00001 // -*- C++ -*- 00002 00003 //============================================================================= 00004 /** 00005 * @file SSL_Context.h 00006 * 00007 * $Id: SSL_Context.h 77198 2007-02-19 18:34:48Z johnnyw $ 00008 * 00009 * @author Carlos O'Ryan <coryan@ece.uci.edu> 00010 * @author Ossama Othman <ossama@dre.vanderbilt.edu> 00011 */ 00012 //============================================================================= 00013 00014 00015 #ifndef ACE_SSL_CONTEXT_H 00016 #define ACE_SSL_CONTEXT_H 00017 00018 #include /**/ "ace/pre.h" 00019 00020 #include "SSL_Export.h" 00021 00022 #if !defined (ACE_LACKS_PRAGMA_ONCE) 00023 # pragma once 00024 #endif /* ACE_LACKS_PRAGMA_ONCE */ 00025 00026 #include "ace/SString.h" 00027 00028 #ifdef ACE_HAS_THREADS 00029 # include "ace/Synch_Traits.h" 00030 #endif /* ACE_HAS_THREADS */ 00031 00032 #include <openssl/ssl.h> 00033 00034 00035 ACE_BEGIN_VERSIONED_NAMESPACE_DECL 00036 00037 class ACE_SSL_Export ACE_SSL_Data_File 00038 { 00039 public: 00040 00041 /// Default constructor 00042 ACE_SSL_Data_File (void); 00043 00044 /// Contructor from a file name and the file type. 00045 ACE_SSL_Data_File (const char *file_name, 00046 int type = SSL_FILETYPE_PEM); 00047 00048 /// The file name 00049 const char *file_name (void) const; 00050 00051 /// The type 00052 int type (void) const; 00053 00054 private: 00055 00056 /// The file name 00057 ACE_CString file_name_; 00058 00059 /// The type, used by the SSL library to parse the file contents. 00060 int type_; 00061 }; 00062 00063 // **************************************************************** 00064 00065 00066 /** 00067 * @class ACE_SSL_Context 00068 * 00069 * @brief A wrapper for the OpenSSL SSL_CTX related functions. 00070 * 00071 * This class provides a wrapper for the SSL_CTX data structure. 00072 * Since most applications have a single SSL_CTX structure, this class 00073 * can be used as a singleton. 00074 */ 00075 class ACE_SSL_Export ACE_SSL_Context 00076 { 00077 public: 00078 00079 #ifdef ACE_HAS_THREADS 00080 typedef ACE_SYNCH_MUTEX lock_type; 00081 #endif /* ACE_HAS_THREADS */ 00082 00083 enum { 00084 INVALID_METHOD = -1, 00085 SSLv2_client = 1, 00086 SSLv2_server, 00087 SSLv2, 00088 SSLv3_client, 00089 SSLv3_server, 00090 SSLv3, 00091 SSLv23_client, 00092 SSLv23_server, 00093 SSLv23, 00094 TLSv1_client, 00095 TLSv1_server, 00096 TLSv1 00097 }; 00098 00099 /// Constructor 00100 ACE_SSL_Context (void); 00101 00102 /// Destructor 00103 ~ACE_SSL_Context (void); 00104 00105 /// The Singleton context, the SSL components use the singleton if 00106 /// nothing else is available. 00107 static ACE_SSL_Context *instance (void); 00108 00109 /** 00110 * Set the CTX mode. The mode can be set only once, afterwards the 00111 * function has no effect and returns -1. 00112 * Once the mode is set the underlying SSL_CTX is initialized and 00113 * the class can be used. 00114 * If the mode is not set, then the class automatically initializes 00115 * itself to the default mode. 00116 */ 00117 int set_mode (int mode = ACE_SSL_Context::SSLv23); 00118 00119 int get_mode (void) const; 00120 00121 /// Get the SSL context 00122 SSL_CTX *context (void); 00123 00124 /// Get the file name and file format used for the private key 00125 int private_key_type (void) const; 00126 const char *private_key_file_name (void) const; 00127 00128 /// Set the private key file. 00129 /** 00130 * @note This method should only be called after a certificate has 00131 * been set since key verification is performed against the 00132 * certificate, among other things. 00133 */ 00134 int private_key (const char *file_name, int type = SSL_FILETYPE_PEM); 00135 00136 /// Verify that the private key is valid. 00137 /** 00138 * @note This method should only be called after a certificate has 00139 * been set since key verification is performed against the 00140 * certificate, among other things. 00141 */ 00142 int verify_private_key (void); 00143 00144 /// Get the file name and file format used for the certificate file 00145 int certificate_type (void) const; 00146 const char *certificate_file_name (void) const; 00147 00148 /// Set the certificate file. 00149 int certificate (const char *file_name, 00150 int type = SSL_FILETYPE_PEM); 00151 00152 /// Load certificate from memory rather than a file. 00153 int certificate (X509* cert); 00154 00155 /** 00156 * Load the location of the trusted certification authority 00157 * certificates. Note that CA certificates are stored in PEM format 00158 * as a sequence of certificates in @a ca_file or as a set of 00159 * individual certificates in @a ca_dir (or both). 00160 * 00161 * Note this method is called by set_mode() to load the default 00162 * environment settings for @a ca_file and @a ca_dir, if any. This 00163 * allows for automatic service configuration (and backward 00164 * compatibility with previous versions). 00165 * 00166 * Note that the underlying SSL function will add valid file and 00167 * directory names to the load location lists maintained as part of 00168 * the SSL_CTX table. It therefore doesn't make sense to keep a 00169 * copy of the file and path name of the most recently added 00170 * @a ca_file or @a ca_path. 00171 * 00172 * @param[in] ca_file CA file pathname. Passed to 00173 * @c SSL_CTX_load_verify_locations() if not 00174 * 0. If 0, behavior depends on the value of 00175 * @a use_env_defaults. 00176 * @param[in] ca_dir CA directory pathname. Passed to 00177 * @c SSL_CTX_load_verify_locations() if not 00178 * 0. If 0, behavior depends on the value of 00179 * @a use_env_defaults. 00180 * @param[in] use_env_defaults If false, the specified @a ca_file argument 00181 * is passed to 00182 * @c SSL_CTX_load_verify_locations(), 00183 * regardless of its value. 00184 * If true (the default), additional defaults 00185 * can be applied to either @a ca_file, 00186 * @a ca_dir, or both. The following 00187 * additional defaults are applied when the 00188 * @a ca_file argument is 0: 00189 * - The @c SSL_CERT_FILE environment variable 00190 * will be queried for a file name to use as 00191 * the @a ca_file argument. The environment 00192 * variable name to query can be changed by 00193 * supplying a @c ACE_SSL_CERT_FILE_ENV 00194 * configuration item when building ACE. 00195 * - If there is no @c SSL_CERT_FILE in the 00196 * current environment, the file specified 00197 * by the @c ACE_DEFAULT_SSL_CERT_FILE ACE 00198 * configuration item will be used. The 00199 * default value is "cert.pem" on Windows 00200 * and "/etc/ssl/cert.pem" on all other 00201 * platforms. 00202 * The following additional defaults are 00203 * applied when the @a ca_dir argument is 0: 00204 * - The @c SSL_CERT_DIR environment variable 00205 * will be queried for a file name to use as 00206 * the @a ca_dir argument. The environment 00207 * variable name to query can be changed by 00208 * supplying a @c ACE_SSL_CERT_DIR_ENV 00209 * configuration item when building ACE. 00210 * - If there is no @c SSL_CERT_DIR in the 00211 * current environment, the directory 00212 * specified by the @c 00213 * ACE_DEFAULT_SSL_CERT_DIR ACE 00214 * configuration item will be used. The 00215 * default value is "certs" on Windows 00216 * and "/etc/ssl/certs" on all other 00217 * platforms. 00218 * 00219 * @return 0 for success or -1 on error. 00220 * 00221 * @see OpenSSL manual SSL_CTX_load_verify_locations(3) for a 00222 * detailed description of the CA file and directory requirements 00223 * and processing. 00224 */ 00225 int load_trusted_ca (const char* ca_file = 0, 00226 const char* ca_dir = 0, 00227 bool use_env_defaults = true); 00228 00229 /** 00230 * Test whether any CA locations have been successfully loaded and 00231 * return the number of successful attempts. 00232 * 00233 * @retval >0 The number of successful CA load attempts. 00234 * @retval 0 If all CA load attempts have failed. 00235 */ 00236 int have_trusted_ca (void) const; 00237 00238 00239 /** 00240 * @todo Complete this documentation where elipses(...) are used 00241 * 00242 * @doc Use this method when certificate chain verification is 00243 * required. The default server behaviour is SSL_VERIFY_NONE 00244 * i.e. client certicates are requested for verified. This method 00245 * can be used to configure server to request client certificates 00246 * and perform the certificate verification. If <strict> is set 00247 * true the client connection is rejected when certificate 00248 * verification fails. Otherwise the session is accepted with a 00249 * warning, which is the default behaviour. If <once> is set true 00250 * (default), certificates are requested only once per session. 00251 * The last parameter <depth> can be used to set the verification 00252 * depth. 00253 * 00254 * Note for verification to work correctly there should be a valid 00255 * CA name list set using load_trusted_ca(). 00256 * 00257 * @see OpenSSL documentation of SSL_CTX_set_verify(3) for details of 00258 * the verification process. 00259 * 00260 * @see OpenSSL documentation ... set_verify_depth(3) ... 00261 * 00262 * Note that this method overrides the use of the 00263 * default_verify_mode() method. 00264 */ 00265 void set_verify_peer (int strict = 0, int once = 1, int depth = 0); 00266 00267 00268 /// TODO: a implementation that will lookup the CTX table for the list 00269 /// of files and paths etc. 00270 /// Query the location of trusted certification authority 00271 /// certificates. 00272 // const char* ca_file_name(void) const; 00273 // const char* ca_dir_name(void) const; 00274 00275 /** 00276 * Set and query the default verify mode for this context, it is 00277 * inherited by all the ACE_SSL objects created using the context. 00278 * It can be overriden on a per-ACE_SSL object. 00279 */ 00280 void default_verify_mode (int mode); 00281 int default_verify_mode (void) const; 00282 00283 /** 00284 * @name OpenSSL Random Number Generator Seed Related Methods 00285 * 00286 * These are methods that can be used to seed OpenSSL's 00287 * pseudo-random number generator. These methods can be called more 00288 * than once. 00289 */ 00290 //@{ 00291 /// Seed the underlying random number generator. This value should 00292 /// have at least 128 bits of entropy. 00293 static int random_seed (const char * seed); 00294 00295 /// Set the Entropy Gathering Daemon (EGD) UNIX domain socket file to 00296 /// read random seed values from. 00297 static int egd_file (const char * socket_file); 00298 00299 /** 00300 * Set the file that contains the random seed value state, and the 00301 * amount of bytes to read. "-1" bytes causes the entire file to be 00302 * read. 00303 */ 00304 static int seed_file (const char * seed_file, long bytes = -1); 00305 //@} 00306 00307 /// Print SSL error corresponding to the given error code. 00308 static void report_error (unsigned long error_code); 00309 00310 /// Print the last SSL error for the current thread. 00311 static void report_error (void); 00312 00313 /** 00314 * @name Diffie-Hellman (DH) Parameters 00315 * 00316 * When using DSS-based certificates, Diffie-Hellman keys need to be 00317 * exchanged. These must be provided in the form of DH key 00318 * generation parameters loaded in, or as fixed keys hardcoded into 00319 * the code itself. ACE_SSL supports loaded parameters. 00320 * 00321 */ 00322 //@{ 00323 /** 00324 * Load Diffie-Hellman parameters from file_name. The specified file can be 00325 * a standalone file containing only DH parameters (e.g., as created 00326 * by <code>openssl dhparam</code>), or it can be a certificate which has 00327 * a PEM-encoded set of DH params concatenated on to i. 00328 */ 00329 int dh_params (const char *file_name, int type = SSL_FILETYPE_PEM); 00330 const char *dh_params_file_name () const; 00331 int dh_params_file_type () const; 00332 //@} 00333 00334 private: 00335 00336 /// Verify if the context has been initialized or not. 00337 void check_context (void); 00338 00339 /// @@ More to document 00340 void ssl_library_init (); 00341 void ssl_library_fini (); 00342 00343 // = Prevent assignment and copy initialization. 00344 //@{ 00345 ACE_SSL_Context (const ACE_SSL_Context &); 00346 ACE_SSL_Context & operator= (const ACE_SSL_Context &); 00347 //@} 00348 00349 private: 00350 00351 /// The SSL_CTX structure 00352 SSL_CTX *context_; 00353 00354 /// Cache the mode so we can answer fast 00355 int mode_; 00356 00357 /// The private key, certificate, and Diffie-Hellman paramters files 00358 ACE_SSL_Data_File private_key_; 00359 ACE_SSL_Data_File certificate_; 00360 ACE_SSL_Data_File dh_params_; 00361 00362 /// The default verify mode. 00363 int default_verify_mode_; 00364 00365 /// count of successful CA load attempts 00366 int have_ca_; 00367 00368 #ifdef ACE_HAS_THREADS 00369 /// Array of mutexes used internally by OpenSSL when the SSL 00370 /// application is multithreaded. 00371 static lock_type * locks_; 00372 #endif /* ACE_HAS_THREADS */ 00373 00374 }; 00375 00376 ACE_END_VERSIONED_NAMESPACE_DECL 00377 00378 #if defined(__ACE_INLINE__) 00379 #include "SSL_Context.inl" 00380 #endif /* __ACE_INLINE__ */ 00381 00382 #include /**/ "ace/post.h" 00383 00384 #endif /* ACE_SSL_CONTEXT_H */
1.3.6