1 /* GIO - GLib Input, Output and Streaming Library
2 *
3 * Copyright © 2010 Red Hat, Inc
4 * Copyright © 2015 Collabora, Ltd.
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General
17 * Public License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "config.h"
21 #include "glib.h"
22
23 #include "gtlsbackend.h"
24 #include "gtlsdatabase.h"
25 #include "gdummytlsbackend.h"
26 #include "gioenumtypes.h"
27 #include "giomodule-priv.h"
28
29 /**
30 * SECTION:gtls
31 * @title: TLS Overview
32 * @short_description: TLS (aka SSL) support for GSocketConnection
33 * @include: gio/gio.h
34 *
35 * #GTlsConnection and related classes provide TLS (Transport Layer
36 * Security, previously known as SSL, Secure Sockets Layer) support for
37 * gio-based network streams.
38 *
39 * #GDtlsConnection and related classes provide DTLS (Datagram TLS) support for
40 * GIO-based network sockets, using the #GDatagramBased interface. The TLS and
41 * DTLS APIs are almost identical, except TLS is stream-based and DTLS is
42 * datagram-based. They share certificate and backend infrastructure.
43 *
44 * In the simplest case, for a client TLS connection, you can just set the
45 * #GSocketClient:tls flag on a #GSocketClient, and then any
46 * connections created by that client will have TLS negotiated
47 * automatically, using appropriate default settings, and rejecting
48 * any invalid or self-signed certificates (unless you change that
49 * default by setting the #GSocketClient:tls-validation-flags
50 * property). The returned object will be a #GTcpWrapperConnection,
51 * which wraps the underlying #GTlsClientConnection.
52 *
53 * For greater control, you can create your own #GTlsClientConnection,
54 * wrapping a #GSocketConnection (or an arbitrary #GIOStream with
55 * pollable input and output streams) and then connect to its signals,
56 * such as #GTlsConnection::accept-certificate, before starting the
57 * handshake.
58 *
59 * Server-side TLS is similar, using #GTlsServerConnection. At the
60 * moment, there is no support for automatically wrapping server-side
61 * connections in the way #GSocketClient does for client-side
62 * connections.
63 */
64
65 /**
66 * SECTION:gtlsbackend
67 * @title: GTlsBackend
68 * @short_description: TLS backend implementation
69 * @include: gio/gio.h
70 *
71 * TLS (Transport Layer Security, aka SSL) and DTLS backend.
72 *
73 * Since: 2.28
74 */
75
76 /**
77 * GTlsBackend:
78 *
79 * TLS (Transport Layer Security, aka SSL) and DTLS backend. This is an
80 * internal type used to coordinate the different classes implemented
81 * by a TLS backend.
82 *
83 * Since: 2.28
84 */
85
G_DEFINE_INTERFACE(GTlsBackend,g_tls_backend,G_TYPE_OBJECT)86 G_DEFINE_INTERFACE (GTlsBackend, g_tls_backend, G_TYPE_OBJECT)
87
88 static GTlsDatabase *default_database;
89 G_LOCK_DEFINE_STATIC (default_database_lock);
90
91 static void
92 g_tls_backend_default_init (GTlsBackendInterface *iface)
93 {
94 }
95
96 static GTlsBackend *tls_backend_default_singleton = NULL; /* (owned) (atomic) */
97
98 /**
99 * g_tls_backend_get_default:
100 *
101 * Gets the default #GTlsBackend for the system.
102 *
103 * Returns: (not nullable) (transfer none): a #GTlsBackend, which will be a
104 * dummy object if no TLS backend is available
105 *
106 * Since: 2.28
107 */
108 GTlsBackend *
g_tls_backend_get_default(void)109 g_tls_backend_get_default (void)
110 {
111 if (g_once_init_enter (&tls_backend_default_singleton))
112 {
113 GTlsBackend *singleton;
114
115 singleton = _g_io_module_get_default (G_TLS_BACKEND_EXTENSION_POINT_NAME,
116 "GIO_USE_TLS",
117 NULL);
118
119 g_once_init_leave (&tls_backend_default_singleton, singleton);
120 }
121
122 return tls_backend_default_singleton;
123 }
124
125 /**
126 * g_tls_backend_supports_tls:
127 * @backend: the #GTlsBackend
128 *
129 * Checks if TLS is supported; if this returns %FALSE for the default
130 * #GTlsBackend, it means no "real" TLS backend is available.
131 *
132 * Returns: whether or not TLS is supported
133 *
134 * Since: 2.28
135 */
136 gboolean
g_tls_backend_supports_tls(GTlsBackend * backend)137 g_tls_backend_supports_tls (GTlsBackend *backend)
138 {
139 if (G_TLS_BACKEND_GET_INTERFACE (backend)->supports_tls)
140 return G_TLS_BACKEND_GET_INTERFACE (backend)->supports_tls (backend);
141 else if (G_IS_DUMMY_TLS_BACKEND (backend))
142 return FALSE;
143 else
144 return TRUE;
145 }
146
147 /**
148 * g_tls_backend_supports_dtls:
149 * @backend: the #GTlsBackend
150 *
151 * Checks if DTLS is supported. DTLS support may not be available even if TLS
152 * support is available, and vice-versa.
153 *
154 * Returns: whether DTLS is supported
155 *
156 * Since: 2.48
157 */
158 gboolean
g_tls_backend_supports_dtls(GTlsBackend * backend)159 g_tls_backend_supports_dtls (GTlsBackend *backend)
160 {
161 if (G_TLS_BACKEND_GET_INTERFACE (backend)->supports_dtls)
162 return G_TLS_BACKEND_GET_INTERFACE (backend)->supports_dtls (backend);
163
164 return FALSE;
165 }
166
167 /**
168 * g_tls_backend_get_default_database:
169 * @backend: the #GTlsBackend
170 *
171 * Gets the default #GTlsDatabase used to verify TLS connections.
172 *
173 * Returns: (transfer full): the default database, which should be
174 * unreffed when done.
175 *
176 * Since: 2.30
177 */
178 GTlsDatabase *
g_tls_backend_get_default_database(GTlsBackend * backend)179 g_tls_backend_get_default_database (GTlsBackend *backend)
180 {
181 GTlsDatabase *db;
182
183 g_return_val_if_fail (G_IS_TLS_BACKEND (backend), NULL);
184
185 /* This method was added later, so accept the (remote) possibility it can be NULL */
186 if (!G_TLS_BACKEND_GET_INTERFACE (backend)->get_default_database)
187 return NULL;
188
189 G_LOCK (default_database_lock);
190
191 if (!default_database)
192 default_database = G_TLS_BACKEND_GET_INTERFACE (backend)->get_default_database (backend);
193 db = default_database ? g_object_ref (default_database) : NULL;
194 G_UNLOCK (default_database_lock);
195
196 return db;
197 }
198
199 /**
200 * g_tls_backend_set_default_database:
201 * @backend: the #GTlsBackend
202 * @database: (nullable): the #GTlsDatabase
203 *
204 * Set the default #GTlsDatabase used to verify TLS connections
205 *
206 * Any subsequent call to g_tls_backend_get_default_database() will return
207 * the database set in this call. Existing databases and connections are not
208 * modified.
209 *
210 * Setting a %NULL default database will reset to using the system default
211 * database as if g_tls_backend_set_default_database() had never been called.
212 *
213 * Since: 2.60
214 */
215 void
g_tls_backend_set_default_database(GTlsBackend * backend,GTlsDatabase * database)216 g_tls_backend_set_default_database (GTlsBackend *backend,
217 GTlsDatabase *database)
218 {
219 g_return_if_fail (G_IS_TLS_BACKEND (backend));
220 g_return_if_fail (database == NULL || G_IS_TLS_DATABASE (database));
221
222 G_LOCK (default_database_lock);
223 g_set_object (&default_database, database);
224 G_UNLOCK (default_database_lock);
225 }
226
227 /**
228 * g_tls_backend_get_certificate_type:
229 * @backend: the #GTlsBackend
230 *
231 * Gets the #GType of @backend's #GTlsCertificate implementation.
232 *
233 * Returns: the #GType of @backend's #GTlsCertificate
234 * implementation.
235 *
236 * Since: 2.28
237 */
238 GType
g_tls_backend_get_certificate_type(GTlsBackend * backend)239 g_tls_backend_get_certificate_type (GTlsBackend *backend)
240 {
241 return G_TLS_BACKEND_GET_INTERFACE (backend)->get_certificate_type ();
242 }
243
244 /**
245 * g_tls_backend_get_client_connection_type:
246 * @backend: the #GTlsBackend
247 *
248 * Gets the #GType of @backend's #GTlsClientConnection implementation.
249 *
250 * Returns: the #GType of @backend's #GTlsClientConnection
251 * implementation.
252 *
253 * Since: 2.28
254 */
255 GType
g_tls_backend_get_client_connection_type(GTlsBackend * backend)256 g_tls_backend_get_client_connection_type (GTlsBackend *backend)
257 {
258 return G_TLS_BACKEND_GET_INTERFACE (backend)->get_client_connection_type ();
259 }
260
261 /**
262 * g_tls_backend_get_server_connection_type:
263 * @backend: the #GTlsBackend
264 *
265 * Gets the #GType of @backend's #GTlsServerConnection implementation.
266 *
267 * Returns: the #GType of @backend's #GTlsServerConnection
268 * implementation.
269 *
270 * Since: 2.28
271 */
272 GType
g_tls_backend_get_server_connection_type(GTlsBackend * backend)273 g_tls_backend_get_server_connection_type (GTlsBackend *backend)
274 {
275 return G_TLS_BACKEND_GET_INTERFACE (backend)->get_server_connection_type ();
276 }
277
278 /**
279 * g_tls_backend_get_dtls_client_connection_type:
280 * @backend: the #GTlsBackend
281 *
282 * Gets the #GType of @backend’s #GDtlsClientConnection implementation.
283 *
284 * Returns: the #GType of @backend’s #GDtlsClientConnection
285 * implementation, or %G_TYPE_INVALID if this backend doesn’t support DTLS.
286 *
287 * Since: 2.48
288 */
289 GType
g_tls_backend_get_dtls_client_connection_type(GTlsBackend * backend)290 g_tls_backend_get_dtls_client_connection_type (GTlsBackend *backend)
291 {
292 GTlsBackendInterface *iface;
293
294 g_return_val_if_fail (G_IS_TLS_BACKEND (backend), G_TYPE_INVALID);
295
296 iface = G_TLS_BACKEND_GET_INTERFACE (backend);
297 if (iface->get_dtls_client_connection_type == NULL)
298 return G_TYPE_INVALID;
299
300 return iface->get_dtls_client_connection_type ();
301 }
302
303 /**
304 * g_tls_backend_get_dtls_server_connection_type:
305 * @backend: the #GTlsBackend
306 *
307 * Gets the #GType of @backend’s #GDtlsServerConnection implementation.
308 *
309 * Returns: the #GType of @backend’s #GDtlsServerConnection
310 * implementation, or %G_TYPE_INVALID if this backend doesn’t support DTLS.
311 *
312 * Since: 2.48
313 */
314 GType
g_tls_backend_get_dtls_server_connection_type(GTlsBackend * backend)315 g_tls_backend_get_dtls_server_connection_type (GTlsBackend *backend)
316 {
317 GTlsBackendInterface *iface;
318
319 g_return_val_if_fail (G_IS_TLS_BACKEND (backend), G_TYPE_INVALID);
320
321 iface = G_TLS_BACKEND_GET_INTERFACE (backend);
322 if (iface->get_dtls_server_connection_type == NULL)
323 return G_TYPE_INVALID;
324
325 return iface->get_dtls_server_connection_type ();
326 }
327
328 /**
329 * g_tls_backend_get_file_database_type:
330 * @backend: the #GTlsBackend
331 *
332 * Gets the #GType of @backend's #GTlsFileDatabase implementation.
333 *
334 * Returns: the #GType of backend's #GTlsFileDatabase implementation.
335 *
336 * Since: 2.30
337 */
338 GType
g_tls_backend_get_file_database_type(GTlsBackend * backend)339 g_tls_backend_get_file_database_type (GTlsBackend *backend)
340 {
341 g_return_val_if_fail (G_IS_TLS_BACKEND (backend), 0);
342
343 /* This method was added later, so accept the (remote) possibility it can be NULL */
344 if (!G_TLS_BACKEND_GET_INTERFACE (backend)->get_file_database_type)
345 return 0;
346
347 return G_TLS_BACKEND_GET_INTERFACE (backend)->get_file_database_type ();
348 }
349