SSLSocket.cc

/*
 * Copyright 2003 Michael A. Marsh, Cornell University. All rights reserved.
 * This software is released under the modified BSD license.
 * See the file LICENSE in the top-level directory for details.
 */
//
// $Id: SSLSocket.cc,v 1.3 2004/05/19 15:56:57 mmarsh Exp $
//
// $Log: SSLSocket.cc,v $
// Revision 1.3  2004/05/19 15:56:57  mmarsh
// *** empty log message ***
//
// Revision 1.2  2003/11/04 22:20:38  mmarsh
// General code cleanup, including the addition of a few new exception
// classes.
//
//

#include "SSLSocket.h"
#include "CODEX_Quorum/RemoteServer.h"
#include <sys/errno.h>
#include <openssl/err.h>
#include <iostream>
#include <sstream>

#include "timing.h"

using namespace CODEX_SSL;
using namespace CODEX_Quorum;

SSLSocket::SSLSocket( SSL_CTX*  ctx      ,
                      int       domain   ,
                      int       type     ,
                      int       protocol ,
                      bool      blocking ) :
   SocketBase(domain, type, protocol, blocking),
   m_ctx( ctx ),
   m_ssl_con( 0 ),
   m_needRead( false ),
   m_needWrite( false )
{
}

SSLSocket::SSLSocket( const SSLSocket& aOther ) :
   SocketBase( aOther ),
   m_ctx( aOther.m_ctx ),
   m_ssl_con( 0 ),
   m_needRead( false ),
   m_needWrite( false )
{
}

SSLSocket::~SSLSocket()
{
   if ( 0 != m_ssl_con )
   {
      SSL_set_shutdown( m_ssl_con, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN );
      SSL_shutdown( m_ssl_con );
      //close( SSL_get_fd( m_ssl_con ) );
      SSL_free( m_ssl_con );
   }
}

int
SSLSocket::set_fd( fd_set* fd_bitmap, StateType s ) const
{
   bool ok = true;
   switch(s)
   {
      case SocketBase::kRead :
         if ( m_needWrite )
         {
            ok = false;
         }
         break;
      case SocketBase::kWrite :
         if ( m_needRead )
         {
            ok = false;
         }
         break;
   }
   if ( ok )
   {
      return SocketBase::set_fd( fd_bitmap, s );
   }
   return socket();
}

bool
SSLSocket::isset_fd( const fd_set* fd_bitmap, StateType s ) const
{
   if ( m_needWrite && ( SocketBase::kRead == s ) )
   {
      return false;
   }
   if ( m_needRead && ( SocketBase::kWrite == s ) )
   {
      return false;
   }
   // Because SSL abstracts a layer on top of the raw sockets, it is
   // possible that there's data to read from the SSL structure, but
   // the socket itself has nothing left to read.
   if ( ( SocketBase::kRead == s ) &&
        ( 0 != m_ssl_con ) &&
        ( SSL_pending( m_ssl_con ) > 0 ) )
   {
      return true;
   }
   return SocketBase::isset_fd( fd_bitmap, s );
}

size_t
SSLSocket::readFrom( void* output, size_t maxSize ) const
{
   if ( m_needWrite )
   {
      // We should not have been called.
      return 0;
   }
   if ( 0 == m_ssl_con )
   {
      return 0;
   }
#ifdef TIMING
   SSLTimer.start();
#endif
   m_needRead = false;
   int bytesRead = SSL_read( m_ssl_con, output, maxSize );
   switch ( SSL_get_error( m_ssl_con, bytesRead ) )
   {
      case SSL_ERROR_NONE :
         break;
      case SSL_ERROR_ZERO_RETURN :
#ifdef TIMING
         SSLTimer.stop();
#endif
         throw CODEX_Quorum::QSESocketBaseSocketClosed( __FILE__ , __LINE__ ,
                                                        socket(), 0 );
         break;
      case SSL_ERROR_WANT_READ :
      case SSL_ERROR_WANT_WRITE :
      case SSL_ERROR_WANT_CONNECT :
      case SSL_ERROR_WANT_X509_LOOKUP :
         // The action will need to be repeated.
         m_needRead = true;
         bytesRead = 0;
         break;
      case SSL_ERROR_SYSCALL :
      case SSL_ERROR_SSL :
         unsigned long err = ERR_get_error();
#ifdef TIMING
         SSLTimer.stop();
#endif
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
         break;
   }
#ifdef TIMING
   SSLTimer.stop();
#endif
   return bytesRead;
}

int
SSLSocket::internal_write( const unsigned char* output, size_t maxSize ) const
{
   if ( m_needRead )
   {
      // We should not have been called.
      return 0;
   }
   if ( 0 == m_ssl_con )
   {
      return 0;
   }
#ifdef TIMING
   SSLTimer.start();
#endif
   m_needWrite = false;
   int bytesWritten = SSL_write( m_ssl_con, output, maxSize );
   switch ( SSL_get_error( m_ssl_con, bytesWritten ) )
   {
      case SSL_ERROR_NONE :
         break;
      case SSL_ERROR_ZERO_RETURN :
#ifdef TIMING
         SSLTimer.stop();
#endif
         throw CODEX_Quorum::QSESocketBaseSocketClosed( __FILE__ , __LINE__ ,
                                                        socket(), 0 );
         break;
      case SSL_ERROR_WANT_READ :
      case SSL_ERROR_WANT_WRITE :
      case SSL_ERROR_WANT_CONNECT :
      case SSL_ERROR_WANT_X509_LOOKUP :
         // The action will need to be repeated.
         m_needWrite = true;
         bytesWritten = 0;
         break;
      case SSL_ERROR_SYSCALL :
      case SSL_ERROR_SSL :
         unsigned long err = ERR_get_error();
#ifdef TIMING
         SSLTimer.stop();
#endif
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
         break;
   }
#ifdef TIMING
   SSLTimer.stop();
#endif
   return bytesWritten;
}

SocketBase*
SSLSocket::clone()
{
   SocketBase* copy = new SSLSocket( *this );
   return copy;
}

void
SSLSocket::connect( const RemoteServer& server )
{
   if ( 0 != m_ssl_con )
   {
      // The lazy thing to do is just get rid of the existing context,
      // since it should always be 0 before calling connect().
      SSL_free( m_ssl_con );
      m_ssl_con = 0;
   }
   try
   {
      // Set up the socket through the base class.
      SocketBase::connect( server );

      m_ssl_con = SSL_new( m_ctx );
      if ( 0 == m_ssl_con )
      {
         unsigned long err = ERR_get_error();
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
      }
      SSL_set_fd( m_ssl_con, socket() );

      int c;
      do
      {
         c = SSL_connect(m_ssl_con);
         if ( c <= 0 )
         {
            switch ( SSL_get_error( m_ssl_con, c ) )
            {
               case SSL_ERROR_WANT_READ :
               case SSL_ERROR_WANT_WRITE :
                  break;
               default :
                  unsigned long err = ERR_get_error();
                  throw QSESSLSocket( __FILE__ , __LINE__ , err );
            }
         }
      } while ( c <= 0 );
   }
   catch ( QSESSLSocket& e )
   {
      e.report();
      if ( 0 != m_ssl_con ) SSL_free( m_ssl_con );
      m_ssl_con = 0;
      throw;
   }
   catch ( ... )
   {
      if ( 0 != m_ssl_con ) SSL_free( m_ssl_con );
      m_ssl_con = 0;
      throw;
   }
}

void
SSLSocket::finish_accept()
{
   if ( 0 != m_ssl_con )
   {
      // The lazy thing to do is just get rid of the existing context,
      // since it should always be 0 before calling finish_accept().
      SSL_free( m_ssl_con );
      m_ssl_con = 0;
   }
   try
   {
      m_ssl_con = (SSL*) SSL_new(m_ctx);
      if ( 0 == m_ssl_con )
      {
         unsigned long err = ERR_get_error();
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
      }
      SSL_clear(m_ssl_con);
      if ( ! SSL_set_fd( m_ssl_con, socket() ) )
      {
         unsigned long err = ERR_get_error();
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
      }
      SSL_set_accept_state(m_ssl_con);
      // NOTE:  SSL_accept *does not* call an underlying accept(), it just
      //        performs the SSL part of the transaction.
      int a;
      do
      {
         a = SSL_accept(m_ssl_con);
         if ( a <= 0 )
         {
            switch ( SSL_get_error( m_ssl_con, a ) )
            {
               case SSL_ERROR_WANT_READ :
               case SSL_ERROR_WANT_WRITE :
                  break;
               default :
                  unsigned long err = ERR_get_error();
                  throw QSESSLSocket( __FILE__ , __LINE__ , err );
            }
         }
      } while ( a <= 0 );
   }
   catch ( QSESSLSocket& e )
   {
      e.report();
      if ( 0 != m_ssl_con ) SSL_free( m_ssl_con );
      m_ssl_con = 0;
      throw;
   }
   catch ( ... )
   {
      if ( 0 != m_ssl_con ) SSL_free( m_ssl_con );
      m_ssl_con = 0;
      throw;
   }
}

SSLSocketBuilder::SSLSocketBuilder( SSL_METHOD*  meth,
                                    const X509*  cert,
                                    const RSA*   privKey,
                                    const char*  ciphers,
                                    const char*  caCertFile,
                                    const char*  hostCertFile,
                                    int          verify,
                                    int          domain,
                                    int          type,
                                    int          protocol,
                                    bool         blocking ) :
   CODEX_Quorum::SocketBuilder( domain, type, protocol, blocking )
{
   try
   {
      m_ctx = SSL_CTX_new(meth);
      if ( 0 == m_ctx )
      {
         throw SSLNullContextException( __FILE__ , __LINE__ );
      }
//      if ( ! SSL_CTX_use_certificate( m_ctx, X509_dup((X509*)cert) ) )
      if ( ! SSL_CTX_use_certificate( m_ctx, (X509*)cert ) )
      {
         unsigned long err = ERR_get_error();
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
      }
      if ( ! SSL_CTX_use_RSAPrivateKey( m_ctx, (RSA*)privKey ) )
//                                        RSAPrivateKey_dup((RSA*)privKey) ) )
      {
         unsigned long err = ERR_get_error();
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
      }
      if ( ! SSL_CTX_check_private_key( m_ctx ) )
      {
         unsigned long err = ERR_get_error();
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
      }
      if ( 0 == ciphers )
      {
         throw SSLNullCiphersException( __FILE__ , __LINE__ );
      }
      SSL_CTX_set_cipher_list( m_ctx, ciphers );
      if ( ! SSL_CTX_load_verify_locations( m_ctx, caCertFile, 0 ) )
      {
         unsigned long err = ERR_get_error();
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
      }
      if ( ! SSL_CTX_set_default_verify_paths( m_ctx ) )
      {
         unsigned long err = ERR_get_error();
         throw QSESSLSocket( __FILE__ , __LINE__ , err );
      }
      if ( 0 == verify )
      {
         throw SSLVerificationFlagsException( __FILE__ , __LINE__ );
      }
      SSL_CTX_set_verify( m_ctx, verify, 0 );
      SSL_CTX_set_client_CA_list( m_ctx,
                                  SSL_load_client_CA_file(hostCertFile) );
   }
   catch ( ... )
   {
      if ( 0 != m_ctx ) SSL_CTX_free( m_ctx );
      throw;
   }
}

SSLSocketBuilder::~SSLSocketBuilder()
{
   if ( 0 != m_ctx ) SSL_CTX_free( m_ctx );
}

SocketBase*
SSLSocketBuilder::operator()() const
{
   return new SSLSocket( m_ctx, m_domain, m_type, m_protocol, m_blocking );
}


//------ Exceptions ------//

void
QSESSLSocket::errMsg() const
{
   cerr << "SSL error:\n   "
        << ERR_error_string(error(),0);
}

void
SSLExceptionBase::report() const
{
   cerr << "At line " << m_line
        << " of file " << m_fname
        << "\nSSL exception: ";
   derivedMsg();
   cerr << endl;
}

void
SSLNullContextException::derivedMsg() const
{
   cerr << "Invalid context";
}

void
SSLNullCiphersException::derivedMsg() const
{
   cerr << "Invalid cipher list";
}

void
SSLVerificationFlagsException::derivedMsg() const
{
   cerr << "Invalid SSL verification flags";
}

---