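#ifndef LIBFILEZILLA_TLS_LAYER_IMPL_HEADER
#define LIBFILEZILLA_TLS_LAYER_IMPL_HEADER

// Private implementation header for fz::tls_layer on top of GnuTLS.
// Only tls_layer and its callback glue are expected to include this.

#include <cstddef>
#include <type_traits>

#if defined(_MSC_VER)
// MSVC has no ssize_t, but the GnuTLS transport callbacks declared below
// return one. <cstddef> and <type_traits> are included above so that this
// alias no longer depends on what the including translation unit happened
// to pull in first.
using ssize_t = std::make_signed_t<size_t>;
#endif

#include <gnutls/gnutls.h>
#include <gnutls/x509.h>

#include "libfilezilla/buffer.hpp"
#include "libfilezilla/logger.hpp"
#include "libfilezilla/socket.hpp"
#include "libfilezilla/tls_info.hpp"
#include "libfilezilla/tls_layer.hpp"

#include <optional>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

namespace fz {
class tls_system_trust_store;
class logger_interface;

// RAII owner for a GnuTLS-allocated array of X.509 certificates.
// The destructor deinitializes each certificate and then frees the array.
// Copying is deleted and no move operations are declared, so instances are
// neither copyable nor movable; pass them by reference.
struct cert_list_holder final
{
	cert_list_holder() = default;
	~cert_list_holder() {
		for (unsigned int i = 0; i < certs_size; ++i) {
			gnutls_x509_crt_deinit(certs[i]);
		}
		gnutls_free(certs);
	}

	cert_list_holder(cert_list_holder const&) = delete;
	cert_list_holder& operator=(cert_list_holder const&) = delete;

	gnutls_x509_crt_t * certs{};  // certs_size entries, or null when empty
	unsigned int certs_size{};
};

class tls_layer;

// GnuTLS-backed implementation behind fz::tls_layer.
// Drives the handshake, record I/O and shutdown on top of the underlying
// socket layer, and exposes certificate/session inspection helpers.
// tls_layer and tls_layerCallbacks are friends and reach into the private
// members directly.
class tls_layer_impl final
{
public:
	// systemTrustStore may be null (it is stored as a pointer); logger is required.
	tls_layer_impl(tls_layer& layer, tls_system_trust_store * systemTrustStore, logger_interface & logger);
	~tls_layer_impl();

	// Starts a client-side handshake.
	// session_to_resume: serialized session parameters (see get_session_parameters()).
	// session_hostname: name used for SNI / verification (stored via set_hostname()).
	// required_certificate: presumably a pinned peer certificate to compare
	//   against (kept in required_certificate_) — confirm against the .cpp.
	// verification_handler: receives verification events; the result is fed
	//   back through set_verification_result().
	bool client_handshake(std::vector<uint8_t> const& session_to_resume, native_string const& session_hostname, std::vector<uint8_t> const& required_certificate, event_handler * verification_handler);

	// Starts a server-side handshake. preamble is sent out just before the
	// handshake itself (see preamble_).
	bool server_handshake(std::vector<uint8_t> const& session_to_resume, std::string_view const& preamble);

	int connect(native_string const& host, unsigned int port, address_type family);

	// Record-layer I/O. The return value is the byte count or a failure
	// indicator, with the error code reported through `error`.
	int read(void *buffer, unsigned int size, int& error);
	int write(void const* buffer, unsigned int size, int& error);

	int shutdown();

	// Called by the verification handler once the application has decided
	// whether to trust the peer certificate chain.
	void set_verification_result(bool trusted);

	socket_state get_state() const {
		return state_;
	}

	// Serialized session data suitable for passing as session_to_resume.
	std::vector<uint8_t> get_session_parameters() const;
	std::vector<uint8_t> get_raw_certificate() const;

	// Negotiated parameter descriptions (human-readable strings).
	std::string get_protocol() const;
	std::string get_key_exchange() const;
	std::string get_cipher() const;
	std::string get_mac() const;
	int get_algorithm_warnings() const;

	bool resumed_session() const;

	static std::string list_tls_ciphers(std::string const& priority);

	// Loads the server/client certificate and key. The `pem` flag selects the
	// input encoding; `password` is the key password, if any.
	bool set_certificate_file(native_string const& keyfile, native_string const& certsfile, native_string const& password, bool pem);

	bool set_certificate(std::string_view const& key, std::string_view const& certs, native_string const& password, bool pem);

	static std::string get_gnutls_version();

	// GnuTLS transport callbacks. A fatal socket failure inside these is
	// recorded in socket_error_ (see below).
	ssize_t push_function(void const* data, size_t len);
	ssize_t pull_function(void* data, size_t len);

	// Both return a (key, certificate-or-CSR) pair as strings.
	static std::pair<std::string, std::string> generate_selfsigned_certificate(native_string const& password, std::string const& distinguished_name, std::vector<std::string> const& hostnames);
	static std::pair<std::string, std::string> generate_csr(native_string const& password, std::string const& distinguished_name, std::vector<std::string> const& hostnames, bool csr_as_pem);

	int shutdown_read();

	void set_event_handler(event_handler* pEvtHandler, fz::socket_event_flag retrigger_block);

	std::string get_alpn() const;
	native_string get_hostname() const;

	// Parses certificates from `in` into a freshly allocated GnuTLS array.
	// The caller takes ownership of certs/certs_size (cert_list_holder fits).
	// `sort` is an in/out flag; its exact meaning is defined in the .cpp.
	static int load_certificates(std::string_view const& in, bool pem, gnutls_x509_crt_t *& certs, unsigned int & certs_size, bool & sort);
	// Converts a GnuTLS certificate into the public x509_certificate type.
	// logger may be null (it is a pointer parameter).
	static bool extract_cert(gnutls_x509_crt_t const& cert, x509_certificate& out, bool last, logger_interface * logger);

	// Protocol version bounds applied to subsequent handshakes.
	void set_min_tls_ver(tls_ver ver);
	void set_max_tls_ver(tls_ver ver);

private:
	bool init();
	void deinit();

	bool init_session(bool client);
	void deinit_session();

	// Resume partially completed operations once the socket is ready again.
	int continue_write();
	int continue_handshake();
	int continue_shutdown();

	// Peer certificate verification; the int result is a GnuTLS-style code.
	int verify_certificate();
	bool certificate_is_blacklisted(cert_list_holder const& certificates);
	bool certificate_is_blacklisted(gnutls_x509_crt_t const& cert);

	void log_error(int code, std::wstring const& function, logmsg::type logLevel = logmsg::error);
	void log_alert(logmsg::type logLevel);

	// Failure logs the error, uninits the session and sends a close event
	void failure(int code, bool send_close, std::wstring const& function = std::wstring());

	int do_call_gnutls_record_recv(void* data, size_t len);

	// Event dispatch from the underlying socket layer.
	void operator()(event_base const& ev);
	void on_socket_event(socket_event_source* source, socket_event_flag t, int error);
	void forward_hostaddress_event(socket_event_source* source, std::string const& address);

	void on_read();
	void on_send();

	bool get_sorted_peer_certificates(gnutls_x509_crt_t *& certs, unsigned int & certs_size);

	static std::vector<x509_certificate::subject_name> get_cert_subject_alt_names(gnutls_x509_crt_t cert);

	void log_verification_error(int status);

	void set_hostname(native_string const& host);

	// Client mode is inferred from the absence of a session ticket key.
	// NOTE(review): a separate server_ flag also exists below; confirm the
	// two cannot disagree.
	bool is_client() const {
		return ticket_key_.empty();
	}

	bool do_set_alpn();

	tls_layer& tls_layer_;

	logger_interface & logger_;

	gnutls_session_t session_{};

	// Server-side session ticket key; empty on clients (see is_client()).
	std::vector<uint8_t> ticket_key_;
	std::vector<uint8_t> session_db_key_;
	std::vector<uint8_t> session_db_data_;

	gnutls_certificate_credentials_t cert_credentials_{};

	std::vector<std::string> alpn_;

	socket_state state_{};

	bool handshake_successful_{};
	bool sent_closure_alert_{};

	bool can_read_from_socket_{false};
	bool can_write_to_socket_{false};

	bool shutdown_silence_read_errors_{true};

	// gnutls_record_send has strange semantics, it needs to be called again
	// with either 0 data and 0 length after GNUTLS_E_AGAIN, to actually send
	// previously queued data. We unfortunately do not know how much data has
	// been queued and thus need to make a copy of the input up to
	// gnutls_record_get_max_size()
	buffer send_buffer_;

	// Sent out just before the handshake itself
	buffer preamble_;

	// Certificate passed to client_handshake(); see that declaration.
	std::vector<uint8_t> required_certificate_;

	friend class tls_layer;
	friend class tls_layerCallbacks;

	native_string hostname_;

	tls_system_trust_store* system_trust_store_{};

	event_handler * verification_handler_{};

	// Default floor is TLS 1.0. TLS 1.0 and 1.1 are deprecated (RFC 8996);
	// callers that want a stricter floor must raise it via set_min_tls_ver().
	tls_ver min_tls_ver_{tls_ver::v1_0};
	// No explicit ceiling unless set_max_tls_ver() was called.
	std::optional<tls_ver> max_tls_ver_;

	int socket_error_{}; // Set in the push and pull functions if reading/writing fails fatally
	bool socket_eof_{};

	bool initialized_{};
	bool server_{};

	bool write_blocked_by_send_buffer_{};

#if DEBUG_SOCKETEVENTS
	bool debug_can_read_{};
	bool debug_can_write_{};
#endif
};

// Reads the contents of certsfile into a string. logger is a pointer and
// may therefore be null; whether it is dereferenced unconditionally is
// defined in the .cpp.
std::string read_certificates_file(native_string const& certsfile, logger_interface * logger);

}

#endif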