LCOV - code coverage report
Current view: top level - gio - gtlsclientconnection.c (source / functions) Coverage Total Hit
Test: unnamed Lines: 14.9 % 47 7
Test Date: 2024-11-26 05:23:01 Functions: 18.2 % 11 2
Branches: - 0 0

             Branch data     Line data    Source code
       1                 :             : /* GIO - GLib Input, Output and Streaming Library
       2                 :             :  *
       3                 :             :  * Copyright © 2010 Red Hat, Inc
       4                 :             :  *
       5                 :             :  * SPDX-License-Identifier: LGPL-2.1-or-later
       6                 :             :  *
       7                 :             :  * This library is free software; you can redistribute it and/or
       8                 :             :  * modify it under the terms of the GNU Lesser General Public
       9                 :             :  * License as published by the Free Software Foundation; either
      10                 :             :  * version 2.1 of the License, or (at your option) any later version.
      11                 :             :  *
      12                 :             :  * This library is distributed in the hope that it will be useful,
      13                 :             :  * but WITHOUT ANY WARRANTY; without even the implied warranty of
      14                 :             :  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
      15                 :             :  * Lesser General Public License for more details.
      16                 :             :  *
      17                 :             :  * You should have received a copy of the GNU Lesser General
      18                 :             :  * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
      19                 :             :  */
      20                 :             : 
      21                 :             : #include "config.h"
      22                 :             : #include "glib.h"
      23                 :             : 
      24                 :             : #include "gtlsclientconnection.h"
      25                 :             : #include "ginitable.h"
      26                 :             : #include "gioenumtypes.h"
      27                 :             : #include "gsocket.h"
      28                 :             : #include "gsocketconnectable.h"
      29                 :             : #include "gtlsbackend.h"
      30                 :             : #include "gtlscertificate.h"
      31                 :             : #include "glibintl.h"
      32                 :             : 
      33                 :             : /**
      34                 :             :  * GTlsClientConnection:
      35                 :             :  *
      36                 :             :  * `GTlsClientConnection` is the client-side subclass of
      37                 :             :  * [class@Gio.TlsConnection], representing a client-side TLS connection.
      38                 :             :  *
      39                 :             :  * Since: 2.28
      40                 :             :  */
      41                 :             : 
      42                 :           4 : G_DEFINE_INTERFACE (GTlsClientConnection, g_tls_client_connection, G_TYPE_TLS_CONNECTION) /* third argument is the interface's prerequisite type */
      43                 :             : 
      44                 :             : static void
      45                 :           3 : g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface) /* installs the four interface properties documented below */
      46                 :             : {
      47                 :             :   /**
      48                 :             :    * GTlsClientConnection:validation-flags:
      49                 :             :    *
      50                 :             :    * What steps to perform when validating a certificate received from
      51                 :             :    * a server. Server certificates that fail to validate in any of the
      52                 :             :    * ways indicated here will be rejected unless the application
      53                 :             :    * overrides the default via #GTlsConnection::accept-certificate.
      54                 :             :    *
      55                 :             :    * GLib guarantees that if certificate verification fails, at least one
      56                 :             :    * flag will be set, but it does not guarantee that all possible flags
      57                 :             :    * will be set. Accordingly, you may not safely decide to ignore any
      58                 :             :    * particular type of error. For example, it would be incorrect to mask
      59                 :             :    * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates,
      60                 :             :    * because this could potentially be the only error flag set even if
      61                 :             :    * other problems exist with the certificate. Therefore, there is no
      62                 :             :    * safe way to use this property. This is not a horrible problem,
      63                 :             :    * though, because you should not be attempting to ignore validation
      64                 :             :    * errors anyway. If you really must ignore TLS certificate errors,
      65                 :             :    * connect to #GTlsConnection::accept-certificate.
      66                 :             :    *
      67                 :             :    * Since: 2.28
      68                 :             :    *
      69                 :             :    * Deprecated: 2.72: Do not attempt to ignore validation errors.
      70                 :             :    */
      71                 :           3 :   g_object_interface_install_property (iface,
      72                 :             :                                        g_param_spec_flags ("validation-flags", NULL, NULL,
      73                 :             :                                                            G_TYPE_TLS_CERTIFICATE_FLAGS,
      74                 :             :                                                            G_TLS_CERTIFICATE_VALIDATE_ALL, /* default value: every validation check enabled */
      75                 :             :                                                            G_PARAM_READWRITE |
      76                 :             :                                                            G_PARAM_CONSTRUCT |
      77                 :             :                                                            G_PARAM_STATIC_STRINGS |
      78                 :             :                                                            G_PARAM_DEPRECATED)); /* flagged deprecated, matching the 2.72 deprecation note */
      79                 :             : 
      80                 :             :   /**
      81                 :             :    * GTlsClientConnection:server-identity:
      82                 :             :    *
      83                 :             :    * A #GSocketConnectable describing the identity of the server that
      84                 :             :    * is expected on the other end of the connection.
      85                 :             :    *
      86                 :             :    * If the %G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in
      87                 :             :    * #GTlsClientConnection:validation-flags, this object will be used
      88                 :             :    * to determine the expected identity of the remote end of the
      89                 :             :    * connection; if #GTlsClientConnection:server-identity is not set,
      90                 :             :    * or does not match the identity presented by the server, then the
      91                 :             :    * %G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail.
      92                 :             :    *
      93                 :             :    * In addition to its use in verifying the server certificate,
      94                 :             :    * this is also used to give a hint to the server about what
      95                 :             :    * certificate we expect, which is useful for servers that serve
      96                 :             :    * virtual hosts.
      97                 :             :    *
      98                 :             :    * Since: 2.28
      99                 :             :    */
     100                 :           3 :   g_object_interface_install_property (iface,
     101                 :             :                                        g_param_spec_object ("server-identity", NULL, NULL,
     102                 :             :                                                             G_TYPE_SOCKET_CONNECTABLE,
     103                 :             :                                                             G_PARAM_READWRITE |
     104                 :             :                                                             G_PARAM_CONSTRUCT | /* settable at construction; g_tls_client_connection_new() passes it that way */
     105                 :             :                                                             G_PARAM_STATIC_STRINGS));
     106                 :             : 
     107                 :             :   /**
     108                 :             :    * GTlsClientConnection:use-ssl3:
     109                 :             :    *
     110                 :             :    * SSL 3.0 is no longer supported. See
     111                 :             :    * g_tls_client_connection_set_use_ssl3() for details.
     112                 :             :    *
     113                 :             :    * Since: 2.28
     114                 :             :    *
     115                 :             :    * Deprecated: 2.56: SSL 3.0 is insecure.
     116                 :             :    */
     117                 :           3 :   g_object_interface_install_property (iface,
     118                 :             :                                        g_param_spec_boolean ("use-ssl3", NULL, NULL,
     119                 :             :                                                              FALSE, /* default value */
     120                 :             :                                                              G_PARAM_READWRITE |
     121                 :             :                                                              G_PARAM_CONSTRUCT |
     122                 :             :                                                              G_PARAM_STATIC_STRINGS |
     123                 :             :                                                              G_PARAM_DEPRECATED));
     124                 :             : 
     125                 :             :   /**
     126                 :             :    * GTlsClientConnection:accepted-cas: (type GLib.List) (element-type GLib.ByteArray)
     127                 :             :    *
     128                 :             :    * A list of the distinguished names of the Certificate Authorities
     129                 :             :    * that the server will accept client certificates signed by. If the
     130                 :             :    * server requests a client certificate during the handshake, then
     131                 :             :    * this property will be set after the handshake completes.
     132                 :             :    *
     133                 :             :    * Each item in the list is a #GByteArray which contains the complete
     134                 :             :    * subject DN of the certificate authority.
     135                 :             :    *
     136                 :             :    * Since: 2.28
     137                 :             :    */
     138                 :           3 :   g_object_interface_install_property (iface,
     139                 :             :                                        g_param_spec_pointer ("accepted-cas", NULL, NULL,
     140                 :             :                                                              G_PARAM_READABLE | /* read-only: G_PARAM_WRITABLE is not set */
     141                 :             :                                                              G_PARAM_STATIC_STRINGS));
     142                 :           3 : }
     143                 :             : 
     144                 :             : /**
     145                 :             :  * g_tls_client_connection_new:
     146                 :             :  * @base_io_stream: the #GIOStream to wrap
     147                 :             :  * @server_identity: (nullable): the expected identity of the server
     148                 :             :  * @error: #GError for error reporting, or %NULL to ignore.
     149                 :             :  *
     150                 :             :  * Creates a new #GTlsClientConnection wrapping @base_io_stream (which
     151                 :             :  * must have pollable input and output streams) which is assumed to
     152                 :             :  * communicate with the server identified by @server_identity.
     153                 :             :  *
     154                 :             :  * See the documentation for #GTlsConnection:base-io-stream for restrictions
     155                 :             :  * on when application code can run operations on the @base_io_stream after
     156                 :             :  * this function has returned.
     157                 :             :  *
     158                 :             :  * Returns: (transfer full) (type GTlsClientConnection): the new
     159                 :             :  * #GTlsClientConnection, or %NULL on error
     160                 :             :  *
     161                 :             :  * Since: 2.28
     162                 :             :  */
     163                 :             : GIOStream *
     164                 :           0 : g_tls_client_connection_new (GIOStream           *base_io_stream,
     165                 :             :                              GSocketConnectable  *server_identity,
     166                 :             :                              GError             **error)
     167                 :             : {
     168                 :             :   GObject *conn;
     169                 :             :   GTlsBackend *backend;
     170                 :             : 
     171                 :           0 :   backend = g_tls_backend_get_default (); /* the concrete connection type comes from the default TLS backend */
     172                 :           0 :   conn = g_initable_new (g_tls_backend_get_client_connection_type (backend),
     173                 :             :                          NULL, error,
     174                 :             :                          "base-io-stream", base_io_stream,
     175                 :             :                          "server-identity", server_identity, /* may be NULL; per the server-identity property docs, BAD_IDENTITY validation then fails */
     176                 :             :                          NULL);
     177                 :           0 :   return G_IO_STREAM (conn); /* documented to be NULL on error, so callers must check the result before use */
     178                 :             : }
     179                 :             : 
     180                 :             : /**
     181                 :             :  * g_tls_client_connection_get_validation_flags:
     182                 :             :  * @conn: the #GTlsClientConnection
     183                 :             :  *
     184                 :             :  * Gets @conn's validation flags
     185                 :             :  *
     186                 :             :  * This function does not work as originally designed and is impossible
     187                 :             :  * to use correctly. See #GTlsClientConnection:validation-flags for more
     188                 :             :  * information.
     189                 :             :  *
     190                 :             :  * Returns: the validation flags
     191                 :             :  *
     192                 :             :  * Since: 2.28
     193                 :             :  *
     194                 :             :  * Deprecated: 2.72: Do not attempt to ignore validation errors.
     195                 :             :  */
     196                 :             : GTlsCertificateFlags
     197                 :           0 : g_tls_client_connection_get_validation_flags (GTlsClientConnection *conn)
     198                 :             : {
     199                 :           0 :   GTlsCertificateFlags flags = G_TLS_CERTIFICATE_NO_FLAGS; /* value returned if the property getter leaves it untouched */
     200                 :             : 
     201                 :           0 :   g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0); /* wrong-type or NULL @conn: precondition failure, returns 0 */
     202                 :             : 
     203                 :           0 :   g_object_get (G_OBJECT (conn), "validation-flags", &flags, NULL); /* thin wrapper over the deprecated property */
     204                 :           0 :   return flags;
     205                 :             : }
     206                 :             : 
     207                 :             : /**
     208                 :             :  * g_tls_client_connection_set_validation_flags:
     209                 :             :  * @conn: the #GTlsClientConnection
     210                 :             :  * @flags: the #GTlsCertificateFlags to use
     211                 :             :  *
     212                 :             :  * Sets @conn's validation flags, to override the default set of
     213                 :             :  * checks performed when validating a server certificate. By default,
     214                 :             :  * %G_TLS_CERTIFICATE_VALIDATE_ALL is used.
     215                 :             :  *
     216                 :             :  * This function does not work as originally designed and is impossible
     217                 :             :  * to use correctly. See #GTlsClientConnection:validation-flags for more
     218                 :             :  * information.
     219                 :             :  *
     220                 :             :  * Since: 2.28
     221                 :             :  *
     222                 :             :  * Deprecated: 2.72: Do not attempt to ignore validation errors.
     223                 :             :  */
     224                 :             : void
     225                 :           0 : g_tls_client_connection_set_validation_flags (GTlsClientConnection  *conn,
     226                 :             :                                               GTlsCertificateFlags   flags)
     227                 :             : {
     228                 :           0 :   g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn)); /* wrong-type or NULL @conn: nothing is set */
     229                 :             : 
     230                 :           0 :   g_object_set (G_OBJECT (conn), "validation-flags", flags, NULL); /* replaces the VALIDATE_ALL default; per the property docs no individual error flag can be masked safely */
     231                 :             : }
     232                 :             : 
     233                 :             : /**
     234                 :             :  * g_tls_client_connection_get_server_identity:
     235                 :             :  * @conn: the #GTlsClientConnection
     236                 :             :  *
     237                 :             :  * Gets @conn's expected server identity
     238                 :             :  *
     239                 :             :  * Returns: (nullable) (transfer none): a #GSocketConnectable describing the
     240                 :             :  * expected server identity, or %NULL if the expected identity is not
     241                 :             :  * known.
     242                 :             :  *
     243                 :             :  * Since: 2.28
     244                 :             :  */
     245                 :             : GSocketConnectable *
     246                 :           0 : g_tls_client_connection_get_server_identity (GTlsClientConnection *conn)
     247                 :             : {
     248                 :           0 :   GSocketConnectable *identity = NULL;
     249                 :             : 
     250                 :           0 :   g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0); /* 0 here is the null pointer */
     251                 :             : 
     252                 :           0 :   g_object_get (G_OBJECT (conn), "server-identity", &identity, NULL); /* g_object_get() hands back a new reference for object properties */
     253                 :           0 :   if (identity)
     254                 :           0 :     g_object_unref (identity); /* drop that reference so the return is (transfer none) */
     255                 :           0 :   return identity; /* NOTE(review): borrowed pointer; presumably valid only while @conn still holds its own reference - confirm against the backend */
     256                 :             : }
     257                 :             : 
     258                 :             : /**
     259                 :             :  * g_tls_client_connection_set_server_identity:
     260                 :             :  * @conn: the #GTlsClientConnection
     261                 :             :  * @identity: a #GSocketConnectable describing the expected server identity
     262                 :             :  *
     263                 :             :  * Sets @conn's expected server identity, which is used both to tell
     264                 :             :  * servers on virtual hosts which certificate to present, and also
     265                 :             :  * to let @conn know what name to look for in the certificate when
     266                 :             :  * performing %G_TLS_CERTIFICATE_BAD_IDENTITY validation, if enabled.
     267                 :             :  *
     268                 :             :  * Since: 2.28
     269                 :             :  */
     270                 :             : void
     271                 :           0 : g_tls_client_connection_set_server_identity (GTlsClientConnection *conn,
     272                 :             :                                              GSocketConnectable   *identity)
     273                 :             : {
     274                 :           0 :   g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn)); /* only @conn is type-checked; @identity is passed through as given */
     275                 :             : 
     276                 :           0 :   g_object_set (G_OBJECT (conn), "server-identity", identity, NULL); /* the name later compared with the certificate during BAD_IDENTITY validation */
     277                 :             : }
     278                 :             : 
     279                 :             : /**
     280                 :             :  * g_tls_client_connection_get_use_ssl3:
     281                 :             :  * @conn: the #GTlsClientConnection
     282                 :             :  *
     283                 :             :  * SSL 3.0 is no longer supported. See
     284                 :             :  * g_tls_client_connection_set_use_ssl3() for details.
     285                 :             :  *
     286                 :             :  * Returns: %FALSE
     287                 :             :  *
     288                 :             :  * Since: 2.28
     289                 :             :  *
     290                 :             :  * Deprecated: 2.56: SSL 3.0 is insecure.
     291                 :             :  */
     292                 :             : gboolean
     293                 :           0 : g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
     294                 :             : {
     295                 :           0 :   gboolean use_ssl3 = FALSE;
     296                 :             : 
     297                 :           0 :   g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0);
     298                 :             : 
     299                 :           0 :   g_object_get (G_OBJECT (conn), "use-ssl3", &use_ssl3, NULL); /* the property is still read, but the value is discarded */
     300                 :           0 :   return FALSE; /* constant result: SSL 3.0 can never be reported as enabled */
     301                 :             : }
     302                 :             : 
     303                 :             : /**
     304                 :             :  * g_tls_client_connection_set_use_ssl3:
     305                 :             :  * @conn: the #GTlsClientConnection
     306                 :             :  * @use_ssl3: a #gboolean, ignored
     307                 :             :  *
     308                 :             :  * Since GLib 2.42.1, SSL 3.0 is no longer supported.
     309                 :             :  *
     310                 :             :  * From GLib 2.42.1 through GLib 2.62, this function could be used to
     311                 :             :  * force use of TLS 1.0, the lowest-supported TLS protocol version at
     312                 :             :  * the time. In the past, this was needed to connect to broken TLS
     313                 :             :  * servers that exhibited protocol version intolerance. Such servers
     314                 :             :  * are no longer common, and using TLS 1.0 is no longer considered
     315                 :             :  * acceptable.
     316                 :             :  *
     317                 :             :  * Since GLib 2.64, this function does nothing.
     318                 :             :  *
     319                 :             :  * Since: 2.28
     320                 :             :  *
     321                 :             :  * Deprecated: 2.56: SSL 3.0 is insecure.
     322                 :             :  */
     323                 :             : void
     324                 :           0 : g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
     325                 :             :                                       gboolean              use_ssl3) /* @use_ssl3 is never read in the body */
     326                 :             : {
     327                 :           0 :   g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));
     328                 :             : 
     329                 :           0 :   g_object_set (G_OBJECT (conn), "use-ssl3", FALSE, NULL); /* always writes FALSE, so a caller cannot request a protocol downgrade through this setter */
     330                 :             : }
     331                 :             : 
     332                 :             : /**
     333                 :             :  * g_tls_client_connection_get_accepted_cas:
     334                 :             :  * @conn: the #GTlsClientConnection
     335                 :             :  *
     336                 :             :  * Gets the list of distinguished names of the Certificate Authorities
     337                 :             :  * that the server will accept certificates from. This will be set
     338                 :             :  * during the TLS handshake if the server requests a certificate.
     339                 :             :  * Otherwise, it will be %NULL.
     340                 :             :  *
     341                 :             :  * Each item in the list is a #GByteArray which contains the complete
     342                 :             :  * subject DN of the certificate authority.
     343                 :             :  *
     344                 :             :  * Returns: (element-type GByteArray) (transfer full): the list of
     345                 :             :  * CA DNs. You should unref each element with g_byte_array_unref() and then
     346                 :             :  * free the list with g_list_free().
     347                 :             :  *
     348                 :             :  * Since: 2.28
     349                 :             :  */
     350                 :             : GList *
     351                 :           0 : g_tls_client_connection_get_accepted_cas (GTlsClientConnection *conn)
     352                 :             : {
     353                 :           0 :   GList *accepted_cas = NULL; /* stays NULL if the getter sets nothing */
     354                 :             : 
     355                 :           0 :   g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), NULL);
     356                 :             : 
     357                 :           0 :   g_object_get (G_OBJECT (conn), "accepted-cas", &accepted_cas, NULL); /* NOTE(review): installed as a pointer property, so the documented (transfer full) ownership presumably depends on the backend's getter returning a copy - confirm */
     358                 :           0 :   return accepted_cas;
     359                 :             : }
     360                 :             : 
     361                 :             : /**
     362                 :             :  * g_tls_client_connection_copy_session_state:
     363                 :             :  * @conn: a #GTlsClientConnection
     364                 :             :  * @source: a #GTlsClientConnection
     365                 :             :  *
     366                 :             :  * Possibly copies session state from one connection to another, for use
     367                 :             :  * in TLS session resumption. This is not normally needed, but may be
     368                 :             :  * used when the same session needs to be used between different
     369                 :             :  * endpoints, as is required by some protocols, such as FTP over TLS.
     370                 :             :  * @source should have already completed a handshake and, since TLS 1.3,
     371                 :             :  * it should have been used to read data at least once. @conn should not
     372                 :             :  * have completed a handshake.
     373                 :             :  *
     374                 :             :  * It is not possible to know whether a call to this function will
     375                 :             :  * actually do anything. Because session resumption is normally used
     376                 :             :  * only for performance benefit, the TLS backend might not implement
     377                 :             :  * this function. Even if implemented, it may not actually succeed in
     378                 :             :  * allowing @conn to resume @source's TLS session, because the server
     379                 :             :  * may not have sent a session resumption token to @source, or it may
     380                 :             :  * refuse to accept the token from @conn. There is no way to know
     381                 :             :  * whether a call to this function is actually successful.
     382                 :             :  *
     383                 :             :  * Using this function is not required to benefit from session
     384                 :             :  * resumption. If the TLS backend supports session resumption, the
     385                 :             :  * session will be resumed automatically if it is possible to do so
     386                 :             :  * without weakening the privacy guarantees normally provided by TLS,
     387                 :             :  * without need to call this function. For example, with TLS 1.3,
     388                 :             :  * a session ticket will be automatically copied from any
     389                 :             :  * #GTlsClientConnection that has previously received session tickets
     390                 :             :  * from the server, provided a ticket is available that has not
     391                 :             :  * previously been used for session resumption, since session ticket
     392                 :             :  * reuse would be a privacy weakness. Using this function causes the
     393                 :             :  * ticket to be copied without regard for privacy considerations.
     394                 :             :  *
     395                 :             :  * Since: 2.46
     396                 :             :  */
     397                 :             : void
     398                 :           0 : g_tls_client_connection_copy_session_state (GTlsClientConnection *conn,
     399                 :             :                                             GTlsClientConnection *source)
     400                 :             : {
     401                 :           0 :   g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));
     402                 :           0 :   g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (source));
     403                 :           0 :   g_return_if_fail (G_TLS_CLIENT_CONNECTION_GET_INTERFACE (conn)->copy_session_state != NULL); /* a backend without this vfunc trips the precondition and nothing is copied */
     404                 :             : 
     405                 :           0 :   G_TLS_CLIENT_CONNECTION_GET_INTERFACE (conn)->copy_session_state (conn, /* dispatches to @conn's implementation; no status comes back, so success cannot be observed */
     406                 :             :                                                                     source);
     407                 :             : }
        
