SSLManager.cpp source code [ClickHouse/contrib/poco/NetSSL_OpenSSL/src/SSLManager.cpp]

1	//
2	// SSLManager.cpp
3	//
4	// Library: NetSSL_OpenSSL
5	// Package: SSLCore
6	// Module: SSLManager
7	//
8	// Copyright (c) 2006-2010, Applied Informatics Software Engineering GmbH.
9	// and Contributors.
10	//
11	// SPDX-License-Identifier: BSL-1.0
12	//
13
14
15	#include "Poco/Net/SSLManager.h"
16	#include "Poco/Net/Context.h"
17	#include "Poco/Net/Utility.h"
18	#include "Poco/Net/PrivateKeyPassphraseHandler.h"
19	#include "Poco/Net/RejectCertificateHandler.h"
20	#include "Poco/Crypto/OpenSSLInitializer.h"
21	#include "Poco/Net/SSLException.h"
22	#include "Poco/SingletonHolder.h"
23	#include "Poco/Delegate.h"
24	#include "Poco/StringTokenizer.h"
25	#include "Poco/Util/Application.h"
26	#include "Poco/Util/OptionException.h"
27
28
29	namespace Poco {
30	namespace Net {
31
32
33	const std::string SSLManager::CFG_PRIV_KEY_FILE("privateKeyFile");
34	const std::string SSLManager::CFG_CERTIFICATE_FILE("certificateFile");
35	const std::string SSLManager::CFG_CA_LOCATION("caConfig");
36	const std::string SSLManager::CFG_VER_MODE("verificationMode");
37	const Context::VerificationMode SSLManager::VAL_VER_MODE(Context::VERIFY_RELAXED);
38	const std::string SSLManager::CFG_VER_DEPTH("verificationDepth");
39	const int SSLManager::VAL_VER_DEPTH(`9`);
40	const std::string SSLManager::CFG_ENABLE_DEFAULT_CA("loadDefaultCAFile");
41	const bool SSLManager::VAL_ENABLE_DEFAULT_CA(true);
42	const std::string SSLManager::CFG_CIPHER_LIST("cipherList");
43	const std::string SSLManager::CFG_CYPHER_LIST("cypherList");
44	const std::string SSLManager::VAL_CIPHER_LIST("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
45	const std::string SSLManager::CFG_PREFER_SERVER_CIPHERS("preferServerCiphers");
46	const std::string SSLManager::CFG_DELEGATE_HANDLER("privateKeyPassphraseHandler.name");
47	const std::string SSLManager::VAL_DELEGATE_HANDLER("KeyConsoleHandler");
48	const std::string SSLManager::CFG_CERTIFICATE_HANDLER("invalidCertificateHandler.name");
49	const std::string SSLManager::VAL_CERTIFICATE_HANDLER("ConsoleCertificateHandler");
50	const std::string SSLManager::CFG_SERVER_PREFIX("openSSL.server.");
51	const std::string SSLManager::CFG_CLIENT_PREFIX("openSSL.client.");
52	const std::string SSLManager::CFG_CACHE_SESSIONS("cacheSessions");
53	const std::string SSLManager::CFG_SESSION_ID_CONTEXT("sessionIdContext");
54	const std::string SSLManager::CFG_SESSION_CACHE_SIZE("sessionCacheSize");
55	const std::string SSLManager::CFG_SESSION_TIMEOUT("sessionTimeout");
56	const std::string SSLManager::CFG_EXTENDED_VERIFICATION("extendedVerification");
57	const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
58	const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
59	const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
60	const std::string SSLManager::CFG_DISABLE_PROTOCOLS("disableProtocols");
61	const std::string SSLManager::CFG_DH_PARAMS_FILE("dhParamsFile");
62	const std::string SSLManager::CFG_ECDH_CURVE("ecdhCurve");
63	#ifdef OPENSSL_FIPS
64	const std::string SSLManager::CFG_FIPS_MODE("openSSL.fips");
65	const bool SSLManager::VAL_FIPS_MODE(false);
66	#endif
67
68
69	SSLManager::SSLManager()
70	{
71	}
72
73
74	SSLManager::~SSLManager()
75	{
76	try
77	{
78	shutdown();
79	}
80	catch (...)
81	{
82	poco_unexpected();
83	}
84	}
85
86
87	void SSLManager::shutdown()
88	{
89	PrivateKeyPassphraseRequired.clear();
90	ClientVerificationError.clear();
91	ServerVerificationError.clear();
92	_ptrDefaultServerContext = `0`;
93	_ptrDefaultClientContext = `0`;
94	}
95
96
97	namespace
98	{
99	static Poco::SingletonHolder<SSLManager> singleton;
100	}
101
102
103	SSLManager& SSLManager::instance()
104	{
105	return *singleton.get();
106	}
107
108
109	void SSLManager::initializeServer(PrivateKeyPassphraseHandlerPtr ptrPassphraseHandler, InvalidCertificateHandlerPtr ptrHandler, Context::Ptr ptrContext)
110	{
111	_ptrServerPassphraseHandler = ptrPassphraseHandler;
112	_ptrServerCertificateHandler = ptrHandler;
113	_ptrDefaultServerContext = ptrContext;
114	}
115
116
117	void SSLManager::initializeClient(PrivateKeyPassphraseHandlerPtr ptrPassphraseHandler, InvalidCertificateHandlerPtr ptrHandler, Context::Ptr ptrContext)
118	{
119	_ptrClientPassphraseHandler = ptrPassphraseHandler;
120	_ptrClientCertificateHandler = ptrHandler;
121	_ptrDefaultClientContext = ptrContext;
122	}
123
124
125	Context::Ptr SSLManager::defaultServerContext()
126	{
127	Poco::FastMutex::ScopedLock lock(_mutex);
128
129	if (!_ptrDefaultServerContext)
130	initDefaultContext(true);
131
132	return _ptrDefaultServerContext;
133	}
134
135
136	Context::Ptr SSLManager::defaultClientContext()
137	{
138	Poco::FastMutex::ScopedLock lock(_mutex);
139
140	if (!_ptrDefaultClientContext)
141	{
142	try
143	{
144	initDefaultContext(false);
145	}
146	catch (Poco::IllegalStateException&)
147	{
148	_ptrClientCertificateHandler = new RejectCertificateHandler (false);
149	_ptrDefaultClientContext = new Context (Context::CLIENT_USE, "", Context::VERIFY_RELAXED, `9`, true);
150	_ptrDefaultClientContext ->disableProtocols(Context::PROTO_SSLV2 \| Context::PROTO_SSLV3);
151	}
152	}
153
154	return _ptrDefaultClientContext;
155	}
156
157
158	SSLManager::PrivateKeyPassphraseHandlerPtr SSLManager::serverPassphraseHandler()
159	{
160	Poco::FastMutex::ScopedLock lock(_mutex);
161
162	if (!_ptrServerPassphraseHandler)
163	initPassphraseHandler(true);
164
165	return _ptrServerPassphraseHandler;
166	}
167
168
169	SSLManager::PrivateKeyPassphraseHandlerPtr SSLManager::clientPassphraseHandler()
170	{
171	Poco::FastMutex::ScopedLock lock(_mutex);
172
173	if (!_ptrClientPassphraseHandler)
174	initPassphraseHandler(false);
175
176	return _ptrClientPassphraseHandler;
177	}
178
179
180	SSLManager::InvalidCertificateHandlerPtr SSLManager::serverCertificateHandler()
181	{
182	Poco::FastMutex::ScopedLock lock(_mutex);
183
184	if (!_ptrServerCertificateHandler)
185	initCertificateHandler(true);
186
187	return _ptrServerCertificateHandler;
188	}
189
190
191	SSLManager::InvalidCertificateHandlerPtr SSLManager::clientCertificateHandler()
192	{
193	Poco::FastMutex::ScopedLock lock(_mutex);
194
195	if (!_ptrClientCertificateHandler)
196	initCertificateHandler(false);
197
198	return _ptrClientCertificateHandler;
199	}
200
201
202	int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
203	{
204	if (!ok)
205	{
206	X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
207	X509Certificate x509(pCert, true);
208	int depth = X509_STORE_CTX_get_error_depth(pStore);
209	int err = X509_STORE_CTX_get_error(pStore);
210	std::string error(X509_verify_cert_error_string(err));
211	VerificationErrorArgs args(x509, depth, err, error);
212	if (server)
213	SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
214	else
215	SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
216	ok = args.getIgnoreError() ? `1` : `0`;
217	}
218
219	return ok;
220	}
221
222
223	int SSLManager::privateKeyPassphraseCallback(char* pBuf, int size, int flag, void* userData)
224	{
225	std::string pwd;
226	SSLManager::instance().PrivateKeyPassphraseRequired.notify(&SSLManager::instance(), pwd);
227
228	strncpy(pBuf, (char *)(pwd.c_str()), size);
229	pBuf[size - `1`] = `'\0'`;
230	if (size > pwd.length())
231	size = (int) pwd.length();
232
233	return size;
234	}
235
236
237	void SSLManager::initDefaultContext(bool server)
238	{
239	if (server && _ptrDefaultServerContext) return;
240	if (!server && _ptrDefaultClientContext) return;
241
242	Poco::Crypto::OpenSSLInitializer openSSLInitializer;
243	initEvents(server);
244	Poco::Util::AbstractConfiguration& config = appConfig();
245
246	#ifdef OPENSSL_FIPS
247	bool fipsEnabled = config.getBool(CFG_FIPS_MODE, VAL_FIPS_MODE);
248	if (fipsEnabled && !Poco::Crypto::OpenSSLInitializer::isFIPSEnabled())
249	{
250	Poco::Crypto::OpenSSLInitializer::enableFIPSMode(true);
251	}
252	#endif
253
254	std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
255
256	Context::Params params;
257	// mandatory options
258	params.privateKeyFile = config.getString(prefix + CFG_PRIV_KEY_FILE, "");
259	params.certificateFile = config.getString(prefix + CFG_CERTIFICATE_FILE, params.privateKeyFile);
260	params.caLocation = config.getString(prefix + CFG_CA_LOCATION, "");
261
262	if (server && params.certificateFile.empty() && params.privateKeyFile.empty())
263	throw SSLException ("Configuration error: no certificate file has been specified");
264
265	// optional options for which we have defaults defined
266	params.verificationMode = VAL_VER_MODE;
267	if (config.hasProperty(prefix + CFG_VER_MODE))
268	{
269	// either: none, relaxed, strict, once
270	std::string mode = config.getString(prefix + CFG_VER_MODE);
271	params.verificationMode = Utility::convertVerificationMode(mode);
272	}
273
274	params.verificationDepth = config.getInt(prefix + CFG_VER_DEPTH, VAL_VER_DEPTH);
275	params.loadDefaultCAs = config.getBool(prefix + CFG_ENABLE_DEFAULT_CA, VAL_ENABLE_DEFAULT_CA);
276	params.cipherList = config.getString(prefix + CFG_CIPHER_LIST, VAL_CIPHER_LIST);
277	params.cipherList = config.getString(prefix + CFG_CYPHER_LIST, params.cipherList); // for backwards compatibility
278	bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
279	bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
280	bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
281
282	params.dhParamsFile = config.getString(prefix + CFG_DH_PARAMS_FILE, "");
283	params.ecdhCurve = config.getString(prefix + CFG_ECDH_CURVE, "");
284
285	Context::Usage usage;
286
287	if (server)
288	{
289	if (requireTLSv1_2)
290	usage = Context::TLSV1_2_SERVER_USE;
291	else if (requireTLSv1_1)
292	usage = Context::TLSV1_1_SERVER_USE;
293	else if (requireTLSv1)
294	usage = Context::TLSV1_SERVER_USE;
295	else
296	usage = Context::SERVER_USE;
297	_ptrDefaultServerContext = new Context (usage, params);
298	}
299	else
300	{
301	if (requireTLSv1_2)
302	usage = Context::TLSV1_2_CLIENT_USE;
303	else if (requireTLSv1_1)
304	usage = Context::TLSV1_1_CLIENT_USE;
305	else if (requireTLSv1)
306	usage = Context::TLSV1_CLIENT_USE;
307	else
308	usage = Context::CLIENT_USE;
309	_ptrDefaultClientContext = new Context (usage, params);
310	}
311
312	std::string disabledProtocolsList = config.getString(prefix + CFG_DISABLE_PROTOCOLS, "");
313	Poco::StringTokenizer dpTok(disabledProtocolsList, ";,", Poco::StringTokenizer::TOK_TRIM \| Poco::StringTokenizer::TOK_IGNORE_EMPTY);
314	int disabledProtocols = `0`;
315	for (Poco::StringTokenizer::Iterator it = dpTok.begin(); it != dpTok.end(); ++it)
316	{
317	if (*it == "sslv2")
318	disabledProtocols \|= Context::PROTO_SSLV2;
319	else if (*it == "sslv3")
320	disabledProtocols \|= Context::PROTO_SSLV3;
321	else if (*it == "tlsv1")
322	disabledProtocols \|= Context::PROTO_TLSV1;
323	else if (*it == "tlsv1_1")
324	disabledProtocols \|= Context::PROTO_TLSV1_1;
325	else if (*it == "tlsv1_2")
326	disabledProtocols \|= Context::PROTO_TLSV1_2;
327	}
328	if (server)
329	_ptrDefaultServerContext ->disableProtocols(disabledProtocols);
330	else
331	_ptrDefaultClientContext ->disableProtocols(disabledProtocols);
332
333	bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false);
334	if (server)
335	{
336	std::string sessionIdContext = config.getString(prefix + CFG_SESSION_ID_CONTEXT, config.getString("application.name", ""));
337	_ptrDefaultServerContext ->enableSessionCache(cacheSessions, sessionIdContext);
338	if (config.hasProperty(prefix + CFG_SESSION_CACHE_SIZE))
339	{
340	int cacheSize = config.getInt(prefix + CFG_SESSION_CACHE_SIZE);
341	_ptrDefaultServerContext ->setSessionCacheSize(cacheSize);
342	}
343	if (config.hasProperty(prefix + CFG_SESSION_TIMEOUT))
344	{
345	int timeout = config.getInt(prefix + CFG_SESSION_TIMEOUT);
346	_ptrDefaultServerContext ->setSessionTimeout(timeout);
347	}
348	}
349	else
350	{
351	_ptrDefaultClientContext ->enableSessionCache(cacheSessions);
352	}
353	bool extendedVerification = config.getBool(prefix + CFG_EXTENDED_VERIFICATION, false);
354	if (server)
355	_ptrDefaultServerContext ->enableExtendedCertificateVerification(extendedVerification);
356	else
357	_ptrDefaultClientContext ->enableExtendedCertificateVerification(extendedVerification);
358
359	bool preferServerCiphers = config.getBool(prefix + CFG_PREFER_SERVER_CIPHERS, false);
360	if (preferServerCiphers)
361	{
362	if (server)
363	_ptrDefaultServerContext ->preferServerCiphers();
364	else
365	_ptrDefaultClientContext ->preferServerCiphers();
366	}
367	}
368
369
370	void SSLManager::initEvents(bool server)
371	{
372	initPassphraseHandler(server);
373	initCertificateHandler(server);
374	}
375
376
377	void SSLManager::initPassphraseHandler(bool server)
378	{
379	if (server && _ptrServerPassphraseHandler) return;
380	if (!server && _ptrClientPassphraseHandler) return;
381
382	std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
383	Poco::Util::AbstractConfiguration& config = appConfig();
384
385	std::string className(config.getString(prefix + CFG_DELEGATE_HANDLER, VAL_DELEGATE_HANDLER));
386
387	const PrivateKeyFactory* pFactory = `0`;
388	if (privateKeyFactoryMgr().hasFactory(className))
389	{
390	pFactory = privateKeyFactoryMgr().getFactory(className);
391	}
392
393	if (pFactory)
394	{
395	if (server)
396	_ptrServerPassphraseHandler = pFactory->create(server);
397	else
398	_ptrClientPassphraseHandler = pFactory->create(server);
399	}
400	else throw Poco::Util::UnknownOptionException (std::string ("No passphrase handler known with the name ") + className);
401	}
402
403
404	void SSLManager::initCertificateHandler(bool server)
405	{
406	if (server && _ptrServerCertificateHandler) return;
407	if (!server && _ptrClientCertificateHandler) return;
408
409	std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
410	Poco::Util::AbstractConfiguration& config = appConfig();
411
412	std::string className(config.getString(prefix +CFG_CERTIFICATE_HANDLER, VAL_CERTIFICATE_HANDLER));
413
414	const CertificateHandlerFactory* pFactory = `0`;
415	if (certificateHandlerFactoryMgr().hasFactory(className))
416	{
417	pFactory = certificateHandlerFactoryMgr().getFactory(className);
418	}
419
420	if (pFactory)
421	{
422	if (server)
423	_ptrServerCertificateHandler = pFactory->create(true);
424	else
425	_ptrClientCertificateHandler = pFactory->create(false);
426	}
427	else throw Poco::Util::UnknownOptionException (std::string ("No InvalidCertificate handler known with the name ") + className);
428	}
429
430
431	Poco::Util::AbstractConfiguration& SSLManager::appConfig()
432	{
433	try
434	{
435	return Poco::Util::Application::instance().config();
436	}
437	catch (Poco::NullPointerException&)
438	{
439	throw Poco::IllegalStateException (
440	"An application configuration is required to initialize the Poco::Net::SSLManager, "
441	"but no Poco::Util::Application instance is available."
442	);
443	}
444	}
445
446
447	void initializeSSL()
448	{
449	Poco::Crypto::initializeCrypto();
450	}
451
452
453	void uninitializeSSL()
454	{
455	SSLManager::instance().shutdown();
456	Poco::Crypto::uninitializeCrypto();
457	}
458
459
460	} } // namespace Poco::Net
461

Browse the source code of ClickHouse/contrib/poco/NetSSL_OpenSSL/src/SSLManager.cpp