#include <SSLContext.h>
Classes | |
struct | NextProtocolsItem |
Public Types | |
enum | SSLVersion { SSLv2, SSLv3, TLSv1, TLSv1_2 } |
enum | SSLVerifyPeerEnum { USE_CTX, VERIFY, VERIFY_REQ_CLIENT_CERT, NO_VERIFY } |
using | ClientProtocolFilterCallback = bool(*)(unsigned char **, unsigned int *, const unsigned char *, unsigned int) |
Public Member Functions | |
SSLContext (SSLVersion version=TLSv1) | |
virtual | ~SSLContext () |
virtual void | ciphers (const std::string &ciphers) |
virtual void | setCiphersOrThrow (const std::string &ciphers) |
template<typename Iterator > | |
void | setCipherList (Iterator ibegin, Iterator iend) |
template<typename Container > | |
void | setCipherList (const Container &cipherList) |
template<typename Value > | |
void | setCipherList (const std::initializer_list< Value > &cipherList) |
template<typename Iterator > | |
void | setSignatureAlgorithms (Iterator ibegin, Iterator iend) |
template<typename Container > | |
void | setSignatureAlgorithms (const Container &sigalgs) |
template<typename Value > | |
void | setSignatureAlgorithms (const std::initializer_list< Value > &sigalgs) |
void | setClientECCurvesList (const std::vector< std::string > &ecCurves) |
void | setServerECCurve (const std::string &curveName) |
void | setX509VerifyParam (const ssl::X509VerifyParam &x509VerifyParam) |
virtual void | setVerificationOption (const SSLVerifyPeerEnum &verifyPeer) |
virtual bool | needsPeerVerification () |
virtual int | getVerificationMode () |
virtual void | authenticate (bool checkPeerCert, bool checkPeerName, const std::string &peerName=std::string()) |
virtual void | loadCertificate (const char *path, const char *format="PEM") |
virtual void | loadCertificateFromBufferPEM (folly::StringPiece cert) |
virtual void | loadPrivateKey (const char *path, const char *format="PEM") |
virtual void | loadPrivateKeyFromBufferPEM (folly::StringPiece pkey) |
virtual void | loadCertKeyPairFromBufferPEM (folly::StringPiece cert, folly::StringPiece pkey) |
virtual void | loadCertKeyPairFromFiles (const char *certPath, const char *keyPath, const char *certFormat="PEM", const char *keyFormat="PEM") |
virtual bool | isCertKeyPairValid () const |
virtual void | loadTrustedCertificates (const char *path) |
virtual void | loadTrustedCertificates (X509_STORE *store) |
virtual void | loadClientCAList (const char *path) |
virtual void | passwordCollector (std::shared_ptr< PasswordCollector > collector) |
virtual std::shared_ptr< PasswordCollector > | passwordCollector () |
SSL * | createSSL () const |
void | setSessionCacheContext (const std::string &context) |
void | setOptions (long options) |
SSL_CTX * | getSSLCtx () const |
bool | checkPeerName () |
std::string | peerFixedName () |
void | sslAcceptRunner (std::unique_ptr< SSLAcceptRunner > runner) |
const SSLAcceptRunner * | sslAcceptRunner () |
Static Public Member Functions | |
static std::string | getErrors () |
static int | getVerificationMode (const SSLVerifyPeerEnum &verifyPeer) |
static std::string | getErrors (int errnoCopy) |
static bool | matchName (const char *host, const char *pattern, int size) |
static void | initializeOpenSSL () |
Protected Attributes | |
SSL_CTX * | ctx_ |
Static Private Member Functions | |
static int | passwordCallback (char *password, int size, int, void *data) |
Private Attributes | |
SSLVerifyPeerEnum | verifyPeer_ {SSLVerifyPeerEnum::NO_VERIFY} |
bool | checkPeerName_ |
std::string | peerFixedName_ |
std::shared_ptr< PasswordCollector > | collector_ |
ClientProtocolFilterCallback | clientProtoFilter_ {nullptr} |
std::unique_ptr< SSLAcceptRunner > | sslAcceptRunner_ |
std::string | providedCiphersString_ |
Static Private Attributes | |
static bool | initialized_ |
Wrap OpenSSL SSL_CTX into a class.
Definition at line 89 of file SSLContext.h.
using folly::SSLContext::ClientProtocolFilterCallback = bool (*)( unsigned char**, unsigned int*, const unsigned char*, unsigned int) |
Definition at line 129 of file SSLContext.h.
Defines the way that peers are verified.
Enumerator | |
---|---|
USE_CTX | |
VERIFY | |
VERIFY_REQ_CLIENT_CERT | |
NO_VERIFY |
Definition at line 101 of file SSLContext.h.
Enumerator | |
---|---|
SSLv2 | |
SSLv3 | |
TLSv1 | |
TLSv1_2 |
Definition at line 91 of file SSLContext.h.
explicit |
Constructor.
version | The lowest or oldest SSL version to support. |
Definition at line 36 of file SSLContext.cpp.
References ctx_, and folly::ssl::init().
virtual |
virtual |
Enable/Disable authentication. Peer name validation can only be performed when checkPeerCert is true, because the name being checked is taken from the peer's certificate.
checkPeerCert | If true, require peer to present valid certificate |
checkPeerName | If true, validate that the certificate common name or alternate name(s) of peer matches the hostname used to connect. |
peerName | If non-empty, validate that the certificate common name of the peer matches the given string (alternate name(s) are not consulted in this case). |
Definition at line 189 of file SSLContext.cpp.
References folly::Optional< Value >::clear(), ctx_, and mode.
inline |
Definition at line 515 of file SSLContext.h.
virtual |
Set default ciphers to be used in SSL handshake process.
ciphers | A list of ciphers to use for TLSv1.0 |
Definition at line 88 of file SSLContext.cpp.
SSL * folly::SSLContext::createSSL | ( | ) | const |
Create an SSL object from this context.
Definition at line 518 of file SSLContext.cpp.
References ctx_.
Referenced by folly::TEST_F().
inlinestatic |
Convenience function to call getErrors() with the current errno value.
Call this only when no operation that could have changed errno has run since the last OpenSSL error; otherwise the reported errno value may not correspond to that error.
Definition at line 137 of file SSLContext.h.
References string, and version.
static |
Examine OpenSSL's error stack, and return a string description of the errors.
This operation removes the errors from OpenSSL's error stack.
Definition at line 597 of file SSLContext.cpp.
References message, and string.
inline |
Gets the underlying SSL_CTX for advanced usage
Definition at line 503 of file SSLContext.h.
Referenced by wangle::ServerSSLContext::setupSessionCache(), folly::AsyncSSLSocket::sslAccept(), wangle::SSLSessionCacheManager::SSLSessionCacheManager(), wangle::SSLSessionCacheManager::storeCacheRecord(), and TEST().
static |
Method to fetch the verification mode for an SSLVerifyPeerEnum. verifyPeer cannot be SSLVerifyPeerEnum::USE_CTX, since this static method has no context to consult.
verifyPeer | SSLVerifyPeerEnum for which the verification flags are to be returned |
Definition at line 159 of file SSLContext.cpp.
References mode.
virtual |
Method to fetch Verification mode determined by the options set using setVerificationOption.
Definition at line 185 of file SSLContext.cpp.
Referenced by folly::AsyncSSLSocket::applyVerificationOptions().
static |
Definition at line 586 of file SSLContext.cpp.
References folly::ssl::init().
virtual |
Call after both the certificate and the private key are loaded to check that the certificate matches the key. This call is required when the private key is loaded before the certificate; it is not needed when the certificate is loaded first, since the key is checked against it at load time.
Definition at line 316 of file SSLContext.cpp.
References ctx_.
Referenced by folly::TEST_F().
virtual |
Load server certificate.
path | Path to the certificate file |
format | Certificate file format |
Definition at line 207 of file SSLContext.cpp.
Referenced by folly::TEST_F().
virtual |
Load server certificate from memory.
cert | A PEM formatted certificate |
Definition at line 227 of file SSLContext.cpp.
References ctx_, folly::Range< Iter >::data(), and folly::Range< Iter >::size().
Referenced by folly::TEST_F().
virtual |
Load the certificate and private key from PEM buffers. Guaranteed to throw if the certificate and private key do not match, so there is no need to call isCertKeyPairValid afterwards.
Definition at line 294 of file SSLContext.cpp.
Referenced by folly::TEST_F().
virtual |
Load the certificate and private key from files. Guaranteed to throw if the certificate and key do not match. Equivalent to calling loadCertificate() and loadPrivateKey().
certPath | Path to the certificate file |
keyPath | Path to the private key file |
certFormat | Certificate file format |
keyFormat | Private key file format |
Definition at line 304 of file SSLContext.cpp.
Referenced by folly::TEST_F().
virtual |
Load a client CA list for validating clients
Definition at line 334 of file SSLContext.cpp.
References ctx_.
virtual |
Load private key.
path | Path to the private key file |
format | Private key file format |
Definition at line 253 of file SSLContext.cpp.
Referenced by folly::TEST_F().
virtual |
Load private key from memory.
pkey | A PEM formatted key |
Definition at line 268 of file SSLContext.cpp.
References ctx_, folly::Range< Iter >::data(), and folly::Range< Iter >::size().
Referenced by folly::TEST_F().
virtual |
Load trusted certificates from specified file.
path | Path to trusted certificate file |
Definition at line 320 of file SSLContext.cpp.
References ctx_.
virtual |
Load trusted certificates from specified X509 certificate store.
store | X509 certificate store. |
Definition at line 330 of file SSLContext.cpp.
References ctx_.
static |
Helper to match a hostname against a pattern.
Match a name with a pattern. The pattern may include a wildcard. A single wildcard "*" can match at most one component (label) of the domain name.
host | Host name, typically the name of the remote host |
pattern | Name retrieved from certificate |
size | Size of "pattern" |
Definition at line 543 of file SSLContext.cpp.
References i.
inlinevirtual |
Method to check whether peer verification is set.
Definition at line 248 of file SSLContext.h.
References folly::format(), and string.
staticprivate |
Definition at line 567 of file SSLContext.cpp.
References context, ctx_, min, passwordCollector(), and string.
virtual |
Override default OpenSSL password collector.
collector | Instance of user defined password collector |
Definition at line 343 of file SSLContext.cpp.
References context, ctx_, folly::data(), i, fizz::passwordCallback(), rng, and uint8_t.
Referenced by passwordCallback().
inlinevirtual |
Obtain password collector.
Definition at line 379 of file SSLContext.h.
References context, and string.
inline |
Definition at line 518 of file SSLContext.h.
inline |
Set default ciphers to be used in SSL handshake process.
Definition at line 167 of file SSLContext.h.
References folly::join(), and string.
Referenced by folly::ssl::setCipherSuites().
inline |
Definition at line 176 of file SSLContext.h.
References folly::test::begin(), and folly::test::end().
inline |
Definition at line 182 of file SSLContext.h.
virtual |
Low-level method that attempts to set the provided ciphers on the SSL_CTX object, and throws if the cipher list cannot be applied.
Definition at line 145 of file SSLContext.cpp.
References ctx_.
void folly::SSLContext::setClientECCurvesList | ( | const std::vector< std::string > & | ecCurves | ) |
Sets the list of EC curves supported by the client.
ecCurves | A list of ec curves, eg: P-256 |
Definition at line 92 of file SSLContext.cpp.
References ctx_, folly::join(), and string.
Referenced by folly::ssl::SSLCommonOptions::setClientOptions().
void folly::SSLContext::setOptions | ( | long | options | ) |
Set the options on the SSL_CTX object.
Definition at line 590 of file SSLContext.cpp.
References ctx_.
Referenced by wangle::ServerSSLContext::setupTicketManager().
void folly::SSLContext::setServerECCurve | ( | const std::string & | curveName | ) |
Method to add server-side support for a specific elliptic curve.
curveName | The name of the ec curve to support, eg: prime256v1. |
Definition at line 107 of file SSLContext.cpp.
References ctx_, and folly::FATAL.
void folly::SSLContext::setSessionCacheContext | ( | const std::string & | context | ) |
Sets the namespace to use for sessions created from this context.
Definition at line 526 of file SSLContext.cpp.
References ctx_.
Referenced by wangle::ServerSSLContext::ServerSSLContext(), and wangle::SSLSessionCacheManager::SSLSessionCacheManager().
inline |
Sets the signature algorithms to be used during SSL negotiation for TLS1.2+.
Definition at line 192 of file SSLContext.h.
References ctx_, folly::join(), and string.
Referenced by folly::ssl::setSignatureAlgorithms().
inline |
Definition at line 205 of file SSLContext.h.
References folly::test::begin(), folly::test::end(), and folly::ssl::setSignatureAlgorithms().
inline |
Definition at line 211 of file SSLContext.h.
References folly::ssl::setSignatureAlgorithms(), and string.
virtual |
Method to set verification option in the context object.
verifyPeer | SSLVerifyPeerEnum indicating the verification method to use. |
Definition at line 153 of file SSLContext.cpp.
void folly::SSLContext::setX509VerifyParam | ( | const ssl::X509VerifyParam & | x509VerifyParam | ) |
Sets an x509 verification param on the context.
Definition at line 135 of file SSLContext.cpp.
References ctx_.
Referenced by folly::ssl::SSLCommonOptions::setClientOptions().
inline |
Sets the runner used for SSL_accept. If none is given, the accept is performed directly on the calling thread.
Definition at line 535 of file SSLContext.h.
References folly::gen::move.
inline |
Definition at line 543 of file SSLContext.h.
References folly::size().
private |
Definition at line 560 of file SSLContext.h.
private |
Definition at line 568 of file SSLContext.h.
private |
Definition at line 562 of file SSLContext.h.
protected |
Definition at line 555 of file SSLContext.h.
staticprivate |
Definition at line 570 of file SSLContext.h.
private |
Definition at line 561 of file SSLContext.h.
private |
Definition at line 625 of file SSLContext.h.
private |
Definition at line 572 of file SSLContext.h.
private |
Definition at line 558 of file SSLContext.h.