proxygen: proxygen/folly/folly/io/async/SSLContext.h Source File

Go to the documentation of this file.
 /*
  * Copyright 2014-present Facebook, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 #pragma once
 
 #include <list>
 #include <map>
 #include <memory>
 #include <mutex>
 #include <random>
 #include <string>
 #include <vector>
 
 #include <glog/logging.h>
 
 #ifndef FOLLY_NO_CONFIG
 #include <folly/folly-config.h>
 #endif
 
 #include <folly/Function.h>
 #include <folly/Portability.h>
 #include <folly/Range.h>
 #include <folly/String.h>
 #include <folly/io/async/ssl/OpenSSLUtils.h>
 #include <folly/portability/OpenSSL.h>
 #include <folly/ssl/OpenSSLLockTypes.h>
 #include <folly/ssl/OpenSSLPtrTypes.h>
 
 namespace folly {
 
 class PasswordCollector {
  public:
   virtual ~PasswordCollector() = default;
   virtual void getPassword(std::string& password, int size) const = 0;
 
   virtual std::string describe() const = 0;
 };
 
 class SSLAcceptRunner {
  public:
   virtual ~SSLAcceptRunner() = default;
 
   virtual void run(Function<int()> acceptFunc, Function<void(int)> finallyFunc)
       const {
     finallyFunc(acceptFunc());
   }
 };
 
 class SSLContext {
  public:
   enum SSLVersion {
     SSLv2,
     SSLv3,
     TLSv1, // support TLS 1.0+
     TLSv1_2, // support for only TLS 1.2+
   };
 
   enum SSLVerifyPeerEnum {
     // Used by AsyncSSLSocket to delegate to the SSLContext's setting
     USE_CTX,
     // For server side - request a client certificate and verify the
     // certificate if it is sent.  Does not fail if the client does not present
     // a certificate.
     // For client side - validates the server certificate or fails.
     VERIFY,
     // For server side - same as VERIFY but will fail if no certificate
     // is sent.
     // For client side - same as VERIFY.
     VERIFY_REQ_CLIENT_CERT,
     // No verification is done for both server and client side.
     NO_VERIFY
   };
 
   struct NextProtocolsItem {
     NextProtocolsItem(int wt, const std::list<std::string>& ptcls)
         : weight(wt), protocols(ptcls) {}
     int weight;
     std::list<std::string> protocols;
   };
 
   // Function that selects a client protocol given the server's list
   using ClientProtocolFilterCallback = bool (*)(
       unsigned char**,
       unsigned int*,
       const unsigned char*,
       unsigned int);
 
   static std::string getErrors() {
     return getErrors(errno);
   }
 
   explicit SSLContext(SSLVersion version = TLSv1);
   virtual ~SSLContext();
 
   virtual void ciphers(const std::string& ciphers);
 
   virtual void setCiphersOrThrow(const std::string& ciphers);
 
   template <typename Iterator>
   void setCipherList(Iterator ibegin, Iterator iend) {
     if (ibegin != iend) {
       std::string opensslCipherList;
       folly::join(":", ibegin, iend, opensslCipherList);
       setCiphersOrThrow(opensslCipherList);
     }
   }
 
   template <typename Container>
   void setCipherList(const Container& cipherList) {
     using namespace std;
     setCipherList(begin(cipherList), end(cipherList));
   }
 
   template <typename Value>
   void setCipherList(const std::initializer_list<Value>& cipherList) {
     setCipherList(cipherList.begin(), cipherList.end());
   }
 
   template <typename Iterator>
   void setSignatureAlgorithms(Iterator ibegin, Iterator iend) {
     if (ibegin != iend) {
 #if OPENSSL_VERSION_NUMBER >= 0x1000200fL
       std::string opensslSigAlgsList;
       join(":", ibegin, iend, opensslSigAlgsList);
       if (!SSL_CTX_set1_sigalgs_list(ctx_, opensslSigAlgsList.c_str())) {
         throw std::runtime_error("SSL_CTX_set1_sigalgs_list " + getErrors());
       }
 #endif
     }
   }
 
   template <typename Container>
   void setSignatureAlgorithms(const Container& sigalgs) {
     using namespace std;
     setSignatureAlgorithms(begin(sigalgs), end(sigalgs));
   }
 
   template <typename Value>
   void setSignatureAlgorithms(const std::initializer_list<Value>& sigalgs) {
     setSignatureAlgorithms(sigalgs.begin(), sigalgs.end());
   }
 
   void setClientECCurvesList(const std::vector<std::string>& ecCurves);
 
   void setServerECCurve(const std::string& curveName);
 
   void setX509VerifyParam(const ssl::X509VerifyParam& x509VerifyParam);
 
   virtual void setVerificationOption(const SSLVerifyPeerEnum& verifyPeer);
 
   virtual bool needsPeerVerification() {
     return (
         verifyPeer_ == SSLVerifyPeerEnum::VERIFY ||
         verifyPeer_ == SSLVerifyPeerEnum::VERIFY_REQ_CLIENT_CERT);
   }
 
   static int getVerificationMode(const SSLVerifyPeerEnum& verifyPeer);
 
   virtual int getVerificationMode();
 
   virtual void authenticate(
       bool checkPeerCert,
       bool checkPeerName,
       const std::string& peerName = std::string());
   virtual void loadCertificate(const char* path, const char* format = "PEM");
   virtual void loadCertificateFromBufferPEM(folly::StringPiece cert);
 
   virtual void loadPrivateKey(const char* path, const char* format = "PEM");
   virtual void loadPrivateKeyFromBufferPEM(folly::StringPiece pkey);
 
   virtual void loadCertKeyPairFromBufferPEM(
       folly::StringPiece cert,
       folly::StringPiece pkey);
 
   virtual void loadCertKeyPairFromFiles(
       const char* certPath,
       const char* keyPath,
       const char* certFormat = "PEM",
       const char* keyFormat = "PEM");
 
   virtual bool isCertKeyPairValid() const;
 
   virtual void loadTrustedCertificates(const char* path);
   virtual void loadTrustedCertificates(X509_STORE* store);
   virtual void loadClientCAList(const char* path);
   virtual void passwordCollector(std::shared_ptr<PasswordCollector> collector);
   virtual std::shared_ptr<PasswordCollector> passwordCollector() {
     return collector_;
   }
 #if FOLLY_OPENSSL_HAS_SNI
 
   enum ServerNameCallbackResult {
     SERVER_NAME_FOUND,
     SERVER_NAME_NOT_FOUND,
     SERVER_NAME_NOT_FOUND_ALERT_FATAL,
   };
   typedef std::function<ServerNameCallbackResult(SSL* ssl)> ServerNameCallback;
   virtual void setServerNameCallback(const ServerNameCallback& cb);
 
   typedef std::function<void(SSL* ssl)> ClientHelloCallback;
   virtual void addClientHelloCallback(const ClientHelloCallback& cb);
 #endif // FOLLY_OPENSSL_HAS_SNI
 
   SSL* createSSL() const;
 
   void setSessionCacheContext(const std::string& context);
 
   void setOptions(long options);
 
 #if FOLLY_OPENSSL_HAS_ALPN
 
   bool setAdvertisedNextProtocols(const std::list<std::string>& protocols);
   bool setRandomizedAdvertisedNextProtocols(
       const std::list<NextProtocolsItem>& items);
 
   void unsetNextProtocols();
   void deleteNextProtocolsStrings();
 #endif // FOLLY_OPENSSL_HAS_ALPN
 
   SSL_CTX* getSSLCtx() const {
     return ctx_;
   }
 
   static std::string getErrors(int errnoCopy);
 
   bool checkPeerName() {
     return checkPeerName_;
   }
   std::string peerFixedName() {
     return peerFixedName_;
   }
 
 #if defined(SSL_MODE_HANDSHAKE_CUTTHROUGH)
 
   void enableFalseStart();
 #endif
 
   void sslAcceptRunner(std::unique_ptr<SSLAcceptRunner> runner) {
     if (nullptr == runner) {
       LOG(ERROR) << "Ignore invalid runner";
       return;
     }
     sslAcceptRunner_ = std::move(runner);
   }
 
   const SSLAcceptRunner* sslAcceptRunner() {
     return sslAcceptRunner_.get();
   }
 
   static bool matchName(const char* host, const char* pattern, int size);
 
   [[deprecated("Use folly::ssl::init")]] static void initializeOpenSSL();
 
  protected:
   SSL_CTX* ctx_;
 
  private:
   SSLVerifyPeerEnum verifyPeer_{SSLVerifyPeerEnum::NO_VERIFY};
 
   bool checkPeerName_;
   std::string peerFixedName_;
   std::shared_ptr<PasswordCollector> collector_;
 #if FOLLY_OPENSSL_HAS_SNI
   ServerNameCallback serverNameCb_;
   std::vector<ClientHelloCallback> clientHelloCbs_;
 #endif
 
   ClientProtocolFilterCallback clientProtoFilter_{nullptr};
 
   static bool initialized_;
 
   std::unique_ptr<SSLAcceptRunner> sslAcceptRunner_;
 
 #if FOLLY_OPENSSL_HAS_ALPN
 
   struct AdvertisedNextProtocolsItem {
     unsigned char* protocols;
     unsigned length;
   };
 
   std::vector<AdvertisedNextProtocolsItem> advertisedNextProtocols_;
   std::vector<int> advertisedNextProtocolWeights_;
   std::discrete_distribution<int> nextProtocolDistribution_;
 
   static int advertisedNextProtocolCallback(
       SSL* ssl,
       const unsigned char** out,
       unsigned int* outlen,
       void* data);
 
   static int alpnSelectCallback(
       SSL* ssl,
       const unsigned char** out,
       unsigned char* outlen,
       const unsigned char* in,
       unsigned int inlen,
       void* data);
 
   size_t pickNextProtocols();
 
 #endif // FOLLY_OPENSSL_HAS_ALPN
 
   static int passwordCallback(char* password, int size, int, void* data);
 
 #if FOLLY_OPENSSL_HAS_SNI
 
   static int baseServerNameOpenSSLCallback(
       SSL* ssl,
       int* al /* alert (return value) */,
       void* data);
 #endif
 
   std::string providedCiphersString_;
 };
 
 typedef std::shared_ptr<SSLContext> SSLContextPtr;
 
 std::ostream& operator<<(
     std::ostream& os,
     const folly::PasswordCollector& collector);
 
 } // namespace folly