1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
// Copyright (c) 2006-2013, Andrey N. Sabelnikov, www.sabelnikov.net
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions are met:
// * Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// * Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
// * Neither the name of the Andrey N. Sabelnikov nor the
// names of its contributors may be used to endorse or promote products
// derived from this software without specific prior written permission.
//
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
// ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
// WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
// DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER BE LIABLE FOR ANY
// DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
// (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
// ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
// SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
//
#ifndef _NET_SSL_H
#define _NET_SSL_H
#include <stdint.h>
#include <string>
#include <vector>
#include <boost/utility/string_ref.hpp>
#include <boost/asio/ip/tcp.hpp>
#include <boost/asio/ssl.hpp>
#include <boost/system/error_code.hpp>
namespace epee
{
namespace net_utils
{
enum class ssl_support_t: uint8_t {
e_ssl_support_disabled,
e_ssl_support_enabled,
e_ssl_support_autodetect,
};
enum class ssl_verification_t : uint8_t
{
none = 0, //!< Do not verify peer.
system_ca, //!< Verify peer via system ca only (do not inspect user certificates)
user_certificates //!< Verify peer via user certificate(s) only.
};
struct ssl_authentication_t
{
std::string private_key_path; //!< Private key used for authentication
std::string certificate_path; //!< Certificate used for authentication to peer.
//! Load `private_key_path` and `certificate_path` into `ssl_context`.
void use_ssl_certificate(boost::asio::ssl::context &ssl_context) const;
};
/*!
\note `verification != disabled && support == disabled` is currently
"allowed" via public interface but obviously invalid configuation.
*/
class ssl_options_t
{
// force sorted behavior in private
std::vector<std::vector<std::uint8_t>> fingerprints_;
public:
std::string ca_path;
ssl_authentication_t auth;
ssl_support_t support;
ssl_verification_t verification;
//! Verification is set to system ca unless SSL is disabled.
ssl_options_t(ssl_support_t support)
: fingerprints_(),
ca_path(),
auth(),
support(support),
verification(support == ssl_support_t::e_ssl_support_disabled ? ssl_verification_t::none : ssl_verification_t::system_ca)
{}
//! Provide user fingerprints and/or ca path. Enables SSL and user_certificate verification
ssl_options_t(std::vector<std::vector<std::uint8_t>> fingerprints, std::string ca_path);
ssl_options_t(const ssl_options_t&) = default;
ssl_options_t(ssl_options_t&&) = default;
ssl_options_t& operator=(const ssl_options_t&) = default;
ssl_options_t& operator=(ssl_options_t&&) = default;
//! \return False iff ssl is disabled, otherwise true.
explicit operator bool() const noexcept { return support != ssl_support_t::e_ssl_support_disabled; }
//! Search against internal fingerprints. Always false if `behavior() != user_certificate_check`.
bool has_fingerprint(boost::asio::ssl::verify_context &ctx) const;
boost::asio::ssl::context create_context() const;
bool handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type) const;
};
// https://security.stackexchange.com/questions/34780/checking-client-hello-for-https-classification
constexpr size_t get_ssl_magic_size() { return 9; }
bool is_ssl(const unsigned char *data, size_t len);
bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s);
}
}
#endif //_NET_SSL_H
|
