25#include <unordered_set>
28#include <fmt/format.h>
31#include <seastar/core/future.hh>
32#include <seastar/core/internal/api-level.hh>
33#include <seastar/core/sstring.hh>
34#include <seastar/core/shared_ptr.hh>
35#include <seastar/net/socket_defs.hh>
36#include <seastar/net/inet_address.hh>
37#include <seastar/util/std-compat.hh>
38#include <seastar/util/modules.hh>
39#include <seastar/net/api.hh>
46class connected_socket;
62 enum class x509_crt_format {
67 typedef std::basic_string_view<char> blob;
71 class server_credentials;
72 class certificate_credentials;
73 class credentials_builder;
105 std::unique_ptr<impl> _impl;
126 virtual void set_x509_trust(
const blob&, x509_crt_format) = 0;
127 virtual void set_x509_crl(
const blob&, x509_crt_format) = 0;
128 virtual void set_x509_key(
const blob& cert,
const blob& key, x509_crt_format) = 0;
130 virtual void set_simple_pkcs12(
const blob&, x509_crt_format,
const sstring& password) = 0;
132 virtual future<> set_x509_trust_file(
const sstring& cafile, x509_crt_format);
133 virtual future<> set_x509_crl_file(
const sstring& crlfile, x509_crt_format);
134 virtual future<> set_x509_key_file(
const sstring& cf,
const sstring& kf, x509_crt_format);
136 virtual future<> set_simple_pkcs12_file(
const sstring& pkcs12file, x509_crt_format,
const sstring& password);
139 template<
typename Base>
180 void set_x509_trust(
const blob&, x509_crt_format)
override;
181 void set_x509_crl(
const blob&, x509_crt_format)
override;
182 void set_x509_key(
const blob& cert,
const blob& key, x509_crt_format)
override;
183 void set_simple_pkcs12(
const blob&, x509_crt_format,
const sstring& password)
override;
226 friend class session;
227 friend class server_session;
230 template<
typename Base>
238 using runtime_error::runtime_error;
241 enum class client_auth {
242 NONE, REQUEST, REQUIRE
250 NONE, TLS13_SESSION_TICKET
269 void set_client_auth(client_auth);
280 class reloadable_credentials_base;
282 using reload_callback = std::function<void(
const std::unordered_set<sstring>&, std::exception_ptr)>;
296 void set_dh_level(dh_params::level = dh_params::level::LEGACY);
298 void set_x509_trust(
const blob&, x509_crt_format)
override ;
299 void set_x509_crl(
const blob&, x509_crt_format)
override;
300 void set_x509_key(
const blob& cert,
const blob& key, x509_crt_format)
override;
301 void set_simple_pkcs12(
const blob&, x509_crt_format,
const sstring& password)
override;
303 future<> set_x509_trust_file(
const sstring& cafile, x509_crt_format)
override;
304 future<> set_x509_crl_file(
const sstring& crlfile, x509_crt_format)
override;
305 future<> set_x509_key_file(
const sstring& cf,
const sstring& kf, x509_crt_format)
override;
306 future<> set_simple_pkcs12_file(
const sstring& pkcs12file, x509_crt_format,
const sstring& password)
override;
309 void set_client_auth(client_auth);
310 void set_priority_string(
const sstring&);
323 friend class reloadable_credentials_base;
325 std::multimap<sstring, std::any> _blobs;
326 client_auth _client_auth = client_auth::NONE;
331 using session_data = std::vector<uint8_t>;
356 [[deprecated(
"Use overload with tls_options parameter")]]
358 [[deprecated(
"Use overload with tls_options parameter")]]
386 [[deprecated(
"Use overload with tls_options parameter")]]
410 [[deprecated(
"Use overload with tls_options parameter")]]
462 using value_type = std::variant<
502 std::ostream& operator<<(std::ostream&,
const subject_alt_name::value_type&);
534 extern const int ERROR_UNKNOWN_CIPHER_TYPE;
535 extern const int ERROR_INVALID_SESSION;
536 extern const int ERROR_UNEXPECTED_HANDSHAKE_PACKET;
537 extern const int ERROR_UNKNOWN_CIPHER_SUITE;
538 extern const int ERROR_UNKNOWN_ALGORITHM;
539 extern const int ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;
540 extern const int ERROR_SAFE_RENEGOTIATION_FAILED;
541 extern const int ERROR_UNSAFE_RENEGOTIATION_DENIED;
542 extern const int ERROR_UNKNOWN_SRP_USERNAME;
543 extern const int ERROR_PREMATURE_TERMINATION;
544 extern const int ERROR_PUSH;
545 extern const int ERROR_PULL;
546 extern const int ERROR_UNEXPECTED_PACKET;
547 extern const int ERROR_UNSUPPORTED_VERSION;
548 extern const int ERROR_NO_CIPHER_SUITES;
549 extern const int ERROR_DECRYPTION_FAILED;
550 extern const int ERROR_MAC_VERIFY_FAILED;
554template <>
struct fmt::formatter<
seastar::tls::subject_alt_name_type> : fmt::formatter<string_view> {
555 template <
typename FormatContext>
557 return formatter<string_view>::format(format_as(type), ctx);
561template <>
struct fmt::formatter<
seastar::tls::subject_alt_name::value_type> : fmt::formatter<string_view> {
562 template <
typename FormatContext>
563 auto format(
const seastar::tls::subject_alt_name::value_type& value, FormatContext& ctx)
const {
565 return fmt::format_to(ctx.out(),
"{}", v);
570template <>
struct fmt::formatter<
seastar::tls::subject_alt_name> : fmt::formatter<string_view> {
571 template <
typename FormatContext>
573 return fmt::format_to(ctx.out(),
"{}={}", name.type, name.value);