1//
2// SSLManager.cpp
3//
4// Library: NetSSL_OpenSSL
5// Package: SSLCore
6// Module: SSLManager
7//
8// Copyright (c) 2006-2010, Applied Informatics Software Engineering GmbH.
9// and Contributors.
10//
11// SPDX-License-Identifier: BSL-1.0
12//
13
14
15#include "Poco/Net/SSLManager.h"
16#include "Poco/Net/Context.h"
17#include "Poco/Net/Utility.h"
18#include "Poco/Net/PrivateKeyPassphraseHandler.h"
19#include "Poco/Net/RejectCertificateHandler.h"
20#include "Poco/Crypto/OpenSSLInitializer.h"
21#include "Poco/Net/SSLException.h"
22#include "Poco/SingletonHolder.h"
23#include "Poco/Delegate.h"
24#include "Poco/StringTokenizer.h"
25#include "Poco/Util/Application.h"
26#include "Poco/Util/OptionException.h"
27
28
29namespace Poco {
30namespace Net {
31
32
33const std::string SSLManager::CFG_PRIV_KEY_FILE("privateKeyFile");
34const std::string SSLManager::CFG_CERTIFICATE_FILE("certificateFile");
35const std::string SSLManager::CFG_CA_LOCATION("caConfig");
36const std::string SSLManager::CFG_VER_MODE("verificationMode");
37const Context::VerificationMode SSLManager::VAL_VER_MODE(Context::VERIFY_RELAXED);
38const std::string SSLManager::CFG_VER_DEPTH("verificationDepth");
39const int SSLManager::VAL_VER_DEPTH(9);
40const std::string SSLManager::CFG_ENABLE_DEFAULT_CA("loadDefaultCAFile");
41const bool SSLManager::VAL_ENABLE_DEFAULT_CA(true);
42const std::string SSLManager::CFG_CIPHER_LIST("cipherList");
43const std::string SSLManager::CFG_CYPHER_LIST("cypherList");
44const std::string SSLManager::VAL_CIPHER_LIST("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
45const std::string SSLManager::CFG_PREFER_SERVER_CIPHERS("preferServerCiphers");
46const std::string SSLManager::CFG_DELEGATE_HANDLER("privateKeyPassphraseHandler.name");
47const std::string SSLManager::VAL_DELEGATE_HANDLER("KeyConsoleHandler");
48const std::string SSLManager::CFG_CERTIFICATE_HANDLER("invalidCertificateHandler.name");
49const std::string SSLManager::VAL_CERTIFICATE_HANDLER("ConsoleCertificateHandler");
50const std::string SSLManager::CFG_SERVER_PREFIX("openSSL.server.");
51const std::string SSLManager::CFG_CLIENT_PREFIX("openSSL.client.");
52const std::string SSLManager::CFG_CACHE_SESSIONS("cacheSessions");
53const std::string SSLManager::CFG_SESSION_ID_CONTEXT("sessionIdContext");
54const std::string SSLManager::CFG_SESSION_CACHE_SIZE("sessionCacheSize");
55const std::string SSLManager::CFG_SESSION_TIMEOUT("sessionTimeout");
56const std::string SSLManager::CFG_EXTENDED_VERIFICATION("extendedVerification");
57const std::string SSLManager::CFG_REQUIRE_TLSV1("requireTLSv1");
58const std::string SSLManager::CFG_REQUIRE_TLSV1_1("requireTLSv1_1");
59const std::string SSLManager::CFG_REQUIRE_TLSV1_2("requireTLSv1_2");
60const std::string SSLManager::CFG_REQUIRE_TLSV1_3("requireTLSv1_3");
61const std::string SSLManager::CFG_DISABLE_PROTOCOLS("disableProtocols");
62const std::string SSLManager::CFG_DH_PARAMS_FILE("dhParamsFile");
63const std::string SSLManager::CFG_ECDH_CURVE("ecdhCurve");
64#ifdef OPENSSL_FIPS
65const std::string SSLManager::CFG_FIPS_MODE("openSSL.fips");
66const bool SSLManager::VAL_FIPS_MODE(false);
67#endif
68
69
70SSLManager::SSLManager()
71{
72}
73
74
75SSLManager::~SSLManager()
76{
77 try
78 {
79 shutdown();
80 }
81 catch (...)
82 {
83 poco_unexpected();
84 }
85}
86
87
88void SSLManager::shutdown()
89{
90 PrivateKeyPassphraseRequired.clear();
91 ClientVerificationError.clear();
92 ServerVerificationError.clear();
93 _ptrDefaultServerContext = 0;
94 _ptrDefaultClientContext = 0;
95}
96
97
98namespace
99{
100 static Poco::SingletonHolder<SSLManager> singleton;
101}
102
103
104SSLManager& SSLManager::instance()
105{
106 return *singleton.get();
107}
108
109
110void SSLManager::initializeServer(PrivateKeyPassphraseHandlerPtr ptrPassphraseHandler, InvalidCertificateHandlerPtr ptrHandler, Context::Ptr ptrContext)
111{
112 _ptrServerPassphraseHandler = ptrPassphraseHandler;
113 _ptrServerCertificateHandler = ptrHandler;
114 _ptrDefaultServerContext = ptrContext;
115}
116
117
118void SSLManager::initializeClient(PrivateKeyPassphraseHandlerPtr ptrPassphraseHandler, InvalidCertificateHandlerPtr ptrHandler, Context::Ptr ptrContext)
119{
120 _ptrClientPassphraseHandler = ptrPassphraseHandler;
121 _ptrClientCertificateHandler = ptrHandler;
122 _ptrDefaultClientContext = ptrContext;
123}
124
125
126Context::Ptr SSLManager::defaultServerContext()
127{
128 Poco::FastMutex::ScopedLock lock(_mutex);
129
130 if (!_ptrDefaultServerContext)
131 initDefaultContext(true);
132
133 return _ptrDefaultServerContext;
134}
135
136
137Context::Ptr SSLManager::defaultClientContext()
138{
139 Poco::FastMutex::ScopedLock lock(_mutex);
140
141 if (!_ptrDefaultClientContext)
142 {
143 try
144 {
145 initDefaultContext(false);
146 }
147 catch (Poco::IllegalStateException&)
148 {
149 _ptrClientCertificateHandler = new RejectCertificateHandler(false);
150 _ptrDefaultClientContext = new Context(Context::CLIENT_USE, "", Context::VERIFY_RELAXED, 9, true);
151 _ptrDefaultClientContext->disableProtocols(Context::PROTO_SSLV2 | Context::PROTO_SSLV3);
152 }
153 }
154
155 return _ptrDefaultClientContext;
156}
157
158
159SSLManager::PrivateKeyPassphraseHandlerPtr SSLManager::serverPassphraseHandler()
160{
161 Poco::FastMutex::ScopedLock lock(_mutex);
162
163 if (!_ptrServerPassphraseHandler)
164 initPassphraseHandler(true);
165
166 return _ptrServerPassphraseHandler;
167}
168
169
170SSLManager::PrivateKeyPassphraseHandlerPtr SSLManager::clientPassphraseHandler()
171{
172 Poco::FastMutex::ScopedLock lock(_mutex);
173
174 if (!_ptrClientPassphraseHandler)
175 initPassphraseHandler(false);
176
177 return _ptrClientPassphraseHandler;
178}
179
180
181SSLManager::InvalidCertificateHandlerPtr SSLManager::serverCertificateHandler()
182{
183 Poco::FastMutex::ScopedLock lock(_mutex);
184
185 if (!_ptrServerCertificateHandler)
186 initCertificateHandler(true);
187
188 return _ptrServerCertificateHandler;
189}
190
191
192SSLManager::InvalidCertificateHandlerPtr SSLManager::clientCertificateHandler()
193{
194 Poco::FastMutex::ScopedLock lock(_mutex);
195
196 if (!_ptrClientCertificateHandler)
197 initCertificateHandler(false);
198
199 return _ptrClientCertificateHandler;
200}
201
202
203int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
204{
205 if (!ok)
206 {
207 X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
208 X509Certificate x509(pCert, true);
209 int depth = X509_STORE_CTX_get_error_depth(pStore);
210 int err = X509_STORE_CTX_get_error(pStore);
211 std::string error(X509_verify_cert_error_string(err));
212 VerificationErrorArgs args(x509, depth, err, error);
213 if (server)
214 SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
215 else
216 SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
217 ok = args.getIgnoreError() ? 1 : 0;
218 }
219
220 return ok;
221}
222
223
224int SSLManager::privateKeyPassphraseCallback(char* pBuf, int size, int /*flag*/, void* /*userData*/)
225{
226 std::string pwd;
227 SSLManager::instance().PrivateKeyPassphraseRequired.notify(&SSLManager::instance(), pwd);
228
229 strncpy(pBuf, (char *)(pwd.c_str()), size);
230 pBuf[size - 1] = '\0';
231 if (size > pwd.length())
232 size = (int) pwd.length();
233
234 return size;
235}
236
237
238void SSLManager::initDefaultContext(bool server)
239{
240 if (server && _ptrDefaultServerContext) return;
241 if (!server && _ptrDefaultClientContext) return;
242
243 Poco::Crypto::OpenSSLInitializer openSSLInitializer;
244 initEvents(server);
245 Poco::Util::AbstractConfiguration& config = appConfig();
246
247#ifdef OPENSSL_FIPS
248 bool fipsEnabled = config.getBool(CFG_FIPS_MODE, VAL_FIPS_MODE);
249 if (fipsEnabled && !Poco::Crypto::OpenSSLInitializer::isFIPSEnabled())
250 {
251 Poco::Crypto::OpenSSLInitializer::enableFIPSMode(true);
252 }
253#endif
254
255 std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
256
257 Context::Params params;
258 // mandatory options
259 params.privateKeyFile = config.getString(prefix + CFG_PRIV_KEY_FILE, "");
260 params.certificateFile = config.getString(prefix + CFG_CERTIFICATE_FILE, params.privateKeyFile);
261 params.caLocation = config.getString(prefix + CFG_CA_LOCATION, "");
262
263 if (server && params.certificateFile.empty() && params.privateKeyFile.empty())
264 throw SSLException("Configuration error: no certificate file has been specified");
265
266 // optional options for which we have defaults defined
267 params.verificationMode = VAL_VER_MODE;
268 if (config.hasProperty(prefix + CFG_VER_MODE))
269 {
270 // either: none, relaxed, strict, once
271 std::string mode = config.getString(prefix + CFG_VER_MODE);
272 params.verificationMode = Utility::convertVerificationMode(mode);
273 }
274
275 params.verificationDepth = config.getInt(prefix + CFG_VER_DEPTH, VAL_VER_DEPTH);
276 params.loadDefaultCAs = config.getBool(prefix + CFG_ENABLE_DEFAULT_CA, VAL_ENABLE_DEFAULT_CA);
277 params.cipherList = config.getString(prefix + CFG_CIPHER_LIST, VAL_CIPHER_LIST);
278 params.cipherList = config.getString(prefix + CFG_CYPHER_LIST, params.cipherList); // for backwards compatibility
279 bool requireTLSv1 = config.getBool(prefix + CFG_REQUIRE_TLSV1, false);
280 bool requireTLSv1_1 = config.getBool(prefix + CFG_REQUIRE_TLSV1_1, false);
281 bool requireTLSv1_2 = config.getBool(prefix + CFG_REQUIRE_TLSV1_2, false);
282 bool requireTLSv1_3 = config.getBool(prefix + CFG_REQUIRE_TLSV1_3, false);
283
284 params.dhParamsFile = config.getString(prefix + CFG_DH_PARAMS_FILE, "");
285 params.ecdhCurve = config.getString(prefix + CFG_ECDH_CURVE, "");
286
287 Context::Usage usage;
288
289 if (server)
290 {
291 if (requireTLSv1_3)
292 usage = Context::TLSV1_3_SERVER_USE;
293 else if (requireTLSv1_2)
294 usage = Context::TLSV1_2_SERVER_USE;
295 else if (requireTLSv1_1)
296 usage = Context::TLSV1_1_SERVER_USE;
297 else if (requireTLSv1)
298 usage = Context::TLSV1_SERVER_USE;
299 else
300 usage = Context::SERVER_USE;
301 _ptrDefaultServerContext = new Context(usage, params);
302 }
303 else
304 {
305 if (requireTLSv1_3)
306 usage = Context::TLSV1_3_CLIENT_USE;
307 else if (requireTLSv1_2)
308 usage = Context::TLSV1_2_CLIENT_USE;
309 else if (requireTLSv1_1)
310 usage = Context::TLSV1_1_CLIENT_USE;
311 else if (requireTLSv1)
312 usage = Context::TLSV1_CLIENT_USE;
313 else
314 usage = Context::CLIENT_USE;
315 _ptrDefaultClientContext = new Context(usage, params);
316 }
317
318 std::string disabledProtocolsList = config.getString(prefix + CFG_DISABLE_PROTOCOLS, "");
319 Poco::StringTokenizer dpTok(disabledProtocolsList, ";,", Poco::StringTokenizer::TOK_TRIM | Poco::StringTokenizer::TOK_IGNORE_EMPTY);
320 int disabledProtocols = 0;
321 for (Poco::StringTokenizer::Iterator it = dpTok.begin(); it != dpTok.end(); ++it)
322 {
323 if (*it == "sslv2")
324 disabledProtocols |= Context::PROTO_SSLV2;
325 else if (*it == "sslv3")
326 disabledProtocols |= Context::PROTO_SSLV3;
327 else if (*it == "tlsv1")
328 disabledProtocols |= Context::PROTO_TLSV1;
329 else if (*it == "tlsv1_1")
330 disabledProtocols |= Context::PROTO_TLSV1_1;
331 else if (*it == "tlsv1_2")
332 disabledProtocols |= Context::PROTO_TLSV1_2;
333 else if (*it == "tlsv1_3")
334 disabledProtocols |= Context::PROTO_TLSV1_3;
335 }
336 if (server)
337 _ptrDefaultServerContext->disableProtocols(disabledProtocols);
338 else
339 _ptrDefaultClientContext->disableProtocols(disabledProtocols);
340
341 bool cacheSessions = config.getBool(prefix + CFG_CACHE_SESSIONS, false);
342 if (server)
343 {
344 std::string sessionIdContext = config.getString(prefix + CFG_SESSION_ID_CONTEXT, config.getString("application.name", ""));
345 _ptrDefaultServerContext->enableSessionCache(cacheSessions, sessionIdContext);
346 if (config.hasProperty(prefix + CFG_SESSION_CACHE_SIZE))
347 {
348 int cacheSize = config.getInt(prefix + CFG_SESSION_CACHE_SIZE);
349 _ptrDefaultServerContext->setSessionCacheSize(cacheSize);
350 }
351 if (config.hasProperty(prefix + CFG_SESSION_TIMEOUT))
352 {
353 int timeout = config.getInt(prefix + CFG_SESSION_TIMEOUT);
354 _ptrDefaultServerContext->setSessionTimeout(timeout);
355 }
356 }
357 else
358 {
359 _ptrDefaultClientContext->enableSessionCache(cacheSessions);
360 }
361 bool extendedVerification = config.getBool(prefix + CFG_EXTENDED_VERIFICATION, false);
362 if (server)
363 _ptrDefaultServerContext->enableExtendedCertificateVerification(extendedVerification);
364 else
365 _ptrDefaultClientContext->enableExtendedCertificateVerification(extendedVerification);
366
367 bool preferServerCiphers = config.getBool(prefix + CFG_PREFER_SERVER_CIPHERS, false);
368 if (preferServerCiphers)
369 {
370 if (server)
371 _ptrDefaultServerContext->preferServerCiphers();
372 else
373 _ptrDefaultClientContext->preferServerCiphers();
374 }
375}
376
377
378void SSLManager::initEvents(bool server)
379{
380 initPassphraseHandler(server);
381 initCertificateHandler(server);
382}
383
384
385void SSLManager::initPassphraseHandler(bool server)
386{
387 if (server && _ptrServerPassphraseHandler) return;
388 if (!server && _ptrClientPassphraseHandler) return;
389
390 std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
391 Poco::Util::AbstractConfiguration& config = appConfig();
392
393 std::string className(config.getString(prefix + CFG_DELEGATE_HANDLER, VAL_DELEGATE_HANDLER));
394
395 const PrivateKeyFactory* pFactory = 0;
396 if (privateKeyFactoryMgr().hasFactory(className))
397 {
398 pFactory = privateKeyFactoryMgr().getFactory(className);
399 }
400
401 if (pFactory)
402 {
403 if (server)
404 _ptrServerPassphraseHandler = pFactory->create(server);
405 else
406 _ptrClientPassphraseHandler = pFactory->create(server);
407 }
408 else throw Poco::Util::UnknownOptionException(std::string("No passphrase handler known with the name ") + className);
409}
410
411
412void SSLManager::initCertificateHandler(bool server)
413{
414 if (server && _ptrServerCertificateHandler) return;
415 if (!server && _ptrClientCertificateHandler) return;
416
417 std::string prefix = server ? CFG_SERVER_PREFIX : CFG_CLIENT_PREFIX;
418 Poco::Util::AbstractConfiguration& config = appConfig();
419
420 std::string className(config.getString(prefix+CFG_CERTIFICATE_HANDLER, VAL_CERTIFICATE_HANDLER));
421
422 const CertificateHandlerFactory* pFactory = 0;
423 if (certificateHandlerFactoryMgr().hasFactory(className))
424 {
425 pFactory = certificateHandlerFactoryMgr().getFactory(className);
426 }
427
428 if (pFactory)
429 {
430 if (server)
431 _ptrServerCertificateHandler = pFactory->create(true);
432 else
433 _ptrClientCertificateHandler = pFactory->create(false);
434 }
435 else throw Poco::Util::UnknownOptionException(std::string("No InvalidCertificate handler known with the name ") + className);
436}
437
438
439Poco::Util::AbstractConfiguration& SSLManager::appConfig()
440{
441 try
442 {
443 return Poco::Util::Application::instance().config();
444 }
445 catch (Poco::NullPointerException&)
446 {
447 throw Poco::IllegalStateException(
448 "An application configuration is required to initialize the Poco::Net::SSLManager, "
449 "but no Poco::Util::Application instance is available."
450 );
451 }
452}
453
454
455void initializeSSL()
456{
457 Poco::Crypto::initializeCrypto();
458}
459
460
461void uninitializeSSL()
462{
463 SSLManager::instance().shutdown();
464 Poco::Crypto::uninitializeCrypto();
465}
466
467
468} } // namespace Poco::Net
469