merging from plugins branch

1 files changed, 389 insertions, 0 deletions

diff --git a/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp b/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp
new file mode 100644
index 00000000000..0920aa798d3
--- /dev/null
+++ b/cpp/src/IceSSL/SslConnectionOpenSSLClient.cpp
@@ -0,0 +1,389 @@
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/Network.h>
+#include <Ice/TraceLevels.h>
+#include <Ice/Logger.h>
+#include <Ice/LocalException.h>
+#include <IceSSL/OpenSSLUtils.h>
+#include <IceSSL/OpenSSL.h>
+#include <IceSSL/Exception.h>
+#include <IceSSL/OpenSSLJanitors.h>
+#include <IceSSL/SslConnectionOpenSSLClient.h>
+
+#include <sstream>
+
+using namespace std;
+using namespace Ice;
+using namespace IceInternal;
+
+////////////////////////////////////////////////
+////////// SslConnectionOpenSSLClient //////////
+////////////////////////////////////////////////
+
+//
+// Public Methods
+//
+
+// Note: I would use a using directive of the form:
+//       using IceSSL::CertificateVerifierPtr;
+//       but unfortunately, it appears that this is not properly picked up.
+//
+
+IceSSL::OpenSSL::ClientConnection::ClientConnection(const TraceLevelsPtr& traceLevels,
+                                                    const LoggerPtr& logger,
+                                                    const IceSSL::CertificateVerifierPtr& certificateVerifier,
+                                                    SSL* connection,
+                                                    const PluginBaseIPtr& plugin) :
+                                  Connection(traceLevels, logger, certificateVerifier, connection, plugin)
+{
+    assert(_sslConnection != 0);
+
+    // Set the Connect Connection state for this connection.
+    SSL_set_connect_state(_sslConnection);
+}
+
+IceSSL::OpenSSL::ClientConnection::~ClientConnection()
+{
+}
+
+void
+IceSSL::OpenSSL::ClientConnection::shutdown()
+{
+    Connection::shutdown();
+}
+
+int
+IceSSL::OpenSSL::ClientConnection::init(int timeout)
+{
+    assert(_sslConnection != 0);
+
+    int retCode = SSL_is_init_finished(_sslConnection);
+
+    while (!retCode)
+    {
+        int i = 0;
+
+        _readTimeout = timeout > _handshakeReadTimeout ? timeout : _handshakeReadTimeout;
+
+        if (_initWantRead)
+        {
+            i = readSelect(_readTimeout);
+        }
+        else if (_initWantWrite)
+        {
+            i = writeSelect(timeout);
+        }
+
+        if (_initWantRead && i == 0)
+        {
+            return 0;
+        }
+
+        if (_initWantWrite && i == 0)
+        {
+            return 0;
+        }
+
+        _initWantRead = 0;
+        _initWantWrite = 0;
+
+        int result = connect();
+
+        switch (getLastError())
+        {
+            case SSL_ERROR_WANT_READ:
+            {
+                _initWantRead = 1;
+                break;
+            }
+
+            case SSL_ERROR_WANT_WRITE:
+            {
+                _initWantWrite = 1;
+                break;
+            }
+
+            
+            case SSL_ERROR_NONE:
+            case SSL_ERROR_WANT_X509_LOOKUP:
+            {
+                // Retry connect.
+                break;
+            }
+
+            case SSL_ERROR_SYSCALL:
+            {
+                // This is a SOCKET_ERROR, but we don't use
+                // this define here as OpenSSL doesn't refer
+                // to it as a SOCKET_ERROR (but that's what it is
+                // if you look at their code).
+                if(result == -1)
+                {
+                    // IO Error in underlying BIO
+
+                    if (interrupted())
+                    {
+                        break;
+                    }
+
+                    if (wouldBlock())
+                    {
+                        readSelect(_readTimeout);
+                        break;
+                    }
+
+                    if (connectionLost())
+                    {
+                        ConnectionLostException ex(__FILE__, __LINE__);
+                        ex.error = getSocketErrno();
+                        throw ex;
+                    }
+                    else
+                    {
+                        SocketException ex(__FILE__, __LINE__);
+                        ex.error = getSocketErrno();
+                        throw ex;
+                    }
+                }
+                else    // result == 0
+                {
+                    //
+                    // The OpenSSL docs say that a result code of 0 indicates
+                    // a graceful shutdown. In order to cause a retry in the
+                    // Ice core, we raise ConnectFailedException. However,
+                    // errno isn't set in this situation, so we always use
+                    // ECONNREFUSED.
+                    //
+                    ConnectFailedException ex(__FILE__, __LINE__);
+                    ex.error = ECONNREFUSED;
+                    throw ex;
+                }
+            }
+
+            case SSL_ERROR_SSL:
+            {
+                int verifyError = SSL_get_verify_result(_sslConnection);
+
+                if (verifyError != X509_V_OK && verifyError != 1)
+	        {
+                    CertificateVerificationException certVerEx(__FILE__, __LINE__);
+
+                    certVerEx._message = "ssl certificate verification error";
+
+                    string errors = sslGetErrors();
+
+                    if (!errors.empty())
+                    {
+                        certVerEx._message += "\n";
+                        certVerEx._message += errors;
+                    }
+
+                    throw certVerEx;
+	        }
+                else
+                {
+                    ProtocolException protocolEx(__FILE__, __LINE__);
+
+                    protocolEx._message = "encountered a violation of the ssl protocol during handshake\n";
+                    protocolEx._message += sslGetErrors();
+
+                    throw protocolEx;
+                }
+            }
+        }
+
+        retCode = SSL_is_init_finished(_sslConnection);
+
+        if (retCode > 0)
+        {
+            // Init finished, look at the connection information.
+            showConnectionInfo();
+        }
+    }
+
+    return retCode;
+}
+
+int
+IceSSL::OpenSSL::ClientConnection::write(Buffer& buf, int timeout)
+{
+    int totalBytesWritten = 0;
+    int bytesWritten = 0;
+
+    int packetSize = buf.b.end() - buf.i;
+
+#ifdef _WIN32
+    //
+    // Limit packet size to avoid performance problems on WIN32.
+    // (blatantly ripped off from Marc Laukien)
+    //
+    if (packetSize > 64 * 1024)
+    {
+        packetSize = 64 * 1024;
+    }
+#endif
+
+    // We keep reading until we're done
+    while (buf.i != buf.b.end())
+    {
+        // Ensure we're initialized.
+        if (initialize(timeout) <= 0)
+        {
+            // Retry the initialize call
+            continue;
+        }
+
+        // initialize() must have returned > 0, so we're okay to try a write.
+
+        // Perform a select on the socket.
+        if (!writeSelect(timeout))
+        {
+            // We're done here.
+            break;
+        }
+
+        bytesWritten = sslWrite((char *)buf.i, packetSize);
+
+        switch (getLastError())
+        {
+            case SSL_ERROR_NONE:
+            {
+                if (bytesWritten > 0)
+                {
+                    if (_traceLevels->network >= 3)
+                    {
+                        ostringstream s;
+                        s << "sent " << bytesWritten << " of " << packetSize;
+                        s << " bytes via ssl\n" << fdToString(SSL_get_fd(_sslConnection));
+                       _logger->trace(_traceLevels->networkCat, s.str());
+                    }
+
+                    totalBytesWritten += bytesWritten;
+
+                    buf.i += bytesWritten;
+
+                    if (packetSize > buf.b.end() - buf.i)
+                    {
+                        packetSize = buf.b.end() - buf.i;
+                    }
+                }
+                continue;
+            }
+
+            case SSL_ERROR_WANT_WRITE:
+            case SSL_ERROR_WANT_READ:
+            case SSL_ERROR_WANT_X509_LOOKUP:
+            {
+                // Perform another read.  The read should take care of this.
+                continue;
+            }
+
+            case SSL_ERROR_SYSCALL:
+            {
+                // NOTE:  The OpenSSL demo client only raises and error condition if there were
+                //        actually bytes written.  This is considered to be an error status
+                //        requiring shutdown.
+                //        If nothing was written, the demo client stops writing - we continue.
+                //        This is potentially something wierd to watch out for.
+                if (bytesWritten == -1)
+                {
+                    // IO Error in underlying BIO
+
+                    if (interrupted())
+                    {
+                        break;
+                    }
+
+                    if (wouldBlock())
+	            {
+                        break;
+                    }
+
+                    if (connectionLost())
+	            {
+		        ConnectionLostException ex(__FILE__, __LINE__);
+		        ex.error = getSocketErrno();
+		        throw ex;
+	            }
+	            else
+	            {
+		        SocketException ex(__FILE__, __LINE__);
+		        ex.error = getSocketErrno();
+		        throw ex;
+	            }
+                }
+                else if (bytesWritten > 0)
+                {
+                    ProtocolException protocolEx(__FILE__, __LINE__);
+
+                    // Protocol Error: Unexpected EOF
+                    protocolEx._message = "encountered an EOF that violates the ssl protocol\n";
+                    protocolEx._message += sslGetErrors();
+
+                    throw protocolEx;
+                }
+                else // bytesWritten == 0
+                {
+                    // Didn't write anything, continue, should be fine.
+                    break;
+                }
+            }
+
+            case SSL_ERROR_SSL:
+            {
+                ProtocolException protocolEx(__FILE__, __LINE__);
+
+                protocolEx._message = "encountered a violation of the ssl protocol\n";
+                protocolEx._message += sslGetErrors();
+
+                throw protocolEx;
+            }
+
+            case SSL_ERROR_ZERO_RETURN:
+            {
+		ConnectionLostException ex(__FILE__, __LINE__);
+		ex.error = getSocketErrno();
+		throw ex;
+            }
+        }
+    }
+
+    return totalBytesWritten;
+}
+
+//
+// Protected Methods
+//
+
+void
+IceSSL::OpenSSL::ClientConnection::showConnectionInfo()
+{
+    // Only in extreme cases do we enable this, partially because it doesn't use the Logger.
+    if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0)
+    {
+        BIOJanitor bioJanitor(BIO_new_fp(stdout, BIO_NOCLOSE));
+        BIO* bio = bioJanitor.get();
+
+        showCertificateChain(bio);
+
+        showPeerCertificate(bio,"Client");
+
+        showClientCAList(bio, "Client");
+
+        showSharedCiphers(bio);
+
+        showSelectedCipherInfo(bio);
+
+        showHandshakeStats(bio);
+
+        showSessionInfo(bio);
+    }
+}