authorAnthony Neal <aneal@zeroc.com>2002-03-13 20:10:07 +0000
committerAnthony Neal <aneal@zeroc.com>2002-03-13 20:10:07 +0000
commit27c5fa0a95a523c5bea82eecc420e805b4533aae (patch)
treeb18f7be9632d266d7e8f6c16b02de831a3e11d57 /cpp/src/Ice/SslConnectionOpenSSL.cpp
parentcleanup (diff)
Refactor of SSL Extension, phase 1.
Diffstat (limited to 'cpp/src/Ice/SslConnectionOpenSSL.cpp')
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSL.cpp229
1 files changed, 66 insertions, 163 deletions
diff --git a/cpp/src/Ice/SslConnectionOpenSSL.cpp b/cpp/src/Ice/SslConnectionOpenSSL.cpp
index 90356d05045..26ec74d9c7c 100644
--- a/cpp/src/Ice/SslConnectionOpenSSL.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSL.cpp
@@ -44,107 +44,8 @@ using Ice::Int;
using std::endl;
-using IceSecurity::Ssl::Factory;
-using IceSecurity::Ssl::SystemPtr;
-
-////////////////////////////////////////////////
-////////// DefaultCertificateVerifier //////////
-////////////////////////////////////////////////
-
-IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::DefaultCertificateVerifier()
-{
-}
-
-void
-IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::setTraceLevels(const TraceLevelsPtr& traceLevels)
-{
- _traceLevels = traceLevels;
-}
-
-void
-IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::setLogger(const LoggerPtr& logger)
-{
- _logger = logger;
-}
-
-int
-IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay,
- X509_STORE_CTX* x509StoreContext,
- SSL* sslConnection)
-{
- //
- // Default verification steps.
- //
-
- int verifyError = X509_STORE_CTX_get_error(x509StoreContext);
- int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext);
- int verifyDepth = SSL_get_verify_depth(sslConnection);
-
- // Verify Depth was set
- if (verifyError != X509_V_OK)
- {
- // If we have no errors so far, and the certificate chain is too long
- if ((verifyDepth != -1) && (verifyDepth < errorDepth))
- {
- verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG;
- X509_STORE_CTX_set_error(x509StoreContext, verifyError);
- }
-
- // If we have ANY errors, we bail out.
- preVerifyOkay = 0;
- }
-
- // Only if ICE_PROTOCOL level logging is on do we worry about this.
- if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
- {
- char buf[256];
-
- X509* err_cert = X509_STORE_CTX_get_current_cert(x509StoreContext);
-
- X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
-
- ostringstream outStringStream;
-
- outStringStream << "depth = " << dec << errorDepth << ":" << buf << std::endl;
-
- if (!preVerifyOkay)
- {
- outStringStream << "verify error: num = " << verifyError << " : "
- << X509_verify_cert_error_string(verifyError) << endl;
-
- }
-
- switch (verifyError)
- {
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- {
- X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
- outStringStream << "issuer = " << buf << endl;
- break;
- }
-
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- {
- outStringStream << "notBefore = " << getASN1time(X509_get_notBefore(err_cert)) << endl;
- break;
- }
-
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- {
- outStringStream << "notAfter = " << getASN1time(X509_get_notAfter(err_cert)) << endl;
- break;
- }
- }
-
- outStringStream << "verify return = " << preVerifyOkay << endl;
-
- _logger->trace(_traceLevels->securityCat, outStringStream.str());
- }
-
- return preVerifyOkay;
-}
+using IceSSL::Factory;
+using IceSSL::SystemInternalPtr;
////////////////////////////////
////////// Connection //////////
@@ -153,32 +54,34 @@ IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay,
//
// Static Member Initialization
//
-IceSecurity::Ssl::OpenSSL::SslConnectionMap IceSecurity::Ssl::OpenSSL::Connection::_connectionMap;
-::IceUtil::Mutex IceSecurity::Ssl::OpenSSL::Connection::_connectionRepositoryMutex;
+IceSSL::OpenSSL::SslConnectionMap IceSSL::OpenSSL::Connection::_connectionMap;
+::IceUtil::Mutex IceSSL::OpenSSL::Connection::_connectionRepositoryMutex;
//
// Public Methods
//
-void ::IceInternal::incRef(::IceSecurity::Ssl::OpenSSL::Connection* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSecurity::Ssl::OpenSSL::Connection* p) { p->__decRef(); }
+void ::IceInternal::incRef(::IceSSL::OpenSSL::Connection* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::Connection* p) { p->__decRef(); }
// Note: I would use a using directive of the form:
-// using IceSecurity::Ssl::CertificateVerifierPtr;
+// using IceSSL::CertificateVerifierPtr;
// but unfortunately, it appears that this is not properly picked up.
//
-IceSecurity::Ssl::OpenSSL::Connection::Connection(
- const IceSecurity::Ssl::CertificateVerifierPtr& certificateVerifier,
- SSL* sslConnection,
- const SystemPtr& system) :
- IceSecurity::Ssl::Connection(certificateVerifier),
- _sslConnection(sslConnection),
- _system(system)
+IceSSL::OpenSSL::Connection::Connection(
+ const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const IceSSL::CertificateVerifierPtr& certificateVerifier,
+ SSL* sslConnection,
+ const IceSSL::SystemInternalPtr& system) :
+ IceSSL::Connection(traceLevels, logger, certificateVerifier),
+ _sslConnection(sslConnection)
{
- assert(sslConnection);
+ assert(_sslConnection != 0);
+ assert(system != 0);
- Factory::addSystemHandle(sslConnection, system);
+ Factory::addSystemHandle(_sslConnection, system);
_lastError = SSL_ERROR_NONE;
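Review bot: The new constructor asserts `_sslConnection` and `system` but forwards `traceLevels` and `logger` to the base class unchecked, while `shutdown()` later in this file dereferences `_traceLevels->security` and calls through `_logger` with no null test, so unless the base constructor validates them (not visible here) a null handle only surfaces at the first trace call. Adding `assert(traceLevels.get() != 0);` and `assert(logger.get() != 0);` next to the two existing asserts keeps the precondition in one place. All of these checks are assert-only and vanish under NDEBUG, so in release builds `Factory::addSystemHandle` still receives whatever the caller passed. The constructor body continues past the end of this hunk.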
@@ -192,7 +95,7 @@ IceSecurity::Ssl::OpenSSL::Connection::Connection(
addConnection(_sslConnection, this);
}
-IceSecurity::Ssl::OpenSSL::Connection::~Connection()
+IceSSL::OpenSSL::Connection::~Connection()
{
if (_sslConnection != 0)
{
@@ -204,11 +107,11 @@ IceSecurity::Ssl::OpenSSL::Connection::~Connection()
}
void
-IceSecurity::Ssl::OpenSSL::Connection::shutdown()
+IceSSL::OpenSSL::Connection::shutdown()
{
if (_sslConnection != 0)
{
- if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
{
_logger->trace(_traceLevels->securityCat, "WRN " +
string("shutting down SSL connection\n") +
@@ -225,7 +128,7 @@ IceSecurity::Ssl::OpenSSL::Connection::shutdown()
}
while ((shutdown == 0) && (retries > 0));
- if ((_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) && (shutdown <= 0))
+ if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) && (shutdown <= 0))
{
ostringstream s;
s << "SSL shutdown failure encountered: code[" << shutdown << "] retries[";
@@ -236,25 +139,13 @@ IceSecurity::Ssl::OpenSSL::Connection::shutdown()
}
void
-IceSecurity::Ssl::OpenSSL::Connection::setTrace(const TraceLevelsPtr& traceLevels)
-{
- _traceLevels = traceLevels;
-}
-
-void
-IceSecurity::Ssl::OpenSSL::Connection::setLogger(const LoggerPtr& traceLevels)
-{
- _logger = traceLevels;
-}
-
-void
-IceSecurity::Ssl::OpenSSL::Connection::setHandshakeReadTimeout(int timeout)
-{
+IceSSL::OpenSSL::Connection::setHandshakeReadTimeout(int timeout)
+{
_handshakeReadTimeout = timeout;
}
-IceSecurity::Ssl::OpenSSL::ConnectionPtr
-IceSecurity::Ssl::OpenSSL::Connection::getConnection(SSL* sslPtr)
+IceSSL::OpenSSL::ConnectionPtr
+IceSSL::OpenSSL::Connection::getConnection(SSL* sslPtr)
{
IceUtil::Mutex::Lock sync(_connectionRepositoryMutex);
@@ -268,14 +159,14 @@ IceSecurity::Ssl::OpenSSL::Connection::getConnection(SSL* sslPtr)
}
int
-IceSecurity::Ssl::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX* x509StoreContext)
+IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX* x509StoreContext)
{
// Should NEVER be able to happen.
assert(_certificateVerifier.get() != 0);
// Get the verifier, make sure it is for OpenSSL connections
- IceSecurity::Ssl::OpenSSL::CertificateVerifier* verifier;
- verifier = dynamic_cast<IceSecurity::Ssl::OpenSSL::CertificateVerifier*>(_certificateVerifier.get());
+ IceSSL::OpenSSL::CertificateVerifier* verifier;
+ verifier = dynamic_cast<IceSSL::OpenSSL::CertificateVerifier*>(_certificateVerifier.get());
// Check to make sure we have a proper verifier for the operation.
if (verifier)
@@ -288,7 +179,7 @@ IceSecurity::Ssl::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509
// Note: This code should NEVER be able to be reached, as we check each
// CertificateVerifier as it is added to the System.
- if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
{
string errorString;
@@ -314,7 +205,7 @@ IceSecurity::Ssl::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509
//
int
-IceSecurity::Ssl::OpenSSL::Connection::connect()
+IceSSL::OpenSSL::Connection::connect()
{
int result = SSL_connect(_sslConnection);
@@ -324,7 +215,7 @@ IceSecurity::Ssl::OpenSSL::Connection::connect()
}
int
-IceSecurity::Ssl::OpenSSL::Connection::accept()
+IceSSL::OpenSSL::Connection::accept()
{
int result = SSL_accept(_sslConnection);
@@ -334,18 +225,18 @@ IceSecurity::Ssl::OpenSSL::Connection::accept()
}
int
-IceSecurity::Ssl::OpenSSL::Connection::renegotiate()
+IceSSL::OpenSSL::Connection::renegotiate()
{
return SSL_renegotiate(_sslConnection);
}
int
-IceSecurity::Ssl::OpenSSL::Connection::initialize(int timeout)
+IceSSL::OpenSSL::Connection::initialize(int timeout)
{
int retCode = 0;
while (true)
- {
+ {
// One lucky thread will get the honor of carrying out the hanshake,
// if there is one to perform. The HandshakeSentinel effectively
// establishes a first-come, first-serve policy. One thread will own
@@ -383,8 +274,20 @@ IceSecurity::Ssl::OpenSSL::Connection::initialize(int timeout)
return retCode;
}
+int
+IceSSL::OpenSSL::Connection::pending()
+{
+ return SSL_pending(_sslConnection);
+}
+
+int
+IceSSL::OpenSSL::Connection::getLastError() const
+{
+ return SSL_get_error(_sslConnection, _lastError);
+}
+
int
-IceSecurity::Ssl::OpenSSL::Connection::sslRead(char* buffer, int bufferSize)
+IceSSL::OpenSSL::Connection::sslRead(char* buffer, int bufferSize)
{
int bytesRead = SSL_read(_sslConnection, buffer, bufferSize);
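Review bot: The new `pending()` and `getLastError()` call into OpenSSL on `_sslConnection` with no guard, whereas the destructor and `shutdown()` in this file test `_sslConnection != 0` first, which suggests the pointer can be cleared during the object's lifetime; if so, `SSL_pending(0)` would fault. Adding `assert(_sslConnection != 0);` at the top of both methods matches the constructor's own precondition. `getLastError()` also deserves a comment, because `SSL_get_error()` interprets its second argument as the return value of the most recent `SSL_read`/`SSL_write`/`SSL_connect`/`SSL_accept` and consults the calling thread's error queue, so the result is only meaningful on the same thread directly after that call; with `_lastError` initialised to `SSL_ERROR_NONE` (0) in the constructor, a call before any I/O diagnoses a return value of 0 rather than reporting "no error", unless `_lastError` is assigned the raw return code elsewhere (not visible here). sslRead's body continues outside the hunk.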
@@ -394,7 +297,7 @@ IceSecurity::Ssl::OpenSSL::Connection::sslRead(char* buffer, int bufferSize)
}
int
-IceSecurity::Ssl::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize)
+IceSSL::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize)
{
int bytesWritten = SSL_write(_sslConnection, buffer, bufferSize);
@@ -413,7 +316,7 @@ IceSecurity::Ssl::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize)
// the demo programs are doing, so I feel okay copying them. The only reason that I
// have defined the buffer[] array is so that I have a valid buffer pointer.
void
-IceSecurity::Ssl::OpenSSL::Connection::protocolWrite()
+IceSSL::OpenSSL::Connection::protocolWrite()
{
static char buffer[10];
@@ -426,7 +329,7 @@ IceSecurity::Ssl::OpenSSL::Connection::protocolWrite()
}
int
-IceSecurity::Ssl::OpenSSL::Connection::readInBuffer(Buffer& buf)
+IceSSL::OpenSSL::Connection::readInBuffer(Buffer& buf)
{
IceUtil::Mutex::Lock sync(_inBufferMutex);
@@ -453,7 +356,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readInBuffer(Buffer& buf)
// Erase the data that we've copied out of the _inBuffer.
_inBuffer.b.erase(inBufferBegin, inBufferEndAt);
- if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
{
ostringstream protocolMsg;
protocolMsg << "Copied " << dec << bytesRead << " bytes from SSL buffer\n";
@@ -467,7 +370,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readInBuffer(Buffer& buf)
}
int
-IceSecurity::Ssl::OpenSSL::Connection::readSelect(int timeout)
+IceSSL::OpenSSL::Connection::readSelect(int timeout)
{
int ret;
SOCKET fd = SSL_get_fd(_sslConnection);
@@ -513,7 +416,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readSelect(int timeout)
}
int
-IceSecurity::Ssl::OpenSSL::Connection::writeSelect(int timeout)
+IceSSL::OpenSSL::Connection::writeSelect(int timeout)
{
int ret;
SOCKET fd = SSL_get_fd(_sslConnection);
@@ -559,7 +462,7 @@ IceSecurity::Ssl::OpenSSL::Connection::writeSelect(int timeout)
}
int
-IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout)
+IceSSL::OpenSSL::Connection::readSSL(Buffer& buf, int timeout)
{
int packetSize = buf.b.end() - buf.i;
int totalBytesRead = 0;
@@ -600,7 +503,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout)
if (!bytesPending)
{
- if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
{
_logger->trace(_traceLevels->securityCat, "No pending application-level bytes.");
}
@@ -730,7 +633,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout)
}
string
-IceSecurity::Ssl::OpenSSL::Connection::sslGetErrors()
+IceSSL::OpenSSL::Connection::sslGetErrors()
{
string errorMessage;
char buf[200];
@@ -773,7 +676,7 @@ IceSecurity::Ssl::OpenSSL::Connection::sslGetErrors()
}
void
-IceSecurity::Ssl::OpenSSL::Connection::addConnection(SSL* sslPtr, Connection* connection)
+IceSSL::OpenSSL::Connection::addConnection(SSL* sslPtr, Connection* connection)
{
assert(sslPtr);
assert(connection);
@@ -782,7 +685,7 @@ IceSecurity::Ssl::OpenSSL::Connection::addConnection(SSL* sslPtr, Connection* co
}
void
-IceSecurity::Ssl::OpenSSL::Connection::removeConnection(SSL* sslPtr)
+IceSSL::OpenSSL::Connection::removeConnection(SSL* sslPtr)
{
assert(sslPtr);
IceUtil::Mutex::Lock sync(_connectionRepositoryMutex);
@@ -790,7 +693,7 @@ IceSecurity::Ssl::OpenSSL::Connection::removeConnection(SSL* sslPtr)
}
void
-IceSecurity::Ssl::OpenSSL::Connection::showCertificateChain(BIO* bio)
+IceSSL::OpenSSL::Connection::showCertificateChain(BIO* bio)
{
STACK_OF(X509)* sk;
@@ -819,7 +722,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showCertificateChain(BIO* bio)
}
void
-IceSecurity::Ssl::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* connType)
+IceSSL::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* connType)
{
X509* peerCert = 0;
char buffer[4096];
@@ -849,7 +752,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char*
}
void
-IceSecurity::Ssl::OpenSSL::Connection::showSharedCiphers(BIO* bio)
+IceSSL::OpenSSL::Connection::showSharedCiphers(BIO* bio)
{
char buffer[4096];
char* strpointer = 0;
@@ -889,7 +792,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showSharedCiphers(BIO* bio)
}
void
-IceSecurity::Ssl::OpenSSL::Connection::showSessionInfo(BIO* bio)
+IceSSL::OpenSSL::Connection::showSessionInfo(BIO* bio)
{
if (_sslConnection->hit)
{
@@ -900,7 +803,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showSessionInfo(BIO* bio)
}
void
-IceSecurity::Ssl::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio)
+IceSSL::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio)
{
const char* str;
SSL_CIPHER* cipher;
@@ -916,7 +819,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio)
}
void
-IceSecurity::Ssl::OpenSSL::Connection::showHandshakeStats(BIO* bio)
+IceSSL::OpenSSL::Connection::showHandshakeStats(BIO* bio)
{
BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(_sslConnection)),
@@ -924,7 +827,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showHandshakeStats(BIO* bio)
}
void
-IceSecurity::Ssl::OpenSSL::Connection::showClientCAList(BIO* bio, const char* connType)
+IceSSL::OpenSSL::Connection::showClientCAList(BIO* bio, const char* connType)
{
char buffer[4096];
STACK_OF(X509_NAME)* sk = SSL_get_client_CA_list(_sslConnection);