Electroneum
net_ssl.h
Go to the documentation of this file.
1 // Copyright (c) 2006-2013, Andrey N. Sabelnikov, www.sabelnikov.net
2 // All rights reserved.
3 //
4 // Redistribution and use in source and binary forms, with or without
5 // modification, are permitted provided that the following conditions are met:
6 // * Redistributions of source code must retain the above copyright
7 // notice, this list of conditions and the following disclaimer.
8 // * Redistributions in binary form must reproduce the above copyright
9 // notice, this list of conditions and the following disclaimer in the
10 // documentation and/or other materials provided with the distribution.
11 // * Neither the name of the Andrey N. Sabelnikov nor the
12 // names of its contributors may be used to endorse or promote products
13 // derived from this software without specific prior written permission.
14 //
15 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
16 // ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
17 // WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
18 // DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER BE LIABLE FOR ANY
19 // DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20 // (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
21 // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
22 // ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
24 // SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 //
26 
27 
28 
29 #ifndef _NET_SSL_H
30 #define _NET_SSL_H
31 
32 #include <stdint.h>
33 #include <string>
34 #include <vector>
35 #include <boost/utility/string_ref.hpp>
36 #include <boost/asio/ip/tcp.hpp>
37 #include <boost/asio/ssl.hpp>
38 #include <boost/system/error_code.hpp>
39 
40 #define SSL_FINGERPRINT_SIZE 32
41 
42 namespace epee
43 {
44 namespace net_utils
45 {
46  enum class ssl_support_t: uint8_t {
50  };
51 
53  {
54  none = 0,
55  system_ca,
57  user_ca
58  };
59 
61  {
64 
66  void use_ssl_certificate(boost::asio::ssl::context &ssl_context) const;
67  };
68 
74  {
75  // force sorted behavior in private
76  std::vector<std::vector<std::uint8_t>> fingerprints_;
77 
78  public:
83 
86  : fingerprints_(),
87  ca_path(),
88  auth(),
91  {}
92 
94  ssl_options_t(std::vector<std::vector<std::uint8_t>> fingerprints, std::string ca_path);
95 
96  ssl_options_t(const ssl_options_t&) = default;
97  ssl_options_t(ssl_options_t&&) = default;
98 
99  ssl_options_t& operator=(const ssl_options_t&) = default;
100  ssl_options_t& operator=(ssl_options_t&&) = default;
101 
103  explicit operator bool() const noexcept { return support != ssl_support_t::e_ssl_support_disabled; }
104 
106  bool has_strong_verification(boost::string_ref host) const noexcept;
107 
109  bool has_fingerprint(boost::asio::ssl::verify_context &ctx) const;
110 
112 
131  bool handshake(boost::asio::ssl::stream<boost::asio::ip::tcp::socket> &socket, boost::asio::ssl::stream_base::handshake_type type, const std::string& host = {}) const;
132  };
133 
134  // https://security.stackexchange.com/questions/34780/checking-client-hello-for-https-classification
135  constexpr size_t get_ssl_magic_size() { return 9; }
136  bool is_ssl(const unsigned char *data, size_t len);
137  bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s);
138 
139  bool create_ec_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert);
140  bool create_rsa_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert);
141 }
142 }
143 
144 #endif //_NET_SSL_H
bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s)
Definition: net_ssl.cpp:516
constexpr size_t get_ssl_magic_size()
Definition: net_ssl.h:135
ssl_options_t(ssl_support_t support)
Verification is set to system ca unless SSL is disabled.
Definition: net_ssl.h:85
bool has_fingerprint(boost::asio::ssl::verify_context &ctx) const
Search against internal fingerprints. Always false if behavior() != user_certificate_check.
Definition: net_ssl.cpp:421
::std::string string
Definition: gtest-port.h:1097
bool create_rsa_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
Definition: net_ssl.cpp:122
std::unique_ptr< void, close > socket
Unique ZMQ socket handle, calls zmq_close on destruction.
Definition: zmq.h:101
void use_ssl_certificate(boost::asio::ssl::context &ssl_context) const
Load private_key_path and certificate_path into ssl_context.
Definition: net_ssl.cpp:376
unsigned char uint8_t
Definition: stdint.h:124
std::string certificate_path
Certificate used for authentication to peer.
Definition: net_ssl.h:63
Verify peer via system ca only (do not inspect user certificates)
bool is_ssl(const unsigned char *data, size_t len)
Definition: net_ssl.cpp:382
Verify peer via specific (possibly chain) certificate(s) only.
ssl_authentication_t auth
Definition: net_ssl.h:80
bool handshake(boost::asio::ssl::stream< boost::asio::ip::tcp::socket > &socket, boost::asio::ssl::stream_base::handshake_type type, const std::string &host={}) const
Definition: net_ssl.cpp:459
std::unique_ptr< void, terminate > context
Unique ZMQ context handle, calls zmq_term on destruction.
Definition: zmq.h:98
Verify peer via specific (non-chain) certificate(s) only.
bool create_ec_ssl_certificate(EVP_PKEY *&pkey, X509 *&cert)
int bool
Definition: stdbool.h:36
ssl_verification_t verification
Definition: net_ssl.h:82
bool has_strong_verification(boost::string_ref host) const noexcept
True if host can be verified using this configuration WITHOUT system "root" CAs.
Definition: net_ssl.cpp:402
std::string private_key_path
Private key used for authentication.
Definition: net_ssl.h:62
boost::asio::ssl::context create_context() const
Definition: net_ssl.cpp:283
ssl_options_t & operator=(const ssl_options_t &)=default