eventmachine 0.12.8-x86-mswin32-60 → 0.12.10-x86-mswin32-60
Sign up to get free protection for your applications and to get access to all the features.
- data/.gitignore +14 -13
- data/Rakefile +374 -264
- data/eventmachine.gemspec +4 -5
- data/ext/binder.cpp +125 -126
- data/ext/binder.h +46 -48
- data/ext/cmain.cpp +184 -42
- data/ext/cplusplus.cpp +202 -202
- data/ext/ed.cpp +242 -81
- data/ext/ed.h +39 -22
- data/ext/em.cpp +127 -108
- data/ext/em.h +27 -18
- data/ext/emwin.cpp +3 -3
- data/ext/eventmachine.h +49 -38
- data/ext/eventmachine_cpp.h +96 -96
- data/ext/extconf.rb +147 -132
- data/ext/fastfilereader/extconf.rb +82 -76
- data/ext/project.h +151 -140
- data/ext/rubymain.cpp +222 -103
- data/ext/ssl.cpp +460 -460
- data/ext/ssl.h +94 -94
- data/java/src/com/rubyeventmachine/EmReactor.java +570 -423
- data/java/src/com/rubyeventmachine/EventableChannel.java +69 -57
- data/java/src/com/rubyeventmachine/EventableDatagramChannel.java +189 -171
- data/java/src/com/rubyeventmachine/EventableSocketChannel.java +364 -244
- data/java/src/com/rubyeventmachine/{Application.java → application/Application.java} +194 -200
- data/java/src/com/rubyeventmachine/{Connection.java → application/Connection.java} +74 -74
- data/java/src/com/rubyeventmachine/{ConnectionFactory.java → application/ConnectionFactory.java} +36 -36
- data/java/src/com/rubyeventmachine/{DefaultConnectionFactory.java → application/DefaultConnectionFactory.java} +46 -46
- data/java/src/com/rubyeventmachine/{PeriodicTimer.java → application/PeriodicTimer.java} +38 -38
- data/java/src/com/rubyeventmachine/{Timer.java → application/Timer.java} +54 -54
- data/java/src/com/rubyeventmachine/tests/ApplicationTest.java +109 -108
- data/java/src/com/rubyeventmachine/tests/ConnectTest.java +148 -146
- data/java/src/com/rubyeventmachine/tests/TestDatagrams.java +53 -53
- data/java/src/com/rubyeventmachine/tests/TestServers.java +75 -74
- data/java/src/com/rubyeventmachine/tests/TestTimers.java +90 -89
- data/lib/em/connection.rb +71 -12
- data/lib/em/deferrable.rb +191 -186
- data/lib/em/protocols.rb +36 -35
- data/lib/em/protocols/httpclient2.rb +590 -582
- data/lib/em/protocols/line_and_text.rb +125 -126
- data/lib/em/protocols/linetext2.rb +161 -160
- data/lib/em/protocols/object_protocol.rb +45 -39
- data/lib/em/protocols/smtpclient.rb +357 -331
- data/lib/em/protocols/socks4.rb +66 -0
- data/lib/em/queue.rb +60 -60
- data/lib/em/timers.rb +56 -55
- data/lib/em/version.rb +1 -1
- data/lib/eventmachine.rb +125 -169
- data/lib/jeventmachine.rb +257 -142
- data/tasks/{cpp.rake → cpp.rake_example} +76 -76
- data/tests/test_attach.rb +125 -100
- data/tests/test_basic.rb +1 -2
- data/tests/test_connection_count.rb +34 -44
- data/tests/test_epoll.rb +0 -2
- data/tests/test_get_sock_opt.rb +30 -0
- data/tests/test_httpclient2.rb +3 -3
- data/tests/test_inactivity_timeout.rb +21 -1
- data/tests/test_ltp.rb +182 -188
- data/tests/test_next_tick.rb +0 -2
- data/tests/test_pause.rb +70 -0
- data/tests/test_pending_connect_timeout.rb +48 -0
- data/tests/test_ssl_args.rb +78 -67
- data/tests/test_timers.rb +162 -141
- metadata +13 -11
- data/tasks/project.rake +0 -79
- data/tasks/tests.rake +0 -193
data/ext/ssl.cpp
CHANGED
@@ -1,460 +1,460 @@
|
|
1
|
-
/*****************************************************************************
|
2
|
-
|
3
|
-
$Id$
|
4
|
-
|
5
|
-
File: ssl.cpp
|
6
|
-
Date: 30Apr06
|
7
|
-
|
8
|
-
Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved.
|
9
|
-
Gmail: blackhedd
|
10
|
-
|
11
|
-
This program is free software; you can redistribute it and/or modify
|
12
|
-
it under the terms of either: 1) the GNU General Public License
|
13
|
-
as published by the Free Software Foundation; either version 2 of the
|
14
|
-
License, or (at your option) any later version; or 2) Ruby's License.
|
15
|
-
|
16
|
-
See the file COPYING for complete licensing information.
|
17
|
-
|
18
|
-
*****************************************************************************/
|
19
|
-
|
20
|
-
|
21
|
-
#ifdef WITH_SSL
|
22
|
-
|
23
|
-
#include "project.h"
|
24
|
-
|
25
|
-
|
26
|
-
bool SslContext_t::bLibraryInitialized = false;
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
static void InitializeDefaultCredentials();
|
31
|
-
static EVP_PKEY *DefaultPrivateKey = NULL;
|
32
|
-
static X509 *DefaultCertificate = NULL;
|
33
|
-
|
34
|
-
static char PrivateMaterials[] = {
|
35
|
-
"-----BEGIN RSA PRIVATE KEY-----\n"
|
36
|
-
"MIICXAIBAAKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxwVDWV\n"
|
37
|
-
"Igdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t39hJ/\n"
|
38
|
-
"AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQIDAQAB\n"
|
39
|
-
"AoGALA89gIFcr6BIBo8N5fL3aNHpZXjAICtGav+kTUpuxSiaym9cAeTHuAVv8Xgk\n"
|
40
|
-
"H2Wbq11uz+6JMLpkQJH/WZ7EV59DPOicXrp0Imr73F3EXBfR7t2EQDYHPMthOA1D\n"
|
41
|
-
"I9EtCzvV608Ze90hiJ7E3guGrGppZfJ+eUWCPgy8CZH1vRECQQDv67rwV/oU1aDo\n"
|
42
|
-
"6/+d5nqjeW6mWkGqTnUU96jXap8EIw6B+0cUKskwx6mHJv+tEMM2748ZY7b0yBlg\n"
|
43
|
-
"w4KDghbFAkEAz2h8PjSJG55LwqmXih1RONSgdN9hjB12LwXL1CaDh7/lkEhq0PlK\n"
|
44
|
-
"PCAUwQSdM17Sl0Xxm2CZiekTSlwmHrtqXQJAF3+8QJwtV2sRJp8u2zVe37IeH1cJ\n"
|
45
|
-
"xXeHyjTzqZ2803fnjN2iuZvzNr7noOA1/Kp+pFvUZUU5/0G2Ep8zolPUjQJAFA7k\n"
|
46
|
-
"xRdLkzIx3XeNQjwnmLlncyYPRv+qaE3FMpUu7zftuZBnVCJnvXzUxP3vPgKTlzGa\n"
|
47
|
-
"dg5XivDRfsV+okY5uQJBAMV4FesUuLQVEKb6lMs7rzZwpeGQhFDRfywJzfom2TLn\n"
|
48
|
-
"2RdJQQ3dcgnhdVDgt5o1qkmsqQh8uJrJ9SdyLIaZQIc=\n"
|
49
|
-
"-----END RSA PRIVATE KEY-----\n"
|
50
|
-
"-----BEGIN CERTIFICATE-----\n"
|
51
|
-
"MIID6TCCA1KgAwIBAgIJANm4W/Tzs+s+MA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD\n"
|
52
|
-
"VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYw\n"
|
53
|
-
"FAYDVQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsG\n"
|
54
|
-
"A1UEAxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2lu\n"
|
55
|
-
"ZWVyaW5nQHN0ZWFtaGVhdC5uZXQwHhcNMDYwNTA1MTcwNjAzWhcNMjQwMjIwMTcw\n"
|
56
|
-
"NjAzWjCBqjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQH\n"
|
57
|
-
"EwhOZXcgWW9yazEWMBQGA1UEChMNU3RlYW1oZWF0Lm5ldDEUMBIGA1UECxMLRW5n\n"
|
58
|
-
"aW5lZXJpbmcxHTAbBgNVBAMTFG9wZW5jYS5zdGVhbWhlYXQubmV0MSgwJgYJKoZI\n"
|
59
|
-
"hvcNAQkBFhllbmdpbmVlcmluZ0BzdGVhbWhlYXQubmV0MIGfMA0GCSqGSIb3DQEB\n"
|
60
|
-
"AQUAA4GNADCBiQKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxw\n"
|
61
|
-
"VDWVIgdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t3\n"
|
62
|
-
"9hJ/AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQID\n"
|
63
|
-
"AQABo4IBEzCCAQ8wHQYDVR0OBBYEFPJvPd1Fcmd8o/Tm88r+NjYPICCkMIHfBgNV\n"
|
64
|
-
"HSMEgdcwgdSAFPJvPd1Fcmd8o/Tm88r+NjYPICCkoYGwpIGtMIGqMQswCQYDVQQG\n"
|
65
|
-
"EwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYwFAYD\n"
|
66
|
-
"VQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsGA1UE\n"
|
67
|
-
"AxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2luZWVy\n"
|
68
|
-
"aW5nQHN0ZWFtaGVhdC5uZXSCCQDZuFv087PrPjAMBgNVHRMEBTADAQH/MA0GCSqG\n"
|
69
|
-
"SIb3DQEBBQUAA4GBAC1CXey/4UoLgJiwcEMDxOvW74plks23090iziFIlGgcIhk0\n"
|
70
|
-
"Df6hTAs7H3MWww62ddvR8l07AWfSzSP5L6mDsbvq7EmQsmPODwb6C+i2aF3EDL8j\n"
|
71
|
-
"uw73m4YIGI0Zw2XdBpiOGkx2H56Kya6mJJe/5XORZedh1wpI7zki01tHYbcy\n"
|
72
|
-
"-----END CERTIFICATE-----\n"};
|
73
|
-
|
74
|
-
/* These private materials were made with:
|
75
|
-
* openssl req -new -x509 -keyout cakey.pem -out cacert.pem -nodes -days 6500
|
76
|
-
* TODO: We need a full-blown capability to work with user-supplied
|
77
|
-
* keypairs and properly-signed certificates.
|
78
|
-
*/
|
79
|
-
|
80
|
-
|
81
|
-
/*****************
|
82
|
-
builtin_passwd_cb
|
83
|
-
*****************/
|
84
|
-
|
85
|
-
extern "C" int builtin_passwd_cb (char *buf, int bufsize, int rwflag, void *userdata)
|
86
|
-
{
|
87
|
-
strcpy (buf, "kittycat");
|
88
|
-
return 8;
|
89
|
-
}
|
90
|
-
|
91
|
-
/****************************
|
92
|
-
InitializeDefaultCredentials
|
93
|
-
****************************/
|
94
|
-
|
95
|
-
static void InitializeDefaultCredentials()
|
96
|
-
{
|
97
|
-
BIO *bio = BIO_new_mem_buf (PrivateMaterials, -1);
|
98
|
-
assert (bio);
|
99
|
-
|
100
|
-
if (DefaultPrivateKey) {
|
101
|
-
// we may come here in a restart.
|
102
|
-
EVP_PKEY_free (DefaultPrivateKey);
|
103
|
-
DefaultPrivateKey = NULL;
|
104
|
-
}
|
105
|
-
PEM_read_bio_PrivateKey (bio, &DefaultPrivateKey, builtin_passwd_cb, 0);
|
106
|
-
|
107
|
-
if (DefaultCertificate) {
|
108
|
-
// we may come here in a restart.
|
109
|
-
X509_free (DefaultCertificate);
|
110
|
-
DefaultCertificate = NULL;
|
111
|
-
}
|
112
|
-
PEM_read_bio_X509 (bio, &DefaultCertificate, NULL, 0);
|
113
|
-
|
114
|
-
BIO_free (bio);
|
115
|
-
}
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
/**************************
|
120
|
-
SslContext_t::SslContext_t
|
121
|
-
**************************/
|
122
|
-
|
123
|
-
SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile):
|
124
|
-
pCtx (NULL),
|
125
|
-
PrivateKey (NULL),
|
126
|
-
Certificate (NULL)
|
127
|
-
{
|
128
|
-
/* TODO: the usage of the specified private-key and cert-chain filenames only applies to
|
129
|
-
* client-side connections at this point. Server connections currently use the default materials.
|
130
|
-
* That needs to be fixed asap.
|
131
|
-
* Also, in this implementation, server-side connections use statically defined X-509 defaults.
|
132
|
-
* One thing I'm really not clear on is whether or not you have to explicitly free X509 and EVP_PKEY
|
133
|
-
* objects when we call our destructor, or whether just calling SSL_CTX_free is enough.
|
134
|
-
*/
|
135
|
-
|
136
|
-
if (!bLibraryInitialized) {
|
137
|
-
bLibraryInitialized = true;
|
138
|
-
SSL_library_init();
|
139
|
-
OpenSSL_add_ssl_algorithms();
|
140
|
-
OpenSSL_add_all_algorithms();
|
141
|
-
SSL_load_error_strings();
|
142
|
-
ERR_load_crypto_strings();
|
143
|
-
|
144
|
-
InitializeDefaultCredentials();
|
145
|
-
}
|
146
|
-
|
147
|
-
bIsServer = is_server;
|
148
|
-
pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
|
149
|
-
if (!pCtx)
|
150
|
-
throw std::runtime_error ("no SSL context");
|
151
|
-
|
152
|
-
SSL_CTX_set_options (pCtx, SSL_OP_ALL);
|
153
|
-
//SSL_CTX_set_options (pCtx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
|
154
|
-
|
155
|
-
if (is_server) {
|
156
|
-
// The SSL_CTX calls here do NOT allocate memory.
|
157
|
-
int e;
|
158
|
-
if (privkeyfile.length() > 0)
|
159
|
-
e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
|
160
|
-
else
|
161
|
-
e = SSL_CTX_use_PrivateKey (pCtx, DefaultPrivateKey);
|
162
|
-
assert (e > 0);
|
163
|
-
if (certchainfile.length() > 0)
|
164
|
-
e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
|
165
|
-
else
|
166
|
-
e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
|
167
|
-
assert (e > 0);
|
168
|
-
}
|
169
|
-
|
170
|
-
SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
|
171
|
-
|
172
|
-
if (is_server) {
|
173
|
-
SSL_CTX_sess_set_cache_size (pCtx, 128);
|
174
|
-
SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"eventmachine", 12);
|
175
|
-
}
|
176
|
-
else {
|
177
|
-
int e;
|
178
|
-
if (privkeyfile.length() > 0) {
|
179
|
-
e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
|
180
|
-
assert (e > 0);
|
181
|
-
}
|
182
|
-
if (certchainfile.length() > 0) {
|
183
|
-
e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
|
184
|
-
assert (e > 0);
|
185
|
-
}
|
186
|
-
}
|
187
|
-
}
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
/***************************
|
192
|
-
SslContext_t::~SslContext_t
|
193
|
-
***************************/
|
194
|
-
|
195
|
-
SslContext_t::~SslContext_t()
|
196
|
-
{
|
197
|
-
if (pCtx)
|
198
|
-
SSL_CTX_free (pCtx);
|
199
|
-
if (PrivateKey)
|
200
|
-
EVP_PKEY_free (PrivateKey);
|
201
|
-
if (Certificate)
|
202
|
-
X509_free (Certificate);
|
203
|
-
}
|
204
|
-
|
205
|
-
|
206
|
-
|
207
|
-
/******************
|
208
|
-
SslBox_t::SslBox_t
|
209
|
-
******************/
|
210
|
-
|
211
|
-
SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const
|
212
|
-
bIsServer (is_server),
|
213
|
-
bHandshakeCompleted (false),
|
214
|
-
bVerifyPeer (verify_peer),
|
215
|
-
pSSL (NULL),
|
216
|
-
pbioRead (NULL),
|
217
|
-
pbioWrite (NULL)
|
218
|
-
{
|
219
|
-
/* TODO someday: make it possible to re-use SSL contexts so we don't have to create
|
220
|
-
* a new one every time we come here.
|
221
|
-
*/
|
222
|
-
|
223
|
-
Context = new SslContext_t (bIsServer, privkeyfile, certchainfile);
|
224
|
-
assert (Context);
|
225
|
-
|
226
|
-
pbioRead = BIO_new (BIO_s_mem());
|
227
|
-
assert (pbioRead);
|
228
|
-
|
229
|
-
pbioWrite = BIO_new (BIO_s_mem());
|
230
|
-
assert (pbioWrite);
|
231
|
-
|
232
|
-
pSSL = SSL_new (Context->pCtx);
|
233
|
-
assert (pSSL);
|
234
|
-
SSL_set_bio (pSSL, pbioRead, pbioWrite);
|
235
|
-
|
236
|
-
// Store a pointer to the binding signature in the SSL object so we can retrieve it later
|
237
|
-
SSL_set_ex_data(pSSL, 0, (void*) binding);
|
238
|
-
|
239
|
-
if (bVerifyPeer)
|
240
|
-
SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper);
|
241
|
-
|
242
|
-
if (!bIsServer)
|
243
|
-
SSL_connect (pSSL);
|
244
|
-
}
|
245
|
-
|
246
|
-
|
247
|
-
|
248
|
-
/*******************
|
249
|
-
SslBox_t::~SslBox_t
|
250
|
-
*******************/
|
251
|
-
|
252
|
-
SslBox_t::~SslBox_t()
|
253
|
-
{
|
254
|
-
// Freeing pSSL will also free the associated BIOs, so DON'T free them separately.
|
255
|
-
if (pSSL) {
|
256
|
-
if (SSL_get_shutdown (pSSL) & SSL_RECEIVED_SHUTDOWN)
|
257
|
-
SSL_shutdown (pSSL);
|
258
|
-
else
|
259
|
-
SSL_clear (pSSL);
|
260
|
-
SSL_free (pSSL);
|
261
|
-
}
|
262
|
-
|
263
|
-
delete Context;
|
264
|
-
}
|
265
|
-
|
266
|
-
|
267
|
-
|
268
|
-
/***********************
|
269
|
-
SslBox_t::PutCiphertext
|
270
|
-
***********************/
|
271
|
-
|
272
|
-
bool SslBox_t::PutCiphertext (const char *buf, int bufsize)
|
273
|
-
{
|
274
|
-
assert (buf && (bufsize > 0));
|
275
|
-
|
276
|
-
assert (pbioRead);
|
277
|
-
int n = BIO_write (pbioRead, buf, bufsize);
|
278
|
-
|
279
|
-
return (n == bufsize) ? true : false;
|
280
|
-
}
|
281
|
-
|
282
|
-
|
283
|
-
/**********************
|
284
|
-
SslBox_t::GetPlaintext
|
285
|
-
**********************/
|
286
|
-
|
287
|
-
int SslBox_t::GetPlaintext (char *buf, int bufsize)
|
288
|
-
{
|
289
|
-
if (!SSL_is_init_finished (pSSL)) {
|
290
|
-
int e = bIsServer ? SSL_accept (pSSL) : SSL_connect (pSSL);
|
291
|
-
if (e < 0) {
|
292
|
-
int er = SSL_get_error (pSSL, e);
|
293
|
-
if (er != SSL_ERROR_WANT_READ) {
|
294
|
-
// Return -1 for a nonfatal error, -2 for an error that should force the connection down.
|
295
|
-
return (er == SSL_ERROR_SSL) ? (-2) : (-1);
|
296
|
-
}
|
297
|
-
else
|
298
|
-
return 0;
|
299
|
-
}
|
300
|
-
bHandshakeCompleted = true;
|
301
|
-
// If handshake finished, FALL THROUGH and return the available plaintext.
|
302
|
-
}
|
303
|
-
|
304
|
-
if (!SSL_is_init_finished (pSSL)) {
|
305
|
-
// We can get here if a browser abandons a handshake.
|
306
|
-
// The user can see a warning dialog and abort the connection.
|
307
|
-
cerr << "<SSL_incomp>";
|
308
|
-
return 0;
|
309
|
-
}
|
310
|
-
|
311
|
-
//cerr << "CIPH: " << SSL_get_cipher (pSSL) << endl;
|
312
|
-
|
313
|
-
int n = SSL_read (pSSL, buf, bufsize);
|
314
|
-
if (n >= 0) {
|
315
|
-
return n;
|
316
|
-
}
|
317
|
-
else {
|
318
|
-
if (SSL_get_error (pSSL, n) == SSL_ERROR_WANT_READ) {
|
319
|
-
return 0;
|
320
|
-
}
|
321
|
-
else {
|
322
|
-
return -1;
|
323
|
-
}
|
324
|
-
}
|
325
|
-
|
326
|
-
return 0;
|
327
|
-
}
|
328
|
-
|
329
|
-
|
330
|
-
|
331
|
-
/**************************
|
332
|
-
SslBox_t::CanGetCiphertext
|
333
|
-
**************************/
|
334
|
-
|
335
|
-
bool SslBox_t::CanGetCiphertext()
|
336
|
-
{
|
337
|
-
assert (pbioWrite);
|
338
|
-
return BIO_pending (pbioWrite) ? true : false;
|
339
|
-
}
|
340
|
-
|
341
|
-
|
342
|
-
|
343
|
-
/***********************
|
344
|
-
SslBox_t::GetCiphertext
|
345
|
-
***********************/
|
346
|
-
|
347
|
-
int SslBox_t::GetCiphertext (char *buf, int bufsize)
|
348
|
-
{
|
349
|
-
assert (pbioWrite);
|
350
|
-
assert (buf && (bufsize > 0));
|
351
|
-
|
352
|
-
return BIO_read (pbioWrite, buf, bufsize);
|
353
|
-
}
|
354
|
-
|
355
|
-
|
356
|
-
|
357
|
-
/**********************
|
358
|
-
SslBox_t::PutPlaintext
|
359
|
-
**********************/
|
360
|
-
|
361
|
-
int SslBox_t::PutPlaintext (const char *buf, int bufsize)
|
362
|
-
{
|
363
|
-
// The caller will interpret the return value as the number of bytes written.
|
364
|
-
// WARNING WARNING WARNING, are there any situations in which a 0 or -1 return
|
365
|
-
// from SSL_write means we should immediately retry? The socket-machine loop
|
366
|
-
// will probably wait for a time-out cycle (perhaps a second) before re-trying.
|
367
|
-
// THIS WOULD CAUSE A PERCEPTIBLE DELAY!
|
368
|
-
|
369
|
-
/* We internally queue any outbound plaintext that can't be dispatched
|
370
|
-
* because we're in the middle of a handshake or something.
|
371
|
-
* When we get called, try to send any queued data first, and then
|
372
|
-
* send the caller's data (or queue it). We may get called with no outbound
|
373
|
-
* data, which means we try to send the outbound queue and that's all.
|
374
|
-
*
|
375
|
-
* Return >0 if we wrote any data, 0 if we didn't, and <0 for a fatal error.
|
376
|
-
* Note that if we return 0, the connection is still considered live
|
377
|
-
* and we are signalling that we have accepted the outbound data (if any).
|
378
|
-
*/
|
379
|
-
|
380
|
-
OutboundQ.Push (buf, bufsize);
|
381
|
-
|
382
|
-
if (!SSL_is_init_finished (pSSL))
|
383
|
-
return 0;
|
384
|
-
|
385
|
-
bool fatal = false;
|
386
|
-
bool did_work = false;
|
387
|
-
|
388
|
-
while (OutboundQ.HasPages()) {
|
389
|
-
const char *page;
|
390
|
-
int length;
|
391
|
-
OutboundQ.Front (&page, &length);
|
392
|
-
assert (page && (length > 0));
|
393
|
-
int n = SSL_write (pSSL, page, length);
|
394
|
-
if (n > 0) {
|
395
|
-
did_work = true;
|
396
|
-
OutboundQ.PopFront();
|
397
|
-
}
|
398
|
-
else {
|
399
|
-
int er = SSL_get_error (pSSL, n);
|
400
|
-
if ((er != SSL_ERROR_WANT_READ) && (er != SSL_ERROR_WANT_WRITE))
|
401
|
-
fatal = true;
|
402
|
-
break;
|
403
|
-
}
|
404
|
-
}
|
405
|
-
|
406
|
-
|
407
|
-
if (did_work)
|
408
|
-
return 1;
|
409
|
-
else if (fatal)
|
410
|
-
return -1;
|
411
|
-
else
|
412
|
-
return 0;
|
413
|
-
}
|
414
|
-
|
415
|
-
/**********************
|
416
|
-
SslBox_t::GetPeerCert
|
417
|
-
**********************/
|
418
|
-
|
419
|
-
X509 *SslBox_t::GetPeerCert()
|
420
|
-
{
|
421
|
-
X509 *cert = NULL;
|
422
|
-
|
423
|
-
if (pSSL)
|
424
|
-
cert = SSL_get_peer_certificate(pSSL);
|
425
|
-
|
426
|
-
return cert;
|
427
|
-
}
|
428
|
-
|
429
|
-
|
430
|
-
/******************
|
431
|
-
ssl_verify_wrapper
|
432
|
-
*******************/
|
433
|
-
|
434
|
-
extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
|
435
|
-
{
|
436
|
-
|
437
|
-
X509 *cert;
|
438
|
-
SSL *ssl;
|
439
|
-
BUF_MEM *buf;
|
440
|
-
BIO *out;
|
441
|
-
int result;
|
442
|
-
|
443
|
-
cert = X509_STORE_CTX_get_current_cert(ctx);
|
444
|
-
ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
445
|
-
binding = (
|
446
|
-
|
447
|
-
out = BIO_new(BIO_s_mem());
|
448
|
-
PEM_write_bio_X509(out, cert);
|
449
|
-
BIO_write(out, "\0", 1);
|
450
|
-
BIO_get_mem_ptr(out, &buf);
|
451
|
-
|
452
|
-
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject(binding));
|
453
|
-
result = (cd->VerifySslPeer(buf->data) == true ? 1 : 0);
|
454
|
-
BUF_MEM_free(buf);
|
455
|
-
|
456
|
-
return result;
|
457
|
-
}
|
458
|
-
|
459
|
-
#endif // WITH_SSL
|
460
|
-
|
1
|
+
/*****************************************************************************
|
2
|
+
|
3
|
+
$Id$
|
4
|
+
|
5
|
+
File: ssl.cpp
|
6
|
+
Date: 30Apr06
|
7
|
+
|
8
|
+
Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved.
|
9
|
+
Gmail: blackhedd
|
10
|
+
|
11
|
+
This program is free software; you can redistribute it and/or modify
|
12
|
+
it under the terms of either: 1) the GNU General Public License
|
13
|
+
as published by the Free Software Foundation; either version 2 of the
|
14
|
+
License, or (at your option) any later version; or 2) Ruby's License.
|
15
|
+
|
16
|
+
See the file COPYING for complete licensing information.
|
17
|
+
|
18
|
+
*****************************************************************************/
|
19
|
+
|
20
|
+
|
21
|
+
#ifdef WITH_SSL
|
22
|
+
|
23
|
+
#include "project.h"
|
24
|
+
|
25
|
+
|
26
|
+
bool SslContext_t::bLibraryInitialized = false;
|
27
|
+
|
28
|
+
|
29
|
+
|
30
|
+
static void InitializeDefaultCredentials();
|
31
|
+
static EVP_PKEY *DefaultPrivateKey = NULL;
|
32
|
+
static X509 *DefaultCertificate = NULL;
|
33
|
+
|
34
|
+
static char PrivateMaterials[] = {
|
35
|
+
"-----BEGIN RSA PRIVATE KEY-----\n"
|
36
|
+
"MIICXAIBAAKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxwVDWV\n"
|
37
|
+
"Igdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t39hJ/\n"
|
38
|
+
"AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQIDAQAB\n"
|
39
|
+
"AoGALA89gIFcr6BIBo8N5fL3aNHpZXjAICtGav+kTUpuxSiaym9cAeTHuAVv8Xgk\n"
|
40
|
+
"H2Wbq11uz+6JMLpkQJH/WZ7EV59DPOicXrp0Imr73F3EXBfR7t2EQDYHPMthOA1D\n"
|
41
|
+
"I9EtCzvV608Ze90hiJ7E3guGrGppZfJ+eUWCPgy8CZH1vRECQQDv67rwV/oU1aDo\n"
|
42
|
+
"6/+d5nqjeW6mWkGqTnUU96jXap8EIw6B+0cUKskwx6mHJv+tEMM2748ZY7b0yBlg\n"
|
43
|
+
"w4KDghbFAkEAz2h8PjSJG55LwqmXih1RONSgdN9hjB12LwXL1CaDh7/lkEhq0PlK\n"
|
44
|
+
"PCAUwQSdM17Sl0Xxm2CZiekTSlwmHrtqXQJAF3+8QJwtV2sRJp8u2zVe37IeH1cJ\n"
|
45
|
+
"xXeHyjTzqZ2803fnjN2iuZvzNr7noOA1/Kp+pFvUZUU5/0G2Ep8zolPUjQJAFA7k\n"
|
46
|
+
"xRdLkzIx3XeNQjwnmLlncyYPRv+qaE3FMpUu7zftuZBnVCJnvXzUxP3vPgKTlzGa\n"
|
47
|
+
"dg5XivDRfsV+okY5uQJBAMV4FesUuLQVEKb6lMs7rzZwpeGQhFDRfywJzfom2TLn\n"
|
48
|
+
"2RdJQQ3dcgnhdVDgt5o1qkmsqQh8uJrJ9SdyLIaZQIc=\n"
|
49
|
+
"-----END RSA PRIVATE KEY-----\n"
|
50
|
+
"-----BEGIN CERTIFICATE-----\n"
|
51
|
+
"MIID6TCCA1KgAwIBAgIJANm4W/Tzs+s+MA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD\n"
|
52
|
+
"VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYw\n"
|
53
|
+
"FAYDVQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsG\n"
|
54
|
+
"A1UEAxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2lu\n"
|
55
|
+
"ZWVyaW5nQHN0ZWFtaGVhdC5uZXQwHhcNMDYwNTA1MTcwNjAzWhcNMjQwMjIwMTcw\n"
|
56
|
+
"NjAzWjCBqjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQH\n"
|
57
|
+
"EwhOZXcgWW9yazEWMBQGA1UEChMNU3RlYW1oZWF0Lm5ldDEUMBIGA1UECxMLRW5n\n"
|
58
|
+
"aW5lZXJpbmcxHTAbBgNVBAMTFG9wZW5jYS5zdGVhbWhlYXQubmV0MSgwJgYJKoZI\n"
|
59
|
+
"hvcNAQkBFhllbmdpbmVlcmluZ0BzdGVhbWhlYXQubmV0MIGfMA0GCSqGSIb3DQEB\n"
|
60
|
+
"AQUAA4GNADCBiQKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxw\n"
|
61
|
+
"VDWVIgdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t3\n"
|
62
|
+
"9hJ/AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQID\n"
|
63
|
+
"AQABo4IBEzCCAQ8wHQYDVR0OBBYEFPJvPd1Fcmd8o/Tm88r+NjYPICCkMIHfBgNV\n"
|
64
|
+
"HSMEgdcwgdSAFPJvPd1Fcmd8o/Tm88r+NjYPICCkoYGwpIGtMIGqMQswCQYDVQQG\n"
|
65
|
+
"EwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYwFAYD\n"
|
66
|
+
"VQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsGA1UE\n"
|
67
|
+
"AxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2luZWVy\n"
|
68
|
+
"aW5nQHN0ZWFtaGVhdC5uZXSCCQDZuFv087PrPjAMBgNVHRMEBTADAQH/MA0GCSqG\n"
|
69
|
+
"SIb3DQEBBQUAA4GBAC1CXey/4UoLgJiwcEMDxOvW74plks23090iziFIlGgcIhk0\n"
|
70
|
+
"Df6hTAs7H3MWww62ddvR8l07AWfSzSP5L6mDsbvq7EmQsmPODwb6C+i2aF3EDL8j\n"
|
71
|
+
"uw73m4YIGI0Zw2XdBpiOGkx2H56Kya6mJJe/5XORZedh1wpI7zki01tHYbcy\n"
|
72
|
+
"-----END CERTIFICATE-----\n"};
|
73
|
+
|
74
|
+
/* These private materials were made with:
|
75
|
+
* openssl req -new -x509 -keyout cakey.pem -out cacert.pem -nodes -days 6500
|
76
|
+
* TODO: We need a full-blown capability to work with user-supplied
|
77
|
+
* keypairs and properly-signed certificates.
|
78
|
+
*/
|
79
|
+
|
80
|
+
|
81
|
+
/*****************
|
82
|
+
builtin_passwd_cb
|
83
|
+
*****************/
|
84
|
+
|
85
|
+
extern "C" int builtin_passwd_cb (char *buf, int bufsize, int rwflag, void *userdata)
|
86
|
+
{
|
87
|
+
strcpy (buf, "kittycat");
|
88
|
+
return 8;
|
89
|
+
}
|
90
|
+
|
91
|
+
/****************************
|
92
|
+
InitializeDefaultCredentials
|
93
|
+
****************************/
|
94
|
+
|
95
|
+
static void InitializeDefaultCredentials()
|
96
|
+
{
|
97
|
+
BIO *bio = BIO_new_mem_buf (PrivateMaterials, -1);
|
98
|
+
assert (bio);
|
99
|
+
|
100
|
+
if (DefaultPrivateKey) {
|
101
|
+
// we may come here in a restart.
|
102
|
+
EVP_PKEY_free (DefaultPrivateKey);
|
103
|
+
DefaultPrivateKey = NULL;
|
104
|
+
}
|
105
|
+
PEM_read_bio_PrivateKey (bio, &DefaultPrivateKey, builtin_passwd_cb, 0);
|
106
|
+
|
107
|
+
if (DefaultCertificate) {
|
108
|
+
// we may come here in a restart.
|
109
|
+
X509_free (DefaultCertificate);
|
110
|
+
DefaultCertificate = NULL;
|
111
|
+
}
|
112
|
+
PEM_read_bio_X509 (bio, &DefaultCertificate, NULL, 0);
|
113
|
+
|
114
|
+
BIO_free (bio);
|
115
|
+
}
|
116
|
+
|
117
|
+
|
118
|
+
|
119
|
+
/**************************
|
120
|
+
SslContext_t::SslContext_t
|
121
|
+
**************************/
|
122
|
+
|
123
|
+
SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile):
|
124
|
+
pCtx (NULL),
|
125
|
+
PrivateKey (NULL),
|
126
|
+
Certificate (NULL)
|
127
|
+
{
|
128
|
+
/* TODO: the usage of the specified private-key and cert-chain filenames only applies to
|
129
|
+
* client-side connections at this point. Server connections currently use the default materials.
|
130
|
+
* That needs to be fixed asap.
|
131
|
+
* Also, in this implementation, server-side connections use statically defined X-509 defaults.
|
132
|
+
* One thing I'm really not clear on is whether or not you have to explicitly free X509 and EVP_PKEY
|
133
|
+
* objects when we call our destructor, or whether just calling SSL_CTX_free is enough.
|
134
|
+
*/
|
135
|
+
|
136
|
+
if (!bLibraryInitialized) {
|
137
|
+
bLibraryInitialized = true;
|
138
|
+
SSL_library_init();
|
139
|
+
OpenSSL_add_ssl_algorithms();
|
140
|
+
OpenSSL_add_all_algorithms();
|
141
|
+
SSL_load_error_strings();
|
142
|
+
ERR_load_crypto_strings();
|
143
|
+
|
144
|
+
InitializeDefaultCredentials();
|
145
|
+
}
|
146
|
+
|
147
|
+
bIsServer = is_server;
|
148
|
+
pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
|
149
|
+
if (!pCtx)
|
150
|
+
throw std::runtime_error ("no SSL context");
|
151
|
+
|
152
|
+
SSL_CTX_set_options (pCtx, SSL_OP_ALL);
|
153
|
+
//SSL_CTX_set_options (pCtx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
|
154
|
+
|
155
|
+
if (is_server) {
|
156
|
+
// The SSL_CTX calls here do NOT allocate memory.
|
157
|
+
int e;
|
158
|
+
if (privkeyfile.length() > 0)
|
159
|
+
e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
|
160
|
+
else
|
161
|
+
e = SSL_CTX_use_PrivateKey (pCtx, DefaultPrivateKey);
|
162
|
+
assert (e > 0);
|
163
|
+
if (certchainfile.length() > 0)
|
164
|
+
e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
|
165
|
+
else
|
166
|
+
e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
|
167
|
+
assert (e > 0);
|
168
|
+
}
|
169
|
+
|
170
|
+
SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
|
171
|
+
|
172
|
+
if (is_server) {
|
173
|
+
SSL_CTX_sess_set_cache_size (pCtx, 128);
|
174
|
+
SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"eventmachine", 12);
|
175
|
+
}
|
176
|
+
else {
|
177
|
+
int e;
|
178
|
+
if (privkeyfile.length() > 0) {
|
179
|
+
e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
|
180
|
+
assert (e > 0);
|
181
|
+
}
|
182
|
+
if (certchainfile.length() > 0) {
|
183
|
+
e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
|
184
|
+
assert (e > 0);
|
185
|
+
}
|
186
|
+
}
|
187
|
+
}
|
188
|
+
|
189
|
+
|
190
|
+
|
191
|
+
/***************************
|
192
|
+
SslContext_t::~SslContext_t
|
193
|
+
***************************/
|
194
|
+
|
195
|
+
SslContext_t::~SslContext_t()
|
196
|
+
{
|
197
|
+
if (pCtx)
|
198
|
+
SSL_CTX_free (pCtx);
|
199
|
+
if (PrivateKey)
|
200
|
+
EVP_PKEY_free (PrivateKey);
|
201
|
+
if (Certificate)
|
202
|
+
X509_free (Certificate);
|
203
|
+
}
|
204
|
+
|
205
|
+
|
206
|
+
|
207
|
+
/******************
|
208
|
+
SslBox_t::SslBox_t
|
209
|
+
******************/
|
210
|
+
|
211
|
+
SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const unsigned long binding):
|
212
|
+
bIsServer (is_server),
|
213
|
+
bHandshakeCompleted (false),
|
214
|
+
bVerifyPeer (verify_peer),
|
215
|
+
pSSL (NULL),
|
216
|
+
pbioRead (NULL),
|
217
|
+
pbioWrite (NULL)
|
218
|
+
{
|
219
|
+
/* TODO someday: make it possible to re-use SSL contexts so we don't have to create
|
220
|
+
* a new one every time we come here.
|
221
|
+
*/
|
222
|
+
|
223
|
+
Context = new SslContext_t (bIsServer, privkeyfile, certchainfile);
|
224
|
+
assert (Context);
|
225
|
+
|
226
|
+
pbioRead = BIO_new (BIO_s_mem());
|
227
|
+
assert (pbioRead);
|
228
|
+
|
229
|
+
pbioWrite = BIO_new (BIO_s_mem());
|
230
|
+
assert (pbioWrite);
|
231
|
+
|
232
|
+
pSSL = SSL_new (Context->pCtx);
|
233
|
+
assert (pSSL);
|
234
|
+
SSL_set_bio (pSSL, pbioRead, pbioWrite);
|
235
|
+
|
236
|
+
// Store a pointer to the binding signature in the SSL object so we can retrieve it later
|
237
|
+
SSL_set_ex_data(pSSL, 0, (void*) binding);
|
238
|
+
|
239
|
+
if (bVerifyPeer)
|
240
|
+
SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper);
|
241
|
+
|
242
|
+
if (!bIsServer)
|
243
|
+
SSL_connect (pSSL);
|
244
|
+
}
|
245
|
+
|
246
|
+
|
247
|
+
|
248
|
+
/*******************
|
249
|
+
SslBox_t::~SslBox_t
|
250
|
+
*******************/
|
251
|
+
|
252
|
+
SslBox_t::~SslBox_t()
|
253
|
+
{
|
254
|
+
// Freeing pSSL will also free the associated BIOs, so DON'T free them separately.
|
255
|
+
if (pSSL) {
|
256
|
+
if (SSL_get_shutdown (pSSL) & SSL_RECEIVED_SHUTDOWN)
|
257
|
+
SSL_shutdown (pSSL);
|
258
|
+
else
|
259
|
+
SSL_clear (pSSL);
|
260
|
+
SSL_free (pSSL);
|
261
|
+
}
|
262
|
+
|
263
|
+
delete Context;
|
264
|
+
}
|
265
|
+
|
266
|
+
|
267
|
+
|
268
|
+
/***********************
|
269
|
+
SslBox_t::PutCiphertext
|
270
|
+
***********************/
|
271
|
+
|
272
|
+
bool SslBox_t::PutCiphertext (const char *buf, int bufsize)
|
273
|
+
{
|
274
|
+
assert (buf && (bufsize > 0));
|
275
|
+
|
276
|
+
assert (pbioRead);
|
277
|
+
int n = BIO_write (pbioRead, buf, bufsize);
|
278
|
+
|
279
|
+
return (n == bufsize) ? true : false;
|
280
|
+
}
|
281
|
+
|
282
|
+
|
283
|
+
/**********************
|
284
|
+
SslBox_t::GetPlaintext
|
285
|
+
**********************/
|
286
|
+
|
287
|
+
int SslBox_t::GetPlaintext (char *buf, int bufsize)
|
288
|
+
{
|
289
|
+
if (!SSL_is_init_finished (pSSL)) {
|
290
|
+
int e = bIsServer ? SSL_accept (pSSL) : SSL_connect (pSSL);
|
291
|
+
if (e < 0) {
|
292
|
+
int er = SSL_get_error (pSSL, e);
|
293
|
+
if (er != SSL_ERROR_WANT_READ) {
|
294
|
+
// Return -1 for a nonfatal error, -2 for an error that should force the connection down.
|
295
|
+
return (er == SSL_ERROR_SSL) ? (-2) : (-1);
|
296
|
+
}
|
297
|
+
else
|
298
|
+
return 0;
|
299
|
+
}
|
300
|
+
bHandshakeCompleted = true;
|
301
|
+
// If handshake finished, FALL THROUGH and return the available plaintext.
|
302
|
+
}
|
303
|
+
|
304
|
+
if (!SSL_is_init_finished (pSSL)) {
|
305
|
+
// We can get here if a browser abandons a handshake.
|
306
|
+
// The user can see a warning dialog and abort the connection.
|
307
|
+
cerr << "<SSL_incomp>";
|
308
|
+
return 0;
|
309
|
+
}
|
310
|
+
|
311
|
+
//cerr << "CIPH: " << SSL_get_cipher (pSSL) << endl;
|
312
|
+
|
313
|
+
int n = SSL_read (pSSL, buf, bufsize);
|
314
|
+
if (n >= 0) {
|
315
|
+
return n;
|
316
|
+
}
|
317
|
+
else {
|
318
|
+
if (SSL_get_error (pSSL, n) == SSL_ERROR_WANT_READ) {
|
319
|
+
return 0;
|
320
|
+
}
|
321
|
+
else {
|
322
|
+
return -1;
|
323
|
+
}
|
324
|
+
}
|
325
|
+
|
326
|
+
return 0;
|
327
|
+
}
|
328
|
+
|
329
|
+
|
330
|
+
|
331
|
+
/**************************
|
332
|
+
SslBox_t::CanGetCiphertext
|
333
|
+
**************************/
|
334
|
+
|
335
|
+
bool SslBox_t::CanGetCiphertext()
|
336
|
+
{
|
337
|
+
assert (pbioWrite);
|
338
|
+
return BIO_pending (pbioWrite) ? true : false;
|
339
|
+
}
|
340
|
+
|
341
|
+
|
342
|
+
|
343
|
+
/***********************
|
344
|
+
SslBox_t::GetCiphertext
|
345
|
+
***********************/
|
346
|
+
|
347
|
+
int SslBox_t::GetCiphertext (char *buf, int bufsize)
|
348
|
+
{
|
349
|
+
assert (pbioWrite);
|
350
|
+
assert (buf && (bufsize > 0));
|
351
|
+
|
352
|
+
return BIO_read (pbioWrite, buf, bufsize);
|
353
|
+
}
|
354
|
+
|
355
|
+
|
356
|
+
|
357
|
+
/**********************
|
358
|
+
SslBox_t::PutPlaintext
|
359
|
+
**********************/
|
360
|
+
|
361
|
+
int SslBox_t::PutPlaintext (const char *buf, int bufsize)
|
362
|
+
{
|
363
|
+
// The caller will interpret the return value as the number of bytes written.
|
364
|
+
// WARNING WARNING WARNING, are there any situations in which a 0 or -1 return
|
365
|
+
// from SSL_write means we should immediately retry? The socket-machine loop
|
366
|
+
// will probably wait for a time-out cycle (perhaps a second) before re-trying.
|
367
|
+
// THIS WOULD CAUSE A PERCEPTIBLE DELAY!
|
368
|
+
|
369
|
+
/* We internally queue any outbound plaintext that can't be dispatched
|
370
|
+
* because we're in the middle of a handshake or something.
|
371
|
+
* When we get called, try to send any queued data first, and then
|
372
|
+
* send the caller's data (or queue it). We may get called with no outbound
|
373
|
+
* data, which means we try to send the outbound queue and that's all.
|
374
|
+
*
|
375
|
+
* Return >0 if we wrote any data, 0 if we didn't, and <0 for a fatal error.
|
376
|
+
* Note that if we return 0, the connection is still considered live
|
377
|
+
* and we are signalling that we have accepted the outbound data (if any).
|
378
|
+
*/
|
379
|
+
|
380
|
+
OutboundQ.Push (buf, bufsize);
|
381
|
+
|
382
|
+
if (!SSL_is_init_finished (pSSL))
|
383
|
+
return 0;
|
384
|
+
|
385
|
+
bool fatal = false;
|
386
|
+
bool did_work = false;
|
387
|
+
|
388
|
+
while (OutboundQ.HasPages()) {
|
389
|
+
const char *page;
|
390
|
+
int length;
|
391
|
+
OutboundQ.Front (&page, &length);
|
392
|
+
assert (page && (length > 0));
|
393
|
+
int n = SSL_write (pSSL, page, length);
|
394
|
+
if (n > 0) {
|
395
|
+
did_work = true;
|
396
|
+
OutboundQ.PopFront();
|
397
|
+
}
|
398
|
+
else {
|
399
|
+
int er = SSL_get_error (pSSL, n);
|
400
|
+
if ((er != SSL_ERROR_WANT_READ) && (er != SSL_ERROR_WANT_WRITE))
|
401
|
+
fatal = true;
|
402
|
+
break;
|
403
|
+
}
|
404
|
+
}
|
405
|
+
|
406
|
+
|
407
|
+
if (did_work)
|
408
|
+
return 1;
|
409
|
+
else if (fatal)
|
410
|
+
return -1;
|
411
|
+
else
|
412
|
+
return 0;
|
413
|
+
}
|
414
|
+
|
415
|
+
/**********************
|
416
|
+
SslBox_t::GetPeerCert
|
417
|
+
**********************/
|
418
|
+
|
419
|
+
X509 *SslBox_t::GetPeerCert()
|
420
|
+
{
|
421
|
+
X509 *cert = NULL;
|
422
|
+
|
423
|
+
if (pSSL)
|
424
|
+
cert = SSL_get_peer_certificate(pSSL);
|
425
|
+
|
426
|
+
return cert;
|
427
|
+
}
|
428
|
+
|
429
|
+
|
430
|
+
/******************
|
431
|
+
ssl_verify_wrapper
|
432
|
+
*******************/
|
433
|
+
|
434
|
+
extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
|
435
|
+
{
|
436
|
+
unsigned long binding;
|
437
|
+
X509 *cert;
|
438
|
+
SSL *ssl;
|
439
|
+
BUF_MEM *buf;
|
440
|
+
BIO *out;
|
441
|
+
int result;
|
442
|
+
|
443
|
+
cert = X509_STORE_CTX_get_current_cert(ctx);
|
444
|
+
ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
445
|
+
binding = (unsigned long) SSL_get_ex_data(ssl, 0);
|
446
|
+
|
447
|
+
out = BIO_new(BIO_s_mem());
|
448
|
+
PEM_write_bio_X509(out, cert);
|
449
|
+
BIO_write(out, "\0", 1);
|
450
|
+
BIO_get_mem_ptr(out, &buf);
|
451
|
+
|
452
|
+
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject(binding));
|
453
|
+
result = (cd->VerifySslPeer(buf->data) == true ? 1 : 0);
|
454
|
+
BUF_MEM_free(buf);
|
455
|
+
|
456
|
+
return result;
|
457
|
+
}
|
458
|
+
|
459
|
+
#endif // WITH_SSL
|
460
|
+
|