1 /* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
3 * gtlsclientconnection-openssl.c
5 * Copyright (C) 2015 NICE s.r.l.
7 * This file is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This file is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 * In addition, when the library is used with OpenSSL, a special
21 * exception applies. Refer to the LICENSE_EXCEPTION file for details.
23 * Authors: Ignacio Casal Quinteiro
32 #include "openssl-include.h"
33 #include "gtlsconnection-base.h"
34 #include "gtlsclientconnection-openssl.h"
35 #include "gtlsbackend-openssl.h"
36 #include "gtlscertificate-openssl.h"
37 #include "gtlsdatabase-openssl.h"
38 #include <glib/gi18n-lib.h>
/* Instance structure of the OpenSSL-backed client connection.
 * Only the fields visible in this excerpt are documented; the OpenSSL handles
 * (ssl, ssl_ctx, session) are declared in lines not shown here and are owned
 * by this object (released in finalize() below).
 */
40 struct _GTlsClientConnectionOpenssl
42 GTlsConnectionOpenssl parent_instance;
/* Certificate checks the application asked for ("validation-flags"). */
44 GTlsCertificateFlags validation_flags;
/* Owned reference ("server-identity"); source of the hostname used for
 * X509_VERIFY_PARAM_set1_host() and SNI in initable_init(). */
45 GSocketConnectable *server_identity;
/* NOT owned. Filled on the handshake thread from SSL_get_client_CA_list(),
 * which returns a pointer into the SSL object's own state, so finalize()
 * deliberately does not free it and it must not be read after SSL_free(). */
48 STACK_OF (X509_NAME) *ca_list;
58 PROP_VALIDATION_FLAGS,
/* Forward declarations for the interface initialisers wired up by
 * G_DEFINE_TYPE_WITH_CODE below. */
64 static void g_tls_client_connection_openssl_initable_interface_init (GInitableIface *iface);
66 static void g_tls_client_connection_openssl_client_connection_interface_init (GTlsClientConnectionInterface *iface);
/* Parent GInitable vtable, captured in initable_interface_init() so that
 * initable_init() can chain up after configuring the SSL_CTX. */
68 static GInitableIface *g_tls_client_connection_openssl_parent_initable_iface;
/* Registers the type and its GInitable, GTlsClientConnection and
 * GDtlsClientConnection interfaces (the DTLS init function is on an elided line). */
70 G_DEFINE_TYPE_WITH_CODE (GTlsClientConnectionOpenssl, g_tls_client_connection_openssl, G_TYPE_TLS_CONNECTION_OPENSSL,
71 G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
72 g_tls_client_connection_openssl_initable_interface_init)
73 G_IMPLEMENT_INTERFACE (G_TYPE_TLS_CLIENT_CONNECTION,
74 g_tls_client_connection_openssl_client_connection_interface_init)
75 G_IMPLEMENT_INTERFACE (G_TYPE_DTLS_CLIENT_CONNECTION,
/* GObject finalize: releases the server identity and the three OpenSSL
 * handles. SSL_free() runs before SSL_CTX_free(), which is the required
 * order. ca_list is intentionally not freed here: it points into the SSL
 * object (see handshake_thread_retrieve_certificate()). */
79 g_tls_client_connection_openssl_finalize (GObject *object)
81 GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
83 g_clear_object (&openssl->server_identity);
85 SSL_free (openssl->ssl);
86 SSL_CTX_free (openssl->ssl_ctx);
/* The session was also handed to SSL_CTX_add_session() in initable_init();
 * that call takes its own reference, so this drop balances SSL_SESSION_new(). */
87 SSL_SESSION_free (openssl->session);
89 G_OBJECT_CLASS (g_tls_client_connection_openssl_parent_class)->finalize (object);
/* Returns the hostname to verify the peer against, taken from the
 * "server-identity" connectable: the host of a GNetworkAddress or the domain
 * of a GNetworkService. The fall-through return for other connectables is on
 * an elided line (presumably NULL, which disables the hostname/SNI setup in
 * initable_init() — confirm). The returned string is borrowed, not owned. */
93 get_server_identity (GTlsClientConnectionOpenssl *openssl)
95 if (G_IS_NETWORK_ADDRESS (openssl->server_identity))
96 return g_network_address_get_hostname (G_NETWORK_ADDRESS (openssl->server_identity));
97 else if (G_IS_NETWORK_SERVICE (openssl->server_identity))
98 return g_network_service_get_domain (G_NETWORK_SERVICE (openssl->server_identity));
/* GObject get_property. The "accepted-cas" case DER-encodes each X509_NAME
 * the server advertised in its CertificateRequest into a GList of
 * GByteArray; ownership of the list and its arrays passes to the caller via
 * g_value_set_pointer(). */
104 g_tls_client_connection_openssl_get_property (GObject *object,
109 GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
115 case PROP_VALIDATION_FLAGS:
116 g_value_set_flags (value, openssl->validation_flags);
119 case PROP_SERVER_IDENTITY:
120 g_value_set_object (value, openssl->server_identity);
124 g_value_set_boolean (value, openssl->use_ssl3);
127 case PROP_ACCEPTED_CAS:
/* ca_list is only non-NULL after the handshake thread has run the client
 * certificate callback; until then the property reads as an empty list. */
129 if (openssl->ca_list)
131 for (i = 0; i < sk_X509_NAME_num (openssl->ca_list); ++i)
/* First call with a NULL buffer only measures the encoding. i2d returns a
 * negative value on failure; the guard that skips such entries before the
 * g_malloc() is on an elided line — confirm it exists, otherwise a negative
 * size would be passed to g_malloc(). */
135 size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), NULL);
140 ca = g_malloc (size);
/* NOTE(review): i2d_X509_NAME() with a non-NULL *out writes the encoding and
 * then ADVANCES `ca` to point just past the written bytes. After this line
 * `ca` is no longer the start of the allocation. The arguments given to
 * g_byte_array_new_take() below are on an elided line; they must use the
 * original allocation pointer (keep a copy before this call), otherwise the
 * byte array wraps a pointer one past the buffer and g_free() on it later is
 * undefined behaviour. Confirm against the full source. */
141 size = i2d_X509_NAME (sk_X509_NAME_value (openssl->ca_list, i), &ca);
143 accepted_cas = g_list_prepend (accepted_cas, g_byte_array_new_take (
/* Prepend-then-reverse keeps the list in the server's order in O(n). */
149 accepted_cas = g_list_reverse (accepted_cas);
151 g_value_set_pointer (value, accepted_cas);
155 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
/* GObject set_property for the overridden GTlsClientConnection properties. */
160 g_tls_client_connection_openssl_set_property (GObject *object,
165 GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (object);
169 case PROP_VALIDATION_FLAGS:
170 openssl->validation_flags = g_value_get_flags (value);
/* Replace the connectable; g_value_dup_object() takes a new reference.
 * Changing this after initable_init() has run does not re-apply the hostname
 * to the SSL_CTX verify params or SNI — those are set once at init time. */
173 case PROP_SERVER_IDENTITY:
174 if (openssl->server_identity)
175 g_object_unref (openssl->server_identity);
176 openssl->server_identity = g_value_dup_object (value);
/* Stored for the property round-trip only: no visible line in this file
 * consults use_ssl3 when configuring the SSL_CTX, and initable_init() pins the
 * protocol floor independently ("Only TLS 1.2 or higher"). */
180 openssl->use_ssl3 = g_value_get_boolean (value);
184 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
/* GTlsConnectionBase::complete_handshake override. Chains to the parent
 * implementation (if any) and then emits the "accepted-cas" notification on
 * the main context, because ca_list was updated on the handshake thread where
 * GObject notifications must not be emitted. */
189 g_tls_client_connection_openssl_complete_handshake (GTlsConnectionBase *tls,
190 gboolean handshake_succeeded,
191 gchar **negotiated_protocol,
192 GTlsProtocolVersion *protocol_version,
193 gchar **ciphersuite_name,
196 GTlsClientConnectionOpenssl *client = G_TLS_CLIENT_CONNECTION_OPENSSL (tls);
198 if (G_TLS_CONNECTION_BASE_CLASS (g_tls_client_connection_openssl_parent_class)->complete_handshake)
199 G_TLS_CONNECTION_BASE_CLASS (g_tls_client_connection_openssl_parent_class)->complete_handshake (tls,
206 /* It may have changed during the handshake, but we have to wait until here
207 * because we can't emit notifies on the handshake thread.
209 g_object_notify (G_OBJECT (client), "accepted-cas");
/* Checks the OCSP response the server stapled during the handshake (requested
 * via SSL_set_tlsext_status_type() in initable_init()) against the connection's
 * GTlsDatabase. Returns additional GTlsCertificateFlags to OR into the
 * verification result; the handling of "no response stapled" is on elided
 * lines, so whether a missing staple is a soft or hard failure cannot be
 * confirmed from this excerpt. */
212 static GTlsCertificateFlags
213 verify_ocsp_response (GTlsClientConnectionOpenssl *openssl,
214 GTlsCertificate *peer_certificate)
217 OCSP_RESPONSE *resp = NULL;
218 GTlsDatabase *database;
220 unsigned char *p = NULL;
222 ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (openssl));
/* `p` borrows the SSL object's copy of the stapled response; it is not freed here. */
223 len = SSL_get_tlsext_status_ocsp_resp (ssl, &p);
/* d2i_* advances `p` while parsing, which is fine since `p` is not reused.
 * A response that fails to parse is treated as a hard error: an attacker on
 * the path can only suppress a staple, not substitute an unparseable one
 * without triggering this failure. */
226 resp = d2i_OCSP_RESPONSE (NULL, (const unsigned char **)&p, len);
228 return G_TLS_CERTIFICATE_GENERIC_ERROR;
231 database = g_tls_connection_get_database (G_TLS_CONNECTION (openssl));
233 /* If there's no database, then G_TLS_CERTIFICATE_UNKNOWN_CA must be flagged,
234 * and this function is only called if there are no flags.
238 /* Note we have to call this even if resp is NULL, because it will check
239 * whether Must-Staple is set.
/* Ownership of `resp` passes to the database helper (presumably freed there;
 * no OCSP_RESPONSE_free() is visible in this function — confirm). */
241 return g_tls_database_openssl_verify_ocsp_response (G_TLS_DATABASE_OPENSSL (database),
/* GTlsConnectionBase::verify_peer_certificate override. `flags` arrives with
 * the result of the base chain/identity verification; the OCSP check replaces
 * it. The condition guarding the call is on an elided line — from the comment
 * in verify_ocsp_response() it is expected to run only when `flags` is 0, so
 * OCSP cannot mask an earlier failure. Confirm that guard is present. */
246 static GTlsCertificateFlags
247 g_tls_client_connection_openssl_verify_peer_certificate (GTlsConnectionBase *tls,
248 GTlsCertificate *certificate,
249 GTlsCertificateFlags flags)
251 GTlsClientConnectionOpenssl *openssl = G_TLS_CLIENT_CONNECTION_OPENSSL (tls);
254 flags = verify_ocsp_response (openssl, certificate);
/* GTlsConnectionOpenssl::get_ssl override: exposes the owned SSL handle to the
 * base class. The returned pointer is borrowed. */
260 g_tls_client_connection_openssl_get_ssl (GTlsConnectionOpenssl *connection)
262 return G_TLS_CLIENT_CONNECTION_OPENSSL (connection)->ssl;
/* Class initialiser: installs the GObject, GTlsConnectionBase and
 * GTlsConnectionOpenssl vfuncs and overrides the four GTlsClientConnection
 * interface properties. */
266 g_tls_client_connection_openssl_class_init (GTlsClientConnectionOpensslClass *klass)
268 GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
269 GTlsConnectionBaseClass *base_class = G_TLS_CONNECTION_BASE_CLASS (klass);
270 GTlsConnectionOpensslClass *openssl_class = G_TLS_CONNECTION_OPENSSL_CLASS (klass);
272 gobject_class->finalize = g_tls_client_connection_openssl_finalize;
273 gobject_class->get_property = g_tls_client_connection_openssl_get_property;
274 gobject_class->set_property = g_tls_client_connection_openssl_set_property;
276 base_class->complete_handshake = g_tls_client_connection_openssl_complete_handshake;
277 base_class->verify_peer_certificate = g_tls_client_connection_openssl_verify_peer_certificate;
279 openssl_class->get_ssl = g_tls_client_connection_openssl_get_ssl;
281 g_object_class_override_property (gobject_class, PROP_VALIDATION_FLAGS, "validation-flags");
282 g_object_class_override_property (gobject_class, PROP_SERVER_IDENTITY, "server-identity");
283 g_object_class_override_property (gobject_class, PROP_USE_SSL3, "use-ssl3");
284 g_object_class_override_property (gobject_class, PROP_ACCEPTED_CAS, "accepted-cas");
/* Instance initialiser; its body is not visible in this excerpt. All OpenSSL
 * state is created later in initable_init(). */
288 g_tls_client_connection_openssl_init (GTlsClientConnectionOpenssl *openssl)
/* GTlsClientConnection::copy_session_state implementation; the body is not
 * visible in this excerpt, so whether session resumption state is actually
 * copied from `source` cannot be confirmed here. */
293 g_tls_client_connection_openssl_copy_session_state (GTlsClientConnection *conn,
294 GTlsClientConnection *source)
/* GTlsClientConnection interface initialiser. */
299 g_tls_client_connection_openssl_client_connection_interface_init (GTlsClientConnectionInterface *iface)
301 iface->copy_session_state = g_tls_client_connection_openssl_copy_session_state;
/* Process-wide OpenSSL ex_data slot used to map an SSL* back to its
 * GTlsClientConnectionOpenssl inside the client-certificate callback.
 * -1 means "not yet allocated"; initable_init() allocates it lazily under the
 * lock and handshake_thread_retrieve_certificate() reads it under the same
 * lock. */
304 static int data_index = -1;
306 G_LOCK_DEFINE_STATIC(data_index);
307 #define DATA_INDEX_LOCK(m) G_LOCK(m)
308 #define DATA_INDEX_UNLOCK(m) G_UNLOCK(m)
/* Alternate branch (the #if condition is on an elided line): the lock macros
 * become no-ops, so the lazy allocation in initable_init() is then racy if two
 * connections initialise concurrently — confirm what the condition is. */
310 #define DATA_INDEX_LOCK(m)
311 #define DATA_INDEX_UNLOCK(m)
/* SSL_CTX_set_client_cert_cb() callback, invoked by OpenSSL on the handshake
 * thread when the server sends a CertificateRequest. Recovers the connection
 * from ex_data, records the server's accepted CA list, and hands OpenSSL the
 * application's certificate and private key (each with its own reference, as
 * OpenSSL takes ownership of what is stored through the out-parameters). The
 * return statements are on elided lines. */
315 handshake_thread_retrieve_certificate (SSL *ssl,
319 GTlsClientConnectionOpenssl *client;
320 GTlsConnectionBase *tls;
321 GTlsCertificate *cert;
324 DATA_INDEX_LOCK(data_index);
326 client = SSL_get_ex_data (ssl, data_index);
327 DATA_INDEX_UNLOCK(data_index);
/* Without the back-pointer there is no connection to ask for a certificate;
 * the early return after this log line is elided. */
330 TIZEN_LOGE("SSL_get_ex_data(%p) returns NULL.", ssl);
333 tls = G_TLS_CONNECTION_BASE (client);
/* NOTE(review): `idx` is not declared on any visible line — confirm it is the
 * ex_data index read under the lock above. This info-level line also prints
 * raw heap addresses of the SSL and connection objects; consider whether that
 * is wanted in production logs. */
335 TIZEN_LOGI("ssl[%p] client[%p] tls[%p] data_index[%d]", ssl, client, tls, idx);
/* Borrowed pointer into the SSL object; exposed later via "accepted-cas". */
337 client->ca_list = SSL_get_client_CA_list (client->ssl);
339 cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (client));
/* No certificate configured up front: ask the application (via the base
 * class, which emits the request on the right context) and re-read it. */
342 if (g_tls_connection_base_handshake_thread_request_certificate (tls))
343 cert = g_tls_connection_get_certificate (G_TLS_CONNECTION (client));
350 key = g_tls_certificate_openssl_get_key (G_TLS_CERTIFICATE_OPENSSL (cert));
354 /* increase ref count */
/* Pre-1.1.0 OpenSSL (and LibreSSL) have no EVP_PKEY_up_ref(); the manual
 * CRYPTO_add() is the equivalent atomic reference bump. */
355 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
356 CRYPTO_add (&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
358 EVP_PKEY_up_ref (key);
/* X509_dup() gives OpenSSL its own copy so the GTlsCertificate's X509 stays
 * owned by the certificate object. */
362 *x509 = X509_dup (g_tls_certificate_openssl_get_cert (G_TLS_CERTIFICATE_OPENSSL (cert)));
/* Records that a client certificate was requested but none was supplied, so
 * the base class can report G_TLS_ERROR_CERTIFICATE_REQUIRED on failure. */
368 g_tls_connection_base_handshake_thread_set_missing_requested_client_certificate (tls);
/* Applies an operator-supplied cipher list to the SSL_CTX. The list comes from
 * the G_TLS_OPENSSL_CIPHER_LIST environment variable, so anyone who controls
 * the process environment controls which ciphers this client will offer; the
 * check that skips this when the variable is unset is on an elided line.
 * Returns FALSE and sets `error` if OpenSSL rejects the string. */
374 set_cipher_list (GTlsClientConnectionOpenssl *client,
377 const gchar *cipher_list;
379 cipher_list = g_getenv ("G_TLS_OPENSSL_CIPHER_LIST");
/* SSL_CTX_set_cipher_list() returns 0 when no cipher in the list is usable. */
382 if (!SSL_CTX_set_cipher_list (client->ssl_ctx, cipher_list))
384 char error_buffer[256];
385 ERR_error_string_n (ERR_get_error (), error_buffer, sizeof (error_buffer));
386 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
387 _("Could not set TLS cipher list: %s"),
/* Caps the maximum protocol version from the G_TLS_OPENSSL_MAX_PROTO
 * environment variable (an OpenSSL version constant, parsed with base 0 so
 * hex like 0x0303 is accepted). Only compiled where the SSL_CTX macro exists;
 * the unset/empty-variable path and the TRUE return are on elided lines.
 * As with set_cipher_list(), this is an environment-controlled downgrade of
 * the TLS policy and is intended for debugging. */
397 set_max_protocol (GTlsClientConnectionOpenssl *client,
400 #ifdef SSL_CTX_set_max_proto_version
403 proto = g_getenv ("G_TLS_OPENSSL_MAX_PROTO");
/* NULL endptr: trailing garbage after the number is silently ignored. */
406 gint64 version = g_ascii_strtoll (proto, NULL, 0);
/* Range check before narrowing to int; 0 (parse failure) is skipped. */
408 if (version > 0 && version < G_MAXINT)
410 if (!SSL_CTX_set_max_proto_version (client->ssl_ctx, (int)version))
412 char error_buffer[256];
413 ERR_error_string_n (ERR_get_error (), error_buffer, sizeof (error_buffer));
414 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
415 _("Could not set MAX protocol to %d: %s"),
416 (int)version, error_buffer);
426 #ifdef SSL_CTX_set1_sigalgs_list
/* Applies G_TLS_OPENSSL_SIGNATURE_ALGORITHM_LIST from the environment to the
 * SSL_CTX. Unlike set_cipher_list(), the return value of the OpenSSL call is
 * ignored, so a malformed list fails silently and the defaults stay in effect. */
428 set_signature_algorithm_list (GTlsClientConnectionOpenssl *client)
430 const gchar *signature_algorithm_list;
432 signature_algorithm_list = g_getenv ("G_TLS_OPENSSL_SIGNATURE_ALGORITHM_LIST");
433 if (!signature_algorithm_list)
436 SSL_CTX_set1_sigalgs_list (client->ssl_ctx, signature_algorithm_list);
440 #ifdef SSL_CTX_set1_curves_list
/* Applies G_TLS_OPENSSL_CURVE_LIST from the environment to the SSL_CTX. The
 * unset check is on an elided line, and as in set_signature_algorithm_list()
 * the OpenSSL return value is not checked, so a bad list is silently ignored. */
442 set_curve_list (GTlsClientConnectionOpenssl *client)
444 const gchar *curve_list;
446 curve_list = g_getenv ("G_TLS_OPENSSL_CURVE_LIST");
450 SSL_CTX_set1_curves_list (client->ssl_ctx, curve_list);
/* GInitable::init. Builds the SSL_CTX and SSL for this connection: selects the
 * (D)TLS client method, applies environment overrides, pins protocol options,
 * installs hostname verification and SNI from the server identity, registers
 * the client-certificate callback, requests OCSP stapling, then chains to the
 * parent init. Returns FALSE with `error` set on any OpenSSL failure (several
 * `return FALSE` lines are elided). */
455 g_tls_client_connection_openssl_initable_init (GInitable *initable,
456 GCancellable *cancellable,
459 GTlsClientConnectionOpenssl *client = G_TLS_CLIENT_CONNECTION_OPENSSL (initable);
461 const char *hostname;
462 char error_buffer[256];
/* Return value is not checked; a NULL session would reach
 * SSL_CTX_add_session() below. */
464 client->session = SSL_SESSION_new ();
/* Pick the DTLS or TLS client method by connection type. Since 1.1.0 the
 * version-flexible TLS_client_method() is used; older releases fall back to
 * SSLv23_client_method(), with the protocol floor enforced by the
 * SSL_OP_NO_* options below rather than by the method. */
466 client->ssl_ctx = SSL_CTX_new (g_tls_connection_base_is_dtls (G_TLS_CONNECTION_BASE (client))
467 #if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
468 ? DTLS_client_method ()
469 : TLS_client_method ());
471 ? DTLSv1_client_method ()
472 : SSLv23_client_method ());
474 if (!client->ssl_ctx)
476 ERR_error_string_n (ERR_get_error (), error_buffer, sizeof (error_buffer));
477 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
478 _("Could not create TLS context: %s"),
/* Environment-driven overrides (see the helpers above); both propagate errors. */
483 if (!set_cipher_list (client, error))
486 if (!set_max_protocol (client, error))
/* Hardening options: no session tickets, no TLS compression (CRIME), and the
 * SSL_OP_NO_SSLv*/TLSv1_x flags (partly elided) that leave only TLS 1.2+. */
489 /* Only TLS 1.2 or higher */
490 options = SSL_OP_NO_TICKET |
491 SSL_OP_NO_COMPRESSION |
492 #ifdef SSL_OP_NO_TLSv1_1
498 SSL_CTX_set_options (client->ssl_ctx, options);
/* Clearing SSL_OP_LEGACY_SERVER_CONNECT refuses servers that do not support
 * RFC 5746 secure renegotiation, closing the renegotiation-splicing hole. */
500 SSL_CTX_clear_options (client->ssl_ctx, SSL_OP_LEGACY_SERVER_CONNECT);
502 hostname = get_server_identity (client);
/* Hostname verification: pin the expected host into the SSL_CTX verify params
 * (the enclosing `if (hostname)` is on an elided line). None of the three
 * OpenSSL calls has its return checked, so an allocation failure or a
 * rejected hostname would leave the context without the host constraint,
 * and X509_VERIFY_PARAM_set1_host() on a NULL `param` would dereference it.
 * Whether the base class performs an independent identity check cannot be
 * confirmed from this file — TODO(review) verify. A namelen of 0 means
 * `hostname` is NUL-terminated. */
506 X509_VERIFY_PARAM *param;
508 param = X509_VERIFY_PARAM_new ();
509 X509_VERIFY_PARAM_set1_host (param, hostname, 0);
510 SSL_CTX_set1_param (client->ssl_ctx, param);
/* set1_param copied the settings; our local copy can go. */
511 X509_VERIFY_PARAM_free (param);
/* The context takes its own reference on the session (balanced in finalize()). */
514 SSL_CTX_add_session (client->ssl_ctx, client->session);
516 SSL_CTX_set_client_cert_cb (client->ssl_ctx, handshake_thread_retrieve_certificate);
518 #ifdef SSL_CTX_set1_sigalgs_list
519 set_signature_algorithm_list (client);
522 #ifdef SSL_CTX_set1_curves_list
523 set_curve_list (client);
526 client->ssl = SSL_new (client->ssl_ctx);
529 ERR_error_string_n (ERR_get_error (), error_buffer, sizeof (error_buffer));
530 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
531 _("Could not create TLS connection: %s"),
/* Lazily allocate the process-wide ex_data slot, then store the back-pointer
 * the client-certificate callback relies on. SSL_get_ex_new_index() returns
 * -1 on failure, which is not checked here and would leave data_index at the
 * "unallocated" sentinel. */
536 DATA_INDEX_LOCK(data_index);
537 if (data_index == -1) {
538 data_index = SSL_get_ex_new_index (0, (void *)"gtlsclientconnection", NULL, NULL, NULL);
540 SSL_set_ex_data (client->ssl, data_index, client);
541 DATA_INDEX_UNLOCK(data_index);
/* SNI: RFC 6066 forbids IP literals in server_name, hence the IP check. */
543 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
544 if (hostname && !g_hostname_is_ip_address (hostname))
545 SSL_set_tlsext_host_name (client->ssl, hostname);
548 SSL_set_connect_state (client->ssl);
/* Ask the server to staple an OCSP response; it is consumed by
 * verify_ocsp_response() after the handshake. */
550 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
551 !defined(OPENSSL_NO_OCSP)
552 SSL_set_tlsext_status_type (client->ssl, TLSEXT_STATUSTYPE_ocsp);
/* Chain to the parent GInitable implementation captured at interface init. */
555 if (!g_tls_client_connection_openssl_parent_initable_iface->
556 init (initable, cancellable, error))
/* GInitable interface initialiser: remembers the parent vtable so
 * initable_init() can chain up, then installs our init. */
563 g_tls_client_connection_openssl_initable_interface_init (GInitableIface *iface)
565 g_tls_client_connection_openssl_parent_initable_iface = g_type_interface_peek_parent (iface);
567 iface->init = g_tls_client_connection_openssl_initable_init;