factor/basis/io/sockets/secure/secure.factor

! Copyright (C) 2008 Slava Pestov.
! See http://factorcode.org/license.txt for BSD license.
USING: accessors kernel namespaces continuations destructors io
debugger io.sockets io.sockets.private sequences summary
calendar delegate system vocabs.loader combinators present ;
IN: io.sockets.secure

SYMBOL: secure-socket-timeout

1 minutes secure-socket-timeout set-global

SYMBOL: secure-socket-backend

SINGLETONS: SSLv2 SSLv23 SSLv3 TLSv1 ;

TUPLE: secure-config
method
key-file password
verify
verify-depth
ca-file ca-path
dh-file
ephemeral-key-bits ;

: <secure-config> ( -- config )
    secure-config new
        SSLv23 >>method
        1024 >>ephemeral-key-bits
        "vocab:openssl/cacert.pem" >>ca-file
        t >>verify ;

TUPLE: secure-context < disposable config handle ;

HOOK: <secure-context> secure-socket-backend ( config -- context )

: with-secure-context ( config quot -- )
    [
        [ <secure-context> ] [ [ secure-context set ] prepose ] bi*
        with-disposal
    ] with-scope ; inline

TUPLE: secure addrspec ;

C: <secure> secure

M: secure present addrspec>> present " (secure)" append ;

CONSULT: inet secure addrspec>> ;

M: secure resolve-host ( secure -- seq )
    addrspec>> resolve-host [ <secure> ] map ;

HOOK: check-certificate secure-socket-backend ( host handle -- )

PREDICATE: secure-inet < secure addrspec>> inet? ;

<PRIVATE

M: secure-inet (client)
    [
        [ resolve-host (client) [ |dispose ] dip ] keep
        addrspec>> host>> pick handle>> check-certificate
    ] with-destructors ;

PRIVATE>

ERROR: premature-close ;

M: premature-close summary
    drop "Connection closed prematurely - potential truncation attack" ;

ERROR: certificate-verify-error result ;

M: certificate-verify-error summary
    drop "Certificate verification failed" ;

ERROR: common-name-verify-error expected got ;

M: common-name-verify-error summary
    drop "Common name verification failed" ;

ERROR: upgrade-on-non-socket ;

M: upgrade-on-non-socket summary
    drop
    "send-secure-handshake can only be used if input-stream and" print
    "output-stream are a socket" ;

ERROR: upgrade-buffers-full ;

M: upgrade-buffers-full summary
    drop
    "send-secure-handshake can only be used if buffers are empty" ;

HOOK: send-secure-handshake secure-socket-backend ( -- )

HOOK: accept-secure-handshake secure-socket-backend ( -- )

{
    { [ os unix? ] [ "io.sockets.secure.unix" require ] }
    { [ os windows? ] [ "openssl" require ] }
} cond
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00			`! Copyright (C) 2008 Slava Pestov.`
			`! See http://factorcode.org/license.txt for BSD license.`
io.sockets: fix to work in deployed apps 2009-09-04 04:57:57 -04:00			`USING: accessors kernel namespaces continuations destructors io`
			`debugger io.sockets io.sockets.private sequences summary`
			`calendar delegate system vocabs.loader combinators present ;`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00			`IN: io.sockets.secure`

Fix SSL timeout support and clean up some timeout code 2008-05-21 02:36:30 -04:00			`SYMBOL: secure-socket-timeout`

			`1 minutes secure-socket-timeout set-global`

Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`SYMBOL: secure-socket-backend`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
			`SINGLETONS: SSLv2 SSLv23 SSLv3 TLSv1 ;`

Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`TUPLE: secure-config`
			`method`
			`key-file password`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`verify`
			`verify-depth`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`ca-file ca-path`
			`dh-file`
			`ephemeral-key-bits ;`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`: <secure-config> ( -- config )`
			`secure-config new`
			`SSLv23 >>method`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`1024 >>ephemeral-key-bits`
Add vocab: for vocab-relative paths 2009-02-15 20:53:21 -05:00			`"vocab:openssl/cacert.pem" >>ca-file`
Server certificate verification, lazy handshake for accept 2008-05-22 01:29:19 -04:00			`t >>verify ;`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
Disposables are now registered in a global disposables set. To take advantage of this, subclass disposable instead of providing a disposed slot and call new-disposable instead of new. tools.disposables defines two words, 'disposable.' and 'leaks', to help track down resource lifetime problems 2009-08-24 03:26:13 -04:00			`TUPLE: secure-context < disposable config handle ;`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`HOOK: <secure-context> secure-socket-backend ( config -- context )`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`: with-secure-context ( config quot -- )`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00			`[`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`[ <secure-context> ] [ [ secure-context set ] prepose ] bi*`
Working on OpenSSL sockets 2008-05-11 18:44:14 -04:00			`with-disposal`
			`] with-scope ; inline`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`TUPLE: secure addrspec ;`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`C: <secure> secure`

Better connection logging 2008-09-22 17:09:10 -04:00			`M: secure present addrspec>> present " (secure)" append ;`

New threaded-server 2008-06-17 01:04:18 -04:00			`CONSULT: inet secure addrspec>> ;`

			`M: secure resolve-host ( secure -- seq )`
			`addrspec>> resolve-host [ <secure> ] map ;`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00
			`HOOK: check-certificate secure-socket-backend ( host handle -- )`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`PREDICATE: secure-inet < secure addrspec>> inet? ;`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
Move underlying-handle word from io.launcher to io.ports, add a new underlying-port word Add a remote-address symbol to io.sockets, with-client binds it, ditto for io.servers.connection io.sockets.secure now has two new words, send-secure-handshake, accept-secure-handshake, to upgrade existing connections 2008-11-30 14:46:39 -05:00			`<PRIVATE`

Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`M: secure-inet (client)`
			`[`
New threaded-server 2008-06-17 01:04:18 -04:00			`[ resolve-host (client) [ \|dispose ] dip ] keep`
			`addrspec>> host>> pick handle>> check-certificate`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00			`] with-destructors ;`
Working on SSL and refactoring related code to make things easier to plug in 2008-05-12 19:53:22 -04:00
			`PRIVATE>`
Fix SSL shutdown 2008-05-17 18:45:56 -04:00
			`ERROR: premature-close ;`

			`M: premature-close summary`
			`drop "Connection closed prematurely - potential truncation attack" ;`

			`ERROR: certificate-verify-error result ;`

			`M: certificate-verify-error summary`
			`drop "Certificate verification failed" ;`

			`ERROR: common-name-verify-error expected got ;`

			`M: common-name-verify-error summary`
			`drop "Common name verification failed" ;`
Fix deploy tests 2008-07-02 22:52:28 -04:00
Move underlying-handle word from io.launcher to io.ports, add a new underlying-port word Add a remote-address symbol to io.sockets, with-client binds it, ditto for io.servers.connection io.sockets.secure now has two new words, send-secure-handshake, accept-secure-handshake, to upgrade existing connections 2008-11-30 14:46:39 -05:00			`ERROR: upgrade-on-non-socket ;`

			`M: upgrade-on-non-socket summary`
			`drop`
			`"send-secure-handshake can only be used if input-stream and" print`
			`"output-stream are a socket" ;`

			`ERROR: upgrade-buffers-full ;`

			`M: upgrade-buffers-full summary`
			`drop`
			`"send-secure-handshake can only be used if buffers are empty" ;`

			`HOOK: send-secure-handshake secure-socket-backend ( -- )`

			`HOOK: accept-secure-handshake secure-socket-backend ( -- )`

Fix deploy tests 2008-07-02 22:52:28 -04:00			`{`
io.files split up and general refactoring work in progress 2008-12-14 21:03:00 -05:00			`{ [ os unix? ] [ "io.sockets.secure.unix" require ] }`
$U-SLAVA-DFB8FF805\Slava$ Fix Windows bootstrap 2008-07-03 20:53:40 -04:00			`{ [ os windows? ] [ "openssl" require ] }`
Fix deploy tests 2008-07-02 22:52:28 -04:00			`} cond`