Commit | Line | Data |
---|---|---|
f67539c2 TL |
1 | /* |
2 | * Licensed to the Apache Software Foundation (ASF) under one | |
3 | * or more contributor license agreements. See the NOTICE file | |
4 | * distributed with this work for additional information | |
5 | * regarding copyright ownership. The ASF licenses this file | |
6 | * to you under the Apache License, Version 2.0 (the | |
7 | * "License"); you may not use this file except in compliance | |
8 | * with the License. You may obtain a copy of the License at | |
9 | * | |
10 | * http://www.apache.org/licenses/LICENSE-2.0 | |
11 | * | |
12 | * Unless required by applicable law or agreed to in writing, | |
13 | * software distributed under the License is distributed on an | |
14 | * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
15 | * KIND, either express or implied. See the License for the | |
16 | * specific language governing permissions and limitations | |
17 | * under the License. | |
18 | */ | |
19 | ||
20 | #ifndef _THRIFT_SSL_SOCKET_H | |
21 | #define _THRIFT_SSL_SOCKET_H | |
22 | ||
23 | #include <glib-object.h> | |
24 | #include <glib.h> | |
25 | #include <openssl/err.h> | |
26 | #include <openssl/rand.h> | |
27 | #include <openssl/ssl.h> | |
28 | #include <openssl/x509v3.h> | |
29 | #include <sys/socket.h> | |
30 | ||
31 | #include <thrift/c_glib/transport/thrift_transport.h> | |
32 | #include <thrift/c_glib/transport/thrift_socket.h> | |
33 | #include <thrift/c_glib/transport/thrift_platform_socket.h> | |
34 | ||
35 | G_BEGIN_DECLS | |
36 | ||
37 | /*! \file thrift_ssl_socket.h | |
38 | * \brief SSL Socket implementation of a Thrift transport. Subclasses the | |
39 | * ThriftSocket class. Based on plain openssl. | |
40 | * In the future we should take a look at https://issues.apache.org/jira/browse/THRIFT-1016 | |
41 | */ | |
42 | ||
43 | /* GObject type macros for ThriftSSLSocket: type id, checked instance and class casts, type tests, and class lookup */ | |
44 | #define THRIFT_TYPE_SSL_SOCKET (thrift_ssl_socket_get_type ()) | |
45 | #define THRIFT_SSL_SOCKET(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocket)) | |
46 | #define THRIFT_IS_SSL_SOCKET(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), THRIFT_TYPE_SSL_SOCKET)) | |
47 | #define THRIFT_SSL_SOCKET_CLASS(c) (G_TYPE_CHECK_CLASS_CAST ((c), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocketClass)) | |
48 | #define THRIFT_IS_SSL_SOCKET_CLASS(c) (G_TYPE_CHECK_CLASS_TYPE ((c), THRIFT_TYPE_SSL_SOCKET)) | |
49 | #define THRIFT_SSL_SOCKET_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocketClass)) | |
50 | ||
51 | ||
52 | /* Error/exception codes for the SSL socket. Numbering is explicit and starts at 7; NOTE(review): presumably so these codes do not overlap the parent socket/transport error codes - confirm. */ | |
53 | typedef enum | |
54 | { | |
55 | THRIFT_SSL_SOCKET_ERROR_TRANSPORT=7, | |
56 | THRIFT_SSL_SOCKET_ERROR_CONNECT_BIND, | |
57 | THRIFT_SSL_SOCKET_ERROR_CIPHER_NOT_AVAILABLE, | |
58 | THRIFT_SSL_SOCKET_ERROR_SSL, | |
59 | THRIFT_SSL_SOCKET_ERROR_SSL_CERT_VALIDATION_FAILED /* NOTE(review): by its name, reported when peer certificate validation fails; callers should treat it as fatal rather than retry with weaker settings - confirm where it is raised */ | |
60 | } ThriftSSLSocketError; | |
61 | ||
62 | ||
63 | typedef struct _ThriftSSLSocket ThriftSSLSocket; | |
64 | ||
65 | /*! | |
66 | * Thrift SSL Socket instance. Embeds the ThriftSocket parent as its first member and adds the OpenSSL state below. | |
67 | */ | |
68 | struct _ThriftSSLSocket | |
69 | { | |
70 | ThriftSocket parent; | |
71 | ||
72 | /* private: do not access these members directly */ | |
73 | SSL *ssl; /* OpenSSL connection object */ | |
74 | SSL_CTX* ctx; /* OpenSSL context */ | |
75 | gboolean server; /* NOTE(review): presumably TRUE when this socket is the server side - confirm */ | |
76 | gboolean allow_selfsigned; /* NOTE(review): presumably makes certificate validation accept self-signed peer certificates; should stay FALSE outside test setups - confirm in the implementation */ | |
77 | }; | |
78 | ||
79 | typedef struct _ThriftSSLSocketClass ThriftSSLSocketClass; | |
80 | typedef gboolean (* AUTHORIZATION_MANAGER_CALLBACK) (ThriftTransport * transport, X509 *cert, struct sockaddr_storage *addr, GError **error); /* callback type taken by thrift_ssl_socket_set_manager(); same signature as the authorize_peer slot of the class struct */ | |
81 | ||
82 | /*! | |
83 | * Thrift SSL Socket class. Extends ThriftSocketClass with three virtual functions: handle_handshake, create_ssl_context and authorize_peer. | |
84 | */ | |
85 | struct _ThriftSSLSocketClass | |
86 | { | |
87 | ThriftSocketClass parent; | |
88 | ||
89 | gboolean (* handle_handshake) (ThriftTransport * transport, GError **error); | |
90 | gboolean (* create_ssl_context) (ThriftTransport * transport, GError **error); | |
91 | gboolean (* authorize_peer) (ThriftTransport * transport, X509 *cert, struct sockaddr_storage *addr, GError **error); /* receives an X509 certificate and a socket address; NOTE(review): presumably FALSE rejects the peer - confirm */ | |
92 | ||
93 | /* Padding to allow adding up to 12 new virtual functions without | |
94 | * breaking ABI. */ | |
95 | gpointer padding[12]; | |
96 | }; | |
97 | ||
98 | enum _ThriftSSLSocketProtocol { /* protocol selector taken by thrift_ssl_socket_context_initialize() and the thrift_ssl_socket_new*() constructors */ | |
99 | SSLTLS = 0, /* Supports SSLv2 and SSLv3 handshake but only negotiates at TLSv1_0 or later. That still admits TLS 1.0/1.1, which RFC 8996 deprecates; prefer TLSv1_2. */ | |
100 | /*SSLv2 = 1, HORRIBLY INSECURE! (disabled; value 1 is left unused) */ | |
101 | SSLv3 = 2, /* Supports SSLv3 only - also horribly insecure! SSLv3 is deprecated (RFC 7568); do not select it for new deployments. */ | |
102 | TLSv1_0 = 3, /* Supports TLSv1_0 or later. TLS 1.0 is deprecated (RFC 8996). */ | |
103 | TLSv1_1 = 4, /* Supports TLSv1_1 or later. TLS 1.1 is deprecated (RFC 8996). */ | |
104 | TLSv1_2 = 5, /* Supports TLSv1_2 or later. */ | |
105 | LATEST = TLSv1_2 /* alias for TLSv1_2, the strictest value this enum offers; there is no TLS 1.3 value here */ | |
106 | }; | |
107 | typedef enum _ThriftSSLSocketProtocol ThriftSSLSocketProtocol; | |
108 | ||
109 | ||
110 | /* Internal functions. thrift_ssl_socket_context_initialize returns an SSL_CTX for the given ssl_protocol; NOTE(review): the failure value and the ownership of the returned context are not visible in this header - confirm. */ | |
111 | SSL_CTX* | |
112 | thrift_ssl_socket_context_initialize(ThriftSSLSocketProtocol ssl_protocol, GError **error); | |
113 | ||
114 | ||
115 | /* Returns the GType of ThriftSSLSocket; used by THRIFT_TYPE_SSL_SOCKET */ | |
116 | GType thrift_ssl_socket_get_type (void); | |
117 | ||
118 | /* Public API */ | |
119 | ||
120 | /** | |
121 | * @brief Set a pinning manager instead of the default one. | |
122 | * | |
123 | * The pinning manager will be used during the SSL handshake to check the certificate | |
124 | * and pinning parameters. NOTE(review): since it replaces the default manager, a callback that accepts every certificate would presumably leave the peer unauthenticated - confirm what other validation the handshake still performs. | |
125 | * | |
126 | * @param ssl_socket SSL Socket to operate on. | |
127 | * @param callback function that takes control while validating pinning; NOTE(review): presumably returns TRUE to authorize the peer and FALSE to reject it - confirm in the implementation. | |
128 | * | |
129 | */ | |
130 | void thrift_ssl_socket_set_manager(ThriftSSLSocket *ssl_socket, AUTHORIZATION_MANAGER_CALLBACK callback); | |
131 | ||
132 | /* This is the SSL API */ | |
133 | /** | |
134 | * Convenience function to create a new SSL context with the protocol specified | |
135 | * and assign this new context to the created ThriftSSLSocket with specified host:port. | |
136 | * @param ssl_protocol protocol selector for the new context (see ThriftSSLSocketProtocol) | |
137 | * @param hostname host part of the host:port the socket is created with; NOTE(review): this header does not show whether the name is also checked against the peer certificate - confirm | |
138 | * @param port port part of the host:port the socket is created with | |
139 | * @param error GError out-parameter | |
140 | * @return the created ThriftSSLSocket; NOTE(review): presumably NULL on failure - confirm | |
141 | */ | |
142 | ThriftSSLSocket* | |
143 | thrift_ssl_socket_new_with_host(ThriftSSLSocketProtocol ssl_protocol, gchar *hostname, guint port, GError **error); | |
144 | ||
145 | /** | |
146 | * Convenience function to create a new SSL context with the protocol specified | |
147 | * and assign this new context to the created ThriftSSLSocket. | |
148 | * @param ssl_protocol protocol selector for the new context (see ThriftSSLSocketProtocol) | |
149 | * @param error GError out-parameter | |
150 | * @return the created ThriftSSLSocket; NOTE(review): presumably NULL on failure - confirm | |
151 | */ | |
152 | ThriftSSLSocket* | |
153 | thrift_ssl_socket_new(ThriftSSLSocketProtocol ssl_protocol, GError **error); | |
154 | ||
155 | /** | |
156 | * Load a certificate chain from a PEM file. The header does not say whether the chain is added as trusted certificates or as the local identity - NOTE(review): confirm in the implementation. | |
157 | * @param ssl_socket The ssl socket | |
158 | * @param file_name The file name of the PEM certificate chain | |
159 | * @return gboolean status; NOTE(review): presumably TRUE when the chain was loaded - confirm | |
160 | */ | |
161 | gboolean | |
162 | thrift_ssl_load_cert_from_file(ThriftSSLSocket *ssl_socket, const char *file_name); | |
163 | ||
164 | /** | |
165 | * Load a certificate chain from memory | |
166 | * @param ssl_socket the ssl socket | |
167 | * @param chain_certs the buffer to load PEM from; no length is passed, so NOTE(review): presumably it must be NUL-terminated text - confirm | |
168 | * @return gboolean status; NOTE(review): presumably TRUE when the chain was loaded - confirm | |
169 | */ | |
170 | gboolean | |
171 | thrift_ssl_load_cert_from_buffer(ThriftSSLSocket *ssl_socket, const char chain_certs[]); | |
172 | ||
173 | /** | |
174 | * Check if the ssl socket is open and ready to send and receive | |
175 | * @param transport the transport to check; NOTE(review): presumably must be a ThriftSSLSocket - confirm | |
176 | * @return true if open | |
177 | */ | |
178 | gboolean | |
179 | thrift_ssl_socket_is_open (ThriftTransport *transport); | |
180 | ||
181 | ||
182 | /** | |
183 | * Open connection if required and set the socket to be ready to send and receive | |
184 | * @param transport the transport to open; NOTE(review): presumably must be a ThriftSSLSocket - confirm | |
185 | * @param error GError out-parameter | |
186 | * @return true if the operation succeeded | |
187 | */ | |
188 | gboolean | |
189 | thrift_ssl_socket_open (ThriftTransport *transport, GError **error); | |
190 | ||
191 | ||
192 | /** | |
193 | * @brief Initialization function | |
194 | * | |
195 | * Initializes OpenSSL. The initialization is done application-wide, | |
196 | * so if you want to initialize OpenSSL yourself you should not call this function; | |
197 | * in that case you must handle OpenSSL initialization and locking yourself. | |
198 | * | |
199 | * It should be called before anything else. | |
200 | * | |
201 | * | |
202 | */ | |
203 | void | |
204 | thrift_ssl_socket_initialize_openssl(void); | |
205 | /** | |
206 | * @brief Finalization function | |
207 | * | |
208 | * It clears all resources initialized by thrift_ssl_socket_initialize_openssl(). | |
209 | * | |
210 | * It should be called after everything else. | |
211 | * | |
212 | * | |
213 | */ | |
214 | void | |
215 | thrift_ssl_socket_finalize_openssl(void); | |
216 | ||
217 | G_END_DECLS | |
218 | #endif |