Seastar
High performance C++ framework for concurrent servers
All Classes Namespaces Files Functions Variables Typedefs Enumerations Enumerator Friends Modules Pages
tls.hh
1/*
2 * This file is open source software, licensed to you under the terms
3 * of the Apache License, Version 2.0 (the "License"). See the NOTICE file
4 * distributed with this work for additional information regarding copyright
5 * ownership. You may not use this file except in compliance with the License.
6 *
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing,
12 * software distributed under the License is distributed on an
13 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14 * KIND, either express or implied. See the License for the
15 * specific language governing permissions and limitations
16 * under the License.
17 */
18/*
19 * Copyright 2015 Cloudius Systems
20 */
21#pragma once
22
23#ifndef SEASTAR_MODULE
24#include <functional>
25#include <unordered_set>
26#include <map>
27#include <any>
28#include <fmt/format.h>
29#endif
30
31#include <seastar/core/future.hh>
32#include <seastar/core/internal/api-level.hh>
33#include <seastar/core/sstring.hh>
34#include <seastar/core/shared_ptr.hh>
35#include <seastar/net/socket_defs.hh>
36#include <seastar/net/inet_address.hh>
37#include <seastar/util/std-compat.hh>
38#include <seastar/util/modules.hh>
39#include <seastar/net/api.hh>
40
41namespace seastar {
42
43class socket;
44
45class server_socket;
46class connected_socket;
47class socket_address;
48
59SEASTAR_MODULE_EXPORT
60namespace tls {
61
62 enum class x509_crt_format {
63 DER,
64 PEM,
65 };
66
67 typedef std::basic_string_view<char> blob;
68
69 class session;
70 class server_session;
71 class server_credentials;
72 class certificate_credentials;
73 class credentials_builder;
74
79 class dh_params {
80 public:
81 // Key strength
82 enum class level {
83 LEGACY = 2,
84 MEDIUM = 3,
85 HIGH = 4,
86 ULTRA = 5
87 };
88 dh_params(level = level::LEGACY);
89 // loads a key from data
90 dh_params(const blob&, x509_crt_format);
91 ~dh_params();
92
93 dh_params(dh_params&&) noexcept;
94 dh_params& operator=(dh_params&&) noexcept;
95
96 dh_params(const dh_params&) = delete;
97 dh_params& operator=(const dh_params&) = delete;
98
100 static future<dh_params> from_file(const sstring&, x509_crt_format);
101 private:
102 class impl;
103 friend class server_credentials;
104 friend class certificate_credentials;
105 std::unique_ptr<impl> _impl;
106 };
107
108 class x509_cert {
109 x509_cert(const blob&, x509_crt_format);
110
111 static future<x509_cert> from_file(const sstring&, x509_crt_format);
112 private:
113 class impl;
114 x509_cert(shared_ptr<impl>);
115 shared_ptr<impl> _impl;
116 };
117
118 class abstract_credentials {
119 protected:
120 abstract_credentials() = default;
121 abstract_credentials(const abstract_credentials&) = default;
122 abstract_credentials& operator=(abstract_credentials&) = default;
123 abstract_credentials& operator=(abstract_credentials&&) = default;
124 virtual ~abstract_credentials() {};
125 public:
126 virtual void set_x509_trust(const blob&, x509_crt_format) = 0;
127 virtual void set_x509_crl(const blob&, x509_crt_format) = 0;
128 virtual void set_x509_key(const blob& cert, const blob& key, x509_crt_format) = 0;
129
130 virtual void set_simple_pkcs12(const blob&, x509_crt_format, const sstring& password) = 0;
131
132 virtual future<> set_x509_trust_file(const sstring& cafile, x509_crt_format);
133 virtual future<> set_x509_crl_file(const sstring& crlfile, x509_crt_format);
134 virtual future<> set_x509_key_file(const sstring& cf, const sstring& kf, x509_crt_format);
135
136 virtual future<> set_simple_pkcs12_file(const sstring& pkcs12file, x509_crt_format, const sstring& password);
137 };
138
139 template<typename Base>
140 class reloadable_credentials;
141
147 enum class session_type {
148 CLIENT, SERVER,
149 };
150
158 using dn_callback = noncopyable_function<void(session_type type, sstring subject, sstring issuer)>;
159
169 class certificate_credentials : public abstract_credentials {
170 public:
171 certificate_credentials();
172 ~certificate_credentials();
173
174 certificate_credentials(certificate_credentials&&) noexcept;
175 certificate_credentials& operator=(certificate_credentials&&) noexcept;
176
177 certificate_credentials(const certificate_credentials&) = delete;
178 certificate_credentials& operator=(const certificate_credentials&) = delete;
179
180 void set_x509_trust(const blob&, x509_crt_format) override;
181 void set_x509_crl(const blob&, x509_crt_format) override;
182 void set_x509_key(const blob& cert, const blob& key, x509_crt_format) override;
183 void set_simple_pkcs12(const blob&, x509_crt_format, const sstring& password) override;
184
189 future<> set_system_trust();
190
191 // TODO add methods for certificate verification
192
199 void set_priority_string(const sstring&);
200
222 void set_dn_verification_callback(dn_callback);
223
227 void set_enable_certificate_verification(bool enable);
228
229 private:
230 class impl;
231 friend class session;
232 friend class server_session;
233 friend class server_credentials;
234 friend class credentials_builder;
235 template<typename Base>
236 friend class reloadable_credentials;
237 shared_ptr<impl> _impl;
238 };
239
241 class verification_error : public std::runtime_error {
242 public:
243 using runtime_error::runtime_error;
244 };
245
246 enum class client_auth {
247 NONE, REQUEST, REQUIRE
248 };
249
254 enum class session_resume_mode {
255 NONE, TLS13_SESSION_TICKET
256 };
257
262 class server_credentials : public certificate_credentials {
263 public:
264 server_credentials();
265 server_credentials(shared_ptr<dh_params>);
266 server_credentials(const dh_params&);
267
268 server_credentials(server_credentials&&) noexcept;
269 server_credentials& operator=(server_credentials&&) noexcept;
270
271 server_credentials(const server_credentials&) = delete;
272 server_credentials& operator=(const server_credentials&) = delete;
273
274 void set_client_auth(client_auth);
275
282 void set_session_resume_mode(session_resume_mode);
283 };
284
285 class reloadable_credentials_base;
286 class credentials_builder;
287
288 using reload_callback = std::function<void(const std::unordered_set<sstring>&, std::exception_ptr)>;
289 using reload_callback_ex = std::function<future<>(const credentials_builder&, const std::unordered_set<sstring>&, std::exception_ptr)>;
290
301 class credentials_builder : public abstract_credentials {
302 public:
303 void set_dh_level(dh_params::level = dh_params::level::LEGACY);
304
305 void set_x509_trust(const blob&, x509_crt_format) override ;
306 void set_x509_crl(const blob&, x509_crt_format) override;
307 void set_x509_key(const blob& cert, const blob& key, x509_crt_format) override;
308 void set_simple_pkcs12(const blob&, x509_crt_format, const sstring& password) override;
309
310 future<> set_x509_trust_file(const sstring& cafile, x509_crt_format) override;
311 future<> set_x509_crl_file(const sstring& crlfile, x509_crt_format) override;
312 future<> set_x509_key_file(const sstring& cf, const sstring& kf, x509_crt_format) override;
313 future<> set_simple_pkcs12_file(const sstring& pkcs12file, x509_crt_format, const sstring& password) override;
314
315 future<> set_system_trust();
316 void set_client_auth(client_auth);
317 void set_priority_string(const sstring&);
318 void set_session_resume_mode(session_resume_mode);
319
320 void apply_to(certificate_credentials&) const;
321
322 shared_ptr<certificate_credentials> build_certificate_credentials() const;
323 shared_ptr<server_credentials> build_server_credentials() const;
324
325 void rebuild(certificate_credentials&) const;
326 void rebuild(server_credentials&) const;
327
328 // same as above, but any files used for certs/keys etc will be watched
329 // for modification and reloaded if changed
330 future<shared_ptr<certificate_credentials>> build_reloadable_certificate_credentials(reload_callback_ex = {}, std::optional<std::chrono::milliseconds> tolerance = {}) const;
331 future<shared_ptr<server_credentials>> build_reloadable_server_credentials(reload_callback_ex = {}, std::optional<std::chrono::milliseconds> tolerance = {}) const;
332
333 future<shared_ptr<certificate_credentials>> build_reloadable_certificate_credentials(reload_callback, std::optional<std::chrono::milliseconds> tolerance = {}) const;
334 future<shared_ptr<server_credentials>> build_reloadable_server_credentials(reload_callback, std::optional<std::chrono::milliseconds> tolerance = {}) const;
335 private:
336 friend class reloadable_credentials_base;
337
338 std::multimap<sstring, std::any> _blobs;
339 client_auth _client_auth = client_auth::NONE;
340 session_resume_mode _session_resume_mode = session_resume_mode::NONE;
341 sstring _priority;
342 };
343
344 using session_data = std::vector<uint8_t>;
345
347 struct tls_options {
349 bool wait_for_eof_on_shutdown = true;
351 sstring server_name = {};
352
355 bool verify_certificate = true;
356
359 session_data session_resume_data;
360 };
361
373 [[deprecated("Use overload with tls_options parameter")]]
374 future<connected_socket> connect(shared_ptr<certificate_credentials>, socket_address, sstring name);
375 [[deprecated("Use overload with tls_options parameter")]]
376 future<connected_socket> connect(shared_ptr<certificate_credentials>, socket_address, socket_address local, sstring name);
378
388 future<connected_socket> connect(shared_ptr<certificate_credentials>, socket_address, tls_options option = {});
389 future<connected_socket> connect(shared_ptr<certificate_credentials>, socket_address, socket_address local, tls_options options = {});
391
403 [[deprecated("Use overload with tls_options parameter")]]
404 ::seastar::socket socket(shared_ptr<certificate_credentials>, sstring name);
406
416 ::seastar::socket socket(shared_ptr<certificate_credentials>, tls_options options = {});
418
427 [[deprecated("Use overload with tls_options parameter")]]
428 future<connected_socket> wrap_client(shared_ptr<certificate_credentials>, connected_socket&&, sstring name);
429 future<connected_socket> wrap_server(shared_ptr<server_credentials>, connected_socket&&);
431
438 future<connected_socket> wrap_client(shared_ptr<certificate_credentials>, connected_socket&&, tls_options options = {});
440
448 server_socket listen(shared_ptr<server_credentials>, socket_address sa, listen_options opts = listen_options());
449 // Wraps an existing server socket in SSL
450 server_socket listen(shared_ptr<server_credentials>, server_socket);
452
463 future<std::optional<session_dn>> get_dn_information(connected_socket& socket);
464
468 enum class subject_alt_name_type {
469 dnsname = 1, // string value representing a 'DNS' entry
470 rfc822name, // string value representing an 'email' entry
471 uri, // string value representing an 'uri' entry
472 ipaddress, // inet_address value representing an 'IP' entry
473 othername, // string value
474 dn, // string value
475 };
476
477 // Subject alt name entry
478 struct subject_alt_name {
479 using value_type = std::variant<
480 sstring,
481 net::inet_address
482 >;
483 subject_alt_name_type type;
484 value_type value;
485 };
486
495 future<std::vector<subject_alt_name>> get_alt_name_information(connected_socket& socket, std::unordered_set<subject_alt_name_type> types = {});
496
497 using certificate_data = std::vector<uint8_t>;
498
508 future<std::vector<certificate_data>> get_peer_certificate_chain(connected_socket& socket);
509
517 future<bool> check_session_is_resumed(connected_socket& socket);
518
530 future<session_data> get_session_resume_data(connected_socket&);
531
532 std::ostream& operator<<(std::ostream&, const subject_alt_name::value_type&);
533 std::ostream& operator<<(std::ostream&, const subject_alt_name&);
534
549 std::string_view format_as(subject_alt_name_type);
550 std::ostream& operator<<(std::ostream&, subject_alt_name_type);
551
557 const std::error_category& error_category();
558
563 extern const int ERROR_UNKNOWN_COMPRESSION_ALGORITHM;
564 extern const int ERROR_UNKNOWN_CIPHER_TYPE;
565 extern const int ERROR_INVALID_SESSION;
566 extern const int ERROR_UNEXPECTED_HANDSHAKE_PACKET;
567 extern const int ERROR_UNKNOWN_CIPHER_SUITE;
568 extern const int ERROR_UNKNOWN_ALGORITHM;
569 extern const int ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;
570 extern const int ERROR_SAFE_RENEGOTIATION_FAILED;
571 extern const int ERROR_UNSAFE_RENEGOTIATION_DENIED;
572 extern const int ERROR_UNKNOWN_SRP_USERNAME;
573 extern const int ERROR_PREMATURE_TERMINATION;
574 extern const int ERROR_PUSH;
575 extern const int ERROR_PULL;
576 extern const int ERROR_UNEXPECTED_PACKET;
577 extern const int ERROR_UNSUPPORTED_VERSION;
578 extern const int ERROR_NO_CIPHER_SUITES;
579 extern const int ERROR_DECRYPTION_FAILED;
580 extern const int ERROR_MAC_VERIFY_FAILED;
581}
582}
583
584template <> struct fmt::formatter<seastar::tls::subject_alt_name_type> : fmt::formatter<string_view> {
585 template <typename FormatContext>
586 auto format(seastar::tls::subject_alt_name_type type, FormatContext& ctx) const {
587 return formatter<string_view>::format(format_as(type), ctx);
588 }
589};
590
591template <> struct fmt::formatter<seastar::tls::subject_alt_name::value_type> : fmt::formatter<string_view> {
592 template <typename FormatContext>
593 auto format(const seastar::tls::subject_alt_name::value_type& value, FormatContext& ctx) const {
594 return std::visit([&](const auto& v) {
595 return fmt::format_to(ctx.out(), "{}", v);
596 }, value);
597 }
598};
599
600template <> struct fmt::formatter<seastar::tls::subject_alt_name> : fmt::formatter<string_view> {
601 template <typename FormatContext>
602 auto format(const seastar::tls::subject_alt_name& name, FormatContext& ctx) const {
603 return fmt::format_to(ctx.out(), "{}={}", name.type, name.value);
604 }
605};
seastar::connected_socket
Definition: api.hh:183
seastar::future
A representation of a possibly not-yet-computed value.
Definition: future.hh:1197
seastar::net::inet_address
Definition: inet_address.hh:50
seastar::server_socket
A listening socket, waiting to accept incoming network connections.
Definition: api.hh:326
seastar::shared_ptr< impl >
seastar::socket_address
Definition: socket_defs.hh:47
seastar::socket
Definition: api.hh:283
seastar::tls::abstract_credentials
Definition: tls.hh:118
seastar::tls::certificate_credentials
Definition: tls.hh:169
seastar::tls::certificate_credentials::set_priority_string
void set_priority_string(const sstring &)
seastar::tls::certificate_credentials::set_enable_certificate_verification
void set_enable_certificate_verification(bool enable)
seastar::tls::certificate_credentials::set_system_trust
future set_system_trust()
seastar::tls::certificate_credentials::set_dn_verification_callback
void set_dn_verification_callback(dn_callback)
seastar::tls::credentials_builder
Definition: tls.hh:301
seastar::tls::dh_params
Definition: tls.hh:79
seastar::tls::dh_params::from_file
static future< dh_params > from_file(const sstring &, x509_crt_format)
seastar::tls::server_credentials
Definition: tls.hh:262
seastar::tls::server_credentials::set_session_resume_mode
void set_session_resume_mode(session_resume_mode)
seastar::tls::verification_error
Definition: tls.hh:241
seastar::tls::x509_cert
Definition: tls.hh:108
seastar::visit
auto visit(Variant &&variant, Args &&... args)
Definition: variant_utils.hh:68
impl
holds the implementation parts of the metrics layer, do not use directly.
seastar::tls::tls_options::server_name
sstring server_name
server name to be used for the SNI TLS extension
Definition: tls.hh:351
seastar::tls::get_peer_certificate_chain
future< std::vector< certificate_data > > get_peer_certificate_chain(connected_socket &socket)
seastar::tls::wrap_client
future< connected_socket > wrap_client(shared_ptr< certificate_credentials >, connected_socket &&, sstring name)
seastar::tls::session_type
session_type
Definition: tls.hh:147
seastar::tls::format_as
std::string_view format_as(subject_alt_name_type)
seastar::tls::session_resume_mode
session_resume_mode
Definition: tls.hh:254
seastar::tls::subject_alt_name_type
subject_alt_name_type
Definition: tls.hh:468
seastar::tls::get_session_resume_data
future< session_data > get_session_resume_data(connected_socket &)
seastar::tls::tls_options::session_resume_data
session_data session_resume_data
Optional session resume data. Must be retrieved via get_session_resume_data below.
Definition: tls.hh:359
seastar::tls::tls_options::verify_certificate
bool verify_certificate
whether server certificate should be verified. May be set to false in test environments.
Definition: tls.hh:355
seastar::tls::get_dn_information
future< std::optional< session_dn > > get_dn_information(connected_socket &socket)
seastar::tls::tls_options::wait_for_eof_on_shutdown
bool wait_for_eof_on_shutdown
whether to wait for EOF from server on session termination
Definition: tls.hh:349
seastar::tls::get_alt_name_information
future< std::vector< subject_alt_name > > get_alt_name_information(connected_socket &socket, std::unordered_set< subject_alt_name_type > types={})
seastar::tls::socket
::seastar::socket socket(shared_ptr< certificate_credentials >, sstring name)
seastar::tls::error_category
const std::error_category & error_category()
seastar::tls::connect
future< connected_socket > connect(shared_ptr< certificate_credentials >, socket_address, sstring name)
seastar::tls::listen
server_socket listen(shared_ptr< server_credentials >, socket_address sa, listen_options opts=listen_options())
seastar::tls::ERROR_UNKNOWN_COMPRESSION_ALGORITHM
const int ERROR_UNKNOWN_COMPRESSION_ALGORITHM
seastar::tls::check_session_is_resumed
future< bool > check_session_is_resumed(connected_socket &socket)
seastar::tls::reloadable_credentials
Definition: tls.hh:140
seastar::tls::subject_alt_name
Definition: tls.hh:478
seastar::tls::tls_options
TLS configuration options.
Definition: tls.hh:347
seastar
Seastar API namespace.
Definition: abort_on_ebadf.hh:26
seastar::noncopyable_function
Definition: noncopyable_function.hh:37
seastar::listen_options
Definition: api.hh:397
Generated by doxygen 1.9.4