1 /* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
3 * gtlsconnection-openssl.c
5 * Copyright (C) 2015 NICE s.r.l.
7 * This file is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This file is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public License
18 * along with this program. If not, see <http://www.gnu.org/licenses/>.
20 * In addition, when the library is used with OpenSSL, a special
21 * exception applies. Refer to the LICENSE_EXCEPTION file for details.
23 * Authors: Ignacio Casal Quinteiro
31 #include "openssl-include.h"
33 #include "gtlsconnection-openssl.h"
34 #include "gtlsbackend-openssl.h"
35 #include "gtlscertificate-openssl.h"
36 #include "gtlsdatabase-openssl.h"
40 #include <glib/gi18n-lib.h>
42 #define DTLS_MESSAGE_MAX_SIZE 65536
44 typedef struct _GTlsConnectionOpensslPrivate
51 gboolean shutting_down;
52 } GTlsConnectionOpensslPrivate;
54 typedef int (*GTlsOpensslIOFunc) (SSL *ssl, gpointer user_data);
56 typedef struct _ReadRequest
62 typedef struct _WriteRequest
68 static void g_tls_connection_openssl_initable_iface_init (GInitableIface *iface);
70 G_DEFINE_ABSTRACT_TYPE_WITH_CODE (GTlsConnectionOpenssl, g_tls_connection_openssl, G_TYPE_TLS_CONNECTION_BASE,
71 G_ADD_PRIVATE (GTlsConnectionOpenssl)
72 G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
73 g_tls_connection_openssl_initable_iface_init))
76 g_tls_connection_openssl_finalize (GObject *object)
78 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (object);
79 GTlsConnectionOpensslPrivate *priv;
81 priv = g_tls_connection_openssl_get_instance_private (openssl);
83 g_free (priv->dtls_rx);
84 g_free (priv->dtls_tx);
85 g_mutex_clear (&priv->ssl_mutex);
87 G_OBJECT_CLASS (g_tls_connection_openssl_parent_class)->finalize (object);
90 static GTlsSafeRenegotiationStatus
91 g_tls_connection_openssl_handshake_thread_safe_renegotiation_status (GTlsConnectionBase *tls)
93 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
96 ssl = g_tls_connection_openssl_get_ssl (openssl);
98 return SSL_get_secure_renegotiation_support (ssl) ? G_TLS_SAFE_RENEGOTIATION_SUPPORTED_BY_PEER
99 : G_TLS_SAFE_RENEGOTIATION_UNSUPPORTED;
102 static GTlsConnectionBaseStatus
103 end_openssl_io (GTlsConnectionOpenssl *openssl,
104 GIOCondition direction,
108 const char *err_prefix,
111 GTlsConnectionBase *tls = G_TLS_CONNECTION_BASE (openssl);
112 GTlsConnectionOpensslPrivate *priv;
113 int err_code, err, err_lib, reason;
114 GError *my_error = NULL;
115 GTlsConnectionBaseStatus status;
118 priv = g_tls_connection_openssl_get_instance_private (openssl);
120 ssl = g_tls_connection_openssl_get_ssl (openssl);
122 err_code = SSL_get_error (ssl, ret);
124 status = g_tls_connection_base_pop_io (tls, direction, ret > 0, &my_error);
126 if ((err_code == SSL_ERROR_WANT_READ ||
127 err_code == SSL_ERROR_WANT_WRITE) &&
131 g_error_free (my_error);
132 return G_TLS_CONNECTION_BASE_TRY_AGAIN;
135 if (err_code == SSL_ERROR_ZERO_RETURN)
136 return G_TLS_CONNECTION_BASE_OK;
138 if (status == G_TLS_CONNECTION_BASE_OK ||
139 status == G_TLS_CONNECTION_BASE_WOULD_BLOCK ||
140 status == G_TLS_CONNECTION_BASE_TIMED_OUT)
143 g_propagate_error (error, my_error);
147 /* This case is documented that it may happen and that is perfectly fine */
148 if (err_code == SSL_ERROR_SYSCALL &&
149 (priv->shutting_down && (!my_error || g_error_matches (my_error, G_IO_ERROR, G_IO_ERROR_BROKEN_PIPE))))
151 g_clear_error (&my_error);
152 return G_TLS_CONNECTION_BASE_OK;
155 err = ERR_get_error ();
156 err_lib = ERR_GET_LIB (err);
157 reason = ERR_GET_REASON (err);
159 if (g_tls_connection_base_is_handshaking (tls) && !g_tls_connection_base_ever_handshaked (tls))
161 if (reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE && my_error)
163 g_propagate_error (error, my_error);
164 return G_TLS_CONNECTION_BASE_ERROR;
166 else if (reason == SSL_R_BAD_PACKET_LENGTH ||
167 reason == SSL_R_UNKNOWN_ALERT_TYPE ||
168 reason == SSL_R_DECRYPTION_FAILED ||
169 reason == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC ||
170 reason == SSL_R_BAD_PROTOCOL_VERSION_NUMBER ||
171 reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE ||
172 reason == SSL_R_UNKNOWN_PROTOCOL)
174 g_clear_error (&my_error);
175 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_NOT_TLS,
176 _("Peer failed to perform TLS handshake: %s"), ERR_reason_error_string (err));
177 return G_TLS_CONNECTION_BASE_ERROR;
181 #ifdef SSL_R_SHUTDOWN_WHILE_IN_INIT
182 /* XXX: this error happens on ubuntu when shutting down the connection, it
183 * seems to be a bug in a specific version of openssl, so let's handle it
186 if (reason == SSL_R_SHUTDOWN_WHILE_IN_INIT)
188 g_clear_error (&my_error);
189 return G_TLS_CONNECTION_BASE_OK;
193 if (reason == SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE
194 #ifdef SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
195 || reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED
199 g_clear_error (&my_error);
200 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_CERTIFICATE_REQUIRED,
201 _("TLS connection peer did not send a certificate"));
205 if (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)
207 g_clear_error (&my_error);
208 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
209 _("Unacceptable TLS certificate"));
210 return G_TLS_CONNECTION_BASE_ERROR;
213 if (reason == SSL_R_TLSV1_ALERT_UNKNOWN_CA)
215 g_clear_error (&my_error);
216 g_set_error (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
217 _("Unacceptable TLS certificate authority"));
218 return G_TLS_CONNECTION_BASE_ERROR;
221 if (err_lib == ERR_LIB_RSA && reason == RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY)
223 g_clear_error (&my_error);
224 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
225 _("Digest too big for RSA key"));
226 return G_TLS_CONNECTION_BASE_ERROR;
229 #ifdef SSL_R_NO_RENEGOTIATION
230 if (reason == SSL_R_NO_RENEGOTIATION)
232 g_clear_error (&my_error);
233 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_MISC,
234 _("Secure renegotiation is disabled"));
235 return G_TLS_CONNECTION_BASE_REHANDSHAKE;
240 g_propagate_error (error, my_error);
242 if (ret == 0 && err == 0 && err_lib == 0 && err_code == SSL_ERROR_SYSCALL
243 && (direction == G_IO_IN || direction == G_IO_OUT))
245 /* SSL_ERROR_SYSCALL usually means we have no bloody idea what has happened
246 * but when ret for read or write is 0 and all others error codes as well
247 * - this is normally Early EOF condition
249 if (!g_tls_connection_get_require_close_notify (G_TLS_CONNECTION (openssl)))
250 return G_TLS_CONNECTION_BASE_OK;
252 if (error && !*error)
253 *error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_EOF, _("%s: The connection is broken"), err_prefix);
255 else if (error && !*error)
256 *error = g_error_new (G_TLS_ERROR, G_TLS_ERROR_MISC, "%s: %s", err_prefix, err_str);
258 return G_TLS_CONNECTION_BASE_ERROR;
261 static GTlsConnectionBaseStatus
262 perform_openssl_io (GTlsConnectionOpenssl *openssl,
263 GIOCondition direction,
264 GTlsOpensslIOFunc perform_func,
265 gpointer perform_data,
267 GCancellable *cancellable,
270 const char *err_prefix)
272 GTlsConnectionBaseStatus status;
273 GTlsConnectionBase *tls;
274 GTlsConnectionOpensslPrivate *priv;
279 tls = G_TLS_CONNECTION_BASE (openssl);
280 priv = g_tls_connection_openssl_get_instance_private (openssl);
281 ssl = g_tls_connection_openssl_get_ssl (openssl);
284 deadline = g_get_monotonic_time () + timeout;
290 GIOCondition io_needed;
295 g_tls_connection_base_push_io (tls, direction, 0, cancellable);
297 if (g_tls_connection_base_is_dtls (tls))
298 DTLSv1_handle_timeout (ssl);
300 ret = perform_func (ssl, perform_data);
302 switch (SSL_get_error (ssl, ret))
304 case SSL_ERROR_WANT_READ:
307 case SSL_ERROR_WANT_WRITE:
308 io_needed = G_IO_OUT;
315 ERR_error_string_n (SSL_get_error (ssl, ret), error_str,
317 status = end_openssl_io (openssl, direction, ret, TRUE, error, err_prefix,
320 if (status != G_TLS_CONNECTION_BASE_TRY_AGAIN)
323 if (g_tls_connection_base_is_dtls (tls) && DTLSv1_get_timeout (ssl, &tv))
324 io_timeout = (tv.tv_sec * G_USEC_PER_SEC) + tv.tv_usec;
330 gint64 remaining = MAX (deadline - g_get_monotonic_time (), 0);
332 if (io_timeout != -1)
333 io_timeout = MIN (io_timeout, remaining);
335 io_timeout = remaining;
341 g_tls_bio_wait_available (priv->bio, io_needed, io_timeout, cancellable);
344 if (status == G_TLS_CONNECTION_BASE_TRY_AGAIN)
348 status = G_TLS_CONNECTION_BASE_WOULD_BLOCK;
349 g_clear_error (error);
350 g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_WOULD_BLOCK,
351 "Operation would block");
353 else if (timeout > 0)
355 status = G_TLS_CONNECTION_BASE_TIMED_OUT;
356 g_clear_error (error);
357 g_set_error_literal (error, G_IO_ERROR, G_IO_ERROR_TIMED_OUT,
358 _("Socket I/O timed out"));
369 _openssl_alpn_select_cb (SSL *ssl,
370 const unsigned char **out,
371 unsigned char *outlen,
372 const unsigned char *in,
376 GTlsConnectionBase *tls = arg;
377 int ret = SSL_TLSEXT_ERR_NOACK;
378 gchar **advertised_protocols = NULL;
381 logbuf = g_strndup ((const gchar *)in, inlen);
382 g_tls_log_debug (tls, "ALPN their protocols: %s", logbuf);
385 g_object_get (G_OBJECT (tls),
386 "advertised-protocols", &advertised_protocols,
389 if (!advertised_protocols)
392 if (g_strv_length (advertised_protocols) > 0)
394 GByteArray *protocols = g_byte_array_new ();
399 for (i = 0; advertised_protocols[i]; i++)
401 guint8 len = strlen (advertised_protocols[i]);
402 g_byte_array_append (protocols, &len, 1);
403 g_byte_array_append (protocols,
404 (guint8 *)advertised_protocols[i],
407 logbuf = g_strndup ((const gchar *)protocols->data, protocols->len);
408 g_tls_log_debug (tls, "ALPN our protocols: %s", logbuf);
411 /* pointer to memory inside in[0..inlen] is returned on success
412 * pointer to protocols->data is returned on failure */
413 ret = SSL_select_next_proto (&spd, &slen,
415 protocols->data, protocols->len);
416 if (ret == OPENSSL_NPN_NEGOTIATED)
418 logbuf = g_strndup ((const gchar *)spd, slen);
419 g_tls_log_debug (tls, "ALPN selected protocol %s", logbuf);
422 ret = SSL_TLSEXT_ERR_OK;
428 g_tls_log_debug (tls, "ALPN no matching protocol");
429 ret = SSL_TLSEXT_ERR_NOACK;
432 g_byte_array_unref (protocols);
435 g_strfreev (advertised_protocols);
440 g_tls_connection_openssl_prepare_handshake (GTlsConnectionBase *tls,
441 gchar **advertised_protocols)
445 if (!advertised_protocols)
448 ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (tls));
450 if (G_IS_TLS_SERVER_CONNECTION (tls))
452 SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
454 g_tls_log_debug (tls, "Setting ALPN Callback on %p", ctx);
455 SSL_CTX_set_alpn_select_cb (ctx, _openssl_alpn_select_cb, tls);
460 if (g_strv_length (advertised_protocols) > 0)
462 GByteArray *protocols = g_byte_array_new ();
465 for (i = 0; advertised_protocols[i]; i++)
467 guint8 len = strlen (advertised_protocols[i]);
468 g_byte_array_append (protocols, &len, 1);
469 g_byte_array_append (protocols, (guint8 *)advertised_protocols[i], len);
471 ret = SSL_set_alpn_protos (ssl, protocols->data, protocols->len);
473 g_tls_log_debug (tls, "Error setting ALPN protocols: %d", ret);
476 gchar *logbuf = g_strndup ((const gchar *)protocols->data, protocols->len);
478 g_tls_log_debug (tls, "Setting ALPN protocols to %s", logbuf);
481 g_byte_array_unref (protocols);
485 static GTlsCertificateFlags
486 g_tls_connection_openssl_verify_chain (GTlsConnectionBase *tls,
487 GTlsCertificate *chain,
488 const gchar *purpose,
489 GSocketConnectable *identity,
490 GTlsInteraction *interaction,
491 GTlsDatabaseVerifyFlags flags,
492 GCancellable *cancellable,
495 GTlsDatabase *database;
496 GTlsCertificateFlags errors = 0;
497 gboolean is_client = G_IS_TLS_CLIENT_CONNECTION (tls);
499 database = g_tls_connection_get_database (G_TLS_CONNECTION (tls));
502 errors |= g_tls_database_verify_chain (database,
504 is_client ? G_TLS_DATABASE_PURPOSE_AUTHENTICATE_SERVER : G_TLS_DATABASE_PURPOSE_AUTHENTICATE_CLIENT,
506 g_tls_connection_get_interaction (G_TLS_CONNECTION (tls)),
507 G_TLS_DATABASE_VERIFY_NONE,
513 errors |= G_TLS_CERTIFICATE_UNKNOWN_CA;
514 errors |= g_tls_certificate_verify (chain, identity, NULL);
520 static GTlsProtocolVersion
521 glib_protocol_version_from_openssl (int protocol_version)
523 switch (protocol_version)
526 return G_TLS_PROTOCOL_VERSION_SSL_3_0;
528 return G_TLS_PROTOCOL_VERSION_TLS_1_0;
530 return G_TLS_PROTOCOL_VERSION_TLS_1_1;
532 return G_TLS_PROTOCOL_VERSION_TLS_1_2;
534 return G_TLS_PROTOCOL_VERSION_TLS_1_3;
536 return G_TLS_PROTOCOL_VERSION_DTLS_1_0;
537 case DTLS1_2_VERSION:
538 return G_TLS_PROTOCOL_VERSION_DTLS_1_2;
540 return G_TLS_PROTOCOL_VERSION_UNKNOWN;
545 g_tls_connection_openssl_complete_handshake (GTlsConnectionBase *tls,
546 gboolean handshake_succeeded,
547 gchar **negotiated_protocol,
548 GTlsProtocolVersion *protocol_version,
549 gchar **ciphersuite_name,
553 SSL_SESSION *session;
554 unsigned int len = 0;
555 const unsigned char *data = NULL;
557 if (!handshake_succeeded)
560 ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (tls));
561 session = SSL_get_session (ssl);
563 SSL_get0_alpn_selected (ssl, &data, &len);
565 g_tls_log_debug (tls, "negotiated ALPN protocols: [%d]%p", len, data);
569 g_assert (!*negotiated_protocol);
570 *negotiated_protocol = g_strndup ((gchar *)data, len);
573 *protocol_version = glib_protocol_version_from_openssl (SSL_SESSION_get_protocol_version (session));
574 *ciphersuite_name = g_strdup (SSL_get_cipher_name (ssl));
578 perform_rehandshake (SSL *ssl,
581 GTlsConnectionBase *tls = user_data;
582 int ret = 1; /* always look on the bright side of life */
584 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
585 if (SSL_version(ssl) >= TLS1_3_VERSION)
586 ret = SSL_key_update (ssl, SSL_KEY_UPDATE_REQUESTED);
587 else if (SSL_get_secure_renegotiation_support (ssl) && !(SSL_get_options(ssl) & SSL_OP_NO_RENEGOTIATION))
588 /* remote and local peers both can rehandshake */
589 ret = SSL_renegotiate (ssl);
591 g_tls_log_debug (tls, "Secure renegotiation is not supported");
593 ret = SSL_renegotiate (ssl);
599 static GTlsConnectionBaseStatus
600 g_tls_connection_openssl_handshake_thread_request_rehandshake (GTlsConnectionBase *tls,
602 GCancellable *cancellable,
605 /* On a client-side connection, SSL_renegotiate() itself will start
606 * a rehandshake, so we only need to do something special here for
607 * server-side connections.
609 if (!G_IS_TLS_SERVER_CONNECTION (tls))
610 return G_TLS_CONNECTION_BASE_OK;
612 return perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls), G_IO_IN | G_IO_OUT,
613 perform_rehandshake, tls, timeout, cancellable,
614 NULL, error, _("Error performing TLS handshake"));
617 static GTlsCertificate *
618 g_tls_connection_openssl_retrieve_peer_certificate (GTlsConnectionBase *tls)
621 STACK_OF (X509) *certs;
622 GTlsCertificateOpenssl *chain;
625 ssl = g_tls_connection_openssl_get_ssl (G_TLS_CONNECTION_OPENSSL (tls));
627 peer = SSL_get_peer_certificate (ssl);
631 certs = SSL_get_peer_cert_chain (ssl);
638 chain = g_tls_certificate_openssl_build_chain (peer, certs);
643 return G_TLS_CERTIFICATE (chain);
647 openssl_get_binding_tls_unique (GTlsConnectionOpenssl *tls,
651 SSL *ssl = g_tls_connection_openssl_get_ssl (tls);
652 gboolean is_client = G_IS_TLS_CLIENT_CONNECTION (tls);
653 gboolean resumed = SSL_session_reused (ssl);
656 #if OPENSSL_VERSION_NUMBER >= 0x10101000L
657 if (SSL_version (ssl) >= TLS1_3_VERSION)
659 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
660 _("The request is invalid."));
665 /* This is a drill */
670 g_byte_array_set_size (data, len);
671 if ((resumed && is_client) || (!resumed && !is_client))
672 len = SSL_get_peer_finished (ssl, data->data, data->len);
674 len = SSL_get_finished (ssl, data->data, data->len);
675 } while (len > data->len);
679 g_byte_array_set_size (data, len);
682 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_AVAILABLE,
683 _("Channel binding data tls-unique is not available"));
688 openssl_get_binding_tls_server_end_point (GTlsConnectionOpenssl *tls,
692 SSL *ssl = g_tls_connection_openssl_get_ssl (tls);
693 gboolean is_client = G_IS_TLS_CLIENT_CONNECTION (tls);
695 const EVP_MD *algo = NULL;
699 crt = SSL_get_peer_certificate (ssl);
701 crt = SSL_get_certificate (ssl);
705 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_AVAILABLE,
706 _("X.509 Certificate is not available on the connection"));
710 if (!OBJ_find_sigid_algs (X509_get_signature_nid (crt), &algo_nid, NULL))
713 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
714 _("Unable to obtain certificate signature algorithm"));
718 /* This is a drill */
730 algo_nid = NID_sha256;
733 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_SUPPORTED,
734 _("Current X.509 certificate uses unknown or unsupported signature algorithm"));
740 g_byte_array_set_size (data, EVP_MAX_MD_SIZE);
741 algo = EVP_get_digestbynid (algo_nid);
742 if (X509_digest (crt, algo, data->data, &(data->len)))
751 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
752 _("Failed to generate X.509 certificate digest"));
756 #define RFC5705_LABEL_DATA "EXPORTER-Channel-Binding"
757 #define RFC5705_LABEL_LEN 24
759 openssl_get_binding_tls_exporter (GTlsConnectionOpenssl *tls,
763 SSL *ssl = g_tls_connection_openssl_get_ssl (tls);
765 guint8 *context = (guint8 *)"";
771 g_byte_array_set_size (data, 32);
772 ret = SSL_export_keying_material (ssl,
773 data->data, data->len,
774 RFC5705_LABEL_DATA, RFC5705_LABEL_LEN,
776 1 /* use context */);
782 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_SUPPORTED,
783 _("TLS Connection does not support TLS-Exporter feature"));
785 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_GENERAL_ERROR,
786 _("Unexpected error while exporting keying data"));
792 g_tls_connection_openssl_get_channel_binding_data (GTlsConnectionBase *tls,
793 GTlsChannelBindingType type,
797 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
799 /* XXX: remove the cast once public enum supports exporter */
802 case G_TLS_CHANNEL_BINDING_TLS_UNIQUE:
803 return openssl_get_binding_tls_unique (openssl, data, error);
805 case G_TLS_CHANNEL_BINDING_TLS_SERVER_END_POINT:
806 return openssl_get_binding_tls_server_end_point (openssl, data, error);
809 return openssl_get_binding_tls_exporter (openssl, data, error);
812 /* Anyone to implement tls-unique-for-telnet? */
813 g_set_error (error, G_TLS_CHANNEL_BINDING_ERROR, G_TLS_CHANNEL_BINDING_ERROR_NOT_IMPLEMENTED,
814 _("Requested channel binding type is not implemented"));
819 static GTlsConnectionBaseStatus
820 g_tls_connection_openssl_handshake_thread_handshake (GTlsConnectionBase *tls,
822 GCancellable *cancellable,
825 GTlsConnectionBaseStatus status;
828 status = perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls),
830 (GTlsOpensslIOFunc) SSL_do_handshake,
831 NULL, timeout, cancellable, &ret, error,
832 _("Error reading data from TLS socket"));
836 if (!g_tls_connection_base_handshake_thread_verify_certificate (tls))
838 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
839 _("Unacceptable TLS certificate"));
840 return G_TLS_CONNECTION_BASE_ERROR;
848 g_tls_connection_openssl_push_io (GTlsConnectionBase *tls,
849 GIOCondition direction,
851 GCancellable *cancellable)
853 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
854 GTlsConnectionOpensslPrivate *priv;
857 priv = g_tls_connection_openssl_get_instance_private (openssl);
859 G_TLS_CONNECTION_BASE_CLASS (g_tls_connection_openssl_parent_class)->push_io (tls, direction,
860 timeout, cancellable);
862 if (direction & G_IO_IN)
864 error = g_tls_connection_base_get_read_error (tls);
865 g_tls_bio_set_read_cancellable (priv->bio, cancellable);
866 g_clear_error (error);
867 g_tls_bio_set_read_error (priv->bio, error);
870 if (direction & G_IO_OUT)
872 error = g_tls_connection_base_get_write_error (tls);
873 g_tls_bio_set_write_cancellable (priv->bio, cancellable);
874 g_clear_error (error);
875 g_tls_bio_set_write_error (priv->bio, error);
878 g_mutex_lock (&priv->ssl_mutex);
881 static GTlsConnectionBaseStatus
882 g_tls_connection_openssl_pop_io (GTlsConnectionBase *tls,
883 GIOCondition direction,
887 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
888 GTlsConnectionOpensslPrivate *priv;
890 priv = g_tls_connection_openssl_get_instance_private (openssl);
892 g_mutex_unlock (&priv->ssl_mutex);
894 if (direction & G_IO_IN)
895 g_tls_bio_set_read_cancellable (priv->bio, NULL);
897 if (direction & G_IO_OUT)
898 g_tls_bio_set_write_cancellable (priv->bio, NULL);
900 return G_TLS_CONNECTION_BASE_CLASS (g_tls_connection_openssl_parent_class)->pop_io (tls, direction,
905 perform_read (SSL *ssl,
908 ReadRequest *req = user_data;
910 return SSL_read (ssl, req->buffer, req->count);
913 static GTlsConnectionBaseStatus
914 g_tls_connection_openssl_read (GTlsConnectionBase *tls,
919 GCancellable *cancellable,
922 GTlsConnectionBaseStatus status;
923 ReadRequest req = { buffer, count };
926 status = perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls), G_IO_IN,
927 perform_read, &req, timeout, cancellable, &ret,
928 error, _("Error reading data from TLS socket"));
930 *nread = MAX (ret, 0);
934 static GTlsConnectionBaseStatus
935 g_tls_connection_openssl_read_message (GTlsConnectionBase *tls,
936 GInputVector *vectors,
940 GCancellable *cancellable,
943 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
944 GTlsConnectionOpensslPrivate *priv;
945 GTlsConnectionBaseStatus status;
947 gsize bytes_copied, bytes_remaining;
952 priv = g_tls_connection_openssl_get_instance_private (openssl);
955 priv->dtls_rx = g_malloc (DTLS_MESSAGE_MAX_SIZE);
957 status = g_tls_connection_openssl_read (tls, priv->dtls_rx,
958 DTLS_MESSAGE_MAX_SIZE, timeout,
959 &bytes_read, cancellable, error);
960 if (status != G_TLS_CONNECTION_BASE_OK)
964 bytes_remaining = bytes_read;
965 for (i = 0; i < num_vectors && bytes_remaining > 0; i++)
967 GInputVector *vector = &vectors[i];
970 n = MIN (bytes_remaining, vector->size);
972 memcpy (vector->buffer, priv->dtls_rx + bytes_copied, n);
975 bytes_remaining -= n;
978 *nread = bytes_copied;
984 perform_write (SSL *ssl,
987 WriteRequest *req = user_data;
989 return SSL_write (ssl, req->buffer, req->count);
992 static GTlsConnectionBaseStatus
993 g_tls_connection_openssl_write (GTlsConnectionBase *tls,
998 GCancellable *cancellable,
1001 GTlsConnectionBaseStatus status;
1002 WriteRequest req = { buffer, count };
1005 status = perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls), G_IO_OUT,
1006 perform_write, &req, timeout, cancellable, &ret,
1007 error, _("Error writing data to TLS socket"));
1009 *nwrote = MAX (ret, 0);
1013 static GTlsConnectionBaseStatus
1014 g_tls_connection_openssl_write_message (GTlsConnectionBase *tls,
1015 GOutputVector *vectors,
1019 GCancellable *cancellable,
1022 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
1023 GTlsConnectionOpensslPrivate *priv;
1024 gsize bytes_copied, bytes_available;
1027 priv = g_tls_connection_openssl_get_instance_private (openssl);
1030 priv->dtls_tx = g_malloc (DTLS_MESSAGE_MAX_SIZE);
1033 bytes_available = DTLS_MESSAGE_MAX_SIZE;
1034 for (i = 0; i < num_vectors && bytes_available > 0; i++)
1036 GOutputVector *vector = &vectors[i];
1039 n = MIN (vector->size, bytes_available);
1041 memcpy (priv->dtls_tx + bytes_copied, vector->buffer, n);
1044 bytes_available -= n;
1047 return g_tls_connection_openssl_write (tls, priv->dtls_tx, bytes_copied,
1048 timeout, nwrote, cancellable, error);
1051 static GTlsConnectionBaseStatus
1052 g_tls_connection_openssl_close (GTlsConnectionBase *tls,
1054 GCancellable *cancellable,
1057 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
1058 GTlsConnectionOpensslPrivate *priv;
1060 priv = g_tls_connection_openssl_get_instance_private (openssl);
1062 priv->shutting_down = TRUE;
1064 return perform_openssl_io (G_TLS_CONNECTION_OPENSSL (tls),
1066 (GTlsOpensslIOFunc) SSL_shutdown,
1067 NULL, timeout, cancellable, NULL, error,
1068 _("Error performing TLS close"));
1072 g_tls_connection_openssl_class_init (GTlsConnectionOpensslClass *klass)
1074 GObjectClass *object_class = G_OBJECT_CLASS (klass);
1075 GTlsConnectionBaseClass *base_class = G_TLS_CONNECTION_BASE_CLASS (klass);
1077 object_class->finalize = g_tls_connection_openssl_finalize;
1079 base_class->prepare_handshake = g_tls_connection_openssl_prepare_handshake;
1080 base_class->verify_chain = g_tls_connection_openssl_verify_chain;
1081 base_class->complete_handshake = g_tls_connection_openssl_complete_handshake;
1082 base_class->handshake_thread_safe_renegotiation_status = g_tls_connection_openssl_handshake_thread_safe_renegotiation_status;
1083 base_class->handshake_thread_request_rehandshake = g_tls_connection_openssl_handshake_thread_request_rehandshake;
1084 base_class->handshake_thread_handshake = g_tls_connection_openssl_handshake_thread_handshake;
1085 base_class->retrieve_peer_certificate = g_tls_connection_openssl_retrieve_peer_certificate;
1086 base_class->get_channel_binding_data = g_tls_connection_openssl_get_channel_binding_data;
1087 base_class->push_io = g_tls_connection_openssl_push_io;
1088 base_class->pop_io = g_tls_connection_openssl_pop_io;
1089 base_class->read_fn = g_tls_connection_openssl_read;
1090 base_class->read_message_fn = g_tls_connection_openssl_read_message;
1091 base_class->write_fn = g_tls_connection_openssl_write;
1092 base_class->write_message_fn = g_tls_connection_openssl_write_message;
1093 base_class->close_fn = g_tls_connection_openssl_close;
1096 static int data_index = -1;
1099 g_tls_connection_openssl_initable_init (GInitable *initable,
1100 GCancellable *cancellable,
1103 GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (initable);
1104 GTlsConnectionOpensslPrivate *priv;
1105 GTlsConnectionBase *tls = G_TLS_CONNECTION_BASE (initable);
1106 GIOStream *base_io_stream;
1107 GDatagramBased *base_socket;
1111 "base-io-stream", &base_io_stream,
1112 "base-socket", &base_socket,
1115 /* Ensure we are in TLS mode or DTLS mode. */
1116 g_return_val_if_fail (!!base_io_stream != !!base_socket, FALSE);
1118 priv = g_tls_connection_openssl_get_instance_private (openssl);
1120 ssl = g_tls_connection_openssl_get_ssl (openssl);
1123 if (data_index == -1) {
1124 data_index = SSL_get_ex_new_index (0, (void *)"gtlsconnection", NULL, NULL, NULL);
1126 SSL_set_ex_data (ssl, data_index, openssl);
1129 priv->bio = g_tls_bio_new_from_iostream (base_io_stream);
1131 priv->bio = g_tls_bio_new_from_datagram_based (base_socket);
1133 SSL_set_bio (ssl, priv->bio, priv->bio);
1135 g_clear_object (&base_io_stream);
1136 g_clear_object (&base_socket);
1142 g_tls_connection_openssl_initable_iface_init (GInitableIface *iface)
1144 iface->init = g_tls_connection_openssl_initable_init;
1148 g_tls_connection_openssl_init (GTlsConnectionOpenssl *openssl)
1150 GTlsConnectionOpensslPrivate *priv;
1152 priv = g_tls_connection_openssl_get_instance_private (openssl);
1154 g_mutex_init (&priv->ssl_mutex);
1158 g_tls_connection_openssl_get_ssl (GTlsConnectionOpenssl *openssl)
1160 g_return_val_if_fail (G_IS_TLS_CONNECTION_OPENSSL (openssl), NULL);
1162 return G_TLS_CONNECTION_OPENSSL_GET_CLASS (openssl)->get_ssl (openssl);
1165 GTlsConnectionOpenssl *
1166 g_tls_connection_openssl_get_connection_from_ssl (SSL *ssl)
1168 g_return_val_if_fail (ssl, NULL);
1170 return SSL_get_ex_data (ssl, data_index);