folly::SSLContext Class Reference

#include <SSLContext.h>

Inheritance diagram for folly::SSLContext:

Classes
struct	NextProtocolsItem

Public Types
enum	SSLVersion { SSLv2, SSLv3, TLSv1, TLSv1_2 }
enum	SSLVerifyPeerEnum { USE_CTX, VERIFY, VERIFY_REQ_CLIENT_CERT, NO_VERIFY }
using	ClientProtocolFilterCallback = bool(*)(unsigned char **, unsigned int *, const unsigned char *, unsigned int)

Public Member Functions
	SSLContext (SSLVersion version=TLSv1)
virtual	~SSLContext ()
virtual void	ciphers (const std::string &ciphers)
virtual void	setCiphersOrThrow (const std::string &ciphers)
template<typename Iterator >
void	setCipherList (Iterator ibegin, Iterator iend)
template<typename Container >
void	setCipherList (const Container &cipherList)
template<typename Value >
void	setCipherList (const std::initializer_list< Value > &cipherList)
template<typename Iterator >
void	setSignatureAlgorithms (Iterator ibegin, Iterator iend)
template<typename Container >
void	setSignatureAlgorithms (const Container &sigalgs)
template<typename Value >
void	setSignatureAlgorithms (const std::initializer_list< Value > &sigalgs)
void	setClientECCurvesList (const std::vector< std::string > &ecCurves)
void	setServerECCurve (const std::string &curveName)
void	setX509VerifyParam (const ssl::X509VerifyParam &x509VerifyParam)
virtual void	setVerificationOption (const SSLVerifyPeerEnum &verifyPeer)
virtual bool	needsPeerVerification ()
virtual int	getVerificationMode ()
virtual void	authenticate (bool checkPeerCert, bool checkPeerName, const std::string &peerName=std::string())
virtual void	loadCertificate (const char *path, const char *format="PEM")
virtual void	loadCertificateFromBufferPEM (folly::StringPiece cert)
virtual void	loadPrivateKey (const char *path, const char *format="PEM")
virtual void	loadPrivateKeyFromBufferPEM (folly::StringPiece pkey)
virtual void	loadCertKeyPairFromBufferPEM (folly::StringPiece cert, folly::StringPiece pkey)
virtual void	loadCertKeyPairFromFiles (const char *certPath, const char *keyPath, const char *certFormat="PEM", const char *keyFormat="PEM")
virtual bool	isCertKeyPairValid () const
virtual void	loadTrustedCertificates (const char *path)
virtual void	loadTrustedCertificates (X509_STORE *store)
virtual void	loadClientCAList (const char *path)
virtual void	passwordCollector (std::shared_ptr< PasswordCollector > collector)
virtual std::shared_ptr< PasswordCollector >	passwordCollector ()
SSL *	createSSL () const
void	setSessionCacheContext (const std::string &context)
void	setOptions (long options)
SSL_CTX *	getSSLCtx () const
bool	checkPeerName ()
std::string	peerFixedName ()
void	sslAcceptRunner (std::unique_ptr< SSLAcceptRunner > runner)
const SSLAcceptRunner *	sslAcceptRunner ()

Static Public Member Functions
static std::string	getErrors ()
static int	getVerificationMode (const SSLVerifyPeerEnum &verifyPeer)
static std::string	getErrors (int errnoCopy)
static bool	matchName (const char *host, const char *pattern, int size)
static void	initializeOpenSSL ()

Protected Attributes
SSL_CTX *	ctx_

Static Private Member Functions
static int	passwordCallback (char *password, int size, int, void *data)

Private Attributes
SSLVerifyPeerEnum	verifyPeer_ {SSLVerifyPeerEnum::NO_VERIFY}
bool	checkPeerName_
std::string	peerFixedName_
std::shared_ptr< PasswordCollector >	collector_
ClientProtocolFilterCallback	clientProtoFilter_ {nullptr}
std::unique_ptr< SSLAcceptRunner >	sslAcceptRunner_
std::string	providedCiphersString_

Static Private Attributes
static bool	initialized_

Detailed Description

Wrap OpenSSL SSL_CTX into a class.

Definition at line 89 of file SSLContext.h.

Member Typedef Documentation

using folly::SSLContext::ClientProtocolFilterCallback = bool (*)( unsigned char**, unsigned int*, const unsigned char*, unsigned int)

Definition at line 129 of file SSLContext.h.

Member Enumeration Documentation

enum folly::SSLContext::SSLVerifyPeerEnum

Defines the way that peers are verified.

Enumerator
USE_CTX
VERIFY
VERIFY_REQ_CLIENT_CERT
NO_VERIFY

Definition at line 101 of file SSLContext.h.

                         {
    // Used by AsyncSSLSocket to delegate to the SSLContext's setting
    USE_CTX,
    // For server side - request a client certificate and verify the
    // certificate if it is sent.  Does not fail if the client does not present
    // a certificate.
    // For client side - validates the server certificate or fails.
    VERIFY,
    // For server side - same as VERIFY but will fail if no certificate
    // is sent.
    // For client side - same as VERIFY.
    VERIFY_REQ_CLIENT_CERT,
    // No verification is done for both server and client side.
    NO_VERIFY
  };

enum folly::SSLContext::SSLVersion

Enumerator
SSLv2
SSLv3
TLSv1
TLSv1_2

Definition at line 91 of file SSLContext.h.

                  {
    SSLv2,
    SSLv3,
    TLSv1, // support TLS 1.0+
    TLSv1_2, // support for only TLS 1.2+
  };

Constructor & Destructor Documentation

folly::SSLContext::SSLContext ( SSLVersion  version = TLSv1 )

explicit

Constructor.

Parameters

version

The lowest or oldest SSL version to support.

Definition at line 36 of file SSLContext.cpp.

References ctx_, and folly::ssl::init().

                                         {
  folly::ssl::init();

  ctx_ = SSL_CTX_new(SSLv23_method());
  if (ctx_ == nullptr) {
    throw std::runtime_error("SSL_CTX_new: " + getErrors());
  }

  int opt = 0;
  switch (version) {
    case TLSv1:
      opt = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
      break;
    case SSLv3:
      opt = SSL_OP_NO_SSLv2;
      break;
    case TLSv1_2:
      opt = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 |
          SSL_OP_NO_TLSv1_1;
      break;
    default:
      // do nothing
      break;
  }
  int newOpt = SSL_CTX_set_options(ctx_, opt);
  DCHECK((newOpt & opt) == opt);

  SSL_CTX_set_mode(ctx_, SSL_MODE_AUTO_RETRY);

  checkPeerName_ = false;

  SSL_CTX_set_options(ctx_, SSL_OP_NO_COMPRESSION);

  sslAcceptRunner_ = std::make_unique<SSLAcceptRunner>();

#if FOLLY_OPENSSL_HAS_SNI
  SSL_CTX_set_tlsext_servername_callback(ctx_, baseServerNameOpenSSLCallback);
  SSL_CTX_set_tlsext_servername_arg(ctx_, this);
#endif
}

folly::SSLContext::~SSLContext ( )

virtual

Definition at line 77 of file SSLContext.cpp.

References ctx_.

                        {
  if (ctx_ != nullptr) {
    SSL_CTX_free(ctx_);
    ctx_ = nullptr;
  }

#if FOLLY_OPENSSL_HAS_ALPN
  deleteNextProtocolsStrings();
#endif
}

Member Function Documentation

void folly::SSLContext::authenticate ( bool  checkPeerCert, bool  checkPeerName, const std::string &  peerName = std::string()  )

virtual

Enable/Disable authentication. Peer name validation can only be done if checkPeerCert is true.

Parameters

checkPeerCert	If true, require peer to present valid certificate
checkPeerName	If true, validate that the certificate common name or alternate name(s) of peer matches the hostname used to connect.
peerName	If non-empty, validate that the certificate common name of peer matches the given string (altername name(s) are not used in this case).

Definition at line 189 of file SSLContext.cpp.

References folly::Optional< Value >::clear(), ctx_, and mode.

                               {
  int mode;
  if (checkPeerCert) {
    mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
        SSL_VERIFY_CLIENT_ONCE;
    checkPeerName_ = checkPeerName;
    peerFixedName_ = peerName;
  } else {
    mode = SSL_VERIFY_NONE;
    checkPeerName_ = false; // can't check name without cert!
    peerFixedName_.clear();
  }
  SSL_CTX_set_verify(ctx_, mode, nullptr);
}

bool folly::SSLContext::checkPeerName ( )

inline

Definition at line 515 of file SSLContext.h.

                       {
    return checkPeerName_;
  }

void folly::SSLContext::ciphers ( const std::string &  ciphers )

virtual

Set default ciphers to be used in SSL handshake process.

Parameters

ciphers

A list of ciphers to use for TLSv1.0

Definition at line 88 of file SSLContext.cpp.

                                                 {
  setCiphersOrThrow(ciphers);
}

SSL * folly::SSLContext::createSSL

(

)

const

Create an SSL object from this context.

Definition at line 518 of file SSLContext.cpp.

References ctx_.

Referenced by folly::TEST_F().

                                 {
  SSL* ssl = SSL_new(ctx_);
  if (ssl == nullptr) {
    throw std::runtime_error("SSL_new: " + getErrors());
  }
  return ssl;
}

static std::string folly::SSLContext::getErrors ( )

inlinestatic

Convenience function to call getErrors() with the current errno value.

Make sure that you only call this when there was no intervening operation since the last OpenSSL error that may have changed the current errno value.

Definition at line 137 of file SSLContext.h.

References string, and version.

                               {
    return getErrors(errno);
  }

std::string folly::SSLContext::getErrors ( int  errnoCopy )

static

Examine OpenSSL's error stack, and return a string description of the errors.

This operation removes the errors from OpenSSL's error stack.

Definition at line 597 of file SSLContext.cpp.

References message, and string.

                                             {
  std::string errors;
  unsigned long errorCode;
  char message[256];

  errors.reserve(512);
  while ((errorCode = ERR_get_error()) != 0) {
    if (!errors.empty()) {
      errors += "; ";
    }
    const char* reason = ERR_reason_error_string(errorCode);
    if (reason == nullptr) {
      snprintf(message, sizeof(message) - 1, "SSL error # %08lX", errorCode);
      reason = message;
    }
    errors += reason;
  }
  if (errors.empty()) {
    errors = "error code: " + folly::to<std::string>(errnoCopy);
  }
  return errors;
}

SSL_CTX* folly::SSLContext::getSSLCtx ( ) const

inline

Gets the underlying SSL_CTX for advanced usage

Definition at line 503 of file SSLContext.h.

References ctx_, and string.

Referenced by wangle::ServerSSLContext::setupSessionCache(), folly::AsyncSSLSocket::sslAccept(), wangle::SSLSessionCacheManager::SSLSessionCacheManager(), wangle::SSLSessionCacheManager::storeCacheRecord(), and TEST().

                             {
    return ctx_;
  }

int folly::SSLContext::getVerificationMode ( const SSLVerifyPeerEnum &  verifyPeer )

static

Method to fetch Verification mode for a SSLVerifyPeerEnum. verifyPeer cannot be SSLVerifyPeerEnum::USE_CTX since there is no context.

Parameters

verifyPeer

SSLVerifyPeerEnum for which the flags need to to be returned

Returns

mode flags that can be used with SSL_set_verify

Definition at line 159 of file SSLContext.cpp.

References mode.

                                                   {
  CHECK(verifyPeer != SSLVerifyPeerEnum::USE_CTX);
  int mode = SSL_VERIFY_NONE;
  switch (verifyPeer) {
      // case SSLVerifyPeerEnum::USE_CTX: // can't happen
      // break;

    case SSLVerifyPeerEnum::VERIFY:
      mode = SSL_VERIFY_PEER;
      break;

    case SSLVerifyPeerEnum::VERIFY_REQ_CLIENT_CERT:
      mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
      break;

    case SSLVerifyPeerEnum::NO_VERIFY:
      mode = SSL_VERIFY_NONE;
      break;

    default:
      break;
  }
  return mode;
}

int folly::SSLContext::getVerificationMode ( )

virtual

Method to fetch Verification mode determined by the options set using setVerificationOption.

Returns

mode flags that can be used with SSL_set_verify

Definition at line 185 of file SSLContext.cpp.

Referenced by folly::AsyncSSLSocket::applyVerificationOptions().

                                    {
  return getVerificationMode(verifyPeer_);
}

void folly::SSLContext::initializeOpenSSL ( )

static

Definition at line 586 of file SSLContext.cpp.

References folly::ssl::init().

                                   {
  folly::ssl::init();
}

bool folly::SSLContext::isCertKeyPairValid ( ) const

virtual

Call after both cert and key are loaded to check if cert matches key. Must call if private key is loaded before loading the cert. No need to call if cert is loaded first before private key.

Returns

true if matches, or false if mismatch.

Definition at line 316 of file SSLContext.cpp.

References ctx_.

Referenced by folly::TEST_F().

                                          {
  return SSL_CTX_check_private_key(ctx_) == 1;
}

void folly::SSLContext::loadCertificate ( const char *  path, const char *  format = "PEM"  )

virtual

Load server certificate.

Parameters

path	Path to the certificate file
format	Certificate file format

Definition at line 207 of file SSLContext.cpp.

References ctx_, and string.

Referenced by folly::TEST_F().

                                                                     {
  if (path == nullptr || format == nullptr) {
    throw std::invalid_argument(
        "loadCertificateChain: either <path> or <format> is nullptr");
  }
  if (strcmp(format, "PEM") == 0) {
    if (SSL_CTX_use_certificate_chain_file(ctx_, path) != 1) {
      int errnoCopy = errno;
      std::string reason("SSL_CTX_use_certificate_chain_file: ");
      reason.append(path);
      reason.append(": ");
      reason.append(getErrors(errnoCopy));
      throw std::runtime_error(reason);
    }
  } else {
    throw std::runtime_error(
        "Unsupported certificate format: " + std::string(format));
  }
}

void folly::SSLContext::loadCertificateFromBufferPEM ( folly::StringPiece  cert )

virtual

Load server certificate from memory.

Parameters

cert	A PEM formatted certificate

Definition at line 227 of file SSLContext.cpp.

References ctx_, folly::Range< Iter >::data(), and folly::Range< Iter >::size().

Referenced by folly::TEST_F().

                                                                   {
  if (cert.data() == nullptr) {
    throw std::invalid_argument("loadCertificate: <cert> is nullptr");
  }

  ssl::BioUniquePtr bio(BIO_new(BIO_s_mem()));
  if (bio == nullptr) {
    throw std::runtime_error("BIO_new: " + getErrors());
  }

  int written = BIO_write(bio.get(), cert.data(), int(cert.size()));
  if (written <= 0 || static_cast<unsigned>(written) != cert.size()) {
    throw std::runtime_error("BIO_write: " + getErrors());
  }

  ssl::X509UniquePtr x509(
      PEM_read_bio_X509(bio.get(), nullptr, nullptr, nullptr));
  if (x509 == nullptr) {
    throw std::runtime_error("PEM_read_bio_X509: " + getErrors());
  }

  if (SSL_CTX_use_certificate(ctx_, x509.get()) == 0) {
    throw std::runtime_error("SSL_CTX_use_certificate: " + getErrors());
  }
}

void folly::SSLContext::loadCertKeyPairFromBufferPEM ( folly::StringPiece  cert, folly::StringPiece  pkey  )

virtual

Load cert and key from PEM buffers. Guaranteed to throw if cert and private key mismatch so no need to call isCertKeyPairValid.

Parameters

cert	A PEM formatted certificate
pkey	A PEM formatted key

Definition at line 294 of file SSLContext.cpp.

Referenced by folly::TEST_F().

                           {
  loadCertificateFromBufferPEM(cert);
  loadPrivateKeyFromBufferPEM(pkey);
  if (!isCertKeyPairValid()) {
    throw std::runtime_error("SSL certificate and private key do not match");
  }
}

void folly::SSLContext::loadCertKeyPairFromFiles ( const char *  certPath, const char *  keyPath, const char *  certFormat = "PEM", const char *  keyFormat = "PEM"  )

virtual

Load cert and key from files. Guaranteed to throw if cert and key mismatch. Equivalent to calling loadCertificate() and loadPrivateKey().

Parameters

certPath	Path to the certificate file
keyPath	Path to the private key file
certFormat	Certificate file format
keyFormat	Private key file format

Definition at line 304 of file SSLContext.cpp.

Referenced by folly::TEST_F().

                           {
  loadCertificate(certPath, certFormat);
  loadPrivateKey(keyPath, keyFormat);
  if (!isCertKeyPairValid()) {
    throw std::runtime_error("SSL certificate and private key do not match");
  }
}

void folly::SSLContext::loadClientCAList ( const char *  path )

virtual

Load a client CA list for validating clients

Definition at line 334 of file SSLContext.cpp.

References ctx_.

                                                  {
  auto clientCAs = SSL_load_client_CA_file(path);
  if (clientCAs == nullptr) {
    LOG(ERROR) << "Unable to load ca file: " << path << " " << getErrors();
    return;
  }
  SSL_CTX_set_client_CA_list(ctx_, clientCAs);
}

void folly::SSLContext::loadPrivateKey ( const char *  path, const char *  format = "PEM"  )

virtual

Load private key.

Parameters

path	Path to the private key file
format	Private key file format

Definition at line 253 of file SSLContext.cpp.

References ctx_, and string.

Referenced by folly::TEST_F().

                                                                    {
  if (path == nullptr || format == nullptr) {
    throw std::invalid_argument(
        "loadPrivateKey: either <path> or <format> is nullptr");
  }
  if (strcmp(format, "PEM") == 0) {
    if (SSL_CTX_use_PrivateKey_file(ctx_, path, SSL_FILETYPE_PEM) == 0) {
      throw std::runtime_error("SSL_CTX_use_PrivateKey_file: " + getErrors());
    }
  } else {
    throw std::runtime_error(
        "Unsupported private key format: " + std::string(format));
  }
}

void folly::SSLContext::loadPrivateKeyFromBufferPEM ( folly::StringPiece  pkey )

virtual

Load private key from memory.

Parameters

pkey	A PEM formatted key

Definition at line 268 of file SSLContext.cpp.

References ctx_, folly::Range< Iter >::data(), and folly::Range< Iter >::size().

Referenced by folly::TEST_F().

                                                                  {
  if (pkey.data() == nullptr) {
    throw std::invalid_argument("loadPrivateKey: <pkey> is nullptr");
  }

  ssl::BioUniquePtr bio(BIO_new(BIO_s_mem()));
  if (bio == nullptr) {
    throw std::runtime_error("BIO_new: " + getErrors());
  }

  int written = BIO_write(bio.get(), pkey.data(), int(pkey.size()));
  if (written <= 0 || static_cast<unsigned>(written) != pkey.size()) {
    throw std::runtime_error("BIO_write: " + getErrors());
  }

  ssl::EvpPkeyUniquePtr key(
      PEM_read_bio_PrivateKey(bio.get(), nullptr, nullptr, nullptr));
  if (key == nullptr) {
    throw std::runtime_error("PEM_read_bio_PrivateKey: " + getErrors());
  }

  if (SSL_CTX_use_PrivateKey(ctx_, key.get()) == 0) {
    throw std::runtime_error("SSL_CTX_use_PrivateKey: " + getErrors());
  }
}

void folly::SSLContext::loadTrustedCertificates ( const char *  path )

virtual

Load trusted certificates from specified file.

Parameters

path	Path to trusted certificate file

Definition at line 320 of file SSLContext.cpp.

References ctx_.

                                                         {
  if (path == nullptr) {
    throw std::invalid_argument("loadTrustedCertificates: <path> is nullptr");
  }
  if (SSL_CTX_load_verify_locations(ctx_, path, nullptr) == 0) {
    throw std::runtime_error("SSL_CTX_load_verify_locations: " + getErrors());
  }
  ERR_clear_error();
}

void folly::SSLContext::loadTrustedCertificates ( X509_STORE *  store )

virtual

Load trusted certificates from specified X509 certificate store.

Parameters

store

X509 certificate store.

Definition at line 330 of file SSLContext.cpp.

References ctx_.

                                                          {
  SSL_CTX_set_cert_store(ctx_, store);
}

bool folly::SSLContext::matchName ( const char *  host, const char *  pattern, int  size  )

static

Helper to match a hostname versus a pattern.

Match a name with a pattern. The pattern may include wildcard. A single wildcard "*" can match up to one component in the domain name.

Parameters

host	Host name, typically the name of the remote host
pattern	Name retrieved from certificate
size	Size of "pattern"

Returns

True, if "host" matches "pattern". False otherwise.

Definition at line 543 of file SSLContext.cpp.

References i.

                                                                          {
  bool match = false;
  int i = 0, j = 0;
  while (i < size && host[j] != '\0') {
    if (toupper(pattern[i]) == toupper(host[j])) {
      i++;
      j++;
      continue;
    }
    if (pattern[i] == '*') {
      while (host[j] != '.' && host[j] != '\0') {
        j++;
      }
      i++;
      continue;
    }
    break;
  }
  if (i == size && host[j] == '\0') {
    match = true;
  }
  return match;
}

virtual bool folly::SSLContext::needsPeerVerification ( )

inlinevirtual

Method to check if peer verfication is set.

Returns

true if peer verification is required.

Definition at line 248 of file SSLContext.h.

References folly::format(), and string.

                                       {
    return (
        verifyPeer_ == SSLVerifyPeerEnum::VERIFY ||
        verifyPeer_ == SSLVerifyPeerEnum::VERIFY_REQ_CLIENT_CERT);
  }

int folly::SSLContext::passwordCallback ( char *  password, int  size, int  , void *  data  )

staticprivate

Definition at line 567 of file SSLContext.cpp.

References context, ctx_, min, passwordCollector(), and string.

                                                                          {
  SSLContext* context = (SSLContext*)data;
  if (context == nullptr || context->passwordCollector() == nullptr) {
    return 0;
  }
  std::string userPassword;
  // call user defined password collector to get password
  context->passwordCollector()->getPassword(userPassword, size);
  auto const length = std::min(userPassword.size(), size_t(size));
  std::memcpy(password, userPassword.data(), length);
  return int(length);
}

void folly::SSLContext::passwordCollector ( std::shared_ptr< PasswordCollector >  collector )

virtual

Override default OpenSSL password collector.

Parameters

collector

Instance of user defined password collector

Definition at line 343 of file SSLContext.cpp.

References context, ctx_, folly::data(), i, fizz::passwordCallback(), rng, and uint8_t.

Referenced by passwordCallback().

                                                {
  if (collector == nullptr) {
    LOG(ERROR) << "passwordCollector: ignore invalid password collector";
    return;
  }
  collector_ = collector;
  SSL_CTX_set_default_passwd_cb(ctx_, passwordCallback);
  SSL_CTX_set_default_passwd_cb_userdata(ctx_, this);
}

virtual std::shared_ptr<PasswordCollector> folly::SSLContext::passwordCollector ( )

inlinevirtual

Obtain password collector.

Returns

User defined password collector

Definition at line 379 of file SSLContext.h.

References context, and string.

                                                               {
    return collector_;
  }

std::string folly::SSLContext::peerFixedName ( )

inline

Definition at line 518 of file SSLContext.h.

                            {
    return peerFixedName_;
  }

template<typename Iterator >

void folly::SSLContext::setCipherList ( Iterator  ibegin, Iterator  iend  )

inline

Set default ciphers to be used in SSL handshake process.

Definition at line 167 of file SSLContext.h.

References folly::join(), and string.

Referenced by folly::ssl::setCipherSuites().

                                                     {
    if (ibegin != iend) {
      std::string opensslCipherList;
      folly::join(":", ibegin, iend, opensslCipherList);
      setCiphersOrThrow(opensslCipherList);
    }
  }

template<typename Container >

void folly::SSLContext::setCipherList ( const Container &  cipherList )

inline

Definition at line 176 of file SSLContext.h.

References folly::test::begin(), and folly::test::end().

                                                  {
    using namespace std;
    setCipherList(begin(cipherList), end(cipherList));
  }

template<typename Value >

void folly::SSLContext::setCipherList ( const std::initializer_list< Value > &  cipherList )

inline

Definition at line 182 of file SSLContext.h.

                                                                   {
    setCipherList(cipherList.begin(), cipherList.end());
  }

void folly::SSLContext::setCiphersOrThrow ( const std::string &  ciphers )

virtual

Low-level method that attempts to set the provided ciphers on the SSL_CTX object, and throws if something goes wrong.

Definition at line 145 of file SSLContext.cpp.

References ctx_.

                                                           {
  int rc = SSL_CTX_set_cipher_list(ctx_, ciphers.c_str());
  if (rc == 0) {
    throw std::runtime_error("SSL_CTX_set_cipher_list: " + getErrors());
  }
  providedCiphersString_ = ciphers;
}

void folly::SSLContext::setClientECCurvesList

(

const std::vector< std::string > &

ecCurves

)

Sets the list of EC curves supported by the client.

Parameters

ecCurves

A list of ec curves, eg: P-256

Definition at line 92 of file SSLContext.cpp.

References ctx_, folly::join(), and string.

Referenced by folly::ssl::SSLCommonOptions::setClientOptions().

                                          {
  if (ecCurves.size() == 0) {
    return;
  }
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
  std::string ecCurvesList;
  join(":", ecCurves, ecCurvesList);
  int rc = SSL_CTX_set1_curves_list(ctx_, ecCurvesList.c_str());
  if (rc == 0) {
    throw std::runtime_error("SSL_CTX_set1_curves_list " + getErrors());
  }
#endif
}

void folly::SSLContext::setOptions

(

long

options

)

Set the options on the SSL_CTX object.

Definition at line 590 of file SSLContext.cpp.

References ctx_.

Referenced by wangle::ServerSSLContext::setupTicketManager().

                                        {
  long newOpt = SSL_CTX_set_options(ctx_, options);
  if ((newOpt & options) != options) {
    throw std::runtime_error("SSL_CTX_set_options failed");
  }
}

void folly::SSLContext::setServerECCurve

(

const std::string &

curveName

)

Method to add support for a specific elliptic curve encryption algorithm.

Parameters

curveName

The name of the ec curve to support, eg: prime256v1.

Definition at line 107 of file SSLContext.cpp.

References ctx_, and folly::FATAL.

                                                            {
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
  EC_KEY* ecdh = nullptr;
  int nid;

  /*
   * Elliptic-Curve Diffie-Hellman parameters are either "named curves"
   * from RFC 4492 section 5.1.1, or explicitly described curves over
   * binary fields. OpenSSL only supports the "named curves", which provide
   * maximum interoperability.
   */

  nid = OBJ_sn2nid(curveName.c_str());
  if (nid == 0) {
    LOG(FATAL) << "Unknown curve name:" << curveName.c_str();
  }
  ecdh = EC_KEY_new_by_curve_name(nid);
  if (ecdh == nullptr) {
    LOG(FATAL) << "Unable to create curve:" << curveName.c_str();
  }

  SSL_CTX_set_tmp_ecdh(ctx_, ecdh);
  EC_KEY_free(ecdh);
#else
  throw std::runtime_error("Elliptic curve encryption not allowed");
#endif
}

void folly::SSLContext::setSessionCacheContext

(

const std::string &

context

)

Sets the namespace to use for sessions created from this context.

Definition at line 526 of file SSLContext.cpp.

References ctx_.

Referenced by wangle::ServerSSLContext::ServerSSLContext(), and wangle::SSLSessionCacheManager::SSLSessionCacheManager().

                                                                {
  SSL_CTX_set_session_id_context(
      ctx_,
      reinterpret_cast<const unsigned char*>(context.data()),
      std::min<unsigned int>(
          static_cast<unsigned int>(context.length()), SSL_MAX_SID_CTX_LENGTH));
}

template<typename Iterator >

void folly::SSLContext::setSignatureAlgorithms ( Iterator  ibegin, Iterator  iend  )

inline

Sets the signature algorithms to be used during SSL negotiation for TLS1.2+.

Definition at line 192 of file SSLContext.h.

References ctx_, folly::join(), and string.

Referenced by folly::ssl::setSignatureAlgorithms().

                                                              {
    if (ibegin != iend) {
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
      std::string opensslSigAlgsList;
      join(":", ibegin, iend, opensslSigAlgsList);
      if (!SSL_CTX_set1_sigalgs_list(ctx_, opensslSigAlgsList.c_str())) {
        throw std::runtime_error("SSL_CTX_set1_sigalgs_list " + getErrors());
      }
#endif
    }
  }

template<typename Container >

void folly::SSLContext::setSignatureAlgorithms ( const Container &  sigalgs )

inline

Definition at line 205 of file SSLContext.h.

References folly::test::begin(), folly::test::end(), and folly::ssl::setSignatureAlgorithms().

                                                        {
    using namespace std;
    setSignatureAlgorithms(begin(sigalgs), end(sigalgs));
  }

template<typename Value >

void folly::SSLContext::setSignatureAlgorithms ( const std::initializer_list< Value > &  sigalgs )

inline

Definition at line 211 of file SSLContext.h.

References folly::ssl::setSignatureAlgorithms(), and string.

                                                                         {
    setSignatureAlgorithms(sigalgs.begin(), sigalgs.end());
  }

void folly::SSLContext::setVerificationOption ( const SSLVerifyPeerEnum &  verifyPeer )

virtual

Method to set verification option in the context object.

Parameters

verifyPeer

SSLVerifyPeerEnum indicating the verification method to use.

Definition at line 153 of file SSLContext.cpp.

                                                   {
  CHECK(verifyPeer != SSLVerifyPeerEnum::USE_CTX); // dont recurse
  verifyPeer_ = verifyPeer;
}

void folly::SSLContext::setX509VerifyParam

(

const ssl::X509VerifyParam &

x509VerifyParam

)

Sets an x509 verification param on the context.

Definition at line 135 of file SSLContext.cpp.

References ctx_.

Referenced by folly::ssl::SSLCommonOptions::setClientOptions().

                                               {
  if (!x509VerifyParam) {
    return;
  }
  if (SSL_CTX_set1_param(ctx_, x509VerifyParam.get()) != 1) {
    throw std::runtime_error("SSL_CTX_set1_param " + getErrors());
  }
}

void folly::SSLContext::sslAcceptRunner ( std::unique_ptr< SSLAcceptRunner >  runner )

inline

Sets the runner used for SSL_accept. If none is given, the accept will be done directly.

Definition at line 535 of file SSLContext.h.

References folly::gen::move.

                                                              {
    if (nullptr == runner) {
      LOG(ERROR) << "Ignore invalid runner";
      return;
    }
    sslAcceptRunner_ = std::move(runner);
  }

const SSLAcceptRunner* folly::SSLContext::sslAcceptRunner ( )

inline

Definition at line 543 of file SSLContext.h.

References folly::size().

                                           {
    return sslAcceptRunner_.get();
  }

Member Data Documentation

bool folly::SSLContext::checkPeerName_

private

Definition at line 560 of file SSLContext.h.

ClientProtocolFilterCallback folly::SSLContext::clientProtoFilter_ {nullptr}

private

Definition at line 568 of file SSLContext.h.

std::shared_ptr<PasswordCollector> folly::SSLContext::collector_

private

Definition at line 562 of file SSLContext.h.

SSL_CTX* folly::SSLContext::ctx_

protected

Definition at line 555 of file SSLContext.h.

bool folly::SSLContext::initialized_

staticprivate

Definition at line 570 of file SSLContext.h.

std::string folly::SSLContext::peerFixedName_

private

Definition at line 561 of file SSLContext.h.

std::string folly::SSLContext::providedCiphersString_

private

Definition at line 625 of file SSLContext.h.

std::unique_ptr<SSLAcceptRunner> folly::SSLContext::sslAcceptRunner_

private

Definition at line 572 of file SSLContext.h.

SSLVerifyPeerEnum folly::SSLContext::verifyPeer_ {SSLVerifyPeerEnum::NO_VERIFY}

private

Definition at line 558 of file SSLContext.h.

---

The documentation for this class was generated from the following files:

• proxygen/folly/folly/io/async/SSLContext.h
• proxygen/folly/folly/io/async/SSLContext.cpp