/src/glib/gio/gdtlsconnection.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* GIO - GLib Input, Output and Streaming Library |
2 | | * |
3 | | * Copyright © 2010 Red Hat, Inc |
4 | | * Copyright © 2015 Collabora, Ltd. |
5 | | * |
6 | | * SPDX-License-Identifier: LGPL-2.1-or-later |
7 | | * |
8 | | * This library is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public |
10 | | * License as published by the Free Software Foundation; either |
11 | | * version 2.1 of the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, |
14 | | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General |
19 | | * Public License along with this library; if not, see <http://www.gnu.org/licenses/>. |
20 | | */ |
21 | | |
22 | | #include "config.h" |
23 | | #include "glib.h" |
24 | | |
25 | | #include "gdtlsconnection.h" |
26 | | #include "gcancellable.h" |
27 | | #include "gioenumtypes.h" |
28 | | #include "gsocket.h" |
29 | | #include "gtlsbackend.h" |
30 | | #include "gtlscertificate.h" |
31 | | #include "gtlsconnection.h" |
32 | | #include "gdtlsclientconnection.h" |
33 | | #include "gtlsdatabase.h" |
34 | | #include "gtlsinteraction.h" |
35 | | #include "glibintl.h" |
36 | | #include "gmarshal-internal.h" |
37 | | |
38 | | /** |
39 | | * SECTION:gdtlsconnection |
40 | | * @short_description: DTLS connection type |
41 | | * @include: gio/gio.h |
42 | | * |
43 | | * #GDtlsConnection is the base DTLS connection class type, which wraps |
44 | | * a #GDatagramBased and provides DTLS encryption on top of it. Its |
45 | | * subclasses, #GDtlsClientConnection and #GDtlsServerConnection, |
46 | | * implement client-side and server-side DTLS, respectively. |
47 | | * |
48 | | * For TLS support, see #GTlsConnection. |
49 | | * |
50 | | * As DTLS is datagram based, #GDtlsConnection implements #GDatagramBased, |
51 | | * presenting a datagram-socket-like API for the encrypted connection. This |
52 | | * operates over a base datagram connection, which is also a #GDatagramBased |
53 | | * (#GDtlsConnection:base-socket). |
54 | | * |
55 | | * To close a DTLS connection, use g_dtls_connection_close(). |
56 | | * |
57 | | * Neither #GDtlsServerConnection or #GDtlsClientConnection set the peer address |
58 | | * on their base #GDatagramBased if it is a #GSocket — it is up to the caller to |
59 | | * do that if they wish. If they do not, and g_socket_close() is called on the |
60 | | * base socket, the #GDtlsConnection will not raise a %G_IO_ERROR_NOT_CONNECTED |
61 | | * error on further I/O. |
62 | | * |
63 | | * Since: 2.48 |
64 | | */ |
65 | | |
66 | | /** |
67 | | * GDtlsConnection: |
68 | | * |
69 | | * Abstract base class for the backend-specific #GDtlsClientConnection |
70 | | * and #GDtlsServerConnection types. |
71 | | * |
72 | | * Since: 2.48 |
73 | | */ |
74 | | |
75 | | G_DEFINE_INTERFACE (GDtlsConnection, g_dtls_connection, G_TYPE_DATAGRAM_BASED) |
76 | | |
77 | | enum { |
78 | | ACCEPT_CERTIFICATE, |
79 | | LAST_SIGNAL |
80 | | }; |
81 | | |
82 | | static guint signals[LAST_SIGNAL] = { 0 }; |
83 | | |
84 | | enum { |
85 | | PROP_BASE_SOCKET = 1, |
86 | | PROP_REQUIRE_CLOSE_NOTIFY, |
87 | | PROP_REHANDSHAKE_MODE, |
88 | | PROP_DATABASE, |
89 | | PROP_INTERACTION, |
90 | | PROP_CERTIFICATE, |
91 | | PROP_PEER_CERTIFICATE, |
92 | | PROP_PEER_CERTIFICATE_ERRORS, |
93 | | PROP_PROTOCOL_VERSION, |
94 | | PROP_CIPHERSUITE_NAME, |
95 | | }; |
96 | | |
97 | | static void |
98 | | g_dtls_connection_default_init (GDtlsConnectionInterface *iface) |
99 | 0 | { |
100 | | /** |
101 | | * GDtlsConnection:base-socket: |
102 | | * |
103 | | * The #GDatagramBased that the connection wraps. Note that this may be any |
104 | | * implementation of #GDatagramBased, not just a #GSocket. |
105 | | * |
106 | | * Since: 2.48 |
107 | | */ |
108 | 0 | g_object_interface_install_property (iface, |
109 | 0 | g_param_spec_object ("base-socket", |
110 | 0 | P_("Base Socket"), |
111 | 0 | P_("The GDatagramBased that the connection wraps"), |
112 | 0 | G_TYPE_DATAGRAM_BASED, |
113 | 0 | G_PARAM_READWRITE | |
114 | 0 | G_PARAM_CONSTRUCT_ONLY | |
115 | 0 | G_PARAM_STATIC_STRINGS)); |
116 | | /** |
117 | | * GDtlsConnection:database: (nullable) |
118 | | * |
119 | | * The certificate database to use when verifying this TLS connection. |
120 | | * If no certificate database is set, then the default database will be |
121 | | * used. See g_tls_backend_get_default_database(). |
122 | | * |
123 | | * When using a non-default database, #GDtlsConnection must fall back to using |
124 | | * the #GTlsDatabase to perform certificate verification using |
125 | | * g_tls_database_verify_chain(), which means certificate verification will |
126 | | * not be able to make use of TLS session context. This may be less secure. |
127 | | * For example, if you create your own #GTlsDatabase that just wraps the |
128 | | * default #GTlsDatabase, you might expect that you have not changed anything, |
129 | | * but this is not true because you may have altered the behavior of |
130 | | * #GDtlsConnection by causing it to use g_tls_database_verify_chain(). See the |
131 | | * documentation of g_tls_database_verify_chain() for more details on specific |
132 | | * security checks that may not be performed. Accordingly, setting a |
133 | | * non-default database is discouraged except for specialty applications with |
134 | | * unusual security requirements. |
135 | | * |
136 | | * Since: 2.48 |
137 | | */ |
138 | 0 | g_object_interface_install_property (iface, |
139 | 0 | g_param_spec_object ("database", |
140 | 0 | P_("Database"), |
141 | 0 | P_("Certificate database to use for looking up or verifying certificates"), |
142 | 0 | G_TYPE_TLS_DATABASE, |
143 | 0 | G_PARAM_READWRITE | |
144 | 0 | G_PARAM_STATIC_STRINGS)); |
145 | | /** |
146 | | * GDtlsConnection:interaction: (nullable) |
147 | | * |
148 | | * A #GTlsInteraction object to be used when the connection or certificate |
149 | | * database need to interact with the user. This will be used to prompt the |
150 | | * user for passwords where necessary. |
151 | | * |
152 | | * Since: 2.48 |
153 | | */ |
154 | 0 | g_object_interface_install_property (iface, |
155 | 0 | g_param_spec_object ("interaction", |
156 | 0 | P_("Interaction"), |
157 | 0 | P_("Optional object for user interaction"), |
158 | 0 | G_TYPE_TLS_INTERACTION, |
159 | 0 | G_PARAM_READWRITE | |
160 | 0 | G_PARAM_STATIC_STRINGS)); |
161 | | /** |
162 | | * GDtlsConnection:require-close-notify: |
163 | | * |
164 | | * Whether or not proper TLS close notification is required. |
165 | | * See g_dtls_connection_set_require_close_notify(). |
166 | | * |
167 | | * Since: 2.48 |
168 | | */ |
169 | 0 | g_object_interface_install_property (iface, |
170 | 0 | g_param_spec_boolean ("require-close-notify", |
171 | 0 | P_("Require close notify"), |
172 | 0 | P_("Whether to require proper TLS close notification"), |
173 | 0 | TRUE, |
174 | 0 | G_PARAM_READWRITE | |
175 | 0 | G_PARAM_CONSTRUCT | |
176 | 0 | G_PARAM_STATIC_STRINGS)); |
177 | | /** |
178 | | * GDtlsConnection:rehandshake-mode: |
179 | | * |
180 | | * The rehandshaking mode. See |
181 | | * g_dtls_connection_set_rehandshake_mode(). |
182 | | * |
183 | | * Since: 2.48 |
184 | | * |
185 | | * Deprecated: 2.60: The rehandshake mode is ignored. |
186 | | */ |
187 | 0 | g_object_interface_install_property (iface, |
188 | 0 | g_param_spec_enum ("rehandshake-mode", |
189 | 0 | P_("Rehandshake mode"), |
190 | 0 | P_("When to allow rehandshaking"), |
191 | 0 | G_TYPE_TLS_REHANDSHAKE_MODE, |
192 | 0 | G_TLS_REHANDSHAKE_NEVER, |
193 | 0 | G_PARAM_READWRITE | |
194 | 0 | G_PARAM_CONSTRUCT | |
195 | 0 | G_PARAM_STATIC_STRINGS | |
196 | 0 | G_PARAM_DEPRECATED)); |
197 | | /** |
198 | | * GDtlsConnection:certificate: |
199 | | * |
200 | | * The connection's certificate; see |
201 | | * g_dtls_connection_set_certificate(). |
202 | | * |
203 | | * Since: 2.48 |
204 | | */ |
205 | 0 | g_object_interface_install_property (iface, |
206 | 0 | g_param_spec_object ("certificate", |
207 | 0 | P_("Certificate"), |
208 | 0 | P_("The connection’s certificate"), |
209 | 0 | G_TYPE_TLS_CERTIFICATE, |
210 | 0 | G_PARAM_READWRITE | |
211 | 0 | G_PARAM_STATIC_STRINGS)); |
212 | | /** |
213 | | * GDtlsConnection:peer-certificate: (nullable) |
214 | | * |
215 | | * The connection's peer's certificate, after the TLS handshake has |
216 | | * completed or failed. Note in particular that this is not yet set |
217 | | * during the emission of #GDtlsConnection::accept-certificate. |
218 | | * |
219 | | * (You can watch for a #GObject::notify signal on this property to |
220 | | * detect when a handshake has occurred.) |
221 | | * |
222 | | * Since: 2.48 |
223 | | */ |
224 | 0 | g_object_interface_install_property (iface, |
225 | 0 | g_param_spec_object ("peer-certificate", |
226 | 0 | P_("Peer Certificate"), |
227 | 0 | P_("The connection’s peer’s certificate"), |
228 | 0 | G_TYPE_TLS_CERTIFICATE, |
229 | 0 | G_PARAM_READABLE | |
230 | 0 | G_PARAM_STATIC_STRINGS)); |
231 | | /** |
232 | | * GDtlsConnection:peer-certificate-errors: |
233 | | * |
234 | | * The errors noticed while verifying |
235 | | * #GDtlsConnection:peer-certificate. Normally this should be 0, but |
236 | | * it may not be if #GDtlsClientConnection:validation-flags is not |
237 | | * %G_TLS_CERTIFICATE_VALIDATE_ALL, or if |
238 | | * #GDtlsConnection::accept-certificate overrode the default |
239 | | * behavior. |
240 | | * |
241 | | * GLib guarantees that if certificate verification fails, at least |
242 | | * one error will be set, but it does not guarantee that all possible |
243 | | * errors will be set. Accordingly, you may not safely decide to |
244 | | * ignore any particular type of error. For example, it would be |
245 | | * incorrect to mask %G_TLS_CERTIFICATE_EXPIRED if you want to allow |
246 | | * expired certificates, because this could potentially be the only |
247 | | * error flag set even if other problems exist with the certificate. |
248 | | * |
249 | | * Since: 2.48 |
250 | | */ |
251 | 0 | g_object_interface_install_property (iface, |
252 | 0 | g_param_spec_flags ("peer-certificate-errors", |
253 | 0 | P_("Peer Certificate Errors"), |
254 | 0 | P_("Errors found with the peer’s certificate"), |
255 | 0 | G_TYPE_TLS_CERTIFICATE_FLAGS, |
256 | 0 | 0, |
257 | 0 | G_PARAM_READABLE | |
258 | 0 | G_PARAM_STATIC_STRINGS)); |
259 | | /** |
260 | | * GDtlsConnection:advertised-protocols: (nullable) |
261 | | * |
262 | | * The list of application-layer protocols that the connection |
263 | | * advertises that it is willing to speak. See |
264 | | * g_dtls_connection_set_advertised_protocols(). |
265 | | * |
266 | | * Since: 2.60 |
267 | | */ |
268 | 0 | g_object_interface_install_property (iface, |
269 | 0 | g_param_spec_boxed ("advertised-protocols", |
270 | 0 | P_("Advertised Protocols"), |
271 | 0 | P_("Application-layer protocols available on this connection"), |
272 | 0 | G_TYPE_STRV, |
273 | 0 | G_PARAM_READWRITE | |
274 | 0 | G_PARAM_STATIC_STRINGS)); |
275 | | /** |
276 | | * GDtlsConnection:negotiated-protocol: |
277 | | * |
278 | | * The application-layer protocol negotiated during the TLS |
279 | | * handshake. See g_dtls_connection_get_negotiated_protocol(). |
280 | | * |
281 | | * Since: 2.60 |
282 | | */ |
283 | 0 | g_object_interface_install_property (iface, |
284 | 0 | g_param_spec_string ("negotiated-protocol", |
285 | 0 | P_("Negotiated Protocol"), |
286 | 0 | P_("Application-layer protocol negotiated for this connection"), |
287 | 0 | NULL, |
288 | 0 | G_PARAM_READABLE | |
289 | 0 | G_PARAM_STATIC_STRINGS)); |
290 | | |
291 | | /** |
292 | | * GDtlsConnection:protocol-version: |
293 | | * |
294 | | * The DTLS protocol version in use. See g_dtls_connection_get_protocol_version(). |
295 | | * |
296 | | * Since: 2.70 |
297 | | */ |
298 | 0 | g_object_interface_install_property (iface, |
299 | 0 | g_param_spec_enum ("protocol-version", |
300 | 0 | P_("Protocol Version"), |
301 | 0 | P_("DTLS protocol version negotiated for this connection"), |
302 | 0 | G_TYPE_TLS_PROTOCOL_VERSION, |
303 | 0 | G_TLS_PROTOCOL_VERSION_UNKNOWN, |
304 | 0 | G_PARAM_READABLE | |
305 | 0 | G_PARAM_STATIC_STRINGS)); |
306 | | |
307 | | /** |
308 | | * GDtlsConnection:ciphersuite-name: (nullable) |
309 | | * |
310 | | * The name of the DTLS ciphersuite in use. See g_dtls_connection_get_ciphersuite_name(). |
311 | | * |
312 | | * Since: 2.70 |
313 | | */ |
314 | 0 | g_object_interface_install_property (iface, |
315 | 0 | g_param_spec_string ("ciphersuite-name", |
316 | 0 | P_("Ciphersuite Name"), |
317 | 0 | P_("Name of ciphersuite negotiated for this connection"), |
318 | 0 | NULL, |
319 | 0 | G_PARAM_READABLE | |
320 | 0 | G_PARAM_STATIC_STRINGS)); |
321 | | |
322 | | /** |
323 | | * GDtlsConnection::accept-certificate: |
324 | | * @conn: a #GDtlsConnection |
325 | | * @peer_cert: the peer's #GTlsCertificate |
326 | | * @errors: the problems with @peer_cert. |
327 | | * |
328 | | * Emitted during the TLS handshake after the peer certificate has |
329 | | * been received. You can examine @peer_cert's certification path by |
330 | | * calling g_tls_certificate_get_issuer() on it. |
331 | | * |
332 | | * For a client-side connection, @peer_cert is the server's |
333 | | * certificate, and the signal will only be emitted if the |
334 | | * certificate was not acceptable according to @conn's |
335 | | * #GDtlsClientConnection:validation_flags. If you would like the |
336 | | * certificate to be accepted despite @errors, return %TRUE from the |
337 | | * signal handler. Otherwise, if no handler accepts the certificate, |
338 | | * the handshake will fail with %G_TLS_ERROR_BAD_CERTIFICATE. |
339 | | * |
340 | | * GLib guarantees that if certificate verification fails, this signal |
341 | | * will be emitted with at least one error will be set in @errors, but |
342 | | * it does not guarantee that all possible errors will be set. |
343 | | * Accordingly, you may not safely decide to ignore any particular |
344 | | * type of error. For example, it would be incorrect to ignore |
345 | | * %G_TLS_CERTIFICATE_EXPIRED if you want to allow expired |
346 | | * certificates, because this could potentially be the only error flag |
347 | | * set even if other problems exist with the certificate. |
348 | | * |
349 | | * For a server-side connection, @peer_cert is the certificate |
350 | | * presented by the client, if this was requested via the server's |
351 | | * #GDtlsServerConnection:authentication_mode. On the server side, |
352 | | * the signal is always emitted when the client presents a |
353 | | * certificate, and the certificate will only be accepted if a |
354 | | * handler returns %TRUE. |
355 | | * |
356 | | * Note that if this signal is emitted as part of asynchronous I/O |
357 | | * in the main thread, then you should not attempt to interact with |
358 | | * the user before returning from the signal handler. If you want to |
359 | | * let the user decide whether or not to accept the certificate, you |
360 | | * would have to return %FALSE from the signal handler on the first |
361 | | * attempt, and then after the connection attempt returns a |
362 | | * %G_TLS_ERROR_BAD_CERTIFICATE, you can interact with the user, and |
363 | | * if the user decides to accept the certificate, remember that fact, |
364 | | * create a new connection, and return %TRUE from the signal handler |
365 | | * the next time. |
366 | | * |
367 | | * If you are doing I/O in another thread, you do not |
368 | | * need to worry about this, and can simply block in the signal |
369 | | * handler until the UI thread returns an answer. |
370 | | * |
371 | | * Returns: %TRUE to accept @peer_cert (which will also |
372 | | * immediately end the signal emission). %FALSE to allow the signal |
373 | | * emission to continue, which will cause the handshake to fail if |
374 | | * no one else overrides it. |
375 | | * |
376 | | * Since: 2.48 |
377 | | */ |
378 | 0 | signals[ACCEPT_CERTIFICATE] = |
379 | 0 | g_signal_new (I_("accept-certificate"), |
380 | 0 | G_TYPE_DTLS_CONNECTION, |
381 | 0 | G_SIGNAL_RUN_LAST, |
382 | 0 | G_STRUCT_OFFSET (GDtlsConnectionInterface, accept_certificate), |
383 | 0 | g_signal_accumulator_true_handled, NULL, |
384 | 0 | _g_cclosure_marshal_BOOLEAN__OBJECT_FLAGS, |
385 | 0 | G_TYPE_BOOLEAN, 2, |
386 | 0 | G_TYPE_TLS_CERTIFICATE, |
387 | 0 | G_TYPE_TLS_CERTIFICATE_FLAGS); |
388 | 0 | g_signal_set_va_marshaller (signals[ACCEPT_CERTIFICATE], |
389 | 0 | G_TYPE_FROM_INTERFACE (iface), |
390 | 0 | _g_cclosure_marshal_BOOLEAN__OBJECT_FLAGSv); |
391 | 0 | } |
392 | | |
393 | | /** |
394 | | * g_dtls_connection_set_database: |
395 | | * @conn: a #GDtlsConnection |
396 | | * @database: (nullable): a #GTlsDatabase |
397 | | * |
398 | | * Sets the certificate database that is used to verify peer certificates. |
399 | | * This is set to the default database by default. See |
400 | | * g_tls_backend_get_default_database(). If set to %NULL, then |
401 | | * peer certificate validation will always set the |
402 | | * %G_TLS_CERTIFICATE_UNKNOWN_CA error (meaning |
403 | | * #GDtlsConnection::accept-certificate will always be emitted on |
404 | | * client-side connections, unless that bit is not set in |
405 | | * #GDtlsClientConnection:validation-flags). |
406 | | * |
407 | | * There are nonintuitive security implications when using a non-default |
408 | | * database. See #GDtlsConnection:database for details. |
409 | | * |
410 | | * Since: 2.48 |
411 | | */ |
412 | | void |
413 | | g_dtls_connection_set_database (GDtlsConnection *conn, |
414 | | GTlsDatabase *database) |
415 | 0 | { |
416 | 0 | g_return_if_fail (G_IS_DTLS_CONNECTION (conn)); |
417 | 0 | g_return_if_fail (database == NULL || G_IS_TLS_DATABASE (database)); |
418 | | |
419 | 0 | g_object_set (G_OBJECT (conn), |
420 | 0 | "database", database, |
421 | 0 | NULL); |
422 | 0 | } |
423 | | |
424 | | /** |
425 | | * g_dtls_connection_get_database: |
426 | | * @conn: a #GDtlsConnection |
427 | | * |
428 | | * Gets the certificate database that @conn uses to verify |
429 | | * peer certificates. See g_dtls_connection_set_database(). |
430 | | * |
431 | | * Returns: (transfer none) (nullable): the certificate database that @conn uses or %NULL |
432 | | * |
433 | | * Since: 2.48 |
434 | | */ |
435 | | GTlsDatabase* |
436 | | g_dtls_connection_get_database (GDtlsConnection *conn) |
437 | 0 | { |
438 | 0 | GTlsDatabase *database = NULL; |
439 | |
|
440 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL); |
441 | | |
442 | 0 | g_object_get (G_OBJECT (conn), |
443 | 0 | "database", &database, |
444 | 0 | NULL); |
445 | 0 | if (database) |
446 | 0 | g_object_unref (database); |
447 | 0 | return database; |
448 | 0 | } |
449 | | |
450 | | /** |
451 | | * g_dtls_connection_set_certificate: |
452 | | * @conn: a #GDtlsConnection |
453 | | * @certificate: the certificate to use for @conn |
454 | | * |
455 | | * This sets the certificate that @conn will present to its peer |
456 | | * during the TLS handshake. For a #GDtlsServerConnection, it is |
457 | | * mandatory to set this, and that will normally be done at construct |
458 | | * time. |
459 | | * |
460 | | * For a #GDtlsClientConnection, this is optional. If a handshake fails |
461 | | * with %G_TLS_ERROR_CERTIFICATE_REQUIRED, that means that the server |
462 | | * requires a certificate, and if you try connecting again, you should |
463 | | * call this method first. You can call |
464 | | * g_dtls_client_connection_get_accepted_cas() on the failed connection |
465 | | * to get a list of Certificate Authorities that the server will |
466 | | * accept certificates from. |
467 | | * |
468 | | * (It is also possible that a server will allow the connection with |
469 | | * or without a certificate; in that case, if you don't provide a |
470 | | * certificate, you can tell that the server requested one by the fact |
471 | | * that g_dtls_client_connection_get_accepted_cas() will return |
472 | | * non-%NULL.) |
473 | | * |
474 | | * Since: 2.48 |
475 | | */ |
476 | | void |
477 | | g_dtls_connection_set_certificate (GDtlsConnection *conn, |
478 | | GTlsCertificate *certificate) |
479 | 0 | { |
480 | 0 | g_return_if_fail (G_IS_DTLS_CONNECTION (conn)); |
481 | 0 | g_return_if_fail (G_IS_TLS_CERTIFICATE (certificate)); |
482 | | |
483 | 0 | g_object_set (G_OBJECT (conn), "certificate", certificate, NULL); |
484 | 0 | } |
485 | | |
486 | | /** |
487 | | * g_dtls_connection_get_certificate: |
488 | | * @conn: a #GDtlsConnection |
489 | | * |
490 | | * Gets @conn's certificate, as set by |
491 | | * g_dtls_connection_set_certificate(). |
492 | | * |
493 | | * Returns: (transfer none) (nullable): @conn's certificate, or %NULL |
494 | | * |
495 | | * Since: 2.48 |
496 | | */ |
497 | | GTlsCertificate * |
498 | | g_dtls_connection_get_certificate (GDtlsConnection *conn) |
499 | 0 | { |
500 | 0 | GTlsCertificate *certificate; |
501 | |
|
502 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL); |
503 | | |
504 | 0 | g_object_get (G_OBJECT (conn), "certificate", &certificate, NULL); |
505 | 0 | if (certificate) |
506 | 0 | g_object_unref (certificate); |
507 | |
|
508 | 0 | return certificate; |
509 | 0 | } |
510 | | |
511 | | /** |
512 | | * g_dtls_connection_set_interaction: |
513 | | * @conn: a connection |
514 | | * @interaction: (nullable): an interaction object, or %NULL |
515 | | * |
516 | | * Set the object that will be used to interact with the user. It will be used |
517 | | * for things like prompting the user for passwords. |
518 | | * |
519 | | * The @interaction argument will normally be a derived subclass of |
520 | | * #GTlsInteraction. %NULL can also be provided if no user interaction |
521 | | * should occur for this connection. |
522 | | * |
523 | | * Since: 2.48 |
524 | | */ |
525 | | void |
526 | | g_dtls_connection_set_interaction (GDtlsConnection *conn, |
527 | | GTlsInteraction *interaction) |
528 | 0 | { |
529 | 0 | g_return_if_fail (G_IS_DTLS_CONNECTION (conn)); |
530 | 0 | g_return_if_fail (interaction == NULL || G_IS_TLS_INTERACTION (interaction)); |
531 | | |
532 | 0 | g_object_set (G_OBJECT (conn), "interaction", interaction, NULL); |
533 | 0 | } |
534 | | |
535 | | /** |
536 | | * g_dtls_connection_get_interaction: |
537 | | * @conn: a connection |
538 | | * |
539 | | * Get the object that will be used to interact with the user. It will be used |
540 | | * for things like prompting the user for passwords. If %NULL is returned, then |
541 | | * no user interaction will occur for this connection. |
542 | | * |
543 | | * Returns: (transfer none) (nullable): The interaction object. |
544 | | * |
545 | | * Since: 2.48 |
546 | | */ |
547 | | GTlsInteraction * |
548 | | g_dtls_connection_get_interaction (GDtlsConnection *conn) |
549 | 0 | { |
550 | 0 | GTlsInteraction *interaction = NULL; |
551 | |
|
552 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL); |
553 | | |
554 | 0 | g_object_get (G_OBJECT (conn), "interaction", &interaction, NULL); |
555 | 0 | if (interaction) |
556 | 0 | g_object_unref (interaction); |
557 | |
|
558 | 0 | return interaction; |
559 | 0 | } |
560 | | |
561 | | /** |
562 | | * g_dtls_connection_get_peer_certificate: |
563 | | * @conn: a #GDtlsConnection |
564 | | * |
565 | | * Gets @conn's peer's certificate after the handshake has completed |
566 | | * or failed. (It is not set during the emission of |
567 | | * #GDtlsConnection::accept-certificate.) |
568 | | * |
569 | | * Returns: (transfer none) (nullable): @conn's peer's certificate, or %NULL |
570 | | * |
571 | | * Since: 2.48 |
572 | | */ |
573 | | GTlsCertificate * |
574 | | g_dtls_connection_get_peer_certificate (GDtlsConnection *conn) |
575 | 0 | { |
576 | 0 | GTlsCertificate *peer_certificate; |
577 | |
|
578 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL); |
579 | | |
580 | 0 | g_object_get (G_OBJECT (conn), "peer-certificate", &peer_certificate, NULL); |
581 | 0 | if (peer_certificate) |
582 | 0 | g_object_unref (peer_certificate); |
583 | |
|
584 | 0 | return peer_certificate; |
585 | 0 | } |
586 | | |
587 | | /** |
588 | | * g_dtls_connection_get_peer_certificate_errors: |
589 | | * @conn: a #GDtlsConnection |
590 | | * |
591 | | * Gets the errors associated with validating @conn's peer's |
592 | | * certificate, after the handshake has completed or failed. (It is |
593 | | * not set during the emission of #GDtlsConnection::accept-certificate.) |
594 | | * |
595 | | * Returns: @conn's peer's certificate errors |
596 | | * |
597 | | * Since: 2.48 |
598 | | */ |
599 | | GTlsCertificateFlags |
600 | | g_dtls_connection_get_peer_certificate_errors (GDtlsConnection *conn) |
601 | 0 | { |
602 | 0 | GTlsCertificateFlags errors; |
603 | |
|
604 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), 0); |
605 | | |
606 | 0 | g_object_get (G_OBJECT (conn), "peer-certificate-errors", &errors, NULL); |
607 | 0 | return errors; |
608 | 0 | } |
609 | | |
610 | | /** |
611 | | * g_dtls_connection_set_require_close_notify: |
612 | | * @conn: a #GDtlsConnection |
613 | | * @require_close_notify: whether or not to require close notification |
614 | | * |
615 | | * Sets whether or not @conn expects a proper TLS close notification |
616 | | * before the connection is closed. If this is %TRUE (the default), |
617 | | * then @conn will expect to receive a TLS close notification from its |
618 | | * peer before the connection is closed, and will return a |
619 | | * %G_TLS_ERROR_EOF error if the connection is closed without proper |
620 | | * notification (since this may indicate a network error, or |
621 | | * man-in-the-middle attack). |
622 | | * |
623 | | * In some protocols, the application will know whether or not the |
624 | | * connection was closed cleanly based on application-level data |
625 | | * (because the application-level data includes a length field, or is |
626 | | * somehow self-delimiting); in this case, the close notify is |
627 | | * redundant and may be omitted. You |
628 | | * can use g_dtls_connection_set_require_close_notify() to tell @conn |
629 | | * to allow an "unannounced" connection close, in which case the close |
630 | | * will show up as a 0-length read, as in a non-TLS |
631 | | * #GDatagramBased, and it is up to the application to check that |
632 | | * the data has been fully received. |
633 | | * |
634 | | * Note that this only affects the behavior when the peer closes the |
635 | | * connection; when the application calls g_dtls_connection_close_async() on |
636 | | * @conn itself, this will send a close notification regardless of the |
637 | | * setting of this property. If you explicitly want to do an unclean |
638 | | * close, you can close @conn's #GDtlsConnection:base-socket rather |
639 | | * than closing @conn itself. |
640 | | * |
641 | | * Since: 2.48 |
642 | | */ |
643 | | void |
644 | | g_dtls_connection_set_require_close_notify (GDtlsConnection *conn, |
645 | | gboolean require_close_notify) |
646 | 0 | { |
647 | 0 | g_return_if_fail (G_IS_DTLS_CONNECTION (conn)); |
648 | | |
649 | 0 | g_object_set (G_OBJECT (conn), |
650 | 0 | "require-close-notify", require_close_notify, |
651 | 0 | NULL); |
652 | 0 | } |
653 | | |
654 | | /** |
655 | | * g_dtls_connection_get_require_close_notify: |
656 | | * @conn: a #GDtlsConnection |
657 | | * |
658 | | * Tests whether or not @conn expects a proper TLS close notification |
659 | | * when the connection is closed. See |
660 | | * g_dtls_connection_set_require_close_notify() for details. |
661 | | * |
662 | | * Returns: %TRUE if @conn requires a proper TLS close notification. |
663 | | * |
664 | | * Since: 2.48 |
665 | | */ |
666 | | gboolean |
667 | | g_dtls_connection_get_require_close_notify (GDtlsConnection *conn) |
668 | 0 | { |
669 | 0 | gboolean require_close_notify; |
670 | |
|
671 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), TRUE); |
672 | | |
673 | 0 | g_object_get (G_OBJECT (conn), |
674 | 0 | "require-close-notify", &require_close_notify, |
675 | 0 | NULL); |
676 | 0 | return require_close_notify; |
677 | 0 | } |
678 | | |
679 | | /** |
680 | | * g_dtls_connection_set_rehandshake_mode: |
681 | | * @conn: a #GDtlsConnection |
682 | | * @mode: the rehandshaking mode |
683 | | * |
684 | | * Since GLib 2.64, changing the rehandshake mode is no longer supported |
685 | | * and will have no effect. With TLS 1.3, rehandshaking has been removed from |
686 | | * the TLS protocol, replaced by separate post-handshake authentication and |
687 | | * rekey operations. |
688 | | * |
689 | | * Since: 2.48 |
690 | | * |
691 | | * Deprecated: 2.60. Changing the rehandshake mode is no longer |
692 | | * required for compatibility. Also, rehandshaking has been removed |
693 | | * from the TLS protocol in TLS 1.3. |
694 | | */ |
695 | | G_GNUC_BEGIN_IGNORE_DEPRECATIONS |
696 | | void |
697 | | g_dtls_connection_set_rehandshake_mode (GDtlsConnection *conn, |
698 | | GTlsRehandshakeMode mode) |
699 | 0 | { |
700 | 0 | g_return_if_fail (G_IS_DTLS_CONNECTION (conn)); |
701 | | |
702 | 0 | g_object_set (G_OBJECT (conn), |
703 | 0 | "rehandshake-mode", G_TLS_REHANDSHAKE_SAFELY, |
704 | 0 | NULL); |
705 | 0 | } |
706 | | G_GNUC_END_IGNORE_DEPRECATIONS |
707 | | |
708 | | /** |
709 | | * g_dtls_connection_get_rehandshake_mode: |
710 | | * @conn: a #GDtlsConnection |
711 | | * |
712 | | * Gets @conn rehandshaking mode. See |
713 | | * g_dtls_connection_set_rehandshake_mode() for details. |
714 | | * |
715 | | * Returns: %G_TLS_REHANDSHAKE_SAFELY |
716 | | * |
717 | | * Since: 2.48 |
718 | | * |
719 | | * Deprecated: 2.64. Changing the rehandshake mode is no longer |
720 | | * required for compatibility. Also, rehandshaking has been removed |
721 | | * from the TLS protocol in TLS 1.3. |
722 | | */ |
723 | | G_GNUC_BEGIN_IGNORE_DEPRECATIONS |
724 | | GTlsRehandshakeMode |
725 | | g_dtls_connection_get_rehandshake_mode (GDtlsConnection *conn) |
726 | 0 | { |
727 | 0 | GTlsRehandshakeMode mode; |
728 | |
|
729 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), G_TLS_REHANDSHAKE_SAFELY); |
730 | | |
731 | | /* Continue to call g_object_get(), even though the return value is |
732 | | * ignored, so that behavior doesn’t change for derived classes. |
733 | | */ |
734 | 0 | g_object_get (G_OBJECT (conn), |
735 | 0 | "rehandshake-mode", &mode, |
736 | 0 | NULL); |
737 | 0 | return G_TLS_REHANDSHAKE_SAFELY; |
738 | 0 | } |
739 | | G_GNUC_END_IGNORE_DEPRECATIONS |
740 | | |
741 | | /** |
742 | | * g_dtls_connection_handshake: |
743 | | * @conn: a #GDtlsConnection |
744 | | * @cancellable: (nullable): a #GCancellable, or %NULL |
745 | | * @error: a #GError, or %NULL |
746 | | * |
747 | | * Attempts a TLS handshake on @conn. |
748 | | * |
749 | | * On the client side, it is never necessary to call this method; |
750 | | * although the connection needs to perform a handshake after |
751 | | * connecting, #GDtlsConnection will handle this for you automatically |
752 | | * when you try to send or receive data on the connection. You can call |
753 | | * g_dtls_connection_handshake() manually if you want to know whether |
754 | | * the initial handshake succeeded or failed (as opposed to just |
755 | | * immediately trying to use @conn to read or write, in which case, |
756 | | * if it fails, it may not be possible to tell if it failed before |
757 | | * or after completing the handshake), but beware that servers may reject |
758 | | * client authentication after the handshake has completed, so a |
759 | | * successful handshake does not indicate the connection will be usable. |
760 | | * |
761 | | * Likewise, on the server side, although a handshake is necessary at |
762 | | * the beginning of the communication, you do not need to call this |
763 | | * function explicitly unless you want clearer error reporting. |
764 | | * |
765 | | * Previously, calling g_dtls_connection_handshake() after the initial |
766 | | * handshake would trigger a rehandshake; however, this usage was |
767 | | * deprecated in GLib 2.60 because rehandshaking was removed from the |
768 | | * TLS protocol in TLS 1.3. Since GLib 2.64, calling this function after |
769 | | * the initial handshake will no longer do anything. |
770 | | * |
771 | | * #GDtlsConnection::accept_certificate may be emitted during the |
772 | | * handshake. |
773 | | * |
774 | | * Returns: success or failure |
775 | | * |
776 | | * Since: 2.48 |
777 | | */ |
778 | | gboolean |
779 | | g_dtls_connection_handshake (GDtlsConnection *conn, |
780 | | GCancellable *cancellable, |
781 | | GError **error) |
782 | 0 | { |
783 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE); |
784 | | |
785 | 0 | return G_DTLS_CONNECTION_GET_INTERFACE (conn)->handshake (conn, cancellable, |
786 | 0 | error); |
787 | 0 | } |
788 | | |
789 | | /** |
790 | | * g_dtls_connection_handshake_async: |
791 | | * @conn: a #GDtlsConnection |
792 | | * @io_priority: the [I/O priority][io-priority] of the request |
793 | | * @cancellable: (nullable): a #GCancellable, or %NULL |
794 | | * @callback: callback to call when the handshake is complete |
795 | | * @user_data: the data to pass to the callback function |
796 | | * |
797 | | * Asynchronously performs a TLS handshake on @conn. See |
798 | | * g_dtls_connection_handshake() for more information. |
799 | | * |
800 | | * Since: 2.48 |
801 | | */ |
802 | | void |
803 | | g_dtls_connection_handshake_async (GDtlsConnection *conn, |
804 | | int io_priority, |
805 | | GCancellable *cancellable, |
806 | | GAsyncReadyCallback callback, |
807 | | gpointer user_data) |
808 | 0 | { |
809 | 0 | g_return_if_fail (G_IS_DTLS_CONNECTION (conn)); |
810 | | |
811 | 0 | G_DTLS_CONNECTION_GET_INTERFACE (conn)->handshake_async (conn, io_priority, |
812 | 0 | cancellable, |
813 | 0 | callback, user_data); |
814 | 0 | } |
815 | | |
816 | | /** |
817 | | * g_dtls_connection_handshake_finish: |
818 | | * @conn: a #GDtlsConnection |
819 | | * @result: a #GAsyncResult. |
820 | | * @error: a #GError pointer, or %NULL |
821 | | * |
822 | | * Finish an asynchronous TLS handshake operation. See |
823 | | * g_dtls_connection_handshake() for more information. |
824 | | * |
825 | | * Returns: %TRUE on success, %FALSE on failure, in which |
826 | | * case @error will be set. |
827 | | * |
828 | | * Since: 2.48 |
829 | | */ |
830 | | gboolean |
831 | | g_dtls_connection_handshake_finish (GDtlsConnection *conn, |
832 | | GAsyncResult *result, |
833 | | GError **error) |
834 | 0 | { |
835 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE); |
836 | | |
837 | 0 | return G_DTLS_CONNECTION_GET_INTERFACE (conn)->handshake_finish (conn, |
838 | 0 | result, |
839 | 0 | error); |
840 | 0 | } |
841 | | |
842 | | /** |
843 | | * g_dtls_connection_shutdown: |
844 | | * @conn: a #GDtlsConnection |
845 | | * @shutdown_read: %TRUE to stop reception of incoming datagrams |
846 | | * @shutdown_write: %TRUE to stop sending outgoing datagrams |
847 | | * @cancellable: (nullable): a #GCancellable, or %NULL |
848 | | * @error: a #GError, or %NULL |
849 | | * |
850 | | * Shut down part or all of a DTLS connection. |
851 | | * |
852 | | * If @shutdown_read is %TRUE then the receiving side of the connection is shut |
853 | | * down, and further reading is disallowed. Subsequent calls to |
854 | | * g_datagram_based_receive_messages() will return %G_IO_ERROR_CLOSED. |
855 | | * |
856 | | * If @shutdown_write is %TRUE then the sending side of the connection is shut |
857 | | * down, and further writing is disallowed. Subsequent calls to |
858 | | * g_datagram_based_send_messages() will return %G_IO_ERROR_CLOSED. |
859 | | * |
860 | | * It is allowed for both @shutdown_read and @shutdown_write to be TRUE — this |
861 | | * is equivalent to calling g_dtls_connection_close(). |
862 | | * |
863 | | * If @cancellable is cancelled, the #GDtlsConnection may be left |
864 | | * partially-closed and any pending untransmitted data may be lost. Call |
865 | | * g_dtls_connection_shutdown() again to complete closing the #GDtlsConnection. |
866 | | * |
867 | | * Returns: %TRUE on success, %FALSE otherwise |
868 | | * |
869 | | * Since: 2.48 |
870 | | */ |
871 | | gboolean |
872 | | g_dtls_connection_shutdown (GDtlsConnection *conn, |
873 | | gboolean shutdown_read, |
874 | | gboolean shutdown_write, |
875 | | GCancellable *cancellable, |
876 | | GError **error) |
877 | 0 | { |
878 | 0 | GDtlsConnectionInterface *iface; |
879 | |
|
880 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE); |
881 | 0 | g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), |
882 | 0 | FALSE); |
883 | 0 | g_return_val_if_fail (error == NULL || *error == NULL, FALSE); |
884 | | |
885 | 0 | if (!shutdown_read && !shutdown_write) |
886 | 0 | return TRUE; |
887 | | |
888 | 0 | iface = G_DTLS_CONNECTION_GET_INTERFACE (conn); |
889 | 0 | g_assert (iface->shutdown != NULL); |
890 | | |
891 | 0 | return iface->shutdown (conn, shutdown_read, shutdown_write, |
892 | 0 | cancellable, error); |
893 | 0 | } |
894 | | |
895 | | /** |
896 | | * g_dtls_connection_shutdown_async: |
897 | | * @conn: a #GDtlsConnection |
898 | | * @shutdown_read: %TRUE to stop reception of incoming datagrams |
899 | | * @shutdown_write: %TRUE to stop sending outgoing datagrams |
900 | | * @io_priority: the [I/O priority][io-priority] of the request |
901 | | * @cancellable: (nullable): a #GCancellable, or %NULL |
902 | | * @callback: callback to call when the shutdown operation is complete |
903 | | * @user_data: the data to pass to the callback function |
904 | | * |
905 | | * Asynchronously shut down part or all of the DTLS connection. See |
906 | | * g_dtls_connection_shutdown() for more information. |
907 | | * |
908 | | * Since: 2.48 |
909 | | */ |
910 | | void |
911 | | g_dtls_connection_shutdown_async (GDtlsConnection *conn, |
912 | | gboolean shutdown_read, |
913 | | gboolean shutdown_write, |
914 | | int io_priority, |
915 | | GCancellable *cancellable, |
916 | | GAsyncReadyCallback callback, |
917 | | gpointer user_data) |
918 | 0 | { |
919 | 0 | GDtlsConnectionInterface *iface; |
920 | |
|
921 | 0 | g_return_if_fail (G_IS_DTLS_CONNECTION (conn)); |
922 | 0 | g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable)); |
923 | | |
924 | 0 | iface = G_DTLS_CONNECTION_GET_INTERFACE (conn); |
925 | 0 | g_assert (iface->shutdown_async != NULL); |
926 | | |
927 | 0 | iface->shutdown_async (conn, TRUE, TRUE, io_priority, cancellable, |
928 | 0 | callback, user_data); |
929 | 0 | } |
930 | | |
931 | | /** |
932 | | * g_dtls_connection_shutdown_finish: |
933 | | * @conn: a #GDtlsConnection |
934 | | * @result: a #GAsyncResult |
935 | | * @error: a #GError pointer, or %NULL |
936 | | * |
937 | | * Finish an asynchronous TLS shutdown operation. See |
938 | | * g_dtls_connection_shutdown() for more information. |
939 | | * |
940 | | * Returns: %TRUE on success, %FALSE on failure, in which |
941 | | * case @error will be set |
942 | | * |
943 | | * Since: 2.48 |
944 | | */ |
945 | | gboolean |
946 | | g_dtls_connection_shutdown_finish (GDtlsConnection *conn, |
947 | | GAsyncResult *result, |
948 | | GError **error) |
949 | 0 | { |
950 | 0 | GDtlsConnectionInterface *iface; |
951 | |
|
952 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE); |
953 | 0 | g_return_val_if_fail (error == NULL || *error == NULL, FALSE); |
954 | | |
955 | 0 | iface = G_DTLS_CONNECTION_GET_INTERFACE (conn); |
956 | 0 | g_assert (iface->shutdown_finish != NULL); |
957 | | |
958 | 0 | return iface->shutdown_finish (conn, result, error); |
959 | 0 | } |
960 | | |
961 | | /** |
962 | | * g_dtls_connection_close: |
963 | | * @conn: a #GDtlsConnection |
964 | | * @cancellable: (nullable): a #GCancellable, or %NULL |
965 | | * @error: a #GError, or %NULL |
966 | | * |
967 | | * Close the DTLS connection. This is equivalent to calling |
968 | | * g_dtls_connection_shutdown() to shut down both sides of the connection. |
969 | | * |
970 | | * Closing a #GDtlsConnection waits for all buffered but untransmitted data to |
971 | | * be sent before it completes. It then sends a `close_notify` DTLS alert to the |
972 | | * peer and may wait for a `close_notify` to be received from the peer. It does |
973 | | * not close the underlying #GDtlsConnection:base-socket; that must be closed |
974 | | * separately. |
975 | | * |
976 | | * Once @conn is closed, all other operations will return %G_IO_ERROR_CLOSED. |
977 | | * Closing a #GDtlsConnection multiple times will not return an error. |
978 | | * |
979 | | * #GDtlsConnections will be automatically closed when the last reference is |
980 | | * dropped, but you might want to call this function to make sure resources are |
981 | | * released as early as possible. |
982 | | * |
983 | | * If @cancellable is cancelled, the #GDtlsConnection may be left |
984 | | * partially-closed and any pending untransmitted data may be lost. Call |
985 | | * g_dtls_connection_close() again to complete closing the #GDtlsConnection. |
986 | | * |
987 | | * Returns: %TRUE on success, %FALSE otherwise |
988 | | * |
989 | | * Since: 2.48 |
990 | | */ |
991 | | gboolean |
992 | | g_dtls_connection_close (GDtlsConnection *conn, |
993 | | GCancellable *cancellable, |
994 | | GError **error) |
995 | 0 | { |
996 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE); |
997 | 0 | g_return_val_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable), |
998 | 0 | FALSE); |
999 | 0 | g_return_val_if_fail (error == NULL || *error == NULL, FALSE); |
1000 | | |
1001 | 0 | return G_DTLS_CONNECTION_GET_INTERFACE (conn)->shutdown (conn, TRUE, TRUE, |
1002 | 0 | cancellable, error); |
1003 | 0 | } |
1004 | | |
1005 | | /** |
1006 | | * g_dtls_connection_close_async: |
1007 | | * @conn: a #GDtlsConnection |
1008 | | * @io_priority: the [I/O priority][io-priority] of the request |
1009 | | * @cancellable: (nullable): a #GCancellable, or %NULL |
1010 | | * @callback: callback to call when the close operation is complete |
1011 | | * @user_data: the data to pass to the callback function |
1012 | | * |
1013 | | * Asynchronously close the DTLS connection. See g_dtls_connection_close() for |
1014 | | * more information. |
1015 | | * |
1016 | | * Since: 2.48 |
1017 | | */ |
1018 | | void |
1019 | | g_dtls_connection_close_async (GDtlsConnection *conn, |
1020 | | int io_priority, |
1021 | | GCancellable *cancellable, |
1022 | | GAsyncReadyCallback callback, |
1023 | | gpointer user_data) |
1024 | 0 | { |
1025 | 0 | g_return_if_fail (G_IS_DTLS_CONNECTION (conn)); |
1026 | 0 | g_return_if_fail (cancellable == NULL || G_IS_CANCELLABLE (cancellable)); |
1027 | | |
1028 | 0 | G_DTLS_CONNECTION_GET_INTERFACE (conn)->shutdown_async (conn, TRUE, TRUE, |
1029 | 0 | io_priority, |
1030 | 0 | cancellable, |
1031 | 0 | callback, user_data); |
1032 | 0 | } |
1033 | | |
1034 | | /** |
1035 | | * g_dtls_connection_close_finish: |
1036 | | * @conn: a #GDtlsConnection |
1037 | | * @result: a #GAsyncResult |
1038 | | * @error: a #GError pointer, or %NULL |
1039 | | * |
1040 | | * Finish an asynchronous TLS close operation. See g_dtls_connection_close() |
1041 | | * for more information. |
1042 | | * |
1043 | | * Returns: %TRUE on success, %FALSE on failure, in which |
1044 | | * case @error will be set |
1045 | | * |
1046 | | * Since: 2.48 |
1047 | | */ |
1048 | | gboolean |
1049 | | g_dtls_connection_close_finish (GDtlsConnection *conn, |
1050 | | GAsyncResult *result, |
1051 | | GError **error) |
1052 | 0 | { |
1053 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE); |
1054 | 0 | g_return_val_if_fail (error == NULL || *error == NULL, FALSE); |
1055 | | |
1056 | 0 | return G_DTLS_CONNECTION_GET_INTERFACE (conn)->shutdown_finish (conn, result, |
1057 | 0 | error); |
1058 | 0 | } |
1059 | | |
1060 | | /** |
1061 | | * g_dtls_connection_emit_accept_certificate: |
1062 | | * @conn: a #GDtlsConnection |
1063 | | * @peer_cert: the peer's #GTlsCertificate |
1064 | | * @errors: the problems with @peer_cert |
1065 | | * |
1066 | | * Used by #GDtlsConnection implementations to emit the |
1067 | | * #GDtlsConnection::accept-certificate signal. |
1068 | | * |
1069 | | * Returns: %TRUE if one of the signal handlers has returned |
1070 | | * %TRUE to accept @peer_cert |
1071 | | * |
1072 | | * Since: 2.48 |
1073 | | */ |
1074 | | gboolean |
1075 | | g_dtls_connection_emit_accept_certificate (GDtlsConnection *conn, |
1076 | | GTlsCertificate *peer_cert, |
1077 | | GTlsCertificateFlags errors) |
1078 | 0 | { |
1079 | 0 | gboolean accept = FALSE; |
1080 | |
|
1081 | 0 | g_signal_emit (conn, signals[ACCEPT_CERTIFICATE], 0, |
1082 | 0 | peer_cert, errors, &accept); |
1083 | 0 | return accept; |
1084 | 0 | } |
1085 | | |
1086 | | /** |
1087 | | * g_dtls_connection_set_advertised_protocols: |
1088 | | * @conn: a #GDtlsConnection |
1089 | | * @protocols: (array zero-terminated=1) (nullable): a %NULL-terminated |
1090 | | * array of ALPN protocol names (eg, "http/1.1", "h2"), or %NULL |
1091 | | * |
1092 | | * Sets the list of application-layer protocols to advertise that the |
1093 | | * caller is willing to speak on this connection. The |
1094 | | * Application-Layer Protocol Negotiation (ALPN) extension will be |
1095 | | * used to negotiate a compatible protocol with the peer; use |
1096 | | * g_dtls_connection_get_negotiated_protocol() to find the negotiated |
1097 | | * protocol after the handshake. Specifying %NULL for the the value |
1098 | | * of @protocols will disable ALPN negotiation. |
1099 | | * |
1100 | | * See [IANA TLS ALPN Protocol IDs](https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids) |
1101 | | * for a list of registered protocol IDs. |
1102 | | * |
1103 | | * Since: 2.60 |
1104 | | */ |
1105 | | void |
1106 | | g_dtls_connection_set_advertised_protocols (GDtlsConnection *conn, |
1107 | | const gchar * const *protocols) |
1108 | 0 | { |
1109 | 0 | GDtlsConnectionInterface *iface; |
1110 | |
|
1111 | 0 | iface = G_DTLS_CONNECTION_GET_INTERFACE (conn); |
1112 | 0 | if (iface->set_advertised_protocols == NULL) |
1113 | 0 | return; |
1114 | | |
1115 | 0 | iface->set_advertised_protocols (conn, protocols); |
1116 | 0 | } |
1117 | | |
1118 | | /** |
1119 | | * g_dtls_connection_get_negotiated_protocol: |
1120 | | * @conn: a #GDtlsConnection |
1121 | | * |
1122 | | * Gets the name of the application-layer protocol negotiated during |
1123 | | * the handshake. |
1124 | | * |
1125 | | * If the peer did not use the ALPN extension, or did not advertise a |
1126 | | * protocol that matched one of @conn's protocols, or the TLS backend |
1127 | | * does not support ALPN, then this will be %NULL. See |
1128 | | * g_dtls_connection_set_advertised_protocols(). |
1129 | | * |
1130 | | * Returns: (nullable): the negotiated protocol, or %NULL |
1131 | | * |
1132 | | * Since: 2.60 |
1133 | | */ |
1134 | | const gchar * |
1135 | | g_dtls_connection_get_negotiated_protocol (GDtlsConnection *conn) |
1136 | 0 | { |
1137 | 0 | GDtlsConnectionInterface *iface; |
1138 | |
|
1139 | 0 | iface = G_DTLS_CONNECTION_GET_INTERFACE (conn); |
1140 | 0 | if (iface->get_negotiated_protocol == NULL) |
1141 | 0 | return NULL; |
1142 | | |
1143 | 0 | return iface->get_negotiated_protocol (conn); |
1144 | 0 | } |
1145 | | |
1146 | | /** |
1147 | | * g_dtls_connection_get_channel_binding_data: |
1148 | | * @conn: a #GDtlsConnection |
1149 | | * @type: #GTlsChannelBindingType type of data to fetch |
1150 | | * @data: (out callee-allocates)(optional)(transfer none): #GByteArray is |
1151 | | * filled with the binding data, or %NULL |
1152 | | * @error: a #GError pointer, or %NULL |
1153 | | * |
1154 | | * Query the TLS backend for TLS channel binding data of @type for @conn. |
1155 | | * |
1156 | | * This call retrieves TLS channel binding data as specified in RFC |
1157 | | * [5056](https://tools.ietf.org/html/rfc5056), RFC |
1158 | | * [5929](https://tools.ietf.org/html/rfc5929), and related RFCs. The |
1159 | | * binding data is returned in @data. The @data is resized by the callee |
1160 | | * using #GByteArray buffer management and will be freed when the @data |
1161 | | * is destroyed by g_byte_array_unref(). If @data is %NULL, it will only |
1162 | | * check whether TLS backend is able to fetch the data (e.g. whether @type |
1163 | | * is supported by the TLS backend). It does not guarantee that the data |
1164 | | * will be available though. That could happen if TLS connection does not |
1165 | | * support @type or the binding data is not available yet due to additional |
1166 | | * negotiation or input required. |
1167 | | * |
1168 | | * Returns: %TRUE on success, %FALSE otherwise |
1169 | | * |
1170 | | * Since: 2.66 |
1171 | | */ |
1172 | | gboolean |
1173 | | g_dtls_connection_get_channel_binding_data (GDtlsConnection *conn, |
1174 | | GTlsChannelBindingType type, |
1175 | | GByteArray *data, |
1176 | | GError **error) |
1177 | 0 | { |
1178 | 0 | GDtlsConnectionInterface *iface; |
1179 | |
|
1180 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), FALSE); |
1181 | 0 | g_return_val_if_fail (error == NULL || *error == NULL, FALSE); |
1182 | | |
1183 | 0 | iface = G_DTLS_CONNECTION_GET_INTERFACE (conn); |
1184 | 0 | if (iface->get_binding_data == NULL) |
1185 | 0 | { |
1186 | 0 | g_set_error_literal (error, G_TLS_CHANNEL_BINDING_ERROR, |
1187 | 0 | G_TLS_CHANNEL_BINDING_ERROR_NOT_IMPLEMENTED, |
1188 | 0 | _("TLS backend does not implement TLS binding retrieval")); |
1189 | 0 | return FALSE; |
1190 | 0 | } |
1191 | | |
1192 | 0 | return iface->get_binding_data (conn, type, data, error); |
1193 | 0 | } |
1194 | | |
1195 | | /** |
1196 | | * g_dtls_connection_get_protocol_version: |
1197 | | * @conn: a #GDTlsConnection |
1198 | | * |
1199 | | * Returns the current DTLS protocol version, which may be |
1200 | | * %G_TLS_PROTOCOL_VERSION_UNKNOWN if the connection has not handshaked, or |
1201 | | * has been closed, or if the TLS backend has implemented a protocol version |
1202 | | * that is not a recognized #GTlsProtocolVersion. |
1203 | | * |
1204 | | * Returns: The current DTLS protocol version |
1205 | | * |
1206 | | * Since: 2.70 |
1207 | | */ |
1208 | | GTlsProtocolVersion |
1209 | | g_dtls_connection_get_protocol_version (GDtlsConnection *conn) |
1210 | 0 | { |
1211 | 0 | GTlsProtocolVersion protocol_version; |
1212 | 0 | GEnumClass *enum_class; |
1213 | 0 | GEnumValue *enum_value; |
1214 | |
|
1215 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), G_TLS_PROTOCOL_VERSION_UNKNOWN); |
1216 | | |
1217 | 0 | g_object_get (G_OBJECT (conn), |
1218 | 0 | "protocol-version", &protocol_version, |
1219 | 0 | NULL); |
1220 | | |
1221 | | /* Convert unknown values to G_TLS_PROTOCOL_VERSION_UNKNOWN. */ |
1222 | 0 | enum_class = g_type_class_peek_static (G_TYPE_TLS_PROTOCOL_VERSION); |
1223 | 0 | enum_value = g_enum_get_value (enum_class, protocol_version); |
1224 | 0 | return enum_value ? protocol_version : G_TLS_PROTOCOL_VERSION_UNKNOWN; |
1225 | 0 | } |
1226 | | |
1227 | | /** |
1228 | | * g_dtls_connection_get_ciphersuite_name: |
1229 | | * @conn: a #GDTlsConnection |
1230 | | * |
1231 | | * Returns the name of the current DTLS ciphersuite, or %NULL if the |
1232 | | * connection has not handshaked or has been closed. Beware that the TLS |
1233 | | * backend may use any of multiple different naming conventions, because |
1234 | | * OpenSSL and GnuTLS have their own ciphersuite naming conventions that |
1235 | | * are different from each other and different from the standard, IANA- |
1236 | | * registered ciphersuite names. The ciphersuite name is intended to be |
1237 | | * displayed to the user for informative purposes only, and parsing it |
1238 | | * is not recommended. |
1239 | | * |
1240 | | * Returns: (nullable): The name of the current DTLS ciphersuite, or %NULL |
1241 | | * |
1242 | | * Since: 2.70 |
1243 | | */ |
1244 | | gchar * |
1245 | | g_dtls_connection_get_ciphersuite_name (GDtlsConnection *conn) |
1246 | 0 | { |
1247 | 0 | gchar *ciphersuite_name; |
1248 | |
|
1249 | 0 | g_return_val_if_fail (G_IS_DTLS_CONNECTION (conn), NULL); |
1250 | | |
1251 | 0 | g_object_get (G_OBJECT (conn), |
1252 | 0 | "ciphersuite-name", &ciphersuite_name, |
1253 | 0 | NULL); |
1254 | |
|
1255 | 0 | return g_steal_pointer (&ciphersuite_name); |
1256 | 0 | } |