poco/NetSSL_OpenSSL/include/Poco/Net/Context.h

//
// Context.h
//
// $Id: //poco/Main/NetSSL_OpenSSL/include/Poco/Net/Context.h#9 $
//
// Library: NetSSL_OpenSSL
// Package: SSLCore
// Module:  Context
//
// Definition of the Context class.
//
// Copyright (c) 2006-2009, Applied Informatics Software Engineering GmbH.
// and Contributors.
//
// Permission is hereby granted, free of charge, to any person or organization
// obtaining a copy of the software and accompanying documentation covered by
// this license (the "Software") to use, reproduce, display, distribute,
// execute, and transmit the Software, and to prepare derivative works of the
// Software, and to permit third-parties to whom the Software is furnished to
// do so, all subject to the following:
// 
// The copyright notices in the Software and this entire statement, including
// the above license grant, this restriction and the following disclaimer,
// must be included in all copies of the Software, in whole or in part, and
// all derivative works of the Software, unless such copies or derivative
// works are solely in the form of machine-executable object code generated by
// a source language processor.
// 
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
// FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
// SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
// FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
// DEALINGS IN THE SOFTWARE.
//


#ifndef NetSSL_Context_INCLUDED
#define NetSSL_Context_INCLUDED


#include "Poco/Net/NetSSL.h"
#include "Poco/RefCountedObject.h"
#include "Poco/AutoPtr.h"
#include <openssl/ssl.h>


namespace Poco {
namespace Net {


class NetSSL_API Context: public Poco::RefCountedObject
	/// This class encapsulates context information for
	/// an SSL server or client, such as the certificate
	/// verification mode and the location of certificates
	/// and private key files, as well as the list of
	/// supported ciphers.
{
public:
	typedef Poco::AutoPtr<Context> Ptr;
	
	enum Usage
	{
		CLIENT_USE, /// Context is used by a client.
		SERVER_USE  /// Context is used by a server.
	};
	
	enum VerificationMode 
	{
		VERIFY_NONE    = SSL_VERIFY_NONE, 
			/// Server: The server will not send a client certificate 
			/// request to the client, so the client will not send a certificate. 
			///
			/// Client: If not using an anonymous cipher (by default disabled), 
			/// the server will send a certificate which will be checked, but
			/// the result of the check will be ignored.
			
		VERIFY_RELAXED = SSL_VERIFY_PEER, 
			/// Server: The server sends a client certificate request to the 
			/// client. The certificate returned (if any) is checked. 
			/// If the verification process fails, the TLS/SSL handshake is 
			/// immediately terminated with an alert message containing the 
			/// reason for the verification failure. 
			///
			/// Client: The server certificate is verified, if one is provided. 
			/// If the verification process fails, the TLS/SSL handshake is
			/// immediately terminated with an alert message containing the 
			/// reason for the verification failure. 
			
		VERIFY_STRICT  = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
			/// Server: If the client did not return a certificate, the TLS/SSL 
			/// handshake is immediately terminated with a handshake failure
			/// alert. This flag must be used together with SSL_VERIFY_PEER. 
			///
			/// Client: Same as VERIFY_RELAXED. 
			
		VERIFY_ONCE    = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE
			/// Server: Only request a client certificate on the initial 
			/// TLS/SSL handshake. Do not ask for a client certificate 
			/// again in case of a renegotiation.
			///
			/// Client: Same as VERIFY_RELAXED.	
	};

	Context(
		Usage usage,
		const std::string& privateKeyFile,
		const std::string& certificateFile,
		const std::string& caLocation, 
		VerificationMode verificationMode = VERIFY_RELAXED,
		int verificationDepth = 9,
		bool loadDefaultCAs = false,
		const std::string& cipherList = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
			/// Creates a Context.
			/// 
			///   * usage specifies whether the context is used by a client or server.
			///   * privateKeyFile contains the path to the private key file used for encryption.
			///     Can be empty if no private key file is used.
			///   * certificateFile contains the path to the certificate file (in PEM format).
			///     If the private key and the certificate are stored in the same file, this
			///     can be empty if privateKeyFile is given.
			///   * caLocation contains the path to the file or directory containing the
			///     CA/root certificates. Can be empty if the OpenSSL builtin CA certificates
			///     are used (see loadDefaultCAs).
			///   * verificationMode specifies whether and how peer certificates are validated.
			///   * verificationDepth sets the upper limit for verification chain sizes. Verification
			///     will fail if a certificate chain larger than this is encountered.
			///   * loadDefaultCAs specifies wheter the builtin CA certificates from OpenSSL are used.
			///   * cipherList specifies the supported ciphers in OpenSSL notation.

	~Context();
		/// Destroys the Context.

	SSL_CTX* sslContext() const;
		/// Returns the underlying OpenSSL SSL Context object.

	Usage usage() const;
		/// Returns whether the context is for use by a client or by a server.

	Context::VerificationMode verificationMode() const;
		/// Returns the verification mode.

private:
	Usage _usage;
	VerificationMode _mode;
	SSL_CTX* _pSSLContext;
};


//
// inlines
//
inline Context::Usage Context::usage() const
{
	return _usage;
}


inline Context::VerificationMode Context::verificationMode() const
{
	return _mode;
}


inline SSL_CTX* Context::sslContext() const
{
	return _pSSLContext;
}


} } // namespace Poco::Net


#endif // NetSSL_Context_INCLUDED