ACE/ace/SSL/SSL_Context.h

   1 // -*- C++ -*-
   2 //=============================================================================
   3 /**
   4  *  @file    SSL_Context.h
   5  *
   6  *  @author Carlos O'Ryan <coryan@ece.uci.edu>
   7  *  @author Ossama Othman <ossama@dre.vanderbilt.edu>
   8  */
   9 //=============================================================================
  10
  11 #ifndef ACE_SSL_CONTEXT_H
  12 #define ACE_SSL_CONTEXT_H
  13
  14 #include /**/ "ace/pre.h"
  15
  16 #include "SSL_Export.h"
  17
  18 #if !defined (ACE_LACKS_PRAGMA_ONCE)
  19 # pragma once
  20 #endif /* ACE_LACKS_PRAGMA_ONCE */
  21
  22 #include "ace/SString.h"
  23
  24 #ifdef ACE_HAS_THREADS
  25 # include "ace/Synch_Traits.h"
  26 #endif  /* ACE_HAS_THREADS */
  27
  28 #include <openssl/ssl.h>
  29
  30 ACE_BEGIN_VERSIONED_NAMESPACE_DECL
  31
  32 class ACE_INET_Addr;
  33
  34 class ACE_SSL_Export ACE_SSL_Data_File
  35 {
  36 public:
  37   /// Default constructor
  38   ACE_SSL_Data_File ();
  39
  40   /// Constructor from a file name and the file type.
  41   ACE_SSL_Data_File (const char *file_name,
  42                      int type = SSL_FILETYPE_PEM);
  43
  44   /// The file name
  45   const char *file_name () const;
  46
  47   /// The type
  48   int type () const;
  49
  50 private:
  51   /// The file name
  52   ACE_CString file_name_;
  53
  54   /// The type, used by the SSL library to parse the file contents.
  55   int type_;
  56 };
  57
  58 // ****************************************************************
  59
  60 // NOTE: Some compilers will issue warnings if the
  61 // the correct type of function pointer (i.e. extern "C" ) is not stored/used
  62 // of the form:
  63 // Warning (Anachronism): Formal argument callback of type
  64 //   extern "C" int(*)(int,x509_store_ctx_st*) in call to
  65 //   SSL_CTX_set_verify(ssl_ctx_st*, int, extern "C" int(*)(int,x509_store_ctx_st*))
  66 //   is being passed int(*)(int,x509_store_ctx_st*)
  67 // when C library routines are passed CallBack functions pointers that are
  68 // actually C++ functions.
  69 //
  70 // Unfortunatly you can not specify extern "C" linkage anywhere inside a class
  71 // declaration or inside a function prototype for individual parameters. I.e:
  72 //   class { extern "C" int (*callback_) (int, void *); };
  73 // to store a function pointer as a data member of the class is illegal as is:
  74 //   void function (extern "C" int (*callback) (int, void *);
  75 // to declare function (or a class member) that takes a extern "C" function
  76 // pointer as a parameter.
  77 //
  78 // Since we need an extern "C" function pointer as a parameter to be stored
  79 // in the class and handled by member functions, we are forced to declare
  80 // a typedef of that extern "C" function pointer that we can then use.
  81 // Again unfortunatly you also are not allowed to simply add the extern "C"
  82 // to the typedef itself, instead you have to place the typedef declaration
  83 // inside an extern "C" block, thus:
  84
  85 extern "C" {
  86   typedef int (*extern_C_CallBackVerify_t) (int, X509_STORE_CTX *);
  87 }
  88
  89 /**
  90  * @class ACE_SSL_Context
  91  *
  92  * @brief A wrapper for the OpenSSL SSL_CTX related functions.
  93  *
  94  * This class provides a wrapper for the SSL_CTX data structure.
  95  * Since most applications have a single SSL_CTX structure, this class
  96  * can be used as a singleton.
  97  */
  98 class ACE_SSL_Export ACE_SSL_Context
  99 {
 100 public:
 101 #ifdef ACE_HAS_THREADS
 102   typedef ACE_SYNCH_MUTEX lock_type;
 103 #endif  /* ACE_HAS_THREADS */
 104
 105   enum {
 106     INVALID_METHOD = -1,
 107     SSLv23_client,
 108     SSLv23_server,
 109     SSLv23
 110   };
 111
 112   /// Constructor
 113   ACE_SSL_Context ();
 114
 115   /// Destructor
 116   ~ACE_SSL_Context ();
 117
 118   /// The Singleton context, the SSL components use the singleton if
 119   /// nothing else is available.
 120   static ACE_SSL_Context *instance ();
 121
 122   /// Explicitly delete the Singleton context.
 123   static void close ();
 124
 125   /**
 126    * Set the CTX mode.  The mode can be set only once, afterwards the
 127    * function has no effect and returns -1.
 128    * Once the mode is set the underlying SSL_CTX is initialized and
 129    * the class can be used.
 130    * If the mode is not set, then the class automatically initializes
 131    * itself to the default mode.
 132    */
 133   int set_mode (int mode = ACE_SSL_Context::SSLv23);
 134
 135   int get_mode () const;
 136
 137   /// Get the SSL context
 138   SSL_CTX *context ();
 139
 140   /// Get the file name and file format used for the private key
 141   int private_key_type () const;
 142   const char *private_key_file_name () const;
 143
 144   /// Set the private key file.
 145   /**
 146    * @note This method should only be called after a certificate has
 147    *       been set since key verification is performed against the
 148    *       certificate, among other things.
 149    */
 150   int private_key (const char *file_name, int type = SSL_FILETYPE_PEM);
 151
 152   /// Verify that the private key is valid.
 153   /**
 154    * @note This method should only be called after a certificate has
 155    *       been set since key verification is performed against the
 156    *       certificate, among other things.
 157    */
 158   int verify_private_key ();
 159
 160   /// Get the file name and file format used for the certificate file
 161   int certificate_type () const;
 162   const char *certificate_file_name () const;
 163
 164   /// Set the certificate file.
 165   int certificate (const char *file_name,
 166                    int type = SSL_FILETYPE_PEM);
 167
 168   /// Load certificate from memory rather than a file.
 169   int certificate (X509* cert);
 170
 171   /// Loads certificate chain file_name into ctx. Certificates must be
 172   /// sorted starting with the subject's certificate (actual client or
 173   /// server certificate), followed by ordered intermediate CA certificates.
 174   /// E.g. Let's Encrypt's intermediate certificate chain.
 175   int certificate_chain (const char *file_name, int type = SSL_FILETYPE_PEM);
 176
 177   /// Parse the string and filter crypto versions accordingly
 178   int filter_versions (const char *filter);
 179
 180   /// verify the peer cert matches the host
 181   bool check_host (const ACE_INET_Addr& host, SSL * peerssl);
 182
 183   /**
 184    *  Load the location of the trusted certification authority
 185    *  certificates.  Note that CA certificates are stored in PEM format
 186    *  as a sequence of certificates in @a ca_file or as a set of
 187    *  individual certificates in @a ca_dir (or both).
 188    *
 189    *  Note this method is called by set_mode() to load the default
 190    *  environment settings for @a ca_file and @a ca_dir, if any. This
 191    *  allows for automatic service configuration (and backward
 192    *  compatibility with previous versions).
 193    *
 194    *  Note that the underlying SSL function will add valid file and
 195    *  directory names to the load location lists maintained as part of
 196    *  the SSL_CTX table.  It therefore doesn't make sense to keep a
 197    *  copy of the file and path name of the most recently added
 198    *  @a ca_file or @a ca_path.
 199    *
 200    *  @param[in] ca_file           CA file pathname. Passed to
 201    *                               @c SSL_CTX_load_verify_locations() if not
 202    *                               0. If 0, behavior depends on the value of
 203    *                               @a use_env_defaults.
 204    *  @param[in] ca_dir            CA directory pathname. Passed to
 205    *                               @c SSL_CTX_load_verify_locations() if not
 206    *                               0. If 0, behavior depends on the value of
 207    *                               @a use_env_defaults.
 208    *  @param[in] use_env_defaults  If false, the specified @a ca_file argument
 209    *                               is passed to
 210    *                               @c SSL_CTX_load_verify_locations(),
 211    *                               regardless of its value.
 212    *                               If true (the default), additional defaults
 213    *                               can be applied to either @a ca_file,
 214    *                               @a ca_dir, or both. The following
 215    *                               additional defaults are applied when the
 216    *                               @a ca_file argument is 0:
 217    *                                - The @c SSL_CERT_FILE environment variable
 218    *                                  will be queried for a file name to use as
 219    *                                  the @a ca_file argument. The environment
 220    *                                  variable name to query can be changed by
 221    *                                  supplying a @c ACE_SSL_CERT_FILE_ENV
 222    *                                  configuration item when building ACE.
 223    *                                - If there is no @c SSL_CERT_FILE in the
 224    *                                  current environment, the file specified
 225    *                                  by the @c ACE_DEFAULT_SSL_CERT_FILE ACE
 226    *                                  configuration item will be used. The
 227    *                                  default value is "cert.pem" on Windows
 228    *                                  and "/etc/ssl/cert.pem" on all other
 229    *                                  platforms.
 230    *                               The following additional defaults are
 231    *                               applied when the @a ca_dir argument is 0:
 232    *                                - The @c SSL_CERT_DIR environment variable
 233    *                                  will be queried for a file name to use as
 234    *                                  the @a ca_dir argument. The environment
 235    *                                  variable name to query can be changed by
 236    *                                  supplying a @c ACE_SSL_CERT_DIR_ENV
 237    *                                  configuration item when building ACE.
 238    *                                - If there is no @c SSL_CERT_DIR in the
 239    *                                  current environment, the directory
 240    *                                  specified by the @c
 241    *                                  ACE_DEFAULT_SSL_CERT_DIR ACE
 242    *                                  configuration item will be used. The
 243    *                                  default value is "certs" on Windows
 244    *                                  and "/etc/ssl/certs" on all other
 245    *                                  platforms.
 246    *
 247    *  @return 0 for success or -1 on error.
 248    *
 249    *  @see OpenSSL manual SSL_CTX_load_verify_locations(3) for a
 250    *  detailed description of the CA file and directory requirements
 251    *  and processing.
 252    */
 253   int load_trusted_ca (const char* ca_file = 0,
 254                        const char* ca_dir = 0,
 255                        bool use_env_defaults = true);
 256
 257   /**
 258    *  Test whether any CA locations have been successfully loaded and
 259    *  return the number of successful attempts.
 260    *
 261    *  @retval >0  The number of successful CA load attempts.
 262    *  @retval  0  If all CA load attempts have failed.
 263    */
 264   int have_trusted_ca () const;
 265
 266   /**
 267    *  @todo Complete this documentation where elipses(...) are used
 268    *
 269    *  @doc Use this method when certificate chain verification is
 270    *  required.  The default server behaviour is SSL_VERIFY_NONE
 271    *  i.e. client certicates are requested for verified. This method
 272    *  can be used to configure server to request client certificates
 273    *  and perform the certificate verification. If <strict> is set
 274    *  true the client connection is rejected when certificate
 275    *  verification fails.  Otherwise the session is accepted with a
 276    *  warning, which is the default behaviour.  If <once> is set true
 277    *  (default), certificates are requested only once per session.
 278    *  The last parameter <depth> can be used to set the verification
 279    *  depth.
 280    *
 281    *  Note for verification to work correctly there should be a valid
 282    *  CA name list set using load_trusted_ca().
 283    *
 284    *  @see OpenSSL documentation of SSL_CTX_set_verify(3) for details of
 285    *  the verification process.
 286    *
 287    *  @see OpenSSL documentation ... set_verify_depth(3) ...
 288    *
 289    *  Note that this method overrides the use of the
 290    *  default_verify_mode() method.
 291    */
 292   void set_verify_peer (int strict = 0, int once = 1, int depth = 0);
 293
 294   /// TODO: a implementation that will lookup the CTX table for the list
 295   /// of files and paths etc.
 296   /// Query the location of trusted certification authority
 297   /// certificates.
 298   // const char* ca_file_name() const;
 299   // const char* ca_dir_name() const;
 300
 301   /**
 302    * Set and query the default verify mode for this context, it is
 303    * inherited by all the ACE_SSL objects created using the context.
 304    * It can be overriden on a per-ACE_SSL object.
 305    */
 306   void default_verify_mode (int mode);
 307   int default_verify_mode () const;
 308
 309   /**
 310    * Set and query the default verify callback for this context, it is
 311    * inherited by all the ACE_SSL objects created using the context.
 312    * It can be overriden on a per-ACE_SSL object.
 313    */
 314   void default_verify_callback (extern_C_CallBackVerify_t);
 315   extern_C_CallBackVerify_t  default_verify_callback () const;
 316
 317   /**
 318    * @name OpenSSL Random Number Generator Seed Related Methods
 319    *
 320    * These are methods that can be used to seed OpenSSL's
 321    * pseudo-random number generator.  These methods can be called more
 322    * than once.
 323    */
 324   //@{
 325   /// Seed the underlying random number generator.  This value should
 326   /// have at least 128 bits of entropy.
 327   static int random_seed (const char * seed);
 328
 329   /// Set the Entropy Gathering Daemon (EGD) UNIX domain socket file to
 330   /// read random seed values from.
 331   static int egd_file (const char * socket_file);
 332
 333   /**
 334    * Set the file that contains the random seed value state, and the
 335    * amount of bytes to read.  "-1" bytes causes the entire file to be
 336    * read.
 337    */
 338   static int seed_file (const char * seed_file, long bytes = -1);
 339   //@}
 340
 341   /// Print SSL error corresponding to the given error code.
 342   static void report_error (unsigned long error_code);
 343
 344   /// Print the last SSL error for the current thread.
 345   static void report_error ();
 346
 347   /**
 348    * @name Diffie-Hellman (DH) Parameters
 349    *
 350    * When using DSS-based certificates, Diffie-Hellman keys need to be
 351    * exchanged.  These must be provided in the form of DH key
 352    * generation parameters loaded in, or as fixed keys hardcoded into
 353    * the code itself.  ACE_SSL supports loaded parameters.
 354    *
 355    */
 356   //@{
 357   /**
 358    * Load Diffie-Hellman parameters from file_name.  The specified file can be
 359    * a standalone file containing only DH parameters (e.g., as created
 360    * by <code>openssl dhparam</code>), or it can be a certificate which has
 361    * a PEM-encoded set of DH params concatenated on to i.
 362    */
 363   int dh_params (const char *file_name, int type = SSL_FILETYPE_PEM);
 364   const char *dh_params_file_name () const;
 365   int dh_params_file_type () const;
 366   //@}
 367
 368 private:
 369   /// Verify if the context has been initialized or not.
 370   void check_context ();
 371
 372   /// @@ More to document
 373   void ssl_library_init ();
 374   void ssl_library_fini ();
 375
 376   ACE_SSL_Context (const ACE_SSL_Context &) = delete;
 377   ACE_SSL_Context & operator= (const ACE_SSL_Context &) = delete;
 378
 379 private:
 380   /// The SSL_CTX structure
 381   SSL_CTX *context_;
 382
 383   /// Cache the mode so we can answer fast
 384   int mode_;
 385
 386   /// The private key, certificate, and Diffie-Hellman parameters files
 387   ACE_SSL_Data_File private_key_;
 388   ACE_SSL_Data_File certificate_;
 389   ACE_SSL_Data_File dh_params_;
 390
 391   /// The default verify mode.
 392   int default_verify_mode_;
 393
 394   /// The default verify callback.
 395   extern_C_CallBackVerify_t  default_verify_callback_;
 396
 397   /// count of successful CA load attempts
 398   int have_ca_;
 399
 400 #if defined(ACE_HAS_THREADS) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
 401   /// Array of mutexes used internally by OpenSSL when the SSL
 402   /// application is multithreaded.
 403   static lock_type * locks_;
 404 #endif /* ACE_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L */
 405 };
 406
 407 ACE_END_VERSIONED_NAMESPACE_DECL
 408
 409 #if defined(__ACE_INLINE__)
 410 #include "SSL_Context.inl"
 411 #endif /* __ACE_INLINE__ */
 412
 413 #include /**/ "ace/post.h"
 414 #endif  /* ACE_SSL_CONTEXT_H */