1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
/*-
* SSLsplit - transparent SSL/TLS interception
* https://www.roe.ch/SSLsplit
*
* Copyright (c) 2009-2018, Daniel Roethlisberger <[email protected]>.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS ``AS IS''
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef CERT_H
#define CERT_H
#include "attrib.h"
#include <openssl/ssl.h>
#include <pthread.h>
#include <memory>
#include <string>
#include "cfgparser.h"
typedef struct cert {
EVP_PKEY *key;
X509 *crt;
STACK_OF(X509) * chain;
pthread_mutex_t mutex;
size_t references;
} cert_t;
cert_t * cert_new(void) MALLOC;
cert_t * cert_new_load(const char *) MALLOC;
cert_t * cert_new3(EVP_PKEY *, X509 *, STACK_OF(X509) *) MALLOC;
cert_t * cert_new3_copy(EVP_PKEY *, X509 *, STACK_OF(X509) *) MALLOC;
void cert_refcount_inc(cert_t *) NONNULL(1);
void cert_set_key(cert_t *, EVP_PKEY *) NONNULL(1);
void cert_set_crt(cert_t *, X509 *) NONNULL(1);
void cert_set_chain(cert_t *, STACK_OF(X509) *) NONNULL(1);
void cert_free(cert_t *) NONNULL(1);
class CertCA
{
public:
struct ca_handlers
{
X509 * cacrt{nullptr};
EVP_PKEY * cakey{nullptr};
STACK_OF(X509) * chain{sk_X509_new_null()};
};
bool SSLConnectionVerify(const SSL * ssl_connection);
const struct ca_handlers * CaHandlersGet(bool ssl_verify_result) const
{
return ssl_verify_result ? &trust_ca_handlers_ : &untrust_ca_handlers_;
}
public:
virtual ~CertCA() = default;
public:
static std::unique_ptr<CertCA> Factory(TfeConfigParser & parsre);
private:
CertCA() = default;
private:
struct ca_handlers trust_ca_handlers_{};
struct ca_handlers untrust_ca_handlers_{};
bool is_ca_root_filepath_set_{false};
bool is_ca_root_dirpath_set_{false};
std::string ca_root_filepath_{};
std::string ca_root_dirpath_{};
struct __x509_store_deleter
{
void operator()(X509_STORE * x509_store)
{ X509_STORE_free(x509_store); }
void operator()(X509_STORE_CTX * x509_store_ctx)
{ X509_STORE_CTX_free(x509_store_ctx); }
};
std::unique_ptr<X509_STORE, struct __x509_store_deleter> x509_store_;
static int __load_cakey_from_file(struct ca_handlers * ca_config, const std::string & cakey_filepath);
static int __load_cacert_from_file(struct ca_handlers * ca_config, const std::string & cacrt_filepath);
static void __throw_ssl_load_exception(int err, std::string what);
};
#endif /* !CERT_H */
/* vim: set noet ft=c: */
|
