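// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License

#ifndef __OPENSSL_HPP__
#define __OPENSSL_HPP__

#ifdef __WINDOWS__
// NOTE: This must be included before the OpenSSL headers as it includes
// `WinSock2.h` and `Windows.h` in the correct order.
#include <stout/windows.hpp>
#endif // __WINDOWS__

#include <openssl/ssl.h>

#include <string>

#include <stout/ip.hpp>
#include <stout/nothing.hpp>
#include <stout/option.hpp>
#include <stout/try.hpp>

#include <process/network.hpp>

// NOTE(review): the rendering this listing was taken from dropped one
// source line at this point (line 33 in the original numbering). It is
// most likely a further include or a forward declaration (`Address` is
// used below); restore it from the source tree rather than from this copy.

namespace process {
namespace network {
namespace openssl {

// Initializes the _global_ OpenSSL context (SSL_CTX) as well as the
// crypto library in order to support multi-threading. The global
// context gets initialized using the environment variables:
//
// LIBPROCESS_SSL_ENABLED=(false|0,true|1)
// LIBPROCESS_SSL_SUPPORT_DOWNGRADE=(false|0,true|1)
// LIBPROCESS_SSL_CERT_FILE=(path to certificate)
// LIBPROCESS_SSL_KEY_FILE=(path to key)
// LIBPROCESS_SSL_VERIFY_CERT=(false|0,true|1)
// LIBPROCESS_SSL_VERIFY_SERVER_CERT=(false|0,true|1)
// LIBPROCESS_SSL_REQUIRE_CERT=(false|0,true|1)
// LIBPROCESS_SSL_REQUIRE_CLIENT_CERT=(false|0,true|1)
// LIBPROCESS_SSL_VERIFY_IPADD=(false|0,true|1)
// LIBPROCESS_SSL_VERIFY_DEPTH=(4)
// LIBPROCESS_SSL_CA_DIR=(path to CA directory)
// LIBPROCESS_SSL_CA_FILE=(path to CA file)
// LIBPROCESS_SSL_CIPHERS=(accepted ciphers separated by ':')
// LIBPROCESS_SSL_ENABLE_SSL_V3=(false|0,true|1)
// LIBPROCESS_SSL_ENABLE_TLS_V1_0=(false|0,true|1)
// LIBPROCESS_SSL_ENABLE_TLS_V1_1=(false|0,true|1)
// LIBPROCESS_SSL_ENABLE_TLS_V1_2=(false|0,true|1)
// LIBPROCESS_SSL_ENABLE_TLS_V1_3=(false|0,true|1)
// LIBPROCESS_SSL_ECDH_CURVES=(auto|list of curves separated by ':')
//
// NOTE(review): several of these knobs weaken transport security when
// set permissively -- `LIBPROCESS_SSL_SUPPORT_DOWNGRADE`,
// `LIBPROCESS_SSL_VERIFY_CERT=false`, `LIBPROCESS_SSL_REQUIRE_CERT=false`,
// and the `LIBPROCESS_SSL_ENABLE_SSL_V3` / `LIBPROCESS_SSL_ENABLE_TLS_V1_0`
// / `LIBPROCESS_SSL_ENABLE_TLS_V1_1` switches, which re-enable protocol
// versions that are deprecated. This header does not show the defaults
// for any of them; consult the implementation before relying on them.
//
// TODO(benh): When/If we need to support multiple contexts in the
// same process, for example for Server Name Indication (SNI), then
// we'll add other functions for initializing an SSL_CTX based on
// these environment variables.
// TODO(nneilsen): Support certification revocation.
void initialize();

// Returns the _global_ OpenSSL context.
//
// The pointer refers to the context set up by `initialize()` and is
// presumably non-owning -- callers should not `SSL_CTX_free()` it.
// TODO(review): confirm ownership against the implementation.
SSL_CTX* context();

// An enum to track whether a given SSL object is in client or server mode.
//
// TODO(bevers): Once the minimum supported OpenSSL version is at least 1.1.1,
// we can remove this enum and use the `SSL_is_server(ssl)` function instead.
enum class Mode {
  CLIENT,  // This side initiated the connection.
  SERVER,  // This side accepted the connection.
};

// Verify that the hostname is properly associated with the peer
// certificate associated with the specified SSL connection.
//
// `ssl`      The connection whose peer certificate is checked.
// `mode`     Whether `ssl` is the client or the server side.
// `hostname` Expected peer hostname, if known.
// `ip`       Optional peer IP address, used alongside `hostname`;
//            presumably what `LIBPROCESS_SSL_VERIFY_IPADD` controls --
//            confirm in the implementation.
//
// Returns `Nothing` on success and an `Error` otherwise. The result must
// be checked by the caller: an ignored `Error` leaves the connection in
// use with an unverified peer.
Try<Nothing> verify(
    const SSL* const ssl,
    Mode mode,
    const Option<std::string>& hostname = None(),
    const Option<net::IP>& ip = None());

// Callback for setting SSL options after the TCP connection was
// established but before the TLS handshake has started.
//
// `ssl`           The SSL object attached to the newly connected socket.
// `mode`          Whether this side is the client or the server.
// `peer`          Address of the remote endpoint.
// `peer_hostname` Hostname of the remote endpoint, if known.
//
// Returns `Nothing` on success and an `Error` otherwise; callers should
// treat an `Error` as a reason not to proceed with the handshake.
Try<Nothing> configure_socket(
    SSL* ssl,
    Mode mode,
    const Address& peer,
    const Option<std::string>& peer_hostname);

} // namespace openssl {
} // namespace network {
} // namespace process {

#endif // __OPENSSL_HPP__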