00001 /*******************************************************************************
00002 * Copyright (C) 2001-2004 Vintela, Inc. All rights reserved.
00003 * Copyright (C) 2004 Novell, Inc. All rights reserved.
00004 *
00005 * Redistribution and use in source and binary forms, with or without
00006 * modification, are permitted provided that the following conditions are met:
00007 *
00008 *  - Redistributions of source code must retain the above copyright notice,
00009 *    this list of conditions and the following disclaimer.
00010 *
00011 *  - Redistributions in binary form must reproduce the above copyright notice,
00012 *    this list of conditions and the following disclaimer in the documentation
00013 *    and/or other materials provided with the distribution.
00014 *
00015 *  - Neither the name of Vintela, Inc. nor the names of its
00016 *    contributors may be used to endorse or promote products derived from this
00017 *    software without specific prior written permission.
00018 *
00019 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS''
00020 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
00021 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
00022 * ARE DISCLAIMED. IN NO EVENT SHALL Vintela, Inc. OR THE CONTRIBUTORS
00023 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
00024 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
00025 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
00026 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
00027 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
00028 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
00029 * POSSIBILITY OF SUCH DAMAGE.
00030 *******************************************************************************/
00031 
00037 #ifndef OW_SSLCtxMgr_HPP_INCLUDE_GUARD_
00038 #define OW_SSLCtxMgr_HPP_INCLUDE_GUARD_
00039 #include "OW_config.h"
00040 #include "OW_SSLException.hpp"
00041 #include "OW_IntrusiveCountableBase.hpp"
00042 #include "OW_IntrusiveReference.hpp"
00043 #include "OW_Map.hpp"
00044 #ifdef OW_HAVE_OPENSSL
00045 #include "OW_String.hpp"
00046 #include <openssl/crypto.h>
00047 #include <openssl/ssl.h>
00048 #include <openssl/bio.h>
/** Upper bound on the certificate Common Name length this module handles (how it is applied is in OW_SSLCtxMgr.cpp, not visible here). */
#define OW_SSLCTX_MAX_CN_LEN 256
/** Retry budget for SSL I/O — presumably the cap on SSL_read/SSL_write retries in sslRead()/sslWrite(); confirm in OW_SSLCtxMgr.cpp. */
#define OW_SSL_RETRY_LIMIT 20
00051 
00052 namespace OW_NAMESPACE
00053 {
00054 
/**
 * Signature of an application-supplied certificate verification hook.
 * @param cert     Peer certificate presented during the handshake.
 * @param hostName Host name the caller expected; comparing it against the
 *                 certificate is the hook's responsibility.
 * @return Non-zero to accept, zero to reject — NOTE(review): the convention is
 *         inferred from checkCert()'s bool result; confirm against OW_SSLCtxMgr.cpp.
 */
typedef int (*certVerifyFuncPtr_t)(X509* cert, const String& hostName);
00062 
// TODO: Make this class be a singleton.
/**
 * Process-wide holder of the legacy client and server SSL_CTX objects.
 *
 * Everything here is static: one client context, one server context, and the
 * optional application-supplied certificate verification hooks. The newer
 * SSLCtxBase / SSLServerCtx / SSLClientCtx classes further down each carry
 * their own SSL_CTX; SSLCtxBase is declared a friend so it can reuse the
 * private helpers (initCtx, loadDHParams).
 *
 * No synchronisation is visible in this header; unless OW_SSLCtxMgr.cpp adds
 * some, the init, uninit and callback-setter functions must not race with
 * connections in flight — NOTE(review): confirm.
 */
class OW_COMMON_API SSLCtxMgr
{
public:
   /**
    * OpenSSL PEM passphrase callback (SSL_CTX_set_default_passwd_cb signature),
    * used when an encrypted private key file is loaded.
    * @param buf      Buffer that receives the passphrase.
    * @param size     Capacity of buf in bytes.
    * @param rwflag   OpenSSL passes 0 when decrypting (reading), 1 when encrypting.
    * @param userData Opaque pointer registered with OpenSSL (where it is set is in the .cpp).
    * @return Passphrase length written to buf, or 0 / negative to fail (OpenSSL convention).
    */
   static int pem_passwd_cb(char* buf, int size, int rwflag, void *userData);
   /**
    * Verify the certificate the client presented on ssl.
    * Presumably delegates to checkCert() with m_clientCertVerifyCB — confirm in the .cpp.
    * @param ssl      Connection whose peer certificate is checked.
    * @param hostName Expected peer host name, handed to the verify hook.
    * @return true when the certificate is accepted.
    */
   static bool checkClientCert(SSL* ssl, const String& hostName);
   /**
    * Verify the certificate the server presented on ssl; the server-side
    * counterpart of checkClientCert() (presumably using m_serverCertVerifyCB).
    * @param ssl      Connection whose peer certificate is checked.
    * @param hostName Expected server host name, handed to the verify hook.
    * @return true when the certificate is accepted.
    */
   static bool checkServerCert(SSL* ssl, const String& hostName);
   /**
    * Create the process-wide client context (m_ctxClient).
    * @param certFile PEM certificate to present to servers; may be empty.
    * @param keyFile  Matching private key; may be empty. What "empty" means
    *                 for each (no client certificate / key inside certFile)
    *                 is decided in the .cpp.
    */
   static void initClient(const String& certFile = String(), const String& keyFile = String());
   /**
    * Create the process-wide server context (m_ctxServer).
    * @param certFile PEM certificate the server presents — required (no default).
    * @param keyFile  Private key; if empty, presumably read from certFile — confirm.
    */
   static void initServer(const String& certFile, const String& keyFile = String());
   /**
    * @return The server context, or NULL before initServer() / after uninit().
    *         The pointer stays owned by SSLCtxMgr; callers must not free it.
    */
   static SSL_CTX* getSSLCtxServer()
   {
      return m_ctxServer;
   }
   /**
    * @return The client context, or NULL before initClient() / after uninit().
    *         The pointer stays owned by SSLCtxMgr; callers must not free it.
    */
   static SSL_CTX* getSSLCtxClient()
   {
      return m_ctxClient;
   }
   /**
    * Read from ssl into buf, presumably retrying transient results up to
    * OW_SSL_RETRY_LIMIT times — confirm in the .cpp.
    * @param ssl Connection to read from.
    * @param buf Destination buffer.
    * @param len Capacity of buf in bytes.
    * @return Bytes read; the error convention (negative / zero) is defined in the .cpp.
    */
   static int sslRead(SSL* ssl, char* buf, int len);
   /**
    * Write len bytes from buf to ssl; the write-side counterpart of sslRead().
    * @param ssl Connection to write to.
    * @param buf Source buffer.
    * @param len Number of bytes to write.
    * @return Bytes written; error convention as for sslRead().
    */
   static int sslWrite(SSL* ssl, const char* buf, int len);
   /** @return true once the client context exists (m_ctxClient is non-NULL). */
   static bool isClient() { return m_ctxClient != NULL; }
   /** @return true once the server context exists (m_ctxServer is non-NULL). */
   static bool isServer() { return m_ctxServer != NULL; }
   /**
    * Install (or replace) the hook consulted when a client certificate is checked.
    * @param cbfunc Hook; stored as-is in m_clientCertVerifyCB.
    */
   static void setClientCertVerifyCallback(certVerifyFuncPtr_t cbfunc)
      { m_clientCertVerifyCB = cbfunc; }
   /**
    * Install (or replace) the hook consulted when a server certificate is checked.
    * @param cbfunc Hook; stored as-is in m_serverCertVerifyCB.
    */
   static void setServerCertVerifyCallback(certVerifyFuncPtr_t cbfunc)
      { m_serverCertVerifyCB = cbfunc; }
   // set type to NOT_INIT and free memory.
   static void uninit();
   /**
    * Install an ephemeral RSA key on ctx.
    * NOTE(review): temporary RSA keys serve the export-grade (RSA_EXPORT) key
    * exchange, which is deprecated; check whether the configured cipher list
    * can still reach it before counting this as part of the security boundary.
    * @param ctx Context to configure.
    */
   static void generateEphRSAKey(SSL_CTX* ctx);

   /** @return Text describing the most recent OpenSSL error(s); the exact source is in the .cpp. */
   static String getOpenSSLErrorDescription();

private:

   friend class SSLCtxBase;

   static SSL_CTX* m_ctxClient;                     ///< NULL until a client context is created.
   static SSL_CTX* m_ctxServer;                     ///< NULL until a server context is created.
   static certVerifyFuncPtr_t m_clientCertVerifyCB; ///< Hook set by setClientCertVerifyCallback().
   static certVerifyFuncPtr_t m_serverCertVerifyCB; ///< Hook set by setServerCertVerifyCallback().
   /**
    * Build a context from a certificate and key file; presumably shared by
    * initClient()/initServer() and, through the friend declaration, by SSLCtxBase.
    */
   static SSL_CTX* initCtx(const String& certfile, const String& keyfile);
   /** Load Diffie-Hellman parameters from file into ctx. */
   static void loadDHParams(SSL_CTX* ctx, const String& file);
   static void uninitServer();   ///< Presumably frees m_ctxServer.
   static void uninitClient();   ///< Presumably frees m_ctxClient.

   // don't allow instantiation
   SSLCtxMgr();
   SSLCtxMgr(const SSLCtxMgr&);
   SSLCtxMgr& operator=(const SSLCtxMgr&);

   /**
    * Common verification step behind checkClientCert() / checkServerCert().
    * @param cbFunc Hook to consult (NULL handling is decided in the .cpp).
    */
   static bool checkCert(SSL* ssl, const String& hostName, certVerifyFuncPtr_t cbFunc);
};
00199 
/**
 * Construction parameters for SSLServerCtx / SSLClientCtx.
 */
struct OW_COMMON_API SSLOpts
{
   /** Sets the defaults; their values (including verifyMode) live in the .cpp and are not visible here. */
   SSLOpts();
   String certfile;    ///< Path of the PEM certificate to present.
   String keyfile;     ///< Path of the private key; an empty value presumably means the key is in certfile — confirm.
   String trustStore;  ///< Location presumably handed to SSLTrustStore for peer-certificate lookup — confirm.
   /**
    * Peer-certificate handling during the handshake. The names suggest:
    * DISABLED — no verification; REQUIRED — a verifying certificate is mandatory;
    * OPTIONAL — verified if presented, absence accepted; AUTOUPDATE — unknown
    * certificates are added to the trust store. The real semantics are in the
    * .cpp — NOTE(review): confirm; if AUTOUPDATE does what its name suggests it
    * is trust-on-first-use and should not be the default.
    */
   enum VerifyMode_t
   {
      MODE_DISABLED,
      MODE_REQUIRED,
      MODE_OPTIONAL,
      MODE_AUTOUPDATE
   };
   VerifyMode_t verifyMode;  ///< Selected mode; see VerifyMode_t.
};
00216 
00217 
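/**
 * Owner of one SSL_CTX configured from an SSLOpts (certificate, key, trust
 * store and verification mode). Not usable directly — construct SSLServerCtx
 * or SSLClientCtx.
 *
 * Ownership: m_ctx is an owning raw pointer (presumably created in the
 * constructor and released in the virtual destructor — confirm in
 * OW_SSLCtxMgr.cpp). Copying is disabled for that reason: a copy would share
 * the pointer and the second destructor would free it again. This mirrors the
 * "don't allow instantiation" idiom SSLCtxMgr already uses.
 */
class OW_COMMON_API SSLCtxBase
{
public:
   /** @return The underlying context. It stays owned by this object; do not free it. */
   SSL_CTX* getSSLCtx() const;

protected:
   /**
    * Build the context from opts. Declared explicit so an SSLOpts is never
    * silently converted into a context.
    * @param opts Certificate/key/trust-store paths and verification mode.
    * @throws SSLException presumably, on OpenSSL failure — confirm in the .cpp
    *         (this header includes OW_SSLException.hpp).
    */
   explicit SSLCtxBase(const SSLOpts& opts);
   virtual ~SSLCtxBase();
   SSL_CTX* m_ctx;   ///< Owned; see class comment.

private:
   // not copyable: m_ctx is an owning raw pointer (see class comment)
   SSLCtxBase(const SSLCtxBase&);
   SSLCtxBase& operator=(const SSLCtxBase&);
};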
00229 
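/**
 * Server-side SSL_CTX, reference counted — hold it through SSLServerCtxRef.
 */
class OW_COMMON_API SSLServerCtx : public SSLCtxBase, public IntrusiveCountableBase
{
public:
   /**
    * Build a server context. Declared explicit so an SSLOpts is never
    * silently converted into a context.
    * @param opts Server configuration (certificate/key shown to peers, trust store, verify mode).
    */
   explicit SSLServerCtx(const SSLOpts& opts);
   /**
    * Slot presumably used with SSL_set_ex_data / SSL_get_ex_data for the
    * per-connection OWSSLContext declared below — confirm in the .cpp.
    * NOTE(review): if so, a hard-coded 0 can collide with other users of SSL
    * ex_data in the same process; SSL_get_ex_new_index() is the allocation API.
    */
   static const int SSL_DATA_INDEX = 0;
};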
00237 
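/**
 * Client-side SSL_CTX, reference counted — hold it through SSLClientCtxRef.
 */
class OW_COMMON_API SSLClientCtx : public SSLCtxBase, public IntrusiveCountableBase
{
public:
   /**
    * Build a client context. Declared explicit so an SSLOpts is never
    * silently converted into a context; the default still allows SSLClientCtx().
    * @param opts Client configuration. The default SSLOpts() has empty
    *             certificate/key paths and whatever verifyMode SSLOpts::SSLOpts()
    *             sets (not visible here).
    */
   explicit SSLClientCtx(const SSLOpts& opts = SSLOpts());
};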
00244 
/**
 * Reference-counted handles; the contexts derive from IntrusiveCountableBase,
 * so hold them through these rather than raw pointers. (The same typedefs are
 * repeated after the #endif at the end of this header; the duplicate is harmless.)
 */
typedef IntrusiveReference<SSLServerCtx> SSLServerCtxRef;
typedef IntrusiveReference<SSLClientCtx> SSLClientCtxRef;
00247 
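/**
 * Persistent store of trusted peer certificates and the user each maps to.
 *
 * m_store / m_mapfile are filesystem locations and m_map is the in-memory
 * certificate-hash -> UserInfo mapping, loaded by readMap() and flushed by
 * writeMap() (implementation in OW_SSLCtxMgr.cpp).
 *
 * NOTE(review): the only fingerprint helper declared here is MD5-based. MD5 is
 * not collision resistant, so if getUser() is keyed on that fingerprint two
 * distinct certificates can in principle share a key; treat the mapping as an
 * identity hint backed by chain verification, not as proof of identity alone.
 */
class OW_COMMON_API SSLTrustStore: public IntrusiveCountableBase
{
public:
   /**
    * Open the store at storeLocation (whether it is created when missing is
    * decided in the .cpp). Declared explicit so a bare String cannot silently
    * become a trust store.
    * @param storeLocation Directory or file path of the store.
    */
   explicit SSLTrustStore(const String& storeLocation);
   /**
    * Record cert as trusted for the given user.
    * @param cert Certificate to store; ownership is assumed to stay with the caller — confirm.
    * @param user User name associated with the certificate.
    * @param uid  User id associated with the certificate.
    */
   void addCertificate(X509* cert, const String& user, const String& uid);
   /**
    * Look up the user recorded for a certificate.
    * @param certhash Certificate identifier — presumably the value
    *                 getCertMD5Fingerprint() returns; confirm.
    * @param user     Receives the user name on success.
    * @param uid      Receives the user id on success.
    * @return true when certhash is known, false otherwise (presumably; the .cpp decides).
    */
   bool getUser(const String& certhash, String& user, String& uid);

   /** @return The MD5 fingerprint of cert as a String (text format defined in the .cpp). */
   static String getCertMD5Fingerprint(X509* cert);
private:
   String m_store;     ///< Store location (presumably the constructor argument).
   String m_mapfile;   ///< File holding the certificate -> user mapping (derivation from m_store is in the .cpp).
   /** Value side of the mapping. */
   struct UserInfo
   {
      String user;
      String uid;
   };

#ifdef OW_WIN32
#pragma warning (push)
#pragma warning (disable: 4251)   // MSVC: member of exported class lacks a DLL interface
#endif

   Map<String, UserInfo> m_map;   ///< In-memory mapping, keyed by certificate hash.

#ifdef OW_WIN32
#pragma warning (pop)
#endif

   void readMap();    ///< Load m_map from m_mapfile.
   void writeMap();   ///< Persist m_map to m_mapfile.

};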
00281 
/** Reference-counted handle to an SSLTrustStore. */
typedef IntrusiveReference<SSLTrustStore> SSLTrustStoreRef;
00284 
/**
 * Per-connection state, presumably attached to an SSL object via ex_data at
 * SSLServerCtx::SSL_DATA_INDEX — confirm in the .cpp.
 */
struct OW_COMMON_API OWSSLContext
{
   /**
    * Outcome of peer-certificate verification for this connection. The names
    * suggest: NONE — not (yet) verified; PASS — accepted; FAIL — rejected.
    */
   enum CertVerifyState_t
   {
      VERIFY_NONE,
      VERIFY_PASS,
      VERIFY_FAIL
   };
    OWSSLContext();
    ~OWSSLContext();
    CertVerifyState_t peerCertPassedVerify;   ///< Current state; anything other than VERIFY_PASS should be treated as unverified.
};
00297 
00299 
00300 
00301 #else // ifdef OW_HAVE_OPENSSL
00302 
00303 namespace OW_NAMESPACE
00304 {
00305 
/** Stub used when OpenSSL is not available: no SSL_CTX and no operations. */
class OW_COMMON_API SSLServerCtx : public IntrusiveCountableBase
{
};
00309 
/** Stub used when OpenSSL is not available: no SSL_CTX and no operations. */
class OW_COMMON_API SSLClientCtx : public IntrusiveCountableBase
{
};
00313 
00314 #endif // ifdef OW_HAVE_OPENSSL
00315 
/** Reference-counted handles, declared for both the OpenSSL and the stub build (in the OpenSSL build these repeat the typedefs above). */
typedef IntrusiveReference<SSLServerCtx> SSLServerCtxRef;
typedef IntrusiveReference<SSLClientCtx> SSLClientCtxRef;
00318 
00319 } // end namespace OW_NAMESPACE
00320 
00321 
00322 #endif
