1 martin 1.35 //%LICENSE////////////////////////////////////////////////////////////////
2 martin 1.36 //
3 martin 1.35 // Licensed to The Open Group (TOG) under one or more contributor license
4 // agreements. Refer to the OpenPegasusNOTICE.txt file distributed with
5 // this work for additional information regarding copyright ownership.
6 // Each contributor licenses this file to you under the OpenPegasus Open
7 // Source License; you may not use this file except in compliance with the
8 // License.
9 martin 1.36 //
10 martin 1.35 // Permission is hereby granted, free of charge, to any person obtaining a
11 // copy of this software and associated documentation files (the "Software"),
12 // to deal in the Software without restriction, including without limitation
13 // the rights to use, copy, modify, merge, publish, distribute, sublicense,
14 // and/or sell copies of the Software, and to permit persons to whom the
15 // Software is furnished to do so, subject to the following conditions:
16 martin 1.36 //
17 martin 1.35 // The above copyright notice and this permission notice shall be included
18 // in all copies or substantial portions of the Software.
19 martin 1.36 //
20 martin 1.35 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
21 martin 1.36 // OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
22 martin 1.35 // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
23 // IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
24 // CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
25 // TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
26 // SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
27 martin 1.36 //
28 martin 1.35 //////////////////////////////////////////////////////////////////////////
29 kumpf 1.1 //
30 //%/////////////////////////////////////////////////////////////////////////////
31
32 kumpf 1.30 #ifndef Pegasus_SSLContextRep_h
33 #define Pegasus_SSLContextRep_h
34
35 kumpf 1.1 #ifdef PEGASUS_HAS_SSL
36 kumpf 1.30 # define OPENSSL_NO_KRB5 1
37 # include <openssl/err.h>
38 # include <openssl/ssl.h>
39 # include <openssl/rand.h>
40 dl.meetei 1.43
// Windows: pull in OpenSSL's applink.c so the OpenSSL DLL and the application
// share one C runtime for FILE*/memory handed across the DLL boundary; per the
// OpenSSL FAQ (http://www.openssl.org/support/faq.html#PROG) omitting it leads
// to crashes in BIO/PEM file functions.
// NOTE(review): applink.c defines a non-static OPENSSL_Applink() function, so
// it must be compiled into exactly one translation unit.  Including it from a
// header is only safe while this header is included by a single .cpp file --
// confirm that is still the case before adding new includers.
43 # ifdef PEGASUS_OS_TYPE_WINDOWS
44 # include<openssl/applink.c>
45 # endif
46
47 kumpf 1.1 #else
48 kumpf 1.30 # define SSL_CTX void
49 kumpf 1.1 #endif
50 kumpf 1.30
51 kumpf 1.1 #include <Pegasus/Common/SSLContext.h>
52 mike 1.27 #include <Pegasus/Common/Mutex.h>
53 kumpf 1.31 #include <Pegasus/Common/Threads.h>
54 #include <Pegasus/Common/Tracer.h>
55 kumpf 1.30 #include <Pegasus/Common/AutoPtr.h>
56 #include <Pegasus/Common/SharedPtr.h>
57 kumpf 1.1
//
// C-linkage function-pointer types matching the signatures OpenSSL expects
// for CRYPTO_set_locking_callback() and CRYPTO_set_id_callback().  The
// Pegasus-side callbacks are cast to these before being registered, so they
// must keep exactly these parameter lists.
//
extern "C"
{
    // (mode, lock index, source file, source line); file/line are only
    // informational and are ignored by the Pegasus locking callback.
    typedef void (* CRYPTO_SET_LOCKING_CALLBACK)(int, int, const char *, int);
    // Returns an integral identifier of the calling thread.
    typedef unsigned long (* CRYPTO_SET_ID_CALLBACK)(void);
}
|
66 kumpf 1.31
67 kumpf 1.30 PEGASUS_NAMESPACE_BEGIN
68 kumpf 1.1
#ifdef PEGASUS_HAS_SSL
/**
    Deleter used with SharedPtr<X509_STORE, FreeX509STOREPtr> (see the
    SSLContextRep CRL store): releases the OpenSSL X509_STORE when the last
    shared holder goes away, so CRL stores are never leaked or freed twice
    through the SharedPtr.
*/
struct FreeX509STOREPtr
{
    void operator()(X509_STORE* ptr)
    {
        X509_STORE_free(ptr);
    }
};
#else
/**
    No-SSL build: same deleter type so SharedPtr<X509_STORE, ...> still
    compiles, but there is nothing to release.
*/
struct FreeX509STOREPtr
{
    void operator()(X509_STORE*)
    {
    }
};
#endif
85
86 kumpf 1.1
87 kumpf 1.31 #ifdef PEGASUS_HAS_SSL
88
/**
    Reference-counted guard that keeps the OpenSSL library initialised for as
    long as at least one instance exists.  The first instance constructed
    installs the thread-safety callbacks and initialises libssl; the last
    instance destructed tears them down again.  Every SSLContextRep owns one
    (its _env member), so the library stays initialised while any SSL context
    is alive.

    Security note: with the OpenSSL API used here (CRYPTO_set_locking_callback,
    CRYPTO_set_id_callback, SSL_library_init) OpenSSL does not lock its own
    shared state; without the callbacks installed below, concurrent SSL use
    from several threads can corrupt reference counts, error queues and
    session caches.  NOTE(review): in OpenSSL 1.1.0+ these calls are
    deprecated no-ops and the library locks internally -- confirm which
    OpenSSL versions this build targets.

    All accesses to the instance counter are serialised by _instanceCountMutex;
    the callbacks and the lock array are only touched while the counter
    transitions 0 -> 1 or 1 -> 0 under that mutex.
*/
class SSLEnvironmentInitializer
{
public:

    /**
        Registers one more user of the SSL environment.  On the 0 -> 1
        transition the thread callbacks are installed first, then the
        library, and finally the error strings.
    */
    SSLEnvironmentInitializer()
    {
        AutoMutex autoMut(_instanceCountMutex);

        PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
            "In SSLEnvironmentInitializer(), _instanceCount is %d",
            _instanceCount));

        if (_instanceCount == 0)
        {
            _initializeCallbacks();

            // CRYPTO_malloc_init() before SSL_library_init(), as the OpenSSL
            // FAQ (http://www.openssl.org/support/faq.html#PROG) recommends
            // (relevant when OpenSSL is loaded as a Windows DLL).
            CRYPTO_malloc_init();
            SSL_library_init();
            SSL_load_error_strings();
        }

        _instanceCount++;
    }

    /**
        Releases one user of the SSL environment.  On the 1 -> 0 transition
        the library-wide state is freed and the callbacks removed.  The
        error queue of the *calling* thread is always released
        (ERR_remove_state(0) means "current thread"), whether or not this
        was the last instance.  NOTE(review): ERR_remove_state() is
        deprecated since OpenSSL 1.0.0 in favour of
        ERR_remove_thread_state(NULL) -- confirm against the targeted
        OpenSSL version.
    */
    ~SSLEnvironmentInitializer()
    {
        AutoMutex autoMut(_instanceCountMutex);
        _instanceCount--;

        PEG_TRACE((TRC_SSL, Tracer::LEVEL4,
            "In ~SSLEnvironmentInitializer(), _instanceCount is %d",
            _instanceCount));

        if (_instanceCount == 0)
        {
            // Global teardown: EVP_cleanup() clears the registered
            // cipher/digest tables, then ex_data and the error strings are
            // released.  The callbacks are removed last so the calls above
            // still run with locking in place.
            EVP_cleanup();
            CRYPTO_cleanup_all_ex_data();
            ERR_free_strings();
            _uninitializeCallbacks();
        }
        ERR_remove_state(0);
    }

private:

    // Not copyable: copies would double-count instances.
    SSLEnvironmentInitializer(const SSLEnvironmentInitializer&);
    SSLEnvironmentInitializer& operator=(const SSLEnvironmentInitializer&);

    /**
        Installs the OpenSSL thread-id and locking callbacks.  Allocates one
        Mutex per OpenSSL lock slot (CRYPTO_num_locks() of them, indexed by
        the `type` argument of the locking callback).  The C-style casts
        adapt the Pegasus functions to the C signatures OpenSSL expects.
        Only called from the constructor, under _instanceCountMutex, on the
        0 -> 1 transition.
    */
    static void _initializeCallbacks()
    {
        PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4,
            "Initializing SSL callbacks.");

        // Allocate Memory for _sslLocks. SSL locks needs to be able to handle
        // up to CRYPTO_num_locks() different mutex locks.

        _sslLocks.reset(new Mutex[CRYPTO_num_locks()]);

#ifdef PEGASUS_HAVE_PTHREADS
        // Set the ID callback. The ID callback returns a thread ID.
        // Without pthreads no id callback is installed at all (OpenSSL then
        // falls back to its own default).
# ifdef PEGASUS_OS_VMS
        // OpenVMS: go through _getThreadId(), presumably because pthread_t
        // is not directly usable as an unsigned long there.
        CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) _getThreadId);
# else
        // pthread_self() is registered directly; the cast assumes its
        // pthread_t return is representable as unsigned long.
        CRYPTO_set_id_callback((CRYPTO_SET_ID_CALLBACK) pthread_self);
# endif
#endif

        // Set the locking callback.

        CRYPTO_set_locking_callback(
            (CRYPTO_SET_LOCKING_CALLBACK) _lockingCallback);
    }

#if defined(PEGASUS_OS_VMS) && defined(PEGASUS_HAVE_PTHREADS)
    /**
        Thread-id callback used on OpenVMS instead of pthread_self() itself:
        pthread_getsequence_np() maps the pthread_t to an integral sequence
        number.
    */
    static unsigned long _getThreadId(void)
    {
        return pthread_getsequence_np(pthread_self());
    }
#endif
    /**
        Removes the callbacks from OpenSSL and then frees the lock array.
        The order matters: once the locking callback is NULL, OpenSSL can no
        longer call into _lockingCallback, so the array can be released.
    */
    static void _uninitializeCallbacks()
    {
        PEG_TRACE_CSTRING(TRC_SSL, Tracer::LEVEL4, "Resetting SSL callbacks.");
        CRYPTO_set_locking_callback(NULL);
        CRYPTO_set_id_callback(NULL);
        _sslLocks.reset();
    }

    /**
        Locking callback handed to OpenSSL.  `type` is the lock slot OpenSSL
        asks for (expected 0 <= type < CRYPTO_num_locks()); CRYPTO_LOCK set
        in `mode` means acquire, otherwise release.  The file/line arguments
        are ignored.  There is no bounds check on `type` and no null check on
        _sslLocks, so this may only be invoked while the callbacks are
        installed (_uninitializeCallbacks() removes the callback before
        releasing the array).
    */
    static void _lockingCallback(
        int mode,
        int type,
        const char*,
        int)
    {
        if (mode & CRYPTO_LOCK)
        {
            _sslLocks.get()[type].lock();
        }
        else
        {
            _sslLocks.get()[type].unlock();
        }
    }

    /**
        One Mutex per OpenSSL lock slot; allocated in _initializeCallbacks()
        and released in _uninitializeCallbacks().  Null while no instance
        exists.
    */
    static AutoArrayPtr<Mutex> _sslLocks;

    /**
        Count of the instances of this class. The SSL environment must be
        initialized when the first SSLEnvironmentInitializer is constructed.
        It must be uninitialized when the last SSLEnvironmentInitializer is
        destructed.  Only read or written under _instanceCountMutex.
    */
    static int _instanceCount;

    /**
        Mutex for controlling access to _instanceCount and hence the
        init/teardown sequences.  NOTE(review): as a namespace-scope static
        it is subject to static-initialisation order; an SSLContextRep
        constructed during another translation unit's static initialisation
        could use it before it is constructed -- confirm no such use exists.
    */
    static Mutex _instanceCountMutex;
};
219
220 #endif
221
/**
    State passed to the SSL certificate verification callback; SSLCallback
    and SSLCallbackInfo (friends) access these members directly.

    Plain data holder: no constructor or destructor is declared, so the
    pointer members are uninitialised until whoever creates the object
    assigns them (presumably SSLCallbackInfo -- confirm), and nothing pointed
    to is released here.
*/
class SSLCallbackInfoRep
{
public:
    // Application-supplied verification hook.  NOTE(review): presumably NULL
    // means "no application-level check"; confirm in SSLCallback.
    SSLCertificateVerifyFunction* verifyCertificateCallback;

    // Peer certificate chain as raw pointers; ownership is not expressed
    // here.  NOTE(review): confirm who deletes these.
    Array<SSLCertificateInfo*> peerCertificate;

    // CRL store consulted during verification, as a non-owning raw pointer;
    // presumably the one SSLContextRep holds via its _crlStore SharedPtr --
    // confirm.
    X509_STORE* crlStore;

    // Peer IP address (use not visible here; presumably for the
    // verification callback / logging -- confirm).
    String ipAddress;

    friend class SSLCallback;

    friend class SSLCallbackInfo;
};
235 kumpf 1.1
/**
    Implementation ("Rep") object behind SSLContext: holds the OpenSSL
    SSL_CTX and remembers the file paths and options it was built from.

    Member order is significant: _env is declared first so the SSL library
    is initialised before, and torn down after, every other member -- in
    particular around the lifetime of _sslContext.

    NOTE(review): a copy constructor and a destructor are declared but no
    copy-assignment operator, so the compiler generates a member-wise one
    that shallow-copies the raw _sslContext pointer.  If the destructor frees
    that pointer (not visible in this header), assigning one SSLContextRep to
    another would end in a double free -- confirm, and consider declaring a
    private operator=.
*/
class PEGASUS_COMMON_LINKAGE SSLContextRep
{
public:

    /** Constructor for a SSLContextRep object.
        @param trustStore trust store file path
        @param certPath server certificate file path
        @param keyPath server key file path
        @param crlPath certificate revocation list file path (empty: none)
        @param verifyCert function pointer to a certificate verification
        call back function.
        @param randomFile file path of a random file that is used as a seed
        for random number generation by OpenSSL.  Security: the quality of
        this seed bounds the quality of every key and nonce OpenSSL derives
        from it; a predictable or attacker-readable file must not be used.
        @param cipherSuite OpenSSL cipher list string restricting the
        allowed cipher suites (empty: default).  Presumably passed to
        SSL_CTX_set_cipher_list in _makeSSLContext() -- confirm.
        @param sslCompatibility presumably enables legacy protocol versions
        for older peers; if so, enabling it weakens the connection --
        confirm in _makeSSLContext().

        @exception SSLException exception indicating failure to create a context.
    */
    SSLContextRep(
        const String& trustStore,
        const String& certPath = String::EMPTY,
        const String& keyPath = String::EMPTY,
        const String& crlPath = String::EMPTY,
        SSLCertificateVerifyFunction* verifyCert = NULL,
        const String& randomFile = String::EMPTY,
        const String& cipherSuite = String::EMPTY,
        const Boolean& sslCompatibility = false);

    /** Copy constructor; see the class note about copy assignment. */
    SSLContextRep(const SSLContextRep& sslContextRep);

    ~SSLContextRep();

    /** Raw OpenSSL context.  Not owned by the caller; valid only while this
        object is alive. */
    SSL_CTX * getContext() const;

    String getTrustStore() const;

    String getCertPath() const;

    String getKeyPath() const;

    String getCipherSuite() const;

#ifdef PEGASUS_USE_DEPRECATED_INTERFACES
    String getTrustStoreUserName() const;
#endif

    String getCRLPath() const;

    /** Shared handle on the CRL store; FreeX509STOREPtr releases it when
        the last holder goes away. */
    SharedPtr<X509_STORE, FreeX509STOREPtr> getCRLStore() const;

    /** Replaces the CRL store.  NOTE(review): presumably takes ownership of
        `store` by wrapping it in _crlStore -- confirm in the .cpp before
        passing a store that is also freed elsewhere. */
    void setCRLStore(X509_STORE* store);

    /** Whether peer certificates are verified for connections made with
        this context (presumably reports _verifyPeer -- confirm). */
    Boolean isPeerVerificationEnabled() const;

    SSLCertificateVerifyFunction* getSSLCertificateVerifyFunction() const;

    /**
        Checks if the certificate associated with this SSL context has expired
        or is not yet valid.
        @exception SSLException if the certificate is determined to be invalid.
    */
    void validateCertificate();

private:

#ifdef PEGASUS_HAS_SSL
    /**
        Ensures that the SSL environment remains initialized for the lifetime
        of the SSLContextRep object.  Kept as the first member on purpose:
        constructed first, destroyed last.
    */
    SSLEnvironmentInitializer _env;
#endif

    /** Builds the SSL_CTX from the stored paths and options. */
    SSL_CTX * _makeSSLContext();
    /** Presumably seeds OpenSSL's PRNG, using randomFile when given --
        confirm in the .cpp. */
    void _randomInit(const String& randomFile);
    /** Presumably checks that the private key at keyPath matches the
        certificate loaded into ctx -- confirm in the .cpp. */
    Boolean _verifyPrivateKey(SSL_CTX *ctx, const String& keyPath);

    String _trustStore;
    String _certPath;
    String _keyPath;
    String _crlPath;
    String _randomFile;
    String _cipherSuite;
    Boolean _sslCompatibility;
    // Raw SSL_CTX pointer; presumably released by the destructor (see the
    // class note about copying).
    SSL_CTX * _sslContext;

    Boolean _verifyPeer;

    SSLCertificateVerifyFunction* _certificateVerifyFunction;

    SharedPtr<X509_STORE, FreeX509STOREPtr> _crlStore;
};
325
326 PEGASUS_NAMESPACE_END
327
328 #endif /* Pegasus_SSLContextRep_h */