1 karl 1.25 //%2006////////////////////////////////////////////////////////////////////////
|
2 kumpf 1.1 //
|
3 karl 1.18 // Copyright (c) 2000, 2001, 2002 BMC Software; Hewlett-Packard Development
4 // Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.
5 // Copyright (c) 2003 BMC Software; Hewlett-Packard Development Company, L.P.;
|
6 karl 1.13 // IBM Corp.; EMC Corporation, The Open Group.
|
7 karl 1.18 // Copyright (c) 2004 BMC Software; Hewlett-Packard Development Company, L.P.;
8 // IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.
|
9 karl 1.20 // Copyright (c) 2005 Hewlett-Packard Development Company, L.P.; IBM Corp.;
10 // EMC Corporation; VERITAS Software Corporation; The Open Group.
|
11 karl 1.25 // Copyright (c) 2006 Hewlett-Packard Development Company, L.P.; IBM Corp.;
12 // EMC Corporation; Symantec Corporation; The Open Group.
|
13 kumpf 1.1 //
14 // Permission is hereby granted, free of charge, to any person obtaining a copy
|
15 kumpf 1.2 // of this software and associated documentation files (the "Software"), to
16 // deal in the Software without restriction, including without limitation the
17 // rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
|
18 kumpf 1.1 // sell copies of the Software, and to permit persons to whom the Software is
19 // furnished to do so, subject to the following conditions:
20 //
|
21 kumpf 1.2 // THE ABOVE COPYRIGHT NOTICE AND THIS PERMISSION NOTICE SHALL BE INCLUDED IN
|
22 kumpf 1.1 // ALL COPIES OR SUBSTANTIAL PORTIONS OF THE SOFTWARE. THE SOFTWARE IS PROVIDED
23 // "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
|
24 kumpf 1.2 // LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
25 // PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
26 // HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
|
27 kumpf 1.1 // ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
28 // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
29 //
30 //==============================================================================
31 //
32 //%/////////////////////////////////////////////////////////////////////////////
33
|
34 kumpf 1.30 #ifndef Pegasus_SSLContextRep_h
35 #define Pegasus_SSLContextRep_h
36
|
37 kumpf 1.1 #ifdef PEGASUS_HAS_SSL
|
38 kumpf 1.30 # define OPENSSL_NO_KRB5 1
39 # include <openssl/err.h>
40 # include <openssl/ssl.h>
41 # include <openssl/rand.h>
|
42 kumpf 1.1 #else
|
43 kumpf 1.30 # define SSL_CTX void
|
44 kumpf 1.1 #endif
|
45 kumpf 1.30
|
46 kumpf 1.1 #include <Pegasus/Common/SSLContext.h>
|
47 mike 1.27 #include <Pegasus/Common/Mutex.h>
|
48 kumpf 1.31 #include <Pegasus/Common/Threads.h>
49 #include <Pegasus/Common/Tracer.h>
|
50 kumpf 1.30 #include <Pegasus/Common/AutoPtr.h>
51 #include <Pegasus/Common/SharedPtr.h>
|
52 kumpf 1.1
|
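//
// Typedef's for OpenSSL callback functions.  Both are pointers to C-linkage
// functions so they match what CRYPTO_set_locking_callback() and
// CRYPTO_set_id_callback() expect (see SSLEnvironmentInitializer below).
//
extern "C"
{
// (mode, type, file, line): `type` indexes the lock array, `mode` carries
// CRYPTO_LOCK to acquire and is clear to release; file/line are call-site
// info from OpenSSL.
typedef void (* CRYPTO_SET_LOCKING_CALLBACK)(int, int, const char *, int);
// Returns an integer identifying the calling thread.
typedef unsigned long (* CRYPTO_SET_ID_CALLBACK)(void);
}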
61
|
62 kumpf 1.30 PEGASUS_NAMESPACE_BEGIN
|
63 kumpf 1.1
|
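/**
    Deleter used by SharedPtr<X509_STORE, FreeX509STOREPtr>: releases the
    OpenSSL X509_STORE when the last shared owner goes away.  Without
    PEGASUS_HAS_SSL there is no OpenSSL to call, so it is a no-op.
*/
struct FreeX509STOREPtr
{
    // const-qualified so the deleter can be invoked through a const deleter
    // object; it holds no state, so this costs nothing.
    void operator()(X509_STORE* ptr) const
    {
#ifdef PEGASUS_HAS_SSL
        X509_STORE_free(ptr);
#else
        (void) ptr;  // unused without OpenSSL; keeps -Wunused-parameter quiet
#endif
    }
};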
|
73 kumpf 1.1
|
74 kumpf 1.31 #ifdef PEGASUS_HAS_SSL
75
/**
    RAII guard for the process-wide OpenSSL state.  The first live instance
    installs the locking / thread-ID callbacks and calls
    SSL_load_error_strings() and SSL_library_init(); the last instance to be
    destroyed tears them down again.  All instance bookkeeping is serialized
    by _instanceCountMutex.
*/
class SSLEnvironmentInitializer
{
public:

    SSLEnvironmentInitializer()
    {
        AutoMutex guard(_instanceCountMutex);

        PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
            "In SSLEnvironmentInitializer(), _instanceCount is %d",
            _instanceCount));

        // Only the first instance brings the library up.  The callbacks are
        // installed before SSL_library_init(); keep that order so any
        // locking OpenSSL does during initialization already goes through
        // our mutexes (presumably the reason for the ordering).
        const bool firstInstance = (_instanceCount == 0);
        if (firstInstance)
        {
            _initializeCallbacks();
            SSL_load_error_strings();
            SSL_library_init();
        }
        ++_instanceCount;
    }

    ~SSLEnvironmentInitializer()
    {
        AutoMutex guard(_instanceCountMutex);
        --_instanceCount;

        PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
            "In ~SSLEnvironmentInitializer(), _instanceCount is %d",
            _instanceCount));

        if (_instanceCount != 0)
        {
            return;
        }

        // Last instance gone: release the error-string table, then drop the
        // callbacks (which also frees the lock array).
        ERR_free_strings();
        _uninitializeCallbacks();
    }

private:

    // Non-copyable: a copy would not be reflected in _instanceCount.
    SSLEnvironmentInitializer(const SSLEnvironmentInitializer&);
    SSLEnvironmentInitializer& operator=(const SSLEnvironmentInitializer&);

    /**
        Install the OpenSSL locking and thread-ID callbacks.
    */
    static void _initializeCallbacks()
    {
        PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
            "Initializing SSL callbacks.");

        // OpenSSL requests lock indices in [0, CRYPTO_num_locks()), so the
        // array must hold exactly that many mutexes.
        const int lockCount = CRYPTO_num_locks();
        _sslLocks.reset(new Mutex[lockCount]);

# if defined(PEGASUS_HAVE_PTHREADS) && !defined(PEGASUS_OS_VMS)
        // Thread-ID callback.  NOTE(review): the cast assumes pthread_t is a
        // scalar that fits in unsigned long; on ports where it is a struct
        // this is undefined behaviour — confirm per supported platform.
        CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) pthread_self);
# endif

        // Locking callback, routed to the Mutex array above.
        CRYPTO_set_locking_callback(
            (CRYPTO_SET_LOCKING_CALLBACK) _lockingCallback);
    }

    /**
        Remove the OpenSSL callbacks and free the lock array.  The callbacks
        are cleared first so no lock request can reach a freed Mutex.
    */
    static void _uninitializeCallbacks()
    {
        PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "Resetting SSL callbacks.");
        CRYPTO_set_locking_callback(NULL);
        CRYPTO_set_id_callback(NULL);
        _sslLocks.reset();
    }

    /**
        Locking callback handed to OpenSSL.  `type` selects the mutex,
        `mode` carries CRYPTO_LOCK to acquire and is clear to release.
        `file` and `line` are OpenSSL's call-site information and are unused.
    */
    static void _lockingCallback(
        int mode,
        int type,
        const char* file,
        int line)
    {
        Mutex& selected = _sslLocks.get()[type];
        if (mode & CRYPTO_LOCK)
        {
            selected.lock();
        }
        else
        {
            selected.unlock();
        }
    }

    /**
        Mutex array used by _lockingCallback; sized by CRYPTO_num_locks().
    */
    static AutoArrayPtr<Mutex> _sslLocks;

    /**
        Number of live SSLEnvironmentInitializer objects.  OpenSSL is set up
        when this goes 0 -> 1 and torn down when it returns to 0.
    */
    static int _instanceCount;

    /**
        Serializes access to _instanceCount and thus the set-up / tear-down.
    */
    static Mutex _instanceCountMutex;
};
188
189 #endif
190
|
/**
    Data shared with the SSL verification callback.  Plain holder: the
    friend classes SSLCallback and SSLCallbackInfo access the members
    directly.
*/
class SSLCallbackInfoRep
{
public:
    // User-supplied certificate verification hook; presumably the
    // `verifyCert` passed to SSLContextRep, which defaults to NULL — so
    // treat this as nullable.
    SSLCertificateVerifyFunction* verifyCertificateCallback;

    // Peer certificate(s), presumably collected during the handshake.
    // NOTE(review): raw pointers — who deletes the SSLCertificateInfo
    // objects is not visible here; confirm in SSLCallbackInfo.
    Array<SSLCertificateInfo*> peerCertificate;

    // CRL store used during verification.  NOTE(review): raw pointer; the
    // owning SharedPtr appears to be SSLContextRep::_crlStore, so this
    // is presumably non-owning — confirm before freeing here.
    X509_STORE* crlStore;

    // Peer IP address (textual); presumably set when the connection is
    // established.
    String ipAddress;

    friend class SSLCallback;

    friend class SSLCallbackInfo;
};
|
204 kumpf 1.1
|
/**
    Representation class behind SSLContext: holds the OpenSSL SSL_CTX plus
    the file paths and verification callback it was built from.  Only the
    declaration lives here; the method bodies are in the .cpp.
*/
class SSLContextRep
{
public:

    /** Constructor for a SSLContextRep object.
        @param trustStore trust store file path
        @param certPath server certificate file path
        @param keyPath server key file path
        @param crlPath CRL (certificate revocation list) file path
        @param verifyCert function pointer to a certificate verification
        call back function.
        @param randomFile file path of a random file that is used as a seed
        for random number generation by OpenSSL.  NOTE(review): seed
        material must be unpredictable and not readable by untrusted users,
        otherwise keys derived from the PRNG are weakened — confirm how
        deployments populate this file.

        @exception SSLException exception indicating failure to create a context.
    */
    SSLContextRep(
        const String& trustStore,
        const String& certPath = String::EMPTY,
        const String& keyPath = String::EMPTY,
        const String& crlPath = String::EMPTY,
        SSLCertificateVerifyFunction* verifyCert = NULL,
        const String& randomFile = String::EMPTY);

    /** Copy constructor.  NOTE(review): _sslContext is a raw pointer and
        both objects' destructors will run — confirm in the .cpp whether the
        copy rebuilds its own SSL_CTX or shares the original's.
    */
    SSLContextRep(const SSLContextRep& sslContextRep);

    ~SSLContextRep();

    /** Non-owning access to the OpenSSL context (SSL_CTX is #defined to
        void in non-SSL builds, see the top of this file).
    */
    SSL_CTX * getContext() const;

    /** Trust store path given at construction. */
    String getTrustStore() const;

    /** Server certificate path given at construction. */
    String getCertPath() const;

    /** Server private key path given at construction. */
    String getKeyPath() const;

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES
    /** Only built for deprecated interfaces; prefer the path accessors. */
    String getTrustStoreUserName() const;
#endif

    /** CRL file path given at construction. */
    String getCRLPath() const;

    /** Shared handle on the CRL store; freed via FreeX509STOREPtr when the
        last owner releases it.
    */
    SharedPtr<X509_STORE, FreeX509STOREPtr> getCRLStore() const;

    /** Replace the CRL store.  NOTE(review): presumably takes ownership of
        `store` by wrapping it in the SharedPtr above — confirm in the .cpp;
        if so, callers must not free `store` themselves.
    */
    void setCRLStore(X509_STORE* store);

    /** Whether peer certificate verification is enabled for this context
        (presumably reports _verifyPeer).
    */
    Boolean isPeerVerificationEnabled() const;

    /** The verification callback supplied at construction, or NULL. */
    SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const;

    /**
        Checks if the certificate associated with this SSL context has expired
        or is not yet valid.
        @exception SSLException if the certificate is determined to be invalid.
    */
    void validateCertificate();

private:

#ifdef PEGASUS_HAS_SSL
    /**
        Ensures that the SSL environment remains initialized for the lifetime
        of the SSLContextRep object.  Declared first so it is constructed
        before, and destroyed after, the other members.
    */
    SSLEnvironmentInitializer _env;
#endif

    // Builds the SSL_CTX from the configured paths; presumably the source of
    // the SSLException documented on the constructor — confirm in the .cpp.
    SSL_CTX * _makeSSLContext();
    // Seeds OpenSSL's PRNG from randomFile (see the constructor doc).
    void _randomInit(const String& randomFile);
    // Presumably checks that the key at keyPath matches the certificate
    // loaded into ctx; returns false on mismatch — confirm in the .cpp.
    Boolean _verifyPrivateKey(SSL_CTX *ctx, const String& keyPath);

    String _trustStore;
    String _certPath;
    String _keyPath;
    String _crlPath;
    String _randomFile;
    // Raw owning pointer to the OpenSSL context; released in the destructor
    // (presumably — confirm in the .cpp).
    SSL_CTX * _sslContext;

    // True when peer certificates are verified during the handshake.
    Boolean _verifyPeer;

    // Callback handed to OpenSSL's verification path; NULL when none given.
    SSLCertificateVerifyFunction* _certificateVerifyFunction;

    // Owning handle on the CRL store; see getCRLStore()/setCRLStore().
    SharedPtr<X509_STORE, FreeX509STOREPtr> _crlStore;
};
288
289 PEGASUS_NAMESPACE_END
290
291 #endif /* Pegasus_SSLContextRep_h */
|