2 * Copyright (c) 2015, Peter Thorson. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions are met:
6 * * Redistributions of source code must retain the above copyright
7 * notice, this list of conditions and the following disclaimer.
8 * * Redistributions in binary form must reproduce the above copyright
9 * notice, this list of conditions and the following disclaimer in the
10 * documentation and/or other materials provided with the distribution.
11 * * Neither the name of the WebSocket++ Project nor the
12 * names of its contributors may be used to endorse or promote products
13 * derived from this software without specific prior written permission.
15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL PETER THORSON BE LIABLE FOR ANY
19 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
20 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
21 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
22 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
24 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #ifndef WEBSOCKETPP_TRANSPORT_SECURITY_TLS_HPP
29 #define WEBSOCKETPP_TRANSPORT_SECURITY_TLS_HPP
31 #include <websocketpp/transport/asio/security/base.hpp>
33 #include <websocketpp/uri.hpp>
35 #include <websocketpp/common/asio_ssl.hpp>
36 #include <websocketpp/common/asio.hpp>
37 #include <websocketpp/common/connection_hdl.hpp>
38 #include <websocketpp/common/functional.hpp>
39 #include <websocketpp/common/memory.hpp>
44 namespace websocketpp {
47 /// A socket policy for the asio transport that implements a TLS encrypted
48 /// socket by wrapping with an asio::ssl::stream
49 namespace tls_socket {
51 /// The signature of the socket_init_handler for this socket policy
52 typedef lib::function<void(connection_hdl,lib::asio::ssl::stream<
53 lib::asio::ip::tcp::socket>&)> socket_init_handler;
54 /// The signature of the tls_init_handler for this socket policy
55 typedef lib::function<lib::shared_ptr<lib::asio::ssl::context>(connection_hdl)>
58 /// TLS enabled Asio connection socket component
60 * transport::asio::tls_socket::connection implements a secure connection socket
61 * component that uses Asio's ssl::stream to wrap an ip::tcp::socket.
63 class connection : public lib::enable_shared_from_this<connection> {
65 /// Type of this connection socket component
66 typedef connection type;
67 /// Type of a shared pointer to this connection socket component
68 typedef lib::shared_ptr<type> ptr;
70 /// Type of the ASIO socket being used
71 typedef lib::asio::ssl::stream<lib::asio::ip::tcp::socket> socket_type;
72 /// Type of a shared pointer to the ASIO socket being used
73 typedef lib::shared_ptr<socket_type> socket_ptr;
74 /// Type of a pointer to the ASIO io_service being used
75 typedef lib::asio::io_service * io_service_ptr;
76 /// Type of a pointer to the ASIO io_service strand being used
77 typedef lib::shared_ptr<lib::asio::io_service::strand> strand_ptr;
78 /// Type of a shared pointer to the ASIO TLS context being used
79 typedef lib::shared_ptr<lib::asio::ssl::context> context_ptr;
81 explicit connection() {
82 //std::cout << "transport::asio::tls_socket::connection constructor"
86 /// Get a shared pointer to this component
88 return shared_from_this();
91 /// Check whether or not this connection is secure
93 * @return Whether or not this connection is secure
95 bool is_secure() const {
99 /// Retrieve a pointer to the underlying socket
101 * This is used internally. It can also be used to set socket options, etc
103 socket_type::lowest_layer_type & get_raw_socket() {
104 return m_socket->lowest_layer();
107 /// Retrieve a pointer to the layer below the ssl stream
109 * This is used internally.
111 socket_type::next_layer_type & get_next_layer() {
112 return m_socket->next_layer();
115 /// Retrieve a pointer to the wrapped socket
117 * This is used internally.
119 socket_type & get_socket() {
123 /// Set the socket initialization handler
125 * The socket initialization handler is called after the socket object is
126 * created but before it is used. This gives the application a chance to
127 * set any ASIO socket options it needs.
129 * @param h The new socket_init_handler
131 void set_socket_init_handler(socket_init_handler h) {
132 m_socket_init_handler = h;
135 /// Set TLS init handler
137 * The tls init handler is called when needed to request a TLS context for
138 * the library to use. A TLS init handler must be set and it must return a
139 * valid TLS context in order for this endpoint to be able to initialize
142 * @param h The new tls_init_handler
144 void set_tls_init_handler(tls_init_handler h) {
145 m_tls_init_handler = h;
148 /// Get the remote endpoint address
150 * The iostream transport has no information about the ultimate remote
151 * endpoint. It will return the string "iostream transport". To indicate
154 * TODO: allow user settable remote endpoint addresses if this seems useful
156 * @return A string identifying the address of the remote endpoint
158 std::string get_remote_endpoint(lib::error_code & ec) const {
161 lib::asio::error_code aec;
162 lib::asio::ip::tcp::endpoint ep = m_socket->lowest_layer().remote_endpoint(aec);
165 ec = error::make_error_code(error::pass_through);
166 s << "Error getting remote endpoint: " << aec
167 << " (" << aec.message() << ")";
170 ec = lib::error_code();
176 /// Perform one time initializations
178 * init_asio is called once immediately after construction to initialize
179 * Asio components to the io_service
181 * @param service A pointer to the endpoint's io_service
182 * @param strand A pointer to the connection's strand
183 * @param is_server Whether or not the endpoint is a server or not.
185 lib::error_code init_asio (io_service_ptr service, strand_ptr strand,
188 if (!m_tls_init_handler) {
189 return socket::make_error_code(socket::error::missing_tls_init_handler);
191 m_context = m_tls_init_handler(m_hdl);
194 return socket::make_error_code(socket::error::invalid_tls_context);
196 m_socket = lib::make_shared<socket_type>(
197 _WEBSOCKETPP_REF(*service),lib::ref(*m_context));
199 m_io_service = service;
201 m_is_server = is_server;
203 return lib::error_code();
206 /// Set hostname hook
208 * Called by the transport as a connection is being established to provide
209 * the hostname being connected to to the security/socket layer.
211 * This socket policy uses the hostname to set the appropriate TLS SNI
216 * @param u The uri to set
218 void set_uri(uri_ptr u) {
222 /// Pre-initialize security policy
224 * Called by the transport after a new connection is created to initialize
225 * the socket component of the connection. This method is not allowed to
226 * write any bytes to the wire. This initialization happens before any
227 * proxies or other intermediate wrappers are negotiated.
229 * @param callback Handler to call back with completion information
231 void pre_init(init_handler callback) {
232 // TODO: is this the best way to check whether this function is
233 // available in the version of OpenSSL being used?
234 // TODO: consider case where host is an IP address
235 #if OPENSSL_VERSION_NUMBER >= 0x90812f
237 // For clients on systems with a suitable OpenSSL version, set the
238 // TLS SNI hostname header so connecting to TLS servers using SNI
240 long res = SSL_set_tlsext_host_name(
241 get_socket().native_handle(), m_uri->get_host().c_str());
243 callback(socket::make_error_code(socket::error::tls_failed_sni_hostname));
248 if (m_socket_init_handler) {
249 m_socket_init_handler(m_hdl,get_socket());
252 callback(lib::error_code());
255 /// Post-initialize security policy
257 * Called by the transport after all intermediate proxies have been
258 * negotiated. This gives the security policy the chance to talk with the
259 * real remote endpoint for a bit before the websocket handshake.
261 * @param callback Handler to call back with completion information
263 void post_init(init_handler callback) {
264 m_ec = socket::make_error_code(socket::error::tls_handshake_timeout);
268 m_socket->async_handshake(
269 get_handshake_type(),
270 m_strand->wrap(lib::bind(
271 &type::handle_init, get_shared(),
273 lib::placeholders::_1
277 m_socket->async_handshake(
278 get_handshake_type(),
280 &type::handle_init, get_shared(),
282 lib::placeholders::_1
288 /// Sets the connection handle
290 * The connection handle is passed to any handlers to identify the
293 * @param hdl The new handle
295 void set_handle(connection_hdl hdl) {
299 void handle_init(init_handler callback,lib::asio::error_code const & ec) {
301 m_ec = socket::make_error_code(socket::error::tls_handshake_failed);
303 m_ec = lib::error_code();
309 lib::error_code get_ec() const {
313 /// Cancel all async operations on this socket
315 * Attempts to cancel all async operations on this socket and reports any
318 * NOTE: Windows XP and earlier do not support socket cancellation.
320 * @return The error that occurred, if any.
322 lib::asio::error_code cancel_socket() {
323 lib::asio::error_code ec;
324 get_raw_socket().cancel(ec);
328 void async_shutdown(socket::shutdown_handler callback) {
330 m_socket->async_shutdown(m_strand->wrap(callback));
332 m_socket->async_shutdown(callback);
336 /// Translate any security policy specific information about an error code
338 * Translate_ec takes an Asio error code and attempts to convert its value
339 * to an appropriate websocketpp error code. In the case that the Asio and
340 * Websocketpp error types are the same (such as using boost::asio and
341 * boost::system_error or using standalone asio and std::system_error the
342 * code will be passed through natively.
344 * In the case of a mismatch (boost::asio with std::system_error) a
345 * translated code will be returned. Any error that is determined to be
346 * related to TLS but does not have a more specific websocketpp error code
347 * is returned under the catch all error `tls_error`. Non-TLS related errors
348 * are returned as the transport generic error `pass_through`
352 * @param ec The error code to translate_ec
353 * @return The translated error code
355 template <typename ErrorCodeType>
356 lib::error_code translate_ec(ErrorCodeType ec) {
357 if (ec.category() == lib::asio::error::get_ssl_category()) {
358 if (ERR_GET_REASON(ec.value()) == SSL_R_SHORT_READ) {
359 return make_error_code(transport::error::tls_short_read);
361 // We know it is a TLS related error, but otherwise don't know
362 // more. Pass through as TLS generic.
363 return make_error_code(transport::error::tls_error);
366 // We don't know any more information about this error so pass
368 return make_error_code(transport::error::pass_through);
372 /// Overload of translate_ec to catch cases where lib::error_code is the
373 /// same type as lib::asio::error_code
374 lib::error_code translate_ec(lib::error_code ec) {
375 // Normalize the tls_short_read error as it is used by the library and
376 // needs a consistent value. All other errors pass through natively.
377 // TODO: how to get the SSL category from std::error?
378 /*if (ec.category() == lib::asio::error::get_ssl_category()) {
379 if (ERR_GET_REASON(ec.value()) == SSL_R_SHORT_READ) {
380 return make_error_code(transport::error::tls_short_read);
386 socket_type::handshake_type get_handshake_type() {
388 return lib::asio::ssl::stream_base::server;
390 return lib::asio::ssl::stream_base::client;
394 io_service_ptr m_io_service;
396 context_ptr m_context;
401 lib::error_code m_ec;
403 connection_hdl m_hdl;
404 socket_init_handler m_socket_init_handler;
405 tls_init_handler m_tls_init_handler;
408 /// TLS enabled Asio endpoint socket component
410 * transport::asio::tls_socket::endpoint implements a secure endpoint socket
411 * component that uses Asio's ssl::stream to wrap an ip::tcp::socket.
415 /// The type of this endpoint socket component
416 typedef endpoint type;
418 /// The type of the corresponding connection socket component
419 typedef connection socket_con_type;
420 /// The type of a shared pointer to the corresponding connection socket
422 typedef socket_con_type::ptr socket_con_ptr;
424 explicit endpoint() {}
426 /// Checks whether the endpoint creates secure connections
428 * @return Whether or not the endpoint creates secure connections
430 bool is_secure() const {
434 /// Set socket init handler
436 * The socket init handler is called after a connection's socket is created
437 * but before it is used. This gives the end application an opportunity to
438 * set asio socket specific parameters.
440 * @param h The new socket_init_handler
442 void set_socket_init_handler(socket_init_handler h) {
443 m_socket_init_handler = h;
446 /// Set TLS init handler
448 * The tls init handler is called when needed to request a TLS context for
449 * the library to use. A TLS init handler must be set and it must return a
450 * valid TLS context in order for this endpoint to be able to initialize
453 * @param h The new tls_init_handler
455 void set_tls_init_handler(tls_init_handler h) {
456 m_tls_init_handler = h;
459 /// Initialize a connection
461 * Called by the transport after a new connection is created to initialize
462 * the socket component of the connection.
464 * @param scon Pointer to the socket component of the connection
466 * @return Error code (empty on success)
468 lib::error_code init(socket_con_ptr scon) {
469 scon->set_socket_init_handler(m_socket_init_handler);
470 scon->set_tls_init_handler(m_tls_init_handler);
471 return lib::error_code();
475 socket_init_handler m_socket_init_handler;
476 tls_init_handler m_tls_init_handler;
479 } // namespace tls_socket
481 } // namespace transport
482 } // namespace websocketpp
484 #endif // WEBSOCKETPP_TRANSPORT_SECURITY_TLS_HPP