X-Git-Url: http://plrg.eecs.uci.edu/git/?a=blobdiff_plain;f=folly%2Fio%2Fasync%2FSSLContext.h;h=c8db033eb525e780599c920642e560e0bfba1b9e;hb=fbc4c23895b0ee3874d9a36401d580a2a8957ba9;hp=65b572cfeaa4dcefeea5b3e6eaaebd71f22cb35e;hpb=1e9f346577617277df9d866d908acc1e2baf7709;p=folly.git
diff --git a/folly/io/async/SSLContext.h b/folly/io/async/SSLContext.h
index 65b572cf..c8db033e 100644
--- a/folly/io/async/SSLContext.h
+++ b/folly/io/async/SSLContext.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016 Facebook, Inc.
+ * Copyright 2017 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -16,19 +16,13 @@
 #pragma once
-#include
 #include
 #include
-#include
 #include
-#include
+#include
 #include
-
-#include
-#include
-
-#include
-#include
+#include
+#include
 #include
@@ -36,10 +30,13 @@
 #include
 #endif
-#include
+#include
 #include
-#include
+#include
 #include
+#include
+#include
+#include
 namespace folly {
@@ -59,7 +56,7 @@ class PasswordCollector {
 * @param password Pass collected password back to OpenSSL
 * @param size Maximum length of password including nullptr character
 */
- virtual void getPassword(std::string& password, int size) = 0;
+ virtual void getPassword(std::string& password, int size) const = 0;
 /**
 * Return a description of this collector for logging purposes
@@ -72,11 +69,11 @@ class PasswordCollector {
 */
 class SSLContext {
 public:
-
 enum SSLVersion {
- SSLv2,
- SSLv3,
- TLSv1
+ SSLv2,
+ SSLv3,
+ TLSv1, // support TLS 1.0+
+ TLSv1_2, // support for only TLS 1.2+
 };
 /**
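Review bot: Adding `const` to the pure virtual `getPassword` in the `@@ -59` hunk changes the override signature, so any existing `PasswordCollector` subclass that declares a non-const `getPassword` no longer overrides it and becomes abstract; that is a source-breaking change worth stating in the commit description. While this declaration is being touched, the `@param size` line just above it says "including nullptr character"; the byte it means is the terminating NUL, not `nullptr`, so `@param size Maximum length of password including the terminating NUL character` would read correctly. The class body continues outside the hunk.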
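Review bot: The new enumerator comments in the `@@ -72` hunk document only the TLS entries, while `SSLv2` and `SSLv3` are re-added without any note, although both protocols are long deprecated and the `TLSv1` comment ("support TLS 1.0+") sets up a minimum-version convention a reader will expect on every entry. A one-line comment on each, e.g. `SSLv2, // deprecated protocol; prefer TLSv1_2`, would make the intended use explicit. Whether selecting these values still negotiates those protocol versions is not visible from this header and should be confirmed against the implementation before the comment is finalized.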
@@ -140,6 +137,78 @@ class SSLContext {
 */
 virtual void setCiphersOrThrow(const std::string& ciphers);
+ /**
+ * Set default ciphers to be used in SSL handshake process.
+ */
+
+ template
+ void setCipherList(Iterator ibegin, Iterator iend) {
+ if (ibegin != iend) {
+ std::string opensslCipherList;
+ folly::join(":", ibegin, iend, opensslCipherList);
+ setCiphersOrThrow(opensslCipherList);
+ }
+ }
+
+ template
+ void setCipherList(const Container& cipherList) {
+ using namespace std;
+ setCipherList(begin(cipherList), end(cipherList));
+ }
+
+ template
+ void setCipherList(const std::initializer_list& cipherList) {
+ setCipherList(cipherList.begin(), cipherList.end());
+ }
+
+ /**
+ * Sets the signature algorithms to be used during SSL negotiation
+ * for TLS1.2+.
+ */
+
+ template
+ void setSignatureAlgorithms(Iterator ibegin, Iterator iend) {
+ if (ibegin != iend) {
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+ std::string opensslSigAlgsList;
+ join(":", ibegin, iend, opensslSigAlgsList);
+ if (!SSL_CTX_set1_sigalgs_list(ctx_, opensslSigAlgsList.c_str())) {
+ throw std::runtime_error("SSL_CTX_set1_sigalgs_list " + getErrors());
+ }
+#endif
+ }
+ }
+
+ template
+ void setSignatureAlgorithms(const Container& sigalgs) {
+ using namespace std;
+ setSignatureAlgorithms(begin(sigalgs), end(sigalgs));
+ }
+
+ template
+ void setSignatureAlgorithms(const std::initializer_list& sigalgs) {
+ setSignatureAlgorithms(sigalgs.begin(), sigalgs.end());
+ }
+
+ /**
+ * Sets the list of EC curves supported by the client.
+ *
+ * @param ecCurves A list of ec curves, eg: P-256
+ */
+ void setClientECCurvesList(const std::vector& ecCurves);
+
+ /**
+ * Method to add support for a specific elliptic curve encryption algorithm.
+ *
+ * @param curveName: The name of the ec curve to support, eg: prime256v1.
+ */
+ void setServerECCurve(const std::string& curveName);
+
+ /**
+ * Sets an x509 verification param on the context.
+ */
+ void setX509VerifyParam(const ssl::X509VerifyParam& x509VerifyParam);
+
 /**
 * Method to set verification option in the context object.
 *
@@ -249,7 +318,7 @@ class SSLContext {
 virtual std::shared_ptr passwordCollector() { return collector_; }
-#if OPENSSL_VERSION_NUMBER >= 0x1000105fL && !defined(OPENSSL_NO_TLSEXT)
+#if FOLLY_OPENSSL_HAS_SNI
 /**
 * Provide SNI support
 */
@@ -302,7 +371,7 @@ class SSLContext {
 */
 typedef std::function ClientHelloCallback;
 virtual void addClientHelloCallback(const ClientHelloCallback& cb);
-#endif
+#endif // FOLLY_OPENSSL_HAS_SNI
 /**
 * Create an SSL object from this context.
@@ -393,34 +462,6 @@ class SSLContext {
 return ctx_;
 }
- enum SSLLockType {
- LOCK_MUTEX,
- LOCK_SPINLOCK,
- LOCK_NONE
- };
-
- /**
- * Set preferences for how to treat locks in OpenSSL. This must be
- * called before the instantiation of any SSLContext objects, otherwise
- * the defaults will be used.
- *
- * OpenSSL has a lock for each module rather than for each object or
- * data that needs locking. Some locks protect only refcounts, and
- * might be better as spinlocks rather than mutexes. Other locks
- * may be totally unnecessary if the objects being protected are not
- * shared between threads in the application.
- *
- * By default, all locks are initialized as mutexes. OpenSSL's lock usage
- * may change from version to version and you should know what you are doing
- * before disabling any locks entirely.
- *
- * Example: if you don't share SSL sessions between threads in your
- * application, you may be able to do this
- *
- * setSSLLockTypes({{CRYPTO_LOCK_SSL_SESSION, SSLContext::LOCK_NONE}})
- */
- static void setSSLLockTypes(std::map lockTypes);
-
 /**
 * Examine OpenSSL's error stack, and return a string description of the
 * errors.
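Review bot: `setSignatureAlgorithms(Iterator, Iterator)` silently does nothing when `OPENSSL_VERSION_NUMBER` is below 0x1000200fL: the `#if` around the `SSL_CTX_set1_sigalgs_list` call has no `#else`, so a caller that restricts signature algorithms as a hardening measure gets neither the restriction nor an error. Adding `#else` / `throw std::runtime_error("SSL_CTX_set1_sigalgs_list requires OpenSSL 1.0.2 or newer");` before the `#endif`, or at minimum stating the no-op in the doc comment, would make the outcome visible. That template also calls unqualified `join(...)` where `setCipherList` uses `folly::join(...)`; the qualified form in both keeps the two consistent. Both families of overloads return silently on an empty range, leaving whatever list was previously configured in place, which the doc comments should say, and the blank line between each `/** ... */` block and its `template` line detaches the Doxygen comment from the declaration it documents.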
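Review bot: `#if FOLLY_OPENSSL_HAS_SNI` evaluates to false when the macro is simply not defined, because an undefined identifier is 0 in `#if`; a translation unit that does not pick up the header defining it therefore compiles the SNI API out silently instead of failing, a failure mode the old `OPENSSL_VERSION_NUMBER` test did not have since OpenSSL always defines that macro. A guard near the includes such as `#ifndef FOLLY_OPENSSL_HAS_SNI` / `#error "FOLLY_OPENSSL_HAS_SNI must be defined before including SSLContext.h"` / `#endif` would turn the silent drop into a compile error. The same applies to the `FOLLY_OPENSSL_HAS_SNI` uses in the `@@ -482` and `@@ -528` hunks and to `FOLLY_OPENSSL_HAS_ALPN` in the `@@ -514` hunk. The header defining these macros is presumably among the includes added in the `@@ -36` hunk, but the include targets are not legible in this rendering, so that should be confirmed.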
@@ -429,14 +470,6 @@ class SSLContext {
 */
 static std::string getErrors(int errnoCopy);
- /**
- * We want to vary which cipher we'll use based on the client's TLS version.
- */
- void switchCiphersIfTLS11(
- SSL* ssl,
- const std::string& tls11CipherString
- );
-
 bool checkPeerName() { return checkPeerName_; }
 std::string peerFixedName() { return peerFixedName_; }
@@ -454,24 +487,8 @@ class SSLContext {
 */
 static bool matchName(const char* host, const char* pattern, int size);
- /**
- * Functions for setting up and cleaning up openssl.
- * They can be invoked during the start of the application.
- */
+ FOLLY_DEPRECATED("Use folly::ssl::init")
 static void initializeOpenSSL();
- static void cleanupOpenSSL();
-
- /**
- * Mark openssl as initialized without actually performing any initialization.
- * Please use this only if you are using a library which requires that it must
- * make its own calls to SSL_library_init() and related functions.
- */
- static void markInitialized();
-
- /**
- * Default randomize method.
- */
- static void randomize();
 protected:
 SSL_CTX* ctx_;
@@ -482,7 +499,7 @@ class SSLContext {
 bool checkPeerName_;
 std::string peerFixedName_;
 std::shared_ptr collector_;
-#if OPENSSL_VERSION_NUMBER >= 0x1000105fL && !defined(OPENSSL_NO_TLSEXT)
+#if FOLLY_OPENSSL_HAS_SNI
 ServerNameCallback serverNameCb_;
 std::vector clientHelloCbs_;
 #endif
@@ -504,9 +521,6 @@ class SSLContext {
 std::vector advertisedNextProtocols_;
 std::vector advertisedNextProtocolWeights_;
 std::discrete_distribution nextProtocolDistribution_;
- Random::DefaultGenerator nextProtocolPicker_;
-
- static int sNextProtocolsExDataIndex_;
 static int advertisedNextProtocolCallback(SSL* ssl, const unsigned char** out, unsigned int* outlen, void* data);
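Review bot: The replaced doc comment in the `@@ -454` hunk leaves `initializeOpenSSL()` with only the `FOLLY_DEPRECATED("Use folly::ssl::init")` attribute, so the header no longer says what the deprecated entry point does; presumably it forwards to `folly::ssl::init`, but that is not visible here and should be confirmed against the implementation. A short comment above the attribute, such as `/** Deprecated: use folly::ssl::init(); kept only for source compatibility. */`, would keep the declaration documented. `cleanupOpenSSL`, `markInitialized` and `randomize` are removed outright while `initializeOpenSSL` receives a deprecation shim; if the removal is intentional the commit description should say so, otherwise the same `FOLLY_DEPRECATED` treatment would give callers a migration period rather than an immediate build break.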
@@ -514,7 +528,7 @@ class SSLContext {
 SSL* ssl, unsigned char **out, unsigned char *outlen, const unsigned char *server, unsigned int server_len, void *args);
-#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_TLSEXT)
+#if FOLLY_OPENSSL_HAS_ALPN
 static int alpnSelectCallback(SSL* ssl, const unsigned char** out, unsigned char* outlen,
@@ -528,7 +542,7 @@ class SSLContext {
 static int passwordCallback(char* password, int size, int, void* data);
-#if OPENSSL_VERSION_NUMBER >= 0x1000105fL && !defined(OPENSSL_NO_TLSEXT)
+#if FOLLY_OPENSSL_HAS_SNI
 /**
 * The function that will be called directly from openssl
 * in order for the application to get the tlsext_hostname just after
@@ -547,15 +561,12 @@ class SSLContext {
 #endif
 std::string providedCiphersString_;
-
- // Functions are called when locked by the calling function.
- static void initializeOpenSSLLocked();
- static void cleanupOpenSSLLocked();
 };
 typedef std::shared_ptr SSLContextPtr;
-std::ostream& operator<<(std::ostream& os, const folly::PasswordCollector& collector);
-
+std::ostream& operator<<(
+ std::ostream& os,
+ const folly::PasswordCollector& collector);
-} // folly
+} // namespace folly