source: box/trunk/lib/server/TLSContext.cpp @ 3096

Revision 3096, 3.6 KB checked in by chris, 4 weeks ago (diff)

Move LogError out of server/SSLLib so we can use it in Crypto.

1// --------------------------------------------------------------------------
2//
3// File
4//              Name:    TLSContext.cpp
5//              Purpose: TLS (SSL) context for connections
6//              Created: 2003/08/06
7//
8// --------------------------------------------------------------------------
9
10#include "Box.h"
11
12#define TLS_CLASS_IMPLEMENTATION_CPP
13#include <openssl/ssl.h>
14
15#include "CryptoUtils.h"
16#include "ServerException.h"
17#include "SSLLib.h"
18#include "TLSContext.h"
19
20#include "MemLeakFindOn.h"
21
22#define MAX_VERIFICATION_DEPTH          2
23#define CIPHER_LIST                                     "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
24
25// --------------------------------------------------------------------------
26//
27// Function
28//              Name:    TLSContext::TLSContext()
29//              Purpose: Constructor
30//              Created: 2003/08/06
31//
32// --------------------------------------------------------------------------
TLSContext::TLSContext()
{
	// Start with no OpenSSL context. One is created by Initialise(); until
	// then GetRawContext() refuses to hand out a null pointer.
	mpContext = 0;
}
37
38// --------------------------------------------------------------------------
39//
40// Function
41//              Name:    TLSContext::~TLSContext()
42//              Purpose: Destructor
43//              Created: 2003/08/06
44//
45// --------------------------------------------------------------------------
TLSContext::~TLSContext()
{
	// Release the context created by Initialise(), if there ever was one.
	// Any SSL_CTX* handed out by GetRawContext() is invalid from here on.
	SSL_CTX *pContext = mpContext;
	mpContext = 0;
	if(pContext == 0)
	{
		return;
	}
	::SSL_CTX_free(pContext);
}
53
54// --------------------------------------------------------------------------
55//
56// Function
57//              Name:    TLSContext::Initialise(bool, const char *, const char *, const char *)
58//              Purpose: Initialise the context, loading in the specified certificate, private key and trusted-CA files, and requiring a verified peer certificate
59//              Created: 2003/08/06
60//
61// --------------------------------------------------------------------------
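void TLSContext::Initialise(bool AsServer, const char *CertificatesFile, const char *PrivateKeyFile, const char *TrustedCAsFile)
{
	// AsServer:         true for the accepting side, false for the connecting side
	// CertificatesFile: PEM file with our certificate (and any chain certificates)
	// PrivateKeyFile:   PEM file with the private key matching that certificate
	// TrustedCAsFile:   PEM file with the CA certificate(s) the peer must chain to
	// Throws ServerException (TLSAllocationFailed, TLSLoadCertificatesFailed,
	// TLSLoadPrivateKeyFailed, TLSLoadTrustedCAsFailed, TLSSetCiphersFailed).
	//
	// The replacement context is fully built before the current one is
	// touched, so a failure part-way through leaves this object exactly as it
	// was: still holding the previous, fully configured context, or still
	// uninitialised (mpContext == 0). Freeing the old context first and then
	// throwing would leave mpContext pointing at freed memory, which the
	// destructor would then free a second time.
	//
	// NOTE(review): TLSv1_*_method() negotiates TLS 1.0 only; newer protocol
	// versions are not offered. Revisit against the OpenSSL version in use.
	SSL_CTX *pNew = ::SSL_CTX_new(AsServer ? TLSv1_server_method() : TLSv1_client_method());
	if(pNew == NULL)
	{
		THROW_EXCEPTION(ServerException, TLSAllocationFailed)
	}

	try
	{
		// Our own identity: certificate chain and the matching private key
		if(::SSL_CTX_use_certificate_chain_file(pNew, CertificatesFile) != 1)
		{
			std::string msg = "loading certificates from ";
			msg += CertificatesFile;
			CryptoUtils::LogError(msg);
			THROW_EXCEPTION(ServerException, TLSLoadCertificatesFailed)
		}
		if(::SSL_CTX_use_PrivateKey_file(pNew, PrivateKeyFile, SSL_FILETYPE_PEM) != 1)
		{
			std::string msg = "loading private key from ";
			msg += PrivateKeyFile;
			CryptoUtils::LogError(msg);
			THROW_EXCEPTION(ServerException, TLSLoadPrivateKeyFailed)
		}
		// Report a key/certificate mismatch now, with a useful message,
		// rather than as an opaque handshake failure on the first connection.
		if(::SSL_CTX_check_private_key(pNew) != 1)
		{
			std::string msg = "private key in ";
			msg += PrivateKeyFile;
			msg += " does not match certificate in ";
			msg += CertificatesFile;
			CryptoUtils::LogError(msg);
			THROW_EXCEPTION(ServerException, TLSLoadPrivateKeyFailed)
		}

		// The CAs whose signature we accept on the peer's certificate
		if(::SSL_CTX_load_verify_locations(pNew, TrustedCAsFile, NULL) != 1)
		{
			std::string msg = "loading CA cert from ";
			msg += TrustedCAsFile;
			CryptoUtils::LogError(msg);
			THROW_EXCEPTION(ServerException, TLSLoadTrustedCAsFailed)
		}

		// Mutual authentication: the peer must present a certificate and it
		// must chain to one of the CAs loaded above. No verify callback is
		// installed, so nothing in this context checks the peer's name; any
		// hostname / common-name matching has to be done by the caller on the
		// established connection.
		::SSL_CTX_set_verify(pNew, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
		// Bound the chain length OpenSSL will walk while verifying
		::SSL_CTX_set_verify_depth(pNew, MAX_VERIFICATION_DEPTH);

		// Restrict the cipher suites on offer. NOTE(review): CIPHER_LIST
		// removes anonymous DH, low/export grades and MD5 from "ALL" but
		// otherwise accepts whatever the linked OpenSSL provides.
		if(::SSL_CTX_set_cipher_list(pNew, CIPHER_LIST) != 1)
		{
			CryptoUtils::LogError("setting cipher list to " CIPHER_LIST);
			THROW_EXCEPTION(ServerException, TLSSetCiphersFailed)
		}
	}
	catch(...)
	{
		// Don't leak the half-configured context; the exception itself
		// continues to the caller unchanged.
		::SSL_CTX_free(pNew);
		throw;
	}

	// Success: swap in the new context, releasing any previous one
	if(mpContext != 0)
	{
		::SSL_CTX_free(mpContext);
	}
	mpContext = pNew;
}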
112
113// --------------------------------------------------------------------------
114//
115// Function
116//              Name:    TLSContext::GetRawContext()
117//              Purpose: Get the raw context for OpenSSL API
118//              Created: 2003/08/06
119//
120// --------------------------------------------------------------------------
SSL_CTX *TLSContext::GetRawContext() const
{
	// Non-owning pointer for direct OpenSSL API use. It stays valid only
	// until this object is destroyed or Initialise() is called again, both
	// of which free the context.
	SSL_CTX *pContext = mpContext;
	if(pContext == 0)
	{
		// No context has been created yet
		THROW_EXCEPTION(ServerException, TLSContextNotInitialised)
	}
	return pContext;
}
129
130
131