/* Copyright 2009 10gen Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* As a special exception, the copyright holders give permission to link the
* code of portions of this program with the OpenSSL library under certain
* conditions as described in each individual source file and distribute
* linked combinations including the program with the OpenSSL library. You
* must comply with the GNU Affero General Public License in all respects
* for all of the code used other than as permitted herein. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you do not
* wish to do so, delete this exception statement from your version. If you
* delete this exception statement from all source files in the program,
* then also delete it in the license file.
*/
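#pragma once

// Standard-library headers; the extraction dropped their targets, restored here
// from what the declarations below use (std::string, std::unique_ptr).
#include <memory>
#include <string>

#include "mongo/config.h"

#ifdef MONGO_CONFIG_SSL
#include "mongo/base/disallow_copying.h"
#include "mongo/bson/bsonobj.h"
#include "mongo/util/net/sock.h"
#include "mongo/util/time_support.h"

// OpenSSL types used by the SSL-only declarations below (SSL, SSL_CTX, BIO,
// and the ERR_* error-queue wrappers).
#include <openssl/err.h>
#include <openssl/ssl.h>
#endif  // #ifdef MONGO_CONFIG_SSL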
namespace mongo {
/**
 * Returns the SSL library version string, wrapped with the given prefix and
 * suffix.
 *
 * Declared outside the MONGO_CONFIG_SSL guard, so it is callable from builds
 * without SSL support as well (what it returns there is defined out of line —
 * presumably an empty or placeholder string; confirm in the implementation).
 *
 * @param prefix text placed before the version string
 * @param suffix text placed after the version string
 * @return prefix + version + suffix
 */
const std::string getSSLVersion(const std::string &prefix, const std::string &suffix);
}
#ifdef MONGO_CONFIG_SSL
namespace mongo {
// Defined elsewhere; only passed by reference to SSLManagerInterface::create.
struct SSLParams;
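/**
 * Holds the OpenSSL state for one TLS session: the SSL object, two BIOs
 * (presumably a BIO pair bridging OpenSSL and the Socket — confirm in the
 * implementation) and the Socket the bytes travel over.
 *
 * Instances are created by SSLManagerInterface::connect / accept and the
 * handles are released in the destructor. The members are raw owning handles,
 * so copying an instance would release the same handles twice; copy and
 * assignment are therefore deleted and callers work with the pointer they
 * were handed.
 */
class SSLConnection {
public:
    SSL* ssl{nullptr};
    BIO* networkBIO{nullptr};
    BIO* internalBIO{nullptr};
    // NOTE(review): assumed non-owning (the caller's Socket) — confirm in ~SSLConnection().
    Socket* socket{nullptr};

    /**
     * @param ctx          context the SSL object is created from
     * @param sock         socket the session runs over
     * @param initialBytes bytes already read from the socket before the
     *                     handshake, `len` of them (presumably replayed into
     *                     the TLS state — confirm in the implementation)
     */
    SSLConnection(SSL_CTX* ctx, Socket* sock, const char* initialBytes, int len);

    // Frees the OpenSSL resources owned above.
    ~SSLConnection();

    // Raw owning handles: a copy would double-free in ~SSLConnection().
    SSLConnection(const SSLConnection&) = delete;
    SSLConnection& operator=(const SSLConnection&) = delete;
};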
/**
 * Snapshot of the active SSL setup, as returned by
 * SSLManagerInterface::getSSLConfiguration().
 */
struct SSLConfiguration {
    // Empty subject names, no CA; the expiration date is left to Date_t's own
    // default construction.
    SSLConfiguration() {}

    SSLConfiguration(const std::string& serverSubjectName,
                     const std::string& clientSubjectName,
                     const Date_t& serverCertificateExpirationDate,
                     bool hasCA)
        : serverSubjectName(serverSubjectName),
          clientSubjectName(clientSubjectName),
          serverCertificateExpirationDate(serverCertificateExpirationDate),
          hasCA(hasCA) {}

    // Serializes the fields below into a BSON document (defined out of line;
    // presumably consumed by serverStatus reporting).
    BSONObj getServerStatusBSON() const;

    std::string serverSubjectName;
    std::string clientSubjectName;
    Date_t serverCertificateExpirationDate;
    bool hasCA = false;
};
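/**
 * Abstract interface to the TLS layer: session setup, peer-certificate
 * validation, configuration reporting, and thin wrappers over the ssl.h
 * calls the networking code needs. The process-wide instance is reached via
 * getSSLManager().
 */
class SSLManagerInterface {
public:
    /**
     * Builds the concrete manager.
     * @param params   the SSL parameters to configure from (SSLParams is only
     *                 forward-declared in this header)
     * @param isServer true when this process accepts TLS connections
     * @return owning pointer to the new manager
     */
    static std::unique_ptr<SSLManagerInterface> create(const SSLParams& params, bool isServer);

    virtual ~SSLManagerInterface();

    /**
     * Initiates a TLS connection over an already-connected socket.
     * Throws SocketException on failure.
     * @return a pointer to an SSLConnection. Resources are freed in SSLConnection's destructor
     */
    virtual SSLConnection* connect(Socket* socket) = 0;

    /**
     * Waits for the other side to initiate a TLS connection.
     * Throws SocketException on failure.
     * @param initialBytes bytes already read from the socket, `len` of them,
     *                     handed to the new SSLConnection
     * @return a pointer to an SSLConnection. Resources are freed in SSLConnection's destructor
     */
    virtual SSLConnection* accept(Socket* socket, const char* initialBytes, int len) = 0;

    /**
     * Fetches the peer certificate and validates it if one was presented.
     * Throws SocketException on failure.
     * @param conn       the established session
     * @param remoteHost the peer's host name (presumably checked against the
     *                   certificate when validating — confirm in the
     *                   implementation)
     * @return a std::string containing the certificate's subject name.
     */
    virtual std::string parseAndValidatePeerCertificate(const SSLConnection* conn,
                                                        const std::string& remoteHost) = 0;

    /**
     * Cleans up SSL thread-local memory; use at thread exit to avoid memory
     * leaks.
     */
    virtual void cleanupThreadLocals() = 0;

    /**
     * Gets the SSLConfiguration containing all information about the current
     * SSL setup.
     * @return the SSLConfiguration
     */
    virtual const SSLConfiguration& getSSLConfiguration() const = 0;

    /**
     * Fetches the error text for an error code, in a thread-safe manner.
     * Prefer this over ERR_error_string() below when the text is kept.
     * NOTE(review): OpenSSL error codes are `unsigned long` (see
     * ERR_get_error below); passing one here narrows it to int — confirm
     * callers' usage.
     */
    static std::string getSSLErrorMessage(int code);

    /**
     * ssl.h wrappers: same meaning as the OpenSSL functions of the same name,
     * dispatched through the manager so the concrete implementation controls
     * how the library is reached.
     *
     * NOTE(review): SSL_free() coexists with ~SSLConnection(), which is
     * documented above as freeing the connection's resources — confirm which
     * of the two is responsible for the SSL object so it is not freed twice.
     */
    virtual int SSL_read(SSLConnection* conn, void* buf, int num) = 0;
    virtual int SSL_write(SSLConnection* conn, const void* buf, int num) = 0;
    virtual unsigned long ERR_get_error() = 0;
    virtual char* ERR_error_string(unsigned long e, char* buf) = 0;
    virtual int SSL_get_error(const SSLConnection* conn, int ret) = 0;
    virtual int SSL_shutdown(SSLConnection* conn) = 0;
    virtual void SSL_free(SSLConnection* conn) = 0;
};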
// Access SSL functions through this instance. Returns the process-wide
// SSLManagerInterface (presumably a non-owning pointer that callers must not
// delete — confirm in the implementation).
SSLManagerInterface* getSSLManager();
// Whether this process runs as an SSL server; set elsewhere (presumably in
// step with the isServer flag passed to SSLManagerInterface::create).
extern bool isSSLServer;
}
#endif // #ifdef MONGO_CONFIG_SSL