1 martin 1.35 //%LICENSE////////////////////////////////////////////////////////////////
|
2 martin 1.36 //
|
3 martin 1.35 // Licensed to The Open Group (TOG) under one or more contributor license
4 // agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
5 // this work for additional information regarding copyright ownership.
6 // Each contributor licenses this file to you under the OpenPegasus Open
7 // Source License; you may not use this file except in compliance with the
8 // License.
|
9 martin 1.36 //
|
10 martin 1.35 // Permission is hereby granted, free of charge, to any person obtaining a
11 // copy of this software and associated documentation files (the "Software"),
12 // to deal in the Software without restriction, including without limitation
13 // the rights to use, copy, modify, merge, publish, distribute, sublicense,
14 // and/or sell copies of the Software, and to permit persons to whom the
15 // Software is furnished to do so, subject to the following conditions:
|
16 martin 1.36 //
|
17 martin 1.35 // The above copyright notice and this permission notice shall be included
18 // in all copies or substantial portions of the Software.
|
19 martin 1.36 //
|
20 martin 1.35 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
21 martin 1.36 // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
22 martin 1.35 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23 // IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24 // CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25 // TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26 // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
27 martin 1.36 //
|
28 martin 1.35 //////////////////////////////////////////////////////////////////////////
|
29 kumpf 1.1 //
30 //%/////////////////////////////////////////////////////////////////////////////
31
|
32 kumpf 1.30 #ifndef Pegasus_SSLContextRep_h
33 #define Pegasus_SSLContextRep_h
34
|
35 kumpf 1.1 #ifdef PEGASUS_HAS_SSL
|
36 kumpf 1.30 # define OPENSSL_NO_KRB5 1
37 # include <openssl/err.h>
38 # include <openssl/ssl.h>
39 # include <openssl/rand.h>
|
40 kumpf 1.1 #else
|
41 kumpf 1.30 # define SSL_CTX void
|
42 kumpf 1.1 #endif
|
43 kumpf 1.30
|
44 kumpf 1.1 #include <Pegasus/Common/SSLContext.h>
|
45 mike 1.27 #include <Pegasus/Common/Mutex.h>
|
46 kumpf 1.31 #include <Pegasus/Common/Threads.h>
47 #include <Pegasus/Common/Tracer.h>
|
48 kumpf 1.30 #include <Pegasus/Common/AutoPtr.h>
49 #include <Pegasus/Common/SharedPtr.h>
|
50 kumpf 1.1
|
51 kumpf 1.31 //
52 // Typedef's for OpenSSL callback functions.
53 //
54 extern "C"
55 {
56 typedef void (* CRYPTO_SET_LOCKING_CALLBACK)(int, int, const char *, int);
57 typedef unsigned long (* CRYPTO_SET_ID_CALLBACK)(void);
|
58 dmitry.mikulin 1.34 }
|
59 kumpf 1.31
|
60 kumpf 1.30 PEGASUS_NAMESPACE_BEGIN
|
61 kumpf 1.1
|
62 marek 1.40 #ifdef PEGASUS_HAS_SSL
|
63 kumpf 1.30 struct FreeX509STOREPtr
64 {
65 void operator()(X509_STORE* ptr)
66 {
67 X509_STORE_free(ptr);
68 }
69 };
|
70 marek 1.40 #else
71 struct FreeX509STOREPtr
72 {
73 void operator()(X509_STORE*)
74 {
75 }
76 };
77 #endif
78
|
79 kumpf 1.1
|
80 kumpf 1.31 #ifdef PEGASUS_HAS_SSL
81
82 class SSLEnvironmentInitializer
83 {
84 public:
85
86 SSLEnvironmentInitializer()
87 {
88 AutoMutex autoMut(_instanceCountMutex);
89
90 PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
91 "In SSLEnvironmentInitializer(), _instanceCount is %d",
92 _instanceCount));
93
94 if (_instanceCount == 0)
95 {
96 _initializeCallbacks();
97 SSL_load_error_strings();
98 SSL_library_init();
99 }
100
101 kumpf 1.31 _instanceCount++;
102 }
103
104 ~SSLEnvironmentInitializer()
105 {
106 AutoMutex autoMut(_instanceCountMutex);
107 _instanceCount--;
108
109 PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
110 "In ~SSLEnvironmentInitializer(), _instanceCount is %d",
111 _instanceCount));
112
|
113 dl.meetei 1.41
|
114 kumpf 1.31 if (_instanceCount == 0)
115 {
|
116 dl.meetei 1.41 EVP_cleanup();
117 CRYPTO_cleanup_all_ex_data();
|
118 kumpf 1.31 ERR_free_strings();
119 _uninitializeCallbacks();
120 }
|
121 dl.meetei 1.41 ERR_remove_state(0);
|
122 kumpf 1.31 }
123
124 private:
125
126 SSLEnvironmentInitializer(const SSLEnvironmentInitializer&);
127 SSLEnvironmentInitializer& operator=(const SSLEnvironmentInitializer&);
128
129 /*
130 Initialize the SSL locking and ID callbacks.
131 */
132 static void _initializeCallbacks()
133 {
134 PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
135 "Initializing SSL callbacks.");
136
137 // Allocate Memory for _sslLocks. SSL locks needs to be able to handle
138 // up to CRYPTO_num_locks() different mutex locks.
139
140 _sslLocks.reset(new Mutex[CRYPTO_num_locks()]);
141
|
142 john.eisenbraun 1.37 #ifdef PEGASUS_HAVE_PTHREADS
|
143 kumpf 1.31 // Set the ID callback. The ID callback returns a thread ID.
|
144 john.eisenbraun 1.37 # ifdef PEGASUS_OS_VMS
145 CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) _getThreadId);
146 # else
|
147 kumpf 1.31 CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) pthread_self);
148 # endif
|
149 john.eisenbraun 1.37 #endif
|
150 kumpf 1.31
151 // Set the locking callback.
152
153 CRYPTO_set_locking_callback(
154 (CRYPTO_SET_LOCKING_CALLBACK) _lockingCallback);
155 }
156
|
157 john.eisenbraun 1.37 #if defined(PEGASUS_OS_VMS) && defined(PEGASUS_HAVE_PTHREADS)
158 static unsigned long _getThreadId(void)
159 {
160 return pthread_getsequence_np(pthread_self());
161 }
162 #endif
|
163 kumpf 1.31 /*
164 Reset the SSL locking and ID callbacks.
165 */
166 static void _uninitializeCallbacks()
167 {
168 PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "Resetting SSL callbacks.");
169 CRYPTO_set_locking_callback(NULL);
170 CRYPTO_set_id_callback(NULL);
171 _sslLocks.reset();
172 }
173
174 static void _lockingCallback(
175 int mode,
176 int type,
|
177 marek 1.40 const char*,
178 int)
|
179 kumpf 1.31 {
180 if (mode & CRYPTO_LOCK)
181 {
182 _sslLocks.get()[type].lock();
183 }
184 else
185 {
186 _sslLocks.get()[type].unlock();
187 }
188 }
189
190 /**
191 Locks to be used by SSL.
192 */
193 static AutoArrayPtr<Mutex> _sslLocks;
194
195 /**
196 Count of the instances of this class. The SSL environment must be
197 initialized when the first SSLEnvironmentInitializer is constructed.
198 It must be uninitialized when the last SSLEnvironmentInitializer is
199 destructed.
200 kumpf 1.31 */
201 static int _instanceCount;
202
203 /**
204 Mutex for controlling access to _instanceCount.
205 */
206 static Mutex _instanceCountMutex;
207 };
208
209 #endif
210
|
211 dave.sudlik 1.22 class SSLCallbackInfoRep
212 {
213 public:
214 SSLCertificateVerifyFunction* verifyCertificateCallback;
|
215 h.sterling 1.24 Array<SSLCertificateInfo*> peerCertificate;
|
216 dave.sudlik 1.22 X509_STORE* crlStore;
|
217 sushma.fernandes 1.29
218 String ipAddress;
219
220 friend class SSLCallback;
221
222 friend class SSLCallbackInfo;
|
223 dave.sudlik 1.22 };
|
224 kumpf 1.1
|
225 thilo.boehm 1.38 class PEGASUS_COMMON_LINKAGE SSLContextRep
|
226 kumpf 1.1 {
227 public:
228
229 /** Constructor for a SSLContextRep object.
|
230 h.sterling 1.14 @param trustStore trust store file path
|
231 kumpf 1.11 @param certPath server certificate file path
232 @param keyPath server key file path
|
233 kumpf 1.1 @param verifyCert function pointer to a certificate verification
234 call back function.
|
235 h.sterling 1.14 @param randomFile file path of a random file that is used as a seed
236 for random number generation by OpenSSL.
237
238 @exception SSLException exception indicating failure to create a context.
239 */
240 SSLContextRep(
241 const String& trustStore,
242 const String& certPath = String::EMPTY,
243 const String& keyPath = String::EMPTY,
|
244 h.sterling 1.21 const String& crlPath = String::EMPTY,
|
245 h.sterling 1.14 SSLCertificateVerifyFunction* verifyCert = NULL,
|
246 rohini.deshpande 1.39 const String& randomFile = String::EMPTY,
|
247 dl.meetei 1.41.10.1 const String& cipherSuite = String::EMPTY,
248 const Boolean& sslCompatibility = false);
|
249 h.sterling 1.14
|
250 kumpf 1.7 SSLContextRep(const SSLContextRep& sslContextRep);
251
|
252 kumpf 1.1 ~SSLContextRep();
253
254 SSL_CTX * getContext() const;
255
|
256 h.sterling 1.14 String getTrustStore() const;
257
258 String getCertPath() const;
259
260 String getKeyPath() const;
261
|
262 rohini.deshpande 1.39 String getCipherSuite() const;
263
|
264 dave.sudlik 1.22 #ifdef PEGASUS_USE_DEPRECATED_INTERFACES
|
265 kumpf 1.28 String getTrustStoreUserName() const;
|
266 dave.sudlik 1.22 #endif
267
|
268 h.sterling 1.21 String getCRLPath() const;
|
269 h.sterling 1.14
|
270 kumpf 1.30 SharedPtr<X509_STORE, FreeX509STOREPtr> getCRLStore() const;
|
271 h.sterling 1.21
272 void setCRLStore(X509_STORE* store);
|
273 h.sterling 1.14
|
274 h.sterling 1.19 Boolean isPeerVerificationEnabled() const;
|
275 h.sterling 1.14
|
276 h.sterling 1.16 SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const;
277
|
278 kumpf 1.32 /**
279 Checks if the certificate associated with this SSL context has expired
280 or is not yet valid.
281 @exception SSLException if the certificate is determined to be invalid.
282 */
283 void validateCertificate();
284
|
285 aruran.ms 1.23 private:
286
|
287 kumpf 1.31 #ifdef PEGASUS_HAS_SSL
288 /**
289 Ensures that the SSL environment remains initialized for the lifetime
290 of the SSLContextRep object.
291 */
292 SSLEnvironmentInitializer _env;
293 #endif
294
|
295 aruran.ms 1.23 SSL_CTX * _makeSSLContext();
296 void _randomInit(const String& randomFile);
297 Boolean _verifyPrivateKey(SSL_CTX *ctx, const String& keyPath);
298
|
299 h.sterling 1.14 String _trustStore;
300 String _certPath;
301 String _keyPath;
|
302 h.sterling 1.21 String _crlPath;
|
303 kumpf 1.7 String _randomFile;
|
304 rohini.deshpande 1.39 String _cipherSuite;
|
305 dl.meetei 1.41.10.1 Boolean _sslCompatibility;
|
306 kumpf 1.7 SSL_CTX * _sslContext;
|
307 h.sterling 1.14
308 Boolean _verifyPeer;
|
309 kumpf 1.10
|
310 h.sterling 1.16 SSLCertificateVerifyFunction* _certificateVerifyFunction;
311
|
312 kumpf 1.30 SharedPtr<X509_STORE, FreeX509STOREPtr> _crlStore;
|
313 kumpf 1.1 };
314
315 PEGASUS_NAMESPACE_END
316
317 #endif /* Pegasus_SSLContextRep_h */
|