Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / packaging / sources / thrift / f837f301819d1f1661a185d1e64566e170933357 / . / lib / d / src / thrift / internal / ssl.d
blob: 63a0a2b3bc4c9d093eacada2ef5f1ccf24c24164 [file] [log] [blame]
Jake Farrellb95b0ff2012-03-22 21:49:10 +0000[diff] [blame]1/*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19module thrift.internal.ssl;
20
21import core.memory : GC;
22import core.stdc.config;
Jake Farrellc02efe22012-08-18 03:31:28 +0000[diff] [blame]23import core.stdc.errno : errno;
Jake Farrellb95b0ff2012-03-22 21:49:10 +0000[diff] [blame]24import core.stdc.string : strerror;
25import deimos.openssl.err;
26import deimos.openssl.ssl;
27import deimos.openssl.x509v3;
28import std.array : empty, appender;
29import std.conv : to;
30import std.socket : Address;
31import thrift.transport.ssl;
32
33/**
34 * Checks if the peer is authorized after the SSL handshake has been
35 * completed on the given conncetion and throws an TSSLException if not.
36 *
37 * Params:
38 * ssl = The SSL connection to check.
39 * accessManager = The access manager to check the peer againts.
40 * peerAddress = The (IP) address of the peer.
41 * hostName = The host name of the peer.
42 */
43void authorize(SSL* ssl, TAccessManager accessManager,
44 Address peerAddress, lazy string hostName
45) {
46 alias TAccessManager.Decision Decision;
47
48 auto rc = SSL_get_verify_result(ssl);
49 if (rc != X509_V_OK) {
50 throw new TSSLException("SSL_get_verify_result(): " ~
51 to!string(X509_verify_cert_error_string(rc)));
52 }
53
54 auto cert = SSL_get_peer_certificate(ssl);
55 if (cert is null) {
56 // Certificate is not present.
57 if (SSL_get_verify_mode(ssl) & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
58 throw new TSSLException(
59 "Authorize: Required certificate not present.");
60 }
61
62 // If we don't have an access manager set, we don't intend to authorize
63 // the client, so everything's fine.
64 if (accessManager) {
65 throw new TSSLException(
66 "Authorize: Certificate required for authorization.");
67 }
68 return;
69 }
70
71 if (accessManager is null) {
72 // No access manager set, can return immediately as the cert is valid
73 // and all peers are authorized.
74 X509_free(cert);
75 return;
76 }
77
78 // both certificate and access manager are present
79 auto decision = accessManager.verify(peerAddress);
80
81 if (decision != Decision.SKIP) {
82 X509_free(cert);
83 if (decision != Decision.ALLOW) {
84 throw new TSSLException("Authorize: Access denied based on remote IP.");
85 }
86 return;
87 }
88
89 // Check subjectAltName(s), if present.
90 auto alternatives = cast(STACK_OF!(GENERAL_NAME)*)
91 X509_get_ext_d2i(cert, NID_subject_alt_name, null, null);
92 if (alternatives != null) {
93 auto count = sk_GENERAL_NAME_num(alternatives);
94 for (int i = 0; decision == Decision.SKIP && i < count; i++) {
95 auto name = sk_GENERAL_NAME_value(alternatives, i);
96 if (name is null) {
97 continue;
98 }
99 auto data = ASN1_STRING_data(name.d.ia5);
100 auto length = ASN1_STRING_length(name.d.ia5);
101 switch (name.type) {
102 case GENERAL_NAME.GEN_DNS:
103 decision = accessManager.verify(hostName, cast(char[])data[0 .. length]);
104 break;
105 case GENERAL_NAME.GEN_IPADD:
106 decision = accessManager.verify(peerAddress, data[0 .. length]);
107 break;
108 default:
109 // Do nothing.
110 }
111 }
112
113 // DMD @@BUG@@: Empty template arguments parens should not be needed.
114 sk_GENERAL_NAME_pop_free!()(alternatives, &GENERAL_NAME_free);
115 }
116
117 // If we are alredy done, return.
118 if (decision != Decision.SKIP) {
119 X509_free(cert);
120 if (decision != Decision.ALLOW) {
121 throw new TSSLException("Authorize: Access denied.");
122 }
123 return;
124 }
125
126 // Check commonName.
127 auto name = X509_get_subject_name(cert);
128 if (name !is null) {
129 X509_NAME_ENTRY* entry;
130 char* utf8;
131 int last = -1;
132 while (decision == Decision.SKIP) {
133 last = X509_NAME_get_index_by_NID(name, NID_commonName, last);
134 if (last == -1)
135 break;
136 entry = X509_NAME_get_entry(name, last);
137 if (entry is null)
138 continue;
139 auto common = X509_NAME_ENTRY_get_data(entry);
140 auto size = ASN1_STRING_to_UTF8(&utf8, common);
141 decision = accessManager.verify(hostName, utf8[0 .. size]);
142 CRYPTO_free(utf8);
143 }
144 }
145 X509_free(cert);
146 if (decision != Decision.ALLOW) {
147 throw new TSSLException("Authorize: Could not authorize peer.");
148 }
149}
150
151/*
152 * OpenSSL error information used for storing D exceptions on the OpenSSL
153 * error stack.
154 */
155enum ERR_LIB_D_EXCEPTION = ERR_LIB_USER;
156enum ERR_F_D_EXCEPTION = 0; // function id - what to use here?
157enum ERR_R_D_EXCEPTION = 1234; // 99 and above are reserved for applications
158enum ERR_FILE_D_EXCEPTION = "d_exception";
159enum ERR_LINE_D_EXCEPTION = 0;
160enum ERR_FLAGS_D_EXCEPTION = 0;
161
162/**
163 * Returns an exception for the last.
164 *
165 * Params:
166 * location = An optional "location" to add to the error message (typically
167 * the last SSL API call).
168 */
169Exception getSSLException(string location = null, string clientFile = __FILE__,
170 size_t clientLine = __LINE__
171) {
172 // We can return either an exception saved from D BIO code, or a "true"
173 // OpenSSL error. Because there can possibly be more than one error on the
174 // error stack, we have to fetch all of them, and pick the last, i.e. newest
175 // one. We concatenate multiple successive OpenSSL error messages into a
176 // single one, but always just return the last D expcetion.
177 string message; // Probably better use an Appender here.
178 bool hadMessage;
179 Exception exception;
180
181 void initMessage() {
182 message.clear();
183 hadMessage = false;
184 if (!location.empty) {
185 message ~= location;
186 message ~= ": ";
187 }
188 }
189 initMessage();
190
Jake Farrellc02efe22012-08-18 03:31:28 +0000[diff] [blame]191 auto errn = errno;
Jake Farrellb95b0ff2012-03-22 21:49:10 +0000[diff] [blame]192
193 const(char)* file = void;
194 int line = void;
195 const(char)* data = void;
196 int flags = void;
197 c_ulong code = void;
198 while ((code = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
199 if (ERR_GET_REASON(code) == ERR_R_D_EXCEPTION) {
200 initMessage();
201 GC.removeRoot(cast(void*)data);
202 exception = cast(Exception)data;
203 } else {
204 exception = null;
205
206 if (hadMessage) {
207 message ~= ", ";
208 }
209
210 auto reason = ERR_reason_error_string(code);
211 if (reason) {
212 message ~= "SSL error: " ~ to!string(reason);
213 } else {
214 message ~= "SSL error #" ~ to!string(code);
215 }
216
217 hadMessage = true;
218 }
219 }
220
221 // If the last item from the stack was a D exception, throw it.
222 if (exception) return exception;
223
224 // We are dealing with an OpenSSL error that doesn't root in a D exception.
225 if (!hadMessage) {
226 // If we didn't get an actual error from the stack yet, try errno.
227 string errnString;
228 if (errn != 0) {
229 errnString = to!string(strerror(errn));
230 }
231 if (errnString.empty) {
232 message ~= "Unknown error";
233 } else {
234 message ~= errnString;
235 }
236 }
237
238 message ~= ".";
239 return new TSSLException(message, clientFile, clientLine);
240}