//
// SecureStreamSocket.h
//
// Library: NetSSL_OpenSSL
// Package: SSLSockets
// Module:  SecureStreamSocket
//
// Definition of the SecureStreamSocket class.
//
// Copyright (c) 2006-2010, Applied Informatics Software Engineering GmbH.
// and Contributors.
//
// SPDX-License-Identifier:	BSL-1.0
//


#ifndef NetSSL_SecureStreamSocket_INCLUDED
#define NetSSL_SecureStreamSocket_INCLUDED


#include "Poco/Net/NetSSL.h"
#include "Poco/Net/StreamSocket.h"
#include "Poco/Net/Context.h"
#include "Poco/Net/Session.h"
#include "Poco/Net/X509Certificate.h"


namespace Poco {
namespace Net {


class NetSSL_API SecureStreamSocket: public StreamSocket
	/// A subclass of StreamSocket for secure SSL sockets.
	///
	/// A few notes about nonblocking IO:
	/// sendBytes() and receiveBytes() can return a
	/// negative value when using a nonblocking socket, which means 
	/// a SSL handshake is currently in progress and more data
	/// needs to be read or written for the handshake to continue.
	/// If sendBytes() or receiveBytes() return ERR_SSL_WANT_WRITE,
	/// sendBytes() must be called as soon as possible (usually, after
	/// select() indicates that data can be written). Likewise, if
	/// ERR_SSL_WANT_READ is returned, receiveBytes() must be called
	/// as soon as data is available for reading (indicated by select()).
	///
	/// The SSL handshake is delayed until the first sendBytes() or 
	/// receiveBytes() operation is performed on the socket. No automatic
	/// post connection check (checking the peer certificate for a valid
	/// hostname) is performed when using nonblocking I/O. To manually
	/// perform peer certificate validation, call verifyPeerCertificate()
	/// after the SSL handshake has been completed.
{
public:
	enum
	{
		ERR_SSL_WANT_READ  = -1,
		ERR_SSL_WANT_WRITE = -2
	};
	
	SecureStreamSocket();
		/// Creates an unconnected secure stream socket
		/// using the default client SSL context.
		///
		/// Before sending or receiving data, the socket
		/// must be connected with a call to connect().

	explicit SecureStreamSocket(Context::Ptr pContext);
		/// Creates an unconnected secure stream socket
		/// using the given SSL context.
		///
		/// Before sending or receiving data, the socket
		/// must be connected with a call to connect().

	SecureStreamSocket(Context::Ptr pContext, Session::Ptr pSession);
		/// Creates an unconnected secure stream socket
		/// using the given SSL context.
		///
		/// Before sending or receiving data, the socket
		/// must be connected with a call to connect().
		///
		/// The given Session is reused, if possible (client session
		/// caching is enabled for the given Context, and the server
		/// agrees to reuse the session).

	explicit SecureStreamSocket(const SocketAddress& address);
		/// Creates a secure stream socket using the default 
		/// client SSL context and connects it to
		/// the socket specified by address.

	SecureStreamSocket(const SocketAddress& address, Context::Ptr pContext);
		/// Creates a secure stream socket using the given 
		/// client SSL context and connects it to
		/// the socket specified by address.

	SecureStreamSocket(const SocketAddress& address, Context::Ptr pContext, Session::Ptr pSession);
		/// Creates a secure stream socket using the given 
		/// client SSL context and connects it to
		/// the socket specified by address.
		///
		/// The given Session is reused, if possible (client session
		/// caching is enabled for the given Context, and the server
		/// agrees to reuse the session).

	SecureStreamSocket(const SocketAddress& address, const std::string& hostName);
		/// Creates a secure stream socket using the default 
		/// client SSL context and connects it to
		/// the socket specified by address.
		///
		/// The given host name is used for certificate verification.

	SecureStreamSocket(const SocketAddress& address, const std::string& hostName, Context::Ptr pContext);
		/// Creates a secure stream socket using the given 
		/// client SSL context and connects it to
		/// the socket specified by address.
		///
		/// The given host name is used for certificate verification.

	SecureStreamSocket(const SocketAddress& address, const std::string& hostName, Context::Ptr pContext, Session::Ptr pSession);
		/// Creates a secure stream socket using the given 
		/// client SSL context and connects it to
		/// the socket specified by address.
		///
		/// The given host name is used for certificate verification.
		///
		/// The given Session is reused, if possible (client session
		/// caching is enabled for the given Context, and the server
		/// agrees to reuse the session).

	SecureStreamSocket(const Socket& socket);
		/// Creates the SecureStreamSocket with the SocketImpl
		/// from another socket. The SocketImpl must be
		/// a SecureStreamSocketImpl, otherwise an InvalidArgumentException
		/// will be thrown.

	virtual ~SecureStreamSocket();
		/// Destroys the StreamSocket.

	SecureStreamSocket& operator = (const Socket& socket);
		/// Assignment operator.
		///
		/// Releases the socket's SocketImpl and
		/// attaches the SocketImpl from the other socket and
		/// increments the reference count of the SocketImpl.	
	
	bool havePeerCertificate() const;
		/// Returns true iff the peer has presented a
		/// certificate.

	X509Certificate peerCertificate() const;
		/// Returns the peer's X509 certificate.
		///
		/// Throws a SSLException if the peer did not
		/// present a certificate.
		
	void setPeerHostName(const std::string& hostName);
		/// Sets the peer's host name used for certificate validation.
		
	const std::string& getPeerHostName() const;
		/// Returns the peer's host name used for certificate validation.

	static SecureStreamSocket attach(const StreamSocket& streamSocket);
		/// Creates a SecureStreamSocket over an existing socket
		/// connection. The given StreamSocket must be connected.
		/// A SSL handshake will be performed.

	static SecureStreamSocket attach(const StreamSocket& streamSocket, Context::Ptr pContext);
		/// Creates a SecureStreamSocket over an existing socket
		/// connection. The given StreamSocket must be connected.
		/// A SSL handshake will be performed.

	static SecureStreamSocket attach(const StreamSocket& streamSocket, Context::Ptr pContext, Session::Ptr pSession);
		/// Creates a SecureStreamSocket over an existing socket
		/// connection. The given StreamSocket must be connected.
		/// A SSL handshake will be performed.
		///
		/// The given Session is reused, if possible (client session
		/// caching is enabled for the given Context, and the server
		/// agrees to reuse the session).

	static SecureStreamSocket attach(const StreamSocket& streamSocket, const std::string& peerHostName);
		/// Creates a SecureStreamSocket over an existing socket
		/// connection. The given StreamSocket must be connected.
		/// A SSL handshake will be performed.

	static SecureStreamSocket attach(const StreamSocket& streamSocket, const std::string& peerHostName, Context::Ptr pContext);
		/// Creates a SecureStreamSocket over an existing socket
		/// connection. The given StreamSocket must be connected.
		/// A SSL handshake will be performed.

	static SecureStreamSocket attach(const StreamSocket& streamSocket, const std::string& peerHostName, Context::Ptr pContext, Session::Ptr pSession);
		/// Creates a SecureStreamSocket over an existing socket
		/// connection. The given StreamSocket must be connected.
		/// A SSL handshake will be performed.
		///
		/// The given Session is reused, if possible (client session
		/// caching is enabled for the given Context, and the server
		/// agrees to reuse the session).

	Context::Ptr context() const;
		/// Returns the SSL context used by this socket.
		
	void setLazyHandshake(bool flag = true);
		/// Enable lazy SSL handshake. If enabled, the SSL handshake
		/// will be performed the first time date is sent or
		/// received over the connection.
		
	bool getLazyHandshake() const;
		/// Returns true if setLazyHandshake(true) has been called.
		
	void verifyPeerCertificate();
		/// Performs post-connect (or post-accept) peer certificate validation,
		/// using the peer host name set with setPeerHostName(), or the peer's
		/// IP address string if no peer host name has been set.
		///
		/// Should only be used for non-blocking connections, after the
		/// initial SSL handshake has been performed (see completeHandshake()).

	void verifyPeerCertificate(const std::string& hostName);
		/// Performs post-connect (or post-accept) peer certificate validation
		/// using the given host name.
		///
		/// Should only be used for non-blocking connections, after the
		/// initial SSL handshake has been performed (see completeHandshake()).
		
	int completeHandshake();
		/// Completes the SSL handshake.
		///
		/// If the SSL connection was the result of an accept(),
		/// the server-side handshake is completed, otherwise
		/// a client-side handshake is performed.
		///
		/// Returns 1 if the handshake was successful, ERR_SSL_WANT_READ or
		/// ERR_SSL_WANT_WRITE if more data is required to complete the
		/// handshake. In this case, completeHandshake() should be called
		/// again, after the necessary condition has been met.

	Session::Ptr currentSession();
		/// Returns the SSL session of the current connection,
		/// for reuse in a future connection (if session caching
		/// is enabled).
		///
		/// If no connection is established, returns null.
		
	void useSession(Session::Ptr pSession);
		/// Sets the SSL session to use for the next
		/// connection. Setting a previously saved Session
		/// object is necessary to enable session caching.
		///
		/// To remove the currently set session, a null pointer
		/// can be given.
		///
		/// Must be called before connect() to be effective.
		
	bool sessionWasReused();
		/// Returns true iff a reused session was negotiated during
		/// the handshake.
		
	void abort();
		/// Aborts the SSL connection by closing the underlying
		/// TCP connection. No orderly SSL shutdown is performed.
		
protected:
	SecureStreamSocket(SocketImpl* pImpl);

	friend class SecureServerSocket;
};


} } // namespace Poco::Net


#endif // NetSSL_SecureStreamSocket_INCLUDED