

Merge branch 'main' of github.com:my-devices/sdk
obiltschnig committed Jan 15, 2025
2 parents 48072ef + 46902c4 commit 5834322
Showing 8 changed files with 639 additions and 527 deletions.
2 changes: 1 addition & 1 deletion NetSSL_Win/include/Poco/Net/AcceptCertificateHandler.h
@@ -27,7 +27,7 @@ namespace Net {


class NetSSL_Win_API AcceptCertificateHandler: public InvalidCertificateHandler
/// A AcceptCertificateHandler is invoked whenever an error
/// A AcceptCertificateHandler is invoked whenever an error
/// occurs verifying the certificate. It always accepts
/// the certificate.
///
124 changes: 87 additions & 37 deletions NetSSL_Win/include/Poco/Net/SecureSocketImpl.h
@@ -18,6 +18,10 @@
#define NetSSL_SecureSocketImpl_INCLUDED


// Temporary debugging aid, to be removed
// #define ENABLE_PRINT_STATE


#include "Poco/Net/SocketImpl.h"
#include "Poco/Net/NetSSL.h"
#include "Poco/Net/Context.h"
@@ -35,6 +39,14 @@
#include <sspi.h>



#ifdef ENABLE_PRINT_STATE
#define PRINT_STATE(m) printState(m)
#else
#define PRINT_STATE(m)
#endif


namespace Poco {
namespace Net {

@@ -154,10 +166,11 @@ class NetSSL_Win_API SecureSocketImpl
/// number of connections that can be queued
/// for this socket.

void shutdown();
int shutdown();
/// Shuts down the connection by attempting
/// an orderly SSL shutdown, then actually
/// shutting down the TCP connection.
/// shutting down the TCP connection in the
/// send direction.

void close();
/// Close the socket.
@@ -224,67 +237,103 @@ class NetSSL_Win_API SecureSocketImpl
{
ST_INITIAL = 0,
ST_CONNECTING,
ST_CLIENTHANDSHAKESTART,
ST_CLIENTHANDSHAKECONDREAD,
ST_CLIENTHANDSHAKEINCOMPLETE,
ST_CLIENTHANDSHAKEOK,
ST_CLIENTHANDSHAKEEXTERROR,
ST_CLIENTHANDSHAKECONTINUE,
ST_VERIFY,
ST_CLIENT_HSK_START,
ST_CLIENT_HSK_SEND_TOKEN,
ST_CLIENT_HSK_LOOP_INIT,
ST_CLIENT_HSK_LOOP_RECV,
ST_CLIENT_HSK_LOOP_PROCESS,
ST_CLIENT_HSK_LOOP_SEND,
ST_CLIENT_HSK_LOOP_DONE,
ST_CLIENT_HSK_SEND_FINAL,
ST_CLIENT_HSK_SEND_ERROR,
ST_CLIENT_VERIFY,
ST_ACCEPTING,
ST_SERVER_HSK_START,
ST_SERVER_HSK_LOOP_INIT,
ST_SERVER_HSK_LOOP_RECV,
ST_SERVER_HSK_LOOP_PROCESS,
ST_SERVER_HSK_LOOP_SEND,
ST_SERVER_HSK_LOOP_DONE,
ST_SERVER_VERIFY,
ST_DONE,
ST_ERROR
ST_ERROR,
ST_MAX
};

enum TLSShutdown
{
TLS_SHUTDOWN_SENT = 1,
TLS_SHUTDOWN_RECEIVED = 2
};

int sendRawBytes(const void* buffer, int length, int flags = 0);
int receiveRawBytes(void* buffer, int length, int flags = 0);
void clientConnectVerify();
void sendInitialTokenOutBuffer();
void performServerHandshake();
bool serverHandshakeLoop(PCtxtHandle phContext, PCredHandle phCred, bool requireClientAuth, bool doInitialRead, bool newContext);
void clientVerifyCertificate(const std::string& hostName);
void verifyCertificateChainClient(PCCERT_CONTEXT pServerCert);
void serverVerifyCertificate();
LONG serverDisconnect(PCredHandle phCreds, CtxtHandle* phContext);
LONG clientDisconnect(PCredHandle phCreds, CtxtHandle* phContext);
bool loadSecurityLibrary();
void initClientContext();
void initServerContext();
int serverShutdown(PCredHandle phCreds, CtxtHandle* phContext);
int clientShutdown(PCredHandle phCreds, CtxtHandle* phContext);
PCCERT_CONTEXT loadCertificate(bool mustFindCertificate);
void initCommon();
void cleanup();
void performClientHandshake();
void performInitialClientHandshake();
SECURITY_STATUS performClientHandshakeLoop();
void performClientHandshakeLoopIncompleteMessage();
void performClientHandshakeLoopCondReceive();
void performClientHandshakeLoopReceive();
void performClientHandshakeLoopOK();
void performClientHandshakeLoopInit();
void performClientHandshakeExtraBuffer();
void performClientHandshakeSendOutBuffer();
void performClientHandshakeLoopContinueNeeded();
void performClientHandshakeLoopError();
void performClientHandshakeLoopExtError();

void stateIllegal();
void stateError();

void stateClientConnected();
void stateClientHandshakeStart();
void stateClientHandshakeSendToken();
void stateClientHandshakeLoopInit();
void stateClientHandshakeLoopRecv();
void stateClientHandshakeLoopProcess();
void stateClientHandshakeLoopSend();
void stateClientHandshakeLoopDone();
void stateClientHandshakeSendFinal();
void stateClientHandshakeSendError();
void stateClientVerify();

void stateServerAccepted();
void stateServerHandshakeStart();
void stateServerHandshakeLoopInit();
void stateServerHandshakeLoopRecv();
void stateServerHandshakeLoopProcess();
void stateServerHandshakeLoopSend();
void stateServerHandshakeLoopDone();
void stateServerHandshakeVerify();

void sendOutSecBufferAndAdvanceState(State state);
void drainExtraBuffer();
static int getRecordLength(const BYTE* pBuffer, int length);
static bool bufferHasCompleteRecords(const BYTE* pBuffer, int length);

void initClientCredentials();
void initServerCredentials();
SECURITY_STATUS doHandshake();
int completeHandshake();

SECURITY_STATUS decodeMessage(BYTE* pBuffer, DWORD bufSize, AutoSecBufferDesc<4>& msg, SecBuffer*& pData, SecBuffer*& pExtra);
SECURITY_STATUS decodeBufferFull(BYTE* pBuffer, DWORD bufSize, char* pOutBuffer, int outLength, int& bytesDecoded);
void stateIllegal();
void stateConnected();

void acceptSSL();
void connectSSL(bool completeHandshake);
void completeHandshake();
static int lastError();
void stateMachine();
bool stateMachine();
State getState() const;
void setState(State st);
static bool isLocalHost(const std::string& hostName);

#ifdef ENABLE_PRINT_STATE
void printState(const std::string& msg);
#endif

private:
SecureSocketImpl(const SecureSocketImpl&);
SecureSocketImpl& operator = (const SecureSocketImpl&);

Poco::AutoPtr<SocketImpl> _pSocket;
Context::Ptr _pContext;
Mode _mode;
int _shutdownFlags;
std::string _peerHostName;
bool _useMachineStore;
bool _clientAuthRequired;
@@ -312,9 +361,9 @@ class NetSSL_Win_API SecureSocketImpl
SecBuffer _extraSecBuffer;
SECURITY_STATUS _securityStatus;
State _state;
DWORD _outFlags;
bool _needData;
bool _needHandshake;
bool _initServerContext = false;

friend class SecureStreamSocketImpl;
friend class StateMachine;
@@ -357,6 +406,7 @@ inline SecureSocketImpl::State SecureSocketImpl::getState() const
inline void SecureSocketImpl::setState(SecureSocketImpl::State st)
{
_state = st;
PRINT_STATE("setState: ");
}
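Review bot: `getRecordLength()` and `bufferHasCompleteRecords()` (L164-165) parse TLS record headers out of bytes received from the peer, yet the header gives no precondition or return contract for them; their bodies live in SecureSocketImpl.cpp, which this page does not render, so I cannot confirm they reject a buffer shorter than the 5-byte record header or a length field above the maximum TLS record size before the length is used to index the receive buffer. Please document the contract above the declarations, e.g. `/// Returns the length (header plus payload) of the TLS record starting at pBuffer,` / `/// or -1 if fewer than 5 bytes are available or the length field is out of range.`, and make sure the implementation enforces both bounds. The new `_shutdownFlags` member (L198) holds the TLSShutdown bitmask but, unlike `_initServerContext` (L209), has no in-class initializer; unless initCommon() zeroes it (not visible here), a fresh socket could report a close notify as already sent or received. `int completeHandshake();` (L170) now has a return value that SecureStreamSocketImpl forwards to callers, but no doc comment says what the values mean.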


23 changes: 17 additions & 6 deletions NetSSL_Win/include/Poco/Net/SecureStreamSocketImpl.h
@@ -117,15 +117,26 @@ class NetSSL_Win_API SecureStreamSocketImpl: public StreamSocketImpl
/// Since SSL does not support a half shutdown, this does
/// nothing.

void shutdownSend();
int shutdownSend();
/// Shuts down the receiving part of the socket connection.
///
/// Since SSL does not support a half shutdown, this does
/// nothing.

void shutdown();
/// Sends a close notify shutdown alert message to the peer
/// (if not sent yet), then calls shutdownSend() on the
/// underlying socket.
///
/// Returns 0 if the message has been sent.
/// Returns 1 if the message has been sent, but the peer
/// has not yet sent its shutdown alert message.
/// In case of a non-blocking socket, returns < 0 if the
/// message cannot be sent at the moment. In this case,
/// the call to shutdownSend() must be retried after the
/// underlying socket becomes writable again.

int shutdown();
/// Shuts down the SSL connection.

///
/// Same as shutdownSend().

void abort();
/// Aborts the connection by closing the underlying
/// TCP connection. No orderly SSL shutdown is performed.
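Review bot: The new doc comment for `shutdownSend()` is ambiguous: `/// Returns 0 if the message has been sent.` (L239) and `/// Returns 1 if the message has been sent, but the peer has not yet sent its shutdown alert message.` (L240-241) both describe a sent alert, so a reader cannot tell that 0 additionally means the peer's close notify was received; suggest `/// Returns 0 if the close notify alert has been sent and the peer's close notify has been received.` The retry rule for non-blocking sockets (L242-245) deserves more weight, because a caller that keeps ignoring the previously `void` return value will now silently skip the close notify on a would-block, and a TLS session ending without close notify is indistinguishable to the peer from a truncation attack; `[[nodiscard]]` on both `shutdownSend()` and `shutdown()` would catch that, if the project's C++ level allows it. The retained comment on `shutdownReceive()` (L224-225, context) still states that SSL does not support a half shutdown, which the new `shutdownSend()` documentation contradicts, so it should be reworded to say that only the send direction can be shut down.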
2 changes: 1 addition & 1 deletion NetSSL_Win/include/Poco/Net/Utility.h
@@ -35,7 +35,7 @@ class NetSSL_Win_API Utility
/// Non-case sensitive conversion of a string to a VerificationMode enum.
/// If verMode is illegal an OptionException is thrown.

static const std::string& formatError(long errCode);
static std::string formatError(long errCode);
/// Converts an winerror.h code into human readable form.

private:
978 changes: 517 additions & 461 deletions NetSSL_Win/src/SecureSocketImpl.cpp


24 changes: 12 additions & 12 deletions NetSSL_Win/src/SecureStreamSocketImpl.cpp
@@ -67,7 +67,7 @@ void SecureStreamSocketImpl::connect(const SocketAddress& address, const Poco::T
_impl.connect(address, timeout, !_lazyHandshake);
reset(_impl.sockfd());
}


void SecureStreamSocketImpl::connectNB(const SocketAddress& address)
{
@@ -80,19 +80,19 @@ void SecureStreamSocketImpl::connectSSL()
{
_impl.connectSSL(!_lazyHandshake);
}


void SecureStreamSocketImpl::bind(const SocketAddress& address, bool reuseAddress)
{
throw Poco::InvalidAccessException("Cannot bind() a SecureStreamSocketImpl");
}


void SecureStreamSocketImpl::listen(int backlog)
{
throw Poco::InvalidAccessException("Cannot listen() on a SecureStreamSocketImpl");
}


void SecureStreamSocketImpl::close()
{
@@ -148,15 +148,16 @@ void SecureStreamSocketImpl::shutdownReceive()
{
}

void SecureStreamSocketImpl::shutdownSend()

int SecureStreamSocketImpl::shutdownSend()
{
return _impl.shutdown();
}

void SecureStreamSocketImpl::shutdown()

int SecureStreamSocketImpl::shutdown()
{
_impl.shutdown();
return _impl.shutdown();
}


@@ -187,7 +188,7 @@ void SecureStreamSocketImpl::setLazyHandshake(bool flag)
_lazyHandshake = flag;
}


bool SecureStreamSocketImpl::getLazyHandshake() const
{
return _lazyHandshake;
@@ -208,8 +209,7 @@ void SecureStreamSocketImpl::verifyPeerCertificate(const std::string& hostName)

int SecureStreamSocketImpl::completeHandshake()
{
_impl.completeHandshake();
return 0;
return _impl.completeHandshake();
}
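Review bot: `shutdownSend()` (L307-310) and `shutdown()` (L314-317) are now two identical bodies that both call `_impl.shutdown()`, while the header documents `shutdown()` as "Same as shutdownSend()"; make the code say so with `return shutdownSend();` in `shutdown()` so a future change to the send-side shutdown lands in one place. The empty `shutdownReceive()` (L301-303, start outside the hunk) is unchanged and now coexists with a real half-close in the send direction, so a short comment there, `// TLS only supports shutting down the send direction; see shutdownSend().`, would explain the asymmetry.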


11 changes: 3 additions & 8 deletions NetSSL_Win/src/Utility.cpp
@@ -24,9 +24,6 @@ namespace Poco {
namespace Net {


Poco::FastMutex Utility::_mutex;


Context::VerificationMode Utility::convertVerificationMode(const std::string& vMode)
{
std::string mode = Poco::toLower(vMode);
@@ -54,6 +51,7 @@ inline void add(std::map<long, const std::string>& messageMap, long key, const s
std::map<long, const std::string> Utility::initSSPIErr()
{
std::map<long, const std::string> messageMap;
add(messageMap, SEC_E_OK, "OK");
add(messageMap, NTE_BAD_UID, "Bad UID");
add(messageMap, NTE_BAD_HASH, "Bad Hash");
add(messageMap, NTE_BAD_KEY, "Bad Key");
@@ -185,18 +183,15 @@ std::map<long, const std::string> Utility::initSSPIErr()
}


const std::string& Utility::formatError(long errCode)
std::string Utility::formatError(long errCode)
{
Poco::FastMutex::ScopedLock lock(_mutex);

static const std::string def("Internal SSPI error");
static const std::map<long, const std::string> errs(initSSPIErr());

const std::map<long, const std::string>::const_iterator it = errs.find(errCode);
if (it != errs.end())
return it->second;
else
return def;
return "0x" + Poco::NumberFormatter::formatHex(errCode, 8);
}
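Review bot: Dropping `_mutex` around the function-local `static const std::map<long, const std::string> errs(initSSPIErr());` (L369) is only safe because C++11 guarantees thread-safe initialization of function-local statics; add a one-line comment above it, `// C++11 guarantees thread-safe initialization of function-local statics; no lock needed.`, so the lock is not reintroduced by someone reading the removed line in history. The `else` after the unconditional `return it->second;` (L373-374) is redundant and the fallback `return "0x" + Poco::NumberFormatter::formatHex(errCode, 8);` can follow directly. That fallback presumably relies on NumberFormatter treating a negative `long` HRESULT such as the 0x8009xxxx SSPI codes as unsigned; if that is not guaranteed in the POCO version in use, cast to `unsigned long` first so the code does not render with a minus sign.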


2 changes: 1 addition & 1 deletion WebTunnel/WebTunnelClient/README.md
@@ -154,5 +154,5 @@ documentation for configuring a HTTP proxy, including proxy credentials.

### Logging

Please refer to the [`WebTunnelAgent`](../WebTunnelAgent/README.md#ssltls-configuration)
Please refer to the [`WebTunnelAgent`](../WebTunnelAgent/README.md#logging)
documentation for configuring logging.
