factor/basis/io/sockets/secure/secure.factor

! Copyright (C) 2008 Slava Pestov.
! See http://factorcode.org/license.txt for BSD license.
USING: accessors kernel symbols namespaces continuations
destructors io.sockets sequences summary calendar delegate
system vocabs.loader combinators ;
IN: io.sockets.secure

SYMBOL: secure-socket-timeout

1 minutes secure-socket-timeout set-global

SYMBOL: secure-socket-backend

SINGLETONS: SSLv2 SSLv23 SSLv3 TLSv1 ;

TUPLE: secure-config
method
key-file password
verify
verify-depth
ca-file ca-path
dh-file
ephemeral-key-bits ;

: <secure-config> ( -- config )
    secure-config new
        SSLv23 >>method
        1024 >>ephemeral-key-bits
        "resource:basis/openssl/cacert.pem" >>ca-file
        t >>verify ;

TUPLE: secure-context config handle disposed ;

HOOK: <secure-context> secure-socket-backend ( config -- context )

: with-secure-context ( config quot -- )
    [
        [ <secure-context> ] [ [ secure-context set ] prepose ] bi*
        with-disposal
    ] with-scope ; inline

TUPLE: secure addrspec ;

C: <secure> secure

CONSULT: inet secure addrspec>> ;

M: secure resolve-host ( secure -- seq )
    addrspec>> resolve-host [ <secure> ] map ;

HOOK: check-certificate secure-socket-backend ( host handle -- )

<PRIVATE

PREDICATE: secure-inet < secure addrspec>> inet? ;

M: secure-inet (client)
    [
        [ resolve-host (client) [ |dispose ] dip ] keep
        addrspec>> host>> pick handle>> check-certificate
    ] with-destructors ;

PRIVATE>

ERROR: premature-close ;

M: premature-close summary
    drop "Connection closed prematurely - potential truncation attack" ;

ERROR: certificate-verify-error result ;

M: certificate-verify-error summary
    drop "Certificate verification failed" ;

ERROR: common-name-verify-error expected got ;

M: common-name-verify-error summary
    drop "Common name verification failed" ;

{
    { [ os unix? ] [ "io.unix.sockets.secure" require ] }
    { [ os windows? ] [ "openssl" require ] }
} cond
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00			`! Copyright (C) 2008 Slava Pestov.`
			`! See http://factorcode.org/license.txt for BSD license.`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00			`USING: accessors kernel symbols namespaces continuations`
Fix deploy tests 2008-07-02 22:52:28 -04:00			`destructors io.sockets sequences summary calendar delegate`
			`system vocabs.loader combinators ;`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00			`IN: io.sockets.secure`

Fix SSL timeout support and clean up some timeout code 2008-05-21 02:36:30 -04:00			`SYMBOL: secure-socket-timeout`

			`1 minutes secure-socket-timeout set-global`

Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`SYMBOL: secure-socket-backend`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
			`SINGLETONS: SSLv2 SSLv23 SSLv3 TLSv1 ;`

Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`TUPLE: secure-config`
			`method`
			`key-file password`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`verify`
			`verify-depth`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`ca-file ca-path`
			`dh-file`
			`ephemeral-key-bits ;`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`: <secure-config> ( -- config )`
			`secure-config new`
			`SSLv23 >>method`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`1024 >>ephemeral-key-bits`
Create basis vocab root 2008-07-28 23:03:13 -04:00			`"resource:basis/openssl/cacert.pem" >>ca-file`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`t >>verify ;`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`TUPLE: secure-context config handle disposed ;`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`HOOK: <secure-context> secure-socket-backend ( config -- context )`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`: with-secure-context ( config quot -- )`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00			`[`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`[ <secure-context> ] [ [ secure-context set ] prepose ] bi*`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00			`with-disposal`
			`] with-scope ; inline`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`TUPLE: secure addrspec ;`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`C: <secure> secure`

New threaded-server 2008-06-17 01:04:18 -04:00			`CONSULT: inet secure addrspec>> ;`

			`M: secure resolve-host ( secure -- seq )`
			`addrspec>> resolve-host [ <secure> ] map ;`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00
			`HOOK: check-certificate secure-socket-backend ( host handle -- )`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
			`<PRIVATE`

Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`PREDICATE: secure-inet < secure addrspec>> inet? ;`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`M: secure-inet (client)`
			`[`
New threaded-server 2008-06-17 01:04:18 -04:00			`[ resolve-host (client) [ \|dispose ] dip ] keep`
			`addrspec>> host>> pick handle>> check-certificate`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`] with-destructors ;`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
			`PRIVATE>`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00
			`ERROR: premature-close ;`

			`M: premature-close summary`
			`drop "Connection closed prematurely - potential truncation attack" ;`

			`ERROR: certificate-verify-error result ;`

			`M: certificate-verify-error summary`
			`drop "Certificate verification failed" ;`

			`ERROR: common-name-verify-error expected got ;`

			`M: common-name-verify-error summary`
			`drop "Common name verification failed" ;`
Fix deploy tests 2008-07-02 22:52:28 -04:00
			`{`
			`{ [ os unix? ] [ "io.unix.sockets.secure" require ] }`
$U-SLAVA-DFB8FF805\Slava$ Fix Windows bootstrap 2008-07-03 20:53:40 -04:00			`{ [ os windows? ] [ "openssl" require ] }`
Fix deploy tests 2008-07-02 22:52:28 -04:00			`} cond`