1 /* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
3 * gtlsconnection-openssl.c
5 * Copyright (C) 2015 NICE s.r.l.
7 * This file is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This file is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 * In addition, when the library is used with OpenSSL, a special
21 * exception applies. Refer to the LICENSE_EXCEPTION file for details.
23 * Authors: Ignacio Casal Quinteiro
31 #include "openssl-include.h"
33 #include "gtlsconnection-openssl.h"
34 #include "gtlsbackend-openssl.h"
35 #include "gtlscertificate-openssl.h"
36 #include "gtlsdatabase-openssl.h"
40 #include <glib/gi18n-lib.h>
42 #define DTLS_MESSAGE_MAX_SIZE 65536
44 typedef struct _GTlsConnectionOpensslPrivate
51 gboolean shutting_down;
52 } GTlsConnectionOpensslPrivate;
54 typedef int (*GTlsOpensslIOFunc) (SSL *ssl, gpointer user_data);
56 typedef struct _ReadRequest
62 typedef struct _WriteRequest
68 static void g_tls_connection_openssl_initable_iface_init (GInitableIface *iface);
70 G_DEFINE_ABSTRACT_TYPE_WITH_CODE (GTlsConnectionOpenssl, g_tls_connection_openssl, G_TYPE_TLS_CONNECTION_BASE,
71 G_ADD_PRIVATE (GTlsConnectionOpenssl)
72 G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
73 g_tls_connection_openssl_initable_iface_init))
76 g_tls_connection_openssl_finalize (GObject *object)
78 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (object);
79 GTlsConnectionOpensslPrivate *priv;
81 priv = g_tls_connection_openssl_get_instance_private (openssl);
83 g_free (priv->dtls_rx);
84 g_free (priv->dtls_tx);
85 g_mutex_clear (&priv->ssl_mutex);
87 G_OBJECT_CLASS (g_tls_connection_openssl_parent_class)->finalize (object);
90 static GTlsSafeRenegotiationStatus
91 g_tls_connection_openssl_handshake_thread_safe_renegotiation_status (GTlsConnectionBase *tls)
93 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
96 ssl = g_tls_connection_openssl_get_ssl (openssl);
98 return SSL_get_secure_renegotiation_support (ssl) ? G_TLS_SAFE_RENEGOTIATION_SUPPORTED_BY_PEER
99 : G_TLS_SAFE_RENEGOTIATION_UNSUPPORTED;
102 static GTlsConnectionBaseStatus
103 end_openssl_io (GTlsConnectionOpenssl *openssl,
104 GIOCondition direction,
108 const char *err_prefix,
111 GTlsConnectionBase *tls = G_TLS_CONNECTION_BASE (openssl);
112 GTlsConnectionOpensslPrivate *priv;
113 int err_code, err, err_lib, reason;
114 GError *my_error = NULL;
115 GTlsConnectionBaseStatus status;
118 priv = g_tls_connection_openssl_get_instance_private (openssl);
120 ssl = g_tls_connection_openssl_get_ssl (openssl);
122 err_code = SSL_get_error (ssl, ret);
124 status = g_tls_connection_base_pop_io (tls, direction, ret > 0, &my_error);
126 if ((err_code == SSL_ERROR_WANT_READ ||
127 err_code == SSL_ERROR_WANT_WRITE) &&
131 g_error_free (my_error);
132 return G_TLS_CONNECTION_BASE_TRY_AGAIN;
135 if (err_code == SSL_ERROR_ZERO_RETURN)
136 return G_TLS_CONNECTION_BASE_OK;
138 if (status == G_TLS_CONNECTION_BASE_OK ||
139 status == G_TLS_CONNECTION_BASE_WOULD_BLOCK ||
140 status == G_TLS_CONNECTION_BASE_TIMED_OUT)
143 g_propagate_error (error, my_error);
147 /* This case is documented that it may happen and that is perfectly fine */
148 if (err_code == SSL_ERROR_SYSCALL &&
149 (priv->shutting_down && (!my_error || g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_BROKEN_PIPE))))
151 g_clear_error (&my_error);
152 return G_TLS_CONNECTION_BASE_OK;
155 err = ERR_get_error ();
156 err_lib = ERR_GET_LIB (err);
157 reason = ERR_GET_REASON (err);
159 if (g_tls_connection_base_is_handshaking (tls) && !g_tls_connection_base_ever_handshaked (tls))
161 if (reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE && my_error)
163 g_propagate_error (error, my_error);
164 return G_TLS_CONNECTION_BASE_ERROR;
166 else if (reason == SSL_R_BAD_PACKET_LENGTH ||
167 reason == SSL_R_UNKNOWN_ALERT_TYPE ||
168 reason == SSL_R_DECRYPTION_FAILED ||
169 reason == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ||
170 reason == SSL_R_BAD_PROTOCOL_VERSION_NUMBER ||
171 reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE ||
172 reason == SSL_R_UNKNOWN_PROTOCOL)
174 g_clear_error (&my_error);
175 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS,
176 _("Peer failed to perform TLS handshake: %s"), ERR_reason_error_string (err));
177 return G_TLS_CONNECTION_BASE_ERROR;
181 #ifdef SSL_R_SHUTDOWN_WHILE_IN_INIT
182 /* XXX: this error happens on ubuntu when shutting down the connection, it
183 * seems to be a bug in a specific version of openssl, so let's handle it
186 if (reason == SSL_R_SHUTDOWN_WHILE_IN_INIT)
188 g_clear_error (&my_error);
189 return G_TLS_CONNECTION_BASE_OK;
193 if (reason == SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
194 #ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
195 || reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
199 g_clear_error (&my_error);
200 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED,
201 _("TLS connection peer did not send a certificate"));
205 if (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)
207 g_clear_error (&my_error);
208 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
209 _("Unacceptable TLS certificate"));
210 return G_TLS_CONNECTION_BASE_ERROR;
213 if (reason == SSL_R_TLSV1_ALERT_UNKNOWN_CA)
215 g_clear_error (&my_error);
216 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
217 _("Unacceptable TLS certificate authority"));
218 return G_TLS_CONNECTION_BASE_ERROR;
221 if (err_lib == ERR_LIB_RSA && reason == RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY)
223 g_clear_error (&my_error);
224 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
225 _("Digest too big for RSA key"));
226 return G_TLS_CONNECTION_BASE_ERROR;
229 #ifdef SSL_R_NO_RENEGOTIATION
230 if (reason == SSL_R_NO_RENEGOTIATION)
232 g_clear_error (&my_error);
233 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
234 _("Secure renegotiation is disabled"));
235 return G_TLS_CONNECTION_BASE_REHANDSHAKE;
240 g_propagate_error (error, my_error);
242 if (ret == 0 && err == 0 && err_lib == 0 && err_code == SSL_ERROR_SYSCALL
243 && (direction == G_IO_IN || direction == G_IO_OUT))
245 /* SSL_ERROR_SYSCALL usually means we have no bloody idea what has happened
246 * but when ret for read or write is 0 and all others error codes as well
247 * - this is normally Early EOF condition
249 if (!g_tls_connection_get_require_close_notify (G_TLS_CONNECTION (openssl)))
250 return G_TLS_CONNECTION_BASE_OK;
252 if (error && !*error)
253 *error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_EOF, _("%s: The connection is broken"), err_prefix);
255 else if (error && !*error)
256 *error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_MISC, "%s: %s", err_prefix, err_str);
258 return G_TLS_CONNECTION_BASE_ERROR;
261 static GTlsConnectionBaseStatus
262 perform_openssl_io (GTlsConnectionOpenssl *openssl,
263 GIOCondition direction,
264 GTlsOpensslIOFunc perform_func,
265 gpointer perform_data,
267 GCancellable *cancellable,
270 const char *err_prefix)
272 GTlsConnectionBaseStatus status;
273 GTlsConnectionBase *tls;
274 GTlsConnectionOpensslPrivate *priv;
279 tls = G_TLS_CONNECTION_BASE (openssl);
280 priv = g_tls_connection_openssl_get_instance_private (openssl);
281 ssl = g_tls_connection_openssl_get_ssl (openssl);
284 deadline = g_get_monotonic_time () + timeout;
290 GIOCondition io_needed;
295 g_tls_connection_base_push_io (tls, direction, 0, cancellable);
297 if (g_tls_connection_base_is_dtls (tls))
298 DTLSv1_handle_timeout (ssl);
300 ret = perform_func (ssl, perform_data);
302 switch (SSL_get_error (ssl, ret))
304 case SSL_ERROR_WANT_READ:
307 case SSL_ERROR_WANT_WRITE:
308 io_needed = G_IO_OUT;
315 ERR_error_string_n (SSL_get_error (ssl, ret), error_str,
317 status = end_openssl_io (openssl, direction, ret, TRUE, error, err_prefix,
320 if (status != G_TLS_CONNECTION_BASE_TRY_AGAIN)
323 if (g_tls_connection_base_is_dtls (tls) && DTLSv1_get_timeout (ssl, &tv))
324 io_timeout = (tv.tv_sec * G_USEC_PER_SEC) + tv.tv_usec;
330 gint64 remaining = MAX (deadline - g_get_monotonic_time (), 0);
332 if (io_timeout != -1)
333 io_timeout = MIN (io_timeout, remaining);
335 io_timeout = remaining;
341 g_tls_bio_wait_available (priv->bio, io_needed, io_timeout, cancellable);
344 if (status == G_TLS_CONNECTION_BASE_TRY_AGAIN)
348 status = G_TLS_CONNECTION_BASE_WOULD_BLOCK;
349 g_clear_error (error);
350 g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK,
351 "Operation would block");
353 else if (timeout > 0)
355 status = G_TLS_CONNECTION_BASE_TIMED_OUT;
356 g_clear_error (error);
357 g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_TIMED_OUT,
358 _("Socket I/O timed out"));
369 _openssl_alpn_select_cb (SSL *ssl,
370 const unsigned char **out,
371 unsigned char *outlen,
372 const unsigned char *in,
376 GTlsConnectionBase *tls = arg;
377 int ret = SSL_TLSEXT_ERR_NOACK;
378 gchar **advertised_protocols = NULL;
381 logbuf = g_strndup ((const gchar *)in, inlen);
382 g_tls_log_debug (tls, "ALPN their protocols: %s", logbuf);
385 g_object_get (G_OBJECT (tls),
386 "advertised-protocols", &advertised_protocols,
389 if (!advertised_protocols)
392 if (g_strv_length (advertised_protocols) > 0)
394 GByteArray *protocols = g_byte_array_new ();
399 for (i = 0; advertised_protocols[i]; i++)
401 guint8 len = strlen (advertised_protocols[i]);
402 g_byte_array_append (protocols, &len, 1);
403 g_byte_array_append (protocols,
404 (guint8 *)advertised_protocols[i],
407 logbuf = g_strndup ((const gchar *)protocols->data, protocols->len);
408 g_tls_log_debug (tls, "ALPN our protocols: %s", logbuf);
411 /* pointer to memory inside in[0..inlen] is returned on success
412 * pointer to protocols->data is returned on failure */
413 ret = SSL_select_next_proto (&spd, &slen,
415 protocols->data, protocols->len);
416 if (ret == OPENSSL_NPN_NEGOTIATED)
418 logbuf = g_strndup ((const gchar *)spd, slen);
419 g_tls_log_debug (tls, "ALPN selected protocol %s", logbuf);
422 ret = SSL_TLSEXT_ERR_OK;
428 g_tls_log_debug (tls, "ALPN no matching protocol");
429 ret = SSL_TLSEXT_ERR_NOACK;
432 g_byte_array_unref (protocols);
435 g_strfreev (advertised_protocols);
440 g_tls_connection_openssl_prepare_handshake (GTlsConnectionBase *tls,
441 gchar **advertised_protocols)
445 TIZEN_LOGI("tls[%p]", tls);
446 if (!advertised_protocols)
449 ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (tls));
451 if (G_IS_TLS_SERVER_CONNECTION (tls))
453 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
455 g_tls_log_debug (tls, "Setting ALPN Callback on %p", ctx);
456 SSL_CTX_set_alpn_select_cb (ctx, _openssl_alpn_select_cb, tls);
461 if (g_strv_length (advertised_protocols) > 0)
463 GByteArray *protocols = g_byte_array_new ();
466 for (i = 0; advertised_protocols[i]; i++)
468 guint8 len = strlen (advertised_protocols[i]);
469 g_byte_array_append (protocols, &len, 1);
470 g_byte_array_append (protocols, (guint8 *)advertised_protocols[i], len);
472 ret = SSL_set_alpn_protos (ssl, protocols->data, protocols->len);
474 g_tls_log_debug (tls, "Error setting ALPN protocols: %d", ret);
477 gchar *logbuf = g_strndup ((const gchar *)protocols->data, protocols->len);
479 g_tls_log_debug (tls, "Setting ALPN protocols to %s", logbuf);
482 g_byte_array_unref (protocols);
486 static GTlsCertificateFlags
487 g_tls_connection_openssl_verify_chain (GTlsConnectionBase *tls,
488 GTlsCertificate *chain,
489 const gchar *purpose,
490 GSocketConnectable *identity,
491 GTlsInteraction *interaction,
492 GTlsDatabaseVerifyFlags flags,
493 GCancellable *cancellable,
496 GTlsDatabase *database;
497 GTlsCertificateFlags errors = 0;
498 gboolean is_client = G_IS_TLS_CLIENT_CONNECTION (tls);
500 database = g_tls_connection_get_database (G_TLS_CONNECTION (tls));
503 errors |= g_tls_database_verify_chain (database,
505 is_client ? G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER : G_TLS_DATABASE_PURPOSE_AUTHENTICATE_CLIENT,
507 g_tls_connection_get_interaction (G_TLS_CONNECTION (tls)),
508 G_TLS_DATABASE_VERIFY_NONE,
514 TIZEN_LOGE("SSL Handshake - Unknown CA");
515 errors |= G_TLS_CERTIFICATE_UNKNOWN_CA;
516 errors |= g_tls_certificate_verify (chain, identity, NULL);
522 static GTlsProtocolVersion
523 glib_protocol_version_from_openssl (int protocol_version)
525 switch (protocol_version)
528 return G_TLS_PROTOCOL_VERSION_SSL_3_0;
530 return G_TLS_PROTOCOL_VERSION_TLS_1_0;
532 return G_TLS_PROTOCOL_VERSION_TLS_1_1;
534 return G_TLS_PROTOCOL_VERSION_TLS_1_2;
536 return G_TLS_PROTOCOL_VERSION_TLS_1_3;
538 return G_TLS_PROTOCOL_VERSION_DTLS_1_0;
539 case DTLS1_2_VERSION:
540 return G_TLS_PROTOCOL_VERSION_DTLS_1_2;
542 return G_TLS_PROTOCOL_VERSION_UNKNOWN;
547 g_tls_connection_openssl_complete_handshake (GTlsConnectionBase *tls,
548 gboolean handshake_succeeded,
549 gchar **negotiated_protocol,
550 GTlsProtocolVersion *protocol_version,
551 gchar **ciphersuite_name,
555 SSL_SESSION *session;
556 unsigned int len = 0;
557 const unsigned char *data = NULL;
559 if (!handshake_succeeded)
562 TIZEN_LOGI("tls[%p]", tls);
564 ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (tls));
565 session = SSL_get_session (ssl);
567 SSL_get0_alpn_selected (ssl, &data, &len);
569 g_tls_log_debug (tls, "negotiated ALPN protocols: [%d]%p", len, data);
573 g_assert (!*negotiated_protocol);
574 *negotiated_protocol = g_strndup ((gchar *)data, len);
577 *protocol_version = glib_protocol_version_from_openssl (SSL_SESSION_get_protocol_version (session));
578 *ciphersuite_name = g_strdup (SSL_get_cipher_name (ssl));
582 perform_rehandshake (SSL *ssl,
585 GTlsConnectionBase *tls = user_data;
586 int ret = 1; /* always look on the bright side of life */
588 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
589 if (SSL_version(ssl) >= TLS1_3_VERSION)
590 ret = SSL_key_update (ssl, SSL_KEY_UPDATE_REQUESTED);
591 else if (SSL_get_secure_renegotiation_support (ssl) && !(SSL_get_options(ssl) & SSL_OP_NO_RENEGOTIATION))
592 /* remote and local peers both can rehandshake */
593 ret = SSL_renegotiate (ssl);
595 g_tls_log_debug (tls, "Secure renegotiation is not supported");
597 ret = SSL_renegotiate (ssl);
603 static GTlsConnectionBaseStatus
604 g_tls_connection_openssl_handshake_thread_request_rehandshake (GTlsConnectionBase *tls,
606 GCancellable *cancellable,
609 /* On a client-side connection, SSL_renegotiate() itself will start
610 * a rehandshake, so we only need to do something special here for
611 * server-side connections.
613 if (!G_IS_TLS_SERVER_CONNECTION (tls))
614 return G_TLS_CONNECTION_BASE_OK;
616 return perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls), G_IO_IN | G_IO_OUT,
617 perform_rehandshake, tls, timeout, cancellable,
618 NULL, error, _("Error performing TLS handshake"));
621 static GTlsCertificate *
622 g_tls_connection_openssl_retrieve_peer_certificate (GTlsConnectionBase *tls)
625 STACK_OF (X509) *certs;
626 GTlsCertificateOpenssl *chain;
629 ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (tls));
631 peer = SSL_get_peer_certificate (ssl);
635 certs = SSL_get_peer_cert_chain (ssl);
642 chain = g_tls_certificate_openssl_build_chain (peer, certs);
647 return G_TLS_CERTIFICATE (chain);
651 openssl_get_binding_tls_unique (GTlsConnectionOpenssl *tls,
655 SSL *ssl = g_tls_connection_openssl_get_ssl (tls);
656 gboolean is_client = G_IS_TLS_CLIENT_CONNECTION (tls);
657 gboolean resumed = SSL_session_reused (ssl);
660 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
661 if (SSL_version (ssl) >= TLS1_3_VERSION)
663 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
664 _("The request is invalid."));
669 /* This is a drill */
674 g_byte_array_set_size (data, len);
675 if ((resumed && is_client) || (!resumed && !is_client))
676 len = SSL_get_peer_finished (ssl, data->data, data->len);
678 len = SSL_get_finished (ssl, data->data, data->len);
679 } while (len > data->len);
683 g_byte_array_set_size (data, len);
686 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_AVAILABLE,
687 _("Channel binding data tls-unique is not available"));
692 openssl_get_binding_tls_server_end_point (GTlsConnectionOpenssl *tls,
696 SSL *ssl = g_tls_connection_openssl_get_ssl (tls);
697 gboolean is_client = G_IS_TLS_CLIENT_CONNECTION (tls);
699 const EVP_MD *algo = NULL;
703 crt = SSL_get_peer_certificate (ssl);
705 crt = SSL_get_certificate (ssl);
709 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_AVAILABLE,
710 _("X.509 Certificate is not available on the connection"));
714 if (!OBJ_find_sigid_algs (X509_get_signature_nid (crt), &algo_nid, NULL))
717 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
718 _("Unable to obtain certificate signature algorithm"));
722 /* This is a drill */
734 algo_nid = NID_sha256;
737 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_SUPPORTED,
738 _("Current X.509 certificate uses unknown or unsupported signature algorithm"));
744 g_byte_array_set_size (data, EVP_MAX_MD_SIZE);
745 algo = EVP_get_digestbynid (algo_nid);
746 if (X509_digest (crt, algo, data->data, &(data->len)))
755 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
756 _("Failed to generate X.509 certificate digest"));
760 #define RFC5705_LABEL_DATA "EXPORTER-Channel-Binding"
761 #define RFC5705_LABEL_LEN 24
763 openssl_get_binding_tls_exporter (GTlsConnectionOpenssl *tls,
767 SSL *ssl = g_tls_connection_openssl_get_ssl (tls);
769 guint8 *context = (guint8 *)"";
775 g_byte_array_set_size (data, 32);
776 ret = SSL_export_keying_material (ssl,
777 data->data, data->len,
778 RFC5705_LABEL_DATA, RFC5705_LABEL_LEN,
780 1 /* use context */);
786 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_SUPPORTED,
787 _("TLS Connection does not support TLS-Exporter feature"));
789 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
790 _("Unexpected error while exporting keying data"));
796 g_tls_connection_openssl_get_channel_binding_data (GTlsConnectionBase *tls,
797 GTlsChannelBindingType type,
801 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
803 /* XXX: remove the cast once public enum supports exporter */
806 case G_TLS_CHANNEL_BINDING_TLS_UNIQUE:
807 return openssl_get_binding_tls_unique (openssl, data, error);
809 case G_TLS_CHANNEL_BINDING_TLS_SERVER_END_POINT:
810 return openssl_get_binding_tls_server_end_point (openssl, data, error);
813 return openssl_get_binding_tls_exporter (openssl, data, error);
816 /* Anyone to implement tls-unique-for-telnet? */
817 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_IMPLEMENTED,
818 _("Requested channel binding type is not implemented"));
823 static GTlsConnectionBaseStatus
824 g_tls_connection_openssl_handshake_thread_handshake (GTlsConnectionBase *tls,
826 GCancellable *cancellable,
829 GTlsConnectionBaseStatus status;
832 status = perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls),
834 (GTlsOpensslIOFunc) SSL_do_handshake,
835 NULL, timeout, cancellable, &ret, error,
836 _("Error reading data from TLS socket"));
840 if (!g_tls_connection_base_handshake_thread_verify_certificate (tls))
842 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
843 _("Unacceptable TLS certificate"));
844 return G_TLS_CONNECTION_BASE_ERROR;
852 g_tls_connection_openssl_push_io (GTlsConnectionBase *tls,
853 GIOCondition direction,
855 GCancellable *cancellable)
857 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
858 GTlsConnectionOpensslPrivate *priv;
861 priv = g_tls_connection_openssl_get_instance_private (openssl);
863 G_TLS_CONNECTION_BASE_CLASS (g_tls_connection_openssl_parent_class)->push_io (tls, direction,
864 timeout, cancellable);
866 if (direction & G_IO_IN)
868 error = g_tls_connection_base_get_read_error (tls);
869 g_tls_bio_set_read_cancellable (priv->bio, cancellable);
870 g_clear_error (error);
871 g_tls_bio_set_read_error (priv->bio, error);
874 if (direction & G_IO_OUT)
876 error = g_tls_connection_base_get_write_error (tls);
877 g_tls_bio_set_write_cancellable (priv->bio, cancellable);
878 g_clear_error (error);
879 g_tls_bio_set_write_error (priv->bio, error);
882 g_mutex_lock (&priv->ssl_mutex);
885 static GTlsConnectionBaseStatus
886 g_tls_connection_openssl_pop_io (GTlsConnectionBase *tls,
887 GIOCondition direction,
891 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
892 GTlsConnectionOpensslPrivate *priv;
894 priv = g_tls_connection_openssl_get_instance_private (openssl);
896 g_mutex_unlock (&priv->ssl_mutex);
898 if (direction & G_IO_IN)
899 g_tls_bio_set_read_cancellable (priv->bio, NULL);
901 if (direction & G_IO_OUT)
902 g_tls_bio_set_write_cancellable (priv->bio, NULL);
904 return G_TLS_CONNECTION_BASE_CLASS (g_tls_connection_openssl_parent_class)->pop_io (tls, direction,
909 perform_read (SSL *ssl,
912 ReadRequest *req = user_data;
914 return SSL_read (ssl, req->buffer, req->count);
917 static GTlsConnectionBaseStatus
918 g_tls_connection_openssl_read (GTlsConnectionBase *tls,
923 GCancellable *cancellable,
926 GTlsConnectionBaseStatus status;
927 ReadRequest req = { buffer, count };
930 status = perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls), G_IO_IN,
931 perform_read, &req, timeout, cancellable, &ret,
932 error, _("Error reading data from TLS socket"));
934 *nread = MAX (ret, 0);
938 static GTlsConnectionBaseStatus
939 g_tls_connection_openssl_read_message (GTlsConnectionBase *tls,
940 GInputVector *vectors,
944 GCancellable *cancellable,
947 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
948 GTlsConnectionOpensslPrivate *priv;
949 GTlsConnectionBaseStatus status;
951 gsize bytes_copied, bytes_remaining;
956 priv = g_tls_connection_openssl_get_instance_private (openssl);
959 priv->dtls_rx = g_malloc (DTLS_MESSAGE_MAX_SIZE);
961 status = g_tls_connection_openssl_read (tls, priv->dtls_rx,
962 DTLS_MESSAGE_MAX_SIZE, timeout,
963 &bytes_read, cancellable, error);
964 if (status != G_TLS_CONNECTION_BASE_OK)
968 bytes_remaining = bytes_read;
969 for (i = 0; i < num_vectors && bytes_remaining > 0; i++)
971 GInputVector *vector = &vectors[i];
974 n = MIN (bytes_remaining, vector->size);
976 memcpy (vector->buffer, priv->dtls_rx + bytes_copied, n);
979 bytes_remaining -= n;
982 *nread = bytes_copied;
988 perform_write (SSL *ssl,
991 WriteRequest *req = user_data;
993 return SSL_write (ssl, req->buffer, req->count);
996 static GTlsConnectionBaseStatus
997 g_tls_connection_openssl_write (GTlsConnectionBase *tls,
1002 GCancellable *cancellable,
1005 GTlsConnectionBaseStatus status;
1006 WriteRequest req = { buffer, count };
1009 status = perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls), G_IO_OUT,
1010 perform_write, &req, timeout, cancellable, &ret,
1011 error, _("Error writing data to TLS socket"));
1013 *nwrote = MAX (ret, 0);
1017 static GTlsConnectionBaseStatus
1018 g_tls_connection_openssl_write_message (GTlsConnectionBase *tls,
1019 GOutputVector *vectors,
1023 GCancellable *cancellable,
1026 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
1027 GTlsConnectionOpensslPrivate *priv;
1028 gsize bytes_copied, bytes_available;
1031 priv = g_tls_connection_openssl_get_instance_private (openssl);
1034 priv->dtls_tx = g_malloc (DTLS_MESSAGE_MAX_SIZE);
1037 bytes_available = DTLS_MESSAGE_MAX_SIZE;
1038 for (i = 0; i < num_vectors && bytes_available > 0; i++)
1040 GOutputVector *vector = &vectors[i];
1043 n = MIN (vector->size, bytes_available);
1045 memcpy (priv->dtls_tx + bytes_copied, vector->buffer, n);
1048 bytes_available -= n;
1051 return g_tls_connection_openssl_write (tls, priv->dtls_tx, bytes_copied,
1052 timeout, nwrote, cancellable, error);
1055 static GTlsConnectionBaseStatus
1056 g_tls_connection_openssl_close (GTlsConnectionBase *tls,
1058 GCancellable *cancellable,
1061 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
1062 GTlsConnectionOpensslPrivate *priv;
1064 priv = g_tls_connection_openssl_get_instance_private (openssl);
1066 priv->shutting_down = TRUE;
1068 TIZEN_LOGI("tls[%p]", tls);
1070 return perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls),
1072 (GTlsOpensslIOFunc) SSL_shutdown,
1073 NULL, timeout, cancellable, NULL, error,
1074 _("Error performing TLS close"));
1078 g_tls_connection_openssl_class_init (GTlsConnectionOpensslClass *klass)
1080 GObjectClass *object_class = G_OBJECT_CLASS (klass);
1081 GTlsConnectionBaseClass *base_class = G_TLS_CONNECTION_BASE_CLASS (klass);
1083 object_class->finalize = g_tls_connection_openssl_finalize;
1085 base_class->prepare_handshake = g_tls_connection_openssl_prepare_handshake;
1086 base_class->verify_chain = g_tls_connection_openssl_verify_chain;
1087 base_class->complete_handshake = g_tls_connection_openssl_complete_handshake;
1088 base_class->handshake_thread_safe_renegotiation_status = g_tls_connection_openssl_handshake_thread_safe_renegotiation_status;
1089 base_class->handshake_thread_request_rehandshake = g_tls_connection_openssl_handshake_thread_request_rehandshake;
1090 base_class->handshake_thread_handshake = g_tls_connection_openssl_handshake_thread_handshake;
1091 base_class->retrieve_peer_certificate = g_tls_connection_openssl_retrieve_peer_certificate;
1092 base_class->get_channel_binding_data = g_tls_connection_openssl_get_channel_binding_data;
1093 base_class->push_io = g_tls_connection_openssl_push_io;
1094 base_class->pop_io = g_tls_connection_openssl_pop_io;
1095 base_class->read_fn = g_tls_connection_openssl_read;
1096 base_class->read_message_fn = g_tls_connection_openssl_read_message;
1097 base_class->write_fn = g_tls_connection_openssl_write;
1098 base_class->write_message_fn = g_tls_connection_openssl_write_message;
1099 base_class->close_fn = g_tls_connection_openssl_close;
1102 static int data_index = -1;
1105 g_tls_connection_openssl_initable_init (GInitable *initable,
1106 GCancellable *cancellable,
1109 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (initable);
1110 GTlsConnectionOpensslPrivate *priv;
1111 GTlsConnectionBase *tls = G_TLS_CONNECTION_BASE (initable);
1112 GIOStream *base_io_stream;
1113 GDatagramBased *base_socket;
1117 "base-io-stream", &base_io_stream,
1118 "base-socket", &base_socket,
1121 /* Ensure we are in TLS mode or DTLS mode. */
1122 g_return_val_if_fail (!!base_io_stream != !!base_socket, FALSE);
1124 priv = g_tls_connection_openssl_get_instance_private (openssl);
1126 ssl = g_tls_connection_openssl_get_ssl (openssl);
1129 if (data_index == -1) {
1130 data_index = SSL_get_ex_new_index (0, (void *)"gtlsconnection", NULL, NULL, NULL);
1132 SSL_set_ex_data (ssl, data_index, openssl);
1135 priv->bio = g_tls_bio_new_from_iostream (base_io_stream);
1137 priv->bio = g_tls_bio_new_from_datagram_based (base_socket);
1139 SSL_set_bio (ssl, priv->bio, priv->bio);
1141 g_clear_object (&base_io_stream);
1142 g_clear_object (&base_socket);
1148 g_tls_connection_openssl_initable_iface_init (GInitableIface *iface)
1150 iface->init = g_tls_connection_openssl_initable_init;
1154 g_tls_connection_openssl_init (GTlsConnectionOpenssl *openssl)
1156 GTlsConnectionOpensslPrivate *priv;
1158 priv = g_tls_connection_openssl_get_instance_private (openssl);
1160 g_mutex_init (&priv->ssl_mutex);
1164 g_tls_connection_openssl_get_ssl (GTlsConnectionOpenssl *openssl)
1166 g_return_val_if_fail (G_IS_TLS_CONNECTION_OPENSSL (openssl), NULL);
1168 return G_TLS_CONNECTION_OPENSSL_GET_CLASS (openssl)->get_ssl (openssl);
1171 GTlsConnectionOpenssl *
1172 g_tls_connection_openssl_get_connection_from_ssl (SSL *ssl)
1174 g_return_val_if_fail (ssl, NULL);
1176 return SSL_get_ex_data (ssl, data_index);