1 #ifndef LIBFILEZILLA_TLS_LAYER_IMPL_HEADER
2 #define LIBFILEZILLA_TLS_LAYER_IMPL_HEADER
3 
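#if defined(_MSC_VER)
// MSVC ships no ssize_t. The signed counterpart of size_t is used as the
// return type of push_function/pull_function further down. The two headers
// are included here, before the typedef, so that this header is
// self-contained on MSVC even when it is the first include of a TU
// (the original relied on <type_traits>/<cstddef> arriving transitively).
#include <cstddef>
#include <type_traits>
typedef std::make_signed_t<size_t> ssize_t;
#endif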
7 
8 #include <gnutls/gnutls.h>
9 #include <gnutls/x509.h>
10 
11 #include "libfilezilla/buffer.hpp"
12 #include "libfilezilla/logger.hpp"
13 #include "libfilezilla/socket.hpp"
14 #include "libfilezilla/tls_info.hpp"
15 #include "libfilezilla/tls_layer.hpp"
16 
17 #include <optional>
18 
19 namespace fz {
// Forward declarations: both types are only ever used through a pointer or
// reference in this header (constructor, members, read_certificates_file).
class tls_system_trust_store;
class logger_interface;
22 
// RAII owner for a gnutls-allocated array of certificate handles, i.e. the
// (certs, certs_size) pair that load_certificates() below hands out.
// A default-constructed holder is empty (nullptr, 0). Copying is disabled and,
// because a copy operation is user-declared, no move operations are generated
// either: the holder stays where it was created.
struct cert_list_holder final
{
	cert_list_holder() = default;

	// Releases each certificate handle, then the array that held them.
	~cert_list_holder() {
		gnutls_x509_crt_t * cur = certs;
		unsigned int remaining = certs_size;
		while (remaining != 0) {
			gnutls_x509_crt_deinit(*cur);
			++cur;
			--remaining;
		}
		gnutls_free(certs);
	}

	cert_list_holder(cert_list_holder const&) = delete;
	cert_list_holder& operator=(cert_list_holder const&) = delete;

	gnutls_x509_crt_t * certs{};   // gnutls-allocated array, freed with gnutls_free()
	unsigned int certs_size{};     // number of valid handles in certs
};
39 
40 class tls_layer;
// gnutls-backed implementation behind fz::tls_layer. The public layer holds a
// reference to it and is declared a friend, so the private section below is
// effectively the layer's internal API rather than hidden state.
class tls_layer_impl final
{
public:
	// systemTrustStore is taken by pointer (may be null, see system_trust_store_);
	// layer and logger are references and must outlive this object.
	tls_layer_impl(tls_layer& layer, tls_system_trust_store * systemTrustStore, logger_interface & logger);
	~tls_layer_impl();

	// Starts the client side of the handshake.
	//   session_to_resume    - opaque session blob, presumably what get_session_parameters()
	//                          returned earlier; empty for a fresh session — confirm in the .cpp
	//   session_hostname     - peer name (see set_hostname / hostname_)
	//   required_certificate - kept in required_certificate_; presumably a pinned certificate the
	//                          peer has to present — confirm against verify_certificate()
	//   verification_handler - receives the verification request; the verdict comes back through
	//                          set_verification_result()
	bool client_handshake(std::vector<uint8_t> const& session_to_resume, native_string const& session_hostname, std::vector<uint8_t> const& required_certificate, event_handler * verification_handler);

	// Starts the server side of the handshake. preamble is queued in preamble_
	// and sent out just before the handshake itself.
	bool server_handshake(std::vector<uint8_t> const& session_to_resume, std::string_view const& preamble);

	// Opens the underlying connection to host:port using the given address family.
	int connect(native_string const& host, unsigned int port, address_type family);

	// Plain-text I/O over the TLS session. The return value and the error
	// out-parameter presumably follow the fz::socket convention — confirm.
	int read(void *buffer, unsigned int size, int& error);
	int write(void const* buffer, unsigned int size, int& error);

	// Begins the TLS closure (see sent_closure_alert_, continue_shutdown()).
	int shutdown();

	// Completes a verification that was handed to verification_handler_:
	// trusted == true lets the connection proceed.
	void set_verification_result(bool trusted);

	// Current connection state as tracked in state_.
	socket_state get_state() const {
		return state_;
	}

	// Session blob for later resumption and the peer's raw certificate.
	std::vector<uint8_t> get_session_parameters() const;
	std::vector<uint8_t> get_raw_certificate() const;

	// Negotiated parameters; presumably only meaningful once
	// handshake_successful_ is set — confirm in the .cpp.
	std::string get_protocol() const;
	std::string get_key_exchange() const;
	std::string get_cipher() const;
	std::string get_mac() const;
	int get_algorithm_warnings() const;

	bool resumed_session() const;

	// Lists the ciphers enabled by a gnutls priority string (assumed from the name).
	static std::string list_tls_ciphers(std::string const& priority);

	// Loads the local key and certificate chain, from files or from memory.
	// pem selects PEM parsing; the alternative is presumably DER, as for
	// load_certificates() below. password unlocks the key.
	bool set_certificate_file(native_string const& keyfile, native_string const& certsfile, native_string const& password, bool pem);

	bool set_certificate(std::string_view const& key, std::string_view const& certs, native_string const& password, bool pem);

	static std::string get_gnutls_version();

	// Transport callbacks handed to gnutls. On a fatal socket failure they
	// record the error in socket_error_ (see its comment below).
	ssize_t push_function(void const* data, size_t len);
	ssize_t pull_function(void* data, size_t len);

	// Both return a pair of strings — presumably (private key, certificate /
	// CSR), PEM-encoded unless csr_as_pem says otherwise; confirm in the .cpp.
	static std::pair<std::string, std::string> generate_selfsigned_certificate(native_string const& password, std::string const& distinguished_name, std::vector<std::string> const& hostnames);
	static std::pair<std::string, std::string> generate_csr(native_string const& password, std::string const& distinguished_name, std::vector<std::string> const& hostnames, bool csr_as_pem);

	int shutdown_read();

	void set_event_handler(event_handler* pEvtHandler, fz::socket_event_flag retrigger_block);

	// Negotiated ALPN protocol (see alpn_, do_set_alpn()) and the configured hostname.
	std::string get_alpn() const;
	native_string get_hostname() const;

	// Parses the certificates in `in` (PEM if pem, otherwise presumably DER) into a
	// gnutls-allocated array. certs/certs_size match cert_list_holder's fields, so the
	// caller can hand ownership to one. The meaning of `sort` and whether the int is a
	// gnutls status code are not visible here — confirm in the .cpp.
	static int load_certificates(std::string_view const& in, bool pem, gnutls_x509_crt_t *& certs, unsigned int & certs_size, bool & sort);
	// Converts one gnutls certificate into x509_certificate. logger is a pointer
	// and so presumably optional; `last` is not explained here — confirm.
	static bool extract_cert(gnutls_x509_crt_t const& cert, x509_certificate& out, bool last, logger_interface * logger);

	// Protocol version bounds, see min_tls_ver_ / max_tls_ver_.
	void set_min_tls_ver(tls_ver ver);
	void set_max_tls_ver(tls_ver ver);

private:
	// Library-level setup/teardown (see initialized_).
	bool init();
	void deinit();

	// Per-connection gnutls session setup/teardown (see session_).
	bool init_session(bool client);
	void deinit_session();

	// Resume an operation that previously stopped on would-block.
	int continue_write();
	int continue_handshake();
	int continue_shutdown();

	// Post-handshake peer certificate validation; the blacklist overloads
	// check a full list or a single certificate.
	int verify_certificate();
	bool certificate_is_blacklisted(cert_list_holder const& certificates);
	bool certificate_is_blacklisted(gnutls_x509_crt_t const& cert);

	// code is a gnutls return value; function names the call site for the log line.
	void log_error(int code, std::wstring const& function, logmsg::type logLevel = logmsg::error);
	void log_alert(logmsg::type logLevel);

	// Failure logs the error, uninits the session and sends a close event
	void failure(int code, bool send_close, std::wstring const& function = std::wstring());

	int do_call_gnutls_record_recv(void* data, size_t len);

	// Event dispatch entry point for the underlying socket's events; presumably
	// routes to the two handlers below.
	void operator()(event_base const& ev);
	void on_socket_event(socket_event_source* source, socket_event_flag t, int error);
	void forward_hostaddress_event(socket_event_source* source, std::string const& address);

	void on_read();
	void on_send();

	// Out-parameters mirror cert_list_holder's fields, as in load_certificates().
	bool get_sorted_peer_certificates(gnutls_x509_crt_t *& certs, unsigned int & certs_size);

	static std::vector<x509_certificate::subject_name> get_cert_subject_alt_names(gnutls_x509_crt_t cert);

	void log_verification_error(int status);

	void set_hostname(native_string const& host);

	// Role is derived from the ticket key: only the server side has one.
	// NOTE(review): server_ below tracks the role as well; presumably the two
	// agree — confirm which one is authoritative.
	bool is_client() const {
		return ticket_key_.empty();
	}

	bool do_set_alpn();

	tls_layer& tls_layer_;   // public layer; must outlive this object

	logger_interface & logger_;

	gnutls_session_t session_{};   // value-initialised (null) here; see init_session()/deinit_session()

	std::vector<uint8_t> ticket_key_;   // session ticket key; non-empty only on the server side (see is_client())
	std::vector<uint8_t> session_db_key_;
	std::vector<uint8_t> session_db_data_;

	gnutls_certificate_credentials_t cert_credentials_{};

	std::vector<std::string> alpn_;   // ALPN protocol list applied by do_set_alpn()

	socket_state state_{};   // reported by get_state()

	bool handshake_successful_{};
	bool sent_closure_alert_{};

	bool can_read_from_socket_{false};
	bool can_write_to_socket_{false};

	bool shutdown_silence_read_errors_{true};

	// gnutls_record_send has strange semantics, it needs to be called again
	// with either 0 data and 0 length after GNUTLS_E_AGAIN, to actually send
	// previously queued data. We unfortunately do not know how much data has
	// been queued and thus need to make a copy of the input up to
	// gnutls_record_get_max_size()
	buffer send_buffer_;

	// Sent out just before the handshake itself
	buffer preamble_;

	// Copy of client_handshake()'s required_certificate; presumably empty when
	// no specific certificate is required — confirm against verify_certificate()
	std::vector<uint8_t> required_certificate_;

	friend class tls_layer;
	friend class tls_layerCallbacks;

	native_string hostname_;

	tls_system_trust_store* system_trust_store_{};   // may be null

	event_handler * verification_handler_{};   // target of the verification request, see client_handshake()

	// Protocol version floor and optional ceiling. The floor defaults to TLS 1.0.
	// NOTE(review): that default admits legacy protocol versions unless the
	// caller raises it through set_min_tls_ver(); confirm it matches the
	// intended policy for this build.
	tls_ver min_tls_ver_{tls_ver::v1_0};
	std::optional<tls_ver> max_tls_ver_;   // no ceiling unless set_max_tls_ver() was called

	int socket_error_{}; // Set in the push and pull functions if reading/writing fails fatally
	bool socket_eof_{};

	bool initialized_{};   // see init()/deinit()
	bool server_{};

	bool write_blocked_by_send_buffer_{};

#if DEBUG_SOCKETEVENTS
	bool debug_can_read_{};
	bool debug_can_write_{};
#endif
};
207 
208 std::string read_certificates_file(native_string const& certsfile, logger_interface * logger);
209 
210 }
211 
212 #endif