eventmachine · burke · Jun 1, 2010 · May 22, 2012 · May 22, 2012 · May 22, 2012
diff --git a/.gitignore b/.gitignore
@@ -19,3 +19,4 @@ Gemfile.lock
 .yardoc/*
 doc/*
 
+tags
diff --git a/cacert.pem b/cacert.pem
diff --git a/ext/cmain.cpp b/ext/cmain.cpp
@@ -432,12 +432,12 @@ extern "C" void evma_start_tls (const unsigned long binding)
 evma_set_tls_parms
 ******************/
 
-extern "C" void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filename, int verify_peer)
+extern "C" void evma_set_tls_parms (const unsigned long binding, const char *ca_filename, const char *privatekey_filename, const char *privatekey_pwd, const char *certchain_filename, const char *hostname, int verify_peer)
 {
 	ensure_eventmachine("evma_set_tls_parms");
 	EventableDescriptor *ed = dynamic_cast <EventableDescriptor*> (Bindable_t::GetObject (binding));
 	if (ed)
-		ed->SetTlsParms (privatekey_filename, certchain_filename, (verify_peer == 1 ? true : false));
+		ed->SetTlsParms (ca_filename, privatekey_filename, privatekey_pwd, certchain_filename, hostname, (verify_peer == 1 ? true : false));
 }
 
 /******************

diff --git a/ext/ed.cpp b/ext/ed.cpp
@@ -569,8 +569,7 @@ int ConnectionDescriptor::SendOutboundData (const char *data, int length)
 			else
 				_DispatchCiphertext();
 		}
-		// TODO: What's the correct return value?
-		return 1; // That's a wild guess, almost certainly wrong.
+		return length;
 	}
 	else
 	#endif
@@ -1132,7 +1131,7 @@ void ConnectionDescriptor::StartTls()
 	if (SslBox)
 		throw std::runtime_error ("SSL/TLS already running on connection");
 
-	SslBox = new SslBox_t (bIsServer, PrivateKeyFilename, CertChainFilename, bSslVerifyPeer, GetBinding());
+	SslBox = new SslBox_t (bIsServer, CAFilename, PrivateKeyFilename, PrivateKeyPwd, CertChainFilename, Hostname, bSslVerifyPeer, GetBinding());
 	_DispatchCiphertext();
 	#endif
 
@@ -1146,15 +1145,22 @@ void ConnectionDescriptor::StartTls()
 ConnectionDescriptor::SetTlsParms
 *********************************/
 
-void ConnectionDescriptor::SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer)
+void ConnectionDescriptor::SetTlsParms (const char *ca_filename, const char *privkey_filename, const char *privkey_pwd, const char *certchain_filename, const char *hostname, bool verify_peer)
 {
 	#ifdef WITH_SSL
 	if (SslBox)
 		throw std::runtime_error ("call SetTlsParms before calling StartTls");
-	if (privkey_filename && *privkey_filename)
+	if (privkey_filename && *privkey_filename) {
 		PrivateKeyFilename = privkey_filename;
+		if (privkey_pwd && *privkey_pwd)
+			PrivateKeyPwd = privkey_pwd;
+	}
+	if (ca_filename && *ca_filename)
+		CAFilename = ca_filename;
 	if (certchain_filename && *certchain_filename)
 		CertChainFilename = certchain_filename;
+	if (hostname && *hostname)
+		Hostname = hostname;
 	bSslVerifyPeer = verify_peer;
 	#endif
 
@@ -1183,12 +1189,14 @@ ConnectionDescriptor::VerifySslPeer
 ***********************************/
 
 #ifdef WITH_SSL
-bool ConnectionDescriptor::VerifySslPeer(const char *cert)
+bool ConnectionDescriptor::VerifySslPeer(const char *cert, int preverify_ok)
 {
 	bSslPeerAccepted = false;
 
+	int message = (preverify_ok == 1 ? EM_SSL_VERIFY_SUCCESS : EM_SSL_VERIFY_FAILURE);
+
 	if (EventCallback)
-		(*EventCallback)(GetBinding(), EM_SSL_VERIFY, cert, strlen(cert));
+		(*EventCallback)(GetBinding(), message, cert, strlen(cert));
 
 	return bSslPeerAccepted;
 }

diff --git a/ext/ed.h b/ext/ed.h
@@ -69,7 +69,7 @@ class EventableDescriptor: public Bindable_t
 		virtual bool GetSubprocessPid (pid_t*) {return false;}
 
 		virtual void StartTls() {}
-		virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer) {}
+		virtual void SetTlsParms (const char *ca_filename, const char *privkey_filename, const char *privkey_file_pwd, const char *certchain_filename, const char *hostname, bool verify_peer) {}
 
 		#ifdef WITH_SSL
 		virtual X509 *GetPeerCert() {return NULL;}
@@ -193,11 +193,11 @@ class ConnectionDescriptor: public EventableDescriptor
 		virtual int GetOutboundDataSize() {return OutboundDataSize;}
 
 		virtual void StartTls();
-		virtual void SetTlsParms (const char *privkey_filename, const char *certchain_filename, bool verify_peer);
+		virtual void SetTlsParms (const char *ca_filename, const char *privkey_filename, const char *privkey_pwd, const char *certchain_filename, const char *hostname, bool verify_peer);
 
 		#ifdef WITH_SSL
 		virtual X509 *GetPeerCert();
-		virtual bool VerifySslPeer(const char*);
+		virtual bool VerifySslPeer(const char*, int);
 		virtual void AcceptSslPeer();
 		#endif
 
@@ -236,7 +236,10 @@ class ConnectionDescriptor: public EventableDescriptor
 		#ifdef WITH_SSL
 		SslBox_t *SslBox;
 		std::string CertChainFilename;
+		std::string CAFilename;
 		std::string PrivateKeyFilename;
+		std::string PrivateKeyPwd;
+		std::string Hostname;
 		bool bHandshakeSignaled;
 		bool bSslVerifyPeer;
 		bool bSslPeerAccepted;

diff --git a/ext/eventmachine.h b/ext/eventmachine.h
@@ -34,9 +34,11 @@ extern "C" {
 		EM_CONNECTION_NOTIFY_READABLE = 106,
 		EM_CONNECTION_NOTIFY_WRITABLE = 107,
 		EM_SSL_HANDSHAKE_COMPLETED = 108,
-		EM_SSL_VERIFY = 109,
+		// EM_SSL_VERIFY = 109, -- deprecated for 112 & 113. reuse?
 		EM_PROXY_TARGET_UNBOUND = 110,
-		EM_PROXY_COMPLETED = 111
+		EM_PROXY_COMPLETED = 111,
+		EM_SSL_VERIFY_SUCCESS = 112,
+		EM_SSL_VERIFY_FAILURE = 113
 
 	};
 
@@ -66,7 +68,7 @@ extern "C" {
 	const unsigned long evma_create_unix_domain_server (const char *filename);
 	const unsigned long evma_open_datagram_socket (const char *server, int port);
 	const unsigned long evma_open_keyboard();
-	void evma_set_tls_parms (const unsigned long binding, const char *privatekey_filename, const char *certchain_filenane, int verify_peer);
+	void evma_set_tls_parms (const unsigned long binding, const char *ca_filename, const char *privatekey_filename, const char *privatekey_pwd, const char *certchain_filenane, const char *hostname, int verify_peer);
 	void evma_start_tls (const unsigned long binding);
 
 	#ifdef WITH_SSL

diff --git a/ext/project.h b/ext/project.h
@@ -105,6 +105,7 @@ using namespace std;
 #ifdef WITH_SSL
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#include <openssl/x509v3.h>
 #endif
 
 #ifdef HAVE_EPOLL

diff --git a/ext/rubymain.cpp b/ext/rubymain.cpp
@@ -146,10 +146,26 @@ static inline void event_callback (struct em_event* e)
 			rb_funcall (conn, Intern_ssl_handshake_completed, 0);
 			return;
 		}
-		case EM_SSL_VERIFY:
+		case EM_SSL_VERIFY_SUCCESS:
 		{
 			VALUE conn = ensure_conn(signature);
-			VALUE should_accept = rb_funcall (conn, Intern_ssl_verify_peer, 1, rb_str_new(data_str, data_num));
+			VALUE should_accept;
+			if (rb_obj_method_arity(conn, Intern_ssl_verify_peer) == 1)
+				should_accept = rb_funcall (conn, Intern_ssl_verify_peer, 1, rb_str_new(data_str, data_num));
+			else
+				should_accept = rb_funcall (conn, Intern_ssl_verify_peer, 2, rb_str_new(data_str, data_num), Qtrue);
+			if (RTEST(should_accept))
+				evma_accept_ssl_peer (signature);
+			return;
+		}
+		case EM_SSL_VERIFY_FAILURE:
+		{
+			VALUE conn = ensure_conn(signature);
+			VALUE should_accept;
+			if (rb_obj_method_arity(conn, Intern_ssl_verify_peer) == 1)
+				should_accept = rb_funcall (conn, Intern_ssl_verify_peer, 1, rb_str_new(data_str, data_num));
+			else
+				should_accept = rb_funcall (conn, Intern_ssl_verify_peer, 2, rb_str_new(data_str, data_num), Qfalse);
 			if (RTEST(should_accept))
 				evma_accept_ssl_peer (signature);
 			return;
@@ -300,14 +316,14 @@ static VALUE t_start_tls (VALUE self, VALUE signature)
 t_set_tls_parms
 ***************/
 
-static VALUE t_set_tls_parms (VALUE self, VALUE signature, VALUE privkeyfile, VALUE certchainfile, VALUE verify_peer)
+static VALUE t_set_tls_parms (VALUE self, VALUE signature, VALUE cafile, VALUE privkeyfile, VALUE privkeypwd, VALUE certchainfile, VALUE hostname, VALUE verify_peer)
 {
 	/* set_tls_parms takes a series of positional arguments for specifying such things
 	 * as private keys and certificate chains.
 	 * It's expected that the parameter list will grow as we add more supported features.
 	 * ALL of these parameters are optional, and can be specified as empty or NULL strings.
 	 */
-	evma_set_tls_parms (NUM2ULONG (signature), StringValuePtr (privkeyfile), StringValuePtr (certchainfile), (verify_peer == Qtrue ? 1 : 0));
+	evma_set_tls_parms (NUM2ULONG (signature), StringValuePtr (cafile), StringValuePtr (privkeyfile), StringValuePtr (privkeypwd), StringValuePtr (certchainfile), StringValuePtr (hostname), (verify_peer == Qtrue ? 1 : 0));
 	return Qnil;
 }
 
@@ -1204,7 +1220,7 @@ extern "C" void Init_rubyeventmachine()
 	rb_define_module_function (EmModule, "start_tcp_server", (VALUE(*)(...))t_start_server, 2);
 	rb_define_module_function (EmModule, "stop_tcp_server", (VALUE(*)(...))t_stop_server, 1);
 	rb_define_module_function (EmModule, "start_unix_server", (VALUE(*)(...))t_start_unix_server, 1);
-	rb_define_module_function (EmModule, "set_tls_parms", (VALUE(*)(...))t_set_tls_parms, 4);
+	rb_define_module_function (EmModule, "set_tls_parms", (VALUE(*)(...))t_set_tls_parms, 7);
 	rb_define_module_function (EmModule, "start_tls", (VALUE(*)(...))t_start_tls, 1);
 	rb_define_module_function (EmModule, "get_peer_cert", (VALUE(*)(...))t_get_peer_cert, 1);
 	rb_define_module_function (EmModule, "send_data", (VALUE(*)(...))t_send_data, 3);