authorMarc Laukien <marc@zeroc.com>2002-04-02 17:08:47 +0000
committerMarc Laukien <marc@zeroc.com>2002-04-02 17:08:47 +0000
commitc98649e0be8c8bcbc8eba686f9a08f1ed17d36cb (patch)
treecd9ddef90cf2f5496be9abc07e3018bb294d8213 /cpp/src/Ice/SslConnectionOpenSSL.cpp
parentremoved shutdown() from acceptor (diff)
cleanup
Diffstat (limited to 'cpp/src/Ice/SslConnectionOpenSSL.cpp')
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSL.cpp296
1 files changed, 148 insertions, 148 deletions
diff --git a/cpp/src/Ice/SslConnectionOpenSSL.cpp b/cpp/src/Ice/SslConnectionOpenSSL.cpp
index 289015b64a1..7bc74e0559d 100644
--- a/cpp/src/Ice/SslConnectionOpenSSL.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSL.cpp
@@ -20,7 +20,7 @@
#include <openssl/err.h>
#include <string>
#include <sstream>
-#include <Ice/Network.h>
+#include <Ice/Network.h>
#include <Ice/OpenSSL.h>
#include <Ice/SslException.h>
#include <Ice/SslFactory.h>
@@ -69,15 +69,15 @@ void ::IceInternal::decRef(::IceSSL::OpenSSL::Connection* p) { p->__decRef(); }
// but unfortunately, it appears that this is not properly picked up.
//
-IceSSL::OpenSSL::Connection::Connection(const IceInternal::TraceLevelsPtr& traceLevels,
- const Ice::LoggerPtr& logger,
+IceSSL::OpenSSL::Connection::Connection(const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
const IceSSL::CertificateVerifierPtr& certificateVerifier,
- SSL* sslConnection,
+ SSL* sslConnection,
const IceSSL::SystemInternalPtr& system) :
IceSSL::Connection(traceLevels, logger, certificateVerifier),
_sslConnection(sslConnection)
{
- assert(_sslConnection != 0);
+ assert(_sslConnection != 0);
assert(system != 0);
Factory::addSystemHandle(_sslConnection, system);
@@ -109,10 +109,10 @@ void
IceSSL::OpenSSL::Connection::shutdown()
{
if (_sslConnection == 0)
- {
- return;
+ {
+ return;
}
-
+
if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
{
_logger->trace(_traceLevels->securityCat, "WRN " +
@@ -120,7 +120,7 @@ IceSSL::OpenSSL::Connection::shutdown()
fdToString(SSL_get_fd(_sslConnection)));
}
- int shutdown = 0;
+ int shutdown = 0;
int numRetries = 100;
int retries = -numRetries;
@@ -142,7 +142,7 @@ IceSSL::OpenSSL::Connection::shutdown()
void
IceSSL::OpenSSL::Connection::setHandshakeReadTimeout(int timeout)
-{
+{
_handshakeReadTimeout = timeout;
}
@@ -160,12 +160,12 @@ IceSSL::OpenSSL::Connection::getConnection(SSL* sslPtr)
return ConnectionPtr(connection);
}
-//
-// Note: Do not throw exceptions from verifyCertificate - it would rip through the OpenSSL system,
-// interfering with the usual handling and alert system of the handshake. Exceptions should
-// be caught here (if they can be generated), logged and then a fail return code (0) should
-// returned.
-//
+//
+// Note: Do not throw exceptions from verifyCertificate - it would rip through the OpenSSL system,
+// interfering with the usual handling and alert system of the handshake. Exceptions should
+// be caught here (if they can be generated), logged and then a fail return code (0) should
+// returned.
+//
int
IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX* x509StoreContext)
{
@@ -179,24 +179,24 @@ IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX
// Check to make sure we have a proper verifier for the operation.
if (verifier)
{
- // Use the verifier to verify the certificate
- try
+ // Use the verifier to verify the certificate
+ try
{
- preVerifyOkay = verifier->verify(preVerifyOkay, x509StoreContext, _sslConnection);
- }
- catch (const Ice::LocalException& localEx)
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- ostringstream s;
-
- s << "WRN exception during certificate verification: " << std::endl;
- s << localEx << flush;
-
- _logger->trace(_traceLevels->securityCat, s.str());
- }
-
- preVerifyOkay = 0;
+ preVerifyOkay = verifier->verify(preVerifyOkay, x509StoreContext, _sslConnection);
+ }
+ catch (const Ice::LocalException& localEx)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ ostringstream s;
+
+ s << "WRN exception during certificate verification: " << std::endl;
+ s << localEx << flush;
+
+ _logger->trace(_traceLevels->securityCat, s.str());
+ }
+
+ preVerifyOkay = 0;
}
}
else
@@ -232,8 +232,8 @@ IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX
int
IceSSL::OpenSSL::Connection::connect()
{
- assert(_sslConnection != 0);
-
+ assert(_sslConnection != 0);
+
int result = SSL_connect(_sslConnection);
setLastError(result);
@@ -244,20 +244,20 @@ IceSSL::OpenSSL::Connection::connect()
int
IceSSL::OpenSSL::Connection::accept()
{
- assert(_sslConnection != 0);
-
+ assert(_sslConnection != 0);
+
int result = SSL_accept(_sslConnection);
setLastError(result);
return result;
}
-
+
// NOTE: Currently not used, maybe later.
int
IceSSL::OpenSSL::Connection::renegotiate()
{
- assert(_sslConnection != 0);
+ assert(_sslConnection != 0);
return SSL_renegotiate(_sslConnection);
}
@@ -267,7 +267,7 @@ IceSSL::OpenSSL::Connection::initialize(int timeout)
int retCode = 0;
while (true)
- {
+ {
// One lucky thread will get the honor of carrying out the hanshake,
// if there is one to perform. The HandshakeSentinel effectively
// establishes a first-come, first-serve policy. One thread will own
@@ -305,25 +305,25 @@ IceSSL::OpenSSL::Connection::initialize(int timeout)
return retCode;
}
-int
-IceSSL::OpenSSL::Connection::pending()
-{
- assert(_sslConnection != 0);
- return SSL_pending(_sslConnection);
-}
-
-int
-IceSSL::OpenSSL::Connection::getLastError() const
-{
- assert(_sslConnection != 0);
- return SSL_get_error(_sslConnection, _lastError);
-}
-
+int
+IceSSL::OpenSSL::Connection::pending()
+{
+ assert(_sslConnection != 0);
+ return SSL_pending(_sslConnection);
+}
+
+int
+IceSSL::OpenSSL::Connection::getLastError() const
+{
+ assert(_sslConnection != 0);
+ return SSL_get_error(_sslConnection, _lastError);
+}
+
int
IceSSL::OpenSSL::Connection::sslRead(char* buffer, int bufferSize)
{
- assert(_sslConnection != 0);
-
+ assert(_sslConnection != 0);
+
int bytesRead = SSL_read(_sslConnection, buffer, bufferSize);
setLastError(bytesRead);
@@ -334,8 +334,8 @@ IceSSL::OpenSSL::Connection::sslRead(char* buffer, int bufferSize)
int
IceSSL::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize)
{
- assert(_sslConnection != 0);
-
+ assert(_sslConnection != 0);
+
int bytesWritten = SSL_write(_sslConnection, buffer, bufferSize);
setLastError(bytesWritten);
@@ -343,78 +343,78 @@ IceSSL::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize)
return bytesWritten;
}
-int
-IceSSL::OpenSSL::Connection::select(int timeout, bool write)
-{
- int ret;
-
- assert(_sslConnection != 0);
- SOCKET fd = SSL_get_fd(_sslConnection);
-
- fd_set rwFdSet;
- struct timeval tv;
-
- if (timeout >= 0)
- {
- tv.tv_sec = timeout / 1000;
- tv.tv_usec = (timeout - tv.tv_sec * 1000) * 1000;
- }
-
- do
- {
- FD_ZERO(&rwFdSet);
- FD_SET(fd, &rwFdSet);
-
- if (timeout >= 0)
- {
- if (write)
- {
- ret = ::select(fd + 1, 0, &rwFdSet, 0, &tv);
- }
- else
- {
- ret = ::select(fd + 1, &rwFdSet, 0, 0, &tv);
- }
- }
- else
- {
- if (write)
- {
- ret = ::select(fd + 1, 0, &rwFdSet, 0, 0);
- }
- else
- {
- ret = ::select(fd + 1, &rwFdSet, 0, 0, 0);
- }
- }
- }
- while (ret == SOCKET_ERROR && interrupted());
-
- if (ret == SOCKET_ERROR)
- {
- SocketException ex(__FILE__, __LINE__);
- ex.error = getSocketErrno();
- throw ex;
- }
-
- if (ret == 0)
- {
- throw TimeoutException(__FILE__, __LINE__);
- }
-
- return FD_ISSET(fd, &rwFdSet);
+int
+IceSSL::OpenSSL::Connection::select(int timeout, bool write)
+{
+ int ret;
+
+ assert(_sslConnection != 0);
+ SOCKET fd = SSL_get_fd(_sslConnection);
+
+ fd_set rwFdSet;
+ struct timeval tv;
+
+ if (timeout >= 0)
+ {
+ tv.tv_sec = timeout / 1000;
+ tv.tv_usec = (timeout - tv.tv_sec * 1000) * 1000;
+ }
+
+ do
+ {
+ FD_ZERO(&rwFdSet);
+ FD_SET(fd, &rwFdSet);
+
+ if (timeout >= 0)
+ {
+ if (write)
+ {
+ ret = ::select(fd + 1, 0, &rwFdSet, 0, &tv);
+ }
+ else
+ {
+ ret = ::select(fd + 1, &rwFdSet, 0, 0, &tv);
+ }
+ }
+ else
+ {
+ if (write)
+ {
+ ret = ::select(fd + 1, 0, &rwFdSet, 0, 0);
+ }
+ else
+ {
+ ret = ::select(fd + 1, &rwFdSet, 0, 0, 0);
+ }
+ }
+ }
+ while (ret == SOCKET_ERROR && interrupted());
+
+ if (ret == SOCKET_ERROR)
+ {
+ SocketException ex(__FILE__, __LINE__);
+ ex.error = getSocketErrno();
+ throw ex;
+ }
+
+ if (ret == 0)
+ {
+ throw TimeoutException(__FILE__, __LINE__);
+ }
+
+ return FD_ISSET(fd, &rwFdSet);
}
int
IceSSL::OpenSSL::Connection::readSelect(int timeout)
{
- return select(timeout, false);
+ return select(timeout, false);
}
int
IceSSL::OpenSSL::Connection::writeSelect(int timeout)
-{
- return select(timeout, true);
+{
+ return select(timeout, true);
}
int
@@ -569,14 +569,14 @@ IceSSL::OpenSSL::Connection::read(Buffer& buf, int timeout)
return totalBytesRead;
}
-
+
void
IceSSL::OpenSSL::Connection::addConnection(SSL* sslPtr, Connection* connection)
{
assert(sslPtr);
assert(connection);
IceUtil::Mutex::Lock sync(_connectionRepositoryMutex);
- _connectionMap[sslPtr] = connection;
+ _connectionMap[sslPtr] = connection;
}
void
@@ -589,10 +589,10 @@ IceSSL::OpenSSL::Connection::removeConnection(SSL* sslPtr)
void
IceSSL::OpenSSL::Connection::showCertificateChain(BIO* bio)
-{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+{
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
STACK_OF(X509)* sk;
// Big nasty buffer
@@ -622,9 +622,9 @@ IceSSL::OpenSSL::Connection::showCertificateChain(BIO* bio)
void
IceSSL::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* connType)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
X509* peerCert = 0;
char buffer[4096];
@@ -655,16 +655,16 @@ IceSSL::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* connType)
void
IceSSL::OpenSSL::Connection::showSharedCiphers(BIO* bio)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
char buffer[4096];
char* strPointer = 0;
if ((strPointer = SSL_get_shared_ciphers(_sslConnection, buffer, sizeof(buffer))) != 0)
{
- // This works only for SSL 2. In later protocol versions, the client does not know
- // what other ciphers (in addition to the one to be used in the current connection)
+ // This works only for SSL 2. In later protocol versions, the client does not know
+ // what other ciphers (in addition to the one to be used in the current connection)
// the server supports.
BIO_printf(bio, "---\nShared Ciphers:\n");
@@ -697,9 +697,9 @@ IceSSL::OpenSSL::Connection::showSharedCiphers(BIO* bio)
void
IceSSL::OpenSSL::Connection::showSessionInfo(BIO* bio)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
if (_sslConnection->hit)
{
BIO_printf(bio, "Reused session-id\n");
@@ -711,9 +711,9 @@ IceSSL::OpenSSL::Connection::showSessionInfo(BIO* bio)
void
IceSSL::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
const char* str;
SSL_CIPHER* cipher;
@@ -730,9 +730,9 @@ IceSSL::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio)
void
IceSSL::OpenSSL::Connection::showHandshakeStats(BIO* bio)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(_sslConnection)),
BIO_number_written(SSL_get_wbio(_sslConnection)));
@@ -741,10 +741,10 @@ IceSSL::OpenSSL::Connection::showHandshakeStats(BIO* bio)
void
IceSSL::OpenSSL::Connection::showClientCAList(BIO* bio, const char* connType)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
- assert(connType != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+ assert(connType != 0);
+
char buffer[4096];
STACK_OF(X509_NAME)* sk = SSL_get_client_CA_list(_sslConnection);