You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
tdelibs/tdeio/kssl/kssl.h

301 lines
7.9 KiB

/* This file is part of the KDE project
*
* Copyright (C) 2000-2003 George Staikos <staikos@kde.org>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
* License as published by the Free Software Foundation; either
* version 2 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Library General Public License for more details.
*
* You should have received a copy of the GNU Library General Public License
* along with this library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
* Boston, MA 02110-1301, USA.
*/
#ifndef _KSSL_H
#define _KSSL_H
#include <ksslsettings.h>
#include <ksslpeerinfo.h>
#include <ksslconnectioninfo.h>
class KSSLPrivate;
class KSSLCertificate;
class KSSLPKCS12;
class KSSLSession;
/**
* KDE SSL Wrapper Class
*
* This class implements KDE's SSL support by wrapping OpenSSL.
*
* @author George Staikos <staikos@kde.org>
* @see KExtendedSocket, TCPSlaveBase
* @short KDE SSL Class
*/
class TDEIO_EXPORT KSSL {
public:
/**
* Construct a KSSL object
*
* @param init Set this to false if you do not want this class to
* immediately initialize OpenSSL.
*/
KSSL(bool init = true);
/**
* Destroy this KSSL object
*
* Does not close any socket.
*/
~KSSL();
/**
* Determine if SSL is available and works.
*
* @return true is SSL is available and usable
*/
static bool doesSSLWork();
/**
* Initialize OpenSSL.
*
* @return true on success
*
* This will do nothing if it is already initialized.
* @see reInitialize
*/
bool initialize();
/**
* This is used for applicationss which do STARTTLS or something
* similar. It creates a TLS method regardless of the user's settings.
*
* @return true if TLS is successfully initialized
*/
bool TLSInit();
/**
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
* Set an SSL session to use. This takes the session from the original
* KSSL object, so it is in fact a session move operation.
*
* @param session A valid session to reuse. If 0L, it will clear the
* session ID in memory.
*
* @return true on success
*/
Added support for OpenSSL 1.1 Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it> (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
8 years ago
bool takeSession(KSSLSession *session);
/**
* Close the SSL session.
*/
void close();
/**
* Reinitialize OpenSSL.
*
* @return true on success
*
* This is not generally needed unless you are reusing the KSSL object
* for a new session.
* @see initialize
*/
bool reInitialize();
/**
* Trigger a reread of KSSL configuration and reInitialize() KSSL.
*
* @return true on successful reinitalizations
*
* If you setAutoReconfig() to false, then this will simply
* reInitialize() and not read in the new configuration.
* @see setAutoReconfig
*/
bool reconfig();
/**
* Enable or disable automatic reconfiguration on initialize().
*
* @param ar Set to false in order to disable auto-reloading of the
* KSSL configuration during initialize().
*
* By default, KSSL will read its configuration on initialize(). You
* might want to disable this for performance reasons.
*/
void setAutoReconfig(bool ar);
/**
* This will reseed the pseudo-random number generator with the EGD
* (entropy gathering daemon) if the EGD is configured and enabled.
* You don't need to call this yourself normally.
*
* @return 0 on success
*/
int seedWithEGD();
/**
* Set a new KSSLSettings instance as the settings. This deletes the
* current instance of KSSLSettings.
*
* @param settings A new, valid settings object.
*
* @return true on success
*/
bool setSettings(KSSLSettings *settings);
/**
* One is built by the constructor, so this will only return a NULL
* pointer if you set one with setSettings().
*
* @return the current settings instance
*/
KSSLSettings * settings() { return m_cfg; }
/**
* Use this to set the certificate to send to the server.
* Do NOT delete the KSSLPKCS12 object until you are done with the
* session. It is not defined when KSSL will be done with this.
*
* @param pkcs the valid PKCS#12 object to send.
*
* @return true if the certificate was properly set to the session.
*/
bool setClientCertificate(KSSLPKCS12 *pkcs);
/**
* Set the status of the connection with respect to proxies.
*
* @param active is not used
* @param realIP is the IP address of the host you're connecting to
* @param realPort is the port of the host you're connecting to
* @param proxy is the IP or hostname of the proxy server
* @deprecated
*/
void setProxyUse(bool active, TQString realIP = TQString::null, int realPort = 0, TQString proxy = TQString::null) KDE_DEPRECATED;
/**
* Set the peer hostname to be used for certificate verification.
*
* @param realHost the remote hostname as the user believes to be
* connecting to
*/
void setPeerHost(TQString realHost = TQString::null);
/**
* Connect the SSL session to the remote host using the provided
* socket descriptor.
*
* @param sock the socket descriptor to connect with. This must be
* an already connected socket.
* @return 1 on success, 0 on error setting the file descriptor,
* -1 on other error.
*/
int connect(int sock);
/**
* Connect the SSL session to the remote host using the provided
* socket descriptor. This is for use with an SSL server application.
*
* @param sock the socket descriptor to connect with. This must be
* an already connected socket.
* @return 1 on success, 0 on error setting the file descriptor,
* -1 on other error.
*/
int accept(int sock);
/**
* Read data from the remote host via SSL.
*
* @param buf the buffer to read the data into.
* @param len the maximum length of data to read.
* @return the number of bytes read, 0 on an exception, or -1 on error.
*/
int read(void *buf, int len);
/**
* Peek at available data from the remote host via SSL.
*
* @param buf the buffer to read the data into.
* @param len the maximum length of data to read.
* @return the number of bytes read, 0 on an exception, or -1 on error.
*/
int peek(void *buf, int len);
/**
* Write data to the remote host via SSL.
*
* @param buf the buffer to read the data from.
* @param len the length of data to send from the buffer.
* @return the number of bytes written, 0 on an exception,
* or -1 on error.
*/
int write(const void *buf, int len);
/**
* Determine if data is waiting to be read.
*
* @return -1 on error, 0 if no data is waiting, > 0 if data is waiting.
*/
int pending();
/**
* Obtain a reference to the connection information.
*
* @return a reference to the connection information,
* valid after connected
* @see KSSLConnectionInfo
*/
KSSLConnectionInfo& connectionInfo();
/**
* Obtain a reference to the information about the peer.
*
* @return a reference to the peer information,
* valid after connected
* @see KSSLPeerInfo
*/
KSSLPeerInfo& peerInfo();
/**
* Obtain a pointer to the session information.
*
* @return a pointer to the session information.
* This is valid after connected, while connected.
* It is deleted by the KSSL object which returns it.
* May return 0L if no valid session exists.
* @see KSSLSession
*/
const KSSLSession* session() const;
/**
* Determine if we are currently reusing an SSL session ID.
*
* @return true if we are reusing a session ID.
*/
bool reusingSession() const;
private:
static bool m_bSSLWorks;
bool m_bInit;
bool m_bAutoReconfig;
KSSLSettings *m_cfg;
KSSLConnectionInfo m_ci;
KSSLPeerInfo m_pi;
KSSLPrivate *d;
void setConnectionInfo();
void setPeerInfo();
bool setVerificationLogic();
};
#endif