Re: [gnet-dev] [PATCH] SSL



I've finally gotten around to taking a closer look at Szalai's patch.

My notes:

Szalai's patch is mostly a thin wrapper around OpenSSL.  It has context
and session objects corresponding to OpenSSL's.  The main feature of the
patch is the GSSLChannel object, which can be used like any other
GIOChannel.

To connect, a client does the following:
  ctx = gnet_ssl_ctx_new (key file, cert file, CA file, CA directory)
  session = gnet_ssl_session_new (string id, ctx)
  socket = gnet_tcp_ssl_socket_new (addr, session)
  iochannel = gnet_tcp_socket_get_iochannel (socket)

  The iochannel is actually a GSSLChannel, but a "child" of GIOChannel.

To accept, a server does the following:
  server = gnet_tcp_socket_server_with_port (port)
  ctx = ... 
  session = ...
  client_socket = gnet_tcp_ssl_socket_server_accept (server, session)
  iochannel = gnet_tcp_socket_get_iochannel (client_socket)

This is a good start and all the features we need are here, AFAIK.  The
API could be simplified though.  I would combine context and session
into one struct (GSSLOptions) or session into the SSLChannel. 
SSLChannel creation can be moved out of TCPSocket.  Like this:

  GSSLOptions*
  gnet_ssl_options_new ()
                  _use_key (key file)
		  _use_certificate_file (certificate file)
		...
	I don't know OpenSSL very well, so I don't know what API
	makes sense here.  The point is the arguments to the constructor
	should be mandatory (assert != NULL).  Then call set_XXX for
	optional things.  (Or, have a _new(mandatory arguments) and
	_new_full(mandatory + optional arguments) if that makes more
	sense.)
  ...


  GIOChannel*
  gnet_ssl_io_channel_new_connect (GIOChannel* iochannel, 
				   GSSLOptions* options);
    (calls SSL_connect, creates IOChannel from old IOChannel)

  GIOChannel*
  gnet_ssl_io_channel_new_accept (GIOChannel* iochannel, 
  				  GSSLOptions* options);
    (calls SSL_accept, ...)


GTCPSocket does not need to know about SSL.  We could add SSL
constructors that would call gnet_ssl_io_channel_new_XXX() and set the
IOChannel appropriately.  Currently tcp_socket_get_io_channel() would
return the raw iochannel, not the SSL iochannel.  I don't think this is
a necessary feature.

Does this make sense?  I'm not an OpenSSL expert so this may not be
possible.  Like I said before, I'm mostly concerned about getting the
API right the first time.

David

PS, if it's easier, we (Szalai and anyone interested) should meet on IRC
and discuss it.


On Tue, 2003-08-19 at 09:10, Szalai Ferenc wrote:
> Hello,
> 
> Here is my first version of SSL patch to GNet:
> 
> https://boogie.lpds.sztaki.hu/~szferi/gnetssl.tgz
> 
> Any comment and questions are welcome.
> 
> Sort todo here:
> - Currently only works with TCP based communication sockets.
> - Session caching
> - More utility to handle certificates
> - Digital signature generation for data buffers
> - GNet 1.2 support
> - CRL management
> - reduce code duplication
>  
> Regards,
> Ferenc
> 
> _______________________________________________
> gnet-dev mailing list
> gnet-dev gnetlibrary org
> http://www.gnetlibrary.org/mailman/listinfo/gnet-dev
-- 
David Helder - dhelder gizmolabs org - http://www.gizmolabs.org/~dhelder