unofficial mirror of guile-devel@gnu.org 
 help / color / mirror / Atom feed
From: "Ludovic Courtès" <ludo@gnu.org>
To: 56867@debbugs.gnu.org
Cc: guile-devel@gnu.org
Subject: [bug#56867] [PATCH] download: Do not wrap TLS port on GnuTLS >= 3.7.7.
Date: Thu, 04 Aug 2022 16:20:12 +0200	[thread overview]
Message-ID: <87pmhgks4j.fsf@gnu.org> (raw)
In-Reply-To: <20220801090749.11655-1-ludo@gnu.org> ("Ludovic Courtès"'s message of "Mon, 1 Aug 2022 11:07:49 +0200")

[-- Attachment #1: Type: text/plain, Size: 1953 bytes --]

Ludovic Courtès <ludo@gnu.org> skribis:

> The custom input/output port wrapping the TLS session record port would
> introduce overhead, and it would also prevent its uses in a non-blocking
> context--e.g., with Fibers.  The port close mechanism added in GnuTLS
> 3.7.7 allows us to get rid of that wrapper.
>
> * guix/build/download.scm (wrap-record-port-for-gnutls<3.7.7): New
> procedure, with code formerly in 'tls-wrap'.
> (tls-wrap): Check for 'set-session-record-port-close!' and use it when
> available; otherwise call 'wrap-record-port-for-gnutls<3.7.7'.

I synchronized Guile's copy of this code:

  317b06bf8 web: 'tls-wrap' retries handshake upon non-fatal errors.
  c01ca10b3 web: Do not wrap TLS port on GnuTLS >= 3.7.7.

I realized that’s not enough to make it possible to use non-blocking
ports though.

First, I noticed that GnuTLS doesn’t implement ‘write_wait_fd’, only
‘read_wait_fd’ (not sure how problematic that is):

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(web client)
scheme@(guile-user)> (define p (open-socket-for-uri "https://guix.gnu.org"))
scheme@(guile-user)> ((@@ (ice-9 suspendable-ports) wait-for-writable) p)
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure write_wait_fd: unimplemented

Entering a new prompt.  Type `,bt' for a backtrace or `,q' to continue.
scheme@(guile-user) [1]> ,q
scheme@(guile-user)> ,use(gnutls)
scheme@(guile-user)> (gnutls-version)
$1 = "3.7.7"
scheme@(guile-user)> ((@@ (ice-9 suspendable-ports) wait-for-readable) p)
$2 = 1
--8<---------------cut here---------------end--------------->8---

Second, ‘open-socket-for-uri’ creates a blocking socket and uses that as
the backing file descriptor of the TLS session.

We’d need a way to pass flags for the ‘socket’ call made by
‘open-socket-for-uri’ so we can pass O_NONBLOCK, maybe as show below:


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 1488 bytes --]

diff --git a/module/web/client.scm b/module/web/client.scm
index a08c4203c..9273a45ad 100644
--- a/module/web/client.scm
+++ b/module/web/client.scm
@@ -320,7 +320,8 @@ host name without trailing dot."
   (read-response port))
 
 (define* (open-socket-for-uri uri-or-string
-                              #:key (verify-certificate? #t))
+                              #:key (verify-certificate? #t)
+                              (flags 0))
   "Return an open input/output port for a connection to URI-OR-STRING.
 When VERIFY-CERTIFICATE? is true, verify HTTPS server certificates."
   (define uri
@@ -373,10 +374,18 @@ When VERIFY-CERTIFICATE? is true, verify HTTPS server certificates."
     (when (and https? (current-https-proxy))
       (setup-http-tunnel s uri))
 
-    (if https?
-        (tls-wrap s (uri-host uri)
-                  #:verify-certificate? verify-certificate?)
-        s)))
+    (let ((port (if https?
+                    (tls-wrap s (uri-host uri)
+                              #:verify-certificate? verify-certificate?)
+                    s)))
+      (unless (zero? flags)
+        ;; FLAGS might contain O_NONBLOCK.  Thus, set it as a last step
+        ;; because 'handshake' otherwise throws an exception for
+        ;; GNUTLS_E_AGAIN.
+        (let ((initial-flags (fcntl s F_GETFL)))
+          (fcntl s F_SETFL (logior initial-flags flags))))
+
+      port)))
 
 (define (extend-request r k v . additional)
   (let ((r (set-field r (request-headers)

[-- Attachment #3: Type: text/plain, Size: 392 bytes --]


… which lets us do that:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(web client)
scheme@(guile-user)> (define p (open-socket-for-uri "https://guix.gnu.org" #:flags O_NONBLOCK))
scheme@(guile-user)> (http-get "https://guix.gnu.org" #:port p)
--8<---------------cut here---------------end--------------->8---

Thoughts?

Ludo’.

  parent reply	other threads:[~2022-08-04 14:20 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-01  9:07 [bug#56867] [PATCH] download: Do not wrap TLS port on GnuTLS >= 3.7.7 Ludovic Courtès
2022-08-01  9:15 ` Ludovic Courtès
2022-08-01  9:56 ` Maxime Devos
2022-08-02  7:59   ` Ludovic Courtès
2022-08-04 19:37     ` Maxime Devos
2022-08-05  8:31       ` Ludovic Courtès
2022-08-05 10:17         ` Maxime Devos
2022-08-03 15:57 ` bug#56867: " Ludovic Courtès
2022-08-04 14:20 ` Ludovic Courtès [this message]
2022-08-04 14:46   ` bug#56005: [bug#56867] " Thiago Jung Bauermann via Bug reports for GNU Guix
2022-08-04 16:19     ` Ludovic Courtès
2022-08-04 17:31   ` bug#56867: " Chris Vine

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/guile/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87pmhgks4j.fsf@gnu.org \
    --to=ludo@gnu.org \
    --cc=56867@debbugs.gnu.org \
    --cc=guile-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).