ceph/src/jaegertracing/thrift/lib/c_glib/src/thrift/c_glib/transport/thrift_ssl_socket.h

   1 /*
   2  * Licensed to the Apache Software Foundation (ASF) under one
   3  * or more contributor license agreements. See the NOTICE file
   4  * distributed with this work for additional information
   5  * regarding copyright ownership. The ASF licenses this file
   6  * to you under the Apache License, Version 2.0 (the
   7  * "License"); you may not use this file except in compliance
   8  * with the License. You may obtain a copy of the License at
   9  *
  10  *   http://www.apache.org/licenses/LICENSE-2.0
  11  *
  12  * Unless required by applicable law or agreed to in writing,
  13  * software distributed under the License is distributed on an
  14  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  15  * KIND, either express or implied. See the License for the
  16  * specific language governing permissions and limitations
  17  * under the License.
  18  */
  19
  20 #ifndef _THRIFT_SSL_SOCKET_H
  21 #define _THRIFT_SSL_SOCKET_H
  22
  23 #include <glib-object.h>
  24 #include <glib.h>
  25 #include <openssl/err.h>
  26 #include <openssl/rand.h>
  27 #include <openssl/ssl.h>
  28 #include <openssl/x509v3.h>
  29 #include <sys/socket.h>
  30
  31 #include <thrift/c_glib/transport/thrift_transport.h>
  32 #include <thrift/c_glib/transport/thrift_socket.h>
  33 #include <thrift/c_glib/transport/thrift_platform_socket.h>
  34
  35 G_BEGIN_DECLS
  36
  37 /*! \file thrift_ssl_socket.h
  38  *  \brief SSL Socket implementation of a Thrift transport.  Subclasses the
  39  *         ThriftSocket class. Based on plain openssl.
  40  *         In the future we should take a look to https://issues.apache.org/jira/browse/THRIFT-1016
  41  */
  42
  43 /* type macros */
  44 #define THRIFT_TYPE_SSL_SOCKET (thrift_ssl_socket_get_type ())
  45 #define THRIFT_SSL_SOCKET(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocket))
  46 #define THRIFT_IS_SSL_SOCKET(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), THRIFT_TYPE_SSL_SOCKET))
  47 #define THRIFT_SSL_SOCKET_CLASS(c) (G_TYPE_CHECK_CLASS_CAST ((c), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocketClass))
  48 #define THRIFT_IS_SSL_SOCKET_CLASS(c) (G_TYPE_CHECK_CLASS_TYPE ((c), THRIFT_TYPE_SSL_SOCKET))
  49 #define THRIFT_SSL_SOCKET_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocketClass))
  50
  51
  52 /* define error/exception types */
  53 typedef enum
  54 {
  55   THRIFT_SSL_SOCKET_ERROR_TRANSPORT=7,
  56   THRIFT_SSL_SOCKET_ERROR_CONNECT_BIND,
  57   THRIFT_SSL_SOCKET_ERROR_CIPHER_NOT_AVAILABLE,
  58   THRIFT_SSL_SOCKET_ERROR_SSL,
  59   THRIFT_SSL_SOCKET_ERROR_SSL_CERT_VALIDATION_FAILED
  60 } ThriftSSLSocketError;
  61
  62
  63 typedef struct _ThriftSSLSocket ThriftSSLSocket;
  64
  65 /*!
  66  * Thrift SSL Socket instance.
  67  */
  68 struct _ThriftSSLSocket
  69 {
  70   ThriftSocket parent;
  71
  72   /* private */
  73   SSL *ssl;
  74   SSL_CTX* ctx;
  75   gboolean server;
  76   gboolean allow_selfsigned;
  77 };
  78
  79 typedef struct _ThriftSSLSocketClass ThriftSSLSocketClass;
  80 typedef gboolean (* AUTHORIZATION_MANAGER_CALLBACK) (ThriftTransport * transport, X509 *cert, struct sockaddr_storage *addr, GError **error);
  81
  82 /*!
  83  * Thrift Socket class.
  84  */
  85 struct _ThriftSSLSocketClass
  86 {
  87   ThriftSocketClass parent;
  88
  89   gboolean (* handle_handshake) (ThriftTransport * transport, GError **error);
  90   gboolean (* create_ssl_context) (ThriftTransport * transport, GError **error);
  91   gboolean (* authorize_peer) (ThriftTransport * transport, X509 *cert, struct sockaddr_storage *addr, GError **error);
  92
  93   /* Padding to allow adding up to 12 new virtual functions without
  94    * breaking ABI. */
  95   gpointer padding[12];
  96 };
  97
  98 enum _ThriftSSLSocketProtocol {
  99   SSLTLS  = 0,  /* Supports SSLv2 and SSLv3 handshake but only negotiates at TLSv1_0 or later. */
 100 /*SSLv2   = 1,   HORRIBLY INSECURE! */
 101   SSLv3   = 2,  /* Supports SSLv3 only - also horribly insecure! */
 102   TLSv1_0 = 3,  /* Supports TLSv1_0 or later. */
 103   TLSv1_1 = 4,  /* Supports TLSv1_1 or later. */
 104   TLSv1_2 = 5,  /* Supports TLSv1_2 or later. */
 105   LATEST  = TLSv1_2
 106 };
 107 typedef enum _ThriftSSLSocketProtocol ThriftSSLSocketProtocol;
 108
 109
 110 /* Internal functions */
 111 SSL_CTX*
 112 thrift_ssl_socket_context_initialize(ThriftSSLSocketProtocol ssl_protocol, GError **error);
 113
 114
 115 /* used by THRIFT_TYPE_SSL_SOCKET */
 116 GType thrift_ssl_socket_get_type (void);
 117
 118 /* Public API */
 119
 120 /**
 121  * @brief Set a pinning manager instead of the default one.
 122  *
 123  * The pinning manager will be used during the SSL handshake to check certificate
 124  * and pinning parameters.
 125  *
 126  * @param ssl_socket SSL Socket to operate on.
 127  * @param callback function that will take the control while validating pinning
 128  *
 129  */
 130 void thrift_ssl_socket_set_manager(ThriftSSLSocket *ssl_socket, AUTHORIZATION_MANAGER_CALLBACK callback);
 131
 132 /* This is the SSL API */
 133 /**
 134  * Convenience function to create a new SSL context with the protocol specified
 135  * and assign this new context to the created ThriftSSLSocket with specified host:port.
 136  * @param ssl_protocol
 137  * @param hostname
 138  * @param port
 139  * @param error
 140  * @return
 141  */
 142 ThriftSSLSocket*
 143 thrift_ssl_socket_new_with_host(ThriftSSLSocketProtocol ssl_protocol, gchar *hostname, guint port, GError **error);
 144
 145 /**
 146  * Convenience function to create a new SSL context with the protocol specified
 147  * and assign this new context to the created ThriftSSLSocket.
 148  * @param ssl_protocol
 149  * @param error
 150  * @return
 151  */
 152 ThriftSSLSocket*
 153 thrift_ssl_socket_new(ThriftSSLSocketProtocol ssl_protocol, GError **error);
 154
 155 /**
 156  * Load a certificate chain from a PEM file.
 157  * @param ssl_socket The ssl socket
 158  * @param file_name The file name of the PEM certificate chain
 159  * @return
 160  */
 161 gboolean
 162 thrift_ssl_load_cert_from_file(ThriftSSLSocket *ssl_socket, const char *file_name);
 163
 164 /**
 165  * Load a certificate chain from memory
 166  * @param ssl_socket the ssl socket
 167  * @param chain_certs the buffer to load PEM from
 168  * @return
 169  */
 170 gboolean
 171 thrift_ssl_load_cert_from_buffer(ThriftSSLSocket *ssl_socket, const char chain_certs[]);
 172
 173 /**
 174  * Check if the ssl socket is open and ready to send and receive
 175  * @param transport
 176  * @return true if open
 177  */
 178 gboolean
 179 thrift_ssl_socket_is_open (ThriftTransport *transport);
 180
 181
 182 /**
 183  * Open connection if required and set the socket to be ready to send and receive
 184  * @param transport
 185  * @param error
 186  * @return true if operation was correct
 187  */
 188 gboolean
 189 thrift_ssl_socket_open (ThriftTransport *transport, GError **error);
 190
 191
 192 /**
 193  * @brief Initialization function
 194  *
 195  * It will initialize OpenSSL function. This initialization will be done app
 196  * wide. So if you want to initialize it by yourself you should not call it.
 197  * But it means you must handle OpenSSL initialization and handle locking.
 198  *
 199  * It should be called before anything else.
 200  *
 201  *
 202  */
 203 void
 204 thrift_ssl_socket_initialize_openssl(void);
 205 /**
 206  * @brief Finalization function
 207  *
 208  * It clears all resources initialized in initialize function.
 209  *
 210  * It should be called after anything else.
 211  *
 212  *
 213  */
 214 void
 215 thrift_ssl_socket_finalize_openssl(void);
 216
 217 G_END_DECLS
 218 #endif