eventmachine 1.0.3-x86-mingw32 → 1.2.0.dev.2-x86-mingw32

data/ext/ssl.cpp

@@ -82,7 +82,7 @@ static char PrivateMaterials[] = {
 builtin_passwd_cb
 *****************/
 
-extern "C" int builtin_passwd_cb (char *buf, int bufsize, int rwflag, void *userdata)
+extern "C" int builtin_passwd_cb (char *buf UNUSED, int bufsize UNUSED, int rwflag UNUSED, void *userdata UNUSED)
 {
 	strcpy (buf, "kittycat");
 	return 8;
@@ -120,7 +120,8 @@ static void InitializeDefaultCredentials()
 SslContext_t::SslContext_t
 **************************/
 
-SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile):
+SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version) :
+	bIsServer (is_server),
 	pCtx (NULL),
 	PrivateKey (NULL),
 	Certificate (NULL)
@@ -144,18 +145,47 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
 		InitializeDefaultCredentials();
 	}
 
-	bIsServer = is_server;
-	pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
+	pCtx = SSL_CTX_new (bIsServer ? SSLv23_server_method() : SSLv23_client_method());
 	if (!pCtx)
 		throw std::runtime_error ("no SSL context");
 
 	SSL_CTX_set_options (pCtx, SSL_OP_ALL);
-	//SSL_CTX_set_options (pCtx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
-#ifdef SSL_MODE_RELEASE_BUFFERS
+
+	#ifdef SSL_CTRL_CLEAR_OPTIONS
+	SSL_CTX_clear_options (pCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+	# ifdef SSL_OP_NO_TLSv1_1
+	SSL_CTX_clear_options (pCtx, SSL_OP_NO_TLSv1_1);
+	# endif
+	# ifdef SSL_OP_NO_TLSv1_2
+	SSL_CTX_clear_options (pCtx, SSL_OP_NO_TLSv1_2);
+	# endif
+	#endif
+
+	if (!(ssl_version & EM_PROTO_SSLv2))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_SSLv2);
+
+	if (!(ssl_version & EM_PROTO_SSLv3))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_SSLv3);
+
+	if (!(ssl_version & EM_PROTO_TLSv1))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1);
+
+	#ifdef SSL_OP_NO_TLSv1_1
+	if (!(ssl_version & EM_PROTO_TLSv1_1))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1_1);
+	#endif
+
+	#ifdef SSL_OP_NO_TLSv1_2
+	if (!(ssl_version & EM_PROTO_TLSv1_2))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1_2);
+	#endif
+
+	#ifdef SSL_MODE_RELEASE_BUFFERS
 	SSL_CTX_set_mode (pCtx, SSL_MODE_RELEASE_BUFFERS);
-#endif
+	#endif
+
+	if (bIsServer) {
 
-	if (is_server) {
 		// The SSL_CTX calls here do NOT allocate memory.
 		int e;
 		if (privkeyfile.length() > 0)
@@ -171,11 +201,69 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
 			e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
 		if (e <= 0) ERR_print_errors_fp(stderr);
 		assert (e > 0);
+
+		if (dhparam.length() > 0) {
+			DH   *dh;
+			BIO  *bio;
+
+			bio = BIO_new_file(dhparam.c_str(), "r");
+			if (bio == NULL) {
+				char buf [500];
+				snprintf (buf, sizeof(buf)-1, "dhparam: BIO_new_file(%s) failed", dhparam.c_str());
+				throw std::runtime_error (buf);
+			}
+
+			dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+
+			if (dh == NULL) {
+				BIO_free(bio);
+				char buf [500];
+				snprintf (buf, sizeof(buf)-1, "dhparam: PEM_read_bio_DHparams(%s) failed", dhparam.c_str());
+				throw new std::runtime_error(buf);
+			}
+
+			SSL_CTX_set_tmp_dh(pCtx, dh);
+
+			DH_free(dh);
+			BIO_free(bio);
+		}
+
+		if (ecdh_curve.length() > 0) {
+			#if OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
+				int      nid;
+				EC_KEY  *ecdh;
+
+				nid = OBJ_sn2nid((const char *) ecdh_curve.c_str());
+				if (nid == 0) {
+					char buf [200];
+					snprintf (buf, sizeof(buf)-1, "ecdh_curve: Unknown curve name: %s", ecdh_curve.c_str());
+					throw std::runtime_error (buf);
+				}
+
+				ecdh = EC_KEY_new_by_curve_name(nid);
+				if (ecdh == NULL) {
+					char buf [200];
+					snprintf (buf, sizeof(buf)-1, "ecdh_curve: Unable to create: %s", ecdh_curve.c_str());
+					throw std::runtime_error (buf);
+				}
+
+				SSL_CTX_set_options(pCtx, SSL_OP_SINGLE_ECDH_USE);
+
+				SSL_CTX_set_tmp_ecdh(pCtx, ecdh);
+
+				EC_KEY_free(ecdh);
+			#else
+				throw std::runtime_error ("No openssl ECDH support");
+			#endif
+		}
 	}
 
-	SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
+	if (cipherlist.length() > 0)
+		SSL_CTX_set_cipher_list (pCtx, cipherlist.c_str());
+	else
+		SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
 
-	if (is_server) {
+	if (bIsServer) {
 		SSL_CTX_sess_set_cache_size (pCtx, 128);
 		SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"eventmachine", 12);
 	}
@@ -216,10 +304,11 @@ SslContext_t::~SslContext_t()
 SslBox_t::SslBox_t
 ******************/
 
-SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const unsigned long binding):
+SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, bool fail_if_no_peer_cert, const string &snihostname, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version, const uintptr_t binding):
 	bIsServer (is_server),
 	bHandshakeCompleted (false),
 	bVerifyPeer (verify_peer),
+	bFailIfNoPeerCert (fail_if_no_peer_cert),
 	pSSL (NULL),
 	pbioRead (NULL),
 	pbioWrite (NULL)
@@ -228,7 +317,7 @@ SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &cer
 	 * a new one every time we come here.
 	 */
 
-	Context = new SslContext_t (bIsServer, privkeyfile, certchainfile);
+	Context = new SslContext_t (bIsServer, privkeyfile, certchainfile, cipherlist, ecdh_curve, dhparam, ssl_version);
 	assert (Context);
 
 	pbioRead = BIO_new (BIO_s_mem());
@@ -239,13 +328,22 @@ SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &cer
 
 	pSSL = SSL_new (Context->pCtx);
 	assert (pSSL);
+
+	if (snihostname.length() > 0) {
+		SSL_set_tlsext_host_name (pSSL, snihostname.c_str());
+	}
+
 	SSL_set_bio (pSSL, pbioRead, pbioWrite);
 
 	// Store a pointer to the binding signature in the SSL object so we can retrieve it later
 	SSL_set_ex_data(pSSL, 0, (void*) binding);
 
-	if (bVerifyPeer)
-		SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper);
+	if (bVerifyPeer) {
+		int mode = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+		if (bFailIfNoPeerCert)
+			mode = mode | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+		SSL_set_verify(pSSL, mode, ssl_verify_wrapper);
+	}
 
 	if (!bIsServer)
 		SSL_connect (pSSL);
@@ -296,7 +394,7 @@ int SslBox_t::GetPlaintext (char *buf, int bufsize)
 {
 	if (!SSL_is_init_finished (pSSL)) {
 		int e = bIsServer ? SSL_accept (pSSL) : SSL_connect (pSSL);
-		if (e < 0) {
+		if (e != 1) {
 			int er = SSL_get_error (pSSL, e);
 			if (er != SSL_ERROR_WANT_READ) {
 				// Return -1 for a nonfatal error, -2 for an error that should force the connection down.
@@ -312,7 +410,7 @@ int SslBox_t::GetPlaintext (char *buf, int bufsize)
 	if (!SSL_is_init_finished (pSSL)) {
 		// We can get here if a browser abandons a handshake.
 		// The user can see a warning dialog and abort the connection.
-		cerr << "<SSL_incomp>";
+		//cerr << "<SSL_incomp>";
 		return 0;
 	}
 
@@ -392,13 +490,16 @@ int SslBox_t::PutPlaintext (const char *buf, int bufsize)
 
 	bool fatal = false;
 	bool did_work = false;
+	int pending = BIO_pending(pbioWrite);
 
-	while (OutboundQ.HasPages()) {
+	while (OutboundQ.HasPages() && pending < SSLBOX_WRITE_BUFFER_SIZE) {
 		const char *page;
 		int length;
 		OutboundQ.Front (&page, &length);
 		assert (page && (length > 0));
 		int n = SSL_write (pSSL, page, length);
+		pending = BIO_pending(pbioWrite);
+
 		if (n > 0) {
 			did_work = true;
 			OutboundQ.PopFront();
@@ -434,14 +535,60 @@ X509 *SslBox_t::GetPeerCert()
 	return cert;
 }
 
+/**********************
+SslBox_t::GetCipherBits
+**********************/
+
+int SslBox_t::GetCipherBits()
+{
+	int bits = -1;
+	if (pSSL)
+		SSL_get_cipher_bits(pSSL, &bits);
+	return bits;
+}
+
+/**********************
+SslBox_t::GetCipherName
+**********************/
+
+const char *SslBox_t::GetCipherName()
+{
+	if (pSSL)
+		return SSL_get_cipher_name(pSSL);
+	return NULL;
+}
+
+/**********************
+SslBox_t::GetCipherProtocol
+**********************/
+
+const char *SslBox_t::GetCipherProtocol()
+{
+	if (pSSL)
+		return SSL_get_cipher_version(pSSL);
+	return NULL;
+}
+
+/**********************
+SslBox_t::GetSNIHostname
+**********************/
+
+const char *SslBox_t::GetSNIHostname()
+{
+	#ifdef TLSEXT_NAMETYPE_host_name
+	if (pSSL)
+		return SSL_get_servername (pSSL, TLSEXT_NAMETYPE_host_name);
+	#endif
+	return NULL;
+}
 
 /******************
 ssl_verify_wrapper
 *******************/
 
-extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
+extern "C" int ssl_verify_wrapper(int preverify_ok UNUSED, X509_STORE_CTX *ctx)
 {
-	unsigned long binding;
+	uintptr_t binding;
 	X509 *cert;
 	SSL *ssl;
 	BUF_MEM *buf;
@@ -450,7 +597,7 @@ extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
 
 	cert = X509_STORE_CTX_get_current_cert(ctx);
 	ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
-	binding = (unsigned long) SSL_get_ex_data(ssl, 0);
+	binding = (uintptr_t) SSL_get_ex_data(ssl, 0);
 
 	out = BIO_new(BIO_s_mem());
 	PEM_write_bio_X509(out, cert);

data/ext/ssl.h

@@ -33,7 +33,7 @@ class SslContext_t
 class SslContext_t
 {
 	public:
-		SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile);
+		SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version);
 		virtual ~SslContext_t();
 
 	private:
@@ -54,10 +54,14 @@ class SslContext_t
 class SslBox_t
 **************/
 
+#define SSLBOX_INPUT_CHUNKSIZE 2019
+#define SSLBOX_OUTPUT_CHUNKSIZE 2048
+#define SSLBOX_WRITE_BUFFER_SIZE 8192 // (SSLBOX_OUTPUT_CHUNKSIZE * 4)
+
 class SslBox_t
 {
 	public:
-		SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const unsigned long binding);
+		SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, bool fail_if_no_peer_cert, const string &snihostname, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version, const uintptr_t binding);
 		virtual ~SslBox_t();
 
 		int PutPlaintext (const char*, int);
@@ -69,6 +73,10 @@ class SslBox_t
 		bool IsHandshakeCompleted() {return bHandshakeCompleted;}
 
 		X509 *GetPeerCert();
+		int GetCipherBits();
+		const char *GetCipherName();
+		const char *GetCipherProtocol();
+		const char *GetSNIHostname();
 
 		void Shutdown();
 
@@ -78,6 +86,7 @@ class SslBox_t
 		bool bIsServer;
 		bool bHandshakeCompleted;
 		bool bVerifyPeer;
+		bool bFailIfNoPeerCert;
 		SSL *pSSL;
 		BIO *pbioRead;
 		BIO *pbioWrite;

data/java/src/com/rubyeventmachine/EmReactor.java

@@ -569,6 +569,22 @@ public class EmReactor {
 		return Connections.get(sig).isNotifyWritable();
 	}
 
+	public boolean pauseConnection (long sig) {
+		return ((EventableSocketChannel) Connections.get(sig)).pause();
+	}
+	
+	public boolean resumeConnection (long sig) {
+		return ((EventableSocketChannel) Connections.get(sig)).resume();
+	}
+
+	public boolean isConnectionPaused (long sig) {
+		return ((EventableSocketChannel) Connections.get(sig)).isPaused();
+	}
+
+	public long getOutboundDataSize (long sig) {
+		return Connections.get(sig).getOutboundDataSize();
+	}
+	
 	public int getConnectionCount() {
 	  return Connections.size() + Acceptors.size();
 	}

data/java/src/com/rubyeventmachine/EventableChannel.java

@@ -57,6 +57,8 @@ public interface EventableChannel {
 	
 	public boolean writeOutboundData() throws IOException;
 
+	public long getOutboundDataSize();
+
 	public void setCommInactivityTimeout (long seconds);
 
 	public Object[] getPeerName();

data/java/src/com/rubyeventmachine/EventableDatagramChannel.java

@@ -54,6 +54,7 @@ public class EventableDatagramChannel implements EventableChannel {
 	Selector selector;
 	boolean bCloseScheduled;
 	LinkedList<Packet> outboundQ;
+	long outboundS;
 	SocketAddress returnAddress;
 	
 
@@ -63,6 +64,7 @@ public class EventableDatagramChannel implements EventableChannel {
 		selector = sel;
 		bCloseScheduled = false;
 		outboundQ = new LinkedList<Packet>();
+		outboundS = 0;
 		
 		dc.register(selector, SelectionKey.OP_READ, this);
 	}
@@ -71,6 +73,7 @@ public class EventableDatagramChannel implements EventableChannel {
  		try {
 			if ((!bCloseScheduled) && (bb.remaining() > 0)) {
 				outboundQ.addLast(new Packet(bb, returnAddress));
+				outboundS += bb.remaining();
  				channel.register(selector, SelectionKey.OP_WRITE | SelectionKey.OP_READ, this);
 			}
 		} catch (ClosedChannelException e) {
@@ -82,6 +85,7 @@ public class EventableDatagramChannel implements EventableChannel {
  		try {
 			if ((!bCloseScheduled) && (bb.remaining() > 0)) {
 				outboundQ.addLast(new Packet (bb, new InetSocketAddress (recipAddress, recipPort)));
+				outboundS += bb.remaining();
  				channel.register(selector, SelectionKey.OP_WRITE | SelectionKey.OP_READ, this);
 			}
 		} catch (ClosedChannelException e) {
@@ -136,6 +140,7 @@ public class EventableDatagramChannel implements EventableChannel {
 			try {
 				// With a datagram socket, it's ok to send an empty buffer.
 				written = channel.send(p.bb, p.recipient);
+				outboundS -= written;
 			}
 			catch (IOException e) {
 				return false;
@@ -192,4 +197,5 @@ public class EventableDatagramChannel implements EventableChannel {
 	public boolean isWatchOnly() { return false; }
 	public boolean isNotifyReadable() { return false; }
 	public boolean isNotifyWritable() { return false; }
+	public long getOutboundDataSize() { return outboundS; }
 }

data/java/src/com/rubyeventmachine/EventableSocketChannel.java

@@ -54,6 +54,7 @@ public class EventableSocketChannel implements EventableChannel {
 
 	long binding;
 	LinkedList<ByteBuffer> outboundQ;
+	long outboundS;
 
 	boolean bCloseScheduled;
 	boolean bConnectPending;
@@ -61,6 +62,7 @@ public class EventableSocketChannel implements EventableChannel {
 	boolean bAttached;
 	boolean bNotifyReadable;
 	boolean bNotifyWritable;
+	boolean bPaused;
 	
 	SSLEngine sslEngine;
 	SSLContext sslContext;
@@ -76,6 +78,7 @@ public class EventableSocketChannel implements EventableChannel {
 		bNotifyReadable = false;
 		bNotifyWritable = false;
 		outboundQ = new LinkedList<ByteBuffer>();
+		outboundS = 0;
 	}
 	
 	public long getBinding() {
@@ -164,12 +167,14 @@ public class EventableSocketChannel implements EventableChannel {
 					sslEngine.wrap(bb, b);
 					b.flip();
 					outboundQ.addLast(b);
+					outboundS += b.remaining();
 				} catch (SSLException e) {
 					throw new RuntimeException ("ssl error");
 				}
 			}
 			else {
 				outboundQ.addLast(bb);
+				outboundS += bb.remaining();
 			}
 
 			updateEvents();
@@ -188,6 +193,8 @@ public class EventableSocketChannel implements EventableChannel {
 			throw new IOException ("eof");
 	}
 
+	public long getOutboundDataSize() { return outboundS; }
+
 	/**
 	 * Called by the reactor when we have selected writable.
 	 * Return false to indicate an error that should cause the connection to close.
@@ -196,23 +203,35 @@ public class EventableSocketChannel implements EventableChannel {
 	 * this code is written, we're depending on a nonblocking write NOT TO CONSUME
 	 * the whole outbound buffer in this case, rather than firing an exception.
 	 * We should somehow verify that this is indeed Java's defined behavior.
-	 * Also TODO, see if we can use gather I/O rather than one write at a time.
-	 * Ought to be a big performance enhancer.
 	 * @return
 	 */
 	public boolean writeOutboundData() throws IOException {
+		ByteBuffer[] bufs = new ByteBuffer[64];
+		int i;
+		long written, toWrite;
 		while (!outboundQ.isEmpty()) {
-			ByteBuffer b = outboundQ.getFirst();
-			if (b.remaining() > 0)
-				channel.write(b);
+			i = 0;
+			toWrite = 0;
+			written = 0;
+			while (i < 64 && !outboundQ.isEmpty()) {
+				bufs[i] = outboundQ.removeFirst();
+				toWrite += bufs[i].remaining();
+				i++;
+			}
+			if (toWrite > 0)
+				written = channel.write(bufs, 0, i);
 
+			outboundS -= written;
 			// Did we consume the whole outbound buffer? If yes,
 			// pop it off and keep looping. If no, the outbound network
 			// buffers are full, so break out of here.
-			if (b.remaining() == 0)
-				outboundQ.removeFirst();
-			else
+			if (written < toWrite) {
+				while (i > 0 && bufs[i-1].remaining() > 0) {
+					outboundQ.addFirst(bufs[i-1]);
+					i--;
+				}
 				break;
+			}
 		}
 
 		if (outboundQ.isEmpty() && !bCloseScheduled) {
@@ -244,8 +263,10 @@ public class EventableSocketChannel implements EventableChannel {
 	
 	public boolean scheduleClose (boolean afterWriting) {
 		// TODO: What the hell happens here if bConnectPending is set?
-		if (!afterWriting)
+		if (!afterWriting) {
 			outboundQ.clear();
+			outboundS = 0;
+		}
 
 		if (outboundQ.isEmpty())
 			return true;
@@ -331,6 +352,30 @@ public class EventableSocketChannel implements EventableChannel {
 	}
 	public boolean isNotifyWritable() { return bNotifyWritable; }
 
+	public boolean pause() {
+		if (bWatchOnly) {
+			throw new RuntimeException ("cannot pause/resume 'watch only' connections, set notify readable/writable instead");
+		}
+		boolean old = bPaused;
+		bPaused = true;
+		updateEvents();
+		return !old;
+	}
+
+	public boolean resume() {
+		if (bWatchOnly) {
+			throw new RuntimeException ("cannot pause/resume 'watch only' connections, set notify readable/writable instead");
+		}
+		boolean old = bPaused;
+		bPaused = false;
+		updateEvents();
+		return old;
+	}
+
+	public boolean isPaused() {
+		return bPaused;
+	}
+
 	private void updateEvents() {
 		if (channelKey == null)
 			return;
@@ -353,7 +398,7 @@ public class EventableSocketChannel implements EventableChannel {
 			if (bNotifyWritable)
 				events |= SelectionKey.OP_WRITE;
 		}
-		else
+		else if (!bPaused)
 		{
 			if (bConnectPending)
 				events |= SelectionKey.OP_CONNECT;