mirror of
https://gitlab.isc.org/isc-projects/kea
synced 2025-08-22 09:57:41 +00:00
136 lines
3.4 KiB
C++
136 lines
3.4 KiB
C++
// Copyright (C) 2021-2022 Internet Systems Consortium, Inc. ("ISC")
|
|
//
|
|
// This Source Code Form is subject to the terms of the Mozilla Public
|
|
// License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
|
|
/// @file openssl_tls.cc OpenSSL implementation of the TLS API.
|
|
|
|
#include <config.h>
|
|
|
|
#ifdef WITH_OPENSSL
|
|
|
|
#include <asiolink/asio_wrapper.h>
|
|
#include <asiolink/crypto_tls.h>
|
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <openssl/opensslv.h>
|
|
|
|
using namespace boost::asio;
|
|
using namespace boost::asio::ssl;
|
|
using namespace boost::system;
|
|
using namespace isc::cryptolink;
|
|
|
|
namespace isc {
|
|
namespace asiolink {
|
|
|
|
// Enforce TLS 1.2 when the generic TLS method is not available (i.e.
|
|
// the boost version is older than 1.64.0).
|
|
TlsContext::TlsContext(TlsRole role)
|
|
: TlsContextBase(role), cert_required_(true),
|
|
context_(context::method::tls)
|
|
{
|
|
// Not leave the verify mode to OpenSSL default.
|
|
setCertRequired(true);
|
|
}
|
|
|
|
boost::asio::ssl::context&
|
|
TlsContext::getContext() {
|
|
return (context_);
|
|
}
|
|
|
|
::SSL_CTX*
|
|
TlsContext::getNativeContext() {
|
|
return (context_.native_handle());
|
|
}
|
|
|
|
void
|
|
TlsContext::setCertRequired(bool cert_required) {
|
|
if (!cert_required && (getRole() == TlsRole::CLIENT)) {
|
|
isc_throw(BadValue,
|
|
"'cert-required' parameter must be true for a TLS client");
|
|
}
|
|
cert_required_ = cert_required;
|
|
error_code ec;
|
|
int mode = verify_peer | verify_fail_if_no_peer_cert;
|
|
if (!cert_required_) {
|
|
mode = verify_none;
|
|
}
|
|
context_.set_verify_mode(mode, ec);
|
|
if (ec) {
|
|
isc_throw(LibraryError, getErrMsg(ec));
|
|
}
|
|
}
|
|
|
|
bool
|
|
TlsContext::getCertRequired() const {
|
|
return (cert_required_);
|
|
}
|
|
|
|
void
|
|
TlsContext::loadCaFile(const std::string& ca_file) {
|
|
error_code ec;
|
|
context_.load_verify_file(ca_file, ec);
|
|
if (ec) {
|
|
isc_throw(LibraryError, getErrMsg(ec));
|
|
}
|
|
}
|
|
|
|
void
|
|
TlsContext::loadCaPath(const std::string& ca_path) {
|
|
error_code ec;
|
|
context_.add_verify_path(ca_path, ec);
|
|
if (ec) {
|
|
isc_throw(LibraryError, getErrMsg(ec));
|
|
}
|
|
}
|
|
|
|
void
|
|
TlsContext::loadCertFile(const std::string& cert_file) {
|
|
error_code ec;
|
|
context_.use_certificate_chain_file(cert_file, ec);
|
|
if (ec) {
|
|
isc_throw(LibraryError, getErrMsg(ec));
|
|
}
|
|
}
|
|
|
|
void
|
|
TlsContext::loadKeyFile(const std::string& key_file) {
|
|
error_code ec;
|
|
context_.use_private_key_file(key_file, context::file_format::pem, ec);
|
|
if (ec) {
|
|
isc_throw(LibraryError, getErrMsg(ec));
|
|
}
|
|
}
|
|
|
|
std::string
|
|
TlsContext::getErrMsg(error_code ec) {
|
|
std::string msg = ec.message();
|
|
#ifdef ERR_SYSTEM_ERROR
|
|
// The SSL category message() method uses ERR_reason_error_string()
|
|
// which since OpenSSL 3.0 returns NULL on system errors in order
|
|
// to avoid a memory leak with the strerror_r() buffer.
|
|
// This code recovers the user-friendly message from the error code
|
|
// value i.e. the OpenSSL error. Layout of OpenSSL errors is detailed
|
|
// in the OpenSSL err.h header.
|
|
unsigned long err = static_cast<unsigned long>(ec.value());
|
|
if ((msg == "asio.ssl error") && (ERR_SYSTEM_ERROR(err))) {
|
|
char buf[1024];
|
|
#ifndef __USE_GNU
|
|
if (strerror_r(err & ERR_SYSTEM_MASK, &buf[0], sizeof(buf)) == 0) {
|
|
msg = buf;
|
|
}
|
|
#else
|
|
msg = strerror_r(err & ERR_SYSTEM_MASK, &buf[0], sizeof(buf));
|
|
#endif
|
|
}
|
|
#endif
|
|
return (msg);
|
|
}
|
|
|
|
} // namespace asiolink
|
|
} // namespace isc
|
|
|
|
#endif // WITH_OPENSSL
|