00001 // -*- C++ -*- 00002 00003 //============================================================================= 00004 /** 00005 * @file SSL_Context.h 00006 * 00007 * SSL_Context.h,v 1.27 2006/06/22 15:10:08 shuston Exp 00008 * 00009 * @author Carlos O'Ryan <coryan@ece.uci.edu> 00010 * @author Ossama Othman <ossama@dre.vanderbilt.edu> 00011 */ 00012 //============================================================================= 00013 00014 00015 #ifndef ACE_SSL_CONTEXT_H 00016 #define ACE_SSL_CONTEXT_H 00017 00018 #include /**/ "ace/pre.h" 00019 00020 #include "SSL_Export.h" 00021 00022 #if !defined (ACE_LACKS_PRAGMA_ONCE) 00023 # pragma once 00024 #endif /* ACE_LACKS_PRAGMA_ONCE */ 00025 00026 #include "ace/SString.h" 00027 00028 #ifdef ACE_HAS_THREADS 00029 # include "ace/Synch_Traits.h" 00030 #endif /* ACE_HAS_THREADS */ 00031 00032 #include <openssl/ssl.h> 00033 00034 00035 ACE_BEGIN_VERSIONED_NAMESPACE_DECL 00036 00037 class ACE_SSL_Export ACE_SSL_Data_File 00038 { 00039 public: 00040 00041 /// Default constructor 00042 ACE_SSL_Data_File (void); 00043 00044 /// Contructor from a file name and the file type. 00045 ACE_SSL_Data_File (const char *file_name, 00046 int type = SSL_FILETYPE_PEM); 00047 00048 /// The file name 00049 const char *file_name (void) const; 00050 00051 /// The type 00052 int type (void) const; 00053 00054 private: 00055 00056 /// The file name 00057 ACE_CString file_name_; 00058 00059 /// The type, used by the SSL library to parse the file contents. 00060 int type_; 00061 }; 00062 00063 // **************************************************************** 00064 00065 00066 /** 00067 * @class ACE_SSL_Context 00068 * 00069 * @brief A wrapper for the OpenSSL SSL_CTX related functions. 00070 * 00071 * This class provides a wrapper for the SSL_CTX data structure. 00072 * Since most applications have a single SSL_CTX structure, this class 00073 * can be used as a singleton. 00074 */ 00075 class ACE_SSL_Export ACE_SSL_Context 00076 { 00077 public: 00078 00079 #ifdef ACE_HAS_THREADS 00080 typedef ACE_SYNCH_MUTEX lock_type; 00081 #endif /* ACE_HAS_THREADS */ 00082 00083 enum { 00084 INVALID_METHOD = -1, 00085 SSLv2_client = 1, 00086 SSLv2_server, 00087 SSLv2, 00088 SSLv3_client, 00089 SSLv3_server, 00090 SSLv3, 00091 SSLv23_client, 00092 SSLv23_server, 00093 SSLv23, 00094 TLSv1_client, 00095 TLSv1_server, 00096 TLSv1 00097 }; 00098 00099 /// Constructor 00100 ACE_SSL_Context (void); 00101 00102 /// Destructor 00103 ~ACE_SSL_Context (void); 00104 00105 /// The Singleton context, the SSL components use the singleton if 00106 /// nothing else is available. 00107 static ACE_SSL_Context *instance (void); 00108 00109 /** 00110 * Set the CTX mode. The mode can be set only once, afterwards the 00111 * function has no effect and returns -1. 00112 * Once the mode is set the underlying SSL_CTX is initialized and 00113 * the class can be used. 00114 * If the mode is not set, then the class automatically initializes 00115 * itself to the default mode. 00116 */ 00117 int set_mode (int mode = ACE_SSL_Context::SSLv23); 00118 00119 int get_mode (void) const; 00120 00121 /// Get the SSL context 00122 SSL_CTX *context (void); 00123 00124 /// Get the file name and file format used for the private key 00125 int private_key_type (void) const; 00126 const char *private_key_file_name (void) const; 00127 00128 /// Set the private key file. 00129 /** 00130 * @note This method should only be called after a certificate has 00131 * been set since key verification is performed against the 00132 * certificate, among other things. 00133 */ 00134 int private_key (const char *file_name, 00135 int type = SSL_FILETYPE_PEM); 00136 00137 /// Verify that the private key is valid. 00138 /** 00139 * @note This method should only be called after a certificate has 00140 * been set since key verification is performed against the 00141 * certificate, among other things. 00142 */ 00143 int verify_private_key (void); 00144 00145 /// Get the file name and file format used for the certificate file 00146 int certificate_type (void) const; 00147 const char *certificate_file_name (void) const; 00148 00149 /// Set the certificate file. 00150 int certificate (const char *file_name, 00151 int type = SSL_FILETYPE_PEM); 00152 00153 00154 /** 00155 * Load the location of the trusted certification authority 00156 * certificates. Note that CA certificates are stored in PEM format 00157 * as a sequence of certificates in @a ca_file or as a set of 00158 * individual certificates in @a ca_dir (or both). 00159 * 00160 * Note this method is called by set_mode() to load the default 00161 * environment settings for @a ca_file and @a ca_dir, if any. This 00162 * allows for automatic service configuration (and backward 00163 * compatibility with previous versions). 00164 * 00165 * Note that the underlying SSL function will add valid file and 00166 * directory names to the load location lists maintained as part of 00167 * the SSL_CTX table. It therefore doesn't make sense to keep a 00168 * copy of the file and path name of the most recently added 00169 * @a ca_file or @a ca_path. 00170 * 00171 * @param[in] ca_file CA file pathname. Passed to 00172 * @c SSL_CTX_load_verify_locations() if not 00173 * 0. If 0, behavior depends on the value of 00174 * @a use_env_defaults. 00175 * @param[in] ca_dir CA directory pathname. Passed to 00176 * @c SSL_CTX_load_verify_locations() if not 00177 * 0. If 0, behavior depends on the value of 00178 * @a use_env_defaults. 00179 * @param[in] use_env_defaults If false, the specified @a ca_file argument 00180 * is passed to 00181 * @c SSL_CTX_load_verify_locations(), 00182 * regardless of its value. 00183 * If true (the default), additional defaults 00184 * can be applied to either @a ca_file, 00185 * @a ca_dir, or both. The following 00186 * additional defaults are applied when the 00187 * @a ca_file argument is 0: 00188 * - The @c SSL_CERT_FILE environment variable 00189 * will be queried for a file name to use as 00190 * the @a ca_file argument. The environment 00191 * variable name to query can be changed by 00192 * supplying a @c ACE_SSL_CERT_FILE_ENV 00193 * configuration item when building ACE. 00194 * - If there is no @c SSL_CERT_FILE in the 00195 * current environment, the file specified 00196 * by the @c ACE_DEFAULT_SSL_CERT_FILE ACE 00197 * configuration item will be used. The 00198 * default value is "cert.pem" on Windows 00199 * and "/etc/ssl/cert.pem" on all other 00200 * platforms. 00201 * The following additional defaults are 00202 * applied when the @a ca_dir argument is 0: 00203 * - The @c SSL_CERT_DIR environment variable 00204 * will be queried for a file name to use as 00205 * the @a ca_dir argument. The environment 00206 * variable name to query can be changed by 00207 * supplying a @c ACE_SSL_CERT_DIR_ENV 00208 * configuration item when building ACE. 00209 * - If there is no @c SSL_CERT_DIR in the 00210 * current environment, the directory 00211 * specified by the @c 00212 * ACE_DEFAULT_SSL_CERT_DIR ACE 00213 * configuration item will be used. The 00214 * default value is "certs" on Windows 00215 * and "/etc/ssl/certs" on all other 00216 * platforms. 00217 * 00218 * @return 0 for success or -1 on error. 00219 * 00220 * @see OpenSSL manual SSL_CTX_load_verify_locations(3) for a 00221 * detailed description of the CA file and directory requirements 00222 * and processing. 00223 */ 00224 int load_trusted_ca (const char* ca_file = 0, 00225 const char* ca_dir = 0, 00226 bool use_env_defaults = true); 00227 00228 /** 00229 * Test whether any CA locations have been successfully loaded and 00230 * return the number of successful attempts. 00231 * 00232 * @retval >0 The number of successful CA load attempts. 00233 * @retval 0 If all CA load attempts have failed. 00234 */ 00235 int have_trusted_ca (void) const; 00236 00237 00238 /** 00239 * @todo Complete this documentation where elipses(...) are used 00240 * 00241 * @doc Use this method when certificate chain verification is 00242 * required. The default server behaviour is SSL_VERIFY_NONE 00243 * i.e. client certicates are requested for verified. This method 00244 * can be used to configure server to request client certificates 00245 * and perform the certificate verification. If <strict> is set 00246 * true the client connection is rejected when certificate 00247 * verification fails. Otherwise the session is accepted with a 00248 * warning, which is the default behaviour. If <once> is set true 00249 * (default), certificates are requested only once per session. 00250 * The last parameter <depth> can be used to set the verification 00251 * depth. 00252 * 00253 * Note for verification to work correctly there should be a valid 00254 * CA name list set using load_trusted_ca(). 00255 * 00256 * @see OpenSSL documentation of SSL_CTX_set_verify(3) for details of 00257 * the verification process. 00258 * 00259 * @see OpenSSL documentation ... set_verify_depth(3) ... 00260 * 00261 * Note that this method overrides the use of the 00262 * default_verify_mode() method. 00263 */ 00264 void set_verify_peer (int strict = 0, 00265 int once = 1, 00266 int depth = 0); 00267 00268 00269 /// TODO: a implementation that will lookup the CTX table for the list 00270 /// of files and paths etc. 00271 /// Query the location of trusted certification authority 00272 /// certificates. 00273 // const char* ca_file_name(void) const; 00274 // const char* ca_dir_name(void) const; 00275 00276 00277 00278 /** 00279 * Set and query the default verify mode for this context, it is 00280 * inherited by all the ACE_SSL objects created using the context. 00281 * It can be overriden on a per-ACE_SSL object. 00282 */ 00283 void default_verify_mode (int mode); 00284 int default_verify_mode (void) const; 00285 00286 /** 00287 * @name OpenSSL Random Number Generator Seed Related Methods 00288 * 00289 * These are methods that can be used to seed OpenSSL's 00290 * pseudo-random number generator. These methods can be called more 00291 * than once. 00292 */ 00293 //@{ 00294 /// Seed the underlying random number generator. This value should 00295 /// have at least 128 bits of entropy. 00296 static int random_seed (const char * seed); 00297 00298 /// Set the Entropy Gathering Daemon (EGD) UNIX domain socket file to 00299 /// read random seed values from. 00300 static int egd_file (const char * socket_file); 00301 00302 /** 00303 * Set the file that contains the random seed value state, and the 00304 * amount of bytes to read. "-1" bytes causes the entire file to be 00305 * read. 00306 */ 00307 static int seed_file (const char * seed_file, long bytes = -1); 00308 //@} 00309 00310 /// Print SSL error corresponding to the given error code. 00311 static void report_error (unsigned long error_code); 00312 00313 /// Print the last SSL error for the current thread. 00314 static void report_error (void); 00315 00316 /** 00317 * @name Diffie-Hellman (DH) Parameters 00318 * 00319 * When using DSS-based certificates, Diffie-Hellman keys need to be 00320 * exchanged. These must be provided in the form of DH key 00321 * generation parameters loaded in, or as fixed keys hardcoded into 00322 * the code itself. ACE_SSL supports loaded parameters. 00323 * 00324 */ 00325 //@{ 00326 /** 00327 * Load Diffie-Hellman parameters from file_name. The specified file can be 00328 * a standalone file containing only DH parameters (e.g., as created 00329 * by <code>openssl dhparam</code>), or it can be a certificate which has 00330 * a PEM-encoded set of DH params concatenated on to i. 00331 */ 00332 int dh_params (const char *file_name, int type = SSL_FILETYPE_PEM); 00333 const char *dh_params_file_name () const; 00334 int dh_params_file_type () const; 00335 //@} 00336 00337 private: 00338 00339 /// Verify if the context has been initialized or not. 00340 void check_context (void); 00341 00342 /// @@ More to document 00343 void ssl_library_init (); 00344 void ssl_library_fini (); 00345 00346 // = Prevent assignment and copy initialization. 00347 //@{ 00348 ACE_SSL_Context (const ACE_SSL_Context &); 00349 ACE_SSL_Context & operator= (const ACE_SSL_Context &); 00350 //@} 00351 00352 private: 00353 00354 /// The SSL_CTX structure 00355 SSL_CTX *context_; 00356 00357 /// Cache the mode so we can answer fast 00358 int mode_; 00359 00360 /// The private key, certificate, and Diffie-Hellman paramters files 00361 ACE_SSL_Data_File private_key_; 00362 ACE_SSL_Data_File certificate_; 00363 ACE_SSL_Data_File dh_params_; 00364 00365 /// The default verify mode. 00366 int default_verify_mode_; 00367 00368 /// count of successful CA load attempts 00369 int have_ca_; 00370 00371 #ifdef ACE_HAS_THREADS 00372 /// Array of mutexes used internally by OpenSSL when the SSL 00373 /// application is multithreaded. 00374 static lock_type * locks_; 00375 #endif /* ACE_HAS_THREADS */ 00376 00377 }; 00378 00379 ACE_END_VERSIONED_NAMESPACE_DECL 00380 00381 #if defined(__ACE_INLINE__) 00382 #include "SSL_Context.inl" 00383 #endif /* __ACE_INLINE__ */ 00384 00385 #include /**/ "ace/post.h" 00386 00387 #endif /* ACE_SSL_CONTEXT_H */
1.3.6