1 /* GIO - GLib Input, Output and Streaming Library
3 * Copyright © 2010 Red Hat, Inc
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, write to the
17 * Free Software Foundation, Inc., 59 Temple Place, Suite 330,
18 * Boston, MA 02111-1307, USA.
24 #include "gtlsconnection.h"
25 #include "gcancellable.h"
26 #include "gioenumtypes.h"
27 #include "gio-marshal.h"
29 #include "gtlsbackend.h"
30 #include "gtlscertificate.h"
31 #include "gtlsclientconnection.h"
35 * SECTION:gtlsconnection
36 * @short_description: TLS connection type
39 * #GTlsConnection is the base TLS connection class type, which wraps
40 * a #GIOStream and provides TLS encryption on top of it. Its
41 * subclasses, #GTlsClientConnection and #GTlsServerConnection,
42 * implement client-side and server-side TLS, respectively.
50 * Abstract base class for the backend-specific #GTlsClientConnection
51 * and #GTlsServerConnection types.
56 G_DEFINE_ABSTRACT_TYPE (GTlsConnection, g_tls_connection, G_TYPE_IO_STREAM)
58 static void g_tls_connection_get_property (GObject *object,
62 static void g_tls_connection_set_property (GObject *object,
66 static void g_tls_connection_finalize (GObject *object);
68 static gboolean g_tls_connection_certificate_accumulator (GSignalInvocationHint *ihint,
70 const GValue *handler_return,
80 static guint signals[LAST_SIGNAL] = { 0 };
85 PROP_REQUIRE_CLOSE_NOTIFY,
86 PROP_REHANDSHAKE_MODE,
91 struct _GTlsConnectionPrivate {
92 GTlsCertificate *certificate, *peer_certificate;
96 g_tls_connection_class_init (GTlsConnectionClass *klass)
98 GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
100 g_type_class_add_private (klass, sizeof (GTlsConnectionPrivate));
102 gobject_class->get_property = g_tls_connection_get_property;
103 gobject_class->set_property = g_tls_connection_set_property;
104 gobject_class->finalize = g_tls_connection_finalize;
107 * GTlsConnection:base-io-stream:
109 * The #GIOStream that the connection wraps
113 g_object_class_install_property (gobject_class, PROP_BASE_IO_STREAM,
114 g_param_spec_object ("base-io-stream",
116 P_("The GIOStream that the connection wraps"),
119 G_PARAM_CONSTRUCT_ONLY |
120 G_PARAM_STATIC_STRINGS));
122 * GTlsConnection:require-close-notify:
124 * Whether or not proper TLS close notification is required.
125 * See g_tls_connection_set_require_close_notify().
129 g_object_class_install_property (gobject_class, PROP_REQUIRE_CLOSE_NOTIFY,
130 g_param_spec_boolean ("require-close-notify",
131 P_("Require close notify"),
132 P_("Whether to require proper TLS close notification"),
135 G_PARAM_STATIC_STRINGS));
137 * GTlsConnection:rehandshake-mode:
139 * The rehandshaking mode. See
140 * g_tls_connection_set_rehandshake_mode().
144 g_object_class_install_property (gobject_class, PROP_REHANDSHAKE_MODE,
145 g_param_spec_enum ("rehandshake-mode",
146 P_("Rehandshake mode"),
147 P_("When to allow rehandshaking"),
148 G_TYPE_TLS_REHANDSHAKE_MODE,
149 G_TLS_REHANDSHAKE_SAFELY,
151 G_PARAM_STATIC_STRINGS));
153 * GTlsConnection:certificate:
155 * The connection's certificate; see
156 * g_tls_connection_set_certificate().
160 g_object_class_install_property (gobject_class, PROP_CERTIFICATE,
161 g_param_spec_object ("certificate",
163 P_("The connection's certificate"),
164 G_TYPE_TLS_CERTIFICATE,
166 G_PARAM_STATIC_STRINGS));
168 * GTlsConnection:peer-certificate:
170 * The connection's peer's certificate, after it has been set during
175 g_object_class_install_property (gobject_class, PROP_PEER_CERTIFICATE,
176 g_param_spec_object ("peer-certificate",
177 P_("Peer Certificate"),
178 P_("The connection's peer's certificate"),
179 G_TYPE_TLS_CERTIFICATE,
181 G_PARAM_STATIC_STRINGS));
184 * GTlsConnection::need-certificate:
185 * @conn: a #GTlsConnection
187 * Emitted during the TLS handshake if a certificate is needed and
188 * one has not been set via g_tls_connection_set_certificate().
190 * For server-side connections, a certificate is always needed, and
191 * the connection will fail if none is provided.
193 * For client-side connections, the signal will be emitted only if
194 * the server has requested a certificate; you can call
195 * g_tls_client_connection_get_accepted_cas() to get a list of
196 * Certificate Authorities that the server will accept certificates
197 * from. If you do not return a certificate (and have not provided
198 * one via g_tls_connection_set_certificate()) then the server may
199 * reject the handshake, in which case the operation will eventually
200 * fail with %G_TLS_ERROR_CERTIFICATE_REQUIRED.
202 * Note that if this signal is emitted as part of asynchronous I/O
203 * in the main thread, then you should not attempt to interact with
204 * the user before returning from the signal handler. If you want to
205 * let the user choose a certificate to return, you would have to
206 * return %NULL from the signal handler on the first attempt, and
207 * then after the connection attempt returns a
208 * %G_TLS_ERROR_CERTIFICATE_REQUIRED, you can interact with the
209 * user, create a new connection, and call
210 * g_tls_connection_set_certificate() on it before handshaking (or
211 * just connect to the signal again and return the certificate the
214 * If you are doing I/O in another thread, you do not
215 * need to worry about this, and can simply block in the signal
216 * handler until the UI thread returns an answer.
218 * Return value: the certificate to send to the peer, or %NULL to
219 * send no certificate. If you return a certificate, the signal
220 * emission will be stopped and further handlers will not be called.
224 signals[NEED_CERTIFICATE] =
225 g_signal_new (I_("need-certificate"),
226 G_TYPE_TLS_CONNECTION,
228 G_STRUCT_OFFSET (GTlsConnectionClass, need_certificate),
229 g_tls_connection_certificate_accumulator, NULL,
230 _gio_marshal_OBJECT__VOID,
231 G_TYPE_TLS_CERTIFICATE, 0);
234 * GTlsConnection::accept-certificate:
235 * @conn: a #GTlsConnection
236 * @peer_cert: the peer's #GTlsCertificate
237 * @errors: the problems with @peer_cert.
239 * Emitted during the TLS handshake after the peer certificate has
240 * been received. You can examine @peer_cert's certification path by
241 * calling g_tls_certificate_get_issuer() on it.
243 * For a client-side connection, @peer_cert is the server's
244 * certificate, and the signal will only be emitted if the
245 * certificate was not acceptable according to @conn's
246 * #GTlsClientConnection:validation_flags. If you would like the
247 * certificate to be accepted despite @errors, return %TRUE from the
248 * signal handler. Otherwise, if no handler accepts the certificate,
249 * the handshake will fail with %G_TLS_ERROR_BAD_CERTIFICATE.
251 * For a server-side connection, @peer_cert is the certificate
252 * presented by the client, if this was requested via the server's
253 * #GTlsServerConnection:authentication_mode. On the server side,
254 * the signal is always emitted when the client presents a
255 * certificate, and the certificate will only be accepted if a
256 * handler returns %TRUE.
258 * As with #GTlsConnection::need_certificate, you should not
259 * interact with the user during the signal emission if the signal
260 * was emitted as part of an asynchronous operation in the main
263 * Return value: %TRUE to accept @peer_cert (which will also
264 * immediately end the signal emission). %FALSE to allow the signal
265 * emission to continue, which will cause the handshake to fail if
266 * no one else overrides it.
270 signals[ACCEPT_CERTIFICATE] =
271 g_signal_new (I_("accept-certificate"),
272 G_TYPE_TLS_CONNECTION,
274 G_STRUCT_OFFSET (GTlsConnectionClass, accept_certificate),
275 g_signal_accumulator_true_handled, NULL,
276 _gio_marshal_BOOLEAN__OBJECT_FLAGS,
278 G_TYPE_TLS_CERTIFICATE,
279 G_TYPE_TLS_CERTIFICATE_FLAGS);
283 g_tls_connection_init (GTlsConnection *conn)
285 conn->priv = G_TYPE_INSTANCE_GET_PRIVATE (conn, G_TYPE_TLS_CONNECTION, GTlsConnectionPrivate);
289 g_tls_connection_finalize (GObject *object)
291 GTlsConnection *conn = G_TLS_CONNECTION (object);
293 if (conn->priv->certificate)
294 g_object_unref (conn->priv->certificate);
295 if (conn->priv->peer_certificate)
296 g_object_unref (conn->priv->peer_certificate);
298 G_OBJECT_CLASS (g_tls_connection_parent_class)->finalize (object);
302 g_tls_connection_get_property (GObject *object,
307 GTlsConnection *conn = G_TLS_CONNECTION (object);
311 case PROP_CERTIFICATE:
312 g_value_set_object (value, conn->priv->certificate);
315 case PROP_PEER_CERTIFICATE:
316 g_value_set_object (value, conn->priv->peer_certificate);
320 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
326 g_tls_connection_set_property (GObject *object,
331 GTlsConnection *conn = G_TLS_CONNECTION (object);
335 case PROP_CERTIFICATE:
336 g_tls_connection_set_certificate (conn, g_value_get_object (value));
340 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
346 * g_tls_connection_set_certificate:
347 * @conn: a #GTlsConnection
348 * @certificate: the certificate to use for @conn
350 * This sets the certificate that @conn will present to its peer
351 * during the TLS handshake. If this is not set,
352 * #GTlsConnection::need-certificate will be emitted during the
353 * handshake if needed.
358 g_tls_connection_set_certificate (GTlsConnection *conn,
359 GTlsCertificate *certificate)
361 g_return_if_fail (G_IS_TLS_CONNECTION (conn));
362 g_return_if_fail (G_IS_TLS_CERTIFICATE (certificate));
364 if (conn->priv->certificate)
365 g_object_unref (conn->priv->certificate);
366 conn->priv->certificate = certificate ? g_object_ref (certificate) : NULL;
367 g_object_notify (G_OBJECT (conn), "certificate");
371 * g_tls_connection_get_certificate:
372 * @conn: a #GTlsConnection
374 * Gets @conn's certificate, as set by
375 * g_tls_connection_set_certificate() or returned from one of the
378 * Return value: @conn's certificate, or %NULL
383 g_tls_connection_get_certificate (GTlsConnection *conn)
385 g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), NULL);
387 return conn->priv->certificate;
391 * g_tls_connection_get_peer_certificate:
392 * @conn: a #GTlsConnection
394 * Gets @conn's peer's certificate after it has been set during the
397 * Return value: @conn's peer's certificate, or %NULL
402 g_tls_connection_get_peer_certificate (GTlsConnection *conn)
404 g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), NULL);
406 return conn->priv->peer_certificate;
410 * g_tls_connection_set_require_close_notify:
411 * @conn: a #GTlsConnection
412 * @require_close_notify: whether or not to require close notification
414 * Sets whether or not @conn requires a proper TLS close notification
415 * before closing the connection. If this is %TRUE (the default), then
416 * calling g_io_stream_close() on @conn will send a TLS close
417 * notification, and likewise it will expect to receive a close
418 * notification before the connection is closed when reading, and will
419 * return a %G_TLS_ERROR_EOF error if the connection is closed without
420 * proper notification (since this may indicate a network error, or
421 * man-in-the-middle attack).
423 * In some protocols, the application will know whether or not the
424 * connection was closed cleanly based on application-level data
425 * (because the application-level data includes a length field, or is
426 * somehow self-delimiting); in this case, the close notify is
427 * redundant and sometimes omitted. (TLS 1.1 explicitly allows this;
428 * in TLS 1.0 it is technically an error, but often done anyway.) You
429 * can use g_tls_connection_set_require_close_notify() to tell @conn to
430 * allow an "unannounced" connection close, in which case it is up to
431 * the application to check that the data has been fully received.
436 g_tls_connection_set_require_close_notify (GTlsConnection *conn,
437 gboolean require_close_notify)
439 g_return_if_fail (G_IS_TLS_CONNECTION (conn));
441 g_object_set (G_OBJECT (conn),
442 "require-close-notify", require_close_notify,
447 * g_tls_connection_get_require_close_notify:
448 * @conn: a #GTlsConnection
450 * Tests whether or not @conn requires a proper TLS close notification
451 * before closing the connection. See
452 * g_tls_connection_set_require_close_notify() for details.
454 * Return value: %TRUE if @conn requires a proper TLS close
460 g_tls_connection_get_require_close_notify (GTlsConnection *conn)
462 gboolean require_close_notify;
464 g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), TRUE);
466 g_object_get (G_OBJECT (conn),
467 "require-close-notify", &require_close_notify,
469 return require_close_notify;
473 * g_tls_connection_set_rehandshake_mode:
474 * @conn: a #GTlsConnection
475 * @mode: the rehandshaking mode
477 * Sets how @conn behaves with respect to rehandshaking requests.
479 * %G_TLS_REHANDSHAKE_NEVER means that it will never agree to
480 * rehandshake after the initial handshake is complete. (For a client,
481 * this means it will refuse rehandshake requests from the server, and
482 * for a server, this means it will close the connection with an error
483 * if the client attempts to rehandshake.)
485 * %G_TLS_REHANDSHAKE_SAFELY means that the connection will allow a
486 * rehandshake only if the other end of the connection supports the
487 * TLS <literal>renegotiation_info</literal> extension. This is the
488 * default behavior, but means that rehandshaking will not work
489 * against older implementations that do not support that extension.
491 * %G_TLS_REHANDSHAKE_UNSAFELY means that the connection will allow
492 * rehandshaking even without the
493 * <literal>renegotiation_info</literal> extension. On the server side
494 * in particular, this is not recommended, since it leaves the server
495 * open to certain attacks. However, this mode is necessary if you
496 * need to allow renegotiation with older client software.
501 g_tls_connection_set_rehandshake_mode (GTlsConnection *conn,
502 GTlsRehandshakeMode mode)
504 g_return_if_fail (G_IS_TLS_CONNECTION (conn));
506 g_object_set (G_OBJECT (conn),
507 "rehandshake-mode", mode,
512 * g_tls_connection_get_rehandshake_mode:
513 * @conn: a #GTlsConnection
515 * Gets @conn rehandshaking mode. See
516 * g_tls_connection_set_rehandshake() for details.
518 * Return value: @conn's rehandshaking mode
523 g_tls_connection_get_rehandshake_mode (GTlsConnection *conn)
525 GTlsRehandshakeMode mode;
527 g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), G_TLS_REHANDSHAKE_NEVER);
529 g_object_get (G_OBJECT (conn),
530 "rehandshake-mode", &mode,
536 * g_tls_connection_handshake:
537 * @conn: a #GTlsConnection
538 * @cancellable: a #GCancellable, or %NULL
539 * @error: a #GError, or %NULL
541 * Attempts a TLS handshake on @conn.
543 * On the client side, it is never necessary to call this method;
544 * although the connection needs to perform a handshake after
545 * connecting (or after sending a "STARTTLS"-type command) and may
546 * need to rehandshake later if the server requests it,
547 * #GTlsConnection will handle this for you automatically when you try
548 * to send or receive data on the connection. However, you can call
549 * g_tls_connection_handshake() manually if you want to know for sure
550 * whether the initial handshake succeeded or failed (as opposed to
551 * just immediately trying to write to @conn's output stream, in which
552 * case if it fails, it may not be possible to tell if it failed
553 * before or after completing the handshake).
555 * Likewise, on the server side, although a handshake is necessary at
556 * the beginning of the communication, you do not need to call this
557 * function explicitly unless you want clearer error reporting.
558 * However, you may call g_tls_connection_handshake() later on to
559 * renegotiate parameters (encryption methods, etc) with the client.
561 * #GTlsConnection::accept_certificate and
562 * #GTlsConnection::need_certificate may be emitted during the
565 * Return value: success or failure
570 g_tls_connection_handshake (GTlsConnection *conn,
571 GCancellable *cancellable,
574 g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), FALSE);
576 return G_TLS_CONNECTION_GET_CLASS (conn)->handshake (conn, cancellable, error);
580 * g_tls_connection_handshake_async:
581 * @conn: a #GTlsConnection
582 * @io_priority: the <link linkend="io-priority">I/O priority</link>
584 * @cancellable: a #GCancellable, or %NULL
585 * @callback: callback to call when the handshake is complete
586 * @user_data: the data to pass to the callback function
588 * Asynchronously performs a TLS handshake on @conn. See
589 * g_tls_connection_handshake() for more information.
594 g_tls_connection_handshake_async (GTlsConnection *conn,
596 GCancellable *cancellable,
597 GAsyncReadyCallback callback,
600 g_return_if_fail (G_IS_TLS_CONNECTION (conn));
602 return G_TLS_CONNECTION_GET_CLASS (conn)->handshake_async (conn, io_priority,
604 callback, user_data);
608 * g_tls_connection_handshake_finish:
609 * @conn: a #GTlsConnection
610 * @result: a #GAsyncResult.
611 * @error: a #GError pointer, or %NULL
613 * Finish an asynchronous TLS handshake operation. See
614 * g_tls_connection_handshake() for more information.
616 * Return value: %TRUE on success, %FALSE on failure, in which
617 * case @error will be set.
622 g_tls_connection_handshake_finish (GTlsConnection *conn,
623 GAsyncResult *result,
626 g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), FALSE);
628 return G_TLS_CONNECTION_GET_CLASS (conn)->handshake_finish (conn, result, error);
634 * Gets the TLS error quark.
636 * Return value: a #GQuark.
641 g_tls_error_quark (void)
643 return g_quark_from_static_string ("g-tls-error-quark");
648 g_tls_connection_certificate_accumulator (GSignalInvocationHint *ihint,
650 const GValue *handler_return,
653 GTlsCertificate *cert;
655 cert = g_value_get_object (handler_return);
657 g_value_set_object (return_accu, cert);
663 * g_tls_connection_emit_need_certificate:
664 * @conn: a #GTlsConnection
666 * Used by #GTlsConnection implementations to emit the
667 * #GTlsConnection::need-certificate signal.
669 * Returns: a new #GTlsCertificate
674 g_tls_connection_emit_need_certificate (GTlsConnection *conn)
676 GTlsCertificate *cert = NULL;
678 g_signal_emit (conn, signals[NEED_CERTIFICATE], 0,
684 * g_tls_connection_emit_accept_certificate:
685 * @conn: a #GTlsConnection
686 * @peer_cert: the peer's #GTlsCertificate
687 * @errors: the problems with @peer_cert
689 * Used by #GTlsConnection implementations to emit the
690 * #GTlsConnection::accept-certificate signal.
692 * Return value: %TRUE if one of the signal handlers has returned
693 * %TRUE to accept @peer_cert
698 g_tls_connection_emit_accept_certificate (GTlsConnection *conn,
699 GTlsCertificate *peer_cert,
700 GTlsCertificateFlags errors)
702 gboolean accept = FALSE;
704 g_signal_emit (conn, signals[ACCEPT_CERTIFICATE], 0,
705 peer_cert, errors, &accept);
710 * g_tls_connection_set_peer_certificate:
711 * @conn: a #GTlsConnection
712 * @certificate: the peer certificate
714 * Used by #GTlsConnection implementations to set the connection's
720 g_tls_connection_set_peer_certificate (GTlsConnection *conn,
721 GTlsCertificate *certificate)
723 if (conn->priv->peer_certificate)
724 g_object_unref (conn->priv->peer_certificate);
725 conn->priv->peer_certificate = certificate ? g_object_ref (certificate) : NULL;
726 g_object_notify (G_OBJECT (conn), "peer-certificate");