Remove direct openssl backend, available via env GIO_USE_TLS
rufferson committed May 17, 2020
1 parent aa31ef0 commit 71d67e4
Showing 8 changed files with 6 additions and 2,442 deletions.
78 changes: 2 additions & 76 deletions configure.ac
Expand Up @@ -128,81 +128,10 @@ AC_DEFINE([GLIB_VERSION_MAX_ALLOWED], [GLIB_VERSION_2_44], [Prevent post 2.44 AP
AC_SUBST(GLIB_CFLAGS)
AC_SUBST(GLIB_LIBS)

dnl Choose an SSL/TLS backend (default gnutls)
AC_ARG_WITH([tls],
AC_HELP_STRING([--with-tls=BACKEND],
[which TLS backend to use (gnutls, openssl, or auto) @<:@default=auto@:>@]),
[],
[with_tls=auto])


AS_CASE([$with_tls],
[gnutls], [PKG_CHECK_MODULES(TLS, [gnutls >= 2.8.2 ])],
[openssl], [USING_OPENSSL=yes
AC_DEFINE(USING_OPENSSL, 1, [Define if using openssl])
PKG_CHECK_MODULES(TLS, [openssl >= 0.9.8g])],
[auto], [PKG_CHECK_MODULES(TLS, [gnutls >= 2.8.2 ],
[with_tls=gnutls],
[USING_OPENSSL=yes
AC_DEFINE(USING_OPENSSL, 1, [Define if using openssl])
PKG_CHECK_MODULES(TLS, [openssl >= 0.9.8g],[with_tls=openssl],
AC_MSG_ERROR([Neither gnutls nor openssl found]))])],
[*], AC_MSG_ERROR([Must have a TLS backend (gnutls or openssl)]))

PKG_CHECK_MODULES(TLS, [gnutls >= 3.0], [ HAVE_TLS=yes ], [ HAVE_TLS=no ])
AC_SUBST(TLS_CFLAGS)
AC_SUBST(TLS_LIBS)
AM_CONDITIONAL(USING_OPENSSL, test x$USING_OPENSSL = xyes)

AC_ARG_ENABLE([prefer-stream-ciphers],
AC_HELP_STRING([--enable-prefer-stream-ciphers],
[prefer stream ciphers over block ciphers to save bandwidth (at the possible expense of security)]),
[prefer_stream_ciphers=$enableval], [prefer_stream_ciphers=no])

if test x$prefer_stream_ciphers = xyes; then
AC_DEFINE(ENABLE_PREFER_STREAM_CIPHERS, [],
[Prefer stream ciphers over block ones to save bandwidth])
if test $with_tls = gnutls; then
# The *-ALL priority strings require gnutls 2.12.0.
# We do this check here and not earlier to avoid accidentally falling
# back to openssl because of the use of --enable-prefer-stream-ciphers.
PKG_CHECK_MODULES(GNUTLS_FOR_STREAM_CIPHERS, [gnutls >= 2.12.0],[],
AC_MSG_ERROR([gnutls 2.12.0 is needed to use --enable-prefer-stream-ciphers]))
fi
fi


# -----------------------------------------------------------
# Make CA certificates path configurable
# Stolen from GIO's TLS
# -----------------------------------------------------------
AC_MSG_CHECKING([location of system Certificate Authority list])
AC_ARG_WITH(ca-certificates,
[AC_HELP_STRING([--with-ca-certificates=@<:@path@:>@],
[path to system Certificate Authority list])])
if test "$with_ca_certificates" = "no"; then
AC_MSG_RESULT([disabled])
else
if test -z "$with_ca_certificates"; then
for f in /etc/pki/tls/certs/ca-bundle.crt \
/etc/ssl/certs/ca-certificates.crt; do
if test -f "$f"; then
with_ca_certificates="$f"
fi
done
if test -z "$with_ca_certificates"; then
AC_MSG_ERROR([could not find. Use --with-ca-certificates=path to set, or --without-ca-certificates to disable])
fi
fi

AC_MSG_RESULT($with_ca_certificates)
AC_DEFINE_UNQUOTED([GTLS_SYSTEM_CA_CERTIFICATES], ["$with_ca_certificates"], [path to system Certificate Authority list])
fi

if test -n "$with_ca_certificates"; then
if ! test -f "$with_ca_certificates"; then
AC_MSG_WARN([Specified certificate authority file '$with_ca_certificates' does not exist])
fi
fi
AM_CONDITIONAL(HAVE_TLS, test x$HAVE_TLS = xyes)


GLIB_GENMARSHAL=`$PKG_CONFIG --variable=glib_genmarshal glib-2.0`
Expand Down Expand Up @@ -309,9 +238,6 @@ Configure summary:
Debug................: ${enable_debug}

Features:
TLS Backend..........: ${with_tls}
Prefer stream ciphers: ${prefer_stream_ciphers}
System CA certs......: ${with_ca_certificates}
SASL2 Tests..........: ${HAVE_LIBSASL2}
gtk-doc documentation: ${enable_gtk_doc}
libiphb integration..: ${have_iphb}
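Review bot: The new `PKG_CHECK_MODULES(TLS, [gnutls >= 3.0], [ HAVE_TLS=yes ], [ HAVE_TLS=no ])` makes gnutls silently optional, yet the summary hunk below drops every TLS line, so a build that quietly loses the gnutls-dependent pieces gives no hint of it in `Configure summary`. Add `TLS (gnutls 3.0+)....: ${HAVE_TLS}` under `Features:` and a `dnl` comment on the check saying what still needs gnutls now that libwocky no longer links `@TLS_LIBS@` (the examples Makefile in this commit gates only `wocky-dump-certificates` on `HAVE_TLS`). Since the backend is now chosen at runtime through glib-networking's `GIO_USE_TLS`, that comment should also state that certificate-verification behaviour is no longer fixed at configure time. The removed `--with-ca-certificates` option also drops the `GTLS_SYSTEM_CA_CERTIFICATES` define; I cannot see the C sources here, so whether anything still references it should be confirmed before this lands.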
4 changes: 2 additions & 2 deletions examples/Makefile.am
@@ -1,9 +1,8 @@
EXAMPLES =

if ! USING_OPENSSL
if HAVE_TLS
EXAMPLES += wocky-dump-certificates
endif

EXAMPLES += wocky-send-message
EXAMPLES += wocky-receive-messages
EXAMPLES += wocky-register
Expand All @@ -13,6 +12,7 @@ INCLUDES := -I$(top_builddir)/wocky

wocky_dump_certificates_SOURCES = dump-certificates.c
wocky_dump_certificates_CFLAGS = $(TLS_CFLAGS) $(AM_CFLAGS)

wocky_dump_certificates_LDADD = $(TLS_LIBS) $(LDADD)

wocky_send_message_SOURCES = send-message.c
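Review bot: `wocky-dump-certificates` is still compiled with `$(TLS_CFLAGS)` and linked with `$(TLS_LIBS)` even though the library Makefile in this commit drops both from libwocky, so gnutls survives as a build dependency only for this example, and nothing says why. A comment above the new `if HAVE_TLS` should state the reason, e.g. `# dump-certificates uses gnutls directly; libwocky itself now goes through GIO TLS`, if that is indeed the case. If dump-certificates.c no longer needs gnutls-specific API, the `HAVE_TLS` gate and the `TLS_*` flags can go entirely and configure.ac could stop probing gnutls.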
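--- a/wocky/Makefile.am
+++ b/wocky/Makefile.am
@@ -37,15 +37,6 @@ built_sources = \
 
 BUILT_SOURCES = $(built_headers) $(built_sources)
 
-OPENSSL_SRC = \
-wocky-openssl.c \
-wocky-openssl-dh512.c \
-wocky-openssl-dh1024.c \
-wocky-openssl-dh2048.c \
-wocky-openssl-dh4096.c
-
-GNUTLS_SRC = wocky-tls.c
-
 handwritten_headers = \
 wocky.h \
 wocky-auth-handler.h \
@@ -168,6 +159,7 @@ handwritten_sources = \
 wocky-session.c \
 wocky-stanza.c \
 wocky-utils.c \
+wocky-tls.c \
 wocky-tls-common.c \
 wocky-tls-handler.c \
 wocky-tls-connector.c \
@@ -177,14 +169,6 @@ handwritten_sources = \
 wocky-xmpp-reader.c \
 wocky-xmpp-writer.c
 
-if USING_OPENSSL
-handwritten_sources += $(OPENSSL_SRC)
-EXTRA_DIST += $(GNUTLS_SRC)
-else
-handwritten_sources += $(GNUTLS_SRC)
-EXTRA_DIST += $(OPENSSL_SRC)
-endif
-
 libwocky_la_SOURCES = $(handwritten_sources) $(built_sources) \
 $(handwritten_headers) $(built_headers)
 
@@ -234,7 +218,7 @@ wocky-signals-marshal.list: $(handwritten_sources) Makefile.am
 
 
 AM_CFLAGS = $(ERROR_CFLAGS) $(GCOV_CFLAGS) \
-@GLIB_CFLAGS@ @LIBXML2_CFLAGS@ @SQLITE_CFLAGS@ @TLS_CFLAGS@ \
+@GLIB_CFLAGS@ @LIBXML2_CFLAGS@ @SQLITE_CFLAGS@ \
 @LIBIPHB_CFLAGS@ \
 @SOUP_CFLAGS@ \
 -DG_LOG_DOMAIN=\"wocky\" \
@@ -246,7 +230,6 @@ libwocky_la_LIBADD = \
 @GLIB_LIBS@ \
 @LIBXML2_LIBS@ \
 @SQLITE_LIBS@ \
-@TLS_LIBS@ \
 @LIBIPHB_LIBS@ \
 @SOUP_LIBS@ \
 $(NULL)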
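Review bot: Moving `wocky-tls.c` into the unconditional `handwritten_sources` list while dropping `@TLS_CFLAGS@` and `@TLS_LIBS@` means libwocky's TLS now depends entirely on a glib-networking GIO module being present at runtime, which nothing in the build checks; the commit title and the author's comment say the backend is selected via `GIO_USE_TLS`. A comment next to the new line would make that contract visible to packagers: `# wocky-tls.c uses the GIO TLS backend; a glib-networking module must be installed at runtime (GIO_USE_TLS selects which)`. I cannot see wocky-tls.c here, so that it goes through GIO is inferred from the `_g_io_module_get_default` line in the debug log below rather than from this hunk.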
45 changes: 0 additions & 45 deletions wocky/wocky-openssl-dh1024.c

This file was deleted.

56 changes: 0 additions & 56 deletions wocky/wocky-openssl-dh2048.c

This file was deleted.

77 changes: 0 additions & 77 deletions wocky/wocky-openssl-dh4096.c

This file was deleted.

40 changes: 0 additions & 40 deletions wocky/wocky-openssl-dh512.c

This file was deleted.

2 comments on commit 71d67e4


@Thaodan Thaodan commented on 71d67e4 Oct 9, 2020


Can you explain how that works if I want to use openssl?


@rufferson rufferson commented on 71d67e4 Oct 9, 2020


Technically you shouldn't as both backends are supposed to provide equivalent functionality (and I have tested their interoperability).
If you want nevertheless you need to ensure that

  • Your glib-networking GIO-TLS backend has openssl
  • Pass the GIO_USE_TLS=openssl environment variable to the telepathy-gabble D-Bus invocation script (or start it manually)

Gio team encourages downstream packagers not to include openssl backend on linux (only on windows where it is the only choice anyway) because it had many tests commented out (they were mostly failing). I have landed several commits to unlock all tests (and correct the code to fix the missing functionality) which proves now at least test suite passes. There are still couple of glitches remaining - which is on my todo. Technically I believe Gio team can withdraw the request to shun openssl backend - will raise that.
But till then you'll likely need to build glib-networking manually with openssl support and then:

$ G_MESSAGES_DEBUG=all GABBLE_DEBUG=all GABBLE_PERSIST=1 WOCKY_DEBUG=all LD_LIBRARY_PATH=/opt/data/lib/lib GIO_USE_TLS=openssl /opt/data/lib/libexec/telepathy-gabble 
(process:1016754): tp-glib/proxy-DEBUG: 19:02:02.041: tp_proxy_dispose: 0x556c2f55a1c0
(process:1016754): tp-glib/proxy-DEBUG: 19:02:02.043: tp_proxy_invalidate: 0x556c2f55a1c0: Proxy unreferenced
(process:1016754): tp-glib/proxy-DEBUG: 19:02:02.043: tp_proxy_finalize: 0x556c2f55a1c0
(process:1016754): gabble-DEBUG: 19:02:02.043: gabble_plugin_loader_probe (plugin-loader.c:141): probing /opt/data/lib/lib/telepathy/gabble-0/plugins
** (process:1016754): DEBUG: 19:02:02.044: gabble_plugin_create: loaded
(process:1016754): gabble-DEBUG: 19:02:02.044: plugin_loader_try_to_load (plugin-loader.c:104): loaded 'Gateway registration plugin' version 0.18.999.1 (/opt/data/lib/lib/telepathy/gabble-0/plugins/libgateways.so), implementing these sidecars: org.freedesktop.Telepathy.Gabble.Plugin.Gateways
** (process:1016754): DEBUG: 19:02:02.044: gabble_plugin_create: loaded
(process:1016754): gabble-DEBUG: 19:02:02.044: plugin_loader_try_to_load (plugin-loader.c:104): loaded 'XMPP console' version 0.18.999.1 (/opt/data/lib/lib/telepathy/gabble-0/plugins/libconsole.so), implementing these sidecars: org.freedesktop.Telepathy.Gabble.Plugin.Console
(telepathy-gabble:1016754): tp-glib-DEBUG: 19:02:02.045: started version 0.18.999.1 (telepathy-glib version 0.24.1)
(telepathy-gabble:1016754): tp-glib/params-DEBUG: 19:03:09.046: tp_base_protocol_sanitize_parameters: using specified value for account: "ruff@lightwitch.org"
...
(telepathy-gabble:1016754): wocky-DEBUG: 19:03:11.155: _end_element_ns: Received stanza
* proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'
(telepathy-gabble:1016754): wocky-DEBUG: 19:03:11.156: starttls_recv_cb: wocky-tls-connector.c:364: Received STARTTLS response
(telepathy-gabble:1016754): GLib-GIO-DEBUG: 19:03:11.165: _g_io_module_get_default: Found default implementation openssl (GTlsBackendOpenssl) for ?gio-tls-backend?
(telepathy-gabble:1016754): wocky-DEBUG: 19:03:11.166: wocky_tls_session_add_ca: wocky-tls.c:101: adding CA CERT path '/home/ruff/.config/telepathy/certs'
(telepathy-gabble:1016754): wocky-DEBUG: 19:03:11.166: wocky_tls_session_add_ca: wocky-tls.c:105: CA file '/home/ruff/.config/telepathy/certs': stat failed)
(telepathy-gabble:1016754): wocky-DEBUG: 19:03:11.167: wocky_tls_session_add_ca: wocky-tls.c:101: adding CA CERT path '/etc/ssl/certs/ca-certificates.crt'
(telepathy-gabble:1016754): wocky-DEBUG: 19:03:11.192: wocky_tls_session_add_ca: wocky-tls.c:140: + /etc/ssl/certs/ca-certificates.crt: 138 certs from file
(telepathy-gabble:1016754): wocky-DEBUG: 19:03:11.216: starttls_recv_cb: wocky-tls-connector.c:394: Starting client TLS handshake 0x556c2f595390
...

P.S. Despite failed unit-tests openssl worked quite ok with wocky. It had problem with error reporting consistency (one of the main reasons for failed tests) and then had unimplemented ALPN and resumption. Now remaining glitches are mostly with error reporting for abnormal handshake termination.
