author | Dan Winship <danw@gnome.org> | 2014-10-16 20:53:58 -0400 |
---|---|---|
committer | Dan Winship <danw@gnome.org> | 2014-10-16 20:53:58 -0400 |
commit | 2b57c5894c778d93dc1db2374d4e8f358de750c3 (patch) | |
tree | 53137925d9f9d9c36be655f2b00f1352d6baf340 | |
parent | 582aa039020610d0ba1d89bfc71acff19073ca9e (diff) | |
download | glib-wip/danw/poodle.tar.gz |
Allow controlling the SSL/TLS versions a GTlsConnection can use (wip/danw/poodle)
-rw-r--r-- | docs/reference/gio/gio-sections.txt | 4 | ||||
-rw-r--r-- | gio/gioenums.h | 20 | ||||
-rw-r--r-- | gio/gtlsclientconnection.c | 7 | ||||
-rw-r--r-- | gio/gtlsclientconnection.h | 4 | ||||
-rw-r--r-- | gio/gtlsconnection.c | 114 | ||||
-rw-r--r-- | gio/gtlsconnection.h | 9 |
6 files changed, 156 insertions, 2 deletions
diff --git a/docs/reference/gio/gio-sections.txt b/docs/reference/gio/gio-sections.txt index 80980fd6d..edd74b79b 100644 --- a/docs/reference/gio/gio-sections.txt +++ b/docs/reference/gio/gio-sections.txt @@ -3470,6 +3470,10 @@ g_tls_connection_get_require_close_notify GTlsRehandshakeMode g_tls_connection_set_rehandshake_mode g_tls_connection_get_rehandshake_mode +GTlsVersion +g_tls_connection_set_requested_versions +g_tls_connection_get_requested_versions +g_tls_connection_get_version g_tls_connection_set_use_system_certdb g_tls_connection_get_use_system_certdb g_tls_connection_get_database diff --git a/gio/gioenums.h b/gio/gioenums.h index 1ca5be558..bb0c771ad 100644 --- a/gio/gioenums.h +++ b/gio/gioenums.h @@ -1811,6 +1811,26 @@ typedef enum { G_NOTIFICATION_PRIORITY_URGENT } GNotificationPriority; +/** + * GTlsVersion: + * @G_TLS_VERSION_INVALID: invalid or unspecified version + * @G_TLS_VERSION_SSL_3_0: SSL 3.0 + * @G_TLS_VERSION_TLS_1_0: TLS 1.0 + * @G_TLS_VERSION_TLS_1_1: TLS 1.1 + * @G_TLS_VERSION_TLS_1_2: TLS 1.2 + * + * Versions of TLS/SSL that a connection might support. + * + * Since: 2.44 + */ +typedef enum { + G_TLS_VERSION_INVALID = 0, + G_TLS_VERSION_SSL_3_0 = (1 << 0), + G_TLS_VERSION_TLS_1_0 = (1 << 1), + G_TLS_VERSION_TLS_1_1 = (1 << 2), + G_TLS_VERSION_TLS_1_2 = (1 << 3) +} GTlsVersion; + G_END_DECLS #endif /* __GIO_ENUMS_H__ */ diff --git a/gio/gtlsclientconnection.c b/gio/gtlsclientconnection.c index 5d2a17d1b..40b0a728f 100644 --- a/gio/gtlsclientconnection.c +++ b/gio/gtlsclientconnection.c @@ -110,6 +110,8 @@ g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface) * a "modern" TLS handshake. * * Since: 2.28 + * Deprecated: 2.44: #GTlsConnection:requested-versions gives you + * greater control over the versions to use. */ g_object_interface_install_property (iface, g_param_spec_boolean ("use-ssl3", 
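Review bot: The GTlsVersion doc comment in gio/gioenums.h does not say that the values are bit flags, although they are defined as `(1 << n)` and the rest of the commit installs the type with g_param_spec_flags() and ORs the values together for the default. A reader also cannot tell that `G_TLS_VERSION_INVALID` (0) doubles as the empty mask. I would add a sentence to the description such as `* The values are bit flags: combine them with bitwise OR for #GTlsConnection:requested-versions; #GTlsConnection:version holds a single value.`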
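Review bot: The new `Deprecated: 2.44` text on the use-ssl3 property in gio/gtlsclientconnection.c does not say what happens when a caller sets both use-ssl3 and requested-versions, and the same wording is repeated in the getter and setter doc hunks (-271 and -295). That gap matters for hardening: code that removes SSL 3.0 from requested-versions cannot tell from the docs whether a legacy `use-ssl3 = TRUE` elsewhere still forces it. Which setting wins is not visible in this diff, so the comment should state it, for example `* Deprecated: 2.44: Use #GTlsConnection:requested-versions instead. If both are set, <state which one takes precedence>.`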
@@ -118,6 +120,7 @@ g_tls_client_connection_default_init (GTlsClientConnectionInterface *iface) FALSE, G_PARAM_READWRITE | G_PARAM_CONSTRUCT | + G_PARAM_DEPRECATED | G_PARAM_STATIC_STRINGS)); /** @@ -271,6 +274,8 @@ g_tls_client_connection_set_server_identity (GTlsClientConnection *conn, * Returns: whether @conn will use SSL 3.0 * * Since: 2.28 + * Deprecated: 2.44: #GTlsConnection:requested-versions gives you + * greater control over the versions to use. */ gboolean g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn) @@ -295,6 +300,8 @@ g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn) * a "modern" TLS handshake attempt. * * Since: 2.28 + * Deprecated: 2.44: #GTlsConnection:requested-versions gives you + * greater control over the versions to use. */ void g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn, diff --git a/gio/gtlsclientconnection.h b/gio/gtlsclientconnection.h index b711a47ed..d8e1f694d 100644 --- a/gio/gtlsclientconnection.h +++ b/gio/gtlsclientconnection.h @@ -58,9 +58,9 @@ GSocketConnectable *g_tls_client_connection_get_server_identity (GTlsClientCo GLIB_AVAILABLE_IN_ALL void g_tls_client_connection_set_server_identity (GTlsClientConnection *conn, GSocketConnectable *identity); -GLIB_AVAILABLE_IN_ALL +GLIB_DEPRECATED_IN_2_44 gboolean g_tls_client_connection_get_use_ssl3 (GTlsClientConnection *conn); -GLIB_AVAILABLE_IN_ALL +GLIB_DEPRECATED_IN_2_44 void g_tls_client_connection_set_use_ssl3 (GTlsClientConnection *conn, gboolean use_ssl3); GLIB_AVAILABLE_IN_ALL diff --git a/gio/gtlsconnection.c b/gio/gtlsconnection.c index d614c05ba..573cdf055 100644 --- a/gio/gtlsconnection.c +++ b/gio/gtlsconnection.c @@ -76,6 +76,8 @@ enum { PROP_BASE_IO_STREAM, PROP_REQUIRE_CLOSE_NOTIFY, PROP_REHANDSHAKE_MODE, + PROP_REQUESTED_VERSIONS, + PROP_VERSION, PROP_USE_SYSTEM_CERTDB, PROP_DATABASE, PROP_INTERACTION, 
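Review bot: The two `GLIB_DEPRECATED_IN_2_44` annotations in gio/gtlsclientconnection.h give callers a deprecation warning that names no replacement. The `_FOR` form puts the migration target in the compiler message: `GLIB_DEPRECATED_IN_2_44_FOR(g_tls_connection_get_requested_versions)` on the getter and `GLIB_DEPRECATED_IN_2_44_FOR(g_tls_connection_set_requested_versions)` on the setter. That makes it easier for downstream code to find and retire its SSL 3.0 fallback paths.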
@@ -190,6 +192,46 @@ g_tls_connection_class_init (GTlsConnectionClass *klass) G_PARAM_CONSTRUCT | G_PARAM_STATIC_STRINGS)); /** + * GTlsConnection:requested-versions: + * + * The requested SSL/TLS versions. See + * g_tls_connection_set_requested_versions(). + * + * Note that the default value of this property may change in future + * releases. + * + * Since: 2.44 + */ + g_object_class_install_property (gobject_class, PROP_REQUESTED_VERSIONS, + g_param_spec_flags ("requested-versions", + P_("Requested versions"), + P_("SSL/TLS versions to use"), + G_TYPE_TLS_VERSION, + (G_TLS_VERSION_SSL_3_0 | + G_TLS_VERSION_TLS_1_0 | + G_TLS_VERSION_TLS_1_1 | + G_TLS_VERSION_TLS_1_2), + G_PARAM_READWRITE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS)); + /** + * GTlsConnection:version: + * + * The negotiated SSL/TLS version; this is only valid after a + * handshake has completed. + * + * Since: 2.44 + */ + g_object_class_install_property (gobject_class, PROP_VERSION, + g_param_spec_flags ("version", + P_("Version"), + P_("Negotiated SSL/TLS version"), + G_TYPE_TLS_VERSION, + G_TLS_VERSION_INVALID, + G_PARAM_READABLE | + G_PARAM_CONSTRUCT | + G_PARAM_STATIC_STRINGS)); + /** * GTlsConnection:certificate: * * The connection's certificate; see 
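Review bot: The `version` property is installed with `G_PARAM_READABLE | G_PARAM_CONSTRUCT`, but a construct property has to be writable, so GObject's install-time checks are expected to reject this combination. For a read-only negotiated value the flags should be `G_PARAM_READABLE | G_PARAM_STATIC_STRINGS`. Separately, the default mask for `requested-versions` still includes `G_TLS_VERSION_SSL_3_0`, so a connection that never touches the property keeps offering SSL 3.0. Given the branch name, consider dropping that bit from the default or explaining in the property doc why it stays. The body of g_tls_connection_class_init starts and ends outside this hunk.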
@@ -726,6 +768,78 @@ g_tls_connection_get_rehandshake_mode (GTlsConnection *conn) } /** + * g_tls_connection_set_requested_versions: + * @conn: a #GTlsConnection + * @versions: the requested versions + * + * Sets the SSL/TLS versions that @conn will accept when handshaking. + * + * After the handshake completes, you can use + * g_tls_connection_get_version() to discover the negotiated version. + * + * Since: 2.44 + */ +void +g_tls_connection_set_requested_versions (GTlsConnection *conn, + GTlsVersion versions) +{ + g_return_if_fail (G_IS_TLS_CONNECTION (conn)); + + g_object_set (G_OBJECT (conn), + "requested-versions", versions, + NULL); +} + +/** + * g_tls_connection_get_requested_versions: + * @conn: a #GTlsConnection + * + * Gets the SSL/TLS versions that @conn will accept when handshaking. + * (To find the version that was actually negotiated, use + * g_tls_connection_get_version().) + * + * Returns: @conn's requested SSL/TLS versions + * + * Since: 2.44 + */ +GTlsVersion +g_tls_connection_get_requested_versions (GTlsConnection *conn) +{ + GTlsVersion versions; + + g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), G_TLS_VERSION_INVALID); + + g_object_get (G_OBJECT (conn), + "requested-versions", &versions, + NULL); + return versions; +} + +/** + * g_tls_connection_get_version: + * @conn: a #GTlsConnection + * + * Gets the SSL/TLS version that was negotiated on @conn. + * + * Returns: @conn's SSL/TLS version, or %G_TLS_VERSION_INVALID if @conn + * has not yet completed a handshake. + * + * Since: 2.44 + */ +GTlsVersion +g_tls_connection_get_version (GTlsConnection *conn) +{ + GTlsVersion version; + + g_return_val_if_fail (G_IS_TLS_CONNECTION (conn), G_TLS_VERSION_INVALID); + + g_object_get (G_OBJECT (conn), + "version", &version, + NULL); + return version; +} + +/** * g_tls_connection_handshake: * @conn: a #GTlsConnection * @cancellable: (allow-none): a #GCancellable, or %NULL 
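Review bot: g_tls_connection_set_requested_versions() forwards `versions` to the property without checking it, so an empty mask (`G_TLS_VERSION_INVALID`, which is 0) is accepted silently and the doc comment does not say what the handshake does then. A guard such as `g_return_if_fail (versions != G_TLS_VERSION_INVALID);` after the type check would make the contract explicit. The doc comment should also say that the call has to be made before the handshake starts, and whether a later rehandshake honours a changed mask. How the TLS backend treats an empty mask is not visible in this diff, so that part should be confirmed against the implementation.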
diff --git a/gio/gtlsconnection.h b/gio/gtlsconnection.h index 15b29aa86..e03ff4abe 100644 --- a/gio/gtlsconnection.h +++ b/gio/gtlsconnection.h @@ -115,6 +115,15 @@ void g_tls_connection_set_rehandshake_mode (GTlsConnecti GLIB_AVAILABLE_IN_ALL GTlsRehandshakeMode g_tls_connection_get_rehandshake_mode (GTlsConnection *conn); +GLIB_AVAILABLE_IN_2_44 +void g_tls_connection_set_requested_versions (GTlsConnection *conn, + GTlsVersion versions); +GLIB_AVAILABLE_IN_2_44 +GTlsVersion g_tls_connection_get_requested_versions (GTlsConnection *conn); + +GLIB_AVAILABLE_IN_2_44 +GTlsVersion g_tls_connection_get_version (GTlsConnection *conn); + GLIB_AVAILABLE_IN_ALL gboolean g_tls_connection_handshake (GTlsConnection *conn, GCancellable *cancellable, |