eventmachine 0.12.8-x86-mswin32-60 → 0.12.10-x86-mswin32-60

Sign up to get free protection for your applications and to get access to all the features.
Files changed (66) hide show
  1. data/.gitignore +14 -13
  2. data/Rakefile +374 -264
  3. data/eventmachine.gemspec +4 -5
  4. data/ext/binder.cpp +125 -126
  5. data/ext/binder.h +46 -48
  6. data/ext/cmain.cpp +184 -42
  7. data/ext/cplusplus.cpp +202 -202
  8. data/ext/ed.cpp +242 -81
  9. data/ext/ed.h +39 -22
  10. data/ext/em.cpp +127 -108
  11. data/ext/em.h +27 -18
  12. data/ext/emwin.cpp +3 -3
  13. data/ext/eventmachine.h +49 -38
  14. data/ext/eventmachine_cpp.h +96 -96
  15. data/ext/extconf.rb +147 -132
  16. data/ext/fastfilereader/extconf.rb +82 -76
  17. data/ext/project.h +151 -140
  18. data/ext/rubymain.cpp +222 -103
  19. data/ext/ssl.cpp +460 -460
  20. data/ext/ssl.h +94 -94
  21. data/java/src/com/rubyeventmachine/EmReactor.java +570 -423
  22. data/java/src/com/rubyeventmachine/EventableChannel.java +69 -57
  23. data/java/src/com/rubyeventmachine/EventableDatagramChannel.java +189 -171
  24. data/java/src/com/rubyeventmachine/EventableSocketChannel.java +364 -244
  25. data/java/src/com/rubyeventmachine/{Application.java → application/Application.java} +194 -200
  26. data/java/src/com/rubyeventmachine/{Connection.java → application/Connection.java} +74 -74
  27. data/java/src/com/rubyeventmachine/{ConnectionFactory.java → application/ConnectionFactory.java} +36 -36
  28. data/java/src/com/rubyeventmachine/{DefaultConnectionFactory.java → application/DefaultConnectionFactory.java} +46 -46
  29. data/java/src/com/rubyeventmachine/{PeriodicTimer.java → application/PeriodicTimer.java} +38 -38
  30. data/java/src/com/rubyeventmachine/{Timer.java → application/Timer.java} +54 -54
  31. data/java/src/com/rubyeventmachine/tests/ApplicationTest.java +109 -108
  32. data/java/src/com/rubyeventmachine/tests/ConnectTest.java +148 -146
  33. data/java/src/com/rubyeventmachine/tests/TestDatagrams.java +53 -53
  34. data/java/src/com/rubyeventmachine/tests/TestServers.java +75 -74
  35. data/java/src/com/rubyeventmachine/tests/TestTimers.java +90 -89
  36. data/lib/em/connection.rb +71 -12
  37. data/lib/em/deferrable.rb +191 -186
  38. data/lib/em/protocols.rb +36 -35
  39. data/lib/em/protocols/httpclient2.rb +590 -582
  40. data/lib/em/protocols/line_and_text.rb +125 -126
  41. data/lib/em/protocols/linetext2.rb +161 -160
  42. data/lib/em/protocols/object_protocol.rb +45 -39
  43. data/lib/em/protocols/smtpclient.rb +357 -331
  44. data/lib/em/protocols/socks4.rb +66 -0
  45. data/lib/em/queue.rb +60 -60
  46. data/lib/em/timers.rb +56 -55
  47. data/lib/em/version.rb +1 -1
  48. data/lib/eventmachine.rb +125 -169
  49. data/lib/jeventmachine.rb +257 -142
  50. data/tasks/{cpp.rake → cpp.rake_example} +76 -76
  51. data/tests/test_attach.rb +125 -100
  52. data/tests/test_basic.rb +1 -2
  53. data/tests/test_connection_count.rb +34 -44
  54. data/tests/test_epoll.rb +0 -2
  55. data/tests/test_get_sock_opt.rb +30 -0
  56. data/tests/test_httpclient2.rb +3 -3
  57. data/tests/test_inactivity_timeout.rb +21 -1
  58. data/tests/test_ltp.rb +182 -188
  59. data/tests/test_next_tick.rb +0 -2
  60. data/tests/test_pause.rb +70 -0
  61. data/tests/test_pending_connect_timeout.rb +48 -0
  62. data/tests/test_ssl_args.rb +78 -67
  63. data/tests/test_timers.rb +162 -141
  64. metadata +13 -11
  65. data/tasks/project.rake +0 -79
  66. data/tasks/tests.rake +0 -193
@@ -1,460 +1,460 @@
1
- /*****************************************************************************
2
-
3
- $Id$
4
-
5
- File: ssl.cpp
6
- Date: 30Apr06
7
-
8
- Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved.
9
- Gmail: blackhedd
10
-
11
- This program is free software; you can redistribute it and/or modify
12
- it under the terms of either: 1) the GNU General Public License
13
- as published by the Free Software Foundation; either version 2 of the
14
- License, or (at your option) any later version; or 2) Ruby's License.
15
-
16
- See the file COPYING for complete licensing information.
17
-
18
- *****************************************************************************/
19
-
20
-
21
- #ifdef WITH_SSL
22
-
23
- #include "project.h"
24
-
25
-
26
- bool SslContext_t::bLibraryInitialized = false;
27
-
28
-
29
-
30
- static void InitializeDefaultCredentials();
31
- static EVP_PKEY *DefaultPrivateKey = NULL;
32
- static X509 *DefaultCertificate = NULL;
33
-
34
- static char PrivateMaterials[] = {
35
- "-----BEGIN RSA PRIVATE KEY-----\n"
36
- "MIICXAIBAAKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxwVDWV\n"
37
- "Igdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t39hJ/\n"
38
- "AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQIDAQAB\n"
39
- "AoGALA89gIFcr6BIBo8N5fL3aNHpZXjAICtGav+kTUpuxSiaym9cAeTHuAVv8Xgk\n"
40
- "H2Wbq11uz+6JMLpkQJH/WZ7EV59DPOicXrp0Imr73F3EXBfR7t2EQDYHPMthOA1D\n"
41
- "I9EtCzvV608Ze90hiJ7E3guGrGppZfJ+eUWCPgy8CZH1vRECQQDv67rwV/oU1aDo\n"
42
- "6/+d5nqjeW6mWkGqTnUU96jXap8EIw6B+0cUKskwx6mHJv+tEMM2748ZY7b0yBlg\n"
43
- "w4KDghbFAkEAz2h8PjSJG55LwqmXih1RONSgdN9hjB12LwXL1CaDh7/lkEhq0PlK\n"
44
- "PCAUwQSdM17Sl0Xxm2CZiekTSlwmHrtqXQJAF3+8QJwtV2sRJp8u2zVe37IeH1cJ\n"
45
- "xXeHyjTzqZ2803fnjN2iuZvzNr7noOA1/Kp+pFvUZUU5/0G2Ep8zolPUjQJAFA7k\n"
46
- "xRdLkzIx3XeNQjwnmLlncyYPRv+qaE3FMpUu7zftuZBnVCJnvXzUxP3vPgKTlzGa\n"
47
- "dg5XivDRfsV+okY5uQJBAMV4FesUuLQVEKb6lMs7rzZwpeGQhFDRfywJzfom2TLn\n"
48
- "2RdJQQ3dcgnhdVDgt5o1qkmsqQh8uJrJ9SdyLIaZQIc=\n"
49
- "-----END RSA PRIVATE KEY-----\n"
50
- "-----BEGIN CERTIFICATE-----\n"
51
- "MIID6TCCA1KgAwIBAgIJANm4W/Tzs+s+MA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD\n"
52
- "VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYw\n"
53
- "FAYDVQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsG\n"
54
- "A1UEAxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2lu\n"
55
- "ZWVyaW5nQHN0ZWFtaGVhdC5uZXQwHhcNMDYwNTA1MTcwNjAzWhcNMjQwMjIwMTcw\n"
56
- "NjAzWjCBqjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQH\n"
57
- "EwhOZXcgWW9yazEWMBQGA1UEChMNU3RlYW1oZWF0Lm5ldDEUMBIGA1UECxMLRW5n\n"
58
- "aW5lZXJpbmcxHTAbBgNVBAMTFG9wZW5jYS5zdGVhbWhlYXQubmV0MSgwJgYJKoZI\n"
59
- "hvcNAQkBFhllbmdpbmVlcmluZ0BzdGVhbWhlYXQubmV0MIGfMA0GCSqGSIb3DQEB\n"
60
- "AQUAA4GNADCBiQKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxw\n"
61
- "VDWVIgdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t3\n"
62
- "9hJ/AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQID\n"
63
- "AQABo4IBEzCCAQ8wHQYDVR0OBBYEFPJvPd1Fcmd8o/Tm88r+NjYPICCkMIHfBgNV\n"
64
- "HSMEgdcwgdSAFPJvPd1Fcmd8o/Tm88r+NjYPICCkoYGwpIGtMIGqMQswCQYDVQQG\n"
65
- "EwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYwFAYD\n"
66
- "VQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsGA1UE\n"
67
- "AxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2luZWVy\n"
68
- "aW5nQHN0ZWFtaGVhdC5uZXSCCQDZuFv087PrPjAMBgNVHRMEBTADAQH/MA0GCSqG\n"
69
- "SIb3DQEBBQUAA4GBAC1CXey/4UoLgJiwcEMDxOvW74plks23090iziFIlGgcIhk0\n"
70
- "Df6hTAs7H3MWww62ddvR8l07AWfSzSP5L6mDsbvq7EmQsmPODwb6C+i2aF3EDL8j\n"
71
- "uw73m4YIGI0Zw2XdBpiOGkx2H56Kya6mJJe/5XORZedh1wpI7zki01tHYbcy\n"
72
- "-----END CERTIFICATE-----\n"};
73
-
74
- /* These private materials were made with:
75
- * openssl req -new -x509 -keyout cakey.pem -out cacert.pem -nodes -days 6500
76
- * TODO: We need a full-blown capability to work with user-supplied
77
- * keypairs and properly-signed certificates.
78
- */
79
-
80
-
81
- /*****************
82
- builtin_passwd_cb
83
- *****************/
84
-
85
- extern "C" int builtin_passwd_cb (char *buf, int bufsize, int rwflag, void *userdata)
86
- {
87
- strcpy (buf, "kittycat");
88
- return 8;
89
- }
90
-
91
- /****************************
92
- InitializeDefaultCredentials
93
- ****************************/
94
-
95
- static void InitializeDefaultCredentials()
96
- {
97
- BIO *bio = BIO_new_mem_buf (PrivateMaterials, -1);
98
- assert (bio);
99
-
100
- if (DefaultPrivateKey) {
101
- // we may come here in a restart.
102
- EVP_PKEY_free (DefaultPrivateKey);
103
- DefaultPrivateKey = NULL;
104
- }
105
- PEM_read_bio_PrivateKey (bio, &DefaultPrivateKey, builtin_passwd_cb, 0);
106
-
107
- if (DefaultCertificate) {
108
- // we may come here in a restart.
109
- X509_free (DefaultCertificate);
110
- DefaultCertificate = NULL;
111
- }
112
- PEM_read_bio_X509 (bio, &DefaultCertificate, NULL, 0);
113
-
114
- BIO_free (bio);
115
- }
116
-
117
-
118
-
119
- /**************************
120
- SslContext_t::SslContext_t
121
- **************************/
122
-
123
- SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile):
124
- pCtx (NULL),
125
- PrivateKey (NULL),
126
- Certificate (NULL)
127
- {
128
- /* TODO: the usage of the specified private-key and cert-chain filenames only applies to
129
- * client-side connections at this point. Server connections currently use the default materials.
130
- * That needs to be fixed asap.
131
- * Also, in this implementation, server-side connections use statically defined X-509 defaults.
132
- * One thing I'm really not clear on is whether or not you have to explicitly free X509 and EVP_PKEY
133
- * objects when we call our destructor, or whether just calling SSL_CTX_free is enough.
134
- */
135
-
136
- if (!bLibraryInitialized) {
137
- bLibraryInitialized = true;
138
- SSL_library_init();
139
- OpenSSL_add_ssl_algorithms();
140
- OpenSSL_add_all_algorithms();
141
- SSL_load_error_strings();
142
- ERR_load_crypto_strings();
143
-
144
- InitializeDefaultCredentials();
145
- }
146
-
147
- bIsServer = is_server;
148
- pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
149
- if (!pCtx)
150
- throw std::runtime_error ("no SSL context");
151
-
152
- SSL_CTX_set_options (pCtx, SSL_OP_ALL);
153
- //SSL_CTX_set_options (pCtx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
154
-
155
- if (is_server) {
156
- // The SSL_CTX calls here do NOT allocate memory.
157
- int e;
158
- if (privkeyfile.length() > 0)
159
- e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
160
- else
161
- e = SSL_CTX_use_PrivateKey (pCtx, DefaultPrivateKey);
162
- assert (e > 0);
163
- if (certchainfile.length() > 0)
164
- e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
165
- else
166
- e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
167
- assert (e > 0);
168
- }
169
-
170
- SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
171
-
172
- if (is_server) {
173
- SSL_CTX_sess_set_cache_size (pCtx, 128);
174
- SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"eventmachine", 12);
175
- }
176
- else {
177
- int e;
178
- if (privkeyfile.length() > 0) {
179
- e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
180
- assert (e > 0);
181
- }
182
- if (certchainfile.length() > 0) {
183
- e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
184
- assert (e > 0);
185
- }
186
- }
187
- }
188
-
189
-
190
-
191
- /***************************
192
- SslContext_t::~SslContext_t
193
- ***************************/
194
-
195
- SslContext_t::~SslContext_t()
196
- {
197
- if (pCtx)
198
- SSL_CTX_free (pCtx);
199
- if (PrivateKey)
200
- EVP_PKEY_free (PrivateKey);
201
- if (Certificate)
202
- X509_free (Certificate);
203
- }
204
-
205
-
206
-
207
- /******************
208
- SslBox_t::SslBox_t
209
- ******************/
210
-
211
- SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const char *binding):
212
- bIsServer (is_server),
213
- bHandshakeCompleted (false),
214
- bVerifyPeer (verify_peer),
215
- pSSL (NULL),
216
- pbioRead (NULL),
217
- pbioWrite (NULL)
218
- {
219
- /* TODO someday: make it possible to re-use SSL contexts so we don't have to create
220
- * a new one every time we come here.
221
- */
222
-
223
- Context = new SslContext_t (bIsServer, privkeyfile, certchainfile);
224
- assert (Context);
225
-
226
- pbioRead = BIO_new (BIO_s_mem());
227
- assert (pbioRead);
228
-
229
- pbioWrite = BIO_new (BIO_s_mem());
230
- assert (pbioWrite);
231
-
232
- pSSL = SSL_new (Context->pCtx);
233
- assert (pSSL);
234
- SSL_set_bio (pSSL, pbioRead, pbioWrite);
235
-
236
- // Store a pointer to the binding signature in the SSL object so we can retrieve it later
237
- SSL_set_ex_data(pSSL, 0, (void*) binding);
238
-
239
- if (bVerifyPeer)
240
- SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper);
241
-
242
- if (!bIsServer)
243
- SSL_connect (pSSL);
244
- }
245
-
246
-
247
-
248
- /*******************
249
- SslBox_t::~SslBox_t
250
- *******************/
251
-
252
- SslBox_t::~SslBox_t()
253
- {
254
- // Freeing pSSL will also free the associated BIOs, so DON'T free them separately.
255
- if (pSSL) {
256
- if (SSL_get_shutdown (pSSL) & SSL_RECEIVED_SHUTDOWN)
257
- SSL_shutdown (pSSL);
258
- else
259
- SSL_clear (pSSL);
260
- SSL_free (pSSL);
261
- }
262
-
263
- delete Context;
264
- }
265
-
266
-
267
-
268
- /***********************
269
- SslBox_t::PutCiphertext
270
- ***********************/
271
-
272
- bool SslBox_t::PutCiphertext (const char *buf, int bufsize)
273
- {
274
- assert (buf && (bufsize > 0));
275
-
276
- assert (pbioRead);
277
- int n = BIO_write (pbioRead, buf, bufsize);
278
-
279
- return (n == bufsize) ? true : false;
280
- }
281
-
282
-
283
- /**********************
284
- SslBox_t::GetPlaintext
285
- **********************/
286
-
287
- int SslBox_t::GetPlaintext (char *buf, int bufsize)
288
- {
289
- if (!SSL_is_init_finished (pSSL)) {
290
- int e = bIsServer ? SSL_accept (pSSL) : SSL_connect (pSSL);
291
- if (e < 0) {
292
- int er = SSL_get_error (pSSL, e);
293
- if (er != SSL_ERROR_WANT_READ) {
294
- // Return -1 for a nonfatal error, -2 for an error that should force the connection down.
295
- return (er == SSL_ERROR_SSL) ? (-2) : (-1);
296
- }
297
- else
298
- return 0;
299
- }
300
- bHandshakeCompleted = true;
301
- // If handshake finished, FALL THROUGH and return the available plaintext.
302
- }
303
-
304
- if (!SSL_is_init_finished (pSSL)) {
305
- // We can get here if a browser abandons a handshake.
306
- // The user can see a warning dialog and abort the connection.
307
- cerr << "<SSL_incomp>";
308
- return 0;
309
- }
310
-
311
- //cerr << "CIPH: " << SSL_get_cipher (pSSL) << endl;
312
-
313
- int n = SSL_read (pSSL, buf, bufsize);
314
- if (n >= 0) {
315
- return n;
316
- }
317
- else {
318
- if (SSL_get_error (pSSL, n) == SSL_ERROR_WANT_READ) {
319
- return 0;
320
- }
321
- else {
322
- return -1;
323
- }
324
- }
325
-
326
- return 0;
327
- }
328
-
329
-
330
-
331
- /**************************
332
- SslBox_t::CanGetCiphertext
333
- **************************/
334
-
335
- bool SslBox_t::CanGetCiphertext()
336
- {
337
- assert (pbioWrite);
338
- return BIO_pending (pbioWrite) ? true : false;
339
- }
340
-
341
-
342
-
343
- /***********************
344
- SslBox_t::GetCiphertext
345
- ***********************/
346
-
347
- int SslBox_t::GetCiphertext (char *buf, int bufsize)
348
- {
349
- assert (pbioWrite);
350
- assert (buf && (bufsize > 0));
351
-
352
- return BIO_read (pbioWrite, buf, bufsize);
353
- }
354
-
355
-
356
-
357
- /**********************
358
- SslBox_t::PutPlaintext
359
- **********************/
360
-
361
- int SslBox_t::PutPlaintext (const char *buf, int bufsize)
362
- {
363
- // The caller will interpret the return value as the number of bytes written.
364
- // WARNING WARNING WARNING, are there any situations in which a 0 or -1 return
365
- // from SSL_write means we should immediately retry? The socket-machine loop
366
- // will probably wait for a time-out cycle (perhaps a second) before re-trying.
367
- // THIS WOULD CAUSE A PERCEPTIBLE DELAY!
368
-
369
- /* We internally queue any outbound plaintext that can't be dispatched
370
- * because we're in the middle of a handshake or something.
371
- * When we get called, try to send any queued data first, and then
372
- * send the caller's data (or queue it). We may get called with no outbound
373
- * data, which means we try to send the outbound queue and that's all.
374
- *
375
- * Return >0 if we wrote any data, 0 if we didn't, and <0 for a fatal error.
376
- * Note that if we return 0, the connection is still considered live
377
- * and we are signalling that we have accepted the outbound data (if any).
378
- */
379
-
380
- OutboundQ.Push (buf, bufsize);
381
-
382
- if (!SSL_is_init_finished (pSSL))
383
- return 0;
384
-
385
- bool fatal = false;
386
- bool did_work = false;
387
-
388
- while (OutboundQ.HasPages()) {
389
- const char *page;
390
- int length;
391
- OutboundQ.Front (&page, &length);
392
- assert (page && (length > 0));
393
- int n = SSL_write (pSSL, page, length);
394
- if (n > 0) {
395
- did_work = true;
396
- OutboundQ.PopFront();
397
- }
398
- else {
399
- int er = SSL_get_error (pSSL, n);
400
- if ((er != SSL_ERROR_WANT_READ) && (er != SSL_ERROR_WANT_WRITE))
401
- fatal = true;
402
- break;
403
- }
404
- }
405
-
406
-
407
- if (did_work)
408
- return 1;
409
- else if (fatal)
410
- return -1;
411
- else
412
- return 0;
413
- }
414
-
415
- /**********************
416
- SslBox_t::GetPeerCert
417
- **********************/
418
-
419
- X509 *SslBox_t::GetPeerCert()
420
- {
421
- X509 *cert = NULL;
422
-
423
- if (pSSL)
424
- cert = SSL_get_peer_certificate(pSSL);
425
-
426
- return cert;
427
- }
428
-
429
-
430
- /******************
431
- ssl_verify_wrapper
432
- *******************/
433
-
434
- extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
435
- {
436
- const char *binding;
437
- X509 *cert;
438
- SSL *ssl;
439
- BUF_MEM *buf;
440
- BIO *out;
441
- int result;
442
-
443
- cert = X509_STORE_CTX_get_current_cert(ctx);
444
- ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
445
- binding = (const char*) SSL_get_ex_data(ssl, 0);
446
-
447
- out = BIO_new(BIO_s_mem());
448
- PEM_write_bio_X509(out, cert);
449
- BIO_write(out, "\0", 1);
450
- BIO_get_mem_ptr(out, &buf);
451
-
452
- ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject(binding));
453
- result = (cd->VerifySslPeer(buf->data) == true ? 1 : 0);
454
- BUF_MEM_free(buf);
455
-
456
- return result;
457
- }
458
-
459
- #endif // WITH_SSL
460
-
1
+ /*****************************************************************************
2
+
3
+ $Id$
4
+
5
+ File: ssl.cpp
6
+ Date: 30Apr06
7
+
8
+ Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved.
9
+ Gmail: blackhedd
10
+
11
+ This program is free software; you can redistribute it and/or modify
12
+ it under the terms of either: 1) the GNU General Public License
13
+ as published by the Free Software Foundation; either version 2 of the
14
+ License, or (at your option) any later version; or 2) Ruby's License.
15
+
16
+ See the file COPYING for complete licensing information.
17
+
18
+ *****************************************************************************/
19
+
20
+
21
+ #ifdef WITH_SSL
22
+
23
+ #include "project.h"
24
+
25
+
26
+ bool SslContext_t::bLibraryInitialized = false;
27
+
28
+
29
+
30
+ static void InitializeDefaultCredentials();
31
+ static EVP_PKEY *DefaultPrivateKey = NULL;
32
+ static X509 *DefaultCertificate = NULL;
33
+
34
+ static char PrivateMaterials[] = {
35
+ "-----BEGIN RSA PRIVATE KEY-----\n"
36
+ "MIICXAIBAAKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxwVDWV\n"
37
+ "Igdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t39hJ/\n"
38
+ "AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQIDAQAB\n"
39
+ "AoGALA89gIFcr6BIBo8N5fL3aNHpZXjAICtGav+kTUpuxSiaym9cAeTHuAVv8Xgk\n"
40
+ "H2Wbq11uz+6JMLpkQJH/WZ7EV59DPOicXrp0Imr73F3EXBfR7t2EQDYHPMthOA1D\n"
41
+ "I9EtCzvV608Ze90hiJ7E3guGrGppZfJ+eUWCPgy8CZH1vRECQQDv67rwV/oU1aDo\n"
42
+ "6/+d5nqjeW6mWkGqTnUU96jXap8EIw6B+0cUKskwx6mHJv+tEMM2748ZY7b0yBlg\n"
43
+ "w4KDghbFAkEAz2h8PjSJG55LwqmXih1RONSgdN9hjB12LwXL1CaDh7/lkEhq0PlK\n"
44
+ "PCAUwQSdM17Sl0Xxm2CZiekTSlwmHrtqXQJAF3+8QJwtV2sRJp8u2zVe37IeH1cJ\n"
45
+ "xXeHyjTzqZ2803fnjN2iuZvzNr7noOA1/Kp+pFvUZUU5/0G2Ep8zolPUjQJAFA7k\n"
46
+ "xRdLkzIx3XeNQjwnmLlncyYPRv+qaE3FMpUu7zftuZBnVCJnvXzUxP3vPgKTlzGa\n"
47
+ "dg5XivDRfsV+okY5uQJBAMV4FesUuLQVEKb6lMs7rzZwpeGQhFDRfywJzfom2TLn\n"
48
+ "2RdJQQ3dcgnhdVDgt5o1qkmsqQh8uJrJ9SdyLIaZQIc=\n"
49
+ "-----END RSA PRIVATE KEY-----\n"
50
+ "-----BEGIN CERTIFICATE-----\n"
51
+ "MIID6TCCA1KgAwIBAgIJANm4W/Tzs+s+MA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD\n"
52
+ "VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYw\n"
53
+ "FAYDVQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsG\n"
54
+ "A1UEAxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2lu\n"
55
+ "ZWVyaW5nQHN0ZWFtaGVhdC5uZXQwHhcNMDYwNTA1MTcwNjAzWhcNMjQwMjIwMTcw\n"
56
+ "NjAzWjCBqjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQH\n"
57
+ "EwhOZXcgWW9yazEWMBQGA1UEChMNU3RlYW1oZWF0Lm5ldDEUMBIGA1UECxMLRW5n\n"
58
+ "aW5lZXJpbmcxHTAbBgNVBAMTFG9wZW5jYS5zdGVhbWhlYXQubmV0MSgwJgYJKoZI\n"
59
+ "hvcNAQkBFhllbmdpbmVlcmluZ0BzdGVhbWhlYXQubmV0MIGfMA0GCSqGSIb3DQEB\n"
60
+ "AQUAA4GNADCBiQKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxw\n"
61
+ "VDWVIgdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t3\n"
62
+ "9hJ/AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQID\n"
63
+ "AQABo4IBEzCCAQ8wHQYDVR0OBBYEFPJvPd1Fcmd8o/Tm88r+NjYPICCkMIHfBgNV\n"
64
+ "HSMEgdcwgdSAFPJvPd1Fcmd8o/Tm88r+NjYPICCkoYGwpIGtMIGqMQswCQYDVQQG\n"
65
+ "EwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYwFAYD\n"
66
+ "VQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsGA1UE\n"
67
+ "AxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2luZWVy\n"
68
+ "aW5nQHN0ZWFtaGVhdC5uZXSCCQDZuFv087PrPjAMBgNVHRMEBTADAQH/MA0GCSqG\n"
69
+ "SIb3DQEBBQUAA4GBAC1CXey/4UoLgJiwcEMDxOvW74plks23090iziFIlGgcIhk0\n"
70
+ "Df6hTAs7H3MWww62ddvR8l07AWfSzSP5L6mDsbvq7EmQsmPODwb6C+i2aF3EDL8j\n"
71
+ "uw73m4YIGI0Zw2XdBpiOGkx2H56Kya6mJJe/5XORZedh1wpI7zki01tHYbcy\n"
72
+ "-----END CERTIFICATE-----\n"};
73
+
74
+ /* These private materials were made with:
75
+ * openssl req -new -x509 -keyout cakey.pem -out cacert.pem -nodes -days 6500
76
+ * TODO: We need a full-blown capability to work with user-supplied
77
+ * keypairs and properly-signed certificates.
78
+ */
79
+
80
+
81
+ /*****************
82
+ builtin_passwd_cb
83
+ *****************/
84
+
85
+ extern "C" int builtin_passwd_cb (char *buf, int bufsize, int rwflag, void *userdata)
86
+ {
87
+ strcpy (buf, "kittycat");
88
+ return 8;
89
+ }
90
+
91
+ /****************************
92
+ InitializeDefaultCredentials
93
+ ****************************/
94
+
95
+ static void InitializeDefaultCredentials()
96
+ {
97
+ BIO *bio = BIO_new_mem_buf (PrivateMaterials, -1);
98
+ assert (bio);
99
+
100
+ if (DefaultPrivateKey) {
101
+ // we may come here in a restart.
102
+ EVP_PKEY_free (DefaultPrivateKey);
103
+ DefaultPrivateKey = NULL;
104
+ }
105
+ PEM_read_bio_PrivateKey (bio, &DefaultPrivateKey, builtin_passwd_cb, 0);
106
+
107
+ if (DefaultCertificate) {
108
+ // we may come here in a restart.
109
+ X509_free (DefaultCertificate);
110
+ DefaultCertificate = NULL;
111
+ }
112
+ PEM_read_bio_X509 (bio, &DefaultCertificate, NULL, 0);
113
+
114
+ BIO_free (bio);
115
+ }
116
+
117
+
118
+
119
+ /**************************
120
+ SslContext_t::SslContext_t
121
+ **************************/
122
+
123
+ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile):
124
+ pCtx (NULL),
125
+ PrivateKey (NULL),
126
+ Certificate (NULL)
127
+ {
128
+ /* TODO: the usage of the specified private-key and cert-chain filenames only applies to
129
+ * client-side connections at this point. Server connections currently use the default materials.
130
+ * That needs to be fixed asap.
131
+ * Also, in this implementation, server-side connections use statically defined X-509 defaults.
132
+ * One thing I'm really not clear on is whether or not you have to explicitly free X509 and EVP_PKEY
133
+ * objects when we call our destructor, or whether just calling SSL_CTX_free is enough.
134
+ */
135
+
136
+ if (!bLibraryInitialized) {
137
+ bLibraryInitialized = true;
138
+ SSL_library_init();
139
+ OpenSSL_add_ssl_algorithms();
140
+ OpenSSL_add_all_algorithms();
141
+ SSL_load_error_strings();
142
+ ERR_load_crypto_strings();
143
+
144
+ InitializeDefaultCredentials();
145
+ }
146
+
147
+ bIsServer = is_server;
148
+ pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
149
+ if (!pCtx)
150
+ throw std::runtime_error ("no SSL context");
151
+
152
+ SSL_CTX_set_options (pCtx, SSL_OP_ALL);
153
+ //SSL_CTX_set_options (pCtx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
154
+
155
+ if (is_server) {
156
+ // The SSL_CTX calls here do NOT allocate memory.
157
+ int e;
158
+ if (privkeyfile.length() > 0)
159
+ e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
160
+ else
161
+ e = SSL_CTX_use_PrivateKey (pCtx, DefaultPrivateKey);
162
+ assert (e > 0);
163
+ if (certchainfile.length() > 0)
164
+ e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
165
+ else
166
+ e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
167
+ assert (e > 0);
168
+ }
169
+
170
+ SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
171
+
172
+ if (is_server) {
173
+ SSL_CTX_sess_set_cache_size (pCtx, 128);
174
+ SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"eventmachine", 12);
175
+ }
176
+ else {
177
+ int e;
178
+ if (privkeyfile.length() > 0) {
179
+ e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
180
+ assert (e > 0);
181
+ }
182
+ if (certchainfile.length() > 0) {
183
+ e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
184
+ assert (e > 0);
185
+ }
186
+ }
187
+ }
188
+
189
+
190
+
191
+ /***************************
192
+ SslContext_t::~SslContext_t
193
+ ***************************/
194
+
195
+ SslContext_t::~SslContext_t()
196
+ {
197
+ if (pCtx)
198
+ SSL_CTX_free (pCtx);
199
+ if (PrivateKey)
200
+ EVP_PKEY_free (PrivateKey);
201
+ if (Certificate)
202
+ X509_free (Certificate);
203
+ }
204
+
205
+
206
+
207
+ /******************
208
+ SslBox_t::SslBox_t
209
+ ******************/
210
+
211
+ SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const unsigned long binding):
212
+ bIsServer (is_server),
213
+ bHandshakeCompleted (false),
214
+ bVerifyPeer (verify_peer),
215
+ pSSL (NULL),
216
+ pbioRead (NULL),
217
+ pbioWrite (NULL)
218
+ {
219
+ /* TODO someday: make it possible to re-use SSL contexts so we don't have to create
220
+ * a new one every time we come here.
221
+ */
222
+
223
+ Context = new SslContext_t (bIsServer, privkeyfile, certchainfile);
224
+ assert (Context);
225
+
226
+ pbioRead = BIO_new (BIO_s_mem());
227
+ assert (pbioRead);
228
+
229
+ pbioWrite = BIO_new (BIO_s_mem());
230
+ assert (pbioWrite);
231
+
232
+ pSSL = SSL_new (Context->pCtx);
233
+ assert (pSSL);
234
+ SSL_set_bio (pSSL, pbioRead, pbioWrite);
235
+
236
+ // Store a pointer to the binding signature in the SSL object so we can retrieve it later
237
+ SSL_set_ex_data(pSSL, 0, (void*) binding);
238
+
239
+ if (bVerifyPeer)
240
+ SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper);
241
+
242
+ if (!bIsServer)
243
+ SSL_connect (pSSL);
244
+ }
245
+
246
+
247
+
248
+ /*******************
249
+ SslBox_t::~SslBox_t
250
+ *******************/
251
+
252
+ SslBox_t::~SslBox_t()
253
+ {
254
+ // Freeing pSSL will also free the associated BIOs, so DON'T free them separately.
255
+ if (pSSL) {
256
+ if (SSL_get_shutdown (pSSL) & SSL_RECEIVED_SHUTDOWN)
257
+ SSL_shutdown (pSSL);
258
+ else
259
+ SSL_clear (pSSL);
260
+ SSL_free (pSSL);
261
+ }
262
+
263
+ delete Context;
264
+ }
265
+
266
+
267
+
268
+ /***********************
269
+ SslBox_t::PutCiphertext
270
+ ***********************/
271
+
272
+ bool SslBox_t::PutCiphertext (const char *buf, int bufsize)
273
+ {
274
+ assert (buf && (bufsize > 0));
275
+
276
+ assert (pbioRead);
277
+ int n = BIO_write (pbioRead, buf, bufsize);
278
+
279
+ return (n == bufsize) ? true : false;
280
+ }
281
+
282
+
283
+ /**********************
284
+ SslBox_t::GetPlaintext
285
+ **********************/
286
+
287
+ int SslBox_t::GetPlaintext (char *buf, int bufsize)
288
+ {
289
+ if (!SSL_is_init_finished (pSSL)) {
290
+ int e = bIsServer ? SSL_accept (pSSL) : SSL_connect (pSSL);
291
+ if (e < 0) {
292
+ int er = SSL_get_error (pSSL, e);
293
+ if (er != SSL_ERROR_WANT_READ) {
294
+ // Return -1 for a nonfatal error, -2 for an error that should force the connection down.
295
+ return (er == SSL_ERROR_SSL) ? (-2) : (-1);
296
+ }
297
+ else
298
+ return 0;
299
+ }
300
+ bHandshakeCompleted = true;
301
+ // If handshake finished, FALL THROUGH and return the available plaintext.
302
+ }
303
+
304
+ if (!SSL_is_init_finished (pSSL)) {
305
+ // We can get here if a browser abandons a handshake.
306
+ // The user can see a warning dialog and abort the connection.
307
+ cerr << "<SSL_incomp>";
308
+ return 0;
309
+ }
310
+
311
+ //cerr << "CIPH: " << SSL_get_cipher (pSSL) << endl;
312
+
313
+ int n = SSL_read (pSSL, buf, bufsize);
314
+ if (n >= 0) {
315
+ return n;
316
+ }
317
+ else {
318
+ if (SSL_get_error (pSSL, n) == SSL_ERROR_WANT_READ) {
319
+ return 0;
320
+ }
321
+ else {
322
+ return -1;
323
+ }
324
+ }
325
+
326
+ return 0;
327
+ }
328
+
329
+
330
+
331
+ /**************************
332
+ SslBox_t::CanGetCiphertext
333
+ **************************/
334
+
335
+ bool SslBox_t::CanGetCiphertext()
336
+ {
337
+ assert (pbioWrite);
338
+ return BIO_pending (pbioWrite) ? true : false;
339
+ }
340
+
341
+
342
+
343
+ /***********************
344
+ SslBox_t::GetCiphertext
345
+ ***********************/
346
+
347
+ int SslBox_t::GetCiphertext (char *buf, int bufsize)
348
+ {
349
+ assert (pbioWrite);
350
+ assert (buf && (bufsize > 0));
351
+
352
+ return BIO_read (pbioWrite, buf, bufsize);
353
+ }
354
+
355
+
356
+
357
+ /**********************
358
+ SslBox_t::PutPlaintext
359
+ **********************/
360
+
361
+ int SslBox_t::PutPlaintext (const char *buf, int bufsize)
362
+ {
363
+ // The caller will interpret the return value as the number of bytes written.
364
+ // WARNING WARNING WARNING, are there any situations in which a 0 or -1 return
365
+ // from SSL_write means we should immediately retry? The socket-machine loop
366
+ // will probably wait for a time-out cycle (perhaps a second) before re-trying.
367
+ // THIS WOULD CAUSE A PERCEPTIBLE DELAY!
368
+
369
+ /* We internally queue any outbound plaintext that can't be dispatched
370
+ * because we're in the middle of a handshake or something.
371
+ * When we get called, try to send any queued data first, and then
372
+ * send the caller's data (or queue it). We may get called with no outbound
373
+ * data, which means we try to send the outbound queue and that's all.
374
+ *
375
+ * Return >0 if we wrote any data, 0 if we didn't, and <0 for a fatal error.
376
+ * Note that if we return 0, the connection is still considered live
377
+ * and we are signalling that we have accepted the outbound data (if any).
378
+ */
379
+
380
+ OutboundQ.Push (buf, bufsize);
381
+
382
+ if (!SSL_is_init_finished (pSSL))
383
+ return 0;
384
+
385
+ bool fatal = false;
386
+ bool did_work = false;
387
+
388
+ while (OutboundQ.HasPages()) {
389
+ const char *page;
390
+ int length;
391
+ OutboundQ.Front (&page, &length);
392
+ assert (page && (length > 0));
393
+ int n = SSL_write (pSSL, page, length);
394
+ if (n > 0) {
395
+ did_work = true;
396
+ OutboundQ.PopFront();
397
+ }
398
+ else {
399
+ int er = SSL_get_error (pSSL, n);
400
+ if ((er != SSL_ERROR_WANT_READ) && (er != SSL_ERROR_WANT_WRITE))
401
+ fatal = true;
402
+ break;
403
+ }
404
+ }
405
+
406
+
407
+ if (did_work)
408
+ return 1;
409
+ else if (fatal)
410
+ return -1;
411
+ else
412
+ return 0;
413
+ }
414
+
415
+ /**********************
416
+ SslBox_t::GetPeerCert
417
+ **********************/
418
+
419
+ X509 *SslBox_t::GetPeerCert()
420
+ {
421
+ X509 *cert = NULL;
422
+
423
+ if (pSSL)
424
+ cert = SSL_get_peer_certificate(pSSL);
425
+
426
+ return cert;
427
+ }
428
+
429
+
430
+ /******************
431
+ ssl_verify_wrapper
432
+ *******************/
433
+
434
+ extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
435
+ {
436
+ unsigned long binding;
437
+ X509 *cert;
438
+ SSL *ssl;
439
+ BUF_MEM *buf;
440
+ BIO *out;
441
+ int result;
442
+
443
+ cert = X509_STORE_CTX_get_current_cert(ctx);
444
+ ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
445
+ binding = (unsigned long) SSL_get_ex_data(ssl, 0);
446
+
447
+ out = BIO_new(BIO_s_mem());
448
+ PEM_write_bio_X509(out, cert);
449
+ BIO_write(out, "\0", 1);
450
+ BIO_get_mem_ptr(out, &buf);
451
+
452
+ ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject(binding));
453
+ result = (cd->VerifySslPeer(buf->data) == true ? 1 : 0);
454
+ BUF_MEM_free(buf);
455
+
456
+ return result;
457
+ }
458
+
459
+ #endif // WITH_SSL
460
+