blocxx
SSLCtxMgr.hpp
Go to the documentation of this file.
1/*******************************************************************************
2* Copyright (C) 2001-2004 Vintela, Inc. All rights reserved.
3* Copyright (C) 2004 Novell, Inc. All rights reserved.
4*
5* Redistribution and use in source and binary forms, with or without
6* modification, are permitted provided that the following conditions are met:
7*
8* - Redistributions of source code must retain the above copyright notice,
9* this list of conditions and the following disclaimer.
10*
11* - Redistributions in binary form must reproduce the above copyright notice,
12* this list of conditions and the following disclaimer in the documentation
13* and/or other materials provided with the distribution.
14*
15* - Neither the name of Vintela, Inc. nor the names of its
16* contributors may be used to endorse or promote products derived from this
17* software without specific prior written permission.
18*
19* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
20* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22* ARE DISCLAIMED. IN NO EVENT SHALL Vintela, Inc. OR THE CONTRIBUTORS
23* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29* POSSIBILITY OF SUCH DAMAGE.
30*******************************************************************************/
31
36
37#ifndef BLOCXX_SSLCtxMgr_HPP_INCLUDE_GUARD_
38#define BLOCXX_SSLCtxMgr_HPP_INCLUDE_GUARD_
39#include "blocxx/BLOCXX_config.h"
43#include "blocxx/Map.hpp"
44#include "blocxx/Bool.hpp"
45#ifdef BLOCXX_HAVE_OPENSSL
46#include "blocxx/String.hpp"
47#include <openssl/crypto.h>
48#include <openssl/ssl.h>
49#include <openssl/bio.h>
50#define BLOCXX_SSLCTX_MAX_CN_LEN 256
51#define BLOCXX_SSL_RETRY_LIMIT 20
52
53namespace BLOCXX_NAMESPACE
54{
55
62typedef int (*certVerifyFuncPtr_t)(X509* cert, const String& hostName);
63
64// TODO: Make this class be a singleton.
65class BLOCXX_COMMON_API SSLCtxMgr
66{
67public:
71 static int pem_passwd_cb(char* buf, int size, int rwflag, void *userData);
79 static bool checkClientCert(SSL* ssl, const String& hostName);
87 static bool checkServerCert(SSL* ssl, const String& hostName);
95 static void initClient(const String& certFile = String(), const String& keyFile = String());
103 static void initServer(const String& certFile, const String& keyFile = String());
108 static SSL_CTX* getSSLCtxServer()
109 {
110 return m_ctxServer;
111 }
116 static SSL_CTX* getSSLCtxClient()
117 {
118 return m_ctxClient;
119 }
128 static int sslRead(SSL* ssl, char* buf, int len);
137 static int sslWrite(SSL* ssl, const char* buf, int len);
142 static bool isClient() { return m_ctxClient != NULL; }
147 static bool isServer() { return m_ctxServer != NULL; }
153 static void setClientCertVerifyCallback(certVerifyFuncPtr_t cbfunc)
154 { m_clientCertVerifyCB = cbfunc; }
160 static void setServerCertVerifyCallback(certVerifyFuncPtr_t cbfunc)
161 { m_serverCertVerifyCB = cbfunc; }
162 // set type to NOT_INIT and free memory.
163 static void uninit();
167 static void generateEphRSAKey(SSL_CTX* ctx);
168
169 static String getOpenSSLErrorDescription();
170
180 static void disableSSLInit();
189 static void disableLocks();
190
191 static Bool getSSLInitDisabled();
192 static Bool getSSLLocksDisabled();
193
194private:
195
196 friend class SSLCtxBase;
197
198 static SSL_CTX* m_ctxClient;
199 static SSL_CTX* m_ctxServer;
200 static certVerifyFuncPtr_t m_clientCertVerifyCB;
201 static certVerifyFuncPtr_t m_serverCertVerifyCB;
202
206 static SSL_CTX* initCtx(const String& certfile, const String& keyfile,
207 EVP_PKEY* pkey = 0);
211 static void loadDHParams(SSL_CTX* ctx, const String& file);
212 static void uninitServer();
213 static void uninitClient();
214
215 // don't allow instantiation
216 SSLCtxMgr();
217 SSLCtxMgr(const SSLCtxMgr&);
218 SSLCtxMgr& operator=(const SSLCtxMgr&);
219
223 static bool checkCert(SSL* ssl, const String& hostName, certVerifyFuncPtr_t cbFunc);
224};
225
227struct BLOCXX_COMMON_API SSLOpts
228{
229 SSLOpts();
230 ~SSLOpts();
231 String certfile;
232 String keyfile;
233 String trustStore;
234 enum VerifyMode_t
235 {
236 MODE_DISABLED,
237 MODE_REQUIRED,
238 MODE_OPTIONAL,
239 MODE_AUTOUPDATE
240 };
241 VerifyMode_t verifyMode;
242 EVP_PKEY* pkey;
243};
244
245
247class BLOCXX_COMMON_API SSLCtxBase
248{
249public:
250 SSL_CTX* getSSLCtx() const;
251
252protected:
253 SSLCtxBase(const SSLOpts& opts);
254 virtual ~SSLCtxBase();
255 SSL_CTX* m_ctx;
256};
257
259class BLOCXX_COMMON_API SSLServerCtx : public SSLCtxBase, public IntrusiveCountableBase
260{
261public:
262 SSLServerCtx(const SSLOpts& opts);
263 static const int SSL_DATA_INDEX = 0;
264};
265
267class BLOCXX_COMMON_API SSLClientCtx : public SSLCtxBase, public IntrusiveCountableBase
268{
269public:
270 SSLClientCtx(const SSLOpts& opts = SSLOpts());
271};
272
274class BLOCXX_COMMON_API SSLTrustStore: public IntrusiveCountableBase
275{
276public:
277 SSLTrustStore(const String& storeLocation);
278 void addCertificate(X509* cert, const String& user, const String& uid);
279 bool getUser(const String& certhash, String& user, String& uid);
280
281 static String getCertMD5Fingerprint(X509* cert);
282private:
283 String m_store;
284 String m_mapfile;
285 struct UserInfo
286 {
287 String user;
288 String uid;
289 };
290
291#ifdef BLOCXX_WIN32
292#pragma warning (push)
293#pragma warning (disable: 4251)
294#endif
295
296 Map<String, UserInfo> m_map;
297
298#ifdef BLOCXX_WIN32
299#pragma warning (pop)
300#endif
301
302 void readMap();
303 void writeMap();
304
305};
306
308
309struct BLOCXX_COMMON_API OWSSLContext
310{
311 enum CertVerifyState_t
312 {
313 VERIFY_NONE,
314 VERIFY_PASS,
315 VERIFY_FAIL
316 };
317 OWSSLContext();
318 ~OWSSLContext();
319 CertVerifyState_t peerCertPassedVerify;
320};
321
323
324
325#else // ifdef BLOCXX_HAVE_OPENSSL
326
327namespace BLOCXX_NAMESPACE
328{
329
330class BLOCXX_COMMON_API SSLServerCtx : public IntrusiveCountableBase
331{
332};
333
334class BLOCXX_COMMON_API SSLClientCtx : public IntrusiveCountableBase
335{
336};
337
338#endif // ifdef BLOCXX_HAVE_OPENSSL
339
340} // end namespace BLOCXX_NAMESPACE
341
342
343#endif
This String class is an abstract data type that represents as NULL terminated string of characters.
Definition String.hpp:67
Taken from RFC 1321.