SNode.C
Loading...
Searching...
No Matches
ConfigSocketServer.hpp
Go to the documentation of this file.
1/*
2 * SNode.C - A Slim Toolkit for Network Communication
3 * Copyright (C) Volker Christian <me@vchrist.at>
4 * 2020, 2021, 2022, 2023, 2024, 2025
5 *
6 * This program is free software: you can redistribute it and/or modify
7 * it under the terms of the GNU Lesser General Public License as published
8 * by the Free Software Foundation, either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public License
17 * along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20/*
21 * MIT License
22 *
23 * Permission is hereby granted, free of charge, to any person obtaining a copy
24 * of this software and associated documentation files (the "Software"), to deal
25 * in the Software without restriction, including without limitation the rights
26 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
27 * copies of the Software, and to permit persons to whom the Software is
28 * furnished to do so, subject to the following conditions:
29 *
30 * The above copyright notice and this permission notice shall be included in
31 * all copies or substantial portions of the Software.
32 *
33 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
34 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
35 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
36 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
37 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
38 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39 * THE SOFTWARE.
40 */
41
42#include "net/config/stream/tls/ConfigSocketServer.h"
43
44#ifndef DOXYGEN_SHOULD_SKIP_THIS
45
46#include "log/Logger.h"
47
48#include <algorithm>
49#include <list>
50#include <openssl/ssl.h>
51#include <variant>
52
53#endif // DOXYGEN_SHOULD_SKIP_THIS
54
55namespace net::config::stream::tls {
56
57 template <typename ConfigSocketServerBase>
58 ConfigSocketServer<ConfigSocketServerBase>::ConfigSocketServer(const std::string& name)
59 : net::config::ConfigInstance(name, net::config::ConfigInstance::Role::SERVER)
60 , ConfigSocketServerBase(this)
61 , net::config::ConfigTlsServer(this) {
62 }
63
64 template <typename ConfigSocketServerBase>
65 ConfigSocketServer<ConfigSocketServerBase>::~ConfigSocketServer() {
66 if (sslCtx != nullptr) {
67 core::socket::stream::tls::ssl_ctx_free(sslCtx);
68 }
69
70 for (SSL_CTX* sniCtx : sniCtxs) {
71 if (sniCtx != nullptr) {
72 core::socket::stream::tls::ssl_ctx_free(sniCtx);
73 }
74 }
75 }
76
77 template <typename ConfigSocketServerBase>
78 SSL_CTX* ConfigSocketServer<ConfigSocketServerBase>::getSslCtx() {
79 if (sslCtx == nullptr) {
80 core::socket::stream::tls::SslConfig sslConfig(true);
81
82 sslConfig.instanceName = getInstanceName();
83
84 sslConfig.cert = getCert();
85 sslConfig.certKey = getCertKey();
86 sslConfig.password = getCertKeyPassword();
87 sslConfig.caCert = getCaCert();
88 sslConfig.caCertDir = getCaCertDir();
89 sslConfig.cipherList = getCipherList();
90 sslConfig.sslOptions = getSslOptions();
91 sslConfig.caCertUseDefaultDir = getCaCertUseDefaultDir();
92 sslConfig.caCertAcceptUnknown = getCaCertAcceptUnknown();
93
94 sslCtx = core::socket::stream::tls::ssl_ctx_new(sslConfig);
95 }
96
97 if (sniCtxMap.empty()) {
98 std::map<std::string, SSL_CTX*> sslSans = core::socket::stream::tls::ssl_get_sans(sslCtx);
99
100 sniCtxMap.insert(sslSans.begin(), sslSans.end());
101
102 for (const auto& [sni, ctx] : sniCtxMap) {
103 LOG(TRACE) << getInstanceName() << " SSL/TLS: SSL_CTX (M) sni for '" << sni << "' from master certificate installed";
104 }
105
106 for (const auto& [domain, sniCertConf] : getSniCerts()) {
107 if (!domain.empty()) {
108 core::socket::stream::tls::SslConfig sslConfig(true);
109
110 sslConfig.instanceName = getInstanceName();
111
112 for (const auto& [key, value] : sniCertConf) {
113 if (key == "Cert") {
114 sslConfig.cert = std::get<std::string>(value);
115 } else if (key == "CertKey") {
116 sslConfig.certKey = std::get<std::string>(value);
117 } else if (key == "CertKeyPassword") {
118 sslConfig.password = std::get<std::string>(value);
119 } else if (key == "CaCert") {
120 sslConfig.caCert = std::get<std::string>(value);
121 } else if (key == "CaCertDir") {
122 sslConfig.caCertDir = std::get<std::string>(value);
123 } else if (key == "CaCertUseDefaultDir") {
124 sslConfig.caCertUseDefaultDir = std::get<bool>(value);
125 } else if (key == "CaCertAcceptUnknown") {
126 sslConfig.caCertAcceptUnknown = std::get<bool>(value);
127 } else if (key == "CipherList") {
128 sslConfig.cipherList = std::get<std::string>(value);
129 } else if (key == "SslOptions") {
130 sslConfig.sslOptions = std::get<ssl_option_t>(value);
131 }
132 }
133
134 SSL_CTX* newCtx = core::socket::stream::tls::ssl_ctx_new(sslConfig);
135
136 if (newCtx != nullptr) {
137 sniCtxs.push_back(newCtx);
138 sniCtxMap.insert_or_assign(domain, newCtx);
139
140 LOG(TRACE) << getInstanceName() << " SSL/TLS: SSL_CTX (E) sni for '" << domain << "' explicitly installed";
141
142 for (const auto& [san, ctx] : core::socket::stream::tls::ssl_get_sans(newCtx)) {
143 sniCtxMap.insert_or_assign(san, ctx);
144
145 LOG(TRACE) << getInstanceName() << " SSL/TLS: SSL_CTX (S) sni for '" << san << "' from SAN installed";
146 }
147 } else {
148 LOG(WARNING) << getInstanceName() << " SSL/TLS: Can not create SNI_SSL_CTX for domain '" << domain << "'";
149 }
150 }
151 }
152 LOG(TRACE) << getInstanceName() << " SSL/TLS: SNI list result:";
153 for (const auto& [sni, ctx] : sniCtxMap) {
154 LOG(TRACE) << " " << sni;
155 }
156 }
157
158 return sslCtx;
159 }
160
161 template <typename ConfigSocketServerBase>
162 SSL_CTX* ConfigSocketServer<ConfigSocketServerBase>::getSniCtx(const std::string& serverNameIndication) {
163 LOG(TRACE) << getInstanceName() << " SSL/TLS SNI: Lookup for sni='" << serverNameIndication << "' in sni certificates";
164
165 SSL_CTX* sniCtx = nullptr;
166
167 std::map<std::string, SSL_CTX*>::iterator sniPairIt = std::find_if(
168 sniCtxMap.begin(), sniCtxMap.end(), [&serverNameIndication, this](const std::pair<std::string, SSL_CTX*>& sniPair) -> bool {
169 LOG(TRACE) << getInstanceName() << " SSL/TLS SNI: .. " << sniPair.first.c_str();
170 return core::socket::stream::tls::match(sniPair.first.c_str(), serverNameIndication.c_str());
171 });
172
173 if (sniPairIt != sniCtxMap.end()) {
174 LOG(TRACE) << getInstanceName() << " SSL/TLS SNI: found for " << serverNameIndication << " -> '" << sniPairIt->first << "'";
175 sniCtx = sniPairIt->second;
176 } else {
177 LOG(WARNING) << getInstanceName() << " SSL/TL SNI: not found for " << serverNameIndication;
178 }
179
180 return sniCtx;
181 }
182
183} // namespace net::config::stream::tls
net::config::ConfigInstance::getInstanceName
const std::string & getInstanceName() const
Definition ConfigInstance.cpp:110
net::config::ConfigTlsServer::getSniCerts
const std::map< std::string, std::map< std::string, std::variant< std::string, bool, ssl_option_t > > > & getSniCerts()
Definition ConfigTlsServer.cpp:173
net::config::ConfigTls::getCaCertDir
std::string getCaCertDir() const
Definition ConfigTls.cpp:191
net::config::ConfigTls::getCaCert
std::string getCaCert() const
Definition ConfigTls.cpp:179
net::config::ConfigTls::getCipherList
std::string getCipherList() const
Definition ConfigTls.cpp:227
net::config::ConfigTls::getSslOptions
ssl_option_t getSslOptions() const
Definition ConfigTls.cpp:239
net::config::ConfigTls::getCaCertAcceptUnknown
bool getCaCertAcceptUnknown() const
Definition ConfigTls.cpp:215
net::config::ConfigTls::getCaCertUseDefaultDir
bool getCaCertUseDefaultDir() const
Definition ConfigTls.cpp:203
net::config::ConfigTls::getCertKey
std::string getCertKey() const
Definition ConfigTls.cpp:155
net::config::ConfigTls::getCert
std::string getCert() const
Definition ConfigTls.cpp:143
net::config::ConfigTls::getCertKeyPassword
std::string getCertKeyPassword() const
Definition ConfigTls.cpp:167
net::config::stream::tls::ConfigSocketServer::getSniCtx
SSL_CTX * getSniCtx(const std::string &serverNameIndication)
Definition ConfigSocketServer.hpp:162
net::config::stream::tls::ConfigSocketServer::sniCtxMap
std::map< std::string, SSL_CTX * > sniCtxMap
Definition ConfigSocketServer.h:77
core::socket::stream::tls::match
bool match(const char *first, const char *second)
Definition ssl_utils.cpp:400
core::socket::stream::tls::ssl_ctx_free
void ssl_ctx_free(SSL_CTX *ctx)
Definition ssl_utils.cpp:295
core::socket::stream::tls::ssl_get_sans
std::map< std::string, SSL_CTX * > ssl_get_sans(SSL_CTX *sslCtx)
Definition ssl_utils.cpp:220
core::socket::stream::tls::ssl_ctx_new
SSL_CTX * ssl_ctx_new(const SslConfig &sslConfig)
Definition ssl_utils.cpp:113