factor/basis/io/sockets/secure/unix/unix.factor

! Copyright (C) 2007, 2011, Slava Pestov, Elie CHAFTARI.
! See http://factorcode.org/license.txt for BSD license.
USING: accessors unix byte-arrays kernel sequences namespaces
math math.order combinators init alien alien.c-types
alien.strings libc continuations destructors openssl
openssl.libcrypto openssl.libssl io io.files io.ports
io.backend.unix io.sockets.unix io.encodings.ascii io.buffers
io.sockets io.sockets.private io.sockets.secure
io.sockets.secure.openssl io.timeouts system summary fry
unix.ffi ;
FROM: io.ports => shutdown ;
IN: io.sockets.secure.unix

M: openssl ssl-supported? t ;
M: openssl ssl-certificate-verification-supported? t ;

M: ssl-handle handle-fd file>> handle-fd ;

! Client sockets
: <ssl-socket> ( fd -- ssl )
    [ fd>> BIO_NOCLOSE BIO_new_socket dup ssl-error ] keep <ssl-handle>
    [ handle>> swap dup SSL_set_bio ] keep ;

M: secure ((client)) ( addrspec -- handle )
    addrspec>> ((client)) <ssl-socket> ;

M: secure parse-sockaddr addrspec>> parse-sockaddr <secure> ;

M: secure (get-local-address) addrspec>> (get-local-address) ;

M: secure establish-connection ( client-out remote -- )
    addrspec>> [ establish-connection ] [ secure-connection ] 2bi ;

M: secure (server) addrspec>> (server) ;

M: secure (accept)
    [
        addrspec>> (accept) [ |dispose <ssl-socket> ] dip
    ] with-destructors ;

: check-shutdown-response ( handle r -- event )
    #! We don't do two-step shutdown here because I couldn't
    #! figure out how to do it with non-blocking BIOs. Also, it
    #! seems that SSL_shutdown always returns 0 -- this sounds
    #! like a bug
    over handle>> over SSL_get_error
    {
        { SSL_ERROR_NONE [ 2drop f ] }
        { SSL_ERROR_WANT_READ [ 2drop +input+ ] }
        { SSL_ERROR_WANT_WRITE [ 2drop +output+ ] }
        { SSL_ERROR_SYSCALL [ [ drop f ] [ nip syscall-error ] if-zero ] }
        { SSL_ERROR_SSL [ (ssl-error) ] }
    } case ;

: (shutdown) ( handle -- )
    dup dup handle>> SSL_shutdown check-shutdown-response
    dup [ dupd wait-for-fd (shutdown) ] [ 2drop ] if ;

M: ssl-handle shutdown
    dup connected>> [
        f >>connected [ (shutdown) ] with-timeout
    ] [ drop ] if ;

: check-buffer ( port -- port )
    dup buffer>> buffer-empty? [ upgrade-buffers-full ] unless ;

: input/output-ports ( -- input output )
    input-stream output-stream
    [ get underlying-port check-buffer ] bi@
    2dup [ handle>> ] bi@ eq? [ upgrade-on-non-socket ] unless ;

: make-input/output-secure ( input output -- )
    dup handle>> fd? [ upgrade-on-non-socket ] unless
    [ <ssl-socket> ] change-handle
    handle>> >>handle drop ;

: (send-secure-handshake) ( output -- )
    remote-address get [ upgrade-on-non-socket ] unless*
    secure-connection ;

M: openssl send-secure-handshake
    input/output-ports
    [ make-input/output-secure ] keep
    [ (send-secure-handshake) ] keep
    remote-address get dup inet? [
        host>> swap handle>> check-certificate
    ] [ 2drop ] if ;

M: openssl accept-secure-handshake
    input/output-ports
    make-input/output-secure ;
io.sockets.secure.unix: fix socket shutdown handling to make http.client work with https://www.google.com 2011-01-31 23:45:45 -05:00			`! Copyright (C) 2007, 2011, Slava Pestov, Elie CHAFTARI.`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00			`! See http://factorcode.org/license.txt for BSD license.`
io.sockets: fix to work in deployed apps 2009-09-04 04:57:57 -04:00			`USING: accessors unix byte-arrays kernel sequences namespaces`
			`math math.order combinators init alien alien.c-types`
Move code out of openssl vocabulary 2008-11-23 02:00:29 -05:00			`alien.strings libc continuations destructors openssl`
Move underlying-handle word from io.launcher to io.ports, add a new underlying-port word Add a remote-address symbol to io.sockets, with-client binds it, ditto for io.servers.connection io.sockets.secure now has two new words, send-secure-handshake, accept-secure-handshake, to upgrade existing connections 2008-11-30 14:46:39 -05:00			`openssl.libcrypto openssl.libssl io io.files io.ports`
io.files split up and general refactoring work in progress 2008-12-14 21:03:00 -05:00			`io.backend.unix io.sockets.unix io.encodings.ascii io.buffers`
io.sockets: fix to work in deployed apps 2009-09-04 04:57:57 -04:00			`io.sockets io.sockets.private io.sockets.secure`
Handle EINTR in a lot of cases where it wasn't handled before. Split off unix into unix.ffi and unix. 2010-01-20 23:42:07 -05:00			`io.sockets.secure.openssl io.timeouts system summary fry`
			`unix.ffi ;`
Cleaning up USING: lists for new strict semantics 2009-05-14 17:54:16 -04:00			`FROM: io.ports => shutdown ;`
io.files split up and general refactoring work in progress 2008-12-14 21:03:00 -05:00			`IN: io.sockets.secure.unix`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
io.sockets.secure: add ssl-supported? hook, and make furnace.auth and twitter vocabs use it. This makes furnace work on Windows 2010-10-24 18:54:19 -04:00			`M: openssl ssl-supported? t ;`
io.sockets.secure: new hook variable ssl-certificate-verification-supported? t if the backend is able to verify certificates, f otherwise. Currently certificate validation isn't implemented on Windows 2013-10-14 08:45:33 -04:00			`M: openssl ssl-certificate-verification-supported? t ;`
io.sockets.secure: add ssl-supported? hook, and make furnace.auth and twitter vocabs use it. This makes furnace work on Windows 2010-10-24 18:54:19 -04:00
Working on SSL server sockets 2008-05-14 04:55:33 -04:00			`M: ssl-handle handle-fd file>> handle-fd ;`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
			`! Client sockets`
Working on SSL server sockets 2008-05-14 04:55:33 -04:00			`: <ssl-socket> ( fd -- ssl )`
			`[ fd>> BIO_NOCLOSE BIO_new_socket dup ssl-error ] keep <ssl-handle>`
			`[ handle>> swap dup SSL_set_bio ] keep ;`

Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`M: secure ((client)) ( addrspec -- handle )`
Working on SSL server sockets 2008-05-14 04:55:33 -04:00			`addrspec>> ((client)) <ssl-socket> ;`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`M: secure parse-sockaddr addrspec>> parse-sockaddr <secure> ;`
More Unix I/O work 2008-05-14 00:36:15 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`M: secure (get-local-address) addrspec>> (get-local-address) ;`
Debugging SSL 2008-05-15 06:19:59 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`M: secure establish-connection ( client-out remote -- )`
Move underlying-handle word from io.launcher to io.ports, add a new underlying-port word Add a remote-address symbol to io.sockets, with-client binds it, ditto for io.servers.connection io.sockets.secure now has two new words, send-secure-handshake, accept-secure-handshake, to upgrade existing connections 2008-11-30 14:46:39 -05:00			`addrspec>> [ establish-connection ] [ secure-connection ] 2bi ;`
Working on SSL server sockets 2008-05-14 04:55:33 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`M: secure (server) addrspec>> (server) ;`
Working on SSL server sockets 2008-05-14 04:55:33 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`M: secure (accept)`
Working on SSL server sockets 2008-05-14 04:55:33 -04:00			`[`
Move underlying-handle word from io.launcher to io.ports, add a new underlying-port word Add a remote-address symbol to io.sockets, with-client binds it, ditto for io.servers.connection io.sockets.secure now has two new words, send-secure-handshake, accept-secure-handshake, to upgrade existing connections 2008-11-30 14:46:39 -05:00			`addrspec>> (accept) [ \|dispose <ssl-socket> ] dip`
Working on SSL server sockets 2008-05-14 04:55:33 -04:00			`] with-destructors ;`

			`: check-shutdown-response ( handle r -- event )`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`#! We don't do two-step shutdown here because I couldn't`
			`#! figure out how to do it with non-blocking BIOs. Also, it`
			`#! seems that SSL_shutdown always returns 0 -- this sounds`
			`#! like a bug`
			`over handle>> over SSL_get_error`
Working on SSL server sockets 2008-05-14 04:55:33 -04:00			`{`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`{ SSL_ERROR_NONE [ 2drop f ] }`
			`{ SSL_ERROR_WANT_READ [ 2drop +input+ ] }`
			`{ SSL_ERROR_WANT_WRITE [ 2drop +output+ ] }`
io.sockets.secure.openssl: big refactoring, all error handling merged into one check-ssl-error word 2014-04-18 12:32:59 -04:00			`{ SSL_ERROR_SYSCALL [ [ drop f ] [ nip syscall-error ] if-zero ] }`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`{ SSL_ERROR_SSL [ (ssl-error) ] }`
Working on SSL server sockets 2008-05-14 04:55:33 -04:00			`} case ;`

Fix SSL timeout support and clean up some timeout code 2008-05-21 02:36:30 -04:00			`: (shutdown) ( handle -- )`
			`dup dup handle>> SSL_shutdown check-shutdown-response`
			`dup [ dupd wait-for-fd (shutdown) ] [ 2drop ] if ;`

SSL context is now implicit 2008-05-21 16:54:27 -04:00			`M: ssl-handle shutdown`
			`dup connected>> [`
			`f >>connected [ (shutdown) ] with-timeout`
			`] [ drop ] if ;`
Move underlying-handle word from io.launcher to io.ports, add a new underlying-port word Add a remote-address symbol to io.sockets, with-client binds it, ditto for io.servers.connection io.sockets.secure now has two new words, send-secure-handshake, accept-secure-handshake, to upgrade existing connections 2008-11-30 14:46:39 -05:00
			`: check-buffer ( port -- port )`
			`dup buffer>> buffer-empty? [ upgrade-buffers-full ] unless ;`

			`: input/output-ports ( -- input output )`
			`input-stream output-stream`
			`[ get underlying-port check-buffer ] bi@`
			`2dup [ handle>> ] bi@ eq? [ upgrade-on-non-socket ] unless ;`

			`: make-input/output-secure ( input output -- )`
			`dup handle>> fd? [ upgrade-on-non-socket ] unless`
			`[ <ssl-socket> ] change-handle`
			`handle>> >>handle drop ;`

			`: (send-secure-handshake) ( output -- )`
			`remote-address get [ upgrade-on-non-socket ] unless*`
			`secure-connection ;`

			`M: openssl send-secure-handshake`
			`input/output-ports`
			`[ make-input/output-secure ] keep`
			`[ (send-secure-handshake) ] keep`
			`remote-address get dup inet? [`
			`host>> swap handle>> check-certificate`
			`] [ 2drop ] if ;`

			`M: openssl accept-secure-handshake`
			`input/output-ports`
			`make-input/output-secure ;`