openvpn3/sslapi_8hpp_source.html

//    OpenVPN -- An application to securely tunnel IP networks

//               over a single port, with support for SSL/TLS-based

//               session authentication and key exchange,

//               packet encryption, packet authentication, and

//               packet compression.

//

//    Copyright (C) 2012- OpenVPN Inc.

//

//    SPDX-License-Identifier: MPL-2.0 OR AGPL-3.0-only WITH openvpn3-openssl-exception

//


// API for SSL implementations


#ifndef OPENVPN_SSL_SSLAPI_H

#define OPENVPN_SSL_SSLAPI_H


#include <string>

#include <cstdint>


#include <openvpn/common/size.hpp>

#include <openvpn/common/exception.hpp>

#include <openvpn/common/rc.hpp>

#include <openvpn/common/options.hpp>

#include <openvpn/common/mode.hpp>

#include <openvpn/common/jsonlib.hpp>

#include <openvpn/buffer/buffer.hpp>

#include <openvpn/frame/frame.hpp>

#include <openvpn/auth/authcert.hpp>

#include <openvpn/crypto/definitions.hpp>

#include <openvpn/pki/epkibase.hpp>

#include <openvpn/pki/pktype.hpp>

#include <openvpn/ssl/kuparse.hpp>

#include <openvpn/ssl/nscert.hpp>

#include <openvpn/ssl/tlsver.hpp>

#include <openvpn/ssl/tls_remote.hpp>

#include <openvpn/ssl/tls_cert_profile.hpp>

#include <openvpn/ssl/sess_ticket.hpp>

#include <openvpn/ssl/cn_reject_handler.hpp>

#include <openvpn/random/randapi.hpp>

#include "openvpn/log/logger.hpp"


namespace openvpn {


namespace SNI {

class HandlerBase;

}


class SSLAPI : public RC<thread_unsafe_refcount>

{

  public:


    enum TLSWarnings

    {

        TLS_WARN_NONE = 0,

        TLS_WARN_SIG_MD5 = (1 << 0),

        TLS_WARN_SIG_SHA1 = (1 << 1)

    };


    typedef RCPtr<SSLAPI> Ptr;


    virtual void start_handshake() = 0;

    virtual ssize_t write_cleartext_unbuffered(const void *data, const size_t size) = 0;

    virtual ssize_t read_cleartext(void *data, const size_t capacity) = 0;

    virtual bool read_cleartext_ready() const = 0;

    virtual void write_ciphertext(const BufferPtr &buf) = 0;

    virtual void write_ciphertext_unbuffered(const unsigned char *data, const size_t size) = 0;

    virtual bool read_ciphertext_ready() const = 0;

    virtual BufferPtr read_ciphertext() = 0;

    virtual std::string ssl_handshake_details() const = 0;

    virtual bool export_keying_material(const std::string &label, unsigned char *dest, size_t size) = 0;

    virtual bool did_full_handshake() = 0;

    virtual const AuthCert::Ptr &auth_cert() const = 0;

    virtual void mark_no_cache() = 0; // prevent caching of client-side session (only meaningful when client_session_tickets is enabled)


    uint32_t get_tls_warnings() const

    {

        return tls_warnings;

    }


  protected:

    uint32_t tls_warnings = 0; // bitfield of SSLAPI::TLSWarnings

};


class SSLFactoryAPI : public RC<thread_unsafe_refcount>,

                      public logging::LoggingMixin<logging::LOG_LEVEL_VERB, logging::LOG_LEVEL_TRACE, SSLFactoryAPI>

{

  public:

    OPENVPN_EXCEPTION(ssl_options_error);

    OPENVPN_EXCEPTION(ssl_context_error);

    OPENVPN_EXCEPTION(ssl_external_pki);

    OPENVPN_SIMPLE_EXCEPTION(ssl_ciphertext_in_overflow);


    typedef RCPtr<SSLFactoryAPI> Ptr;


    // create a new SSLAPI instance

    virtual SSLAPI::Ptr ssl() = 0;


    // get the library context that is used with this SSLAPI instance

    virtual SSLLib::Ctx libctx() = 0;


    // like ssl() above but optionally verify hostname against cert CommonName and/or

    // SubjectAltName, and optionally set/lookup a cache key for this session.

    virtual SSLAPI::Ptr ssl(const std::string *hostname, const std::string *cache_key) = 0;


    // client or server?

    virtual const Mode &mode() const = 0;

};


class SSLConfigAPI : public RC<thread_unsafe_refcount>

{

  public:

    typedef RCPtr<SSLConfigAPI> Ptr;


    enum LoadFlags

    {

        LF_PARSE_MODE = (1 << 0),

        LF_ALLOW_CLIENT_CERT_NOT_REQUIRED = (1 << 1),

        LF_RELAY_MODE = (1 << 2), // look for "relay-ca" instead of "ca" directive

    };


    std::string private_key_type_string() const

    {

        PKType::Type type = private_key_type();


        switch (type)

        {

        case PKType::PK_NONE:

            return "None";

        case PKType::PK_DSA:

            return "DSA";

        case PKType::PK_RSA:

            return "RSA";

        case PKType::PK_EC:

            return "EC";

        case PKType::PK_ECDSA:

            return "ECDSA";

        case PKType::PK_UNKNOWN:

        default:

            return "Unknown";

        }

    }


    virtual void set_mode(const Mode &mode_arg) = 0;

    virtual const Mode &get_mode() const = 0;

    virtual void set_external_pki_callback(ExternalPKIBase *external_pki_arg, const std::string &alias) = 0; // private key alternative

    virtual void set_session_ticket_handler(TLSSessionTicketBase *session_ticket_handler) = 0;               // server side

    virtual void set_client_session_tickets(const bool v) = 0;                                               // client side

    virtual void enable_legacy_algorithms(const bool v) = 0;                                                 // loads legacy+default provider in OpenSSL 3

    virtual void set_sni_handler(SNI::HandlerBase *sni_handler) = 0;                                         // server side

    virtual void set_sni_name(const std::string &sni_name_arg) = 0;                                          // client side

    virtual void set_private_key_password(const std::string &pwd) = 0;

    virtual void set_cn_reject_handler(CommonNameReject *cn_reject_handler_arg) = 0;

    virtual void load_ca(const std::string &ca_txt, bool strict) = 0;

    virtual void load_crl(const std::string &crl_txt) = 0;

    virtual void load_cert(const std::string &cert_txt) = 0;

    virtual void load_cert(const std::string &cert_txt, const std::string &extra_certs_txt) = 0;

    virtual void load_private_key(const std::string &key_txt) = 0;

    virtual void load_dh(const std::string &dh_txt) = 0;

    virtual std::string extract_ca() const = 0;

    virtual std::string extract_crl() const = 0;

    virtual std::string extract_cert() const = 0;

    virtual std::vector<std::string> extract_extra_certs() const = 0;

    virtual std::string extract_private_key() const = 0;

    virtual std::string extract_dh() const = 0;

    virtual PKType::Type private_key_type() const = 0;

    virtual size_t private_key_length() const = 0;

    virtual void set_frame(const Frame::Ptr &frame_arg) = 0;

    virtual void set_debug_level(const int debug_level) = 0;

    virtual void set_flags(const unsigned int flags_arg) = 0;

    virtual void set_ns_cert_type(const NSCert::Type ns_cert_type_arg) = 0;

    virtual void set_remote_cert_tls(const KUParse::TLSWebType wt) = 0;

    virtual void set_tls_remote(const std::string &tls_remote_arg) = 0;

    virtual void set_tls_version_min(const TLSVersion::Type tvm) = 0;

    virtual void set_tls_version_max(const TLSVersion::Type tvm) = 0;

    virtual void set_tls_version_min_override(const std::string &override) = 0;

    virtual void set_tls_cert_profile(const TLSCertProfile::Type type) = 0;

    virtual void set_tls_cert_profile_override(const std::string &override) = 0;

    virtual void set_local_cert_enabled(const bool v) = 0;

    virtual void set_x509_track(X509Track::ConfigSet x509_track_config_arg) = 0;

    virtual void set_rng(const StrongRandomAPI::Ptr &rng_arg) = 0;

    virtual void load(const OptionList &opt, const unsigned int lflags) = 0;


#ifdef OPENVPN_JSON_INTERNAL

    virtual SSLConfigAPI::Ptr json_override(const Json::Value &root, const bool load_cert_key) const = 0;

#endif


    virtual std::string validate_cert(const std::string &cert_txt) const = 0;

    virtual std::string validate_cert_list(const std::string &certs_txt) const = 0;

    virtual std::string validate_crl(const std::string &crl_txt) const = 0;

    virtual std::string validate_private_key(const std::string &key_txt) const = 0;

    virtual std::string validate_dh(const std::string &dh_txt) const = 0;


    virtual SSLFactoryAPI::Ptr new_factory() = 0;

};


inline const std::string get_ssl_library_version();


} // namespace openvpn


#endif

authcert.hpp

buffer.hpp

openvpn::CommonNameReject
Definition cn_reject_handler.hpp:24

openvpn::ExternalPKIBase
Definition epkibase.hpp:22

openvpn::Mode
Definition mode.hpp:19

openvpn::OptionList
Definition options.hpp:517

openvpn::RCPtr
The smart pointer class.
Definition rc.hpp:119

openvpn::RC
Reference count base class for objects tracked by RCPtr. Disallows copying and assignment.
Definition rc.hpp:912

openvpn::SNI::HandlerBase
Definition sni_handler.hpp:24

openvpn::SSLAPI
Definition sslapi.hpp:49

openvpn::SSLAPI::start_handshake
virtual void start_handshake()=0

openvpn::SSLAPI::write_ciphertext_unbuffered
virtual void write_ciphertext_unbuffered(const unsigned char *data, const size_t size)=0

openvpn::SSLAPI::Ptr
RCPtr< SSLAPI > Ptr
Definition sslapi.hpp:58

openvpn::SSLAPI::write_ciphertext
virtual void write_ciphertext(const BufferPtr &buf)=0

openvpn::SSLAPI::tls_warnings
uint32_t tls_warnings
Definition sslapi.hpp:79

openvpn::SSLAPI::auth_cert
virtual const AuthCert::Ptr & auth_cert() const =0

openvpn::SSLAPI::mark_no_cache
virtual void mark_no_cache()=0

openvpn::SSLAPI::read_ciphertext_ready
virtual bool read_ciphertext_ready() const =0

openvpn::SSLAPI::read_cleartext_ready
virtual bool read_cleartext_ready() const =0

openvpn::SSLAPI::ssl_handshake_details
virtual std::string ssl_handshake_details() const =0

openvpn::SSLAPI::did_full_handshake
virtual bool did_full_handshake()=0

openvpn::SSLAPI::export_keying_material
virtual bool export_keying_material(const std::string &label, unsigned char *dest, size_t size)=0

openvpn::SSLAPI::TLSWarnings
TLSWarnings
Definition sslapi.hpp:52

openvpn::SSLAPI::TLS_WARN_NONE
@ TLS_WARN_NONE
Definition sslapi.hpp:53

openvpn::SSLAPI::TLS_WARN_SIG_MD5
@ TLS_WARN_SIG_MD5
Definition sslapi.hpp:54

openvpn::SSLAPI::TLS_WARN_SIG_SHA1
@ TLS_WARN_SIG_SHA1
Definition sslapi.hpp:55

openvpn::SSLAPI::read_ciphertext
virtual BufferPtr read_ciphertext()=0

openvpn::SSLAPI::write_cleartext_unbuffered
virtual ssize_t write_cleartext_unbuffered(const void *data, const size_t size)=0

openvpn::SSLAPI::read_cleartext
virtual ssize_t read_cleartext(void *data, const size_t capacity)=0

openvpn::SSLAPI::get_tls_warnings
uint32_t get_tls_warnings() const
Definition sslapi.hpp:73

openvpn::SSLConfigAPI
Definition sslapi.hpp:108

openvpn::SSLConfigAPI::load_dh
virtual void load_dh(const std::string &dh_txt)=0

openvpn::SSLConfigAPI::extract_dh
virtual std::string extract_dh() const =0

openvpn::SSLConfigAPI::private_key_length
virtual size_t private_key_length() const =0

openvpn::SSLConfigAPI::validate_cert
virtual std::string validate_cert(const std::string &cert_txt) const =0

openvpn::SSLConfigAPI::validate_dh
virtual std::string validate_dh(const std::string &dh_txt) const =0

openvpn::SSLConfigAPI::set_tls_remote
virtual void set_tls_remote(const std::string &tls_remote_arg)=0

openvpn::SSLConfigAPI::set_mode
virtual void set_mode(const Mode &mode_arg)=0

openvpn::SSLConfigAPI::load_private_key
virtual void load_private_key(const std::string &key_txt)=0

openvpn::SSLConfigAPI::extract_private_key
virtual std::string extract_private_key() const =0

openvpn::SSLConfigAPI::set_remote_cert_tls
virtual void set_remote_cert_tls(const KUParse::TLSWebType wt)=0

openvpn::SSLConfigAPI::private_key_type
virtual PKType::Type private_key_type() const =0

openvpn::SSLConfigAPI::get_mode
virtual const Mode & get_mode() const =0

openvpn::SSLConfigAPI::set_sni_name
virtual void set_sni_name(const std::string &sni_name_arg)=0

openvpn::SSLConfigAPI::Ptr
RCPtr< SSLConfigAPI > Ptr
Definition sslapi.hpp:110

openvpn::SSLConfigAPI::set_x509_track
virtual void set_x509_track(X509Track::ConfigSet x509_track_config_arg)=0

openvpn::SSLConfigAPI::extract_crl
virtual std::string extract_crl() const =0

openvpn::SSLConfigAPI::set_frame
virtual void set_frame(const Frame::Ptr &frame_arg)=0

openvpn::SSLConfigAPI::LoadFlags
LoadFlags
Definition sslapi.hpp:113

openvpn::SSLConfigAPI::LF_ALLOW_CLIENT_CERT_NOT_REQUIRED
@ LF_ALLOW_CLIENT_CERT_NOT_REQUIRED
Definition sslapi.hpp:115

openvpn::SSLConfigAPI::LF_RELAY_MODE
@ LF_RELAY_MODE
Definition sslapi.hpp:116

openvpn::SSLConfigAPI::LF_PARSE_MODE
@ LF_PARSE_MODE
Definition sslapi.hpp:114

openvpn::SSLConfigAPI::set_cn_reject_handler
virtual void set_cn_reject_handler(CommonNameReject *cn_reject_handler_arg)=0

openvpn::SSLConfigAPI::private_key_type_string
std::string private_key_type_string() const
Definition sslapi.hpp:119

openvpn::SSLConfigAPI::set_rng
virtual void set_rng(const StrongRandomAPI::Ptr &rng_arg)=0

openvpn::SSLConfigAPI::set_tls_version_max
virtual void set_tls_version_max(const TLSVersion::Type tvm)=0

openvpn::SSLConfigAPI::load_cert
virtual void load_cert(const std::string &cert_txt)=0

openvpn::SSLConfigAPI::load_ca
virtual void load_ca(const std::string &ca_txt, bool strict)=0

openvpn::SSLConfigAPI::set_session_ticket_handler
virtual void set_session_ticket_handler(TLSSessionTicketBase *session_ticket_handler)=0

openvpn::SSLConfigAPI::set_tls_version_min
virtual void set_tls_version_min(const TLSVersion::Type tvm)=0

openvpn::SSLConfigAPI::load_cert
virtual void load_cert(const std::string &cert_txt, const std::string &extra_certs_txt)=0

openvpn::SSLConfigAPI::set_local_cert_enabled
virtual void set_local_cert_enabled(const bool v)=0

openvpn::SSLConfigAPI::enable_legacy_algorithms
virtual void enable_legacy_algorithms(const bool v)=0

openvpn::SSLConfigAPI::set_tls_cert_profile
virtual void set_tls_cert_profile(const TLSCertProfile::Type type)=0

openvpn::SSLConfigAPI::validate_private_key
virtual std::string validate_private_key(const std::string &key_txt) const =0

openvpn::SSLConfigAPI::set_external_pki_callback
virtual void set_external_pki_callback(ExternalPKIBase *external_pki_arg, const std::string &alias)=0

openvpn::SSLConfigAPI::extract_ca
virtual std::string extract_ca() const =0

openvpn::SSLConfigAPI::set_private_key_password
virtual void set_private_key_password(const std::string &pwd)=0

openvpn::SSLConfigAPI::new_factory
virtual SSLFactoryAPI::Ptr new_factory()=0

openvpn::SSLConfigAPI::load_crl
virtual void load_crl(const std::string &crl_txt)=0

openvpn::SSLConfigAPI::set_client_session_tickets
virtual void set_client_session_tickets(const bool v)=0

openvpn::SSLConfigAPI::set_flags
virtual void set_flags(const unsigned int flags_arg)=0

openvpn::SSLConfigAPI::set_debug_level
virtual void set_debug_level(const int debug_level)=0

openvpn::SSLConfigAPI::load
virtual void load(const OptionList &opt, const unsigned int lflags)=0

openvpn::SSLConfigAPI::validate_cert_list
virtual std::string validate_cert_list(const std::string &certs_txt) const =0

openvpn::SSLConfigAPI::extract_extra_certs
virtual std::vector< std::string > extract_extra_certs() const =0

openvpn::SSLConfigAPI::set_tls_version_min_override
virtual void set_tls_version_min_override(const std::string &override)=0

openvpn::SSLConfigAPI::set_tls_cert_profile_override
virtual void set_tls_cert_profile_override(const std::string &override)=0

openvpn::SSLConfigAPI::validate_crl
virtual std::string validate_crl(const std::string &crl_txt) const =0

openvpn::SSLConfigAPI::extract_cert
virtual std::string extract_cert() const =0

openvpn::SSLConfigAPI::set_ns_cert_type
virtual void set_ns_cert_type(const NSCert::Type ns_cert_type_arg)=0

openvpn::SSLConfigAPI::set_sni_handler
virtual void set_sni_handler(SNI::HandlerBase *sni_handler)=0

openvpn::SSLFactoryAPI
Definition sslapi.hpp:84

openvpn::SSLFactoryAPI::libctx
virtual SSLLib::Ctx libctx()=0

openvpn::SSLFactoryAPI::OPENVPN_EXCEPTION
OPENVPN_EXCEPTION(ssl_external_pki)

openvpn::SSLFactoryAPI::mode
virtual const Mode & mode() const =0

openvpn::SSLFactoryAPI::ssl
virtual SSLAPI::Ptr ssl(const std::string *hostname, const std::string *cache_key)=0

openvpn::SSLFactoryAPI::OPENVPN_EXCEPTION
OPENVPN_EXCEPTION(ssl_options_error)

openvpn::SSLFactoryAPI::ssl
virtual SSLAPI::Ptr ssl()=0

openvpn::SSLFactoryAPI::OPENVPN_EXCEPTION
OPENVPN_EXCEPTION(ssl_context_error)

openvpn::SSLFactoryAPI::Ptr
RCPtr< SSLFactoryAPI > Ptr
Definition sslapi.hpp:91

openvpn::SSLFactoryAPI::OPENVPN_SIMPLE_EXCEPTION
OPENVPN_SIMPLE_EXCEPTION(ssl_ciphertext_in_overflow)

openvpn::TLSSessionTicketBase
Definition sess_ticket.hpp:32

openvpn::logging::LoggingMixin
Definition logger.hpp:165

cn_reject_handler.hpp

definitions.hpp

epkibase.hpp

exception.hpp

frame.hpp

jsonlib.hpp

kuparse.hpp

logger.hpp

mode.hpp

openvpn::KUParse::TLSWebType
TLSWebType
Definition kuparse.hpp:27

openvpn::NSCert::Type
Type
Definition nscert.hpp:25

openvpn::PKType::Type
Type
Definition pktype.hpp:19

openvpn::PKType::PK_NONE
@ PK_NONE
Definition pktype.hpp:21

openvpn::PKType::PK_DSA
@ PK_DSA
Definition pktype.hpp:22

openvpn::PKType::PK_EC
@ PK_EC
Definition pktype.hpp:24

openvpn::PKType::PK_ECDSA
@ PK_ECDSA
Definition pktype.hpp:25

openvpn::PKType::PK_RSA
@ PK_RSA
Definition pktype.hpp:23

openvpn::PKType::PK_UNKNOWN
@ PK_UNKNOWN
Definition pktype.hpp:20

openvpn::SSLLib::Ctx
void * Ctx
Definition definitions.hpp:26

openvpn::TLSCertProfile::Type
Type
Definition tls_cert_profile.hpp:25

openvpn::TLSVersion::Type
Type
Definition tlsver.hpp:25

openvpn
Support deferred server-side state creation when client connects.
Definition ovpncli.cpp:95

openvpn::ssl_external_pki
SSLFactoryAPI::ssl_external_pki ssl_external_pki
Definition extpki.hpp:26

openvpn::get_ssl_library_version
const std::string get_ssl_library_version()
Definition sslctx.hpp:1679

nscert.hpp

options.hpp

pktype.hpp

randapi.hpp
Implementation of the base classes for random number generators.

rc.hpp

sess_ticket.hpp

size.hpp

tlsver.hpp

openvpn::X509Track::ConfigSet
Definition x509track.hpp:110

cert_txt
const std::string cert_txt
Definition test_acc_certcheck.cpp:125

tls_cert_profile.hpp

tls_remote.hpp