENTICATION_NONE);
+  test->client_connection = g_tls_client_connection_new (connection, NULL, 
&error);
+  g_assert_no_error (error);
+  g_assert_nonnull (test->client_connection);
+  g_object_unref (connection);
+
+  g_tls_connection_set_database (G_TLS_CONNECTION (test->client_connection), 
test->database);
+
+  g_tls_client_connection_set_validation_flags (G_TLS_CLIENT_CONNECTION 
(test->client_connection),
+                                                G_TLS_CERTIFICATE_VALIDATE_ALL 
& ~G_TLS_CERTIFICATE_BAD_IDENTITY);
+
+  read_test_data_async (test);
+  g_main_loop_run (test->loop);
+  wait_until_server_finished (test);
+
+  g_assert_no_error (test->read_error);
+  g_assert_no_error (test->server_error);
+}
+
 int
 main (int   argc,
       char *argv[])
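Review bot: The comment in the first half of test_connection_missing_server_identity says verification must fail with `G_TLS_CERTIFICATE_BAD_IDENTITY`, but the assertion that follows checks only `G_TLS_ERROR_BAD_CERTIFICATE` on `test->read_error`, which any certificate failure would produce. That the identity check is the cause is shown only indirectly, by the second half succeeding once the flag is masked out of `G_TLS_CERTIFICATE_VALIDATE_ALL`. I would say so in the comment, e.g. `/* The client reports this as G_TLS_ERROR_BAD_CERTIFICATE; the second pass below, with BAD_IDENTITY masked, shows the identity check is the only cause. */`. The test also covers only the TLS client path; no DTLS counterpart for the `g_dtls_client_connection_get_server_identity` branch of the fix is visible on this page.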
@@ -2530,6 +2598,8 @@
               setup_connection, test_sync_op_during_handshake, 
teardown_connection);
   g_test_add ("/tls/" BACKEND "/connection/socket-timeout", TestConnection, 
NULL,
               setup_connection, test_socket_timeout, teardown_connection);
+  g_test_add ("/tls/" BACKEND "/connection/missing-server-identity", 
TestConnection, NULL,
+              setup_connection, test_connection_missing_server_identity, 
teardown_connection);
 
   ret = g_test_run ();
 

