RubyGems - ruby-tls - Versions diffs - 1.0.0 - Mend

ruby-tls 1.0.0

Files changed (19) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6b5c1cc1141c7f766b1321efc906a5e7c80b43bc
+  data.tar.gz: 7b4ebd9ce165bb26a5b0c0b90ede1d25548cafe5
+SHA512:
+  metadata.gz: dd6c9eabcc26971ba5f2c8d6c8776578d78b52a09f78a65c16037099056b9d6db0b2863d9fe89a5ef36510478c392edb734b35218f58a027ec249d422fa1826e
+  data.tar.gz: 75788c47a3e44f23db722fea7ca6b18361603c333b3adeb6f68a0fef4a1f30d0a48ec91393807c6441d416adbe8d790d28b7b275898c8e7d920a76dea24de684

data/EM-LICENSE ADDED

@@ -0,0 +1,60 @@
+EventMachine is copyrighted free software owned by Francis Cianfrocca
+(blackhedd ... gmail.com). The Owner of this software permits you to
+redistribute and/or modify the software under either the terms of the GPL
+version 2 (see the file GPL), or the conditions below ("Ruby License"):
+  1. You may make and give away verbatim copies of the source form of this
+     software without restriction, provided that you retain ALL of the
+     original copyright notices and associated disclaimers.
+  2. You may modify your copy of the software in any way, provided that
+     you do at least ONE of the following:
+       a) place your modifications in the Public Domain or otherwise
+          make them Freely Available, such as by posting said
+	  modifications to Usenet or an equivalent medium, or by allowing
+	  the author to include your modifications in the software.
+       b) use the modified software only within your corporation or
+          organization.
+       c) give non-standard binaries non-standard names, with
+          instructions on where to get the original software distribution.
+       d) make other distribution arrangements with the Owner.
+  3. You may distribute the software in object code or binary form,
+     provided that you do at least ONE of the following:
+       a) distribute the binaries and library files of the software,
+	  together with instructions (in a manual page or equivalent)
+	  on where to get the original distribution.
+       b) accompany the distribution with the machine-readable source of
+	  the software.
+       c) give non-standard binaries non-standard names, with
+          instructions on where to get the original software distribution.
+       d) make other distribution arrangements with the Owner.
+  4. You may modify and include parts of the software into any other
+     software (possibly commercial), provided you comply with the terms in
+     Sections 1, 2, and 3 above. But some files in the distribution
+     are not written by the Owner, so they may be made available to you
+     under different terms.
+     For the list of those files and their copying conditions, see the
+     file LEGAL.
+  5. The scripts and library files supplied as input to or produced as
+     output from the software do not automatically fall under the
+     copyright of the software, but belong to whoever generated them,
+     and may be sold commercially, and may be aggregated with this
+     software.
+  6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+     IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+     WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+     PURPOSE.

data/README.md ADDED

@@ -0,0 +1,69 @@
+# ruby-tls
+Ruby-TLS decouples the management of encrypted communications, putting you in charge of the transport layer. It can be used as an alternative to Ruby's SSLSocket.
+## Install the gem
+Install it with [RubyGems](https://rubygems.org/)
+    gem install ruby-tls
+or add this to your Gemfile if you use [Bundler](http://gembundler.com/):
+    gem "ruby-tls"
+Windows users will require an installation of OpenSSL (32bit or 64bit matching the Ruby installation) and be setup with [Ruby Installers DevKit](http://rubyinstaller.org/downloads/)
+## Usage
+```ruby
+require 'rubygems'
+require 'ruby-tls'
+#
+# Create a new TLS connection and attach callbacks
+#
+connection = RubyTls::Connection.new do |state|
+  state.handshake_cb do
+    puts "TLS handshake complete"
+  end
+  state.transmit_cb do |data|
+    puts "Data for transmission to remote"
+  end
+  state.dispatch_cb do |data|
+    puts "Clear text data that has been decrypted"
+  end
+  state.close_cb do |inst, data|
+    puts "An error occurred, the transport layer should be shutdown"
+  end
+end
+#
+# Init the handshake
+#
+connection.start
+#
+# Start sending data to the remote, this will trigger the
+# transmit_cb with encrypted data to send.
+#
+connection.encrypt('client request')
+#
+# Similarly when data is received from the remote it should be
+# passed to connection.decrypt where the dispatch_cb will be
+# called with clear text
+#
+```
+## License and copyright
+The core SSL code was originally extracted and isolated from [EventMachine](https://github.com/eventmachine/eventmachine/). So is licensed under the same terms, either the GPL or Ruby's License.

data/Rakefile ADDED

@@ -0,0 +1,19 @@
+require 'rubygems'
+require 'rake'
+require 'rspec/core/rake_task'
+task :default => [:compile, :test]
+task :compile do
+    protect = ['ssl.cpp', 'ssl.h', 'page.cpp', 'page.h']
+    Dir["ext/tls/**/*"].each do |file|
+        begin
+            next if protect.include? File.basename(file)
+            FileUtils.rm file
+        rescue
+        end
+    end
+    system 'cd ext && rake'
+end
+RSpec::Core::RakeTask.new(:test)

data/ext/Rakefile ADDED

@@ -0,0 +1,18 @@
+require 'ffi-compiler/compile_task'
+FFI::Compiler::CompileTask.new('ruby-tls-ext') do |t|
+    t.cflags << "-Wall -Wextra -O3"
+    t.cflags << "-D_GNU_SOURCE=1" if RbConfig::CONFIG["host_os"].downcase =~ /mingw/
+    t.cflags << "-arch x86_64 -arch i386" if t.platform.mac?
+    t.ldflags << "-arch x86_64 -arch i386" if t.platform.mac?
+    # Link to OpenSSL
+    if FFI::Platform.windows?
+        path = File.dirname(ENV["OPENSSL_CONF"])
+        path = File.expand_path("../", path)
+        t.cflags << "-I \"#{path}/include\""
+        t.ldflags << "-L\"#{path}/lib\" -lssleay32 -llibeay32"
+    else
+        t.ldflags << "-lssl -lcrypto"
+    end
+end

data/ext/tls/page.cpp ADDED

@@ -0,0 +1,107 @@
+/*****************************************************************************
+$Id$
+File:     page.cpp
+Date:     30Apr06
+Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved.
+Gmail: blackhedd
+This program is free software; you can redistribute it and/or modify
+it under the terms of either: 1) the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the
+License, or (at your option) any later version; or 2) Ruby's License.
+See the file COPYING for complete licensing information.
+*****************************************************************************/
+#include "page.h"
+/******************
+PageList::PageList
+******************/
+PageList::PageList()
+{
+}
+/*******************
+PageList::~PageList
+*******************/
+PageList::~PageList()
+{
+	while (HasPages())
+		PopFront();
+}
+/***************
+PageList::Front
+***************/
+void PageList::Front (const char **page, int *length)
+{
+	assert (page && length);
+	if (HasPages()) {
+		Page p = Pages.front();
+		*page = p.Buffer;
+		*length = p.Size;
+	}
+	else {
+		*page = NULL;
+		*length = 0;
+	}
+}
+/******************
+PageList::PopFront
+******************/
+void PageList::PopFront()
+{
+	if (HasPages()) {
+		Page p = Pages.front();
+		Pages.pop_front();
+		if (p.Buffer)
+			free ((void*)p.Buffer);
+	}
+}
+/******************
+PageList::HasPages
+******************/
+bool PageList::HasPages()
+{
+	return (Pages.size() > 0) ? true : false;
+}
+/**************
+PageList::Push
+**************/
+void PageList::Push (const char *buf, int size)
+{
+	if (buf && (size > 0)) {
+		char *copy = (char*) malloc (size);
+		if (!copy)
+			throw runtime_error ("no memory in pagelist");
+		memcpy (copy, buf, size);
+		Pages.push_back (Page (copy, size));
+	}
+}

data/ext/tls/page.h ADDED

@@ -0,0 +1,62 @@
+/*****************************************************************************
+$Id$
+File:     page.h
+Date:     30Apr06
+Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved.
+Gmail: blackhedd
+This program is free software; you can redistribute it and/or modify
+it under the terms of either: 1) the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the
+License, or (at your option) any later version; or 2) Ruby's License.
+See the file COPYING for complete licensing information.
+*****************************************************************************/
+#ifndef __PageManager__H_
+#define __PageManager__H_
+#include <deque>
+#include <stdexcept>
+#include <assert.h>
+#if defined(WIN32) || defined(_WIN32) || defined(__WIN32) && !defined(__CYGWIN__)
+	#include <windows.h>
+#endif
+using namespace std;
+/**************
+class PageList
+**************/
+class PageList
+{
+	struct Page {
+		Page (const char *b, size_t s): Buffer(b), Size(s) {}
+		const char *Buffer;
+		size_t Size;
+	};
+	public:
+		PageList();
+		virtual ~PageList();
+		void Push (const char*, int);
+		bool HasPages();
+		void Front (const char**, int*);
+		void PopFront();
+	private:
+		deque<Page> Pages;
+};
+#endif // __PageManager__H_

data/ext/tls/ssl.cpp ADDED

@@ -0,0 +1,591 @@
+/*****************************************************************************
+$Id$
+File:     ssl.cpp
+Date:     30Apr06
+Copyright (C) 2006-07 by Francis Cianfrocca. All Rights Reserved.
+Gmail: blackhedd
+This program is free software; you can redistribute it and/or modify
+it under the terms of either: 1) the GNU General Public License
+as published by the Free Software Foundation; either version 2 of the
+License, or (at your option) any later version; or 2) Ruby's License.
+See the file COPYING for complete licensing information.
+*****************************************************************************/
+#include "ssl.h"
+bool SslContext_t::bLibraryInitialized = false;
+static void InitializeDefaultCredentials();
+static EVP_PKEY *DefaultPrivateKey = NULL;
+static X509 *DefaultCertificate = NULL;
+static char PrivateMaterials[] = {
+"-----BEGIN RSA PRIVATE KEY-----\n"
+"MIICXAIBAAKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxwVDWV\n"
+"Igdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t39hJ/\n"
+"AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQIDAQAB\n"
+"AoGALA89gIFcr6BIBo8N5fL3aNHpZXjAICtGav+kTUpuxSiaym9cAeTHuAVv8Xgk\n"
+"H2Wbq11uz+6JMLpkQJH/WZ7EV59DPOicXrp0Imr73F3EXBfR7t2EQDYHPMthOA1D\n"
+"I9EtCzvV608Ze90hiJ7E3guGrGppZfJ+eUWCPgy8CZH1vRECQQDv67rwV/oU1aDo\n"
+"6/+d5nqjeW6mWkGqTnUU96jXap8EIw6B+0cUKskwx6mHJv+tEMM2748ZY7b0yBlg\n"
+"w4KDghbFAkEAz2h8PjSJG55LwqmXih1RONSgdN9hjB12LwXL1CaDh7/lkEhq0PlK\n"
+"PCAUwQSdM17Sl0Xxm2CZiekTSlwmHrtqXQJAF3+8QJwtV2sRJp8u2zVe37IeH1cJ\n"
+"xXeHyjTzqZ2803fnjN2iuZvzNr7noOA1/Kp+pFvUZUU5/0G2Ep8zolPUjQJAFA7k\n"
+"xRdLkzIx3XeNQjwnmLlncyYPRv+qaE3FMpUu7zftuZBnVCJnvXzUxP3vPgKTlzGa\n"
+"dg5XivDRfsV+okY5uQJBAMV4FesUuLQVEKb6lMs7rzZwpeGQhFDRfywJzfom2TLn\n"
+"2RdJQQ3dcgnhdVDgt5o1qkmsqQh8uJrJ9SdyLIaZQIc=\n"
+"-----END RSA PRIVATE KEY-----\n"
+"-----BEGIN CERTIFICATE-----\n"
+"MIID6TCCA1KgAwIBAgIJANm4W/Tzs+s+MA0GCSqGSIb3DQEBBQUAMIGqMQswCQYD\n"
+"VQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYw\n"
+"FAYDVQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsG\n"
+"A1UEAxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2lu\n"
+"ZWVyaW5nQHN0ZWFtaGVhdC5uZXQwHhcNMDYwNTA1MTcwNjAzWhcNMjQwMjIwMTcw\n"
+"NjAzWjCBqjELMAkGA1UEBhMCVVMxETAPBgNVBAgTCE5ldyBZb3JrMREwDwYDVQQH\n"
+"EwhOZXcgWW9yazEWMBQGA1UEChMNU3RlYW1oZWF0Lm5ldDEUMBIGA1UECxMLRW5n\n"
+"aW5lZXJpbmcxHTAbBgNVBAMTFG9wZW5jYS5zdGVhbWhlYXQubmV0MSgwJgYJKoZI\n"
+"hvcNAQkBFhllbmdpbmVlcmluZ0BzdGVhbWhlYXQubmV0MIGfMA0GCSqGSIb3DQEB\n"
+"AQUAA4GNADCBiQKBgQDCYYhcw6cGRbhBVShKmbWm7UVsEoBnUf0cCh8AX+MKhMxw\n"
+"VDWVIgdskntn3cSJjRtmgVJHIK0lpb/FYHQB93Ohpd9/Z18pDmovfFF9nDbFF0t3\n"
+"9hJ/AqSzFB3GiVPoFFZJEE1vJqh+3jzsSF5K56bZ6azz38VlZgXeSozNW5bXkQID\n"
+"AQABo4IBEzCCAQ8wHQYDVR0OBBYEFPJvPd1Fcmd8o/Tm88r+NjYPICCkMIHfBgNV\n"
+"HSMEgdcwgdSAFPJvPd1Fcmd8o/Tm88r+NjYPICCkoYGwpIGtMIGqMQswCQYDVQQG\n"
+"EwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAPBgNVBAcTCE5ldyBZb3JrMRYwFAYD\n"
+"VQQKEw1TdGVhbWhlYXQubmV0MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEdMBsGA1UE\n"
+"AxMUb3BlbmNhLnN0ZWFtaGVhdC5uZXQxKDAmBgkqhkiG9w0BCQEWGWVuZ2luZWVy\n"
+"aW5nQHN0ZWFtaGVhdC5uZXSCCQDZuFv087PrPjAMBgNVHRMEBTADAQH/MA0GCSqG\n"
+"SIb3DQEBBQUAA4GBAC1CXey/4UoLgJiwcEMDxOvW74plks23090iziFIlGgcIhk0\n"
+"Df6hTAs7H3MWww62ddvR8l07AWfSzSP5L6mDsbvq7EmQsmPODwb6C+i2aF3EDL8j\n"
+"uw73m4YIGI0Zw2XdBpiOGkx2H56Kya6mJJe/5XORZedh1wpI7zki01tHYbcy\n"
+"-----END CERTIFICATE-----\n"};
+/* These private materials were made with:
+ * openssl req -new -x509 -keyout cakey.pem -out cacert.pem -nodes -days 6500
+ * TODO: We need a full-blown capability to work with user-supplied
+ * keypairs and properly-signed certificates.
+ */
+/*****************
+builtin_passwd_cb
+*****************/
+extern "C" int builtin_passwd_cb (char *buf, int bufsize, int rwflag, void *userdata)
+{
+	strcpy (buf, "kittycat");
+	return 8;
+}
+/****************************
+InitializeDefaultCredentials
+****************************/
+static void InitializeDefaultCredentials()
+{
+	BIO *bio = BIO_new_mem_buf (PrivateMaterials, -1);
+	assert (bio);
+	if (DefaultPrivateKey) {
+		// we may come here in a restart.
+		EVP_PKEY_free (DefaultPrivateKey);
+		DefaultPrivateKey = NULL;
+	}
+	PEM_read_bio_PrivateKey (bio, &DefaultPrivateKey, builtin_passwd_cb, 0);
+	if (DefaultCertificate) {
+		// we may come here in a restart.
+		X509_free (DefaultCertificate);
+		DefaultCertificate = NULL;
+	}
+	PEM_read_bio_X509 (bio, &DefaultCertificate, NULL, 0);
+	BIO_free (bio);
+}
+/**************************
+SslContext_t::SslContext_t
+**************************/
+SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const string &certchainfile):
+	pCtx (NULL),
+	PrivateKey (NULL),
+	Certificate (NULL)
+{
+	/* TODO: the usage of the specified private-key and cert-chain filenames only applies to
+	 * client-side connections at this point. Server connections currently use the default materials.
+	 * That needs to be fixed asap.
+	 * Also, in this implementation, server-side connections use statically defined X-509 defaults.
+	 * One thing I'm really not clear on is whether or not you have to explicitly free X509 and EVP_PKEY
+	 * objects when we call our destructor, or whether just calling SSL_CTX_free is enough.
+	 */
+	if (!bLibraryInitialized) {
+		bLibraryInitialized = true;
+		SSL_library_init();
+		OpenSSL_add_ssl_algorithms();
+		OpenSSL_add_all_algorithms();
+		SSL_load_error_strings();
+		ERR_load_crypto_strings();
+		InitializeDefaultCredentials();
+	}
+	bIsServer = is_server;
+	pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
+	if (!pCtx)
+		throw std::runtime_error ("no SSL context");
+	SSL_CTX_set_options (pCtx, SSL_OP_ALL);
+	//SSL_CTX_set_options (pCtx, (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3));
+#ifdef SSL_MODE_RELEASE_BUFFERS
+	SSL_CTX_set_mode (pCtx, SSL_MODE_RELEASE_BUFFERS);
+#endif
+	if (is_server) {
+		// The SSL_CTX calls here do NOT allocate memory.
+		int e;
+		if (privkeyfile.length() > 0)
+			e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
+		else
+			e = SSL_CTX_use_PrivateKey (pCtx, DefaultPrivateKey);
+		if (e <= 0) ERR_print_errors_fp(stderr);
+		assert (e > 0);
+		if (certchainfile.length() > 0)
+			e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
+		else
+			e = SSL_CTX_use_certificate (pCtx, DefaultCertificate);
+		if (e <= 0) ERR_print_errors_fp(stderr);
+		assert (e > 0);
+	}
+	SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");
+	if (is_server) {
+		SSL_CTX_sess_set_cache_size (pCtx, 128);
+		SSL_CTX_set_session_id_context (pCtx, (unsigned char*)"ruby-tls", 8);
+	}
+	else {
+		int e;
+		if (privkeyfile.length() > 0) {
+			e = SSL_CTX_use_PrivateKey_file (pCtx, privkeyfile.c_str(), SSL_FILETYPE_PEM);
+			if (e <= 0) ERR_print_errors_fp(stderr);
+			assert (e > 0);
+		}
+		if (certchainfile.length() > 0) {
+			e = SSL_CTX_use_certificate_chain_file (pCtx, certchainfile.c_str());
+			if (e <= 0) ERR_print_errors_fp(stderr);
+			assert (e > 0);
+		}
+	}
+}
+/***************************
+SslContext_t::~SslContext_t
+***************************/
+SslContext_t::~SslContext_t()
+{
+	if (pCtx)
+		SSL_CTX_free (pCtx);
+	if (PrivateKey)
+		EVP_PKEY_free (PrivateKey);
+	if (Certificate)
+		X509_free (Certificate);
+}
+/******************
+SslBox_t::SslBox_t
+******************/
+SslBox_t::SslBox_t (tls_state_t *tls_state, bool is_server, const string &privkeyfile, const string &certchainfile, bool verify_peer):
+	bIsServer (is_server),
+	bHandshakeCompleted (false),
+	bVerifyPeer (verify_peer),
+	pSSL (NULL),
+	pbioRead (NULL),
+	pbioWrite (NULL)
+{
+	/* TODO someday: make it possible to re-use SSL contexts so we don't have to create
+	 * a new one every time we come here.
+	 */
+	Context = new SslContext_t (bIsServer, privkeyfile, certchainfile);
+	assert (Context);
+	pbioRead = BIO_new (BIO_s_mem());
+	assert (pbioRead);
+	pbioWrite = BIO_new (BIO_s_mem());
+	assert (pbioWrite);
+	pSSL = SSL_new (Context->pCtx);
+	assert (pSSL);
+	SSL_set_bio (pSSL, pbioRead, pbioWrite);
+	// Store a pointer to the callbacks in the SSL object so we can retrieve it later
+	SSL_set_ex_data(pSSL, 0, (void*) tls_state);
+	if (bVerifyPeer)
+		SSL_set_verify(pSSL, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, ssl_verify_wrapper);
+	if (!bIsServer)
+		SSL_connect (pSSL);
+}
+/*******************
+SslBox_t::~SslBox_t
+*******************/
+SslBox_t::~SslBox_t()
+{
+	// Freeing pSSL will also free the associated BIOs, so DON'T free them separately.
+	if (pSSL) {
+		if (SSL_get_shutdown (pSSL) & SSL_RECEIVED_SHUTDOWN)
+			SSL_shutdown (pSSL);
+		else
+			SSL_clear (pSSL);
+		SSL_free (pSSL);
+	}
+	delete Context;
+}
+/***********************
+SslBox_t::PutCiphertext
+***********************/
+bool SslBox_t::PutCiphertext (const char *buf, int bufsize)
+{
+	assert (buf && (bufsize > 0));
+	assert (pbioRead);
+	int n = BIO_write (pbioRead, buf, bufsize);
+	return (n == bufsize) ? true : false;
+}
+/**********************
+SslBox_t::GetPlaintext
+**********************/
+int SslBox_t::GetPlaintext (char *buf, int bufsize)
+{
+	if (!SSL_is_init_finished (pSSL)) {
+		int e = bIsServer ? SSL_accept (pSSL) : SSL_connect (pSSL);
+		if (e < 0) {
+			int er = SSL_get_error (pSSL, e);
+			if (er != SSL_ERROR_WANT_READ) {
+				// Return -1 for a nonfatal error, -2 for an error that should force the connection down.
+				return (er == SSL_ERROR_SSL) ? (-2) : (-1);
+			}
+			else
+				return 0;
+		}
+		bHandshakeCompleted = true;
+		// If handshake finished, FALL THROUGH and return the available plaintext.
+	}
+	if (!SSL_is_init_finished (pSSL)) {
+		// We can get here if a browser abandons a handshake.
+		// The user can see a warning dialog and abort the connection.
+		cerr << "<SSL_incomp>";
+		return 0;
+	}
+	//cerr << "CIPH: " << SSL_get_cipher (pSSL) << endl;
+	int n = SSL_read (pSSL, buf, bufsize);
+	if (n >= 0) {
+		return n;
+	}
+	else {
+		if (SSL_get_error (pSSL, n) == SSL_ERROR_WANT_READ) {
+			return 0;
+		}
+		else {
+			return -1;
+		}
+	}
+	return 0;
+}
+/**************************
+SslBox_t::CanGetCiphertext
+**************************/
+bool SslBox_t::CanGetCiphertext()
+{
+	assert (pbioWrite);
+	return BIO_pending (pbioWrite) ? true : false;
+}
+/***********************
+SslBox_t::GetCiphertext
+***********************/
+int SslBox_t::GetCiphertext (char *buf, int bufsize)
+{
+	assert (pbioWrite);
+	assert (buf && (bufsize > 0));
+	return BIO_read (pbioWrite, buf, bufsize);
+}
+/**********************
+SslBox_t::PutPlaintext
+**********************/
+int SslBox_t::PutPlaintext (const char *buf, int bufsize)
+{
+	// The caller will interpret the return value as the number of bytes written.
+	// WARNING WARNING WARNING, are there any situations in which a 0 or -1 return
+	// from SSL_write means we should immediately retry? The socket-machine loop
+	// will probably wait for a time-out cycle (perhaps a second) before re-trying.
+	// THIS WOULD CAUSE A PERCEPTIBLE DELAY!
+	/* We internally queue any outbound plaintext that can't be dispatched
+	 * because we're in the middle of a handshake or something.
+	 * When we get called, try to send any queued data first, and then
+	 * send the caller's data (or queue it). We may get called with no outbound
+	 * data, which means we try to send the outbound queue and that's all.
+	 *
+	 * Return >0 if we wrote any data, 0 if we didn't, and <0 for a fatal error.
+	 * Note that if we return 0, the connection is still considered live
+	 * and we are signalling that we have accepted the outbound data (if any).
+	 */
+	OutboundQ.Push (buf, bufsize);
+	if (!SSL_is_init_finished (pSSL))
+		return 0;
+	bool fatal = false;
+	bool did_work = false;
+	while (OutboundQ.HasPages()) {
+		const char *page;
+		int length;
+		OutboundQ.Front (&page, &length);
+		assert (page && (length > 0));
+		int n = SSL_write (pSSL, page, length);
+		if (n > 0) {
+			did_work = true;
+			OutboundQ.PopFront();
+		}
+		else {
+			int er = SSL_get_error (pSSL, n);
+			if ((er != SSL_ERROR_WANT_READ) && (er != SSL_ERROR_WANT_WRITE))
+				fatal = true;
+			break;
+		}
+	}
+	if (did_work)
+		return 1;
+	else if (fatal)
+		return -1;
+	else
+		return 0;
+}
+/**********************
+SslBox_t::GetPeerCert
+**********************/
+X509 *SslBox_t::GetPeerCert()
+{
+	X509 *cert = NULL;
+	if (pSSL)
+		cert = SSL_get_peer_certificate(pSSL);
+	return cert;
+}
+void _DispatchCiphertext(tls_state_t *tls_state)
+{
+	SslBox_t *SslBox = tls_state->SslBox;
+	assert (SslBox);
+	char BigBuf [2048];
+	bool did_work;
+	do {
+		did_work = false;
+		// try to drain ciphertext
+		while (SslBox->CanGetCiphertext()) {
+			int r = SslBox->GetCiphertext(BigBuf, sizeof(BigBuf));
+			assert (r > 0);
+			// Queue the data for transmit
+			tls_state->transmit_cb(tls_state, BigBuf, r);
+			did_work = true;
+		}
+		// Pump the SslBox, in case it has queued outgoing plaintext
+		// This will return >0 if data was written,
+		// 0 if no data was written, and <0 if there was a fatal error.
+		bool pump;
+		do {
+			pump = false;
+			int w = SslBox->PutPlaintext(NULL, 0);
+			if (w > 0) {
+				did_work = true;
+				pump = true;
+			} else if (w < 0) {
+				// Close on error
+				tls_state->close_cb(tls_state);
+			}
+		} while (pump);
+	} while (did_work);
+}
+void _CheckHandshakeStatus(tls_state_t *tls_state)
+{
+	SslBox_t *SslBox = tls_state->SslBox;
+	// keep track of weather or not this function has been called yet
+	if (SslBox && tls_state->handshake_signaled == 0 && SslBox->IsHandshakeCompleted()) {
+		tls_state->handshake_signaled = 1;
+		// Optional callback
+		if (tls_state->handshake_cb) {
+			tls_state->handshake_cb(tls_state);
+		}
+	}
+}
+/******************
+ssl_verify_wrapper
+*******************/
+extern "C" int ssl_verify_wrapper(int preverify_ok, X509_STORE_CTX *ctx)
+{
+	X509 *cert;
+	SSL *ssl;
+	BUF_MEM *buf;
+	BIO *out;
+	int result;
+	tls_state_t *tls_state;
+	cert = X509_STORE_CTX_get_current_cert(ctx);
+	ssl = (SSL*) X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+	out = BIO_new(BIO_s_mem());
+	PEM_write_bio_X509(out, cert);
+	BIO_write(out, "\0", 1);
+	BIO_get_mem_ptr(out, &buf);
+	tls_state = (tls_state_t *) SSL_get_ex_data(ssl, 0);
+	result = tls_state->verify_cb(tls_state, buf->data);
+	BIO_free(out);
+	return result;
+}
+// These are the FFI interactions:
+// ------------------------------
+extern "C" void start_tls(tls_state_t *tls_state, bool bIsServer, const char *PrivateKeyFilename, const char *CertChainFilename, bool bSslVerifyPeer)
+{
+	tls_state->SslBox = new SslBox_t (tls_state, bIsServer, PrivateKeyFilename, CertChainFilename, bSslVerifyPeer);
+	_DispatchCiphertext(tls_state);
+}
+extern "C" void encrypt_data(tls_state_t *tls_state, const char *data, int length) {
+	SslBox_t *SslBox = tls_state->SslBox;
+	if (length > 0 && SslBox) {
+		int w = SslBox->PutPlaintext(data, length);
+		if (w < 0) {
+			// Close the connection if there was an issue
+			tls_state->close_cb(tls_state);
+		} else {
+			_DispatchCiphertext(tls_state);
+		}
+	}
+}
+extern "C" void decrypt_data(tls_state_t *tls_state, const char *buffer, int size) {
+	SslBox_t *SslBox = tls_state->SslBox;
+	if (SslBox) {
+		SslBox->PutCiphertext (buffer, size);
+		int s;
+		char B [2048];
+		while ((s = SslBox->GetPlaintext(B, sizeof(B) - 1)) > 0) {
+			_CheckHandshakeStatus(tls_state);
+			B[s] = 0;
+			// data recieved callback
+			tls_state->dispatch_cb(tls_state, B, s);
+		}
+		// If our SSL handshake had a problem, shut down the connection.
+		if (s == -2) {
+			tls_state->close_cb(tls_state);
+			return;
+		}
+		_CheckHandshakeStatus(tls_state);
+		_DispatchCiphertext(tls_state);
+	}
+}
+extern "C" X509 *get_peer_cert(tls_state_t *tls_state)
+{
+	if (tls_state->SslBox)
+		return tls_state->SslBox->GetPeerCert();
+	return 0;
+}