gio/auto/tls_connection.rs
1// This file was generated by gir (https://github.com/gtk-rs/gir)
2// from gir-files (https://github.com/gtk-rs/gir-files)
3// DO NOT EDIT
4#![allow(deprecated)]
5
6#[cfg(feature = "v2_70")]
7#[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
8use crate::TlsProtocolVersion;
9use crate::{
10 AsyncResult, Cancellable, IOStream, TlsCertificate, TlsCertificateFlags, TlsDatabase,
11 TlsInteraction, TlsRehandshakeMode, ffi,
12};
13use glib::{
14 object::ObjectType as _,
15 prelude::*,
16 signal::{SignalHandlerId, connect_raw},
17 translate::*,
18};
19use std::{boxed::Box as Box_, pin::Pin};
20
21glib::wrapper! {
22 /// `GTlsConnection` is the base TLS connection class type, which wraps
23 /// a [`IOStream`][crate::IOStream] and provides TLS encryption on top of it. Its
24 /// subclasses, [`TlsClientConnection`][crate::TlsClientConnection] and
25 /// [`TlsServerConnection`][crate::TlsServerConnection], implement client-side and server-side TLS,
26 /// respectively.
27 ///
28 /// For DTLS (Datagram TLS) support, see [`DtlsConnection`][crate::DtlsConnection].
29 ///
30 /// This is an Abstract Base Class, you cannot instantiate it.
31 ///
32 /// ## Properties
33 ///
34 ///
35 /// #### `advertised-protocols`
36 /// The list of application-layer protocols that the connection
37 /// advertises that it is willing to speak. See
38 /// g_tls_connection_set_advertised_protocols().
39 ///
40 /// Readable | Writeable
41 ///
42 ///
43 /// #### `base-io-stream`
44 /// The #GIOStream that the connection wraps. The connection holds a reference
45 /// to this stream, and may run operations on the stream from other threads
46 /// throughout its lifetime. Consequently, after the #GIOStream has been
47 /// constructed, application code may only run its own operations on this
48 /// stream when no #GIOStream operations are running.
49 ///
50 /// Readable | Writeable | Construct Only
51 ///
52 ///
53 /// #### `certificate`
54 /// The connection's certificate; see
55 /// g_tls_connection_set_certificate().
56 ///
57 /// Readable | Writeable
58 ///
59 ///
60 /// #### `ciphersuite-name`
61 /// The name of the TLS ciphersuite in use. See g_tls_connection_get_ciphersuite_name().
62 ///
63 /// Readable
64 ///
65 ///
66 /// #### `database`
67 /// The certificate database to use when verifying this TLS connection.
68 /// If no certificate database is set, then the default database will be
69 /// used. See g_tls_backend_get_default_database().
70 ///
71 /// When using a non-default database, #GTlsConnection must fall back to using
72 /// the #GTlsDatabase to perform certificate verification using
73 /// g_tls_database_verify_chain(), which means certificate verification will
74 /// not be able to make use of TLS session context. This may be less secure.
75 /// For example, if you create your own #GTlsDatabase that just wraps the
76 /// default #GTlsDatabase, you might expect that you have not changed anything,
77 /// but this is not true because you may have altered the behavior of
78 /// #GTlsConnection by causing it to use g_tls_database_verify_chain(). See the
79 /// documentation of g_tls_database_verify_chain() for more details on specific
80 /// security checks that may not be performed. Accordingly, setting a
81 /// non-default database is discouraged except for specialty applications with
82 /// unusual security requirements.
83 ///
84 /// Readable | Writeable
85 ///
86 ///
87 /// #### `interaction`
88 /// A #GTlsInteraction object to be used when the connection or certificate
89 /// database need to interact with the user. This will be used to prompt the
90 /// user for passwords where necessary.
91 ///
92 /// Readable | Writeable
93 ///
94 ///
95 /// #### `negotiated-protocol`
96 /// The application-layer protocol negotiated during the TLS
97 /// handshake. See g_tls_connection_get_negotiated_protocol().
98 ///
99 /// Readable
100 ///
101 ///
102 /// #### `peer-certificate`
103 /// The connection's peer's certificate, after the TLS handshake has
104 /// completed or failed. Note in particular that this is not yet set
105 /// during the emission of #GTlsConnection::accept-certificate.
106 ///
107 /// (You can watch for a #GObject::notify signal on this property to
108 /// detect when a handshake has occurred.)
109 ///
110 /// Readable
111 ///
112 ///
113 /// #### `peer-certificate-errors`
114 /// The errors noticed while verifying
115 /// #GTlsConnection:peer-certificate. Normally this should be 0, but
116 /// it may not be if #GTlsClientConnection:validation-flags is not
117 /// [`TlsCertificateFlags::VALIDATE_ALL`][crate::TlsCertificateFlags::VALIDATE_ALL], or if
118 /// #GTlsConnection::accept-certificate overrode the default
119 /// behavior.
120 ///
121 /// GLib guarantees that if certificate verification fails, at least
122 /// one error will be set, but it does not guarantee that all possible
123 /// errors will be set. Accordingly, you may not safely decide to
124 /// ignore any particular type of error. For example, it would be
125 /// incorrect to mask [`TlsCertificateFlags::EXPIRED`][crate::TlsCertificateFlags::EXPIRED] if you want to allow
126 /// expired certificates, because this could potentially be the only
127 /// error flag set even if other problems exist with the certificate.
128 ///
129 /// Readable
130 ///
131 ///
132 /// #### `protocol-version`
133 /// The TLS protocol version in use. See g_tls_connection_get_protocol_version().
134 ///
135 /// Readable
136 ///
137 ///
138 /// #### `rehandshake-mode`
139 /// The rehandshaking mode. See
140 /// g_tls_connection_set_rehandshake_mode().
141 ///
142 /// Readable | Writeable | Construct
143 ///
144 ///
145 /// #### `require-close-notify`
146 /// Whether or not proper TLS close notification is required.
147 /// See g_tls_connection_set_require_close_notify().
148 ///
149 /// Readable | Writeable | Construct
150 ///
151 ///
152 /// #### `use-system-certdb`
153 /// Whether or not the system certificate database will be used to
154 /// verify peer certificates. See
155 /// g_tls_connection_set_use_system_certdb().
156 ///
157 /// Readable | Writeable | Construct
158 /// <details><summary><h4>IOStream</h4></summary>
159 ///
160 ///
161 /// #### `closed`
162 /// Whether the stream is closed.
163 ///
164 /// Readable
165 ///
166 ///
167 /// #### `input-stream`
168 /// The [`InputStream`][crate::InputStream] to read from.
169 ///
170 /// Readable
171 ///
172 ///
173 /// #### `output-stream`
174 /// The [`OutputStream`][crate::OutputStream] to write to.
175 ///
176 /// Readable
177 /// </details>
178 ///
179 /// ## Signals
180 ///
181 ///
182 /// #### `accept-certificate`
183 /// Emitted during the TLS handshake after the peer certificate has
184 /// been received. You can examine @peer_cert's certification path by
185 /// calling g_tls_certificate_get_issuer() on it.
186 ///
187 /// For a client-side connection, @peer_cert is the server's
188 /// certificate, and the signal will only be emitted if the
189 /// certificate was not acceptable according to @conn's
190 /// #GTlsClientConnection:validation_flags. If you would like the
191 /// certificate to be accepted despite @errors, return [`true`] from the
192 /// signal handler. Otherwise, if no handler accepts the certificate,
193 /// the handshake will fail with [`TlsError::BadCertificate`][crate::TlsError::BadCertificate].
194 ///
195 /// GLib guarantees that if certificate verification fails, this signal
196 /// will be emitted with at least one error will be set in @errors, but
197 /// it does not guarantee that all possible errors will be set.
198 /// Accordingly, you may not safely decide to ignore any particular
199 /// type of error. For example, it would be incorrect to ignore
200 /// [`TlsCertificateFlags::EXPIRED`][crate::TlsCertificateFlags::EXPIRED] if you want to allow expired
201 /// certificates, because this could potentially be the only error flag
202 /// set even if other problems exist with the certificate.
203 ///
204 /// For a server-side connection, @peer_cert is the certificate
205 /// presented by the client, if this was requested via the server's
206 /// #GTlsServerConnection:authentication_mode. On the server side,
207 /// the signal is always emitted when the client presents a
208 /// certificate, and the certificate will only be accepted if a
209 /// handler returns [`true`].
210 ///
211 /// Note that if this signal is emitted as part of asynchronous I/O
212 /// in the main thread, then you should not attempt to interact with
213 /// the user before returning from the signal handler. If you want to
214 /// let the user decide whether or not to accept the certificate, you
215 /// would have to return [`false`] from the signal handler on the first
216 /// attempt, and then after the connection attempt returns a
217 /// [`TlsError::BadCertificate`][crate::TlsError::BadCertificate], you can interact with the user, and
218 /// if the user decides to accept the certificate, remember that fact,
219 /// create a new connection, and return [`true`] from the signal handler
220 /// the next time.
221 ///
222 /// If you are doing I/O in another thread, you do not
223 /// need to worry about this, and can simply block in the signal
224 /// handler until the UI thread returns an answer.
225 ///
226 ///
227 ///
228 /// # Implements
229 ///
230 /// [`TlsConnectionExt`][trait@crate::prelude::TlsConnectionExt], [`IOStreamExt`][trait@crate::prelude::IOStreamExt], [`trait@glib::ObjectExt`], [`TlsConnectionExtManual`][trait@crate::prelude::TlsConnectionExtManual], [`IOStreamExtManual`][trait@crate::prelude::IOStreamExtManual]
231 #[doc(alias = "GTlsConnection")]
232 pub struct TlsConnection(Object<ffi::GTlsConnection, ffi::GTlsConnectionClass>) @extends IOStream;
233
234 match fn {
235 type_ => || ffi::g_tls_connection_get_type(),
236 }
237}
238
239impl TlsConnection {
240 pub const NONE: Option<&'static TlsConnection> = None;
241}
242
243/// Trait containing all [`struct@TlsConnection`] methods.
244///
245/// # Implementors
246///
247/// [`TlsClientConnection`][struct@crate::TlsClientConnection], [`TlsConnection`][struct@crate::TlsConnection], [`TlsServerConnection`][struct@crate::TlsServerConnection]
248pub trait TlsConnectionExt: IsA<TlsConnection> + 'static {
249 /// Used by #GTlsConnection implementations to emit the
250 /// #GTlsConnection::accept-certificate signal.
251 /// ## `peer_cert`
252 /// the peer's #GTlsCertificate
253 /// ## `errors`
254 /// the problems with @peer_cert
255 ///
256 /// # Returns
257 ///
258 /// [`true`] if one of the signal handlers has returned
259 /// [`true`] to accept @peer_cert
260 #[doc(alias = "g_tls_connection_emit_accept_certificate")]
261 fn emit_accept_certificate(
262 &self,
263 peer_cert: &impl IsA<TlsCertificate>,
264 errors: TlsCertificateFlags,
265 ) -> bool {
266 unsafe {
267 from_glib(ffi::g_tls_connection_emit_accept_certificate(
268 self.as_ref().to_glib_none().0,
269 peer_cert.as_ref().to_glib_none().0,
270 errors.into_glib(),
271 ))
272 }
273 }
274
275 /// Gets @self's certificate, as set by
276 /// g_tls_connection_set_certificate().
277 ///
278 /// # Returns
279 ///
280 /// @self's certificate, or [`None`]
281 #[doc(alias = "g_tls_connection_get_certificate")]
282 #[doc(alias = "get_certificate")]
283 fn certificate(&self) -> Option<TlsCertificate> {
284 unsafe {
285 from_glib_none(ffi::g_tls_connection_get_certificate(
286 self.as_ref().to_glib_none().0,
287 ))
288 }
289 }
290
291 /// Returns the name of the current TLS ciphersuite, or [`None`] if the
292 /// connection has not handshaked or has been closed. Beware that the TLS
293 /// backend may use any of multiple different naming conventions, because
294 /// OpenSSL and GnuTLS have their own ciphersuite naming conventions that
295 /// are different from each other and different from the standard, IANA-
296 /// registered ciphersuite names. The ciphersuite name is intended to be
297 /// displayed to the user for informative purposes only, and parsing it
298 /// is not recommended.
299 ///
300 /// # Returns
301 ///
302 /// The name of the current TLS ciphersuite, or [`None`]
303 #[cfg(feature = "v2_70")]
304 #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
305 #[doc(alias = "g_tls_connection_get_ciphersuite_name")]
306 #[doc(alias = "get_ciphersuite_name")]
307 #[doc(alias = "ciphersuite-name")]
308 fn ciphersuite_name(&self) -> Option<glib::GString> {
309 unsafe {
310 from_glib_full(ffi::g_tls_connection_get_ciphersuite_name(
311 self.as_ref().to_glib_none().0,
312 ))
313 }
314 }
315
316 /// Gets the certificate database that @self uses to verify
317 /// peer certificates. See g_tls_connection_set_database().
318 ///
319 /// # Returns
320 ///
321 /// the certificate database that @self uses or [`None`]
322 #[doc(alias = "g_tls_connection_get_database")]
323 #[doc(alias = "get_database")]
324 fn database(&self) -> Option<TlsDatabase> {
325 unsafe {
326 from_glib_none(ffi::g_tls_connection_get_database(
327 self.as_ref().to_glib_none().0,
328 ))
329 }
330 }
331
332 /// Get the object that will be used to interact with the user. It will be used
333 /// for things like prompting the user for passwords. If [`None`] is returned, then
334 /// no user interaction will occur for this connection.
335 ///
336 /// # Returns
337 ///
338 /// The interaction object.
339 #[doc(alias = "g_tls_connection_get_interaction")]
340 #[doc(alias = "get_interaction")]
341 fn interaction(&self) -> Option<TlsInteraction> {
342 unsafe {
343 from_glib_none(ffi::g_tls_connection_get_interaction(
344 self.as_ref().to_glib_none().0,
345 ))
346 }
347 }
348
349 /// Gets the name of the application-layer protocol negotiated during
350 /// the handshake.
351 ///
352 /// If the peer did not use the ALPN extension, or did not advertise a
353 /// protocol that matched one of @self's protocols, or the TLS backend
354 /// does not support ALPN, then this will be [`None`]. See
355 /// g_tls_connection_set_advertised_protocols().
356 ///
357 /// # Returns
358 ///
359 /// the negotiated protocol, or [`None`]
360 #[cfg(feature = "v2_60")]
361 #[cfg_attr(docsrs, doc(cfg(feature = "v2_60")))]
362 #[doc(alias = "g_tls_connection_get_negotiated_protocol")]
363 #[doc(alias = "get_negotiated_protocol")]
364 #[doc(alias = "negotiated-protocol")]
365 fn negotiated_protocol(&self) -> Option<glib::GString> {
366 unsafe {
367 from_glib_none(ffi::g_tls_connection_get_negotiated_protocol(
368 self.as_ref().to_glib_none().0,
369 ))
370 }
371 }
372
373 /// Gets @self's peer's certificate after the handshake has completed
374 /// or failed. (It is not set during the emission of
375 /// #GTlsConnection::accept-certificate.)
376 ///
377 /// # Returns
378 ///
379 /// @self's peer's certificate, or [`None`]
380 #[doc(alias = "g_tls_connection_get_peer_certificate")]
381 #[doc(alias = "get_peer_certificate")]
382 #[doc(alias = "peer-certificate")]
383 fn peer_certificate(&self) -> Option<TlsCertificate> {
384 unsafe {
385 from_glib_none(ffi::g_tls_connection_get_peer_certificate(
386 self.as_ref().to_glib_none().0,
387 ))
388 }
389 }
390
391 /// Gets the errors associated with validating @self's peer's
392 /// certificate, after the handshake has completed or failed. (It is
393 /// not set during the emission of #GTlsConnection::accept-certificate.)
394 ///
395 /// See #GTlsConnection:peer-certificate-errors for more information.
396 ///
397 /// # Returns
398 ///
399 /// @self's peer's certificate errors
400 #[doc(alias = "g_tls_connection_get_peer_certificate_errors")]
401 #[doc(alias = "get_peer_certificate_errors")]
402 #[doc(alias = "peer-certificate-errors")]
403 fn peer_certificate_errors(&self) -> TlsCertificateFlags {
404 unsafe {
405 from_glib(ffi::g_tls_connection_get_peer_certificate_errors(
406 self.as_ref().to_glib_none().0,
407 ))
408 }
409 }
410
411 /// Returns the current TLS protocol version, which may be
412 /// [`TlsProtocolVersion::Unknown`][crate::TlsProtocolVersion::Unknown] if the connection has not handshaked, or
413 /// has been closed, or if the TLS backend has implemented a protocol version
414 /// that is not a recognized #GTlsProtocolVersion.
415 ///
416 /// # Returns
417 ///
418 /// The current TLS protocol version
419 #[cfg(feature = "v2_70")]
420 #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
421 #[doc(alias = "g_tls_connection_get_protocol_version")]
422 #[doc(alias = "get_protocol_version")]
423 #[doc(alias = "protocol-version")]
424 fn protocol_version(&self) -> TlsProtocolVersion {
425 unsafe {
426 from_glib(ffi::g_tls_connection_get_protocol_version(
427 self.as_ref().to_glib_none().0,
428 ))
429 }
430 }
431
432 /// Gets @self rehandshaking mode. See
433 /// g_tls_connection_set_rehandshake_mode() for details.
434 ///
435 /// # Deprecated since 2.60
436 ///
437 /// Changing the rehandshake mode is no longer
438 /// required for compatibility. Also, rehandshaking has been removed
439 /// from the TLS protocol in TLS 1.3.
440 ///
441 /// # Returns
442 ///
443 /// [`TlsRehandshakeMode::Safely`][crate::TlsRehandshakeMode::Safely]
444 #[cfg_attr(feature = "v2_60", deprecated = "Since 2.60")]
445 #[allow(deprecated)]
446 #[doc(alias = "g_tls_connection_get_rehandshake_mode")]
447 #[doc(alias = "get_rehandshake_mode")]
448 #[doc(alias = "rehandshake-mode")]
449 fn rehandshake_mode(&self) -> TlsRehandshakeMode {
450 unsafe {
451 from_glib(ffi::g_tls_connection_get_rehandshake_mode(
452 self.as_ref().to_glib_none().0,
453 ))
454 }
455 }
456
457 /// Tests whether or not @self expects a proper TLS close notification
458 /// when the connection is closed. See
459 /// g_tls_connection_set_require_close_notify() for details.
460 ///
461 /// # Returns
462 ///
463 /// [`true`] if @self requires a proper TLS close
464 /// notification.
465 #[doc(alias = "g_tls_connection_get_require_close_notify")]
466 #[doc(alias = "get_require_close_notify")]
467 #[doc(alias = "require-close-notify")]
468 fn requires_close_notify(&self) -> bool {
469 unsafe {
470 from_glib(ffi::g_tls_connection_get_require_close_notify(
471 self.as_ref().to_glib_none().0,
472 ))
473 }
474 }
475
476 /// Attempts a TLS handshake on @self.
477 ///
478 /// On the client side, it is never necessary to call this method;
479 /// although the connection needs to perform a handshake after
480 /// connecting (or after sending a "STARTTLS"-type command),
481 /// #GTlsConnection will handle this for you automatically when you try
482 /// to send or receive data on the connection. You can call
483 /// g_tls_connection_handshake() manually if you want to know whether
484 /// the initial handshake succeeded or failed (as opposed to just
485 /// immediately trying to use @self to read or write, in which case,
486 /// if it fails, it may not be possible to tell if it failed before or
487 /// after completing the handshake), but beware that servers may reject
488 /// client authentication after the handshake has completed, so a
489 /// successful handshake does not indicate the connection will be usable.
490 ///
491 /// Likewise, on the server side, although a handshake is necessary at
492 /// the beginning of the communication, you do not need to call this
493 /// function explicitly unless you want clearer error reporting.
494 ///
495 /// Previously, calling g_tls_connection_handshake() after the initial
496 /// handshake would trigger a rehandshake; however, this usage was
497 /// deprecated in GLib 2.60 because rehandshaking was removed from the
498 /// TLS protocol in TLS 1.3. Since GLib 2.64, calling this function after
499 /// the initial handshake will no longer do anything.
500 ///
501 /// When using a #GTlsConnection created by #GSocketClient, the
502 /// #GSocketClient performs the initial handshake, so calling this
503 /// function manually is not recommended.
504 ///
505 /// #GTlsConnection::accept_certificate may be emitted during the
506 /// handshake.
507 /// ## `cancellable`
508 /// a #GCancellable, or [`None`]
509 ///
510 /// # Returns
511 ///
512 /// success or failure
513 #[doc(alias = "g_tls_connection_handshake")]
514 fn handshake(&self, cancellable: Option<&impl IsA<Cancellable>>) -> Result<(), glib::Error> {
515 unsafe {
516 let mut error = std::ptr::null_mut();
517 let is_ok = ffi::g_tls_connection_handshake(
518 self.as_ref().to_glib_none().0,
519 cancellable.map(|p| p.as_ref()).to_glib_none().0,
520 &mut error,
521 );
522 debug_assert_eq!(is_ok == glib::ffi::GFALSE, !error.is_null());
523 if error.is_null() {
524 Ok(())
525 } else {
526 Err(from_glib_full(error))
527 }
528 }
529 }
530
531 /// Asynchronously performs a TLS handshake on @self. See
532 /// g_tls_connection_handshake() for more information.
533 /// ## `io_priority`
534 /// the [I/O priority](iface.AsyncResult.html#io-priority) of the request
535 /// ## `cancellable`
536 /// a #GCancellable, or [`None`]
537 /// ## `callback`
538 /// callback to call when the handshake is complete
539 #[doc(alias = "g_tls_connection_handshake_async")]
540 fn handshake_async<P: FnOnce(Result<(), glib::Error>) + 'static>(
541 &self,
542 io_priority: glib::Priority,
543 cancellable: Option<&impl IsA<Cancellable>>,
544 callback: P,
545 ) {
546 let main_context = glib::MainContext::ref_thread_default();
547 let is_main_context_owner = main_context.is_owner();
548 let has_acquired_main_context = (!is_main_context_owner)
549 .then(|| main_context.acquire().ok())
550 .flatten();
551 assert!(
552 is_main_context_owner || has_acquired_main_context.is_some(),
553 "Async operations only allowed if the thread is owning the MainContext"
554 );
555
556 let user_data: Box_<glib::thread_guard::ThreadGuard<P>> =
557 Box_::new(glib::thread_guard::ThreadGuard::new(callback));
558 unsafe extern "C" fn handshake_async_trampoline<
559 P: FnOnce(Result<(), glib::Error>) + 'static,
560 >(
561 _source_object: *mut glib::gobject_ffi::GObject,
562 res: *mut crate::ffi::GAsyncResult,
563 user_data: glib::ffi::gpointer,
564 ) {
565 unsafe {
566 let mut error = std::ptr::null_mut();
567 ffi::g_tls_connection_handshake_finish(_source_object as *mut _, res, &mut error);
568 let result = if error.is_null() {
569 Ok(())
570 } else {
571 Err(from_glib_full(error))
572 };
573 let callback: Box_<glib::thread_guard::ThreadGuard<P>> =
574 Box_::from_raw(user_data as *mut _);
575 let callback: P = callback.into_inner();
576 callback(result);
577 }
578 }
579 let callback = handshake_async_trampoline::<P>;
580 unsafe {
581 ffi::g_tls_connection_handshake_async(
582 self.as_ref().to_glib_none().0,
583 io_priority.into_glib(),
584 cancellable.map(|p| p.as_ref()).to_glib_none().0,
585 Some(callback),
586 Box_::into_raw(user_data) as *mut _,
587 );
588 }
589 }
590
591 fn handshake_future(
592 &self,
593 io_priority: glib::Priority,
594 ) -> Pin<Box_<dyn std::future::Future<Output = Result<(), glib::Error>> + 'static>> {
595 Box_::pin(crate::GioFuture::new(
596 self,
597 move |obj, cancellable, send| {
598 obj.handshake_async(io_priority, Some(cancellable), move |res| {
599 send.resolve(res);
600 });
601 },
602 ))
603 }
604
605 /// This sets the certificate that @self will present to its peer
606 /// during the TLS handshake. For a #GTlsServerConnection, it is
607 /// mandatory to set this, and that will normally be done at construct
608 /// time.
609 ///
610 /// For a #GTlsClientConnection, this is optional. If a handshake fails
611 /// with [`TlsError::CertificateRequired`][crate::TlsError::CertificateRequired], that means that the server
612 /// requires a certificate, and if you try connecting again, you should
613 /// call this method first. You can call
614 /// g_tls_client_connection_get_accepted_cas() on the failed connection
615 /// to get a list of Certificate Authorities that the server will
616 /// accept certificates from.
617 ///
618 /// (It is also possible that a server will allow the connection with
619 /// or without a certificate; in that case, if you don't provide a
620 /// certificate, you can tell that the server requested one by the fact
621 /// that g_tls_client_connection_get_accepted_cas() will return
622 /// non-[`None`].)
623 /// ## `certificate`
624 /// the certificate to use for @self
625 #[doc(alias = "g_tls_connection_set_certificate")]
626 #[doc(alias = "certificate")]
627 fn set_certificate(&self, certificate: &impl IsA<TlsCertificate>) {
628 unsafe {
629 ffi::g_tls_connection_set_certificate(
630 self.as_ref().to_glib_none().0,
631 certificate.as_ref().to_glib_none().0,
632 );
633 }
634 }
635
636 /// Sets the certificate database that is used to verify peer certificates.
637 /// This is set to the default database by default. See
638 /// g_tls_backend_get_default_database(). If set to [`None`], then
639 /// peer certificate validation will always set the
640 /// [`TlsCertificateFlags::UNKNOWN_CA`][crate::TlsCertificateFlags::UNKNOWN_CA] error (meaning
641 /// #GTlsConnection::accept-certificate will always be emitted on
642 /// client-side connections, unless that bit is not set in
643 /// #GTlsClientConnection:validation-flags).
644 ///
645 /// There are nonintuitive security implications when using a non-default
646 /// database. See #GTlsConnection:database for details.
647 /// ## `database`
648 /// a #GTlsDatabase
649 #[doc(alias = "g_tls_connection_set_database")]
650 #[doc(alias = "database")]
651 fn set_database(&self, database: Option<&impl IsA<TlsDatabase>>) {
652 unsafe {
653 ffi::g_tls_connection_set_database(
654 self.as_ref().to_glib_none().0,
655 database.map(|p| p.as_ref()).to_glib_none().0,
656 );
657 }
658 }
659
660 /// Set the object that will be used to interact with the user. It will be used
661 /// for things like prompting the user for passwords.
662 ///
663 /// The @interaction argument will normally be a derived subclass of
664 /// #GTlsInteraction. [`None`] can also be provided if no user interaction
665 /// should occur for this connection.
666 /// ## `interaction`
667 /// an interaction object, or [`None`]
668 #[doc(alias = "g_tls_connection_set_interaction")]
669 #[doc(alias = "interaction")]
670 fn set_interaction(&self, interaction: Option<&impl IsA<TlsInteraction>>) {
671 unsafe {
672 ffi::g_tls_connection_set_interaction(
673 self.as_ref().to_glib_none().0,
674 interaction.map(|p| p.as_ref()).to_glib_none().0,
675 );
676 }
677 }
678
679 /// Since GLib 2.64, changing the rehandshake mode is no longer supported
680 /// and will have no effect. With TLS 1.3, rehandshaking has been removed from
681 /// the TLS protocol, replaced by separate post-handshake authentication and
682 /// rekey operations.
683 ///
684 /// # Deprecated since 2.60
685 ///
686 /// Changing the rehandshake mode is no longer
687 /// required for compatibility. Also, rehandshaking has been removed
688 /// from the TLS protocol in TLS 1.3.
689 /// ## `mode`
690 /// the rehandshaking mode
691 #[cfg_attr(feature = "v2_60", deprecated = "Since 2.60")]
692 #[allow(deprecated)]
693 #[doc(alias = "g_tls_connection_set_rehandshake_mode")]
694 #[doc(alias = "rehandshake-mode")]
695 fn set_rehandshake_mode(&self, mode: TlsRehandshakeMode) {
696 unsafe {
697 ffi::g_tls_connection_set_rehandshake_mode(
698 self.as_ref().to_glib_none().0,
699 mode.into_glib(),
700 );
701 }
702 }
703
704 /// Sets whether or not @self expects a proper TLS close notification
705 /// before the connection is closed. If this is [`true`] (the default),
706 /// then @self will expect to receive a TLS close notification from its
707 /// peer before the connection is closed, and will return a
708 /// [`TlsError::Eof`][crate::TlsError::Eof] error if the connection is closed without proper
709 /// notification (since this may indicate a network error, or
710 /// man-in-the-middle attack).
711 ///
712 /// In some protocols, the application will know whether or not the
713 /// connection was closed cleanly based on application-level data
714 /// (because the application-level data includes a length field, or is
715 /// somehow self-delimiting); in this case, the close notify is
716 /// redundant and sometimes omitted. (TLS 1.1 explicitly allows this;
717 /// in TLS 1.0 it is technically an error, but often done anyway.) You
718 /// can use g_tls_connection_set_require_close_notify() to tell @self
719 /// to allow an "unannounced" connection close, in which case the close
720 /// will show up as a 0-length read, as in a non-TLS
721 /// #GSocketConnection, and it is up to the application to check that
722 /// the data has been fully received.
723 ///
724 /// Note that this only affects the behavior when the peer closes the
725 /// connection; when the application calls g_io_stream_close() itself
726 /// on @self, this will send a close notification regardless of the
727 /// setting of this property. If you explicitly want to do an unclean
728 /// close, you can close @self's #GTlsConnection:base-io-stream rather
729 /// than closing @self itself, but note that this may only be done when no other
730 /// operations are pending on @self or the base I/O stream.
731 /// ## `require_close_notify`
732 /// whether or not to require close notification
733 #[doc(alias = "g_tls_connection_set_require_close_notify")]
734 #[doc(alias = "require-close-notify")]
735 fn set_require_close_notify(&self, require_close_notify: bool) {
736 unsafe {
737 ffi::g_tls_connection_set_require_close_notify(
738 self.as_ref().to_glib_none().0,
739 require_close_notify.into_glib(),
740 );
741 }
742 }
743
744 /// The list of application-layer protocols that the connection
745 /// advertises that it is willing to speak. See
746 /// g_tls_connection_set_advertised_protocols().
747 #[cfg(feature = "v2_60")]
748 #[cfg_attr(docsrs, doc(cfg(feature = "v2_60")))]
749 #[doc(alias = "advertised-protocols")]
750 fn advertised_protocols(&self) -> Vec<glib::GString> {
751 ObjectExt::property(self.as_ref(), "advertised-protocols")
752 }
753
754 /// The #GIOStream that the connection wraps. The connection holds a reference
755 /// to this stream, and may run operations on the stream from other threads
756 /// throughout its lifetime. Consequently, after the #GIOStream has been
757 /// constructed, application code may only run its own operations on this
758 /// stream when no #GIOStream operations are running.
759 #[doc(alias = "base-io-stream")]
760 fn base_io_stream(&self) -> Option<IOStream> {
761 ObjectExt::property(self.as_ref(), "base-io-stream")
762 }
763
764 /// Emitted during the TLS handshake after the peer certificate has
765 /// been received. You can examine @peer_cert's certification path by
766 /// calling g_tls_certificate_get_issuer() on it.
767 ///
768 /// For a client-side connection, @peer_cert is the server's
769 /// certificate, and the signal will only be emitted if the
770 /// certificate was not acceptable according to @conn's
771 /// #GTlsClientConnection:validation_flags. If you would like the
772 /// certificate to be accepted despite @errors, return [`true`] from the
773 /// signal handler. Otherwise, if no handler accepts the certificate,
774 /// the handshake will fail with [`TlsError::BadCertificate`][crate::TlsError::BadCertificate].
775 ///
776 /// GLib guarantees that if certificate verification fails, this signal
777 /// will be emitted with at least one error will be set in @errors, but
778 /// it does not guarantee that all possible errors will be set.
779 /// Accordingly, you may not safely decide to ignore any particular
780 /// type of error. For example, it would be incorrect to ignore
781 /// [`TlsCertificateFlags::EXPIRED`][crate::TlsCertificateFlags::EXPIRED] if you want to allow expired
782 /// certificates, because this could potentially be the only error flag
783 /// set even if other problems exist with the certificate.
784 ///
785 /// For a server-side connection, @peer_cert is the certificate
786 /// presented by the client, if this was requested via the server's
787 /// #GTlsServerConnection:authentication_mode. On the server side,
788 /// the signal is always emitted when the client presents a
789 /// certificate, and the certificate will only be accepted if a
790 /// handler returns [`true`].
791 ///
792 /// Note that if this signal is emitted as part of asynchronous I/O
793 /// in the main thread, then you should not attempt to interact with
794 /// the user before returning from the signal handler. If you want to
795 /// let the user decide whether or not to accept the certificate, you
796 /// would have to return [`false`] from the signal handler on the first
797 /// attempt, and then after the connection attempt returns a
798 /// [`TlsError::BadCertificate`][crate::TlsError::BadCertificate], you can interact with the user, and
799 /// if the user decides to accept the certificate, remember that fact,
800 /// create a new connection, and return [`true`] from the signal handler
801 /// the next time.
802 ///
803 /// If you are doing I/O in another thread, you do not
804 /// need to worry about this, and can simply block in the signal
805 /// handler until the UI thread returns an answer.
806 /// ## `peer_cert`
807 /// the peer's #GTlsCertificate
808 /// ## `errors`
809 /// the problems with @peer_cert.
810 ///
811 /// # Returns
812 ///
813 /// [`true`] to accept @peer_cert (which will also
814 /// immediately end the signal emission). [`false`] to allow the signal
815 /// emission to continue, which will cause the handshake to fail if
816 /// no one else overrides it.
817 #[doc(alias = "accept-certificate")]
818 fn connect_accept_certificate<
819 F: Fn(&Self, &TlsCertificate, TlsCertificateFlags) -> bool + 'static,
820 >(
821 &self,
822 f: F,
823 ) -> SignalHandlerId {
824 unsafe extern "C" fn accept_certificate_trampoline<
825 P: IsA<TlsConnection>,
826 F: Fn(&P, &TlsCertificate, TlsCertificateFlags) -> bool + 'static,
827 >(
828 this: *mut ffi::GTlsConnection,
829 peer_cert: *mut ffi::GTlsCertificate,
830 errors: ffi::GTlsCertificateFlags,
831 f: glib::ffi::gpointer,
832 ) -> glib::ffi::gboolean {
833 unsafe {
834 let f: &F = &*(f as *const F);
835 f(
836 TlsConnection::from_glib_borrow(this).unsafe_cast_ref(),
837 &from_glib_borrow(peer_cert),
838 from_glib(errors),
839 )
840 .into_glib()
841 }
842 }
843 unsafe {
844 let f: Box_<F> = Box_::new(f);
845 connect_raw(
846 self.as_ptr() as *mut _,
847 c"accept-certificate".as_ptr() as *const _,
848 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
849 accept_certificate_trampoline::<Self, F> as *const (),
850 )),
851 Box_::into_raw(f),
852 )
853 }
854 }
855
856 #[cfg(feature = "v2_60")]
857 #[cfg_attr(docsrs, doc(cfg(feature = "v2_60")))]
858 #[doc(alias = "advertised-protocols")]
859 fn connect_advertised_protocols_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
860 unsafe extern "C" fn notify_advertised_protocols_trampoline<
861 P: IsA<TlsConnection>,
862 F: Fn(&P) + 'static,
863 >(
864 this: *mut ffi::GTlsConnection,
865 _param_spec: glib::ffi::gpointer,
866 f: glib::ffi::gpointer,
867 ) {
868 unsafe {
869 let f: &F = &*(f as *const F);
870 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
871 }
872 }
873 unsafe {
874 let f: Box_<F> = Box_::new(f);
875 connect_raw(
876 self.as_ptr() as *mut _,
877 c"notify::advertised-protocols".as_ptr() as *const _,
878 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
879 notify_advertised_protocols_trampoline::<Self, F> as *const (),
880 )),
881 Box_::into_raw(f),
882 )
883 }
884 }
885
886 #[doc(alias = "certificate")]
887 fn connect_certificate_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
888 unsafe extern "C" fn notify_certificate_trampoline<
889 P: IsA<TlsConnection>,
890 F: Fn(&P) + 'static,
891 >(
892 this: *mut ffi::GTlsConnection,
893 _param_spec: glib::ffi::gpointer,
894 f: glib::ffi::gpointer,
895 ) {
896 unsafe {
897 let f: &F = &*(f as *const F);
898 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
899 }
900 }
901 unsafe {
902 let f: Box_<F> = Box_::new(f);
903 connect_raw(
904 self.as_ptr() as *mut _,
905 c"notify::certificate".as_ptr() as *const _,
906 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
907 notify_certificate_trampoline::<Self, F> as *const (),
908 )),
909 Box_::into_raw(f),
910 )
911 }
912 }
913
914 #[cfg(feature = "v2_70")]
915 #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
916 #[doc(alias = "ciphersuite-name")]
917 fn connect_ciphersuite_name_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
918 unsafe extern "C" fn notify_ciphersuite_name_trampoline<
919 P: IsA<TlsConnection>,
920 F: Fn(&P) + 'static,
921 >(
922 this: *mut ffi::GTlsConnection,
923 _param_spec: glib::ffi::gpointer,
924 f: glib::ffi::gpointer,
925 ) {
926 unsafe {
927 let f: &F = &*(f as *const F);
928 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
929 }
930 }
931 unsafe {
932 let f: Box_<F> = Box_::new(f);
933 connect_raw(
934 self.as_ptr() as *mut _,
935 c"notify::ciphersuite-name".as_ptr() as *const _,
936 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
937 notify_ciphersuite_name_trampoline::<Self, F> as *const (),
938 )),
939 Box_::into_raw(f),
940 )
941 }
942 }
943
944 #[doc(alias = "database")]
945 fn connect_database_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
946 unsafe extern "C" fn notify_database_trampoline<
947 P: IsA<TlsConnection>,
948 F: Fn(&P) + 'static,
949 >(
950 this: *mut ffi::GTlsConnection,
951 _param_spec: glib::ffi::gpointer,
952 f: glib::ffi::gpointer,
953 ) {
954 unsafe {
955 let f: &F = &*(f as *const F);
956 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
957 }
958 }
959 unsafe {
960 let f: Box_<F> = Box_::new(f);
961 connect_raw(
962 self.as_ptr() as *mut _,
963 c"notify::database".as_ptr() as *const _,
964 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
965 notify_database_trampoline::<Self, F> as *const (),
966 )),
967 Box_::into_raw(f),
968 )
969 }
970 }
971
972 #[doc(alias = "interaction")]
973 fn connect_interaction_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
974 unsafe extern "C" fn notify_interaction_trampoline<
975 P: IsA<TlsConnection>,
976 F: Fn(&P) + 'static,
977 >(
978 this: *mut ffi::GTlsConnection,
979 _param_spec: glib::ffi::gpointer,
980 f: glib::ffi::gpointer,
981 ) {
982 unsafe {
983 let f: &F = &*(f as *const F);
984 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
985 }
986 }
987 unsafe {
988 let f: Box_<F> = Box_::new(f);
989 connect_raw(
990 self.as_ptr() as *mut _,
991 c"notify::interaction".as_ptr() as *const _,
992 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
993 notify_interaction_trampoline::<Self, F> as *const (),
994 )),
995 Box_::into_raw(f),
996 )
997 }
998 }
999
1000 #[cfg(feature = "v2_60")]
1001 #[cfg_attr(docsrs, doc(cfg(feature = "v2_60")))]
1002 #[doc(alias = "negotiated-protocol")]
1003 fn connect_negotiated_protocol_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
1004 unsafe extern "C" fn notify_negotiated_protocol_trampoline<
1005 P: IsA<TlsConnection>,
1006 F: Fn(&P) + 'static,
1007 >(
1008 this: *mut ffi::GTlsConnection,
1009 _param_spec: glib::ffi::gpointer,
1010 f: glib::ffi::gpointer,
1011 ) {
1012 unsafe {
1013 let f: &F = &*(f as *const F);
1014 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
1015 }
1016 }
1017 unsafe {
1018 let f: Box_<F> = Box_::new(f);
1019 connect_raw(
1020 self.as_ptr() as *mut _,
1021 c"notify::negotiated-protocol".as_ptr() as *const _,
1022 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
1023 notify_negotiated_protocol_trampoline::<Self, F> as *const (),
1024 )),
1025 Box_::into_raw(f),
1026 )
1027 }
1028 }
1029
1030 #[doc(alias = "peer-certificate")]
1031 fn connect_peer_certificate_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
1032 unsafe extern "C" fn notify_peer_certificate_trampoline<
1033 P: IsA<TlsConnection>,
1034 F: Fn(&P) + 'static,
1035 >(
1036 this: *mut ffi::GTlsConnection,
1037 _param_spec: glib::ffi::gpointer,
1038 f: glib::ffi::gpointer,
1039 ) {
1040 unsafe {
1041 let f: &F = &*(f as *const F);
1042 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
1043 }
1044 }
1045 unsafe {
1046 let f: Box_<F> = Box_::new(f);
1047 connect_raw(
1048 self.as_ptr() as *mut _,
1049 c"notify::peer-certificate".as_ptr() as *const _,
1050 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
1051 notify_peer_certificate_trampoline::<Self, F> as *const (),
1052 )),
1053 Box_::into_raw(f),
1054 )
1055 }
1056 }
1057
1058 #[doc(alias = "peer-certificate-errors")]
1059 fn connect_peer_certificate_errors_notify<F: Fn(&Self) + 'static>(
1060 &self,
1061 f: F,
1062 ) -> SignalHandlerId {
1063 unsafe extern "C" fn notify_peer_certificate_errors_trampoline<
1064 P: IsA<TlsConnection>,
1065 F: Fn(&P) + 'static,
1066 >(
1067 this: *mut ffi::GTlsConnection,
1068 _param_spec: glib::ffi::gpointer,
1069 f: glib::ffi::gpointer,
1070 ) {
1071 unsafe {
1072 let f: &F = &*(f as *const F);
1073 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
1074 }
1075 }
1076 unsafe {
1077 let f: Box_<F> = Box_::new(f);
1078 connect_raw(
1079 self.as_ptr() as *mut _,
1080 c"notify::peer-certificate-errors".as_ptr() as *const _,
1081 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
1082 notify_peer_certificate_errors_trampoline::<Self, F> as *const (),
1083 )),
1084 Box_::into_raw(f),
1085 )
1086 }
1087 }
1088
1089 #[cfg(feature = "v2_70")]
1090 #[cfg_attr(docsrs, doc(cfg(feature = "v2_70")))]
1091 #[doc(alias = "protocol-version")]
1092 fn connect_protocol_version_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
1093 unsafe extern "C" fn notify_protocol_version_trampoline<
1094 P: IsA<TlsConnection>,
1095 F: Fn(&P) + 'static,
1096 >(
1097 this: *mut ffi::GTlsConnection,
1098 _param_spec: glib::ffi::gpointer,
1099 f: glib::ffi::gpointer,
1100 ) {
1101 unsafe {
1102 let f: &F = &*(f as *const F);
1103 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
1104 }
1105 }
1106 unsafe {
1107 let f: Box_<F> = Box_::new(f);
1108 connect_raw(
1109 self.as_ptr() as *mut _,
1110 c"notify::protocol-version".as_ptr() as *const _,
1111 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
1112 notify_protocol_version_trampoline::<Self, F> as *const (),
1113 )),
1114 Box_::into_raw(f),
1115 )
1116 }
1117 }
1118
1119 #[cfg_attr(feature = "v2_60", deprecated = "Since 2.60")]
1120 #[doc(alias = "rehandshake-mode")]
1121 fn connect_rehandshake_mode_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
1122 unsafe extern "C" fn notify_rehandshake_mode_trampoline<
1123 P: IsA<TlsConnection>,
1124 F: Fn(&P) + 'static,
1125 >(
1126 this: *mut ffi::GTlsConnection,
1127 _param_spec: glib::ffi::gpointer,
1128 f: glib::ffi::gpointer,
1129 ) {
1130 unsafe {
1131 let f: &F = &*(f as *const F);
1132 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
1133 }
1134 }
1135 unsafe {
1136 let f: Box_<F> = Box_::new(f);
1137 connect_raw(
1138 self.as_ptr() as *mut _,
1139 c"notify::rehandshake-mode".as_ptr() as *const _,
1140 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
1141 notify_rehandshake_mode_trampoline::<Self, F> as *const (),
1142 )),
1143 Box_::into_raw(f),
1144 )
1145 }
1146 }
1147
1148 #[doc(alias = "require-close-notify")]
1149 fn connect_require_close_notify_notify<F: Fn(&Self) + 'static>(&self, f: F) -> SignalHandlerId {
1150 unsafe extern "C" fn notify_require_close_notify_trampoline<
1151 P: IsA<TlsConnection>,
1152 F: Fn(&P) + 'static,
1153 >(
1154 this: *mut ffi::GTlsConnection,
1155 _param_spec: glib::ffi::gpointer,
1156 f: glib::ffi::gpointer,
1157 ) {
1158 unsafe {
1159 let f: &F = &*(f as *const F);
1160 f(TlsConnection::from_glib_borrow(this).unsafe_cast_ref())
1161 }
1162 }
1163 unsafe {
1164 let f: Box_<F> = Box_::new(f);
1165 connect_raw(
1166 self.as_ptr() as *mut _,
1167 c"notify::require-close-notify".as_ptr() as *const _,
1168 Some(std::mem::transmute::<*const (), unsafe extern "C" fn()>(
1169 notify_require_close_notify_trampoline::<Self, F> as *const (),
1170 )),
1171 Box_::into_raw(f),
1172 )
1173 }
1174 }
1175}
1176
1177impl<O: IsA<TlsConnection>> TlsConnectionExt for O {}