File: tls_layer_impl.hpp

package info (click to toggle)
libfilezilla 0.54.1-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 4,504 kB
  • sloc: cpp: 31,105; sh: 4,241; makefile: 375; xml: 37
file content (278 lines) | stat: -rw-r--r-- 9,743 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
 
#ifndef LIBFILEZILLA_TLS_LAYER_IMPL_HEADER
#define LIBFILEZILLA_TLS_LAYER_IMPL_HEADER

#if defined(_MSC_VER)
typedef std::make_signed_t<size_t> ssize_t;
#endif

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#include <gnutls/abstract.h>

#include "libfilezilla/buffer.hpp"
#include "libfilezilla/logger.hpp"
#include "libfilezilla/socket.hpp"
#include "libfilezilla/tls_info.hpp"
#include "libfilezilla/tls_layer.hpp"

#include <optional>
#include <string_view>

namespace fz {
class tls_system_trust_store;
class logger_interface;

struct cert_list_holder final
{
	cert_list_holder() = default;
	~cert_list_holder() {
		for (unsigned int i = 0; i < certs_size; ++i) {
			gnutls_x509_crt_deinit(certs[i]);
		}
		gnutls_free(certs);
	}

	cert_list_holder(cert_list_holder const&) = delete;
	cert_list_holder& operator=(cert_list_holder const&) = delete;

	gnutls_x509_crt_t * certs{};
	unsigned int certs_size{};
};


struct gnutls_privkey_deinitializer
{
	using pointer = gnutls_privkey_t;
	void operator()(gnutls_privkey_t key)
	{
		if (key) {
			gnutls_privkey_deinit(key);
		}
	}
};

using unique_gnutls_privkey = std::unique_ptr<gnutls_privkey_t, gnutls_privkey_deinitializer>;

class tls_layer;
class tls_layer_impl final
{
public:
	struct cert_context final
	{
		cert_context(logger_interface &logger, bool ignore_function_when_logging = false, bool do_init = false)
			: logger(logger)
			, ignore_function_when_logging(ignore_function_when_logging)
		{
			if (do_init) {
				init();
			}
		}
		~cert_context()
		{
			deinit();
		}

		explicit operator bool() const
		{
			return credentials != nullptr;
		}

		void log_gnutls_error(int code, std::wstring_view const& function = {}, logmsg::type logLevel = logmsg::error)
		{
			tls_layer_impl::log_gnutls_error(logger, code, ignore_function_when_logging ? std::wstring_view{} : function, logLevel);
		}

		bool init();
		void deinit();

		logger_interface &logger;
		gnutls_certificate_credentials_t credentials{};
		std::string pin;

	private:
		bool ignore_function_when_logging{};
	};

	tls_layer_impl(tls_layer& layer, tls_system_trust_store * systemTrustStore, logger_interface & logger);
	~tls_layer_impl();

	bool client_handshake(std::vector<uint8_t> const& session_to_resume, native_string const& session_hostname, std::vector<uint8_t> const& required_certificate, event_handler * verification_handler, tls_client_flags flags);

	bool server_handshake(std::vector<uint8_t> const& session_to_resume, std::string_view const& preamble, tls_server_flags flags);

	int connect(native_string const& host, unsigned int port, address_type family);

	int read(void *buffer, unsigned int size, int& error);
	int write(void const* buffer, unsigned int size, int& error);

	int shutdown();

	void set_verification_result(bool trusted);

	socket_state get_state() const {
		return state_;
	}

	std::vector<uint8_t> get_session_parameters() const;
	std::vector<uint8_t> get_raw_certificate() const;

	std::string get_protocol() const;
	std::string get_key_exchange() const;
	std::string get_cipher() const;
	std::string get_mac() const;
	int get_algorithm_warnings() const;

	bool resumed_session() const;

	static std::string list_tls_ciphers(std::string const& priority);

	bool set_key_and_certs(const_tls_param_ref key, const_tls_param_ref certs, native_string const& password, tls_data_format format);

	static std::string get_gnutls_version();

	ssize_t push_function(void const* data, size_t len);
	ssize_t pull_function(void* data, size_t len);

	static std::pair<std::string, std::string> generate_selfsigned_certificate(native_string const& password, std::string const& distinguished_name, std::vector<std::string> const& hostnames, duration const& lifetime, tls_layer::cert_type type, bool ecdsa, logger_interface &logger = get_null_logger());
	static std::string generate_selfsigned_certificate(const_tls_param_ref key, native_string const& password, std::string const& distinguished_name, std::vector<std::string> const& hostnames, duration const& lifetime, tls_layer::cert_type type, logger_interface &logger = get_null_logger());
	static std::pair<std::string, std::string> generate_csr(native_string const& password, std::string const& distinguished_name, std::vector<std::string> const& hostnames, bool csr_as_pem, tls_layer::cert_type type, bool ecdsa, logger_interface &logger = get_null_logger());
	static std::string generate_csr(const_tls_param_ref key, native_string const& password, std::string const& distinguished_name, std::vector<std::string> const& hostnames, bool csr_as_pem, tls_layer::cert_type type, logger_interface &logger = get_null_logger());
	static std::string generate_cert_from_csr(std::pair<std::string, std::string> const& issuer, native_string const& password, std::string const& csr, std::string const& distinguished_name, std::vector<std::string> const& hostnames, duration const& lifetime, tls_layer::cert_type type, logger_interface &logger = get_null_logger());
	static bool add_pkcs11_provider(native_string_view const &path, logger_interface &logger = get_null_logger());

	int shutdown_read();

	void set_event_handler(event_handler* pEvtHandler, fz::socket_event_flag retrigger_block);

	std::string get_alpn() const;
	native_string get_hostname() const;

	static int load_certificates(const_tls_param_ref in, tls_data_format format, gnutls_x509_crt_t *& certs, unsigned int & certs_size, bool & sort, logger_interface * logger);
	static int load_certificates(std::string_view const& in, bool pem, gnutls_x509_crt_t *& certs, unsigned int & certs_size, bool & sort);
	static bool extract_cert(gnutls_x509_crt_t const& cert, x509_certificate& out, bool last, logger_interface * logger);
	static void log_gnutls_error(logger_interface &logger, int code, std::wstring_view const& function = {}, logmsg::type logLevel = logmsg::error);

	static bool set_key_and_certs(cert_context &ctx, const_tls_param_ref keyfile, const_tls_param_ref certsfile, native_string const& password, tls_data_format format);

	void set_min_tls_ver(tls_ver ver);
	void set_max_tls_ver(tls_ver ver);

	void set_unexpected_eof_cb(std::function<bool()> && cb);

private:
	bool init();
	void deinit();

	bool init_session(bool client, int extra_flags = 0);
	void deinit_session();

	int continue_write();
	int continue_handshake();
	int continue_shutdown();

	int verify_certificate();
	bool certificate_is_blacklisted(cert_list_holder const& certificates);
	bool certificate_is_blacklisted(gnutls_x509_crt_t const& cert);

	void log_error(int code, std::wstring_view const& function, logmsg::type logLevel = logmsg::error);
	void log_alert(logmsg::type logLevel);

	// Failure logs the error, uninits the session and sends a close event
	void failure(int code, bool send_close, std::wstring_view const& function = {});

	int do_call_gnutls_record_recv(void* data, size_t len);

	void operator()(event_base const& ev);
	void on_socket_event(socket_event_source* source, socket_event_flag t, int error);
	void forward_hostaddress_event(socket_event_source* source, std::string const& address);

	void on_read();
	void on_send();

	bool get_sorted_peer_certificates(gnutls_x509_crt_t *& certs, unsigned int & certs_size);

	static std::vector<x509_certificate::subject_name> get_cert_subject_alt_names(gnutls_x509_crt_t cert);

	void log_verification_error(int status);

	void set_hostname(native_string const& host);

	bool do_set_alpn();

	int new_session_ticket();

	static std::vector<gnutls_pcert_st> import_certs(cert_context &ctx, const_tls_param_ref certs, tls_data_format format);
	static unique_gnutls_privkey import_private_key(cert_context &ctx, const_tls_param_ref key, native_string const& password, tls_data_format format);
	static std::string generate_csr(cert_context &ctx, unique_gnutls_privkey priv, std::string const& distinguished_name, std::vector<std::string> const& hostnames, bool csr_as_pem, tls_layer::cert_type type);
	static std::string generate_selfsigned_certificate(cert_context &ctx, unique_gnutls_privkey priv, std::string const& distinguished_name, std::vector<std::string> const& hostnames, duration const& lifetime, tls_layer::cert_type type);

	tls_layer& tls_layer_;

	logger_interface & logger_;

	std::function<bool()> unexpected_eof_cb_;

	gnutls_session_t session_{};

	std::vector<uint8_t> ticket_key_;
	std::vector<uint8_t> session_db_key_;
	std::vector<uint8_t> session_db_data_;

	cert_context cert_context_ { logger_ };

	std::vector<std::string> alpn_;
	bool alpn_server_priority_{};

	socket_state state_{};

	bool handshake_successful_{};
	bool sent_closure_alert_{};

	bool can_read_from_socket_{false};
	bool can_write_to_socket_{false};

	bool shutdown_silence_read_errors_{true};

	// gnutls_record_send has strange semantics, it needs to be called again
	// with either 0 data and 0 length after GNUTLS_E_AGAIN, to actually send
	// previously queued data. We unfortunately do not know how much data has
	// been queued and thus need to make a copy of the input up to
	// gnutls_record_get_max_size()
	buffer send_buffer_;

	// Sent out just before the handshake itself
	buffer preamble_;

	std::vector<uint8_t> required_certificate_;

	friend class tls_layer;
	friend class tls_layerCallbacks;

	native_string hostname_;

	tls_system_trust_store* system_trust_store_{};

	event_handler * verification_handler_{};

	tls_ver min_tls_ver_{tls_ver::v1_0};
	std::optional<tls_ver> max_tls_ver_;

	int socket_error_{}; // Set in the push and pull functions if reading/writing fails fatally
	bool socket_eof_{};

	bool initialized_{};
	bool server_{};

	bool write_blocked_by_send_buffer_{};

	bool send_new_ticket_{};

#if DEBUG_SOCKETEVENTS
	bool debug_can_read_{};
	bool debug_can_write_{};
#endif
};

}

#endif