proxygen: proxygen/wangle/wangle/ssl/SSLContextManager.h Source File

Go to the documentation of this file.
 /*
  * Copyright 2017-present Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 #pragma once
 
 #include <folly/io/async/EventBase.h>
 #include <folly/io/async/SSLContext.h>
 #include <folly/SharedMutex.h>
 
 #include <glog/logging.h>
 #include <list>
 #include <memory>
 #include <wangle/ssl/SSLContextConfig.h>
 #include <wangle/ssl/SSLSessionCacheManager.h>
 #include <wangle/ssl/TLSTicketKeySeeds.h>
 #include <wangle/acceptor/SSLContextSelectionMisc.h>
 #include <vector>
 
 namespace folly {
 
 class SocketAddress;
 class SSLContext;
 
 }
 
 namespace wangle {
 
 class ClientHelloExtStats;
 struct SSLCacheOptions;
 class SSLStats;
 class TLSTicketKeyManager;
 struct TLSTicketKeySeeds;
 class ServerSSLContext;
 
 class SSLContextManager {
  private:
   struct SslContexts {
     void clear();
     void swap(SslContexts& other) noexcept;
 
     std::vector<std::shared_ptr<ServerSSLContext>> ctxs;
     std::shared_ptr<ServerSSLContext> defaultCtx;
     std::string defaultCtxDomainName;
 
     std::unordered_map<
       SSLContextKey,
       std::shared_ptr<folly::SSLContext>,
       SSLContextKeyHash> dnMap;
   };
 
  public:
 
    struct ClientCertVerifyCallback {
 
      // no-op. Should be overridden if actual
      // verification is required
      virtual void attachSSLContext(
        const std::shared_ptr<folly::SSLContext>& sslCtx) = 0;
      virtual ~ClientCertVerifyCallback() {}
    };
 
 
   explicit SSLContextManager(folly::EventBase* eventBase,
                              const std::string& vipName, bool strict,
                              SSLStats* stats);
   virtual ~SSLContextManager();
 
   void addSSLContextConfig(
     const SSLContextConfig& ctxConfig,
     const SSLCacheOptions& cacheOptions,
     const TLSTicketKeySeeds* ticketSeeds,
     const folly::SocketAddress& vipAddress,
     const std::shared_ptr<SSLCacheProvider> &externalCache,
     SslContexts* contexts = nullptr);
 
   void resetSSLContextConfigs(
     const std::vector<SSLContextConfig>& ctxConfig,
     const SSLCacheOptions& cacheOptions,
     const TLSTicketKeySeeds* ticketSeeds,
     const folly::SocketAddress& vipAddress,
     const std::shared_ptr<SSLCacheProvider> &externalCache);
 
   void clear();
 
   std::shared_ptr<folly::SSLContext>
     getDefaultSSLCtx() const;
 
   std::shared_ptr<folly::SSLContext>
     getSSLCtx(const SSLContextKey& key) const;
 
   std::shared_ptr<folly::SSLContext>
     getSSLCtxBySuffix(const SSLContextKey& key) const;
 
   std::shared_ptr<folly::SSLContext>
     getSSLCtxByExactDomain(const SSLContextKey& key) const;
 
   void reloadTLSTicketKeys(const std::vector<std::string>& oldSeeds,
                            const std::vector<std::string>& currentSeeds,
                            const std::vector<std::string>& newSeeds);
 
   void setSSLStats(SSLStats* stats) {
     stats_ = stats;
   }
 
   void setClientHelloExtStats(ClientHelloExtStats* stats) {
     clientHelloTLSExtStats_ = stats;
   }
 
   void setClientVerifyCallback(std::unique_ptr<ClientCertVerifyCallback> cb) {
         clientCertVerifyCallback_ = std::move(cb);
   }
 
  protected:
   virtual void loadCertKeyPairExternal(
     const std::shared_ptr<folly::SSLContext>&,
     const SSLContextConfig&,
     const std::string& /* certificateFile */) {
     LOG(FATAL) << "Unsupported in base SSLContextManager";
   }
 
   virtual void overrideConfiguration(
     const std::shared_ptr<folly::SSLContext>&,
     const SSLContextConfig&) {}
 
   std::string vipName_;
   SSLStats* stats_{nullptr};
 
   void insertSSLCtxByDomainName(
     const char* dn,
     size_t len,
     std::shared_ptr<folly::SSLContext> sslCtx,
     SslContexts& contexts,
     CertCrypto certCrypto = CertCrypto::BEST_AVAILABLE);
 
   void insertSSLCtxByDomainName(
     const char* dn,
     size_t len,
     std::shared_ptr<folly::SSLContext> sslCtx,
     CertCrypto certCrypto = CertCrypto::BEST_AVAILABLE) {
     insertSSLCtxByDomainName(dn, len, sslCtx, contexts_, certCrypto);
   }
 
  private:
   SSLContextManager(const SSLContextManager&) = delete;
 
   void ctxSetupByOpensslFeature(
     std::shared_ptr<ServerSSLContext> sslCtx,
     const SSLContextConfig& ctxConfig,
     SslContexts& contexts);
 
 #if FOLLY_OPENSSL_HAS_SNI
 # define PROXYGEN_HAVE_SERVERNAMECALLBACK
   folly::SSLContext::ServerNameCallbackResult
     serverNameCallback(SSL* ssl);
 #endif
 
   void insert(
     std::shared_ptr<ServerSSLContext> sslCtx,
     bool defaultFallback,
     SslContexts& contexts);
 
   void insertSSLCtxByDomainNameImpl(
     const char* dn,
     size_t len,
     std::shared_ptr<folly::SSLContext> sslCtx,
     SslContexts& contexts,
     CertCrypto certCrypto);
 
   void insertIntoDnMap(SSLContextKey key,
     std::shared_ptr<folly::SSLContext> sslCtx,
     bool overwrite,
     SslContexts& contexts);
 
   SslContexts contexts_;
   folly::EventBase* eventBase_;
   ClientHelloExtStats* clientHelloTLSExtStats_{nullptr};
   SSLContextConfig::SNINoMatchFn noMatchFn_;
   bool strict_{true};
   std::unique_ptr<ClientCertVerifyCallback> clientCertVerifyCallback_{nullptr};
 };
 
 } // namespace wangle