SNode.C
Loading...
Searching...
No Matches
core::socket::stream::tls Namespace Reference

Classes

class  SocketReader
class  SocketWriter
class  TLSHandshake
class  TLSShutdown
class  SocketConnection
class  SocketConnector
struct  SslConfig
class  SocketAcceptor

Functions

static int password_callback (char *buf, int size, int a, void *u)
static int verify_callback (int preverify_ok, X509_STORE_CTX *ctx)
SSL_CTX * ssl_ctx_new (const SslConfig &sslConfig)
std::map< std::string, SSL_CTX * > ssl_get_sans (SSL_CTX *sslCtx)
void ssl_set_sni (SSL *ssl, const std::string &sni)
SSL_CTX * ssl_set_ssl_ctx (SSL *ssl, SSL_CTX *sslCtx)
void ssl_ctx_free (SSL_CTX *ctx)
std::string ssl_get_servername_from_client_hello (SSL *ssl)
void ssl_log (const std::string &message, int sslErr)
void ssl_log_error (const std::string &message)
void ssl_log_warning (const std::string &message)
void ssl_log_info (const std::string &message)
bool match (const char *first, const char *second)

Function Documentation

◆ match()

bool core::socket::stream::tls::match ( const char * first,
const char * second )

Definition at line 371 of file ssl_utils.cpp.

371 {
372 // If we reach at the end of both strings, we are done
373 if (*first == '\0' && *second == '\0') {
374 return true;
375 }
376
377 // Make sure to eliminate consecutive '*'
378 if (*first == '*') {
379 while (*(first + 1) == '*') {
380 first++;
381 }
382 }
383
384 // Make sure that the characters after '*' are present
385 // in second string. This function assumes that the
386 // first string will not contain two consecutive '*'
387 if (*first == '*' && *(first + 1) != '\0' && *second == '\0') {
388 return false;
389 }
390
391 // If the first string contains '?', or current
392 // characters of both strings match
393 if (*first == '?' || *first == *second) {
394 return match(first + 1, second + 1);
395 }
396
397 // If there is *, then there are two possibilities
398 // a) We consider current character of second string
399 // b) We ignore current character of second string.
400 if (*first == '*') {
401 return match(first + 1, second) || match(first, second + 1);
402 }
403
404 return false;
405 }
core::socket::stream::tls::match
bool match(const char *first, const char *second)
Definition ssl_utils.cpp:371

References match().

Referenced by net::config::stream::tls::ConfigSocketServer< ConfigSocketServerBaseT >::getSniCtx(), and match().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ password_callback()

int core::socket::stream::tls::password_callback ( char * buf,
int size,
int a,
void * u )
static

Definition at line 65 of file ssl_utils.cpp.

65 {
66 strncpy(buf, static_cast<char*>(u), static_cast<std::size_t>(size));
67 buf[size - 1] = '\0';
68
69 memset(u, 0, ::strlen(static_cast<char*>(u))); // garble Password
70 free(u);
71
72 return static_cast<int>(std::strlen(buf));
73 }

Referenced by ssl_ctx_new().

Here is the caller graph for this function:

◆ ssl_ctx_free()

void core::socket::stream::tls::ssl_ctx_free ( SSL_CTX * ctx)

Definition at line 266 of file ssl_utils.cpp.

266 {
267 if (ctx != nullptr) {
268 SSL_CTX_free(ctx);
269 }
270 }

Referenced by net::config::stream::tls::ConfigSocketServer< net::in6::stream::config::ConfigSocketServer >::getSniCtx(), and net::config::stream::tls::ConfigSocketServer< net::in6::stream::config::ConfigSocketServer >::~ConfigSocketServer().

Here is the caller graph for this function:

◆ ssl_ctx_new()

SSL_CTX * core::socket::stream::tls::ssl_ctx_new ( const SslConfig & sslConfig)

Definition at line 114 of file ssl_utils.cpp.

114 {
115 static int sslSessionCtxId = 1;
116
117 SSL_CTX* ctx = SSL_CTX_new(sslConfig.server ? TLS_server_method() : TLS_client_method());
118
119 if (ctx != nullptr) {
120 SSL_CTX_set_read_ahead(ctx, 1);
121
122 SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
123 SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
124
125 bool sslErr = false;
126
127 if (sslConfig.server) {
128 SSL_CTX_set_session_id_context(ctx, reinterpret_cast<const unsigned char*>(&sslSessionCtxId), sizeof(sslSessionCtxId));
129 sslSessionCtxId++;
130 }
131 if (!sslConfig.caCert.empty() || !sslConfig.caCertDir.empty()) {
132 if (SSL_CTX_load_verify_locations(ctx,
133 !sslConfig.caCert.empty() ? sslConfig.caCert.c_str() : nullptr,
134 !sslConfig.caCertDir.empty() ? sslConfig.caCertDir.c_str() : nullptr) == 0) {
135 ssl_log_error(sslConfig.instanceName + " SSL/TLS: CA certificate error loading file '" + sslConfig.caCert + "', dir '" +
136 sslConfig.caCertDir + "'");
137 sslErr = true;
138 } else {
139 if (!sslConfig.caCert.empty()) {
140 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA certificate loaded";
141 LOG(TRACE) << " " << sslConfig.caCert;
142 } else {
143 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA certificate not loaded from a file";
144 }
145 if (!sslConfig.caCertDir.empty()) {
146 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA certificates load from";
147 LOG(TRACE) << " " << sslConfig.caCertDir;
148 } else {
149 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA certificates not loaded from a directory";
150 }
151 }
152 } else {
153 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA certificate not loaded from a file";
154 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA certificates not loaded from a directory";
155 }
156 if (!sslErr && sslConfig.caCertUseDefaultDir) {
157 if (SSL_CTX_set_default_verify_paths(ctx) == 0) {
158 ssl_log_error(sslConfig.instanceName + " SSL/TLS: CA certificates error load from default openssl CA directory");
159 sslErr = true;
160 } else {
161 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA certificates enabled load from default openssl CA directory";
162 }
163 } else {
164 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA certificates not loaded from default openssl CA directory";
165 }
166 if (!sslErr) {
167 SSL_CTX_set_verify_depth(ctx, 5);
168 SSL_CTX_set_verify(ctx,
169 (sslConfig.caCertAcceptUnknown ? SSL_VERIFY_NONE
170 : (!sslConfig.caCert.empty() || !sslConfig.caCertDir.empty() || sslConfig.caCertUseDefaultDir)
171 ? SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
172 : 0),
173 verify_callback);
174 if ((SSL_CTX_get_verify_mode(ctx) & SSL_VERIFY_PEER) != 0) {
175 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: CA requested verify";
176 }
177 if (!sslConfig.cert.empty()) {
178 if (SSL_CTX_use_certificate_chain_file(ctx, sslConfig.cert.c_str()) == 0) {
179 ssl_log_error(sslConfig.instanceName + " SSL/TLS: Cert chain error loading from file '" + sslConfig.cert + "'");
180 sslErr = true;
181 } else if (!sslConfig.certKey.empty()) {
182 if (!sslConfig.password.empty()) {
183 SSL_CTX_set_default_passwd_cb(ctx, password_callback);
184 SSL_CTX_set_default_passwd_cb_userdata(ctx, ::strdup(sslConfig.password.c_str()));
185 }
186 if (SSL_CTX_use_PrivateKey_file(ctx, sslConfig.certKey.c_str(), SSL_FILETYPE_PEM) == 0) {
187 ssl_log_error(sslConfig.instanceName + " SSL/TLS: Cert chain key error loading file '" + sslConfig.certKey +
188 "'");
189 sslErr = true;
190 } else if (SSL_CTX_check_private_key(ctx) != 1) {
191 ssl_log_error(sslConfig.instanceName + " SSL/TLS: Cert chain key error");
192
193 LOG(TRACE) << " " << sslConfig.certKey;
194 sslErr = true;
195 } else {
196 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: Cert chain key loaded";
197 LOG(TRACE) << " " << sslConfig.certKey;
198
199 LOG(TRACE) << sslConfig.instanceName << " SSL/TLS: Cert chain loaded";
200 LOG(TRACE) << " " << sslConfig.cert;
201 }
202 }
203 }
204 }
205 if (!sslErr) {
206 if (sslConfig.sslOptions != 0) {
207 SSL_CTX_set_options(ctx, sslConfig.sslOptions);
208 }
209 if (!sslConfig.cipherList.empty()) {
210 SSL_CTX_set_cipher_list(ctx, sslConfig.cipherList.c_str());
211 }
212 } else {
213 SSL_CTX_free(ctx);
214 ctx = nullptr;
215 }
216 }
217
218 return ctx;
219 }
core::socket::stream::tls::verify_callback
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
Definition ssl_utils.cpp:75
core::socket::stream::tls::password_callback
static int password_callback(char *buf, int size, int a, void *u)
Definition ssl_utils.cpp:65
core::socket::stream::tls::ssl_log_error
void ssl_log_error(const std::string &message)
Definition ssl_utils.cpp:341

References core::socket::stream::tls::SslConfig::caCert, core::socket::stream::tls::SslConfig::caCertAcceptUnknown, core::socket::stream::tls::SslConfig::caCertDir, core::socket::stream::tls::SslConfig::caCertUseDefaultDir, core::socket::stream::tls::SslConfig::cert, core::socket::stream::tls::SslConfig::certKey, core::socket::stream::tls::SslConfig::cipherList, core::socket::stream::tls::SslConfig::instanceName, core::socket::stream::tls::SslConfig::password, password_callback(), core::socket::stream::tls::SslConfig::server, ssl_log_error(), core::socket::stream::tls::SslConfig::sslOptions, and verify_callback().

Referenced by net::config::stream::tls::ConfigSocketClient< ConfigSocketClientBaseT >::getSslCtx(), and net::config::stream::tls::ConfigSocketServer< ConfigSocketServerBaseT >::getSslCtx().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ ssl_get_sans()

std::map< std::string, SSL_CTX * > core::socket::stream::tls::ssl_get_sans ( SSL_CTX * sslCtx)

Definition at line 221 of file ssl_utils.cpp.

221 {
222 std::map<std::string, SSL_CTX*> sans;
223
224 if (sslCtx != nullptr) {
225 X509* x509 = SSL_CTX_get0_certificate(sslCtx);
226 if (x509 != nullptr) {
227 GENERAL_NAMES* subjectAltNames =
228 static_cast<GENERAL_NAMES*>(X509_get_ext_d2i(x509, NID_subject_alt_name, nullptr, nullptr));
229
230 const int32_t altNameCount = sk_GENERAL_NAME_num(subjectAltNames);
231
232 for (int32_t i = 0; i < altNameCount; ++i) {
233 GENERAL_NAME* generalName = sk_GENERAL_NAME_value(subjectAltNames, i);
234 if (generalName->type == GEN_DNS || generalName->type == GEN_URI || generalName->type == GEN_EMAIL) {
235 const std::string subjectAltName =
236 std::string(reinterpret_cast<const char*>(ASN1_STRING_get0_data(generalName->d.dNSName)),
237 static_cast<std::size_t>(ASN1_STRING_length(generalName->d.dNSName)));
238 sans.insert({subjectAltName, sslCtx});
239 }
240 }
241
242 sk_GENERAL_NAME_pop_free(subjectAltNames, GENERAL_NAME_free);
243 }
244 }
245
246 return sans;
247 }

Referenced by net::config::stream::tls::ConfigSocketServer< ConfigSocketServerBaseT >::getSslCtx().

Here is the caller graph for this function:

◆ ssl_get_servername_from_client_hello()

std::string core::socket::stream::tls::ssl_get_servername_from_client_hello ( SSL * ssl)

Definition at line 273 of file ssl_utils.cpp.

273 {
274 const unsigned char* ext = nullptr;
275 size_t ext_len = 0;
276 size_t p = 0;
277 size_t server_name_list_len = 0;
278 size_t server_name_len = 0;
279
280 if (SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &ext, &ext_len) == 0) {
281 return "";
282 }
283
284 /* length (2 bytes) + type (1) + length (2) + server name (1+) */
285 if (ext_len < 6) {
286 return "";
287 }
288
289 /* Fetch Server Name list length */
290 server_name_list_len = static_cast<size_t>((ext[p] << 8) + ext[p + 1]);
291 p += 2;
292 if (p + server_name_list_len != ext_len) {
293 return "";
294 }
295
296 /* Fetch Server Name Type */
297 if (ext[p] != TLSEXT_NAMETYPE_host_name) {
298 return "";
299 }
300 p++;
301
302 /* Fetch Server Name Length */
303 server_name_len = static_cast<size_t>((ext[p] << 8) + ext[p + 1]);
304 p += 2;
305 if (p + server_name_len != ext_len) {
306 return "";
307 }
308
309 /* ext_len >= 6 && p == 5 */
310
311 /* Finally fetch Server Name */
312
313 return std::string(reinterpret_cast<const char*>(ext + p), ext_len - p);
314 }

Referenced by core::socket::stream::tls::SocketAcceptor< PhysicalSocketServerT, ConfigT >::clientHelloCallback().

Here is the caller graph for this function:

◆ ssl_log()

void core::socket::stream::tls::ssl_log ( const std::string & message,
int sslErr )

Definition at line 316 of file ssl_utils.cpp.

316 {
317 const utils::PreserveErrno preserveErrno;
318
319 switch (sslErr) {
320 case SSL_ERROR_NONE:
321 [[fallthrough]];
322 case SSL_ERROR_ZERO_RETURN:
323 ssl_log_info(message);
324 break;
325 case SSL_ERROR_SYSCALL:
326 if (errno != 0) {
327 ssl_log_error(message);
328 } else {
329 ssl_log_info(message);
330 }
331 break;
332 case SSL_ERROR_SSL:
333 ssl_log_error(message);
334 break;
335 default:
336 ssl_log_warning(message);
337 break;
338 }
339 }
core::socket::stream::tls::ssl_log_warning
void ssl_log_warning(const std::string &message)
Definition ssl_utils.cpp:351
core::socket::stream::tls::ssl_log_info
void ssl_log_info(const std::string &message)
Definition ssl_utils.cpp:361

References ssl_log_error(), ssl_log_info(), and ssl_log_warning().

Referenced by core::socket::stream::tls::SocketReader::read(), and core::socket::stream::tls::SocketWriter::write().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ ssl_log_error()

void core::socket::stream::tls::ssl_log_error ( const std::string & message)

Definition at line 341 of file ssl_utils.cpp.

341 {
342 LOG(ERROR) << message;
343 LOG(ERROR) << " " << ERR_error_string(ERR_get_error(), nullptr);
344
345 unsigned long errorCode = 0;
346 while ((errorCode = ERR_get_error()) != 0) {
347 LOG(ERROR) << " " << ERR_error_string(errorCode, nullptr);
348 }
349 }

Referenced by ssl_ctx_new(), and ssl_log().

Here is the caller graph for this function:

◆ ssl_log_info()

void core::socket::stream::tls::ssl_log_info ( const std::string & message)

Definition at line 361 of file ssl_utils.cpp.

361 {
362 LOG(INFO) << message;
363 LOG(INFO) << " " << ERR_error_string(ERR_get_error(), nullptr);
364
365 unsigned long errorCode = 0;
366 while ((errorCode = ERR_get_error()) != 0) {
367 LOG(INFO) << " " << ERR_error_string(errorCode, nullptr);
368 }
369 }

Referenced by ssl_log().

Here is the caller graph for this function:

◆ ssl_log_warning()

void core::socket::stream::tls::ssl_log_warning ( const std::string & message)

Definition at line 351 of file ssl_utils.cpp.

351 {
352 LOG(WARNING) << message;
353 LOG(WARNING) << " " << ERR_error_string(ERR_get_error(), nullptr);
354
355 unsigned long errorCode = 0;
356 while ((errorCode = ERR_get_error()) != 0) {
357 LOG(WARNING) << " " << ERR_error_string(errorCode, nullptr);
358 }
359 }

Referenced by ssl_log().

Here is the caller graph for this function:

◆ ssl_set_sni()

void core::socket::stream::tls::ssl_set_sni ( SSL * ssl,
const std::string & sni )

Definition at line 249 of file ssl_utils.cpp.

249 {
250 if (!sni.empty()) {
251 SSL_set_tlsext_host_name(ssl, sni.data());
252 }
253 }

◆ ssl_set_ssl_ctx()

SSL_CTX * core::socket::stream::tls::ssl_set_ssl_ctx ( SSL * ssl,
SSL_CTX * sslCtx )

Definition at line 255 of file ssl_utils.cpp.

255 {
256 SSL_CTX* newSslCtx = SSL_set_SSL_CTX(ssl, sslCtx);
257 SSL_clear_options(ssl, 0xFFFFFFFFL);
258 SSL_set_options(ssl, SSL_CTX_get_options(sslCtx));
259 SSL_set_verify(ssl, SSL_CTX_get_verify_mode(sslCtx), SSL_CTX_get_verify_callback(sslCtx));
260 SSL_set_verify_depth(ssl, SSL_CTX_get_verify_depth(sslCtx));
261 SSL_set_mode(ssl, SSL_CTX_get_mode(sslCtx));
262
263 return newSslCtx;
264 }

Referenced by core::socket::stream::tls::SocketAcceptor< PhysicalSocketServerT, ConfigT >::clientHelloCallback().

Here is the caller graph for this function:

◆ verify_callback()

int core::socket::stream::tls::verify_callback ( int preverify_ok,
X509_STORE_CTX * ctx )
static

Definition at line 75 of file ssl_utils.cpp.

75 {
76 SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
77
78 const std::string connectionName = *static_cast<std::string*>(SSL_get_ex_data(ssl, 0));
79
80 X509* curr_cert = X509_STORE_CTX_get_current_cert(ctx);
81 const int depth = X509_STORE_CTX_get_error_depth(ctx);
82
83 char subjectName[256];
84 X509_NAME_oneline(X509_get_subject_name(curr_cert), subjectName, 256);
85
86 char issuerName[256];
87 X509_NAME_oneline(X509_get_issuer_name(curr_cert), issuerName, 256);
88
89 if (preverify_ok != 0) {
90 LOG(DEBUG) << connectionName << ": SSL/TLS verify success at depth=" << depth;
91 LOG(DEBUG) << " Issuer: " << issuerName;
92 LOG(DEBUG) << " Subject: " << subjectName;
93 } else {
94 const int err = X509_STORE_CTX_get_error(ctx);
95
96 LOG(DEBUG) << connectionName << ": SSL/TLS verify error at depth=" << depth << ": " << X509_verify_cert_error_string(err);
97 LOG(DEBUG) << " Issuer: " << issuerName;
98 LOG(DEBUG) << " Subject: " << subjectName;
99
100 /*
101 * At this point, err contains the last verification error. We can use
102 * it for something special and set preverify_ok to 1 in case an unsafe connection
103 * shall be used.
104 */
105 }
106
107 return preverify_ok;
108 }

Referenced by ssl_ctx_new().

Here is the caller graph for this function: