1 martin 1.35 //%LICENSE////////////////////////////////////////////////////////////////
2 //
3 // Licensed to The Open Group (TOG) under one or more contributor license
4 // agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
5 // this work for additional information regarding copyright ownership.
6 // Each contributor licenses this file to you under the OpenPegasus Open
7 // Source License; you may not use this file except in compliance with the
8 // License.
9 //
10 // Permission is hereby granted, free of charge, to any person obtaining a
11 // copy of this software and associated documentation files (the "Software"),
12 // to deal in the Software without restriction, including without limitation
13 // the rights to use, copy, modify, merge, publish, distribute, sublicense,
14 // and/or sell copies of the Software, and to permit persons to whom the
15 // Software is furnished to do so, subject to the following conditions:
16 //
17 // The above copyright notice and this permission notice shall be included
18 // in all copies or substantial portions of the Software.
19 //
20 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
21 // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 martin 1.35 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23 // IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24 // CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25 // TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26 // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
27 kumpf 1.1 //
|
28 martin 1.35 //////////////////////////////////////////////////////////////////////////
|
29 kumpf 1.1 //
30 //%/////////////////////////////////////////////////////////////////////////////
31
|
32 kumpf 1.30 #ifndef Pegasus_SSLContextRep_h
33 #define Pegasus_SSLContextRep_h
34
|
35 kumpf 1.1 #ifdef PEGASUS_HAS_SSL
|
36 kumpf 1.30 # define OPENSSL_NO_KRB5 1
37 # include <openssl/err.h>
38 # include <openssl/ssl.h>
39 # include <openssl/rand.h>
|
40 kumpf 1.1 #else
|
41 kumpf 1.30 # define SSL_CTX void
|
42 kumpf 1.1 #endif
|
43 kumpf 1.30
|
44 kumpf 1.1 #include <Pegasus/Common/SSLContext.h>
|
45 mike 1.27 #include <Pegasus/Common/Mutex.h>
|
46 kumpf 1.31 #include <Pegasus/Common/Threads.h>
47 #include <Pegasus/Common/Tracer.h>
|
48 kumpf 1.30 #include <Pegasus/Common/AutoPtr.h>
49 #include <Pegasus/Common/SharedPtr.h>
|
50 kumpf 1.1
|
51 kumpf 1.31 //
52 // Typedef's for OpenSSL callback functions.
53 //
54 extern "C"
55 {
56 typedef void (* CRYPTO_SET_LOCKING_CALLBACK)(int, int, const char *, int);
57 typedef unsigned long (* CRYPTO_SET_ID_CALLBACK)(void);
|
58 dmitry.mikulin 1.34 }
|
59 kumpf 1.31
|
60 kumpf 1.30 PEGASUS_NAMESPACE_BEGIN
|
61 kumpf 1.1
|
62 kumpf 1.30 struct FreeX509STOREPtr
63 {
64 void operator()(X509_STORE* ptr)
65 {
66 #ifdef PEGASUS_HAS_SSL
67 X509_STORE_free(ptr);
68 #endif
69 }
70 };
|
71 kumpf 1.1
|
72 kumpf 1.31 #ifdef PEGASUS_HAS_SSL
73
74 class SSLEnvironmentInitializer
75 {
76 public:
77
78 SSLEnvironmentInitializer()
79 {
80 AutoMutex autoMut(_instanceCountMutex);
81
82 PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
83 "In SSLEnvironmentInitializer(), _instanceCount is %d",
84 _instanceCount));
85
86 if (_instanceCount == 0)
87 {
88 _initializeCallbacks();
89 SSL_load_error_strings();
90 SSL_library_init();
91 }
92
93 kumpf 1.31 _instanceCount++;
94 }
95
96 ~SSLEnvironmentInitializer()
97 {
98 AutoMutex autoMut(_instanceCountMutex);
99 _instanceCount--;
100
101 PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
102 "In ~SSLEnvironmentInitializer(), _instanceCount is %d",
103 _instanceCount));
104
105 if (_instanceCount == 0)
106 {
107 ERR_free_strings();
108 _uninitializeCallbacks();
109 }
110 }
111
112 private:
113
114 kumpf 1.31 SSLEnvironmentInitializer(const SSLEnvironmentInitializer&);
115 SSLEnvironmentInitializer& operator=(const SSLEnvironmentInitializer&);
116
117 /*
118 Initialize the SSL locking and ID callbacks.
119 */
120 static void _initializeCallbacks()
121 {
122 PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
123 "Initializing SSL callbacks.");
124
125 // Allocate Memory for _sslLocks. SSL locks needs to be able to handle
126 // up to CRYPTO_num_locks() different mutex locks.
127
128 _sslLocks.reset(new Mutex[CRYPTO_num_locks()]);
129
130 # if defined(PEGASUS_HAVE_PTHREADS) && !defined(PEGASUS_OS_VMS)
131 // Set the ID callback. The ID callback returns a thread ID.
132 CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) pthread_self);
133 # endif
134
135 kumpf 1.31 // Set the locking callback.
136
137 CRYPTO_set_locking_callback(
138 (CRYPTO_SET_LOCKING_CALLBACK) _lockingCallback);
139 }
140
141 /*
142 Reset the SSL locking and ID callbacks.
143 */
144 static void _uninitializeCallbacks()
145 {
146 PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "Resetting SSL callbacks.");
147 CRYPTO_set_locking_callback(NULL);
148 CRYPTO_set_id_callback(NULL);
149 _sslLocks.reset();
150 }
151
152 static void _lockingCallback(
153 int mode,
154 int type,
155 const char* file,
156 kumpf 1.31 int line)
157 {
158 if (mode & CRYPTO_LOCK)
159 {
160 _sslLocks.get()[type].lock();
161 }
162 else
163 {
164 _sslLocks.get()[type].unlock();
165 }
166 }
167
168 /**
169 Locks to be used by SSL.
170 */
171 static AutoArrayPtr<Mutex> _sslLocks;
172
173 /**
174 Count of the instances of this class. The SSL environment must be
175 initialized when the first SSLEnvironmentInitializer is constructed.
176 It must be uninitialized when the last SSLEnvironmentInitializer is
177 kumpf 1.31 destructed.
178 */
179 static int _instanceCount;
180
181 /**
182 Mutex for controlling access to _instanceCount.
183 */
184 static Mutex _instanceCountMutex;
185 };
186
187 #endif
188
|
189 dave.sudlik 1.22 class SSLCallbackInfoRep
190 {
191 public:
192 SSLCertificateVerifyFunction* verifyCertificateCallback;
|
193 h.sterling 1.24 Array<SSLCertificateInfo*> peerCertificate;
|
194 dave.sudlik 1.22 X509_STORE* crlStore;
|
195 sushma.fernandes 1.29
196 String ipAddress;
197
198 friend class SSLCallback;
199
200 friend class SSLCallbackInfo;
|
201 dave.sudlik 1.22 };
|
202 kumpf 1.1
|
203 kumpf 1.33 class SSLContextRep
|
204 kumpf 1.1 {
205 public:
206
207 /** Constructor for a SSLContextRep object.
|
208 h.sterling 1.14 @param trustStore trust store file path
|
209 kumpf 1.11 @param certPath server certificate file path
210 @param keyPath server key file path
|
211 kumpf 1.1 @param verifyCert function pointer to a certificate verification
212 call back function.
|
213 h.sterling 1.14 @param randomFile file path of a random file that is used as a seed
214 for random number generation by OpenSSL.
215
216 @exception SSLException exception indicating failure to create a context.
217 */
218 SSLContextRep(
219 const String& trustStore,
220 const String& certPath = String::EMPTY,
221 const String& keyPath = String::EMPTY,
|
222 h.sterling 1.21 const String& crlPath = String::EMPTY,
|
223 h.sterling 1.14 SSLCertificateVerifyFunction* verifyCert = NULL,
224 const String& randomFile = String::EMPTY);
225
|
226 kumpf 1.7 SSLContextRep(const SSLContextRep& sslContextRep);
227
|
228 kumpf 1.1 ~SSLContextRep();
229
230 SSL_CTX * getContext() const;
231
|
232 h.sterling 1.14 String getTrustStore() const;
233
234 String getCertPath() const;
235
236 String getKeyPath() const;
237
|
238 dave.sudlik 1.22 #ifdef PEGASUS_USE_DEPRECATED_INTERFACES
|
239 kumpf 1.28 String getTrustStoreUserName() const;
|
240 dave.sudlik 1.22 #endif
241
|
242 h.sterling 1.21 String getCRLPath() const;
|
243 h.sterling 1.14
|
244 kumpf 1.30 SharedPtr<X509_STORE, FreeX509STOREPtr> getCRLStore() const;
|
245 h.sterling 1.21
246 void setCRLStore(X509_STORE* store);
|
247 h.sterling 1.14
|
248 h.sterling 1.19 Boolean isPeerVerificationEnabled() const;
|
249 h.sterling 1.14
|
250 h.sterling 1.16 SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const;
251
|
252 kumpf 1.32 /**
253 Checks if the certificate associated with this SSL context has expired
254 or is not yet valid.
255 @exception SSLException if the certificate is determined to be invalid.
256 */
257 void validateCertificate();
258
|
259 aruran.ms 1.23 private:
260
|
261 kumpf 1.31 #ifdef PEGASUS_HAS_SSL
262 /**
263 Ensures that the SSL environment remains initialized for the lifetime
264 of the SSLContextRep object.
265 */
266 SSLEnvironmentInitializer _env;
267 #endif
268
|
269 aruran.ms 1.23 SSL_CTX * _makeSSLContext();
270 void _randomInit(const String& randomFile);
271 Boolean _verifyPrivateKey(SSL_CTX *ctx, const String& keyPath);
272
|
273 h.sterling 1.14 String _trustStore;
274 String _certPath;
275 String _keyPath;
|
276 h.sterling 1.21 String _crlPath;
|
277 kumpf 1.7 String _randomFile;
278 SSL_CTX * _sslContext;
|
279 h.sterling 1.14
280 Boolean _verifyPeer;
|
281 kumpf 1.10
|
282 h.sterling 1.16 SSLCertificateVerifyFunction* _certificateVerifyFunction;
283
|
284 kumpf 1.30 SharedPtr<X509_STORE, FreeX509STOREPtr> _crlStore;
|
285 kumpf 1.1 };
286
287 PEGASUS_NAMESPACE_END
288
289 #endif /* Pegasus_SSLContextRep_h */
|