author | Anthony Neal <aneal@zeroc.com> | 2002-02-18 19:59:08 +0000 |
---|---|---|
committer | Anthony Neal <aneal@zeroc.com> | 2002-02-18 19:59:08 +0000 |
commit | 05d06bf28399d88cf387da0cf5db7b4861495767 (patch) | |
tree | 1cc9d3629f4b8b8a58db33816c5be5f05cedb736 /cpp/src | |
parent | Update. (diff) | |
Another update, primarily for slicifying SslCertificateVerifier and the
macro cleanup.
Diffstat (limited to 'cpp/src')
23 files changed, 436 insertions, 1057 deletions
diff --git a/cpp/src/Ice/OpenSSL.h b/cpp/src/Ice/OpenSSL.h
new file mode 100644
index 00000000000..9481f15a98e
--- /dev/null
+++ b/cpp/src/Ice/OpenSSL.h
@@ -0,0 +1,29 @@
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+#ifndef ICE_OPENSSL_H
+#define ICE_OPENSSL_H
+
+#include <openssl/ssl.h>
+
+namespace IceSecurity
+{
+
+typedef enum
+{
+ NO_SECURITY_TRACE = 0,
+ SECURITY_WARNINGS,
+ SECURITY_PARSE_WARNINGS,
+ SECURITY_PROTOCOL,
+ SECURITY_PROTOCOL_DEBUG
+} SecurityTraceLevel;
+
+}
+
+#endif
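Review bot: SecurityTraceLevel drops SECURITY_METHODS, SECURITY_EXCEPTIONS and SECURITY_DEV_DEBUG from the enum that Security.h carried, which renumbers the survivors: SECURITY_PROTOCOL was 5 and is now 3, SECURITY_PROTOCOL_DEBUG was 7 and is now 4. Every remaining check in this commit compares `_traceLevels->security` numerically against these enumerators, so if that field is populated from an integer property, a deployment that previously asked for 3 (methods) now gets full protocol tracing and one that asked for 5 gets protocol-debug output — worth confirming how TraceLevels fills `security`. A comment on the enum would save the next reader the archaeology, e.g. `// Renumbered when the METHODS/EXCEPTIONS/DEV_DEBUG levels were removed; numeric values are not compatible with the old Security.h.`. The `#include <openssl/ssl.h>` is not used by anything in this header and drags OpenSSL into every translation unit that only wants the trace levels, such as the SUdp control channels.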
diff --git a/cpp/src/Ice/SUdpClientControlChannel.cpp b/cpp/src/Ice/SUdpClientControlChannel.cpp index fcc293932e1..58acd881baf 100644 --- a/cpp/src/Ice/SUdpClientControlChannel.cpp +++ b/cpp/src/Ice/SUdpClientControlChannel.cpp @@ -8,7 +8,7 @@ // // ********************************************************************** -#include <Ice/Security.h> +#include <Ice/OpenSSL.h> #include <Ice/Stream.h> #include <Ice/SUdpClientControlChannel.h> #include <Ice/Instance.h> @@ -37,16 +37,12 @@ IceSecurity::SecureUdp::ClientControlChannel::serverHello(Long clientID, const B { IceUtil::Mutex::Lock sync(_mutex); - ICE_METHOD_INV("ClientControlChannel::serverHello()"); - _clientID = clientID; // TODO: There is a wierd segmentation fault happening here if I uncomment // the call to serverKeyChangeMessage(). Dunno why. // ICE_DEV_DEBUG("About to call serverKeyChangeMessage()"); // serverKeyChangeMessage(key); - - ICE_METHOD_RET("ClientControlChannel::serverHello()"); } void @@ -54,11 +50,7 @@ IceSecurity::SecureUdp::ClientControlChannel::serverKeyChange(const ByteSeq& key { IceUtil::Mutex::Lock sync(_mutex); - ICE_METHOD_INV("ClientControlChannel::serverKeyChange()"); - serverKeyChangeMessage(key); - - ICE_METHOD_RET("ClientControlChannel::serverKeyChange()"); } void @@ -66,11 +58,7 @@ IceSecurity::SecureUdp::ClientControlChannel::serverGoodbye(const Current&) { IceUtil::Mutex::Lock sync(_mutex); - ICE_METHOD_INV("ClientControlChannel::serverGoodbye()"); - // TODO: Should find some way to shut down the Transceiver here. - - ICE_METHOD_RET("ClientControlChannel::serverGoodbye()"); } //////////////////////////////////////////////////////////////////////////////// 
@@ -84,8 +72,6 @@ IceSecurity::SecureUdp::ClientControlChannel::ClientControlChannel(SUdpTransceiv int port) : ControlChannel(transceiver, instance) { - ICE_METHOD_INV("ClientControlChannel::ClientControlChannel()"); - // Create the Client Channel's name ostringstream objectName; objectName << "sudpClient" << hex << (void *) this; @@ -131,7 +117,6 @@ IceSecurity::SecureUdp::ClientControlChannel::ClientControlChannel(SUdpTransceiv ostringstream exptString; exptString << "Exception: " << expt; - ICE_DEV_DEBUG(exptString.str()); throw; } @@ -149,8 +134,6 @@ IceSecurity::SecureUdp::ClientControlChannel::ClientControlChannel(SUdpTransceiv _msgID = 0L; clientHello(); - - ICE_METHOD_RET("ClientControlChannel::ClientControlChannel()"); } IceSecurity::SecureUdp::ClientControlChannel::~ClientControlChannel() @@ -163,8 +146,6 @@ IceSecurity::SecureUdp::ClientControlChannel::~ClientControlChannel() void IceSecurity::SecureUdp::ClientControlChannel::serverKeyChangeMessage(const ByteSeq& key) { - ICE_METHOD_INV("ClientControlChannel::serverKeyChangeMessage()"); - Long msgID = _msgID + 1; assert(_cryptor); @@ -175,8 +156,6 @@ IceSecurity::SecureUdp::ClientControlChannel::serverKeyChangeMessage(const ByteS assert(_serverChannel); _serverChannel->clientKeyAcknowledge(_clientID, msgID, _encryptionKey->toByteSeq()); - - ICE_METHOD_RET("ClientControlChannel::serverKeyChangeMessage()"); } void diff --git a/cpp/src/Ice/SUdpServerControlChannel.cpp b/cpp/src/Ice/SUdpServerControlChannel.cpp index be2d5415e3b..338ea9bc435 100644 --- a/cpp/src/Ice/SUdpServerControlChannel.cpp +++ b/cpp/src/Ice/SUdpServerControlChannel.cpp @@ -8,7 +8,7 @@ // // ********************************************************************** -#include <Ice/Security.h> +#include <Ice/OpenSSL.h>
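Review bot: In the `@@ -131,7 +117,6 @@` hunk of the ClientControlChannel constructor, the catch block still declares `ostringstream exptString;` and runs `exptString << "Exception: " << expt;`, but with `ICE_DEV_DEBUG(exptString.str())` removed nothing reads the stream before `throw;`, so the two lines are now dead work on the failure path. Either delete them or keep the diagnostic through the logger as the other files in this commit do, e.g. `if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) { _logger->trace(_traceLevels->securityCat, exptString.str()); }` — the removed macro expanded to exactly those members, so they should already exist on this class. The constructor begins and ends outside the hunk.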
#include <Ice/Buffer.h> #include <Ice/SUdpServerControlChannel.h> #include <Ice/SUdpClient.h> @@ -37,31 +37,19 @@ IceSecurity::SecureUdp::ServerControlChannel::clientHello(const ClientChannelPrx { IceUtil::Mutex::Lock sync(_mutex); - ICE_METHOD_INV("ServerControlChannel::clientHello()"); - Long clientID = getNewClientID(); MessageAuthenticatorPtr messageAuthenticator = new MessageAuthenticator(MACkey); - ICE_DEV_DEBUG("Creating new SUdpClient()"); - SUdpClientPtr sudpClient = new SUdpClient(clientID, client, messageAuthenticator); - ICE_DEV_DEBUG("Creating new CryptKey()"); - assert(_cryptor); CryptKeyPtr cryptKey = _cryptor->getNewKey(); - ICE_DEV_DEBUG("Sending serverHello()"); - sudpClient->serverHello(cryptKey); - ICE_DEV_DEBUG("adding new SUdpClient() to map."); - newSUdpClient(sudpClient); - - ICE_METHOD_RET("ServerControlChannel::clientHello()"); } void @@ -72,15 +60,11 @@ IceSecurity::SecureUdp::ServerControlChannel::clientKeyAcknowledge(Long clientID { IceUtil::Mutex::Lock sync(_mutex); - ICE_METHOD_INV("ServerControlChannel::clientKeyAcknowledge()"); - SUdpClientPtr sudpClient = getSUdpClient(clientID); CryptKeyPtr cryptKey = _cryptor->getKey(key); sudpClient->setNewCryptKey(msgID, cryptKey); - - ICE_METHOD_RET("ServerControlChannel::clientKeyAcknowledge()"); } void @@ -88,15 +72,11 @@ IceSecurity::SecureUdp::ServerControlChannel::clientKeyRequest(Long clientID, co { IceUtil::Mutex::Lock sync(_mutex); - ICE_METHOD_INV("ServerControlChannel::clientKeyRequest()"); - SUdpClientPtr sudpClient = getSUdpClient(clientID); CryptKeyPtr cryptKey = _cryptor->getNewKey(); sudpClient->serverKeyChange(cryptKey); - - ICE_METHOD_RET("ServerControlChannel::clientKeyRequest()"); } void 
@@ -104,11 +84,7 @@ IceSecurity::SecureUdp::ServerControlChannel::clientGoodbye(Long clientID, const { IceUtil::Mutex::Lock sync(_mutex); - ICE_METHOD_INV("ServerControlChannel::clientGoodbye()"); - deleteSUdpClient(clientID); - - ICE_METHOD_RET("ServerControlChannel::clientGoodbye()"); } // IceSecurity::SecureUdp::ServerControlChannel::ServerControlChannel(const SUdpTransceiverPtr& transceiver, @@ -117,8 +93,6 @@ IceSecurity::SecureUdp::ServerControlChannel::ServerControlChannel(SUdpTransceiv int port) : ControlChannel(transceiver, instance) { - ICE_METHOD_INV("ServerControlChannel::ServerControlChannel()"); - _clientIDGenerator = 0L; // Create the Server Channel's name @@ -135,30 +109,16 @@ IceSecurity::SecureUdp::ServerControlChannel::ServerControlChannel(SUdpTransceiv Ice::CommunicatorPtr communicator = _instance->communicator(); - ICE_DEV_DEBUG("Creating ObjectAdapter."); - // Create our ObjectAdapter _adapter = communicator->createObjectAdapterWithEndpoints(objectAdapterName.str(), endpt.str()); - ICE_DEV_DEBUG("ObjectAdapter created."); - // The server control channel is the implemenation. ServerChannelPtr serverChannel = this; - ICE_DEV_DEBUG("Adding serverChannel to ObjectAdapter."); - _adapter->add(serverChannel, Ice::stringToIdentity(objectName.str())); - ICE_DEV_DEBUG("Added serverChannel named: " + objectName.str()); - - ICE_DEV_DEBUG("Activating ObjectAdapter."); - // Okay, allow the object to begin accepting requests _adapter->activate(); - - ICE_DEV_DEBUG("ObjectAdapter activated."); - - ICE_METHOD_RET("ServerControlChannel::ServerControlChannel()"); } IceSecurity::SecureUdp::ServerControlChannel::~ServerControlChannel() diff --git a/cpp/src/Ice/SUdpTransceiver.cpp b/cpp/src/Ice/SUdpTransceiver.cpp index 9f34328f1de..b8694a63c2d 100644 --- a/cpp/src/Ice/SUdpTransceiver.cpp +++ b/cpp/src/Ice/SUdpTransceiver.cpp 
@@ -8,7 +8,7 @@
 //
 // **********************************************************************
-#include <Ice/Security.h>
+#include <Ice/OpenSSL.h>
#include <Ice/SUdpTransceiver.h> #include <Ice/Instance.h> #include <Ice/TraceLevels.h> @@ -36,41 +36,25 @@ IceInternal::SUdpTransceiver::fd() void IceInternal::SUdpTransceiver::close() { - ICE_METHOD_INV("SUdpTransceiver::close()"); - _udpTransceiver.close(); - - ICE_METHOD_RET("SUdpTransceiver::close()"); } void IceInternal::SUdpTransceiver::shutdown() { - ICE_METHOD_INV("SUdpTransceiver::shutdown()"); - _udpTransceiver.shutdown(); - - ICE_METHOD_RET("SUdpTransceiver::shutdown()"); } void IceInternal::SUdpTransceiver::write(Buffer& buf, int) { - ICE_METHOD_INV("SUdpTransceiver::write()"); - _udpTransceiver.write(buf,0); - - ICE_METHOD_RET("SUdpTransceiver::write()"); } void IceInternal::SUdpTransceiver::read(Buffer& buf, int) { - ICE_METHOD_INV("SUdpTransceiver::read()"); - _udpTransceiver.read(buf,0); - - ICE_METHOD_RET("SUdpTransceiver::read()"); } string @@ -97,12 +81,8 @@ IceInternal::SUdpTransceiver::SUdpTransceiver(const InstancePtr& instance, const _traceLevels(instance->traceLevels()), _logger(instance->logger()) { - ICE_METHOD_INV("SUdpTransceiver::SUdpTransceiver()"); - // Perform our handshake with the server connectControlChannel(host, port); - - ICE_METHOD_RET("SUdpTransceiver::SUdpTransceiver()"); } IceInternal::SUdpTransceiver::SUdpTransceiver(const InstancePtr& instance, int port, bool connect) : 
@@ -111,42 +91,26 @@ IceInternal::SUdpTransceiver::SUdpTransceiver(const InstancePtr& instance, int p _traceLevels(instance->traceLevels()), _logger(instance->logger()) { - ICE_METHOD_INV("SUdpTransceiver::SUdpTransceiver()"); - // Build our control channel createControlChannel(port); - - ICE_METHOD_RET("SUdpTransceiver::SUdpTransceiver()"); } IceInternal::SUdpTransceiver::~SUdpTransceiver() { - ICE_METHOD_INV("SUdpTransceiver::~SUdpTransceiver()"); - _controlChannel->unsetTransceiver(); - - ICE_METHOD_RET("SUdpTransceiver::~SUdpTransceiver()"); } void IceInternal::SUdpTransceiver::connectControlChannel(const string& host, int port) { - ICE_METHOD_INV("SUdpTransceiver::connectControlChannel()"); - // Create a control channel, one for this Client SUdp connection _controlChannel = new ClientControlChannel(this, _instance, host, port); - - ICE_METHOD_RET("SUdpTransceiver::connectControlChannel()"); } void IceInternal::SUdpTransceiver::createControlChannel(int port) { - ICE_METHOD_INV("SUdpTransceiver::createControlChannel()"); - // Create a control channel, one for this Server SUdp connection _controlChannel = new ServerControlChannel(this, _instance, port); - - ICE_METHOD_RET("SUdpTransceiver::createControlChannel()"); } diff --git a/cpp/src/Ice/Security.h b/cpp/src/Ice/Security.h deleted file mode 100644 index 9c7ca2e4b78..00000000000 --- a/cpp/src/Ice/Security.h +++ /dev/null 
@@ -1,176 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2001 -// MutableRealms, Inc. -// Huntsville, AL, USA -// -// All Rights Reserved -// -// ********************************************************************** -#ifndef ICE_SECURITY_H -#define ICE_SECURITY_H - -// NOTE: Define USE_SOCKETS in order to turn on use of sockets in OpenSSL -#ifndef USE_SOCKETS -#define USE_SOCKETS -#endif - -#include <openssl/ssl.h> -#include <time.h> - -namespace IceSecurity -{ - -typedef enum -{ - NO_SECURITY_TRACE = 0, - SECURITY_WARNINGS, - SECURITY_PARSE_WARNINGS, - SECURITY_METHODS, - SECURITY_EXCEPTIONS, - SECURITY_PROTOCOL, - SECURITY_DEV_DEBUG, - SECURITY_PROTOCOL_DEBUG -} SecurityTraceLevel; - -} - -#define ICE_SECURITY_DEBUG - -#ifdef WIN32 -#define GETTHREADID GetCurrentThreadId() -#else -#define GETTHREADID getpid() -#endif - -#define ICE_SECURITY_DISPLAYTHREADS - -/* - time_t ltime; \ - time(<ime); \ - thread << " " << dec << ltime << " " << hex << (void *)this << " Thread(" << dec << GETTHREADID << ") "; \ -*/ - -#ifdef ICE_SECURITY_DISPLAYTHREADS -#define ICE_SECURITY_LOGGER(s) \ - ostringstream thread; \ - thread << hex << (void *)this << " Thread(" << dec << GETTHREADID << ") "; \ - _logger->trace(_traceLevels->securityCat, thread.str() + s); -#else -#define ICE_SECURITY_LOGGER(s) _logger->trace(_traceLevels->securityCat, s); -#endif - - -#ifdef ICE_SECURITY_DEBUG - -#define ICE_SECURITY_LEVEL_METHODS (_traceLevels->security >= IceSecurity::SECURITY_METHODS) -#define ICE_SECURITY_LEVEL_PARSEWARNINGS (_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS) -#define ICE_SECURITY_LEVEL_WARNINGS (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) -#define ICE_SECURITY_LEVEL_EXCEPTIONS (_traceLevels->security >= IceSecurity::SECURITY_EXCEPTIONS) -#define ICE_SECURITY_LEVEL_PROTOCOL (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) -#define ICE_SECURITY_LEVEL_PROTOCOL_DEBUG 
(_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) -#define ICE_SECURITY_LEVEL_DEV_DEBUG (_traceLevels->security >= IceSecurity::SECURITY_DEV_DEBUG) - -#define ICE_SECURITY_LEVEL_PROTOCOL_GLOBAL \ - (IceSecurity::Ssl::OpenSSL::System::_globalTraceLevels->security >= IceSecurity::SECURITY_PROTOCOL) - -#define ICE_METHOD_INV(s) \ - if (ICE_SECURITY_LEVEL_METHODS) \ - { \ - ICE_SECURITY_LOGGER("INV " + string(s)); \ - } - -#define ICE_METHOD_INS(s) \ - if (ICE_SECURITY_LEVEL_METHODS) \ - { \ - ICE_SECURITY_LOGGER("INS " + string(s)); \ - } - -#define ICE_METHOD_RET(s) \ - if (ICE_SECURITY_LEVEL_METHODS) \ - { \ - ICE_SECURITY_LOGGER("RET " + string(s)); \ - } - -#define ICE_PARSE_WARNING(s) \ - if (ICE_SECURITY_LEVEL_PARSEWARNINGS) \ - { \ - ICE_SECURITY_LOGGER("PWN " + string(s)); \ - } - -#define ICE_WARNING(s) \ - if (ICE_SECURITY_LEVEL_WARNINGS) \ - { \ - ICE_SECURITY_LOGGER("WRN " + string(s)); \ - } - -#define ICE_EXCEPTION(s) \ - if (ICE_SECURITY_LEVEL_EXCEPTIONS) \ - { \ - ICE_SECURITY_LOGGER("EXC " + string(s)); \ - } - -#define ICE_PROTOCOL(s) \ - if (ICE_SECURITY_LEVEL_PROTOCOL) \ - { \ - ICE_SECURITY_LOGGER("PTL " + string(s)); \ - } - -#define ICE_PROTOCOL_DEBUG(s) \ - if (ICE_SECURITY_LEVEL_PROTOCOL_DEBUG) \ - { \ - ICE_SECURITY_LOGGER("PDB " + string(s)); \ - } - -#define ICE_DEV_DEBUG(s) \ - if (ICE_SECURITY_LEVEL_DEV_DEBUG) \ - { \ - ICE_SECURITY_LOGGER("DBG " + string(s)); \ - } - -#else - -#define ICE_SECURITY_LEVEL_METHODS false -#define ICE_SECURITY_LEVEL_PARSEWARNINGS (_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS) -#define ICE_SECURITY_LEVEL_WARNINGS (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) -#define ICE_SECURITY_LEVEL_EXCEPTIONS false -#define ICE_SECURITY_LEVEL_PROTOCOL false -#define ICE_SECURITY_LEVEL_PROTOCOL_DEBUG false -#define ICE_SECURITY_LEVEL_PROTOCOL_GLOBAL false -#define ICE_SECURITY_LEVEL_DEV_DEBUG false - -#define ICE_METHOD_INV(s) -#define ICE_METHOD_INS(s) -#define 
ICE_METHOD_RET(s) - -#define ICE_PARSE_WARNING(s) \ - if (ICE_SECURITY_LEVEL_PARSEWARNINGS) \ - { \ - ICE_SECURITY_LOGGER("PWN " + string(s)); \ - } - -#define ICE_WARNING(s) \ - if (ICE_SECURITY_LEVEL_WARNINGS) \ - { \ - ICE_SECURITY_LOGGER("WRN " + string(s)); \ - } - -#define ICE_EXCEPTION(s) -#define ICE_PROTOCOL(s) -#define ICE_PROTOCOL_DEBUG(s) -#define ICE_DEV_DEBUG(s) - -#endif - -#define ICE_SSLERRORS(s) \ - if (!s.empty()) \ - { \ - s += "\n"; \ - s += sslGetErrors(); \ - } \ - else \ - { \ - s = sslGetErrors(); \ - } - -#endif diff --git a/cpp/src/Ice/SslCertificateVerifier.cpp b/cpp/src/Ice/SslCertificateVerifier.cpp deleted file mode 100644 index 064bd0a6fcf..00000000000 --- a/cpp/src/Ice/SslCertificateVerifier.cpp +++ /dev/null @@ -1,20 +0,0 @@ -// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/SslCertificateVerifier.h>
-
-void ::IceInternal::incRef(::IceSecurity::Ssl::CertificateVerifier* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSecurity::Ssl::CertificateVerifier* p) { p->__decRef(); }
-
-IceSecurity::Ssl::CertificateVerifier::~CertificateVerifier()
-{
-}
-
-
diff --git a/cpp/src/Ice/SslCertificateVerifier.h b/cpp/src/Ice/SslCertificateVerifier.h
deleted file mode 100644
index c93d7b56c8a..00000000000
--- a/cpp/src/Ice/SslCertificateVerifier.h
+++ /dev/null
@@ -1,39 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_CERTIFICATE_VERIFIER_H
-#define ICE_SSL_CERTIFICATE_VERIFIER_H
-
-#include <IceUtil/Shared.h>
-#include <Ice/SslCertificateVerifierF.h>
-
-namespace IceSecurity
-{
-
-namespace Ssl
-{
-
-using IceUtil::Shared;
-
-class CertificateVerifier : public Shared
-{
-
-public:
- virtual ~CertificateVerifier();
-
-};
-
-}
-
-}
-
-#endif
-
-
diff --git a/cpp/src/Ice/SslCertificateVerifierF.h b/cpp/src/Ice/SslCertificateVerifierF.h
deleted file mode 100644
index 26e91ccd9f2..00000000000
--- a/cpp/src/Ice/SslCertificateVerifierF.h
+++ /dev/null
@@ -1,39 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_CERTIFICATE_VERIFIER_F_H
-#define ICE_SSL_CERTIFICATE_VERIFIER_F_H
-
-#include <Ice/Handle.h>
-
-namespace IceSecurity
-{
-
-namespace Ssl
-{
-
-class CertificateVerifier;
-typedef IceInternal::Handle<CertificateVerifier> CertificateVerifierPtr;
-
-}
-
-}
-
-namespace IceInternal
-{
-
-void incRef(::IceSecurity::Ssl::CertificateVerifier*);
-void decRef(::IceSecurity::Ssl::CertificateVerifier*);
-
-}
-
-#endif
-
-
diff --git a/cpp/src/Ice/SslCertificateVerifierOpenSSL.cpp b/cpp/src/Ice/SslCertificateVerifierOpenSSL.cpp
index faaeccffd61..91479d5e880 100644
--- a/cpp/src/Ice/SslCertificateVerifierOpenSSL.cpp
+++ b/cpp/src/Ice/SslCertificateVerifierOpenSSL.cpp
@@ -14,31 +14,3 @@ IceSecurity::Ssl::OpenSSL::CertificateVerifier::~CertificateVerifier()
 {
}
-int
-IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay,
- X509_STORE_CTX* x509StoreContext,
- SSL* sslConnection)
-{
- //
- // Default verification steps.
- //
-
- int verifyError = X509_STORE_CTX_get_error(x509StoreContext);
- int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext);
- int verifyDepth = SSL_get_verify_depth(sslConnection);
-
- // Verify Depth was set
- if (verifyError != X509_V_OK)
- {
- // If we have no errors so far, and the certificate chain is too long
- if ((verifyDepth != -1) && (verifyDepth < errorDepth))
- {
- verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG;
- }
-
- // If we have ANY errors, we bail out.
- preVerifyOkay = 0;
- }
-
- return preVerifyOkay;
-}
diff --git a/cpp/src/Ice/SslCertificateVerifierOpenSSL.h b/cpp/src/Ice/SslCertificateVerifierOpenSSL.h
index edbd5f5209e..58257ee91f8 100644
--- a/cpp/src/Ice/SslCertificateVerifierOpenSSL.h
+++ b/cpp/src/Ice/SslCertificateVerifierOpenSSL.h
@@ -14,6 +14,16 @@
 #include <Ice/SslCertificateVerifier.h>
#include <openssl/ssl.h>
+#ifdef WIN32
+# ifdef ICE_API_EXPORTS
+# define ICE_API __declspec(dllexport)
+# else
+# define ICE_API __declspec(dllimport)
+# endif
+#else
+# define ICE_API /**/
+#endif
+
namespace IceSecurity
{
@@ -23,7 +33,7 @@ namespace Ssl
 namespace OpenSSL
{
-class CertificateVerifier : public IceSecurity::Ssl::CertificateVerifier
+class ICE_API CertificateVerifier : public IceSecurity::Ssl::CertificateVerifier
{
public:
@@ -32,13 +42,6 @@ public:
 virtual int verify(int, X509_STORE_CTX*, SSL*) = 0;
};
-class DefaultCertificateVerifier : public CertificateVerifier
-{
-
-public:
- virtual int verify(int, X509_STORE_CTX*, SSL*);
-};
-
}
}
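Review bot: The added `#ifdef WIN32 … #endif` block defines `ICE_API` unconditionally in this header, so any translation unit that also includes the header owning the project-wide `ICE_API` definition gets a macro redefinition diagnostic (a warning on most compilers, an error under -Werror), and the two definitions can drift apart. Prefer including the header that already provides `ICE_API`, or at minimum wrap the block in `#ifndef ICE_API` / `#endif` so it only fills the gap when nothing else has. The surviving context line `#include <Ice/SslCertificateVerifier.h>` refers to a path this same commit deletes (`cpp/src/Ice/SslCertificateVerifier.h`); presumably the Slice-generated header of the same name now stands in for it, but that is worth confirming in the build rather than from the diff.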
diff --git a/cpp/src/Ice/SslConfig.cpp b/cpp/src/Ice/SslConfig.cpp
index d9bd3bb1f0f..960475d902f 100644
--- a/cpp/src/Ice/SslConfig.cpp
+++ b/cpp/src/Ice/SslConfig.cpp
@@ -25,7 +25,7 @@
 #include <framework/LocalFileInputSource.hpp>
 #include <util/Janitor.hpp>
-#include <Ice/Security.h>
+#include <Ice/OpenSSL.h>
#include <Ice/SecurityException.h>
 #include <Ice/SslConfigErrorReporter.h>
 #include <Ice/SslConfig.h>
diff --git a/cpp/src/Ice/SslConfigErrorReporter.cpp b/cpp/src/Ice/SslConfigErrorReporter.cpp
index 32bf7022d68..8f84627a6b9 100644
--- a/cpp/src/Ice/SslConfigErrorReporter.cpp
+++ b/cpp/src/Ice/SslConfigErrorReporter.cpp
@@ -17,14 +17,14 @@
 #include <string.h>
 #include <Ice/TraceLevels.h>
 #include <Ice/Logger.h>
-#include <Ice/Security.h>
+#include <Ice/OpenSSL.h>
using namespace std;
 void
 IceSecurity::Ssl::ErrorReporter::warning(const SAXParseException& toCatch)
 {
- if (ICE_SECURITY_LEVEL_PARSEWARNINGS)
+ if (_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS)
 {
 ostringstream s;
@@ -34,8 +34,8 @@ IceSecurity::Ssl::ErrorReporter::warning(const SAXParseException& toCatch)
 s << "\", line " << toCatch.getLineNumber() << flush;
 s << ", column " << toCatch.getColumnNumber() << flush;
 s << "\n Message: " << DOMString(toCatch.getMessage()) << endl;
-
- ICE_PARSE_WARNING(s.str());
+
+ _logger->trace(_traceLevels->securityCat, "PWN " + s.str());
 }
 }
@@ -44,7 +44,7 @@ IceSecurity::Ssl::ErrorReporter::error(const SAXParseException& toCatch)
 {
 _sawErrors = true;
- if (ICE_SECURITY_LEVEL_PARSEWARNINGS)
+ if (_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS)
 {
 ostringstream s;
@@ -55,7 +55,7 @@ IceSecurity::Ssl::ErrorReporter::error(const SAXParseException& toCatch)
 s << ", column " << toCatch.getColumnNumber() << flush;
 s << "\n Message: " << DOMString(toCatch.getMessage()) << endl;
- ICE_PARSE_WARNING(s.str());
+ _logger->trace(_traceLevels->securityCat, "PWN " + s.str());
}
 }
@@ -64,7 +64,7 @@ IceSecurity::Ssl::ErrorReporter::fatalError(const SAXParseException& toCatch)
 {
 _sawErrors = true;
- if (ICE_SECURITY_LEVEL_PARSEWARNINGS)
+ if (_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS)
 {
 ostringstream s;
@@ -75,7 +75,7 @@ IceSecurity::Ssl::ErrorReporter::fatalError(const SAXParseException& toCatch)
 s << ", column " << toCatch.getColumnNumber() << flush;
 s << "\n Message: " << DOMString(toCatch.getMessage()) << endl;
- ICE_PARSE_WARNING(s.str());
+ _logger->trace(_traceLevels->securityCat, "PWN " + s.str());
}
 }
diff --git a/cpp/src/Ice/SslConnectionOpenSSL.cpp b/cpp/src/Ice/SslConnectionOpenSSL.cpp
index 28db8c164e0..3b59201ccdd 100644
--- a/cpp/src/Ice/SslConnectionOpenSSL.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSL.cpp
@@ -21,7 +21,7 @@
 #include <string>
 #include <sstream>
 #include <Ice/Network.h>
-#include <Ice/Security.h>
+#include <Ice/OpenSSL.h>
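Review bot: `error()` and `fatalError()` are now gated on the same `_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS` test and tagged with the same `"PWN "` prefix as `warning()`, so a malformed SSL configuration that aborts parsing is only explained when parse warnings are enabled; a deployment running at SECURITY_WARNINGS sees `_sawErrors` flip with no message saying why the SSL setup failed. Gate those two paths on `IceSecurity::SECURITY_WARNINGS` and tag them `"WRN "` (or a distinct `"ERR "`) so the cause is visible at the default diagnostic level. The three bodies are now identical apart from the tag; a private helper such as `void report(const char* tag, const SAXParseException& toCatch)` would remove the triplication. Each method begins outside its hunk, so the remainder of the message formatting is not visible here.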
#include <Ice/SecurityException.h>
 #include <Ice/SslFactory.h>
 #include <Ice/SslConnection.h>
@@ -40,6 +40,104 @@ using std::endl;
 using IceSecurity::Ssl::Factory;
 using IceSecurity::Ssl::SystemPtr;
+
+////////////////////////////////////////////////
+////////// DefaultCertificateVerifier //////////
+////////////////////////////////////////////////
+
+IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::DefaultCertificateVerifier()
+{
+}
+
+void
+IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::setTraceLevels(const TraceLevelsPtr& traceLevels)
+{
+ _traceLevels = traceLevels;
+}
+
+void
+IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::setLogger(const LoggerPtr& logger)
+{
+ _logger = logger;
+}
+
+int
+IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay,
+ X509_STORE_CTX* x509StoreContext,
+ SSL* sslConnection)
+{
+ //
+ // Default verification steps.
+ //
+
+ int verifyError = X509_STORE_CTX_get_error(x509StoreContext);
+ int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext);
+ int verifyDepth = SSL_get_verify_depth(sslConnection);
+
+ // Verify Depth was set
+ if (verifyError != X509_V_OK)
+ {
+ // If we have no errors so far, and the certificate chain is too long
+ if ((verifyDepth != -1) && (verifyDepth < errorDepth))
+ {
+ verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+ }
+
+ // If we have ANY errors, we bail out.
+ preVerifyOkay = 0;
+ }
+
+ // Only if ICE_PROTOCOL level logging is on do we worry about this.
+ if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
+ {
+ char buf[256];
+
+ X509* err_cert = X509_STORE_CTX_get_current_cert(x509StoreContext);
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+
+ ostringstream outStringStream;
+
+ outStringStream << "depth = " << errorDepth << ":" << buf << endl;
+
+ if (!preVerifyOkay)
+ {
+ outStringStream << "verify error: num = " << verifyError << " : "
+ << X509_verify_cert_error_string(verifyError) << endl;
+
+ }
+
+ switch (verifyError)
+ {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ {
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
+ outStringStream << "issuer = " << buf << endl;
+ break;
+ }
+
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ {
+ outStringStream << "notBefore = " << getASN1time(X509_get_notBefore(err_cert)) << endl;
+ break;
+ }
+
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ {
+ outStringStream << "notAfter = " << getASN1time(X509_get_notAfter(err_cert)) << endl;
+ break;
+ }
+ }
+
+ outStringStream << "verify return = " << preVerifyOkay << endl;
+
+ _logger->trace(_traceLevels->securityCat, outStringStream.str());
+ }
+
+ return preVerifyOkay;
+}
////////////////////////////////
 ////////// Connection //////////
@@ -83,8 +181,6 @@ IceSecurity::Ssl::OpenSSL::Connection::Connection(const CertificateVerifierPtr&
 IceSecurity::Ssl::OpenSSL::Connection::~Connection()
 {
- ICE_METHOD_INV("OpenSSL::Connection::~Connection()");
-
 if (_sslConnection != 0)
 {
 removeConnection(_sslConnection);
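Review bot: `DefaultCertificateVerifier::verify()` dereferences `_traceLevels` at `if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)` and `_logger` inside that block, yet the new constructor leaves both unset and they are only assigned through `setTraceLevels()` / `setLogger()`, so a verifier installed without both calls faults inside OpenSSL's verify callback in the middle of the handshake. Guard the trace block on both handles being set — `if (_traceLevels && _logger && _traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)`, adjusted to whatever null test the Handle type offers — or take them as constructor arguments so the object cannot exist half-initialised. The comment `// If we have no errors so far, and the certificate chain is too long` contradicts the code: the depth test only runs once `verifyError != X509_V_OK`, and the reassigned `verifyError` is never pushed back with `X509_STORE_CTX_set_error`, so it only changes the trace text; `// Reclassify an existing error as chain-too-long for the trace below; OpenSSL has already rejected the chain.` describes what actually happens. Since this trace moved here from Connection::verifyCertificate (removed in the `@@ -176,57 +272,6 @@` hunk), connections using a custom CertificateVerifier lose per-certificate protocol tracing entirely — if that is intended, the class documentation should say so.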
@@ -92,18 +188,20 @@ IceSecurity::Ssl::OpenSSL::Connection::~Connection() SSL_free(_sslConnection); _sslConnection = 0; } - - ICE_METHOD_RET("OpenSSL::Connection::~Connection()"); } void IceSecurity::Ssl::OpenSSL::Connection::shutdown() { - ICE_METHOD_INV("OpenSSL::Connection::shutdown()"); - if (_sslConnection != 0) { - ICE_WARNING(string("shutting down SSL connection\n") + fdToString(SSL_get_fd(_sslConnection))); + if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN " +
+ string("shutting down SSL connection\n") +
+ fdToString(SSL_get_fd(_sslConnection)));
+ }
+
int shutdown = 0; int retries = 100; @@ -114,16 +212,14 @@ IceSecurity::Ssl::OpenSSL::Connection::shutdown() } while ((shutdown == 0) && (retries > 0)); - if (shutdown <= 0) + if ((_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) && (shutdown <= 0)) { ostringstream s; s << "SSL shutdown failure encountered: code[" << shutdown << "] retries["; s << retries << "]\n" << fdToString(SSL_get_fd(_sslConnection)); - ICE_PROTOCOL_DEBUG(s.str()); + _logger->trace(_traceLevels->securityCat, s.str());
} } - - ICE_METHOD_RET("OpenSSL::Connection::shutdown()"); } void
@@ -176,57 +272,6 @@ IceSecurity::Ssl::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509
 // Use the verifier to verify the certificate
preVerifyOkay = verifier->verify(preVerifyOkay, x509StoreContext, _sslConnection);
- // Only if ICE_PROTOCOL level logging is on do we worry about this.
- if (ICE_SECURITY_LEVEL_PROTOCOL)
- {
- char buf[256];
-
- X509* err_cert = X509_STORE_CTX_get_current_cert(x509StoreContext);
- int verifyError = X509_STORE_CTX_get_error(x509StoreContext);
- int depth = X509_STORE_CTX_get_error_depth(x509StoreContext);
-
- X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
-
- ostringstream outStringStream;
-
- outStringStream << "depth = " << depth << ":" << buf << endl;
-
- if (!preVerifyOkay)
- {
- outStringStream << "verify error: num = " << verifyError << " : "
- << X509_verify_cert_error_string(verifyError) << endl;
-
- }
-
- switch (verifyError)
- {
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- {
- X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
- outStringStream << "issuer = " << buf << endl;
- break;
- }
-
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- {
- outStringStream << "notBefore = " << getASN1time(X509_get_notBefore(err_cert)) << endl;
- break;
- }
-
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- {
- outStringStream << "notAfter = " << getASN1time(X509_get_notAfter(err_cert)) << endl;
- break;
- }
- }
-
- outStringStream << "verify return = " << preVerifyOkay << endl;
-
- ICE_PROTOCOL(outStringStream.str());
- }
-
return preVerifyOkay;
}
@@ -237,44 +282,32 @@ IceSecurity::Ssl::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509 int IceSecurity::Ssl::OpenSSL::Connection::connect() { - ICE_METHOD_INV("OpenSSL::Connection::connect()"); - int result = SSL_connect(_sslConnection); setLastError(result); - ICE_METHOD_RET("OpenSSL::Connection::connect()"); - return result; } int IceSecurity::Ssl::OpenSSL::Connection::accept() { - ICE_METHOD_INV("OpenSSL::Connection::accept()"); - int result = SSL_accept(_sslConnection); setLastError(result); - ICE_METHOD_RET("OpenSSL::Connection::accept()"); - return result; } int IceSecurity::Ssl::OpenSSL::Connection::renegotiate() { - ICE_METHOD_INS("OpenSSL::Connection::renegotiate()"); - return SSL_renegotiate(_sslConnection); } int IceSecurity::Ssl::OpenSSL::Connection::initialize(int timeout) { - ICE_METHOD_INV("OpenSSL::Connection::initialize()"); - int retCode = 0; while (true) 
@@ -313,105 +346,29 @@ IceSecurity::Ssl::OpenSSL::Connection::initialize(int timeout) } } - ICE_METHOD_RET("OpenSSL::Connection::initialize()"); - return retCode; } int IceSecurity::Ssl::OpenSSL::Connection::sslRead(char* buffer, int bufferSize) { - ICE_METHOD_INV("OpenSSL::Connection::sslRead()"); - int bytesRead = SSL_read(_sslConnection, buffer, bufferSize); setLastError(bytesRead); - ICE_METHOD_RET("OpenSSL::Connection::sslRead()"); - return bytesRead; } int IceSecurity::Ssl::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize) { - ICE_METHOD_INV("OpenSSL::Connection::sslWrite()"); - int bytesWritten = SSL_write(_sslConnection, buffer, bufferSize); setLastError(bytesWritten); - ICE_METHOD_RET("OpenSSL::Connection::sslWrite()"); - return bytesWritten; } - -void -IceSecurity::Ssl::OpenSSL::Connection::printGetError(int errCode) -{ - if (ICE_SECURITY_LEVEL_PROTOCOL_DEBUG) - { - string errorString; - - switch (errCode) - { - case SSL_ERROR_NONE : - { - errorString = "SSL_ERROR_NONE"; - break; - } - - case SSL_ERROR_ZERO_RETURN : - { - errorString = "SSL_ERROR_ZERO_RETURN"; - break; - } - - case SSL_ERROR_WANT_READ : - { - errorString = "SSL_ERROR_WANT_READ"; - break; - } - - case SSL_ERROR_WANT_WRITE : - { - errorString = "SSL_ERROR_WANT_WRITE"; - break; - } - - case SSL_ERROR_WANT_CONNECT : - { - errorString = "SSL_ERROR_WANT_CONNECT"; - break; - } - - case SSL_ERROR_WANT_X509_LOOKUP : - { - errorString = "SSL_ERROR_WANT_X509_LOOKUP"; - break; - } - - case SSL_ERROR_SYSCALL : - { - errorString = "SSL_ERROR_SYSCALL"; - break; - } - - case SSL_ERROR_SSL : - { - errorString = "SSL_ERROR_SSL"; - break; - } - } - - if (!errorString.empty()) - { - ICE_SECURITY_LOGGER(string("Encountered: ") + errorString) - } - } -} - // protocolWrite() // // The entire purpose of this strange little routine is to provide OpenSSL with a 
@@ -424,8 +381,6 @@ IceSecurity::Ssl::OpenSSL::Connection::printGetError(int errCode) void IceSecurity::Ssl::OpenSSL::Connection::protocolWrite() { - ICE_METHOD_INV("OpenSSL::Connection::protocolWrite()"); - static char buffer[10]; memset(buffer, 0, sizeof(buffer)); @@ -434,8 +389,6 @@ IceSecurity::Ssl::OpenSSL::Connection::protocolWrite() // not the write(Buffer&,int) method. If things start acting // strangely, check this! sslWrite(buffer,0); - - ICE_METHOD_RET("OpenSSL::Connection::protocolWrite()"); } int @@ -443,8 +396,6 @@ IceSecurity::Ssl::OpenSSL::Connection::readInBuffer(Buffer& buf) { IceUtil::Mutex::Lock sync(_inBufferMutex); - ICE_METHOD_INV("OpenSSL::Connection::readInBuffer()"); - int bytesRead = 0; if (!_inBuffer.b.empty()) @@ -468,27 +419,23 @@ IceSecurity::Ssl::OpenSSL::Connection::readInBuffer(Buffer& buf) // Erase the data that we've copied out of the _inBuffer. _inBuffer.b.erase(inBufferBegin, inBufferEndAt); - if (ICE_SECURITY_LEVEL_PROTOCOL) + if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) { string protocolString = "Copied "; protocolString += Int(bytesRead); protocolString += string(" bytes from SSL buffer\n"); protocolString += fdToString(SSL_get_fd(_sslConnection)); - - ICE_PROTOCOL(protocolString); +
+ _logger->trace(_traceLevels->securityCat, protocolString);
} } - ICE_METHOD_RET("OpenSSL::Connection::readInBuffer()"); - return bytesRead; } int IceSecurity::Ssl::OpenSSL::Connection::readSelect(int timeout) { - ICE_METHOD_INV("OpenSSL::Connection::readSelect()"); - int ret; SOCKET fd = SSL_get_fd(_sslConnection); fd_set rFdSet; @@ -519,7 +466,6 @@ IceSecurity::Ssl::OpenSSL::Connection::readSelect(int timeout) if (ret == SOCKET_ERROR) { - ICE_DEV_DEBUG("Connection::readSelect(): Throwing SocketException... SslConnectionOpenSSL.cpp, 325"); SocketException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; @@ -527,20 +473,15 @@ IceSecurity::Ssl::OpenSSL::Connection::readSelect(int timeout) if (ret == 0) { - ICE_DEV_DEBUG("Connection::readSelect(): Throwing TimeoutException... SslConnectionOpenSSL.cpp, 333"); throw TimeoutException(__FILE__, __LINE__); } - ICE_METHOD_RET("OpenSSL::Connection::readSelect()"); - return FD_ISSET(fd, &rFdSet); } int IceSecurity::Ssl::OpenSSL::Connection::writeSelect(int timeout) { - ICE_METHOD_INV("OpenSSL::Connection::writeSelect()"); - int ret; SOCKET fd = SSL_get_fd(_sslConnection); fd_set wFdSet; @@ -571,7 +512,6 @@ IceSecurity::Ssl::OpenSSL::Connection::writeSelect(int timeout) if (ret == SOCKET_ERROR) { - ICE_DEV_DEBUG("Connection::writeSelect(): Throwing SocketException... SslConnectionOpenSSL.cpp, 378"); SocketException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; @@ -579,20 +519,15 @@ IceSecurity::Ssl::OpenSSL::Connection::writeSelect(int timeout) if (ret == 0) { - ICE_DEV_DEBUG("Connection::writeSelect(): Throwing TimeoutException... SslConnectionOpenSSL.cpp, 386"); throw TimeoutException(__FILE__, __LINE__); } - ICE_METHOD_RET("OpenSSL::Connection::writeSelect()"); - return FD_ISSET(fd, &wFdSet); } int IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) { - ICE_METHOD_INV("OpenSSL::Connection::readSSL()"); - int packetSize = buf.b.end() - buf.i; int totalBytesRead = 0; int bytesPending; 
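Review bot: The new trace condition in readInBuffer(), `if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)` followed by `_logger->trace(_traceLevels->securityCat, protocolString);`, dereferences _traceLevels and _logger without checking that either has been set; nothing visible here guarantees they are non-null when a connection reads before setTrace()/setLogger() have run, and SslSystem.h in this diff exposes isTraceSet()/isLoggerSet(), which suggests they can be unset. Consider guarding with `if (_traceLevels && _logger && _traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)` or asserting both pointers in the Connection constructor, which is outside this diff. The same pattern is introduced in readSSL() (hunk @@ -631,7 +566,10 @@), in both showConnectionInfo() hunks and in the two loadConfig() hunks of SslSystemOpenSSL.cpp.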
@@ -631,7 +566,10 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) if (!bytesPending) { - ICE_PROTOCOL("No pending application-level bytes."); + if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
+ {
+ _logger->trace(_traceLevels->securityCat, "No pending application-level bytes.");
+ }
// We're done here. break; @@ -662,15 +600,6 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) packetSize = buf.b.end() - buf.i; } } - else - { - // TODO: The client application performs a cleanup at this point, - // not even shutting down SSL - it just frees the SSL - // structure. The server does nothing. I'm ignoring this, - // at the moment, I'm sure it will come back at me. - - ICE_PROTOCOL("Error SSL_ERROR_NONE: Repeating as per protocol."); - } continue; } @@ -681,11 +610,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) // write with an empty buffer. I've seen this done in the demo // programs, so this should be valid. No actual application data // will be sent, just protocol packets. - - ICE_PROTOCOL("Error SSL_ERROR_WANT_WRITE."); - protocolWrite(); - continue; } @@ -694,18 +619,12 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) // Repeat with the same arguments! (as in the OpenSSL documentation) // Whatever happened, the last read didn't actually read anything for // us. This is effectively a retry. - - ICE_PROTOCOL("Error SSL_ERROR_WANT_READ: Repeating as per protocol."); - continue; } case SSL_ERROR_WANT_X509_LOOKUP: { // Perform another read. The read should take care of this. - - ICE_PROTOCOL("Error SSL_ERROR_WANT_X509_LOOKUP: Repeating as per protocol."); - continue; } @@ -727,14 +646,12 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) if (connectionLost()) { - ICE_DEV_DEBUG("Connection::readSSL(): Throwing ConnectionLostException... SslConnectionOpenSSL.cpp, 518"); ConnectionLostException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; } else { - ICE_DEV_DEBUG("Connection::readSSL(): Throwing SocketException...SslConnectionOpenSSL.cpp, 525"); SocketException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; 
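Review bot: The else branch removed in hunk @@ -662,15 +600,6 @@ carried the only comment recording that an SSL_ERROR_NONE result with nothing read is left unhandled; the new side appears to fall straight through to `continue`, so the gap remains but is now undocumented. If the retry is intentional, keep a comment at that spot such as `// SSL_ERROR_NONE with no data read: retried as-is; peer-side SSL cleanup is deliberately not handled here.` The same TODO was dropped from ClientConnection::write() in SslConnectionOpenSSLClient.cpp (hunk @@ -303,15 +278,6 @@).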
@@ -745,10 +662,8 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) ProtocolException protocolEx(__FILE__, __LINE__); // Protocol Error: Unexpected EOF - protocolEx._message = "Encountered an EOF that violates the SSL Protocol."; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message = "Encountered an EOF that violates the SSL Protocol.\n"; + protocolEx._message += sslGetErrors();
throw protocolEx; } @@ -758,10 +673,8 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) { ProtocolException protocolEx(__FILE__, __LINE__); - protocolEx._message = "Encountered a violation of the SSL Protocol."; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message = "Encountered a violation of the SSL Protocol.\n"; + protocolEx._message += sslGetErrors();
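Review bot: The pair `protocolEx._message = "...\n"; protocolEx._message += sslGetErrors();` is now repeated at every ProtocolException site in this file (this hunk and the next) and again throughout SslConnectionOpenSSLClient.cpp and SslConnectionOpenSSLServer.cpp, each a copy of the same three lines with only the text differing. A small helper on Connection, e.g. `void throwProtocolException(const char* file, int line, const string& message);` that appends sslGetErrors() and throws, would keep the message format and the error-detail collection in one place. If sslGetErrors() consumes the OpenSSL error queue, as its name suggests, centralising it also makes sure the detail is attached exactly once; readSSL's enclosing switch continues outside this hunk.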
throw protocolEx; } @@ -772,7 +685,6 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) // But does not necessarily indicate that the underlying transport // has been closed (in the case of Ice, it definitely hasn't yet). - ICE_DEV_DEBUG("Connection::readSSL(): Throwing ConnectionLostException... SslConnectionOpenSSL.cpp, 559"); ConnectionLostException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; @@ -780,16 +692,12 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) } } - ICE_METHOD_RET("OpenSSL::Connection::readSSL()"); - return totalBytesRead; } string IceSecurity::Ssl::OpenSSL::Connection::sslGetErrors() { - ICE_METHOD_INV("OpenSSL::Connection::sslGetErrors()"); - string errorMessage; char buf[200]; char bigBuffer[1024]; @@ -827,8 +735,6 @@ IceSecurity::Ssl::OpenSSL::Connection::sslGetErrors() errorNum++; } - ICE_METHOD_RET("OpenSSL::Connection::sslGetErrors()"); - return errorMessage; } diff --git a/cpp/src/Ice/SslConnectionOpenSSL.h b/cpp/src/Ice/SslConnectionOpenSSL.h index c0eb5cd182b..dee4a2aa07e 100644 --- a/cpp/src/Ice/SslConnectionOpenSSL.h +++ b/cpp/src/Ice/SslConnectionOpenSSL.h @@ -17,7 +17,7 @@ #include <Ice/SslConnection.h> #include <Ice/SslSystemF.h>
#include <Ice/SslConnectionOpenSSLF.h>
-#include <Ice/SslCertificateVerifierF.h> +#include <Ice/SslCertificateVerifier.h> namespace IceSecurity { @@ -110,6 +110,22 @@ private: SafeFlag& _flag; }; +class DefaultCertificateVerifier : public CertificateVerifier
+{
+
+public:
+ DefaultCertificateVerifier();
+
+ void setTraceLevels(const TraceLevelsPtr&);
+ void setLogger(const LoggerPtr&);
+
+ virtual int verify(int, X509_STORE_CTX*, SSL*);
+
+private:
+ TraceLevelsPtr _traceLevels;
+ LoggerPtr _logger;
+};
+
// NOTE: This is a mapping from SSL* to Connection*, for use with the verifyCallback.
// I have purposely not used ConnectionPtr here, as connections register themselves
// with this map on construction and unregister themselves in the destructor. If
@@ -154,8 +170,6 @@ protected: int sslRead(char*, int); int sslWrite(char*, int); - void printGetError(int); - void protocolWrite(); int readInBuffer(Buffer&); diff --git a/cpp/src/Ice/SslConnectionOpenSSLClient.cpp b/cpp/src/Ice/SslConnectionOpenSSLClient.cpp index a6278cd717f..e3d0bfa7b7b 100644 --- a/cpp/src/Ice/SslConnectionOpenSSLClient.cpp +++ b/cpp/src/Ice/SslConnectionOpenSSLClient.cpp @@ -11,7 +11,7 @@ #include <string> #include <sstream> #include <Ice/Network.h> -#include <Ice/Security.h> +#include <Ice/OpenSSL.h>
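Review bot: The new DefaultCertificateVerifier declaration gives no contract for `virtual int verify(int, X509_STORE_CTX*, SSL*);` — which argument is OpenSSL's own chain-verification result, what a non-zero return means, and that returning success when that argument is 0 would accept a certificate OpenSSL has already rejected. A header comment such as `// verify(): OpenSSL verify-callback contract. The first argument is OpenSSL's pre-verification result (0 = chain check failed); return non-zero only to accept the certificate at this depth.` would make the safe default obvious to anyone subclassing CertificateVerifier, and matches the preVerifyOkay naming used by Connection::verifyCertificate() earlier in this diff. setTraceLevels()/setLogger() should also say whether a null pointer is acceptable, since verify() presumably traces through them.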
#include <Ice/SecurityException.h> #include <Ice/SslConnectionOpenSSLClient.h> @@ -46,26 +46,17 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::ClientConnection(const CertificateV IceSecurity::Ssl::OpenSSL::ClientConnection::~ClientConnection() { - ICE_METHOD_INV("OpenSSL::ClientConnection::~ClientConnection()"); - - ICE_METHOD_RET("OpenSSL::ClientConnection::~ClientConnection()"); } void IceSecurity::Ssl::OpenSSL::ClientConnection::shutdown() { - ICE_METHOD_INV("OpenSSL::ClientConnection::shutdown()"); - Connection::shutdown(); - - ICE_METHOD_RET("OpenSSL::ClientConnection::shutdown()"); } int IceSecurity::Ssl::OpenSSL::ClientConnection::init(int timeout) { - ICE_METHOD_INV("OpenSSL::ClientConnection::init()"); - int retCode = SSL_is_init_finished(_sslConnection); while (!retCode) @@ -101,8 +92,6 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::init(int timeout) // Find out what the error was (if any). int code = getLastError(); - printGetError(code); - switch (code) { case SSL_ERROR_WANT_READ: @@ -148,14 +137,12 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::init(int timeout) if (connectionLost()) { - ICE_DEV_DEBUG("ClientConnection::init(): Throwing ConnectionLostException... SslConnectionOpenSSLClient.cpp, 177"); ConnectionLostException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; } else { - ICE_DEV_DEBUG("ClientConnection::init(): Throwing SocketException... SslConnectionOpenSSLClient.cpp, 184"); SocketException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; @@ -167,9 +154,7 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::init(int timeout) // Protocol Error: Unexpected EOF protocolEx._message = "Encountered an EOF during handshake that violates the SSL Protocol.\n"; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message += sslGetErrors();
throw protocolEx; } @@ -180,9 +165,7 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::init(int timeout) ProtocolException protocolEx(__FILE__, __LINE__); protocolEx._message = "Encountered a violation of the SSL Protocol during handshake.\n"; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message += sslGetErrors();
throw protocolEx; } @@ -197,16 +180,12 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::init(int timeout) } } - ICE_METHOD_RET("OpenSSL::ClientConnection::init()"); - return retCode; } int IceSecurity::Ssl::OpenSSL::ClientConnection::read(Buffer& buf, int timeout) { - ICE_METHOD_INV("OpenSSL::ClientConnection::read(Buffer&,int)"); - int totalBytesRead = 0; // Initialization to 1 is a cheap trick to ensure we enter the loop. @@ -229,16 +208,12 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::read(Buffer& buf, int timeout) totalBytesRead += bytesRead; } - ICE_METHOD_RET("OpenSSL::ClientConnection::read(Buffer&,int)"); - return totalBytesRead; } int IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) { - ICE_METHOD_INV("OpenSSL::ClientConnection::write(Buffer&,int)"); - int totalBytesWritten = 0; int bytesWritten = 0; @@ -303,15 +278,6 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) packetSize = buf.b.end() - buf.i; } } - else - { - // TODO: The client application performs a cleanup at this point, - // not even shutting down SSL - it just frees the SSL - // structure. I'm ignoring this, at the moment, as I'm sure - // the demo is handling it in an artificial manner. - - ICE_PROTOCOL("Error SSL_ERROR_NONE: Repeating as per protocol."); - } continue; } @@ -320,9 +286,6 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) // Repeat with the same arguments! (as in the OpenSSL documentation) // Whatever happened, the last write didn't actually write anything // for us. This is effectively a retry. - - ICE_PROTOCOL("Error SSL_ERROR_WANT_WRITE: Repeating as per protocol."); - continue; } 
@@ -332,20 +295,13 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) // the protocol wants to do something handshake related. // In the case that we might actually get some application data, // we will use the base SSL read method, using the _inBuffer. - - ICE_PROTOCOL("Error SSL_ERROR_WANT_READ."); - readSSL(_inBuffer, timeout); - continue; } case SSL_ERROR_WANT_X509_LOOKUP: { // Perform another read. The read should take care of this. - - ICE_PROTOCOL("Error SSL_ERROR_WANT_X509_LOOKUP: Repeating as per protocol."); - continue; } @@ -371,14 +327,12 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) if (connectionLost()) { - ICE_DEV_DEBUG("ClientConnection::write(): Throwing ConnectionLostException... SslConnectionOpenSSLClient.cpp, 390"); ConnectionLostException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; } else { - ICE_DEV_DEBUG("ClientConnection::write(): Throwing SocketException... SslConnectionOpenSSLClient.cpp, 397"); SocketException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; @@ -390,18 +344,13 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) // Protocol Error: Unexpected EOF protocolEx._message = "Encountered an EOF that violates the SSL Protocol.\n"; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message += sslGetErrors();
throw protocolEx; } else // bytesWritten == 0 { // Didn't write anything, continue, should be fine. - - ICE_PROTOCOL("Error SSL_ERROR_SYSCALL: Repeating as per protocol."); - break; } } @@ -411,17 +360,13 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) ProtocolException protocolEx(__FILE__, __LINE__); protocolEx._message = "Encountered a violation of the SSL Protocol.\n"; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message += sslGetErrors();
throw protocolEx; } case SSL_ERROR_ZERO_RETURN: { - ICE_EXCEPTION("SSL_ERROR_ZERO_RETURN"); - ConnectionLostException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; @@ -429,8 +374,6 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) } } - ICE_METHOD_RET("OpenSSL::ClientConnection::write(Buffer&,int)"); - return totalBytesWritten; } @@ -442,13 +385,9 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) void IceSecurity::Ssl::OpenSSL::ClientConnection::showConnectionInfo() { - ICE_METHOD_INV("OpenSSL::ClientConnection::showConnectionInfo()"); - // Only in extreme cases do we enable this, partially because it doesn't use the Logger. - if (ICE_SECURITY_LEVEL_PROTOCOL_DEBUG && 0) + if ((_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) && 0) { - ICE_PROTOCOL_DEBUG("Begin Connection Information"); - BIO* bio = BIO_new_fp(stdout, BIO_NOCLOSE); showCertificateChain(bio); @@ -466,14 +405,10 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::showConnectionInfo() showSessionInfo(bio); - ICE_PROTOCOL_DEBUG("End of Connection Information"); - if (bio != 0) { BIO_free(bio); bio = 0; } } - - ICE_METHOD_RET("OpenSSL::ClientConnection::showConnectionInfo()"); } diff --git a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp index 66e3816a8ff..91409ced3b4 100644 --- a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp +++ b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp @@ -11,7 +11,7 @@ #include <string> #include <sstream> #include <Ice/Network.h> -#include <Ice/Security.h> +#include <Ice/OpenSSL.h>
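Review bot: In ClientConnection::showConnectionInfo() the new condition `if ((_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) && 0)` is always false, so the BIO dump to stdout is dead code that still dereferences _traceLevels; the same `&& 0` is newly added to ServerConnection::showConnectionInfo() in SslConnectionOpenSSLServer.cpp (hunk @@ -428,13 +376,9 @@), where the dump was previously reachable at SECURITY_PROTOCOL_DEBUG. If the dump is meant to stay off, say so with a compile-time switch or a comment such as `// Disabled: writes the certificate chain and session details to stdout, bypassing the Logger.` rather than a dead condition; if it is meant to be available on demand, remove the `&& 0` and keep the trace-level gate.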
#include <Ice/SecurityException.h> #include <Ice/SslConnectionOpenSSLServer.h> @@ -47,26 +47,17 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::ServerConnection(const CertificateV IceSecurity::Ssl::OpenSSL::ServerConnection::~ServerConnection() { - ICE_METHOD_INV("OpenSSL::ServerConnection::~ServerConnection()"); - - ICE_METHOD_RET("OpenSSL::ServerConnection::~ServerConnection()"); } void IceSecurity::Ssl::OpenSSL::ServerConnection::shutdown() { - ICE_METHOD_INV("OpenSSL::ServerConnection::shutdown()"); - Connection::shutdown(); - - ICE_METHOD_RET("OpenSSL::ServerConnection::shutdown()"); } int IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) { - ICE_METHOD_INV("OpenSSL::ServerConnection::init()"); - int retCode = SSL_is_init_finished(_sslConnection); while (!retCode) @@ -114,18 +105,14 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) certEx._message = "SSL certificate verification error."; - ICE_EXCEPTION(certEx._message); - throw certEx; } else { ProtocolException protocolEx(__FILE__, __LINE__); - protocolEx._message = "Encountered an SSL Protocol violation during handshake."; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message = "Encountered an SSL Protocol violation during handshake.\n"; + protocolEx._message += sslGetErrors();
throw protocolEx; } @@ -174,14 +161,12 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) if (connectionLost()) { - ICE_DEV_DEBUG("ServerConnection::init(): Throwing ConnectionLostException... SslConnectionOpenSSLServer.cpp, 207"); ConnectionLostException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; } else { - ICE_DEV_DEBUG("ServerConnection::init(): Throwing SocketException... SslConnectionOpenSSLServer.cpp, 214"); SocketException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; @@ -192,10 +177,8 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) ProtocolException protocolEx(__FILE__, __LINE__); // Protocol Error: Unexpected EOF - protocolEx._message = "Encountered an EOF during handshake that violates the SSL Protocol."; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message = "Encountered an EOF during handshake that violates the SSL Protocol.\n"; + protocolEx._message += sslGetErrors();
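Review bot: In ServerConnection::init() the CertificateException path keeps the bare message `certEx._message = "SSL certificate verification error.";` while the ProtocolException branch beside it now appends sslGetErrors(); with the ICE_EXCEPTION trace removed, a rejected peer certificate is reported with no indication of why. Appending the OpenSSL error detail the same way, `certEx._message += "\n"; certEx._message += sslGetErrors();`, or the SSL_get_verify_result() code, would keep that information available to the operator. The enclosing switch in init() starts outside this hunk.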
throw protocolEx; } @@ -205,10 +188,8 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) { ProtocolException protocolEx(__FILE__, __LINE__); - protocolEx._message = "Encountered a violation of the SSL Protocol during handshake."; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message = "Encountered a violation of the SSL Protocol during handshake.\n"; + protocolEx._message += sslGetErrors();
throw protocolEx; } @@ -223,16 +204,12 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) } } - ICE_METHOD_RET("OpenSSL::ServerConnection::init()"); - return retCode; } int IceSecurity::Ssl::OpenSSL::ServerConnection::read(Buffer& buf, int timeout) { - ICE_METHOD_INV("OpenSSL::ServerConnection::read(Buffer&, int)"); - int bytesRead = 1; int totalBytesRead = 0; @@ -253,16 +230,12 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::read(Buffer& buf, int timeout) totalBytesRead += bytesRead; } - ICE_METHOD_RET("OpenSSL::ServerConnection::read(Buffer&, int)"); - return totalBytesRead; } int IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) { - ICE_METHOD_INV("OpenSSL::ServerConnection::write(Buffer&, int)"); - int totalBytesWritten = 0; int bytesWritten = 0; @@ -327,23 +300,9 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) } case SSL_ERROR_WANT_WRITE: // Retry... - { - ICE_PROTOCOL("Error SSL_ERROR_WANT_WRITE: Repeating as per protocol."); - - continue; - } - case SSL_ERROR_WANT_READ: // The demo server ignores this error. - { - ICE_PROTOCOL("Error SSL_ERROR_WANT_READ: Ignoring as per protocol."); - - continue; - } - case SSL_ERROR_WANT_X509_LOOKUP: // The demo server ignores this error. { - ICE_PROTOCOL("Error SSL_ERROR_WANT_X509_LOOKUP: Repeating as per protocol."); - continue; } @@ -365,14 +324,12 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) if (connectionLost()) { - ICE_DEV_DEBUG("ServerConnection::write(): Throwing ConnectionLostException... SslConnectionOpenSSLServer.cpp, 388"); ConnectionLostException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; } else { - ICE_DEV_DEBUG("ServerConnection::write(): Throwing SocketException... SslConnectionOpenSSLServer.cpp, 395"); SocketException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; 
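Review bot: In ServerConnection::write() the collapsed cases `SSL_ERROR_WANT_WRITE`, `SSL_ERROR_WANT_READ` and `SSL_ERROR_WANT_X509_LOOKUP` now all just `continue`, whereas ClientConnection::write() in this same diff handles SSL_ERROR_WANT_READ by calling `readSSL(_inBuffer, timeout)` before retrying. If the server's loop retries SSL_write without first consuming the data the peer is waiting to have read (a renegotiation, for instance), the retry cannot make progress and the loop would spin until the timeout; the surrounding loop starts outside this hunk, so I cannot confirm whether a select precedes the retry. Either mirror the client's handling or keep a comment explaining why the server may ignore the read request, as the removed "The demo server ignores this error" note hinted.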
@@ -383,10 +340,8 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) ProtocolException protocolEx(__FILE__, __LINE__); // Protocol Error: Unexpected EOF - protocolEx._message = "Encountered an EOF that violates the SSL Protocol."; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); + protocolEx._message = "Encountered an EOF that violates the SSL Protocol.\n"; + protocolEx._message += sslGetErrors();
throw protocolEx; } @@ -396,19 +351,14 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) { ProtocolException protocolEx(__FILE__, __LINE__); - protocolEx._message = "Encountered a violation of the SSL Protocol."; - - ICE_SSLERRORS(protocolEx._message); - ICE_EXCEPTION(protocolEx._message); - + protocolEx._message = "Encountered a violation of the SSL Protocol.\n"; + protocolEx._message += sslGetErrors();
+
throw protocolEx; } case SSL_ERROR_ZERO_RETURN: { - ICE_EXCEPTION("SSL_ERROR_ZERO_RETURN"); - ICE_DEV_DEBUG("ServerConnection::write(): Throwing ConnectionLostException... SslConnectionOpenSSLServer.cpp, 430"); - ConnectionLostException ex(__FILE__, __LINE__); ex.error = getSocketErrno(); throw ex; @@ -416,8 +366,6 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) } } - ICE_METHOD_RET("OpenSSL::ServerConnection::write(Buffer&, int)"); - return totalBytesWritten; } @@ -428,13 +376,9 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) void IceSecurity::Ssl::OpenSSL::ServerConnection::showConnectionInfo() { - ICE_METHOD_INV("OpenSSL::ServerConnection::showConnectionInfo()"); - // Only in extreme cases do we enable this, partially because it doesn't use the Logger. - if (ICE_SECURITY_LEVEL_PROTOCOL_DEBUG) + if ((_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) && 0) { - ICE_PROTOCOL_DEBUG("Begin Connection Information"); - BIO* bio = BIO_new_fp(stdout, BIO_NOCLOSE); showCertificateChain(bio); @@ -449,14 +393,10 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::showConnectionInfo() showSessionInfo(bio); - ICE_PROTOCOL_DEBUG("End of Connection Information"); - if (bio != 0) { BIO_free(bio); bio = 0; } } - - ICE_METHOD_RET("OpenSSL::ServerConnection::showConnectionInfo()"); } diff --git a/cpp/src/Ice/SslFactory.cpp b/cpp/src/Ice/SslFactory.cpp index 91b31a69d7d..7ff34d6ff89 100644 --- a/cpp/src/Ice/SslFactory.cpp +++ b/cpp/src/Ice/SslFactory.cpp @@ -19,7 +19,7 @@ #include <Ice/SslFactory.h> #include <Ice/SslSystemOpenSSL.h> -#include <Ice/Security.h> +#include <Ice/OpenSSL.h>
#define OPENSSL_THREAD_DEFINES #include <openssl/opensslconf.h> diff --git a/cpp/src/Ice/SslFactory.h b/cpp/src/Ice/SslFactory.h index cd56012d201..b51fef870de 100644 --- a/cpp/src/Ice/SslFactory.h +++ b/cpp/src/Ice/SslFactory.h @@ -17,6 +17,16 @@ #include <Ice/SslSystemF.h>
#include <Ice/SslCertificateVerifierF.h> +#ifdef WIN32
+# ifdef ICE_API_EXPORTS
+# define ICE_API __declspec(dllexport)
+# else
+# define ICE_API __declspec(dllimport)
+# endif
+#else
+# define ICE_API /**/
+#endif
+
namespace IceSecurity { @@ -55,16 +65,19 @@ private: static void reapSystems(); }; +// TODO: This is NOT how this should be done, but to get us over the hump for the
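Review bot: The ICE_API block added to SslFactory.h defines the macro under WIN32 with no `#ifndef ICE_API` guard, so if any other Ice header included in the same translation unit defines the same export macro the two definitions collide (a redefinition warning at best, a dllexport/dllimport mismatch at worst). Wrapping the block in `#ifndef ICE_API` / `#endif`, or including the project's common export header instead, avoids that; the TODO further down in this file acknowledges the block is a stopgap, so a comment on the block naming the header it is meant to be replaced by would help whoever removes it.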
+// time being, we'll take this shortcut.
+
typedef enum
{
None = 0,
Client,
Server,
ClientServer
-} CertificateVerifierType;
+} ICE_API CertificateVerifierType;
-void setSystemCertificateVerifier(const string&, CertificateVerifierType, const CertificateVerifierPtr&);
+void ICE_API setSystemCertificateVerifier(const string&, CertificateVerifierType, const CertificateVerifierPtr&);
} diff --git a/cpp/src/Ice/SslSystem.h b/cpp/src/Ice/SslSystem.h index ae8b596a5c7..e860fa337aa 100644 --- a/cpp/src/Ice/SslSystem.h +++ b/cpp/src/Ice/SslSystem.h @@ -48,10 +48,10 @@ public: virtual void setServerCertificateVerifier(const CertificateVerifierPtr&); virtual void setClientCertificateVerifier(const CertificateVerifierPtr&);
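Review bot: `} ICE_API CertificateVerifierType;` applies a dllexport/dllimport attribute to an enum typedef, which has no symbol to export; on non-Windows builds ICE_API expands to nothing and, as far as I know, MSVC ignores the attribute in that position, so the change most likely does not do what was intended. The declaration that actually needs the export is the function below it, `void ICE_API setSystemCertificateVerifier(...)`. Dropping the attribute from the typedef keeps the header portable and makes the intent clearer.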
- void setTrace(const TraceLevelsPtr&); + virtual void setTrace(const TraceLevelsPtr&); bool isTraceSet() const; - void setLogger(const LoggerPtr&); + virtual void setLogger(const LoggerPtr&); bool isLoggerSet() const; void setProperties(const PropertiesPtr&); diff --git a/cpp/src/Ice/SslSystemOpenSSL.cpp b/cpp/src/Ice/SslSystemOpenSSL.cpp index 734bb5ecfbd..b7013614d4b 100644 --- a/cpp/src/Ice/SslSystemOpenSSL.cpp +++ b/cpp/src/Ice/SslSystemOpenSSL.cpp @@ -28,7 +28,7 @@ #include <openssl/err.h> #include <openssl/e_os.h> #include <openssl/rand.h> -#include <Ice/Security.h> +#include <Ice/OpenSSL.h>
#include <Ice/SslSystem.h> #include <Ice/SecurityException.h> #include <Ice/SslConnectionOpenSSLClient.h> @@ -238,7 +238,7 @@ bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret) if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) { - outStringStream << "PTC Thread(" << dec << GETTHREADID << ") "; + outStringStream << "PTC "; outStringStream << "read from " << hex << (void *)bio << " [" << hex << (void *)argp; outStringStream << "] (" << dec << argi << " bytes => " << ret << " (0x"; outStringStream << hex << ret << "))"; @@ -246,7 +246,7 @@ bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret) } else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) { - outStringStream << "PTC Thread(" << dec << GETTHREADID << ") "; + outStringStream << "PTC "; outStringStream << "write to " << hex << (void *)bio << " [" << hex << (void *)argp; outStringStream << "] (" << dec << argi << " bytes => " << ret << " (0x"; outStringStream << hex << ret << "))"; 
@@ -265,53 +265,9 @@ bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret) } -void -IceSecurity::Ssl::OpenSSL::System::printContextInfo(SSL_CTX* context) -{ - if (ICE_SECURITY_LEVEL_PROTOCOL) - { - ostringstream s; - - s << endl; - s << "SSL_CTX Structure" << endl; - s << "=================" << endl; - s << "options: 0x" << hex << context->options << endl; - s << "mode: 0x" << hex << context->mode << endl; - - s << "session_cache_size: " << context->session_cache_size << endl; - s << "session_cache_mode: 0x" << hex << context->session_cache_mode << endl; - s << "session_timeout: " << Int(context->session_timeout) << endl << endl; - - s << "Stats" << endl; - s << "Connect: " << context->stats.sess_connect << " (New Connect Started)" << endl; - s << "Renegotiate: " << context->stats.sess_connect_renegotiate << " (Renegotiation Requested)" << endl; - s << "Connect Good: " << context->stats.sess_connect_good << " (Connect/Renegotiation finished)"; - s << endl << endl; - - s << "Accept: " << context->stats.sess_accept << " (New Accept Started)" << endl; - s << "Renegotiate: " << context->stats.sess_accept_renegotiate << " (Renegotiation Requested)" << endl; - s << "Accept Good: " << context->stats.sess_accept_good << " (Accept/Renegotiation finished)"; - s << endl << endl; - - s << "Miss: " << context->stats.sess_miss << " (Session Lookup Misses)" << endl; - s << "Timeout: " << context->stats.sess_timeout << " (Reuse attempt on Timeouted Session)" << endl; - s << "Cache Full: " << context->stats.sess_cache_full << " (Session Removed due to full cache)" << endl; - s << "Hit: " << context->stats.sess_hit << " (Session Reuse actually done.)" << endl; - s << "CB Hit: " << context->stats.sess_cb_hit << " (Session ID supplied by Callback)" << endl; - - s << "read_ahead: " << context->read_ahead << endl; - s << "verify_mode: 0x" << hex << context->verify_mode << endl; - s << "verify_depth: " << dec << Int(context->verify_depth) << endl; - - 
ICE_PROTOCOL(s.str()); - } -} - IceSecurity::Ssl::Connection* IceSecurity::Ssl::OpenSSL::System::createServerConnection(int socket) { - ICE_METHOD_INV("OpenSSL::System::createServerConnection()"); - if (_sslServerContext == 0) { ContextException contextEx(__FILE__, __LINE__); @@ -319,8 +275,6 @@ IceSecurity::Ssl::OpenSSL::System::createServerConnection(int socket) contextEx._message = "Server context has not been set up - "; contextEx._message += "please specify an SSL server configuration file."; - ICE_EXCEPTION(contextEx._message); - throw contextEx; } @@ -333,16 +287,12 @@ IceSecurity::Ssl::OpenSSL::System::createServerConnection(int socket) commonConnectionSetup(connection); - ICE_METHOD_RET("OpenSSL::System::createServerConnection()"); - return connection; } IceSecurity::Ssl::Connection* IceSecurity::Ssl::OpenSSL::System::createClientConnection(int socket) { - ICE_METHOD_INV("OpenSSL::System::createClientConnection()"); - if (_sslClientContext == 0) { ContextException contextEx(__FILE__, __LINE__); @@ -350,8 +300,6 @@ IceSecurity::Ssl::OpenSSL::System::createClientConnection(int socket) contextEx._message = "Client context has not been set up - "; contextEx._message += "please specify an SSL client configuration file."; - ICE_EXCEPTION(contextEx._message); - throw contextEx; } @@ -364,16 +312,12 @@ IceSecurity::Ssl::OpenSSL::System::createClientConnection(int socket) commonConnectionSetup(connection); - ICE_METHOD_RET("OpenSSL::System::createClientConnection()"); - return connection; } void IceSecurity::Ssl::OpenSSL::System::shutdown() { - ICE_METHOD_INV("OpenSSL::System::shutdown()"); - if (_sslServerContext != 0) { SSL_CTX_free(_sslServerContext); @@ -407,23 +351,59 @@ IceSecurity::Ssl::OpenSSL::System::shutdown() DH_free((*iDH).second); iDH++; } - - ICE_METHOD_RET("OpenSSL::System::shutdown()"); } +
+void
+IceSecurity::Ssl::OpenSSL::System::setTrace(const TraceLevelsPtr& traceLevels)
+{
+ // Note: Due to a known bug with VC++, I cannot simply call the base-class
+ // implementation here, I get a C2352 error about calling a static function.
+ _traceLevels = traceLevels;
+
+ DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get());
+ DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get());
+
+ if (clientVerifier)
+ {
+ clientVerifier->setTraceLevels(traceLevels);
+ }
+
+ if (serverVerifier)
+ {
+ serverVerifier->setTraceLevels(traceLevels);
+ }
+}
+
+void
+IceSecurity::Ssl::OpenSSL::System::setLogger(const LoggerPtr& logger)
+{
+ // Note: Due to a known bug with VC++, I cannot simply call the base-class
+ // implementation here, I get a C2352 error about calling a static function.
+ _logger = logger;
+
+ DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get());
+ DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get());
+
+ if (clientVerifier)
+ {
+ clientVerifier->setLogger(logger);
+ }
+
+ if (serverVerifier)
+ {
+ serverVerifier->setLogger(logger);
+ }
+}
bool IceSecurity::Ssl::OpenSSL::System::isConfigLoaded() { - ICE_METHOD_INS("OpenSSL::System::isConfigLoaded()"); - return _configLoaded; } void IceSecurity::Ssl::OpenSSL::System::loadConfig() { - ICE_METHOD_INV("OpenSSL::System::loadConfig()"); - // This step is required in order to supply callback functions // with access to the TraceLevels and Logger. if (_globalTraceLevels == 0) @@ -449,8 +429,8 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() // Walk the parse tree, get the Client configuration. if (sslConfig.loadClientConfig(clientGeneral, clientCertAuth, clientBaseCerts)) { - if (ICE_SECURITY_LEVEL_PROTOCOL) - { + if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
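Review bot: setTrace and setLogger store the incoming pointer without any check, while the rest of this file now dereferences `_traceLevels->security` and `_logger->trace(...)` unconditionally (loadConfig, getSslMethod, loadCAFiles, setDHParams), so a null argument becomes a crash at the first trace point; an `assert(traceLevels);` / `assert(logger);` at the top would match the `assert(sslContext)` style this commit introduces, unless a null pointer is a legitimate "tracing off" value here, which I cannot tell from the hunk. The `dynamic_cast<DefaultCertificateVerifier*>` means a user-supplied verifier silently receives neither the trace levels nor the logger; that is presumably intended, but worth stating, e.g. `// Only the default verifiers are wired to the trace levels/logger; a custom verifier manages its own.` The two bodies are identical apart from the setter called, so the verifier propagation could live in one private helper instead of being duplicated. Because the C2352 workaround copies the base-class assignment rather than calling it, the comment should also record what the base implementation does so the two do not drift apart.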
+ {
ostringstream s; s << endl; @@ -462,7 +442,7 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() s << "--------------------------" << endl; s << clientBaseCerts << endl; - ICE_PROTOCOL(s.str()); + _logger->trace(_traceLevels->securityCat, s.str());
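Review bot: The block that now emits via `_logger->trace(_traceLevels->securityCat, s.str())` writes the complete parsed client configuration to the trace log whenever security tracing is at SECURITY_PROTOCOL or above, and the server-side dumps in `@@ -476` and `@@ -493` do the same with `serverTempCerts`. I cannot see what the stream operators of `clientBaseCerts` / `serverTempCerts` print, but if they include private-key locations or passphrases those would end up in a log that is usually far less protected than the key material itself, so a comment such as `// Protocol-level trace: dumps the full parsed configuration; keep secrets out of the stream operators.` above the check would make the intent explicit for whoever next extends those types. loadConfig begins before this hunk.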
} initClient(clientGeneral, clientCertAuth, clientBaseCerts); @@ -476,8 +456,8 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() // Walk the parse tree, get the Server configuration. if (sslConfig.loadServerConfig(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts)) { - if (ICE_SECURITY_LEVEL_PROTOCOL) - { + if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL)
+ {
ostringstream s; s << endl; @@ -493,20 +473,16 @@ IceSecurity::Ssl::OpenSSL::System::loadConfig() s << "--------------------------" << endl; s << serverTempCerts << endl; - ICE_PROTOCOL(s.str()); + _logger->trace(_traceLevels->securityCat, s.str());
} initServer(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts); } - - ICE_METHOD_RET("OpenSSL::System::loadConfig()"); } RSA* IceSecurity::Ssl::OpenSSL::System::getRSAKey(SSL *s, int isExport, int keyLength) { - ICE_METHOD_INV("OpenSSL::System::getRSAKey()"); - IceUtil::Mutex::Lock sync(_tempRSAKeysMutex); RSA* rsa_tmp = 0; @@ -581,16 +557,12 @@ IceSecurity::Ssl::OpenSSL::System::getRSAKey(SSL *s, int isExport, int keyLength } } - ICE_METHOD_RET("OpenSSL::System::getRSAKey()"); - return rsa_tmp; } DH* IceSecurity::Ssl::OpenSSL::System::getDHParams(SSL *s, int isExport, int keyLength) { - ICE_METHOD_INV("OpenSSL::System::getDHParams()"); - IceUtil::Mutex::Lock sync(_tempDHKeysMutex); DH *dh_tmp = 0; @@ -622,8 +594,6 @@ IceSecurity::Ssl::OpenSSL::System::getDHParams(SSL *s, int isExport, int keyLeng } } - ICE_METHOD_RET("OpenSSL::System::getDHParams()"); - return dh_tmp; } @@ -645,7 +615,7 @@ IceSecurity::Ssl::OpenSSL::System::System() // than check the verification depth. This can be overridden.
_clientVerifier = new DefaultCertificateVerifier();
_serverVerifier = _clientVerifier;
- +
SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); @@ -653,11 +623,7 @@ IceSecurity::Ssl::OpenSSL::System::System() IceSecurity::Ssl::OpenSSL::System::~System() { - ICE_METHOD_INV("OpenSSL::~System()"); - shutdown(); - - ICE_METHOD_RET("OpenSSL::~System()"); } // @@ -670,8 +636,6 @@ IceSecurity::Ssl::OpenSSL::System::setKeyCert(SSL_CTX* context, const string& privateKey, const string& publicKey) { - ICE_METHOD_INV("OpenSSL::System::setKeyCert()"); - if (!privateKey.empty() && !publicKey.empty()) { addKeyCert(context, privateKey, publicKey); @@ -680,8 +644,6 @@ IceSecurity::Ssl::OpenSSL::System::setKeyCert(SSL_CTX* context, { processCertificate(context, certDesc); } - - ICE_METHOD_RET("OpenSSL::System::setKeyCert()"); } void @@ -689,8 +651,6 @@ IceSecurity::Ssl::OpenSSL::System::initClient(GeneralConfig& general, CertificateAuthority& certAuth, BaseCertificates& baseCerts) { - ICE_METHOD_INV("OpenSSL::System::initClient()"); - // Init the Random Number System. initRandSystem(general.getRandomBytesFiles()); @@ -728,8 +688,6 @@ IceSecurity::Ssl::OpenSSL::System::initClient(GeneralConfig& general, // Load the Certificate Authority files, and check them. loadCAFiles(_sslClientContext, certAuth); } - - ICE_METHOD_RET("OpenSSL::System::initClient()"); } void @@ -738,8 +696,6 @@ IceSecurity::Ssl::OpenSSL::System::initServer(GeneralConfig& general, BaseCertificates& baseCerts, TempCertificates& tempCerts) { - ICE_METHOD_INV("OpenSSL::System::initServer()"); - // Init the Random Number System. initRandSystem(general.getRandomBytesFiles()); 
@@ -798,17 +754,11 @@ IceSecurity::Ssl::OpenSSL::System::initServer(GeneralConfig& general, reinterpret_cast<const unsigned char *>(_sessionContext.c_str()), _sessionContext.size()); } - - printContextInfo(_sslServerContext); - - ICE_METHOD_RET("OpenSSL::System::initServer()"); } SSL_METHOD* IceSecurity::Ssl::OpenSSL::System::getSslMethod(SslProtocol sslVersion) { - ICE_METHOD_INV("OpenSSL::System::getSslMethod()"); - SSL_METHOD* sslMethod = 0; switch (sslVersion) @@ -839,34 +789,30 @@ IceSecurity::Ssl::OpenSSL::System::getSslMethod(SslProtocol sslVersion) default : { - string errorString; - - errorString = "SSL Version "; - errorString += sslVersion; - errorString += " not supported - defaulting to SSL_V23."; - - ICE_WARNING(errorString); + if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ string errorString;
+
+ errorString = "SSL Version ";
+ errorString += sslVersion;
+ errorString += " not supported - defaulting to SSL_V23.";
+ _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ }
sslMethod = SSLv23_method(); } } - ICE_METHOD_RET("OpenSSL::System::getSslMethod()"); - return sslMethod; } void IceSecurity::Ssl::OpenSSL::System::processCertificate(SSL_CTX* sslContext, const CertificateDesc& certificateDesc) { - ICE_METHOD_INV("OpenSSL::System::processCertificate()"); - const CertificateFile& publicCert = certificateDesc.getPublic(); const CertificateFile& privateKey = certificateDesc.getPrivate(); addKeyCert(sslContext, publicCert, privateKey); - - ICE_METHOD_RET("OpenSSL::System::processCertificate()"); } void @@ -874,8 +820,6 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, const CertificateFile& publicCert, const CertificateFile& privateKey) { - ICE_METHOD_INV("OpenSSL::System::addKeyCert()"); - if (!publicCert.getFileName().empty()) { string publicCertFile = publicCert.getFileName(); @@ -896,14 +840,15 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, contextEx._message += "'\n"; contextEx._message += sslGetErrors(); - ICE_EXCEPTION(contextEx._message); - throw contextEx; } if (privateKey.getFileName().empty()) { - ICE_WARNING("No private key specified - using the certificate."); + if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
+ }
privKeyFile = publicFile; privKeyFileType = publicEncoding; @@ -919,8 +864,6 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, contextEx._message += "'\n"; contextEx._message += sslGetErrors(); - ICE_EXCEPTION(contextEx._message); - throw contextEx; } @@ -939,13 +882,9 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, contextEx._message += sslError; } - ICE_EXCEPTION(contextEx._message); - throw contextEx; } } - - ICE_METHOD_RET("OpenSSL::System::addKeyCert()"); } void @@ -953,13 +892,14 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, const string& privateKey, const string& publicKey) { - ICE_METHOD_INV("OpenSSL::System::addKeyCert()"); - string privKey = privateKey; if (privKey.empty()) { - ICE_WARNING("No private key specified - using the certificate."); + if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
+ }
privKey = publicKey; } @@ -985,8 +925,6 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, contextEx._message += sslError; } - ICE_EXCEPTION(contextEx._message); - throw contextEx; } @@ -1004,8 +942,6 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, contextEx._message += sslError; } - ICE_EXCEPTION(contextEx._message); - throw contextEx; } @@ -1024,20 +960,14 @@ IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, contextEx._message += sslError; } - ICE_EXCEPTION(contextEx._message); - throw contextEx; } - - ICE_METHOD_RET("OpenSSL::System::addKeyCert()"); } SSL_CTX* IceSecurity::Ssl::OpenSSL::System::createContext(SslProtocol sslProtocol) { - ICE_METHOD_INV("OpenSSL::System::createContext()"); - SSL_CTX* context = SSL_CTX_new(getSslMethod(sslProtocol)); if (context == 0) @@ -1046,16 +976,12 @@ IceSecurity::Ssl::OpenSSL::System::createContext(SslProtocol sslProtocol) contextEx._message = "Unable to create SSL Context.\n" + sslGetErrors(); - ICE_EXCEPTION(contextEx._message); - throw contextEx; } // Turn off session caching, supposedly fixes a problem with multithreading. SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF); - ICE_METHOD_RET("OpenSSL::System::createContext()"); - return context; } @@ -1063,8 +989,6 @@ IceSecurity::Ssl::OpenSSL::System::createContext(SslProtocol sslProtocol) string IceSecurity::Ssl::OpenSSL::System::sslGetErrors() { - ICE_METHOD_INV("OpenSSL::System::sslGetErrors()"); - string errorMessage; char buf[200]; char bigBuffer[1024]; @@ -1104,8 +1028,6 @@ IceSecurity::Ssl::OpenSSL::System::sslGetErrors() ERR_clear_error(); - ICE_METHOD_RET("OpenSSL::System::sslGetErrors()"); - return errorMessage; } 
@@ -1122,7 +1044,8 @@ IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(Connection* connection) if (!value.empty()) { - const_cast<int&>(handshakeReadTimeout) = atoi(value.c_str()); + // const_cast<int&>(handshakeReadTimeout) = atoi(value.c_str()); + handshakeReadTimeout = atoi(value.c_str());
} else { @@ -1135,17 +1058,13 @@ IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(Connection* connection) SSL* IceSecurity::Ssl::OpenSSL::System::createConnection(SSL_CTX* sslContext, int socket) { - ICE_METHOD_INV("OpenSSL::System::createConnection()"); - - SSL* sslConnection = 0; - - sslConnection = SSL_new(sslContext); + SSL* sslConnection = SSL_new(sslContext); SSL_clear(sslConnection); SSL_set_fd(sslConnection, socket); - if (ICE_SECURITY_LEVEL_PROTOCOL_DEBUG) + if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) { sslConnection->debug = 1; BIO_set_callback(SSL_get_rbio(sslConnection), bio_dump_cb); @@ -1154,97 +1073,87 @@ IceSecurity::Ssl::OpenSSL::System::createConnection(SSL_CTX* sslContext, int soc BIO_set_callback_arg(SSL_get_rbio(sslConnection), 0); } + // TODO: Remove?
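Review bot: The old `const_cast<int&>(handshakeReadTimeout) = atoi(value.c_str());` is kept as a comment directly above the new assignment; commented-out code should be dropped, the history already preserves it. `atoi` also returns 0 for a non-numeric value and accepts negatives without any signal, so a malformed property silently produces a zero or negative handshake timeout; parsing with `strtol` and an end-pointer check, and rejecting values outside whatever range the connection code accepts, would make bad configuration visible instead of quietly changing timeout behaviour. I cannot tell from the hunk what a zero value means to the read path, so the accepted range should be stated in a comment where the value is consumed. commonConnectionSetup starts before this hunk.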
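Review bot: `SSL* sslConnection = SSL_new(sslContext);` is passed straight to `SSL_clear` and `SSL_set_fd` with no null check, although `SSL_new` returns NULL on allocation failure; the sibling `createContext` in this file checks `SSL_CTX_new` for 0 and throws a `ContextException` built from `sslGetErrors()`, and this function should fail the same way (or with whichever exception type callers of createServerConnection/createClientConnection handle) rather than dereference a null pointer. The body continues into the next hunk.
```cpp
SSL* sslConnection = SSL_new(sslContext);

if (sslConnection == 0)
{
    ContextException contextEx(__FILE__, __LINE__);
    contextEx._message = "Unable to create SSL connection.\n" + sslGetErrors();
    throw contextEx;
}

SSL_clear(sslConnection);
// … unchanged: SSL_set_fd and the protocol-debug BIO callback setup …
```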
// Map the SSL Connection to this SslSystem // This is required for the OpenSSL callbacks // to work properly. // Factory::addSystemHandle(sslConnection, this); - ICE_METHOD_RET("OpenSSL::System::createConnection()"); - return sslConnection; } void IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, CertificateAuthority& certAuth) -{ - ICE_METHOD_INV("OpenSSL::System::loadCAFiles()"); +{
+ assert(sslContext);
string caFile = certAuth.getCAFileName(); string caPath = certAuth.getCAPath(); loadCAFiles(sslContext, caFile.c_str(), caPath.c_str()); - - ICE_METHOD_RET("OpenSSL::System::loadCAFiles()"); } void IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, const char* caFile, const char* caPath) { - ICE_METHOD_INV("OpenSSL::System::loadCAFiles()"); - - if (sslContext != 0) + assert(sslContext); +
+ // The following checks are required to send the expected values to the OpenSSL library. + // It does not like receiving "", but prefers NULLs. + if ((caFile != 0) && (strlen(caFile) == 0)) { - // The following checks are required to send the expected values to the OpenSSL library. - // It does not like receiving "", but prefers NULLs. - if ((caFile != 0) && (strlen(caFile) == 0)) - { - caFile = 0; - } - - if ((caPath != 0) && (strlen(caPath) == 0)) - { - caPath = 0; - } + caFile = 0; + } - // Check the Certificate Authority file(s). - if ((!SSL_CTX_load_verify_locations(sslContext, caFile, caPath)) || - (!SSL_CTX_set_default_verify_paths(sslContext))) - { - // Non Fatal. - ICE_WARNING("Unable to load/verify Certificate Authorities."); - } + if ((caPath != 0) && (strlen(caPath) == 0)) + { + caPath = 0; } - ICE_METHOD_RET("OpenSSL::System::loadCAFiles()"); + // Check the Certificate Authority file(s). + if ((!SSL_CTX_load_verify_locations(sslContext, caFile, caPath)) || + (!SSL_CTX_set_default_verify_paths(sslContext))) + { + // Non Fatal. + if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN Unable to load/verify Certificate Authorities.");
+ }
+ } } void IceSecurity::Ssl::OpenSSL::System::loadAndCheckCAFiles(SSL_CTX* sslContext, CertificateAuthority& certAuth) { - ICE_METHOD_INV("OpenSSL::System::loadAndCheckCAFiles()"); + assert(sslContext); +
+ string caFile = certAuth.getCAFileName(); + string caPath = certAuth.getCAPath(); - if (sslContext != 0) - { - string caFile = certAuth.getCAFileName(); - string caPath = certAuth.getCAPath(); + // Check the Certificate Authority file(s). + loadCAFiles(sslContext, caFile.c_str(), caPath.c_str()); - // Check the Certificate Authority file(s). - loadCAFiles(sslContext, caFile.c_str(), caPath.c_str()); + if (!caPath.empty()) + { + STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str()); - if (!caPath.empty()) + if ((certNames == 0) && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) { - STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str()); - - if (certNames == 0) - { - string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n"; - errorString += sslGetErrors(); - ICE_WARNING(errorString); - } - else - { - SSL_CTX_set_client_CA_list(sslContext, certNames); - } + string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n"; + errorString += sslGetErrors(); + _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ } + else + { + SSL_CTX_set_client_CA_list(sslContext, certNames); } } - - ICE_METHOD_RET("OpenSSL::System::loadAndCheckCAFiles()"); } DH* IceSecurity::Ssl::OpenSSL::System::loadDHParam(const char* dhfile) { - ICE_METHOD_INV(string("OpenSSL::System::loadDHParam(") + dhfile + string(")")); + assert(dhfile);
DH* ret = 0; BIO* bio; @@ -1259,16 +1168,12 @@ IceSecurity::Ssl::OpenSSL::System::loadDHParam(const char* dhfile) BIO_free(bio); } - ICE_METHOD_RET(string("OpenSSL::System::loadDHParam(") + dhfile + string(")")); - return ret; } DH* IceSecurity::Ssl::OpenSSL::System::getTempDH(unsigned char* p, int plen, unsigned char* g, int glen) { - ICE_METHOD_INV("OpenSSL::System::getTempDH()"); - DH* dh = 0; if ((dh = DH_new()) != 0) @@ -1284,29 +1189,21 @@ IceSecurity::Ssl::OpenSSL::System::getTempDH(unsigned char* p, int plen, unsigne } } - ICE_METHOD_RET("OpenSSL::System::getTempDH()"); - return dh; } DH* IceSecurity::Ssl::OpenSSL::System::getTempDH512() { - ICE_METHOD_INV("OpenSSL::System::getTempDH512()"); - DH* dh = getTempDH(_tempDiffieHellman512p, sizeof(_tempDiffieHellman512p), _tempDiffieHellman512g, sizeof(_tempDiffieHellman512g)); - ICE_METHOD_RET("OpenSSL::System::getTempDH512()"); - return dh; } void IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertificates& baseCerts) { - ICE_METHOD_INV("OpenSSL::System::setDHParams()"); - string dhFile; int encoding = 0; @@ -1332,7 +1229,11 @@ IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertific if (dh == 0) { - ICE_WARNING("Could not load Diffie-Hellman params, generating a temporary 512bit key."); + if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
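Review bot: In loadAndCheckCAFiles the trace-level test has been folded into the failure condition, `if ((certNames == 0) && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS))`, so when `SSL_load_client_CA_file` fails while security tracing is below SECURITY_WARNINGS the `else` branch now runs and calls `SSL_CTX_set_client_CA_list(sslContext, 0)`; the removed code only reached the else branch when `certNames` was non-null. The log-level check has to sit inside the `certNames == 0` branch, as below. The same `&&`-folding appears in setCipherList (`@@ -1343`) and initRandSystem (`@@ -1437`); those have no else branch and still behave as before, but mixing side-effecting calls with a log-level test in one condition is exactly what caused this regression and is worth untangling there as well. Two further points in this hunk: the `if (!caPath.empty())` guard tests the path while the call loads `caFile`, which looks like it should be `!caFile.empty()`, and in loadCAFiles the `||` short-circuit means `SSL_CTX_set_default_verify_paths` is never called once `SSL_CTX_load_verify_locations` has failed, after which the context carries on with whatever trust anchors it has and only a SECURITY_WARNINGS-level message records it — a context that cannot load its configured CAs may deserve to fail rather than be labelled `// Non Fatal.`
```cpp
if (!caPath.empty())
{
    // NOTE(review): the guard tests caPath but the call loads caFile - confirm which is intended.
    STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str());

    if (certNames == 0)
    {
        if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
        {
            string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n";
            errorString += sslGetErrors();
            _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
        }
    }
    else
    {
        SSL_CTX_set_client_CA_list(sslContext, certNames);
    }
}
```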
+ {
+ _logger->trace(_traceLevels->securityCat,
+ "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key.");
+ }
dh = getTempDH512(); } @@ -1343,32 +1244,23 @@ IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertific DH_free(dh); } - - ICE_METHOD_RET("OpenSSL::System::setDHParams()"); } void IceSecurity::Ssl::OpenSSL::System::setCipherList(SSL_CTX* sslContext, const string& cipherList) { - ICE_METHOD_INV("OpenSSL::System::setCipherList()"); - - if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(sslContext, cipherList.c_str()))) + if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(sslContext, cipherList.c_str())) &&
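Review bot: The fallback guarded by the new SECURITY_WARNINGS check silently substitutes the built-in 512-bit Diffie-Hellman group (`getTempDH512()`) whenever the configured parameters fail to load; 512-bit DH is widely regarded as breakable, so a misconfigured or unreadable parameter file weakens every ephemeral-DH handshake on this server with only a trace-level message to show for it. If keeping the fallback is deliberate, the comment above `dh = getTempDH512();` should say so explicitly, e.g. `// Fallback is export-strength 512-bit DH; treat the preceding warning as a configuration error in production.`, and the message is important enough to be logged regardless of the configured trace level. setDHParams begins before this hunk.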
+ (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) { - string errorString = "Error setting cipher list " + cipherList + " - using default list.\n"; - + string errorString = "WRN Error setting cipher list " + cipherList + " - using default list.\n"; errorString += sslGetErrors(); - - ICE_WARNING(errorString); + _logger->trace(_traceLevels->securityCat, errorString);
} - - ICE_METHOD_RET("OpenSSL::System::setCipherList()"); } int IceSecurity::Ssl::OpenSSL::System::seedRand() { - ICE_METHOD_INV("OpenSSL::System::seedRand()"); - int retCode = 1; char buffer[1024]; @@ -1387,16 +1279,12 @@ IceSecurity::Ssl::OpenSSL::System::seedRand() _randSeeded = 1; } - ICE_METHOD_RET("OpenSSL::System::seedRand()"); - return retCode; } long IceSecurity::Ssl::OpenSSL::System::loadRandFiles(const string& names) { - ICE_METHOD_INV("OpenSSL::System::loadRandFiles(" + names + ")"); - long tot = 0; if (!names.empty()) @@ -1437,23 +1325,21 @@ IceSecurity::Ssl::OpenSSL::System::loadRandFiles(const string& names) delete []namesString; } - ICE_METHOD_RET("OpenSSL::System::loadRandFiles(" + names + ")"); - return tot; } void IceSecurity::Ssl::OpenSSL::System::initRandSystem(const string& randBytesFiles) { - ICE_METHOD_INV("OpenSSL::System::initRandSystem(" + randBytesFiles + ")"); - if (!_randSeeded) { long randBytesLoaded = 0; - if (!seedRand() && randBytesFiles.empty() && !RAND_status()) + if (!seedRand() && randBytesFiles.empty() && !RAND_status() &&
+ (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) { - ICE_WARNING("There is a lack of random data, consider specifying a random data file."); + _logger->trace(_traceLevels->securityCat,
+ "WRN There is a lack of random data, consider specifying a random data file.");
} if (!randBytesFiles.empty()) @@ -1461,15 +1347,11 @@ IceSecurity::Ssl::OpenSSL::System::initRandSystem(const string& randBytesFiles) randBytesLoaded = loadRandFiles(randBytesFiles); } } - - ICE_METHOD_RET("OpenSSL::System::initRandSystem(" + randBytesFiles + ")"); } void IceSecurity::Ssl::OpenSSL::System::loadTempCerts(TempCertificates& tempCerts) { - ICE_METHOD_INV("OpenSSL::System::loadTempCerts()"); - RSAVector::iterator iRSA = tempCerts.getRSACerts().begin(); RSAVector::iterator eRSA = tempCerts.getRSACerts().end(); @@ -1496,6 +1378,4 @@ IceSecurity::Ssl::OpenSSL::System::loadTempCerts(TempCertificates& tempCerts) _tempDHParamsFileMap[(*iDHP).getKeySize()] = *iDHP; iDHP++; } - - ICE_METHOD_RET("OpenSSL::System::loadTempCerts()"); } diff --git a/cpp/src/Ice/SslSystemOpenSSL.h b/cpp/src/Ice/SslSystemOpenSSL.h index 970d8a2b30c..0f26a9876c7 100644 --- a/cpp/src/Ice/SslSystemOpenSSL.h +++ b/cpp/src/Ice/SslSystemOpenSSL.h @@ -77,8 +77,6 @@ class System : public IceSecurity::Ssl::System { public: - void printContextInfo(SSL_CTX*); - // This is how we create a Server connection. virtual IceSecurity::Ssl::Connection* createServerConnection(int); @@ -88,6 +86,9 @@ public: // Shuts down the SSL System. virtual void shutdown(); + virtual void setTrace(const TraceLevelsPtr&);
+ virtual void setLogger(const LoggerPtr&);
+
virtual bool isConfigLoaded(); virtual void loadConfig(); diff --git a/cpp/src/Ice/SslTransceiver.cpp b/cpp/src/Ice/SslTransceiver.cpp index a3ab29e1566..ef38b60eb3e 100644 --- a/cpp/src/Ice/SslTransceiver.cpp +++ b/cpp/src/Ice/SslTransceiver.cpp @@ -8,7 +8,7 @@ // // ********************************************************************** -#include <Ice/Security.h> +#include <Ice/OpenSSL.h>
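Review bot: The new `setTrace` and `setLogger` declarations carry no comment, while the surrounding declarations in this header each explain their purpose (e.g. `// Shuts down the SSL System.`). A one-liner noting that they also forward the settings to the default certificate verifiers, e.g. `// Sets the trace levels / logger for this System and for its DefaultCertificateVerifier instances; a custom verifier is not updated.`, would tell callers what to expect. The class body starts before this hunk.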
#include <Ice/SslConnection.h> #include <Ice/SslTransceiver.h> #include <Ice/Instance.h> @@ -33,8 +33,6 @@ IceInternal::SslTransceiver::fd() void IceInternal::SslTransceiver::close() { - ICE_METHOD_INV("SslTransceiver::close()"); - if (_traceLevels->network >= 1) { ostringstream s; @@ -47,15 +45,11 @@ IceInternal::SslTransceiver::close() _sslConnection->shutdown(); ::shutdown(fd, SHUT_RDWR); // helps to unblock threads in recv() closeSocket(fd); - - ICE_METHOD_RET("SslTransceiver::close()"); } void IceInternal::SslTransceiver::shutdown() { - ICE_METHOD_INV("SslTransceiver::shutdown()"); - if (_traceLevels->network >= 2) { ostringstream s; @@ -65,26 +59,23 @@ IceInternal::SslTransceiver::shutdown() _sslConnection->shutdown(); ::shutdown(_fd, SHUT_WR); // Shutdown socket for writing - - ICE_METHOD_RET("SslTransceiver::shutdown()"); } void IceInternal::SslTransceiver::write(Buffer& buf, int timeout) { - ICE_METHOD_INV("SslTransceiver::write()") _sslConnection->write(buf, timeout); - ICE_METHOD_RET("SslTransceiver::write()"); } void IceInternal::SslTransceiver::read(Buffer& buf, int timeout) { - ICE_METHOD_INV("SslTransceiver::read()"); - if (!_sslConnection->read(buf, timeout)) { - ICE_WARNING("Connection::read() returning no bytes read."); + if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN Connection::read() returning no bytes read.");
+ }
// TODO: Perhaps this should be a NoApplicationDataException ??? // ICE_WARNING("Throwing ConnectionLostException."); @@ -92,8 +83,6 @@ IceInternal::SslTransceiver::read(Buffer& buf, int timeout) // clEx.error = 0; // throw clEx; } - - ICE_METHOD_RET("SslTransceiver::read()"); } string diff --git a/cpp/src/Ice/ice.dsp b/cpp/src/Ice/ice.dsp index 10f9ed1483a..160de8c1a8d 100644 --- a/cpp/src/Ice/ice.dsp +++ b/cpp/src/Ice/ice.dsp @@ -43,7 +43,7 @@ RSC=rc.exe # PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBRARY_EXPORTS" /Yu"stdafx.h" /FD /c
-# ADD CPP /nologo /MD /W3 /WX /GR /GX /O2 /I ".." /I "../../include" /D "WIN32" /D "_UNICODE" /D "NDEBUG" /D "_CONSOLE" /D "_USRDLL" /D "ICE_API_EXPORTS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /WX /GR /GX /O2 /I ".." /I "../../include" /D "NDEBUG" /D "WIN32" /D "_UNICODE" /D "_CONSOLE" /D "_USRDLL" /D "ICE_API_EXPORTS" /D "USE_SOCKETS" /YX /FD /c
# SUBTRACT CPP /Fr
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -75,7 +75,7 @@ PostBuild_Cmds=copy Release\ice001.* ..\..\lib # PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBRARY_EXPORTS" /Yu"stdafx.h" /FD /GZ /c
-# ADD CPP /nologo /MDd /W3 /WX /Gm /GR /GX /Zi /Od /I ".." /I "../../include" /D "WIN32" /D "_UNICODE" /D "_DEBUG" /D "_CONSOLE" /D "_USRDLL" /D "ICE_API_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /WX /Gm /GR /GX /Zi /Od /I ".." /I "../../include" /D "_DEBUG" /D "USE_SOCKETS" /D "WIN32" /D "_UNICODE" /D "_CONSOLE" /D "_USRDLL" /D "ICE_API_EXPORTS" /YX /FD /GZ /c
# SUBTRACT CPP /Fr
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
@@ -680,6 +680,10 @@ SOURCE=.\ObjectFactoryManagerF.h # End Source File
# Begin Source File
+SOURCE=.\OpenSSL.h
+# End Source File
+# Begin Source File
+
SOURCE=..\..\include\Ice\Outgoing.h
# End Source File
# Begin Source File
@@ -772,10 +776,6 @@ SOURCE=.\SecureUdp.h # End Source File
# Begin Source File
-SOURCE=.\Security.h
-# End Source File
-# Begin Source File
-
SOURCE=..\..\include\Ice\ServantLocator.h
# End Source File
# Begin Source File
@@ -800,11 +800,11 @@ SOURCE=.\SslCertificateDesc.h # End Source File
# Begin Source File
-SOURCE=.\SslCertificateVerifier.h
+SOURCE=..\..\include\Ice\SslCertificateVerifier.h
# End Source File
# Begin Source File
-SOURCE=.\SslCertificateVerifierF.h
+SOURCE=..\..\include\Ice\SslCertificateVerifierF.h
# End Source File
# Begin Source File
@@ -1856,6 +1856,74 @@ InputPath=..\..\slice\Ice\ServantLocatorF.ice # End Source File
# Begin Source File
+SOURCE=..\..\slice\Ice\SslCertificateVerifier.ice
+
+!IF "$(CFG)" == "Ice - Win32 Release"
+
+USERDEP__SSLCE="../../bin/slice2cpp.exe"
+# Begin Custom Build
+InputPath=..\..\slice\Ice\SslCertificateVerifier.ice
+
+BuildCmds= \
+ set PATH=%PATH%;..\..\lib \
+ ..\..\bin\slice2cpp.exe --dll-export ICE_API --include-dir Ice -I../../slice ../../slice/Ice/SslCertificateVerifier.ice \
+ move SslCertificateVerifier.h ..\..\include\Ice \
+
+
+"..\..\include\Ice\SslCertificateVerifier.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ $(BuildCmds)
+
+"SslCertificateVerifier.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ $(BuildCmds)
+# End Custom Build
+
+!ELSEIF "$(CFG)" == "Ice - Win32 Debug"
+
+USERDEP__SSLCE="../../bin/slice2cpp.exe"
+# Begin Custom Build
+InputPath=..\..\slice\Ice\SslCertificateVerifier.ice
+
+BuildCmds= \
+ set PATH=%PATH%;..\..\lib \
+ ..\..\bin\slice2cpp.exe --dll-export ICE_API --include-dir Ice -I../../slice ../../slice/Ice/SslCertificateVerifier.ice \
+ move SslCertificateVerifier.h ..\..\include\Ice \
+
+
+"..\..\include\Ice\SslCertificateVerifier.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ $(BuildCmds)
+
+"SslCertificateVerifier.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ $(BuildCmds)
+# End Custom Build
+
+!ENDIF
+
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\slice\Ice\SslCertificateVerifierF.ice
+
+!IF "$(CFG)" == "Ice - Win32 Release"
+
+!ELSEIF "$(CFG)" == "Ice - Win32 Debug"
+
+USERDEP__SSLCER="../../bin/slice2cpp.exe"
+# Begin Custom Build
+InputPath=..\..\slice\Ice\SslCertificateVerifierF.ice
+
+"..\..\include\Ice\SslCertificateVerifierF.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ set PATH=%PATH%;..\..\lib
+ ..\..\bin\slice2cpp.exe --dll-export ICE_API --include-dir Ice -I../../slice ../../slice/Ice/SslCertificateVerifierF.ice
+ move SslCertificateVerifierF.h ..\..\include\Ice
+ del SslCertificateVerifierF.cpp
+
+# End Custom Build
+
+!ENDIF
+
+# End Source File
+# Begin Source File
+
SOURCE=..\..\slice\Ice\Stream.ice
!IF "$(CFG)" == "Ice - Win32 Release"