eventmachine 1.0.9.1 → 1.2.0.dev.2

data/ext/ssl.cpp

@@ -120,7 +120,8 @@ static void InitializeDefaultCredentials()
 SslContext_t::SslContext_t
 **************************/
 
-SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile):
+SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version) :
+	bIsServer (is_server),
 	pCtx (NULL),
 	PrivateKey (NULL),
 	Certificate (NULL)
@@ -144,18 +145,47 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
 		InitializeDefaultCredentials();
 	}
 
-	bIsServer = is_server;
-	pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
+	pCtx = SSL_CTX_new (bIsServer ? SSLv23_server_method() : SSLv23_client_method());
 	if (!pCtx)
 		throw std::runtime_error ("no SSL context");
 
 	SSL_CTX_set_options (pCtx, SSL_OP_ALL);
-	//SSL_CTX_set_options (pCtx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
-#ifdef SSL_MODE_RELEASE_BUFFERS
+
+	#ifdef SSL_CTRL_CLEAR_OPTIONS
+	SSL_CTX_clear_options (pCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
+	# ifdef SSL_OP_NO_TLSv1_1
+	SSL_CTX_clear_options (pCtx, SSL_OP_NO_TLSv1_1);
+	# endif
+	# ifdef SSL_OP_NO_TLSv1_2
+	SSL_CTX_clear_options (pCtx, SSL_OP_NO_TLSv1_2);
+	# endif
+	#endif
+
+	if (!(ssl_version & EM_PROTO_SSLv2))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_SSLv2);
+
+	if (!(ssl_version & EM_PROTO_SSLv3))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_SSLv3);
+
+	if (!(ssl_version & EM_PROTO_TLSv1))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1);
+
+	#ifdef SSL_OP_NO_TLSv1_1
+	if (!(ssl_version & EM_PROTO_TLSv1_1))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1_1);
+	#endif
+
+	#ifdef SSL_OP_NO_TLSv1_2
+	if (!(ssl_version & EM_PROTO_TLSv1_2))
+		SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1_2);
+	#endif
+
+	#ifdef SSL_MODE_RELEASE_BUFFERS
 	SSL_CTX_set_mode (pCtx, SSL_MODE_RELEASE_BUFFERS);
-#endif
+	#endif
+
+	if (bIsServer) {
 
-	if (is_server) {
 		// The SSL_CTX calls here do NOT allocate memory.
 		int e;
 		if (privkeyfile.length() > 0)
@@ -171,11 +201,69 @@ SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
 			e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
 		if (e <= 0) ERR_print_errors_fp(stderr);
 		assert (e > 0);
+
+		if (dhparam.length() > 0) {
+			DH   *dh;
+			BIO  *bio;
+
+			bio = BIO_new_file(dhparam.c_str(), "r");
+			if (bio == NULL) {
+				char buf [500];
+				snprintf (buf, sizeof(buf)-1, "dhparam: BIO_new_file(%s) failed", dhparam.c_str());
+				throw std::runtime_error (buf);
+			}
+
+			dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+
+			if (dh == NULL) {
+				BIO_free(bio);
+				char buf [500];
+				snprintf (buf, sizeof(buf)-1, "dhparam: PEM_read_bio_DHparams(%s) failed", dhparam.c_str());
+				throw new std::runtime_error(buf);
+			}
+
+			SSL_CTX_set_tmp_dh(pCtx, dh);
+
+			DH_free(dh);
+			BIO_free(bio);
+		}
+
+		if (ecdh_curve.length() > 0) {
+			#if OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
+				int      nid;
+				EC_KEY  *ecdh;
+
+				nid = OBJ_sn2nid((const char *) ecdh_curve.c_str());
+				if (nid == 0) {
+					char buf [200];
+					snprintf (buf, sizeof(buf)-1, "ecdh_curve: Unknown curve name: %s", ecdh_curve.c_str());
+					throw std::runtime_error (buf);
+				}
+
+				ecdh = EC_KEY_new_by_curve_name(nid);
+				if (ecdh == NULL) {
+					char buf [200];
+					snprintf (buf, sizeof(buf)-1, "ecdh_curve: Unable to create: %s", ecdh_curve.c_str());
+					throw std::runtime_error (buf);
+				}
+
+				SSL_CTX_set_options(pCtx, SSL_OP_SINGLE_ECDH_USE);
+
+				SSL_CTX_set_tmp_ecdh(pCtx, ecdh);
+
+				EC_KEY_free(ecdh);
+			#else
+				throw std::runtime_error ("No openssl ECDH support");
+			#endif
+		}
 	}
 
-	SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
+	if (cipherlist.length() > 0)
+		SSL_CTX_set_cipher_list (pCtx, cipherlist.c_str());
+	else
+		SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
 
-	if (is_server) {
+	if (bIsServer) {
 		SSL_CTX_sess_set_cache_size (pCtx, 128);
 		SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"eventmachine", 12);
 	}
@@ -216,10 +304,11 @@ SslContext_t::~SslContext_t()
 SslBox_t::SslBox_t
 ******************/
 
-SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const uintptr_t binding):
+SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, bool fail_if_no_peer_cert, const string &snihostname, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version, const uintptr_t binding):
 	bIsServer (is_server),
 	bHandshakeCompleted (false),
 	bVerifyPeer (verify_peer),
+	bFailIfNoPeerCert (fail_if_no_peer_cert),
 	pSSL (NULL),
 	pbioRead (NULL),
 	pbioWrite (NULL)
@@ -228,7 +317,7 @@ SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &cer
 	 * a new one every time we come here.
 	 */
 
-	Context = new SslContext_t (bIsServer, privkeyfile, certchainfile);
+	Context = new SslContext_t (bIsServer, privkeyfile, certchainfile, cipherlist, ecdh_curve, dhparam, ssl_version);
 	assert (Context);
 
 	pbioRead = BIO_new (BIO_s_mem());
@@ -239,13 +328,22 @@ SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &cer
 
 	pSSL = SSL_new (Context->pCtx);
 	assert (pSSL);
+
+	if (snihostname.length() > 0) {
+		SSL_set_tlsext_host_name (pSSL, snihostname.c_str());
+	}
+
 	SSL_set_bio (pSSL, pbioRead, pbioWrite);
 
 	// Store a pointer to the binding signature in the SSL object so we can retrieve it later
 	SSL_set_ex_data(pSSL, 0, (void*) binding);
 
-	if (bVerifyPeer)
-		SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper);
+	if (bVerifyPeer) {
+		int mode = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
+		if (bFailIfNoPeerCert)
+			mode = mode | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+		SSL_set_verify(pSSL, mode, ssl_verify_wrapper);
+	}
 
 	if (!bIsServer)
 		SSL_connect (pSSL);
@@ -437,6 +535,52 @@ X509 *SslBox_t::GetPeerCert()
 	return cert;
 }
 
+/**********************
+SslBox_t::GetCipherBits
+**********************/
+
+int SslBox_t::GetCipherBits()
+{
+	int bits = -1;
+	if (pSSL)
+		SSL_get_cipher_bits(pSSL, &bits);
+	return bits;
+}
+
+/**********************
+SslBox_t::GetCipherName
+**********************/
+
+const char *SslBox_t::GetCipherName()
+{
+	if (pSSL)
+		return SSL_get_cipher_name(pSSL);
+	return NULL;
+}
+
+/**********************
+SslBox_t::GetCipherProtocol
+**********************/
+
+const char *SslBox_t::GetCipherProtocol()
+{
+	if (pSSL)
+		return SSL_get_cipher_version(pSSL);
+	return NULL;
+}
+
+/**********************
+SslBox_t::GetSNIHostname
+**********************/
+
+const char *SslBox_t::GetSNIHostname()
+{
+	#ifdef TLSEXT_NAMETYPE_host_name
+	if (pSSL)
+		return SSL_get_servername (pSSL, TLSEXT_NAMETYPE_host_name);
+	#endif
+	return NULL;
+}
 
 /******************
 ssl_verify_wrapper

data/ext/ssl.h

@@ -33,7 +33,7 @@ class SslContext_t
 class SslContext_t
 {
 	public:
-		SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile);
+		SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version);
 		virtual ~SslContext_t();
 
 	private:
@@ -61,7 +61,7 @@ class SslBox_t
 class SslBox_t
 {
 	public:
-		SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, const uintptr_t binding);
+		SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, bool fail_if_no_peer_cert, const string &snihostname, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version, const uintptr_t binding);
 		virtual ~SslBox_t();
 
 		int PutPlaintext (const char*, int);
@@ -73,6 +73,10 @@ class SslBox_t
 		bool IsHandshakeCompleted() {return bHandshakeCompleted;}
 
 		X509 *GetPeerCert();
+		int GetCipherBits();
+		const char *GetCipherName();
+		const char *GetCipherProtocol();
+		const char *GetSNIHostname();
 
 		void Shutdown();
 
@@ -82,6 +86,7 @@ class SslBox_t
 		bool bIsServer;
 		bool bHandshakeCompleted;
 		bool bVerifyPeer;
+		bool bFailIfNoPeerCert;
 		SSL *pSSL;
 		BIO *pbioRead;
 		BIO *pbioWrite;

data/lib/em/channel.rb

@@ -17,6 +17,11 @@ module EventMachine
       @uid  = 0
     end
 
+    # Return the number of current subscribers.
+    def num_subscribers
+      return @subs.size
+    end
+
     # Takes any arguments suitable for EM::Callback() and returns a subscriber
     # id for use when unsubscribing.
     #

data/lib/em/completion.rb

@@ -1,7 +1,7 @@
 # = EM::Completion
 #
 # A completion is a callback container for various states of completion. In
-# it's most basic form it has a start state and a finish state.
+# its most basic form it has a start state and a finish state.
 #
 # This implementation includes some hold-back from the EM::Deferrable
 # interface in order to be compatible - but it has a much cleaner
@@ -50,7 +50,7 @@
 #          @completion.fail :unknown, line
 #        end
 #      end
-#  
+#
 #      def unbind
 #        @completion.fail :disconnected unless @completion.completed?
 #      end

data/lib/em/connection.rb

@@ -376,10 +376,21 @@ module EventMachine
     #
     # @option args [String] :private_key_file (nil) local path of a readable file that must contain a private key in the [PEM format](http://en.wikipedia.org/wiki/Privacy_Enhanced_Mail).
     #
-    # @option args [String] :verify_peer (false)    indicates whether a server should request a certificate from a peer, to be verified by user code.
+    # @option args [Boolean] :verify_peer (false)   indicates whether a server should request a certificate from a peer, to be verified by user code.
     #                                               If true, the {#ssl_verify_peer} callback on the {EventMachine::Connection} object is called with each certificate
     #                                               in the certificate chain provided by the peer. See documentation on {#ssl_verify_peer} for how to use this.
     #
+    # @option args [Boolean] :fail_if_no_peer_cert (false)   Used in conjunction with verify_peer. If set the SSL handshake will be terminated if the peer does not provide a certificate.
+    #
+    #
+    # @option args [String] :cipher_list ("ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH") indicates the available SSL cipher values. Default value is "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH". Check the format of the OpenSSL cipher string at http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT.
+    #
+    # @option args [String] :ecdh_curve (nil)  The curve for ECDHE ciphers. See available ciphers with 'openssl ecparam -list_curves'
+    #
+    # @option args [String] :dhparam (nil)  The local path of a file containing DH parameters for EDH ciphers in [PEM format](http://en.wikipedia.org/wiki/Privacy_Enhanced_Mail) See: 'openssl dhparam'
+    #
+    # @option args [Array] :ssl_version (TLSv1 TLSv1_1 TLSv1_2) indicates the allowed SSL/TLS versions. Possible values are: {SSLv2}, {SSLv3}, {TLSv1}, {TLSv1_1}, {TLSv1_2}.
+    #
     # @example Using TLS with EventMachine
     #
     #  require 'rubygems'
@@ -404,7 +415,15 @@ module EventMachine
     #
     # @see #ssl_verify_peer
     def start_tls args={}
-      priv_key, cert_chain, verify_peer = args.values_at(:private_key_file, :cert_chain_file, :verify_peer)
+      priv_key     = args[:private_key_file]
+      cert_chain   = args[:cert_chain_file]
+      verify_peer  = args[:verify_peer]
+      sni_hostname = args[:sni_hostname]
+      cipher_list  = args[:cipher_list]
+      ssl_version  = args[:ssl_version]
+      ecdh_curve   = args[:ecdh_curve]
+      dhparam      = args[:dhparam]
+      fail_if_no_peer_cert = args[:fail_if_no_peer_cert]
 
       [priv_key, cert_chain].each do |file|
         next if file.nil? or file.empty?
@@ -412,7 +431,31 @@ module EventMachine
         "Could not find #{file} for start_tls" unless File.exist? file
       end
 
-      EventMachine::set_tls_parms(@signature, priv_key || '', cert_chain || '', verify_peer)
+      protocols_bitmask = 0
+      if ssl_version.nil?
+        protocols_bitmask |= EventMachine::EM_PROTO_TLSv1
+        protocols_bitmask |= EventMachine::EM_PROTO_TLSv1_1
+        protocols_bitmask |= EventMachine::EM_PROTO_TLSv1_2
+      else
+        [ssl_version].flatten.each do |p|
+          case p.to_s.downcase
+          when 'sslv2'
+            protocols_bitmask |= EventMachine::EM_PROTO_SSLv2
+          when 'sslv3'
+            protocols_bitmask |= EventMachine::EM_PROTO_SSLv3
+          when 'tlsv1'
+            protocols_bitmask |= EventMachine::EM_PROTO_TLSv1
+          when 'tlsv1_1'
+            protocols_bitmask |= EventMachine::EM_PROTO_TLSv1_1
+          when 'tlsv1_2'
+            protocols_bitmask |= EventMachine::EM_PROTO_TLSv1_2
+          else
+            raise("Unrecognized SSL/TLS Protocol: #{p}")
+          end
+        end
+      end
+
+      EventMachine::set_tls_parms(@signature, priv_key || '', cert_chain || '', verify_peer, fail_if_no_peer_cert, sni_hostname || '', cipher_list || '', ecdh_curve || '', dhparam || '', protocols_bitmask)
       EventMachine::start_tls @signature
     end
 
@@ -488,6 +531,21 @@ module EventMachine
       EventMachine::get_peer_cert @signature
     end
 
+    def get_cipher_bits
+      EventMachine::get_cipher_bits @signature
+    end
+
+    def get_cipher_name
+      EventMachine::get_cipher_name @signature
+    end
+
+    def get_cipher_protocol
+      EventMachine::get_cipher_protocol @signature
+    end
+
+    def get_sni_hostname
+      EventMachine::get_sni_hostname @signature
+    end
 
     # Sends UDP messages.
     #

data/lib/em/iterator.rb

@@ -41,6 +41,7 @@ module EventMachine
   #   end
   #
   class Iterator
+    Stop = "EM::Stop"
     # Create a new parallel async iterator with specified concurrency.
     #
     #   i = EM::Iterator.new(1..100, 10)
@@ -48,10 +49,21 @@ module EventMachine
     # will create an iterator over the range that processes 10 items at a time. Iteration
     # is started via #each, #map or #inject
     #
+    # The list may either be an array-like object, or a proc that returns a new object
+    # to be processed each time it is called.  If a proc is used, it must return
+    # EventMachine::Iterator::Stop to signal the end of the iterations.
+    #
     def initialize(list, concurrency = 1)
-      raise ArgumentError, 'argument must be an array' unless list.respond_to?(:to_a)
       raise ArgumentError, 'concurrency must be bigger than zero' unless (concurrency > 0)
-      @list = list.to_a.dup
+      if list.respond_to?(:call)
+        @list = nil
+        @list_proc = list
+      elsif list.respond_to?(:to_a)
+        @list = list.to_a.dup
+        @list_proc = nil
+      else
+        raise ArgumentError, 'argument must be a proc or an array'
+      end
       @concurrency = concurrency
 
       @started = false
@@ -98,12 +110,12 @@ module EventMachine
       @process_next = proc{
         # p [:process_next, :pending=, @pending, :workers=, @workers, :ended=, @ended, :concurrency=, @concurrency, :list=, @list]
         unless @ended or @workers > @concurrency
-          if @list.empty?
+          item = next_item()
+          if item.equal?(Stop)
             @ended = true
             @workers -= 1
             all_done.call
           else
-            item = @list.shift
             @pending += 1
 
             is_done = false
@@ -222,10 +234,19 @@ module EventMachine
       })
       nil
     end
+
+    # Return the next item from @list or @list_proc.
+    # Once items have run out, will return EM::Iterator::Stop.  Procs must supply this themselves
+    def next_item
+      if @list_proc
+        @list_proc.call
+      else
+        @list.empty? ? Stop : @list.shift
+      end
+    end
   end
 end
 
 # TODO: pass in one object instead of two? .each{ |iter| puts iter.current; iter.next }
 # TODO: support iter.pause/resume/stop/break/continue?
 # TODO: create some exceptions instead of using RuntimeError
-# TODO: support proc instead of enumerable? EM::Iterator.new(proc{ return queue.pop })