yassl_int.cpp

mysql-5.0.33源码包

    case finished :
        if (states_.getServer() != clientKeyExchangeComplete || 
            secure_.get_parms().pending_)    // no change
                order_error();               // cipher yet
        break;
    default :
        order_error();
    };
}


// try to find a suite match
void SSL::matchSuite(const opaque* peer, uint length)
{
    if (length == 0 || (length % 2) != 0) {
        SetError(bad_input);
        return;
    }

    // start with best, if a match we are good, Ciphers are at odd index
    // since all SSL and TLS ciphers have 0x00 first byte
    for (uint i = 1; i < secure_.get_parms().suites_size_; i += 2)
        for (uint j = 1; j < length; j+= 2)
            if (secure_.use_parms().suites_[i] == peer[j]) {
                secure_.use_parms().suite_[0] = 0x00;
                secure_.use_parms().suite_[1] = peer[j];
                return;
            }

    SetError(match_error);
}


void SSL::set_session(SSL_SESSION* s) 
{ 
    if (getSecurity().GetContext()->GetSessionCacheOff())
        return;

    if (s && GetSessions().lookup(s->GetID(), &secure_.use_resume())) {
        secure_.set_resuming(true);
        crypto_.use_certManager().setPeerX509(s->GetPeerX509());
    }
}


const Crypto& SSL::getCrypto() const
{
    return crypto_;
}


const Security& SSL::getSecurity() const
{
    return secure_;
}


const States& SSL::getStates() const
{
    return states_;
}


const sslHashes& SSL::getHashes() const
{
    return hashes_;
}


const sslFactory& SSL::getFactory() const
{
    return GetSSL_Factory();
}


const Socket& SSL::getSocket() const
{
    return socket_;
}


YasslError SSL::GetError() const
{
    return states_.What();
}


bool SSL::GetMultiProtocol() const
{
    return secure_.GetContext()->getMethod()->multipleProtocol();
}


Crypto& SSL::useCrypto()
{
    return crypto_;
}


Security& SSL::useSecurity()
{
    return secure_;
}


States& SSL::useStates()
{
    return states_;
}


sslHashes& SSL::useHashes()
{
    return hashes_;
}


Socket& SSL::useSocket()
{
    return socket_;
}


Log& SSL::useLog()
{
    return log_;
}


bool SSL::isTLS() const
{
    return secure_.get_connection().TLS_;
}


bool SSL::isTLSv1_1() const
{
    return secure_.get_connection().TLSv1_1_;
}


void SSL::addData(input_buffer* data)
{
    buffers_.useData().push_back(data);
}


void SSL::addBuffer(output_buffer* b)
{
    buffers_.useHandShake().push_back(b);
}


void SSL_SESSION::CopyX509(X509* x)
{
    assert(peerX509_ == 0);
    if (x == 0) return;

    X509_NAME* issuer   = x->GetIssuer();
    X509_NAME* subject  = x->GetSubject();
    ASN1_STRING* before = x->GetBefore();
    ASN1_STRING* after  = x->GetAfter();

    peerX509_ = NEW_YS X509(issuer->GetName(), issuer->GetLength(),
        subject->GetName(), subject->GetLength(), (const char*) before->data,
        before->length, (const char*) after->data, after->length);
}


// store connection parameters
SSL_SESSION::SSL_SESSION(const SSL& ssl, RandomPool& ran) 
    : timeout_(DEFAULT_TIMEOUT), random_(ran), peerX509_(0)
{
    const Connection& conn = ssl.getSecurity().get_connection();

    memcpy(sessionID_, conn.sessionID_, ID_LEN);
    memcpy(master_secret_, conn.master_secret_, SECRET_LEN);
    memcpy(suite_, ssl.getSecurity().get_parms().suite_, SUITE_LEN);

    bornOn_ = lowResTimer();

    CopyX509(ssl.getCrypto().get_certManager().get_peerX509());
}


// for resumption copy in ssl::parameters
SSL_SESSION::SSL_SESSION(RandomPool& ran) 
    : bornOn_(0), timeout_(0), random_(ran), peerX509_(0)
{
    memset(sessionID_, 0, ID_LEN);
    memset(master_secret_, 0, SECRET_LEN);
    memset(suite_, 0, SUITE_LEN);
}


SSL_SESSION& SSL_SESSION::operator=(const SSL_SESSION& that)
{
    memcpy(sessionID_, that.sessionID_, ID_LEN);
    memcpy(master_secret_, that.master_secret_, SECRET_LEN);
    memcpy(suite_, that.suite_, SUITE_LEN);
    
    bornOn_  = that.bornOn_;
    timeout_ = that.timeout_;

    if (peerX509_) {
        ysDelete(peerX509_);
        peerX509_ = 0;
    }
    CopyX509(that.peerX509_);

    return *this;
}


const opaque* SSL_SESSION::GetID() const
{
    return sessionID_;
}


const opaque* SSL_SESSION::GetSecret() const
{
    return master_secret_;
}


const Cipher* SSL_SESSION::GetSuite() const
{
    return suite_;
}


X509* SSL_SESSION::GetPeerX509() const
{
    return peerX509_;
}


uint SSL_SESSION::GetBornOn() const
{
    return bornOn_;
}


uint SSL_SESSION::GetTimeOut() const
{
    return timeout_;
}


void SSL_SESSION::SetTimeOut(uint t)
{
    timeout_ = t;
}


extern void clean(volatile opaque*, uint, RandomPool&);


// clean up secret data
SSL_SESSION::~SSL_SESSION()
{
    volatile opaque* p = master_secret_;
    clean(p, SECRET_LEN, random_);

    ysDelete(peerX509_);
}


static Sessions* sessionsInstance = 0;

Sessions& GetSessions()
{
    if (!sessionsInstance)
        sessionsInstance = NEW_YS Sessions;
    return *sessionsInstance;
}


static sslFactory* sslFactoryInstance = 0;

sslFactory& GetSSL_Factory()
{  
    if (!sslFactoryInstance)
        sslFactoryInstance = NEW_YS sslFactory;
    return *sslFactoryInstance;
}


static Errors* errorsInstance = 0;

Errors& GetErrors()
{
    if (!errorsInstance)
        errorsInstance = NEW_YS Errors;
    return *errorsInstance;
}


typedef Mutex::Lock Lock;

 
void Sessions::add(const SSL& ssl) 
{
    if (ssl.getSecurity().get_connection().sessionID_Set_) {
    Lock guard(mutex_);
    list_.push_back(NEW_YS SSL_SESSION(ssl, random_));
    }
}


Sessions::~Sessions() 
{ 
    STL::for_each(list_.begin(), list_.end(), del_ptr_zero()); 
}


// locals
namespace yassl_int_cpp_local2 { // for explicit templates

typedef STL::list<SSL_SESSION*>::iterator sess_iterator;
typedef STL::list<ThreadError>::iterator  thr_iterator;

struct sess_match {
    const opaque* id_;
    explicit sess_match(const opaque* p) : id_(p) {}

    bool operator()(SSL_SESSION* sess)
    {
        if ( memcmp(sess->GetID(), id_, ID_LEN) == 0)
            return true;
        return false;
    }
};


THREAD_ID_T GetSelf()
{
#ifndef _POSIX_THREADS
    return GetCurrentThreadId();
#else
    return pthread_self();
#endif
}

struct thr_match {
    THREAD_ID_T id_;
    explicit thr_match() : id_(GetSelf()) {}

    bool operator()(ThreadError thr)
    {
        if (thr.threadID_ == id_)
            return true;
        return false;
    }
};


} // local namespace
using namespace yassl_int_cpp_local2;


// lookup session by id, return a copy if space provided
SSL_SESSION* Sessions::lookup(const opaque* id, SSL_SESSION* copy)
{
    Lock guard(mutex_);
    sess_iterator find = STL::find_if(list_.begin(), list_.end(),
                                        sess_match(id));
    if (find != list_.end()) {
        uint current = lowResTimer();
        if ( ((*find)->GetBornOn() + (*find)->GetTimeOut()) < current) {
            del_ptr_zero()(*find);
            list_.erase(find);
            return 0;
        }
        if (copy)
            *copy = *(*find);
        return *find;
    }
    return 0;
}


// remove a session by id
void Sessions::remove(const opaque* id)
{
    Lock guard(mutex_);
    sess_iterator find = STL::find_if(list_.begin(), list_.end(),
                                        sess_match(id));
    if (find != list_.end()) {
        del_ptr_zero()(*find);
        list_.erase(find);
    }
}


// remove a self thread error
void Errors::Remove()
{
    Lock guard(mutex_);
    thr_iterator find = STL::find_if(list_.begin(), list_.end(),
                                       thr_match());
    if (find != list_.end())
        list_.erase(find);
}


// lookup self error code
int Errors::Lookup(bool peek)
{
    Lock guard(mutex_);
    thr_iterator find = STL::find_if(list_.begin(), list_.end(),
                                       thr_match());
    if (find != list_.end()) {
        int ret = find->errorID_;
        if (!peek)
            list_.erase(find);
        return ret;
    }
    else
        return 0;
}


// add a new error code for self
void Errors::Add(int error)
{
    ThreadError add;
    add.errorID_  = error;
    add.threadID_ = GetSelf();

    Remove();   // may have old error

    Lock guard(mutex_);
    list_.push_back(add);
}


SSL_METHOD::SSL_METHOD(ConnectionEnd ce, ProtocolVersion pv, bool multiProto) 
    : version_(pv), side_(ce), verifyPeer_(false), verifyNone_(false),
      failNoCert_(false), multipleProtocol_(multiProto)
{}


ProtocolVersion SSL_METHOD::getVersion() const
{
    return version_;
}


ConnectionEnd SSL_METHOD::getSide() const
{
    return side_;
}


void SSL_METHOD::setVerifyPeer()
{
    verifyPeer_ = true;
}


void SSL_METHOD::setVerifyNone()
{
    verifyNone_ = true;
}


void SSL_METHOD::setFailNoCert()
{
    failNoCert_ = true;
}


bool SSL_METHOD::verifyPeer() const
{
    return verifyPeer_;
}


bool SSL_METHOD::verifyNone() const
{
    return verifyNone_;
}


bool SSL_METHOD::failNoCert() const
{
    return failNoCert_;
}


bool SSL_METHOD::multipleProtocol() const
{
    return multipleProtocol_;
}


SSL_CTX::SSL_CTX(SSL_METHOD* meth) 
    : method_(meth), certificate_(0), privateKey_(0), passwordCb_(0),
      userData_(0), sessionCacheOff_(false)
{}


SSL_CTX::~SSL_CTX()
{
    ysDelete(method_);
    ysDelete(certificate_);
    ysDelete(privateKey_);

    STL::for_each(caList_.begin(), caList_.end(), del_ptr_zero());
}


void SSL_CTX::AddCA(x509* ca)
{
    caList_.push_back(ca);
}


const SSL_CTX::CertList& 
SSL_CTX::GetCA_List() const
{
    return caList_;
}


const x509* SSL_CTX::getCert() const
{
    return certificate_;
}


const x509* SSL_CTX::getKey() const
{
    return privateKey_;
}


const SSL_METHOD* SSL_CTX::getMethod() const
{
    return method_;
}


const Ciphers& SSL_CTX::GetCiphers() const
{
    return ciphers_;
}


const DH_Parms& SSL_CTX::GetDH_Parms() const
{
    return dhParms_;
}


const Stats& SSL_CTX::GetStats() const
{
    return stats_;
}


pem_password_cb SSL_CTX::GetPasswordCb() const
{
    return passwordCb_;
}


void SSL_CTX::SetPasswordCb(pem_password_cb cb)
{
    passwordCb_ = cb;
}


void* SSL_CTX::GetUserData() const
{
    return userData_;
}


bool SSL_CTX::GetSessionCacheOff() const
{
    return sessionCacheOff_;
}


void SSL_CTX::SetUserData(void* data)
{
    userData_ = data;
}


void SSL_CTX::SetSessionCacheOff()
{
    sessionCacheOff_ = true;
}


void SSL_CTX::setVerifyPeer()
{
    method_->setVerifyPeer();
}


void SSL_CTX::setVerifyNone()
{
    method_->setVerifyNone();
}


void SSL_CTX::setFailNoCert()
{
    method_->setFailNoCert();
}


bool SSL_CTX::SetDH(const DH& dh)
{
    dhParms_.p_ = dh.p->int_;
    dhParms_.g_ = dh.g->int_;

    return dhParms_.set_ = true;
}