1 /* GIO - GLib Input, Output and Streaming Library
2 *
3 * Copyright © 2010 Red Hat, Inc
4 * Copyright © 2015 Collabora, Ltd.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General
17 * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "config.h"
21 #include "glib.h"
22
23 #include "gtlsbackend.h"
24 #include "gtlsdatabase.h"
25 #include "gdummytlsbackend.h"
26 #include "gioenumtypes.h"
27 #include "giomodule-priv.h"
28
29 /**
30 * SECTION:gtls
31 * @title: TLS Overview
32 * @short_description: TLS (aka SSL) support for GSocketConnection
33 * @include: gio/gio.h
34 *
35 * #GTlsConnection and related classes provide TLS (Transport Layer
36 * Security, previously known as SSL, Secure Sockets Layer) support for
37 * gio-based network streams.
38 *
39 * #GDtlsConnection and related classes provide DTLS (Datagram TLS) support for
40 * GIO-based network sockets, using the #GDatagramBased interface. The TLS and
41 * DTLS APIs are almost identical, except TLS is stream-based and DTLS is
42 * datagram-based. They share certificate and backend infrastructure.
43 *
44 * In the simplest case, for a client TLS connection, you can just set the
45 * #GSocketClient:tls flag on a #GSocketClient, and then any
46 * connections created by that client will have TLS negotiated
47 * automatically, using appropriate default settings, and rejecting
48 * any invalid or self-signed certificates (unless you change that
49 * default by setting the #GSocketClient:tls-validation-flags
50 * property). The returned object will be a #GTcpWrapperConnection,
51 * which wraps the underlying #GTlsClientConnection.
52 *
53 * For greater control, you can create your own #GTlsClientConnection,
54 * wrapping a #GSocketConnection (or an arbitrary #GIOStream with
55 * pollable input and output streams) and then connect to its signals,
56 * such as #GTlsConnection::accept-certificate, before starting the
57 * handshake.
58 *
59 * Server-side TLS is similar, using #GTlsServerConnection. At the
60 * moment, there is no support for automatically wrapping server-side
61 * connections in the way #GSocketClient does for client-side
62 * connections.
63 */
64
65 /**
66 * SECTION:gtlsbackend
67 * @title: GTlsBackend
68 * @short_description: TLS backend implementation
69 * @include: gio/gio.h
70 *
71 * TLS (Transport Layer Security, aka SSL) and DTLS backend.
72 *
73 * Since: 2.28
74 */
75
76 /**
77 * GTlsBackend:
78 *
79 * TLS (Transport Layer Security, aka SSL) and DTLS backend. This is an
80 * internal type used to coordinate the different classes implemented
81 * by a TLS backend.
82 *
83 * Since: 2.28
84 */
85
G_DEFINE_INTERFACE(GTlsBackend,g_tls_backend,G_TYPE_OBJECT)86 G_DEFINE_INTERFACE (GTlsBackend, g_tls_backend, G_TYPE_OBJECT)
87
88 static GTlsDatabase *default_database;
89 G_LOCK_DEFINE_STATIC (default_database_lock);
90
91 static void
92 g_tls_backend_default_init (GTlsBackendInterface *iface)
93 {
94 }
95
96 /**
97 * g_tls_backend_get_default:
98 *
99 * Gets the default #GTlsBackend for the system.
100 *
101 * Returns: (transfer none): a #GTlsBackend
102 *
103 * Since: 2.28
104 */
105 GTlsBackend *
g_tls_backend_get_default(void)106 g_tls_backend_get_default (void)
107 {
108 return _g_io_module_get_default (G_TLS_BACKEND_EXTENSION_POINT_NAME,
109 "GIO_USE_TLS", NULL);
110 }
111
112 /**
113 * g_tls_backend_supports_tls:
114 * @backend: the #GTlsBackend
115 *
116 * Checks if TLS is supported; if this returns %FALSE for the default
117 * #GTlsBackend, it means no "real" TLS backend is available.
118 *
119 * Returns: whether or not TLS is supported
120 *
121 * Since: 2.28
122 */
123 gboolean
g_tls_backend_supports_tls(GTlsBackend * backend)124 g_tls_backend_supports_tls (GTlsBackend *backend)
125 {
126 if (G_TLS_BACKEND_GET_INTERFACE (backend)->supports_tls)
127 return G_TLS_BACKEND_GET_INTERFACE (backend)->supports_tls (backend);
128 else if (G_IS_DUMMY_TLS_BACKEND (backend))
129 return FALSE;
130 else
131 return TRUE;
132 }
133
134 /**
135 * g_tls_backend_supports_dtls:
136 * @backend: the #GTlsBackend
137 *
138 * Checks if DTLS is supported. DTLS support may not be available even if TLS
139 * support is available, and vice-versa.
140 *
141 * Returns: whether DTLS is supported
142 *
143 * Since: 2.48
144 */
145 gboolean
g_tls_backend_supports_dtls(GTlsBackend * backend)146 g_tls_backend_supports_dtls (GTlsBackend *backend)
147 {
148 if (G_TLS_BACKEND_GET_INTERFACE (backend)->supports_dtls)
149 return G_TLS_BACKEND_GET_INTERFACE (backend)->supports_dtls (backend);
150
151 return FALSE;
152 }
153
154 /**
155 * g_tls_backend_get_default_database:
156 * @backend: the #GTlsBackend
157 *
158 * Gets the default #GTlsDatabase used to verify TLS connections.
159 *
160 * Returns: (transfer full): the default database, which should be
161 * unreffed when done.
162 *
163 * Since: 2.30
164 */
165 GTlsDatabase *
g_tls_backend_get_default_database(GTlsBackend * backend)166 g_tls_backend_get_default_database (GTlsBackend *backend)
167 {
168 GTlsDatabase *db;
169
170 g_return_val_if_fail (G_IS_TLS_BACKEND (backend), NULL);
171
172 /* This method was added later, so accept the (remote) possibility it can be NULL */
173 if (!G_TLS_BACKEND_GET_INTERFACE (backend)->get_default_database)
174 return NULL;
175
176 G_LOCK (default_database_lock);
177
178 if (!default_database)
179 default_database = G_TLS_BACKEND_GET_INTERFACE (backend)->get_default_database (backend);
180 db = default_database ? g_object_ref (default_database) : NULL;
181 G_UNLOCK (default_database_lock);
182
183 return db;
184 }
185
186 /**
187 * g_tls_backend_set_default_database:
188 * @backend: the #GTlsBackend
189 * @database: (nullable): the #GTlsDatabase
190 *
191 * Set the default #GTlsDatabase used to verify TLS connections
192 *
193 * Any subsequent call to g_tls_backend_get_default_database() will return
194 * the database set in this call. Existing databases and connections are not
195 * modified.
196 *
197 * Setting a %NULL default database will reset to using the system default
198 * database as if g_tls_backend_set_default_database() had never been called.
199 *
200 * Since: 2.60
201 */
202 void
g_tls_backend_set_default_database(GTlsBackend * backend,GTlsDatabase * database)203 g_tls_backend_set_default_database (GTlsBackend *backend,
204 GTlsDatabase *database)
205 {
206 g_return_if_fail (G_IS_TLS_BACKEND (backend));
207 g_return_if_fail (database == NULL || G_IS_TLS_DATABASE (database));
208
209 G_LOCK (default_database_lock);
210 g_set_object (&default_database, database);
211 G_UNLOCK (default_database_lock);
212 }
213
214 /**
215 * g_tls_backend_get_certificate_type:
216 * @backend: the #GTlsBackend
217 *
218 * Gets the #GType of @backend's #GTlsCertificate implementation.
219 *
220 * Returns: the #GType of @backend's #GTlsCertificate
221 * implementation.
222 *
223 * Since: 2.28
224 */
225 GType
g_tls_backend_get_certificate_type(GTlsBackend * backend)226 g_tls_backend_get_certificate_type (GTlsBackend *backend)
227 {
228 return G_TLS_BACKEND_GET_INTERFACE (backend)->get_certificate_type ();
229 }
230
231 /**
232 * g_tls_backend_get_client_connection_type:
233 * @backend: the #GTlsBackend
234 *
235 * Gets the #GType of @backend's #GTlsClientConnection implementation.
236 *
237 * Returns: the #GType of @backend's #GTlsClientConnection
238 * implementation.
239 *
240 * Since: 2.28
241 */
242 GType
g_tls_backend_get_client_connection_type(GTlsBackend * backend)243 g_tls_backend_get_client_connection_type (GTlsBackend *backend)
244 {
245 return G_TLS_BACKEND_GET_INTERFACE (backend)->get_client_connection_type ();
246 }
247
248 /**
249 * g_tls_backend_get_server_connection_type:
250 * @backend: the #GTlsBackend
251 *
252 * Gets the #GType of @backend's #GTlsServerConnection implementation.
253 *
254 * Returns: the #GType of @backend's #GTlsServerConnection
255 * implementation.
256 *
257 * Since: 2.28
258 */
259 GType
g_tls_backend_get_server_connection_type(GTlsBackend * backend)260 g_tls_backend_get_server_connection_type (GTlsBackend *backend)
261 {
262 return G_TLS_BACKEND_GET_INTERFACE (backend)->get_server_connection_type ();
263 }
264
265 /**
266 * g_tls_backend_get_dtls_client_connection_type:
267 * @backend: the #GTlsBackend
268 *
269 * Gets the #GType of @backend’s #GDtlsClientConnection implementation.
270 *
271 * Returns: the #GType of @backend’s #GDtlsClientConnection
272 * implementation, or %G_TYPE_INVALID if this backend doesn’t support DTLS.
273 *
274 * Since: 2.48
275 */
276 GType
g_tls_backend_get_dtls_client_connection_type(GTlsBackend * backend)277 g_tls_backend_get_dtls_client_connection_type (GTlsBackend *backend)
278 {
279 GTlsBackendInterface *iface;
280
281 g_return_val_if_fail (G_IS_TLS_BACKEND (backend), G_TYPE_INVALID);
282
283 iface = G_TLS_BACKEND_GET_INTERFACE (backend);
284 if (iface->get_dtls_client_connection_type == NULL)
285 return G_TYPE_INVALID;
286
287 return iface->get_dtls_client_connection_type ();
288 }
289
290 /**
291 * g_tls_backend_get_dtls_server_connection_type:
292 * @backend: the #GTlsBackend
293 *
294 * Gets the #GType of @backend’s #GDtlsServerConnection implementation.
295 *
296 * Returns: the #GType of @backend’s #GDtlsServerConnection
297 * implementation, or %G_TYPE_INVALID if this backend doesn’t support DTLS.
298 *
299 * Since: 2.48
300 */
301 GType
g_tls_backend_get_dtls_server_connection_type(GTlsBackend * backend)302 g_tls_backend_get_dtls_server_connection_type (GTlsBackend *backend)
303 {
304 GTlsBackendInterface *iface;
305
306 g_return_val_if_fail (G_IS_TLS_BACKEND (backend), G_TYPE_INVALID);
307
308 iface = G_TLS_BACKEND_GET_INTERFACE (backend);
309 if (iface->get_dtls_server_connection_type == NULL)
310 return G_TYPE_INVALID;
311
312 return iface->get_dtls_server_connection_type ();
313 }
314
315 /**
316 * g_tls_backend_get_file_database_type:
317 * @backend: the #GTlsBackend
318 *
319 * Gets the #GType of @backend's #GTlsFileDatabase implementation.
320 *
321 * Returns: the #GType of backend's #GTlsFileDatabase implementation.
322 *
323 * Since: 2.30
324 */
325 GType
g_tls_backend_get_file_database_type(GTlsBackend * backend)326 g_tls_backend_get_file_database_type (GTlsBackend *backend)
327 {
328 g_return_val_if_fail (G_IS_TLS_BACKEND (backend), 0);
329
330 /* This method was added later, so accept the (remote) possibility it can be NULL */
331 if (!G_TLS_BACKEND_GET_INTERFACE (backend)->get_file_database_type)
332 return 0;
333
334 return G_TLS_BACKEND_GET_INTERFACE (backend)->get_file_database_type ();
335 }
336