/*
*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*
*/
#include "qpid/sys/ssl/util.h"
#include "qpid/sys/ssl/check.h"
#include "qpid/Exception.h"
#include "qpid/sys/SystemInfo.h"
#include <unistd.h>
#include <nspr.h>
#include <nss.h>
#include <pk11pub.h>
#include <ssl.h>
#include <iostream>
#include <fstream>
namespace qpid {
namespace sys {
namespace ssl {
// Fallback certificate name used when the local hostname cannot be
// determined (see defaultCertName()).
static const std::string LOCALHOST = "127.0.0.1";
// Default value for the ssl-cert-name option: the local hostname as
// reported by SystemInfo, or LOCALHOST when that lookup fails.
std::string defaultCertName()
{
    Address address;
    const bool haveHostname = SystemInfo::getLocalHostname(address);
    if (!haveHostname) {
        return LOCALHOST;
    }
    return address.host;
}
// Registers the SSL command-line/config options. Defaults: the
// certificate name is the local hostname (defaultCertName()), the
// export policy is off, and the password file and certificate database
// path are left empty (see initNSS() for how each is used).
SslOptions::SslOptions() : qpid::Options("SSL Settings"),
certName(defaultCertName()),
exportPolicy(false)
{
addOptions()
// Selects NSS_SetExportPolicy() instead of NSS_SetDomesticPolicy() in initNSS().
("ssl-use-export-policy", optValue(exportPolicy), "Use NSS export policy")
// When set, the database password is read from this file (readPasswordFromFile)
// instead of being prompted for on the terminal (promptForPassword).
("ssl-cert-password-file", optValue(certPasswordFile, "PATH"), "File containing password to use for accessing certificate database")
// Passed to NSS_Init().
("ssl-cert-db", optValue(certDbPath, "PATH"), "Path to directory containing certificate database")
("ssl-cert-name", optValue(certName, "NAME"), "Name of the certificate to use");
}
// NSS password callback used when no password file is configured:
// prompts on the terminal for the certificate database password.
// Returns a PL_strdup'd copy of the entered password, or 0 when NSS is
// retrying after a rejected password (a second prompt is not offered).
char* promptForPassword(PK11SlotInfo*, PRBool retry, void*)
{
    if (!retry) {
        //TODO: something else?
        const char* entered =
            getpass("Please enter the password for accessing the certificate database:");
        return PL_strdup(entered);
    }
    return 0;
}
// Process-wide copy of the options passed to initNSS(). The NSS password
// callbacks read the password file path from here, as they get no other
// handle to the options in this file.
SslOptions SslOptions::global;
// NSS password callback used when ssl-cert-password-file is set: the
// first line of that file, taken verbatim (no trimming), is the password.
// Returns a PL_strdup'd copy handed to NSS, or 0 when NSS is retrying
// after a rejected password, when no file is configured, or when the file
// cannot be opened.
char* readPasswordFromFile(PK11SlotInfo*, PRBool retry, void*)
{
    // Re-reading the same file after a rejection would not help.
    if (retry) return 0;
    const std::string& path = SslOptions::global.certPasswordFile;
    if (path.empty()) return 0;

    std::ifstream in(path.c_str());
    if (!in) return 0;
    // Note: the local std::string copy is not scrubbed when it goes out
    // of scope.
    std::string line;
    std::getline(in, line);
    return PL_strdup(line.c_str());
}
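// Restricts the protocol versions NSS negotiates by default: SSLv2 and
// SSLv3 are no longer considered secure, so the default minimum is raised
// to TLSv1.0, and the default maximum is raised to the newest version this
// NSS build supports. Throws (via NSS_CHECK) if NSS rejects a range call.
static void configureProtocolVersions()
{
    const uint16_t tlsv1 = 0x0301; // Protocol version number for TLSv1.0
    SSLVersionRange defaults = {0, 0};  // range NSS currently negotiates
    SSLVersionRange supported = {0, 0}; // range this NSS build can do
    NSS_CHECK(SSL_VersionRangeGetDefault(ssl_variant_stream, &defaults));
    NSS_CHECK(SSL_VersionRangeGetSupported(ssl_variant_stream, &supported));

    bool changed = false;
    if (defaults.min < tlsv1) {
        defaults.min = tlsv1;
        changed = true;
    }
    if (supported.max > defaults.max) {
        defaults.max = supported.max;
        changed = true;
    }
    // Apply the adjusted range once rather than once per adjustment.
    if (changed) {
        NSS_CHECK(SSL_VersionRangeSetDefault(ssl_variant_stream, &defaults));
    }
}

// Initialises NSS from the given options: installs the password callback,
// opens the certificate database, selects the cipher suite policy, sets up
// the server session cache when `server` is true, and restricts the
// negotiable protocol versions. Every NSS call is checked with NSS_CHECK,
// so a failure at any step throws rather than leaving NSS half configured.
void initNSS(const SslOptions& options, bool server)
{
    // The callbacks only receive NSS's opaque argument, so they read the
    // options from this copy.
    SslOptions::global = options;
    // Installed before NSS_Init() so the callback is in place when NSS
    // first needs the database password.
    if (options.certPasswordFile.empty()) {
        PK11_SetPasswordFunc(promptForPassword);
    } else {
        PK11_SetPasswordFunc(readPasswordFromFile);
    }
    NSS_CHECK(NSS_Init(options.certDbPath.c_str()));
    // Cipher suite policy: the export policy is the restricted (export-grade)
    // suite set, the domestic policy the full set.
    if (options.exportPolicy) {
        NSS_CHECK(NSS_SetExportPolicy());
    } else {
        NSS_CHECK(NSS_SetDomesticPolicy());
    }
    if (server) {
        //use defaults for all args, TODO: may want to make this configurable
        // Checked like the other NSS calls: a session cache that failed to
        // set up used to be ignored here.
        NSS_CHECK(SSL_ConfigServerSessionIDCache(0, 0, 0, 0));
    }
    configureProtocolVersions();
}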
// Tears down NSS at process shutdown. The status returned by NSS_Shutdown()
// is deliberately ignored, matching the original best-effort behaviour.
void shutdownNSS()
{
    (void) NSS_Shutdown();
}
}}} // namespace qpid::sys::ssl