Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add possibility to load providers and use them in Poco #4656

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add possibility to load providers and use them in Poco #4656

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ac9f209
Add possiblity to load providers and use them in Poco
Aug 28, 2024
1cb722a
Add OpenSSL 3.x version check for provider API
Sep 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 51 additions & 1 deletion NetSSL_OpenSSL/include/Poco/Net/Context.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,11 @@
#include "Poco/SharedPtr.h"
#include "Poco/AutoPtr.h"
#include <openssl/ssl.h>

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/types.h>
#endif

#include <cstdlib>


Expand Down Expand Up @@ -141,6 +146,11 @@ class NetSSL_API Context: public Poco::RefCountedObject
Params();
/// Initializes the struct with default values.

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
std::string providerName;
OSSL_LIB_CTX *libctx = nullptr;
#endif

std::string privateKeyFile;
/// Path to the private key file used for encryption.
/// Can be empty if no private key file is used.
Expand Down Expand Up @@ -270,6 +280,46 @@ class NetSSL_API Context: public Poco::RefCountedObject
/// Note that a private key and/or certificate must be specified with
/// usePrivateKey()/useCertificate() before the Context can be used.

#if OPENSSL_VERSION_NUMBER >= 0x30000000L
Context( Usage usage,
OSSL_LIB_CTX *libctx,
const std::string &provider,
VerificationMode verificationMode = VERIFY_RELAXED,
int verificationDepth = 9,
bool loadDefaultCAs = false,
const std::string &cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" );
/// Creates a Context.
///
/// * usage specifies whether the context is used by a client or server.
/// * libctx pointer to OpenSSL library context (i.e. from OSSL_LIB_CTX_new)
/// * provider specifies the custom provider query string
/// * verificationMode specifies whether and how peer certificates are validated.
/// * verificationDepth sets the upper limit for verification chain sizes. Verification
/// will fail if a certificate chain larger than this is encountered.
/// * loadDefaultCAs specifies whether the builtin CA certificates from OpenSSL are used.
/// * cipherList specifies the supported ciphers in OpenSSL notation.
///
/// Note that a private key and/or certificate must be specified with
/// usePrivateKey()/useCertificate() or loaded through a registered provider before the Context can be used.
///
/// Example usage:
/// * // Create a OpenSSL libary context and set default provider library search path.
/// * auto ctx = OSSL_LIB_CTX_new();
/// * OSSL_PROVIDER_set_default_search_path( ctx, "<a valid path>" );
/// *
/// * // Load providers
/// * auto provider = OSSL_PROVIDER_load( ctx, "<a custom provider name>" );
/// * auto providerDefault = OSSL_PROVIDER_load( ctx, "default" );
/// *
/// * // Create context to be used by server.
/// * auto serverCtx = new Poco::Net::Context( Poco::Net::Context::SERVER_USE, ctx, "<a provider query string>", Poco::Net::Context::VERIFY_STRICT );
/// * ...
/// * // clean-up
/// * OSSL_PROVIDER_unload( provider );
/// * OSSL_PROVIDER_unload( providerDefault );
/// * OSSL_LIB_CTX_free( ctx );
#endif

~Context();
/// Destroys the Context.

Expand Down Expand Up @@ -465,7 +515,7 @@ class NetSSL_API Context: public Poco::RefCountedObject
/// Initializes the Context with Elliptic-Curve Diffie-Hellman key
/// exchange curve parameters.

void createSSLContext();
void createSSLContext( const Params &params );
/// Create a SSL_CTX object according to Context configuration.

Usage _usage;
Expand Down
186 changes: 158 additions & 28 deletions NetSSL_OpenSSL/src/Context.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ Context::Params::Params():
cipherList("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"),
dhUse2048Bits(false),
securityLevel(SECURITY_LEVEL_NONE)
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
,libctx(0)
#endif
{
}

Expand Down Expand Up @@ -112,6 +115,36 @@ Context::Context(
}


#if OPENSSL_VERSION_NUMBER >= 0x30000000L

Context::Context(
Usage usage,
OSSL_LIB_CTX *libctx,
const std::string &provider,
VerificationMode verificationMode,
int verificationDepth,
bool loadDefaultCAs,
const std::string &cipherList ) :
_usage( usage ),
_mode( verificationMode ),
_pSSLContext( 0 ),
_extendedCertificateVerification( true ),
_ocspStaplingResponseVerification( false )
{
Params params;
params.providerName = provider;
params.libctx = libctx;
params.verificationMode = verificationMode;
params.verificationDepth = verificationDepth;
params.loadDefaultCAs = loadDefaultCAs;
params.cipherList = cipherList;

init( params );
}

#endif


Context::~Context()
{
try
Expand All @@ -130,7 +163,7 @@ void Context::init(const Params& params)
{
Poco::Crypto::OpenSSLInitializer::initialize();

createSSLContext();
createSSLContext( params );

try
{
Expand Down Expand Up @@ -533,14 +566,21 @@ void Context::setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalid
}


void Context::createSSLContext()
void Context::createSSLContext( const Params &params )
{
int minTLSVersion = 0;

if (SSLManager::isFIPSEnabled())
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_method());
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_method() );
}
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_method() );
#else
_pSSLContext = SSL_CTX_new(TLSv1_method());
#endif
Expand All @@ -551,8 +591,17 @@ void Context::createSSLContext()
{
case CLIENT_USE:
case TLS_CLIENT_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_client_method());
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_client_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_client_method() );
}

minTLSVersion = TLS1_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_client_method() );
minTLSVersion = TLS1_VERSION;
#else
_pSSLContext = SSL_CTX_new(SSLv23_client_method());
Expand All @@ -561,26 +610,53 @@ void Context::createSSLContext()

case SERVER_USE:
case TLS_SERVER_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_server_method());
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_server_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_server_method() );
}

minTLSVersion = TLS1_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_server_method() );
minTLSVersion = TLS1_VERSION;
#else
_pSSLContext = SSL_CTX_new(SSLv23_server_method());
#endif
break;

case TLSV1_CLIENT_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_client_method());
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_client_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_client_method() );
}

minTLSVersion = TLS1_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_client_method() );
minTLSVersion = TLS1_VERSION;
#else
_pSSLContext = SSL_CTX_new(TLSv1_client_method());
#endif
break;

case TLSV1_SERVER_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_server_method());
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_server_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_server_method() );
}

minTLSVersion = TLS1_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_server_method() );
minTLSVersion = TLS1_VERSION;
#else
_pSSLContext = SSL_CTX_new(TLSv1_server_method());
Expand All @@ -593,17 +669,35 @@ void Context::createSSLContext()
* if TLS1.x was removed at OpenSSL library build time via Configure options.
*/
case TLSV1_1_CLIENT_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_client_method());
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_client_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_client_method() );
}

minTLSVersion = TLS1_1_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_client_method() );
minTLSVersion = TLS1_1_VERSION;
#else
_pSSLContext = SSL_CTX_new(TLSv1_1_client_method());
#endif
break;

case TLSV1_1_SERVER_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_server_method());
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_server_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_server_method() );
}

minTLSVersion = TLS1_1_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_server_method() );
minTLSVersion = TLS1_1_VERSION;
#else
_pSSLContext = SSL_CTX_new(TLSv1_1_server_method());
Expand All @@ -613,18 +707,36 @@ void Context::createSSLContext()

#if defined(SSL_OP_NO_TLSv1_2) && !defined(OPENSSL_NO_TLS1)
case TLSV1_2_CLIENT_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_client_method());
minTLSVersion = TLS1_2_VERSION;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_client_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_client_method() );
}

minTLSVersion = TLS1_2_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_client_method() );
minTLSVersion = TLS1_2_VERSION;
#else
_pSSLContext = SSL_CTX_new(TLSv1_2_client_method());
#endif
break;

case TLSV1_2_SERVER_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new(TLS_server_method());
minTLSVersion = TLS1_2_VERSION;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_server_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_server_method() );
}

minTLSVersion = TLS1_2_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_server_method() );
minTLSVersion = TLS1_2_VERSION;
#else
_pSSLContext = SSL_CTX_new(TLSv1_2_server_method());
#endif
Expand All @@ -633,16 +745,34 @@ void Context::createSSLContext()

#if defined(SSL_OP_NO_TLSv1_3) && !defined(OPENSSL_NO_TLS1)
case TLSV1_3_CLIENT_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
_pSSLContext = SSL_CTX_new(TLS_client_method());
minTLSVersion = TLS1_3_VERSION;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_client_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_client_method() );
}

minTLSVersion = TLS1_3_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10101000L
_pSSLContext = SSL_CTX_new( TLS_client_method() );
minTLSVersion = TLS1_3_VERSION;
#endif
break;

case TLSV1_3_SERVER_USE:
#if OPENSSL_VERSION_NUMBER >= 0x10101000L
_pSSLContext = SSL_CTX_new(TLS_server_method());
minTLSVersion = TLS1_3_VERSION;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
if ( nullptr != params.libctx && !params.providerName.empty() ) {
_pSSLContext = SSL_CTX_new_ex( params.libctx, params.providerName.c_str(), TLS_server_method() );
}
else {
_pSSLContext = SSL_CTX_new( TLS_server_method() );
}

minTLSVersion = TLS1_3_VERSION;
#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
_pSSLContext = SSL_CTX_new( TLS_server_method() );
minTLSVersion = TLS1_3_VERSION;
#endif
break;
#endif
Expand Down
Loading