Branch data Line data Source code
1 : : /* GIO - GLib Input, Output and Streaming Library
2 : : *
3 : : * Copyright © 2010 Red Hat, Inc
4 : : * Copyright © 2015 Collabora, Ltd.
5 : : *
6 : : * SPDX-License-Identifier: LGPL-2.1-or-later
7 : : *
8 : : * This library is free software; you can redistribute it and/or
9 : : * modify it under the terms of the GNU Lesser General Public
10 : : * License as published by the Free Software Foundation; either
11 : : * version 2.1 of the License, or (at your option) any later version.
12 : : *
13 : : * This library is distributed in the hope that it will be useful,
14 : : * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 : : * Lesser General Public License for more details.
17 : : *
18 : : * You should have received a copy of the GNU Lesser General
19 : : * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
20 : : */
21 : :
22 : : #include "config.h"
23 : : #include "glib.h"
24 : :
25 : : #include "gdtlsclientconnection.h"
26 : : #include "ginitable.h"
27 : : #include "gioenumtypes.h"
28 : : #include "gsocket.h"
29 : : #include "gsocketconnectable.h"
30 : : #include "gtlsbackend.h"
31 : : #include "gtlscertificate.h"
32 : : #include "glibintl.h"
33 : :
34 : : /**
35 : : * GDtlsClientConnection:
36 : : *
37 : : * `GDtlsClientConnection` is the client-side subclass of
38 : : * [iface@Gio.DtlsConnection], representing a client-side DTLS connection.
39 : : *
40 : : * Since: 2.48
41 : : */
42 : 2 : G_DEFINE_INTERFACE (GDtlsClientConnection, g_dtls_client_connection,
43 : : G_TYPE_DTLS_CONNECTION)
44 : :
45 : : static void
46 : 1 : g_dtls_client_connection_default_init (GDtlsClientConnectionInterface *iface)
47 : : {
48 : : /**
49 : : * GDtlsClientConnection:validation-flags:
50 : : *
51 : : * What steps to perform when validating a certificate received from
52 : : * a server. Server certificates that fail to validate in any of the
53 : : * ways indicated here will be rejected unless the application
54 : : * overrides the default via #GDtlsConnection::accept-certificate.
55 : : *
56 : : * GLib guarantees that if certificate verification fails, at least one
57 : : * flag will be set, but it does not guarantee that all possible flags
58 : : * will be set. Accordingly, you may not safely decide to ignore any
59 : : * particular type of error. For example, it would be incorrect to mask
60 : : * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates,
61 : : * because this could potentially be the only error flag set even if
62 : : * other problems exist with the certificate. Therefore, there is no
63 : : * safe way to use this property. This is not a horrible problem,
64 : : * though, because you should not be attempting to ignore validation
65 : : * errors anyway. If you really must ignore TLS certificate errors,
66 : : * connect to #GDtlsConnection::accept-certificate.
67 : : *
68 : : * Since: 2.48
69 : : *
70 : : * Deprecated: 2.74: Do not attempt to ignore validation errors.
71 : : */
72 : 1 : g_object_interface_install_property (iface,
73 : : g_param_spec_flags ("validation-flags", NULL, NULL,
74 : : G_TYPE_TLS_CERTIFICATE_FLAGS,
75 : : G_TLS_CERTIFICATE_VALIDATE_ALL,
76 : : G_PARAM_READWRITE |
77 : : G_PARAM_CONSTRUCT |
78 : : G_PARAM_STATIC_STRINGS));
79 : :
80 : : /**
81 : : * GDtlsClientConnection:server-identity:
82 : : *
83 : : * A #GSocketConnectable describing the identity of the server that
84 : : * is expected on the other end of the connection.
85 : : *
86 : : * If the %G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in
87 : : * #GDtlsClientConnection:validation-flags, this object will be used
88 : : * to determine the expected identify of the remote end of the
89 : : * connection; if #GDtlsClientConnection:server-identity is not set,
90 : : * or does not match the identity presented by the server, then the
91 : : * %G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail.
92 : : *
93 : : * In addition to its use in verifying the server certificate,
94 : : * this is also used to give a hint to the server about what
95 : : * certificate we expect, which is useful for servers that serve
96 : : * virtual hosts.
97 : : *
98 : : * Since: 2.48
99 : : */
100 : 1 : g_object_interface_install_property (iface,
101 : : g_param_spec_object ("server-identity", NULL, NULL,
102 : : G_TYPE_SOCKET_CONNECTABLE,
103 : : G_PARAM_READWRITE |
104 : : G_PARAM_CONSTRUCT |
105 : : G_PARAM_STATIC_STRINGS));
106 : :
107 : : /**
108 : : * GDtlsClientConnection:accepted-cas: (type GLib.List) (element-type GLib.ByteArray)
109 : : *
110 : : * A list of the distinguished names of the Certificate Authorities
111 : : * that the server will accept client certificates signed by. If the
112 : : * server requests a client certificate during the handshake, then
113 : : * this property will be set after the handshake completes.
114 : : *
115 : : * Each item in the list is a #GByteArray which contains the complete
116 : : * subject DN of the certificate authority.
117 : : *
118 : : * Since: 2.48
119 : : */
120 : 1 : g_object_interface_install_property (iface,
121 : : g_param_spec_pointer ("accepted-cas", NULL, NULL,
122 : : G_PARAM_READABLE |
123 : : G_PARAM_STATIC_STRINGS));
124 : 1 : }
125 : :
126 : : /**
127 : : * g_dtls_client_connection_new:
128 : : * @base_socket: the #GDatagramBased to wrap
129 : : * @server_identity: (nullable): the expected identity of the server
130 : : * @error: #GError for error reporting, or %NULL to ignore.
131 : : *
132 : : * Creates a new #GDtlsClientConnection wrapping @base_socket which is
133 : : * assumed to communicate with the server identified by @server_identity.
134 : : *
135 : : * Returns: (transfer full) (type GDtlsClientConnection): the new
136 : : * #GDtlsClientConnection, or %NULL on error
137 : : *
138 : : * Since: 2.48
139 : : */
140 : : GDatagramBased *
141 : 0 : g_dtls_client_connection_new (GDatagramBased *base_socket,
142 : : GSocketConnectable *server_identity,
143 : : GError **error)
144 : : {
145 : : GObject *conn;
146 : : GTlsBackend *backend;
147 : :
148 : 0 : backend = g_tls_backend_get_default ();
149 : 0 : conn = g_initable_new (g_tls_backend_get_dtls_client_connection_type (backend),
150 : : NULL, error,
151 : : "base-socket", base_socket,
152 : : "server-identity", server_identity,
153 : : NULL);
154 : 0 : return G_DATAGRAM_BASED (conn);
155 : : }
156 : :
157 : : /**
158 : : * g_dtls_client_connection_get_validation_flags:
159 : : * @conn: the #GDtlsClientConnection
160 : : *
161 : : * Gets @conn's validation flags
162 : : *
163 : : * This function does not work as originally designed and is impossible
164 : : * to use correctly. See #GDtlsClientConnection:validation-flags for more
165 : : * information.
166 : : *
167 : : * Returns: the validation flags
168 : : *
169 : : * Since: 2.48
170 : : *
171 : : * Deprecated: 2.74: Do not attempt to ignore validation errors.
172 : : */
173 : : GTlsCertificateFlags
174 : 0 : g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn)
175 : : {
176 : 0 : GTlsCertificateFlags flags = G_TLS_CERTIFICATE_NO_FLAGS;
177 : :
178 : 0 : g_return_val_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn), 0);
179 : :
180 : 0 : g_object_get (G_OBJECT (conn), "validation-flags", &flags, NULL);
181 : 0 : return flags;
182 : : }
183 : :
184 : : /**
185 : : * g_dtls_client_connection_set_validation_flags:
186 : : * @conn: the #GDtlsClientConnection
187 : : * @flags: the #GTlsCertificateFlags to use
188 : : *
189 : : * Sets @conn's validation flags, to override the default set of
190 : : * checks performed when validating a server certificate. By default,
191 : : * %G_TLS_CERTIFICATE_VALIDATE_ALL is used.
192 : : *
193 : : * This function does not work as originally designed and is impossible
194 : : * to use correctly. See #GDtlsClientConnection:validation-flags for more
195 : : * information.
196 : : *
197 : : * Since: 2.48
198 : : *
199 : : * Deprecated: 2.74: Do not attempt to ignore validation errors.
200 : : */
201 : : void
202 : 0 : g_dtls_client_connection_set_validation_flags (GDtlsClientConnection *conn,
203 : : GTlsCertificateFlags flags)
204 : : {
205 : 0 : g_return_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn));
206 : :
207 : 0 : g_object_set (G_OBJECT (conn), "validation-flags", flags, NULL);
208 : : }
209 : :
210 : : /**
211 : : * g_dtls_client_connection_get_server_identity:
212 : : * @conn: the #GDtlsClientConnection
213 : : *
214 : : * Gets @conn's expected server identity
215 : : *
216 : : * Returns: (transfer none): a #GSocketConnectable describing the
217 : : * expected server identity, or %NULL if the expected identity is not
218 : : * known.
219 : : *
220 : : * Since: 2.48
221 : : */
222 : : GSocketConnectable *
223 : 0 : g_dtls_client_connection_get_server_identity (GDtlsClientConnection *conn)
224 : : {
225 : 0 : GSocketConnectable *identity = NULL;
226 : :
227 : 0 : g_return_val_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn), 0);
228 : :
229 : 0 : g_object_get (G_OBJECT (conn), "server-identity", &identity, NULL);
230 : 0 : if (identity)
231 : 0 : g_object_unref (identity);
232 : 0 : return identity;
233 : : }
234 : :
235 : : /**
236 : : * g_dtls_client_connection_set_server_identity:
237 : : * @conn: the #GDtlsClientConnection
238 : : * @identity: a #GSocketConnectable describing the expected server identity
239 : : *
240 : : * Sets @conn's expected server identity, which is used both to tell
241 : : * servers on virtual hosts which certificate to present, and also
242 : : * to let @conn know what name to look for in the certificate when
243 : : * performing %G_TLS_CERTIFICATE_BAD_IDENTITY validation, if enabled.
244 : : *
245 : : * Since: 2.48
246 : : */
247 : : void
248 : 0 : g_dtls_client_connection_set_server_identity (GDtlsClientConnection *conn,
249 : : GSocketConnectable *identity)
250 : : {
251 : 0 : g_return_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn));
252 : :
253 : 0 : g_object_set (G_OBJECT (conn), "server-identity", identity, NULL);
254 : : }
255 : :
256 : : /**
257 : : * g_dtls_client_connection_get_accepted_cas:
258 : : * @conn: the #GDtlsClientConnection
259 : : *
260 : : * Gets the list of distinguished names of the Certificate Authorities
261 : : * that the server will accept certificates from. This will be set
262 : : * during the TLS handshake if the server requests a certificate.
263 : : * Otherwise, it will be %NULL.
264 : : *
265 : : * Each item in the list is a #GByteArray which contains the complete
266 : : * subject DN of the certificate authority.
267 : : *
268 : : * Returns: (element-type GByteArray) (transfer full): the list of
269 : : * CA DNs. You should unref each element with g_byte_array_unref() and then
270 : : * the free the list with g_list_free().
271 : : *
272 : : * Since: 2.48
273 : : */
274 : : GList *
275 : 0 : g_dtls_client_connection_get_accepted_cas (GDtlsClientConnection *conn)
276 : : {
277 : 0 : GList *accepted_cas = NULL;
278 : :
279 : 0 : g_return_val_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn), NULL);
280 : :
281 : 0 : g_object_get (G_OBJECT (conn), "accepted-cas", &accepted_cas, NULL);
282 : 0 : return accepted_cas;
283 : : }
|