THRIFT-1136 C++ SSL implementation cleanup
git-svn-id: https://svn.apache.org/repos/asf/thrift/trunk@1091553 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/lib/cpp/README.SSL b/lib/cpp/README.SSL
new file mode 100644
index 0000000..a928057
--- /dev/null
+++ b/lib/cpp/README.SSL
@@ -0,0 +1,135 @@
+Notes on Thrift/SSL
+
+Author: Ping Li <pingli@facebook.com>
+
+1. Scope
+
+ This SSL only supports blocking mode socket I/O. It can only be used with
+ TSimpleServer, TThreadedServer, and TThreadPoolServer.
+
+2. Implementation
+
+ There're two main classes TSSLSocketFactory and TSSLSocket. Instances of
+ TSSLSocket are always created from TSSLSocketFactory.
+
+ PosixSSLThreadFactory creates PosixSSLThread. The only difference from the
+ PthreadThread type is that it cleanups OpenSSL error queue upon exiting
+ the thread. Ideally, OpenSSL APIs should only be called from PosixSSLThread.
+
+3. How to use SSL APIs
+
+ // This is for demo. In real code, typically only one TSSLSocketFactory
+ // instance is needed.
+ shared_ptr<TSSLSocketFactory> getSSLSocketFactory() {
+ shared_ptr<TSSLSocketFactory> factory(new TSSLSocketFactory());
+ // client: load trusted certificates
+ factory->loadTrustedCertificates("my-trusted-ca-certificates.pem");
+ // client: optionally set your own access manager, otherwise,
+ // the default client access manager will be loaded.
+
+ factory->loadCertificate("my-certificate-signed-by-ca.pem");
+ factory->loadPrivateKey("my-private-key.pem");
+ // server: optionally setup access manager
+ // shared_ptr<AccessManager> accessManager(new MyAccessManager);
+ // factory->access(accessManager);
+ ...
+ }
+
+ // client code sample
+ shared_ptr<TSSLSocketFactory> factory = getSSLSocketFactory();
+ shared_ptr<TSocket> socket = factory.createSocket(host, port);
+ shared_ptr<TBufferedTransport> transport(new TBufferedTransport(socket));
+ ...
+
+ // server code sample
+ shared_ptr<TSSLSocketFactory> factory = getSSLSocketFactory();
+ shared_ptr<TSSLServerSocket> socket(new TSSLServerSocket(port, factory));
+ shared_ptr<TTransportFactory> transportFactory(new TBufferedTransportFactory));
+ ...
+
+4. AccessManager
+
+ AccessManager defines a callback interface. It has three callback methods:
+
+ (a) Decision verify(const sockaddr_storage& sa);
+ (b) Decision verify(const string& host, const char* name, int size);
+ (c) Decision verify(const sockaddr_storage& sa, const char* data, int size);
+
+ After SSL handshake completes, additional checks are conducted. Application
+ is given the chance to decide whether or not to continue the conversation
+ with the remote. Application is queried through the above three "verify"
+ method. They are called at different points of the verification process.
+
+ Decisions can be one of ALLOW, DENY, and SKIP. ALLOW and DENY means the
+ conversation should be continued or disconnected, respectively. ALLOW and
+ DENY decision stops the verification process. SKIP means there's no decision
+ based on the given input, continue the verification process.
+
+ First, (a) is called with the remote IP. It is called once at the beginning.
+ "sa" is the IP address of the remote peer.
+
+ Then, the certificate of remote peer is loaded. SubjectAltName extensions
+ are extracted and sent to application for verification. When a DNS
+ subjectAltName field is extracted, (b) is called. When an IP subjectAltName
+ field is extracted, (c) is called.
+
+ The "host" in (b) is the value from TSocket::getHost() if this is a client
+ side socket, or TSocket::getPeerHost() if this is a server side socket. The
+ reason is client side socket initiates the connection. TSocket::getHost()
+ is the remote host name. On server side, the remote host name is unknown
+ unless it's retrieved through TSocket::getPeerHost(). Either way, "host"
+ should be the remote host name. Keep in mind, if TSocket::getPeerHost()
+ failed, it would return the remote host name in numeric format.
+
+ If all subjectAltName extensions were "skipped", the common name field would
+ be checked. It is sent to application through (c), where "sa" is the remote
+ IP address. "data" is the IP address extracted from subjectAltName IP
+ extension, and "size" is the length of the extension data.
+
+ If any of the above "verify" methods returned a decision ALLOW or DENY, the
+ verification process would be stopped.
+
+ If any of the above "verify" methods returned SKIP, that decision would be
+ ignored and the verification process would move on till the last item is
+ examined. At that point, if there's still no decision, the connection is
+ terminated.
+
+ Thread safety, an access manager should not store state information if it's
+ to be used by many SSL sockets.
+
+5. SIGPIPE signal
+
+ Applications running OpenSSL over network connections may crash if SIGPIPE
+ is not ignored. This happens when they receive a connection reset by remote
+ peer exception, which somehow triggers a SIGPIPE signal. If not handled,
+ this signal would kill the application.
+
+6. How to run test client/server in SSL mode
+
+ The server expects the followings from the current working directory,
+ - "server-certificate.pem"
+ - "server-private-key.pem"
+
+ The client loads "trusted-ca-certificate.pem" from current directory.
+
+ The file names are hard coded in the source code. You need to create these
+ certificates before you can run the test code in SSL mode. Make sure at least
+ one of the followings is included in "server-certificate.pem",
+ - subjectAltName, DNS localhost
+ - subjectAltName, IP 127.0.0.1
+ - common name, localhost
+
+ Run,
+ - "./test_server --ssl" to start server
+ - "./test_client --ssl" to run client
+
+ If "-h <host>" is used to run client, the above "localhost" in the above
+ server-certificate.pem has to be replaced with that host name.
+
+7. TSSLSocketFactory::randomize()
+
+ The default implementation of OpenSSLSocketFactory::randomize() simply calls
+ OpenSSL's RAND_poll() when OpenSSL library is first initialized.
+
+ The PRNG seed is key to the application security. This method should be
+ overridden if it's not strong enough for you.
diff --git a/lib/cpp/src/transport/TSSLServerSocket.cpp b/lib/cpp/src/transport/TSSLServerSocket.cpp
index ed4b648..8e06f30 100644
--- a/lib/cpp/src/transport/TSSLServerSocket.cpp
+++ b/lib/cpp/src/transport/TSSLServerSocket.cpp
@@ -1,8 +1,21 @@
-// Copyright (c) 2009- Facebook
-// Distributed under the Thrift Software License
-//
-// See accompanying file LICENSE or visit the Thrift site at:
-// http://developers.facebook.com/thrift/
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
#include "TSSLServerSocket.h"
#include "TSSLSocket.h"
@@ -13,8 +26,6 @@
/**
* SSL server socket implementation.
- *
- * @author Ping Li <pingli@facebook.com>
*/
TSSLServerSocket::TSSLServerSocket(int port,
shared_ptr<TSSLSocketFactory> factory):
diff --git a/lib/cpp/src/transport/TSSLServerSocket.h b/lib/cpp/src/transport/TSSLServerSocket.h
index 36f895c..a4e659d 100644
--- a/lib/cpp/src/transport/TSSLServerSocket.h
+++ b/lib/cpp/src/transport/TSSLServerSocket.h
@@ -1,8 +1,21 @@
-// Copyright (c) 2009- Facebook
-// Distributed under the Thrift Software License
-//
-// See accompanying file LICENSE or visit the Thrift site at:
-// http://developers.facebook.com/thrift/
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
#ifndef _THRIFT_TRANSPORT_TSSLSERVERSOCKET_H_
#define _THRIFT_TRANSPORT_TSSLSERVERSOCKET_H_ 1
@@ -16,8 +29,6 @@
/**
* Server socket that accepts SSL connections.
- *
- * @author Ping Li <pingli@facebook.com>
*/
class TSSLServerSocket: public TServerSocket {
public:
diff --git a/lib/cpp/src/transport/TSSLSocket.cpp b/lib/cpp/src/transport/TSSLSocket.cpp
index c8a3b25..602a894 100644
--- a/lib/cpp/src/transport/TSSLSocket.cpp
+++ b/lib/cpp/src/transport/TSSLSocket.cpp
@@ -1,8 +1,21 @@
-// Copyright (c) 2009- Facebook
-// Distributed under the Thrift Software License
-//
-// See accompanying file LICENSE or visit the Thrift site at:
-// http://developers.facebook.com/thrift/
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
#include <errno.h>
#include <string>
diff --git a/lib/cpp/src/transport/TSSLSocket.h b/lib/cpp/src/transport/TSSLSocket.h
index 58e3934..6b241b2 100644
--- a/lib/cpp/src/transport/TSSLSocket.h
+++ b/lib/cpp/src/transport/TSSLSocket.h
@@ -1,8 +1,21 @@
-// Copyright (c) 2009- Facebook
-// Distributed under the Thrift Software License
-//
-// See accompanying file LICENSE or visit the Thrift site at:
-// http://developers.facebook.com/thrift/
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
#ifndef _THRIFT_TRANSPORT_TSSLSOCKET_H_
#define _THRIFT_TRANSPORT_TSSLSOCKET_H_ 1
@@ -20,8 +33,6 @@
/**
* OpenSSL implementation for SSL socket interface.
- *
- * @author Ping Li <pingli@facebook.com>
*/
class TSSLSocket: public TSocket {
public: