Add SSL_CONF_cmd support (#148)

Author: oToToT

trantor/net/TcpClient.cc

@@ -208,7 +208,7 @@ void TcpClient::enableSSL(bool useOldTLS,
 {
 #ifdef USE_OPENSSL
     /* Create a new OpenSSL context */
-    sslCtxPtr_ = newSSLContext(useOldTLS, validateCert);
+    sslCtxPtr_ = newSSLContext(useOldTLS, validateCert, {});
     validateCert_ = validateCert;
     if (!hostname.empty())
     {

trantor/net/TcpConnection.h

@@ -29,7 +29,8 @@ class SSLContext;
 TRANTOR_EXPORT std::shared_ptr<SSLContext> newSSLServerContext(
     const std::string &certPath,
     const std::string &keyPath,
-    bool useOldTLS = false);
+    bool useOldTLS = false,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds = {});
 /**
  * @brief This class represents a TCP connection.
  *
@@ -230,10 +231,13 @@ class TRANTOR_EXPORT TcpConnection
      * @param hostname The server hostname for SNI. If it is empty, the SNI is
      * not used.
      */
-    virtual void startClientEncryption(std::function<void()> callback,
-                                       bool useOldTLS = false,
-                                       bool validateCert = true,
-                                       std::string hostname = "") = 0;
+    virtual void startClientEncryption(
+        std::function<void()> callback,
+        bool useOldTLS = false,
+        bool validateCert = true,
+        std::string hostname = "",
+        const std::vector<std::pair<std::string, std::string>> &sslConfCmds =
+            {}) = 0;
 
     /**
      * @brief Start the SSL encryption on the connection (as a server).

trantor/net/TcpServer.cc

@@ -185,13 +185,15 @@ const trantor::InetAddress &TcpServer::address() const
     return acceptorPtr_->addr();
 }
 
-void TcpServer::enableSSL(const std::string &certPath,
-                          const std::string &keyPath,
-                          bool useOldTLS)
+void TcpServer::enableSSL(
+    const std::string &certPath,
+    const std::string &keyPath,
+    bool useOldTLS,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
 {
 #ifdef USE_OPENSSL
     /* Create a new OpenSSL context */
-    sslCtxPtr_ = newSSLServerContext(certPath, keyPath, useOldTLS);
+    sslCtxPtr_ = newSSLServerContext(certPath, keyPath, useOldTLS, sslConfCmds);
 #else
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();

trantor/net/TcpServer.h

@@ -207,7 +207,9 @@ class TRANTOR_EXPORT TcpServer : NonCopyable
      */
     void enableSSL(const std::string &certPath,
                    const std::string &keyPath,
-                   bool useOldTLS = false);
+                   bool useOldTLS = false,
+                   const std::vector<std::pair<std::string, std::string>>
+                       &sslConfCmds = {});
 
   private:
     EventLoop *loop_;

trantor/net/inner/TcpConnectionImpl.cc

@@ -197,10 +197,23 @@ void initOpenSSL()
 class SSLContext
 {
   public:
-    explicit SSLContext(bool useOldTLS, bool enableValidtion)
+    explicit SSLContext(
+        bool useOldTLS,
+        bool enableValidtion,
+        const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
     {
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
         ctxPtr_ = SSL_CTX_new(TLS_method());
+        SSL_CONF_CTX *cctx = SSL_CONF_CTX_new();
+        SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+        SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+        SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
+        SSL_CONF_CTX_set_ssl_ctx(cctx, ctxPtr_);
+        for (auto cmd : sslConfCmds)
+        {
+            SSL_CONF_cmd(cctx, cmd.first.data(), cmd.second.data());
+        }
+        SSL_CONF_CTX_finish(cctx);
         if (!useOldTLS)
         {
             SSL_CTX_set_min_proto_version(ctxPtr_, TLS1_2_VERSION);
@@ -213,6 +226,16 @@ class SSLContext
         }
 #else
         ctxPtr_ = SSL_CTX_new(SSLv23_method());
+        SSL_CONF_CTX *cctx = SSL_CONF_CTX_new();
+        SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+        SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+        SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
+        SSL_CONF_CTX_set_ssl_ctx(cctx, ctxPtr_);
+        for (auto cmd : sslConfCmds)
+        {
+            SSL_CONF_cmd(cctx, cmd.first.data(), cmd.second.data());
+        }
+        SSL_CONF_CTX_finish(cctx);
         if (!useOldTLS)
         {
             SSL_CTX_set_options(ctxPtr_, SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
@@ -271,16 +294,21 @@ class SSLConn
     SSL *SSL_;
 };
 
-std::shared_ptr<SSLContext> newSSLContext(bool useOldTLS, bool validateCert)
+std::shared_ptr<SSLContext> newSSLContext(
+    bool useOldTLS,
+    bool validateCert,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
 {  // init OpenSSL
     initOpenSSL();
-    return std::make_shared<SSLContext>(useOldTLS, validateCert);
+    return std::make_shared<SSLContext>(useOldTLS, validateCert, sslConfCmds);
 }
-std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
-                                                const std::string &keyPath,
-                                                bool useOldTLS)
+std::shared_ptr<SSLContext> newSSLServerContext(
+    const std::string &certPath,
+    const std::string &keyPath,
+    bool useOldTLS,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
 {
-    auto ctx = newSSLContext(useOldTLS, false);
+    auto ctx = newSSLContext(useOldTLS, false, sslConfCmds);
     auto r = SSL_CTX_use_certificate_chain_file(ctx->get(), certPath.c_str());
     if (!r)
     {
@@ -319,9 +347,11 @@ std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
 #else
 namespace trantor
 {
-std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
-                                                const std::string &keyPath,
-                                                bool useOldTLS)
+std::shared_ptr<SSLContext> newSSLServerContext(
+    const std::string &certPath,
+    const std::string &keyPath,
+    bool useOldTLS,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
 {
     LOG_FATAL << "OpenSSL is not found in your system!";
     abort();
@@ -360,7 +390,8 @@ void TcpConnectionImpl::startClientEncryptionInLoop(
     std::function<void()> &&callback,
     bool useOldTLS,
     bool validateCert,
-    const std::string &hostname)
+    const std::string &hostname,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
 {
     validateCert_ = validateCert;
     loop_->assertInLoopThread();
@@ -371,7 +402,8 @@ void TcpConnectionImpl::startClientEncryptionInLoop(
     }
     sslEncryptionPtr_ = std::make_unique<SSLEncryption>();
     sslEncryptionPtr_->upgradeCallback_ = std::move(callback);
-    sslEncryptionPtr_->sslCtxPtr_ = newSSLContext(useOldTLS, validateCert_);
+    sslEncryptionPtr_->sslCtxPtr_ =
+        newSSLContext(useOldTLS, validateCert_, sslConfCmds);
     sslEncryptionPtr_->sslPtr_ =
         std::make_unique<SSLConn>(sslEncryptionPtr_->sslCtxPtr_->get());
     if (validateCert)
@@ -452,10 +484,12 @@ void TcpConnectionImpl::startServerEncryption(
 
 #endif
 }
-void TcpConnectionImpl::startClientEncryption(std::function<void()> callback,
-                                              bool useOldTLS,
-                                              bool validateCert,
-                                              std::string hostname)
+void TcpConnectionImpl::startClientEncryption(
+    std::function<void()> callback,
+    bool useOldTLS,
+    bool validateCert,
+    std::string hostname,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds)
 {
 #ifndef USE_OPENSSL
     LOG_FATAL << "OpenSSL is not found in your system!";
@@ -475,19 +509,22 @@ void TcpConnectionImpl::startClientEncryption(std::function<void()> callback,
         startClientEncryptionInLoop(std::move(callback),
                                     useOldTLS,
                                     validateCert,
-                                    hostname);
+                                    hostname,
+                                    sslConfCmds);
     }
     else
     {
         loop_->queueInLoop([thisPtr = shared_from_this(),
                             callback = std::move(callback),
                             useOldTLS,
                             hostname = std::move(hostname),
-                            validateCert]() mutable {
+                            validateCert,
+                            &sslConfCmds]() mutable {
             thisPtr->startClientEncryptionInLoop(std::move(callback),
                                                  useOldTLS,
                                                  validateCert,
-                                                 hostname);
+                                                 hostname,
+                                                 sslConfCmds);
         });
     }
 #endif

trantor/net/inner/TcpConnectionImpl.h

@@ -38,10 +38,15 @@ enum class SSLStatus
 class SSLContext;
 class SSLConn;
 
-std::shared_ptr<SSLContext> newSSLContext(bool useOldTLS, bool validateCert);
-std::shared_ptr<SSLContext> newSSLServerContext(const std::string &certPath,
-                                                const std::string &keyPath,
-                                                bool useOldTLS);
+std::shared_ptr<SSLContext> newSSLContext(
+    bool useOldTLS,
+    bool validateCert,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds);
+std::shared_ptr<SSLContext> newSSLServerContext(
+    const std::string &certPath,
+    const std::string &keyPath,
+    bool useOldTLS,
+    const std::vector<std::pair<std::string, std::string>> &sslConfCmds);
 // void initServerSSLContext(const std::shared_ptr<SSLContext> &ctx,
 //                           const std::string &certPath,
 //                           const std::string &keyPath);
@@ -171,10 +176,13 @@ class TcpConnectionImpl : public TcpConnection,
     {
         return bytesReceived_;
     }
-    virtual void startClientEncryption(std::function<void()> callback,
-                                       bool useOldTLS = false,
-                                       bool validateCert = true,
-                                       std::string hostname = "") override;
+    virtual void startClientEncryption(
+        std::function<void()> callback,
+        bool useOldTLS = false,
+        bool validateCert = true,
+        std::string hostname = "",
+        const std::vector<std::pair<std::string, std::string>> &sslConfCmds =
+            {}) override;
     virtual void startServerEncryption(const std::shared_ptr<SSLContext> &ctx,
                                        std::function<void()> callback) override;
     virtual bool isSSLConnection() const override
@@ -320,10 +328,12 @@ class TcpConnectionImpl : public TcpConnection,
         std::string hostname_;
     };
     std::unique_ptr<SSLEncryption> sslEncryptionPtr_;
-    void startClientEncryptionInLoop(std::function<void()> &&callback,
-                                     bool useOldTLS,
-                                     bool validateCert,
-                                     const std::string &hostname);
+    void startClientEncryptionInLoop(
+        std::function<void()> &&callback,
+        bool useOldTLS,
+        bool validateCert,
+        const std::string &hostname,
+        const std::vector<std::pair<std::string, std::string>> &sslConfCmds);
     void startServerEncryptionInLoop(const std::shared_ptr<SSLContext> &ctx,
                                      std::function<void()> &&callback);
 #endif

trantor/tests/DelayedSSLServerTest.cc

@@ -17,7 +17,7 @@ int main()
     InetAddress addr(8888);
 #endif
     TcpServer server(loopThread.getLoop(), addr, "test");
-    auto ctx = newSSLServerContext("server.pem", "server.pem");
+    auto ctx = newSSLServerContext("server.pem", "server.pem", {});
     LOG_INFO << "start";
     server.setRecvMessageCallback(
         [](const TcpConnectionPtr &connectionPtr, MsgBuffer *buffer) {