1 // -*- Mode: C++; -*-
2 // Package : omniORB
3 // sslContext.h Created on: 29 May 2001
4 // Author : Sai Lai Lo (sll)
5 //
6 // Copyright (C) 2005-2012 Apasphere Ltd
7 // Copyright (C) 2001 AT&T Laboratories Cambridge
8 //
9 // This file is part of the omniORB library
10 //
11 // The omniORB library is free software; you can redistribute it and/or
12 // modify it under the terms of the GNU Lesser General Public
13 // License as published by the Free Software Foundation; either
14 // version 2.1 of the License, or (at your option) any later version.
15 //
16 // This library is distributed in the hope that it will be useful,
17 // but WITHOUT ANY WARRANTY; without even the implied warranty of
18 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 // Lesser General Public License for more details.
20 //
21 // You should have received a copy of the GNU Lesser General Public
22 // License along with this library. If not, see http://www.gnu.org/licenses/
23 //
24 //
25 // Description:
26 // *** PROPRIETARY INTERFACE ***
27 //
28
29 #ifndef __SSLCONTEXT_H__
30 #define __SSLCONTEXT_H__
31
32 #include <omniORB4/linkHacks.h>
33
// Presumably pulls the SSL transport's object file into the link even when
// nothing else references it (macro from omniORB4/linkHacks.h) — confirm.
OMNI_FORCE_LINK(omnisslTP);


// _core_attr marks the static data members of sslContext below. It is a
// file-local macro (undefined again at the end of this header), so refuse
// to proceed if something else has already defined it.
#ifdef _core_attr
# error "A local CPP macro _core_attr has already been defined."
#endif

// When building the SSL library itself the members are plain definitions;
// everyone else gets _OMNIORB_NTDLL_IMPORT (from the name, presumably a
// Windows DLL-import attribute that expands to nothing elsewhere — confirm).
#if defined(_OMNIORB_SSL_LIBRARY)
# define _core_attr
#else
# define _core_attr _OMNIORB_NTDLL_IMPORT
#endif

// The OpenSSL headers (directly or via their includes) can declare a
// function called crypt — presumably clashing with the libc crypt(3)
// declaration. Rename it for the duration of the include only.
#define crypt _openssl_broken_crypt
#include <openssl/ssl.h>
#undef crypt
50
// Forward declaration of the transport initialiser that sslContext below
// grants friend access to (it needs the protected default constructor).
OMNI_NAMESPACE_BEGIN(omni)
class omni_sslTransport_initialiser;
OMNI_NAMESPACE_END(omni)
54
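// Wraps one OpenSSL SSL_CTX together with the policy hooks (CA, certificate,
// key, versions, verification) that build it. Applications customise the
// policy either through the public static parameters or by subclassing and
// overriding the protected virtual set_* methods.
class sslContext {
public:
  // Construct a context from explicit file names instead of the static
  // parameters below. The arguments are kept as raw pointers (see
  // pd_cafile/pd_keyfile/pd_password); whether the implementation copies the
  // strings is not visible here — assume they must outlive this object.
  sslContext(const char* cafile, const char* keyfile, const char* password);

  // The underlying OpenSSL context. The sslContext keeps ownership of it;
  // callers must not free the returned pointer.
  SSL_CTX* get_SSL_CTX() const { return pd_ctx; }

  // These parameters must be set, otherwise the default way of
  // initialising the sslContext singleton will not be used.
  static _core_attr const char* certificate_authority_file; // In PEM format
  static _core_attr const char* certificate_authority_path; // Path
  static _core_attr const char* key_file;                   // In PEM format
  static _core_attr const char* key_file_password;

  // These parameters can be overridden to adjust the verify mode and
  // verify callback passed to SSL_CTX_set_verify and the info
  // callback passed to SSL_CTX_set_info_callback.
  // NOTE(review): verify_mode only governs certificate-chain verification;
  // nothing in this header matches the peer certificate against an expected
  // identity (hostname). If that is required, do it in verify_callback or
  // in a subclass.
  static _core_attr int verify_mode;
  static _core_attr int (*verify_callback)(int, X509_STORE_CTX*);

  static _core_attr void (*info_callback)(const SSL *s, int where, int ret);

  // If this parameter is false (the default), interceptor peerdetails()
  // calls return an X509*. If set true, the calls return a pointer to an
  // sslContext::PeerDetails object.
  static _core_attr CORBA::Boolean full_peerdetails;

  // What an interceptor learns about the remote end of one connection when
  // full_peerdetails is true: the SSL session, the peer certificate and
  // whether that certificate was verified.
  class PeerDetails {
  public:
    inline PeerDetails(SSL* s, X509* c, CORBA::Boolean v)
      : pd_ssl(s), pd_cert(c), pd_verified(v) {}

    // Defined out of line; whether it releases pd_cert is not visible here,
    // so do not keep the X509* beyond the lifetime of the PeerDetails.
    ~PeerDetails();

    // Accessors are const: reading them never changes the object (callers
    // holding a non-const PeerDetails are unaffected by this).
    inline SSL*           ssl()      const { return pd_ssl; }
    inline X509*          cert()     const { return pd_cert; }
    // With the default verify mode an unverified peer should not have
    // completed the handshake, but a custom verify_mode/verify_callback can
    // admit one — consult this flag before trusting cert().
    inline CORBA::Boolean verified() const { return pd_verified; }

  private:
    SSL*           pd_ssl;
    X509*          pd_cert;
    CORBA::Boolean pd_verified;
  };

  // sslContext singleton object.
  static _core_attr sslContext* singleton;

  virtual ~sslContext();

protected:
  virtual SSL_METHOD* set_method();
  // Default to return SSLv23_method(). (Since OpenSSL 1.0.0 that function
  // returns a const SSL_METHOD*; the non-const return type is kept here so
  // existing overrides keep compiling.)

  virtual void set_supported_versions();
  // Default to SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
  // that is, only accept TLS. This default leaves TLS 1.0 and 1.1 enabled;
  // a deployment that must refuse them should override this method and
  // additionally set SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1.

  virtual void set_CA();
  // Default to read the certificates of the Certificate Authorities from
  // the file named by the static member certificate_authority_file.
  // (certificate_authority_path is declared above; whether the default also
  // uses it is not visible here — confirm in the implementation.)

  virtual void set_certificate();
  // Default to read the certificate of this server from the file named
  // by the static member key_file.

  virtual void set_cipher();
  // Default to call OpenSSL_add_all_algorithms().

  virtual void set_privatekey();
  // Default to read the private key of this server from the file named
  // by the static member key_file. Notice that this file also contains
  // the server's certificate. key_file_password is presumably used to
  // decrypt an encrypted key — confirm in the implementation.

  virtual void seed_PRNG();
  // On systems that do not provide a /dev/urandom, the default seeds the
  // PRNG from the process ID and the time of day. Such a seed is
  // predictable and not cryptographically sound; secure applications should
  // definitely override this method and seed from an OS entropy source
  // (e.g. feeding RAND_add / RAND_seed).

  virtual void set_DH();
  // No default documented here; from the name, presumably installs the
  // Diffie-Hellman parameters used for DHE key exchange — see the
  // implementation.

  virtual void set_ephemeralRSA();
  // No default documented here. Ephemeral (export-grade) RSA key exchange
  // and its callback were removed in OpenSSL 1.1.0, so against such builds
  // an override may have nothing to act on — confirm in the implementation.

  virtual int set_verify_mode();
  // Set the SSL verify mode.
  // Defaults to return SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
  // i.e. the peer must present a certificate that chains to a trusted CA.
  // FAIL_IF_NO_PEER_CERT only has an effect on the server side (a client
  // always receives the server's certificate).

  // Default constructor for subclasses and for the transport initialiser
  // (friend below), which presumably builds the singleton from the static
  // parameters above — confirm.
  sslContext();

  friend class _OMNI_NS(omni_sslTransport_initialiser);
private:

  // From the names and pd_locks, presumably install/remove the
  // application-supplied locking callbacks that OpenSSL before 1.1.0
  // requires for thread safety — confirm.
  void thread_setup();
  void thread_cleanup();

  virtual void internal_initialise();

  const char*       pd_cafile;
  const char*       pd_keyfile;
  const char*       pd_password;
  SSL_CTX*          pd_ctx;
  omni_tracedmutex* pd_locks;
  // Presumably records whether this object must free pd_ctx on
  // destruction — confirm against the implementation.
  CORBA::Boolean    pd_ssl_owner;
};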
159
160 #undef _core_attr
161
162 #endif // __SSLCONTEXT_H__
163