blocxx
SSLCtxMgr.hpp
Go to the documentation of this file.
1 /*******************************************************************************
2 * Copyright (C) 2001-2004 Vintela, Inc. All rights reserved.
3 * Copyright (C) 2004 Novell, Inc. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions are met:
7 *
8 * - Redistributions of source code must retain the above copyright notice,
9 * this list of conditions and the following disclaimer.
10 *
11 * - Redistributions in binary form must reproduce the above copyright notice,
12 * this list of conditions and the following disclaimer in the documentation
13 * and/or other materials provided with the distribution.
14 *
15 * - Neither the name of Vintela, Inc. nor the names of its
16 * contributors may be used to endorse or promote products derived from this
17 * software without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
20 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL Vintela, Inc. OR THE CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 *******************************************************************************/
31 
37 #ifndef BLOCXX_SSLCtxMgr_HPP_INCLUDE_GUARD_
38 #define BLOCXX_SSLCtxMgr_HPP_INCLUDE_GUARD_
39 #include "blocxx/BLOCXX_config.h"
40 #include "blocxx/SSLException.hpp"
41 #include "blocxx/IntrusiveCountableBase.hpp"
42 #include "blocxx/IntrusiveReference.hpp"
43 #include "blocxx/Map.hpp"
44 #include "blocxx/Bool.hpp"
45 #ifdef BLOCXX_HAVE_OPENSSL
46 #include "blocxx/String.hpp"
47 #include <openssl/crypto.h>
48 #include <openssl/ssl.h>
49 #include <openssl/bio.h>
50 #define BLOCXX_SSLCTX_MAX_CN_LEN 256
51 #define BLOCXX_SSL_RETRY_LIMIT 20
52 
53 namespace BLOCXX_NAMESPACE
54 {
55 
62 typedef int (*certVerifyFuncPtr_t)(X509* cert, const String& hostName);
63 
64 // TODO: Make this class be a singleton.
65 class BLOCXX_COMMON_API SSLCtxMgr
66 {
67 public:
71  static int pem_passwd_cb(char* buf, int size, int rwflag, void *userData);
79  static bool checkClientCert(SSL* ssl, const String& hostName);
87  static bool checkServerCert(SSL* ssl, const String& hostName);
95  static void initClient(const String& certFile = String(), const String& keyFile = String());
103  static void initServer(const String& certFile, const String& keyFile = String());
108  static SSL_CTX* getSSLCtxServer()
109  {
110  return m_ctxServer;
111  }
116  static SSL_CTX* getSSLCtxClient()
117  {
118  return m_ctxClient;
119  }
128  static int sslRead(SSL* ssl, char* buf, int len);
137  static int sslWrite(SSL* ssl, const char* buf, int len);
142  static bool isClient() { return m_ctxClient != NULL; }
147  static bool isServer() { return m_ctxServer != NULL; }
153  static void setClientCertVerifyCallback(certVerifyFuncPtr_t cbfunc)
154  { m_clientCertVerifyCB = cbfunc; }
160  static void setServerCertVerifyCallback(certVerifyFuncPtr_t cbfunc)
161  { m_serverCertVerifyCB = cbfunc; }
162  // set type to NOT_INIT and free memory.
163  static void uninit();
167  static void generateEphRSAKey(SSL_CTX* ctx);
168 
169  static String getOpenSSLErrorDescription();
170 
180  static void disableSSLInit();
189  static void disableLocks();
190 
191  static Bool getSSLInitDisabled();
192  static Bool getSSLLocksDisabled();
193 
194 private:
195 
196  friend class SSLCtxBase;
197 
198  static SSL_CTX* m_ctxClient;
199  static SSL_CTX* m_ctxServer;
200  static certVerifyFuncPtr_t m_clientCertVerifyCB;
201  static certVerifyFuncPtr_t m_serverCertVerifyCB;
202 
206  static SSL_CTX* initCtx(const String& certfile, const String& keyfile,
207  EVP_PKEY* pkey = 0);
211  static void loadDHParams(SSL_CTX* ctx, const String& file);
212  static void uninitServer();
213  static void uninitClient();
214 
215  // don't allow instantiation
216  SSLCtxMgr();
217  SSLCtxMgr(const SSLCtxMgr&);
218  SSLCtxMgr& operator=(const SSLCtxMgr&);
219 
223  static bool checkCert(SSL* ssl, const String& hostName, certVerifyFuncPtr_t cbFunc);
224 };
225 
227 struct BLOCXX_COMMON_API SSLOpts
228 {
229  SSLOpts();
230  ~SSLOpts();
231  String certfile;
232  String keyfile;
233  String trustStore;
234  enum VerifyMode_t
235  {
236  MODE_DISABLED,
237  MODE_REQUIRED,
238  MODE_OPTIONAL,
239  MODE_AUTOUPDATE
240  };
241  VerifyMode_t verifyMode;
242  EVP_PKEY* pkey;
243 };
244 
245 
247 class BLOCXX_COMMON_API SSLCtxBase
248 {
249 public:
250  SSL_CTX* getSSLCtx() const;
251 
252 protected:
253  SSLCtxBase(const SSLOpts& opts);
254  virtual ~SSLCtxBase();
255  SSL_CTX* m_ctx;
256 };
257 
259 class BLOCXX_COMMON_API SSLServerCtx : public SSLCtxBase, public IntrusiveCountableBase
260 {
261 public:
262  SSLServerCtx(const SSLOpts& opts);
263  static const int SSL_DATA_INDEX = 0;
264 };
265 
267 class BLOCXX_COMMON_API SSLClientCtx : public SSLCtxBase, public IntrusiveCountableBase
268 {
269 public:
270  SSLClientCtx(const SSLOpts& opts = SSLOpts());
271 };
272 
274 class BLOCXX_COMMON_API SSLTrustStore: public IntrusiveCountableBase
275 {
276 public:
277  SSLTrustStore(const String& storeLocation);
278  void addCertificate(X509* cert, const String& user, const String& uid);
279  bool getUser(const String& certhash, String& user, String& uid);
280 
281  static String getCertMD5Fingerprint(X509* cert);
282 private:
283  String m_store;
284  String m_mapfile;
285  struct UserInfo
286  {
287  String user;
288  String uid;
289  };
290 
291 #ifdef BLOCXX_WIN32
292 #pragma warning (push)
293 #pragma warning (disable: 4251)
294 #endif
295 
296  Map<String, UserInfo> m_map;
297 
298 #ifdef BLOCXX_WIN32
299 #pragma warning (pop)
300 #endif
301 
302  void readMap();
303  void writeMap();
304 
305 };
306 
308 
309 struct BLOCXX_COMMON_API OWSSLContext
310 {
311  enum CertVerifyState_t
312  {
313  VERIFY_NONE,
314  VERIFY_PASS,
315  VERIFY_FAIL
316  };
317  OWSSLContext();
318  ~OWSSLContext();
319  CertVerifyState_t peerCertPassedVerify;
320 };
321 
323 
324 
325 #else // ifdef BLOCXX_HAVE_OPENSSL
326 
327 namespace BLOCXX_NAMESPACE
328 {
329 
330 class BLOCXX_COMMON_API SSLServerCtx : public IntrusiveCountableBase
331 {
332 };
333 
334 class BLOCXX_COMMON_API SSLClientCtx : public IntrusiveCountableBase
335 {
336 };
337 
338 #endif // ifdef BLOCXX_HAVE_OPENSSL
339 
340 } // end namespace BLOCXX_NAMESPACE
341 
342 
343 #endif
Generated by   doxygen 1.8.2