Refactored no or wrong ssl certificate error handling #4410

Conflicts:
	src/lib/net/TCPListenSocket.cpp
	src/lib/plugin/ns/SecureListenSocket.cpp
	src/lib/plugin/ns/SecureSocket.cpp
	src/lib/plugin/ns/SecureSocket.h
This commit is contained in:
XinyuHou 2015-04-10 14:07:53 +01:00
parent dd574c4f2c
commit 916a4c75af
6 changed files with 83 additions and 42 deletions

View File

@ -18,7 +18,6 @@
#include "mt/Thread.h"
#include "net/XSocket.h"
#include "mt/XMT.h"
#include "mt/XThread.h"
#include "arch/Arch.h"
@ -158,10 +157,6 @@ Thread::threadFunc(void* vjob)
job->run();
LOG((CLOG_DEBUG1 "thread 0x%08x exit", id));
}
catch (XSocket& e) {
LOG((CLOG_DEBUG "%s", e.what()));
}
catch (XThreadCancel&) {
// client called cancel()
LOG((CLOG_DEBUG1 "caught cancel on thread 0x%08x", id));

View File

@ -112,27 +112,35 @@ TCPListenSocket::accept()
try {
socket = new TCPSocket(m_events, m_socketMultiplexer, ARCH->acceptSocket(m_socket, NULL));
if (socket != NULL) {
m_socketMultiplexer->addSocket(this,
new TSocketMultiplexerMethodJob<TCPListenSocket>(
this, &TCPListenSocket::serviceListening,
m_socket, true, false));
setListeningJob();
}
return socket;
}
catch (XArchNetwork&) {
if (socket != NULL) {
delete socket;
setListeningJob();
}
return NULL;
}
catch (std::exception &ex) {
if (socket != NULL) {
delete socket;
setListeningJob();
}
throw ex;
}
}
void
CTCPListenSocket::setListeningJob()
{
m_socketMultiplexer->addSocket(this,
new TSocketMultiplexerMethodJob<CTCPListenSocket>(
this, &CTCPListenSocket::serviceListening,
m_socket, true, false));
}
ISocketMultiplexerJob*
TCPListenSocket::serviceListening(ISocketMultiplexerJob* job,
bool read, bool, bool error)

View File

@ -45,6 +45,9 @@ public:
accept();
virtual void deleteSocket(void*) { }
protected:
void setListeningJob();
public:
ISocketMultiplexerJob*
serviceListening(ISocketMultiplexerJob*,

View File

@ -55,9 +55,16 @@ SecureListenSocket::accept()
m_socketMultiplexer,
ARCH->acceptSocket(m_socket, NULL));
<<<<<<< HEAD:src/lib/plugin/ns/SecureListenSocket.cpp
m_secureSocketSet.insert(socket);
socket->initSsl(true);
=======
if (socket != NULL) {
setListeningJob();
}
>>>>>>> 79b9c52... Refactored no or wrong ssl certificate error handling #30:src/lib/net/SecureListenSocket.cpp
// TODO: customized certificate path
String certificateFilename = ARCH->getProfileDirectory();
#if SYSAPI_WIN32
@ -67,26 +74,36 @@ SecureListenSocket::accept()
#endif
certificateFilename.append(s_certificateFilename);
socket->loadCertificates(certificateFilename.c_str());
bool loaded = socket->loadCertificates(certificateFilename);
if (!loaded) {
delete socket;
return NULL;
}
socket->secureAccept();
<<<<<<< HEAD:src/lib/plugin/ns/SecureListenSocket.cpp
if (socket != NULL) {
m_socketMultiplexer->addSocket(this,
new TSocketMultiplexerMethodJob<TCPListenSocket>(
this, &TCPListenSocket::serviceListening,
m_socket, true, false));
}
=======
>>>>>>> 79b9c52... Refactored no or wrong ssl certificate error handling #30:src/lib/net/SecureListenSocket.cpp
return dynamic_cast<IDataSocket*>(socket);
}
catch (XArchNetwork&) {
if (socket != NULL) {
delete socket;
setListeningJob();
}
return NULL;
}
catch (std::exception &ex) {
if (socket != NULL) {
delete socket;
setListeningJob();
}
throw ex;
}

View File

@ -151,24 +151,46 @@ SecureSocket::initSsl(bool server)
initContext(server);
}
void
SecureSocket::loadCertificates(const char* filename)
bool
CSecureSocket::loadCertificates(CString& filename)
{
int r = 0;
r = SSL_CTX_use_certificate_file(m_ssl->m_context, filename, SSL_FILETYPE_PEM);
if (r <= 0) {
throwError("could not use ssl certificate");
if (filename.empty()) {
showError("ssl certificate is not specified");
return false;
}
else {
std::ifstream file(filename.c_str());
bool exist = file.good();
file.close();
if (!exist) {
CString errorMsg("ssl certificate doesn't exist: ");
errorMsg.append(filename);
showError(errorMsg.c_str());
return false;
}
}
r = SSL_CTX_use_PrivateKey_file(m_ssl->m_context, filename, SSL_FILETYPE_PEM);
int r = 0;
r = SSL_CTX_use_certificate_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM);
if (r <= 0) {
throwError("could not use ssl private key");
showError("could not use ssl certificate");
return false;
}
r = SSL_CTX_use_PrivateKey_file(m_ssl->m_context, filename.c_str(), SSL_FILETYPE_PEM);
if (r <= 0) {
showError("could not use ssl private key");
return false;
}
r = SSL_CTX_check_private_key(m_ssl->m_context);
if (!r) {
throwError("could not verify ssl private key");
showError("could not verify ssl private key");
return false;
}
return true;
}
void
@ -258,7 +280,8 @@ SecureSocket::secureConnect(int socket)
// tell user and sleep so the socket isn't hammered.
LOG((CLOG_ERR "failed to connect secure socket"));
LOG((CLOG_INFO "server connection may not be secure"));
ARCH->sleep(1);
disconnect();
return false;
}
m_secureReady = !retry;
@ -266,7 +289,9 @@ SecureSocket::secureConnect(int socket)
if (m_secureReady) {
if (verifyCertFingerprint()) {
LOG((CLOG_INFO "connected to secure socket"));
showCertificate();
if (!showCertificate()) {
disconnect();
}
}
else {
LOG((CLOG_ERR "failed to verity server certificate fingerprint"));
@ -277,8 +302,8 @@ SecureSocket::secureConnect(int socket)
return retry;
}
void
SecureSocket::showCertificate()
bool
CSecureSocket::showCertificate()
{
X509* cert;
char* line;
@ -292,8 +317,11 @@ SecureSocket::showCertificate()
X509_free(cert);
}
else {
throwError("server has no ssl certificate");
showError("server has no ssl certificate");
return false;
}
return true;
}
void
@ -359,24 +387,15 @@ SecureSocket::checkResult(int n, bool& fatal, bool& retry)
}
void
SecureSocket::showError()
CSecureSocket::showError(const char* reason)
{
String error = getError();
if (!error.empty()) {
LOG((CLOG_ERR "secure socket error: %s", error.c_str()));
}
if (reason != NULL) {
LOG((CLOG_ERR "%s", reason));
}
void
SecureSocket::throwError(const char* reason)
{
String error = getError();
CString error = getError();
if (!error.empty()) {
throw XSocket(synergy::string::sprintf(
"%s: %s", reason, error.c_str()));
}
else {
throw XSocket(reason);
LOG((CLOG_ERR "%s", error.c_str()));
}
}

View File

@ -50,7 +50,7 @@ public:
UInt32 secureRead(void* buffer, UInt32 n);
UInt32 secureWrite(const void* buffer, UInt32 n);
void initSsl(bool server);
void loadCertificates(const char* CertFile);
bool loadCertificates(CString& CertFile);
private:
// SSL
@ -58,10 +58,9 @@ private:
void createSSL();
bool secureAccept(int s);
bool secureConnect(int s);
void showCertificate();
bool showCertificate();
void checkResult(int n, bool& fatal, bool& retry);
void showError();
void throwError(const char* reason);
void showError(const char* reason = NULL);
String getError();
void disconnect();
bool verifyCertFingerprint();