SNode.C
Loading...
Searching...
No Matches
ConfigSocketServer.hpp
Go to the documentation of this file.
1/*
2 * SNode.C - a slim toolkit for network communication
3 * Copyright (C) Volker Christian <me@vchrist.at>
4 * 2020, 2021, 2022, 2023, 2024, 2025
5 *
6 * This program is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser General Public License as published
8 * by the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20#include "net/config/stream/tls/ConfigSocketServer.h"
21
22#ifndef DOXYGEN_SHOULD_SKIP_THIS
23
24#include "log/Logger.h"
25
26#include <algorithm>
27#include <list>
28#include <openssl/ssl.h>
29#include <variant>
30
31#endif // DOXYGEN_SHOULD_SKIP_THIS
32
33namespace net::config::stream::tls {
34
35 template <typename ConfigSocketServerBase>
41
42 template <typename ConfigSocketServerBase>
43 ConfigSocketServer<ConfigSocketServerBase>::~ConfigSocketServer() {
44 if (sslCtx != nullptr) {
45 core::socket::stream::tls::ssl_ctx_free(sslCtx);
46 }
47
48 for (SSL_CTX* sniCtx : sniCtxs) {
49 if (sniCtx != nullptr) {
50 core::socket::stream::tls::ssl_ctx_free(sniCtx);
51 }
52 }
53 }
54
55 template <typename ConfigSocketServerBase>
56 SSL_CTX* ConfigSocketServer<ConfigSocketServerBase>::getSslCtx() {
57 if (sslCtx == nullptr) {
58 core::socket::stream::tls::SslConfig sslConfig(true);
59
60 sslConfig.instanceName = getInstanceName();
61
62 sslConfig.cert = getCert();
63 sslConfig.certKey = getCertKey();
64 sslConfig.password = getCertKeyPassword();
65 sslConfig.caCert = getCaCert();
66 sslConfig.caCertDir = getCaCertDir();
67 sslConfig.cipherList = getCipherList();
68 sslConfig.sslOptions = getSslOptions();
69 sslConfig.caCertUseDefaultDir = getCaCertUseDefaultDir();
70 sslConfig.caCertAcceptUnknown = getCaCertAcceptUnknown();
71
72 sslCtx = core::socket::stream::tls::ssl_ctx_new(sslConfig);
73 }
74
75 if (sniCtxMap.empty()) {
76 std::map<std::string, SSL_CTX*> sslSans = core::socket::stream::tls::ssl_get_sans(sslCtx);
77
78 sniCtxMap.insert(sslSans.begin(), sslSans.end());
79
80 for (const auto& [sni, ctx] : sniCtxMap) {
81 LOG(TRACE) << getInstanceName() << " SSL/TLS: SSL_CTX (M) sni for '" << sni << "' from master certificate installed";
82 }
83
84 for (const auto& [domain, sniCertConf] : getSniCerts()) {
85 if (!domain.empty()) {
86 core::socket::stream::tls::SslConfig sslConfig(true);
87
88 sslConfig.instanceName = getInstanceName();
89
90 for (const auto& [key, value] : sniCertConf) {
91 if (key == "Cert") {
92 sslConfig.cert = std::get<std::string>(value);
93 } else if (key == "CertKey") {
94 sslConfig.certKey = std::get<std::string>(value);
95 } else if (key == "CertKeyPassword") {
96 sslConfig.password = std::get<std::string>(value);
97 } else if (key == "CaCert") {
98 sslConfig.caCert = std::get<std::string>(value);
99 } else if (key == "CaCertDir") {
100 sslConfig.caCertDir = std::get<std::string>(value);
101 } else if (key == "CaCertUseDefaultDir") {
102 sslConfig.caCertUseDefaultDir = std::get<bool>(value);
103 } else if (key == "CaCertAcceptUnknown") {
104 sslConfig.caCertAcceptUnknown = std::get<bool>(value);
105 } else if (key == "CipherList") {
106 sslConfig.cipherList = std::get<std::string>(value);
107 } else if (key == "SslOptions") {
108 sslConfig.sslOptions = std::get<ssl_option_t>(value);
109 }
110 }
111
112 SSL_CTX* newCtx = core::socket::stream::tls::ssl_ctx_new(sslConfig);
113
114 if (newCtx != nullptr) {
115 sniCtxs.push_back(newCtx);
116 sniCtxMap.insert_or_assign(domain, newCtx);
117
118 LOG(TRACE) << getInstanceName() << " SSL/TLS: SSL_CTX (E) sni for '" << domain << "' explicitly installed";
119
120 for (const auto& [san, ctx] : core::socket::stream::tls::ssl_get_sans(newCtx)) {
121 sniCtxMap.insert_or_assign(san, ctx);
122
123 LOG(TRACE) << getInstanceName() << " SSL/TLS: SSL_CTX (S) sni for '" << san << "' from SAN installed";
124 }
125 } else {
126 LOG(WARNING) << getInstanceName() << " SSL/TLS: Can not create SNI_SSL_CTX for domain '" << domain << "'";
127 }
128 }
129 }
130 LOG(TRACE) << getInstanceName() << " SSL/TLS: SNI list result:";
131 for (const auto& [sni, ctx] : sniCtxMap) {
132 LOG(TRACE) << " " << sni;
133 }
134 }
135
136 return sslCtx;
137 }
138
139 template <typename ConfigSocketServerBase>
140 SSL_CTX* ConfigSocketServer<ConfigSocketServerBase>::getSniCtx(const std::string& serverNameIndication) {
141 LOG(TRACE) << getInstanceName() << " SSL/TLS SNI: Lookup for sni='" << serverNameIndication << "' in sni certificates";
142
143 SSL_CTX* sniCtx = nullptr;
144
145 std::map<std::string, SSL_CTX*>::iterator sniPairIt = std::find_if(
146 sniCtxMap.begin(), sniCtxMap.end(), [&serverNameIndication, this](const std::pair<std::string, SSL_CTX*>& sniPair) -> bool {
147 LOG(TRACE) << getInstanceName() << " SSL/TLS SNI: .. " << sniPair.first.c_str();
148 return core::socket::stream::tls::match(sniPair.first.c_str(), serverNameIndication.c_str());
149 });
150
151 if (sniPairIt != sniCtxMap.end()) {
152 LOG(TRACE) << getInstanceName() << " SSL/TLS SNI: found for " << serverNameIndication << " -> '" << sniPairIt->first << "'";
153 sniCtx = sniPairIt->second;
154 } else {
155 LOG(WARNING) << getInstanceName() << " SSL/TL SNI: not found for " << serverNameIndication;
156 }
157
158 return sniCtx;
159 }
160
161} // namespace net::config::stream::tls