1 // -*- Mode: C++; -*-
2 //                            Package   : omniORB
3 // sslContext.h               Created on: 29 May 2001
4 //                            Author    : Sai Lai Lo (sll)
5 //
6 //    Copyright (C) 2005-2012 Apasphere Ltd
7 //    Copyright (C) 2001      AT&T Laboratories Cambridge
8 //
9 //    This file is part of the omniORB library
10 //
11 //    The omniORB library is free software; you can redistribute it and/or
12 //    modify it under the terms of the GNU Lesser General Public
13 //    License as published by the Free Software Foundation; either
14 //    version 2.1 of the License, or (at your option) any later version.
15 //
16 //    This library is distributed in the hope that it will be useful,
17 //    but WITHOUT ANY WARRANTY; without even the implied warranty of
18 //    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
19 //    Lesser General Public License for more details.
20 //
21 //    You should have received a copy of the GNU Lesser General Public
22 //    License along with this library. If not, see http://www.gnu.org/licenses/
23 //
24 //
25 // Description:
26 //	*** PROPRIETARY INTERFACE ***
27 //
28 
29 #ifndef __SSLCONTEXT_H__
30 #define __SSLCONTEXT_H__
31 
32 #include <omniORB4/linkHacks.h>
33 
// Presumably forces the SSL transport's object file (omnisslTP) to be pulled
// in at link time even when nothing else references it; OMNI_FORCE_LINK
// itself is defined in omniORB4/linkHacks.h, included above.
OMNI_FORCE_LINK(omnisslTP);
35 
36 
// _core_attr is a header-local helper macro that decorates the static data
// members of sslContext for export/import. It is #undef'd at the bottom of
// this header, so it must not already exist when we reach this point.
#if defined(_core_attr)
# error "A local CPP macro _core_attr has already been defined."
#endif

#ifdef _OMNIORB_SSL_LIBRARY
   // Compiling the SSL transport library itself: plain definitions.
#  define _core_attr
#else
   // Compiling code that links against the library. _OMNIORB_NTDLL_IMPORT is
   // a project macro defined elsewhere; presumably it expands to the DLL
   // import attribute on Windows and to nothing on other platforms.
#  define _core_attr _OMNIORB_NTDLL_IMPORT
#endif

// Older OpenSSL headers (via des.h) historically define a function-like
// macro named `crypt` that collides with the libc crypt(3) declaration.
// Shadow the name while the OpenSSL header is pulled in, then drop the shadow
// so the rest of the translation unit sees the ordinary identifier.
#define crypt _openssl_broken_crypt
#include <openssl/ssl.h>
#undef crypt
50 
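// Forward declaration of the transport initialiser. sslContext below names
// it as a friend, presumably so it can reach the protected constructor when
// building the singleton from the static parameters.
// (The source line as extracted showed the OMNI_NAMESPACE_BEGIN invocation
// twice on one line; a doubled invocation would open the namespace twice or
// fail to compile, so exactly one opening is emitted here.)
OMNI_NAMESPACE_BEGIN(omni)
  class omni_sslTransport_initialiser;
OMNI_NAMESPACE_END(omni)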
54 
class sslContext {
  // Owner of the OpenSSL SSL_CTX that omniORB's SSL transport uses for the
  // connections it opens and accepts. A context is configured either from
  // the static parameters below (the singleton path) or by subclassing and
  // overriding the protected set_*() hooks. Most applications only need to
  // set the four static file/password parameters before ORB initialisation;
  // the remaining hooks have defaults, but several of those defaults are
  // permissive by modern standards -- see the NOTE(review) comments.
 public:
  // Construct a context from an explicit CA file, key file and key password.
  // The members pd_cafile/pd_keyfile/pd_password are plain pointers, so the
  // strings are presumably retained rather than copied -- keep them alive for
  // the lifetime of the object (confirm in sslContext.cc).
  sslContext(const char* cafile, const char* keyfile, const char* password);

  // Non-owning access to the underlying OpenSSL context. Presumably released
  // by ~sslContext, after which the returned pointer is dangling.
  SSL_CTX* get_SSL_CTX() const { return pd_ctx; }

  // These parameters must be set or else the default way to
  // initialise a sslContext singleton will not be used.
  // NOTE(review): key_file_password points at the cleartext key password and
  // the string it references typically lives as long as the process; load it
  // at start-up from a protected source rather than hard-coding it.
  static _core_attr const char* certificate_authority_file; // In PEM format
  static _core_attr const char* certificate_authority_path; // Path
  static _core_attr const char* key_file;                   // In PEM format
  static _core_attr const char* key_file_password;

  // These parameters can be overridden to adjust the verify mode and
  // verify callback passed to SSL_CTX_set_verify and the info
  // callback passed to SSL_CTX_set_info_callback.
  // NOTE(review): with SSL_CTX_set_verify, the callback's return value is the
  // final word on whether a peer certificate is accepted. A callback that
  // ignores its first argument (OpenSSL's own pre-verification result) and
  // returns 1 silently disables certificate validation; any override must
  // propagate that result, or only relax it for a deliberately chosen error.
  static _core_attr int         verify_mode;
  static _core_attr int       (*verify_callback)(int, X509_STORE_CTX*);

  // Diagnostic hook invoked by OpenSSL on handshake state changes and alerts.
  static _core_attr void      (*info_callback)(const SSL *s,
                                               int where, int ret);

  // If this parameter is false (the default), interceptor
  // peerdetails() calls return an X509*. If set true, the calls
  // return a pointer to an sslContext::PeerDetails object.
  static _core_attr CORBA::Boolean full_peerdetails;

  // Per-connection view of the peer, handed to interceptors when
  // full_peerdetails is true.
  class PeerDetails {
  public:
    // s: the connection's SSL object; c: the peer certificate (presumably
    // NULL when the peer presented none -- not enforced here); v: whether
    // verification succeeded, presumably taken from the handshake result.
    inline PeerDetails(SSL* s, X509* c, CORBA::Boolean v)
      : pd_ssl(s), pd_cert(c), pd_verified(v) {}

    // Defined out of line. Whether it releases pd_cert (X509_free) or pd_ssl
    // is not visible in this header -- check sslContext.cc before retaining
    // the pointers returned by cert()/ssl().
    // NOTE(review): no copy constructor/assignment is declared, so the class
    // is copyable by default; if the destructor frees anything, copying a
    // PeerDetails would double-free. Consider declaring both as private.
    ~PeerDetails();

    inline SSL*           ssl()      { return pd_ssl; }
    inline X509*          cert()     { return pd_cert; }
    // Callers that make authorisation decisions on the certificate's identity
    // must check this first; cert() alone does not imply it was validated.
    inline CORBA::Boolean verified() { return pd_verified; }

  private:
    SSL*           pd_ssl;
    X509*          pd_cert;
    CORBA::Boolean pd_verified;
  };

  // sslContext singleton object. Process-wide instance used by the transport
  // when the application does not install its own.
  static _core_attr sslContext* singleton;

  virtual ~sslContext();

 protected:
  virtual SSL_METHOD* set_method();
  // Default to return SSLv23_method().
  // NOTE(review): OpenSSL >= 1.0.0 declares SSLv23_method() (and TLS_method())
  // as returning const SSL_METHOD*, so overrides on those versions need a
  // const_cast to match this signature. Which protocol versions are actually
  // negotiated is governed by set_supported_versions(), not by this method.

  virtual void set_supported_versions();
  // Default to SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
  // That is only accept TLS.
  // NOTE(review): that default still allows TLS 1.0 and 1.1, both deprecated
  // (RFC 8996). Override and add SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1, or call
  // SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) on OpenSSL >= 1.1.0,
  // to require TLS 1.2 or later.

  virtual void set_CA();
  // Default to read the certificates of the Certificate Authorities in the
  // file named by the static member certificate_authority_file.
  // Whether certificate_authority_path is also consulted by the default is
  // not documented here -- check sslContext.cc.

  virtual void set_certificate();
  // Default to read the certificate of this server from the file named
  // by the static member key_file.

  virtual void set_cipher();
  // Default to call OpenSSL_add_all_algorithms().
  // NOTE(review): that call only registers algorithms; it does not restrict
  // the cipher suites offered, so OpenSSL's compiled-in default list applies.
  // Override and call SSL_CTX_set_cipher_list() (and, on OpenSSL >= 1.1.1,
  // SSL_CTX_set_ciphersuites()) to pin a vetted list.

  virtual void set_privatekey();
  // Default to read the private key of this server from the file named
  // by the static member key_file. Notice that this file also contains
  // the server's certificate.

  virtual void seed_PRNG();
  // On systems that does not provide a /dev/urandom, default to provide
  // a seed for the PRNG using process ID and time of date. This is not
  // a very good seed cryptographically. Secure applications should definitely
  // override this method to provide a better seed.
  // (OpenSSL >= 1.1.0 seeds its own CSPRNG from the OS; the warning matters
  // mainly for older libraries and unusual platforms.)

  virtual void set_DH();
  // No default documented here. Presumably installs Diffie-Hellman parameters
  // for DHE key exchange; if so they should be at least 2048 bits -- verify
  // in sslContext.cc.

  virtual void set_ephemeralRSA();
  // No default documented here. The name suggests it installs a temporary RSA
  // key for the export-grade RSA key exchange (SSL_CTX_set_tmp_rsa_callback,
  // removed in OpenSSL 1.1.0). That mechanism is obsolete; presumably a no-op
  // on current builds -- verify.

  virtual int set_verify_mode();
  // Set the SSL verify mode.
  // Defaults to return SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
  // That default demands a certificate from the peer in both directions
  // (mutual authentication). SSL_VERIFY_FAIL_IF_NO_PEER_CERT only has effect
  // on the server side. Returning SSL_VERIFY_NONE from an override disables
  // peer authentication entirely.

  // Parameterless constructor for subclasses and the transport initialiser
  // (friend below); presumably the path that reads the static members.
  sslContext();

  friend class _OMNI_NS(omni_sslTransport_initialiser);
 private:

  // Presumably install/remove the OpenSSL locking callbacks backed by
  // pd_locks (required for thread-safe use of OpenSSL < 1.1.0); not visible
  // in this header.
  void thread_setup();
  void thread_cleanup();

  // Presumably runs the set_*() hooks above to populate pd_ctx; private, so
  // subclasses customise via the hooks rather than by overriding this.
  virtual void internal_initialise();

  const char*       pd_cafile;    // CA file given to the constructor
  const char*       pd_keyfile;   // key/certificate file given to the constructor
  const char*       pd_password;  // cleartext key password, if any
  SSL_CTX*          pd_ctx;       // the OpenSSL context returned by get_SSL_CTX()
  omni_tracedmutex* pd_locks;     // lock array, presumably for thread_setup()
  CORBA::Boolean    pd_ssl_owner; // meaning inferred from the name only:
                                  // whether this object owns library-level
                                  // OpenSSL setup/teardown -- verify
};
159 
// Keep the helper macro scoped to this header (pairs with the #error guard
// at the top, which refuses to redefine an existing _core_attr).
#undef _core_attr
161 
162 #endif // __SSLCONTEXT_H__
163