search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Document return values
[ACE_TAO.git] / ACE / ace / SSL / SSL_Context.cpp
blob9313dc5717f9b49317ca0bd7b438ca6079831dda
1 #include "SSL_Context.h"
2
3 #include "sslconf.h"
4
5 #if !defined(__ACE_INLINE__)
6 #include "SSL_Context.inl"
7 #endif /* __ACE_INLINE__ */
8
9 #include "ace/Guard_T.h"
10 #include "ace/Object_Manager.h"
11 #include "ace/Log_Category.h"
12 #include "ace/Singleton.h"
13 #include "ace/Synch_Traits.h"
14 #include "ace/Truncate.h"
15 #include "ace/ACE.h"
16 #include "ace/INET_Addr.h"
17 #include "ace/OS_NS_errno.h"
18 #include "ace/OS_NS_string.h"
19 #include "ace/OS_NS_ctype.h"
20 #include "ace/OS_NS_netdb.h"
21
22 #ifdef ACE_HAS_THREADS
23 # include "ace/Thread_Mutex.h"
24 # include "ace/OS_NS_Thread.h"
25 #endif /* ACE_HAS_THREADS */
26
27 #include <openssl/x509.h>
28 #include <openssl/x509v3.h>
29 #include <openssl/err.h>
30 #include <openssl/rand.h>
31 #include <openssl/safestack.h>
32
33 namespace
34 {
35 /// Reference count of the number of times the ACE_SSL_Context was
36 /// initialized.
37 int ssl_library_init_count = 0;
38
39 // @@ This should also be done with a singleton, otherwise it is not
40 // thread safe and/or portable to some weird platforms...
41
42 #if defined(ACE_HAS_THREADS) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
43 /// Array of mutexes used internally by OpenSSL when the SSL
44 /// application is multithreaded.
45 ACE_SSL_Context::lock_type * ssl_locks = 0;
46
47 // @@ This should also be managed by a singleton.
48 #endif /* ACE_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L */
49 }
50
51 #if defined (ACE_HAS_THREADS) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
52
53 # if (defined (ACE_HAS_VERSIONED_NAMESPACE) && ACE_HAS_VERSIONED_NAMESPACE == 1)
54 # define ACE_SSL_LOCKING_CALLBACK_NAME ACE_PREPROC_CONCATENATE(ACE_VERSIONED_NAMESPACE_NAME, _ACE_SSL_locking_callback)
55 # define ACE_SSL_THREAD_ID_NAME ACE_PREPROC_CONCATENATE(ACE_VERSIONED_NAMESPACE_NAME, _ACE_SSL_thread_id)
56 # else
57 # define ACE_SSL_LOCKING_CALLBACK_NAME ACE_SSL_locking_callback
58 # define ACE_SSL_THREAD_ID_NAME ACE_SSL_thread_id
59 # endif /* ACE_HAS_VERSIONED_NAMESPACE == 1 */
60
61 extern "C"
62 {
63 void
64 ACE_SSL_LOCKING_CALLBACK_NAME (int mode,
65 int type,
66 const char * /* file */,
67 int /* line */)
68 {
69 // #ifdef undef
70 // fprintf(stderr,"thread=%4d mode=%s lock=%s %s:%d\n",
71 // CRYPTO_thread_id(),
72 // (mode&CRYPTO_LOCK)?"l":"u",
73 // (type&CRYPTO_READ)?"r":"w",file,line);
74 // #endif
75 // /*
76 // if (CRYPTO_LOCK_SSL_CERT == type)
77 // fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
78 // CRYPTO_thread_id(),
79 // mode,file,line);
80 // */
81 if (mode & CRYPTO_LOCK)
82 (void) ssl_locks[type].acquire ();
83 else
84 (void) ssl_locks[type].release ();
85 }
86
87 // -------------------------------
88
89 // Return the current thread ID. OpenSSL uses this on platforms
90 // that need it.
91 unsigned long
92 ACE_SSL_THREAD_ID_NAME ()
93 {
94 return (unsigned long) ACE_VERSIONED_NAMESPACE_NAME::ACE_OS::thr_self ();
95 }
96 }
97 #endif /* ACE_HAS_THREADS && (OPENSSL_VERSION_NUMBER < 0x10100000L) */
98
99
100 // ****************************************************************
101
102 ACE_BEGIN_VERSIONED_NAMESPACE_DECL
103
104 #if defined (ACE_HAS_THREADS) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
105 ACE_SSL_Context::lock_type * ACE_SSL_Context::locks_ = 0;
106 #endif /* ACE_HAS_THREADS && (OPENSSL_VERSION_NUMBER < 0x10100000L) */
107
108 ACE_SSL_Context::ACE_SSL_Context ()
109 : context_ (0),
110 mode_ (-1),
111 default_verify_mode_ (SSL_VERIFY_NONE),
112 default_verify_callback_ (0),
113 have_ca_ (0)
114 {
115 ACE_TRACE ("ACE_SSL_Context::ACE_SSL_Context");
116
117 ACE_SSL_Context::ssl_library_init ();
118 }
119
120 ACE_SSL_Context::~ACE_SSL_Context ()
121 {
122 ACE_TRACE ("ACE_SSL_Context::~ACE_SSL_Context");
123
124 if (this->context_)
125 {
126 ::SSL_CTX_free (this->context_);
127 this->context_ = 0;
128 }
129
130 ACE_SSL_Context::ssl_library_fini ();
131 }
132
133 ACE_SSL_Context *
134 ACE_SSL_Context::instance ()
135 {
136 ACE_TRACE ("ACE_SSL_Context::instance");
137
138 return ACE_Unmanaged_Singleton<ACE_SSL_Context, ACE_SYNCH_MUTEX>::instance ();
139 }
140
141 void
142 ACE_SSL_Context::close ()
143 {
144 ACE_TRACE ("ACE_SSL_Context::close");
145
146 ACE_Unmanaged_Singleton<ACE_SSL_Context, ACE_SYNCH_MUTEX>::close ();
147 }
148
149 void
150 ACE_SSL_Context::ssl_library_init ()
151 {
152 ACE_TRACE ("ACE_SSL_Context::ssl_library_init");
153
154 ACE_MT (ACE_GUARD (ACE_Recursive_Thread_Mutex,
155 ace_ssl_mon,
156 *ACE_Static_Object_Lock::instance ()));
157
158 if (ssl_library_init_count == 0)
159 {
160 // Initialize the locking callbacks before initializing anything
161 // else.
162 #if defined(ACE_HAS_THREADS) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
163 int const num_locks = ::CRYPTO_num_locks ();
164
165 this->locks_ = new lock_type[num_locks];
166 ssl_locks = this->locks_;
167
168 # if !defined (WIN32)
169 // This call isn't necessary on some platforms. See the CRYPTO
170 // library's threads(3) man page for details.
171 ::CRYPTO_set_id_callback (ACE_SSL_THREAD_ID_NAME);
172 # endif /* !WIN32 */
173 ::CRYPTO_set_locking_callback (ACE_SSL_LOCKING_CALLBACK_NAME);
174 #endif /* ACE_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L */
175
176 ::SSLeay_add_ssl_algorithms ();
177 ::SSL_load_error_strings ();
178
179 // Seed the random number generator. Note that the random
180 // number generator can be seeded more than once to "stir" its
181 // state.
182
183 #ifdef WIN32
184 // Seed the random number generator by sampling the screen.
185 # if OPENSSL_VERSION_NUMBER < 0x10100000L
186 ::RAND_screen ();
187 # else
188 ::RAND_poll ();
189 # endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
190 #endif /* WIN32 */
191
192 #if OPENSSL_VERSION_NUMBER >= 0x00905100L
193 // OpenSSL < 0.9.5 doesn't have EGD support.
194
195 const char *egd_socket_file =
196 ACE_OS::getenv (ACE_SSL_EGD_FILE_ENV);
197
198 if (egd_socket_file != 0)
199 (void) this->egd_file (egd_socket_file);
200 #endif /* OPENSSL_VERSION_NUMBER */
201
202 const char *rand_file = ACE_OS::getenv (ACE_SSL_RAND_FILE_ENV);
203
204 if (rand_file != 0)
205 {
206 (void) this->seed_file (rand_file);
207 }
208
209 // Initialize the mutexes that will be used by the SSL and
210 // crypto library.
211 }
212
213 ++ssl_library_init_count;
214 }
215
216 void
217 ACE_SSL_Context::ssl_library_fini ()
218 {
219 ACE_TRACE ("ACE_SSL_Context::ssl_library_fini");
220
221 ACE_MT (ACE_GUARD (ACE_Recursive_Thread_Mutex,
222 ace_ssl_mon,
223 *ACE_Static_Object_Lock::instance ()));
224
225 --ssl_library_init_count;
226 if (ssl_library_init_count == 0)
227 {
228 #if OPENSSL_VERSION_NUMBER < 0x10100000L
229 ::ERR_free_strings ();
230 ::EVP_cleanup ();
231
232 // Clean up the locking callbacks after everything else has been
233 // cleaned up.
234 #ifdef ACE_HAS_THREADS
235 ::CRYPTO_set_locking_callback (0);
236 ssl_locks = 0;
237
238 delete [] this->locks_;
239 this->locks_ = 0;
240 #endif /* ACE_HAS_THREADS && */
241 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
242 }
243 }
244
245 int
246 ACE_SSL_Context::set_mode (int mode)
247 {
248 ACE_TRACE ("ACE_SSL_Context::set_mode");
249
250 ACE_MT (ACE_GUARD_RETURN (ACE_Recursive_Thread_Mutex,
251 ace_ssl_mon,
252 *ACE_Static_Object_Lock::instance (),
253 -1));
254
255 if (this->context_ != 0)
256 return -1;
257
258 #if OPENSSL_VERSION_NUMBER >= 0x10000002
259 const SSL_METHOD *method = 0;
260 #else
261 SSL_METHOD *method = 0;
262 #endif
263
264 switch (mode)
265 {
266 case ACE_SSL_Context::SSLv23_client:
267 method = ::SSLv23_client_method ();
268 break;
269 case ACE_SSL_Context::SSLv23_server:
270 method = ::SSLv23_server_method ();
271 break;
272 case ACE_SSL_Context::SSLv23:
273 method = ::SSLv23_method ();
274 break;
275 default:
276 method = ::SSLv23_method ();
277 break;
278 }
279
280 this->context_ = ::SSL_CTX_new (method);
281 if (this->context_ == 0)
282 return -1;
283
284 this->mode_ = mode;
285
286 // Load the trusted certificate authority (default) certificate
287 // locations. But do not return -1 on error, doing so confuses CTX
288 // allocation (severe error) with the less important loading of CA
289 // certificate location error. If it is important for your
290 // application then call ACE_SSL_Context::have_trusted_ca(),
291 // immediately following this call to set_mode().
292 (void) this->load_trusted_ca ();
293
294 return 0;
295 }
296
297 int
298 ACE_SSL_Context::filter_versions (const char* versionlist)
299 {
300 ACE_TRACE ("ACE_SSL_Context::filter_versions");
301
302 this->check_context ();
303
304 ACE_CString vlist = versionlist;
305 ACE_CString seplist = " ,;";
306 ACE_CString::size_type pos = 0;
307 bool match = false;
308
309 for (; pos < vlist.length (); pos++)
310 {
311 vlist[pos] = ACE_OS::ace_tolower (vlist[pos]);
312 }
313
314 #if defined (SSL_OP_NO_SSLv2)
315 pos = vlist.find("sslv2");
316 match = pos != ACE_CString::npos &&
317 (pos == vlist.length () - 5 ||
318 seplist.find (vlist[pos + 5]) != ACE_CString::npos);
319 if (!match)
320 {
321 ::SSL_CTX_set_options (this->context_, SSL_OP_NO_SSLv2);
322 }
323 #endif /* SSL_OP_NO_SSLv2 */
324
325 #if defined (SSL_OP_NO_SSLv3)
326 pos = vlist.find("sslv3");
327 match = pos != ACE_CString::npos &&
328 (pos == vlist.length () - 5 ||
329 seplist.find (vlist[pos + 5]) != ACE_CString::npos);
330 if (!match)
331 {
332 ::SSL_CTX_set_options (this->context_, SSL_OP_NO_SSLv3);
333 }
334 #endif /* SSL_OP_NO_SSLv3 */
335
336 #if defined (SSL_OP_NO_TLSv1)
337 pos = vlist.find("tlsv1");
338 match = pos != ACE_CString::npos &&
339 (pos == vlist.length () - 5 ||
340 seplist.find (vlist[pos + 5]) != ACE_CString::npos);
341 if (!match)
342 {
343 ::SSL_CTX_set_options (this->context_, SSL_OP_NO_TLSv1);
344 }
345 #endif /* SSL_OP_NO_TLSv1 */
346
347 #if defined (SSL_OP_NO_TLSv1_1)
348 pos = vlist.find("tlsv1.1");
349 match = pos != ACE_CString::npos &&
350 (pos == vlist.length () - 7 ||
351 seplist.find (vlist[pos + 7]) != ACE_CString::npos);
352 if (!match)
353 {
354 ::SSL_CTX_set_options (this->context_, SSL_OP_NO_TLSv1_1);
355 }
356 #endif /* SSL_OP_NO_TLSv1_1 */
357
358 #if defined (SSL_OP_NO_TLSv1_2)
359 pos = vlist.find("tlsv1.2");
360 match = pos != ACE_CString::npos &&
361 (pos == vlist.length () - 7 ||
362 seplist.find (vlist[pos + 7]) != ACE_CString::npos);
363 if (!match)
364 {
365 ::SSL_CTX_set_options (this->context_, SSL_OP_NO_TLSv1_2);
366 }
367 #endif /* SSL_OP_NO_TLSv1_2 */
368
369 #if defined (SSL_OP_NO_TLSv1_3)
370 pos = vlist.find("tlsv1.3");
371 match = pos != ACE_CString::npos &&
372 (pos == vlist.length() - 7 ||
373 seplist.find(vlist[pos + 7]) != ACE_CString::npos);
374 if (!match)
375 {
376 ::SSL_CTX_set_options(this->context_, SSL_OP_NO_TLSv1_3);
377 }
378 #endif /* SSL_OP_NO_TLSv1_3 */
379 return 0;
380 }
381
382 bool
383 ACE_SSL_Context::check_host (const ACE_INET_Addr &host, SSL *peerssl)
384 {
385 ACE_TRACE ("ACE_SSL_Context::check_host");
386
387 #if defined (OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10002001L)
388
389 this->check_context ();
390
391 char name[MAXHOSTNAMELEN+1];
392
393 if (peerssl == 0 || host.get_host_name (name, MAXHOSTNAMELEN) == -1)
394 {
395 return false;
396 }
397
398 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
399 X509* cert = ::SSL_get1_peer_certificate(peerssl);
400 #else
401 X509* cert = ::SSL_get_peer_certificate(peerssl);
402 #endif
403
404 if (cert == 0)
405 {
406 return false;
407 }
408
409 char *peer = 0;
410 char **peerarg = ACE::debug () ? &peer : 0;
411 int const flags = X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT;
412 size_t const len = ACE_OS::strlen (name);
413
414 int const result = ::X509_check_host (cert, name, len, flags, peerarg);
415
416 if (ACE::debug ())
417 {
418 ACELIB_DEBUG ((LM_DEBUG,
419 ACE_TEXT ("ACE (%P|%t) SSL_Context::check_host ")
420 ACE_TEXT ("name <%C> returns %d, peer <%C>\n"),
421 name, result, peer));
422 }
423 if (peer != 0)
424 {
425 ::OPENSSL_free (peer);
426 }
427
428 ::X509_free (cert);
429
430 return result == 1;
431 #else
432 ACE_UNUSED_ARG (host);
433 ACE_UNUSED_ARG (peerssl);
434
435 return false;
436 #endif /* OPENSSL_VERSION_NUMBER */
437 }
438
439 int
440 ACE_SSL_Context::load_trusted_ca (const char* ca_file,
441 const char* ca_dir,
442 bool use_env_defaults)
443 {
444 ACE_TRACE ("ACE_SSL_Context::load_trusted_ca");
445
446 this->check_context ();
447
448 if (ca_file == 0 && use_env_defaults)
449 {
450 // Use the default environment settings.
451 ca_file = ACE_OS::getenv (ACE_SSL_CERT_FILE_ENV);
452 #ifdef ACE_DEFAULT_SSL_CERT_FILE
453 if (ca_file == 0)
454 ca_file = ACE_DEFAULT_SSL_CERT_FILE;
455 #endif
456 }
457
458 if (ca_dir == 0 && use_env_defaults)
459 {
460 // Use the default environment settings.
461 ca_dir = ACE_OS::getenv (ACE_SSL_CERT_DIR_ENV);
462 #ifdef ACE_DEFAULT_SSL_CERT_DIR
463 if (ca_dir == 0)
464 ca_dir = ACE_DEFAULT_SSL_CERT_DIR;
465 #endif
466 }
467
468 // NOTE: SSL_CTX_load_verify_locations() returns 0 on error.
469 if (::SSL_CTX_load_verify_locations (this->context_,
470 ca_file,
471 ca_dir) <= 0)
472 {
473 if (ACE::debug ())
474 ACE_SSL_Context::report_error ();
475 return -1;
476 }
477
478 ++this->have_ca_;
479
480 // For TLS/SSL servers scan all certificates in ca_file and ca_dir and
481 // list them as acceptable CAs when requesting a client certificate.
482 if (mode_ == SSLv23 || mode_ == SSLv23_server)
483 {
484 // Note: The STACK_OF(X509_NAME) pointer is a copy of the pointer in
485 // the CTX; any changes to it by way of these function calls will
486 // change the CTX directly.
487 STACK_OF (X509_NAME) * cert_names = 0;
488 cert_names = ::SSL_CTX_get_client_CA_list (this->context_);
489
490 // Add CAs from both the file and dir, if specified. There should
491 // already be a STACK_OF(X509_NAME) in the CTX, but if not, we create
492 // one.
493 if (ca_file)
494 {
495 bool error = false;
496 if (cert_names == 0)
497 {
498 if ((cert_names = ::SSL_load_client_CA_file (ca_file)) != 0)
499 ::SSL_CTX_set_client_CA_list (this->context_, cert_names);
500 else
501 error = true;
502 }
503 else
504 {
505 // Add new certificate names to the list.
506 error = (0 == ::SSL_add_file_cert_subjects_to_stack (cert_names,
507 ca_file));
508 }
509
510 if (error)
511 {
512 if (ACE::debug ())
513 ACE_SSL_Context::report_error ();
514 return -1;
515 }
516 }
517
518 // SSL_add_dir_cert_subjects_to_stack is defined at 0.9.8a (but not
519 // on Mac Classic); it may be available earlier. Change
520 // this comparison if so. It's still (1.0.1g) broken on windows too.
521 #if defined (OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x0090801fL)
522 # if !defined (OPENSSL_SYS_MACINTOSH_CLASSIC)
523 # if !defined (OPENSSL_SYS_WIN32)
524
525 if (ca_dir != 0)
526 {
527 if (cert_names == 0)
528 {
529 if ((cert_names = sk_X509_NAME_new_null ()) == 0)
530 {
531 if (ACE::debug ())
532 ACE_SSL_Context::report_error ();
533 return -1;
534 }
535 ::SSL_CTX_set_client_CA_list (this->context_, cert_names);
536 }
537 if (0 == ::SSL_add_dir_cert_subjects_to_stack (cert_names, ca_dir))
538 {
539 if (ACE::debug ())
540 ACE_SSL_Context::report_error ();
541 return -1;
542 }
543 }
544 # endif /* !OPENSSL_SYS_WIN32 */
545 # endif /* !OPENSSL_SYS_MACINTOSH_CLASSIC */
546 #endif /* OPENSSL_VERSION_NUMBER >= 0.9.8a release */
547
548 }
549
550 return 0;
551 }
552
553 int
554 ACE_SSL_Context::private_key (const char *file_name,
555 int type)
556 {
557 ACE_TRACE ("ACE_SSL_Context::private_key");
558
559 if (this->private_key_.type () != -1)
560 return 0;
561
562 this->check_context ();
563
564 this->private_key_ = ACE_SSL_Data_File (file_name, type);
565
566 if (::SSL_CTX_use_PrivateKey_file (this->context_,
567 this->private_key_.file_name (),
568 this->private_key_.type ()) <= 0)
569 {
570 this->private_key_ = ACE_SSL_Data_File ();
571 return -1;
572 }
573 else
574 return this->verify_private_key ();
575 }
576
577 int
578 ACE_SSL_Context::verify_private_key ()
579 {
580 ACE_TRACE ("ACE_SSL_Context::verify_private_key");
581
582 this->check_context ();
583
584 return (::SSL_CTX_check_private_key (this->context_) <= 0 ? -1 : 0);
585 }
586
587 int
588 ACE_SSL_Context::certificate (const char *file_name,
589 int type)
590 {
591 ACE_TRACE ("ACE_SSL_Context::certificate:file_name:type");
592
593 if (this->certificate_.type () != -1)
594 return 0;
595
596 this->certificate_ = ACE_SSL_Data_File (file_name, type);
597
598 this->check_context ();
599
600 if (::SSL_CTX_use_certificate_file (this->context_,
601 this->certificate_.file_name (),
602 this->certificate_.type ()) <= 0)
603 {
604 this->certificate_ = ACE_SSL_Data_File ();
605 return -1;
606 }
607 else
608 return 0;
609 }
610
611 int
612 ACE_SSL_Context::certificate (X509* cert)
613 {
614 ACE_TRACE ("ACE_SSL_Context::certificate:cert");
615
616 // Is it really a good idea to return 0 if we're not setting the
617 // certificate?
618 if (this->certificate_.type () != -1)
619 return 0;
620
621 this->check_context();
622
623 if (::SSL_CTX_use_certificate (this->context_, cert) <= 0)
624 {
625 return -1;
626 }
627 else
628 {
629 // No file is associated with the certificate, set this to a fictional
630 // value so we don't reset it later.
631 this->certificate_ = ACE_SSL_Data_File ("MEMORY CERTIFICATE");
632
633 return 0;
634 }
635 }
636
637 int
638 ACE_SSL_Context::certificate_chain (const char *file_name, int type)
639 {
640 ACE_TRACE ("ACE_SSL_Context::certificate_chain:file_name");
641
642 this->certificate_ = ACE_SSL_Data_File (file_name, type);
643
644 this->check_context ();
645
646 if (::SSL_CTX_use_certificate_chain_file (this->context_,
647 this->certificate_.file_name ()) <= 0)
648 {
649 return -1;
650 }
651 else
652 return 0;
653 }
654
655 void
656 ACE_SSL_Context::set_verify_peer (int strict, int once, int depth)
657 {
658 ACE_TRACE ("ACE_SSL_Context::set_verify_peer");
659
660 this->check_context ();
661
662 // Setup the peer verification mode.
663 int verify_mode = SSL_VERIFY_PEER;
664 if (once)
665 verify_mode |= SSL_VERIFY_CLIENT_ONCE;
666 if (strict)
667 verify_mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
668
669 // set the default verify mode
670 this->default_verify_mode (verify_mode);
671
672 // Set the max certificate depth but later let the verify_callback
673 // catch the depth error by adding one to the required depth.
674 if (depth > 0)
675 ::SSL_CTX_set_verify_depth (this->context_, depth + 1);
676 }
677
678 int
679 ACE_SSL_Context::random_seed (const char * seed)
680 {
681 ACE_TRACE ("ACE_SSL_Context::random_seed");
682
683 int len = ACE_Utils::truncate_cast<int> (ACE_OS::strlen (seed));
684 ::RAND_seed (seed, len);
685
686 #if OPENSSL_VERSION_NUMBER >= 0x00905100L
687 // RAND_status() returns 1 if the PRNG has enough entropy.
688 return (::RAND_status () == 1 ? 0 : -1);
689 #else
690 return 0; // Ugly, but OpenSSL <= 0.9.4 doesn't have RAND_status().
691 #endif /* OPENSSL_VERSION_NUMBER >= 0x00905100L */
692 }
693
694 int
695 ACE_SSL_Context::egd_file (const char * socket_file)
696 {
697 ACE_TRACE ("ACE_SSL_Context::egd_file");
698
699 #if OPENSSL_VERSION_NUMBER < 0x00905100L || defined (OPENSSL_NO_EGD)
700 // OpenSSL < 0.9.5 doesn't have EGD support. OpenSSL 1.1 and newer
701 // disable egd by default
702 ACE_UNUSED_ARG (socket_file);
703 ACE_NOTSUP_RETURN (-1);
704 #else
705 // RAND_egd() returns the amount of entropy used to seed the random
706 // number generator. The actual value should be greater than 16,
707 // i.e. 128 bits.
708 if (::RAND_egd (socket_file) > 0)
709 return 0;
710 else
711 return -1;
712 #endif /* OPENSSL_VERSION_NUMBER < 0x00905100L */
713 }
714
715 int
716 ACE_SSL_Context::seed_file (const char * seed_file, long bytes)
717 {
718 ACE_TRACE ("ACE_SSL_Context::seed_file");
719
720 // RAND_load_file() returns the number of bytes used to seed the
721 // random number generator. If the file reads ok, check RAND_status to
722 // see if it got enough entropy.
723 if (::RAND_load_file (seed_file, bytes) > 0)
724 #if OPENSSL_VERSION_NUMBER >= 0x00905100L
725 // RAND_status() returns 1 if the PRNG has enough entropy.
726 return (::RAND_status () == 1 ? 0 : -1);
727 #else
728 return 0; // Ugly, but OpenSSL <= 0.9.4 doesn't have RAND_status().
729 #endif /* OPENSSL_VERSION_NUMBER >= 0x00905100L */
730 else
731 return -1;
732 }
733
734 void
735 ACE_SSL_Context::report_error (unsigned long error_code)
736 {
737 ACE_TRACE ("ACE_SSL_Context::report_error:error_code");
738
739 if (error_code != 0)
740 {
741 char error_string[256];
742
743 // OpenSSL < 0.9.6a doesn't have ERR_error_string_n() function.
744 #if OPENSSL_VERSION_NUMBER >= 0x0090601fL
745 (void) ::ERR_error_string_n (error_code, error_string, sizeof error_string);
746 #else /* OPENSSL_VERSION_NUMBER >= 0x0090601fL */
747 (void) ::ERR_error_string (error_code, error_string);
748 #endif /* OPENSSL_VERSION_NUMBER >= 0x0090601fL */
749
750 ACELIB_ERROR ((LM_ERROR,
751 ACE_TEXT ("ACE_SSL (%P|%t) error code: %u - %C\n"),
752 error_code,
753 error_string));
754 }
755 }
756
757 void
758 ACE_SSL_Context::report_error ()
759 {
760 ACE_TRACE ("ACE_SSL_Context::report_error");
761
762 unsigned long const err = ::ERR_get_error ();
763 ACE_SSL_Context::report_error (err);
764 ACE_OS::last_error (err);
765 }
766
767 int
768 ACE_SSL_Context::dh_params (const char *file_name,
769 int type)
770 {
771 ACE_TRACE ("ACE_SSL_Context::dh_params");
772
773 if (this->dh_params_.type () != -1)
774 return 0;
775
776 // For now we only support PEM encodings
777 if (type != SSL_FILETYPE_PEM)
778 return -1;
779
780 this->dh_params_ = ACE_SSL_Data_File (file_name, type);
781
782 this->check_context ();
783
784 {
785 // Swiped from Rescorla's examples and the OpenSSL s_server.c app
786 DH * ret = nullptr;
787 BIO * bio = nullptr;
788
789 if ((bio = ::BIO_new_file (this->dh_params_.file_name (), "r")) == 0)
790 {
791 this->dh_params_ = ACE_SSL_Data_File ();
792 return -1;
793 }
794
795 ret = PEM_read_bio_DHparams (bio, 0, 0, 0);
796 BIO_free (bio);
797
798 if (ret == 0)
799 {
800 this->dh_params_ = ACE_SSL_Data_File ();
801 return -1;
802 }
803
804 if (::SSL_CTX_set_tmp_dh (this->context_, ret) < 0)
805 {
806 this->dh_params_ = ACE_SSL_Data_File ();
807 return -1;
808 }
809 DH_free (ret);
810 }
811
812 return 0;
813 }
814
815 // ****************************************************************
816 ACE_SINGLETON_TEMPLATE_INSTANTIATE(ACE_Unmanaged_Singleton, ACE_SSL_Context, ACE_SYNCH_MUTEX)
817
818 ACE_END_VERSIONED_NAMESPACE_DECL