Add logs for TFO succeded

[folly.git] / folly / io / async / SSLContext.h

diff --git a/folly/io/async/SSLContext.h b/folly/io/async/SSLContext.h
index 65b572cfeaa4dcefeea5b3e6eaaebd71f22cb35e..a8f18620e47377de4a71d993adcce9fcd641e0d3 100644 (file)
--- a/folly/io/async/SSLContext.h
+++ b/folly/io/async/SSLContext.h
@@ -24,19 +24,18 @@
 #include <string>
 #include <random>
 
+// This has to come before SSL.
+#include <folly/portability/Sockets.h>
+
 #include <openssl/ssl.h>
 #include <openssl/tls1.h>
 
-#include <sys/socket.h>
-#include <netinet/in.h>
-
 #include <glog/logging.h>
 
 #ifndef FOLLY_NO_CONFIG
 #include <folly/folly-config.h>
 #endif
 
-#include <folly/Random.h>
 #include <folly/Range.h>
 #include <folly/io/async/ssl/OpenSSLPtrTypes.h>
 #include <folly/io/async/ssl/OpenSSLUtils.h>
@@ -59,7 +58,7 @@ class PasswordCollector {
    * @param password Pass collected password back to OpenSSL
    * @param size     Maximum length of password including nullptr character
    */
-  virtual void getPassword(std::string& password, int size) = 0;
+  virtual void getPassword(std::string& password, int size) const = 0;
 
   /**
    * Return a description of this collector for logging purposes
@@ -134,12 +133,46 @@ class SSLContext {
    */
   virtual void ciphers(const std::string& ciphers);
 
+  /**
+   * Set default ciphers to be used in SSL handshake process.
+   *
+   * @param ciphers A list of ciphers to use for TLS.
+   */
+  virtual void setCipherList(const std::vector<std::string>& ciphers);
+
   /**
    * Low-level method that attempts to set the provided ciphers on the
    * SSL_CTX object, and throws if something goes wrong.
    */
   virtual void setCiphersOrThrow(const std::string& ciphers);
 
+  /**
+   * Sets the signature algorithms to be used during SSL negotiation
+   * for TLS1.2+
+   *
+   * @param sigalgs A list of signature algorithms, eg. RSA+SHA512
+   */
+  void setSignatureAlgorithms(const std::vector<std::string>& sigalgs);
+
+  /**
+   * Sets the list of EC curves supported by the client.
+   *
+   * @param ecCurves A list of ec curves, eg: P-256
+   */
+  void setClientECCurvesList(const std::vector<std::string>& ecCurves);
+
+  /**
+   * Method to add support for a specific elliptic curve encryption algorithm.
+   *
+   * @param curveName: The name of the ec curve to support, eg: prime256v1.
+   */
+  void setServerECCurve(const std::string& curveName);
+
+  /**
+   * Sets an x509 verification param on the context.
+   */
+  void setX509VerifyParam(const ssl::X509VerifyParam& x509VerifyParam);
+
   /**
    * Method to set verification option in the context object.
    *
@@ -431,11 +464,14 @@ class SSLContext {
 
   /**
    * We want to vary which cipher we'll use based on the client's TLS version.
+   *
+   * XXX: The refernces to tls11CipherString and tls11AltCipherlist are reused
+   * for * each >= TLS 1.1 handshake, so we expect these fields to not change.
    */
   void switchCiphersIfTLS11(
-    SSL* ssl,
-    const std::string& tls11CipherString
-  );
+      SSL* ssl,
+      const std::string& tls11CipherString,
+      const std::vector<std::pair<std::string, int>>& tls11AltCipherlist);
 
   bool checkPeerName() { return checkPeerName_; }
   std::string peerFixedName() { return peerFixedName_; }
@@ -491,6 +527,9 @@ class SSLContext {
 
   static bool initialized_;
 
+  // To provide control over choice of server ciphersuites
+  std::unique_ptr<std::discrete_distribution<int>> cipherListPicker_;
+
 #ifdef OPENSSL_NPN_NEGOTIATED
 
   struct AdvertisedNextProtocolsItem {
@@ -504,7 +543,6 @@ class SSLContext {
   std::vector<AdvertisedNextProtocolsItem> advertisedNextProtocols_;
   std::vector<int> advertisedNextProtocolWeights_;
   std::discrete_distribution<int> nextProtocolDistribution_;
-  Random::DefaultGenerator nextProtocolPicker_;
 
   static int sNextProtocolsExDataIndex_;