From: "Ludovic Courtès" <ludo@gnu.org>
To: 56867@debbugs.gnu.org
Cc: guile-devel@gnu.org
Subject: [bug#56867] [PATCH] download: Do not wrap TLS port on GnuTLS >= 3.7.7.
Date: Thu, 04 Aug 2022 16:20:12 +0200 [thread overview]
Message-ID: <87pmhgks4j.fsf@gnu.org> (raw)
In-Reply-To: <20220801090749.11655-1-ludo@gnu.org> ("Ludovic Courtès"'s message of "Mon, 1 Aug 2022 11:07:49 +0200")
[-- Attachment #1: Type: text/plain, Size: 1953 bytes --]
Ludovic Courtès <ludo@gnu.org> skribis:
> The custom input/output port wrapping the TLS session record port would
> introduce overhead, and it would also prevent its uses in a non-blocking
> context--e.g., with Fibers. The port close mechanism added in GnuTLS
> 3.7.7 allows us to get rid of that wrapper.
>
> * guix/build/download.scm (wrap-record-port-for-gnutls<3.7.7): New
> procedure, with code formerly in 'tls-wrap'.
> (tls-wrap): Check for 'set-session-record-port-close!' and use it when
> available; otherwise call 'wrap-record-port-for-gnutls<3.7.7'.
I synchronized Guile's copy of this code:
317b06bf8 web: 'tls-wrap' retries handshake upon non-fatal errors.
c01ca10b3 web: Do not wrap TLS port on GnuTLS >= 3.7.7.
I realized that’s not enough to make it possible to use non-blocking
ports though.
First, I noticed that GnuTLS doesn’t implement ‘write_wait_fd’, only
‘read_wait_fd’ (not sure how problematic that is):
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(web client)
scheme@(guile-user)> (define p (open-socket-for-uri "https://guix.gnu.org"))
scheme@(guile-user)> ((@@ (ice-9 suspendable-ports) wait-for-writable) p)
ice-9/boot-9.scm:1685:16: In procedure raise-exception:
In procedure write_wait_fd: unimplemented
Entering a new prompt. Type `,bt' for a backtrace or `,q' to continue.
scheme@(guile-user) [1]> ,q
scheme@(guile-user)> ,use(gnutls)
scheme@(guile-user)> (gnutls-version)
$1 = "3.7.7"
scheme@(guile-user)> ((@@ (ice-9 suspendable-ports) wait-for-readable) p)
$2 = 1
--8<---------------cut here---------------end--------------->8---
Second, ‘open-socket-for-uri’ creates a blocking socket and uses that as
the backing file descriptor of the TLS session.
We’d need a way to pass flags for the ‘socket’ call made by
‘open-socket-for-uri’ so we can pass O_NONBLOCK, maybe as show below:
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch, Size: 1488 bytes --]
diff --git a/module/web/client.scm b/module/web/client.scm
index a08c4203c..9273a45ad 100644
--- a/module/web/client.scm
+++ b/module/web/client.scm
@@ -320,7 +320,8 @@ host name without trailing dot."
(read-response port))
(define* (open-socket-for-uri uri-or-string
- #:key (verify-certificate? #t))
+ #:key (verify-certificate? #t)
+ (flags 0))
"Return an open input/output port for a connection to URI-OR-STRING.
When VERIFY-CERTIFICATE? is true, verify HTTPS server certificates."
(define uri
@@ -373,10 +374,18 @@ When VERIFY-CERTIFICATE? is true, verify HTTPS server certificates."
(when (and https? (current-https-proxy))
(setup-http-tunnel s uri))
- (if https?
- (tls-wrap s (uri-host uri)
- #:verify-certificate? verify-certificate?)
- s)))
+ (let ((port (if https?
+ (tls-wrap s (uri-host uri)
+ #:verify-certificate? verify-certificate?)
+ s)))
+ (unless (zero? flags)
+ ;; FLAGS might contain O_NONBLOCK. Thus, set it as a last step
+ ;; because 'handshake' otherwise throws an exception for
+ ;; GNUTLS_E_AGAIN.
+ (let ((initial-flags (fcntl s F_GETFL)))
+ (fcntl s F_SETFL (logior initial-flags flags))))
+
+ port)))
(define (extend-request r k v . additional)
(let ((r (set-field r (request-headers)
[-- Attachment #3: Type: text/plain, Size: 392 bytes --]
… which lets us do that:
--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> ,use(web client)
scheme@(guile-user)> (define p (open-socket-for-uri "https://guix.gnu.org" #:flags O_NONBLOCK))
scheme@(guile-user)> (http-get "https://guix.gnu.org" #:port p)
--8<---------------cut here---------------end--------------->8---
Thoughts?
Ludo’.
next prev parent reply other threads:[~2022-08-04 14:21 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-01 9:07 [bug#56867] [PATCH] download: Do not wrap TLS port on GnuTLS >= 3.7.7 Ludovic Courtès
2022-08-01 9:15 ` Ludovic Courtès
2022-08-01 9:56 ` Maxime Devos
2022-08-02 7:59 ` Ludovic Courtès
2022-08-04 19:37 ` Maxime Devos
2022-08-05 8:31 ` Ludovic Courtès
2022-08-05 10:17 ` Maxime Devos
2022-08-03 15:57 ` bug#56867: " Ludovic Courtès
2022-08-04 14:20 ` Ludovic Courtès [this message]
[not found] ` <87v8r86p7s.fsf@kolabnow.com>
2022-08-04 16:19 ` [bug#56867] " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87pmhgks4j.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=56867@debbugs.gnu.org \
--cc=guile-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).