github
/
aria2
mirror of https://github.com/aria2/aria2
1
0
Fork 0
Code Issues Releases Wiki Activity

Abstract TLS session implementation 

Now TLS session object is abstracted as TLSSession class. Currently,
we have GNUTLS and OpenSSL implementations.
pull/60/head
Tatsuhiro Tsujikawa 2013-04-03 02:24:41 +09:00
parent 10a19b1382
commit 8580c98bce
9 changed files with 948 additions and 441 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

266
src/LibgnutlsTLSSession.cc Normal file
View File

@ -0,0 +1,266 @@
/* <!-- copyright */
/*
* aria2 - The high speed download utility
*
* Copyright (C) 2013 Tatsuhiro Tsujikawa
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
/* copyright --> */
#include "LibgnutlsTLSSession.h"
#include <gnutls/x509.h>
#include "TLSContext.h"
#include "util.h"
#include "SocketCore.h"
namespace aria2 {
TLSSession::TLSSession(TLSContext* tlsContext)
: sslSession_(0),
tlsContext_(tlsContext),
rv_(0)
{}
TLSSession::~TLSSession()
{
if(sslSession_) {
gnutls_deinit(sslSession_);
}
}
int TLSSession::init(sock_t sockfd)
{
rv_ = gnutls_init(&sslSession_,
tlsContext_->getSide() == TLS_CLIENT ?
GNUTLS_CLIENT : GNUTLS_SERVER);
if(rv_ != GNUTLS_E_SUCCESS) {
return TLS_ERR_ERROR;
}
// It seems err is not error message, but the argument string
// which causes syntax error.
const char* err;
// For client side, disables TLS1.1 here because there are servers
// that don't understand TLS1.1. TODO Is this still necessary?
rv_ = gnutls_priority_set_direct(sslSession_,
tlsContext_->getSide() == TLS_CLIENT ?
"NORMAL:-VERS-TLS1.1" :
"NORMAL",
&err);
if(rv_ != GNUTLS_E_SUCCESS) {
return TLS_ERR_ERROR;
}
// put the x509 credentials to the current session
rv_ = gnutls_credentials_set(sslSession_, GNUTLS_CRD_CERTIFICATE,
tlsContext_->getCertCred());
if(rv_ != GNUTLS_E_SUCCESS) {
return TLS_ERR_ERROR;
}
// TODO Consider to use gnutls_transport_set_int() for GNUTLS 3.1.9
// or later
gnutls_transport_set_ptr(sslSession_,
(gnutls_transport_ptr_t)(ptrdiff_t)sockfd);
return TLS_ERR_OK;
}
int TLSSession::setSNIHostname(const std::string& hostname)
{
// TLS extensions: SNI
rv_ = gnutls_server_name_set(sslSession_, GNUTLS_NAME_DNS,
hostname.c_str(), hostname.size());
if(rv_ != GNUTLS_E_SUCCESS) {
return TLS_ERR_ERROR;
}
return TLS_ERR_OK;
}
int TLSSession::closeConnection()
{
rv_ = gnutls_bye(sslSession_, GNUTLS_SHUT_WR);
if(rv_ == GNUTLS_E_SUCCESS) {
return TLS_ERR_OK;
} else if(rv_ == GNUTLS_E_AGAIN) {
return TLS_ERR_WOULDBLOCK;
} else {
return TLS_ERR_ERROR;
}
}
int TLSSession::checkDirection()
{
int direction = gnutls_record_get_direction(sslSession_);
return direction == 0 ? TLS_WANT_READ : TLS_WANT_WRITE;
}
ssize_t TLSSession::writeData(const void* data, size_t len)
{
while((rv_ = gnutls_record_send(sslSession_, data, len)) ==
GNUTLS_E_INTERRUPTED);
if(rv_ >= 0) {
ssize_t ret = rv_;
rv_ = 0;
return ret;
} else if(rv_ == GNUTLS_E_AGAIN) {
return TLS_ERR_WOULDBLOCK;
} else {
return TLS_ERR_ERROR;
}
}
ssize_t TLSSession::readData(void* data, size_t len)
{
while((rv_ = gnutls_record_recv(sslSession_, data, len)) ==
GNUTLS_E_INTERRUPTED);
if(rv_ >= 0) {
ssize_t ret = rv_;
rv_ = 0;
return ret;
} else if(rv_ == GNUTLS_E_AGAIN) {
return TLS_ERR_WOULDBLOCK;
} else {
return TLS_ERR_ERROR;
}
}
int TLSSession::tlsConnect(const std::string& hostname,
std::string& handshakeErr)
{
handshakeErr = "";
rv_ = gnutls_handshake(sslSession_);
if(rv_ < 0) {
if(rv_ == GNUTLS_E_AGAIN) {
return TLS_ERR_WOULDBLOCK;
} else {
return TLS_ERR_ERROR;
}
}
if(tlsContext_->peerVerificationEnabled()) {
// verify peer
unsigned int status;
rv_ = gnutls_certificate_verify_peers2(sslSession_, &status);
if(rv_ != GNUTLS_E_SUCCESS) {
return TLS_ERR_ERROR;
}
if(status) {
handshakeErr = "";
if(status & GNUTLS_CERT_INVALID) {
handshakeErr += " `not signed by known authorities or invalid'";
}
if(status & GNUTLS_CERT_REVOKED) {
handshakeErr += " `revoked by its CA'";
}
if(status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
handshakeErr += " `issuer is not known'";
}
// TODO should check GNUTLS_CERT_SIGNER_NOT_CA ?
if(status & GNUTLS_CERT_INSECURE_ALGORITHM) {
handshakeErr += " `insecure algorithm'";
}
if(status & GNUTLS_CERT_NOT_ACTIVATED) {
handshakeErr += " `not activated yet'";
}
if(status & GNUTLS_CERT_EXPIRED) {
handshakeErr += " `expired'";
}
// TODO Add GNUTLS_CERT_SIGNATURE_FAILURE here
if(!handshakeErr.empty()) {
return TLS_ERR_ERROR;
}
}
// certificate type: only X509 is allowed.
if(gnutls_certificate_type_get(sslSession_) != GNUTLS_CRT_X509) {
handshakeErr = "certificate type must be X509";
return TLS_ERR_ERROR;
}
unsigned int peerCertsLength;
const gnutls_datum_t* peerCerts;
peerCerts = gnutls_certificate_get_peers(sslSession_, &peerCertsLength);
if(!peerCerts || peerCertsLength == 0 ) {
handshakeErr = "certificate not found";
return TLS_ERR_ERROR;
}
gnutls_x509_crt_t cert;
rv_ = gnutls_x509_crt_init(&cert);
if(rv_ != GNUTLS_E_SUCCESS) {
return TLS_ERR_ERROR;
}
auto_delete<gnutls_x509_crt_t> certDeleter(cert, gnutls_x509_crt_deinit);
rv_ = gnutls_x509_crt_import(cert, &peerCerts[0], GNUTLS_X509_FMT_DER);
if(rv_ != GNUTLS_E_SUCCESS) {
return TLS_ERR_ERROR;
}
std::string commonName;
std::vector<std::string> dnsNames;
std::vector<std::string> ipAddrs;
int ret = 0;
char altName[256];
size_t altNameLen;
for(int i = 0; !(ret < 0); ++i) {
altNameLen = sizeof(altName);
ret = gnutls_x509_crt_get_subject_alt_name(cert, i, altName,
&altNameLen, 0);
if(ret == GNUTLS_SAN_DNSNAME) {
dnsNames.push_back(std::string(altName, altNameLen));
} else if(ret == GNUTLS_SAN_IPADDRESS) {
ipAddrs.push_back(std::string(altName, altNameLen));
}
}
altNameLen = sizeof(altName);
ret = gnutls_x509_crt_get_dn_by_oid(cert,
GNUTLS_OID_X520_COMMON_NAME, 0, 0,
altName, &altNameLen);
if(ret == 0) {
commonName.assign(altName, altNameLen);
}
if(!net::verifyHostname(hostname, dnsNames, ipAddrs, commonName)) {
handshakeErr = "hostname does not match";
return TLS_ERR_ERROR;
}
}
return TLS_ERR_OK;
}
int TLSSession::tlsAccept()
{
rv_ = gnutls_handshake(sslSession_);
if(rv_ == GNUTLS_E_SUCCESS) {
return TLS_ERR_OK;
} else if(rv_ == GNUTLS_E_AGAIN) {
return TLS_ERR_WOULDBLOCK;
} else {
return TLS_ERR_ERROR;
}
}
std::string TLSSession::getLastErrorString()
{
return gnutls_strerror(rv_);
}
} // namespace aria2

73
src/LibgnutlsTLSSession.h Normal file
View File

@ -0,0 +1,73 @@
/* <!-- copyright */
/*
* aria2 - The high speed download utility
*
* Copyright (C) 2013 Tatsuhiro Tsujikawa
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
/* copyright --> */
#ifndef LIBGNUTLS_TLS_SESSION_H
#define LIBGNUTLS_TLS_SESSION_H
#include "common.h"
#include <gnutls/gnutls.h>
#include <string>
#include "TLSSessionConst.h"
#include "a2netcompat.h"
namespace aria2 {
class TLSContext;
class TLSSession {
public:
TLSSession(TLSContext* tlsContext);
~TLSSession();
int init(sock_t sockfd);
int setSNIHostname(const std::string& hostname);
int closeConnection();
int checkDirection();
ssize_t writeData(const void* data, size_t len);
ssize_t readData(void* data, size_t len);
int tlsConnect(const std::string& hostname, std::string& handshakeErr);
int tlsAccept();
std::string getLastErrorString();
private:
gnutls_session_t sslSession_;
TLSContext* tlsContext_;
// Last error code from gnutls library functions
int rv_;
};
} // namespace aria2
#endif // LIBGNUTLS_TLS_SESSION_H

299
src/LibsslTLSSession.cc Normal file
View File

@ -0,0 +1,299 @@
/* <!-- copyright */
/*
* aria2 - The high speed download utility
*
* Copyright (C) 2013 Tatsuhiro Tsujikawa
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
/* copyright --> */
#include "LibsslTLSSession.h"
#include <openssl/err.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include "TLSContext.h"
#include "util.h"
#include "SocketCore.h"
namespace aria2 {
TLSSession::TLSSession(TLSContext* tlsContext)
: ssl_(0),
tlsContext_(tlsContext),
rv_(1)
{}
TLSSession::~TLSSession()
{
if(ssl_) {
SSL_shutdown(ssl_);
}
}
int TLSSession::init(sock_t sockfd)
{
ERR_clear_error();
ssl_ = SSL_new(tlsContext_->getSSLCtx());
if(!ssl_) {
return TLS_ERR_ERROR;
}
rv_ = SSL_set_fd(ssl_, sockfd);
if(rv_ == 0) {
return TLS_ERR_ERROR;
}
return TLS_ERR_OK;
}
int TLSSession::setSNIHostname(const std::string& hostname)
{
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
ERR_clear_error();
// TLS extensions: SNI. There is not documentation about the
// return code for this function (actually this is macro
// wrapping SSL_ctrl at the time of this writing).
SSL_set_tlsext_host_name(ssl_, hostname.c_str());
#endif // SSL_CTRL_SET_TLSEXT_HOSTNAME
return TLS_ERR_OK;
}
int TLSSession::closeConnection()
{
ERR_clear_error();
SSL_shutdown(ssl_);
// TODO handle return value
return TLS_ERR_OK;
}
int TLSSession::checkDirection()
{
int error = SSL_get_error(ssl_, rv_);
if(error == SSL_ERROR_WANT_WRITE) {
return TLS_WANT_WRITE;
} else {
// TODO We ignore error other than SSL_ERR_WANT_READ here for now
return TLS_WANT_READ;
}
}
namespace {
bool wouldblock(SSL* ssl, int rv)
{
int error = SSL_get_error(ssl, rv);
return error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE;
}
} // namespace
ssize_t TLSSession::writeData(const void* data, size_t len)
{
ERR_clear_error();
rv_ = SSL_write(ssl_, data, len);
if(rv_ <= 0) {
if(wouldblock(ssl_, rv_)) {
return TLS_ERR_WOULDBLOCK;
} else {
return TLS_ERR_ERROR;
}
} else {
ssize_t ret = rv_;
rv_ = 1;
return ret;
}
}
ssize_t TLSSession::readData(void* data, size_t len)
{
ERR_clear_error();
rv_ = SSL_read(ssl_, data, len);
if(rv_ <= 0) {
if(wouldblock(ssl_, rv_)) {
return TLS_ERR_WOULDBLOCK;
} else {
return TLS_ERR_ERROR;
}
} else {
ssize_t ret = rv_;
rv_ = 1;
return ret;
}
}
int TLSSession::handshake()
{
ERR_clear_error();
if(tlsContext_->getSide() == TLS_CLIENT) {
rv_ = SSL_connect(ssl_);
} else {
rv_ = SSL_accept(ssl_);
}
if(rv_ <= 0) {
int sslError = SSL_get_error(ssl_, rv_);
switch(sslError) {
case SSL_ERROR_NONE:
case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_ZERO_RETURN:
// TODO Now assume we are doing non-blocking. Then above 2
// errors are OK.
break;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
return TLS_ERR_WOULDBLOCK;
default:
return TLS_ERR_ERROR;
}
}
return TLS_ERR_OK;
}
int TLSSession::tlsConnect(const std::string& hostname,
std::string& handshakeErr)
{
handshakeErr = "";
int ret;
ret = handshake();
if(ret != TLS_ERR_OK) {
return ret;
}
if(tlsContext_->getSide() == TLS_CLIENT &&
tlsContext_->peerVerificationEnabled()) {
// verify peer
X509* peerCert = SSL_get_peer_certificate(ssl_);
if(!peerCert) {
handshakeErr = "certificate not found";
return TLS_ERR_ERROR;
}
auto_delete<X509*> certDeleter(peerCert, X509_free);
long verifyResult = SSL_get_verify_result(ssl_);
if(verifyResult != X509_V_OK) {
handshakeErr = X509_verify_cert_error_string(verifyResult);
return TLS_ERR_ERROR;
}
std::string commonName;
std::vector<std::string> dnsNames;
std::vector<std::string> ipAddrs;
GENERAL_NAMES* altNames;
altNames = reinterpret_cast<GENERAL_NAMES*>
(X509_get_ext_d2i(peerCert, NID_subject_alt_name, NULL, NULL));
if(altNames) {
auto_delete<GENERAL_NAMES*> altNamesDeleter
(altNames, GENERAL_NAMES_free);
size_t n = sk_GENERAL_NAME_num(altNames);
for(size_t i = 0; i < n; ++i) {
const GENERAL_NAME* altName = sk_GENERAL_NAME_value(altNames, i);
if(altName->type == GEN_DNS) {
const char* name =
reinterpret_cast<char*>(ASN1_STRING_data(altName->d.ia5));
if(!name) {
continue;
}
size_t len = ASN1_STRING_length(altName->d.ia5);
dnsNames.push_back(std::string(name, len));
} else if(altName->type == GEN_IPADD) {
const unsigned char* ipAddr = altName->d.iPAddress->data;
if(!ipAddr) {
continue;
}
size_t len = altName->d.iPAddress->length;
ipAddrs.push_back(std::string(reinterpret_cast<const char*>(ipAddr),
len));
}
}
}
X509_NAME* subjectName = X509_get_subject_name(peerCert);
if(!subjectName) {
handshakeErr = "could not get X509 name object from the certificate.";
return TLS_ERR_ERROR;
}
int lastpos = -1;
while(1) {
lastpos = X509_NAME_get_index_by_NID(subjectName, NID_commonName,
lastpos);
if(lastpos == -1) {
break;
}
X509_NAME_ENTRY* entry = X509_NAME_get_entry(subjectName, lastpos);
unsigned char* out;
int outlen = ASN1_STRING_to_UTF8(&out,
X509_NAME_ENTRY_get_data(entry));
if(outlen < 0) {
continue;
}
commonName.assign(&out[0], &out[outlen]);
OPENSSL_free(out);
break;
}
if(!net::verifyHostname(hostname, dnsNames, ipAddrs, commonName)) {
handshakeErr = "hostname does not match";
return TLS_ERR_ERROR;
}
}
return TLS_ERR_OK;
}
int TLSSession::tlsAccept()
{
return handshake();
}
std::string TLSSession::getLastErrorString()
{
if(rv_ <= 0) {
int sslError = SSL_get_error(ssl_, rv_);
switch(sslError) {
case SSL_ERROR_NONE:
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_ZERO_RETURN:
return "";
case SSL_ERROR_SYSCALL: {
int err = ERR_get_error();
if(err == 0) {
if(rv_ == 0) {
return "EOF was received";
} else if(rv_ == -1) {
return "SSL I/O error";
} else {
return "unknown syscall error";
}
} else {
return ERR_error_string(err, 0);
}
}
case SSL_ERROR_SSL:
return "protocol error";
default:
return "unknown error";
}
} else {
return "";
}
}
} // namespace aria2

74
src/LibsslTLSSession.h Normal file
View File

@ -0,0 +1,74 @@
/* <!-- copyright */
/*
* aria2 - The high speed download utility
*
* Copyright (C) 2013 Tatsuhiro Tsujikawa
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
/* copyright --> */
#ifndef LIBSSL_TLS_SESSION_H
#define LIBSSL_TLS_SESSION_H
#include "common.h"
#include <openssl/ssl.h>
#include <string>
#include "TLSSessionConst.h"
#include "a2netcompat.h"
namespace aria2 {
class TLSContext;
class TLSSession {
public:
TLSSession(TLSContext* tlsContext);
~TLSSession();
int init(sock_t sockfd);
int setSNIHostname(const std::string& hostname);
int closeConnection();
int checkDirection();
ssize_t writeData(const void* data, size_t len);
ssize_t readData(void* data, size_t len);
int tlsConnect(const std::string& hostname, std::string& handshakeErr);
int tlsAccept();
std::string getLastErrorString();
private:
int handshake();
SSL* ssl_;
TLSContext* tlsContext_;
// Last error code from openSSL library functions
int rv_;
};
} // namespace aria2
#endif // LIBSSL_TLS_SESSION_H

8
src/Makefile.am
View File

@ -299,11 +299,14 @@ SRCS += EpollEventPoll.cc EpollEventPoll.h
endif # HAVE_EPOLL endif # HAVE_EPOLL
if ENABLE_SSL if ENABLE_SSL
SRCS += TLSContext.h SRCS += TLSContext.h\
TLSSession.h\
TLSSessionConst.h
endif # ENABLE_SSL endif # ENABLE_SSL
if HAVE_LIBGNUTLS if HAVE_LIBGNUTLS
SRCS += LibgnutlsTLSContext.cc LibgnutlsTLSContext.h SRCS += LibgnutlsTLSContext.cc LibgnutlsTLSContext.h\
LibgnutlsTLSSession.cc LibgnutlsTLSSession.h
endif # HAVE_LIBGNUTLS endif # HAVE_LIBGNUTLS
if HAVE_LIBGCRYPT if HAVE_LIBGCRYPT
@ -324,6 +327,7 @@ endif # HAVE_LIBGMP
if HAVE_OPENSSL if HAVE_OPENSSL
SRCS += LibsslTLSContext.cc LibsslTLSContext.h\ SRCS += LibsslTLSContext.cc LibsslTLSContext.h\
LibsslTLSSession.cc LibsslTLSSession.h\
LibsslMessageDigestImpl.cc LibsslMessageDigestImpl.h\ LibsslMessageDigestImpl.cc LibsslMessageDigestImpl.h\
LibsslARC4Encryptor.cc LibsslARC4Encryptor.h\ LibsslARC4Encryptor.cc LibsslARC4Encryptor.h\
LibsslDHKeyExchange.cc LibsslDHKeyExchange.h LibsslDHKeyExchange.cc LibsslDHKeyExchange.h

463
src/SocketCore.cc
View File

@ -46,15 +46,6 @@
#include <cerrno> #include <cerrno>
#include <cstring> #include <cstring>
#ifdef HAVE_OPENSSL
# include <openssl/x509.h>
# include <openssl/x509v3.h>
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
# include <gnutls/x509.h>
#endif // HAVE_LIBGNUTLS
#include "message.h" #include "message.h"
#include "DlRetryEx.h" #include "DlRetryEx.h"
#include "DlAbortEx.h" #include "DlAbortEx.h"
@ -66,6 +57,7 @@
#include "A2STR.h" #include "A2STR.h"
#ifdef ENABLE_SSL #ifdef ENABLE_SSL
# include "TLSContext.h" # include "TLSContext.h"
# include "TLSSession.h"
#endif // ENABLE_SSL #endif // ENABLE_SSL
namespace aria2 { namespace aria2 {
@ -179,14 +171,6 @@ void SocketCore::init()
wantRead_ = false; wantRead_ = false;
wantWrite_ = false; wantWrite_ = false;
#ifdef HAVE_OPENSSL
// for SSL
ssl = NULL;
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
sslSession_ = 0;
#endif //HAVE_LIBGNUTLS
} }
SocketCore::~SocketCore() { SocketCore::~SocketCore() {
@ -586,33 +570,15 @@ void SocketCore::setBlockingMode()
void SocketCore::closeConnection() void SocketCore::closeConnection()
{ {
#ifdef HAVE_OPENSSL if(tlsSession_) {
// for SSL tlsSession_->closeConnection();
if(secure_) { tlsSession_.reset();
SSL_shutdown(ssl);
} }
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
if(secure_) {
gnutls_bye(sslSession_, GNUTLS_SHUT_WR);
}
#endif // HAVE_LIBGNUTLS
if(sockfd_ != (sock_t) -1) { if(sockfd_ != (sock_t) -1) {
shutdown(sockfd_, SHUT_WR); shutdown(sockfd_, SHUT_WR);
CLOSE(sockfd_); CLOSE(sockfd_);
sockfd_ = -1; sockfd_ = -1;
} }
#ifdef HAVE_OPENSSL
// for SSL
if(secure_) {
SSL_free(ssl);
}
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
if(secure_) {
gnutls_deinit(sslSession_);
}
#endif // HAVE_LIBGNUTLS
} }
#ifndef __MINGW32__ #ifndef __MINGW32__
@ -716,34 +682,6 @@ bool SocketCore::isReadable(time_t timeout)
#endif // !HAVE_POLL #endif // !HAVE_POLL
} }
#ifdef HAVE_OPENSSL
int SocketCore::sslHandleEAGAIN(int ret)
{
int error = SSL_get_error(ssl, ret);
if(error == SSL_ERROR_WANT_READ || error == SSL_ERROR_WANT_WRITE) {
ret = 0;
if(error == SSL_ERROR_WANT_READ) {
wantRead_ = true;
} else {
wantWrite_ = true;
}
}
return ret;
}
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
void SocketCore::gnutlsRecordCheckDirection()
{
int direction = gnutls_record_get_direction(sslSession_);
if(direction == 0) {
wantRead_ = true;
} else { // if(direction == 1) {
wantWrite_ = true;
}
}
#endif // HAVE_LIBGNUTLS
ssize_t SocketCore::writeVector(a2iovec *iov, size_t iovcnt) ssize_t SocketCore::writeVector(a2iovec *iov, size_t iovcnt)
{ {
ssize_t ret = 0; ssize_t ret = 0;
@ -805,29 +743,21 @@ ssize_t SocketCore::writeData(const void* data, size_t len)
} }
} }
} else { } else {
#ifdef HAVE_OPENSSL ret = tlsSession_->writeData(data, len);
ERR_clear_error();
ret = SSL_write(ssl, data, len);
if(ret < 0) { if(ret < 0) {
ret = sslHandleEAGAIN(ret); if(ret == TLS_ERR_WOULDBLOCK) {
if(tlsSession_->checkDirection() == TLS_WANT_READ) {
wantRead_ = true;
} else {
wantWrite_ = true;
} }
if(ret < 0) {
throw DL_RETRY_EX
(fmt(EX_SOCKET_SEND, ERR_error_string(ERR_get_error(), 0)));
}
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
while((ret = gnutls_record_send(sslSession_, data, len)) ==
GNUTLS_E_INTERRUPTED);
if(ret == GNUTLS_E_AGAIN) {
gnutlsRecordCheckDirection();
ret = 0; ret = 0;
} else if(ret < 0) { } else {
throw DL_RETRY_EX(fmt(EX_SOCKET_SEND, gnutls_strerror(ret))); throw DL_RETRY_EX(fmt(EX_SOCKET_SEND,
tlsSession_->getLastErrorString().c_str()));
}
} }
#endif // HAVE_LIBGNUTLS
} }
return ret; return ret;
} }
@ -851,31 +781,21 @@ void SocketCore::readData(void* data, size_t& len)
} }
} }
} else { } else {
#ifdef HAVE_OPENSSL ret = tlsSession_->readData(data, len);
// for SSL
// TODO handling len == 0 case required
ERR_clear_error();
ret = SSL_read(ssl, data, len);
if(ret < 0) { if(ret < 0) {
ret = sslHandleEAGAIN(ret); if(ret == TLS_ERR_WOULDBLOCK) {
if(tlsSession_->checkDirection() == TLS_WANT_READ) {
wantRead_ = true;
} else {
wantWrite_ = true;
} }
if(ret < 0) {
throw DL_RETRY_EX
(fmt(EX_SOCKET_RECV, ERR_error_string(ERR_get_error(), 0)));
}
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
while((ret = gnutls_record_recv(sslSession_, data, len)) ==
GNUTLS_E_INTERRUPTED);
if(ret == GNUTLS_E_AGAIN) {
gnutlsRecordCheckDirection();
ret = 0; ret = 0;
} else if(ret < 0) { } else {
throw DL_RETRY_EX(fmt(EX_SOCKET_RECV, gnutls_strerror(ret))); throw DL_RETRY_EX(fmt(EX_SOCKET_SEND,
tlsSession_->getLastErrorString().c_str()));
}
} }
#endif // HAVE_LIBGNUTLS
} }
len = ret; len = ret;
} }
@ -893,324 +813,57 @@ bool SocketCore::tlsConnect(const std::string& hostname)
bool SocketCore::tlsHandshake(TLSContext* tlsctx, const std::string& hostname) bool SocketCore::tlsHandshake(TLSContext* tlsctx, const std::string& hostname)
{ {
int rv = 0;
std::string handshakeError;
wantRead_ = false; wantRead_ = false;
wantWrite_ = false; wantWrite_ = false;
#ifdef HAVE_OPENSSL
switch(secure_) { switch(secure_) {
case A2_TLS_NONE: case A2_TLS_NONE:
ssl = SSL_new(tlsctx->getSSLCtx()); tlsSession_.reset(new TLSSession(tlsctx));
if(!ssl) { rv = tlsSession_->init(sockfd_);
throw DL_ABORT_EX if(rv != TLS_ERR_OK) {
(fmt(EX_SSL_INIT_FAILURE, ERR_error_string(ERR_get_error(), 0))); std::string error = tlsSession_->getLastErrorString();
tlsSession_.reset();
throw DL_ABORT_EX(fmt(EX_SSL_INIT_FAILURE, error.c_str()));
} }
if(SSL_set_fd(ssl, sockfd_) == 0) {
throw DL_ABORT_EX
(fmt(EX_SSL_INIT_FAILURE, ERR_error_string(ERR_get_error(), 0)));
}
// Fall through
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
if(tlsctx->getSide() == TLS_CLIENT && !util::isNumericHost(hostname)) {
// TLS extensions: SNI. There is not documentation about the
// return code for this function (actually this is macro
// wrapping SSL_ctrl at the time of this writing).
SSL_set_tlsext_host_name(ssl, hostname.c_str());
}
#endif // SSL_CTRL_SET_TLSEXT_HOSTNAME
secure_ = A2_TLS_HANDSHAKING;
// Fall through
case A2_TLS_HANDSHAKING: {
ERR_clear_error();
int e;
if(tlsctx->getSide() == TLS_CLIENT) {
e = SSL_connect(ssl);
} else {
e = SSL_accept(ssl);
}
if (e <= 0) {
int ssl_error = SSL_get_error(ssl, e);
switch(ssl_error) {
case SSL_ERROR_NONE:
break;
case SSL_ERROR_WANT_READ:
wantRead_ = true;
return false;
case SSL_ERROR_WANT_WRITE:
wantWrite_ = true;
return false;
case SSL_ERROR_WANT_X509_LOOKUP:
case SSL_ERROR_ZERO_RETURN:
if (blocking_) {
throw DL_ABORT_EX(fmt(EX_SSL_CONNECT_ERROR, ssl_error));
}
break;
case SSL_ERROR_SYSCALL: {
int sslErr = ERR_get_error();
if(sslErr == 0) {
if(e == 0) {
throw DL_ABORT_EX("Got EOF in SSL handshake");
} else if(e == -1) {
throw DL_ABORT_EX(fmt("SSL I/O error: %s", strerror(errno)));
} else {
throw DL_ABORT_EX(EX_SSL_IO_ERROR);
}
} else {
throw DL_ABORT_EX(fmt("SSL I/O error: %s",
ERR_error_string(sslErr, 0)));
}
}
case SSL_ERROR_SSL:
throw DL_ABORT_EX(EX_SSL_PROTOCOL_ERROR);
default:
throw DL_ABORT_EX(fmt(EX_SSL_UNKNOWN_ERROR, ssl_error));
}
}
if(tlsctx->getSide() == TLS_CLIENT &&
tlsctx->peerVerificationEnabled()) {
// verify peer
X509* peerCert = SSL_get_peer_certificate(ssl);
if(!peerCert) {
throw DL_ABORT_EX(MSG_NO_CERT_FOUND);
}
auto_delete<X509*> certDeleter(peerCert, X509_free);
long verifyResult = SSL_get_verify_result(ssl);
if(verifyResult != X509_V_OK) {
throw DL_ABORT_EX
(fmt(MSG_CERT_VERIFICATION_FAILED,
X509_verify_cert_error_string(verifyResult)));
}
std::string commonName;
std::vector<std::string> dnsNames;
std::vector<std::string> ipAddrs;
GENERAL_NAMES* altNames;
altNames = reinterpret_cast<GENERAL_NAMES*>
(X509_get_ext_d2i(peerCert, NID_subject_alt_name, NULL, NULL));
if(altNames) {
auto_delete<GENERAL_NAMES*> altNamesDeleter
(altNames, GENERAL_NAMES_free);
size_t n = sk_GENERAL_NAME_num(altNames);
for(size_t i = 0; i < n; ++i) {
const GENERAL_NAME* altName = sk_GENERAL_NAME_value(altNames, i);
if(altName->type == GEN_DNS) {
const char* name =
reinterpret_cast<char*>(ASN1_STRING_data(altName->d.ia5));
if(!name) {
continue;
}
size_t len = ASN1_STRING_length(altName->d.ia5);
dnsNames.push_back(std::string(name, len));
} else if(altName->type == GEN_IPADD) {
const unsigned char* ipAddr = altName->d.iPAddress->data;
if(!ipAddr) {
continue;
}
size_t len = altName->d.iPAddress->length;
ipAddrs.push_back(std::string(reinterpret_cast<const char*>(ipAddr),
len));
}
}
}
X509_NAME* subjectName = X509_get_subject_name(peerCert);
if(!subjectName) {
throw DL_ABORT_EX
("Could not get X509 name object from the certificate.");
}
int lastpos = -1;
while(1) {
lastpos = X509_NAME_get_index_by_NID(subjectName, NID_commonName,
lastpos);
if(lastpos == -1) {
break;
}
X509_NAME_ENTRY* entry = X509_NAME_get_entry(subjectName, lastpos);
unsigned char* out;
int outlen = ASN1_STRING_to_UTF8(&out,
X509_NAME_ENTRY_get_data(entry));
if(outlen < 0) {
continue;
}
commonName.assign(&out[0], &out[outlen]);
OPENSSL_free(out);
break;
}
if(!net::verifyHostname(hostname, dnsNames, ipAddrs, commonName)) {
throw DL_ABORT_EX(MSG_HOSTNAME_NOT_MATCH);
}
}
secure_ = A2_TLS_CONNECTED;
break;
}
default:
break;
}
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
switch(secure_) {
case A2_TLS_NONE:
int r;
gnutls_init(&sslSession_,
tlsctx->getSide() == TLS_CLIENT ?
GNUTLS_CLIENT : GNUTLS_SERVER);
// It seems err is not error message, but the argument string
// which causes syntax error.
const char* err;
// For client side, disables TLS1.1 here because there are servers
// that don't understand TLS1.1. TODO Is this still necessary?
r = gnutls_priority_set_direct(sslSession_,
tlsctx->getSide() == TLS_CLIENT ?
"NORMAL:-VERS-TLS1.1" :
"NORMAL",
&err);
if(r != GNUTLS_E_SUCCESS) {
throw DL_ABORT_EX(fmt(EX_SSL_INIT_FAILURE, gnutls_strerror(r)));
}
// put the x509 credentials to the current session
gnutls_credentials_set(sslSession_, GNUTLS_CRD_CERTIFICATE,
tlsctx->getCertCred());
gnutls_transport_set_ptr(sslSession_, (gnutls_transport_ptr_t)sockfd_);
if(tlsctx->getSide() == TLS_CLIENT) {
// Check hostname is not numeric and it includes ".". Setting // Check hostname is not numeric and it includes ".". Setting
// "localhost" will produce TLS alert. // "localhost" will produce TLS alert with GNUTLS.
if(!util::isNumericHost(hostname) && if(tlsctx->getSide() == TLS_CLIENT &&
!util::isNumericHost(hostname) &&
hostname.find(".") != std::string::npos) { hostname.find(".") != std::string::npos) {
// TLS extensions: SNI rv = tlsSession_->setSNIHostname(hostname);
int ret = gnutls_server_name_set(sslSession_, GNUTLS_NAME_DNS, if(rv != TLS_ERR_OK) {
hostname.c_str(), hostname.size()); throw DL_ABORT_EX(fmt(EX_SSL_INIT_FAILURE,
if(ret < 0) { tlsSession_->getLastErrorString().c_str()));
A2_LOG_WARN(fmt
("Setting hostname in SNI extension failed. Cause: %s",
gnutls_strerror(ret)));
}
} }
} }
secure_ = A2_TLS_HANDSHAKING; secure_ = A2_TLS_HANDSHAKING;
// Fall through // Fall through
case A2_TLS_HANDSHAKING: { case A2_TLS_HANDSHAKING:
int ret = gnutls_handshake(sslSession_); if(tlsctx->getSide() == TLS_CLIENT) {
if(ret == GNUTLS_E_AGAIN) { rv = tlsSession_->tlsConnect(hostname, handshakeError);
gnutlsRecordCheckDirection(); } else {
return false; rv = tlsSession_->tlsAccept();
} else if(ret < 0) {
throw DL_ABORT_EX(fmt(EX_SSL_INIT_FAILURE, gnutls_strerror(ret)));
}
if(tlsctx->getSide() == TLS_CLIENT && tlsctx->peerVerificationEnabled()) {
// verify peer
unsigned int status;
ret = gnutls_certificate_verify_peers2(sslSession_, &status);
if(ret < 0) {
throw DL_ABORT_EX
(fmt("gnutls_certificate_verify_peer2() failed. Cause: %s",
gnutls_strerror(ret)));
}
if(status) {
std::string errors;
if(status & GNUTLS_CERT_INVALID) {
errors += " `not signed by known authorities or invalid'";
}
if(status & GNUTLS_CERT_REVOKED) {
errors += " `revoked by its CA'";
}
if(status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
errors += " `issuer is not known'";
}
// TODO should check GNUTLS_CERT_SIGNER_NOT_CA ?
if(status & GNUTLS_CERT_INSECURE_ALGORITHM) {
errors += " `insecure algorithm'";
}
if(status & GNUTLS_CERT_NOT_ACTIVATED) {
errors += " `not activated yet'";
}
if(status & GNUTLS_CERT_EXPIRED) {
errors += " `expired'";
}
// TODO Add GNUTLS_CERT_SIGNATURE_FAILURE here
if(!errors.empty()) {
throw DL_ABORT_EX(fmt(MSG_CERT_VERIFICATION_FAILED, errors.c_str()));
}
}
// certificate type: only X509 is allowed.
if(gnutls_certificate_type_get(sslSession_) != GNUTLS_CRT_X509) {
throw DL_ABORT_EX("Certificate type is not X509.");
}
unsigned int peerCertsLength;
const gnutls_datum_t* peerCerts = gnutls_certificate_get_peers
(sslSession_, &peerCertsLength);
if(!peerCerts || peerCertsLength == 0 ) {
throw DL_ABORT_EX(MSG_NO_CERT_FOUND);
}
Time now;
for(unsigned int i = 0; i < peerCertsLength; ++i) {
gnutls_x509_crt_t cert;
ret = gnutls_x509_crt_init(&cert);
if(ret < 0) {
throw DL_ABORT_EX
(fmt("gnutls_x509_crt_init() failed. Cause: %s",
gnutls_strerror(ret)));
}
auto_delete<gnutls_x509_crt_t> certDeleter
(cert, gnutls_x509_crt_deinit);
ret = gnutls_x509_crt_import(cert, &peerCerts[i], GNUTLS_X509_FMT_DER);
if(ret < 0) {
throw DL_ABORT_EX
(fmt("gnutls_x509_crt_import() failed. Cause: %s",
gnutls_strerror(ret)));
}
if(i == 0) {
std::string commonName;
std::vector<std::string> dnsNames;
std::vector<std::string> ipAddrs;
int ret = 0;
char altName[256];
size_t altNameLen;
for(int j = 0; !(ret < 0); ++j) {
altNameLen = sizeof(altName);
ret = gnutls_x509_crt_get_subject_alt_name(cert, j, altName,
&altNameLen, 0);
if(ret == GNUTLS_SAN_DNSNAME) {
dnsNames.push_back(std::string(altName, altNameLen));
} else if(ret == GNUTLS_SAN_IPADDRESS) {
ipAddrs.push_back(std::string(altName, altNameLen));
}
}
altNameLen = sizeof(altName);
ret = gnutls_x509_crt_get_dn_by_oid(cert,
GNUTLS_OID_X520_COMMON_NAME, 0, 0,
altName, &altNameLen);
if(ret == 0) {
commonName.assign(altName, altNameLen);
}
if(!net::verifyHostname(hostname, dnsNames, ipAddrs, commonName)) {
throw DL_ABORT_EX(MSG_HOSTNAME_NOT_MATCH);
}
}
time_t activationTime = gnutls_x509_crt_get_activation_time(cert);
if(activationTime == -1) {
throw DL_ABORT_EX("Could not get activation time from certificate.");
}
if(now.getTime() < activationTime) {
throw DL_ABORT_EX("Certificate is not activated yet.");
}
time_t expirationTime = gnutls_x509_crt_get_expiration_time(cert);
if(expirationTime == -1) {
throw DL_ABORT_EX("Could not get expiration time from certificate.");
}
if(expirationTime < now.getTime()) {
throw DL_ABORT_EX("Certificate has expired.");
}
}
} }
if(rv == TLS_ERR_OK) {
secure_ = A2_TLS_CONNECTED; secure_ = A2_TLS_CONNECTED;
break; } else if(rv == TLS_ERR_WOULDBLOCK) {
if(tlsSession_->checkDirection() == TLS_WANT_READ) {
wantRead_ = true;
} else {
wantWrite_ = true;
} }
return false;
} else {
throw DL_ABORT_EX(fmt("SSL/TLS handshake failure: %s",
handshakeError.empty() ?
tlsSession_->getLastErrorString().c_str() :
handshakeError.c_str()));
}
break;
default: default:
break; break;
} }
#endif // HAVE_LIBGNUTLS
return true; return true;
} }

37
src/SocketCore.h
View File

@ -43,16 +43,6 @@
#include <vector> #include <vector>
#include "a2netcompat.h" #include "a2netcompat.h"
#ifdef HAVE_OPENSSL
// for SSL
# include <openssl/ssl.h>
# include <openssl/err.h>
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
# include <gnutls/gnutls.h>
#endif // HAVE_LIBGNUTLS
#include "SharedHandle.h" #include "SharedHandle.h"
#include "a2io.h" #include "a2io.h"
#include "a2netcompat.h" #include "a2netcompat.h"
@ -62,6 +52,7 @@ namespace aria2 {
#ifdef ENABLE_SSL #ifdef ENABLE_SSL
class TLSContext; class TLSContext;
class TLSSession;
#endif // ENABLE_SSL #endif // ENABLE_SSL
class SocketCore { class SocketCore {
@ -89,27 +80,9 @@ private:
static SharedHandle<TLSContext> clTlsContext_; static SharedHandle<TLSContext> clTlsContext_;
// TLS context for server side // TLS context for server side
static SharedHandle<TLSContext> svTlsContext_; static SharedHandle<TLSContext> svTlsContext_;
#endif // ENABLE_SSL
#ifdef HAVE_OPENSSL SharedHandle<TLSSession> tlsSession_;
// for SSL
SSL* ssl;
int sslHandleEAGAIN(int ret);
#endif // HAVE_OPENSSL
#ifdef HAVE_LIBGNUTLS
gnutls_session_t sslSession_;
void gnutlsRecordCheckDirection();
#endif // HAVE_LIBGNUTLS
void init();
void bind(const struct sockaddr* addr, socklen_t addrlen);
void setSockOpt(int level, int optname, void* optval, socklen_t optlen);
#ifdef ENABLE_SSL
/** /**
* Makes this socket secure. The connection must be established * Makes this socket secure. The connection must be established
* before calling this method. * before calling this method.
@ -119,6 +92,12 @@ private:
bool tlsHandshake(TLSContext* tlsctx, const std::string& hostname); bool tlsHandshake(TLSContext* tlsctx, const std::string& hostname);
#endif // ENABLE_SSL #endif // ENABLE_SSL
void init();
void bind(const struct sockaddr* addr, socklen_t addrlen);
void setSockOpt(int level, int optname, void* optval, socklen_t optlen);
SocketCore(sock_t sockfd, int sockType); SocketCore(sock_t sockfd, int sockType);
public: public:
SocketCore(int sockType = SOCK_STREAM); SocketCore(int sockType = SOCK_STREAM);

104
src/TLSSession.h Normal file
View File

@ -0,0 +1,104 @@
/* <!-- copyright */
/*
* aria2 - The high speed download utility
*
* Copyright (C) 2013 Tatsuhiro Tsujikawa
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
/* copyright --> */
#ifndef TLS_SESSION_H
#define TLS_SESSION_H
#include "common.h"
// To create another SSL/TLS backend, implement TLSSession class below.
//
// class TLSSession {
// public:
// TLSSession(TLSContext* tlsContext);
//
// // MUST deallocate all resources
// ~TLSSession();
//
// // Initializes SSL/TLS session. The |sockfd| is the underlying
// // tranport socket. This function returns TLS_ERR_OK if it
// // succeeds, or TLS_ERR_ERROR.
// int init(sock_t sockfd);
//
// // Sets |hostname| for TLS SNI extension. This is only meaningful for
// // client side session. This function returns TLS_ERR_OK if it
// // succeeds, or TLS_ERR_ERROR.
// int setSNIHostname(const std::string& hostname);
//
// // Closes the SSL/TLS session. Don't close underlying transport
// // socket. This function returns TLS_ERR_OK if it succeeds, or
// // TLS_ERR_ERROR.
// int closeConnection();
//
// // Returns TLS_WANT_READ if SSL/TLS session needs more data from
// // remote endpoint to proceed, or TLS_WANT_WRITE if SSL/TLS session
// // needs to write more data to proceed. If SSL/TLS session needs
// // neither read nor write data at the moment, return value is
// // undefined.
// int checkDirection();
//
// // Sends |data| with length |len|. This function returns the number
// // of bytes sent if it succeeds, or TLS_ERR_WOULDBLOCK if the
// // underlying tranport blocks, or TLS_ERR_ERROR.
// ssize_t writeData(const void* data, size_t len);
//
// // Receives data into |data| with length |len|. This function returns
// // the number of bytes received if it succeeds, or TLS_ERR_WOULDBLOCK
// // if the underlying tranport blocks, or TLS_ERR_ERROR.
// ssize_t readData(void* data, size_t len);
//
// // Performs client side handshake. The |hostname| is the hostname of
// // the remote endpoint and is used to verify its certificate. This
// // function returns TLS_ERR_OK if it succeeds, or TLS_ERR_WOULDBLOCK
// // if the underlying transport blocks, or TLS_ERR_ERROR.
// // When returning TLS_ERR_ERROR, provide certificate validation error
// // in |handshakeErr|.
// int tlsConnect(const std::string& hostname, std::string& handshakeErr);
//
// // Performs server side handshake. This function returns TLS_ERR_OK
// // if it succeeds, or TLS_ERR_WOULDBLOCK if the underlying transport
// // blocks, or TLS_ERR_ERROR.
// int tlsAccept();
//
// // Returns last error string
// std::string getLastErrorString();
// };
#ifdef HAVE_OPENSSL
# include "LibsslTLSSession.h"
#elif defined HAVE_LIBGNUTLS
# include "LibgnutlsTLSSession.h"
#endif
#endif // TLS_SESSION_H

55
src/TLSSessionConst.h Normal file
View File

@ -0,0 +1,55 @@
/* <!-- copyright */
/*
* aria2 - The high speed download utility
*
* Copyright (C) 2013 Tatsuhiro Tsujikawa
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
/* copyright --> */
#ifndef TLS_SESSION_CONST_H
#define TLS_SESSION_CONST_H
#include "common.h"
namespace aria2 {
enum TLSDirection {
TLS_WANT_READ = 1,
TLS_WANT_WRITE
};
enum TLSErrorCode {
TLS_ERR_OK = 0,
TLS_ERR_ERROR = -1,
TLS_ERR_WOULDBLOCK = -2
};
} // namespace aria2
#endif // TLS_SESSION_CONST_H