#pragma once
-#include <mutex>
#include <list>
#include <map>
-#include <vector>
#include <memory>
-#include <string>
+#include <mutex>
#include <random>
+#include <string>
+#include <vector>
#include <glog/logging.h>
#include <folly/folly-config.h>
#endif
+#include <folly/Portability.h>
#include <folly/Range.h>
-#include <folly/ssl/OpenSSLPtrTypes.h>
+#include <folly/String.h>
#include <folly/io/async/ssl/OpenSSLUtils.h>
#include <folly/portability/OpenSSL.h>
+#include <folly/ssl/OpenSSLLockTypes.h>
+#include <folly/ssl/OpenSSLPtrTypes.h>
namespace folly {
*/
class SSLContext {
public:
-
enum SSLVersion {
- SSLv2,
- SSLv3,
- TLSv1
+ SSLv2,
+ SSLv3,
+ TLSv1, // support TLS 1.0+
+ TLSv1_2, // support for only TLS 1.2+
};
/**
*/
virtual void ciphers(const std::string& ciphers);
- /**
- * Set default ciphers to be used in SSL handshake process.
- *
- * @param ciphers A list of ciphers to use for TLS.
- */
- virtual void setCipherList(const std::vector<std::string>& ciphers);
-
/**
* Low-level method that attempts to set the provided ciphers on the
* SSL_CTX object, and throws if something goes wrong.
virtual void setCiphersOrThrow(const std::string& ciphers);
/**
- * Sets the signature algorithms to be used during SSL negotiation
- * for TLS1.2+
- *
- * @param sigalgs A list of signature algorithms, eg. RSA+SHA512
+ * Set default ciphers to be used in SSL handshake process.
*/
- void setSignatureAlgorithms(const std::vector<std::string>& sigalgs);
+
+ template <typename Iterator>
+ void setCipherList(Iterator ibegin, Iterator iend) {
+ if (ibegin != iend) {
+ std::string opensslCipherList;
+ folly::join(":", ibegin, iend, opensslCipherList);
+ setCiphersOrThrow(opensslCipherList);
+ }
+ }
+
+ template <typename Container>
+ void setCipherList(const Container& cipherList) {
+ using namespace std;
+ setCipherList(begin(cipherList), end(cipherList));
+ }
+
+ template <typename Value>
+ void setCipherList(const std::initializer_list<Value>& cipherList) {
+ setCipherList(cipherList.begin(), cipherList.end());
+ }
+
+ /**
+ * Sets the signature algorithms to be used during SSL negotiation
+ * for TLS1.2+.
+ */
+
+ template <typename Iterator>
+ void setSignatureAlgorithms(Iterator ibegin, Iterator iend) {
+ if (ibegin != iend) {
+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+ std::string opensslSigAlgsList;
+ join(":", ibegin, iend, opensslSigAlgsList);
+ if (!SSL_CTX_set1_sigalgs_list(ctx_, opensslSigAlgsList.c_str())) {
+ throw std::runtime_error("SSL_CTX_set1_sigalgs_list " + getErrors());
+ }
+#endif
+ }
+ }
+
+ template <typename Container>
+ void setSignatureAlgorithms(const Container& sigalgs) {
+ using namespace std;
+ setSignatureAlgorithms(begin(sigalgs), end(sigalgs));
+ }
+
+ template <typename Value>
+ void setSignatureAlgorithms(const std::initializer_list<Value>& sigalgs) {
+ setSignatureAlgorithms(sigalgs.begin(), sigalgs.end());
+ }
/**
* Sets the list of EC curves supported by the client.
* @param cert A PEM formatted certificate
*/
virtual void loadCertificateFromBufferPEM(folly::StringPiece cert);
+
/**
* Load private key.
*
* @param pkey A PEM formatted key
*/
virtual void loadPrivateKeyFromBufferPEM(folly::StringPiece pkey);
+
+ /**
+ * Load cert and key from PEM buffers. Guaranteed to throw if cert and
+ * private key mismatch so no need to call isCertKeyPairValid.
+ *
+ * @param cert A PEM formatted certificate
+ * @param pkey A PEM formatted key
+ */
+ virtual void loadCertKeyPairFromBufferPEM(
+ folly::StringPiece cert,
+ folly::StringPiece pkey);
+
+ /**
+ * Load cert and key from files. Guaranteed to throw if cert and key mismatch.
+ * Equivalent to calling loadCertificate() and loadPrivateKey().
+ *
+ * @param certPath Path to the certificate file
+ * @param keyPath Path to the private key file
+ * @param certFormat Certificate file format
+ * @param keyFormat Private key file format
+ */
+ virtual void loadCertKeyPairFromFiles(
+ const char* certPath,
+ const char* keyPath,
+ const char* certFormat = "PEM",
+ const char* keyFormat = "PEM");
+
+ /**
+ * Call after both cert and key are loaded to check if cert matches key.
+ * Must call if private key is loaded before loading the cert.
+ * No need to call if cert is loaded first before private key.
+ * @return true if matches, or false if mismatch.
+ */
+ virtual bool isCertKeyPairValid() const;
+
/**
* Load trusted certificates from specified file.
*
return ctx_;
}
- enum SSLLockType {
- LOCK_MUTEX,
- LOCK_SPINLOCK,
- LOCK_NONE
- };
-
- /**
- * Set preferences for how to treat locks in OpenSSL. This must be
- * called before the instantiation of any SSLContext objects, otherwise
- * the defaults will be used.
- *
- * OpenSSL has a lock for each module rather than for each object or
- * data that needs locking. Some locks protect only refcounts, and
- * might be better as spinlocks rather than mutexes. Other locks
- * may be totally unnecessary if the objects being protected are not
- * shared between threads in the application.
- *
- * By default, all locks are initialized as mutexes. OpenSSL's lock usage
- * may change from version to version and you should know what you are doing
- * before disabling any locks entirely.
- *
- * Example: if you don't share SSL sessions between threads in your
- * application, you may be able to do this
- *
- * setSSLLockTypes({{CRYPTO_LOCK_SSL_SESSION, SSLContext::LOCK_NONE}})
- */
- static void setSSLLockTypes(std::map<int, SSLLockType> lockTypes);
-
- /**
- * Set the lock types and initialize OpenSSL in an atomic fashion. This
- * aborts if the library has already been initialized.
- */
- static void setSSLLockTypesAndInitOpenSSL(
- std::map<int, SSLLockType> lockTypes);
-
- /**
- * Determine if the SSL lock with the specified id (i.e.
- * CRYPTO_LOCK_SSL_SESSION) is disabled. This should be called after
- * initializeOpenSSL. This will only check if the specified lock has been
- * explicitly set to LOCK_NONE.
- *
- * This is not safe to call while setSSLLockTypes is being called.
- */
- static bool isSSLLockDisabled(int lockId);
-
/**
* Examine OpenSSL's error stack, and return a string description of the
* errors.
*/
static std::string getErrors(int errnoCopy);
- /**
- * We want to vary which cipher we'll use based on the client's TLS version.
- *
- * XXX: The refernces to tls11CipherString and tls11AltCipherlist are reused
- * for * each >= TLS 1.1 handshake, so we expect these fields to not change.
- */
- void switchCiphersIfTLS11(
- SSL* ssl,
- const std::string& tls11CipherString,
- const std::vector<std::pair<std::string, int>>& tls11AltCipherlist);
-
bool checkPeerName() { return checkPeerName_; }
std::string peerFixedName() { return peerFixedName_; }
*/
static bool matchName(const char* host, const char* pattern, int size);
- /**
- * Functions for setting up and cleaning up openssl.
- * They can be invoked during the start of the application.
- */
+ FOLLY_DEPRECATED("Use folly::ssl::init")
static void initializeOpenSSL();
- static void cleanupOpenSSL();
-
- /**
- * Mark openssl as initialized without actually performing any initialization.
- * Please use this only if you are using a library which requires that it must
- * make its own calls to SSL_library_init() and related functions.
- */
- static void markInitialized();
-
- /**
- * Default randomize method.
- */
- static void randomize();
protected:
SSL_CTX* ctx_;
static bool initialized_;
- // To provide control over choice of server ciphersuites
- std::unique_ptr<std::discrete_distribution<int>> cipherListPicker_;
-
#ifdef OPENSSL_NPN_NEGOTIATED
struct AdvertisedNextProtocolsItem {
std::vector<int> advertisedNextProtocolWeights_;
std::discrete_distribution<int> nextProtocolDistribution_;
- static int sNextProtocolsExDataIndex_;
-
static int advertisedNextProtocolCallback(SSL* ssl,
const unsigned char** out, unsigned int* outlen, void* data);
static int selectNextProtocolCallback(
#endif
std::string providedCiphersString_;
-
- // Functions are called when locked by the calling function.
- static void initializeOpenSSLLocked();
- static void cleanupOpenSSLLocked();
- static void setSSLLockTypesLocked(std::map<int, SSLLockType> inLockTypes);
};
typedef std::shared_ptr<SSLContext> SSLContextPtr;
-std::ostream& operator<<(std::ostream& os, const folly::PasswordCollector& collector);
-
+std::ostream& operator<<(
+ std::ostream& os,
+ const folly::PasswordCollector& collector);
-} // folly
+} // namespace folly
projects / folly.git / blobdiff