eventmachine 1.2.0.dev.2-x64-mingw32
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/CHANGELOG.md +105 -0
- data/GNU +281 -0
- data/LICENSE +60 -0
- data/README.md +108 -0
- data/docs/DocumentationGuidesIndex.md +27 -0
- data/docs/GettingStarted.md +521 -0
- data/docs/old/ChangeLog +211 -0
- data/docs/old/DEFERRABLES +246 -0
- data/docs/old/EPOLL +141 -0
- data/docs/old/INSTALL +13 -0
- data/docs/old/KEYBOARD +42 -0
- data/docs/old/LEGAL +25 -0
- data/docs/old/LIGHTWEIGHT_CONCURRENCY +130 -0
- data/docs/old/PURE_RUBY +75 -0
- data/docs/old/RELEASE_NOTES +94 -0
- data/docs/old/SMTP +4 -0
- data/docs/old/SPAWNED_PROCESSES +148 -0
- data/docs/old/TODO +8 -0
- data/examples/guides/getting_started/01_eventmachine_echo_server.rb +18 -0
- data/examples/guides/getting_started/02_eventmachine_echo_server_that_recognizes_exit_command.rb +22 -0
- data/examples/guides/getting_started/03_simple_chat_server.rb +149 -0
- data/examples/guides/getting_started/04_simple_chat_server_step_one.rb +27 -0
- data/examples/guides/getting_started/05_simple_chat_server_step_two.rb +43 -0
- data/examples/guides/getting_started/06_simple_chat_server_step_three.rb +98 -0
- data/examples/guides/getting_started/07_simple_chat_server_step_four.rb +121 -0
- data/examples/guides/getting_started/08_simple_chat_server_step_five.rb +141 -0
- data/examples/old/ex_channel.rb +43 -0
- data/examples/old/ex_queue.rb +2 -0
- data/examples/old/ex_tick_loop_array.rb +15 -0
- data/examples/old/ex_tick_loop_counter.rb +32 -0
- data/examples/old/helper.rb +2 -0
- data/ext/binder.cpp +124 -0
- data/ext/binder.h +46 -0
- data/ext/cmain.cpp +988 -0
- data/ext/ed.cpp +2111 -0
- data/ext/ed.h +442 -0
- data/ext/em.cpp +2379 -0
- data/ext/em.h +308 -0
- data/ext/eventmachine.h +143 -0
- data/ext/extconf.rb +270 -0
- data/ext/fastfilereader/extconf.rb +110 -0
- data/ext/fastfilereader/mapper.cpp +216 -0
- data/ext/fastfilereader/mapper.h +59 -0
- data/ext/fastfilereader/rubymain.cpp +127 -0
- data/ext/kb.cpp +79 -0
- data/ext/page.cpp +107 -0
- data/ext/page.h +51 -0
- data/ext/pipe.cpp +354 -0
- data/ext/project.h +176 -0
- data/ext/rubymain.cpp +1504 -0
- data/ext/ssl.cpp +615 -0
- data/ext/ssl.h +103 -0
- data/java/.classpath +8 -0
- data/java/.project +17 -0
- data/java/src/com/rubyeventmachine/EmReactor.java +591 -0
- data/java/src/com/rubyeventmachine/EmReactorException.java +40 -0
- data/java/src/com/rubyeventmachine/EventableChannel.java +72 -0
- data/java/src/com/rubyeventmachine/EventableDatagramChannel.java +201 -0
- data/java/src/com/rubyeventmachine/EventableSocketChannel.java +415 -0
- data/lib/2.0/fastfilereaderext.so +0 -0
- data/lib/2.0/rubyeventmachine.so +0 -0
- data/lib/2.1/fastfilereaderext.so +0 -0
- data/lib/2.1/rubyeventmachine.so +0 -0
- data/lib/2.2/fastfilereaderext.so +0 -0
- data/lib/2.2/rubyeventmachine.so +0 -0
- data/lib/2.3/fastfilereaderext.so +0 -0
- data/lib/2.3/rubyeventmachine.so +0 -0
- data/lib/em/buftok.rb +59 -0
- data/lib/em/callback.rb +58 -0
- data/lib/em/channel.rb +69 -0
- data/lib/em/completion.rb +304 -0
- data/lib/em/connection.rb +770 -0
- data/lib/em/deferrable.rb +210 -0
- data/lib/em/deferrable/pool.rb +2 -0
- data/lib/em/file_watch.rb +73 -0
- data/lib/em/future.rb +61 -0
- data/lib/em/iterator.rb +252 -0
- data/lib/em/messages.rb +66 -0
- data/lib/em/pool.rb +151 -0
- data/lib/em/process_watch.rb +45 -0
- data/lib/em/processes.rb +123 -0
- data/lib/em/protocols.rb +37 -0
- data/lib/em/protocols/header_and_content.rb +138 -0
- data/lib/em/protocols/httpclient.rb +299 -0
- data/lib/em/protocols/httpclient2.rb +600 -0
- data/lib/em/protocols/line_and_text.rb +125 -0
- data/lib/em/protocols/line_protocol.rb +29 -0
- data/lib/em/protocols/linetext2.rb +166 -0
- data/lib/em/protocols/memcache.rb +331 -0
- data/lib/em/protocols/object_protocol.rb +46 -0
- data/lib/em/protocols/postgres3.rb +246 -0
- data/lib/em/protocols/saslauth.rb +175 -0
- data/lib/em/protocols/smtpclient.rb +394 -0
- data/lib/em/protocols/smtpserver.rb +666 -0
- data/lib/em/protocols/socks4.rb +66 -0
- data/lib/em/protocols/stomp.rb +205 -0
- data/lib/em/protocols/tcptest.rb +54 -0
- data/lib/em/pure_ruby.rb +1022 -0
- data/lib/em/queue.rb +80 -0
- data/lib/em/resolver.rb +232 -0
- data/lib/em/spawnable.rb +84 -0
- data/lib/em/streamer.rb +118 -0
- data/lib/em/threaded_resource.rb +90 -0
- data/lib/em/tick_loop.rb +85 -0
- data/lib/em/timers.rb +61 -0
- data/lib/em/version.rb +3 -0
- data/lib/eventmachine.rb +1584 -0
- data/lib/fastfilereaderext.rb +2 -0
- data/lib/jeventmachine.rb +301 -0
- data/lib/rubyeventmachine.rb +2 -0
- data/rakelib/package.rake +120 -0
- data/rakelib/test.rake +8 -0
- data/tests/client.crt +31 -0
- data/tests/client.key +51 -0
- data/tests/dhparam.pem +13 -0
- data/tests/em_test_helper.rb +151 -0
- data/tests/test_attach.rb +151 -0
- data/tests/test_basic.rb +283 -0
- data/tests/test_channel.rb +75 -0
- data/tests/test_completion.rb +178 -0
- data/tests/test_connection_count.rb +54 -0
- data/tests/test_connection_write.rb +35 -0
- data/tests/test_defer.rb +35 -0
- data/tests/test_deferrable.rb +35 -0
- data/tests/test_epoll.rb +142 -0
- data/tests/test_error_handler.rb +38 -0
- data/tests/test_exc.rb +28 -0
- data/tests/test_file_watch.rb +66 -0
- data/tests/test_fork.rb +75 -0
- data/tests/test_futures.rb +170 -0
- data/tests/test_get_sock_opt.rb +37 -0
- data/tests/test_handler_check.rb +35 -0
- data/tests/test_hc.rb +155 -0
- data/tests/test_httpclient.rb +233 -0
- data/tests/test_httpclient2.rb +128 -0
- data/tests/test_idle_connection.rb +25 -0
- data/tests/test_inactivity_timeout.rb +54 -0
- data/tests/test_ipv4.rb +125 -0
- data/tests/test_ipv6.rb +131 -0
- data/tests/test_iterator.rb +115 -0
- data/tests/test_kb.rb +28 -0
- data/tests/test_line_protocol.rb +33 -0
- data/tests/test_ltp.rb +138 -0
- data/tests/test_ltp2.rb +308 -0
- data/tests/test_many_fds.rb +22 -0
- data/tests/test_next_tick.rb +104 -0
- data/tests/test_object_protocol.rb +36 -0
- data/tests/test_pause.rb +107 -0
- data/tests/test_pending_connect_timeout.rb +52 -0
- data/tests/test_pool.rb +196 -0
- data/tests/test_process_watch.rb +50 -0
- data/tests/test_processes.rb +128 -0
- data/tests/test_proxy_connection.rb +180 -0
- data/tests/test_pure.rb +88 -0
- data/tests/test_queue.rb +64 -0
- data/tests/test_resolver.rb +104 -0
- data/tests/test_running.rb +14 -0
- data/tests/test_sasl.rb +47 -0
- data/tests/test_send_file.rb +217 -0
- data/tests/test_servers.rb +33 -0
- data/tests/test_set_sock_opt.rb +39 -0
- data/tests/test_shutdown_hooks.rb +23 -0
- data/tests/test_smtpclient.rb +75 -0
- data/tests/test_smtpserver.rb +57 -0
- data/tests/test_spawn.rb +293 -0
- data/tests/test_ssl_args.rb +78 -0
- data/tests/test_ssl_dhparam.rb +83 -0
- data/tests/test_ssl_ecdh_curve.rb +79 -0
- data/tests/test_ssl_extensions.rb +49 -0
- data/tests/test_ssl_methods.rb +65 -0
- data/tests/test_ssl_protocols.rb +246 -0
- data/tests/test_ssl_verify.rb +126 -0
- data/tests/test_stomp.rb +37 -0
- data/tests/test_system.rb +46 -0
- data/tests/test_threaded_resource.rb +61 -0
- data/tests/test_tick_loop.rb +59 -0
- data/tests/test_timers.rb +123 -0
- data/tests/test_ud.rb +8 -0
- data/tests/test_unbind_reason.rb +52 -0
- metadata +381 -0
data/ext/ssl.cpp
ADDED
@@ -0,0 +1,615 @@
|
|
1
|
+
/*****************************************************************************
|
2
|
+
|
3
|
+
$Id$
|
4
|
+
|
5
|
+
File: ssl.cpp
|
6
|
+
Date: 30Apr06
|
7
|
+
|
8
|
+
Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved.
|
9
|
+
Gmail: blackhedd
|
10
|
+
|
11
|
+
This program is free software; you can redistribute it and/or modify
|
12
|
+
it under the terms of either: 1) the GNU General Public License
|
13
|
+
as published by the Free Software Foundation; either version 2 of the
|
14
|
+
License, or (at your option) any later version; or 2) Ruby's License.
|
15
|
+
|
16
|
+
See the file COPYING for complete licensing information.
|
17
|
+
|
18
|
+
*****************************************************************************/
|
19
|
+
|
20
|
+
|
21
|
+
#ifdef WITH_SSL
|
22
|
+
|
23
|
+
#include "project.h"
|
24
|
+
|
25
|
+
|
26
|
+
bool SslContext_t::bLibraryInitialized = false;
|
27
|
+
|
28
|
+
|
29
|
+
|
30
|
+
static void InitializeDefaultCredentials();
|
31
|
+
static EVP_PKEY *DefaultPrivateKey = NULL;
|
32
|
+
static X509 *DefaultCertificate = NULL;
|
33
|
+
|
34
|
+
static char PrivateMaterials[] = {
|
35
|
+
"-----BEGIN RSA PRIVATE KEY-----\n"
|
36
|
+
"MIICXAIBAAKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxwVDWV\n"
|
37
|
+
"Igdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t39hJ/\n"
|
38
|
+
"AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQIDAQAB\n"
|
39
|
+
"AoGALA89gIFcr6BIBo8N5fL3aNHpZXjAICtGav+kTUpuxSiaym9cAeTHuAVv8Xgk\n"
|
40
|
+
"H2Wbq11uz+6JMLpkQJH/WZ7EV59DPOicXrp0Imr73F3EXBfR7t2EQDYHPMthOA1D\n"
|
41
|
+
"I9EtCzvV608Ze90hiJ7E3guGrGppZfJ+eUWCPgy8CZH1vRECQQDv67rwV/oU1aDo\n"
|
42
|
+
"6/+d5nqjeW6mWkGqTnUU96jXap8EIw6B+0cUKskwx6mHJv+tEMM2748ZY7b0yBlg\n"
|
43
|
+
"w4KDghbFAkEAz2h8PjSJG55LwqmXih1RONSgdN9hjB12LwXL1CaDh7/lkEhq0PlK\n"
|
44
|
+
"PCAUwQSdM17Sl0Xxm2CZiekTSlwmHrtqXQJAF3+8QJwtV2sRJp8u2zVe37IeH1cJ\n"
|
45
|
+
"xXeHyjTzqZ2803fnjN2iuZvzNr7noOA1/Kp+pFvUZUU5/0G2Ep8zolPUjQJAFA7k\n"
|
46
|
+
"xRdLkzIx3XeNQjwnmLlncyYPRv+qaE3FMpUu7zftuZBnVCJnvXzUxP3vPgKTlzGa\n"
|
47
|
+
"dg5XivDRfsV+okY5uQJBAMV4FesUuLQVEKb6lMs7rzZwpeGQhFDRfywJzfom2TLn\n"
|
48
|
+
"2RdJQQ3dcgnhdVDgt5o1qkmsqQh8uJrJ9SdyLIaZQIc=\n"
|
49
|
+
"-----END RSA PRIVATE KEY-----\n"
|
50
|
+
"-----BEGIN CERTIFICATE-----\n"
|
51
|
+
"MIID6TCCA1KgAwIBAgIJANm4W/Tzs+s+MA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD\n"
|
52
|
+
"VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYw\n"
|
53
|
+
"FAYDVQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsG\n"
|
54
|
+
"A1UEAxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2lu\n"
|
55
|
+
"ZWVyaW5nQHN0ZWFtaGVhdC5uZXQwHhcNMDYwNTA1MTcwNjAzWhcNMjQwMjIwMTcw\n"
|
56
|
+
"NjAzWjCBqjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQH\n"
|
57
|
+
"EwhOZXcgWW9yazEWMBQGA1UEChMNU3RlYW1oZWF0Lm5ldDEUMBIGA1UECxMLRW5n\n"
|
58
|
+
"aW5lZXJpbmcxHTAbBgNVBAMTFG9wZW5jYS5zdGVhbWhlYXQubmV0MSgwJgYJKoZI\n"
|
59
|
+
"hvcNAQkBFhllbmdpbmVlcmluZ0BzdGVhbWhlYXQubmV0MIGfMA0GCSqGSIb3DQEB\n"
|
60
|
+
"AQUAA4GNADCBiQKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxw\n"
|
61
|
+
"VDWVIgdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t3\n"
|
62
|
+
"9hJ/AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQID\n"
|
63
|
+
"AQABo4IBEzCCAQ8wHQYDVR0OBBYEFPJvPd1Fcmd8o/Tm88r+NjYPICCkMIHfBgNV\n"
|
64
|
+
"HSMEgdcwgdSAFPJvPd1Fcmd8o/Tm88r+NjYPICCkoYGwpIGtMIGqMQswCQYDVQQG\n"
|
65
|
+
"EwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYwFAYD\n"
|
66
|
+
"VQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsGA1UE\n"
|
67
|
+
"AxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2luZWVy\n"
|
68
|
+
"aW5nQHN0ZWFtaGVhdC5uZXSCCQDZuFv087PrPjAMBgNVHRMEBTADAQH/MA0GCSqG\n"
|
69
|
+
"SIb3DQEBBQUAA4GBAC1CXey/4UoLgJiwcEMDxOvW74plks23090iziFIlGgcIhk0\n"
|
70
|
+
"Df6hTAs7H3MWww62ddvR8l07AWfSzSP5L6mDsbvq7EmQsmPODwb6C+i2aF3EDL8j\n"
|
71
|
+
"uw73m4YIGI0Zw2XdBpiOGkx2H56Kya6mJJe/5XORZedh1wpI7zki01tHYbcy\n"
|
72
|
+
"-----END CERTIFICATE-----\n"};
|
73
|
+
|
74
|
+
/* These private materials were made with:
|
75
|
+
* openssl req -new -x509 -keyout cakey.pem -out cacert.pem -nodes -days 6500
|
76
|
+
* TODO: We need a full-blown capability to work with user-supplied
|
77
|
+
* keypairs and properly-signed certificates.
|
78
|
+
*/
|
79
|
+
|
80
|
+
|
81
|
+
/*****************
|
82
|
+
builtin_passwd_cb
|
83
|
+
*****************/
|
84
|
+
|
85
|
+
extern "C" int builtin_passwd_cb (char *buf UNUSED, int bufsize UNUSED, int rwflag UNUSED, void *userdata UNUSED)
|
86
|
+
{
|
87
|
+
strcpy (buf, "kittycat");
|
88
|
+
return 8;
|
89
|
+
}
|
90
|
+
|
91
|
+
/****************************
|
92
|
+
InitializeDefaultCredentials
|
93
|
+
****************************/
|
94
|
+
|
95
|
+
static void InitializeDefaultCredentials()
|
96
|
+
{
|
97
|
+
BIO *bio = BIO_new_mem_buf (PrivateMaterials, -1);
|
98
|
+
assert (bio);
|
99
|
+
|
100
|
+
if (DefaultPrivateKey) {
|
101
|
+
// we may come here in a restart.
|
102
|
+
EVP_PKEY_free (DefaultPrivateKey);
|
103
|
+
DefaultPrivateKey = NULL;
|
104
|
+
}
|
105
|
+
PEM_read_bio_PrivateKey (bio, &DefaultPrivateKey, builtin_passwd_cb, 0);
|
106
|
+
|
107
|
+
if (DefaultCertificate) {
|
108
|
+
// we may come here in a restart.
|
109
|
+
X509_free (DefaultCertificate);
|
110
|
+
DefaultCertificate = NULL;
|
111
|
+
}
|
112
|
+
PEM_read_bio_X509 (bio, &DefaultCertificate, NULL, 0);
|
113
|
+
|
114
|
+
BIO_free (bio);
|
115
|
+
}
|
116
|
+
|
117
|
+
|
118
|
+
|
119
|
+
/**************************
|
120
|
+
SslContext_t::SslContext_t
|
121
|
+
**************************/
|
122
|
+
|
123
|
+
SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version) :
|
124
|
+
bIsServer (is_server),
|
125
|
+
pCtx (NULL),
|
126
|
+
PrivateKey (NULL),
|
127
|
+
Certificate (NULL)
|
128
|
+
{
|
129
|
+
/* TODO: the usage of the specified private-key and cert-chain filenames only applies to
|
130
|
+
* client-side connections at this point. Server connections currently use the default materials.
|
131
|
+
* That needs to be fixed asap.
|
132
|
+
* Also, in this implementation, server-side connections use statically defined X-509 defaults.
|
133
|
+
* One thing I'm really not clear on is whether or not you have to explicitly free X509 and EVP_PKEY
|
134
|
+
* objects when we call our destructor, or whether just calling SSL_CTX_free is enough.
|
135
|
+
*/
|
136
|
+
|
137
|
+
if (!bLibraryInitialized) {
|
138
|
+
bLibraryInitialized = true;
|
139
|
+
SSL_library_init();
|
140
|
+
OpenSSL_add_ssl_algorithms();
|
141
|
+
OpenSSL_add_all_algorithms();
|
142
|
+
SSL_load_error_strings();
|
143
|
+
ERR_load_crypto_strings();
|
144
|
+
|
145
|
+
InitializeDefaultCredentials();
|
146
|
+
}
|
147
|
+
|
148
|
+
pCtx = SSL_CTX_new (bIsServer ? SSLv23_server_method() : SSLv23_client_method());
|
149
|
+
if (!pCtx)
|
150
|
+
throw std::runtime_error ("no SSL context");
|
151
|
+
|
152
|
+
SSL_CTX_set_options (pCtx, SSL_OP_ALL);
|
153
|
+
|
154
|
+
#ifdef SSL_CTRL_CLEAR_OPTIONS
|
155
|
+
SSL_CTX_clear_options (pCtx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
|
156
|
+
# ifdef SSL_OP_NO_TLSv1_1
|
157
|
+
SSL_CTX_clear_options (pCtx, SSL_OP_NO_TLSv1_1);
|
158
|
+
# endif
|
159
|
+
# ifdef SSL_OP_NO_TLSv1_2
|
160
|
+
SSL_CTX_clear_options (pCtx, SSL_OP_NO_TLSv1_2);
|
161
|
+
# endif
|
162
|
+
#endif
|
163
|
+
|
164
|
+
if (!(ssl_version & EM_PROTO_SSLv2))
|
165
|
+
SSL_CTX_set_options (pCtx, SSL_OP_NO_SSLv2);
|
166
|
+
|
167
|
+
if (!(ssl_version & EM_PROTO_SSLv3))
|
168
|
+
SSL_CTX_set_options (pCtx, SSL_OP_NO_SSLv3);
|
169
|
+
|
170
|
+
if (!(ssl_version & EM_PROTO_TLSv1))
|
171
|
+
SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1);
|
172
|
+
|
173
|
+
#ifdef SSL_OP_NO_TLSv1_1
|
174
|
+
if (!(ssl_version & EM_PROTO_TLSv1_1))
|
175
|
+
SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1_1);
|
176
|
+
#endif
|
177
|
+
|
178
|
+
#ifdef SSL_OP_NO_TLSv1_2
|
179
|
+
if (!(ssl_version & EM_PROTO_TLSv1_2))
|
180
|
+
SSL_CTX_set_options (pCtx, SSL_OP_NO_TLSv1_2);
|
181
|
+
#endif
|
182
|
+
|
183
|
+
#ifdef SSL_MODE_RELEASE_BUFFERS
|
184
|
+
SSL_CTX_set_mode (pCtx, SSL_MODE_RELEASE_BUFFERS);
|
185
|
+
#endif
|
186
|
+
|
187
|
+
if (bIsServer) {
|
188
|
+
|
189
|
+
// The SSL_CTX calls here do NOT allocate memory.
|
190
|
+
int e;
|
191
|
+
if (privkeyfile.length() > 0)
|
192
|
+
e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
|
193
|
+
else
|
194
|
+
e = SSL_CTX_use_PrivateKey (pCtx, DefaultPrivateKey);
|
195
|
+
if (e <= 0) ERR_print_errors_fp(stderr);
|
196
|
+
assert (e > 0);
|
197
|
+
|
198
|
+
if (certchainfile.length() > 0)
|
199
|
+
e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
|
200
|
+
else
|
201
|
+
e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
|
202
|
+
if (e <= 0) ERR_print_errors_fp(stderr);
|
203
|
+
assert (e > 0);
|
204
|
+
|
205
|
+
if (dhparam.length() > 0) {
|
206
|
+
DH *dh;
|
207
|
+
BIO *bio;
|
208
|
+
|
209
|
+
bio = BIO_new_file(dhparam.c_str(), "r");
|
210
|
+
if (bio == NULL) {
|
211
|
+
char buf [500];
|
212
|
+
snprintf (buf, sizeof(buf)-1, "dhparam: BIO_new_file(%s) failed", dhparam.c_str());
|
213
|
+
throw std::runtime_error (buf);
|
214
|
+
}
|
215
|
+
|
216
|
+
dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
217
|
+
|
218
|
+
if (dh == NULL) {
|
219
|
+
BIO_free(bio);
|
220
|
+
char buf [500];
|
221
|
+
snprintf (buf, sizeof(buf)-1, "dhparam: PEM_read_bio_DHparams(%s) failed", dhparam.c_str());
|
222
|
+
throw new std::runtime_error(buf);
|
223
|
+
}
|
224
|
+
|
225
|
+
SSL_CTX_set_tmp_dh(pCtx, dh);
|
226
|
+
|
227
|
+
DH_free(dh);
|
228
|
+
BIO_free(bio);
|
229
|
+
}
|
230
|
+
|
231
|
+
if (ecdh_curve.length() > 0) {
|
232
|
+
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
|
233
|
+
int nid;
|
234
|
+
EC_KEY *ecdh;
|
235
|
+
|
236
|
+
nid = OBJ_sn2nid((const char *) ecdh_curve.c_str());
|
237
|
+
if (nid == 0) {
|
238
|
+
char buf [200];
|
239
|
+
snprintf (buf, sizeof(buf)-1, "ecdh_curve: Unknown curve name: %s", ecdh_curve.c_str());
|
240
|
+
throw std::runtime_error (buf);
|
241
|
+
}
|
242
|
+
|
243
|
+
ecdh = EC_KEY_new_by_curve_name(nid);
|
244
|
+
if (ecdh == NULL) {
|
245
|
+
char buf [200];
|
246
|
+
snprintf (buf, sizeof(buf)-1, "ecdh_curve: Unable to create: %s", ecdh_curve.c_str());
|
247
|
+
throw std::runtime_error (buf);
|
248
|
+
}
|
249
|
+
|
250
|
+
SSL_CTX_set_options(pCtx, SSL_OP_SINGLE_ECDH_USE);
|
251
|
+
|
252
|
+
SSL_CTX_set_tmp_ecdh(pCtx, ecdh);
|
253
|
+
|
254
|
+
EC_KEY_free(ecdh);
|
255
|
+
#else
|
256
|
+
throw std::runtime_error ("No openssl ECDH support");
|
257
|
+
#endif
|
258
|
+
}
|
259
|
+
}
|
260
|
+
|
261
|
+
if (cipherlist.length() > 0)
|
262
|
+
SSL_CTX_set_cipher_list (pCtx, cipherlist.c_str());
|
263
|
+
else
|
264
|
+
SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
|
265
|
+
|
266
|
+
if (bIsServer) {
|
267
|
+
SSL_CTX_sess_set_cache_size (pCtx, 128);
|
268
|
+
SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"eventmachine", 12);
|
269
|
+
}
|
270
|
+
else {
|
271
|
+
int e;
|
272
|
+
if (privkeyfile.length() > 0) {
|
273
|
+
e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
|
274
|
+
if (e <= 0) ERR_print_errors_fp(stderr);
|
275
|
+
assert (e > 0);
|
276
|
+
}
|
277
|
+
if (certchainfile.length() > 0) {
|
278
|
+
e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
|
279
|
+
if (e <= 0) ERR_print_errors_fp(stderr);
|
280
|
+
assert (e > 0);
|
281
|
+
}
|
282
|
+
}
|
283
|
+
}
|
284
|
+
|
285
|
+
|
286
|
+
|
287
|
+
/***************************
|
288
|
+
SslContext_t::~SslContext_t
|
289
|
+
***************************/
|
290
|
+
|
291
|
+
SslContext_t::~SslContext_t()
|
292
|
+
{
|
293
|
+
if (pCtx)
|
294
|
+
SSL_CTX_free (pCtx);
|
295
|
+
if (PrivateKey)
|
296
|
+
EVP_PKEY_free (PrivateKey);
|
297
|
+
if (Certificate)
|
298
|
+
X509_free (Certificate);
|
299
|
+
}
|
300
|
+
|
301
|
+
|
302
|
+
|
303
|
+
/******************
|
304
|
+
SslBox_t::SslBox_t
|
305
|
+
******************/
|
306
|
+
|
307
|
+
SslBox_t::SslBox_t (bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer, bool fail_if_no_peer_cert, const string &snihostname, const string &cipherlist, const string &ecdh_curve, const string &dhparam, int ssl_version, const uintptr_t binding):
|
308
|
+
bIsServer (is_server),
|
309
|
+
bHandshakeCompleted (false),
|
310
|
+
bVerifyPeer (verify_peer),
|
311
|
+
bFailIfNoPeerCert (fail_if_no_peer_cert),
|
312
|
+
pSSL (NULL),
|
313
|
+
pbioRead (NULL),
|
314
|
+
pbioWrite (NULL)
|
315
|
+
{
|
316
|
+
/* TODO someday: make it possible to re-use SSL contexts so we don't have to create
|
317
|
+
* a new one every time we come here.
|
318
|
+
*/
|
319
|
+
|
320
|
+
Context = new SslContext_t (bIsServer, privkeyfile, certchainfile, cipherlist, ecdh_curve, dhparam, ssl_version);
|
321
|
+
assert (Context);
|
322
|
+
|
323
|
+
pbioRead = BIO_new (BIO_s_mem());
|
324
|
+
assert (pbioRead);
|
325
|
+
|
326
|
+
pbioWrite = BIO_new (BIO_s_mem());
|
327
|
+
assert (pbioWrite);
|
328
|
+
|
329
|
+
pSSL = SSL_new (Context->pCtx);
|
330
|
+
assert (pSSL);
|
331
|
+
|
332
|
+
if (snihostname.length() > 0) {
|
333
|
+
SSL_set_tlsext_host_name (pSSL, snihostname.c_str());
|
334
|
+
}
|
335
|
+
|
336
|
+
SSL_set_bio (pSSL, pbioRead, pbioWrite);
|
337
|
+
|
338
|
+
// Store a pointer to the binding signature in the SSL object so we can retrieve it later
|
339
|
+
SSL_set_ex_data(pSSL, 0, (void*) binding);
|
340
|
+
|
341
|
+
if (bVerifyPeer) {
|
342
|
+
int mode = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
|
343
|
+
if (bFailIfNoPeerCert)
|
344
|
+
mode = mode | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
345
|
+
SSL_set_verify(pSSL, mode, ssl_verify_wrapper);
|
346
|
+
}
|
347
|
+
|
348
|
+
if (!bIsServer)
|
349
|
+
SSL_connect (pSSL);
|
350
|
+
}
|
351
|
+
|
352
|
+
|
353
|
+
|
354
|
+
/*******************
|
355
|
+
SslBox_t::~SslBox_t
|
356
|
+
*******************/
|
357
|
+
|
358
|
+
SslBox_t::~SslBox_t()
|
359
|
+
{
|
360
|
+
// Freeing pSSL will also free the associated BIOs, so DON'T free them separately.
|
361
|
+
if (pSSL) {
|
362
|
+
if (SSL_get_shutdown (pSSL) & SSL_RECEIVED_SHUTDOWN)
|
363
|
+
SSL_shutdown (pSSL);
|
364
|
+
else
|
365
|
+
SSL_clear (pSSL);
|
366
|
+
SSL_free (pSSL);
|
367
|
+
}
|
368
|
+
|
369
|
+
delete Context;
|
370
|
+
}
|
371
|
+
|
372
|
+
|
373
|
+
|
374
|
+
/***********************
|
375
|
+
SslBox_t::PutCiphertext
|
376
|
+
***********************/
|
377
|
+
|
378
|
+
bool SslBox_t::PutCiphertext (const char *buf, int bufsize)
|
379
|
+
{
|
380
|
+
assert (buf && (bufsize > 0));
|
381
|
+
|
382
|
+
assert (pbioRead);
|
383
|
+
int n = BIO_write (pbioRead, buf, bufsize);
|
384
|
+
|
385
|
+
return (n == bufsize) ? true : false;
|
386
|
+
}
|
387
|
+
|
388
|
+
|
389
|
+
/**********************
|
390
|
+
SslBox_t::GetPlaintext
|
391
|
+
**********************/
|
392
|
+
|
393
|
+
int SslBox_t::GetPlaintext (char *buf, int bufsize)
|
394
|
+
{
|
395
|
+
if (!SSL_is_init_finished (pSSL)) {
|
396
|
+
int e = bIsServer ? SSL_accept (pSSL) : SSL_connect (pSSL);
|
397
|
+
if (e != 1) {
|
398
|
+
int er = SSL_get_error (pSSL, e);
|
399
|
+
if (er != SSL_ERROR_WANT_READ) {
|
400
|
+
// Return -1 for a nonfatal error, -2 for an error that should force the connection down.
|
401
|
+
return (er == SSL_ERROR_SSL) ? (-2) : (-1);
|
402
|
+
}
|
403
|
+
else
|
404
|
+
return 0;
|
405
|
+
}
|
406
|
+
bHandshakeCompleted = true;
|
407
|
+
// If handshake finished, FALL THROUGH and return the available plaintext.
|
408
|
+
}
|
409
|
+
|
410
|
+
if (!SSL_is_init_finished (pSSL)) {
|
411
|
+
// We can get here if a browser abandons a handshake.
|
412
|
+
// The user can see a warning dialog and abort the connection.
|
413
|
+
//cerr << "<SSL_incomp>";
|
414
|
+
return 0;
|
415
|
+
}
|
416
|
+
|
417
|
+
//cerr << "CIPH: " << SSL_get_cipher (pSSL) << endl;
|
418
|
+
|
419
|
+
int n = SSL_read (pSSL, buf, bufsize);
|
420
|
+
if (n >= 0) {
|
421
|
+
return n;
|
422
|
+
}
|
423
|
+
else {
|
424
|
+
if (SSL_get_error (pSSL, n) == SSL_ERROR_WANT_READ) {
|
425
|
+
return 0;
|
426
|
+
}
|
427
|
+
else {
|
428
|
+
return -1;
|
429
|
+
}
|
430
|
+
}
|
431
|
+
|
432
|
+
return 0;
|
433
|
+
}
|
434
|
+
|
435
|
+
|
436
|
+
|
437
|
+
/**************************
|
438
|
+
SslBox_t::CanGetCiphertext
|
439
|
+
**************************/
|
440
|
+
|
441
|
+
bool SslBox_t::CanGetCiphertext()
|
442
|
+
{
|
443
|
+
assert (pbioWrite);
|
444
|
+
return BIO_pending (pbioWrite) ? true : false;
|
445
|
+
}
|
446
|
+
|
447
|
+
|
448
|
+
|
449
|
+
/***********************
|
450
|
+
SslBox_t::GetCiphertext
|
451
|
+
***********************/
|
452
|
+
|
453
|
+
int SslBox_t::GetCiphertext (char *buf, int bufsize)
|
454
|
+
{
|
455
|
+
assert (pbioWrite);
|
456
|
+
assert (buf && (bufsize > 0));
|
457
|
+
|
458
|
+
return BIO_read (pbioWrite, buf, bufsize);
|
459
|
+
}
|
460
|
+
|
461
|
+
|
462
|
+
|
463
|
+
/**********************
|
464
|
+
SslBox_t::PutPlaintext
|
465
|
+
**********************/
|
466
|
+
|
467
|
+
int SslBox_t::PutPlaintext (const char *buf, int bufsize)
|
468
|
+
{
|
469
|
+
// The caller will interpret the return value as the number of bytes written.
|
470
|
+
// WARNING WARNING WARNING, are there any situations in which a 0 or -1 return
|
471
|
+
// from SSL_write means we should immediately retry? The socket-machine loop
|
472
|
+
// will probably wait for a time-out cycle (perhaps a second) before re-trying.
|
473
|
+
// THIS WOULD CAUSE A PERCEPTIBLE DELAY!
|
474
|
+
|
475
|
+
/* We internally queue any outbound plaintext that can't be dispatched
|
476
|
+
* because we're in the middle of a handshake or something.
|
477
|
+
* When we get called, try to send any queued data first, and then
|
478
|
+
* send the caller's data (or queue it). We may get called with no outbound
|
479
|
+
* data, which means we try to send the outbound queue and that's all.
|
480
|
+
*
|
481
|
+
* Return >0 if we wrote any data, 0 if we didn't, and <0 for a fatal error.
|
482
|
+
* Note that if we return 0, the connection is still considered live
|
483
|
+
* and we are signalling that we have accepted the outbound data (if any).
|
484
|
+
*/
|
485
|
+
|
486
|
+
OutboundQ.Push (buf, bufsize);
|
487
|
+
|
488
|
+
if (!SSL_is_init_finished (pSSL))
|
489
|
+
return 0;
|
490
|
+
|
491
|
+
bool fatal = false;
|
492
|
+
bool did_work = false;
|
493
|
+
int pending = BIO_pending(pbioWrite);
|
494
|
+
|
495
|
+
while (OutboundQ.HasPages() && pending < SSLBOX_WRITE_BUFFER_SIZE) {
|
496
|
+
const char *page;
|
497
|
+
int length;
|
498
|
+
OutboundQ.Front (&page, &length);
|
499
|
+
assert (page && (length > 0));
|
500
|
+
int n = SSL_write (pSSL, page, length);
|
501
|
+
pending = BIO_pending(pbioWrite);
|
502
|
+
|
503
|
+
if (n > 0) {
|
504
|
+
did_work = true;
|
505
|
+
OutboundQ.PopFront();
|
506
|
+
}
|
507
|
+
else {
|
508
|
+
int er = SSL_get_error (pSSL, n);
|
509
|
+
if ((er != SSL_ERROR_WANT_READ) && (er != SSL_ERROR_WANT_WRITE))
|
510
|
+
fatal = true;
|
511
|
+
break;
|
512
|
+
}
|
513
|
+
}
|
514
|
+
|
515
|
+
|
516
|
+
if (did_work)
|
517
|
+
return 1;
|
518
|
+
else if (fatal)
|
519
|
+
return -1;
|
520
|
+
else
|
521
|
+
return 0;
|
522
|
+
}
|
523
|
+
|
524
|
+
/**********************
|
525
|
+
SslBox_t::GetPeerCert
|
526
|
+
**********************/
|
527
|
+
|
528
|
+
X509 *SslBox_t::GetPeerCert()
|
529
|
+
{
|
530
|
+
X509 *cert = NULL;
|
531
|
+
|
532
|
+
if (pSSL)
|
533
|
+
cert = SSL_get_peer_certificate(pSSL);
|
534
|
+
|
535
|
+
return cert;
|
536
|
+
}
|
537
|
+
|
538
|
+
/**********************
|
539
|
+
SslBox_t::GetCipherBits
|
540
|
+
**********************/
|
541
|
+
|
542
|
+
int SslBox_t::GetCipherBits()
|
543
|
+
{
|
544
|
+
int bits = -1;
|
545
|
+
if (pSSL)
|
546
|
+
SSL_get_cipher_bits(pSSL, &bits);
|
547
|
+
return bits;
|
548
|
+
}
|
549
|
+
|
550
|
+
/**********************
|
551
|
+
SslBox_t::GetCipherName
|
552
|
+
**********************/
|
553
|
+
|
554
|
+
const char *SslBox_t::GetCipherName()
|
555
|
+
{
|
556
|
+
if (pSSL)
|
557
|
+
return SSL_get_cipher_name(pSSL);
|
558
|
+
return NULL;
|
559
|
+
}
|
560
|
+
|
561
|
+
/**********************
|
562
|
+
SslBox_t::GetCipherProtocol
|
563
|
+
**********************/
|
564
|
+
|
565
|
+
const char *SslBox_t::GetCipherProtocol()
|
566
|
+
{
|
567
|
+
if (pSSL)
|
568
|
+
return SSL_get_cipher_version(pSSL);
|
569
|
+
return NULL;
|
570
|
+
}
|
571
|
+
|
572
|
+
/**********************
|
573
|
+
SslBox_t::GetSNIHostname
|
574
|
+
**********************/
|
575
|
+
|
576
|
+
const char *SslBox_t::GetSNIHostname()
|
577
|
+
{
|
578
|
+
#ifdef TLSEXT_NAMETYPE_host_name
|
579
|
+
if (pSSL)
|
580
|
+
return SSL_get_servername (pSSL, TLSEXT_NAMETYPE_host_name);
|
581
|
+
#endif
|
582
|
+
return NULL;
|
583
|
+
}
|
584
|
+
|
585
|
+
/******************
|
586
|
+
ssl_verify_wrapper
|
587
|
+
*******************/
|
588
|
+
|
589
|
+
extern "C" int ssl_verify_wrapper(int preverify_ok UNUSED, X509_STORE_CTX *ctx)
|
590
|
+
{
|
591
|
+
uintptr_t binding;
|
592
|
+
X509 *cert;
|
593
|
+
SSL *ssl;
|
594
|
+
BUF_MEM *buf;
|
595
|
+
BIO *out;
|
596
|
+
int result;
|
597
|
+
|
598
|
+
cert = X509_STORE_CTX_get_current_cert(ctx);
|
599
|
+
ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
|
600
|
+
binding = (uintptr_t) SSL_get_ex_data(ssl, 0);
|
601
|
+
|
602
|
+
out = BIO_new(BIO_s_mem());
|
603
|
+
PEM_write_bio_X509(out, cert);
|
604
|
+
BIO_write(out, "\0", 1);
|
605
|
+
BIO_get_mem_ptr(out, &buf);
|
606
|
+
|
607
|
+
ConnectionDescriptor *cd = dynamic_cast <ConnectionDescriptor*> (Bindable_t::GetObject(binding));
|
608
|
+
result = (cd->VerifySslPeer(buf->data) == true ? 1 : 0);
|
609
|
+
BIO_free(out);
|
610
|
+
|
611
|
+
return result;
|
612
|
+
}
|
613
|
+
|
614
|
+
#endif // WITH_SSL
|
615
|
+
|