summaryrefslogtreecommitdiff
path: root/cpp/src/IceSSL/SslServerTransceiver.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'cpp/src/IceSSL/SslServerTransceiver.cpp')
-rw-r--r--cpp/src/IceSSL/SslServerTransceiver.cpp364
1 files changed, 364 insertions, 0 deletions
diff --git a/cpp/src/IceSSL/SslServerTransceiver.cpp b/cpp/src/IceSSL/SslServerTransceiver.cpp
new file mode 100644
index 00000000000..4732c59bad9
--- /dev/null
+++ b/cpp/src/IceSSL/SslServerTransceiver.cpp
@@ -0,0 +1,364 @@
+// **********************************************************************
+//
+// Copyright (c) 2001
+// Mutable Realms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/Logger.h>
+#include <Ice/LoggerUtil.h>
+#include <Ice/Buffer.h>
+#include <Ice/Network.h>
+#include <IceSSL/OpenSSL.h>
+#include <IceSSL/PluginBaseI.h>
+#include <IceSSL/TraceLevels.h>
+
+#include <Ice/LocalException.h>
+#include <IceSSL/OpenSSLUtils.h>
+#include <IceSSL/Exception.h>
+#include <IceSSL/OpenSSLJanitors.h>
+#include <IceSSL/SslServerTransceiver.h>
+
+#include <sstream>
+
+using namespace std;
+using namespace Ice;
+using namespace IceInternal;
+
+//
+// Public Methods
+//
+
+void
+IceSSL::SslServerTransceiver::write(Buffer& buf, int timeout)
+{
+ assert(_fd != INVALID_SOCKET);
+
+ int totalBytesWritten = 0;
+ int bytesWritten = 0;
+
+ int packetSize = buf.b.end() - buf.i;
+
+#ifdef _WIN32
+ //
+ // Limit packet size to avoid performance problems on WIN32.
+ //
+ if(packetSize > 64 * 1024)
+ {
+ packetSize = 64 * 1024;
+ }
+#endif
+
+ // We keep writing until we're done.
+ while(buf.i != buf.b.end())
+ {
+ // Ensure we're initialized.
+ if(initialize(timeout) <= 0)
+ {
+ // Retry the initialize call
+ continue;
+ }
+
+ // initialize() must have returned > 0, so we're okay to try a write.
+
+ // Perform a select on the socket.
+ if(!writeSelect(timeout))
+ {
+ // We're done here.
+ break;
+ }
+
+ bytesWritten = sslWrite(static_cast<char*>(&*buf.i), packetSize);
+
+ switch(getLastError())
+ {
+ case SSL_ERROR_NONE:
+ {
+ if(_traceLevels->network >= 3)
+ {
+ ostringstream s;
+ s << "sent " << bytesWritten << " of " << packetSize;
+ s << " bytes via ssl\n" << fdToString(SSL_get_fd(_sslConnection));
+ _logger->trace(_traceLevels->networkCat, s.str());
+ }
+
+ totalBytesWritten += bytesWritten;
+
+ buf.i += bytesWritten;
+
+ if(packetSize > buf.b.end() - buf.i)
+ {
+ packetSize = buf.b.end() - buf.i;
+ }
+ continue;
+ }
+
+ case SSL_ERROR_WANT_WRITE:
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_X509_LOOKUP:
+ {
+ continue;
+ }
+
+ case SSL_ERROR_SYSCALL:
+ {
+ if(bytesWritten == -1)
+ {
+ // IO Error in underlying BIO
+
+ if(interrupted())
+ {
+ break;
+ }
+
+ if(wouldBlock())
+ {
+ break;
+ }
+
+ if(connectionLost())
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = getSocketErrno();
+ throw ex;
+ }
+
+ SocketException ex(__FILE__, __LINE__);
+ ex.error = getSocketErrno();
+ throw ex;
+ }
+ else
+ {
+ ProtocolException protocolEx(__FILE__, __LINE__);
+
+ // Protocol Error: Unexpected EOF.
+ protocolEx.message = "encountered an EOF that violates the ssl protocol\n";
+ protocolEx.message += IceSSL::OpenSSL::sslGetErrors();
+
+ throw protocolEx;
+ }
+ }
+
+ case SSL_ERROR_SSL:
+ {
+ ProtocolException protocolEx(__FILE__, __LINE__);
+
+ protocolEx.message = "encountered a violation of the ssl protocol\n";
+ protocolEx.message += IceSSL::OpenSSL::sslGetErrors();
+
+ throw protocolEx;
+ }
+
+ case SSL_ERROR_ZERO_RETURN:
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = getSocketErrno();
+ throw ex;
+ }
+ }
+ }
+}
+
+int
+IceSSL::SslServerTransceiver::handshake(int timeout)
+{
+ assert(_sslConnection != 0);
+
+ int retCode = SSL_is_init_finished(_sslConnection);
+
+ while(!retCode)
+ {
+ _readTimeout = timeout > _handshakeReadTimeout ? timeout : _handshakeReadTimeout;
+
+ if(_initWantWrite)
+ {
+ int i = writeSelect(timeout);
+
+ if(i == 0)
+ {
+ cerr << "-" << flush;
+ return 0;
+ }
+
+ _initWantWrite = 0;
+ }
+ else
+ {
+ int i = readSelect(_readTimeout);
+
+ if(i == 0)
+ {
+ cerr << "-" << flush;
+ return 0;
+ }
+ }
+
+ int result = accept();
+
+ // We're doing an Accept and we don't get a retry on the socket.
+ if((result <= 0) && (BIO_sock_should_retry(result) == 0))
+ {
+ // Socket can't retry - bad scene, find out why.
+ long verifyError = SSL_get_verify_result(_sslConnection);
+
+ if(verifyError != X509_V_OK)
+ {
+ // Flag the connection for shutdown, let the
+ // usual initialization take care of it.
+
+ _phase = Shutdown;
+
+ return 0;
+ }
+ else
+ {
+ ProtocolException protocolEx(__FILE__, __LINE__);
+
+ protocolEx.message = "encountered an ssl protocol violation during handshake\n";
+ protocolEx.message += IceSSL::OpenSSL::sslGetErrors();
+
+ throw protocolEx;
+ }
+ }
+
+ // Find out what the error was (if any).
+ switch(getLastError())
+ {
+ case SSL_ERROR_WANT_WRITE:
+ {
+ _initWantWrite = 1;
+ break;
+ }
+
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_NONE:
+ case SSL_ERROR_WANT_X509_LOOKUP:
+ {
+ // Do nothing, life is good!
+ break;
+ }
+
+ case SSL_ERROR_SYSCALL:
+ {
+ // This is a SOCKET_ERROR, but we don't use
+ // this define here as OpenSSL doesn't refer
+ // to it as a SOCKET_ERROR (but that's what it is
+ // if you look at their code).
+ if(result == -1)
+ {
+ if(interrupted())
+ {
+ break;
+ }
+
+ if(wouldBlock())
+ {
+ readSelect(_readTimeout);
+ break;
+ }
+
+ if(connectionLost())
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = getSocketErrno();
+ throw ex;
+ }
+
+ SocketException ex(__FILE__, __LINE__);
+ ex.error = getSocketErrno();
+ throw ex;
+ }
+ else
+ {
+ //
+ // NOTE: Should this be ConnectFailedException like in the Client?
+ //
+
+ ProtocolException protocolEx(__FILE__, __LINE__);
+
+ // Protocol Error: Unexpected EOF
+ protocolEx.message = "encountered an eof during handshake that violates the ssl protocol\n";
+ protocolEx.message += IceSSL::OpenSSL::sslGetErrors();
+
+ throw protocolEx;
+ }
+ }
+
+ case SSL_ERROR_SSL:
+ {
+ ProtocolException protocolEx(__FILE__, __LINE__);
+
+ protocolEx.message = "encountered a violation of the ssl protocol during handshake\n";
+ protocolEx.message += IceSSL::OpenSSL::sslGetErrors();
+
+ throw protocolEx;
+ }
+
+ case SSL_ERROR_ZERO_RETURN:
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = getSocketErrno();
+ throw ex;
+ }
+ }
+
+ retCode = SSL_is_init_finished(_sslConnection);
+
+ if(retCode > 0)
+ {
+ _phase = Connected;
+
+ // Init finished, look at the connection information.
+ showConnectionInfo();
+ }
+ }
+
+ return retCode;
+}
+
+//
+// Protected Methods
+//
+
+void
+IceSSL::SslServerTransceiver::showConnectionInfo()
+{
+ // Only in extreme cases do we enable this, partially because it doesn't use the Logger.
+ if((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0)
+ {
+ IceSSL::OpenSSL::BIOJanitor bioJanitor(BIO_new_fp(stdout, BIO_NOCLOSE));
+ BIO* bio = bioJanitor.get();
+
+ showCertificateChain(bio);
+
+ showPeerCertificate(bio,"Server");
+
+ showSharedCiphers(bio);
+
+ showSelectedCipherInfo(bio);
+
+ showHandshakeStats(bio);
+
+ showSessionInfo(bio);
+ }
+}
+
+// Note: I would use a using directive of the form:
+// using IceSSL::CertificateVerifierPtr;
+// but unfortunately, it appears that this is not properly picked up.
+//
+
+IceSSL::SslServerTransceiver::SslServerTransceiver(const PluginBaseIPtr& plugin,
+ SOCKET fd,
+ const IceSSL::OpenSSL::CertificateVerifierPtr& certVerifier,
+ SSL* sslConnection) :
+ SslTransceiver(plugin, fd, certVerifier, sslConnection)
+{
+ // Set the Accept Connection state for this connection.
+ SSL_set_accept_state(sslConnection);
+}
+
+
generated by cgit v1.2.3 (git 2.46.0) at 2025-08-04 06:36:22 +0000