Branch data Line data Source code
1 : : /* GIO - GLib Input, Output and Streaming Library
2 : : *
3 : : * Copyright © 2010 Red Hat, Inc
4 : : * Copyright © 2015 Collabora, Ltd.
5 : : *
6 : : * SPDX-License-Identifier: LGPL-2.1-or-later
7 : : *
8 : : * This library is free software; you can redistribute it and/or
9 : : * modify it under the terms of the GNU Lesser General Public
10 : : * License as published by the Free Software Foundation; either
11 : : * version 2.1 of the License, or (at your option) any later version.
12 : : *
13 : : * This library is distributed in the hope that it will be useful,
14 : : * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 : : * Lesser General Public License for more details.
17 : : *
18 : : * You should have received a copy of the GNU Lesser General
19 : : * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
20 : : */
21 : :
22 : : #include "config.h"
23 : : #include "glib.h"
24 : :
25 : : #include "gdtlsconnection.h"
26 : : #include "gcancellable.h"
27 : : #include "gioenumtypes.h"
28 : : #include "gsocket.h"
29 : : #include "gtlsbackend.h"
30 : : #include "gtlscertificate.h"
31 : : #include "gtlsconnection.h"
32 : : #include "gdtlsclientconnection.h"
33 : : #include "gtlsdatabase.h"
34 : : #include "gtlsinteraction.h"
35 : : #include "glibintl.h"
36 : : #include "gmarshal-internal.h"
37 : :
38 : : /**
39 : : * GDtlsConnection:
40 : : *
41 : : * `GDtlsConnection` is the base DTLS connection class type, which wraps
42 : : * a [iface@Gio.DatagramBased] and provides DTLS encryption on top of it. Its
43 : : * subclasses, [iface@Gio.DtlsClientConnection] and
44 : : * [iface@Gio.DtlsServerConnection], implement client-side and server-side DTLS,
45 : : * respectively.
46 : : *
47 : : * For TLS support, see [class@Gio.TlsConnection].
48 : : *
49 : : * As DTLS is datagram based, `GDtlsConnection` implements
50 : : * [iface@Gio.DatagramBased], presenting a datagram-socket-like API for the
51 : : * encrypted connection. This operates over a base datagram connection, which is
52 : : * also a `GDatagramBased` ([property@Gio.DtlsConnection:base-socket]).
53 : : *
54 : : * To close a DTLS connection, use [method@Gio.DtlsConnection.close].
55 : : *
56 : : * Neither [iface@Gio.DtlsServerConnection] or [iface@Gio.DtlsClientConnection]
57 : : * set the peer address on their base [iface@Gio.DatagramBased] if it is a
58 : : * [class@Gio.Socket] — it is up to the caller to do that if they wish. If they
59 : : * do not, and [method@Gio.Socket.close] is called on the base socket, the
60 : : * `GDtlsConnection` will not raise a `G_IO_ERROR_NOT_CONNECTED` error on
61 : : * further I/O.
62 : : *
63 : : * Since: 2.48
64 : : */
65 : 20 : G_DEFINE_INTERFACE (GDtlsConnection, g_dtls_connection, G_TYPE_DATAGRAM_BASED)
66 : :
67 : : enum {
68 : : ACCEPT_CERTIFICATE,
69 : : LAST_SIGNAL
70 : : };
71 : :
72 : : static guint signals[LAST_SIGNAL] = { 0 };
73 : :
74 : : enum {
75 : : PROP_BASE_SOCKET = 1,
76 : : PROP_REQUIRE_CLOSE_NOTIFY,
77 : : PROP_REHANDSHAKE_MODE,
78 : : PROP_DATABASE,
79 : : PROP_INTERACTION,
80 : : PROP_CERTIFICATE,
81 : : PROP_PEER_CERTIFICATE,
82 : : PROP_PEER_CERTIFICATE_ERRORS,
83 : : PROP_PROTOCOL_VERSION,
84 : : PROP_CIPHERSUITE_NAME,
85 : : };
86 : :
87 : : static void
88 : 3 : g_dtls_connection_default_init (GDtlsConnectionInterface *iface)
89 : : {
90 : : /**
91 : : * GDtlsConnection:base-socket:
92 : : *
93 : : * The #GDatagramBased that the connection wraps. Note that this may be any
94 : : * implementation of #GDatagramBased, not just a #GSocket.
95 : : *
96 : : * Since: 2.48
97 : : */
98 : 3 : g_object_interface_install_property (iface,
99 : : g_param_spec_object ("base-socket", NULL, NULL,
100 : : G_TYPE_DATAGRAM_BASED,
101 : : G_PARAM_READWRITE |
102 : : G_PARAM_CONSTRUCT_ONLY |
103 : : G_PARAM_STATIC_STRINGS));
104 : : /**
105 : : * GDtlsConnection:database: (nullable)
106 : : *
107 : : * The certificate database to use when verifying this TLS connection.
108 : : * If no certificate database is set, then the default database will be
109 : : * used. See g_tls_backend_get_default_database().
110 : : *
111 : : * When using a non-default database, #GDtlsConnection must fall back to using
112 : : * the #GTlsDatabase to perform certificate verification using
113 : : * g_tls_database_verify_chain(), which means certificate verification will
114 : : * not be able to make use of TLS session context. This may be less secure.
115 : : * For example, if you create your own #GTlsDatabase that just wraps the
116 : : * default #GTlsDatabase, you might expect that you have not changed anything,
117 : : * but this is not true because you may have altered the behavior of
118 : : * #GDtlsConnection by causing it to use g_tls_database_verify_chain(). See the
119 : : * documentation of g_tls_database_verify_chain() for more details on specific
120 : : * security checks that may not be performed. Accordingly, setting a
121 : : * non-default database is discouraged except for specialty applications with
122 : : * unusual security requirements.
123 : : *
124 : : * Since: 2.48
125 : : */
126 : 3 : g_object_interface_install_property (iface,
127 : : g_param_spec_object ("database", NULL, NULL,
128 : : G_TYPE_TLS_DATABASE,
129 : : G_PARAM_READWRITE |
130 : : G_PARAM_STATIC_STRINGS));
131 : : /**
132 : : * GDtlsConnection:interaction: (nullable)
133 : : *
134 : : * A #GTlsInteraction object to be used when the connection or certificate
135 : : * database need to interact with the user. This will be used to prompt the
136 : : * user for passwords where necessary.
137 : : *
138 : : * Since: 2.48
139 : : */
140 : 3 : g_object_interface_install_property (iface,
141 : : g_param_spec_object ("interaction", NULL, NULL,
142 : : G_TYPE_TLS_INTERACTION,
143 : : G_PARAM_READWRITE |
144 : : G_PARAM_STATIC_STRINGS));
145 : : /**
146 : : * GDtlsConnection:require-close-notify:
147 : : *
148 : : * Whether or not proper TLS close notification is required.
149 : : * See g_dtls_connection_set_require_close_notify().
150 : : *
151 : : * Since: 2.48
152 : : */
153 : 3 : g_object_interface_install_property (iface,
154 : : g_param_spec_boolean ("require-close-notify", NULL, NULL,
155 : : TRUE,
156 : : G_PARAM_READWRITE |
157 : : G_PARAM_CONSTRUCT |
158 : : G_PARAM_STATIC_STRINGS));
159 : : /**
160 : : * GDtlsConnection:rehandshake-mode:
161 : : *
162 : : * The rehandshaking mode. See
163 : : * g_dtls_connection_set_rehandshake_mode().
164 : : *
165 : : * Since: 2.48
166 : : *
167 : : * Deprecated: 2.60: The rehandshake mode is ignored.
168 : : */
169 : 3 : g_object_interface_install_property (iface,
170 : : g_param_spec_enum ("rehandshake-mode", NULL, NULL,
171 : : G_TYPE_TLS_REHANDSHAKE_MODE,
172 : : G_TLS_REHANDSHAKE_NEVER,
173 : : G_PARAM_READWRITE |
174 : : G_PARAM_CONSTRUCT |
175 : : G_PARAM_STATIC_STRINGS |
176 : : G_PARAM_DEPRECATED));
177 : : /**
178 : : * GDtlsConnection:certificate:
179 : : *
180 : : * The connection's certificate; see
181 : : * g_dtls_connection_set_certificate().
182 : : *
183 : : * Since: 2.48
184 : : */
185 : 3 : g_object_interface_install_property (iface,
186 : : g_param_spec_object ("certificate", NULL, NULL,
187 : : G_TYPE_TLS_CERTIFICATE,
188 : : G_PARAM_READWRITE |
189 : : G_PARAM_STATIC_STRINGS));
190 : : /**
191 : : * GDtlsConnection:peer-certificate: (nullable)
192 : : *
193 : : * The connection's peer's certificate, after the TLS handshake has
194 : : * completed or failed. Note in particular that this is not yet set
195 : : * during the emission of #GDtlsConnection::accept-certificate.
196 : : *
197 : : * (You can watch for a #GObject::notify signal on this property to
198 : : * detect when a handshake has occurred.)
199 : : *
200 : : * Since: 2.48
201 : : */
202 : 3 : g_object_interface_install_property (iface,
203 : : g_param_spec_object ("peer-certificate", NULL, NULL,
204 : : G_TYPE_TLS_CERTIFICATE,
205 : : G_PARAM_READABLE |
206 : : G_PARAM_STATIC_STRINGS));
207 : : /**
208 : : * GDtlsConnection:peer-certificate-errors:
209 : : *
210 : : * The errors noticed while verifying
211 : : * #GDtlsConnection:peer-certificate. Normally this should be 0, but
212 : : * it may not be if #GDtlsClientConnection:validation-flags is not
213 : : * %G_TLS_CERTIFICATE_VALIDATE_ALL, or if
214 : : * #GDtlsConnection::accept-certificate overrode the default
215 : : * behavior.
216 : : *
217 : : * GLib guarantees that if certificate verification fails, at least
218 : : * one error will be set, but it does not guarantee that all possible
219 : : * errors will be set. Accordingly, you may not safely decide to
220 : : * ignore any particular type of error. For example, it would be
221 : : * incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow
222 : : * expired certificates, because this could potentially be the only
223 : : * error flag set even if other problems exist with the certificate.
224 : : *
225 : : * Since: 2.48
226 : : */
227 : 3 : g_object_interface_install_property (iface,
228 : : g_param_spec_flags ("peer-certificate-errors", NULL, NULL,
229 : : G_TYPE_TLS_CERTIFICATE_FLAGS,
230 : : 0,
231 : : G_PARAM_READABLE |
232 : : G_PARAM_STATIC_STRINGS));
233 : : /**
234 : : * GDtlsConnection:advertised-protocols: (nullable)
235 : : *
236 : : * The list of application-layer protocols that the connection
237 : : * advertises that it is willing to speak. See
238 : : * g_dtls_connection_set_advertised_protocols().
239 : : *
240 : : * Since: 2.60
241 : : */
242 : 3 : g_object_interface_install_property (iface,
243 : : g_param_spec_boxed ("advertised-protocols", NULL, NULL,
244 : : G_TYPE_STRV,
245 : : G_PARAM_READWRITE |
246 : : G_PARAM_STATIC_STRINGS));
247 : : /**
248 : : * GDtlsConnection:negotiated-protocol:
249 : : *
250 : : * The application-layer protocol negotiated during the TLS
251 : : * handshake. See g_dtls_connection_get_negotiated_protocol().
252 : : *
253 : : * Since: 2.60
254 : : */
255 : 3 : g_object_interface_install_property (iface,
256 : : g_param_spec_string ("negotiated-protocol", NULL, NULL,
257 : : NULL,
258 : : G_PARAM_READABLE |
259 : : G_PARAM_STATIC_STRINGS));
260 : :
261 : : /**
262 : : * GDtlsConnection:protocol-version:
263 : : *
264 : : * The DTLS protocol version in use. See g_dtls_connection_get_protocol_version().
265 : : *
266 : : * Since: 2.70
267 : : */
268 : 3 : g_object_interface_install_property (iface,
269 : : g_param_spec_enum ("protocol-version", NULL, NULL,
270 : : G_TYPE_TLS_PROTOCOL_VERSION,
271 : : G_TLS_PROTOCOL_VERSION_UNKNOWN,
272 : : G_PARAM_READABLE |
273 : : G_PARAM_STATIC_STRINGS));
274 : :
275 : : /**
276 : : * GDtlsConnection:ciphersuite-name: (nullable)
277 : : *
278 : : * The name of the DTLS ciphersuite in use. See g_dtls_connection_get_ciphersuite_name().
279 : : *
280 : : * Since: 2.70
281 : : */
282 : 3 : g_object_interface_install_property (iface,
283 : : g_param_spec_string ("ciphersuite-name", NULL, NULL,
284 : : NULL,
285 : : G_PARAM_READABLE |
286 : : G_PARAM_STATIC_STRINGS));
287 : :
288 : : /**
289 : : * GDtlsConnection::accept-certificate:
290 : : * @conn: a #GDtlsConnection
291 : : * @peer_cert: the peer's #GTlsCertificate
292 : : * @errors: the problems with @peer_cert.
293 : : *
294 : : * Emitted during the TLS handshake after the peer certificate has
295 : : * been received. You can examine @peer_cert's certification path by
296 : : * calling g_tls_certificate_get_issuer() on it.
297 : : *
298 : : * For a client-side connection, @peer_cert is the server's
299 : : * certificate, and the signal will only be emitted if the
300 : : * certificate was not acceptable according to @conn's
301 : : * #GDtlsClientConnection:validation_flags. If you would like the
302 : : * certificate to be accepted despite @errors, return %TRUE from the
303 : : * signal handler. Otherwise, if no handler accepts the certificate,
304 : : * the handshake will fail with %G_TLS_ERROR_BAD_CERTIFICATE.
305 : : *
306 : : * GLib guarantees that if certificate verification fails, this signal
307 : : * will be emitted with at least one error will be set in @errors, but
308 : : * it does not guarantee that all possible errors will be set.
309 : : * Accordingly, you may not safely decide to ignore any particular
310 : : * type of error. For example, it would be incorrect to ignore
311 : : * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired
312 : : * certificates, because this could potentially be the only error flag
313 : : * set even if other problems exist with the certificate.
314 : : *
315 : : * For a server-side connection, @peer_cert is the certificate
316 : : * presented by the client, if this was requested via the server's
317 : : * #GDtlsServerConnection:authentication_mode. On the server side,
318 : : * the signal is always emitted when the client presents a
319 : : * certificate, and the certificate will only be accepted if a
320 : : * handler returns %TRUE.
321 : : *
322 : : * Note that if this signal is emitted as part of asynchronous I/O
323 : : * in the main thread, then you should not attempt to interact with
324 : : * the user before returning from the signal handler. If you want to
325 : : * let the user decide whether or not to accept the certificate, you
326 : : * would have to return %FALSE from the signal handler on the first
327 : : * attempt, and then after the connection attempt returns a
328 : : * %G_TLS_ERROR_BAD_CERTIFICATE, you can interact with the user, and
329 : : * if the user decides to accept the certificate, remember that fact,
330 : : * create a new connection, and return %TRUE from the signal handler
331 : : * the next time.
332 : : *
333 : : * If you are doing I/O in another thread, you do not
334 : : * need to worry about this, and can simply block in the signal
335 : : * handler until the UI thread returns an answer.
336 : : *
337 : : * Returns: %TRUE to accept @peer_cert (which will also
338 : : * immediately end the signal emission). %FALSE to allow the signal
339 : : * emission to continue, which will cause the handshake to fail if
340 : : * no one else overrides it.
341 : : *
342 : : * Since: 2.48
343 : : */
344 : 3 : signals[ACCEPT_CERTIFICATE] =
345 : 3 : g_signal_new (I_("accept-certificate"),
346 : : G_TYPE_DTLS_CONNECTION,
347 : : G_SIGNAL_RUN_LAST,
348 : : G_STRUCT_OFFSET (GDtlsConnectionInterface, accept_certificate),
349 : : g_signal_accumulator_true_handled, NULL,
350 : : _g_cclosure_marshal_BOOLEAN__OBJECT_FLAGS,
351 : : G_TYPE_BOOLEAN, 2,
352 : : G_TYPE_TLS_CERTIFICATE,
353 : : G_TYPE_TLS_CERTIFICATE_FLAGS);
354 : 3 : g_signal_set_va_marshaller (signals[ACCEPT_CERTIFICATE],
355 : : G_TYPE_FROM_INTERFACE (iface),
356 : : _g_cclosure_marshal_BOOLEAN__OBJECT_FLAGSv);
357 : 3 : }
358 : :
359 : : /**
360 : : * g_dtls_connection_set_database:
361 : : * @conn: a #GDtlsConnection
362 : : * @database: (nullable): a #GTlsDatabase
363 : : *
364 : : * Sets the certificate database that is used to verify peer certificates.
365 : : * This is set to the default database by default. See
366 : : * g_tls_backend_get_default_database(). If set to %NULL, then
367 : : * peer certificate validation will always set the
368 : : * %G_TLS_CERTIFICATE_UNKNOWN_CA error (meaning
369 : : * #GDtlsConnection::accept-certificate will always be emitted on
370 : : * client-side connections, unless that bit is not set in
371 : : * #GDtlsClientConnection:validation-flags).
372 : : *
373 : : * There are nonintuitive security implications when using a non-default
374 : : * database. See #GDtlsConnection:database for details.
375 : : *
376 : : * Since: 2.48
377 : : */
378 : : void
379 : 0 : g_dtls_connection_set_database (GDtlsConnection *conn,
380 : : GTlsDatabase *database)
381 : : {
382 : 0 : g_return_if_fail (G_IS_DTLS_CONNECTION (conn));
383 : 0 : g_return_if_fail (database == NULL || G_IS_TLS_DATABASE (database));
384 : :
385 : 0 : g_object_set (G_OBJECT (conn),
386 : : "database", database,
387 : : NULL);
388 : : }
389 : :
390 : : /**
391 : : * g_dtls_connection_get_database:
392 : : * @conn: a #GDtlsConnection
393 : : *
394 : : * Gets the certificate database that @conn uses to verify
395 : : * peer certificates. See g_dtls_connection_set_database().
396 : : *
397 : : * Returns: (transfer none) (nullable): the certificate database that @conn uses or %NULL
398 : : *
399 : : * Since: 2.48
400 : : */
401 : : GTlsDatabase*
402 : 0 : g_dtls_connection_get_database (GDtlsConnection *conn)
403 : : {
404 : 0 : GTlsDatabase *database = NULL;
405 : :
406 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL);
407 : :
408 : 0 : g_object_get (G_OBJECT (conn),
409 : : "database", &database,
410 : : NULL);
411 : 0 : if (database)
412 : 0 : g_object_unref (database);
413 : 0 : return database;
414 : : }
415 : :
416 : : /**
417 : : * g_dtls_connection_set_certificate:
418 : : * @conn: a #GDtlsConnection
419 : : * @certificate: the certificate to use for @conn
420 : : *
421 : : * This sets the certificate that @conn will present to its peer
422 : : * during the TLS handshake. For a #GDtlsServerConnection, it is
423 : : * mandatory to set this, and that will normally be done at construct
424 : : * time.
425 : : *
426 : : * For a #GDtlsClientConnection, this is optional. If a handshake fails
427 : : * with %G_TLS_ERROR_CERTIFICATE_REQUIRED, that means that the server
428 : : * requires a certificate, and if you try connecting again, you should
429 : : * call this method first. You can call
430 : : * g_dtls_client_connection_get_accepted_cas() on the failed connection
431 : : * to get a list of Certificate Authorities that the server will
432 : : * accept certificates from.
433 : : *
434 : : * (It is also possible that a server will allow the connection with
435 : : * or without a certificate; in that case, if you don't provide a
436 : : * certificate, you can tell that the server requested one by the fact
437 : : * that g_dtls_client_connection_get_accepted_cas() will return
438 : : * non-%NULL.)
439 : : *
440 : : * Since: 2.48
441 : : */
442 : : void
443 : 0 : g_dtls_connection_set_certificate (GDtlsConnection *conn,
444 : : GTlsCertificate *certificate)
445 : : {
446 : 0 : g_return_if_fail (G_IS_DTLS_CONNECTION (conn));
447 : 0 : g_return_if_fail (G_IS_TLS_CERTIFICATE (certificate));
448 : :
449 : 0 : g_object_set (G_OBJECT (conn), "certificate", certificate, NULL);
450 : : }
451 : :
452 : : /**
453 : : * g_dtls_connection_get_certificate:
454 : : * @conn: a #GDtlsConnection
455 : : *
456 : : * Gets @conn's certificate, as set by
457 : : * g_dtls_connection_set_certificate().
458 : : *
459 : : * Returns: (transfer none) (nullable): @conn's certificate, or %NULL
460 : : *
461 : : * Since: 2.48
462 : : */
463 : : GTlsCertificate *
464 : 0 : g_dtls_connection_get_certificate (GDtlsConnection *conn)
465 : : {
466 : : GTlsCertificate *certificate;
467 : :
468 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL);
469 : :
470 : 0 : g_object_get (G_OBJECT (conn), "certificate", &certificate, NULL);
471 : 0 : if (certificate)
472 : 0 : g_object_unref (certificate);
473 : :
474 : 0 : return certificate;
475 : : }
476 : :
477 : : /**
478 : : * g_dtls_connection_set_interaction:
479 : : * @conn: a connection
480 : : * @interaction: (nullable): an interaction object, or %NULL
481 : : *
482 : : * Set the object that will be used to interact with the user. It will be used
483 : : * for things like prompting the user for passwords.
484 : : *
485 : : * The @interaction argument will normally be a derived subclass of
486 : : * #GTlsInteraction. %NULL can also be provided if no user interaction
487 : : * should occur for this connection.
488 : : *
489 : : * Since: 2.48
490 : : */
491 : : void
492 : 0 : g_dtls_connection_set_interaction (GDtlsConnection *conn,
493 : : GTlsInteraction *interaction)
494 : : {
495 : 0 : g_return_if_fail (G_IS_DTLS_CONNECTION (conn));
496 : 0 : g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction));
497 : :
498 : 0 : g_object_set (G_OBJECT (conn), "interaction", interaction, NULL);
499 : : }
500 : :
501 : : /**
502 : : * g_dtls_connection_get_interaction:
503 : : * @conn: a connection
504 : : *
505 : : * Get the object that will be used to interact with the user. It will be used
506 : : * for things like prompting the user for passwords. If %NULL is returned, then
507 : : * no user interaction will occur for this connection.
508 : : *
509 : : * Returns: (transfer none) (nullable): The interaction object.
510 : : *
511 : : * Since: 2.48
512 : : */
513 : : GTlsInteraction *
514 : 0 : g_dtls_connection_get_interaction (GDtlsConnection *conn)
515 : : {
516 : 0 : GTlsInteraction *interaction = NULL;
517 : :
518 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL);
519 : :
520 : 0 : g_object_get (G_OBJECT (conn), "interaction", &interaction, NULL);
521 : 0 : if (interaction)
522 : 0 : g_object_unref (interaction);
523 : :
524 : 0 : return interaction;
525 : : }
526 : :
527 : : /**
528 : : * g_dtls_connection_get_peer_certificate:
529 : : * @conn: a #GDtlsConnection
530 : : *
531 : : * Gets @conn's peer's certificate after the handshake has completed
532 : : * or failed. (It is not set during the emission of
533 : : * #GDtlsConnection::accept-certificate.)
534 : : *
535 : : * Returns: (transfer none) (nullable): @conn's peer's certificate, or %NULL
536 : : *
537 : : * Since: 2.48
538 : : */
539 : : GTlsCertificate *
540 : 0 : g_dtls_connection_get_peer_certificate (GDtlsConnection *conn)
541 : : {
542 : : GTlsCertificate *peer_certificate;
543 : :
544 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL);
545 : :
546 : 0 : g_object_get (G_OBJECT (conn), "peer-certificate", &peer_certificate, NULL);
547 : 0 : if (peer_certificate)
548 : 0 : g_object_unref (peer_certificate);
549 : :
550 : 0 : return peer_certificate;
551 : : }
552 : :
553 : : /**
554 : : * g_dtls_connection_get_peer_certificate_errors:
555 : : * @conn: a #GDtlsConnection
556 : : *
557 : : * Gets the errors associated with validating @conn's peer's
558 : : * certificate, after the handshake has completed or failed. (It is
559 : : * not set during the emission of #GDtlsConnection::accept-certificate.)
560 : : *
561 : : * Returns: @conn's peer's certificate errors
562 : : *
563 : : * Since: 2.48
564 : : */
565 : : GTlsCertificateFlags
566 : 0 : g_dtls_connection_get_peer_certificate_errors (GDtlsConnection *conn)
567 : : {
568 : : GTlsCertificateFlags errors;
569 : :
570 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), 0);
571 : :
572 : 0 : g_object_get (G_OBJECT (conn), "peer-certificate-errors", &errors, NULL);
573 : 0 : return errors;
574 : : }
575 : :
576 : : /**
577 : : * g_dtls_connection_set_require_close_notify:
578 : : * @conn: a #GDtlsConnection
579 : : * @require_close_notify: whether or not to require close notification
580 : : *
581 : : * Sets whether or not @conn expects a proper TLS close notification
582 : : * before the connection is closed. If this is %TRUE (the default),
583 : : * then @conn will expect to receive a TLS close notification from its
584 : : * peer before the connection is closed, and will return a
585 : : * %G_TLS_ERROR_EOF error if the connection is closed without proper
586 : : * notification (since this may indicate a network error, or
587 : : * man-in-the-middle attack).
588 : : *
589 : : * In some protocols, the application will know whether or not the
590 : : * connection was closed cleanly based on application-level data
591 : : * (because the application-level data includes a length field, or is
592 : : * somehow self-delimiting); in this case, the close notify is
593 : : * redundant and may be omitted. You
594 : : * can use g_dtls_connection_set_require_close_notify() to tell @conn
595 : : * to allow an "unannounced" connection close, in which case the close
596 : : * will show up as a 0-length read, as in a non-TLS
597 : : * #GDatagramBased, and it is up to the application to check that
598 : : * the data has been fully received.
599 : : *
600 : : * Note that this only affects the behavior when the peer closes the
601 : : * connection; when the application calls g_dtls_connection_close_async() on
602 : : * @conn itself, this will send a close notification regardless of the
603 : : * setting of this property. If you explicitly want to do an unclean
604 : : * close, you can close @conn's #GDtlsConnection:base-socket rather
605 : : * than closing @conn itself.
606 : : *
607 : : * Since: 2.48
608 : : */
609 : : void
610 : 0 : g_dtls_connection_set_require_close_notify (GDtlsConnection *conn,
611 : : gboolean require_close_notify)
612 : : {
613 : 0 : g_return_if_fail (G_IS_DTLS_CONNECTION (conn));
614 : :
615 : 0 : g_object_set (G_OBJECT (conn),
616 : : "require-close-notify", require_close_notify,
617 : : NULL);
618 : : }
619 : :
620 : : /**
621 : : * g_dtls_connection_get_require_close_notify:
622 : : * @conn: a #GDtlsConnection
623 : : *
624 : : * Tests whether or not @conn expects a proper TLS close notification
625 : : * when the connection is closed. See
626 : : * g_dtls_connection_set_require_close_notify() for details.
627 : : *
628 : : * Returns: %TRUE if @conn requires a proper TLS close notification.
629 : : *
630 : : * Since: 2.48
631 : : */
632 : : gboolean
633 : 0 : g_dtls_connection_get_require_close_notify (GDtlsConnection *conn)
634 : : {
635 : : gboolean require_close_notify;
636 : :
637 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), TRUE);
638 : :
639 : 0 : g_object_get (G_OBJECT (conn),
640 : : "require-close-notify", &require_close_notify,
641 : : NULL);
642 : 0 : return require_close_notify;
643 : : }
644 : :
645 : : /**
646 : : * g_dtls_connection_set_rehandshake_mode:
647 : : * @conn: a #GDtlsConnection
648 : : * @mode: the rehandshaking mode
649 : : *
650 : : * Since GLib 2.64, changing the rehandshake mode is no longer supported
651 : : * and will have no effect. With TLS 1.3, rehandshaking has been removed from
652 : : * the TLS protocol, replaced by separate post-handshake authentication and
653 : : * rekey operations.
654 : : *
655 : : * Since: 2.48
656 : : *
657 : : * Deprecated: 2.60. Changing the rehandshake mode is no longer
658 : : * required for compatibility. Also, rehandshaking has been removed
659 : : * from the TLS protocol in TLS 1.3.
660 : : */
661 : : G_GNUC_BEGIN_IGNORE_DEPRECATIONS
662 : : void
663 : 0 : g_dtls_connection_set_rehandshake_mode (GDtlsConnection *conn,
664 : : GTlsRehandshakeMode mode)
665 : : {
666 : 0 : g_return_if_fail (G_IS_DTLS_CONNECTION (conn));
667 : :
668 : 0 : g_object_set (G_OBJECT (conn),
669 : : "rehandshake-mode", G_TLS_REHANDSHAKE_SAFELY,
670 : : NULL);
671 : : }
672 : : G_GNUC_END_IGNORE_DEPRECATIONS
673 : :
674 : : /**
675 : : * g_dtls_connection_get_rehandshake_mode:
676 : : * @conn: a #GDtlsConnection
677 : : *
678 : : * Gets @conn rehandshaking mode. See
679 : : * g_dtls_connection_set_rehandshake_mode() for details.
680 : : *
681 : : * Returns: %G_TLS_REHANDSHAKE_SAFELY
682 : : *
683 : : * Since: 2.48
684 : : *
685 : : * Deprecated: 2.64. Changing the rehandshake mode is no longer
686 : : * required for compatibility. Also, rehandshaking has been removed
687 : : * from the TLS protocol in TLS 1.3.
688 : : */
689 : : G_GNUC_BEGIN_IGNORE_DEPRECATIONS
690 : : GTlsRehandshakeMode
691 : 0 : g_dtls_connection_get_rehandshake_mode (GDtlsConnection *conn)
692 : : {
693 : : GTlsRehandshakeMode mode;
694 : :
695 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), G_TLS_REHANDSHAKE_SAFELY);
696 : :
697 : : /* Continue to call g_object_get(), even though the return value is
698 : : * ignored, so that behavior doesn’t change for derived classes.
699 : : */
700 : 0 : g_object_get (G_OBJECT (conn),
701 : : "rehandshake-mode", &mode,
702 : : NULL);
703 : 0 : return G_TLS_REHANDSHAKE_SAFELY;
704 : : }
705 : : G_GNUC_END_IGNORE_DEPRECATIONS
706 : :
707 : : /**
708 : : * g_dtls_connection_handshake:
709 : : * @conn: a #GDtlsConnection
710 : : * @cancellable: (nullable): a #GCancellable, or %NULL
711 : : * @error: a #GError, or %NULL
712 : : *
713 : : * Attempts a TLS handshake on @conn.
714 : : *
715 : : * On the client side, it is never necessary to call this method;
716 : : * although the connection needs to perform a handshake after
717 : : * connecting, #GDtlsConnection will handle this for you automatically
718 : : * when you try to send or receive data on the connection. You can call
719 : : * g_dtls_connection_handshake() manually if you want to know whether
720 : : * the initial handshake succeeded or failed (as opposed to just
721 : : * immediately trying to use @conn to read or write, in which case,
722 : : * if it fails, it may not be possible to tell if it failed before
723 : : * or after completing the handshake), but beware that servers may reject
724 : : * client authentication after the handshake has completed, so a
725 : : * successful handshake does not indicate the connection will be usable.
726 : : *
727 : : * Likewise, on the server side, although a handshake is necessary at
728 : : * the beginning of the communication, you do not need to call this
729 : : * function explicitly unless you want clearer error reporting.
730 : : *
731 : : * Previously, calling g_dtls_connection_handshake() after the initial
732 : : * handshake would trigger a rehandshake; however, this usage was
733 : : * deprecated in GLib 2.60 because rehandshaking was removed from the
734 : : * TLS protocol in TLS 1.3. Since GLib 2.64, calling this function after
735 : : * the initial handshake will no longer do anything.
736 : : *
737 : : * #GDtlsConnection::accept_certificate may be emitted during the
738 : : * handshake.
739 : : *
740 : : * Returns: success or failure
741 : : *
742 : : * Since: 2.48
743 : : */
744 : : gboolean
745 : 0 : g_dtls_connection_handshake (GDtlsConnection *conn,
746 : : GCancellable *cancellable,
747 : : GError **error)
748 : : {
749 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE);
750 : :
751 : 0 : return G_DTLS_CONNECTION_GET_INTERFACE (conn)->handshake (conn, cancellable,
752 : : error);
753 : : }
754 : :
755 : : /**
756 : : * g_dtls_connection_handshake_async:
757 : : * @conn: a #GDtlsConnection
758 : : * @io_priority: the [I/O priority](iface.AsyncResult.html#io-priority) of the request
759 : : * @cancellable: (nullable): a #GCancellable, or %NULL
760 : : * @callback: callback to call when the handshake is complete
761 : : * @user_data: the data to pass to the callback function
762 : : *
763 : : * Asynchronously performs a TLS handshake on @conn. See
764 : : * g_dtls_connection_handshake() for more information.
765 : : *
766 : : * Since: 2.48
767 : : */
768 : : void
769 : 0 : g_dtls_connection_handshake_async (GDtlsConnection *conn,
770 : : int io_priority,
771 : : GCancellable *cancellable,
772 : : GAsyncReadyCallback callback,
773 : : gpointer user_data)
774 : : {
775 : 0 : g_return_if_fail (G_IS_DTLS_CONNECTION (conn));
776 : :
777 : 0 : G_DTLS_CONNECTION_GET_INTERFACE (conn)->handshake_async (conn, io_priority,
778 : : cancellable,
779 : : callback, user_data);
780 : : }
781 : :
782 : : /**
783 : : * g_dtls_connection_handshake_finish:
784 : : * @conn: a #GDtlsConnection
785 : : * @result: a #GAsyncResult.
786 : : * @error: a #GError pointer, or %NULL
787 : : *
788 : : * Finish an asynchronous TLS handshake operation. See
789 : : * g_dtls_connection_handshake() for more information.
790 : : *
791 : : * Returns: %TRUE on success, %FALSE on failure, in which
792 : : * case @error will be set.
793 : : *
794 : : * Since: 2.48
795 : : */
796 : : gboolean
797 : 0 : g_dtls_connection_handshake_finish (GDtlsConnection *conn,
798 : : GAsyncResult *result,
799 : : GError **error)
800 : : {
801 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE);
802 : :
803 : 0 : return G_DTLS_CONNECTION_GET_INTERFACE (conn)->handshake_finish (conn,
804 : : result,
805 : : error);
806 : : }
807 : :
808 : : /**
809 : : * g_dtls_connection_shutdown:
810 : : * @conn: a #GDtlsConnection
811 : : * @shutdown_read: %TRUE to stop reception of incoming datagrams
812 : : * @shutdown_write: %TRUE to stop sending outgoing datagrams
813 : : * @cancellable: (nullable): a #GCancellable, or %NULL
814 : : * @error: a #GError, or %NULL
815 : : *
816 : : * Shut down part or all of a DTLS connection.
817 : : *
818 : : * If @shutdown_read is %TRUE then the receiving side of the connection is shut
819 : : * down, and further reading is disallowed. Subsequent calls to
820 : : * g_datagram_based_receive_messages() will return %G_IO_ERROR_CLOSED.
821 : : *
822 : : * If @shutdown_write is %TRUE then the sending side of the connection is shut
823 : : * down, and further writing is disallowed. Subsequent calls to
824 : : * g_datagram_based_send_messages() will return %G_IO_ERROR_CLOSED.
825 : : *
826 : : * It is allowed for both @shutdown_read and @shutdown_write to be TRUE — this
827 : : * is equivalent to calling g_dtls_connection_close().
828 : : *
829 : : * If @cancellable is cancelled, the #GDtlsConnection may be left
830 : : * partially-closed and any pending untransmitted data may be lost. Call
831 : : * g_dtls_connection_shutdown() again to complete closing the #GDtlsConnection.
832 : : *
833 : : * Returns: %TRUE on success, %FALSE otherwise
834 : : *
835 : : * Since: 2.48
836 : : */
837 : : gboolean
838 : 0 : g_dtls_connection_shutdown (GDtlsConnection *conn,
839 : : gboolean shutdown_read,
840 : : gboolean shutdown_write,
841 : : GCancellable *cancellable,
842 : : GError **error)
843 : : {
844 : : GDtlsConnectionInterface *iface;
845 : :
846 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE);
847 : 0 : g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable),
848 : : FALSE);
849 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
850 : :
851 : 0 : if (!shutdown_read && !shutdown_write)
852 : 0 : return TRUE;
853 : :
854 : 0 : iface = G_DTLS_CONNECTION_GET_INTERFACE (conn);
855 : 0 : g_assert (iface->shutdown != NULL);
856 : :
857 : 0 : return iface->shutdown (conn, shutdown_read, shutdown_write,
858 : : cancellable, error);
859 : : }
860 : :
861 : : /**
862 : : * g_dtls_connection_shutdown_async:
863 : : * @conn: a #GDtlsConnection
864 : : * @shutdown_read: %TRUE to stop reception of incoming datagrams
865 : : * @shutdown_write: %TRUE to stop sending outgoing datagrams
866 : : * @io_priority: the [I/O priority](iface.AsyncResult.html#io-priority) of the request
867 : : * @cancellable: (nullable): a #GCancellable, or %NULL
868 : : * @callback: callback to call when the shutdown operation is complete
869 : : * @user_data: the data to pass to the callback function
870 : : *
871 : : * Asynchronously shut down part or all of the DTLS connection. See
872 : : * g_dtls_connection_shutdown() for more information.
873 : : *
874 : : * Since: 2.48
875 : : */
876 : : void
877 : 0 : g_dtls_connection_shutdown_async (GDtlsConnection *conn,
878 : : gboolean shutdown_read,
879 : : gboolean shutdown_write,
880 : : int io_priority,
881 : : GCancellable *cancellable,
882 : : GAsyncReadyCallback callback,
883 : : gpointer user_data)
884 : : {
885 : : GDtlsConnectionInterface *iface;
886 : :
887 : 0 : g_return_if_fail (G_IS_DTLS_CONNECTION (conn));
888 : 0 : g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
889 : :
890 : 0 : iface = G_DTLS_CONNECTION_GET_INTERFACE (conn);
891 : 0 : g_assert (iface->shutdown_async != NULL);
892 : :
893 : 0 : iface->shutdown_async (conn, TRUE, TRUE, io_priority, cancellable,
894 : : callback, user_data);
895 : : }
896 : :
897 : : /**
898 : : * g_dtls_connection_shutdown_finish:
899 : : * @conn: a #GDtlsConnection
900 : : * @result: a #GAsyncResult
901 : : * @error: a #GError pointer, or %NULL
902 : : *
903 : : * Finish an asynchronous TLS shutdown operation. See
904 : : * g_dtls_connection_shutdown() for more information.
905 : : *
906 : : * Returns: %TRUE on success, %FALSE on failure, in which
907 : : * case @error will be set
908 : : *
909 : : * Since: 2.48
910 : : */
911 : : gboolean
912 : 0 : g_dtls_connection_shutdown_finish (GDtlsConnection *conn,
913 : : GAsyncResult *result,
914 : : GError **error)
915 : : {
916 : : GDtlsConnectionInterface *iface;
917 : :
918 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE);
919 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
920 : :
921 : 0 : iface = G_DTLS_CONNECTION_GET_INTERFACE (conn);
922 : 0 : g_assert (iface->shutdown_finish != NULL);
923 : :
924 : 0 : return iface->shutdown_finish (conn, result, error);
925 : : }
926 : :
927 : : /**
928 : : * g_dtls_connection_close:
929 : : * @conn: a #GDtlsConnection
930 : : * @cancellable: (nullable): a #GCancellable, or %NULL
931 : : * @error: a #GError, or %NULL
932 : : *
933 : : * Close the DTLS connection. This is equivalent to calling
934 : : * g_dtls_connection_shutdown() to shut down both sides of the connection.
935 : : *
936 : : * Closing a #GDtlsConnection waits for all buffered but untransmitted data to
937 : : * be sent before it completes. It then sends a `close_notify` DTLS alert to the
938 : : * peer and may wait for a `close_notify` to be received from the peer. It does
939 : : * not close the underlying #GDtlsConnection:base-socket; that must be closed
940 : : * separately.
941 : : *
942 : : * Once @conn is closed, all other operations will return %G_IO_ERROR_CLOSED.
943 : : * Closing a #GDtlsConnection multiple times will not return an error.
944 : : *
945 : : * #GDtlsConnections will be automatically closed when the last reference is
946 : : * dropped, but you might want to call this function to make sure resources are
947 : : * released as early as possible.
948 : : *
949 : : * If @cancellable is cancelled, the #GDtlsConnection may be left
950 : : * partially-closed and any pending untransmitted data may be lost. Call
951 : : * g_dtls_connection_close() again to complete closing the #GDtlsConnection.
952 : : *
953 : : * Returns: %TRUE on success, %FALSE otherwise
954 : : *
955 : : * Since: 2.48
956 : : */
957 : : gboolean
958 : 0 : g_dtls_connection_close (GDtlsConnection *conn,
959 : : GCancellable *cancellable,
960 : : GError **error)
961 : : {
962 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE);
963 : 0 : g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable),
964 : : FALSE);
965 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
966 : :
967 : 0 : return G_DTLS_CONNECTION_GET_INTERFACE (conn)->shutdown (conn, TRUE, TRUE,
968 : : cancellable, error);
969 : : }
970 : :
971 : : /**
972 : : * g_dtls_connection_close_async:
973 : : * @conn: a #GDtlsConnection
974 : : * @io_priority: the [I/O priority](iface.AsyncResult.html#io-priority) of the request
975 : : * @cancellable: (nullable): a #GCancellable, or %NULL
976 : : * @callback: callback to call when the close operation is complete
977 : : * @user_data: the data to pass to the callback function
978 : : *
979 : : * Asynchronously close the DTLS connection. See g_dtls_connection_close() for
980 : : * more information.
981 : : *
982 : : * Since: 2.48
983 : : */
984 : : void
985 : 0 : g_dtls_connection_close_async (GDtlsConnection *conn,
986 : : int io_priority,
987 : : GCancellable *cancellable,
988 : : GAsyncReadyCallback callback,
989 : : gpointer user_data)
990 : : {
991 : 0 : g_return_if_fail (G_IS_DTLS_CONNECTION (conn));
992 : 0 : g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable));
993 : :
994 : 0 : G_DTLS_CONNECTION_GET_INTERFACE (conn)->shutdown_async (conn, TRUE, TRUE,
995 : : io_priority,
996 : : cancellable,
997 : : callback, user_data);
998 : : }
999 : :
1000 : : /**
1001 : : * g_dtls_connection_close_finish:
1002 : : * @conn: a #GDtlsConnection
1003 : : * @result: a #GAsyncResult
1004 : : * @error: a #GError pointer, or %NULL
1005 : : *
1006 : : * Finish an asynchronous TLS close operation. See g_dtls_connection_close()
1007 : : * for more information.
1008 : : *
1009 : : * Returns: %TRUE on success, %FALSE on failure, in which
1010 : : * case @error will be set
1011 : : *
1012 : : * Since: 2.48
1013 : : */
1014 : : gboolean
1015 : 0 : g_dtls_connection_close_finish (GDtlsConnection *conn,
1016 : : GAsyncResult *result,
1017 : : GError **error)
1018 : : {
1019 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE);
1020 : 0 : g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
1021 : :
1022 : 0 : return G_DTLS_CONNECTION_GET_INTERFACE (conn)->shutdown_finish (conn, result,
1023 : : error);
1024 : : }
1025 : :
1026 : : /**
1027 : : * g_dtls_connection_emit_accept_certificate:
1028 : : * @conn: a #GDtlsConnection
1029 : : * @peer_cert: the peer's #GTlsCertificate
1030 : : * @errors: the problems with @peer_cert
1031 : : *
1032 : : * Used by #GDtlsConnection implementations to emit the
1033 : : * #GDtlsConnection::accept-certificate signal.
1034 : : *
1035 : : * Returns: %TRUE if one of the signal handlers has returned
1036 : : * %TRUE to accept @peer_cert
1037 : : *
1038 : : * Since: 2.48
1039 : : */
1040 : : gboolean
1041 : 0 : g_dtls_connection_emit_accept_certificate (GDtlsConnection *conn,
1042 : : GTlsCertificate *peer_cert,
1043 : : GTlsCertificateFlags errors)
1044 : : {
1045 : 0 : gboolean accept = FALSE;
1046 : :
1047 : 0 : g_signal_emit (conn, signals[ACCEPT_CERTIFICATE], 0,
1048 : : peer_cert, errors, &accept);
1049 : 0 : return accept;
1050 : : }
1051 : :
1052 : : /**
1053 : : * g_dtls_connection_set_advertised_protocols:
1054 : : * @conn: a #GDtlsConnection
1055 : : * @protocols: (array zero-terminated=1) (nullable): a %NULL-terminated
1056 : : * array of ALPN protocol names (eg, "http/1.1", "h2"), or %NULL
1057 : : *
1058 : : * Sets the list of application-layer protocols to advertise that the
1059 : : * caller is willing to speak on this connection. The
1060 : : * Application-Layer Protocol Negotiation (ALPN) extension will be
1061 : : * used to negotiate a compatible protocol with the peer; use
1062 : : * g_dtls_connection_get_negotiated_protocol() to find the negotiated
1063 : : * protocol after the handshake. Specifying %NULL for the the value
1064 : : * of @protocols will disable ALPN negotiation.
1065 : : *
1066 : : * See [IANA TLS ALPN Protocol IDs](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids)
1067 : : * for a list of registered protocol IDs.
1068 : : *
1069 : : * Since: 2.60
1070 : : */
1071 : : void
1072 : 0 : g_dtls_connection_set_advertised_protocols (GDtlsConnection *conn,
1073 : : const gchar * const *protocols)
1074 : : {
1075 : : GDtlsConnectionInterface *iface;
1076 : :
1077 : 0 : iface = G_DTLS_CONNECTION_GET_INTERFACE (conn);
1078 : 0 : if (iface->set_advertised_protocols == NULL)
1079 : 0 : return;
1080 : :
1081 : 0 : iface->set_advertised_protocols (conn, protocols);
1082 : : }
1083 : :
1084 : : /**
1085 : : * g_dtls_connection_get_negotiated_protocol:
1086 : : * @conn: a #GDtlsConnection
1087 : : *
1088 : : * Gets the name of the application-layer protocol negotiated during
1089 : : * the handshake.
1090 : : *
1091 : : * If the peer did not use the ALPN extension, or did not advertise a
1092 : : * protocol that matched one of @conn's protocols, or the TLS backend
1093 : : * does not support ALPN, then this will be %NULL. See
1094 : : * g_dtls_connection_set_advertised_protocols().
1095 : : *
1096 : : * Returns: (nullable): the negotiated protocol, or %NULL
1097 : : *
1098 : : * Since: 2.60
1099 : : */
1100 : : const gchar *
1101 : 0 : g_dtls_connection_get_negotiated_protocol (GDtlsConnection *conn)
1102 : : {
1103 : : GDtlsConnectionInterface *iface;
1104 : :
1105 : 0 : iface = G_DTLS_CONNECTION_GET_INTERFACE (conn);
1106 : 0 : if (iface->get_negotiated_protocol == NULL)
1107 : 0 : return NULL;
1108 : :
1109 : 0 : return iface->get_negotiated_protocol (conn);
1110 : : }
1111 : :
1112 : : /**
1113 : : * g_dtls_connection_get_channel_binding_data:
1114 : : * @conn: a #GDtlsConnection
1115 : : * @type: #GTlsChannelBindingType type of data to fetch
1116 : : * @data: (out callee-allocates)(optional)(transfer none): #GByteArray is
1117 : : * filled with the binding data, or %NULL
1118 : : * @error: a #GError pointer, or %NULL
1119 : : *
1120 : : * Query the TLS backend for TLS channel binding data of @type for @conn.
1121 : : *
1122 : : * This call retrieves TLS channel binding data as specified in RFC
1123 : : * [5056](https://tools.ietf.org/html/rfc5056), RFC
1124 : : * [5929](https://tools.ietf.org/html/rfc5929), and related RFCs. The
1125 : : * binding data is returned in @data. The @data is resized by the callee
1126 : : * using #GByteArray buffer management and will be freed when the @data
1127 : : * is destroyed by g_byte_array_unref(). If @data is %NULL, it will only
1128 : : * check whether TLS backend is able to fetch the data (e.g. whether @type
1129 : : * is supported by the TLS backend). It does not guarantee that the data
1130 : : * will be available though. That could happen if TLS connection does not
1131 : : * support @type or the binding data is not available yet due to additional
1132 : : * negotiation or input required.
1133 : : *
1134 : : * Returns: %TRUE on success, %FALSE otherwise
1135 : : *
1136 : : * Since: 2.66
1137 : : */
1138 : : gboolean
1139 : 2 : g_dtls_connection_get_channel_binding_data (GDtlsConnection *conn,
1140 : : GTlsChannelBindingType type,
1141 : : GByteArray *data,
1142 : : GError **error)
1143 : : {
1144 : : GDtlsConnectionInterface *iface;
1145 : :
1146 : 2 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE);
1147 : 2 : g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
1148 : :
1149 : 2 : iface = G_DTLS_CONNECTION_GET_INTERFACE (conn);
1150 : 2 : if (iface->get_binding_data == NULL)
1151 : : {
1152 : 2 : g_set_error_literal (error, G_TLS_CHANNEL_BINDING_ERROR,
1153 : : G_TLS_CHANNEL_BINDING_ERROR_NOT_IMPLEMENTED,
1154 : : _("TLS backend does not implement TLS binding retrieval"));
1155 : 2 : return FALSE;
1156 : : }
1157 : :
1158 : 0 : return iface->get_binding_data (conn, type, data, error);
1159 : : }
1160 : :
1161 : : /**
1162 : : * g_dtls_connection_get_protocol_version:
1163 : : * @conn: a #GDTlsConnection
1164 : : *
1165 : : * Returns the current DTLS protocol version, which may be
1166 : : * %G_TLS_PROTOCOL_VERSION_UNKNOWN if the connection has not handshaked, or
1167 : : * has been closed, or if the TLS backend has implemented a protocol version
1168 : : * that is not a recognized #GTlsProtocolVersion.
1169 : : *
1170 : : * Returns: The current DTLS protocol version
1171 : : *
1172 : : * Since: 2.70
1173 : : */
1174 : : GTlsProtocolVersion
1175 : 0 : g_dtls_connection_get_protocol_version (GDtlsConnection *conn)
1176 : : {
1177 : : GTlsProtocolVersion protocol_version;
1178 : : GEnumClass *enum_class;
1179 : : GEnumValue *enum_value;
1180 : :
1181 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), G_TLS_PROTOCOL_VERSION_UNKNOWN);
1182 : :
1183 : 0 : g_object_get (G_OBJECT (conn),
1184 : : "protocol-version", &protocol_version,
1185 : : NULL);
1186 : :
1187 : : /* Convert unknown values to G_TLS_PROTOCOL_VERSION_UNKNOWN. */
1188 : 0 : enum_class = g_type_class_peek_static (G_TYPE_TLS_PROTOCOL_VERSION);
1189 : 0 : enum_value = g_enum_get_value (enum_class, protocol_version);
1190 : 0 : return enum_value ? protocol_version : G_TLS_PROTOCOL_VERSION_UNKNOWN;
1191 : : }
1192 : :
1193 : : /**
1194 : : * g_dtls_connection_get_ciphersuite_name:
1195 : : * @conn: a #GDTlsConnection
1196 : : *
1197 : : * Returns the name of the current DTLS ciphersuite, or %NULL if the
1198 : : * connection has not handshaked or has been closed. Beware that the TLS
1199 : : * backend may use any of multiple different naming conventions, because
1200 : : * OpenSSL and GnuTLS have their own ciphersuite naming conventions that
1201 : : * are different from each other and different from the standard, IANA-
1202 : : * registered ciphersuite names. The ciphersuite name is intended to be
1203 : : * displayed to the user for informative purposes only, and parsing it
1204 : : * is not recommended.
1205 : : *
1206 : : * Returns: (nullable): The name of the current DTLS ciphersuite, or %NULL
1207 : : *
1208 : : * Since: 2.70
1209 : : */
1210 : : gchar *
1211 : 0 : g_dtls_connection_get_ciphersuite_name (GDtlsConnection *conn)
1212 : : {
1213 : : gchar *ciphersuite_name;
1214 : :
1215 : 0 : g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL);
1216 : :
1217 : 0 : g_object_get (G_OBJECT (conn),
1218 : : "ciphersuite-name", &ciphersuite_name,
1219 : : NULL);
1220 : :
1221 : 0 : return g_steal_pointer (&ciphersuite_name);
1222 : : }
|