1 martin 1.35 //%LICENSE////////////////////////////////////////////////////////////////
|
2 martin 1.36 //
|
3 martin 1.35 // Licensed to The Open Group (TOG) under one or more contributor license
4 // agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
5 // this work for additional information regarding copyright ownership.
6 // Each contributor licenses this file to you under the OpenPegasus Open
7 // Source License; you may not use this file except in compliance with the
8 // License.
|
9 martin 1.36 //
|
10 martin 1.35 // Permission is hereby granted, free of charge, to any person obtaining a
11 // copy of this software and associated documentation files (the "Software"),
12 // to deal in the Software without restriction, including without limitation
13 // the rights to use, copy, modify, merge, publish, distribute, sublicense,
14 // and/or sell copies of the Software, and to permit persons to whom the
15 // Software is furnished to do so, subject to the following conditions:
|
16 martin 1.36 //
|
17 martin 1.35 // The above copyright notice and this permission notice shall be included
18 // in all copies or substantial portions of the Software.
|
19 martin 1.36 //
|
20 martin 1.35 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
21 martin 1.36 // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
22 martin 1.35 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23 // IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24 // CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25 // TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26 // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
27 martin 1.36 //
|
28 martin 1.35 //////////////////////////////////////////////////////////////////////////
|
29 kumpf 1.1 //
30 //%/////////////////////////////////////////////////////////////////////////////
31
|
32 kumpf 1.30 #ifndef Pegasus_SSLContextRep_h
33 #define Pegasus_SSLContextRep_h
34
|
35 kumpf 1.1 #ifdef PEGASUS_HAS_SSL
|
36 kumpf 1.30 # define OPENSSL_NO_KRB5 1
37 # include <openssl/err.h>
38 # include <openssl/ssl.h>
39 # include <openssl/rand.h>
|
40 kumpf 1.1 #else
|
41 kumpf 1.30 # define SSL_CTX void
|
42 kumpf 1.1 #endif
|
43 kumpf 1.30
|
44 kumpf 1.1 #include <Pegasus/Common/SSLContext.h>
|
45 mike 1.27 #include <Pegasus/Common/Mutex.h>
|
46 kumpf 1.31 #include <Pegasus/Common/Threads.h>
47 #include <Pegasus/Common/Tracer.h>
|
48 kumpf 1.30 #include <Pegasus/Common/AutoPtr.h>
49 #include <Pegasus/Common/SharedPtr.h>
|
50 kumpf 1.1
|
51 kumpf 1.31 //
52 // Typedef's for OpenSSL callback functions.
53 //
54 extern "C"
55 {
56 typedef void (* CRYPTO_SET_LOCKING_CALLBACK)(int, int, const char *, int);
57 typedef unsigned long (* CRYPTO_SET_ID_CALLBACK)(void);
|
58 dmitry.mikulin 1.34 }
|
59 kumpf 1.31
|
60 kumpf 1.30 PEGASUS_NAMESPACE_BEGIN
|
61 kumpf 1.1
|
62 kumpf 1.30 struct FreeX509STOREPtr
63 {
64 void operator()(X509_STORE* ptr)
65 {
66 #ifdef PEGASUS_HAS_SSL
67 X509_STORE_free(ptr);
68 #endif
69 }
70 };
|
71 kumpf 1.1
|
72 kumpf 1.31 #ifdef PEGASUS_HAS_SSL
73
74 class SSLEnvironmentInitializer
75 {
76 public:
77
78 SSLEnvironmentInitializer()
79 {
80 AutoMutex autoMut(_instanceCountMutex);
81
82 PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
83 "In SSLEnvironmentInitializer(), _instanceCount is %d",
84 _instanceCount));
85
86 if (_instanceCount == 0)
87 {
88 _initializeCallbacks();
89 SSL_load_error_strings();
90 SSL_library_init();
91 }
92
93 kumpf 1.31 _instanceCount++;
94 }
95
96 ~SSLEnvironmentInitializer()
97 {
98 AutoMutex autoMut(_instanceCountMutex);
99 _instanceCount--;
100
101 PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
102 "In ~SSLEnvironmentInitializer(), _instanceCount is %d",
103 _instanceCount));
104
105 if (_instanceCount == 0)
106 {
107 ERR_free_strings();
108 _uninitializeCallbacks();
109 }
110 }
111
112 private:
113
114 kumpf 1.31 SSLEnvironmentInitializer(const SSLEnvironmentInitializer&);
115 SSLEnvironmentInitializer& operator=(const SSLEnvironmentInitializer&);
116
117 /*
118 Initialize the SSL locking and ID callbacks.
119 */
120 static void _initializeCallbacks()
121 {
122 PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
123 "Initializing SSL callbacks.");
124
125 // Allocate Memory for _sslLocks. SSL locks needs to be able to handle
126 // up to CRYPTO_num_locks() different mutex locks.
127
128 _sslLocks.reset(new Mutex[CRYPTO_num_locks()]);
129
|
130 john.eisenbraun 1.36.2.1 #ifdef PEGASUS_HAVE_PTHREADS
|
131 kumpf 1.31 // Set the ID callback. The ID callback returns a thread ID.
|
132 john.eisenbraun 1.36.2.1 # ifdef PEGASUS_OS_VMS
133 CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) _getThreadId);
134 # else
|
135 kumpf 1.31 CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) pthread_self);
136 # endif
|
137 john.eisenbraun 1.36.2.1 #endif
|
138 kumpf 1.31
139 // Set the locking callback.
140
141 CRYPTO_set_locking_callback(
142 (CRYPTO_SET_LOCKING_CALLBACK) _lockingCallback);
143 }
144
|
145 john.eisenbraun 1.36.2.1 #if defined(PEGASUS_OS_VMS) && defined(PEGASUS_HAVE_PTHREADS)
146 static unsigned long _getThreadId(void)
147 {
148 return pthread_getsequence_np(pthread_self());
149 }
150 #endif
|
151 kumpf 1.31 /*
152 Reset the SSL locking and ID callbacks.
153 */
154 static void _uninitializeCallbacks()
155 {
156 PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "Resetting SSL callbacks.");
157 CRYPTO_set_locking_callback(NULL);
158 CRYPTO_set_id_callback(NULL);
159 _sslLocks.reset();
160 }
161
162 static void _lockingCallback(
163 int mode,
164 int type,
165 const char* file,
166 int line)
167 {
168 if (mode & CRYPTO_LOCK)
169 {
170 _sslLocks.get()[type].lock();
171 }
172 kumpf 1.31 else
173 {
174 _sslLocks.get()[type].unlock();
175 }
176 }
177
178 /**
179 Locks to be used by SSL.
180 */
181 static AutoArrayPtr<Mutex> _sslLocks;
182
183 /**
184 Count of the instances of this class. The SSL environment must be
185 initialized when the first SSLEnvironmentInitializer is constructed.
186 It must be uninitialized when the last SSLEnvironmentInitializer is
187 destructed.
188 */
189 static int _instanceCount;
190
191 /**
192 Mutex for controlling access to _instanceCount.
193 kumpf 1.31 */
194 static Mutex _instanceCountMutex;
195 };
196
197 #endif
198
|
199 dave.sudlik 1.22 class SSLCallbackInfoRep
200 {
201 public:
202 SSLCertificateVerifyFunction* verifyCertificateCallback;
|
203 h.sterling 1.24 Array<SSLCertificateInfo*> peerCertificate;
|
204 dave.sudlik 1.22 X509_STORE* crlStore;
|
205 sushma.fernandes 1.29
206 String ipAddress;
207
208 friend class SSLCallback;
209
210 friend class SSLCallbackInfo;
|
211 dave.sudlik 1.22 };
|
212 kumpf 1.1
|
213 kumpf 1.33 class SSLContextRep
|
214 kumpf 1.1 {
215 public:
216
217 /** Constructor for a SSLContextRep object.
|
218 h.sterling 1.14 @param trustStore trust store file path
|
219 kumpf 1.11 @param certPath server certificate file path
220 @param keyPath server key file path
|
221 kumpf 1.1 @param verifyCert function pointer to a certificate verification
222 call back function.
|
223 h.sterling 1.14 @param randomFile file path of a random file that is used as a seed
224 for random number generation by OpenSSL.
225
226 @exception SSLException exception indicating failure to create a context.
227 */
228 SSLContextRep(
229 const String& trustStore,
230 const String& certPath = String::EMPTY,
231 const String& keyPath = String::EMPTY,
|
232 h.sterling 1.21 const String& crlPath = String::EMPTY,
|
233 h.sterling 1.14 SSLCertificateVerifyFunction* verifyCert = NULL,
234 const String& randomFile = String::EMPTY);
235
|
236 kumpf 1.7 SSLContextRep(const SSLContextRep& sslContextRep);
237
|
238 kumpf 1.1 ~SSLContextRep();
239
240 SSL_CTX * getContext() const;
241
|
242 h.sterling 1.14 String getTrustStore() const;
243
244 String getCertPath() const;
245
246 String getKeyPath() const;
247
|
248 dave.sudlik 1.22 #ifdef PEGASUS_USE_DEPRECATED_INTERFACES
|
249 kumpf 1.28 String getTrustStoreUserName() const;
|
250 dave.sudlik 1.22 #endif
251
|
252 h.sterling 1.21 String getCRLPath() const;
|
253 h.sterling 1.14
|
254 kumpf 1.30 SharedPtr<X509_STORE, FreeX509STOREPtr> getCRLStore() const;
|
255 h.sterling 1.21
256 void setCRLStore(X509_STORE* store);
|
257 h.sterling 1.14
|
258 h.sterling 1.19 Boolean isPeerVerificationEnabled() const;
|
259 h.sterling 1.14
|
260 h.sterling 1.16 SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const;
261
|
262 kumpf 1.32 /**
263 Checks if the certificate associated with this SSL context has expired
264 or is not yet valid.
265 @exception SSLException if the certificate is determined to be invalid.
266 */
267 void validateCertificate();
268
|
269 aruran.ms 1.23 private:
270
|
271 kumpf 1.31 #ifdef PEGASUS_HAS_SSL
272 /**
273 Ensures that the SSL environment remains initialized for the lifetime
274 of the SSLContextRep object.
275 */
276 SSLEnvironmentInitializer _env;
277 #endif
278
|
279 aruran.ms 1.23 SSL_CTX * _makeSSLContext();
280 void _randomInit(const String& randomFile);
281 Boolean _verifyPrivateKey(SSL_CTX *ctx, const String& keyPath);
282
|
283 h.sterling 1.14 String _trustStore;
284 String _certPath;
285 String _keyPath;
|
286 h.sterling 1.21 String _crlPath;
|
287 kumpf 1.7 String _randomFile;
288 SSL_CTX * _sslContext;
|
289 h.sterling 1.14
290 Boolean _verifyPeer;
|
291 kumpf 1.10
|
292 h.sterling 1.16 SSLCertificateVerifyFunction* _certificateVerifyFunction;
293
|
294 kumpf 1.30 SharedPtr<X509_STORE, FreeX509STOREPtr> _crlStore;
|
295 kumpf 1.1 };
296
297 PEGASUS_NAMESPACE_END
298
299 #endif /* Pegasus_SSLContextRep_h */
|