kodi
NptTls.h
1 /*****************************************************************
2 |
3 | Neptune - TLS/SSL Support
4 |
5 | Copyright (c) 2002-2008, Axiomatic Systems, LLC.
6 | All rights reserved.
7 |
8 | Redistribution and use in source and binary forms, with or without
9 | modification, are permitted provided that the following conditions are met:
10 | * Redistributions of source code must retain the above copyright
11 | notice, this list of conditions and the following disclaimer.
12 | * Redistributions in binary form must reproduce the above copyright
13 | notice, this list of conditions and the following disclaimer in the
14 | documentation and/or other materials provided with the distribution.
15 | * Neither the name of Axiomatic Systems nor the
16 | names of its contributors may be used to endorse or promote products
17 | derived from this software without specific prior written permission.
18 |
19 | THIS SOFTWARE IS PROVIDED BY AXIOMATIC SYSTEMS ''AS IS'' AND ANY
20 | EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
21 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 | DISCLAIMED. IN NO EVENT SHALL AXIOMATIC SYSTEMS BE LIABLE FOR ANY
23 | DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
26 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
28 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 |
30  ****************************************************************/
31 
32 #ifndef _NPT_TLS_H_
33 #define _NPT_TLS_H_
34 
35 /*----------------------------------------------------------------------
36 | includes
37 +---------------------------------------------------------------------*/
38 #include "NptConfig.h"
39 #include "NptStreams.h"
40 #include "NptTime.h"
41 #include "NptHttp.h"
42 
43 /*----------------------------------------------------------------------
44 | error codes
45 +---------------------------------------------------------------------*/
46 const NPT_Result NPT_ERROR_INVALID_PASSWORD = (NPT_ERROR_BASE_TLS-1);
47 const NPT_Result NPT_ERROR_TLS_INVALID_HANDSHAKE = (NPT_ERROR_BASE_TLS-2);
48 const NPT_Result NPT_ERROR_TLS_INVALID_PROTOCOL_MESSAGE = (NPT_ERROR_BASE_TLS-3);
49 const NPT_Result NPT_ERROR_TLS_INVALID_HMAC = (NPT_ERROR_BASE_TLS-4);
50 const NPT_Result NPT_ERROR_TLS_INVALID_VERSION = (NPT_ERROR_BASE_TLS-5);
51 const NPT_Result NPT_ERROR_TLS_INVALID_SESSION = (NPT_ERROR_BASE_TLS-6);
52 const NPT_Result NPT_ERROR_TLS_NO_CIPHER = (NPT_ERROR_BASE_TLS-7);
53 const NPT_Result NPT_ERROR_TLS_BAD_CERTIFICATE = (NPT_ERROR_BASE_TLS-8);
54 const NPT_Result NPT_ERROR_TLS_INVALID_KEY = (NPT_ERROR_BASE_TLS-9);
55 const NPT_Result NPT_ERROR_TLS_NO_CLIENT_RENEGOTIATION = (NPT_ERROR_BASE_TLS-10);
56 const NPT_Result NPT_ERROR_TLS_INVALID_FINISHED_MESSAGE = (NPT_ERROR_BASE_TLS-11);
57 const NPT_Result NPT_ERROR_TLS_NO_CERTIFICATE_DEFINED = (NPT_ERROR_BASE_TLS-12);
58 const NPT_Result NPT_ERROR_TLS_ALERT_HANDSHAKE_FAILED = (NPT_ERROR_BASE_TLS-13);
59 const NPT_Result NPT_ERROR_TLS_ALERT_BAD_CERTIFICATE = (NPT_ERROR_BASE_TLS-14);
60 const NPT_Result NPT_ERROR_TLS_ALERT_INVALID_VERSION = (NPT_ERROR_BASE_TLS-15);
61 const NPT_Result NPT_ERROR_TLS_ALERT_BAD_RECORD_MAC = (NPT_ERROR_BASE_TLS-16);
62 const NPT_Result NPT_ERROR_TLS_ALERT_DECODE_ERROR = (NPT_ERROR_BASE_TLS-17);
63 const NPT_Result NPT_ERROR_TLS_ALERT_DECRYPT_ERROR = (NPT_ERROR_BASE_TLS-18);
64 const NPT_Result NPT_ERROR_TLS_ALERT_ILLEGAL_PARAMETER = (NPT_ERROR_BASE_TLS-19);
65 const NPT_Result NPT_ERROR_TLS_ALERT_UNEXPECTED_MESSAGE = (NPT_ERROR_BASE_TLS-20);
66 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_FAILURE = (NPT_ERROR_BASE_TLS-21);
67 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_NO_TRUST_ANCHOR = (NPT_ERROR_BASE_TLS-22);
68 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_BAD_SIGNATURE = (NPT_ERROR_BASE_TLS-23);
69 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_NOT_YET_VALID = (NPT_ERROR_BASE_TLS-24);
70 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_EXPIRED = (NPT_ERROR_BASE_TLS-25);
71 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_SELF_SIGNED = (NPT_ERROR_BASE_TLS-26);
72 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_INVALID_CHAIN = (NPT_ERROR_BASE_TLS-27);
73 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_UNSUPPORTED_DIGEST = (NPT_ERROR_BASE_TLS-28);
74 const NPT_Result NPT_ERROR_TLS_CERTIFICATE_INVALID_PRIVATE_KEY = (NPT_ERROR_BASE_TLS-29);
75 const NPT_Result NPT_ERROR_TLS_DNS_NAME_MISMATCH = (NPT_ERROR_BASE_TLS-30);
76 
77 /*----------------------------------------------------------------------
78 | constants
79 +---------------------------------------------------------------------*/
80 const unsigned int NPT_TLS_NULL_WITH_NULL_NULL = 0x00;
81 const unsigned int NPT_TLS_RSA_WITH_RC4_128_MD5 = 0x04;
82 const unsigned int NPT_TLS_RSA_WITH_RC4_128_SHA = 0x05;
83 const unsigned int NPT_TLS_RSA_WITH_AES_128_CBC_SHA = 0x2F;
84 const unsigned int NPT_TLS_RSA_WITH_AES_256_CBC_SHA = 0x35;
85 
86 /*----------------------------------------------------------------------
87 | class references
88 +---------------------------------------------------------------------*/
89 class NPT_TlsContextImpl;
90 class NPT_TlsSessionImpl;
91 
92 /*----------------------------------------------------------------------
93 | types
94 +---------------------------------------------------------------------*/
95 typedef enum {
96  NPT_TLS_KEY_FORMAT_RSA_PRIVATE,
97  NPT_TLS_KEY_FORMAT_PKCS8,
98  NPT_TLS_KEY_FORMAT_PKCS12
99 } NPT_TlsKeyFormat;
100 
101 struct NPT_TlsTrustAnchorData {
102  const unsigned char* cert_data;
103  unsigned int cert_size;
104 };
105 
106 /*----------------------------------------------------------------------
107 | NPT_Tls
108 +---------------------------------------------------------------------*/
109 class NPT_Tls
110 {
111 public:
112  static const NPT_TlsTrustAnchorData* GetDefaultTrustAnchors(NPT_Ordinal indx=0);
113  static bool MatchDnsNames(const char* hostname,
114  const NPT_List<NPT_String>& dns_names);
115  static bool MatchDnsName(const char* hostname, const char* dns_name);
116 
117 private:
118  NPT_Tls() {}; // don't instantiate
119 };
120 
121 /*----------------------------------------------------------------------
122 | NPT_TlsContext
123 +---------------------------------------------------------------------*/
124 class NPT_TlsContext : public NPT_AutomaticCleaner::Singleton
125 {
126 public:
127  enum {
128  OPTION_VERIFY_LATER = 1,
129  OPTION_REQUIRE_CLIENT_CERTIFICATE = 2,
130  OPTION_ADD_DEFAULT_TRUST_ANCHORS = 4,
131  OPTION_NO_SESSION_CACHE = 8
132  };
133  NPT_TlsContext(NPT_Flags options=0);
134  ~NPT_TlsContext() override;
135 
136  // methods
137  NPT_Result LoadKey(NPT_TlsKeyFormat key_format,
138  const unsigned char* key_data,
139  NPT_Size key_data_size,
140  const char* password);
141 
142  NPT_Result SelfSignCertificate(const char* common_name,
143  const char* organization,
144  const char* organizational_name);
145 
149  NPT_Result AddTrustAnchor(const unsigned char* ta_data,
150  NPT_Size ta_data_size);
158  NPT_Result AddTrustAnchors(const NPT_TlsTrustAnchorData* anchors,
159  NPT_Cardinal anchor_count = 0);
160 
161 protected:
162  NPT_TlsContextImpl* m_Impl;
163 
164  // friends
165  friend class NPT_TlsSession;
166  friend class NPT_TlsClientSession;
167  friend class NPT_TlsServerSession;
168 };
169 
170 /*----------------------------------------------------------------------
171 | NPT_TlsCertificateInfo
172 +---------------------------------------------------------------------*/
173 struct NPT_TlsCertificateInfo
174 {
175  struct _subject {
176  NPT_String common_name;
177  NPT_String organization;
178  NPT_String organizational_name;
179  } subject;
180  struct _issuer {
181  NPT_String common_name;
182  NPT_String organization;
183  NPT_String organizational_name;
184  } issuer;
185  struct _fingerprint {
186  unsigned char sha1[20];
187  unsigned char md5[16];
188  } fingerprint;
189  NPT_DateTime issue_date;
190  NPT_DateTime expiration_date;
191  NPT_List<NPT_String> alternate_names;
192 };
193 
194 /*----------------------------------------------------------------------
195 | NPT_TlsSession
196 +---------------------------------------------------------------------*/
197 class NPT_TlsSession
198 {
199 public:
200  virtual ~NPT_TlsSession();
201  virtual NPT_Result Handshake();
202  virtual NPT_Result GetHandshakeStatus();
203  virtual NPT_Result GetPeerCertificateInfo(NPT_TlsCertificateInfo& info, NPT_Ordinal position=0);
204  virtual NPT_Result VerifyPeerCertificate();
205  virtual NPT_Result VerifyDnsNameMatch(const char* hostname);
206  virtual NPT_Result GetSessionId(NPT_DataBuffer& session_id);
207  virtual NPT_UInt32 GetCipherSuiteId();
208  virtual NPT_Result GetInputStream(NPT_InputStreamReference& stream);
209  virtual NPT_Result GetOutputStream(NPT_OutputStreamReference& stream);
210 
211 protected:
212  NPT_TlsSession(NPT_TlsContext& context,
213  NPT_TlsSessionImpl* impl);
214 
215  NPT_TlsContext& m_Context;
216  NPT_Reference<NPT_TlsSessionImpl> m_Impl;
217  NPT_InputStreamReference m_InputStream;
218  NPT_OutputStreamReference m_OutputStream;
219 };
220 
221 /*----------------------------------------------------------------------
222 | NPT_TlsClientSession
223 +---------------------------------------------------------------------*/
224 class NPT_TlsClientSession : public NPT_TlsSession
225 {
226 public:
227  NPT_TlsClientSession(NPT_TlsContext& context,
228  NPT_InputStreamReference& input,
229  NPT_OutputStreamReference& output);
230 };
231 
232 /*----------------------------------------------------------------------
233 | NPT_TlsServerSession
234 +---------------------------------------------------------------------*/
235 class NPT_TlsServerSession : public NPT_TlsSession
236 {
237 public:
238  NPT_TlsServerSession(NPT_TlsContext& context,
239  NPT_InputStreamReference& input,
240  NPT_OutputStreamReference& output);
241 };
242 
243 /*----------------------------------------------------------------------
244 | NPT_HttpTlsConnector
245 +---------------------------------------------------------------------*/
246 #if defined(NPT_CONFIG_ENABLE_TLS)
247 class NPT_HttpTlsConnector : public NPT_HttpClient::Connector
248 {
249 public:
250  enum {
251  OPTION_ACCEPT_SELF_SIGNED_CERTS = 1,
252  OPTION_ACCEPT_HOSTNAME_MISMATCH = 2
253  };
254  NPT_HttpTlsConnector(NPT_Flags options = 0);
255  NPT_HttpTlsConnector(NPT_TlsContext& tls_context, NPT_Flags options = 0);
256  virtual ~NPT_HttpTlsConnector() {}
257  NPT_TlsContext& GetTlsContext() { return m_TlsContext; }
258  virtual NPT_Result Connect(const NPT_HttpUrl& url,
259  NPT_HttpClient& client,
260  const NPT_HttpProxyAddress* proxy,
261  bool reuse,
262  NPT_HttpClient::Connection*& connection);
263 
264  virtual NPT_Result VerifyPeer(NPT_TlsClientSession& session,
265  const char* hostname);
266 
267 private:
268  // class methods
269  static NPT_TlsContext& GetDefaultTlsContext();
270 
271  // class members
272  static NPT_TlsContext* DefaultTlsContext;
273 
274  // members
275  NPT_TlsContext& m_TlsContext;
276  NPT_Flags m_Options;
277 };
278 #else
279 class NPT_HttpTlsConnector : public NPT_HttpClient::Connector
280 {
281 public:
282  ~NPT_HttpTlsConnector() override {}
283  NPT_Result Connect(const NPT_HttpUrl& url,
284  NPT_HttpClient& client,
285  const NPT_HttpProxyAddress* proxy,
286  bool reuse,
287  NPT_HttpClient::Connection*& connection) override;
288 };
289 #endif
290 
291 /*----------------------------------------------------------------------
292 | Trust Anchors
293 +-----------------------------------------------------------------*/
299 #if defined(NPT_CONFIG_ENABLE_TLS)
300 #include "NptTlsDefaultTrustAnchorsBase.h"
301 #include "NptTlsDefaultTrustAnchorsExtended.h"
302 #endif
303 
304 #endif // _NPT_TLS_H_
NPT_AutomaticCleaner::Singleton
Definition: NptAutomaticCleaner.h:46
NPT_TlsCertificateInfo
Definition: NptTls.h:173
NPT_TlsClientSession
Definition: NptTls.h:224
NPT_TlsTrustAnchorData
Definition: NptTls.h:101
NPT_HttpUrl
Definition: NptHttp.h:126
NPT_TlsCertificateInfo::_issuer
Definition: NptTls.h:180
NPT_TlsServerSession
Definition: NptTls.h:235
NPT_Tls
Definition: NptTls.h:109
NPT_HttpProxyAddress
Definition: NptHttp.h:345
NPT_TlsCertificateInfo::_fingerprint
Definition: NptTls.h:185
NPT_DataBuffer
Definition: NptDataBuffer.h:44
NPT_TlsContext
Definition: NptTls.h:124
NPT_HttpTlsConnector
Definition: NptTls.h:279
NPT_HttpClient
Definition: NptHttp.h:386
NPT_Reference< NPT_InputStream >
NPT_HttpClient::Connection
Definition: NptHttp.h:402
NPT_DateTime
Definition: NptTime.h:116
NPT_TlsSession
Definition: NptTls.h:197
NPT_HttpClient::Connector
Definition: NptHttp.h:414
NPT_TlsCertificateInfo::_subject
Definition: NptTls.h:175
NPT_String
Definition: NptStrings.h:57
NPT_List< NPT_String >
Generated by   doxygen 1.8.13