thijn/SqMod
1
0
Fork 0
mirror of https://github.com/VCMP-SqMod/SqMod.git synced 2025-01-19 03:57:14 +01:00
Code Releases Activity
SqMod/vendor/POCO/NetSSL_OpenSSL/src/SSLManager.cpp
Sandu Liviu Catalin 4a6bfc086c Major plugin refactor and cleanup. 
Switched to POCO library for unified platform/library interface.
Deprecated the external module API. It was creating more problems than solving.
Removed most built-in libraries in favor of system libraries for easier maintenance.
Cleaned and secured code with help from static analyzers.
2021-01-30 08:51:39 +02:00

469 lines
14 KiB
C++
Raw Blame History

//
// SSLManager.cpp
//
// Library: NetSSL_OpenSSL
// Package: SSLCore
// Module: SSLManager
//
// Copyright (c) 2006-2010, Applied Informatics Software Engineering GmbH.
// and Contributors.
//
// SPDX-License-Identifier: BSL-1.0
//
#include "Poco/Net/SSLManager.h"
#include "Poco/Net/Context.h"
#include "Poco/Net/Utility.h"
#include "Poco/Net/PrivateKeyPassphraseHandler.h"
#include "Poco/Net/RejectCertificateHandler.h"
#include "Poco/Crypto/OpenSSLInitializer.h"
#include "Poco/Net/SSLException.h"
#include "Poco/SingletonHolder.h"
#include "Poco/Delegate.h"
#include "Poco/StringTokenizer.h"
#include "Poco/Util/Application.h"
#include "Poco/Util/OptionException.h"
namespace Poco {
namespace Net {
const std::string SSLManager::CFG_PRIV_KEY_FILE("privateKeyFile");
const std::string SSLManager::CFG_CERTIFICATE_FILE("certificateFile");
const std::string SSLManager::CFG_CA_LOCATION("caConfig");
const std::string SSLManager::CFG_VER_MODE("verificationMode");
const Context::VerificationMode SSLManager::VAL_VER_MODE(Context::VERIFY_RELAXED);
const std::string SSLManager::CFG_VER_DEPTH("verificationDepth");
const int SSLManager::VAL_VER_DEPTH(9);
const std::string SSLManager::CFG_ENABLE_DEFAULT_CA("loadDefaultCAFile");
const bool SSLManager::VAL_ENABLE_DEFAULT_CA(true);
const std::string SSLManager::CFG_CIPHER_LIST("cipherList");
const std::string SSLManager::CFG_CYPHER_LIST("cypherList");
const std::string SSLManager::VAL_CIPHER_LIST("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
const std::string SSLManager::CFG_PREFER_SERVER_CIPHERS("preferServerCiphers");
const std::string SSLManager::CFG_DELEGATE_HANDLER("privateKeyPassphraseHandler.name");
const std::string SSLManager::VAL_DELEGATE_HANDLER("KeyConsoleHandler");
const std::string SSLManager::CFG_CERTIFICATE_HANDLER("invalidCertificateHandler.name");
const std::string SSLManager::VAL_CERTIFICATE_HANDLER("ConsoleCertificateHandler");
const std::string SSLManager::CFG_SERVER_PREFIX("openSSL.server.");
const std::string SSLManager::CFG_CLIENT_PREFIX("openSSL.client.");
const std::string SSLManager::CFG_CACHE_SESSIONS("cacheSessions");
const std::string SSLManager::CFG_SESSION_ID_CONTEXT("sessionIdContext");
const std::string SSLManager::CFG_SESSION_CACHE_SIZE("sessionCacheSize");
const std::string SSLManager::CFG_SESSION_TIMEOUT("sessionTimeout");
const std::string SSLManager::CFG_EXTENDED_VERIFICATION("extendedVerification");
const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
const std::string SSLManager::CFG_REQUIRE_TLSV1_3("requireTLSv1_3");
const std::string SSLManager::CFG_DISABLE_PROTOCOLS("disableProtocols");
const std::string SSLManager::CFG_DH_PARAMS_FILE("dhParamsFile");
const std::string SSLManager::CFG_ECDH_CURVE("ecdhCurve");
#ifdef OPENSSL_FIPS
const std::string SSLManager::CFG_FIPS_MODE("openSSL.fips");
const bool SSLManager::VAL_FIPS_MODE(false);
#endif
SSLManager::SSLManager()
{
}
SSLManager::~SSLManager()
{
try
{
shutdown();
}
catch (...)
{
poco_unexpected();
}
}
void SSLManager::shutdown()
{
PrivateKeyPassphraseRequired.clear();
ClientVerificationError.clear();
ServerVerificationError.clear();
_ptrDefaultServerContext = 0;
_ptrDefaultClientContext = 0;
}
namespace
{
static Poco::SingletonHolder<SSLManager> singleton;
}
SSLManager& SSLManager::instance()
{
return *singleton.get();
}
void SSLManager::initializeServer(PrivateKeyPassphraseHandlerPtr ptrPassphraseHandler, InvalidCertificateHandlerPtr ptrHandler, Context::Ptr ptrContext)
{
_ptrServerPassphraseHandler = ptrPassphraseHandler;
_ptrServerCertificateHandler = ptrHandler;
_ptrDefaultServerContext = ptrContext;
}
void SSLManager::initializeClient(PrivateKeyPassphraseHandlerPtr ptrPassphraseHandler, InvalidCertificateHandlerPtr ptrHandler, Context::Ptr ptrContext)
{
_ptrClientPassphraseHandler = ptrPassphraseHandler;
_ptrClientCertificateHandler = ptrHandler;
_ptrDefaultClientContext = ptrContext;
}
Context::Ptr SSLManager::defaultServerContext()
{
Poco::FastMutex::ScopedLock lock(_mutex);
if (!_ptrDefaultServerContext)
initDefaultContext(true);
return _ptrDefaultServerContext;
}
Context::Ptr SSLManager::defaultClientContext()
{
Poco::FastMutex::ScopedLock lock(_mutex);
if (!_ptrDefaultClientContext)
{
try
{
initDefaultContext(false);
}
catch (Poco::IllegalStateException&)
{
_ptrClientCertificateHandler = new RejectCertificateHandler(false);
_ptrDefaultClientContext = new Context(Context::CLIENT_USE, "", Context::VERIFY_RELAXED, 9, true);
_ptrDefaultClientContext->disableProtocols(Context::PROTO_SSLV2 | Context::PROTO_SSLV3);
}
}
return _ptrDefaultClientContext;
}
SSLManager::PrivateKeyPassphraseHandlerPtr SSLManager::serverPassphraseHandler()
{
Poco::FastMutex::ScopedLock lock(_mutex);
if (!_ptrServerPassphraseHandler)
initPassphraseHandler(true);
return _ptrServerPassphraseHandler;
}
SSLManager::PrivateKeyPassphraseHandlerPtr SSLManager::clientPassphraseHandler()
{
Poco::FastMutex::ScopedLock lock(_mutex);
if (!_ptrClientPassphraseHandler)
initPassphraseHandler(false);
return _ptrClientPassphraseHandler;
}
SSLManager::InvalidCertificateHandlerPtr SSLManager::serverCertificateHandler()
{
Poco::FastMutex::ScopedLock lock(_mutex);
if (!_ptrServerCertificateHandler)
initCertificateHandler(true);
return _ptrServerCertificateHandler;
}
SSLManager::InvalidCertificateHandlerPtr SSLManager::clientCertificateHandler()
{
Poco::FastMutex::ScopedLock lock(_mutex);
if (!_ptrClientCertificateHandler)
initCertificateHandler(false);
return _ptrClientCertificateHandler;
}
int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
{
if (!ok)
{
X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
X509Certificate x509(pCert, true);
int depth = X509_STORE_CTX_get_error_depth(pStore);
int err = X509_STORE_CTX_get_error(pStore);
std::string error(X509_verify_cert_error_string(err));
VerificationErrorArgs args(x509, depth, err, error);
if (server)
SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
else
SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
ok = args.getIgnoreError() ? 1 : 0;
}
return ok;
}
int SSLManager::privateKeyPassphraseCallback(char* pBuf, int size, int flag, void* userData)
{
std::string pwd;
SSLManager::instance().PrivateKeyPassphraseRequired.notify(&SSLManager::instance(), pwd);
strncpy(pBuf, (char *)(pwd.c_str()), size);
pBuf[size - 1] = '\0';
if (size > pwd.length())
size = (int) pwd.length();
return size;
}
void SSLManager::initDefaultContext(bool server)
{
if (server && _ptrDefaultServerContext) return;
if (!server && _ptrDefaultClientContext) return;
Poco::Crypto::OpenSSLInitializer openSSLInitializer;
initEvents(server);
Poco::Util::AbstractConfiguration& config = appConfig();
#ifdef OPENSSL_FIPS
bool fipsEnabled = config.getBool(CFG_FIPS_MODE, VAL_FIPS_MODE);
if (fipsEnabled && !Poco::Crypto::OpenSSLInitializer::isFIPSEnabled())
{
Poco::Crypto::OpenSSLInitializer::enableFIPSMode(true);
}
#endif
std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
Context::Params params;
// mandatory options
params.privateKeyFile = config.getString(prefix + CFG_PRIV_KEY_FILE, "");
params.certificateFile = config.getString(prefix + CFG_CERTIFICATE_FILE, params.privateKeyFile);
params.caLocation = config.getString(prefix + CFG_CA_LOCATION, "");
if (server && params.certificateFile.empty() && params.privateKeyFile.empty())
throw SSLException("Configuration error: no certificate file has been specified");
// optional options for which we have defaults defined
params.verificationMode = VAL_VER_MODE;
if (config.hasProperty(prefix + CFG_VER_MODE))
{
// either: none, relaxed, strict, once
std::string mode = config.getString(prefix + CFG_VER_MODE);
params.verificationMode = Utility::convertVerificationMode(mode);
}
params.verificationDepth = config.getInt(prefix + CFG_VER_DEPTH, VAL_VER_DEPTH);
params.loadDefaultCAs = config.getBool(prefix + CFG_ENABLE_DEFAULT_CA, VAL_ENABLE_DEFAULT_CA);
params.cipherList = config.getString(prefix + CFG_CIPHER_LIST, VAL_CIPHER_LIST);
params.cipherList = config.getString(prefix + CFG_CYPHER_LIST, params.cipherList); // for backwards compatibility
bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
bool requireTLSv1_3 = config.getBool(prefix + CFG_REQUIRE_TLSV1_3, false);
params.dhParamsFile = config.getString(prefix + CFG_DH_PARAMS_FILE, "");
params.ecdhCurve = config.getString(prefix + CFG_ECDH_CURVE, "");
Context::Usage usage;
if (server)
{
if (requireTLSv1_3)
usage = Context::TLSV1_3_SERVER_USE;
else if (requireTLSv1_2)
usage = Context::TLSV1_2_SERVER_USE;
else if (requireTLSv1_1)
usage = Context::TLSV1_1_SERVER_USE;
else if (requireTLSv1)
usage = Context::TLSV1_SERVER_USE;
else
usage = Context::SERVER_USE;
_ptrDefaultServerContext = new Context(usage, params);
}
else
{
if (requireTLSv1_3)
usage = Context::TLSV1_3_CLIENT_USE;
else if (requireTLSv1_2)
usage = Context::TLSV1_2_CLIENT_USE;
else if (requireTLSv1_1)
usage = Context::TLSV1_1_CLIENT_USE;
else if (requireTLSv1)
usage = Context::TLSV1_CLIENT_USE;
else
usage = Context::CLIENT_USE;
_ptrDefaultClientContext = new Context(usage, params);
}
std::string disabledProtocolsList = config.getString(prefix + CFG_DISABLE_PROTOCOLS, "");
Poco::StringTokenizer dpTok(disabledProtocolsList, ";,", Poco::StringTokenizer::TOK_TRIM | Poco::StringTokenizer::TOK_IGNORE_EMPTY);
int disabledProtocols = 0;
for (Poco::StringTokenizer::Iterator it = dpTok.begin(); it != dpTok.end(); ++it)
{
if (*it == "sslv2")
disabledProtocols |= Context::PROTO_SSLV2;
else if (*it == "sslv3")
disabledProtocols |= Context::PROTO_SSLV3;
else if (*it == "tlsv1")
disabledProtocols |= Context::PROTO_TLSV1;
else if (*it == "tlsv1_1")
disabledProtocols |= Context::PROTO_TLSV1_1;
else if (*it == "tlsv1_2")
disabledProtocols |= Context::PROTO_TLSV1_2;
else if (*it == "tlsv1_3")
disabledProtocols |= Context::PROTO_TLSV1_3;
}
if (server)
_ptrDefaultServerContext->disableProtocols(disabledProtocols);
else
_ptrDefaultClientContext->disableProtocols(disabledProtocols);
bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false);
if (server)
{
std::string sessionIdContext = config.getString(prefix + CFG_SESSION_ID_CONTEXT, config.getString("application.name", ""));
_ptrDefaultServerContext->enableSessionCache(cacheSessions, sessionIdContext);
if (config.hasProperty(prefix + CFG_SESSION_CACHE_SIZE))
{
int cacheSize = config.getInt(prefix + CFG_SESSION_CACHE_SIZE);
_ptrDefaultServerContext->setSessionCacheSize(cacheSize);
}
if (config.hasProperty(prefix + CFG_SESSION_TIMEOUT))
{
int timeout = config.getInt(prefix + CFG_SESSION_TIMEOUT);
_ptrDefaultServerContext->setSessionTimeout(timeout);
}
}
else
{
_ptrDefaultClientContext->enableSessionCache(cacheSessions);
}
bool extendedVerification = config.getBool(prefix + CFG_EXTENDED_VERIFICATION, false);
if (server)
_ptrDefaultServerContext->enableExtendedCertificateVerification(extendedVerification);
else
_ptrDefaultClientContext->enableExtendedCertificateVerification(extendedVerification);
bool preferServerCiphers = config.getBool(prefix + CFG_PREFER_SERVER_CIPHERS, false);
if (preferServerCiphers)
{
if (server)
_ptrDefaultServerContext->preferServerCiphers();
else
_ptrDefaultClientContext->preferServerCiphers();
}
}
void SSLManager::initEvents(bool server)
{
initPassphraseHandler(server);
initCertificateHandler(server);
}
void SSLManager::initPassphraseHandler(bool server)
{
if (server && _ptrServerPassphraseHandler) return;
if (!server && _ptrClientPassphraseHandler) return;
std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
Poco::Util::AbstractConfiguration& config = appConfig();
std::string className(config.getString(prefix + CFG_DELEGATE_HANDLER, VAL_DELEGATE_HANDLER));
const PrivateKeyFactory* pFactory = 0;
if (privateKeyFactoryMgr().hasFactory(className))
{
pFactory = privateKeyFactoryMgr().getFactory(className);
}
if (pFactory)
{
if (server)
_ptrServerPassphraseHandler = pFactory->create(server);
else
_ptrClientPassphraseHandler = pFactory->create(server);
}
else throw Poco::Util::UnknownOptionException(std::string("No passphrase handler known with the name ") + className);
}
void SSLManager::initCertificateHandler(bool server)
{
if (server && _ptrServerCertificateHandler) return;
if (!server && _ptrClientCertificateHandler) return;
std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
Poco::Util::AbstractConfiguration& config = appConfig();
std::string className(config.getString(prefix+CFG_CERTIFICATE_HANDLER, VAL_CERTIFICATE_HANDLER));
const CertificateHandlerFactory* pFactory = 0;
if (certificateHandlerFactoryMgr().hasFactory(className))
{
pFactory = certificateHandlerFactoryMgr().getFactory(className);
}
if (pFactory)
{
if (server)
_ptrServerCertificateHandler = pFactory->create(true);
else
_ptrClientCertificateHandler = pFactory->create(false);
}
else throw Poco::Util::UnknownOptionException(std::string("No InvalidCertificate handler known with the name ") + className);
}
Poco::Util::AbstractConfiguration& SSLManager::appConfig()
{
try
{
return Poco::Util::Application::instance().config();
}
catch (Poco::NullPointerException&)
{
throw Poco::IllegalStateException(
"An application configuration is required to initialize the Poco::Net::SSLManager, "
"but no Poco::Util::Application instance is available."
);
}
}
void initializeSSL()
{
Poco::Crypto::initializeCrypto();
}
void uninitializeSSL()
{
SSLManager::instance().shutdown();
Poco::Crypto::uninitializeCrypto();
}
} } // namespace Poco::Net
View Git Blame Copy Permalink