1 /* GIO - GLib Input, Output and Streaming Library
2 *
3 * Copyright © 2010 Red Hat, Inc
4 *
5 * SPDX-License-Identifier: LGPL-2.1-or-later
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General
18 * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "config.h"
22 #include "glib.h"
23
24 #include "gtlsclientconnection.h"
25 #include "ginitable.h"
26 #include "gioenumtypes.h"
27 #include "gsocket.h"
28 #include "gsocketconnectable.h"
29 #include "gtlsbackend.h"
30 #include "gtlscertificate.h"
31 #include "glibintl.h"
32
33 /**
34 * GTlsClientConnection:
35 *
36 * `GTlsClientConnection` is the client-side subclass of
37 * [class@Gio.TlsConnection], representing a client-side TLS connection.
38 *
39 * Since: 2.28
40 */
41
42 G_DEFINE_INTERFACE (GTlsClientConnection, g_tls_client_connection, G_TYPE_TLS_CONNECTION)
43
44 static void
45 g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface)
46 {
47 /**
48 * GTlsClientConnection:validation-flags:
49 *
50 * What steps to perform when validating a certificate received from
51 * a server. Server certificates that fail to validate in any of the
52 * ways indicated here will be rejected unless the application
53 * overrides the default via #GTlsConnection::accept-certificate.
54 *
55 * GLib guarantees that if certificate verification fails, at least one
56 * flag will be set, but it does not guarantee that all possible flags
57 * will be set. Accordingly, you may not safely decide to ignore any
58 * particular type of error. For example, it would be incorrect to mask
59 * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired certificates,
60 * because this could potentially be the only error flag set even if
61 * other problems exist with the certificate. Therefore, there is no
62 * safe way to use this property. This is not a horrible problem,
63 * though, because you should not be attempting to ignore validation
64 * errors anyway. If you really must ignore TLS certificate errors,
65 * connect to #GTlsConnection::accept-certificate.
66 *
67 * Since: 2.28
68 *
69 * Deprecated: 2.72: Do not attempt to ignore validation errors.
70 */
71 g_object_interface_install_property (iface,
72 g_param_spec_flags ("validation-flags", NULL, NULL,
73 G_TYPE_TLS_CERTIFICATE_FLAGS,
74 G_TLS_CERTIFICATE_VALIDATE_ALL,
75 G_PARAM_READWRITE |
76 G_PARAM_CONSTRUCT |
77 G_PARAM_STATIC_STRINGS |
78 G_PARAM_DEPRECATED));
79
80 /**
81 * GTlsClientConnection:server-identity:
82 *
83 * A #GSocketConnectable describing the identity of the server that
84 * is expected on the other end of the connection.
85 *
86 * If the %G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in
87 * #GTlsClientConnection:validation-flags, this object will be used
88 * to determine the expected identify of the remote end of the
89 * connection; if #GTlsClientConnection:server-identity is not set,
90 * or does not match the identity presented by the server, then the
91 * %G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail.
92 *
93 * In addition to its use in verifying the server certificate,
94 * this is also used to give a hint to the server about what
95 * certificate we expect, which is useful for servers that serve
96 * virtual hosts.
97 *
98 * Since: 2.28
99 */
100 g_object_interface_install_property (iface,
101 g_param_spec_object ("server-identity", NULL, NULL,
102 G_TYPE_SOCKET_CONNECTABLE,
103 G_PARAM_READWRITE |
104 G_PARAM_CONSTRUCT |
105 G_PARAM_STATIC_STRINGS));
106
107 /**
108 * GTlsClientConnection:use-ssl3:
109 *
110 * SSL 3.0 is no longer supported. See
111 * g_tls_client_connection_set_use_ssl3() for details.
112 *
113 * Since: 2.28
114 *
115 * Deprecated: 2.56: SSL 3.0 is insecure.
116 */
117 g_object_interface_install_property (iface,
118 g_param_spec_boolean ("use-ssl3", NULL, NULL,
119 FALSE,
120 G_PARAM_READWRITE |
121 G_PARAM_CONSTRUCT |
122 G_PARAM_STATIC_STRINGS |
123 G_PARAM_DEPRECATED));
124
125 /**
126 * GTlsClientConnection:accepted-cas: (type GLib.List) (element-type GLib.ByteArray)
127 *
128 * A list of the distinguished names of the Certificate Authorities
129 * that the server will accept client certificates signed by. If the
130 * server requests a client certificate during the handshake, then
131 * this property will be set after the handshake completes.
132 *
133 * Each item in the list is a #GByteArray which contains the complete
134 * subject DN of the certificate authority.
135 *
136 * Since: 2.28
137 */
138 g_object_interface_install_property (iface,
139 g_param_spec_pointer ("accepted-cas", NULL, NULL,
140 G_PARAM_READABLE |
141 G_PARAM_STATIC_STRINGS));
142 }
143
144 /**
145 * g_tls_client_connection_new:
146 * @base_io_stream: the #GIOStream to wrap
147 * @server_identity: (nullable): the expected identity of the server
148 * @error: #GError for error reporting, or %NULL to ignore.
149 *
150 * Creates a new #GTlsClientConnection wrapping @base_io_stream (which
151 * must have pollable input and output streams) which is assumed to
152 * communicate with the server identified by @server_identity.
153 *
154 * See the documentation for #GTlsConnection:base-io-stream for restrictions
155 * on when application code can run operations on the @base_io_stream after
156 * this function has returned.
157 *
158 * Returns: (transfer full) (type GTlsClientConnection): the new
159 * #GTlsClientConnection, or %NULL on error
160 *
161 * Since: 2.28
162 */
163 GIOStream *
164 g_tls_client_connection_new (GIOStream *base_io_stream,
165 GSocketConnectable *server_identity,
166 GError **error)
167 {
168 GObject *conn;
169 GTlsBackend *backend;
170
171 backend = g_tls_backend_get_default ();
172 conn = g_initable_new (g_tls_backend_get_client_connection_type (backend),
173 NULL, error,
174 "base-io-stream", base_io_stream,
175 "server-identity", server_identity,
176 NULL);
177 return G_IO_STREAM (conn);
178 }
179
180 /**
181 * g_tls_client_connection_get_validation_flags:
182 * @conn: the #GTlsClientConnection
183 *
184 * Gets @conn's validation flags
185 *
186 * This function does not work as originally designed and is impossible
187 * to use correctly. See #GTlsClientConnection:validation-flags for more
188 * information.
189 *
190 * Returns: the validation flags
191 *
192 * Since: 2.28
193 *
194 * Deprecated: 2.72: Do not attempt to ignore validation errors.
195 */
196 GTlsCertificateFlags
197 g_tls_client_connection_get_validation_flags (GTlsClientConnection *conn)
198 {
199 GTlsCertificateFlags flags = G_TLS_CERTIFICATE_NO_FLAGS;
200
201 g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0);
202
203 g_object_get (G_OBJECT (conn), "validation-flags", &flags, NULL);
204 return flags;
205 }
206
207 /**
208 * g_tls_client_connection_set_validation_flags:
209 * @conn: the #GTlsClientConnection
210 * @flags: the #GTlsCertificateFlags to use
211 *
212 * Sets @conn's validation flags, to override the default set of
213 * checks performed when validating a server certificate. By default,
214 * %G_TLS_CERTIFICATE_VALIDATE_ALL is used.
215 *
216 * This function does not work as originally designed and is impossible
217 * to use correctly. See #GTlsClientConnection:validation-flags for more
218 * information.
219 *
220 * Since: 2.28
221 *
222 * Deprecated: 2.72: Do not attempt to ignore validation errors.
223 */
224 void
225 g_tls_client_connection_set_validation_flags (GTlsClientConnection *conn,
226 GTlsCertificateFlags flags)
227 {
228 g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));
229
230 g_object_set (G_OBJECT (conn), "validation-flags", flags, NULL);
231 }
232
233 /**
234 * g_tls_client_connection_get_server_identity:
235 * @conn: the #GTlsClientConnection
236 *
237 * Gets @conn's expected server identity
238 *
239 * Returns: (nullable) (transfer none): a #GSocketConnectable describing the
240 * expected server identity, or %NULL if the expected identity is not
241 * known.
242 *
243 * Since: 2.28
244 */
245 GSocketConnectable *
246 g_tls_client_connection_get_server_identity (GTlsClientConnection *conn)
247 {
248 GSocketConnectable *identity = NULL;
249
250 g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0);
251
252 g_object_get (G_OBJECT (conn), "server-identity", &identity, NULL);
253 if (identity)
254 g_object_unref (identity);
255 return identity;
256 }
257
258 /**
259 * g_tls_client_connection_set_server_identity:
260 * @conn: the #GTlsClientConnection
261 * @identity: a #GSocketConnectable describing the expected server identity
262 *
263 * Sets @conn's expected server identity, which is used both to tell
264 * servers on virtual hosts which certificate to present, and also
265 * to let @conn know what name to look for in the certificate when
266 * performing %G_TLS_CERTIFICATE_BAD_IDENTITY validation, if enabled.
267 *
268 * Since: 2.28
269 */
270 void
271 g_tls_client_connection_set_server_identity (GTlsClientConnection *conn,
272 GSocketConnectable *identity)
273 {
274 g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));
275
276 g_object_set (G_OBJECT (conn), "server-identity", identity, NULL);
277 }
278
279 /**
280 * g_tls_client_connection_get_use_ssl3:
281 * @conn: the #GTlsClientConnection
282 *
283 * SSL 3.0 is no longer supported. See
284 * g_tls_client_connection_set_use_ssl3() for details.
285 *
286 * Returns: %FALSE
287 *
288 * Since: 2.28
289 *
290 * Deprecated: 2.56: SSL 3.0 is insecure.
291 */
292 gboolean
293 g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn)
294 {
295 gboolean use_ssl3 = FALSE;
296
297 g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), 0);
298
299 g_object_get (G_OBJECT (conn), "use-ssl3", &use_ssl3, NULL);
300 return FALSE;
301 }
302
303 /**
304 * g_tls_client_connection_set_use_ssl3:
305 * @conn: the #GTlsClientConnection
306 * @use_ssl3: a #gboolean, ignored
307 *
308 * Since GLib 2.42.1, SSL 3.0 is no longer supported.
309 *
310 * From GLib 2.42.1 through GLib 2.62, this function could be used to
311 * force use of TLS 1.0, the lowest-supported TLS protocol version at
312 * the time. In the past, this was needed to connect to broken TLS
313 * servers that exhibited protocol version intolerance. Such servers
314 * are no longer common, and using TLS 1.0 is no longer considered
315 * acceptable.
316 *
317 * Since GLib 2.64, this function does nothing.
318 *
319 * Since: 2.28
320 *
321 * Deprecated: 2.56: SSL 3.0 is insecure.
322 */
323 void
324 g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn,
325 gboolean use_ssl3)
326 {
327 g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));
328
329 g_object_set (G_OBJECT (conn), "use-ssl3", FALSE, NULL);
330 }
331
332 /**
333 * g_tls_client_connection_get_accepted_cas:
334 * @conn: the #GTlsClientConnection
335 *
336 * Gets the list of distinguished names of the Certificate Authorities
337 * that the server will accept certificates from. This will be set
338 * during the TLS handshake if the server requests a certificate.
339 * Otherwise, it will be %NULL.
340 *
341 * Each item in the list is a #GByteArray which contains the complete
342 * subject DN of the certificate authority.
343 *
344 * Returns: (element-type GByteArray) (transfer full): the list of
345 * CA DNs. You should unref each element with g_byte_array_unref() and then
346 * the free the list with g_list_free().
347 *
348 * Since: 2.28
349 */
350 GList *
351 g_tls_client_connection_get_accepted_cas (GTlsClientConnection *conn)
352 {
353 GList *accepted_cas = NULL;
354
355 g_return_val_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn), NULL);
356
357 g_object_get (G_OBJECT (conn), "accepted-cas", &accepted_cas, NULL);
358 return accepted_cas;
359 }
360
361 /**
362 * g_tls_client_connection_copy_session_state:
363 * @conn: a #GTlsClientConnection
364 * @source: a #GTlsClientConnection
365 *
366 * Possibly copies session state from one connection to another, for use
367 * in TLS session resumption. This is not normally needed, but may be
368 * used when the same session needs to be used between different
369 * endpoints, as is required by some protocols, such as FTP over TLS.
370 * @source should have already completed a handshake and, since TLS 1.3,
371 * it should have been used to read data at least once. @conn should not
372 * have completed a handshake.
373 *
374 * It is not possible to know whether a call to this function will
375 * actually do anything. Because session resumption is normally used
376 * only for performance benefit, the TLS backend might not implement
377 * this function. Even if implemented, it may not actually succeed in
378 * allowing @conn to resume @source's TLS session, because the server
379 * may not have sent a session resumption token to @source, or it may
380 * refuse to accept the token from @conn. There is no way to know
381 * whether a call to this function is actually successful.
382 *
383 * Using this function is not required to benefit from session
384 * resumption. If the TLS backend supports session resumption, the
385 * session will be resumed automatically if it is possible to do so
386 * without weakening the privacy guarantees normally provided by TLS,
387 * without need to call this function. For example, with TLS 1.3,
388 * a session ticket will be automatically copied from any
389 * #GTlsClientConnection that has previously received session tickets
390 * from the server, provided a ticket is available that has not
391 * previously been used for session resumption, since session ticket
392 * reuse would be a privacy weakness. Using this function causes the
393 * ticket to be copied without regard for privacy considerations.
394 *
395 * Since: 2.46
396 */
397 void
398 g_tls_client_connection_copy_session_state (GTlsClientConnection *conn,
399 GTlsClientConnection *source)
400 {
401 g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (conn));
402 g_return_if_fail (G_IS_TLS_CLIENT_CONNECTION (source));
403 g_return_if_fail (G_TLS_CLIENT_CONNECTION_GET_INTERFACE (conn)->copy_session_state != NULL);
404
405 G_TLS_CLIENT_CONNECTION_GET_INTERFACE (conn)->copy_session_state (conn,
406 source);
407 }