Seastar
High performance C++ framework for concurrent servers
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Modules Pages
tls.hh
1/*
2 * This file is open source software, licensed to you under the terms
3 * of the Apache License, Version 2.0 (the "License"). See the NOTICE file
4 * distributed with this work for additional information regarding copyright
5 * ownership. You may not use this file except in compliance with the License.
6 *
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing,
12 * software distributed under the License is distributed on an
13 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14 * KIND, either express or implied. See the License for the
15 * specific language governing permissions and limitations
16 * under the License.
17 */
18/*
19 * Copyright 2015 Cloudius Systems
20 */
21#pragma once
22
23#ifndef SEASTAR_MODULE
24#include <functional>
25#include <unordered_set>
26#include <map>
27#include <any>
28#include <fmt/format.h>
29#endif
30
31#include <seastar/core/future.hh>
32#include <seastar/core/internal/api-level.hh>
33#include <seastar/core/sstring.hh>
34#include <seastar/core/shared_ptr.hh>
35#include <seastar/net/socket_defs.hh>
36#include <seastar/net/inet_address.hh>
37#include <seastar/util/std-compat.hh>
38#include <seastar/util/modules.hh>
39#include <seastar/net/api.hh>
40
41namespace seastar {
42
43class socket;
44
45class server_socket;
46class connected_socket;
47class socket_address;
48
59SEASTAR_MODULE_EXPORT
60namespace tls {
61
62 enum class x509_crt_format {
63 DER,
64 PEM,
65 };
66
67 typedef std::basic_string_view<char> blob;
68
69 class session;
70 class server_session;
71 class server_credentials;
72 class certificate_credentials;
73 class credentials_builder;
74
79 class dh_params {
80 public:
81 // Key strength
82 enum class level {
83 LEGACY = 2,
84 MEDIUM = 3,
85 HIGH = 4,
86 ULTRA = 5
87 };
88 dh_params(level = level::LEGACY);
89 // loads a key from data
90 dh_params(const blob&, x509_crt_format);
91 ~dh_params();
92
93 dh_params(dh_params&&) noexcept;
94 dh_params& operator=(dh_params&&) noexcept;
95
96 dh_params(const dh_params&) = delete;
97 dh_params& operator=(const dh_params&) = delete;
98
100 static future<dh_params> from_file(const sstring&, x509_crt_format);
101 private:
102 class impl;
103 friend class server_credentials;
104 friend class certificate_credentials;
105 std::unique_ptr<impl> _impl;
106 };
107
108 class x509_cert {
109 x509_cert(const blob&, x509_crt_format);
110
111 static future<x509_cert> from_file(const sstring&, x509_crt_format);
112 private:
113 class impl;
115 shared_ptr<impl> _impl;
116 };
117
119 protected:
120 abstract_credentials() = default;
122 abstract_credentials& operator=(abstract_credentials&) = default;
123 abstract_credentials& operator=(abstract_credentials&&) = default;
124 virtual ~abstract_credentials() {};
125 public:
126 virtual void set_x509_trust(const blob&, x509_crt_format) = 0;
127 virtual void set_x509_crl(const blob&, x509_crt_format) = 0;
128 virtual void set_x509_key(const blob& cert, const blob& key, x509_crt_format) = 0;
129
130 virtual void set_simple_pkcs12(const blob&, x509_crt_format, const sstring& password) = 0;
131
132 virtual future<> set_x509_trust_file(const sstring& cafile, x509_crt_format);
133 virtual future<> set_x509_crl_file(const sstring& crlfile, x509_crt_format);
134 virtual future<> set_x509_key_file(const sstring& cf, const sstring& kf, x509_crt_format);
135
136 virtual future<> set_simple_pkcs12_file(const sstring& pkcs12file, x509_crt_format, const sstring& password);
137 };
138
139 template<typename Base>
141
147 enum class session_type {
148 CLIENT, SERVER,
149 };
150
158 using dn_callback = noncopyable_function<void(session_type type, sstring subject, sstring issuer)>;
159
170 public:
173
176
178 certificate_credentials& operator=(const certificate_credentials&) = delete;
179
180 void set_x509_trust(const blob&, x509_crt_format) override;
181 void set_x509_crl(const blob&, x509_crt_format) override;
182 void set_x509_key(const blob& cert, const blob& key, x509_crt_format) override;
183 void set_simple_pkcs12(const blob&, x509_crt_format, const sstring& password) override;
184
190
191 // TODO add methods for certificate verification
192
199 void set_priority_string(const sstring&);
200
223
224 private:
225 class impl;
226 friend class session;
227 friend class server_session;
228 friend class server_credentials;
229 friend class credentials_builder;
230 template<typename Base>
231 friend class reloadable_credentials;
232 shared_ptr<impl> _impl;
233 };
234
236 class verification_error : public std::runtime_error {
237 public:
238 using runtime_error::runtime_error;
239 };
240
241 enum class client_auth {
242 NONE, REQUEST, REQUIRE
243 };
244
250 NONE, TLS13_SESSION_TICKET
251 };
252
258 public:
262
264 server_credentials& operator=(server_credentials&&) noexcept;
265
266 server_credentials(const server_credentials&) = delete;
267 server_credentials& operator=(const server_credentials&) = delete;
268
269 void set_client_auth(client_auth);
270
278 };
279
280 class reloadable_credentials_base;
281
282 using reload_callback = std::function<void(const std::unordered_set<sstring>&, std::exception_ptr)>;
283
295 public:
296 void set_dh_level(dh_params::level = dh_params::level::LEGACY);
297
298 void set_x509_trust(const blob&, x509_crt_format) override ;
299 void set_x509_crl(const blob&, x509_crt_format) override;
300 void set_x509_key(const blob& cert, const blob& key, x509_crt_format) override;
301 void set_simple_pkcs12(const blob&, x509_crt_format, const sstring& password) override;
302
303 future<> set_x509_trust_file(const sstring& cafile, x509_crt_format) override;
304 future<> set_x509_crl_file(const sstring& crlfile, x509_crt_format) override;
305 future<> set_x509_key_file(const sstring& cf, const sstring& kf, x509_crt_format) override;
306 future<> set_simple_pkcs12_file(const sstring& pkcs12file, x509_crt_format, const sstring& password) override;
307
308 future<> set_system_trust();
309 void set_client_auth(client_auth);
310 void set_priority_string(const sstring&);
311 void set_session_resume_mode(session_resume_mode);
312
313 void apply_to(certificate_credentials&) const;
314
315 shared_ptr<certificate_credentials> build_certificate_credentials() const;
316 shared_ptr<server_credentials> build_server_credentials() const;
317
318 // same as above, but any files used for certs/keys etc will be watched
319 // for modification and reloaded if changed
320 future<shared_ptr<certificate_credentials>> build_reloadable_certificate_credentials(reload_callback = {}, std::optional<std::chrono::milliseconds> tolerance = {}) const;
321 future<shared_ptr<server_credentials>> build_reloadable_server_credentials(reload_callback = {}, std::optional<std::chrono::milliseconds> tolerance = {}) const;
322 private:
323 friend class reloadable_credentials_base;
324
325 std::multimap<sstring, std::any> _blobs;
326 client_auth _client_auth = client_auth::NONE;
327 session_resume_mode _session_resume_mode = session_resume_mode::NONE;
328 sstring _priority;
329 };
330
331 using session_data = std::vector<uint8_t>;
332
334 struct tls_options {
338 sstring server_name = {};
339
343 };
344
356 [[deprecated("Use overload with tls_options parameter")]]
358 [[deprecated("Use overload with tls_options parameter")]]
361
374
386 [[deprecated("Use overload with tls_options parameter")]]
389
401
410 [[deprecated("Use overload with tls_options parameter")]]
414
423
432 // Wraps an existing server socket in SSL
435
447
452 dnsname = 1, // string value representing a 'DNS' entry
453 rfc822name, // string value representing an 'email' entry
454 uri, // string value representing an 'uri' entry
455 ipaddress, // inet_address value representing an 'IP' entry
456 othername, // string value
457 dn, // string value
458 };
459
460 // Subject alt name entry
462 using value_type = std::variant<
463 sstring,
465 >;
467 value_type value;
468 };
469
478 future<std::vector<subject_alt_name>> get_alt_name_information(connected_socket& socket, std::unordered_set<subject_alt_name_type> types = {});
479
488
501
502 std::ostream& operator<<(std::ostream&, const subject_alt_name::value_type&);
503 std::ostream& operator<<(std::ostream&, const subject_alt_name&);
504
520 std::ostream& operator<<(std::ostream&, subject_alt_name_type);
521
527 const std::error_category& error_category();
528
534 extern const int ERROR_UNKNOWN_CIPHER_TYPE;
535 extern const int ERROR_INVALID_SESSION;
536 extern const int ERROR_UNEXPECTED_HANDSHAKE_PACKET;
537 extern const int ERROR_UNKNOWN_CIPHER_SUITE;
538 extern const int ERROR_UNKNOWN_ALGORITHM;
539 extern const int ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;
540 extern const int ERROR_SAFE_RENEGOTIATION_FAILED;
541 extern const int ERROR_UNSAFE_RENEGOTIATION_DENIED;
542 extern const int ERROR_UNKNOWN_SRP_USERNAME;
543 extern const int ERROR_PREMATURE_TERMINATION;
544 extern const int ERROR_PUSH;
545 extern const int ERROR_PULL;
546 extern const int ERROR_UNEXPECTED_PACKET;
547 extern const int ERROR_UNSUPPORTED_VERSION;
548 extern const int ERROR_NO_CIPHER_SUITES;
549 extern const int ERROR_DECRYPTION_FAILED;
550 extern const int ERROR_MAC_VERIFY_FAILED;
551}
552}
553
554template <> struct fmt::formatter<seastar::tls::subject_alt_name_type> : fmt::formatter<string_view> {
555 template <typename FormatContext>
556 auto format(seastar::tls::subject_alt_name_type type, FormatContext& ctx) const {
557 return formatter<string_view>::format(format_as(type), ctx);
558 }
559};
560
561template <> struct fmt::formatter<seastar::tls::subject_alt_name::value_type> : fmt::formatter<string_view> {
562 template <typename FormatContext>
563 auto format(const seastar::tls::subject_alt_name::value_type& value, FormatContext& ctx) const {
564 return std::visit([&](const auto& v) {
565 return fmt::format_to(ctx.out(), "{}", v);
566 }, value);
567 }
568};
569
570template <> struct fmt::formatter<seastar::tls::subject_alt_name> : fmt::formatter<string_view> {
571 template <typename FormatContext>
572 auto format(const seastar::tls::subject_alt_name& name, FormatContext& ctx) const {
573 return fmt::format_to(ctx.out(), "{}={}", name.type, name.value);
574 }
575};
Definition: api.hh:183
A representation of a possibly not-yet-computed value.
Definition: future.hh:1240
Definition: inet_address.hh:50
A listening socket, waiting to accept incoming network connections.
Definition: api.hh:326
Definition: socket_defs.hh:47
Definition: api.hh:283
void set_priority_string(const sstring &)
void set_dn_verification_callback(dn_callback)
Definition: tls.hh:294
Definition: tls.hh:79
static future< dh_params > from_file(const sstring &, x509_crt_format)
Definition: tls.hh:257
void set_session_resume_mode(session_resume_mode)
Definition: tls.hh:236
Definition: tls.hh:108
auto visit(Variant &&variant, Args &&... args)
Definition: variant_utils.hh:68
holds the implementation parts of the metrics layer, do not use directly.
sstring server_name
server name to be used for the SNI TLS extension
Definition: tls.hh:338
future< connected_socket > wrap_client(shared_ptr< certificate_credentials >, connected_socket &&, sstring name)
session_type
Definition: tls.hh:147
std::string_view format_as(subject_alt_name_type)
session_resume_mode
Definition: tls.hh:249
subject_alt_name_type
Definition: tls.hh:451
future< session_data > get_session_resume_data(connected_socket &)
session_data session_resume_data
Optional session resume data. Must be retrieved via get_session_resume_data below.
Definition: tls.hh:342
future< std::optional< session_dn > > get_dn_information(connected_socket &socket)
bool wait_for_eof_on_shutdown
whether to wait for EOF from server on session termination
Definition: tls.hh:336
future< std::vector< subject_alt_name > > get_alt_name_information(connected_socket &socket, std::unordered_set< subject_alt_name_type > types={})
::seastar::socket socket(shared_ptr< certificate_credentials >, sstring name)
const std::error_category & error_category()
future< connected_socket > connect(shared_ptr< certificate_credentials >, socket_address, sstring name)
server_socket listen(shared_ptr< server_credentials >, socket_address sa, listen_options opts=listen_options())
const int ERROR_UNKNOWN_COMPRESSION_ALGORITHM
future< bool > check_session_is_resumed(connected_socket &socket)
Definition: tls.hh:461
TLS configuration options.
Definition: tls.hh:334
Seastar API namespace.
Definition: abort_on_ebadf.hh:26
Definition: noncopyable_function.hh:37
Definition: api.hh:397