1 | /* GIO - GLib Input, Output and Streaming Library |
2 | * |
3 | * Copyright © 2010 Red Hat, Inc |
4 | * Copyright © 2015 Collabora, Ltd. |
5 | * |
6 | * This library is free software; you can redistribute it and/or |
7 | * modify it under the terms of the GNU Lesser General Public |
8 | * License as published by the Free Software Foundation; either |
9 | * version 2.1 of the License, or (at your option) any later version. |
10 | * |
11 | * This library is distributed in the hope that it will be useful, |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
14 | * Lesser General Public License for more details. |
15 | * |
16 | * You should have received a copy of the GNU Lesser General |
17 | * Public License along with this library; if not, see <http://www.gnu.org/licenses/>. |
18 | */ |
19 | |
20 | #include "config.h" |
21 | #include "glib.h" |
22 | |
23 | #include "gdtlsclientconnection.h" |
24 | #include "ginitable.h" |
25 | #include "gioenumtypes.h" |
26 | #include "gsocket.h" |
27 | #include "gsocketconnectable.h" |
28 | #include "gtlsbackend.h" |
29 | #include "gtlscertificate.h" |
30 | #include "glibintl.h" |
31 | |
32 | /** |
33 | * SECTION:gdtlsclientconnection |
34 | * @short_description: DTLS client-side connection |
35 | * @include: gio/gio.h |
36 | * |
37 | * #GDtlsClientConnection is the client-side subclass of |
38 | * #GDtlsConnection, representing a client-side DTLS connection. |
39 | * |
40 | * Since: 2.48 |
41 | */ |
42 | |
43 | /** |
44 | * GDtlsClientConnection: |
45 | * |
46 | * Abstract base class for the backend-specific client connection |
47 | * type. |
48 | * |
49 | * Since: 2.48 |
50 | */ |
51 | |
52 | G_DEFINE_INTERFACE (GDtlsClientConnection, g_dtls_client_connection, |
53 | G_TYPE_DTLS_CONNECTION) |
54 | |
55 | static void |
56 | g_dtls_client_connection_default_init (GDtlsClientConnectionInterface *iface) |
57 | { |
58 | /** |
59 | * GDtlsClientConnection:validation-flags: |
60 | * |
61 | * What steps to perform when validating a certificate received from |
62 | * a server. Server certificates that fail to validate in any of the |
63 | * ways indicated here will be rejected unless the application |
64 | * overrides the default via #GDtlsConnection::accept-certificate. |
65 | * |
66 | * Since: 2.48 |
67 | */ |
68 | g_object_interface_install_property (g_iface: iface, |
69 | pspec: g_param_spec_flags (name: "validation-flags" , |
70 | P_("Validation flags" ), |
71 | P_("What certificate validation to perform" ), |
72 | flags_type: G_TYPE_TLS_CERTIFICATE_FLAGS, |
73 | default_value: G_TLS_CERTIFICATE_VALIDATE_ALL, |
74 | flags: G_PARAM_READWRITE | |
75 | G_PARAM_CONSTRUCT | |
76 | G_PARAM_STATIC_STRINGS)); |
77 | |
78 | /** |
79 | * GDtlsClientConnection:server-identity: |
80 | * |
81 | * A #GSocketConnectable describing the identity of the server that |
82 | * is expected on the other end of the connection. |
83 | * |
84 | * If the %G_TLS_CERTIFICATE_BAD_IDENTITY flag is set in |
85 | * #GDtlsClientConnection:validation-flags, this object will be used |
86 | * to determine the expected identify of the remote end of the |
87 | * connection; if #GDtlsClientConnection:server-identity is not set, |
88 | * or does not match the identity presented by the server, then the |
89 | * %G_TLS_CERTIFICATE_BAD_IDENTITY validation will fail. |
90 | * |
91 | * In addition to its use in verifying the server certificate, |
92 | * this is also used to give a hint to the server about what |
93 | * certificate we expect, which is useful for servers that serve |
94 | * virtual hosts. |
95 | * |
96 | * Since: 2.48 |
97 | */ |
98 | g_object_interface_install_property (g_iface: iface, |
99 | pspec: g_param_spec_object (name: "server-identity" , |
100 | P_("Server identity" ), |
101 | P_("GSocketConnectable identifying the server" ), |
102 | G_TYPE_SOCKET_CONNECTABLE, |
103 | flags: G_PARAM_READWRITE | |
104 | G_PARAM_CONSTRUCT | |
105 | G_PARAM_STATIC_STRINGS)); |
106 | |
107 | /** |
108 | * GDtlsClientConnection:accepted-cas: (type GLib.List) (element-type GLib.ByteArray) |
109 | * |
110 | * A list of the distinguished names of the Certificate Authorities |
111 | * that the server will accept client certificates signed by. If the |
112 | * server requests a client certificate during the handshake, then |
113 | * this property will be set after the handshake completes. |
114 | * |
115 | * Each item in the list is a #GByteArray which contains the complete |
116 | * subject DN of the certificate authority. |
117 | * |
118 | * Since: 2.48 |
119 | */ |
120 | g_object_interface_install_property (g_iface: iface, |
121 | pspec: g_param_spec_pointer (name: "accepted-cas" , |
122 | P_("Accepted CAs" ), |
123 | P_("Distinguished names of the CAs the server accepts certificates from" ), |
124 | flags: G_PARAM_READABLE | |
125 | G_PARAM_STATIC_STRINGS)); |
126 | } |
127 | |
128 | /** |
129 | * g_dtls_client_connection_new: |
130 | * @base_socket: the #GDatagramBased to wrap |
131 | * @server_identity: (nullable): the expected identity of the server |
132 | * @error: #GError for error reporting, or %NULL to ignore. |
133 | * |
134 | * Creates a new #GDtlsClientConnection wrapping @base_socket which is |
135 | * assumed to communicate with the server identified by @server_identity. |
136 | * |
137 | * Returns: (transfer full) (type GDtlsClientConnection): the new |
138 | * #GDtlsClientConnection, or %NULL on error |
139 | * |
140 | * Since: 2.48 |
141 | */ |
142 | GDatagramBased * |
143 | g_dtls_client_connection_new (GDatagramBased *base_socket, |
144 | GSocketConnectable *server_identity, |
145 | GError **error) |
146 | { |
147 | GObject *conn; |
148 | GTlsBackend *backend; |
149 | |
150 | backend = g_tls_backend_get_default (); |
151 | conn = g_initable_new (object_type: g_tls_backend_get_dtls_client_connection_type (backend), |
152 | NULL, error, |
153 | first_property_name: "base-socket" , base_socket, |
154 | "server-identity" , server_identity, |
155 | NULL); |
156 | return G_DATAGRAM_BASED (conn); |
157 | } |
158 | |
159 | /** |
160 | * g_dtls_client_connection_get_validation_flags: |
161 | * @conn: the #GDtlsClientConnection |
162 | * |
163 | * Gets @conn's validation flags |
164 | * |
165 | * Returns: the validation flags |
166 | * |
167 | * Since: 2.48 |
168 | */ |
169 | GTlsCertificateFlags |
170 | g_dtls_client_connection_get_validation_flags (GDtlsClientConnection *conn) |
171 | { |
172 | GTlsCertificateFlags flags = 0; |
173 | |
174 | g_return_val_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn), 0); |
175 | |
176 | g_object_get (G_OBJECT (conn), first_property_name: "validation-flags" , &flags, NULL); |
177 | return flags; |
178 | } |
179 | |
180 | /** |
181 | * g_dtls_client_connection_set_validation_flags: |
182 | * @conn: the #GDtlsClientConnection |
183 | * @flags: the #GTlsCertificateFlags to use |
184 | * |
185 | * Sets @conn's validation flags, to override the default set of |
186 | * checks performed when validating a server certificate. By default, |
187 | * %G_TLS_CERTIFICATE_VALIDATE_ALL is used. |
188 | * |
189 | * Since: 2.48 |
190 | */ |
191 | void |
192 | g_dtls_client_connection_set_validation_flags (GDtlsClientConnection *conn, |
193 | GTlsCertificateFlags flags) |
194 | { |
195 | g_return_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn)); |
196 | |
197 | g_object_set (G_OBJECT (conn), first_property_name: "validation-flags" , flags, NULL); |
198 | } |
199 | |
200 | /** |
201 | * g_dtls_client_connection_get_server_identity: |
202 | * @conn: the #GDtlsClientConnection |
203 | * |
204 | * Gets @conn's expected server identity |
205 | * |
206 | * Returns: (transfer none): a #GSocketConnectable describing the |
207 | * expected server identity, or %NULL if the expected identity is not |
208 | * known. |
209 | * |
210 | * Since: 2.48 |
211 | */ |
212 | GSocketConnectable * |
213 | g_dtls_client_connection_get_server_identity (GDtlsClientConnection *conn) |
214 | { |
215 | GSocketConnectable *identity = NULL; |
216 | |
217 | g_return_val_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn), 0); |
218 | |
219 | g_object_get (G_OBJECT (conn), first_property_name: "server-identity" , &identity, NULL); |
220 | if (identity) |
221 | g_object_unref (object: identity); |
222 | return identity; |
223 | } |
224 | |
225 | /** |
226 | * g_dtls_client_connection_set_server_identity: |
227 | * @conn: the #GDtlsClientConnection |
228 | * @identity: a #GSocketConnectable describing the expected server identity |
229 | * |
230 | * Sets @conn's expected server identity, which is used both to tell |
231 | * servers on virtual hosts which certificate to present, and also |
232 | * to let @conn know what name to look for in the certificate when |
233 | * performing %G_TLS_CERTIFICATE_BAD_IDENTITY validation, if enabled. |
234 | * |
235 | * Since: 2.48 |
236 | */ |
237 | void |
238 | g_dtls_client_connection_set_server_identity (GDtlsClientConnection *conn, |
239 | GSocketConnectable *identity) |
240 | { |
241 | g_return_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn)); |
242 | |
243 | g_object_set (G_OBJECT (conn), first_property_name: "server-identity" , identity, NULL); |
244 | } |
245 | |
246 | /** |
247 | * g_dtls_client_connection_get_accepted_cas: |
248 | * @conn: the #GDtlsClientConnection |
249 | * |
250 | * Gets the list of distinguished names of the Certificate Authorities |
251 | * that the server will accept certificates from. This will be set |
252 | * during the TLS handshake if the server requests a certificate. |
253 | * Otherwise, it will be %NULL. |
254 | * |
255 | * Each item in the list is a #GByteArray which contains the complete |
256 | * subject DN of the certificate authority. |
257 | * |
258 | * Returns: (element-type GByteArray) (transfer full): the list of |
259 | * CA DNs. You should unref each element with g_byte_array_unref() and then |
260 | * the free the list with g_list_free(). |
261 | * |
262 | * Since: 2.48 |
263 | */ |
264 | GList * |
265 | g_dtls_client_connection_get_accepted_cas (GDtlsClientConnection *conn) |
266 | { |
267 | GList *accepted_cas = NULL; |
268 | |
269 | g_return_val_if_fail (G_IS_DTLS_CLIENT_CONNECTION (conn), NULL); |
270 | |
271 | g_object_get (G_OBJECT (conn), first_property_name: "accepted-cas" , &accepted_cas, NULL); |
272 | return accepted_cas; |
273 | } |
274 | |