version 1.18, 2004/10/17 20:39:17
|
version 1.37, 2009/01/20 20:12:48
|
|
|
//%2004//////////////////////////////////////////////////////////////////////// |
//%LICENSE//////////////////////////////////////////////////////////////// |
// | // |
// Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development |
// Licensed to The Open Group (TOG) under one or more contributor license |
// Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems. |
// agreements. Refer to the OpenPegasusNOTICE.txt file distributed with |
// Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.; |
// this work for additional information regarding copyright ownership. |
// IBM Corp.; EMC Corporation, The Open Group. |
// Each contributor licenses this file to you under the OpenPegasus Open |
// Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.; |
// Source License; you may not use this file except in compliance with the |
// IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group. |
// License. |
// |
|
// Permission is hereby granted, free of charge, to any person obtaining a copy |
|
// of this software and associated documentation files (the "Software"), to |
|
// deal in the Software without restriction, including without limitation the |
|
// rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
|
// sell copies of the Software, and to permit persons to whom the Software is |
|
// furnished to do so, subject to the following conditions: |
|
// |
|
// THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN |
|
// ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED |
|
// "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT |
|
// LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR |
|
// PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT |
|
// HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN |
|
// ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION |
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
|
// | // |
//============================================================================== |
// Permission is hereby granted, free of charge, to any person obtaining a |
|
// copy of this software and associated documentation files (the "Software"), |
|
// to deal in the Software without restriction, including without limitation |
|
// the rights to use, copy, modify, merge, publish, distribute, sublicense, |
|
// and/or sell copies of the Software, and to permit persons to whom the |
|
// Software is furnished to do so, subject to the following conditions: |
// | // |
// Author: Nag Boranna, Hewlett-Packard Company ( nagaraja_boranna@hp.com ) |
// The above copyright notice and this permission notice shall be included |
|
// in all copies or substantial portions of the Software. |
// | // |
// Modified By: Sushma Fernandes, Hewlett-Packard Company (sushma_fernandes@hp.com) |
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS |
// Heather Sterling, IBM (hsterl@us.ibm.com) |
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF |
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. |
|
// IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY |
|
// CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, |
|
// TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE |
|
// SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
|
// |
|
////////////////////////////////////////////////////////////////////////// |
// | // |
//%///////////////////////////////////////////////////////////////////////////// | //%///////////////////////////////////////////////////////////////////////////// |
| |
|
#ifndef Pegasus_SSLContextRep_h |
|
#define Pegasus_SSLContextRep_h |
|
|
#ifdef PEGASUS_HAS_SSL | #ifdef PEGASUS_HAS_SSL |
#define OPENSSL_NO_KRB5 1 | #define OPENSSL_NO_KRB5 1 |
#include <openssl/err.h> | #include <openssl/err.h> |
|
|
#else | #else |
#define SSL_CTX void | #define SSL_CTX void |
#endif | #endif |
#include <Pegasus/Common/SSLContext.h> |
|
#include <Pegasus/Common/Linkage.h> |
|
#include <Pegasus/Common/IPC.h> |
|
| |
#ifndef Pegasus_SSLContextRep_h |
#include <Pegasus/Common/SSLContext.h> |
#define Pegasus_SSLContextRep_h |
#include <Pegasus/Common/Mutex.h> |
|
#include <Pegasus/Common/Threads.h> |
|
#include <Pegasus/Common/Tracer.h> |
|
#include <Pegasus/Common/AutoPtr.h> |
|
#include <Pegasus/Common/SharedPtr.h> |
| |
|
// |
|
// Typedef's for OpenSSL callback functions. |
|
// |
|
extern "C" |
|
{ |
|
typedef void (* CRYPTO_SET_LOCKING_CALLBACK)(int, int, const char *, int); |
|
typedef unsigned long (* CRYPTO_SET_ID_CALLBACK)(void); |
|
} |
| |
PEGASUS_NAMESPACE_BEGIN | PEGASUS_NAMESPACE_BEGIN |
| |
|
struct FreeX509STOREPtr |
|
{ |
|
void operator()(X509_STORE* ptr) |
|
{ |
|
#ifdef PEGASUS_HAS_SSL |
|
X509_STORE_free(ptr); |
|
#endif |
|
} |
|
}; |
|
|
|
#ifdef PEGASUS_HAS_SSL |
|
|
|
class SSLEnvironmentInitializer |
|
{ |
|
public: |
|
|
|
SSLEnvironmentInitializer() |
|
{ |
|
AutoMutex autoMut(_instanceCountMutex); |
|
|
|
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
|
"In SSLEnvironmentInitializer(), _instanceCount is %d", |
|
_instanceCount)); |
|
|
|
if (_instanceCount == 0) |
|
{ |
|
_initializeCallbacks(); |
|
SSL_load_error_strings(); |
|
SSL_library_init(); |
|
} |
|
|
|
_instanceCount++; |
|
} |
|
|
|
~SSLEnvironmentInitializer() |
|
{ |
|
AutoMutex autoMut(_instanceCountMutex); |
|
_instanceCount--; |
|
|
|
PEG_TRACE((TRC_SSL, Tracer::LEVEL4, |
|
"In ~SSLEnvironmentInitializer(), _instanceCount is %d", |
|
_instanceCount)); |
| |
class PEGASUS_COMMON_LINKAGE SSLContextRep |
if (_instanceCount == 0) |
{ | { |
|
ERR_free_strings(); |
|
_uninitializeCallbacks(); |
|
} |
|
} |
|
|
|
private: |
|
|
|
SSLEnvironmentInitializer(const SSLEnvironmentInitializer&); |
|
SSLEnvironmentInitializer& operator=(const SSLEnvironmentInitializer&); |
|
|
/* | /* |
SSL locking callback function. It is needed to perform locking on |
Initialize the SSL locking and ID callbacks. |
shared data structures. |
*/ |
|
static void _initializeCallbacks() |
|
{ |
|
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, |
|
"Initializing SSL callbacks."); |
|
|
|
// Allocate Memory for _sslLocks. SSL locks needs to be able to handle |
|
// up to CRYPTO_num_locks() different mutex locks. |
|
|
|
_sslLocks.reset(new Mutex[CRYPTO_num_locks()]); |
| |
This function needs access to variable ssl_locks. |
#ifdef PEGASUS_HAVE_PTHREADS |
Declare it as a friend of class SSLContextRep. |
// Set the ID callback. The ID callback returns a thread ID. |
|
# ifdef PEGASUS_OS_VMS |
|
CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) _getThreadId); |
|
# else |
|
CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) pthread_self); |
|
# endif |
|
#endif |
| |
@param mode Specifies whether to lock/unlock. |
// Set the locking callback. |
@param type Type of lock. |
|
@param file File name of the function setting the lock. |
CRYPTO_set_locking_callback( |
@param line Line number of the function setting the lock. |
(CRYPTO_SET_LOCKING_CALLBACK) _lockingCallback); |
|
} |
|
|
|
#if defined(PEGASUS_OS_VMS) && defined(PEGASUS_HAVE_PTHREADS) |
|
static unsigned long _getThreadId(void) |
|
{ |
|
return pthread_getsequence_np(pthread_self()); |
|
} |
|
#endif |
|
/* |
|
Reset the SSL locking and ID callbacks. |
*/ | */ |
friend void pegasus_locking_callback( |
static void _uninitializeCallbacks() |
|
{ |
|
PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "Resetting SSL callbacks."); |
|
CRYPTO_set_locking_callback(NULL); |
|
CRYPTO_set_id_callback(NULL); |
|
_sslLocks.reset(); |
|
} |
|
|
|
static void _lockingCallback( |
int mode, | int mode, |
int type, | int type, |
const char* file, | const char* file, |
int line); |
int line) |
|
{ |
|
if (mode & CRYPTO_LOCK) |
|
{ |
|
_sslLocks.get()[type].lock(); |
|
} |
|
else |
|
{ |
|
_sslLocks.get()[type].unlock(); |
|
} |
|
} |
|
|
|
/** |
|
Locks to be used by SSL. |
|
*/ |
|
static AutoArrayPtr<Mutex> _sslLocks; |
|
|
|
/** |
|
Count of the instances of this class. The SSL environment must be |
|
initialized when the first SSLEnvironmentInitializer is constructed. |
|
It must be uninitialized when the last SSLEnvironmentInitializer is |
|
destructed. |
|
*/ |
|
static int _instanceCount; |
|
|
|
/** |
|
Mutex for controlling access to _instanceCount. |
|
*/ |
|
static Mutex _instanceCountMutex; |
|
}; |
| |
|
#endif |
|
|
|
class SSLCallbackInfoRep |
|
{ |
|
public: |
|
SSLCertificateVerifyFunction* verifyCertificateCallback; |
|
Array<SSLCertificateInfo*> peerCertificate; |
|
X509_STORE* crlStore; |
|
|
|
String ipAddress; |
|
|
|
friend class SSLCallback; |
|
|
|
friend class SSLCallbackInfo; |
|
}; |
|
|
|
class SSLContextRep |
|
{ |
public: | public: |
| |
/** Constructor for a SSLContextRep object. | /** Constructor for a SSLContextRep object. |
|
|
@param keyPath server key file path | @param keyPath server key file path |
@param verifyCert function pointer to a certificate verification | @param verifyCert function pointer to a certificate verification |
call back function. | call back function. |
@param trustStoreAutoUpdate indicates that the server can automatically add certificates |
|
to the truststore if they are sent with valid sslTrustStoreUserName credentials |
|
@param trustStoreUserName the user to associate the truststore with; this is basically |
|
a workaround to providers that require a username and will be addressed post 2.4 |
|
@param randomFile file path of a random file that is used as a seed | @param randomFile file path of a random file that is used as a seed |
for random number generation by OpenSSL. | for random number generation by OpenSSL. |
| |
|
|
const String& trustStore, | const String& trustStore, |
const String& certPath = String::EMPTY, | const String& certPath = String::EMPTY, |
const String& keyPath = String::EMPTY, | const String& keyPath = String::EMPTY, |
|
const String& crlPath = String::EMPTY, |
SSLCertificateVerifyFunction* verifyCert = NULL, | SSLCertificateVerifyFunction* verifyCert = NULL, |
Boolean trustStoreAutoUpdate = false, |
|
String trustStoreUserName = String::EMPTY, |
|
const String& randomFile = String::EMPTY); | const String& randomFile = String::EMPTY); |
| |
SSLContextRep(const SSLContextRep& sslContextRep); | SSLContextRep(const SSLContextRep& sslContextRep); |
|
|
| |
String getKeyPath() const; | String getKeyPath() const; |
| |
Boolean isPeerVerificationEnabled() const; |
#ifdef PEGASUS_USE_DEPRECATED_INTERFACES |
|
String getTrustStoreUserName() const; |
|
#endif |
| |
Boolean isTrustStoreAutoUpdateEnabled() const; |
String getCRLPath() const; |
| |
String getTrustStoreUserName() const; |
SharedPtr<X509_STORE, FreeX509STOREPtr> getCRLStore() const; |
| |
SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const; |
void setCRLStore(X509_STORE* store); |
| |
/* |
Boolean isPeerVerificationEnabled() const; |
Initialize the SSL locking environment. |
|
| |
This function sets the locking callback functions. |
SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const; |
*/ |
|
static void init_ssl(); |
|
| |
/* |
/** |
Cleanup the SSL locking environment. |
Checks if the certificate associated with this SSL context has expired |
|
or is not yet valid. |
|
@exception SSLException if the certificate is determined to be invalid. |
*/ | */ |
static void free_ssl(); |
void validateCertificate(); |
| |
private: | private: |
| |
|
#ifdef PEGASUS_HAS_SSL |
|
/** |
|
Ensures that the SSL environment remains initialized for the lifetime |
|
of the SSLContextRep object. |
|
*/ |
|
SSLEnvironmentInitializer _env; |
|
#endif |
|
|
SSL_CTX * _makeSSLContext(); | SSL_CTX * _makeSSLContext(); |
void _randomInit(const String& randomFile); | void _randomInit(const String& randomFile); |
Boolean _verifyPrivateKey(SSL_CTX *ctx, const String& keyPath); | Boolean _verifyPrivateKey(SSL_CTX *ctx, const String& keyPath); |
|
|
String _trustStore; | String _trustStore; |
String _certPath; | String _certPath; |
String _keyPath; | String _keyPath; |
|
String _crlPath; |
String _randomFile; | String _randomFile; |
SSL_CTX * _sslContext; | SSL_CTX * _sslContext; |
| |
Boolean _verifyPeer; | Boolean _verifyPeer; |
Boolean _trustStoreAutoUpdate; |
|
String _trustStoreUserName; |
|
| |
SSLCertificateVerifyFunction* _certificateVerifyFunction; | SSLCertificateVerifyFunction* _certificateVerifyFunction; |
| |
/* |
SharedPtr<X509_STORE, FreeX509STOREPtr> _crlStore; |
Mutex containing the SSL locks. |
|
*/ |
|
static Mutex* _sslLocks; |
|
|
|
/* |
|
Count for instances of this class. This is used to initialize and free |
|
SSL locking objects. |
|
*/ |
|
static int _countRep; |
|
|
|
/* |
|
Mutex for countRep. |
|
*/ |
|
static Mutex _countRepMutex; |
|
}; | }; |
| |
PEGASUS_NAMESPACE_END | PEGASUS_NAMESPACE_END |
| |
#endif /* Pegasus_SSLContextRep_h */ | #endif /* Pegasus_SSLContextRep_h */ |
|
|