[apple/security.git] / Network / https-protocol.cpp

/*
 * Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
 * 
 * The contents of this file constitute Original Code as defined in and are
 * subject to the Apple Public Source License Version 1.2 (the 'License').
 * You may not use this file except in compliance with the License. Please obtain
 * a copy of the License at http://www.apple.com/publicsource and read it before
 * using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
 * OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
 * LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
 * PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
 * specific language governing rights and limitations under the License.
 */


//
// https-protocol - SSL based HTTP.
//
#include "https-protocol.h"
#include "netparameters.h"


namespace Security {
namespace Network {

//
// Construct the protocol object
//
SecureHTTPProtocol::SecureHTTPProtocol(Manager &mgr) : HTTPProtocol(mgr, "https")
{
}


//
// Names and identifiers
//
const char *SecureHTTPProtocol::name() const
{
    return "http/ssl";
}


//
// Create a Transfer object for our protocol
//
SecureHTTPProtocol::SecureHTTPTransfer *SecureHTTPProtocol::makeTransfer(const Target &target,
    Operation operation)
{
    return new SecureHTTPTransfer(*this, target, operation, defaultHttpsPort);
}


//
// Construct an HTTPConnection object
//
SecureHTTPProtocol::SecureHTTPConnection::SecureHTTPConnection(Protocol &proto,
    const HostTarget &hostTarget)
    : HTTPConnection(proto, hostTarget),
    SecureTransport<Socket>(static_cast<TCPClientSocket &>(*this)),	// (CC pitfall)
    deferStartSSL(false), sslActive(false)

{
    // HTTPConnection already set up everything for talking to the server
    deferSendRequest = true;	// interrupt HTTP state machine after connecting state
    sslState = sslConnecting;
}

SecureHTTPProtocol::SecureHTTPConnection::~SecureHTTPConnection()
{
}

void SecureHTTPProtocol::SecureHTTPConnection::sslRequest()
{
    switch (sslState) {
    case sslConnecting:		// new connection - wait for TL ready
        break;
    case sslConnected:		// already set; go ahead HTTP
        transfer().startRequest();
        break;
    default:
        assert(false);		// huh?
    }
}

void SecureHTTPProtocol::SecureHTTPConnection::startSSL()
{
    assert(sslState == sslStartup);

    // from now on, perform I/O through the SSL layer
    sslActive = true;

    // switch initially to raw input mode. Note that no input bytes will actually
    // be delivered by our modified read() until SSL handshake is complete.
    mode(rawInput);
    
    // configure the SSL session
    allowExpiredCerts(getv<bool>(kNetworkHttpAcceptExpiredCerts, false));
    allowUnknownRoots(getv<bool>(kNetworkHttpAcceptUnknownRoots, false));

    // start SSL handshake
    SSL::open();
    assert(SSL::state() == kSSLHandshake);	// there is no chance that we could already be done
    sslState = sslHandshaking;
}


//
// Validate a connection retrieved from the cache
//
bool SecureHTTPProtocol::SecureHTTPConnection::validate()
{
    return HTTPConnection::validate() && SSL::state() == kSSLConnected;
}


//
// Our state transit method controls only the initial SSL handshake.
// Think of it as a "prefix" to the HTTP protocol state engine. Once the handshake
// is complete, we hand off further state management to the HTTP machine.
//
void SecureHTTPProtocol::SecureHTTPConnection::transit(Event event, 
    char *input, size_t inputLength)
{
    try {
        switch (sslState) {
        case sslConnecting:
            HTTPConnection::transit(event, input, inputLength);
            if (HTTPConnection::state == idle) { // transport level ready
                sslState = sslStartup;
                if (!deferStartSSL)
                    startSSL();
            }
            return;
        case sslHandshaking:
            assert(event == inputAvailable);
            SecureTransport<Socket>::open();	// advance handshake protocol
            switch (SSL::state()) {
            case kSSLHandshake:					// not yet done
                return;
            case kSSLConnected:					// ready for HTTP
                sslState = sslConnected;
                transfer().startRequest();
                return;
            default:
                assert(false);	// can't happen - would have thrown
            }
        case sslConnected:
            return HTTPConnection::transit(event, input, inputLength);
        default:
            assert(false);						// huh?
        }

        // if SSL fails, we have to abandon the Connection
    } catch (CssmCommonError &err) {
        setError("SSL failed", err.osStatus());
        throw;
    } catch (...) {
        setError("SSL failed");
        throw;
    }
}


//
// The I/O layer for SecureHTTPConnection objects.
//
size_t SecureHTTPProtocol::SecureHTTPConnection::read(void *data, size_t length)
{
    return sslActive ? SSL::read(data, length) : Socket::read(data, length);
}

size_t SecureHTTPProtocol::SecureHTTPConnection::write(const void *data, size_t length)
{
    return sslActive ? SSL::write(data, length) : Socket::write(data, length);
}

bool SecureHTTPProtocol::SecureHTTPConnection::atEnd() const
{
    return sslActive ? SSL::atEnd() : Socket::atEnd();
}


//
// HTTPS Transfer objects.
//
SecureHTTPProtocol::SecureHTTPTransfer::SecureHTTPTransfer(Protocol &proto,
    const Target &tgt, Operation operation, IPPort defPort) 
    : HTTPTransfer(proto, tgt, operation, defPort)
{
}

void SecureHTTPProtocol::SecureHTTPTransfer::start()
{
    SecureHTTPConnection *connection =
        protocol.manager.findConnection<SecureHTTPConnection>(target);
    if (connection == NULL)
        connection = new SecureHTTPConnection(protocol, target);
    connection->dock(this);
    connection->sslRequest();
}


}	// end namespace Network
}	// end namespace Security
Commit	Line	Data
bac41a7b A	1	/*
	2	* Copyright (c) 2000-2001 Apple Computer, Inc. All Rights Reserved.
	3	*
	4	* The contents of this file constitute Original Code as defined in and are
	5	* subject to the Apple Public Source License Version 1.2 (the 'License').
	6	* You may not use this file except in compliance with the License. Please obtain
	7	* a copy of the License at http://www.apple.com/publicsource and read it before
	8	* using this file.
	9	*
	10	* This Original Code and all software distributed under the License are
	11	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS
	12	* OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, INCLUDING WITHOUT
	13	* LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
	14	* PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. Please see the License for the
	15	* specific language governing rights and limitations under the License.
	16	*/
	17
	18
	19	//
	20	// https-protocol - SSL based HTTP.
	21	//
	22	#include "https-protocol.h"
	23	#include "netparameters.h"
	24
	25
	26
	27	namespace Security {
	28	namespace Network {
	29
	30	//
	31	// Construct the protocol object
	32	//
	33	SecureHTTPProtocol::SecureHTTPProtocol(Manager &mgr) : HTTPProtocol(mgr, "https")
	34	{
	35	}
	36
	37
	38	//
	39	// Names and identifiers
	40	//
	41	const char *SecureHTTPProtocol::name() const
	42	{
	43	return "http/ssl";
	44	}
	45
	46
	47	//
	48	// Create a Transfer object for our protocol
	49	//
	50	SecureHTTPProtocol::SecureHTTPTransfer *SecureHTTPProtocol::makeTransfer(const Target &target,
	51	Operation operation)
	52	{
	53	return new SecureHTTPTransfer(*this, target, operation, defaultHttpsPort);
	54	}
	55
	56
	57	//
	58	// Construct an HTTPConnection object
	59	//
	60	SecureHTTPProtocol::SecureHTTPConnection::SecureHTTPConnection(Protocol &proto,
	61	const HostTarget &hostTarget)
	62	: HTTPConnection(proto, hostTarget),
	63	SecureTransport<Socket>(static_cast<TCPClientSocket &>(*this)), // (CC pitfall)
	64	deferStartSSL(false), sslActive(false)
65
66	{
67	// HTTPConnection already set up everything for talking to the server
68	deferSendRequest = true; // interrupt HTTP state machine after connecting state
69	sslState = sslConnecting;
70	}
71
72	SecureHTTPProtocol::SecureHTTPConnection::~SecureHTTPConnection()
73	{
74	}
75
76	void SecureHTTPProtocol::SecureHTTPConnection::sslRequest()
77	{
78	switch (sslState) {
79	case sslConnecting: // new connection - wait for TL ready
80	break;
81	case sslConnected: // already set; go ahead HTTP
82	transfer().startRequest();
83	break;
84	default:
85	assert(false); // huh?
86	}
87	}
88
89	void SecureHTTPProtocol::SecureHTTPConnection::startSSL()
90	{
91	assert(sslState == sslStartup);
92
93	// from now on, perform I/O through the SSL layer
94	sslActive = true;
95
96	// switch initially to raw input mode. Note that no input bytes will actually
97	// be delivered by our modified read() until SSL handshake is complete.
98	mode(rawInput);
99
100	// configure the SSL session
101	allowExpiredCerts(getv<bool>(kNetworkHttpAcceptExpiredCerts, false));
102	allowUnknownRoots(getv<bool>(kNetworkHttpAcceptUnknownRoots, false));
103
104	// start SSL handshake
105	SSL::open();
106	assert(SSL::state() == kSSLHandshake); // there is no chance that we could already be done
107	sslState = sslHandshaking;
108	}
109
110
111	//
112	// Validate a connection retrieved from the cache
113	//
114	bool SecureHTTPProtocol::SecureHTTPConnection::validate()
115	{
116	return HTTPConnection::validate() && SSL::state() == kSSLConnected;
117	}
118
119
120	//
121	// Our state transit method controls only the initial SSL handshake.
122	// Think of it as a "prefix" to the HTTP protocol state engine. Once the handshake
123	// is complete, we hand off further state management to the HTTP machine.
124	//
125	void SecureHTTPProtocol::SecureHTTPConnection::transit(Event event,
126	char *input, size_t inputLength)
127	{
128	try {
129	switch (sslState) {
130	case sslConnecting:
131	HTTPConnection::transit(event, input, inputLength);
132	if (HTTPConnection::state == idle) { // transport level ready
133	sslState = sslStartup;
134	if (!deferStartSSL)
135	startSSL();
136	}
137	return;
138	case sslHandshaking:
139	assert(event == inputAvailable);
140	SecureTransport<Socket>::open(); // advance handshake protocol
141	switch (SSL::state()) {
142	case kSSLHandshake: // not yet done
143	return;
144	case kSSLConnected: // ready for HTTP
145	sslState = sslConnected;
146	transfer().startRequest();
147	return;
148	default:
149	assert(false); // can't happen - would have thrown
150	}
151	case sslConnected:
152	return HTTPConnection::transit(event, input, inputLength);
153	default:
154	assert(false); // huh?
155	}
156
157	// if SSL fails, we have to abandon the Connection
158	} catch (CssmCommonError &err) {
159	setError("SSL failed", err.osStatus());
160	throw;
161	} catch (...) {
162	setError("SSL failed");
163	throw;
164	}
165	}
166
167
168	//
169	// The I/O layer for SecureHTTPConnection objects.
170	//
171	size_t SecureHTTPProtocol::SecureHTTPConnection::read(void *data, size_t length)
172	{
173	return sslActive ? SSL::read(data, length) : Socket::read(data, length);
174	}
175
176	size_t SecureHTTPProtocol::SecureHTTPConnection::write(const void *data, size_t length)
177	{
178	return sslActive ? SSL::write(data, length) : Socket::write(data, length);
179	}
180
181	bool SecureHTTPProtocol::SecureHTTPConnection::atEnd() const
182	{
183	return sslActive ? SSL::atEnd() : Socket::atEnd();
184	}
185
186
187	//
188	// HTTPS Transfer objects.
189	//
190	SecureHTTPProtocol::SecureHTTPTransfer::SecureHTTPTransfer(Protocol &proto,
191	const Target &tgt, Operation operation, IPPort defPort)
192	: HTTPTransfer(proto, tgt, operation, defPort)
193	{
194	}
195
196	void SecureHTTPProtocol::SecureHTTPTransfer::start()
197	{
198	SecureHTTPConnection *connection =
199	protocol.manager.findConnection<SecureHTTPConnection>(target);
200	if (connection == NULL)
201	connection = new SecureHTTPConnection(protocol, target);
202	connection->dock(this);
203	connection->sslRequest();
204	}
205
206
207	} // end namespace Network
208	} // end namespace Security