2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
20 #ifndef _THRIFT_SSL_SOCKET_H
21 #define _THRIFT_SSL_SOCKET_H
23 #include <glib-object.h>
25 #include <openssl/err.h>
26 #include <openssl/rand.h>
27 #include <openssl/ssl.h>
28 #include <openssl/x509v3.h>
29 #include <sys/socket.h>
31 #include <thrift/c_glib/transport/thrift_transport.h>
32 #include <thrift/c_glib/transport/thrift_socket.h>
33 #include <thrift/c_glib/transport/thrift_platform_socket.h>
37 /*! \file thrift_ssl_socket.h
38 * \brief SSL Socket implementation of a Thrift transport. Subclasses the
39 * ThriftSocket class. Based on plain openssl.
40 * In the future we should take a look to https://issues.apache.org/jira/browse/THRIFT-1016
44 #define THRIFT_TYPE_SSL_SOCKET (thrift_ssl_socket_get_type ())
45 #define THRIFT_SSL_SOCKET(obj) (G_TYPE_CHECK_INSTANCE_CAST ((obj), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocket))
46 #define THRIFT_IS_SSL_SOCKET(obj) (G_TYPE_CHECK_INSTANCE_TYPE ((obj), THRIFT_TYPE_SSL_SOCKET))
47 #define THRIFT_SSL_SOCKET_CLASS(c) (G_TYPE_CHECK_CLASS_CAST ((c), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocketClass))
48 #define THRIFT_IS_SSL_SOCKET_CLASS(c) (G_TYPE_CHECK_CLASS_TYPE ((c), THRIFT_TYPE_SSL_SOCKET))
49 #define THRIFT_SSL_SOCKET_GET_CLASS(obj) (G_TYPE_INSTANCE_GET_CLASS ((obj), THRIFT_TYPE_SSL_SOCKET, ThriftSSLSocketClass))
52 /* define error/exception types */
55 THRIFT_SSL_SOCKET_ERROR_TRANSPORT
=7,
56 THRIFT_SSL_SOCKET_ERROR_CONNECT_BIND
,
57 THRIFT_SSL_SOCKET_ERROR_CIPHER_NOT_AVAILABLE
,
58 THRIFT_SSL_SOCKET_ERROR_SSL
,
59 THRIFT_SSL_SOCKET_ERROR_SSL_CERT_VALIDATION_FAILED
60 } ThriftSSLSocketError
;
63 typedef struct _ThriftSSLSocket ThriftSSLSocket
;
66 * Thrift SSL Socket instance.
68 struct _ThriftSSLSocket
76 gboolean allow_selfsigned
;
79 typedef struct _ThriftSSLSocketClass ThriftSSLSocketClass
;
80 typedef gboolean (* AUTHORIZATION_MANAGER_CALLBACK
) (ThriftTransport
* transport
, X509
*cert
, struct sockaddr_storage
*addr
, GError
**error
);
83 * Thrift Socket class.
85 struct _ThriftSSLSocketClass
87 ThriftSocketClass parent
;
89 gboolean (* handle_handshake
) (ThriftTransport
* transport
, GError
**error
);
90 gboolean (* create_ssl_context
) (ThriftTransport
* transport
, GError
**error
);
91 gboolean (* authorize_peer
) (ThriftTransport
* transport
, X509
*cert
, struct sockaddr_storage
*addr
, GError
**error
);
93 /* Padding to allow adding up to 12 new virtual functions without
98 enum _ThriftSSLSocketProtocol
{
99 SSLTLS
= 0, /* Supports SSLv2 and SSLv3 handshake but only negotiates at TLSv1_0 or later. */
100 /*SSLv2 = 1, HORRIBLY INSECURE! */
101 SSLv3
= 2, /* Supports SSLv3 only - also horribly insecure! */
102 TLSv1_0
= 3, /* Supports TLSv1_0 or later. */
103 TLSv1_1
= 4, /* Supports TLSv1_1 or later. */
104 TLSv1_2
= 5, /* Supports TLSv1_2 or later. */
107 typedef enum _ThriftSSLSocketProtocol ThriftSSLSocketProtocol
;
110 /* Internal functions */
112 thrift_ssl_socket_context_initialize(ThriftSSLSocketProtocol ssl_protocol
, GError
**error
);
115 /* used by THRIFT_TYPE_SSL_SOCKET */
116 GType
thrift_ssl_socket_get_type (void);
121 * @brief Set a pinning manager instead of the default one.
123 * The pinning manager will be used during the SSL handshake to check certificate
124 * and pinning parameters.
126 * @param ssl_socket SSL Socket to operate on.
127 * @param callback function that will take the control while validating pinning
130 void thrift_ssl_socket_set_manager(ThriftSSLSocket
*ssl_socket
, AUTHORIZATION_MANAGER_CALLBACK callback
);
132 /* This is the SSL API */
134 * Convenience function to create a new SSL context with the protocol specified
135 * and assign this new context to the created ThriftSSLSocket with specified host:port.
136 * @param ssl_protocol
143 thrift_ssl_socket_new_with_host(ThriftSSLSocketProtocol ssl_protocol
, gchar
*hostname
, guint port
, GError
**error
);
146 * Convenience function to create a new SSL context with the protocol specified
147 * and assign this new context to the created ThriftSSLSocket.
148 * @param ssl_protocol
153 thrift_ssl_socket_new(ThriftSSLSocketProtocol ssl_protocol
, GError
**error
);
156 * Load a certificate chain from a PEM file.
157 * @param ssl_socket The ssl socket
158 * @param file_name The file name of the PEM certificate chain
162 thrift_ssl_load_cert_from_file(ThriftSSLSocket
*ssl_socket
, const char *file_name
);
165 * Load a certificate chain from memory
166 * @param ssl_socket the ssl socket
167 * @param chain_certs the buffer to load PEM from
171 thrift_ssl_load_cert_from_buffer(ThriftSSLSocket
*ssl_socket
, const char chain_certs
[]);
174 * Check if the ssl socket is open and ready to send and receive
176 * @return true if open
179 thrift_ssl_socket_is_open (ThriftTransport
*transport
);
183 * Open connection if required and set the socket to be ready to send and receive
186 * @return true if operation was correct
189 thrift_ssl_socket_open (ThriftTransport
*transport
, GError
**error
);
193 * @brief Initialization function
195 * It will initialize OpenSSL function. This initialization will be done app
196 * wide. So if you want to initialize it by yourself you should not call it.
197 * But it means you must handle OpenSSL initialization and handle locking.
199 * It should be called before anything else.
204 thrift_ssl_socket_initialize_openssl(void);
206 * @brief Finalization function
208 * It clears all resources initialized in initialize function.
210 * It should be called after anything else.
215 thrift_ssl_socket_finalize_openssl(void);