/* GIO - GLib Input, Output and Streaming Library * * Copyright © 2010 Red Hat, Inc * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General * Public License along with this library; if not, see <http://www.gnu.org/licenses/>. */ #include "config.h" #include "glib.h" #include "gtlsclientconnection.h" #include "ginitable.h" #include "gioenumtypes.h" #include "gsocket.h" #include "gsocketconnectable.h" #include "gtlsbackend.h" #include "gtlscertificate.h" #include "glibintl.h" /** * SECTION:gtlsclientconnection * @short_description: TLS client-side connection * @include: gio/gio.h * * #GTlsClientConnection is the client-side subclass of * #GTlsConnection, representing a client-side TLS connection. */ /** * GTlsClientConnection: * * Abstract base class for the backend-specific client connection * type. * * Since: 2.28 */ G_DEFINE_INTERFACE (GTlsClientConnection, g_tls_client_connection, G_TYPE_TLS_CONNECTION) static void g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface) { /** * GTlsClientConnection:validation-flags: * * What steps to perform when validating a certificate received from * a server. Server certificates that fail to validate in all of the * ways indicated here will be rejected unless the application * overrides the default via #GTlsConnection::accept-certificate. * * Since: 2.28 */ g_object_interface_install_property (iface, g_param_spec_flags ("validation-flags", P_("Validation flags"), P_("What certificate validation to perform"), G_TYPE_TLS_CERTIFICATE_FLAGS, G_TLS_CERTIFICATE_VALIDATE_ALL, G_PARAM_READWRITE | G_PARAM_CONSTRUCT | G_PARAM_STATIC_STRINGS)); /** * GTlsClientConnection:server-identity: * * A #GSocketConnectable describing the identity of the server that * is expected on the other end of the connection. * * If the %G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in * #GTlsClientConnection:validation-flags, this object will be used * to determine the expected identify of the remote end of the * connection; if #GTlsClientConnection:server-identity is not set, * or does not match the identity presented by the server, then the * %G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail. * * In addition to its use in verifying the server certificate, * this is also used to give a hint to the server about what * certificate we expect, which is useful for servers that serve * virtual hosts. * * Since: 2.28 */ g_object_interface_install_property (iface, g_param_spec_object ("server-identity", P_("Server identity"), P_("GSocketConnectable identifying the server"), G_TYPE_SOCKET_CONNECTABLE, G_PARAM_READWRITE | G_PARAM_CONSTRUCT | G_PARAM_STATIC_STRINGS)); /** * GTlsClientConnection:use-ssl3: * * If %TRUE, forces the connection to use a fallback version of TLS * or SSL, rather than trying to negotiate the best version of TLS * to use. This can be used when talking to servers that don't * implement version negotiation correctly and therefore refuse to * handshake at all with a modern TLS handshake. * * Despite the property name, the fallback version is usually not * SSL 3.0, because SSL 3.0 is generally disabled by the #GTlsBackend. * #GTlsClientConnection will use the next-highest available version * as the fallback version. * * Since: 2.28 * * Deprecated: 2.56: SSL 3.0 is insecure, and this property does not * generally enable or disable it, despite its name. */ g_object_interface_install_property (iface, g_param_spec_boolean ("use-ssl3", P_("Use fallback"), P_("Use fallback version of SSL/TLS rather than most recent version"), FALSE, G_PARAM_READWRITE | G_PARAM_CONSTRUCT | G_PARAM_STATIC_STRINGS | G_PARAM_DEPRECATED)); /** * GTlsClientConnection:accepted-cas: (type GLib.List) (element-type GLib.ByteArray) * * A list of the distinguished names of the Certificate Authorities * that the server will accept client certificates signed by. If the * server requests a client certificate during the handshake, then * this property will be set after the handshake completes. * * Each item in the list is a #GByteArray which contains the complete * subject DN of the certificate authority. * * Since: 2.28 */ g_object_interface_install_property (iface, g_param_spec_pointer ("accepted-cas", P_("Accepted CAs"), P_("Distinguished names of the CAs the server accepts certificates from"), G_PARAM_READABLE | G_PARAM_STATIC_STRINGS)); } /** * g_tls_client_connection_new: * @base_io_stream: the #GIOStream to wrap * @server_identity: (nullable): the expected identity of the server * @error: #GError for error reporting, or %NULL to ignore. * * Creates a new #GTlsClientConnection wrapping @base_io_stream (which * must have pollable input and output streams) which is assumed to * communicate with the server identified by @server_identity. * * See the documentation for #GTlsConnection:base-io-stream for restrictions * on when application code can run operations on the @base_io_stream after * this function has returned. * * Returns: (transfer full) (type GTlsClientConnection): the new * #GTlsClientConnection, or %NULL on error * * Since: 2.28 */ GIOStream * g_tls_client_connection_new (GIOStream *base_io_stream, GSocketConnectable *server_identity, GError **error) { GObject *conn; GTlsBackend *backend; backend = g_tls_backend_get_default (); conn = g_initable_new (g_tls_backend_get_client_connection_type (backend), NULL, error, "base-io-stream", base_io_stream, "server-identity", server_identity, NULL); return G_IO_STREAM (conn); } /** * g_tls_client_connection_get_validation_flags: * @conn: the #GTlsClientConnection * * Gets @conn's validation flags * * Returns: the validation flags * * Since: 2.28 */ GTlsCertificateFlags g_tls_client_connection_get_validation_flags (GTlsClientConnection *conn) { GTlsCertificateFlags flags = 0; g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0); g_object_get (G_OBJECT (conn), "validation-flags", &flags, NULL); return flags; } /** * g_tls_client_connection_set_validation_flags: * @conn: the #GTlsClientConnection * @flags: the #GTlsCertificateFlags to use * * Sets @conn's validation flags, to override the default set of * checks performed when validating a server certificate. By default, * %G_TLS_CERTIFICATE_VALIDATE_ALL is used. * * Since: 2.28 */ void g_tls_client_connection_set_validation_flags (GTlsClientConnection *conn, GTlsCertificateFlags flags) { g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn)); g_object_set (G_OBJECT (conn), "validation-flags", flags, NULL); } /** * g_tls_client_connection_get_server_identity: * @conn: the #GTlsClientConnection * * Gets @conn's expected server identity * * Returns: (transfer none): a #GSocketConnectable describing the * expected server identity, or %NULL if the expected identity is not * known. * * Since: 2.28 */ GSocketConnectable * g_tls_client_connection_get_server_identity (GTlsClientConnection *conn) { GSocketConnectable *identity = NULL; g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0); g_object_get (G_OBJECT (conn), "server-identity", &identity, NULL); if (identity) g_object_unref (identity); return identity; } /** * g_tls_client_connection_set_server_identity: * @conn: the #GTlsClientConnection * @identity: a #GSocketConnectable describing the expected server identity * * Sets @conn's expected server identity, which is used both to tell * servers on virtual hosts which certificate to present, and also * to let @conn know what name to look for in the certificate when * performing %G_TLS_CERTIFICATE_BAD_IDENTITY validation, if enabled. * * Since: 2.28 */ void g_tls_client_connection_set_server_identity (GTlsClientConnection *conn, GSocketConnectable *identity) { g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn)); g_object_set (G_OBJECT (conn), "server-identity", identity, NULL); } /** * g_tls_client_connection_get_use_ssl3: * @conn: the #GTlsClientConnection * * Gets whether @conn will force the lowest-supported TLS protocol * version rather than attempt to negotiate the highest mutually- * supported version of TLS; see g_tls_client_connection_set_use_ssl3(). * * Returns: whether @conn will use the lowest-supported TLS protocol version * * Since: 2.28 * * Deprecated: 2.56: SSL 3.0 is insecure, and this function does not * actually indicate whether it is enabled. */ gboolean g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn) { gboolean use_ssl3 = FALSE; g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0); g_object_get (G_OBJECT (conn), "use-ssl3", &use_ssl3, NULL); return use_ssl3; } /** * g_tls_client_connection_set_use_ssl3: * @conn: the #GTlsClientConnection * @use_ssl3: whether to use the lowest-supported protocol version * * If @use_ssl3 is %TRUE, this forces @conn to use the lowest-supported * TLS protocol version rather than trying to properly negotiate the * highest mutually-supported protocol version with the peer. This can * be used when talking to broken TLS servers that exhibit protocol * version intolerance. * * Be aware that SSL 3.0 is generally disabled by the #GTlsBackend, so * the lowest-supported protocol version is probably not SSL 3.0. * * Since: 2.28 * * Deprecated: 2.56: SSL 3.0 is insecure, and this function does not * generally enable or disable it, despite its name. */ void g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn, gboolean use_ssl3) { g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn)); g_object_set (G_OBJECT (conn), "use-ssl3", use_ssl3, NULL); } /** * g_tls_client_connection_get_accepted_cas: * @conn: the #GTlsClientConnection * * Gets the list of distinguished names of the Certificate Authorities * that the server will accept certificates from. This will be set * during the TLS handshake if the server requests a certificate. * Otherwise, it will be %NULL. * * Each item in the list is a #GByteArray which contains the complete * subject DN of the certificate authority. * * Returns: (element-type GByteArray) (transfer full): the list of * CA DNs. You should unref each element with g_byte_array_unref() and then * the free the list with g_list_free(). * * Since: 2.28 */ GList * g_tls_client_connection_get_accepted_cas (GTlsClientConnection *conn) { GList *accepted_cas = NULL; g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), NULL); g_object_get (G_OBJECT (conn), "accepted-cas", &accepted_cas, NULL); return accepted_cas; } /** * g_tls_client_connection_copy_session_state: * @conn: a #GTlsClientConnection * @source: a #GTlsClientConnection * * Copies session state from one connection to another. This is * not normally needed, but may be used when the same session * needs to be used between different endpoints as is required * by some protocols such as FTP over TLS. @source should have * already completed a handshake, and @conn should not have * completed a handshake. * * Since: 2.46 */ void g_tls_client_connection_copy_session_state (GTlsClientConnection *conn, GTlsClientConnection *source) { g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn)); g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (source)); g_return_if_fail (G_TLS_CLIENT_CONNECTION_GET_INTERFACE (conn)->copy_session_state != NULL); G_TLS_CLIENT_CONNECTION_GET_INTERFACE (conn)->copy_session_state (conn, source); }