author | Mark Spruiell <mes@zeroc.com> | 2006-03-28 20:53:42 +0000 |
---|---|---|
committer | Mark Spruiell <mes@zeroc.com> | 2006-03-28 20:53:42 +0000 |
commit | 0a58e76f0fde2dcddd5505951fe5f1201d36ced7 (patch) | |
tree | 1929d74d1a70670fe74e863de4dacad5c37aa7a4 /cpp/src | |
parent | minor fix (diff) | |
download | ice-0a58e76f0fde2dcddd5505951fe5f1201d36ced7.tar.bz2 ice-0a58e76f0fde2dcddd5505951fe5f1201d36ced7.tar.xz ice-0a58e76f0fde2dcddd5505951fe5f1201d36ced7.zip |
new IceSSL plugin
Diffstat (limited to 'cpp/src')
71 files changed, 3059 insertions, 7795 deletions
diff --git a/cpp/src/Ice/Network.cpp b/cpp/src/Ice/Network.cpp index deb8e18fa66..201d63f5bbe 100644 --- a/cpp/src/Ice/Network.cpp +++ b/cpp/src/Ice/Network.cpp @@ -223,20 +223,6 @@ IceInternal::createSocket(bool udp) return fd; } -static void -closeSocketNoThrow(SOCKET fd) -{ -#ifdef _WIN32 - int error = WSAGetLastError(); - closesocket(fd); - WSASetLastError(error); -#else - int error = errno; - close(fd); - errno = error; -#endif -} - void IceInternal::closeSocket(SOCKET fd) { @@ -260,6 +246,20 @@ IceInternal::closeSocket(SOCKET fd) errno = error; #endif } + +void +IceInternal::closeSocketNoThrow(SOCKET fd) +{ +#ifdef _WIN32 + int error = WSAGetLastError(); + closesocket(fd); + WSASetLastError(error); +#else + int error = errno; + close(fd); + errno = error; +#endif +} void IceInternal::shutdownSocketWrite(SOCKET fd) @@ -1200,33 +1200,18 @@ IceInternal::fdToString(SOCKET fd) struct sockaddr_in localAddr; fdToLocalAddress(fd, localAddr); - bool peerNotConnected = false; - socklen_t remoteLen = static_cast<socklen_t>(sizeof(struct sockaddr_in)); struct sockaddr_in remoteAddr; - if(getpeername(fd, reinterpret_cast<struct sockaddr*>(&remoteAddr), &remoteLen) == SOCKET_ERROR) - { - if(notConnected()) - { - peerNotConnected = true; - } - else - { - closeSocketNoThrow(fd); - SocketException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - } + bool peerConnected = fdToRemoteAddress(fd, remoteAddr); ostringstream s; s << "local address = " << addrToString(localAddr); - if(peerNotConnected) + if(peerConnected) { - s << "\nremote address = <not connected>"; + s << "\nremote address = " << addrToString(remoteAddr); } else { - s << "\nremote address = " << addrToString(remoteAddr); + s << "\nremote address = <not connected>"; } return s.str(); } 
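Review bot: closeSocketNoThrow becomes an exported ICE_API function in the `@@ -260,6 +246,20 @@` hunk without a comment stating its contract, and the name alone does not convey that it also preserves the pending error code. The body saves errno (or WSAGetLastError() on Windows) around close()/closesocket() precisely so an error path can release the descriptor and still report the original failure; a caller unaware of that may reorder its own calls and lose the code anyway. Suggest a header comment above the definition: `// Closes fd without throwing and without disturbing errno / WSAGetLastError(), so an error path can close the socket and still report the original failure.` The declaration added to Network.h would benefit from the same one-liner.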
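Review bot: fdToString in the `@@ -1200,33 +1200,18 @@` hunk is a formatter for trace output, yet the call to fdToRemoteAddress on its fourth new line can close fd and throw SocketException for any getpeername() failure other than "not connected" (the helper's body is in the `@@ -1244,6 +1229,28 @@` hunk below). The behaviour is inherited from the inline code being removed, so this is not a regression, but once it lives in a reusable helper the side effect is easy to miss at a call site, and a caller that logs the address and afterwards uses or closes the same descriptor would be acting on a closed, possibly already reused, descriptor number. Suggest marking it at the call: `bool peerConnected = fdToRemoteAddress(fd, remoteAddr); // closes fd and throws on errors other than "not connected"`. Whether fdToLocalAddress on the preceding line behaves the same way cannot be seen from this hunk.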
@@ -1244,6 +1229,28 @@ IceInternal::fdToLocalAddress(SOCKET fd, struct sockaddr_in& addr) } } +bool +IceInternal::fdToRemoteAddress(SOCKET fd, struct sockaddr_in& addr) +{ + socklen_t len = static_cast<socklen_t>(sizeof(struct sockaddr_in)); + if(getpeername(fd, reinterpret_cast<struct sockaddr*>(&addr), &len) == SOCKET_ERROR) + { + if(notConnected()) + { + return false; + } + else + { + closeSocketNoThrow(fd); + SocketException ex(__FILE__, __LINE__); + ex.error = getSocketErrno(); + throw ex; + } + } + + return true; +} + string IceInternal::addrToString(const struct sockaddr_in& addr) { diff --git a/cpp/src/Ice/Network.h b/cpp/src/Ice/Network.h index f178383af3f..c35d899089a 100644 --- a/cpp/src/Ice/Network.h +++ b/cpp/src/Ice/Network.h @@ -82,6 +82,7 @@ ICE_API bool recvTruncated(); ICE_API SOCKET createSocket(bool); ICE_API void closeSocket(SOCKET); +ICE_API void closeSocketNoThrow(SOCKET); ICE_API void shutdownSocketWrite(SOCKET); ICE_API void shutdownSocketReadWrite(SOCKET); @@ -109,6 +110,7 @@ ICE_API std::string lastErrorToString(); ICE_API std::string fdToString(SOCKET); ICE_API void fdToLocalAddress(SOCKET, struct sockaddr_in&); +ICE_API bool fdToRemoteAddress(SOCKET, struct sockaddr_in&); ICE_API std::string addrToString(const struct sockaddr_in&); ICE_API std::vector<std::string> getLocalHosts(); diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp index dd7b013565a..97cc05cbc21 100644 --- a/cpp/src/Ice/PropertyNames.cpp +++ b/cpp/src/Ice/PropertyNames.cpp @@ -7,7 +7,7 @@ // // ********************************************************************** -// Generated by makeprops.py from file `../config/PropertyNames.def', Wed Mar 22 09:08:02 2006 +// Generated by makeprops.py from file `../config/PropertyNames.def', Tue Mar 28 10:20:52 2006 // IMPORTANT: Do not edit this file -- any edits made here will be lost! 
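Review bot: fdToRemoteAddress returns false only for the notConnected() case, and on that path nothing in the function writes addr, so a caller that ignores the result and formats addr reads whatever the caller passed in; neither the definition here nor the `ICE_API bool fdToRemoteAddress(SOCKET, struct sockaddr_in&);` declaration added to Network.h says so. The other failure branch calls closeSocketNoThrow(fd) before throwing, which means the exception leaves the caller holding a descriptor number it must not use or close again. Suggest a comment above the definition: `// Fills addr with the peer address and returns true. Returns false (addr untouched) if the socket is not connected; on any other getpeername() failure closes fd and throws SocketException.` As a point of style, the `else` after `return false;` could be dropped so the throwing branch reads as the fall-through.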
@@ -203,38 +203,47 @@ const char* IceInternal::PropertyNames::IcePatch2Props[] = const char* IceInternal::PropertyNames::IceSSLProps[] = { - "IceSSL.Client.CertPath", - "IceSSL.Client.Config", - "IceSSL.Client.IgnoreValidPeriod", - "IceSSL.Client.Overrides.CACertificate", - "IceSSL.Client.Overrides.DSA.Certificate", - "IceSSL.Client.Overrides.DSA.PrivateKey", - "IceSSL.Client.Overrides.RSA.Certificate", - "IceSSL.Client.Overrides.RSA.PrivateKey", - "IceSSL.Client.Passphrase.Retries", - "IceSSL.Server.CertPath", - "IceSSL.Server.Config", - "IceSSL.Server.IgnoreValidPeriod", - "IceSSL.Server.Overrides.CACertificate", - "IceSSL.Server.Overrides.DSA.Certificate", - "IceSSL.Server.Overrides.DSA.PrivateKey", - "IceSSL.Server.Overrides.RSA.Certificate", - "IceSSL.Server.Overrides.RSA.PrivateKey", - "IceSSL.Server.Passphrase.Retries", + "IceSSL.Client.CertAuthDir", + "IceSSL.Client.CertAuthFile", + "IceSSL.Client.CertFile", + "IceSSL.Client.CheckCertName", + "IceSSL.Client.CheckCRL", + "IceSSL.Client.Ciphers", + "IceSSL.Client.DefaultDir", + "IceSSL.Client.DH.*", + "IceSSL.Client.KeyFile", + "IceSSL.Client.Password", + "IceSSL.Client.PasswordRetryMax", + "IceSSL.Client.Protocols", + "IceSSL.Client.VerifyDepthMax", + "IceSSL.Client.VerifyPeer", + "IceSSL.DelayInit", + "IceSSL.EntropyDaemon", + "IceSSL.ImportCert.*", + "IceSSL.Random", + "IceSSL.Server.CertAuthDir", + "IceSSL.Server.CertAuthFile", + "IceSSL.Server.CertFile", + "IceSSL.Server.CheckCRL", + "IceSSL.Server.Ciphers", + "IceSSL.Server.DefaultDir", + "IceSSL.Server.DH.*", + "IceSSL.Server.KeyFile", + "IceSSL.Server.Password", + "IceSSL.Server.PasswordRetryMax", + "IceSSL.Server.Protocols", + "IceSSL.Server.VerifyDepthMax", + "IceSSL.Server.VerifyPeer", "IceSSL.Trace.Security", "IceSSL.Client.Certs", "IceSSL.Client.CertsPassword", - "IceSSL.Client.Ciphers", "IceSSL.Client.Keystore", "IceSSL.Client.KeystorePassword", - "IceSSL.Client.Password", "IceSSL.Server.Certs", "IceSSL.Server.CertsPassword", - 
"IceSSL.Server.Ciphers", "IceSSL.Server.ClientAuth", "IceSSL.Server.Keystore", "IceSSL.Server.KeystorePassword", - "IceSSL.Server.Password", 0 }; diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h index 36bfecd88f5..471140102df 100644 --- a/cpp/src/Ice/PropertyNames.h +++ b/cpp/src/Ice/PropertyNames.h @@ -7,7 +7,7 @@ // // ********************************************************************** -// Generated by makeprops.py from file `../config/PropertyNames.def', Wed Mar 22 09:08:02 2006 +// Generated by makeprops.py from file `../config/PropertyNames.def', Tue Mar 28 10:20:52 2006 // IMPORTANT: Do not edit this file -- any edits made here will be lost! diff --git a/cpp/src/IceSSL/.depend b/cpp/src/IceSSL/.depend index c29829404d8..023fb8d7838 100644 --- a/cpp/src/IceSSL/.depend +++ b/cpp/src/IceSSL/.depend 
@@ -1,37 +1,8 @@ -BaseCerts.o: BaseCerts.cpp ../IceSSL/BaseCerts.h ../IceSSL/CertificateDesc.h ../../include/IceUtil/Config.h -CertificateAuthority.o: CertificateAuthority.cpp ../IceSSL/CertificateAuthority.h ../../include/IceUtil/Config.h -CertificateDesc.o: CertificateDesc.cpp ../IceSSL/CertificateDesc.h ../../include/IceUtil/Config.h -CertificateVerifierF.o: CertificateVerifierF.cpp ../../include/IceSSL/CertificateVerifierF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/UndefSysMacros.h -CertificateVerifier.o: CertificateVerifier.cpp ../../include/IceSSL/CertificateVerifier.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/IceSSL/Plugin.h ../../include/Ice/BuiltinSequences.h 
../../include/Ice/Plugin.h ../../include/IceSSL/CertificateVerifierF.h ../../include/Ice/BasicStream.h ../../include/Ice/InstanceF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/Buffer.h ../../include/Ice/Object.h ../../include/Ice/GCShared.h ../../include/Ice/GCRecMutex.h ../../include/IceUtil/RecMutex.h ../../include/Ice/IncomingAsyncF.h -CertificateVerifierOpenSSL.o: CertificateVerifierOpenSSL.cpp ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceUtil/Config.h ../../include/IceSSL/CertificateVerifier.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/IceSSL/Plugin.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Plugin.h ../../include/IceSSL/CertificateVerifierF.h -ClientContext.o: ClientContext.cpp ../../include/Ice/Communicator.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h 
../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/LoggerF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LoggerUtil.h ../../include/IceSSL/Exception.h ../IceSSL/ClientContext.h ../IceSSL/OpenSSLPluginIF.h ../IceSSL/Context.h ../IceSSL/TraceLevelsF.h ../IceSSL/SslTransceiverF.h ../IceSSL/ContextF.h ../../include/Ice/BuiltinSequences.h ../IceSSL/OpenSSL.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ../../include/IceSSL/CertificateVerifierF.h ../IceSSL/GeneralConfig.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/CertificateDesc.h ../IceSSL/TempCerts.h ../../include/IceSSL/RSAPublicKey.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAKeyPairF.h ../IceSSL/SslTransceiver.h ../../include/IceUtil/StaticMutex.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ../../include/Ice/Buffer.h ../IceSSL/TraceLevels.h ../../include/Ice/ProtocolPluginFacadeF.h -ConfigParser.o: ConfigParser.cpp ../IceSSL/ConfigParser.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h 
../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/UndefSysMacros.h ../IceSSL/CertificateDesc.h ../IceSSL/GeneralConfig.h ../IceSSL/OpenSSL.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/TempCerts.h ../IceSSL/TraceLevelsF.h ../../include/IceXML/Parser.h ../../include/IceSSL/Exception.h -Context.o: Context.cpp ../../include/Ice/Communicator.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/LoggerF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LoggerUtil.h ../../include/Ice/Properties.h ../../include/Ice/BuiltinSequences.h ../IceSSL/DefaultCertificateVerifier.h ../IceSSL/TraceLevelsF.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h 
../../include/IceSSL/CertificateVerifier.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ../../include/IceSSL/CertificateVerifierF.h ../../include/IceSSL/Exception.h ../../include/IceSSL/RSAKeyPair.h ../../include/IceSSL/RSAKeyPairF.h ../../include/IceSSL/RSACertificateGenF.h ../../include/IceSSL/RSAPrivateKeyF.h ../../include/IceSSL/RSAPublicKeyF.h ../IceSSL/CertificateDesc.h ../IceSSL/SslTransceiver.h ../IceSSL/SslTransceiverF.h ../IceSSL/OpenSSLPluginIF.h ../../include/IceUtil/StaticMutex.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ../../include/Ice/Buffer.h ../IceSSL/Context.h ../IceSSL/ContextF.h ../IceSSL/OpenSSL.h ../IceSSL/GeneralConfig.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/TempCerts.h ../../include/IceSSL/RSAPublicKey.h ../IceSSL/OpenSSLJanitors.h ../IceSSL/OpenSSLUtils.h ../IceSSL/TraceLevels.h ../../include/Ice/ProtocolPluginFacadeF.h -Convert.o: Convert.cpp ../../include/IceUtil/Config.h ../IceSSL/Convert.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h -DefaultCertificateVerifier.o: DefaultCertificateVerifier.cpp ../../include/Ice/Communicator.h 
../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/LoggerF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/Properties.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LoggerUtil.h ../IceSSL/OpenSSL.h ../IceSSL/DefaultCertificateVerifier.h ../IceSSL/TraceLevelsF.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ../../include/IceSSL/CertificateVerifierF.h ../IceSSL/OpenSSLUtils.h ../IceSSL/TraceLevels.h ../../include/Ice/ProtocolPluginFacadeF.h -DHParams.o: DHParams.cpp ../IceSSL/DHParams.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Config.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Exception.h ../IceSSL/DHParamsF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/Ice/Config.h -Exception.o: Exception.cpp 
../../include/IceSSL/Exception.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/UndefSysMacros.h -GeneralConfig.o: GeneralConfig.cpp ../IceSSL/GeneralConfig.h ../IceSSL/OpenSSL.h ../../include/IceUtil/Config.h -OpenSSLJanitors.o: OpenSSLJanitors.cpp ../IceSSL/OpenSSLJanitors.h ../../include/IceUtil/Config.h -OpenSSLPluginI.o: OpenSSLPluginI.cpp ../IceSSL/OpenSSLPluginI.h ../../include/IceUtil/RecMutex.h ../../include/IceUtil/Config.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Exception.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ProtocolPluginFacadeF.h ../IceSSL/OpenSSLPluginIF.h ../../include/IceSSL/CertificateVerifierF.h ../IceSSL/TraceLevelsF.h ../IceSSL/SslTransceiverF.h ../../include/IceSSL/RSAPrivateKeyF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h 
../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Plugin.h ../IceSSL/CertificateDesc.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/TempCerts.h ../IceSSL/ServerContext.h ../IceSSL/Context.h ../IceSSL/ContextF.h ../IceSSL/OpenSSL.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../IceSSL/GeneralConfig.h ../../include/IceSSL/RSAPublicKey.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAKeyPairF.h ../IceSSL/ClientContext.h ../IceSSL/DHParamsF.h ../../include/Ice/LoggerUtil.h ../../include/Ice/Properties.h ../../include/Ice/ProtocolPluginFacade.h ../../include/Ice/EndpointFactoryF.h ../../include/Ice/InstanceF.h ../../include/Ice/Communicator.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../IceSSL/TraceLevels.h ../../include/IceSSL/Exception.h ../IceSSL/ConfigParser.h ../../include/IceXML/Parser.h ../IceSSL/OpenSSLJanitors.h ../IceSSL/OpenSSLUtils.h ../IceSSL/SslTransceiver.h ../../include/IceUtil/StaticMutex.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ../../include/Ice/Buffer.h ../IceSSL/DefaultCertificateVerifier.h ../IceSSL/SingleCertificateVerifier.h ../IceSSL/SslEndpointI.h ../Ice/EndpointI.h ../Ice/ConnectorF.h ../Ice/AcceptorF.h ../../include/Ice/EndpointFactory.h ../../include/IceSSL/RSAPrivateKey.h ../IceSSL/DHParams.h -OpenSSLUtils.o: OpenSSLUtils.cpp ../../include/IceUtil/StaticMutex.h ../../include/IceUtil/Config.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Exception.h ../IceSSL/OpenSSLPluginI.h ../../include/IceUtil/RecMutex.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h 
../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ProtocolPluginFacadeF.h ../IceSSL/OpenSSLPluginIF.h ../../include/IceSSL/CertificateVerifierF.h ../IceSSL/TraceLevelsF.h ../IceSSL/SslTransceiverF.h ../../include/IceSSL/RSAPrivateKeyF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Plugin.h ../IceSSL/CertificateDesc.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/TempCerts.h ../IceSSL/ServerContext.h ../IceSSL/Context.h ../IceSSL/ContextF.h ../IceSSL/OpenSSL.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../IceSSL/GeneralConfig.h ../../include/IceSSL/RSAPublicKey.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAKeyPairF.h ../IceSSL/ClientContext.h ../IceSSL/DHParamsF.h ../IceSSL/OpenSSLUtils.h ../IceSSL/SslTransceiver.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ../../include/Ice/Buffer.h -PluginF.o: PluginF.cpp ../../include/IceSSL/PluginF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h 
../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/UndefSysMacros.h -Plugin.o: Plugin.cpp ../../include/IceSSL/Plugin.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Plugin.h ../../include/IceSSL/CertificateVerifierF.h ../../include/Ice/BasicStream.h ../../include/Ice/InstanceF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/Buffer.h ../../include/Ice/Object.h ../../include/Ice/GCShared.h ../../include/Ice/GCRecMutex.h ../../include/IceUtil/RecMutex.h ../../include/Ice/IncomingAsyncF.h -RSACertificateGen.o: RSACertificateGen.cpp ../../include/IceUtil/Config.h ../../include/IceSSL/RSACertificateGen.h ../../include/IceSSL/RSAKeyPairF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/IceSSL/Config.h ../IceSSL/OpenSSLJanitors.h ../../include/IceSSL/RSAKeyPair.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h 
../../include/Ice/BuiltinSequences.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/IceSSL/RSACertificateGenF.h ../../include/IceSSL/RSAPrivateKeyF.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAPrivateKey.h ../../include/IceSSL/RSAPublicKey.h ../../include/IceSSL/Exception.h ../IceSSL/OpenSSLUtils.h -RSAKeyPair.o: RSAKeyPair.cpp ../../include/IceUtil/Config.h ../../include/IceUtil/Base64.h ../../include/IceSSL/RSAKeyPair.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Exception.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/IceSSL/RSAKeyPairF.h 
../../include/IceSSL/Config.h ../../include/IceSSL/RSACertificateGenF.h ../../include/IceSSL/RSAPrivateKeyF.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAPrivateKey.h ../../include/IceSSL/RSAPublicKey.h -RSAPrivateKey.o: RSAPrivateKey.cpp ../../include/IceUtil/Config.h ../../include/IceUtil/Base64.h ../../include/IceSSL/RSAPrivateKey.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Exception.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/IceSSL/Config.h ../../include/IceSSL/RSAPrivateKeyF.h ../IceSSL/Convert.h ../IceSSL/OpenSSLUtils.h ../../include/IceSSL/Exception.h -RSAPublicKey.o: RSAPublicKey.cpp ../../include/IceUtil/Config.h ../../include/IceUtil/Base64.h ../../include/IceSSL/RSAPublicKey.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Exception.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h 
../../include/Ice/LocalObject.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/IceSSL/Config.h ../../include/IceSSL/RSAPublicKeyF.h ../IceSSL/Convert.h ../IceSSL/OpenSSLUtils.h ../../include/IceSSL/Exception.h -ServerContext.o: ServerContext.cpp ../../include/Ice/Communicator.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/LoggerF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LoggerUtil.h ../../include/IceSSL/Exception.h ../IceSSL/ServerContext.h ../IceSSL/OpenSSLPluginIF.h ../IceSSL/Context.h ../IceSSL/TraceLevelsF.h ../IceSSL/SslTransceiverF.h 
../IceSSL/ContextF.h ../../include/Ice/BuiltinSequences.h ../IceSSL/OpenSSL.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ../../include/IceSSL/CertificateVerifierF.h ../IceSSL/GeneralConfig.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/CertificateDesc.h ../IceSSL/TempCerts.h ../../include/IceSSL/RSAPublicKey.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAKeyPairF.h ../IceSSL/SslTransceiver.h ../../include/IceUtil/StaticMutex.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ../../include/Ice/Buffer.h ../IceSSL/OpenSSLUtils.h ../IceSSL/TraceLevels.h ../../include/Ice/ProtocolPluginFacadeF.h -SingleCertificateVerifier.o: SingleCertificateVerifier.cpp ../IceSSL/SingleCertificateVerifier.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h 
../../include/IceSSL/CertificateVerifierF.h ../IceSSL/Convert.h -SslAcceptor.o: SslAcceptor.cpp ../../include/Ice/LoggerUtil.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/UndefSysMacros.h ../Ice/Network.h ../IceSSL/OpenSSLPluginI.h ../../include/IceUtil/RecMutex.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ProtocolPluginFacadeF.h ../IceSSL/OpenSSLPluginIF.h ../../include/IceSSL/CertificateVerifierF.h ../IceSSL/TraceLevelsF.h ../IceSSL/SslTransceiverF.h ../../include/IceSSL/RSAPrivateKeyF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Plugin.h ../IceSSL/CertificateDesc.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/TempCerts.h ../IceSSL/ServerContext.h ../IceSSL/Context.h ../IceSSL/ContextF.h ../IceSSL/OpenSSL.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../IceSSL/GeneralConfig.h ../../include/IceSSL/RSAPublicKey.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAKeyPairF.h ../IceSSL/ClientContext.h ../IceSSL/DHParamsF.h 
../IceSSL/SslAcceptor.h ../Ice/TransceiverF.h ../Ice/Acceptor.h ../Ice/AcceptorF.h ../IceSSL/SslTransceiver.h ../../include/IceUtil/StaticMutex.h ../Ice/Transceiver.h ../../include/Ice/Buffer.h ../IceSSL/TraceLevels.h -SslConnector.o: SslConnector.cpp ../Ice/Network.h ../../include/Ice/Config.h ../../include/IceUtil/Config.h ../../include/Ice/LoggerUtil.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/UndefSysMacros.h ../IceSSL/OpenSSLPluginI.h ../../include/IceUtil/RecMutex.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ProtocolPluginFacadeF.h ../IceSSL/OpenSSLPluginIF.h ../../include/IceSSL/CertificateVerifierF.h ../IceSSL/TraceLevelsF.h ../IceSSL/SslTransceiverF.h ../../include/IceSSL/RSAPrivateKeyF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Plugin.h ../IceSSL/CertificateDesc.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/TempCerts.h ../IceSSL/ServerContext.h ../IceSSL/Context.h ../IceSSL/ContextF.h ../IceSSL/OpenSSL.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../IceSSL/GeneralConfig.h 
../../include/IceSSL/RSAPublicKey.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAKeyPairF.h ../IceSSL/ClientContext.h ../IceSSL/DHParamsF.h ../IceSSL/SslConnector.h ../Ice/TransceiverF.h ../Ice/Connector.h ../Ice/ConnectorF.h ../IceSSL/SslTransceiver.h ../../include/IceUtil/StaticMutex.h ../Ice/Transceiver.h ../../include/Ice/Buffer.h ../IceSSL/TraceLevels.h -SslEndpointI.o: SslEndpointI.cpp ../Ice/Network.h ../../include/Ice/Config.h ../../include/IceUtil/Config.h ../../include/Ice/BasicStream.h ../../include/Ice/InstanceF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/ObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/Buffer.h ../../include/Ice/LocalException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/ProtocolPluginFacade.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/Ice/EndpointFactoryF.h ../IceSSL/SslEndpointI.h ../Ice/EndpointI.h ../Ice/TransceiverF.h ../Ice/ConnectorF.h ../Ice/AcceptorF.h ../../include/Ice/EndpointFactory.h ../IceSSL/OpenSSLPluginIF.h ../IceSSL/SslAcceptor.h ../../include/Ice/LoggerF.h ../IceSSL/TraceLevelsF.h ../Ice/Acceptor.h ../IceSSL/SslConnector.h ../Ice/Connector.h ../IceSSL/SslTransceiver.h 
../../include/Ice/StatsF.h ../IceSSL/SslTransceiverF.h ../../include/IceSSL/CertificateVerifierF.h ../../include/IceUtil/StaticMutex.h ../Ice/Transceiver.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ../IceSSL/OpenSSLPluginI.h ../../include/IceUtil/RecMutex.h ../../include/Ice/PropertiesF.h ../../include/IceSSL/RSAPrivateKeyF.h ../IceSSL/CertificateDesc.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/TempCerts.h ../IceSSL/ServerContext.h ../IceSSL/Context.h ../IceSSL/ContextF.h ../IceSSL/OpenSSL.h ../IceSSL/GeneralConfig.h ../../include/IceSSL/RSAPublicKey.h ../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAKeyPairF.h ../IceSSL/ClientContext.h ../IceSSL/DHParamsF.h -SslException.o: SslException.cpp ../../include/Ice/LocalException.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../../include/IceSSL/Exception.h -SslTransceiver.o: SslTransceiver.cpp ../../include/Ice/LoggerUtil.h ../../include/Ice/LoggerF.h 
../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/Stats.h ../Ice/Network.h ../../include/Ice/LocalException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../IceSSL/SslTransceiver.h ../../include/Ice/StatsF.h ../IceSSL/SslTransceiverF.h ../IceSSL/OpenSSLPluginIF.h ../IceSSL/TraceLevelsF.h ../../include/IceSSL/CertificateVerifierF.h ../../include/IceUtil/StaticMutex.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ../../include/Ice/Buffer.h ../../include/IceSSL/CertificateVerifierOpenSSL.h ../../include/IceSSL/Config.h ../../include/IceSSL/CertificateVerifier.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ../IceSSL/TraceLevels.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Exception.h ../IceSSL/OpenSSLPluginI.h ../../include/IceUtil/RecMutex.h ../../include/Ice/PropertiesF.h ../../include/IceSSL/RSAPrivateKeyF.h ../IceSSL/CertificateDesc.h ../IceSSL/CertificateAuthority.h ../IceSSL/BaseCerts.h ../IceSSL/TempCerts.h ../IceSSL/ServerContext.h ../IceSSL/Context.h ../IceSSL/ContextF.h ../IceSSL/OpenSSL.h ../IceSSL/GeneralConfig.h ../../include/IceSSL/RSAPublicKey.h 
../../include/IceSSL/RSAPublicKeyF.h ../../include/IceSSL/RSAKeyPairF.h ../IceSSL/ClientContext.h ../IceSSL/DHParamsF.h ../IceSSL/OpenSSLUtils.h -TempCerts.o: TempCerts.cpp ../IceSSL/TempCerts.h ../IceSSL/CertificateDesc.h ../../include/IceUtil/Config.h -TraceLevels.o: TraceLevels.cpp ../IceSSL/TraceLevels.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Config.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Exception.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/Ice/Config.h ../IceSSL/TraceLevelsF.h ../../include/Ice/Communicator.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/LoggerF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/Properties.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/ProtocolPluginFacade.h ../../include/Ice/EndpointFactoryF.h ../../include/Ice/InstanceF.h -Exception.cpp: ../../slice/IceSSL/Exception.ice -PluginF.cpp: ../../slice/IceSSL/PluginF.ice -Plugin.cpp: ../../slice/IceSSL/Plugin.ice ../../slice/Ice/BuiltinSequences.ice ../../slice/Ice/Plugin.ice ../../slice/IceSSL/CertificateVerifierF.ice -CertificateVerifierF.cpp: 
../../slice/IceSSL/CertificateVerifierF.ice -CertificateVerifier.cpp: ../../slice/IceSSL/CertificateVerifier.ice ../../slice/IceSSL/Plugin.ice ../../slice/Ice/BuiltinSequences.ice ../../slice/Ice/Plugin.ice ../../slice/IceSSL/CertificateVerifierF.ice +AcceptorI.o: AcceptorI.cpp ./AcceptorI.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../Ice/TransceiverF.h ../Ice/Acceptor.h ../Ice/AcceptorF.h ./InstanceF.h ./Instance.h ./Context.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ./Util.h ../Ice/Network.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LoggerUtil.h +Context.o: Context.cpp ./Context.h ./InstanceF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h 
../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ./UtilF.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ./Instance.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ./Util.h ../Ice/Network.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Logger.h ../../include/Ice/LoggerUtil.h ../../include/Ice/Properties.h +ConnectorI.o: ConnectorI.cpp ./ConnectorI.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../Ice/TransceiverF.h ../Ice/Connector.h ../Ice/ConnectorF.h ./InstanceF.h ./Instance.h ./Context.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h 
../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ./Util.h ../Ice/Network.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LoggerUtil.h +EndpointI.o: EndpointI.cpp ./EndpointI.h ../Ice/EndpointI.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Config.h ../../include/Ice/Endpoint.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/EndpointIF.h ../../include/Ice/InstanceF.h ../Ice/TransceiverF.h ../Ice/ConnectorF.h ../Ice/AcceptorF.h ../../include/Ice/EndpointFactory.h ../../include/Ice/EndpointFactoryF.h ./InstanceF.h ./AcceptorI.h ../../include/Ice/LoggerF.h ../Ice/Acceptor.h ./ConnectorI.h ../Ice/Connector.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ./Instance.h ./Context.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ../Ice/Network.h ../../include/Ice/BasicStream.h 
../../include/Ice/ObjectFactoryF.h ../../include/Ice/Buffer.h ../../include/Ice/Protocol.h ../../include/IceUtil/AutoArray.h ../../include/Ice/LocalException.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/BuiltinSequences.h ../Ice/DefaultsAndOverrides.h ../Ice/DefaultsAndOverridesF.h ../../include/Ice/PropertiesF.h +Instance.o: Instance.cpp ./Instance.h ./InstanceF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ./Context.h ./UtilF.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ./EndpointI.h ../Ice/EndpointI.h ../../include/Ice/Endpoint.h ../../include/Ice/EndpointIF.h ../../include/Ice/InstanceF.h ../Ice/TransceiverF.h ../Ice/ConnectorF.h ../Ice/AcceptorF.h ../../include/Ice/EndpointFactory.h ../../include/Ice/EndpointFactoryF.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h 
../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Logger.h ../../include/Ice/Properties.h ../../include/Ice/ProtocolPluginFacade.h +PluginI.o: PluginI.cpp ./PluginI.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ./InstanceF.h ../../include/Ice/CommunicatorF.h ./Instance.h ./Context.h ./UtilF.h ../../include/Ice/LoggerF.h ../../include/Ice/ProtocolPluginFacadeF.h ./Util.h ../Ice/Network.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/Communicator.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/Logger.h ../../include/Ice/Properties.h ../../include/IceUtil/StaticMutex.h +TransceiverI.o: TransceiverI.cpp ./TransceiverI.h ./InstanceF.h 
../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ./Instance.h ./Context.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/Ice/Plugin.h ./Util.h ../Ice/Network.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LoggerUtil.h ../../include/Ice/Stats.h ../../include/Ice/Buffer.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h +Util.o: Util.cpp ./Util.h ./UtilF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../Ice/Network.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Shared.h ../../include/Ice/LocalException.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h 
../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/ConnectionF.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h
diff --git a/cpp/src/IceSSL/AcceptorI.cpp b/cpp/src/IceSSL/AcceptorI.cpp
new file mode 100644
index 00000000000..dc4f0b1f8ad
--- /dev/null
+++ b/cpp/src/IceSSL/AcceptorI.cpp
@@ -0,0 +1,291 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+#include <AcceptorI.h>
+#include <Instance.h>
+#include <TransceiverI.h>
+#include <Util.h>
+#include <Ice/Communicator.h>
+#include <Ice/Exception.h>
+#include <Ice/LocalException.h>
+#include <Ice/LoggerUtil.h>
+#include <Ice/Network.h>
+
+using namespace std;
+using namespace Ice;
+using namespace IceSSL;
+
+SOCKET
+IceSSL::AcceptorI::fd()
+{
+ return _fd;
+}
+
+void
+IceSSL::AcceptorI::close()
+{
+ if(_instance->networkTraceLevel() >= 1)
+ {
+ Trace out(_logger, _instance->networkTraceCategory());
+ out << "stopping to accept ssl connections at " << toString();
+ }
+
+ SOCKET fd = _fd;
+ _fd = INVALID_SOCKET;
+ IceInternal::closeSocket(fd);
+}
+
+void
+IceSSL::AcceptorI::listen()
+{
+ try
+ {
+ IceInternal::doListen(_fd, _backlog);
+ }
+ catch(...)
+ {
+ _fd = INVALID_SOCKET;
+ throw;
+ }
+
+ if(_instance->networkTraceLevel() >= 1)
+ {
+ Trace out(_logger, _instance->networkTraceCategory());
+ out << "accepting ssl connections at " << toString();
+ }
+}
+
+IceInternal::TransceiverPtr
+IceSSL::AcceptorI::accept(int timeout)
+{
+ //
+ // The plugin may not be fully initialized.
+ //
+ ContextPtr ctx = _instance->serverContext();
+
+ SOCKET fd = IceInternal::doAccept(_fd, timeout);
+ IceInternal::setBlock(fd, false);
+
+ //
+ // Get a description of the remote address in case we need it later.
+ //
+ struct sockaddr_in remoteAddr;
+ string desc;
+ if(IceInternal::fdToRemoteAddress(fd, remoteAddr))
+ {
+ desc = IceInternal::addrToString(remoteAddr);
+ }
+
+ BIO* bio = BIO_new_socket(fd, BIO_CLOSE);
+ if(!bio)
+ {
+ IceInternal::closeSocketNoThrow(fd);
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = "openssl failure";
+ throw ex;
+ }
+
+ SSL* ssl = SSL_new(ctx->ctx());
+ if(!ssl)
+ {
+ BIO_free(bio); // Also closes the socket.
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = "openssl failure";
+ throw ex;
+ }
+ SSL_set_bio(ssl, bio, bio);
+
+ if(_instance->networkTraceLevel() >= 2)
+ {
+ Trace out(_logger, _instance->networkTraceCategory());
+ out << "trying to validate incoming ssl connection\n" << IceInternal::fdToString(fd);
+ }
+
+ // TODO: The timeout is 0 when called by the thread pool.
+ // Make this configurable?
+ if(timeout == 0)
+ {
+ timeout = -1;
+ }
+
+ try
+ {
+ do
+ {
+ int ret = SSL_accept(ssl);
+ switch(SSL_get_error(ssl, ret))
+ {
+ case SSL_ERROR_NONE:
+ assert(SSL_is_init_finished(ssl));
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = IceInternal::getSocketErrno();
+ throw ex;
+ }
+ case SSL_ERROR_WANT_READ:
+ {
+ if(!selectRead(fd, timeout))
+ {
+ throw ConnectTimeoutException(__FILE__, __LINE__);
+ }
+ break;
+ }
+ case SSL_ERROR_WANT_WRITE:
+ {
+ if(!selectWrite(fd, timeout))
+ {
+ throw ConnectTimeoutException(__FILE__, __LINE__);
+ }
+ break;
+ }
+ case SSL_ERROR_SYSCALL:
+ {
+ if(ret == -1)
+ {
+ if(IceInternal::interrupted())
+ {
+ break;
+ }
+
+ if(IceInternal::wouldBlock())
+ {
+ if(SSL_want_read(ssl))
+ {
+ if(!selectRead(fd, timeout))
+ {
+ throw ConnectTimeoutException(__FILE__, __LINE__);
+ }
+ }
+ else if(SSL_want_write(ssl))
+ {
+ if(!selectWrite(fd, timeout))
+ {
+ throw ConnectTimeoutException(__FILE__, __LINE__);
+ }
+ }
+
+ break;
+ }
+
+ if(IceInternal::connectionLost())
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = IceInternal::getSocketErrno();
+ throw ex;
+ }
+ }
+
+ if(ret == 0)
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = 0;
+ throw ex;
+ }
+
+ SocketException ex(__FILE__, __LINE__);
+ ex.error = IceInternal::getSocketErrno();
+ throw ex;
+ }
+ case SSL_ERROR_SSL:
+ {
+ ProtocolException ex(__FILE__, __LINE__);
+ ex.reason = "SSL error occurred for new incoming connection:\nremote address = " + desc + "\n" +
+ _instance->sslErrors();
+ throw ex;
+ }
+ }
+ }
+ while(!SSL_is_init_finished(ssl));
+
+ _instance->serverContext()->validatePeer(ssl, "", true);
+ }
+ catch(...)
+ {
+ SSL_free(ssl);
+ throw;
+ }
+
+ if(_instance->networkTraceLevel() >= 1)
+ {
+ Trace out(_logger, _instance->networkTraceCategory());
+ out << "accepted ssl connection\n" << IceInternal::fdToString(fd);
+ }
+
+ if(_instance->securityTraceLevel() >= 1)
+ {
+ _instance->serverContext()->traceConnection(ssl, true);
+ }
+
+ return new TransceiverI(_instance, ssl, fd);
+}
+
+void
+IceSSL::AcceptorI::connectToSelf()
+{
+ SOCKET fd = IceInternal::createSocket(false);
+ IceInternal::setBlock(fd, false);
+ IceInternal::doConnect(fd, _addr, -1);
+ IceInternal::closeSocket(fd);
+}
+
+string
+IceSSL::AcceptorI::toString() const
+{
+ return IceInternal::addrToString(_addr);
+}
+
+bool
+IceSSL::AcceptorI::equivalent(const string& host, int port) const
+{
+ struct sockaddr_in addr;
+ IceInternal::getAddress(host, port, addr);
+ return IceInternal::compareAddress(addr, _addr);
+}
+
+int
+IceSSL::AcceptorI::effectivePort()
+{
+ return ntohs(_addr.sin_port);
+}
+
+IceSSL::AcceptorI::AcceptorI(const InstancePtr& instance, const string& host, int port) :
+ _instance(instance),
+ _logger(instance->communicator()->getLogger()),
+ _backlog(0)
+{
+ if(_backlog <= 0)
+ {
+ _backlog = 5;
+ }
+
+ try
+ {
+ _fd = IceInternal::createSocket(false);
+ IceInternal::setBlock(_fd, false);
+ IceInternal::getAddress(host, port, _addr);
+ if(_instance->networkTraceLevel() >= 2)
+ {
+ Trace out(_logger, _instance->networkTraceCategory());
+ out << "attempting to bind to ssl socket " << toString();
+ }
+ IceInternal::doBind(_fd, _addr);
+ }
+ catch(...)
+ {
+ _fd = INVALID_SOCKET;
+ throw;
+ }
+}
+
+IceSSL::AcceptorI::~AcceptorI()
+{
+ assert(_fd == INVALID_SOCKET);
+}
diff --git a/cpp/src/IceSSL/SslAcceptor.h b/cpp/src/IceSSL/AcceptorI.h
index cf4b99de30e..980a3a0b536 100644
--- a/cpp/src/IceSSL/SslAcceptor.h
+++ b/cpp/src/IceSSL/AcceptorI.h
@@ -7,14 +7,13 @@
 //
 // **********************************************************************
 
-#ifndef ICE_SSL_ACCEPTOR_H
-#define ICE_SSL_ACCEPTOR_H
+#ifndef ICE_SSL_ACCEPTOR_I_H
+#define ICE_SSL_ACCEPTOR_I_H
 
-#include <Ice/TransceiverF.h>
 #include <Ice/LoggerF.h>
-#include <IceSSL/TraceLevelsF.h>
-#include <IceSSL/OpenSSLPluginIF.h>
+#include <Ice/TransceiverF.h>
 #include <Ice/Acceptor.h>
+#include <InstanceF.h>
 
 #ifndef _WIN32
 # include <netinet/in.h> // For struct sockaddr_in
@@ -23,9 +22,9 @@
 namespace IceSSL
 {
 
-class SslEndpoint;
+class EndpointI;
 
-class SslAcceptor : public IceInternal::Acceptor
+class AcceptorI : public IceInternal::Acceptor
 {
 public:
 
@@ -41,13 +40,12 @@ public:
 
 private:
 
- SslAcceptor(const OpenSSLPluginIPtr&, const std::string&, int);
- virtual ~SslAcceptor();
- friend class SslEndpointI;
+ AcceptorI(const InstancePtr&, const std::string&, int);
+ virtual ~AcceptorI();
+ friend class EndpointI;
 
- const OpenSSLPluginIPtr _plugin;
- const TraceLevelsPtr _traceLevels;
- const ::Ice::LoggerPtr _logger;
+ InstancePtr _instance;
+ Ice::LoggerPtr _logger;
 SOCKET _fd;
 int _backlog;
 struct sockaddr_in _addr;
diff --git a/cpp/src/IceSSL/BaseCerts.cpp b/cpp/src/IceSSL/BaseCerts.cpp
deleted file mode 100644
index 9e71a8e4ddc..00000000000
--- a/cpp/src/IceSSL/BaseCerts.cpp
+++ /dev/null
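Review bot: The `switch(SSL_get_error(ssl, ret))` in AcceptorI::accept has no `default:` case, so a result it does not list (SSL_ERROR_WANT_X509_LOOKUP, for example) falls out of the switch and the `do ... while(!SSL_is_init_finished(ssl))` loop would call SSL_accept again immediately, neither waiting on the socket nor failing; a peer that drives the handshake into such a state could pin the accepting thread. Add `default: { ProtocolException ex(__FILE__, __LINE__); ex.reason = "unexpected SSL error for new incoming connection:\nremote address = " + desc + "\n" + _instance->sslErrors(); throw ex; }` so every path out of the switch either progresses or throws. Related: the `timeout = -1` substitution means a peer that connects and never sends a ClientHello parks the thread in selectRead() indefinitely; the TODO already notes this, but the bound should come from a configured handshake timeout rather than waiting forever. In the constructor, `IceInternal::getAddress(host, port, _addr)` runs after createSocket() but is not given `_fd`, so if it throws the catch only resets `_fd` and the descriptor is leaked — presumably doBind closes the fd on failure, but getAddress cannot, so the catch should close `_fd` when it is still valid before rethrowing. The `ctx` fetched at the top is also bypassed by the later `_instance->serverContext()->validatePeer(...)` and `traceConnection(...)` calls; using `ctx` for all three keeps the handshake and validation on the same context object.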
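Review bot: In the third AcceptorI.h hunk the replacement members drop the `const` that `_plugin` and `_logger` carried (`InstancePtr _instance; Ice::LoggerPtr _logger;`), although both are set only in the constructor initializer list and never reassigned in AcceptorI.cpp. Keeping them as `const InstancePtr _instance; const Ice::LoggerPtr _logger;` preserves the invariant the old declaration expressed and prevents a later edit from swapping the context source under a live acceptor.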
@@ -1,50 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#include <IceSSL/BaseCerts.h>
-
-using namespace IceSSL;
-
-IceSSL::BaseCertificates::BaseCertificates()
-{
-}
-
-IceSSL::BaseCertificates::BaseCertificates(CertificateDesc& rsaCert,
- CertificateDesc& dsaCert,
- DiffieHellmanParamsFile& dhParams) :
- _rsaCert(rsaCert),
- _dsaCert(dsaCert),
- _dhParams(dhParams)
-{
-}
-
-IceSSL::BaseCertificates::BaseCertificates(BaseCertificates& baseCerts) :
- _rsaCert(baseCerts._rsaCert),
- _dsaCert(baseCerts._dsaCert),
- _dhParams(baseCerts._dhParams)
-{
-}
-
-const IceSSL::CertificateDesc&
-IceSSL::BaseCertificates::getRSACert() const
-{
- return _rsaCert;
-}
-
-const IceSSL::CertificateDesc&
-IceSSL::BaseCertificates::getDSACert() const
-{
- return _dsaCert;
-}
-
-const IceSSL::DiffieHellmanParamsFile&
-IceSSL::BaseCertificates::getDHParams() const
-{
- return _dhParams;
-}
diff --git a/cpp/src/IceSSL/BaseCerts.h b/cpp/src/IceSSL/BaseCerts.h
deleted file mode 100644
index 03e658bb554..00000000000
--- a/cpp/src/IceSSL/BaseCerts.h
+++ /dev/null
@@ -1,67 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_BASE_CERTS_H
-#define ICE_SSL_BASE_CERTS_H
-
-#include <IceSSL/CertificateDesc.h>
-
-namespace IceSSL
-{
-
-class BaseCertificates
-{
-public:
-
- BaseCertificates();
- BaseCertificates(CertificateDesc&, CertificateDesc&, DiffieHellmanParamsFile&);
- BaseCertificates(BaseCertificates&);
-
- const CertificateDesc& getRSACert() const;
- const CertificateDesc& getDSACert() const;
-
- const DiffieHellmanParamsFile& getDHParams() const;
-
-protected:
-
- CertificateDesc _rsaCert;
- CertificateDesc _dsaCert;
- DiffieHellmanParamsFile _dhParams;
-};
-
-template<class Stream>
-inline Stream& operator << (Stream& target, const BaseCertificates& baseCerts)
-{
- if(baseCerts.getRSACert().getKeySize() != 0)
- {
- target << "RSA\n{\n";
- IceSSL::operator<<(target, baseCerts.getRSACert());
- target << "}\n\n";
- }
-
- if(baseCerts.getDSACert().getKeySize() != 0)
- {
- target << "DSA\n{\n";
- IceSSL::operator<<(target, baseCerts.getDSACert());
- target << "}\n\n";
- }
-
- if(baseCerts.getDHParams().getKeySize() != 0)
- {
- target << "DH\n{\n";
- IceSSL::operator<<(target, baseCerts.getDHParams());
- target << "}\n\n";
- }
-
- return target;
-}
-
-}
-
-#endif
diff --git a/cpp/src/IceSSL/CertificateAuthority.cpp b/cpp/src/IceSSL/CertificateAuthority.cpp
deleted file mode 100644
index 4065f4530cd..00000000000
--- a/cpp/src/IceSSL/CertificateAuthority.cpp
+++ /dev/null
@@ -1,52 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#include <IceSSL/CertificateAuthority.h>
-
-using namespace std;
-
-IceSSL::CertificateAuthority::CertificateAuthority()
-{
-}
-
-IceSSL::CertificateAuthority::CertificateAuthority(string& fileName, string& path) :
- _fileName(fileName),
- _path(path)
-{
-}
-
-IceSSL::CertificateAuthority::CertificateAuthority(CertificateAuthority& certAuthority) :
- _fileName(certAuthority._fileName),
- _path(certAuthority._path)
-{
-}
-
-void
-IceSSL::CertificateAuthority::setCAFileName(string& fileName)
-{
- _fileName = fileName;
-}
-
-void
-IceSSL::CertificateAuthority::setCAPath(string& caPath)
-{
- _path = caPath;
-}
-
-const std::string&
-IceSSL::CertificateAuthority::getCAFileName() const
-{
- return _fileName;
-}
-
-const std::string&
-IceSSL::CertificateAuthority::getCAPath() const
-{
- return _path;
-}
diff --git a/cpp/src/IceSSL/CertificateAuthority.h b/cpp/src/IceSSL/CertificateAuthority.h
deleted file mode 100644
index 54b4e116423..00000000000
--- a/cpp/src/IceSSL/CertificateAuthority.h
+++ /dev/null
@@ -1,40 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_CERTIFICATE_AUTHORITY_H
-#define ICE_SSL_CERTIFICATE_AUTHORITY_H
-
-#include <IceUtil/Config.h>
-
-namespace IceSSL
-{
-
-class CertificateAuthority
-{
-public:
-
- CertificateAuthority();
- CertificateAuthority(std::string&, std::string&);
- CertificateAuthority(CertificateAuthority&);
-
- void setCAFileName(std::string&);
- void setCAPath(std::string&);
-
- const std::string& getCAFileName() const;
- const std::string& getCAPath() const;
-
-private:
-
- std::string _fileName;
- std::string _path;
-};
-
-}
-
-#endif
diff --git a/cpp/src/IceSSL/CertificateDesc.cpp b/cpp/src/IceSSL/CertificateDesc.cpp
deleted file mode 100644
index c3c1e2bc3d2..00000000000
--- a/cpp/src/IceSSL/CertificateDesc.cpp
+++ /dev/null
@@ -1,122 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceSSL/CertificateDesc.h> - -using namespace std; -using namespace IceSSL; - -///////////////////////// -//// CertificateFile //// -///////////////////////// - -IceSSL::CertificateFile::CertificateFile() : - _fileName(""), - _encoding(SSL_FILETYPE_PEM) -{ -} - -IceSSL::CertificateFile::CertificateFile(const string& filename, const int encoding) : - _fileName(filename), - _encoding(encoding) -{ -} - -IceSSL::CertificateFile::CertificateFile(const CertificateFile& certFile) : - _fileName(certFile._fileName), - _encoding(certFile._encoding) -{ -} - -std::string -IceSSL::CertificateFile::getFileName() const -{ - return _fileName; -} - -int -IceSSL::CertificateFile::getEncoding() const -{ - return _encoding; -} - -///////////////////////////////// -//// DiffieHellmanParamsFile //// -///////////////////////////////// - -IceSSL::DiffieHellmanParamsFile::DiffieHellmanParamsFile() : - CertificateFile(), - _keySize(0) -{ -} - -IceSSL::DiffieHellmanParamsFile::DiffieHellmanParamsFile(const int keySize, - const string& filename, - const int encoding) : - CertificateFile(filename, encoding), - _keySize(keySize) -{ -} - -IceSSL::DiffieHellmanParamsFile::DiffieHellmanParamsFile(const DiffieHellmanParamsFile& dhParams) : - CertificateFile(dhParams._fileName, dhParams._encoding), - _keySize(dhParams._keySize) -{ -} - -int -IceSSL::DiffieHellmanParamsFile::getKeySize() const -{ - return _keySize; -} - -///////////////////////// -//// CertificateDesc //// -///////////////////////// - -IceSSL::CertificateDesc::CertificateDesc() : - _keySize(0), - _public(), - _private() -{ -} - 
-IceSSL::CertificateDesc::CertificateDesc(const int keySize, - const CertificateFile& publicFile, - const CertificateFile& privateFile) : - _keySize(keySize), - _public(publicFile), - _private(privateFile) -{ -} - -IceSSL::CertificateDesc::CertificateDesc(const CertificateDesc& certDesc) : - _keySize(certDesc._keySize), - _public(certDesc._public), - _private(certDesc._private) -{ -} - -int -IceSSL::CertificateDesc::getKeySize() const -{ - return _keySize; -} - -const CertificateFile& -IceSSL::CertificateDesc::getPublic() const -{ - return _public; -} - -const CertificateFile& -IceSSL::CertificateDesc::getPrivate() const -{ - return _private; -} diff --git a/cpp/src/IceSSL/CertificateDesc.h b/cpp/src/IceSSL/CertificateDesc.h deleted file mode 100644 index 9bd6166b3f3..00000000000 --- a/cpp/src/IceSSL/CertificateDesc.h +++ /dev/null 
@@ -1,124 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_CERTIFICATE_DESC_H -#define ICE_SSL_CERTIFICATE_DESC_H - -#include <IceUtil/Config.h> -#include <openssl/ssl.h> -#include <vector> - -namespace IceSSL -{ - -class CertificateFile -{ -public: - - CertificateFile(); - CertificateFile(const std::string&, const int); - CertificateFile(const CertificateFile&); - - std::string getFileName() const; - int getEncoding() const; - -protected: - - std::string _fileName; - int _encoding; -}; - -class DiffieHellmanParamsFile : public CertificateFile -{ -public: - - DiffieHellmanParamsFile(); - DiffieHellmanParamsFile(const int, const std::string&, const int); - DiffieHellmanParamsFile(const DiffieHellmanParamsFile&); - - int getKeySize() const; - -protected: - - int _keySize; -}; - -class CertificateDesc -{ -public: - - CertificateDesc(); - CertificateDesc(const int, const CertificateFile&, const CertificateFile&); - CertificateDesc(const CertificateDesc&); - - int getKeySize() const; - - const CertificateFile& getPublic() const; - const CertificateFile& getPrivate() const; - -protected: - - int _keySize; - CertificateFile _public; - CertificateFile _private; -}; - -typedef std::vector<CertificateDesc> RSAVector; -typedef std::vector<CertificateDesc> DSAVector; -typedef std::vector<DiffieHellmanParamsFile> DHVector; - -template<class Stream> -inline Stream& operator << (Stream& target, const CertificateFile& certFile) -{ - if(certFile.getEncoding() == SSL_FILETYPE_PEM) - { - target << "[PEM]: " << certFile.getFileName(); - } - else if(certFile.getEncoding() == SSL_FILETYPE_ASN1) - { - target << "[ASN1]: " << certFile.getFileName(); - } - - return 
target; -} - -template<class Stream> -inline Stream& operator << (Stream& target, const DiffieHellmanParamsFile& dhParams) -{ - if(dhParams.getKeySize() != 0) - { - target << "Keysize: " << dhParams.getKeySize() << "\n"; - target << "File: "; - IceSSL::operator<<(target, ((CertificateFile&)dhParams)); - target << "\n"; - } - - return target; -} - -template<class Stream> -inline Stream& operator << (Stream& target, const CertificateDesc& certDesc) -{ - if(certDesc.getKeySize() != 0) - { - target << "Keysize: " << certDesc.getKeySize() << "\n"; - target << "Public: "; - IceSSL::operator<<(target, certDesc.getPublic()); - target << "\n"; - target << "Private: "; - IceSSL::operator<<(target, certDesc.getPrivate()); - target << "\n"; - } - - return target; -} - -} - -#endif diff --git a/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp b/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp deleted file mode 100644 index ba0eae3fa38..00000000000 --- a/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp +++ /dev/null @@ -1,33 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceSSL/CertificateVerifierOpenSSL.h> - -IceSSL::CertificateVerifierOpenSSL::~CertificateVerifierOpenSSL() -{ -} - -void -IceSSL::CertificateVerifierOpenSSL::setContext(::IceSSL::ContextType contextType) -{ - _contextType = contextType; -} - -void -IceInternal::incRef(::IceSSL::CertificateVerifierOpenSSL* p) -{ - p->__incRef(); -} - -void -IceInternal::decRef(::IceSSL::CertificateVerifierOpenSSL* p) -{ - p->__decRef(); -} - diff --git a/cpp/src/IceSSL/ClientContext.cpp b/cpp/src/IceSSL/ClientContext.cpp deleted file mode 100644 index e9a83188c98..00000000000 
--- a/cpp/src/IceSSL/ClientContext.cpp +++ /dev/null 
@@ -1,75 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <Ice/Communicator.h> -#include <Ice/LoggerUtil.h> - -#include <IceSSL/Exception.h> -#include <IceSSL/ClientContext.h> -#include <IceSSL/SslTransceiver.h> -#include <IceSSL/TraceLevels.h> - -using namespace std; -using namespace Ice; - -void -IceSSL::ClientContext::configure(const GeneralConfig& generalConfig, - const CertificateAuthority& certificateAuthority, - const BaseCertificates& baseCertificates) -{ - Context::configure(generalConfig, certificateAuthority, baseCertificates); - - loadCertificateAuthority(certificateAuthority); - - if(_traceLevels->security >= SECURITY_PROTOCOL) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - - out << "\n"; - out << "general configuration (client)\n"; - out << "------------------------------\n"; - IceSSL::operator<<(out, generalConfig); - out << "\n\n"; - - out << "certificate authority (client)\n"; - out << "------------------------------\n"; - out << "file: " << certificateAuthority.getCAFileName() << "\n"; - out << "path: " << certificateAuthority.getCAPath() << "\n"; - - out << "base certificates (client)\n"; - out << "--------------------------\n"; - IceSSL::operator<<(out, baseCertificates); - out << "\n"; - } -} - -IceSSL::SslTransceiverPtr -IceSSL::ClientContext::createTransceiver(int socket, const OpenSSLPluginIPtr& plugin, int timeout) -{ - if(_sslContext == 0) - { - ContextNotConfiguredException contextEx(__FILE__, __LINE__); - - throw contextEx; - } - - SSL* ssl = createSSLConnection(socket); - return new SslTransceiver(IceSSL::Client, plugin, socket, _certificateVerifier, ssl, timeout); -} - 
-IceSSL::ClientContext::ClientContext(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) : - Context(traceLevels, communicator, Client) -{ - _rsaPrivateKeyProperty = "IceSSL.Client.Overrides.RSA.PrivateKey"; - _rsaPublicKeyProperty = "IceSSL.Client.Overrides.RSA.Certificate"; - _dsaPrivateKeyProperty = "IceSSL.Client.Overrides.DSA.PrivateKey"; - _dsaPublicKeyProperty = "IceSSL.Client.Overrides.DSA.Certificate"; - _caCertificateProperty = "IceSSL.Client.Overrides.CACertificate"; - _passphraseRetriesProperty = "IceSSL.Client.Passphrase.Retries"; -} diff --git a/cpp/src/IceSSL/ClientContext.h b/cpp/src/IceSSL/ClientContext.h deleted file mode 100644 index a24c79ab47d..00000000000 --- a/cpp/src/IceSSL/ClientContext.h +++ /dev/null @@ -1,38 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICESSL_CLIENT_CONTEXT_H -#define ICESSL_CLIENT_CONTEXT_H - -#include <IceSSL/OpenSSLPluginIF.h> -#include <IceSSL/Context.h> - -namespace IceSSL -{ - -class ClientContext : public Context -{ -public: - - virtual void configure(const GeneralConfig&, - const CertificateAuthority&, - const BaseCertificates&); - - SslTransceiverPtr createTransceiver(int, const OpenSSLPluginIPtr&, int); - -protected: - - ClientContext(const TraceLevelsPtr&, const Ice::CommunicatorPtr&); - - friend class OpenSSLPluginI; -}; - -} - -#endif diff --git a/cpp/src/IceSSL/ConfigParser.cpp b/cpp/src/IceSSL/ConfigParser.cpp deleted file mode 100644 index 443bb22d9a9..00000000000 --- a/cpp/src/IceSSL/ConfigParser.cpp +++ /dev/null 
@@ -1,478 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceSSL/ConfigParser.h> -#include <IceSSL/OpenSSL.h> -#include <IceSSL/Exception.h> - -#include <algorithm> - -using namespace std; -using namespace IceSSL; - -#ifdef WINDOWS - #define CURRENTDIR ".\\" -#else - #define CURRENTDIR "./" -#endif - -// -// Public Methods -// - -IceSSL::ConfigParser::ConfigParser(const string& configFile, const TraceLevelsPtr& traceLevels, - const Ice::LoggerPtr& logger) : - _root(0), - _configFile(configFile), - _configPath(CURRENTDIR), - _traceLevels(traceLevels), - _logger(logger) -{ - assert(!configFile.empty()); -} - -IceSSL::ConfigParser::ConfigParser(const string& configFile, const string& configPath, - const TraceLevelsPtr& traceLevels, const Ice::LoggerPtr& logger) : - _root(0), - _configFile(configFile), - _configPath(configPath), - _traceLevels(traceLevels), - _logger(logger) -{ - assert(!configFile.empty()); - assert(!configPath.empty()); -} - -IceSSL::ConfigParser::~ConfigParser() -{ -} - -void -IceSSL::ConfigParser::process() -{ - try - { - string configFile; - if(!isAbsolutePath(_configFile)) - { - // TODO: ML: _configPath.back(); - // ASN: There is no back() method in basic_string. 
-#ifdef WINDOWS - if(*(_configPath.rbegin()) != '\\') - { - _configPath += "\\"; - } -#else - if(*(_configPath.rbegin()) != '/') - { - _configPath += "/"; - } -#endif - - configFile = _configPath + _configFile; - } - else - { - configFile = _configFile; - } - - _root = IceXML::Parser::parse(configFile); - } - catch(const IceXML::ParserException& e) - { - ConfigParseException configEx(__FILE__, __LINE__); - - ostringstream s; - s << "error while parsing " << _configFile << ":\n"; - e.ice_print(s); - - configEx.message = s.str(); - - throw configEx; - } - catch(...) - { - ConfigParseException configEx(__FILE__, __LINE__); - - // occured during parsing". The latter is redundant, given - // that it already says "while parsing". - configEx.message = "while parsing " + _configFile + ":\n" + "unknown exception occured during parsing"; - - throw configEx; - } -} - -bool -IceSSL::ConfigParser::loadClientConfig(GeneralConfig& general, - CertificateAuthority& certAuth, - BaseCertificates& baseCerts) -{ - string clientSectionString("SSLConfig:client"); - IceXML::NodePtr clientSection = find(clientSectionString); - - // If we actually have a client section. - if(clientSection) - { - getGeneral(clientSection, general); - getCertAuth(clientSection, certAuth); - getBaseCerts(clientSection, baseCerts); - return true; - } - - return false; -} - -bool -IceSSL::ConfigParser::loadServerConfig(GeneralConfig& general, - CertificateAuthority& certAuth, - BaseCertificates& baseCerts, - TempCertificates& tempCerts) -{ - string serverSectionString("SSLConfig:server"); - IceXML::NodePtr serverSection = find(serverSectionString); - - // If we actually have a client section. 
- if(serverSection) - { - getGeneral(serverSection, general); - getCertAuth(serverSection, certAuth); - getBaseCerts(serverSection, baseCerts); - getTempCerts(serverSection, tempCerts); - return true; - } - - return false; -} - -// -// Private Methods -// - -// Path is of the form "sslconfig:client:general" -void -IceSSL::ConfigParser::popRoot(string& path, string& root, string& tail) -{ - string::size_type pos = path.find_first_of(':'); - - if(pos != string::npos) - { - root = path.substr(0,pos); - tail = path.substr(pos+1); - } - else - { - root = path; - tail = ""; - } -} - -IceXML::NodePtr -IceSSL::ConfigParser::find(string& nodePath) -{ - return find(_root, nodePath); -} - -IceXML::NodePtr -IceSSL::ConfigParser::find(const IceXML::NodePtr& rootNode, string& nodePath) -{ - // The target node that we're looking for. - IceXML::NodePtr tNode; - - if(!rootNode) - { - return tNode; - } - - string rootNodeName; - string tailNodes; - - // Pop the root off the path. - popRoot(nodePath, rootNodeName, tailNodes); - - IceXML::NodeList children = rootNode->getChildren(); - for(IceXML::NodeList::iterator p = children.begin(); p != children.end(); ++p) - { - // Ignore any other node types - we're only interested in elements. - IceXML::ElementPtr elem = IceXML::ElementPtr::dynamicCast(*p); - if(elem) - { - string nodeName = elem->getName(); - - if(nodeName.compare(rootNodeName) == 0) - { - // No further to recurse, this must be it. - if(tailNodes.empty()) - { - tNode = elem; - } - else - { - // Recursive call. 
- tNode = find(elem, tailNodes); - } - } - } - } - - return tNode; -} - -void -IceSSL::ConfigParser::getGeneral(const IceXML::NodePtr& rootNode, GeneralConfig& generalConfig) -{ - if(!rootNode) - { - return; - } - - string generalString("general"); - IceXML::NodePtr general = find(rootNode, generalString); - - IceXML::Attributes attributes = general->getAttributes(); - for(IceXML::Attributes::iterator p = attributes.begin(); p != attributes.end(); ++p) - { - // Set the property. - generalConfig.set(p->first, p->second); - } -} - -void -IceSSL::ConfigParser::getCertAuth(const IceXML::NodePtr& rootNode, CertificateAuthority& certAuth) -{ - if(!rootNode) - { - return; - } - - string nodeName = "certauthority"; - IceXML::NodePtr certAuthNode = find(rootNode, nodeName); - - if(!certAuthNode) - { - return; - } - - string file = certAuthNode->getAttribute("file"); - if(!file.empty()) - { - // Just a filename, no path component, prepend path. - if(!isAbsolutePath(file)) - { - file = _configPath + file; - } - - certAuth.setCAFileName(file); - } - - string path = certAuthNode->getAttribute("path"); - if(!path.empty()) - { - certAuth.setCAPath(path); - } -} - -void -IceSSL::ConfigParser::getBaseCerts(const IceXML::NodePtr& rootNode, BaseCertificates& baseCerts) -{ - if(!rootNode) - { - return; - } - - string nodeName = "basecerts"; - IceXML::NodePtr baseCertsRoot = find(rootNode, nodeName); - - if(!baseCertsRoot) - { - return; - } - - CertificateDesc rsaCert; - CertificateDesc dsaCert; - DiffieHellmanParamsFile dhParams; - - string rsaCertString("rsacert"); - string dsaCertString("dsacert"); - string dhParamsString("dhparams"); - - getCert(find(baseCertsRoot, rsaCertString), rsaCert); - getCert(find(baseCertsRoot, dsaCertString), dsaCert); - - getDHParams(find(baseCertsRoot, dhParamsString), dhParams); - - const BaseCertificates result(rsaCert, dsaCert, dhParams); - baseCerts = result; -} - -void -IceSSL::ConfigParser::getTempCerts(const IceXML::NodePtr& rootNode, 
TempCertificates& tempCerts) -{ - if(!rootNode) - { - return; - } - - string nodeName = "tempcerts"; - IceXML::NodePtr tempCertsRoot = find(rootNode, nodeName); - - if(!tempCertsRoot) - { - return; - } - - IceXML::NodeList children = tempCertsRoot->getChildren(); - for(IceXML::NodeList::iterator p = children.begin(); p != children.end(); ++p) - { - string name = (*p)->getName(); - - if(name.compare("dhparams") == 0) - { - loadDHParams(*p, tempCerts); - } - else if(name.compare("rsacert") == 0) - { - loadRSACert(*p, tempCerts); - } - } -} - -void -IceSSL::ConfigParser::loadDHParams(const IceXML::NodePtr& rootNode, TempCertificates& tempCerts) -{ - DiffieHellmanParamsFile dhParams; - - getDHParams(rootNode, dhParams); - - tempCerts.addDHParams(dhParams); -} - -void -IceSSL::ConfigParser::loadRSACert(const IceXML::NodePtr& rootNode, TempCertificates& tempCerts) -{ - CertificateDesc rsaCert; - - getCert(rootNode, rsaCert); - - tempCerts.addRSACert(rsaCert); -} - -void -IceSSL::ConfigParser::getCert(const IceXML::NodePtr& rootNode, CertificateDesc& certDesc) -{ - if(!rootNode) - { - return; - } - - CertificateFile publicFile; - CertificateFile privateFile; - int keySize = 0; - - string keySizeValue = rootNode->getAttribute("keysize"); - if(!keySizeValue.empty()) - { - keySize = atoi(keySizeValue.c_str()); - } - - string publicString("public"); - string privateString("private"); - - loadCertificateFile(find(rootNode, publicString), publicFile); - loadCertificateFile(find(rootNode, privateString), privateFile); - - // Initialize the certificate description. 
- certDesc = CertificateDesc(keySize, publicFile, privateFile); -} - -void -IceSSL::ConfigParser::getDHParams(const IceXML::NodePtr& rootNode, DiffieHellmanParamsFile& dhParams) -{ - if(!rootNode) - { - return; - } - - CertificateFile certFile; - loadCertificateFile(rootNode, certFile); - - int keySize = 0; - - string keySizeValue = rootNode->getAttribute("keysize"); - if(!keySizeValue.empty()) - { - keySize = atoi(keySizeValue.c_str()); - } - - dhParams = DiffieHellmanParamsFile(keySize, certFile.getFileName(), certFile.getEncoding()); -} - -void -IceSSL::ConfigParser::loadCertificateFile(const IceXML::NodePtr& rootNode, CertificateFile& certFile) -{ - if(!rootNode) - { - return; - } - - string filename; - int encoding = SSL_FILETYPE_PEM; // PEM is the default type. - - filename = rootNode->getAttribute("filename"); - if(!filename.empty()) - { - // Just a filename, no path component, prepend path. - if(!isAbsolutePath(filename)) - { - filename = _configPath + filename; - } - } - - string encodingValue = rootNode->getAttribute("encoding"); - if(!encodingValue.empty()) - { - encoding = parseEncoding(encodingValue); - } - - certFile = CertificateFile(filename, encoding); -} - -bool -IceSSL::ConfigParser::isAbsolutePath(string& pathString) -{ -#ifdef WINDOWS - // Is true if the pathString begins with a \ or if its second and third characters are ":\" - - string rootDir = ":\\"; - string pathStringInternal = pathString.substr(1); - return ((!pathStringInternal.substr(0,rootDir.length()).compare(rootDir)) || - (*pathStringInternal.begin()) == '\\'); -#else - // Is true if the pathString begins with a / - - string rootDir = "/"; - return !pathString.substr(0,rootDir.length()).compare(rootDir); -#endif -} - -int -IceSSL::ConfigParser::parseEncoding(string& encodingString) -{ - int encoding = SSL_FILETYPE_PEM; - - if(encodingString == "PEM") - { - encoding = SSL_FILETYPE_PEM; - } - else if(encodingString == "ASN1") - { - encoding = SSL_FILETYPE_ASN1; - } - - return 
encoding; -} diff --git a/cpp/src/IceSSL/ConfigParser.h b/cpp/src/IceSSL/ConfigParser.h deleted file mode 100644 index 4453c0bd81b..00000000000 --- a/cpp/src/IceSSL/ConfigParser.h +++ /dev/null 
@@ -1,83 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_CONFIG_PARSER_H -#define ICE_SSL_CONFIG_PARSER_H - -#include <Ice/LoggerF.h> -#include <IceSSL/CertificateDesc.h> -#include <IceSSL/GeneralConfig.h> -#include <IceSSL/CertificateAuthority.h> -#include <IceSSL/BaseCerts.h> -#include <IceSSL/TempCerts.h> -#include <IceSSL/TraceLevelsF.h> -#include <IceXML/Parser.h> - -namespace IceSSL -{ - -class ConfigParser -{ -public: - - // Construction based on the indicated config file, or config file and - // certificate path. - ConfigParser(const std::string&, const TraceLevelsPtr&, const Ice::LoggerPtr&); - ConfigParser(const std::string&, const std::string&, const TraceLevelsPtr&, const Ice::LoggerPtr&); - ~ConfigParser(); - - // Performs a complete parsing of the file. - void process(); - - // Loads the Client/Server portions of the config file. - bool loadClientConfig(GeneralConfig&, CertificateAuthority&, BaseCertificates&); - bool loadServerConfig(GeneralConfig&, CertificateAuthority&, BaseCertificates&, TempCertificates&); - -private: - - IceXML::NodePtr _root; - std::string _configFile; - std::string _configPath; - - TraceLevelsPtr _traceLevels; - Ice::LoggerPtr _logger; - - // Parse tree walking utility methods. - void popRoot(std::string&, std::string&, std::string&); - IceXML::NodePtr find(std::string&); - IceXML::NodePtr find(const IceXML::NodePtr&, std::string&); - - // Loading of the base elements of the file. 
- void getGeneral(const IceXML::NodePtr&, GeneralConfig&); - void getCertAuth(const IceXML::NodePtr&, CertificateAuthority&); - void getBaseCerts(const IceXML::NodePtr&, BaseCertificates&); - void getTempCerts(const IceXML::NodePtr&, TempCertificates&); - - // Loading of temporary certificates/params (Ephemeral Keys). - void loadDHParams(const IceXML::NodePtr&, TempCertificates&); - void loadRSACert(const IceXML::NodePtr&, TempCertificates&); - - // Populate with information from the indicated node in the parse tree. - void getCert(const IceXML::NodePtr&, CertificateDesc&); - void getDHParams(const IceXML::NodePtr&, DiffieHellmanParamsFile&); - - // Populate a certificate file object, basis of all certificates. - void loadCertificateFile(const IceXML::NodePtr&, CertificateFile&); - - // Determines if the string represents an absolute pathname. - bool isAbsolutePath(std::string&); - - // Parses the certificate encoding format from a string representation - // to the proper integer value used by the underlying SSL framework. - int parseEncoding(std::string&); -}; - -} - -#endif diff --git a/cpp/src/IceSSL/ConnectorI.cpp b/cpp/src/IceSSL/ConnectorI.cpp new file mode 100644 index 00000000000..113d5501356 --- /dev/null +++ b/cpp/src/IceSSL/ConnectorI.cpp 
@@ -0,0 +1,186 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+#include <ConnectorI.h>
+#include <Instance.h>
+#include <TransceiverI.h>
+#include <Util.h>
+#include <Ice/Communicator.h>
+#include <Ice/LocalException.h>
+#include <Ice/LoggerUtil.h>
+#include <Ice/Network.h>
+
+#include <openssl/err.h>
+
+using namespace std;
+using namespace Ice;
+using namespace IceSSL;
+
+IceInternal::TransceiverPtr
+IceSSL::ConnectorI::connect(int timeout)
+{
+ //
+ // The plugin may not be fully initialized.
+ //
+ ContextPtr ctx = _instance->clientContext();
+
+ if(_instance->networkTraceLevel() >= 2)
+ {
+ Trace out(_logger, _instance->networkTraceCategory());
+ out << "trying to establish ssl connection to " << toString();
+ }
+
+ SOCKET fd = IceInternal::createSocket(false);
+ IceInternal::setBlock(fd, false);
+ IceInternal::doConnect(fd, _addr, timeout);
+
+ BIO* bio = BIO_new_socket(fd, BIO_CLOSE);
+ if(!bio)
+ {
+ IceInternal::closeSocketNoThrow(fd);
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = "openssl failure";
+ throw ex;
+ }
+
+ SSL* ssl = SSL_new(ctx->ctx());
+ if(!ssl)
+ {
+ BIO_free(bio); // Also closes the socket.
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = "openssl failure";
+ throw ex;
+ }
+ SSL_set_bio(ssl, bio, bio);
+
+ try
+ {
+ do
+ {
+ int result = SSL_connect(ssl);
+ switch(SSL_get_error(ssl, result))
+ {
+ case SSL_ERROR_NONE:
+ break;
+ case SSL_ERROR_ZERO_RETURN:
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = IceInternal::getSocketErrno();
+ throw ex;
+ }
+ case SSL_ERROR_WANT_READ:
+ if(!selectRead(fd, timeout))
+ {
+ throw ConnectTimeoutException(__FILE__, __LINE__);
+ }
+ break;
+ case SSL_ERROR_WANT_WRITE:
+ if(!selectWrite(fd, timeout))
+ {
+ throw ConnectTimeoutException(__FILE__, __LINE__);
+ }
+ break;
+ case SSL_ERROR_SYSCALL:
+ {
+ if(result == -1)
+ {
+ if(IceInternal::interrupted())
+ {
+ break;
+ }
+
+ if(IceInternal::wouldBlock())
+ {
+ if(SSL_want_read(ssl))
+ {
+ if(!selectRead(fd, timeout))
+ {
+ throw ConnectTimeoutException(__FILE__, __LINE__);
+ }
+ }
+ else if(SSL_want_write(ssl))
+ {
+ if(!selectWrite(fd, timeout))
+ {
+ throw ConnectTimeoutException(__FILE__, __LINE__);
+ }
+ }
+
+ continue;
+ }
+
+ if(IceInternal::connectionLost())
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = IceInternal::getSocketErrno();
+ throw ex;
+ }
+ }
+
+ if(result == 0)
+ {
+ ConnectionLostException ex(__FILE__, __LINE__);
+ ex.error = 0;
+ throw ex;
+ }
+
+ SocketException ex(__FILE__, __LINE__);
+ ex.error = IceInternal::getSocketErrno();
+ throw ex;
+ }
+ case SSL_ERROR_SSL:
+ {
+ ProtocolException ex(__FILE__, __LINE__);
+ ex.reason = "SSL error for new outgoing connection:\nremote address = " +
+ IceInternal::addrToString(_addr) + "\n" + _instance->sslErrors();
+ throw ex;
+ }
+ }
+ }
+ while(!SSL_is_init_finished(ssl));
+
+ _instance->clientContext()->validatePeer(ssl, _host, false);
+ }
+ catch(...)
+ {
+ SSL_free(ssl);
+ throw;
+ }
+
+ if(_instance->networkTraceLevel() >= 1)
+ {
+ Trace out(_logger, _instance->networkTraceCategory());
+ out << "ssl connection established\n" << IceInternal::fdToString(fd);
+ }
+
+ if(_instance->securityTraceLevel() >= 1)
+ {
+ _instance->clientContext()->traceConnection(ssl, false);
+ }
+
+ return new TransceiverI(_instance, ssl, fd);
+}
+
+string
+IceSSL::ConnectorI::toString() const
+{
+ return IceInternal::addrToString(_addr);
+}
+
+IceSSL::ConnectorI::ConnectorI(const InstancePtr& instance, const string& host, int port) :
+ _instance(instance),
+ _host(host),
+ _logger(instance->communicator()->getLogger())
+{
+ IceInternal::getAddress(host, port, _addr);
+}
+
+IceSSL::ConnectorI::~ConnectorI()
+{
+}
diff --git a/cpp/src/IceSSL/SslConnector.h b/cpp/src/IceSSL/ConnectorI.h
index 7e7e161fad8..64972aa9512 100644
--- a/cpp/src/IceSSL/SslConnector.h
+++ b/cpp/src/IceSSL/ConnectorI.h
@@ -7,25 +7,26 @@
 //
 // **********************************************************************
-#ifndef ICE_SSL_CONNECTOR_H
-#define ICE_SSL_CONNECTOR_H
+#ifndef ICE_SSL_CONNECTOR_I_H
+#define ICE_SSL_CONNECTOR_I_H
-#include <Ice/TransceiverF.h>
 #include <Ice/LoggerF.h>
-#include <IceSSL/TraceLevelsF.h>
-#include <IceSSL/OpenSSLPluginIF.h>
+#include <Ice/TransceiverF.h>
 #include <Ice/Connector.h>
+#include <InstanceF.h>
-#ifndef _WIN32
+#ifdef _WIN32
+# include <winsock2.h>
+#else
 # include <netinet/in.h> // For struct sockaddr_in
 #endif
 namespace IceSSL
 {
-class SslEndpoint;
+class EndpointI;
-class SslConnector : public IceInternal::Connector
+class ConnectorI : public IceInternal::Connector
 {
 public:
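Review bot: The `switch(SSL_get_error(ssl, result))` inside `connect` has no `default:` label, so a result code that is not listed (`SSL_ERROR_WANT_X509_LOOKUP`, for instance) falls out of the switch and the `do/while(!SSL_is_init_finished(ssl))` loop calls `SSL_connect` again immediately, which on a non-blocking socket can spin without ever waiting or failing. Folding unknown codes into the existing failure path, `case SSL_ERROR_SSL:` followed by `default:`, keeps the handshake bounded and reports the condition through `_instance->sslErrors()` like the other SSL-layer failures. Separately, each `selectRead`/`selectWrite` call waits up to the full `timeout`, so a handshake that alternates between WANT_READ and WANT_WRITE several times can take several multiples of the caller's timeout; computing a deadline once before the loop and passing the remaining time would make the bound exact (inferred from the calls visible here; the helpers themselves live in Util.h). The `ctx` fetched at the top of `connect` is used only for `SSL_new`, while `validatePeer` and `traceConnection` go back through `_instance->clientContext()`; using `ctx` for all three guarantees the handshake, the peer validation and the trace all refer to the same context object.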
@@ -34,14 +35,14 @@ public:
 private:
- SslConnector(const OpenSSLPluginIPtr&, const std::string&, int);
- virtual ~SslConnector();
- friend class SslEndpointI;
+ ConnectorI(const InstancePtr&, const std::string&, int);
+ virtual ~ConnectorI();
+ friend class EndpointI;
- const OpenSSLPluginIPtr _plugin;
+ InstancePtr _instance;
+ std::string _host;
+ Ice::LoggerPtr _logger;
 struct sockaddr_in _addr;
- const TraceLevelsPtr _traceLevels;
- const ::Ice::LoggerPtr _logger;
 };
 }
diff --git a/cpp/src/IceSSL/Context.cpp b/cpp/src/IceSSL/Context.cpp
index 099eaa17bed..ffa4d6a8a11 100644
--- a/cpp/src/IceSSL/Context.cpp
+++ b/cpp/src/IceSSL/Context.cpp
@@ -7,650 +7,915 @@ // // ********************************************************************** +#include <Context.h> +#include <Instance.h> +#include <Util.h> #include <Ice/Communicator.h> +#include <Ice/LocalException.h> +#include <Ice/Logger.h> #include <Ice/LoggerUtil.h> #include <Ice/Properties.h> -#include <IceSSL/DefaultCertificateVerifier.h> -#include <IceSSL/Exception.h> -#include <IceSSL/RSAKeyPair.h> -#include <IceSSL/CertificateDesc.h> -#include <IceSSL/SslTransceiver.h> -#include <IceSSL/Context.h> -#include <IceSSL/OpenSSLJanitors.h> -#include <IceSSL/OpenSSLUtils.h> -#include <IceSSL/TraceLevels.h> - +#ifdef _WIN32 +# include <direct.h> +# include <sys/types.h> +# include <sys/stat.h> +# define S_ISDIR(mode) ((mode) & _S_IFDIR) +# define S_ISREG(mode) ((mode) & _S_IFREG) +#else +# include <sys/stat.h> +#endif + +#include <openssl/x509v3.h> #include <openssl/err.h> using namespace std; using namespace Ice; -using namespace IceInternal; - -void IceInternal::incRef(::IceSSL::Context* p) { p->__incRef(); } -void IceInternal::decRef(::IceSSL::Context* p) { p->__decRef(); } - -IceSSL::Context::~Context() -{ - cleanUp(); -} +using namespace IceSSL; -bool -IceSSL::Context::isConfigured() +static int +opensslPasswordCallback(char* buf, int size, int flag, void* userData) { - return (_sslContext != 0 ? 
true : false); -} - -void -IceSSL::Context::cleanUp() -{ - if(_sslContext != 0) + IceSSL::Context* c = reinterpret_cast<IceSSL::Context*>(userData); + string passwd = c->password(flag == 1); + int sz = static_cast<int>(passwd.size()); + if(sz > size) { - SSL_CTX_free(_sslContext); - - _sslContext = 0; + sz = size - 1; } + strncpy(buf, passwd.c_str(), sz); + buf[sz] = '\0'; + return sz; } -void -IceSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& verifier) +#ifndef OPENSSL_NO_DH +static DH* +opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength) { - _certificateVerifier = verifier; - _certificateVerifier->setContext(_contextType); + IceSSL::Context* c = reinterpret_cast<IceSSL::Context*>(SSL_CTX_get_ex_data(ssl->ctx, 0)); + return c->dhParams(keyLength); } +#endif -void -IceSSL::Context::addTrustedCertificateBase64(const string& trustedCertString) +static int +opensslVerifyCallback(int ok, X509_STORE_CTX* ctx) { - RSAPublicKey pubKey(trustedCertString); - - addTrustedCertificate(pubKey); + SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); + IceSSL::Context* c = reinterpret_cast<IceSSL::Context*>(SSL_CTX_get_ex_data(ssl->ctx, 0)); + return c->verifyCallback(ok, ssl, ctx); } -void -IceSSL::Context::addTrustedCertificate(const Ice::ByteSeq& trustedCert) +static bool +passwordError() { - RSAPublicKey pubKey(trustedCert); - - addTrustedCertificate(pubKey); + int reason = ERR_GET_REASON(ERR_peek_error()); + return (reason == PEM_R_BAD_BASE64_DECODE || + reason == PEM_R_BAD_DECRYPT || + reason == PEM_R_BAD_PASSWORD_READ || + reason == PEM_R_PROBLEMS_GETTING_PASSWORD); } -void -IceSSL::Context::setRSAKeysBase64(const string& privateKey, const string& publicKey) +// +// Context. 
+// +IceSSL::Context::Context(const InstancePtr& instance, const string& propPrefix, SSL_CTX* ctx) : + _instance(instance), + _logger(instance->communicator()->getLogger()), + _ctx(ctx) { - if(privateKey.empty()) + if(_ctx) { - IceSSL::PrivateKeyException privateKeyEx(__FILE__, __LINE__); - - privateKeyEx.message = "Empty private key supplied."; - - throw privateKeyEx; + return; } - addKeyCert(privateKey, publicKey); -} - -void -IceSSL::Context::setRSAKeys(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey) -{ - if(privateKey.empty()) + _ctx = SSL_CTX_new(SSLv23_method()); + if(!_ctx) { - IceSSL::PrivateKeyException privateKeyEx(__FILE__, __LINE__); - - privateKeyEx.message = "Empty private key supplied."; - - throw privateKeyEx; + string err = _instance->sslErrors(); + string msg = "IceSSL: unable to create SSL context:\n" + err; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; } - addKeyCert(privateKey, publicKey); -} - -void -IceSSL::Context::configure(const GeneralConfig& generalConfig, - const CertificateAuthority& certificateAuthority, - const BaseCertificates& baseCertificates) -{ - // Create an SSL Context based on the context params. - createContext(generalConfig.getProtocol()); - - // Enable workarounds and disable SSLv2. - SSL_CTX_set_options(_sslContext, SSL_OP_ALL|SSL_OP_NO_SSLv2); - - // Get the cipherlist and set it in the context. - setCipherList(generalConfig.getCipherList()); - - // Set the certificate verification mode. - SSL_CTX_set_verify(_sslContext, generalConfig.getVerifyMode(), verifyCallback); - - // Set the certificate verify depth - SSL_CTX_set_verify_depth(_sslContext, generalConfig.getVerifyDepth()); - - // Determine the number of retries the user gets on passphrase entry. 
- string passphraseRetries = _communicator->getProperties()->getPropertyWithDefault(_passphraseRetriesProperty, - _maxPassphraseRetriesDefault); - int retries = atoi(passphraseRetries.c_str()); - retries = (retries < 0 ? 0 : retries); - _maxPassphraseTries = retries + 1; + // + // Store a pointer to ourself for use in OpenSSL callbacks. + // + SSL_CTX_set_ex_data(_ctx, 0, this); - // Process the RSA Certificate - setKeyCert(baseCertificates.getRSACert(), _rsaPrivateKeyProperty, _rsaPublicKeyProperty); + PropertiesPtr properties = _instance->communicator()->getProperties(); - // Process the DSA Certificate - setKeyCert(baseCertificates.getDSACert(), _dsaPrivateKeyProperty, _dsaPublicKeyProperty); - - // Set the DH key agreement parameters. - if(baseCertificates.getDHParams().getKeySize() != 0) + // + // Check for a default directory. We look in this directory for + // files mentioned in the configuration. + // { - setDHParams(baseCertificates); + _defaultDir = properties->getProperty(propPrefix + "DefaultDir"); } -} - -// -// Protected -// - -IceSSL::Context::Context(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator, - const ContextType& type) : - _traceLevels(traceLevels), - _communicator(communicator), - _contextType(type) -{ - _certificateVerifier = new DefaultCertificateVerifier(traceLevels, communicator); - _certificateVerifier->setContext(_contextType); - _sslContext = 0; - - _maxPassphraseRetriesDefault = "4"; -} -SSL_METHOD* -IceSSL::Context::getSslMethod(SslProtocol sslVersion) -{ - SSL_METHOD* sslMethod = 0; - - switch(sslVersion) + // + // Select protocols. 
+ // { - case SSL_V23 : - { - sslMethod = SSLv23_method(); - break; - } - - case SSL_V3 : - { - sslMethod = SSLv3_method(); - break; - } - - case TLS_V1 : - { - sslMethod = TLSv1_method(); - break; - } - - default : - { - if(_traceLevels->security >= IceSSL::SECURITY_WARNINGS) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN ssl version " << sslVersion; - out << " not supported (defaulting to SSL_V23)"; - } - - sslMethod = SSLv23_method(); - } + string protocols = properties->getProperty(propPrefix + "Protocols"); + if(!protocols.empty()) + { + parseProtocols(protocols); + } } - return sslMethod; -} - -void -IceSSL::Context::createContext(SslProtocol sslProtocol) -{ - if(_sslContext != 0) + // + // Determine whether a certificate is required from the peer. + // { - SSL_CTX_free(_sslContext); - _sslContext = 0; + int verifyPeer = properties->getPropertyAsIntWithDefault(propPrefix + "VerifyPeer", 2); + int sslVerifyMode; + switch(verifyPeer) + { + case 0: + sslVerifyMode = SSL_VERIFY_NONE; + break; + case 1: + sslVerifyMode = SSL_VERIFY_PEER; + break; + case 2: + sslVerifyMode = SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + break; + default: + { + string msg = "IceSSL: invalid value for " + propPrefix + "VerifyPeer"; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + SSL_CTX_set_verify(_ctx, sslVerifyMode, opensslVerifyCallback); } - _sslContext = SSL_CTX_new(getSslMethod(sslProtocol)); - - if(_sslContext == 0) + // + // If the configuration defines a password, or the application has supplied + // a password prompt object, then register a password callback. Otherwise, + // let OpenSSL use its default behavior. 
+ // { - ContextInitializationException contextInitEx(__FILE__, __LINE__); - - contextInitEx.message = "unable to create ssl context\n" + sslGetErrors(); - - throw contextInitEx; + // TODO: Support quoted value? + string password = properties->getProperty(propPrefix + "Password"); + if(!password.empty() || _instance->passwordPrompt()) + { + SSL_CTX_set_default_passwd_cb(_ctx, opensslPasswordCallback); + SSL_CTX_set_default_passwd_cb_userdata(_ctx, this); + _password = password; + } } - // Turn off session caching, supposedly fixes a problem with multithreading. - SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF); -} - -void -IceSSL::Context::loadCertificateAuthority(const CertificateAuthority& certAuth) -{ - assert(_sslContext != 0); - - string fileName = certAuth.getCAFileName(); - string certPath = certAuth.getCAPath(); + int passwordRetryMax = properties->getPropertyAsIntWithDefault(propPrefix + "PasswordRetryMax", 3); - const char* caFile = 0; - const char* caPath = 0; - - // The following checks are required to send the expected values to the OpenSSL library. - // It does not like receiving "", but prefers NULLs. - - if(!fileName.empty()) + // + // Establish the location of CA certificates. 
+ // { - caFile = fileName.c_str(); + string caFile = properties->getProperty(propPrefix + "CertAuthFile"); + string caDir = properties->getPropertyWithDefault(propPrefix + "CertAuthDir", _defaultDir); + const char* file = 0; + const char* dir = 0; + if(!caFile.empty()) + { + if(!checkPath(caFile, false)) + { + string msg = "IceSSL: CA certificate file not found:\n" + caFile; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + file = caFile.c_str(); + } + if(!caDir.empty()) + { + if(!checkPath(caDir, true)) + { + string msg = "IceSSL: CA certificate directory not found:\n" + caDir; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + dir = caDir.c_str(); + } + if(file || dir) + { + // + // The certificate may be stored in an encrypted file, so handle + // password retries. + // + int count = 0; + int err; + while(count < passwordRetryMax) + { + ERR_clear_error(); + err = SSL_CTX_load_verify_locations(_ctx, file, dir); + if(err || !passwordError()) + { + break; + } + ++count; + } + if(err == 0) + { + string msg = "IceSSL: unable to establish CA certificates"; + if(passwordError()) + { + msg += ":\ninvalid password"; + } + else + { + string err = _instance->sslErrors(); + if(!err.empty()) + { + msg += ":\n" + err; + } + } + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } } - if(!certPath.empty()) + // + // Establish the certificate chains and private keys. One RSA certificate and + // one DSA certificate are allowed. 
+ // { - caPath = certPath.c_str(); +#ifdef _WIN32 + const string sep = ";"; +#else + const string sep = ":"; +#endif + string certFile = properties->getProperty(propPrefix + "CertFile"); + string keyFile = properties->getProperty(propPrefix + "KeyFile"); + vector<string>::size_type numCerts = 0; + if(!certFile.empty()) + { + vector<string> files; + if(!splitString(certFile, sep, false, files) || files.size() > 2) + { + string msg = "IceSSL: invalid value for " + propPrefix + "CertFile:\n" + certFile; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + numCerts = files.size(); + for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) + { + string file = *p; + if(!checkPath(file, false)) + { + string msg = "IceSSL: certificate file not found:\n" + file; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + // + // The certificate may be stored in an encrypted file, so handle + // password retries. 
+ // + int count = 0; + int err; + while(count < passwordRetryMax) + { + ERR_clear_error(); + err = SSL_CTX_use_certificate_chain_file(_ctx, file.c_str()); + if(err || !passwordError()) + { + break; + } + ++count; + } + if(err == 0) + { + string msg = "IceSSL: unable to load certificate chain from file " + file; + if(passwordError()) + { + msg += ":\ninvalid password"; + } + else + { + string err = _instance->sslErrors(); + if(!err.empty()) + { + msg += ":\n" + err; + } + } + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + } + if(keyFile.empty()) + { + keyFile = certFile; // Assume the certificate file also contains the private key. + } + if(!keyFile.empty()) + { + vector<string> files; + if(!splitString(keyFile, sep, false, files) || files.size() > 2) + { + string msg = "IceSSL: invalid value for " + propPrefix + "KeyFile:\n" + keyFile; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + if(files.size() != numCerts) + { + string msg = "IceSSL: " + propPrefix + "KeyFile does not agree with " + propPrefix + "CertFile"; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) + { + string file = *p; + if(!checkPath(file, false)) + { + string msg = "IceSSL: key file not found:\n" + file; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + // + // The private key may be stored in an encrypted file, so 
handle + // password retries. + // + int count = 0; + int err; + while(count < passwordRetryMax) + { + ERR_clear_error(); + err = SSL_CTX_use_PrivateKey_file(_ctx, file.c_str(), SSL_FILETYPE_PEM); + if(err || !passwordError()) + { + break; + } + ++count; + } + if(err == 0) + { + string msg = "IceSSL: unable to load private key from file " + file; + if(passwordError()) + { + msg += ":\ninvalid password"; + } + else + { + string err = _instance->sslErrors(); + if(!err.empty()) + { + msg += ":\n" + err; + } + } + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + if(!SSL_CTX_check_private_key(_ctx)) + { + string err = _instance->sslErrors(); + string msg = "IceSSL: unable to validate private key(s):\n" + err; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } } - // SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback); - - // Check the Certificate Authority file(s). - int loadVerifyRet = SSL_CTX_load_verify_locations(_sslContext, caFile, caPath); - - if(!loadVerifyRet) - { - if(_traceLevels->security >= IceSSL::SECURITY_WARNINGS) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN unable to load certificate authorities."; - } - } - else + // + // Establish the cipher list. 
+ // { - int setDefaultVerifyPathsRet = SSL_CTX_set_default_verify_paths(_sslContext); + string ciphers = properties->getProperty(propPrefix + "Ciphers"); + if(!ciphers.empty()) + { + if(!SSL_CTX_set_cipher_list(_ctx, ciphers.c_str())) + { + string err = _instance->sslErrors(); + string msg = "IceSSL: unable to set ciphers using `" + ciphers + "':\n" + err; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + } - if(!setDefaultVerifyPathsRet && (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN unable to verify certificate authorities."; - } + // + // Establish the maximum verify depth. + // + { + int depth = properties->getPropertyAsIntWithDefault(propPrefix + "VerifyDepthMax", -1); + if(depth >= 0) + { + SSL_CTX_set_verify_depth(_ctx, depth); + } } - // Now we add whatever override/addition that we wish to put into the trusted certificates list - string caCertBase64 = _communicator->getProperties()->getProperty(_caCertificateProperty); - if(!caCertBase64.empty()) + // + // Diffie Hellman configuration. 
+ // { - addTrustedCertificateBase64(caCertBase64); +#ifndef OPENSSL_NO_DH + _dhParams = new DHParams; + SSL_CTX_set_options(_ctx, SSL_OP_SINGLE_DH_USE); + SSL_CTX_set_tmp_dh_callback(_ctx, opensslDHCallback); +#endif + // + // Properties have the following form: + // + // ...DH.<keyLength>=file + // + const string dhPrefix = propPrefix + "DH."; + PropertyDict d = properties->getPropertiesForPrefix(dhPrefix); + if(!d.empty()) + { +#ifdef OPENSSL_NO_DH + _logger->warning("IceSSL: OpenSSL is not configured for Diffie Hellman"); +#else + for(PropertyDict::iterator p = d.begin(); p != d.end(); ++p) + { + string s = p->first.substr(dhPrefix.size()); + int keyLength = atoi(s.c_str()); + if(keyLength > 0) + { + string file = p->second; + if(!checkPath(file, false)) + { + string msg = "IceSSL: DH parameter file not found:\n" + file; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + if(!_dhParams->add(keyLength, file)) + { + string msg = "IceSSL: unable to read DH parameter file " + file; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + } +#endif + } } } -void -IceSSL::Context::setKeyCert(const CertificateDesc& certDesc, - const string& privateProperty, - const string& publicProperty) +IceSSL::Context::~Context() { - string privateKey; - string publicKey; - - if(!privateProperty.empty()) + if(_ctx) { - privateKey = _communicator->getProperties()->getProperty(privateProperty); + SSL_CTX_free(_ctx); } +} - if(!publicProperty.empty()) +SSL_CTX* +IceSSL::Context::ctx() const +{ + return _ctx; +} + +void +IceSSL::Context::validatePeer(SSL* ssl, const string& address, bool incoming) +{ + long result = SSL_get_verify_result(ssl); + if(result != X509_V_OK) { - publicKey = 
_communicator->getProperties()->getProperty(publicProperty); + ostringstream ostr; + ostr << "IceSSL: certificate verification failed:\n" << X509_verify_cert_error_string(result); + string msg = ostr.str(); + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + SecurityException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; } - if(!privateKey.empty() && !publicKey.empty()) + X509* cert = SSL_get_peer_certificate(ssl); + try { - addKeyCert(privateKey, publicKey); + // + // Collect the dnsName and ipAddress values that appear in the peer's subjectAltName + // certificate extension. + // + vector<string> dnsNames, ipAddresses; + if(cert) + { + GENERAL_NAMES* gens = reinterpret_cast<GENERAL_NAMES*>(X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0)); + int i; + for(i = 0; i < sk_GENERAL_NAME_num(gens); ++i) + { + GENERAL_NAME* gen = sk_GENERAL_NAME_value(gens, i); + if(gen->type == GEN_DNS) + { + ASN1_IA5STRING* str = gen->d.dNSName; + if(str && str->type == V_ASN1_IA5STRING && str->data && str->length > 0) + { + string s = reinterpret_cast<const char*>(str->data); + dnsNames.push_back(s); + } + } + else if(gen->type == GEN_IPADD) + { + ASN1_OCTET_STRING* addr = gen->d.iPAddress; + // TODO: Support IPv6 someday. + if(addr && addr->type == V_ASN1_OCTET_STRING && addr->data && addr->length == 4) + { + ostringstream ostr; + for(int j = 0; j < 4; ++j) + { + if(j > 0) + { + ostr << '.'; + } + ostr << static_cast<int>(addr->data[j]); + } + ipAddresses.push_back(ostr.str()); + } + } + } + sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); + } + + CertificateVerifierPtr verifier = _instance->certificateVerifier(); + + // + // Compare the peer's address against the dnsName and ipAddress values. 
+ // + if(!address.empty()) + { + bool certNameOK = false; + + for(vector<string>::iterator p = ipAddresses.begin(); p != ipAddresses.end() && !certNameOK; ++p) + { + if(address == *p) + { + certNameOK = true; + } + } + + if(!certNameOK && !dnsNames.empty()) + { + string host = address; + transform(host.begin(), host.end(), host.begin(), ::tolower); + for(vector<string>::iterator p = dnsNames.begin(); p != dnsNames.end() && !certNameOK; ++p) + { + string s = *p; + transform(s.begin(), s.end(), s.begin(), ::tolower); + if(host == s) + { + certNameOK = true; + } + } + } + + // + // Log a message if the name comparison fails. If CheckCertName is defined, + // we also raise an exception to abort the connection. Don't log a message + // if CheckCertName is not defined and a verifier is present. + // + if(!certNameOK && (_checkCertName || (_instance->securityTraceLevel() >= 1 && !verifier))) + { + ostringstream ostr; + ostr << "IceSSL: "; + if(!_checkCertName) + { + ostr << "ignoring "; + } + ostr << "certificate validation failure:\npeer certificate does not contain `" + << address << "' in its subjectAltName extension"; + if(!dnsNames.empty()) + { + ostr << "\nDNS names found in certificate: "; + for(vector<string>::iterator p = dnsNames.begin(); p != dnsNames.end(); ++p) + { + if(p != dnsNames.begin()) + { + ostr << ", "; + } + ostr << *p; + } + } + if(!ipAddresses.empty()) + { + ostr << "\nIP addresses found in certificate: "; + for(vector<string>::iterator p = ipAddresses.begin(); p != ipAddresses.end(); ++p) + { + if(p != ipAddresses.begin()) + { + ostr << ", "; + } + ostr << *p; + } + } + string msg = ostr.str(); + if(_instance->securityTraceLevel() >= 1) + { + Trace out(_logger, _instance->securityTraceCategory()); + out << msg; + } + if(_checkCertName) + { + SecurityException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + } + + if(verifier) + { + VerifyInfo info; + const_cast<bool&>(info.incoming) = incoming; + info.cert = cert; + info.ssl = 
ssl; + const_cast<string&>(info.address) = address; + const_cast<vector<string>&>(info.dnsNames) = dnsNames; + const_cast<vector<string>&>(info.ipAddresses) = ipAddresses; + verifier->verify(info); + } } - else if(certDesc.getKeySize() != 0) + catch(...) { - addKeyCert(certDesc.getPrivate(), certDesc.getPublic()); + if(cert) + { + X509_free(cert); + } + throw; } -} - -void -IceSSL::Context::checkKeyCert() -{ - assert(_sslContext != 0); - - // Check to see if the Private and Public keys that have been - // set against the SSL context match up. - if(!SSL_CTX_check_private_key(_sslContext)) + if(cert) { - CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__); - - certKeyMatchEx.message = "private key does not match the certificate public key"; - string sslError = sslGetErrors(); - - if(!sslError.empty()) - { - certKeyMatchEx.message += "\n"; - certKeyMatchEx.message += sslError; - } - - throw certKeyMatchEx; + X509_free(cert); } } -void -IceSSL::Context::addTrustedCertificate(const RSAPublicKey& trustedCertificate) +string +IceSSL::Context::password(bool /*encrypting*/) { - if(_sslContext == 0) + PasswordPromptPtr prompt = _instance->passwordPrompt(); + if(prompt) { - ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__); - - contextConfigEx.message = "ssl context not configured"; - - throw contextConfigEx; + try + { + return prompt->getPassword(); + } + catch(...) + { + // + // Don't allow exceptions to cross an OpenSSL boundary. 
+ // + return string(); + } } - - X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext); - - assert(certStore != 0); - - if(X509_STORE_add_cert(certStore, trustedCertificate.getX509PublicKey()) == 0) + else { - TrustedCertificateAddException trustEx(__FILE__, __LINE__); - - trustEx.message = sslGetErrors(); - - throw trustEx; + return _password; } } -void -IceSSL::Context::addKeyCert(const CertificateFile& privateKey, const CertificateFile& publicCert) +#ifndef OPENSSL_NO_DH +DH* +IceSSL::Context::dhParams(int keyLength) { - assert(_sslContext != 0); + return _dhParams->get(keyLength); +} +#endif - if(!publicCert.getFileName().empty()) +int +IceSSL::Context::verifyCallback(int ok, SSL* ssl, X509_STORE_CTX* c) +{ + if(!ok && _instance->securityTraceLevel() >= 1) { - string publicCertFile = publicCert.getFileName(); - const char* publicFile = publicCertFile.c_str(); - int publicEncoding = publicCert.getEncoding(); - - string privCertFile = privateKey.getFileName(); - const char* privKeyFile = privCertFile.c_str(); - int privKeyFileType = privateKey.getEncoding(); - - // Set which Public Key file to use. - if(SSL_CTX_use_certificate_file(_sslContext, publicFile, publicEncoding) <= 0) - { - CertificateLoadException certLoadEx(__FILE__, __LINE__); - - certLoadEx.message = "unable to load certificate from '"; - certLoadEx.message += publicFile; - certLoadEx.message += "'\n"; - certLoadEx.message += sslGetErrors(); - - throw certLoadEx; - } - - if(privateKey.getFileName().empty()) - { - if(_traceLevels->security >= IceSSL::SECURITY_WARNINGS) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN no private key specified -- using the certificate"; - } - - privKeyFile = publicFile; - privKeyFileType = publicEncoding; - } - - int retryCount = 0; - int pkLoadResult = 0; - int errCode = 0; - - while(retryCount != _maxPassphraseTries) - { - // We ignore the errors and remove them from the stack. 
- string errorString = sslGetErrors(); - - // Set which Private Key file to use. - pkLoadResult = SSL_CTX_use_PrivateKey_file(_sslContext, privKeyFile, privKeyFileType); - - if(pkLoadResult <= 0) - { - errCode = ERR_GET_REASON(ERR_peek_error()); - } - else - { - // The load went fine - continue on. - break; - } - - // PEM errors, most likely related to a bad passphrase. - if(errCode != PEM_R_BAD_PASSWORD_READ && - errCode != PEM_R_BAD_DECRYPT && - errCode != PEM_R_BAD_BASE64_DECODE) - { - // Other errors get dealt with below. - break; - } - - cout << "Passphrase error!" << endl; - - retryCount++; - } - - if(pkLoadResult <= 0) - { - errCode = ERR_GET_REASON(ERR_peek_error()); - - // Note: Because OpenSSL currently (V0.9.6b) performs a check to see if the - // key matches the private key when calling SSL_CTX_use_PrivateKey_file(). - if(errCode == X509_R_KEY_VALUES_MISMATCH || errCode == X509_R_KEY_TYPE_MISMATCH) - { - CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__); - - certKeyMatchEx.message = "private key does not match the certificate public key"; - string sslError = sslGetErrors(); - - if(!sslError.empty()) - { - certKeyMatchEx.message += "\n"; - certKeyMatchEx.message += sslError; - } - - throw certKeyMatchEx; - } - else - { - PrivateKeyLoadException pklEx(__FILE__, __LINE__); - - pklEx.message = "unable to load private key from '"; - pklEx.message += privKeyFile; - pklEx.message += "'\n"; - pklEx.message += sslGetErrors(); - - throw pklEx; - } - } - - checkKeyCert(); + X509* cert = X509_STORE_CTX_get_current_cert(c); + int err = X509_STORE_CTX_get_error(c); + char buf[256]; + + Trace out(_logger, _instance->securityTraceCategory()); + out << "certificate verification failure\n"; + + X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); + out << "issuer = " << buf << '\n'; + X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); + out << "subject = " << buf << '\n'; + out << "depth = " << X509_STORE_CTX_get_error_depth(c) << 
'\n'; + out << "error = " << X509_verify_cert_error_string(err) << '\n'; + out << IceInternal::fdToString(SSL_get_fd(ssl)); } + return ok; } void -IceSSL::Context::addKeyCert(const RSAKeyPair& keyPair) +IceSSL::Context::traceConnection(SSL* ssl, bool incoming) { - if(_sslContext == 0) - { - ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__); - - contextConfigEx.message = "ssl context not configured"; - - throw contextConfigEx; - } - - // Note: Normally I would use an X509Janitor and RSAJanitor to ensure that - // memory was being freed properly when exceptions are thrown, but - // both SSL_CTX_use_certificate and SSL_CTX_use_RSAPrivateKey free - // certificate/key memory regardless if the call succeeded. - - // Set which Public Key file to use. - if(SSL_CTX_use_certificate(_sslContext, keyPair.getX509PublicKey()) <= 0) + Trace out(_logger, _instance->securityTraceCategory()); + out << "SSL summary for " << (incoming ? "incoming" : "outgoing") << " connection\n"; + SSL_CIPHER* cipher = SSL_get_current_cipher(ssl); + if(!cipher) { - CertificateLoadException certLoadEx(__FILE__, __LINE__); - - certLoadEx.message = "unable to set certificate from memory"; - string sslError = sslGetErrors(); - - if(!sslError.empty()) - { - certLoadEx.message += "\n"; - certLoadEx.message += sslError; - } - - throw certLoadEx; + out << "unknown cipher\n"; } - - // Set which Private Key file to use. - if(SSL_CTX_use_RSAPrivateKey(_sslContext, keyPair.getRSAPrivateKey()) <= 0) + else { - int errCode = ERR_GET_REASON(ERR_peek_error()); - - // Note: Because OpenSSL currently (V0.9.6b) performs a check to see if the - // key matches the private key when calling SSL_CTX_use_PrivateKey_file(). 
- if(errCode == X509_R_KEY_VALUES_MISMATCH || errCode == X509_R_KEY_TYPE_MISMATCH) - { - CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__); - - certKeyMatchEx.message = "private key does not match the certificate public key"; - string sslError = sslGetErrors(); - - if(!sslError.empty()) - { - certKeyMatchEx.message += "\n"; - certKeyMatchEx.message += sslError; - } - - throw certKeyMatchEx; - } - else - { - PrivateKeyLoadException pklEx(__FILE__, __LINE__); - - pklEx.message = "unable to set private key from memory"; - string sslError = sslGetErrors(); - - if(!sslError.empty()) - { - pklEx.message += "\n"; - pklEx.message += sslError; - } - - throw pklEx; - } + out << "cipher = " << SSL_CIPHER_get_name(cipher) << "\n"; + out << "bits = " << SSL_CIPHER_get_bits(cipher, 0) << "\n"; + out << "protocol = " << SSL_get_version(ssl) << "\n"; } - - checkKeyCert(); + out << IceInternal::fdToString(SSL_get_fd(ssl)); } -void -IceSSL::Context::addKeyCert(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey) +bool +IceSSL::Context::checkPath(string& path, bool dir) { - Ice::ByteSeq privKey = privateKey; - - if(privKey.empty()) + // + // Check if file exists. If not, try prepending the default + // directory and check again. If the file is found, the + // string argument is modified and true is returned. Otherwise + // false is returned. + // +#ifdef _WIN32 + struct _stat st; + int err = ::_stat(path.c_str(), &st); +#else + struct stat st; + int err = ::stat(path.c_str(), &st); +#endif + if(err == 0) { - if(_traceLevels->security >= IceSSL::SECURITY_WARNINGS) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN no private key specified -- using the certificate"; - } - - privKey = publicKey; + return dir ? S_ISDIR(st.st_mode) != 0 : S_ISREG(st.st_mode) != 0; } - // Make a key pair based on the DER encoded byte sequences. 
- RSAKeyPair rsaKeyPair(privKey, publicKey); - addKeyCert(rsaKeyPair); -} - -void -IceSSL::Context::addKeyCert(const string& privateKey, const string& publicKey) -{ - string privKey = privateKey; - - if(privKey.empty()) + if(!_defaultDir.empty()) { - if(_traceLevels->security >= IceSSL::SECURITY_WARNINGS) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN no private key specified -- using the certificate"; - } - - privKey = publicKey; +#ifdef _WIN32 + string s = _defaultDir + "\\" + path; + err = ::_stat(s.c_str(), &st); +#else + string s = _defaultDir + "/" + path; + err = ::stat(s.c_str(), &st); +#endif + if(err == 0 && ((!dir && S_ISREG(st.st_mode)) || (dir && S_ISDIR(st.st_mode)))) + { + path = s; + return true; + } } - // Make a key pair based on the Base64 encoded strings. - RSAKeyPair rsaKeyPair(privKey, publicKey); - addKeyCert(rsaKeyPair); -} - -SSL* -IceSSL::Context::createSSLConnection(int socket) -{ - assert(_sslContext != 0); - - SSL* sslConnection = SSL_new(_sslContext); - assert(sslConnection != 0); - - SSL_clear(sslConnection); - - SSL_set_fd(sslConnection, socket); - - return sslConnection; + return false; } void -IceSSL::Context::setCipherList(const string& cipherList) +IceSSL::Context::parseProtocols(const string& val) { - assert(_sslContext != 0); - - if(!cipherList.empty() && (!SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str())) && - (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)) + const string delim = ", "; + bool sslv3 = false, tlsv1 = false; + string::size_type pos = 0; + while(pos != string::npos) { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN error setting cipher list " << cipherList << " -- using default list" << "\n"; - out << sslGetErrors(); + pos = val.find_first_not_of(delim, pos); + if(pos == string::npos) + { + break; + } + + string prot; + string::size_type end = val.find_first_of(delim, pos); + if(end == string::npos) + { + prot = 
val.substr(pos); + } + else + { + prot = val.substr(pos, end - pos); + } + pos = end; + + if(prot == "ssl3" || prot == "sslv3") + { + sslv3 = true; + } + else if(prot == "tls1" || prot == "tlsv1") + { + tlsv1 = true; + } + else + { + string msg = "IceSSL: unrecognized protocol `" + prot + "'"; + if(_instance->securityTraceLevel() >= 1) + { + _logger->trace(_instance->securityTraceCategory(), msg); + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } } -} - -void -IceSSL::Context::setDHParams(const BaseCertificates& baseCerts) -{ - DH* dh = 0; - - string dhFile = baseCerts.getDHParams().getFileName(); - int encoding = baseCerts.getDHParams().getEncoding(); - // File type must be PEM - that's the only way we can load DH Params, apparently. - if((!dhFile.empty()) && (encoding == SSL_FILETYPE_PEM)) + long opts = SSL_OP_NO_SSLv2; // SSLv2 is not supported. + if(!sslv3) { - dh = loadDHParam(dhFile.c_str()); + opts |= SSL_OP_NO_SSLv3; } - - if(dh == 0) + if(!tlsv1) { - if(_traceLevels->security >= IceSSL::SECURITY_WARNINGS) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key."; - } - - dh = getTempDH512(); + opts |= SSL_OP_NO_TLSv1; } + SSL_CTX_set_options(_ctx, opts); +} - if(dh != 0) - { - SSL_CTX_set_tmp_dh(_sslContext, dh); +// +// ClientContext. +// +IceSSL::ClientContext::ClientContext(const InstancePtr& instance, SSL_CTX* ctx) : + Context(instance, "IceSSL.Client.", ctx) +{ + PropertiesPtr properties = _instance->communicator()->getProperties(); - DH_free(dh); + // + // CheckCertName determines whether we compare the name in a peer's + // certificate against its hostname. + // + { + _checkCertName = properties->getPropertyAsIntWithDefault("IceSSL.Client.CheckCertName", 0) > 0; } } + +// +// ServerContext. 
+// +IceSSL::ServerContext::ServerContext(const InstancePtr& instance, SSL_CTX* ctx) : + Context(instance, "IceSSL.Server.", ctx) +{ + _checkCertName = false; +} diff --git a/cpp/src/IceSSL/Context.h b/cpp/src/IceSSL/Context.h index d3f38050bf9..e002031f5e7 100644 --- a/cpp/src/IceSSL/Context.h +++ b/cpp/src/IceSSL/Context.h @@ -7,23 +7,12 @@ // // ********************************************************************** -#ifndef ICESSL_CONTEXT_H -#define ICESSL_CONTEXT_H - -#include <Ice/CommunicatorF.h> -#include <IceSSL/TraceLevelsF.h> -#include <IceSSL/SslTransceiverF.h> -#include <IceSSL/ContextF.h> - -#include <Ice/BuiltinSequences.h> -#include <IceSSL/OpenSSL.h> -#include <IceSSL/CertificateVerifierOpenSSL.h> -#include <IceSSL/GeneralConfig.h> -#include <IceSSL/CertificateAuthority.h> -#include <IceSSL/BaseCerts.h> -#include <IceSSL/TempCerts.h> -#include <IceSSL/RSAPublicKey.h> -#include <IceSSL/RSAKeyPairF.h> +#ifndef ICE_SSL_CONTEXT_H +#define ICE_SSL_CONTEXT_H + +#include <InstanceF.h> +#include <UtilF.h> +#include <Ice/LoggerF.h> namespace IceSSL { 
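Review bot: The replaced include list leaves the header without a visible source for the OpenSSL declarations it relies on: the class declaration later in this file names `SSL_CTX`, `SSL`, `X509_STORE_CTX` and `DH` and tests `OPENSSL_NO_DH`, while `<IceSSL/OpenSSL.h>` has been dropped and only `<InstanceF.h>`, `<UtilF.h>` and `<Ice/LoggerF.h>` remain. Unless one of those forward-declaration headers includes `<openssl/ssl.h>`, whether this header compiles depends on include order in each translation unit, and an undefined `OPENSSL_NO_DH` silently selects the DH branch. Adding `#include <openssl/ssl.h>` here, or a one-line comment naming the header that provides the OpenSSL types, would make the dependency explicit.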
@@ -32,68 +21,55 @@ class Context : public IceUtil::Shared { public: - virtual ~Context(); - - bool isConfigured(); - - void cleanUp(); - - virtual void setCertificateVerifier(const CertificateVerifierPtr&); - virtual void addTrustedCertificateBase64(const std::string&); - virtual void addTrustedCertificate(const Ice::ByteSeq&); - virtual void setRSAKeysBase64(const std::string&, const std::string&); - virtual void setRSAKeys(const Ice::ByteSeq&, const Ice::ByteSeq&); - virtual void configure(const GeneralConfig&, const CertificateAuthority&, const BaseCertificates&); - virtual SslTransceiverPtr createTransceiver(int, const OpenSSLPluginIPtr&, int) = 0; - -protected: - - Context(const TraceLevelsPtr&, const Ice::CommunicatorPtr&, const ContextType&); - - SSL_METHOD* getSslMethod(SslProtocol); - void createContext(SslProtocol); - - virtual void loadCertificateAuthority(const CertificateAuthority&); - - void setKeyCert(const CertificateDesc&, const std::string&, const std::string&); - - void checkKeyCert(); + Context(const InstancePtr&, const std::string&, SSL_CTX*); + ~Context(); - void addTrustedCertificate(const RSAPublicKey&); + SSL_CTX* ctx() const; - void addKeyCert(const CertificateFile&, const CertificateFile&); + void validatePeer(SSL*, const std::string&, bool); - void addKeyCert(const RSAKeyPair&); + std::string password(bool); - void addKeyCert(const Ice::ByteSeq&, const Ice::ByteSeq&); - - void addKeyCert(const std::string&, const std::string&); +#ifndef OPENSSL_NO_DH + DH* dhParams(int); +#endif - SSL* createSSLConnection(int); + int verifyCallback(int, SSL*, X509_STORE_CTX*); - void setCipherList(const std::string&); + void traceConnection(SSL*, bool); - void setDHParams(const BaseCertificates&); +protected: - TraceLevelsPtr _traceLevels; - Ice::CommunicatorPtr _communicator; - ContextType _contextType; + bool checkPath(std::string&, bool); + void parseProtocols(const std::string&); + + InstancePtr _instance; + Ice::LoggerPtr _logger; + SSL_CTX* _ctx; 
+ std::string _defaultDir; + bool _checkCertName; + std::string _password; +#ifndef OPENSSL_NO_DH + DHParamsPtr _dhParams; +#endif +}; +typedef IceUtil::Handle<Context> ContextPtr; - std::string _rsaPrivateKeyProperty; - std::string _rsaPublicKeyProperty; - std::string _dsaPrivateKeyProperty; - std::string _dsaPublicKeyProperty; - std::string _caCertificateProperty; - std::string _passphraseRetriesProperty; - std::string _maxPassphraseRetriesDefault; - std::string _connectionHandshakeRetries; +class ClientContext : public Context +{ +public: - CertificateVerifierPtr _certificateVerifier; + ClientContext(const InstancePtr&, SSL_CTX*); +}; +typedef IceUtil::Handle<ClientContext> ClientContextPtr; - SSL_CTX* _sslContext; +class ServerContext : public Context +{ +public: - int _maxPassphraseTries; + ServerContext(const InstancePtr&, SSL_CTX*); }; +typedef IceUtil::Handle<ServerContext> ServerContextPtr; } diff --git a/cpp/src/IceSSL/ContextF.h b/cpp/src/IceSSL/ContextF.h deleted file mode 100644 index 2e79a053a97..00000000000 --- a/cpp/src/IceSSL/ContextF.h +++ /dev/null @@ -1,31 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_CONTEXT_OPENSSL_F_H -#define ICE_SSL_CONTEXT_OPENSSL_F_H - -#include <Ice/Handle.h> - -namespace IceSSL -{ - -class Context; -typedef IceInternal::Handle<Context> ContextPtr; - -} - -namespace IceInternal -{ - -void incRef(::IceSSL::Context*); -void decRef(::IceSSL::Context*); - -} - -#endif diff --git a/cpp/src/IceSSL/Convert.cpp b/cpp/src/IceSSL/Convert.cpp deleted file mode 100644 index bdfa65068f1..00000000000 --- a/cpp/src/IceSSL/Convert.cpp +++ /dev/null 
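Review bot: The new `Context` interface carries no comments, and two of its members leave security-relevant lifetime questions open that the declaration alone cannot answer. It is not stated whether `Context` takes ownership of the `SSL_CTX*` given to its constructor and releases it in `~Context()`, and `_password`, presumably the passphrase that `password(bool)` returns, is held as a plain `std::string` for the life of the context and handed out by value, so copies of it persist in memory and are not scrubbed on destruction. A one-line comment on the constructor stating the `SSL_CTX` ownership rule, and on the member something like `// Passphrase returned by password(); held unscrubbed for the life of the context.`, would let readers of the header reason about both. The definitions are in Context.cpp, outside this hunk, so the ownership behaviour has to be confirmed there.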
@@ -1,38 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#include <IceUtil/DisableWarnings.h>
-#include <IceUtil/Config.h>
-#include <IceSSL/Convert.h>
-#include <iterator>
-
-void
-IceSSL::ucharToByteSeq(unsigned char* ucharBuffer, int length, Ice::ByteSeq& destBuffer)
-{
- assert(ucharBuffer != 0);
- destBuffer.reserve(length);
- std::copy(ucharBuffer, (ucharBuffer + length), std::back_inserter(destBuffer));
-}
-
-unsigned char*
-IceSSL::byteSeqToUChar(const Ice::ByteSeq& sequence)
-{
- size_t seqSize = sequence.size();
-
- assert(seqSize > 0);
-
- unsigned char* ucharSeq = new unsigned char[seqSize];
-
- assert(ucharSeq != 0);
-
- unsigned char* ucharPtr = ucharSeq;
- std::copy(sequence.begin(), sequence.end(), ucharPtr);
-
- return ucharSeq;
-}
diff --git a/cpp/src/IceSSL/DHParams.cpp b/cpp/src/IceSSL/DHParams.cpp
deleted file mode 100644
index dd0e2496d76..00000000000
--- a/cpp/src/IceSSL/DHParams.cpp
+++ /dev/null
@@ -1,34 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#include <IceSSL/DHParams.h>
-
-void IceInternal::incRef(::IceSSL::DHParams* p) { p->__incRef(); }
-void IceInternal::decRef(::IceSSL::DHParams* p) { p->__decRef(); }
-
-IceSSL::DHParams::DHParams(DH* dhParams) :
- _dhParams(dhParams)
-{
- assert(_dhParams != 0);
-}
-
-IceSSL::DHParams::~DHParams()
-{
- if(_dhParams != 0)
- {
- DH_free(_dhParams);
- }
-}
-
-DH*
-IceSSL::DHParams::get() const
-{
- return _dhParams;
-}
-
diff --git a/cpp/src/IceSSL/DHParams.h b/cpp/src/IceSSL/DHParams.h
deleted file mode 100644
index 5e24758aacc..00000000000
--- a/cpp/src/IceSSL/DHParams.h
+++ /dev/null
@@ -1,39 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#ifndef ICE_DH_PARAMS_H
-#define ICE_DH_PARAMS_H
-
-#include <IceUtil/Shared.h>
-#include <IceSSL/DHParamsF.h>
-#include <openssl/ssl.h>
-
-namespace IceSSL
-{
-
-class DHParams : public IceUtil::Shared
-{
-public:
-
- // Construction from DH Params structure (simple initialization).
- DHParams(DH*);
-
- ~DHParams();
-
- // Get the internal key structure as per the OpenSSL implementation.
- DH* get() const;
-
-private:
-
- DH* _dhParams;
-};
-
-}
-
-#endif
diff --git a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
deleted file mode 100644
index 5f44957c600..00000000000
--- a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
+++ /dev/null
@@ -1,177 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <Ice/Communicator.h> -#include <Ice/Properties.h> -#include <Ice/LoggerUtil.h> -#include <IceSSL/OpenSSL.h> -#include <IceSSL/DefaultCertificateVerifier.h> -#include <IceSSL/OpenSSLUtils.h> -#include <IceSSL/TraceLevels.h> - -#include <ostream> - -using namespace std; - -IceSSL::DefaultCertificateVerifier::DefaultCertificateVerifier(const IceSSL::TraceLevelsPtr& traceLevels, - const Ice::CommunicatorPtr& communicator) : - _traceLevels(traceLevels), - _communicator(communicator) -{ -} - -int -IceSSL::DefaultCertificateVerifier::verify(int preVerifyOkay, X509_STORE_CTX* x509StoreContext, SSL* sslConnection) -{ - // - // Default verification steps. - // - - int verifyError = X509_STORE_CTX_get_error(x509StoreContext); - int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext); - int verifyDepth = SSL_get_verify_depth(sslConnection); - - // A verify error has been encountered. - if(verifyError != X509_V_OK) - { - // We have a limited verify depth, and we have had to delve too deeply - // into the certificate chain to find an acceptable root certificate. 
- if((verifyDepth != -1) && (verifyDepth < errorDepth)) - { - verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG; - X509_STORE_CTX_set_error(x509StoreContext, verifyError); - } - - bool checkIgnoreValid = false; - - switch(verifyError) - { - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - { - checkIgnoreValid = true; - break; - } - - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - { - checkIgnoreValid = true; - break; - } - - default : - { - // If we have any other errors, we bail out. - preVerifyOkay = 0; - break; - } - } - - if(checkIgnoreValid) - { - ::Ice::PropertiesPtr properties = _communicator->getProperties(); - - switch(_contextType) - { - case Client : - { - if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0) - { - // Unless we're told to ignore this result, we bail out. - preVerifyOkay = 0; - } - else - { - preVerifyOkay = 1; - } - break; - } - - case Server : - { - if(properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0) - { - // Unless we're told to ignore this result, we bail out. - preVerifyOkay = 0; - } - else - { - preVerifyOkay = 1; - } - break; - } - - case ClientServer: - { - if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0 && - properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0) - { - // Unless we're told to ignore this result, we bail out. - preVerifyOkay = 0; - } - else - { - preVerifyOkay = 1; - } - break; - } - } - } - } - - // Only if ICE_PROTOCOL level logging is on do we worry about this. 
- if(_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) - { - char buf[256]; - - X509* err_cert = X509_STORE_CTX_get_current_cert(x509StoreContext); - - X509_NAME_oneline(X509_get_subject_name(err_cert), buf, int(sizeof(buf))); - - Ice::Trace out(_communicator->getLogger(), _traceLevels->securityCat); - - out << "depth = " << dec << errorDepth << ":" << buf << "\n"; - - if(!preVerifyOkay) - { - out << "verify error: num = " << verifyError << " : " - << X509_verify_cert_error_string(verifyError) << "\n"; - - } - - switch(verifyError) - { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - { - X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, int(sizeof(buf))); - out << "issuer = " << buf << "\n"; - break; - } - - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - { - out << "notBefore = " << getASN1time(X509_get_notBefore(err_cert)) << "\n"; - break; - } - - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - { - out << "notAfter = " << getASN1time(X509_get_notAfter(err_cert)) << "\n"; - break; - } - } - - out << "verify return = " << preVerifyOkay << "\n"; - } - - return preVerifyOkay; -} diff --git a/cpp/src/IceSSL/DefaultCertificateVerifier.h b/cpp/src/IceSSL/DefaultCertificateVerifier.h deleted file mode 100644 index 9a3e7058bb3..00000000000 --- a/cpp/src/IceSSL/DefaultCertificateVerifier.h +++ /dev/null 
@@ -1,36 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_DEFAULT_CERTIFICATE_VERIFIER_H
-#define ICE_SSL_DEFAULT_CERTIFICATE_VERIFIER_H
-
-#include <Ice/CommunicatorF.h>
-#include <IceSSL/TraceLevelsF.h>
-#include <IceSSL/CertificateVerifierOpenSSL.h>
-
-namespace IceSSL
-{
-
-class DefaultCertificateVerifier : public IceSSL::CertificateVerifierOpenSSL
-{
-public:
-
- DefaultCertificateVerifier(const IceSSL::TraceLevelsPtr&, const Ice::CommunicatorPtr&);
-
- virtual int verify(int, X509_STORE_CTX*, SSL*);
-
-private:
-
- IceSSL::TraceLevelsPtr _traceLevels;
- Ice::CommunicatorPtr _communicator;
-};
-
-}
-
-#endif
diff --git a/cpp/src/IceSSL/SslEndpointI.cpp b/cpp/src/IceSSL/EndpointI.cpp
index 5478c2228e3..361ca90e3ae 100644
--- a/cpp/src/IceSSL/SslEndpointI.cpp
+++ b/cpp/src/IceSSL/EndpointI.cpp
@@ -7,23 +7,23 @@ // // ********************************************************************** +#include <EndpointI.h> +#include <AcceptorI.h> +#include <ConnectorI.h> +#include <TransceiverI.h> +#include <Instance.h> #include <Ice/Network.h> #include <Ice/BasicStream.h> #include <Ice/LocalException.h> -#include <Ice/ProtocolPluginFacade.h> -#include <IceSSL/SslEndpointI.h> -#include <IceSSL/SslAcceptor.h> -#include <IceSSL/SslConnector.h> -#include <IceSSL/SslTransceiver.h> -#include <IceSSL/OpenSSLPluginI.h> +#include <Ice/DefaultsAndOverrides.h> using namespace std; using namespace Ice; -using namespace IceInternal; +using namespace IceSSL; -IceSSL::SslEndpointI::SslEndpointI(const OpenSSLPluginIPtr& plugin, const string& ho, Int po, Int ti, - const string& conId, bool co, bool pub) : - _plugin(plugin), +IceSSL::EndpointI::EndpointI(const InstancePtr& instance, const string& ho, Int po, Int ti, const string& conId, + bool co, bool pub) : + _instance(instance), _host(ho), _port(po), _timeout(ti), @@ -33,8 +33,8 @@ IceSSL::SslEndpointI::SslEndpointI(const OpenSSLPluginIPtr& plugin, const string { } -IceSSL::SslEndpointI::SslEndpointI(const OpenSSLPluginIPtr& plugin, const string& str) : - _plugin(plugin), +IceSSL::EndpointI::EndpointI(const InstancePtr& instance, const string& str) : + _instance(instance), _port(0), _timeout(-1), _compress(false), @@ -141,11 +141,11 @@ IceSSL::SslEndpointI::SslEndpointI(const OpenSSLPluginIPtr& plugin, const string if(_host.empty()) { - const_cast<string&>(_host) = _plugin->getProtocolPluginFacade()->getDefaultHost(); - if(_host.empty()) - { + const_cast<string&>(_host) = _instance->defaultHost(); + if(_host.empty()) + { const_cast<string&>(_host) = "0.0.0.0"; - } + } } else if(_host == "*") { 
@@ -153,8 +153,8 @@ IceSSL::SslEndpointI::SslEndpointI(const OpenSSLPluginIPtr& plugin, const string } } -IceSSL::SslEndpointI::SslEndpointI(const OpenSSLPluginIPtr& plugin, BasicStream* s) : - _plugin(plugin), +IceSSL::EndpointI::EndpointI(const InstancePtr& instance, IceInternal::BasicStream* s) : + _instance(instance), _port(0), _timeout(-1), _compress(false), @@ -169,9 +169,9 @@ IceSSL::SslEndpointI::SslEndpointI(const OpenSSLPluginIPtr& plugin, BasicStream* } void -IceSSL::SslEndpointI::streamWrite(BasicStream* s) const +IceSSL::EndpointI::streamWrite(IceInternal::BasicStream* s) const { - s->write(SslEndpointType); + s->write(EndpointType); s->startWriteEncaps(); s->write(_host); s->write(_port); @@ -181,7 +181,7 @@ IceSSL::SslEndpointI::streamWrite(BasicStream* s) const } string -IceSSL::SslEndpointI::toString() const +IceSSL::EndpointI::toString() const { ostringstream s; s << "ssl -h " << _host << " -p " << _port; 
@@ -197,147 +197,146 @@ IceSSL::SslEndpointI::toString() const } Short -IceSSL::SslEndpointI::type() const +IceSSL::EndpointI::type() const { - return SslEndpointType; + return EndpointType; } Int -IceSSL::SslEndpointI::timeout() const +IceSSL::EndpointI::timeout() const { return _timeout; } -EndpointIPtr -IceSSL::SslEndpointI::timeout(Int timeout) const +IceInternal::EndpointIPtr +IceSSL::EndpointI::timeout(Int timeout) const { if(timeout == _timeout) { - return const_cast<SslEndpointI*>(this); + return const_cast<EndpointI*>(this); } else { - return new SslEndpointI(_plugin, _host, _port, timeout, _connectionId, _compress, _publish); + return new EndpointI(_instance, _host, _port, timeout, _connectionId, _compress, _publish); } } -EndpointIPtr -IceSSL::SslEndpointI::connectionId(const string& connectionId) const +IceInternal::EndpointIPtr +IceSSL::EndpointI::connectionId(const string& connectionId) const { if(connectionId == _connectionId) { - return const_cast<SslEndpointI*>(this); + return const_cast<EndpointI*>(this); } else { - return new SslEndpointI(_plugin, _host, _port, _timeout, connectionId, _compress, _publish); + return new EndpointI(_instance, _host, _port, _timeout, connectionId, _compress, _publish); } } bool -IceSSL::SslEndpointI::compress() const +IceSSL::EndpointI::compress() const { return _compress; } -EndpointIPtr -IceSSL::SslEndpointI::compress(bool compress) const +IceInternal::EndpointIPtr +IceSSL::EndpointI::compress(bool compress) const { if(compress == _compress) { - return const_cast<SslEndpointI*>(this); + return const_cast<EndpointI*>(this); } else { - return new SslEndpointI(_plugin, _host, _port, _timeout, _connectionId, compress, _publish); + return new EndpointI(_instance, _host, _port, _timeout, _connectionId, compress, _publish); } } bool -IceSSL::SslEndpointI::datagram() const +IceSSL::EndpointI::datagram() const { return false; } bool -IceSSL::SslEndpointI::secure() const +IceSSL::EndpointI::secure() const { return true; } 
bool -IceSSL::SslEndpointI::unknown() const +IceSSL::EndpointI::unknown() const { return false; } -TransceiverPtr -IceSSL::SslEndpointI::clientTransceiver() const +IceInternal::TransceiverPtr +IceSSL::EndpointI::clientTransceiver() const { return 0; } -TransceiverPtr -IceSSL::SslEndpointI::serverTransceiver(EndpointIPtr& endp) const +IceInternal::TransceiverPtr +IceSSL::EndpointI::serverTransceiver(IceInternal::EndpointIPtr& endp) const { - endp = const_cast<SslEndpointI*>(this); + endp = const_cast<EndpointI*>(this); return 0; } -ConnectorPtr -IceSSL::SslEndpointI::connector() const +IceInternal::ConnectorPtr +IceSSL::EndpointI::connector() const { - return new SslConnector(_plugin, _host, _port); + return new ConnectorI(_instance, _host, _port); } -AcceptorPtr -IceSSL::SslEndpointI::acceptor(EndpointIPtr& endp) const +IceInternal::AcceptorPtr +IceSSL::EndpointI::acceptor(IceInternal::EndpointIPtr& endp) const { - SslAcceptor* p = new SslAcceptor(_plugin, _host, _port); - endp = new SslEndpointI(_plugin, _host, p->effectivePort(), _timeout, _connectionId, _compress, _publish); + AcceptorI* p = new AcceptorI(_instance, _host, _port); + endp = new EndpointI(_instance, _host, p->effectivePort(), _timeout, _connectionId, _compress, _publish); return p; } -vector<EndpointIPtr> -IceSSL::SslEndpointI::expand(bool includeLoopback) const +vector<IceInternal::EndpointIPtr> +IceSSL::EndpointI::expand(bool includeLoopback) const { - vector<EndpointIPtr> endps; + vector<IceInternal::EndpointIPtr> endps; if(_host == "0.0.0.0") { - vector<string> hosts = getLocalHosts(); - for(unsigned int i = 0; i < hosts.size(); ++i) - { + vector<string> hosts = IceInternal::getLocalHosts(); + for(unsigned int i = 0; i < hosts.size(); ++i) + { if(includeLoopback || hosts.size() == 1 || hosts[i] != "127.0.0.1") { - endps.push_back(new SslEndpointI(_plugin, hosts[i], _port, _timeout, _connectionId, _compress, - hosts.size() == 1 || hosts[i] != "127.0.0.1")); + endps.push_back(new 
EndpointI(_instance, hosts[i], _port, _timeout, _connectionId, _compress, + hosts.size() == 1 || hosts[i] != "127.0.0.1")); } - } + } } else { - endps.push_back(const_cast<SslEndpointI*>(this)); + endps.push_back(const_cast<EndpointI*>(this)); } return endps; - } bool -IceSSL::SslEndpointI::publish() const +IceSSL::EndpointI::publish() const { return _publish; } bool -IceSSL::SslEndpointI::equivalent(const TransceiverPtr&) const +IceSSL::EndpointI::equivalent(const IceInternal::TransceiverPtr&) const { return false; } bool -IceSSL::SslEndpointI::equivalent(const AcceptorPtr& acceptor) const +IceSSL::EndpointI::equivalent(const IceInternal::AcceptorPtr& acceptor) const { - const SslAcceptor* sslAcceptor = dynamic_cast<const SslAcceptor*>(acceptor.get()); + const AcceptorI* sslAcceptor = dynamic_cast<const AcceptorI*>(acceptor.get()); if(!sslAcceptor) { return false; @@ -346,9 +345,9 @@ IceSSL::SslEndpointI::equivalent(const AcceptorPtr& acceptor) const } bool -IceSSL::SslEndpointI::operator==(const EndpointI& r) const +IceSSL::EndpointI::operator==(const IceInternal::EndpointI& r) const { - const SslEndpointI* p = dynamic_cast<const SslEndpointI*>(&r); + const EndpointI* p = dynamic_cast<const EndpointI*>(&r); if(!p) { return false; 
@@ -388,30 +387,30 @@ IceSSL::SslEndpointI::operator==(const EndpointI& r) const struct sockaddr_in raddr; try { - getAddress(_host, _port, laddr); - getAddress(p->_host, p->_port, raddr); + IceInternal::getAddress(_host, _port, laddr); + IceInternal::getAddress(p->_host, p->_port, raddr); } catch(const DNSException&) { return false; } - return compareAddress(laddr, raddr); + return IceInternal::compareAddress(laddr, raddr); } return true; } bool -IceSSL::SslEndpointI::operator!=(const EndpointI& r) const +IceSSL::EndpointI::operator!=(const IceInternal::EndpointI& r) const { return !operator==(r); } bool -IceSSL::SslEndpointI::operator<(const EndpointI& r) const +IceSSL::EndpointI::operator<(const IceInternal::EndpointI& r) const { - const SslEndpointI* p = dynamic_cast<const SslEndpointI*>(&r); + const EndpointI* p = dynamic_cast<const EndpointI*>(&r); if(!p) { return type() < r.type(); @@ -466,7 +465,7 @@ IceSSL::SslEndpointI::operator<(const EndpointI& r) const struct sockaddr_in laddr; try { - getAddress(_host, _port, laddr); + IceInternal::getAddress(_host, _port, laddr); } catch(const DNSException&) { @@ -475,7 +474,7 @@ IceSSL::SslEndpointI::operator<(const EndpointI& r) const struct sockaddr_in raddr; try { - getAddress(p->_host, p->_port, raddr); + IceInternal::getAddress(p->_host, p->_port, raddr); } catch(const DNSException&) { 
@@ -494,41 +493,41 @@ IceSSL::SslEndpointI::operator<(const EndpointI& r) const return false; } -IceSSL::SslEndpointFactory::SslEndpointFactory(const OpenSSLPluginIPtr& plugin) - : _plugin(plugin) +IceSSL::EndpointFactoryI::EndpointFactoryI(const InstancePtr& instance) + : _instance(instance) { } -IceSSL::SslEndpointFactory::~SslEndpointFactory() +IceSSL::EndpointFactoryI::~EndpointFactoryI() { } Short -IceSSL::SslEndpointFactory::type() const +IceSSL::EndpointFactoryI::type() const { - return SslEndpointType; + return EndpointType; } string -IceSSL::SslEndpointFactory::protocol() const +IceSSL::EndpointFactoryI::protocol() const { return "ssl"; } -EndpointIPtr -IceSSL::SslEndpointFactory::create(const std::string& str) const +IceInternal::EndpointIPtr +IceSSL::EndpointFactoryI::create(const std::string& str) const { - return new SslEndpointI(_plugin, str); + return new EndpointI(_instance, str); } -EndpointIPtr -IceSSL::SslEndpointFactory::read(BasicStream* s) const +IceInternal::EndpointIPtr +IceSSL::EndpointFactoryI::read(IceInternal::BasicStream* s) const { - return new SslEndpointI(_plugin, s); + return new EndpointI(_instance, s); } void -IceSSL::SslEndpointFactory::destroy() +IceSSL::EndpointFactoryI::destroy() { - _plugin = 0; + _instance = 0; } diff --git a/cpp/src/IceSSL/SslEndpointI.h b/cpp/src/IceSSL/EndpointI.h index d4903bfd9d8..365bdb4d142 100644 --- a/cpp/src/IceSSL/SslEndpointI.h +++ b/cpp/src/IceSSL/EndpointI.h 
@@ -7,33 +7,32 @@ // // ********************************************************************** -#ifndef ICE_SSL_ENDPOINT_H -#define ICE_SSL_ENDPOINT_H +#ifndef ICE_SSL_ENDPOINT_I_H +#define ICE_SSL_ENDPOINT_I_H #include <Ice/EndpointI.h> #include <Ice/EndpointFactory.h> -#include <IceSSL/OpenSSLPluginIF.h> +#include <InstanceF.h> namespace IceSSL { -const Ice::Short SslEndpointType = 2; +const Ice::Short EndpointType = 2; -class SslEndpointI : public IceInternal::EndpointI +class EndpointI : public IceInternal::EndpointI { public: - SslEndpointI(const IceSSL::OpenSSLPluginIPtr&, const std::string&, Ice::Int, Ice::Int, - const std::string&, bool, bool); - SslEndpointI(const IceSSL::OpenSSLPluginIPtr&, const std::string&); - SslEndpointI(const IceSSL::OpenSSLPluginIPtr&, IceInternal::BasicStream*); + EndpointI(const InstancePtr&, const std::string&, Ice::Int, Ice::Int, const std::string&, bool, bool); + EndpointI(const InstancePtr&, const std::string&); + EndpointI(const InstancePtr&, IceInternal::BasicStream*); virtual void streamWrite(IceInternal::BasicStream*) const; virtual std::string toString() const; virtual Ice::Short type() const; virtual Ice::Int timeout() const; virtual IceInternal::EndpointIPtr timeout(Ice::Int) const; - virtual IceInternal::EndpointIPtr connectionId(const std::string&) const; + virtual IceInternal::EndpointIPtr connectionId(const ::std::string&) const; virtual bool compress() const; virtual IceInternal::EndpointIPtr compress(bool) const; virtual bool datagram() const; @@ -67,7 +66,7 @@ private: // // All members are const, because endpoints are immutable. // - const IceSSL::OpenSSLPluginIPtr _plugin; + const InstancePtr _instance; const std::string _host; const Ice::Int _port; const Ice::Int _timeout; 
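Review bot: `connectionId` is the only declaration in the rewritten class that qualifies its parameter as `::std::string`, whereas every sibling (`toString`, the three constructors) uses `std::string`; the change from `const std::string&` to `const ::std::string&` looks accidental and reads as if the two spellings meant different things. Keeping the declaration as `virtual IceInternal::EndpointIPtr connectionId(const std::string&) const;` matches the rest of the header. The class body continues past the end of this hunk.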
@@ -76,12 +75,11 @@ private: const bool _publish; }; -class SslEndpointFactory : public IceInternal::EndpointFactory +class EndpointFactoryI : public IceInternal::EndpointFactory { public: - SslEndpointFactory(const IceSSL::OpenSSLPluginIPtr&); - virtual ~SslEndpointFactory(); + virtual ~EndpointFactoryI(); virtual Ice::Short type() const; virtual std::string protocol() const; @@ -91,7 +89,10 @@ public: private: - IceSSL::OpenSSLPluginIPtr _plugin; + EndpointFactoryI(const InstancePtr&); + friend class Instance; + + InstancePtr _instance; }; } diff --git a/cpp/src/IceSSL/GeneralConfig.cpp b/cpp/src/IceSSL/GeneralConfig.cpp deleted file mode 100644 index 80144df87e0..00000000000 --- a/cpp/src/IceSSL/GeneralConfig.cpp +++ /dev/null 
@@ -1,175 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceSSL/GeneralConfig.h> - -#include <string> -#include <algorithm> - -using namespace std; - -IceSSL::GeneralConfig::GeneralConfig() -{ - _sslVersion = SSL_V23; - - _verifyMode = SSL_VERIFY_NONE; - - // Unlimited verifcation depth. - _verifyDepth = -1; - - _context = ""; - _cipherList = ""; - _randomBytesFiles = ""; -} - -IceSSL::SslProtocol -IceSSL::GeneralConfig::getProtocol() const -{ - return _sslVersion; -} - -int -IceSSL::GeneralConfig::getVerifyMode() const -{ - return _verifyMode; -} - -int -IceSSL::GeneralConfig::getVerifyDepth() const -{ - return _verifyDepth; -} - -std::string -IceSSL::GeneralConfig::getContext() const -{ - return _context; -} - -std::string -IceSSL::GeneralConfig::getCipherList() const -{ - return _cipherList; -} - -std::string -IceSSL::GeneralConfig::getRandomBytesFiles() const -{ - return _randomBytesFiles; -} - -void -IceSSL::GeneralConfig::set(const string& name, const string& value) -{ - if(name.compare("version") == 0) - { - parseVersion(value); - } - else if(name.compare("cipherlist") == 0) - { - _cipherList = value; - } - else if(name.compare("context") == 0) - { - _context = value; - } - else if(name.compare("verifymode") == 0) - { - parseVerifyMode(value); - } - else if(name.compare("verifydepth") == 0) - { - _verifyDepth = atoi(value.c_str()); - } - else if(name.compare("randombytes") == 0) - { - _randomBytesFiles = value; - } - return; -} - -// -// Protected Methods -// - -void -IceSSL::GeneralConfig::parseVersion(const string& value) -{ - if(value.compare("SSLv23") == 0) - { - _sslVersion = SSL_V23; - } - else if(value.compare("SSLv3") == 0) - { - 
_sslVersion = SSL_V3; - } - else if(value.compare("TLSv1") == 0) - { - _sslVersion = TLS_V1; - } - - return; -} - -void -IceSSL::GeneralConfig::parseVerifyMode(const string& value) -{ - const string delim = " |\t\n\r"; - - string s(value); - transform(s.begin(), s.end(), s.begin(), ::tolower); - - string::size_type beg; - string::size_type end = 0; - - while(true) - { - beg = s.find_first_not_of(delim, end); - - if(beg == string::npos) - { - break; - } - - end = s.find_first_of(delim, beg); - - if(end == string::npos) - { - end = s.length(); - } - - string option = s.substr(beg, end - beg); - - if(option.compare("none") == 0) - { - _verifyMode |= SSL_VERIFY_NONE; - } - else if(option.compare("peer") == 0) - { - _verifyMode |= SSL_VERIFY_PEER; - } - else if(option.compare("fail_no_cert") == 0) - { - _verifyMode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - } - else if(option.compare("client_once") == 0) - { - _verifyMode |= SSL_VERIFY_CLIENT_ONCE; - } - } - - // Both SSL_VERIFY_FAIL_IF_NO_PEER_CERT and SSL_VERIFY_CLIENT_ONCE require - // that SSL_VERIFY_PEER be set, otherwise it's an error. - if((_verifyMode != SSL_VERIFY_NONE) && !(_verifyMode & SSL_VERIFY_PEER)) - { - _verifyMode = SSL_VERIFY_NONE; - } - - return; -} diff --git a/cpp/src/IceSSL/GeneralConfig.h b/cpp/src/IceSSL/GeneralConfig.h deleted file mode 100644 index 7d33d79be3d..00000000000 --- a/cpp/src/IceSSL/GeneralConfig.h +++ /dev/null 
@@ -1,65 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_GENERAL_CONFIG_H -#define ICE_SSL_GENERAL_CONFIG_H - -#include <IceSSL/OpenSSL.h> - -namespace IceSSL -{ - -class GeneralConfig -{ -public: - - GeneralConfig(); - - SslProtocol getProtocol() const; - int getVerifyMode() const; - int getVerifyDepth() const; - - std::string getContext() const; - std::string getCipherList() const; - std::string getRandomBytesFiles() const; - - // General method - it will figure out how to properly parse the data. - void set(const std::string&, const std::string&); - -protected: - - SslProtocol _sslVersion; - - int _verifyMode; - int _verifyDepth; - - std::string _context; - std::string _cipherList; - std::string _randomBytesFiles; - - void parseVersion(const std::string&); - void parseVerifyMode(const std::string&); -}; - -template<class Stream> inline -Stream& operator << (Stream& target, const GeneralConfig& generalConfig) -{ - target << "Protocol: " << generalConfig.getProtocol() << "\n"; - target << "Verify Mode: " << generalConfig.getVerifyMode() << "\n"; - target << "Verify Depth: " << generalConfig.getVerifyDepth() << "\n"; - target << "Context: " << generalConfig.getContext() << "\n"; - target << "Cipher List: " << generalConfig.getCipherList() << "\n"; - target << "Random Bytes: " << generalConfig.getRandomBytesFiles() << "\n"; - - return target; -} - -} - -#endif diff --git a/cpp/src/IceSSL/Instance.cpp b/cpp/src/IceSSL/Instance.cpp new file mode 100644 index 00000000000..015e4b53f57 --- /dev/null +++ b/cpp/src/IceSSL/Instance.cpp 
@@ -0,0 +1,222 @@ +// ********************************************************************** +// +// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. +// +// This copy of Ice is licensed to you under the terms described in the +// ICE_LICENSE file included in this distribution. +// +// ********************************************************************** + +#include <Instance.h> +#include <EndpointI.h> +#include <Ice/Communicator.h> +#include <Ice/LocalException.h> +#include <Ice/Logger.h> +#include <Ice/Properties.h> +#include <Ice/ProtocolPluginFacade.h> + +#include <openssl/err.h> + +using namespace std; +using namespace Ice; +using namespace IceSSL; + +void IceSSL::incRef(Instance* p) { p->__incRef(); } +void IceSSL::decRef(Instance* p) { p->__decRef(); } + +IceSSL::Instance::Instance(const CommunicatorPtr& communicator) +{ + __setNoDelete(true); + + PropertiesPtr properties = communicator->getProperties(); + + _facade = getProtocolPluginFacade(communicator); + _securityTraceLevel = properties->getPropertyAsInt("IceSSL.Trace.Security"); + _securityTraceCategory = "Security"; + + // + // Create the client and server contexts. We always create both, even + // if only one is used. + // + // If IceSSL.DelayInit=1, postpone the creation of the contexts until + // the application manually initializes the plugin. + // + if(properties->getPropertyAsInt("IceSSL.DelayInit") == 0) + { + _clientContext = new ClientContext(this, 0); + _serverContext = new ServerContext(this, 0); + } + + // + // Register the endpoint factory. 
+ // + _facade->addEndpointFactory(new EndpointFactoryI(this)); + + __setNoDelete(false); +} + +void +IceSSL::Instance::initialize(SSL_CTX* clientContext, SSL_CTX* serverContext) +{ + if(_clientContext) + { + SecurityException ex(__FILE__, __LINE__); + ex.reason = "plugin is already initialized"; + throw ex; + } + else + { + _clientContext = new ClientContext(this, clientContext); + _serverContext = new ServerContext(this, serverContext); + } +} + +void +IceSSL::Instance::setCertificateVerifier(const CertificateVerifierPtr& verifier) +{ + _verifier = verifier; +} + +void +IceSSL::Instance::setPasswordPrompt(const PasswordPromptPtr& prompt) +{ + _prompt = prompt; +} + +CommunicatorPtr +IceSSL::Instance::communicator() const +{ + return _facade->getCommunicator(); +} + +string +IceSSL::Instance::defaultHost() const +{ + return _facade->getDefaultHost(); +} + +int +IceSSL::Instance::networkTraceLevel() const +{ + return _facade->getNetworkTraceLevel(); +} + +string +IceSSL::Instance::networkTraceCategory() const +{ + return _facade->getNetworkTraceCategory(); +} + +int +IceSSL::Instance::securityTraceLevel() const +{ + return _securityTraceLevel; +} + +string +IceSSL::Instance::securityTraceCategory() const +{ + return _securityTraceCategory; +} + +ClientContextPtr +IceSSL::Instance::clientContext() const +{ + if(!_clientContext) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: plugin is not fully initialized"; + throw ex; + } + return _clientContext; +} + +ServerContextPtr +IceSSL::Instance::serverContext() const +{ + if(!_serverContext) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: plugin is not fully initialized"; + throw ex; + } + return _serverContext; +} + +CertificateVerifierPtr +IceSSL::Instance::certificateVerifier() const +{ + return _verifier; +} + +PasswordPromptPtr +IceSSL::Instance::passwordPrompt() const +{ + return _prompt; +} + +string +IceSSL::Instance::sslErrors() const +{ + 
ostringstream ostr; + + const unsigned long threadId = CRYPTO_thread_id(); + + const char* file; + const char* data; + int line; + int flags; + unsigned long err; + int count = 0; + while((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) + { + if(count > 0) + { + ostr << endl; + } + + if(_securityTraceLevel > 0) + { + if(count > 0) + { + ostr << endl; + } + + char buf[200]; + ERR_error_string_n(err, buf, sizeof(buf)); + + ostr << "Thread ID: " << threadId << endl; + ostr << "Error #: " << err << endl; + ostr << "Message: " << buf << endl; + ostr << "Location: " << file << ", " << line; + if(flags & ERR_TXT_STRING) + { + ostr << endl; + ostr << "Data: " << data; + } + } + else + { + const char* reason = ERR_reason_error_string(err); + ostr << (reason == NULL ? "unknown reason" : reason); + if(flags & ERR_TXT_STRING) + { + ostr << ": " << data; + } + } + + ++count; + } + + ERR_clear_error(); + + return ostr.str(); +} + +void +IceSSL::Instance::destroy() +{ + _facade = 0; + _clientContext = 0; + _serverContext = 0; +} diff --git a/cpp/src/IceSSL/Instance.h b/cpp/src/IceSSL/Instance.h new file mode 100644 index 00000000000..03b99a3b1e9 --- /dev/null +++ b/cpp/src/IceSSL/Instance.h 
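Review bot: `Instance::initialize` is not safe against partial initialization: it assigns `_clientContext` before constructing the `ServerContext`, so if the second `new` throws the object is left with a client context but no server context, a retry is rejected with "plugin is already initialized", and `serverContext()` keeps throwing "not fully initialized". Construct both contexts into locals and assign only once both succeeded, as below. The two failure paths also use different exception types and message prefixes (`SecurityException` with "plugin is already initialized" versus `PluginInitializationException` with "IceSSL: plugin is not fully initialized"); one type and one prefix would make them easier to catch and to grep for. The doubled `if(count > 0) ostr << endl;` in the trace branch of `sslErrors` looks deliberate (a blank line between entries) but deserves a comment saying so.
```cpp
IceSSL::Instance::initialize(SSL_CTX* clientContext, SSL_CTX* serverContext)
{
    // … unchanged: already-initialized check and throw …
    else
    {
        // Build both contexts before publishing either, so a failure in the
        // second leaves the instance exactly as it was.
        ClientContextPtr client = new ClientContext(this, clientContext);
        ServerContextPtr server = new ServerContext(this, serverContext);
        _clientContext = client;
        _serverContext = server;
    }
}
```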
@@ -0,0 +1,62 @@ +// ********************************************************************** +// +// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. +// +// This copy of Ice is licensed to you under the terms described in the +// ICE_LICENSE file included in this distribution. +// +// ********************************************************************** + +#ifndef ICE_SSL_INSTANCE_H +#define ICE_SSL_INSTANCE_H + +#include <InstanceF.h> +#include <Context.h> +#include <Ice/CommunicatorF.h> +#include <Ice/ProtocolPluginFacadeF.h> +#include <IceSSL/Plugin.h> + +namespace IceSSL +{ + +class Instance : public IceUtil::Shared +{ +public: + + Instance(const Ice::CommunicatorPtr&); + + void initialize(SSL_CTX*, SSL_CTX*); + void setCertificateVerifier(const CertificateVerifierPtr&); + void setPasswordPrompt(const PasswordPromptPtr&); + + Ice::CommunicatorPtr communicator() const; + std::string defaultHost() const; + int networkTraceLevel() const; + std::string networkTraceCategory() const; + int securityTraceLevel() const; + std::string securityTraceCategory() const; + + ClientContextPtr clientContext() const; + ServerContextPtr serverContext() const; + + CertificateVerifierPtr certificateVerifier() const; + PasswordPromptPtr passwordPrompt() const; + + std::string sslErrors() const; + + void destroy(); + +private: + + IceInternal::ProtocolPluginFacadePtr _facade; + int _securityTraceLevel; + std::string _securityTraceCategory; + ClientContextPtr _clientContext; + ServerContextPtr _serverContext; + CertificateVerifierPtr _verifier; + PasswordPromptPtr _prompt; +}; + +} + +#endif diff --git a/cpp/src/IceSSL/Convert.h b/cpp/src/IceSSL/InstanceF.h index 10c55885f31..d6d6dc35879 100644 --- a/cpp/src/IceSSL/Convert.h +++ b/cpp/src/IceSSL/InstanceF.h 
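Review bot: The class declares `initialize(SSL_CTX*, SSL_CTX*)` with raw OpenSSL pointers but does not say who owns them afterwards, whether the plug-in frees them or the caller must keep them alive; the only hint in Instance.cpp is that they are handed to `ClientContext`/`ServerContext`, whose constructors this commit's visible hunks do not show. A short header comment on `Instance` should state that contract, that `clientContext()`/`serverContext()` throw `PluginInitializationException` until either the constructor (when `IceSSL.DelayInit` is 0) or `initialize()` has created the contexts, and that `destroy()` must be called to release `_facade` and the contexts. No mutex is visible among the members, so if `initialize`, `setCertificateVerifier` or `setPasswordPrompt` can be called while connections are being created on other threads, the accessors would race with them; I cannot tell from this hunk whether Ice's plug-in lifecycle rules that out, so the comment should say which it is.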
@@ -7,19 +7,19 @@ // // ********************************************************************** -#ifndef ICE_SSL_CONVERT_H -#define ICE_SSL_CONVERT_H +#ifndef ICE_SSL_INSTANCE_F_H +#define ICE_SSL_INSTANCE_F_H -#include <Ice/BuiltinSequences.h> +#include <Ice/Handle.h> namespace IceSSL { -void ucharToByteSeq(unsigned char*, int, Ice::ByteSeq&); - -unsigned char* byteSeqToUChar(const Ice::ByteSeq&); +class Instance; +void incRef(Instance*); +void decRef(Instance*); +typedef IceInternal::Handle<Instance> InstancePtr; } #endif - diff --git a/cpp/src/IceSSL/Makefile b/cpp/src/IceSSL/Makefile index 582a5f662ef..f918d2d33ff 100644 --- a/cpp/src/IceSSL/Makefile +++ b/cpp/src/IceSSL/Makefile 
@@ -15,56 +15,24 @@ LIBNAME = $(call mklibname,IceSSL) TARGETS = $(call mklibtargets,$(libdir)/$(LIBFILENAME),$(libdir)/$(SONAME),$(libdir)/$(LIBNAME)) -OBJS = BaseCerts.o \ - CertificateAuthority.o \ - CertificateDesc.o \ - CertificateVerifierF.o \ - CertificateVerifier.o \ - CertificateVerifierOpenSSL.o \ - ClientContext.o \ - ConfigParser.o \ - Context.o \ - Convert.o \ - DefaultCertificateVerifier.o \ - DHParams.o \ - Exception.o \ - GeneralConfig.o \ - OpenSSLJanitors.o \ - OpenSSLPluginI.o \ - OpenSSLUtils.o \ - PluginF.o \ - Plugin.o \ - RSACertificateGen.o \ - RSAKeyPair.o \ - RSAPrivateKey.o \ - RSAPublicKey.o \ - ServerContext.o \ - SingleCertificateVerifier.o \ - SslAcceptor.o \ - SslConnector.o \ - SslEndpointI.o \ - SslException.o \ - SslTransceiver.o \ - TempCerts.o \ - TraceLevels.o +OBJS = AcceptorI.o \ + Context.o \ + ConnectorI.o \ + EndpointI.o \ + Instance.o \ + PluginI.o \ + TransceiverI.o \ + Util.o SRCS = $(OBJS:.o=.cpp) -SLICE_SRCS = $(SDIR)/Exception.ice \ - $(SDIR)/PluginF.ice \ - $(SDIR)/Plugin.ice \ - $(SDIR)/CertificateVerifierF.ice \ - $(SDIR)/CertificateVerifier.ice - HDIR = $(includedir)/IceSSL -SDIR = $(slicedir)/IceSSL include $(top_srcdir)/config/Make.rules -CPPFLAGS := -I.. $(CPPFLAGS) -DICE_SSL_API_EXPORTS $(OPENSSL_FLAGS) -SLICE2CPPFLAGS := --ice --include-dir IceSSL --dll-export ICE_SSL_API $(SLICE2CPPFLAGS) +CPPFLAGS := -I. -I.. $(CPPFLAGS) -DICE_SSL_API_EXPORTS $(OPENSSL_FLAGS) -LINKWITH := $(EXPAT_RPATH_LINK) -lIceXML $(BZIP2_RPATH_LINK) -lIce -lIceUtil $(OPENSSL_LIBS) $(CXXLIBS) +LINKWITH := $(BZIP2_RPATH_LINK) -lIce -lIceUtil $(OPENSSL_LIBS) $(CXXLIBS) $(libdir)/$(LIBFILENAME): $(OBJS) rm -f $@ diff --git a/cpp/src/IceSSL/OpenSSL.h b/cpp/src/IceSSL/OpenSSL.h deleted file mode 100644 index 63fdcc7f448..00000000000 --- a/cpp/src/IceSSL/OpenSSL.h +++ /dev/null 
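Review bot: `CPPFLAGS := -I. -I..` puts the plug-in's own source directory first on the include path so that the new sources can write `#include <Instance.h>`, `<Context.h>` and `<EndpointI.h>` (see Instance.cpp and Instance.h in this commit). Angle-bracket includes of generic unqualified names make header resolution depend on `-I` ordering, while the existing `-I..` already allows `#include <IceSSL/Instance.h>`, which is unambiguous and matches how `<IceSSL/Plugin.h>` is included in the same files. Dropping `-I.` and qualifying the private includes, or at least switching them to quoted form, would keep the build independent of path order.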
@@ -1,37 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_OPENSSL_H -#define ICE_OPENSSL_H - -#include <IceUtil/Config.h> -#include <openssl/ssl.h> - -namespace IceSSL -{ - -typedef enum -{ - NO_SECURITY_TRACE = 0, - SECURITY_WARNINGS, - SECURITY_PARSE_WARNINGS, - SECURITY_PROTOCOL, - SECURITY_PROTOCOL_DEBUG -} SecurityTraceLevel; - -enum SslProtocol -{ - SSL_V23 = 1, // Speak SSLv3 and TLSv1 - SSL_V3, // Only speak SSLv3 - TLS_V1 // Only speak TLSv1 -}; - -} - -#endif diff --git a/cpp/src/IceSSL/OpenSSLJanitors.cpp b/cpp/src/IceSSL/OpenSSLJanitors.cpp deleted file mode 100644 index 7938506d8ce..00000000000 --- a/cpp/src/IceSSL/OpenSSLJanitors.cpp +++ /dev/null 
@@ -1,141 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceSSL/OpenSSLJanitors.h> - -IceSSL::RSAJanitor::RSAJanitor(RSA* rsa) : - _rsa(rsa) -{ - assert(_rsa != 0); -} - -IceSSL::RSAJanitor::~RSAJanitor() -{ - if(_rsa) - { - RSA_free(_rsa); - } -} - -void -IceSSL::RSAJanitor::clear() -{ - _rsa = 0; -} - -RSA* -IceSSL::RSAJanitor::get() const -{ - return _rsa; -} - -IceSSL::EVP_PKEYJanitor::EVP_PKEYJanitor(EVP_PKEY* evp_pkey) : - _evp_pkey(evp_pkey) -{ - assert(_evp_pkey != 0); -} - -IceSSL::EVP_PKEYJanitor::~EVP_PKEYJanitor() -{ - if(_evp_pkey) - { - EVP_PKEY_free(_evp_pkey); - } -} - -void -IceSSL::EVP_PKEYJanitor::clear() -{ - _evp_pkey = 0; -} - -EVP_PKEY* -IceSSL::EVP_PKEYJanitor::get() const -{ - return _evp_pkey; -} - -IceSSL::X509_REQJanitor::X509_REQJanitor(X509_REQ* x509_req) : - _x509_req(x509_req) -{ - assert(_x509_req != 0); -} - -IceSSL::X509_REQJanitor::~X509_REQJanitor() -{ - if(_x509_req) - { - X509_REQ_free(_x509_req); - } -} - -void -IceSSL::X509_REQJanitor::clear() -{ - _x509_req = 0; -} - -X509_REQ* -IceSSL::X509_REQJanitor::get() const -{ - return _x509_req; -} - -IceSSL::X509Janitor::X509Janitor(X509* x509) : - _x509(x509) -{ - assert(_x509 != 0); -} - -IceSSL::X509Janitor::~X509Janitor() -{ - if(_x509) - { - X509_free(_x509); - } -} - -void -IceSSL::X509Janitor::clear() -{ - _x509 = 0; -} - -X509* -IceSSL::X509Janitor::get() const -{ - return _x509; -} - -IceSSL::BIOJanitor::BIOJanitor(BIO* bio) : - _bio(bio) -{ - assert(_bio != 0); -} - -IceSSL::BIOJanitor::~BIOJanitor() -{ - if(_bio) - { - BIO_free(_bio); - } -} - -void -IceSSL::BIOJanitor::clear() -{ - _bio = 0; -} - -BIO* -IceSSL::BIOJanitor::get() const -{ - return _bio; 
-} - diff --git a/cpp/src/IceSSL/OpenSSLJanitors.h b/cpp/src/IceSSL/OpenSSLJanitors.h deleted file mode 100644 index 4a1e32342b1..00000000000 --- a/cpp/src/IceSSL/OpenSSLJanitors.h +++ /dev/null @@ -1,96 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_JANITORS_H -#define ICE_SSL_JANITORS_H - -#include <IceUtil/Config.h> -#include <openssl/ssl.h> - -namespace IceSSL -{ - -class RSAJanitor -{ -public: - - RSAJanitor(RSA*); - ~RSAJanitor(); - - void clear(); - RSA* get() const; - -private: - - RSA* _rsa; -}; - -class EVP_PKEYJanitor -{ -public: - - EVP_PKEYJanitor(EVP_PKEY*); - ~EVP_PKEYJanitor(); - - void clear(); - EVP_PKEY* get() const; - -private: - - EVP_PKEY* _evp_pkey; -}; - -class X509_REQJanitor -{ -public: - - X509_REQJanitor(X509_REQ*); - ~X509_REQJanitor(); - - void clear(); - X509_REQ* get() const; - -private: - - X509_REQ* _x509_req; -}; - -class X509Janitor -{ -public: - - X509Janitor(X509*); - ~X509Janitor(); - - void clear(); - X509* get() const; - -private: - - X509* _x509; -}; - -class BIOJanitor -{ -public: - - BIOJanitor(BIO*); - ~BIOJanitor(); - - void clear(); - BIO* get() const; - -private: - - BIO* _bio; -}; - -} - -#endif diff --git a/cpp/src/IceSSL/OpenSSLPluginI.cpp b/cpp/src/IceSSL/OpenSSLPluginI.cpp deleted file mode 100644 index 0aa77040dd0..00000000000 --- a/cpp/src/IceSSL/OpenSSLPluginI.cpp +++ /dev/null 
@@ -1,937 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceUtil/DisableWarnings.h> - -#include <IceSSL/OpenSSLPluginI.h> - -#include <Ice/LoggerUtil.h> -#include <Ice/Properties.h> -#include <Ice/ProtocolPluginFacade.h> -#include <Ice/Communicator.h> -#include <Ice/LocalException.h> - -#include <IceSSL/TraceLevels.h> -#include <IceSSL/Exception.h> -#include <IceSSL/ConfigParser.h> -#include <IceSSL/OpenSSLJanitors.h> -#include <IceSSL/OpenSSLUtils.h> -#include <IceSSL/SslTransceiver.h> -#include <IceSSL/DefaultCertificateVerifier.h> -#include <IceSSL/SingleCertificateVerifier.h> -#include <IceSSL/SslEndpointI.h> -#include <IceSSL/RSAPrivateKey.h> -#include <IceSSL/DHParams.h> - -#include <openssl/rand.h> -#include <openssl/err.h> - -#if OPENSSL_VERSION_NUMBER >= 0x0090700fL -#include <openssl/engine.h> -#endif - -#include <sstream> - -#define OPENSSL_THREAD_DEFINES -#include <openssl/opensslconf.h> -#if OPENSSL_VERSION_NUMBER < 0x0090700fL || defined(__FreeBSD__) -# if !defined(THREADS) -# error "Thread support not enabled" -# endif -#else -# if !defined(OPENSSL_THREADS) -# error "Thread support not enabled" -# endif -#endif - -using namespace std; -using namespace Ice; -using namespace IceSSL; - -void IceInternal::incRef(OpenSSLPluginI* p) { p->__incRef(); } -void IceInternal::decRef(OpenSSLPluginI* p) { p->__decRef(); } - -static IceUtil::StaticMutex staticMutex = ICE_STATIC_MUTEX_INITIALIZER; -static int instanceCount = 0; - -// -// Plugin factory function -// -extern "C" -{ - -ICE_SSL_API Ice::Plugin* -create(const CommunicatorPtr& communicator, const string& name, const StringSeq& args) -{ - IceInternal::ProtocolPluginFacadePtr facade = 
IceInternal::getProtocolPluginFacade(communicator); - - OpenSSLPluginI* plugin = new OpenSSLPluginI(facade); - try - { - plugin->configure(); - - // - // Install the SSL endpoint factory - // - IceInternal::EndpointFactoryPtr sslEndpointFactory = new SslEndpointFactory(plugin); - facade->addEndpointFactory(sslEndpointFactory); - } - catch(const Exception& ex) - { - Ice::PluginPtr ptr = plugin; // Reclaim the plug-in instance - - Error out(communicator->getLogger()); - out << "exception in IceSSL plug-in:\n" << ex; - - // Can't throw from an extern "C" function - return 0; - } - catch(...) - { - Ice::PluginPtr ptr = plugin; // Reclaim the plug-in instance - - Error out(communicator->getLogger()); - out << "unknown exception in IceSSL plug-in"; - - // Can't throw from an extern "C" function - return 0; - } - - return plugin; -} - -} - - -// -// Thread safety implementation for OpenSSL -// -namespace IceSSL -{ - -class SslLockKeeper -{ -public: - - SslLockKeeper(); - ~SslLockKeeper(); - - IceUtil::Mutex sslLocks[CRYPTO_NUM_LOCKS]; - -}; - -SslLockKeeper lockKeeper; - -} - -extern "C" -{ - -static void lockingCallback(int mode, int type, const char *file, int line) -{ - if(mode & CRYPTO_LOCK) - { - lockKeeper.sslLocks[type].lock(); - } - else - { - lockKeeper.sslLocks[type].unlock(); - } -} - -static unsigned long -idFunction() -{ -#if defined(_WIN32) - return static_cast<unsigned long>(GetCurrentThreadId()); -#elif defined(__FreeBSD__) || defined(__APPLE__) || defined(__osf1__) - // - // On FreeBSD, pthread_t is a pointer to a per-thread structure - // - return reinterpret_cast<unsigned long>(pthread_self()); -#elif (defined(__linux) || defined(__sun) || defined(__hpux)) || defined(_AIX) - // - // On Linux, Solaris, HP-UX and AIX, pthread_t is an integer - // - return static_cast<unsigned long>(pthread_self()); -#else -# error "Unknown platform" -#endif -} -} - -IceSSL::SslLockKeeper::SslLockKeeper() -{ - CRYPTO_set_id_callback(idFunction); - 
CRYPTO_set_locking_callback(lockingCallback); -} - -IceSSL::SslLockKeeper::~SslLockKeeper() -{ - CRYPTO_set_locking_callback(0); - CRYPTO_set_id_callback(0); -} - -// -// Public Methods -// -// -IceSSL::OpenSSLPluginI::OpenSSLPluginI(const IceInternal::ProtocolPluginFacadePtr& protocolPluginFacade) : - _protocolPluginFacade(protocolPluginFacade), - _traceLevels(new TraceLevels(_protocolPluginFacade)), - _properties(_protocolPluginFacade->getCommunicator()->getProperties()), - _memDebug(_properties->getPropertyAsIntWithDefault("IceSSL.MemoryDebug", 0)), - _serverContext(new TraceLevels(protocolPluginFacade), protocolPluginFacade->getCommunicator()), - _clientContext(new TraceLevels(protocolPluginFacade), protocolPluginFacade->getCommunicator()), - _randSeeded(0) -{ - // - // It is possible for multiple instances of OpenSSLPluginI to be created - // (one for each communicator). We use a mutex-protected counter to know - // when to initialize and clean up OpenSSL. - // - IceUtil::StaticMutex::Lock sync(staticMutex); - if(instanceCount == 0) - { - if(_memDebug != 0) - { - CRYPTO_malloc_debug_init(); - CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); - CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - } - else - { - CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); - } - - SSL_library_init(); - - SSL_load_error_strings(); - - OpenSSL_add_ssl_algorithms(); - } - ++instanceCount; -} - -IceSSL::OpenSSLPluginI::~OpenSSLPluginI() -{ - _serverContext.cleanUp(); - _clientContext.cleanUp(); - - unregisterThreads(); - - IceUtil::StaticMutex::Lock sync(staticMutex); - if(--instanceCount == 0) - { -#if OPENSSL_VERSION_NUMBER >= 0x0090700fL - ENGINE_cleanup(); - CRYPTO_cleanup_all_ex_data(); -#endif - - // TODO: Introduces a 72byte memory leak, if we kidnap the code from OpenSSL 0.9.7a for - // ENGINE_cleanup(), we can fix that. 
- - ERR_free_strings(); - ERR_remove_state(0); - - EVP_cleanup(); - - if(_memDebug != 0) - { - CRYPTO_mem_leaks_fp(stderr); - } - } -} - -SslTransceiverPtr -IceSSL::OpenSSLPluginI::createServerTransceiver(int socket, int timeout) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - // Configure the context if need be. - if(!isConfigured(IceSSL::Server)) - { - configure(IceSSL::Server); - } - - SslTransceiverPtr transceiver; - - return _serverContext.createTransceiver(socket, this, timeout); -} - -SslTransceiverPtr -IceSSL::OpenSSLPluginI::createClientTransceiver(int socket, int timeout) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - // Configure the context if need be. - if(!isConfigured(IceSSL::Client)) - { - configure(IceSSL::Client); - } - - SslTransceiverPtr transceiver; - - return _clientContext.createTransceiver(socket, this, timeout); -} - -bool -IceSSL::OpenSSLPluginI::isConfigured(ContextType contextType) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - bool retCode = false; - - switch(contextType) - { - case Client : - { - retCode = _clientContext.isConfigured(); - break; - } - - case Server : - { - retCode = _serverContext.isConfigured(); - break; - } - - case ClientServer : - { - retCode = _clientContext.isConfigured() && _serverContext.isConfigured(); - break; - } - } - - return retCode; -} - -void -IceSSL::OpenSSLPluginI::configure() -{ - string clientConfigFile = _properties->getProperty("IceSSL.Client.Config"); - string serverConfigFile = _properties->getProperty("IceSSL.Server.Config"); - - bool clientConfig = (clientConfigFile.empty() ? false : true); - bool serverConfig = (serverConfigFile.empty() ? 
false : true); - - if(clientConfig && serverConfig) - { - configure(ClientServer); - } - else if(clientConfig) - { - configure(Client); - } - else if(serverConfig) - { - configure(Server); - } -} - -void -IceSSL::OpenSSLPluginI::configure(ContextType contextType) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - switch(contextType) - { - case Client : - { - string configFile = _properties->getProperty("IceSSL.Client.Config"); - string certPath = _properties->getProperty("IceSSL.Client.CertPath"); - loadConfig(Client, configFile, certPath); - break; - } - - case Server : - { - string configFile = _properties->getProperty("IceSSL.Server.Config"); - string certPath = _properties->getProperty("IceSSL.Server.CertPath"); - loadConfig(Server, configFile, certPath); - break; - } - - case ClientServer : - { - string clientConfigFile = _properties->getProperty("IceSSL.Client.Config"); - string clientCertPath = _properties->getProperty("IceSSL.Client.CertPath"); - string serverConfigFile = _properties->getProperty("IceSSL.Server.Config"); - string serverCertPath = _properties->getProperty("IceSSL.Server.CertPath"); - - // Short cut, so that we only have to load the file once. 
- if((clientConfigFile == serverConfigFile) && (clientCertPath == serverCertPath)) - { - loadConfig(ClientServer, clientConfigFile, clientCertPath); - } - else - { - loadConfig(Client, clientConfigFile, clientCertPath); - loadConfig(Server, serverConfigFile, serverCertPath); - } - break; - } - } -} - -void -IceSSL::OpenSSLPluginI::loadConfig(ContextType contextType, - const string& configFile, - const string& certPath) -{ - if(configFile.empty()) - { - ConfigurationLoadingException configEx(__FILE__, __LINE__); - - string contextString; - - switch(contextType) - { - case Client : - { - contextString = "client"; - break; - } - - case Server : - { - contextString = "server"; - break; - } - - case ClientServer : - { - contextString = "client/server"; - break; - } - } - - configEx.message = "no ssl configuration file specified for "; - configEx.message += contextString; - - throw configEx; - } - - ConfigParser sslConfig(configFile, certPath, _traceLevels, getLogger()); - - // Actually parse the file now. - sslConfig.process(); - - if((contextType == Client || contextType == ClientServer)) - { - GeneralConfig clientGeneral; - CertificateAuthority clientCertAuth; - BaseCertificates clientBaseCerts; - - // Walk the parse tree, get the Client configuration. - if(sslConfig.loadClientConfig(clientGeneral, clientCertAuth, clientBaseCerts)) - { - initRandSystem(clientGeneral.getRandomBytesFiles()); - - _clientContext.configure(clientGeneral, clientCertAuth, clientBaseCerts); - } - } - - if((contextType == Server || contextType == ClientServer)) - { - GeneralConfig serverGeneral; - CertificateAuthority serverCertAuth; - BaseCertificates serverBaseCerts; - TempCertificates serverTempCerts; - - // Walk the parse tree, get the Server configuration. 
- if(sslConfig.loadServerConfig(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts)) - { - initRandSystem(serverGeneral.getRandomBytesFiles()); - - loadTempCerts(serverTempCerts); - - _serverContext.configure(serverGeneral, serverCertAuth, serverBaseCerts); - - if(_traceLevels->security >= SECURITY_PROTOCOL) - { - Trace out(getLogger(), _traceLevels->securityCat); - - out << "temporary certificates (server)\n"; - out << "-------------------------------\n"; - out << serverTempCerts << "\n"; - } - } - } -} - -RSA* -IceSSL::OpenSSLPluginI::getRSAKey(int isExport, int keyLength) -{ - IceUtil::Mutex::Lock sync(_tempRSAKeysMutex); - - RSA* rsa_tmp = 0; - - RSAMap::iterator retVal = _tempRSAKeys.find(keyLength); - - // Does the key already exist? - if(retVal != _tempRSAKeys.end()) - { - // Yes! Use it. - rsa_tmp = (*retVal).second->get(); - - assert(rsa_tmp != 0); - } - else - { - const RSACertMap::iterator& it = _tempRSAFileMap.find(keyLength); - - // First we try to load a private and public key from specified files - if(it != _tempRSAFileMap.end()) - { - CertificateDesc& rsaKeyCert = (*it).second; - - const string& privKeyFile = rsaKeyCert.getPrivate().getFileName(); - const string& pubCertFile = rsaKeyCert.getPublic().getFileName(); - - RSA* rsaCert = 0; - RSA* rsaKey = 0; - BIO* bio = 0; - - if((bio = BIO_new_file(pubCertFile.c_str(), "r")) != 0) - { - BIOJanitor bioJanitor(bio); - - rsaCert = PEM_read_bio_RSAPublicKey(bio, 0, 0, 0); - } - - if(rsaCert != 0) - { - if((bio = BIO_new_file(privKeyFile.c_str(), "r")) != 0) - { - BIOJanitor bioJanitor(bio); - - rsaKey = PEM_read_bio_RSAPrivateKey(bio, &rsaCert, 0, 0); - } - } - - // Now, if all was well, the Certificate and Key should both be loaded into - // rsaCert. We check to ensure that both are not 0, because if either are, - // one of the reads failed. 
- - if((rsaCert != 0) && (rsaKey != 0)) - { - rsa_tmp = rsaCert; - } - else - { - if(rsaCert != 0) - { - RSA_free(rsaCert); - rsaCert = 0; - } - } - } - - // Couldn't load file, last ditch effort - generate a key on the fly. - if(rsa_tmp == 0) - { - rsa_tmp = RSA_generate_key(keyLength, RSA_F4, 0, 0); - } - - // Save in our temporary key cache. - if(rsa_tmp != 0) - { - _tempRSAKeys[keyLength] = new RSAPrivateKey(rsa_tmp); - } - else if(_traceLevels->security >= SECURITY_WARNINGS) - { - Trace out(getLogger(), _traceLevels->securityCat); - out << "WRN Unable to obtain a " << dec << keyLength << "-bit RSA key.\n"; - } - } - - return rsa_tmp; -} - -DH* -IceSSL::OpenSSLPluginI::getDHParams(int isExport, int keyLength) -{ - IceUtil::Mutex::Lock sync(_tempDHKeysMutex); - - DH* dh_tmp = 0; - - const DHMap::iterator& retVal = _tempDHKeys.find(keyLength); - - // Does the key already exist? - if(retVal != _tempDHKeys.end()) - { - // Yes! Use it. - dh_tmp = (*retVal).second->get(); - } - else - { - const DHParamsMap::iterator& it = _tempDHParamsFileMap.find(keyLength); - - // First we try to load params from specified files - if(it != _tempDHParamsFileMap.end()) - { - DiffieHellmanParamsFile& dhParamsFile = (*it).second; - - string dhFile = dhParamsFile.getFileName(); - - dh_tmp = loadDHParam(dhFile.c_str()); - } - - // If that doesn't work, use a compiled-in group. - if(dh_tmp == 0) - { - switch(keyLength) - { - case 512 : - { - dh_tmp = getTempDH512(); - break; - } - - case 1024 : - { - dh_tmp = getTempDH1024(); - break; - } - - case 2048 : - { - dh_tmp = getTempDH2048(); - break; - } - - case 4096 : - { - dh_tmp = getTempDH4096(); - break; - } - } - } - - if(dh_tmp != 0) - { - // Cache the dh params for quick lookup - no - // extra processing required then. 
- _tempDHKeys[keyLength] = new DHParams(dh_tmp); - } - else if(_traceLevels->security >= SECURITY_WARNINGS) - { - Trace out(getLogger(), _traceLevels->securityCat); - out << "WRN Unable to obtain a " << dec << keyLength << "-bit Diffie-Hellman parameter group.\n"; - } - } - - return dh_tmp; -} - -void -IceSSL::OpenSSLPluginI::setCertificateVerifier(ContextType contextType, - const CertificateVerifierPtr& verifier) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - IceSSL::CertificateVerifierOpenSSLPtr castVerifier; - castVerifier = CertificateVerifierOpenSSLPtr::dynamicCast(verifier); - - if(!castVerifier.get()) - { - CertificateVerifierTypeException cvtEx(__FILE__, __LINE__); - throw cvtEx; - } - - castVerifier->setContext(contextType); - - if(contextType == Client || contextType == ClientServer) - { - _clientContext.setCertificateVerifier(castVerifier); - } - - if(contextType == Server || contextType == ClientServer) - { - _serverContext.setCertificateVerifier(castVerifier); - } -} - -void -IceSSL::OpenSSLPluginI::addTrustedCertificateBase64(ContextType contextType, const string& certString) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - if(contextType == Client || contextType == ClientServer) - { - _clientContext.addTrustedCertificateBase64(certString); - } - - if(contextType == Server || contextType == ClientServer) - { - _serverContext.addTrustedCertificateBase64(certString); - } -} - -void -IceSSL::OpenSSLPluginI::addTrustedCertificate(ContextType contextType, const Ice::ByteSeq& certSeq) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - if(contextType == Client || contextType == ClientServer) - { - _clientContext.addTrustedCertificate(certSeq); - } - - if(contextType == Server || contextType == ClientServer) - { - _serverContext.addTrustedCertificate(certSeq); - } -} - -void -IceSSL::OpenSSLPluginI::setRSAKeysBase64(ContextType contextType, const string& privateKey, const string& publicKey) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - 
if(contextType == Client || contextType == ClientServer) - { - _clientContext.setRSAKeysBase64(privateKey, publicKey); - } - - if(contextType == Server || contextType == ClientServer) - { - _serverContext.setRSAKeysBase64(privateKey, publicKey); - } -} - -void -IceSSL::OpenSSLPluginI::setRSAKeys(ContextType contextType, - const ByteSeq& privateKey, - const ByteSeq& publicKey) -{ - IceUtil::RecMutex::Lock sync(_configMutex); - - if(contextType == Client || contextType == ClientServer) - { - _clientContext.setRSAKeys(privateKey, publicKey); - } - - if(contextType == Server || contextType == ClientServer) - { - _serverContext.setRSAKeys(privateKey, publicKey); - } -} - -CertificateVerifierPtr -IceSSL::OpenSSLPluginI::getDefaultCertVerifier() -{ - return new DefaultCertificateVerifier(getTraceLevels(), _protocolPluginFacade->getCommunicator()); -} - -CertificateVerifierPtr -IceSSL::OpenSSLPluginI::getSingleCertVerifier(const ByteSeq& certSeq) -{ - return new SingleCertificateVerifier(certSeq); -} - -void -IceSSL::OpenSSLPluginI::destroy() -{ -} - -TraceLevelsPtr -IceSSL::OpenSSLPluginI::getTraceLevels() const -{ - return _traceLevels; -} - -LoggerPtr -IceSSL::OpenSSLPluginI::getLogger() const -{ - // - // Don't cache the logger object. It might not be set on the - // communicator when the plug-in is initialized. - // - return _protocolPluginFacade->getCommunicator()->getLogger(); -} - -StatsPtr -IceSSL::OpenSSLPluginI::getStats() const -{ - // - // Don't cache the stats object. It might not be set on the - // communicator when the plug-in is initialized. 
- // - try - { - return _protocolPluginFacade->getCommunicator()->getStats(); - } - catch(const CommunicatorDestroyedException&) - { - return 0; - } -} - -PropertiesPtr -IceSSL::OpenSSLPluginI::getProperties() const -{ - return _properties; -} - -IceInternal::ProtocolPluginFacadePtr -IceSSL::OpenSSLPluginI::getProtocolPluginFacade() const -{ - return _protocolPluginFacade; -} - -// -// Private -// - -int -IceSSL::OpenSSLPluginI::seedRand() -{ -#ifdef WINDOWS - RAND_screen(); -#endif - - char buffer[1024]; - const char* file = RAND_file_name(buffer, sizeof(buffer)); - - if(file == 0) - { - return 0; - } - - return RAND_load_file(file, -1); -} - -long -IceSSL::OpenSSLPluginI::loadRandFiles(const string& names) -{ - if(!names.empty()) - { - return 0; - } - - long tot = 0; - int egd; - - // Make a modifiable copy of the string. - char* namesString = new char[names.length() + 1]; - assert(namesString != 0); - - strcpy(namesString, names.c_str()); - -#ifdef _WIN32 - const char* seps = ";"; -#else - const char* seps = ":"; -#endif - - char* token = strtok(namesString, seps); - - while(token != 0) - { - egd = RAND_egd(token); - - if(egd > 0) - { - tot += egd; - } - else - { - tot += RAND_load_file(token, -1); - } - - token = strtok(0, seps); - } - - if(tot > 512) - { - _randSeeded = 1; - } - - delete []namesString; - - return tot; -} - -void -IceSSL::OpenSSLPluginI::initRandSystem(const string& randBytesFiles) -{ - if(_randSeeded) - { - return; - } - - long randBytesLoaded = seedRand(); - - if(!randBytesFiles.empty()) - { - randBytesLoaded += loadRandFiles(randBytesFiles); - } - - if(!randBytesLoaded && !RAND_status() && (_traceLevels->security >= SECURITY_WARNINGS)) - { - // In this case, there are two options open to us - specify a random data file using the - // RANDFILE environment variable, or specify additional random data files in the - // SSL configuration file. 
- Trace out(getLogger(), _traceLevels->securityCat); - out << "WRN there is a lack of random data, consider specifying additional random data files"; - } - - _randSeeded = (randBytesLoaded > 0 ? 1 : 0); -} - -void -IceSSL::OpenSSLPluginI::loadTempCerts(TempCertificates& tempCerts) -{ - RSAVector::iterator iRSA = tempCerts.getRSACerts().begin(); - RSAVector::iterator eRSA = tempCerts.getRSACerts().end(); - - while(iRSA != eRSA) - { - _tempRSAFileMap[(*iRSA).getKeySize()] = *iRSA; - iRSA++; - } - - DHVector::iterator iDHP = tempCerts.getDHParams().begin(); - DHVector::iterator eDHP = tempCerts.getDHParams().end(); - - while(iDHP != eDHP) - { - _tempDHParamsFileMap[(*iDHP).getKeySize()] = *iDHP; - iDHP++; - } -} - -// -// Note: These two methods are used to remember each thread that uses the IceSSL plugin, -// and then clean up the thread-specific error queue on plugin shutdown. -// - -void -IceSSL::OpenSSLPluginI::registerThread() -{ - unsigned long threadID = idFunction(); - - IceUtil::Mutex::Lock sync(_threadIdCacheMutex); - - if(find(_threadIdCache.begin(), _threadIdCache.end(), threadID) == _threadIdCache.end()) - { - _threadIdCache.push_back(threadID); - } -} - -void -IceSSL::OpenSSLPluginI::unregisterThreads() -{ - IceUtil::Mutex::Lock sync(_threadIdCacheMutex); - - for_each(_threadIdCache.begin(), _threadIdCache.end(), ERR_remove_state); -} - diff --git a/cpp/src/IceSSL/OpenSSLPluginI.h b/cpp/src/IceSSL/OpenSSLPluginI.h deleted file mode 100644 index 57f2c91c1f4..00000000000 --- a/cpp/src/IceSSL/OpenSSLPluginI.h +++ /dev/null 
@@ -1,140 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_OPENSSL_PLUGIN_I_H -#define ICE_SSL_OPENSSL_PLUGIN_I_H - -#include <IceUtil/RecMutex.h> - -#include <Ice/LoggerF.h> -#include <Ice/StatsF.h> -#include <Ice/PropertiesF.h> -#include <Ice/ProtocolPluginFacadeF.h> - -#include <IceSSL/OpenSSLPluginIF.h> -#include <IceSSL/CertificateVerifierF.h> -#include <IceSSL/TraceLevelsF.h> -#include <IceSSL/SslTransceiverF.h> -#include <IceSSL/RSAPrivateKeyF.h> - -#include <IceSSL/Plugin.h> -#include <IceSSL/CertificateDesc.h> -#include <IceSSL/CertificateAuthority.h> -#include <IceSSL/BaseCerts.h> -#include <IceSSL/TempCerts.h> -#include <IceSSL/ServerContext.h> -#include <IceSSL/ClientContext.h> -#include <IceSSL/DHParamsF.h> - -#include <openssl/ssl.h> - -namespace IceSSL -{ - -typedef std::map<int,RSAPrivateKeyPtr> RSAMap; -typedef std::map<int,DHParamsPtr> DHMap; - -typedef std::map<int,CertificateDesc> RSACertMap; -typedef std::map<int,DiffieHellmanParamsFile> DHParamsMap; - -class OpenSSLPluginI : public Plugin -{ -public: - - OpenSSLPluginI(const IceInternal::ProtocolPluginFacadePtr&); - virtual ~OpenSSLPluginI(); - - SslTransceiverPtr createServerTransceiver(int, int); - SslTransceiverPtr createClientTransceiver(int, int); - - virtual bool isConfigured(ContextType); - virtual void configure(); - virtual void configure(ContextType); - virtual void loadConfig(ContextType, const ::std::string&, const ::std::string&); - - // Returns the desired RSA Key, or creates it if not already created. - // This is public because the tmpRSACallback must be able to access it. - RSA* getRSAKey(int, int); - - // Returns the desired DH Params. 
If the Params do not already exist, and the key - // requested is a 512bit or 1024bit key, we use the compiled-in temporary params. - // If the key is some other length, we read the desired key, based on length, - // from a DH Param file. - // This is public because the tmpDHCallback must be able to access it. - DH* getDHParams(int, int); - - virtual void setCertificateVerifier(ContextType, const CertificateVerifierPtr&); - virtual void addTrustedCertificateBase64(ContextType, const std::string&); - virtual void addTrustedCertificate(ContextType, const Ice::ByteSeq&); - virtual void setRSAKeysBase64(ContextType, const std::string&, const std::string&); - virtual void setRSAKeys(ContextType, const ::Ice::ByteSeq&, const ::Ice::ByteSeq&); - - virtual IceSSL::CertificateVerifierPtr getDefaultCertVerifier(); - virtual IceSSL::CertificateVerifierPtr getSingleCertVerifier(const Ice::ByteSeq&); - virtual void destroy(); - - TraceLevelsPtr getTraceLevels() const; - Ice::LoggerPtr getLogger() const; - Ice::StatsPtr getStats() const; - Ice::PropertiesPtr getProperties() const; - IceInternal::ProtocolPluginFacadePtr getProtocolPluginFacade() const; - -private: - - const IceInternal::ProtocolPluginFacadePtr _protocolPluginFacade; - const TraceLevelsPtr _traceLevels; - const Ice::PropertiesPtr _properties; - const int _memDebug; - - IceSSL::ServerContext _serverContext; - IceSSL::ClientContext _clientContext; - - // Mutex to ensure synchronization of calls to configure - // the contexts and calls to create connections. - IceUtil::RecMutex _configMutex; - - // Keep a cache of all temporary RSA keys. - RSAMap _tempRSAKeys; - IceUtil::Mutex _tempRSAKeysMutex; - - // Keep a cache of all temporary Diffie-Hellman keys. - DHMap _tempDHKeys; - IceUtil::Mutex _tempDHKeysMutex; - - // Maps of all temporary keying information. - // The files themselves will not be loaded until - // needed. 
- RSACertMap _tempRSAFileMap; - DHParamsMap _tempDHParamsFileMap; - - // Flag as to whether the Random Number system has been seeded. - int _randSeeded; - - // Cryptographic Random Number System related routines. - int seedRand(); - long loadRandFiles(const std::string&); - void initRandSystem(const std::string&); - - // Load the temporary (ephemeral) certificates for Server operations. - void loadTempCerts(TempCertificates&); - - friend class SslTransceiver; - friend class SslClientTransceiver; - friend class SslServerTransceiver; - - IceUtil::Mutex _threadIdCacheMutex; - std::vector<unsigned long> _threadIdCache; - - void registerThread(); - void unregisterThreads(); -}; - -} - -#endif diff --git a/cpp/src/IceSSL/OpenSSLPluginIF.h b/cpp/src/IceSSL/OpenSSLPluginIF.h deleted file mode 100644 index de7212ea018..00000000000 --- a/cpp/src/IceSSL/OpenSSLPluginIF.h +++ /dev/null @@ -1,31 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_OPENSSL_PLUGIN_I_F_H -#define ICE_SSL_OPENSSL_PLUGIN_I_F_H - -#include <Ice/Handle.h> - -namespace IceSSL -{ - -class OpenSSLPluginI; -typedef IceInternal::Handle<OpenSSLPluginI> OpenSSLPluginIPtr; - -} - -namespace IceInternal -{ - -void incRef(IceSSL::OpenSSLPluginI*); -void decRef(IceSSL::OpenSSLPluginI*); - -} - -#endif diff --git a/cpp/src/IceSSL/OpenSSLUtils.cpp b/cpp/src/IceSSL/OpenSSLUtils.cpp deleted file mode 100644 index 52c0154ba62..00000000000 --- a/cpp/src/IceSSL/OpenSSLUtils.cpp +++ /dev/null 
@@ -1,519 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceUtil/DisableWarnings.h> -#include <IceUtil/StaticMutex.h> -#include <IceSSL/OpenSSLPluginI.h> -#include <IceSSL/OpenSSLUtils.h> -#include <IceSSL/SslTransceiver.h> - -#include <openssl/err.h> - -using namespace std; - -// The following arrays are compiled-in diffie hellman group parameters. -// These are used when OpenSSL opts to use ephemeral diffie-hellman keys -// and no group parameters have been supplied in the SSL configuration -// files. These are known strong primes, distributed with the OpenSSL -// library in the files dh512.pem, dh1024.pem, dh2048.pem and dh4096.pem. -// They are not keys themselves, but the basis for generating DH keys -// on the fly. 
- -static unsigned char dh512_p[] = -{ - 0xF5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C, - 0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29, - 0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B, - 0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C, - 0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55, - 0xE9,0x2A,0x05,0x5F, -}; - -static unsigned char dh512_g[] = { 0x02, }; - -static unsigned char dh1024_p[] = -{ - 0xF4,0x88,0xFD,0x58,0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4, - 0x91,0x07,0x36,0x6B,0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C, - 0x88,0xB3,0x1C,0x7C,0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0, - 0x43,0xF0,0xA5,0x5B,0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D, - 0x38,0xD3,0x34,0xFD,0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C, - 0xDE,0x33,0x21,0x2C,0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40, - 0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03, - 0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB, - 0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D, - 0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB, - 0xA2,0x5E,0xC3,0x55,0xE9,0x2F,0x78,0xC7, -}; - -static unsigned char dh1024_g[] = { 0x02, }; - -static unsigned char dh2048_p[] = -{ - 0xF6,0x42,0x57,0xB7,0x08,0x7F,0x08,0x17,0x72,0xA2,0xBA,0xD6, - 0xA9,0x42,0xF3,0x05,0xE8,0xF9,0x53,0x11,0x39,0x4F,0xB6,0xF1, - 0x6E,0xB9,0x4B,0x38,0x20,0xDA,0x01,0xA7,0x56,0xA3,0x14,0xE9, - 0x8F,0x40,0x55,0xF3,0xD0,0x07,0xC6,0xCB,0x43,0xA9,0x94,0xAD, - 0xF7,0x4C,0x64,0x86,0x49,0xF8,0x0C,0x83,0xBD,0x65,0xE9,0x17, - 0xD4,0xA1,0xD3,0x50,0xF8,0xF5,0x59,0x5F,0xDC,0x76,0x52,0x4F, - 0x3D,0x3D,0x8D,0xDB,0xCE,0x99,0xE1,0x57,0x92,0x59,0xCD,0xFD, - 0xB8,0xAE,0x74,0x4F,0xC5,0xFC,0x76,0xBC,0x83,0xC5,0x47,0x30, - 0x61,0xCE,0x7C,0xC9,0x66,0xFF,0x15,0xF9,0xBB,0xFD,0x91,0x5E, - 0xC7,0x01,0xAA,0xD3,0x5B,0x9E,0x8D,0xA0,0xA5,0x72,0x3A,0xD4, - 0x1A,0xF0,0xBF,0x46,0x00,0x58,0x2B,0xE5,0xF4,0x88,0xFD,0x58, - 0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B, - 
0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C, - 0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B, - 0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD, - 0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C, - 0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C, - 0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29, - 0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B, - 0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C, - 0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55, - 0xE9,0x32,0x0B,0x3B, -}; - -static unsigned char dh2048_g[] = { 0x02, }; - -static unsigned char dh4096_p[] = -{ - 0xFA,0x14,0x72,0x52,0xC1,0x4D,0xE1,0x5A,0x49,0xD4,0xEF,0x09, - 0x2D,0xC0,0xA8,0xFD,0x55,0xAB,0xD7,0xD9,0x37,0x04,0x28,0x09, - 0xE2,0xE9,0x3E,0x77,0xE2,0xA1,0x7A,0x18,0xDD,0x46,0xA3,0x43, - 0x37,0x23,0x90,0x97,0xF3,0x0E,0xC9,0x03,0x50,0x7D,0x65,0xCF, - 0x78,0x62,0xA6,0x3A,0x62,0x22,0x83,0xA1,0x2F,0xFE,0x79,0xBA, - 0x35,0xFF,0x59,0xD8,0x1D,0x61,0xDD,0x1E,0x21,0x13,0x17,0xFE, - 0xCD,0x38,0x87,0x9E,0xF5,0x4F,0x79,0x10,0x61,0x8D,0xD4,0x22, - 0xF3,0x5A,0xED,0x5D,0xEA,0x21,0xE9,0x33,0x6B,0x48,0x12,0x0A, - 0x20,0x77,0xD4,0x25,0x60,0x61,0xDE,0xF6,0xB4,0x4F,0x1C,0x63, - 0x40,0x8B,0x3A,0x21,0x93,0x8B,0x79,0x53,0x51,0x2C,0xCA,0xB3, - 0x7B,0x29,0x56,0xA8,0xC7,0xF8,0xF4,0x7B,0x08,0x5E,0xA6,0xDC, - 0xA2,0x45,0x12,0x56,0xDD,0x41,0x92,0xF2,0xDD,0x5B,0x8F,0x23, - 0xF0,0xF3,0xEF,0xE4,0x3B,0x0A,0x44,0xDD,0xED,0x96,0x84,0xF1, - 0xA8,0x32,0x46,0xA3,0xDB,0x4A,0xBE,0x3D,0x45,0xBA,0x4E,0xF8, - 0x03,0xE5,0xDD,0x6B,0x59,0x0D,0x84,0x1E,0xCA,0x16,0x5A,0x8C, - 0xC8,0xDF,0x7C,0x54,0x44,0xC4,0x27,0xA7,0x3B,0x2A,0x97,0xCE, - 0xA3,0x7D,0x26,0x9C,0xAD,0xF4,0xC2,0xAC,0x37,0x4B,0xC3,0xAD, - 0x68,0x84,0x7F,0x99,0xA6,0x17,0xEF,0x6B,0x46,0x3A,0x7A,0x36, - 0x7A,0x11,0x43,0x92,0xAD,0xE9,0x9C,0xFB,0x44,0x6C,0x3D,0x82, - 0x49,0xCC,0x5C,0x6A,0x52,0x42,0xF8,0x42,0xFB,0x44,0xF9,0x39, - 
0x73,0xFB,0x60,0x79,0x3B,0xC2,0x9E,0x0B,0xDC,0xD4,0xA6,0x67, - 0xF7,0x66,0x3F,0xFC,0x42,0x3B,0x1B,0xDB,0x4F,0x66,0xDC,0xA5, - 0x8F,0x66,0xF9,0xEA,0xC1,0xED,0x31,0xFB,0x48,0xA1,0x82,0x7D, - 0xF8,0xE0,0xCC,0xB1,0xC7,0x03,0xE4,0xF8,0xB3,0xFE,0xB7,0xA3, - 0x13,0x73,0xA6,0x7B,0xC1,0x0E,0x39,0xC7,0x94,0x48,0x26,0x00, - 0x85,0x79,0xFC,0x6F,0x7A,0xAF,0xC5,0x52,0x35,0x75,0xD7,0x75, - 0xA4,0x40,0xFA,0x14,0x74,0x61,0x16,0xF2,0xEB,0x67,0x11,0x6F, - 0x04,0x43,0x3D,0x11,0x14,0x4C,0xA7,0x94,0x2A,0x39,0xA1,0xC9, - 0x90,0xCF,0x83,0xC6,0xFF,0x02,0x8F,0xA3,0x2A,0xAC,0x26,0xDF, - 0x0B,0x8B,0xBE,0x64,0x4A,0xF1,0xA1,0xDC,0xEE,0xBA,0xC8,0x03, - 0x82,0xF6,0x62,0x2C,0x5D,0xB6,0xBB,0x13,0x19,0x6E,0x86,0xC5, - 0x5B,0x2B,0x5E,0x3A,0xF3,0xB3,0x28,0x6B,0x70,0x71,0x3A,0x8E, - 0xFF,0x5C,0x15,0xE6,0x02,0xA4,0xCE,0xED,0x59,0x56,0xCC,0x15, - 0x51,0x07,0x79,0x1A,0x0F,0x25,0x26,0x27,0x30,0xA9,0x15,0xB2, - 0xC8,0xD4,0x5C,0xCC,0x30,0xE8,0x1B,0xD8,0xD5,0x0F,0x19,0xA8, - 0x80,0xA4,0xC7,0x01,0xAA,0x8B,0xBA,0x53,0xBB,0x47,0xC2,0x1F, - 0x6B,0x54,0xB0,0x17,0x60,0xED,0x79,0x21,0x95,0xB6,0x05,0x84, - 0x37,0xC8,0x03,0xA4,0xDD,0xD1,0x06,0x69,0x8F,0x4C,0x39,0xE0, - 0xC8,0x5D,0x83,0x1D,0xBE,0x6A,0x9A,0x99,0xF3,0x9F,0x0B,0x45, - 0x29,0xD4,0xCB,0x29,0x66,0xEE,0x1E,0x7E,0x3D,0xD7,0x13,0x4E, - 0xDB,0x90,0x90,0x58,0xCB,0x5E,0x9B,0xCD,0x2E,0x2B,0x0F,0xA9, - 0x4E,0x78,0xAC,0x05,0x11,0x7F,0xE3,0x9E,0x27,0xD4,0x99,0xE1, - 0xB9,0xBD,0x78,0xE1,0x84,0x41,0xA0,0xDF, -}; - -static unsigned char dh4096_g[] = { 0x02, }; - -// Ensures that the sslGetErrors() function is synchronized. -static IceUtil::StaticMutex sslErrorsMutex = ICE_STATIC_MUTEX_INITIALIZER; - -// -// NOTE: The following (mon, getGeneralizedTime, getUTCTime and getASN1time) -// are routines that have been abducted from the OpenSSL X509 library, -// and modified to work with the STL basic_string template. 
- -static const char* mon[12]= -{ - "Jan","Feb","Mar","Apr","May","Jun", - "Jul","Aug","Sep","Oct","Nov","Dec" -}; - -string -IceSSL::getGeneralizedTime(ASN1_GENERALIZEDTIME *tm) -{ - assert(tm != 0); - - char buf[30]; - int gmt = 0, y = 0, M = 0, d = 0, h = 0, m = 0, s = 0; - - int i = tm->length; - - char* v = (char *) tm->data; - - if(i < 12) - { - goto err; - } - - if(v[i-1] == 'Z') - { - gmt=1; - } - - for(i=0; i<12; i++) - { - if((v[i] > '9') || (v[i] < '0')) - { - goto err; - } - } - - y = (v[0] - '0') * 1000 + (v[1] - '0') * 100 + (v[2] - '0') * 10 + (v[3] - '0'); - M = (v[4] - '0') * 10 + (v[5] - '0'); - - if((M > 12) || (M < 1)) - { - goto err; - } - - d = (v[6] - '0') * 10 + (v[7] - '0'); - h = (v[8] - '0') * 10 + (v[9] - '0'); - m = (v[10] - '0') * 10 + (v[11] - '0'); - - if((v[12] >= '0') && (v[12] <= '9') && - (v[13] >= '0') && (v[13] <= '9')) - { - s = (v[12] - '0') * 10 + (v[13] - '0'); - } - - sprintf(buf, "%s %2d %02d:%02d:%02d %d%s", mon[M-1], d, h, m, s, y, (gmt)?" GMT":""); - return string(buf); - -err: - return string("Bad time value"); -} - -string -IceSSL::getUTCTime(ASN1_UTCTIME *tm) -{ - assert(tm != 0); - - char buf[30]; - int gmt = 0, y = 0, M = 0, d = 0, h = 0, m = 0, s = 0; - - int i = tm->length; - char* v = (char *) tm->data; - - if(i < 10) - { - goto err; - } - - if(v[i-1] == 'Z') - { - gmt=1; - } - - for(i = 0; i < 10; i++) - { - if((v[i] > '9') || (v[i] < '0')) - { - goto err; - } - } - - y = (v[0] - '0') * 10 + (v[1] - '0'); - - if(y < 50) - { - y+=100; - } - - M = (v[2] - '0') * 10 + (v[3] - '0'); - - if((M > 12) || (M < 1)) - { - goto err; - } - - d = (v[4] - '0') * 10 + (v[5] - '0'); - h = (v[6] - '0') * 10 + (v[7] - '0'); - m = (v[8] - '0') * 10 + (v[9] - '0'); - - if((v[10] >= '0') && (v[10] <= '9') && (v[11] >= '0') && (v[11] <= '9')) - { - s = (v[10] - '0') * 10 + (v[11] - '0'); - } - - sprintf(buf, "%s %2d %02d:%02d:%02d %d%s", mon[M-1], d, h, m, s, y+1900, (gmt)?" 
GMT":""); - return string(buf); - -err: - return string("Bad time value"); -} - -string -IceSSL::getASN1time(ASN1_TIME *tm) -{ - assert(tm != 0); - - string theTime; - - switch(tm->type) - { - case V_ASN1_UTCTIME : - { - theTime = getUTCTime(tm); - break; - } - - case V_ASN1_GENERALIZEDTIME : - { - theTime = getGeneralizedTime(tm); - break; - } - - default : - { - theTime = "Bad time value"; - break; - } - } - - return theTime; -} - -DH* -IceSSL::loadDHParam(const char* dhfile) -{ - assert(dhfile != 0); - - DH* ret = 0; - BIO* bio = BIO_new_file(dhfile,"r"); - - if(bio != 0) - { - ret = PEM_read_bio_DHparams(bio, 0, 0, 0); - BIO_free(bio); - } - - return ret; -} - -DH* -IceSSL::getTempDH(unsigned char* p, int plen, unsigned char* g, int glen) -{ - assert(p != 0); - assert(g != 0); - - DH* dh = DH_new(); - - if(dh != 0) - { - dh->p = BN_bin2bn(p, plen, 0); - - dh->g = BN_bin2bn(g, glen, 0); - - if((dh->p == 0) || (dh->g == 0)) - { - // Note: Clears both p and g if they are not NULL. - DH_free(dh); - dh = 0; - } - } - - return dh; -} - -DH* -IceSSL::getTempDH512() -{ - return getTempDH(dh512_p, (int) sizeof(dh512_p), dh512_g, (int) sizeof(dh512_g)); -} - -DH* -IceSSL::getTempDH1024() -{ - return getTempDH(dh1024_p, (int) sizeof(dh1024_p), dh1024_g, (int) sizeof(dh1024_g)); -} - -DH* -IceSSL::getTempDH2048() -{ - return getTempDH(dh2048_p, (int) sizeof(dh2048_p), dh2048_g, (int) sizeof(dh2048_g)); -} - -DH* -IceSSL::getTempDH4096() -{ - return getTempDH(dh4096_p, (int) sizeof(dh4096_p), dh4096_g, (int) sizeof(dh4096_g)); -} - -string -IceSSL::sslGetErrors() -{ - IceUtil::StaticMutex::Lock sync(sslErrorsMutex); - - string errorMessage; - char buf[200]; - char bigBuffer[1024]; - const char* file = 0; - const char* data = 0; - int line = 0; - int flags = 0; - unsigned long errorCode = 0; - int errorNum = 1; - - unsigned long es = CRYPTO_thread_id(); - - while((errorCode = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) - { - sprintf(bigBuffer,"%6d - Thread 
ID: %lu\n", errorNum, es); - errorMessage += bigBuffer; - - sprintf(bigBuffer,"%6d - Error: %lu\n", errorNum, errorCode); - errorMessage += bigBuffer; - - // Request an error from the OpenSSL library - ERR_error_string_n(errorCode, buf, sizeof(buf)); - sprintf(bigBuffer,"%6d - Message: %s\n", errorNum, buf); - errorMessage += bigBuffer; - - sprintf(bigBuffer,"%6d - Location: %s, %d\n", errorNum, file, line); - errorMessage += bigBuffer; - - if(flags & ERR_TXT_STRING) - { - sprintf(bigBuffer,"%6d - Data: %s\n", errorNum, data); - errorMessage += bigBuffer; - } - - errorNum++; - } - - ERR_clear_error(); - - return errorMessage; -} - -static const char* errorStrings[] = -{ - "Unable to get issuer's certificate.", - "Unable to get certificate revocation list.", - "Unable to decrypt certificate signature.", - "Unable to decrypt certificate revocation list signature.", - "Unable to decode issuer's public key.", - "Certificate signature failure.", - "Certificate revocation list signature failure.", - "Certificate not yet valid.", - "Certificate has expired.", - "Certificate revocation list not yet valid.", - "Certificate revocation list has expired.", - "Error in certificate's \"not before\" field", - "Error in certificate's \"not after\" field", - "Error in the certificate revocation list's \"last update\" field", - "Error in the certificate revocation list's \"next update\" field", - "Out of memory failure.", - "Encountered a zero-depth self-signed certificate.", - "Encountered self-signed certificate in the certificate chain.", - "Unable to get issuer certificate locally.", - "Unable to verify leaf signature.", - "Certificate chain too long.", - "Certificate has been revoked.", - "Invalid certificate authority.", - "Certificate Authority path length exceeded.", - "Invalid certificate purpose.", - "Certificate is untrusted.", - "Certificate is rejected.", - "Subject and Issuer do not match.", - "AKID/SKID mismatch.", - "AKID and Issuer Serial mismatch.", - "Key usage 
precludes certifiicate signing.", - "Application verification." -}; - -string -IceSSL::getVerificationError(long errorCode) -{ - string errString; - - if(errorCode > X509_V_ERR_KEYUSAGE_NO_CERTSIGN) - { - if(errorCode == X509_V_ERR_APPLICATION_VERIFICATION) - { - errString = "Application Verification error."; - } - else - { - ostringstream errStream; - errStream << "Unknown error code: " << dec << errorCode << "."; - errString = errStream.str(); - } - } - else - { - errorCode -= 2; - errString = errorStrings[errorCode]; - } - - return errString; -} - -extern "C" -{ - -RSA* -tmpRSACallback(SSL* sslConnection, int isExport, int keyLength) -{ - assert(sslConnection != 0); - - void* p = SSL_get_ex_data(sslConnection, 0); - assert(p != 0); - IceSSL::OpenSSLPluginI* openSslPlugin = static_cast<IceSSL::OpenSSLPluginI*>(p); - assert(openSslPlugin != 0); - - return openSslPlugin->getRSAKey(isExport, keyLength); -} - -DH* -tmpDHCallback(SSL* sslConnection, int isExport, int keyLength) -{ - assert(sslConnection != 0); - - void* p = SSL_get_ex_data(sslConnection, 0); - assert(p != 0); - IceSSL::OpenSSLPluginI* openSslPlugin = static_cast<IceSSL::OpenSSLPluginI*>(p); - - assert(openSslPlugin != 0); - - return openSslPlugin->getDHParams(isExport, keyLength); -} - -// verifyCallback - Certificate Verification callback function. -int -verifyCallback(int ok, X509_STORE_CTX* ctx) -{ - assert(ctx != 0); - - // Tricky method to get access to our connection. I would use - // SSL_get_ex_data() to get the Connection object, if only I had - // some way to retrieve the index of the object in this function. - // Hence, we have to invent our own reference system here. 
- SSL* sslConnection = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); - assert(sslConnection != 0); - - IceSSL::SslTransceiverPtr transceiver = IceSSL::SslTransceiver::getTransceiver(sslConnection); - assert(transceiver != 0); - - // Call the connection, get it to perform the verification. - return transceiver->verifyCertificate(ok, ctx); -} - -} diff --git a/cpp/src/IceSSL/OpenSSLUtils.h b/cpp/src/IceSSL/OpenSSLUtils.h deleted file mode 100644 index 3bba800d54e..00000000000 --- a/cpp/src/IceSSL/OpenSSLUtils.h +++ /dev/null @@ -1,49 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceUtil/Config.h> - -#include <openssl/ssl.h> - -namespace IceSSL -{ - -std::string getGeneralizedTime(ASN1_GENERALIZEDTIME*); - -std::string getUTCTime(ASN1_UTCTIME*); - -std::string getASN1time(ASN1_TIME*); - -DH* loadDHParam(const char*); - -DH* getTempDH(unsigned char*, int, unsigned char*, int); - -DH* getTempDH512(); -DH* getTempDH1024(); -DH* getTempDH2048(); -DH* getTempDH4096(); - -std::string sslGetErrors(); - -std::string getVerificationError(long); - -} - -extern "C" -{ - -RSA* tmpRSACallback(SSL*, int, int); - -DH* tmpDHCallback(SSL*, int, int); - -int verifyCallback(int, X509_STORE_CTX*); - -int passwordCallback(char*, int, int, void*); - -} diff --git a/cpp/src/IceSSL/PluginI.cpp b/cpp/src/IceSSL/PluginI.cpp new file mode 100644 index 00000000000..f3a10359b2d --- /dev/null +++ b/cpp/src/IceSSL/PluginI.cpp 
@@ -0,0 +1,260 @@ +// ********************************************************************** +// +// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. +// +// This copy of Ice is licensed to you under the terms described in the +// ICE_LICENSE file included in this distribution. +// +// ********************************************************************** + +#include <PluginI.h> +#include <Instance.h> +#include <Util.h> +#include <Ice/BuiltinSequences.h> +#include <Ice/Communicator.h> +#include <Ice/LocalException.h> +#include <Ice/Logger.h> +#include <Ice/Properties.h> +#include <IceUtil/StaticMutex.h> + +#include <openssl/crypto.h> +#include <openssl/err.h> +#include <openssl/evp.h> +#include <openssl/rand.h> +#include <openssl/ssl.h> + +using namespace std; +using namespace Ice; +using namespace IceSSL; + +#ifndef ICE_SSL_API +# ifdef ICE_SSL_API_EXPORTS +# define ICE_SSL_API ICE_DECLSPEC_EXPORT +# else +# define ICE_SSL_API ICE_DECLSPEC_IMPORT +# endif +#endif + +// +// Plugin factory function. +// +extern "C" +{ + +ICE_SSL_API Ice::Plugin* +create(const CommunicatorPtr& communicator, const string& name, const StringSeq& args) +{ + PluginI* plugin = new PluginI(communicator); + return plugin; +} + +} + +static IceUtil::StaticMutex staticMutex = ICE_STATIC_MUTEX_INITIALIZER; +static int instanceCount = 0; +static IceUtil::Mutex* locks = 0; + +// +// OpenSSL mutex callback. +// +static void opensslLockCallback(int mode, int n, const char* file, int line) +{ + if(mode & CRYPTO_LOCK) + { + locks[n].lock(); + } + else + { + locks[n].unlock(); + } +} + +// +// OpenSSL thread id callback. +// +static unsigned long +opensslThreadIdCallback() +{ +#if defined(_WIN32) + return static_cast<unsigned long>(GetCurrentThreadId()); +#elif defined(__FreeBSD__) || defined(__APPLE__) || defined(__osf1__) + // + // On some platforms, pthread_t is a pointer to a per-thread structure. 
+ // + return reinterpret_cast<unsigned long>(pthread_self()); +#elif (defined(__linux) || defined(__sun) || defined(__hpux)) || defined(_AIX) + // + // On Linux, Solaris, HP-UX and AIX, pthread_t is an integer. + // + return static_cast<unsigned long>(pthread_self()); +#else +# error "Unknown platform" +#endif +} + +// +// VerifyInfo constructor. +// +IceSSL::VerifyInfo::VerifyInfo() : + incoming(false), + cert(0), + ssl(0) +{ +} + +// +// Plugin implementation. +// +IceSSL::PluginI::PluginI(const Ice::CommunicatorPtr& communicator) +{ + setupSSL(communicator); + + _instance = new Instance(communicator); +} + +void +IceSSL::PluginI::destroy() +{ + _instance->destroy(); + _instance = 0; + + cleanupSSL(); +} + +void +IceSSL::PluginI::initialize(SSL_CTX* clientContext, SSL_CTX* serverContext) +{ + _instance->initialize(clientContext, serverContext); +} + +void +IceSSL::PluginI::setCertificateVerifier(const CertificateVerifierPtr& verifier) +{ + _instance->setCertificateVerifier(verifier); +} + +void +IceSSL::PluginI::setPasswordPrompt(const PasswordPromptPtr& prompt) +{ + _instance->setPasswordPrompt(prompt); +} + +SSL_CTX* +IceSSL::PluginI::clientContext() +{ + return _instance->clientContext()->ctx(); +} + +SSL_CTX* +IceSSL::PluginI::serverContext() +{ + return _instance->serverContext()->ctx(); +} + +void +IceSSL::PluginI::setupSSL(const CommunicatorPtr& communicator) +{ + // + // Initialize OpenSSL. + // + IceUtil::StaticMutex::Lock sync(staticMutex); + instanceCount++; + + if(instanceCount == 1) + { + PropertiesPtr properties = communicator->getProperties(); + + // + // Create the mutexes and set the callbacks. + // + locks = new IceUtil::Mutex[CRYPTO_num_locks()]; + CRYPTO_set_locking_callback(opensslLockCallback); + CRYPTO_set_id_callback(opensslThreadIdCallback); + + // + // Load human-readable error messages. + // + SSL_load_error_strings(); + + // + // Initialize the SSL library. + // + SSL_library_init(); + + // + // Initialize the PRNG. 
+ // +#ifdef WINDOWS + RAND_screen(); // Uses data from the screen if possible. +#endif + char randFile[1024]; + if(RAND_file_name(randFile, sizeof(randFile))) // Gets the name of a default seed file. + { + RAND_load_file(randFile, 1024); + } + string randFiles = properties->getProperty("IceSSL.Random"); + if(!randFiles.empty()) + { + vector<string> files; +#ifdef _WIN32 + const string sep = ";"; +#else + const string sep = ":"; +#endif + if(!splitString(randFiles, sep, false, files)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: invalid value for IceSSL.Random:\n" + randFiles; + throw ex; + } + for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) + { + if(!RAND_load_file(p->c_str(), 1024)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: unable to load entropy data from " + *p; + throw ex; + } + } + } +#ifndef _WIN32 + // + // The Entropy Gathering Daemon (EGD) is not available on Windows. + // The file should be a Unix domain socket for the daemon. + // + string entropyDaemon = properties->getProperty("IceSSL.EntropyDaemon"); + if(!entropyDaemon.empty()) + { + if(RAND_egd(entropyDaemon.c_str()) <= 0) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: EGD failure using file " + entropyDaemon; + throw ex; + } + } +#endif + if(!RAND_status()) + { + communicator->getLogger()->warning("IceSSL: insufficient data to initialize PRNG"); + } + } +} + +void +IceSSL::PluginI::cleanupSSL() +{ + IceUtil::StaticMutex::Lock sync(staticMutex); + + if(--instanceCount == 0) + { + CRYPTO_set_locking_callback(0); + CRYPTO_set_id_callback(0); + delete[] locks; + locks = 0; + + CRYPTO_cleanup_all_ex_data(); + RAND_cleanup(); + ERR_free_strings(); + EVP_cleanup(); + } +} diff --git a/cpp/src/IceSSL/PluginI.h b/cpp/src/IceSSL/PluginI.h new file mode 100644 index 00000000000..8da74a0667a --- /dev/null +++ b/cpp/src/IceSSL/PluginI.h 
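Review bot: In `setupSSL`, `instanceCount++` runs before the initialization body, so a `PluginInitializationException` thrown from the `IceSSL.Random` or `IceSSL.EntropyDaemon` checks leaves the count incremented with no matching `cleanupSSL()` — the constructor never completes, so `destroy()` is never called — and the next plugin instance then sees `instanceCount == 2`, skips the PRNG seeding entirely and inherits the locking callbacks and `locks` array the failed attempt left installed. Counting the instance only after the body succeeds, and unwinding the callbacks and `locks` on failure, keeps the static state consistent; a sketch follows. The constructor has the same shape: if `new Instance(communicator)` throws after `setupSSL` returns, the count is also left high, so wrapping that call in a `try`/`catch(...)` that calls `cleanupSSL()` and rethrows would close the other path. Separately, the `!RAND_status()` branch only logs a warning and lets a TLS plugin continue on an insufficiently seeded PRNG; raising `PluginInitializationException` there instead, or a comment stating why it is deliberately non-fatal, would be the safer default.
```cpp
void
IceSSL::PluginI::setupSSL(const CommunicatorPtr& communicator)
{
    IceUtil::StaticMutex::Lock sync(staticMutex);

    if(instanceCount == 0)
    {
        try
        {
            // … unchanged: lock/callback setup, SSL_load_error_strings, SSL_library_init, PRNG seeding …
        }
        catch(...)
        {
            //
            // Undo the partial initialization so a later instance starts clean.
            //
            CRYPTO_set_locking_callback(0);
            CRYPTO_set_id_callback(0);
            delete[] locks;
            locks = 0;
            throw;
        }
    }

    //
    // Count the instance only once initialization has succeeded, so that
    // cleanupSSL() is balanced against successful setups only.
    //
    instanceCount++;
}
```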
@@ -0,0 +1,46 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_PLUGIN_I_H
+#define ICE_SSL_PLUGIN_I_H
+
+#include <IceSSL/Plugin.h>
+#include <InstanceF.h>
+#include <Ice/CommunicatorF.h>
+#include <Ice/Plugin.h>
+
+namespace IceSSL
+{
+
+class PluginI : public IceSSL::Plugin
+{
+public:
+
+ PluginI(const Ice::CommunicatorPtr&);
+
+ virtual void destroy();
+
+ virtual void initialize(SSL_CTX* = 0, SSL_CTX* = 0);
+ virtual void setCertificateVerifier(const CertificateVerifierPtr&);
+ virtual void setPasswordPrompt(const PasswordPromptPtr&);
+
+ virtual SSL_CTX* clientContext();
+ virtual SSL_CTX* serverContext();
+
+private:
+
+ void setupSSL(const Ice::CommunicatorPtr&);
+ void cleanupSSL();
+
+ InstancePtr _instance;
+};
+
+}
+
+#endif
diff --git a/cpp/src/IceSSL/RSACertificateGen.cpp b/cpp/src/IceSSL/RSACertificateGen.cpp
deleted file mode 100644
index 46cfde37851..00000000000
--- a/cpp/src/IceSSL/RSACertificateGen.cpp
+++ /dev/null
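Review bot: `virtual void initialize(SSL_CTX* = 0, SSL_CTX* = 0);` places default arguments on a virtual function, and defaults are resolved from the static type at the call site, so a call through `IceSSL::Plugin` and one through `PluginI` pass the same values only if Plugin.h declares identical defaults. If the base declaration already carries them, drop them here: `virtual void initialize(SSL_CTX*, SSL_CTX*);`. The accessors `clientContext()`/`serverContext()` hand out raw `SSL_CTX*` with no ownership or lifetime statement, and the PluginI.cpp hunk in this commit has `destroy()` set `_instance = 0`, after which those accessors would dereference a null handle; a comment above them such as `// The returned SSL_CTX* is owned by the plugin; it must not be freed and is only valid until destroy() is called.` would make the contract explicit. `#include <InstanceF.h>` is also the only include without the `IceSSL/` prefix, which appears to rely on the IceSSL source directory being on the include path rather than a deliberate choice.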
@@ -1,375 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceUtil/Config.h> -#include <IceSSL/RSACertificateGen.h> -#include <IceSSL/OpenSSLJanitors.h> -#include <IceSSL/RSAKeyPair.h> -#include <IceSSL/RSAPrivateKey.h> -#include <IceSSL/RSAPublicKey.h> -#include <IceSSL/Exception.h> -#include <IceSSL/OpenSSLUtils.h> -#include <openssl/err.h> -#include <openssl/ssl.h> - -using std::string; -using std::back_inserter; - -IceSSL::RSACertificateGenContext::RSACertificateGenContext() : - _modulusLength(0), - _secondsValid(0), - _issuedAdjustment(0) -{ -} - -IceSSL::RSACertificateGenContext::~RSACertificateGenContext() -{ -} - -long -IceSSL::RSACertificateGenContext::minutesToSeconds(long minutes) -{ - return minutes * 60L; -} - -long -IceSSL::RSACertificateGenContext::hoursToSeconds(long hours) -{ - return minutesToSeconds(hours * 60L); -} - -long -IceSSL::RSACertificateGenContext::daysToSeconds(long days) -{ - return hoursToSeconds(days * 24L); -} - -long -IceSSL::RSACertificateGenContext::weeksToSeconds(long weeks) -{ - return daysToSeconds(weeks * 7L); -} - -long -IceSSL::RSACertificateGenContext::yearsToSeconds(long years) -{ - return weeksToSeconds(years * 365L); -} - -void -IceSSL::RSACertificateGenContext::setCountry(const string& country) -{ - _country = country; -} - -void -IceSSL::RSACertificateGenContext::setStateProvince(const string& stateProvince) -{ - _stateProvince = stateProvince; -} - -void -IceSSL::RSACertificateGenContext::setLocality(const string& locality) -{ - _locality = locality; -} - -void -IceSSL::RSACertificateGenContext::setOrganization(const string& organization) -{ - _organization = organization; -} - -void 
-IceSSL::RSACertificateGenContext::setOrgainizationalUnit(const string& organizationalUnit) -{ - _organizationalUnit = organizationalUnit; -} - -void -IceSSL::RSACertificateGenContext::setCommonName(const string& commonName) -{ - _commonName = commonName; -} - -void -IceSSL::RSACertificateGenContext::setBitStrength(int bitStrength) -{ - _modulusLength = bitStrength; -} - -void -IceSSL::RSACertificateGenContext::setSecondsValid(long secondsValid) -{ - _secondsValid = secondsValid; -} - -void -IceSSL::RSACertificateGenContext::setIssuedAdjustment(long issuedAdjustment) -{ - _issuedAdjustment = issuedAdjustment; -} - -unsigned char* -IceSSL::RSACertificateGenContext::getCountry() const -{ - unsigned char* country = reinterpret_cast<unsigned char *>(const_cast<char*>(_country.c_str())); - - assert(country != 0); - - return country; -} - -unsigned char* -IceSSL::RSACertificateGenContext::getStateProvince() const -{ - unsigned char* stateProvince = reinterpret_cast<unsigned char *>(const_cast<char*>(_stateProvince.c_str())); - - assert(stateProvince != 0); - - return stateProvince; -} - -unsigned char* -IceSSL::RSACertificateGenContext::getLocality() const -{ - unsigned char* locality = reinterpret_cast<unsigned char *>(const_cast<char*>(_locality.c_str())); - - assert(locality != 0); - - return locality; -} - -unsigned char* -IceSSL::RSACertificateGenContext::getOrganization() const -{ - unsigned char* organization = reinterpret_cast<unsigned char *>(const_cast<char*>(_organization.c_str())); - - assert(organization != 0); - - return organization; -} - -unsigned char* -IceSSL::RSACertificateGenContext::getOrganizationalUnit() const -{ - unsigned char* orgUnit = reinterpret_cast<unsigned char *>(const_cast<char*>(_organizationalUnit.c_str())); - - assert(orgUnit != 0); - - return orgUnit; -} - -unsigned char* -IceSSL::RSACertificateGenContext::getCommonName() const -{ - unsigned char* commonName = reinterpret_cast<unsigned char *>(const_cast<char*>(_commonName.c_str())); 
- - assert(commonName != 0); - - return commonName; -} - -int -IceSSL::RSACertificateGenContext::getModulusLength() const -{ - return _modulusLength; -} - -long -IceSSL::RSACertificateGenContext::getSecondsValid() const -{ - return _secondsValid; -} - -long -IceSSL::RSACertificateGenContext::getIssuedAdjustment() const -{ - return _issuedAdjustment; -} - -IceSSL::RSACertificateGen::RSACertificateGen() -{ - ERR_load_crypto_strings(); -} - -IceSSL::RSACertificateGen::~RSACertificateGen() -{ -} - -IceSSL::RSAKeyPairPtr -IceSSL::RSACertificateGen::generate(const RSACertificateGenContext& context) -{ - // Generate an RSA key pair. - RSAJanitor rsaJanitor(RSA_generate_key(context.getModulusLength(), RSA_F4, 0, 0)); - RSA* rsaKeyPair = rsaJanitor.get(); - - assert(rsaKeyPair != 0); - - EVP_PKEYJanitor evpPkeyJanitor(EVP_PKEY_new()); - EVP_PKEY* pkey = evpPkeyJanitor.get(); - assert(pkey != 0); - EVP_PKEY_assign_RSA(pkey, rsaKeyPair); - - // The RSA structure now belongs (temporarily) to the EVP_PKEY - rsaJanitor.clear(); - - // Create a signing request - X509_REQJanitor x509ReqJanitor(X509_REQ_new()); - X509_REQ* signingRequest = x509ReqJanitor.get(); - assert(signingRequest != 0); - - X509Janitor x509Janitor(X509_new()); - X509* x509SelfSigned = x509Janitor.get(); - assert(x509SelfSigned != 0); - - // Set version to V3. -#ifdef NDEBUG // Avoid compiler warnings when compiling with optimization. - X509_set_version(x509SelfSigned, 2); -#else - assert(X509_set_version(x509SelfSigned, 2) != 0); -#endif - - ASN1_INTEGER_set(X509_get_serialNumber(x509SelfSigned), 0); - - // NOTE: This is wierd. It looks like, for some reason, that the typedef of - // X509_NAME gets lost in this code module. I am using the straight struct - // here because X509_NAME isn't here. - - // X509_NAME* subjectName = X509_REQ_get_subject_name(signingRequest); - struct X509_name_st* subjectName = X509_REQ_get_subject_name(signingRequest); - - // Set valid time period. 
- X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), context.getIssuedAdjustment()); - X509_gmtime_adj(X509_get_notAfter(x509SelfSigned), context.getSecondsValid()); - - // Set up subject/issuer Distinguished Name (DN). - X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("C"), MBSTRING_ASC, context.getCountry(), - -1, -1, 0); - X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("ST"), MBSTRING_ASC, context.getStateProvince(), - -1, -1, 0); - X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("L"), MBSTRING_ASC, context.getLocality(), - -1, -1, 0); - X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("O"), MBSTRING_ASC, context.getOrganization(), - -1, -1, 0); - X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("OU"), MBSTRING_ASC, context.getOrganizationalUnit(), - -1, -1, 0); - X509_NAME_add_entry_by_txt(subjectName, const_cast<char*>("CN"), MBSTRING_ASC, context.getCommonName(), - -1, -1, 0); - - // Self signed - set issuer and subject names identical - X509_set_issuer_name(x509SelfSigned, subjectName); - X509_set_subject_name(x509SelfSigned, subjectName); - - // Set the public key in the self signed certificate from the request. - X509_set_pubkey(x509SelfSigned, pkey); - - // Sign the public key using an MD5 digest. - if(!X509_sign(x509SelfSigned, pkey, EVP_md5())) - { - throw IceSSL::CertificateSigningException(__FILE__, __LINE__); - } - - // Verify the Signature (paranoia). - if(!X509_REQ_verify(signingRequest, pkey)) - { - throw IceSSL::CertificateSignatureException(__FILE__, __LINE__); - } - - // Nasty Hack: Getting the pkey to let go of our rsaKeyPair - we own that now. - // Checked this out, though, and there are no current issues (0.9.7a) with doing this. 
- pkey->pkey.ptr = 0; - - RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaKeyPair); - RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509SelfSigned); - RSAKeyPair* keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr); - - // Do not let the janitors clean up, we're keeping the keys for ourselves. - rsaJanitor.clear(); - x509Janitor.clear(); - - return keyPairPtr; -} - -IceSSL::RSAKeyPairPtr -IceSSL::RSACertificateGen::loadKeyPair(const std::string& keyFile, const std::string& certFile) -{ - // - // Read in the X509 Certificate Structure - // - BIOJanitor certBIO(BIO_new_file(certFile.c_str(), "r")); - if(certBIO.get() == 0) - { - IceSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__); - - certLoadEx.message = "unable to load certificate from '"; - certLoadEx.message += certFile; - certLoadEx.message += "'\n"; - certLoadEx.message += sslGetErrors(); - - throw certLoadEx; - } - - X509Janitor x509Janitor(PEM_read_bio_X509(certBIO.get(), 0, 0, 0)); - - if(x509Janitor.get() == 0) - { - IceSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__); - - certLoadEx.message = "unable to load certificate from '"; - certLoadEx.message += certFile; - certLoadEx.message += "'\n"; - certLoadEx.message += sslGetErrors(); - - throw certLoadEx; - } - - // - // Read in the RSA Private Key Structure - // - BIOJanitor keyBIO(BIO_new_file(keyFile.c_str(), "r")); - if(keyBIO.get() == 0) - { - IceSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__); - - pklEx.message = "unable to load private key from '"; - pklEx.message += keyFile; - pklEx.message += "'\n"; - pklEx.message += sslGetErrors(); - - throw pklEx; - } - - RSAJanitor rsaJanitor(PEM_read_bio_RSAPrivateKey(keyBIO.get(), 0, 0, 0)); - - if(rsaJanitor.get() == 0) - { - IceSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__); - - pklEx.message = "unable to load private key from '"; - pklEx.message += keyFile; - pklEx.message += "'\n"; - pklEx.message += sslGetErrors(); - - throw pklEx; - } - - // - // Construct our 
RSAKeyPair - // - RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaJanitor.get()); - RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509Janitor.get()); - RSAKeyPairPtr keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr); - - // Do not let the janitors clean up, we're keeping these keys. - rsaJanitor.clear(); - x509Janitor.clear(); - - return keyPairPtr; -} diff --git a/cpp/src/IceSSL/RSAKeyPair.cpp b/cpp/src/IceSSL/RSAKeyPair.cpp deleted file mode 100644 index 334ed4c2556..00000000000 --- a/cpp/src/IceSSL/RSAKeyPair.cpp +++ /dev/null 
@@ -1,86 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceUtil/Config.h> -#include <IceUtil/Base64.h> -#include <IceSSL/RSAKeyPair.h> -#include <IceSSL/RSAPrivateKey.h> -#include <IceSSL/RSAPublicKey.h> -#include <assert.h> - -void IceInternal::incRef(::IceSSL::RSAKeyPair* p) { p->__incRef(); } -void IceInternal::decRef(::IceSSL::RSAKeyPair* p) { p->__decRef(); } - -using std::back_inserter; -using std::string; -using Ice::ByteSeq; -using IceUtil::Base64; - -IceSSL::RSAKeyPair::RSAKeyPair(const string& key, const string& cert) : - _privateKey(new RSAPrivateKey(key)), - _publicKey(new RSAPublicKey(cert)) -{ - assert(_privateKey != 0); - assert(_publicKey != 0); -} - -IceSSL::RSAKeyPair::RSAKeyPair(const ByteSeq& keySeq, const ByteSeq& certSeq) : - _privateKey(new RSAPrivateKey(keySeq)), - _publicKey(new RSAPublicKey(certSeq)) -{ - assert(_privateKey != 0); - assert(_publicKey != 0); -} - -IceSSL::RSAKeyPair::~RSAKeyPair() -{ -} - -void -IceSSL::RSAKeyPair::keyToBase64(string& b64Key) -{ - _privateKey->keyToBase64(b64Key); -} - -void -IceSSL::RSAKeyPair::certToBase64(string& b64Cert) -{ - _publicKey->certToBase64(b64Cert); -} - -void -IceSSL::RSAKeyPair::keyToByteSeq(ByteSeq& keySeq) -{ - _privateKey->keyToByteSeq(keySeq); -} - -void -IceSSL::RSAKeyPair::certToByteSeq(ByteSeq& certSeq) -{ - _publicKey->certToByteSeq(certSeq); -} - -RSA* -IceSSL::RSAKeyPair::getRSAPrivateKey() const -{ - return _privateKey->get(); -} - -X509* -IceSSL::RSAKeyPair::getX509PublicKey() const -{ - return _publicKey->getX509PublicKey(); -} - -IceSSL::RSAKeyPair::RSAKeyPair(const RSAPrivateKeyPtr& rsa, const RSAPublicKeyPtr& x509) : - _privateKey(rsa), - _publicKey(x509) -{ 
-} - diff --git a/cpp/src/IceSSL/RSAPrivateKey.cpp b/cpp/src/IceSSL/RSAPrivateKey.cpp deleted file mode 100644 index 2cd9934c915..00000000000 --- a/cpp/src/IceSSL/RSAPrivateKey.cpp +++ /dev/null 
@@ -1,123 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceUtil/Config.h> -#include <IceUtil/Base64.h> -#include <IceSSL/RSAPrivateKey.h> -#include <IceSSL/Convert.h> -#include <IceSSL/OpenSSLUtils.h> -#include <IceSSL/Exception.h> -#include <assert.h> - -void IceInternal::incRef(::IceSSL::RSAPrivateKey* p) { p->__incRef(); } -void IceInternal::decRef(::IceSSL::RSAPrivateKey* p) { p->__decRef(); } - -using std::back_inserter; -using std::string; -using Ice::ByteSeq; -using IceUtil::Base64; - -IceSSL::RSAPrivateKey::RSAPrivateKey(const string& key) -{ - assert(!key.empty()); - - _privateKey = 0; - - ByteSeq keySeq = Base64::decode(key); - - byteSeqToKey(keySeq); -} - -IceSSL::RSAPrivateKey::RSAPrivateKey(const ByteSeq& keySeq) -{ - assert(!keySeq.empty()); - - _privateKey = 0; - - byteSeqToKey(keySeq); -} - -IceSSL::RSAPrivateKey::RSAPrivateKey(RSA* rsa) : - _privateKey(rsa) -{ - assert(_privateKey != 0); -} - -IceSSL::RSAPrivateKey::~RSAPrivateKey() -{ - if(_privateKey != 0) - { - RSA_free(_privateKey); - } -} - -void -IceSSL::RSAPrivateKey::keyToBase64(string& b64Key) -{ - ByteSeq keySeq; - keyToByteSeq(keySeq); - b64Key = Base64::encode(keySeq); -} - -void -IceSSL::RSAPrivateKey::keyToByteSeq(ByteSeq& keySeq) -{ - assert(_privateKey); - - // Output the Private Key to a char buffer - unsigned int privKeySize = i2d_RSAPrivateKey(_privateKey, 0); - - assert(privKeySize > 0); - - unsigned char* privateKeyBuffer = new unsigned char[privKeySize]; - assert(privateKeyBuffer != 0); - - // We have to do this because i2d_RSAPrivateKey changes the pointer. 
- unsigned char* privKeyBuff = privateKeyBuffer; - i2d_RSAPrivateKey(_privateKey, &privKeyBuff); - - IceSSL::ucharToByteSeq(privateKeyBuffer, privKeySize, keySeq); - - delete [] privateKeyBuffer; -} - -RSA* -IceSSL::RSAPrivateKey::get() const -{ - return _privateKey; -} - -void -IceSSL::RSAPrivateKey::byteSeqToKey(const ByteSeq& keySeq) -{ - unsigned char* privateKeyBuffer = byteSeqToUChar(keySeq); - assert(privateKeyBuffer != 0); - - unsigned char* privKeyBuff = privateKeyBuffer; - unsigned char** privKeyBuffpp = &privKeyBuff; - RSA** rsapp = &_privateKey; - -#if OPENSSL_VERSION_NUMBER < 0x0090700fL - _privateKey = d2i_RSAPrivateKey(rsapp, privKeyBuffpp, (long)keySeq.size()); -#else - _privateKey = d2i_RSAPrivateKey(rsapp, (const unsigned char **)privKeyBuffpp, (long)keySeq.size()); -#endif - - delete [] privateKeyBuffer; - - if(_privateKey == 0) - { - IceSSL::PrivateKeyParseException pkParseException(__FILE__, __LINE__); - - pkParseException.message = "unable to parse provided private key\n" + sslGetErrors(); - - throw pkParseException; - } -} - diff --git a/cpp/src/IceSSL/RSAPublicKey.cpp b/cpp/src/IceSSL/RSAPublicKey.cpp deleted file mode 100644 index 88374c66593..00000000000 --- a/cpp/src/IceSSL/RSAPublicKey.cpp +++ /dev/null 
@@ -1,124 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceUtil/Config.h> -#include <IceUtil/Base64.h> -#include <IceSSL/RSAPublicKey.h> -#include <IceSSL/Convert.h> -#include <IceSSL/OpenSSLUtils.h> -#include <IceSSL/Exception.h> -#include <assert.h> - -void IceInternal::incRef(::IceSSL::RSAPublicKey* p) { p->__incRef(); } -void IceInternal::decRef(::IceSSL::RSAPublicKey* p) { p->__decRef(); } - -using std::back_inserter; -using std::string; -using Ice::ByteSeq; -using IceUtil::Base64; - -IceSSL::RSAPublicKey::RSAPublicKey(const string& cert) -{ - assert(!cert.empty()); - - _publicKey = 0; - - ByteSeq certSeq = Base64::decode(cert); - - byteSeqToCert(certSeq); -} - -IceSSL::RSAPublicKey::RSAPublicKey(const ByteSeq& certSeq) -{ - assert(!certSeq.empty()); - - _publicKey = 0; - - byteSeqToCert(certSeq); -} - -IceSSL::RSAPublicKey::~RSAPublicKey() -{ - if(_publicKey != 0) - { - X509_free(_publicKey); - } -} - -void -IceSSL::RSAPublicKey::certToBase64(string& b64Cert) -{ - ByteSeq certSeq; - certToByteSeq(certSeq); - b64Cert = Base64::encode(certSeq); -} - -void -IceSSL::RSAPublicKey::certToByteSeq(ByteSeq& certSeq) -{ - assert(_publicKey); - - // Output the Public Key to a char buffer - unsigned int pubKeySize = i2d_X509(_publicKey, 0); - - assert(pubKeySize > 0); - - unsigned char* publicKeyBuffer = new unsigned char[pubKeySize]; - assert(publicKeyBuffer != 0); - - // We have to do this because i2d_X509_PUBKEY changes the pointer. 
- unsigned char* pubKeyBuff = publicKeyBuffer; - i2d_X509(_publicKey, &pubKeyBuff); - - IceSSL::ucharToByteSeq(publicKeyBuffer, pubKeySize, certSeq); - - delete []publicKeyBuffer; -} - -X509* -IceSSL::RSAPublicKey::getX509PublicKey() const -{ - return _publicKey; -} - -IceSSL::RSAPublicKey::RSAPublicKey(X509* x509) : - _publicKey(x509) -{ -} - -void -IceSSL::RSAPublicKey::byteSeqToCert(const ByteSeq& certSeq) -{ - const unsigned char* publicKeyBuffer = byteSeqToUChar(certSeq); - assert(publicKeyBuffer != 0); - - // We have to do this because d2i_X509 changes the pointer. - const unsigned char* pubKeyBuff = publicKeyBuffer; - const unsigned char** pubKeyBuffpp = &pubKeyBuff; - - X509** x509pp = &_publicKey; -#if OPENSSL_VERSION_NUMBER < 0x0090800fL - _publicKey = d2i_X509(x509pp, const_cast<unsigned char**>(pubKeyBuffpp), (long)certSeq.size()); -#else - _publicKey = d2i_X509(x509pp, pubKeyBuffpp, (long)certSeq.size()); -#endif - - delete [] const_cast<unsigned char*>(publicKeyBuffer); - - if(_publicKey == 0) - { - IceSSL::CertificateParseException certParseException(__FILE__, __LINE__); - - certParseException.message = "unable to parse provided public key\n" + sslGetErrors(); - - throw certParseException; - } -} - - diff --git a/cpp/src/IceSSL/ServerContext.cpp b/cpp/src/IceSSL/ServerContext.cpp deleted file mode 100644 index 5dbfb57f4d7..00000000000 --- a/cpp/src/IceSSL/ServerContext.cpp +++ /dev/null 
@@ -1,131 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <Ice/Communicator.h> -#include <Ice/LoggerUtil.h> - -#include <IceSSL/Exception.h> -#include <IceSSL/ServerContext.h> -#include <IceSSL/SslTransceiver.h> -#include <IceSSL/OpenSSLUtils.h> -#include <IceSSL/TraceLevels.h> - -using namespace std; -using namespace Ice; - -void -IceSSL::ServerContext::configure(const GeneralConfig& generalConfig, - const CertificateAuthority& certificateAuthority, - const BaseCertificates& baseCertificates) -{ - Context::configure(generalConfig, certificateAuthority, baseCertificates); - - assert(_sslContext != 0); - - // On servers, Attempt to use non-export (strong) encryption - // first. This option does not always work, and in the OpenSSL - // documentation is declared as 'broken'. - // SSL_CTX_set_options(_sslContext, SSL_OP_NON_EXPORT_FIRST); - - // Always use a new DH key when using Diffie-Hellman key agreement. - SSL_CTX_set_options(_sslContext, SSL_OP_SINGLE_DH_USE); - - // Set the RSA Callback routine in case we need to build a temporary (ephemeral) RSA key. - SSL_CTX_set_tmp_rsa_callback(_sslContext, tmpRSACallback); - - // Set the DH Callback routine in case we need a temporary (ephemeral) DH key. - SSL_CTX_set_tmp_dh_callback(_sslContext, tmpDHCallback); - - loadCertificateAuthority(certificateAuthority); - - // Set the session context for the SSL system [SERVER ONLY]. 
- string connectionContext = generalConfig.getContext(); - SSL_CTX_set_session_id_context(_sslContext, - reinterpret_cast<const unsigned char *>(connectionContext.c_str()), - (unsigned int) connectionContext.size()); - - if(_traceLevels->security >= SECURITY_PROTOCOL) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - - out << "\n"; - out << "general configuration (server)\n"; - out << "------------------------------\n"; - IceSSL::operator<<(out, generalConfig); - out << "\n\n"; - - out << "CA file: " << certificateAuthority.getCAFileName() << "\n"; - out << "CA path: " << certificateAuthority.getCAPath() << "\n"; - - out << "base certificates (server)\n"; - out << "--------------------------\n"; - IceSSL::operator<<(out, baseCertificates); - out << "\n\n"; - } -} - -IceSSL::SslTransceiverPtr -IceSSL::ServerContext::createTransceiver(int socket, const OpenSSLPluginIPtr& plugin, int timeout) -{ - if(_sslContext == 0) - { - ContextNotConfiguredException contextEx(__FILE__, __LINE__); - - throw contextEx; - } - - SSL* ssl = createSSLConnection(socket); - return new SslTransceiver(IceSSL::Server, plugin, socket, _certificateVerifier, ssl, timeout); -} - -// -// Protected -// - -IceSSL::ServerContext::ServerContext(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) : - Context(traceLevels, communicator, Server) -{ - _rsaPrivateKeyProperty = "IceSSL.Server.Overrides.RSA.PrivateKey"; - _rsaPublicKeyProperty = "IceSSL.Server.Overrides.RSA.Certificate"; - _dsaPrivateKeyProperty = "IceSSL.Server.Overrides.DSA.PrivateKey"; - _dsaPublicKeyProperty = "IceSSL.Server.Overrides.DSA.Certificate"; - _caCertificateProperty = "IceSSL.Server.Overrides.CACertificate"; - _passphraseRetriesProperty = "IceSSL.Server.Passphrase.Retries"; -} - -void -IceSSL::ServerContext::loadCertificateAuthority(const CertificateAuthority& certAuth) -{ - assert(_sslContext != 0); - - Context::loadCertificateAuthority(certAuth); - - string caFile = 
certAuth.getCAFileName(); - - if(caFile.empty()) - { - return; - } - - STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str()); - - if(certNames == 0) - { - if(_traceLevels->security >= SECURITY_WARNINGS) - { - Trace out(_communicator->getLogger(), _traceLevels->securityCat); - out << "WRN unable to load certificate authorities certificate names from " << caFile << "\n"; - out << sslGetErrors(); - } - } - else - { - SSL_CTX_set_client_CA_list(_sslContext, certNames); - } -} diff --git a/cpp/src/IceSSL/ServerContext.h b/cpp/src/IceSSL/ServerContext.h deleted file mode 100644 index 30899bb77d2..00000000000 --- a/cpp/src/IceSSL/ServerContext.h +++ /dev/null @@ -1,40 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICESSL_SERVER_CONTEXT_H -#define ICESSL_SERVER_CONTEXT_H - -#include <IceSSL/OpenSSLPluginIF.h> -#include <IceSSL/Context.h> - -namespace IceSSL -{ - -class ServerContext : public Context -{ -public: - - virtual void configure(const GeneralConfig&, - const CertificateAuthority&, - const BaseCertificates&); - - SslTransceiverPtr createTransceiver(int, const OpenSSLPluginIPtr&, int); - -protected: - - ServerContext(const TraceLevelsPtr&, const Ice::CommunicatorPtr&); - - virtual void loadCertificateAuthority(const CertificateAuthority& certAuth); - - friend class OpenSSLPluginI; -}; - -} - -#endif diff --git a/cpp/src/IceSSL/SingleCertificateVerifier.cpp b/cpp/src/IceSSL/SingleCertificateVerifier.cpp deleted file mode 100644 index b0b87f5ba8f..00000000000 --- a/cpp/src/IceSSL/SingleCertificateVerifier.cpp +++ /dev/null 
@@ -1,110 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceSSL/SingleCertificateVerifier.h> -#include <IceSSL/Convert.h> -#include <openssl/err.h> -#include <algorithm> -#include <iostream> - -using namespace std; -using Ice::ByteSeq; - -IceSSL::SingleCertificateVerifier::SingleCertificateVerifier(const ByteSeq& publicKey) : - _publicKey(publicKey) -{ -} - -int -IceSSL::SingleCertificateVerifier::verify(int preVerifyOkay, - X509_STORE_CTX* x509StoreContext, - SSL* sslConnection) -{ - // For getting the CA certificate - X509* trustedCert = 0; - X509_OBJECT trustedObject; - - // Get the peer certificate offered by whoever we're talking to. - X509* peerCertificate = x509StoreContext->cert; - - // We only bother to do the rest of this if we have something to verify. - if(peerCertificate) - { - // Get the subject name (Not a memory leak, this is how this is used). - X509_NAME* peerCertName = X509_get_subject_name(peerCertificate); - - // The Trusted Certificate by the same name. - int retCode = X509_STORE_get_by_subject(x509StoreContext, - X509_LU_X509, - peerCertName, - &trustedObject); - - switch(retCode) - { - case X509_LU_X509: - { - trustedCert = trustedObject.data.x509; - break; - } - - case X509_LU_RETRY: - { - // Log the error properly. - X509err(X509_F_X509_VERIFY_CERT, X509_R_SHOULD_RETRY); - - // Drop through intended. - } - - default : - { - // Regardless of error, if we can't look up the trusted - // certificate, then we fail out. - - preVerifyOkay = 0; - break; - } - } - } - - // Compare, only if we have both. 
- if(trustedCert) - { - ByteSeq peerByteSeq; - toByteSeq(peerCertificate, peerByteSeq); - - ByteSeq trustedByteSeq; - toByteSeq(trustedCert, trustedByteSeq); - - // The presented certificate must exactly match one that is in - // the certificate store, and that must be the expected certificate. - - preVerifyOkay = (peerByteSeq == trustedByteSeq) && - (_publicKey == peerByteSeq); - - X509_OBJECT_free_contents(&trustedObject); - } - - return preVerifyOkay; -} - -void -IceSSL::SingleCertificateVerifier::toByteSeq(X509* certificate, - ByteSeq& certByteSeq) -{ - // Convert the X509 to a unsigned char buffer. - unsigned int certSize = i2d_X509(certificate, 0); - unsigned char* certBuffer = new unsigned char[certSize]; - unsigned char* certPtr = certBuffer; - i2d_X509(certificate, &certPtr); - - // Yet another conversion to a ByteSeq (easy comparison this way). - IceSSL::ucharToByteSeq(certBuffer, certSize, certByteSeq); - delete []certBuffer; -} - diff --git a/cpp/src/IceSSL/SingleCertificateVerifier.h b/cpp/src/IceSSL/SingleCertificateVerifier.h deleted file mode 100644 index 9b560d4ef7c..00000000000 --- a/cpp/src/IceSSL/SingleCertificateVerifier.h +++ /dev/null 
@@ -1,37 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_SINGLE_CERTIFICATE_VERIFIER_H -#define ICE_SSL_SINGLE_CERTIFICATE_VERIFIER_H - -#include <Ice/BuiltinSequences.h> -#include <IceSSL/CertificateVerifierOpenSSL.h> - -namespace IceSSL -{ - -class SingleCertificateVerifier : public IceSSL::CertificateVerifierOpenSSL -{ -public: - - SingleCertificateVerifier(const Ice::ByteSeq&); - - virtual int verify(int, X509_STORE_CTX*, SSL*); - - void toByteSeq(X509*, Ice::ByteSeq&); - -protected: - - Ice::ByteSeq _publicKey; -}; - -} - -#endif - diff --git a/cpp/src/IceSSL/SslAcceptor.cpp b/cpp/src/IceSSL/SslAcceptor.cpp deleted file mode 100644 index 019dc3f7eb7..00000000000 --- a/cpp/src/IceSSL/SslAcceptor.cpp +++ /dev/null 
@@ -1,140 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <Ice/LoggerUtil.h> -#include <Ice/Network.h> - -#include <IceSSL/OpenSSLPluginI.h> -#include <IceSSL/SslAcceptor.h> -#include <IceSSL/SslTransceiver.h> -#include <IceSSL/TraceLevels.h> - -using namespace std; -using namespace Ice; -using namespace IceInternal; - -SOCKET -IceSSL::SslAcceptor::fd() -{ - return _fd; -} - -void -IceSSL::SslAcceptor::close() -{ - if(_traceLevels->network >= 1) - { - Trace out(_logger, _traceLevels->networkCat); - out << "stopping to accept ssl connections at " << toString(); - } - - SOCKET fd = _fd; - _fd = INVALID_SOCKET; - closeSocket(fd); -} - -void -IceSSL::SslAcceptor::listen() -{ - try - { - doListen(_fd, _backlog); - } - catch(...) 
- { - _fd = INVALID_SOCKET; - throw; - } - - if(_traceLevels->network >= 1) - { - Trace out(_logger, _traceLevels->networkCat); - out << "accepting ssl connections at " << toString(); - } -} - -TransceiverPtr -IceSSL::SslAcceptor::accept(int timeout) -{ - SOCKET fd = doAccept(_fd, timeout); - setBlock(fd, false); - - if(_traceLevels->network >= 1) - { - Trace out(_logger, _traceLevels->networkCat); - out << "accepted ssl connection\n" << fdToString(fd); - } - - return _plugin->createServerTransceiver( - static_cast<int>(fd), timeout); -} - -void -IceSSL::SslAcceptor::connectToSelf() -{ - SOCKET fd = createSocket(false); - setBlock(fd, false); - doConnect(fd, _addr, -1); - closeSocket(fd); -} - -string -IceSSL::SslAcceptor::toString() const -{ - return addrToString(_addr); -} - -bool -IceSSL::SslAcceptor::equivalent(const string& host, int port) const -{ - struct sockaddr_in addr; - getAddress(host, port, addr); - return compareAddress(addr, _addr); -} - -int -IceSSL::SslAcceptor::effectivePort() -{ - return ntohs(_addr.sin_port); -} - -IceSSL::SslAcceptor::SslAcceptor(const OpenSSLPluginIPtr& plugin, const string& host, int port) : - _plugin(plugin), - _traceLevels(plugin->getTraceLevels()), - _logger(plugin->getLogger()), - _backlog(0) -{ - if(_backlog <= 0) - { - _backlog = 5; - } - - try - { - _fd = createSocket(false); - setBlock(_fd, false); - getAddress(host, port, _addr); - if(_traceLevels->network >= 2) - { - Trace out(_logger, _traceLevels->networkCat); - out << "attempting to bind to ssl socket " << toString(); - } - doBind(_fd, _addr); - } - catch(...) - { - _fd = INVALID_SOCKET; - throw; - } -} - -IceSSL::SslAcceptor::~SslAcceptor() -{ - assert(_fd == INVALID_SOCKET); -} diff --git a/cpp/src/IceSSL/SslConnector.cpp b/cpp/src/IceSSL/SslConnector.cpp deleted file mode 100644 index 9d4377a7418..00000000000 --- a/cpp/src/IceSSL/SslConnector.cpp +++ /dev/null 
@@ -1,61 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#include <Ice/Network.h>
-#include <Ice/LoggerUtil.h>
-
-#include <IceSSL/OpenSSLPluginI.h>
-#include <IceSSL/SslConnector.h>
-#include <IceSSL/SslTransceiver.h>
-#include <IceSSL/TraceLevels.h>
-
-using namespace std;
-using namespace Ice;
-using namespace IceInternal;
-
-TransceiverPtr
-IceSSL::SslConnector::connect(int timeout)
-{
- if(_traceLevels->network >= 2)
- {
- Trace out(_logger, _traceLevels->networkCat);
- out << "trying to establish ssl connection to " << toString();
- }
-
- SOCKET fd = createSocket(false);
- setBlock(fd, false);
- doConnect(fd, _addr, timeout);
-
- if(_traceLevels->network >= 1)
- {
- Trace out(_logger, _traceLevels->networkCat);
- out << "ssl connection established\n" << fdToString(fd);
- }
-
- return _plugin->createClientTransceiver(
- static_cast<int>(fd), timeout);
-}
-
-string
-IceSSL::SslConnector::toString() const
-{
- return addrToString(_addr);
-}
-
-IceSSL::SslConnector::SslConnector(const OpenSSLPluginIPtr& plugin, const string& host, int port) :
- _plugin(plugin),
- _traceLevels(plugin->getTraceLevels()),
- _logger(plugin->getLogger())
-{
- getAddress(host, port, _addr);
-}
-
-IceSSL::SslConnector::~SslConnector()
-{
-}
diff --git a/cpp/src/IceSSL/SslException.cpp b/cpp/src/IceSSL/SslException.cpp
deleted file mode 100644
index c4835041a12..00000000000
--- a/cpp/src/IceSSL/SslException.cpp
+++ /dev/null
@@ -1,144 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#include <Ice/LocalException.h>
-#include <IceSSL/Exception.h>
-
-using namespace std;
-using namespace Ice;
-
-void
-IceSSL::SslException::ice_print(ostream& out) const
-{
- Exception::ice_print(out);
- if(!message.empty())
- {
- out << ":\n" << message;
- }
-}
-
-void
-IceSSL::ConfigurationLoadingException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::ConfigParseException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::ShutdownException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::ProtocolException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateVerificationException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateSigningException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateSignatureException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateParseException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::PrivateKeyException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::PrivateKeyParseException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateVerifierTypeException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::ContextException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::ContextInitializationException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::ContextNotConfiguredException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::UnsupportedContextException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateLoadException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::PrivateKeyLoadException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateKeyMatchException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::TrustedCertificateAddException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
diff --git a/cpp/src/IceSSL/SslTransceiver.cpp b/cpp/src/IceSSL/SslTransceiver.cpp
deleted file mode 100644
index c6c5c9e32bb..00000000000
--- a/cpp/src/IceSSL/SslTransceiver.cpp
+++ /dev/null
@@ -1,1053 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <Ice/LoggerUtil.h> -#include <Ice/Stats.h> -#include <Ice/Network.h> -#include <Ice/LocalException.h> -#include <IceSSL/SslTransceiver.h> -#include <IceSSL/TraceLevels.h> -#include <IceSSL/Exception.h> -#include <IceSSL/OpenSSLPluginI.h> -#include <IceSSL/OpenSSLUtils.h> - -#include <openssl/err.h> - -using namespace std; -using namespace Ice; -using namespace IceInternal; - -// -// Static Member Initialization -// -IceSSL::SslTransceiverMap IceSSL::SslTransceiver::_transceiverMap; -IceUtil::StaticMutex IceSSL::SslTransceiver::_transceiverRepositoryMutex = ICE_STATIC_MUTEX_INITIALIZER; - -void IceInternal::incRef(IceSSL::SslTransceiver* p) { p->__incRef(); } -void IceInternal::decRef(IceSSL::SslTransceiver* p) { p->__decRef(); } - -SOCKET -IceSSL::SslTransceiver::fd() -{ - assert(_fd != INVALID_SOCKET); - return _fd; -} - -void -IceSSL::SslTransceiver::close() -{ - if(_fd == INVALID_SOCKET) - { - // Ignore - the connection was never set up. 
- return; - } - - if(_traceLevels->network >= 1) - { - Trace out(_logger, _traceLevels->networkCat); - out << "closing ssl connection\n" << toString(); - } - - try - { - internalShutdownWrite(10 * 1000); - } - catch(const Ice::Exception& e) - { - Warning warn(_logger); - warn << "error in shutting down ssl connection " << e; - } - - assert(_fd != INVALID_SOCKET); - try - { - closeSocket(_fd); - _fd = INVALID_SOCKET; - } - catch(const SocketException&) - { - _fd = INVALID_SOCKET; - throw; - } -} - -void -IceSSL::SslTransceiver::shutdownWrite() -{ - if(_traceLevels->network >= 2) - { - Trace out(_logger, _traceLevels->networkCat); - out << "shutting down ssl connection for writing\n" << toString(); - } - - try - { - internalShutdownWrite(10 * 1000); - } - catch(const Ice::Exception& e) - { - Warning warn(_logger); - warn << "error in shutting down ssl connection " << e; - } - - assert(_fd != INVALID_SOCKET); - shutdownSocketWrite(_fd); -} - -void -IceSSL::SslTransceiver::shutdownReadWrite() -{ - if(_traceLevels->network >= 2) - { - Trace out(_logger, _traceLevels->networkCat); - out << "shutting down ssl connection for reading and writing\n" << toString(); - } - - assert(_fd != INVALID_SOCKET); - shutdownSocketReadWrite(_fd); -} - -void -IceSSL::SslTransceiver::write(Buffer& buf, int timeout) -{ - assert(_fd != INVALID_SOCKET); - - _plugin->registerThread(); - - - Buffer::Container::difference_type packetSize = - static_cast<Buffer::Container::difference_type>(buf.b.end() - buf.i); - -#ifdef _WIN32 - // - // Limit packet size to avoid performance problems on WIN32. - // - if(packetSize > 64 * 1024) - { - packetSize = 64 * 1024; - } -#endif - - // We keep writing until we're done. 
- while(buf.i != buf.b.end()) - { - ERR_clear_error(); - int ret = SSL_write(_sslConnection, &*buf.i, static_cast<int>(packetSize)); - switch(SSL_get_error(_sslConnection, ret)) - { - case SSL_ERROR_NONE: - break; - - case SSL_ERROR_WANT_WRITE: - { - writeSelect(timeout); - continue; - } - - // - // If session renegotiation is ever enabled this could - // occur. - // - //case SSL_ERROR_WANT_READ: - //{ - // readSelect(timeout); - // continue; - //} - - case SSL_ERROR_SYSCALL: - { - if(ret == -1) - { - // IO Error in underlying BIO - - if(interrupted()) - { - continue; - } - - if(noBuffers() && packetSize > 1024) - { - packetSize /= 2; - continue; - } - - // - // Its not clear whether this can occur, isn't - // this the same as SSL_ERROR_WANT_WRITE? - // - if(wouldBlock()) - { - writeSelect(timeout); - continue; - } - - if(connectionLost()) - { - ConnectionLostException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - else - { - SocketException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - } - // fall through - } - - case SSL_ERROR_ZERO_RETURN: - { - assert(ret == 0); - ConnectionLostException ex(__FILE__, __LINE__); - ex.error = 0; - throw ex; - } - - case SSL_ERROR_SSL: - { - ProtocolException ex(__FILE__, __LINE__); - ex.message = "encountered a violation of the ssl protocol\n"; - ex.message += IceSSL::sslGetErrors(); - throw ex; - } - - default: - { - Warning warn(_logger); - warn << "IceSSL: unexpected result from SSL_write: " << SSL_get_error(_sslConnection, ret); - } - } - - if(_traceLevels->network >= 3) - { - Trace out(_logger, _traceLevels->networkCat); - out << "sent " << ret << " of " << packetSize; out << " bytes via ssl\n" - << fdToString(SSL_get_fd(_sslConnection)); - } - - if(_stats) - { - _stats->bytesSent(type(), ret); - } - - buf.i += ret; - - if(packetSize > buf.b.end() - buf.i) - { - packetSize = static_cast<Buffer::Container::difference_type>(buf.b.end() - buf.i); - } - } -} - -void 
-IceSSL::SslTransceiver::read(Buffer& buf, int timeout) -{ - assert(_fd != INVALID_SOCKET); - - _plugin->registerThread(); - - Buffer::Container::difference_type packetSize = - static_cast<Buffer::Container::difference_type>(buf.b.end() - buf.i); - - while(buf.i != buf.b.end()) - { - ERR_clear_error(); - int ret = SSL_read(_sslConnection, &*buf.i, static_cast<Int>(packetSize)); - switch(SSL_get_error(_sslConnection, ret)) - { - case SSL_ERROR_NONE: - break; - - case SSL_ERROR_WANT_READ: - { - readSelect(timeout); - continue; - } - - // - // If session renegotiation is ever enabled this could - // occur. - // - //case SSL_ERROR_WANT_WRITE: - //{ - // writeSelect(timeout); - // continue; - //} - - case SSL_ERROR_SYSCALL: - { - if(ret == -1) - { - // IO Error in underlying BIO - - if(interrupted()) - { - continue; - } - - if(noBuffers() && packetSize > 1024) - { - packetSize /= 2; - continue; - } - - // - // Its not clear whether this can occur, isn't - // this the same as SSL_ERROR_WANT_READ? - // - if(wouldBlock()) - { - readSelect(timeout); - continue; - } - - if(!connectionLost()) - { - SocketException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - } - // fall throught - } - - case SSL_ERROR_ZERO_RETURN: - { - - // - // If the connection is lost when reading data, we shut - // down the write end of the socket. This helps to unblock - // threads that are stuck in send() or select() while - // sending data. Note: I don't really understand why - // send() or select() sometimes don't detect a connection - // loss. Therefore this helper to make them detect it. 
- // - //assert(_fd != INVALID_SOCKET); - //shutdownSocket(_fd); - - ConnectionLostException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - - case SSL_ERROR_SSL: - { - ProtocolException ex(__FILE__, __LINE__); - ex.message = "encountered a violation of the ssl protocol\n"; - ex.message += sslGetErrors(); - throw ex; - } - - default: - { - Warning warn(_logger); - warn << "IceSSL: unexpected result from SSL_write: " << SSL_get_error(_sslConnection, ret); - } - } - - if(_traceLevels->network >= 3) - { - Trace out(_logger, _traceLevels->networkCat); - out << "received " << ret << " of " << packetSize; out << " bytes via ssl\n" << toString(); - } - - if(_stats) - { - _stats->bytesReceived(type(), ret); - } - - buf.i += ret; - - if(packetSize > buf.b.end() - buf.i) - { - packetSize = static_cast<Buffer::Container::difference_type>(buf.b.end() - buf.i); - } - } -} - -string -IceSSL::SslTransceiver::type() const -{ - return "ssl"; -} - -string -IceSSL::SslTransceiver::toString() const -{ - return fdToString(_fd); -} - -void -IceSSL::SslTransceiver::initialize(int timeout) -{ - assert(_sslConnection != 0); - - if(_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) - { - Trace out(_logger, _traceLevels->securityCat); - out << "Performing handshake.\n"; - out << fdToString(SSL_get_fd(_sslConnection)); - } - - while(true) - { - ERR_clear_error(); - int result; - if(_contextType == IceSSL::Client) - { - result = SSL_connect(_sslConnection); - } - else - { - result = SSL_accept(_sslConnection); - } - - // - // Success? - // - if(result == 1) - { - assert(SSL_is_init_finished(_sslConnection)); - - // - // Init finished, look at the connection information. - // -#ifdef ICE_SSL_EXTRA_TRACING - if(_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) - { - // - // Only in extreme cases do we enable this, partially because it doesn't use the Logger. 
- // - BIOJanitor bioJanitor(BIO_new_fp(stdout, BIO_NOCLOSE)); - BIO* bio = bioJanitor.get(); - - showCertificateChain(bio); - - showPeerCertificate(bio, _contextType == IceSSL::Server : "Server" ? "Client"); - - showSharedCiphers(bio); - - showSelectedCipherInfo(bio); - - showHandshakeStats(bio); - - showSessionInfo(bio); - } -#endif - return; - } - - switch(SSL_get_error(_sslConnection, result)) - { - case SSL_ERROR_WANT_READ: - { - readSelect(timeout); - continue; - } - - case SSL_ERROR_WANT_WRITE: - { - writeSelect(timeout); - continue; - } - - case SSL_ERROR_NONE: - { - continue; - } - - case SSL_ERROR_WANT_X509_LOOKUP: - { - Warning warn(_logger); - warn << "SSL_ERROR_NONE"; - continue; - } - - case SSL_ERROR_SYSCALL: - { - if(result == -1) - { - if(interrupted()) - { - break; - } - - assert(!wouldBlock()); - - if(connectionLost()) - { - ConnectionLostException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - } - - SocketException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - - case SSL_ERROR_SSL: - { - long err = SSL_get_verify_result(_sslConnection); - if(err != X509_V_OK) - { - // - // On a client we raise the CertificateVerificationException. On the - // server side we simply close the connection. - // - if(_contextType == IceSSL::Client) - { - CertificateVerificationException ex(__FILE__, __LINE__); - ex.message = getVerificationError(err); - string errors = sslGetErrors(); - if(!errors.empty()) - { - ex.message += "\n"; - ex.message += errors; - } - throw ex; - } - else - { - // - // Validation failed, close the connection. - // - throw ConnectionRefusedException(__FILE__, __LINE__); - } - } - - // - // This happens if the client or server silently drop - // the connection. That can occur if the server - // doesn't trust the client for example. 
- // - ProtocolException ex(__FILE__, __LINE__); - ex.message = "encountered a violation of the ssl protocol during handshake\n"; - ex.message += sslGetErrors(); - throw ex; - } - - case SSL_ERROR_ZERO_RETURN: - { - ConnectionLostException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - } - } -} - -IceSSL::SslTransceiverPtr -IceSSL::SslTransceiver::getTransceiver(SSL* sslPtr) -{ - IceUtil::StaticMutex::Lock sync(_transceiverRepositoryMutex); - - assert(sslPtr); - - SslTransceiver* transceiver = _transceiverMap[sslPtr]; - - assert(transceiver); - - return SslTransceiverPtr(transceiver); -} - -// -// Note: Do not throw exceptions from verifyCertificate - it would rip -// through the OpenSSL system, interfering with the usual handling and -// alert system of the handshake. Exceptions should be caught here -// (if they can be generated), logged and then a fail return code (0) -// should returned. -// -int -IceSSL::SslTransceiver::verifyCertificate(int preVerifyOkay, X509_STORE_CTX* x509StoreContext) -{ - // Should NEVER be able to happen. - assert(_certificateVerifier.get() != 0); - - // Get the verifier, make sure it is for OpenSSL connections - CertificateVerifierOpenSSLPtr verifier; - verifier = dynamic_cast<CertificateVerifierOpenSSL*>(_certificateVerifier.get()); - - // Check to make sure we have a proper verifier for the operation. - if(verifier) - { - // Use the verifier to verify the certificate - try - { - preVerifyOkay = verifier->verify(preVerifyOkay, x509StoreContext, _sslConnection); - } - catch(const Ice::LocalException& localEx) - { - if(_traceLevels->security >= IceSSL::SECURITY_WARNINGS) - { - Trace out(_logger, _traceLevels->networkCat); - out << "WRN exception during certificate verification: \n"; - out << localEx; - } - - preVerifyOkay = 0; - } - } - else - { - // Note: This code should NEVER be able to be reached, as we check each - // CertificateVerifier as it is added to the System. 
- - if(_traceLevels->security >= IceSSL::SECURITY_WARNINGS) - { - Trace out(_logger, _traceLevels->networkCat); - - if(_certificateVerifier.get()) - { - out << "WRN improper CertificateVerifier type"; - } - else - { - // NOTE: This should NEVER be able to happen, but just in case. - out << "WRN CertificateVerifier not set"; - } - } - } - - return preVerifyOkay; -} - -// -// Protected Methods -// - -void -IceSSL::SslTransceiver::internalShutdownWrite(int timeout) -{ - while(true) - { - ERR_clear_error(); - int result = SSL_shutdown(_sslConnection); - if(result == 0) - { - // - // From the documentation: - // - // The shutdown is not yet finished. Call SSL_shutdown() - // for a second time, if a bidirectional shutdown shall be - // performed. The output of SSL_get_error(3) may be - // misleading, as an erroneous SSL_ERROR_SYSCALL may be - // flagged even though no error occurred. - // - // Call it one more time. If the result is 0 then we're done. - // - result = SSL_shutdown(_sslConnection); - if(result == 0) - { - return; - } - } - if(result == 1) - { - // Shutdown successful - shut down the socket for writing. - shutdownSocketWrite(SSL_get_fd(_sslConnection)); - return; - } - else if(result == -1) - { - switch(SSL_get_error(_sslConnection, result)) - { - case SSL_ERROR_WANT_WRITE: - { - writeSelect(timeout); - continue; - } - - case SSL_ERROR_WANT_READ: - { - readSelect(timeout); - continue; - } - - case SSL_ERROR_NONE: - case SSL_ERROR_WANT_X509_LOOKUP: - { - continue; - } - - case SSL_ERROR_SYSCALL: - { - if(interrupted()) - { - continue; - } - - assert(!wouldBlock()); - - if(connectionLost()) - { - ConnectionLostException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - - // - // Non-specific socket problem. - // - SocketException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - - case SSL_ERROR_SSL: - { - // - // Error in the SSL library, usually a Protocol error. 
- // - - ProtocolException ex(__FILE__, __LINE__); - ex.message = "encountered a violation of the ssl protocol during shutdown\n"; - ex.message += sslGetErrors(); - throw ex; - } - - case SSL_ERROR_ZERO_RETURN: - { - // - // Indicates that the SSL connection has been - // closed. For SSLv3.0 and TLSv1.0, it indicates - // that a closure alert was received, and thus the - // connection has been closed cleanly. - // - throw CloseConnectionException(__FILE__, __LINE__); - } - } - } - } -} - -void -IceSSL::SslTransceiver::select(int timeout, bool write) -{ - int ret; - - assert(_sslConnection != 0); - SOCKET fd = SSL_get_fd(_sslConnection); - - fd_set rwFdSet; - struct timeval tv; - - if(timeout >= 0) - { - tv.tv_sec = timeout / 1000; - tv.tv_usec = (timeout - tv.tv_sec * 1000) * 1000; - } - - do - { - FD_ZERO(&rwFdSet); - FD_SET(fd, &rwFdSet); - - if(timeout >= 0) - { - if(write) - { - ret = ::select(static_cast<int>(fd + 1), 0, &rwFdSet, 0, &tv); - } - else - { - ret = ::select(static_cast<int>(fd + 1), &rwFdSet, 0, 0, &tv); - } - } - else - { - if(write) - { - ret = ::select(static_cast<int>(fd + 1), 0, &rwFdSet, 0, 0); - } - else - { - ret = ::select(static_cast<int>(fd + 1), &rwFdSet, 0, 0, 0); - } - } - } - while(ret == SOCKET_ERROR && interrupted()); - - if(ret == SOCKET_ERROR) - { - SocketException ex(__FILE__, __LINE__); - ex.error = getSocketErrno(); - throw ex; - } - - if(ret == 0) - { - throw TimeoutException(__FILE__, __LINE__); - } -} - -void -IceSSL::SslTransceiver::readSelect(int timeout) -{ - select(timeout, false); -} - -void -IceSSL::SslTransceiver::writeSelect(int timeout) -{ - select(timeout, true); -} - -// -// Static Protected -// - -void -IceSSL::SslTransceiver::addTransceiver(SSL* sslPtr, SslTransceiver* transceiver) -{ - assert(sslPtr); - assert(transceiver); - IceUtil::StaticMutex::Lock sync(_transceiverRepositoryMutex); - _transceiverMap[sslPtr] = transceiver; -} - -void -IceSSL::SslTransceiver::removeTransceiver(SSL* sslPtr) -{ - 
assert(sslPtr); - IceUtil::StaticMutex::Lock sync(_transceiverRepositoryMutex); - _transceiverMap.erase(sslPtr); -} - -#ifdef ICE_SSL_EXTRA_TRACING - -void -IceSSL::SslTransceiver::showCertificateChain(BIO* bio) -{ - assert(_sslConnection != 0); - assert(bio != 0); - - STACK_OF(X509)* sk; - - // Big nasty buffer - char buffer[4096]; - - if((sk = SSL_get_peer_cert_chain(_sslConnection)) != 0) - { - BIO_printf(bio,"---\nCertificate chain\n"); - - for(int i = 0; i < sk_X509_num(sk); i++) - { - X509_NAME_oneline(X509_get_subject_name(sk_X509_value(sk,i)), buffer, int(sizeof(buffer))); - BIO_printf(bio, "%2d s:%s\n", i, buffer); - - X509_NAME_oneline(X509_get_issuer_name(sk_X509_value(sk,i)), buffer, int(sizeof(buffer))); - BIO_printf(bio, " i:%s\n", buffer); - - PEM_write_bio_X509(bio, sk_X509_value(sk, i)); - } - } - else - { - BIO_printf(bio, "---\nNo peer certificate chain available.\n"); - } -} - -void -IceSSL::SslTransceiver::showPeerCertificate(BIO* bio, const char* connType) -{ - assert(_sslConnection != 0); - assert(bio != 0); - - X509* peerCert = 0; - char buffer[4096]; - - if((peerCert = SSL_get_peer_certificate(_sslConnection)) != 0) - { - BIO_printf(bio, "%s Certificate\n", connType); - PEM_write_bio_X509(bio, peerCert); - - X509_NAME_oneline(X509_get_subject_name(peerCert), buffer, int(sizeof(buffer))); - BIO_printf(bio, "subject=%s\n", buffer); - - X509_NAME_oneline(X509_get_issuer_name(peerCert), buffer, int(sizeof(buffer))); - BIO_printf(bio, "issuer=%s\n", buffer); - - EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(peerCert); - BIO_printf(bio,"%s public key is %d bit\n", connType, EVP_PKEY_bits(pktmp)); - EVP_PKEY_free(pktmp); - - X509_free(peerCert); - } - else - { - BIO_printf(bio, "No %s certificate available.\n", connType); - } -} - -void -IceSSL::SslTransceiver::showSharedCiphers(BIO* bio) -{ - assert(_sslConnection != 0); - assert(bio != 0); - - char buffer[4096]; - char* strPointer = 0; - - if((strPointer = SSL_get_shared_ciphers(_sslConnection, 
buffer, int(sizeof(buffer)))) != 0) - { - // This works only for SSL 2. In later protocol versions, the client does not know - // what other ciphers (in addition to the one to be used in the current connection) - // the server supports. - - BIO_printf(bio, "---\nShared Ciphers:\n"); - - int j = 0; - int i = 0; - - while(*strPointer) - { - if(*strPointer == ':') - { - BIO_write(bio, " ", (15-j%25)); - i++; - j=0; - BIO_write(bio, ((i%3)?" ":"\n"), 1); - } - else - { - BIO_write(bio, strPointer, 1); - j++; - } - - strPointer++; - } - - BIO_write(bio,"\n",1); - } -} - -void -IceSSL::SslTransceiver::showSessionInfo(BIO* bio) -{ - assert(_sslConnection != 0); - assert(bio != 0); - - if(_sslConnection->hit) - { - BIO_printf(bio, "Reused session-id\n"); - } - - PEM_write_bio_SSL_SESSION(bio, SSL_get_session(_sslConnection)); -} - -void -IceSSL::SslTransceiver::showSelectedCipherInfo(BIO* bio) -{ - assert(_sslConnection != 0); - assert(bio != 0); - - const char* str; - SSL_CIPHER* cipher; - - // Show the cipher that was finally selected. - cipher = SSL_get_current_cipher(_sslConnection); - - str = SSL_CIPHER_get_name(cipher); - BIO_printf(bio, "Cipher Name: %s\n", ((str != 0) ? str : "(NONE)")); - - str = SSL_CIPHER_get_version(cipher); - BIO_printf(bio, "Cipher Version: %s\n", ((str != 0) ? 
str : "(NONE)")); -} - -void -IceSSL::SslTransceiver::showHandshakeStats(BIO* bio) -{ - assert(_sslConnection != 0); - assert(bio != 0); - - BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n", - BIO_number_read(SSL_get_rbio(_sslConnection)), - BIO_number_written(SSL_get_wbio(_sslConnection))); -} - -void -IceSSL::SslTransceiver::showClientCAList(BIO* bio, const char* connType) -{ - assert(_sslConnection != 0); - assert(bio != 0); - assert(connType != 0); - - char buffer[4096]; - STACK_OF(X509_NAME)* sk = SSL_get_client_CA_list(_sslConnection); - - if((sk != 0) && (sk_X509_NAME_num(sk) > 0)) - { - BIO_printf(bio,"---\nAcceptable %s certificate CA names\n", connType); - - for(int i = 0; i < sk_X509_NAME_num(sk); i++) - { - X509_NAME_oneline(sk_X509_NAME_value(sk, i), buffer, int(sizeof(buffer))); - BIO_write(bio, buffer, int(strlen(buffer))); - BIO_write(bio,"\n", 1); - } - } - else - { - BIO_printf(bio,"---\nNo %s certificate CA names sent\n", connType); - } -} - -#endif - -// -// Private Methods -// - -IceSSL::SslTransceiver::SslTransceiver(ContextType contextType, - const OpenSSLPluginIPtr& plugin, - SOCKET fd, - const CertificateVerifierPtr& certificateVerifier, - SSL* sslConnection, - int timeout) : - _contextType(contextType), - _plugin(plugin), - _fd(fd), - _certificateVerifier(certificateVerifier), - _sslConnection(sslConnection), - _logger(plugin->getLogger()), - _traceLevels(plugin->getTraceLevels()), - _stats(plugin->getStats()) -{ - assert(sslConnection != 0); - - SSL_set_ex_data(sslConnection, 0, static_cast<void*>(plugin.get())); - - // Set the Connect Connection state for this connection. - if(contextType == IceSSL::Client) - { - SSL_set_connect_state(_sslConnection); - } - else - { - SSL_set_accept_state(_sslConnection); - } - - // Set up the SSL to be able to refer back to our connection object. 
- addTransceiver(_sslConnection, this); -} - -IceSSL::SslTransceiver::~SslTransceiver() -{ - assert(_sslConnection != 0); - - removeTransceiver(_sslConnection); - SSL_set_ex_data(_sslConnection, 0, 0); - SSL_free(_sslConnection); - _sslConnection = 0; -} diff --git a/cpp/src/IceSSL/SslTransceiver.h b/cpp/src/IceSSL/SslTransceiver.h deleted file mode 100644 index b76b5bcbd69..00000000000 --- a/cpp/src/IceSSL/SslTransceiver.h +++ /dev/null 
@@ -1,102 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_TRANSCEIVER_H
-#define ICE_SSL_TRANSCEIVER_H
-
-#include <IceUtil/Mutex.h>
-#include <Ice/LoggerF.h>
-#include <Ice/StatsF.h>
-#include <IceSSL/SslTransceiverF.h>
-#include <IceSSL/OpenSSLPluginIF.h>
-#include <IceSSL/TraceLevelsF.h>
-#include <IceSSL/CertificateVerifierF.h>
-
-#include <IceUtil/StaticMutex.h>
-#include <Ice/Transceiver.h>
-#include <Ice/Buffer.h>
-#include <IceSSL/CertificateVerifierOpenSSL.h>
-
-#include <openssl/ssl.h>
-#include <map>
-
-namespace IceSSL
-{
-
-// NOTE: This is a mapping from SSL* to SslTransceiver*, for use with
-// the verifyCallback. I have purposely not used SslTransceiverPtr
-// here, as connections register themselves with this map on
-// construction and unregister themselves in the destructor. If this
-// map used SslTransceiverPtr, SslTransceiver instances would never
-// destruct as there would always be a reference to them from the map.
-class SslTransceiver;
-typedef std::map<SSL*, SslTransceiver*> SslTransceiverMap;
-
-class SslTransceiver : public IceInternal::Transceiver
-{
-public:
-
- virtual SOCKET fd();
- virtual void close();
- virtual void shutdownWrite();
- virtual void shutdownReadWrite();
- virtual void write(IceInternal::Buffer&, int);
- virtual void read(IceInternal::Buffer&, int);
- virtual std::string type() const;
- virtual std::string toString() const;
- virtual void initialize(int timeout);
-
- static SslTransceiverPtr getTransceiver(SSL*);
-
- // Callback from OpenSSL for purposes of certificate verification
- int verifyCertificate(int, X509_STORE_CTX*);
-
-private:
-
- void internalShutdownWrite(int timeout);
-
- void select(int, bool);
- void readSelect(int);
- void writeSelect(int);
-
- static void addTransceiver(SSL*, SslTransceiver*);
- static void removeTransceiver(SSL*);
-
-#ifdef ICE_SSL_EXTRA_TRACING
- void showCertificateChain(BIO*);
- void showPeerCertificate(BIO*, const char*);
- void showSharedCiphers(BIO*);
- void showSessionInfo(BIO*);
- void showSelectedCipherInfo(BIO*);
- void showHandshakeStats(BIO*);
- void showClientCAList(BIO*, const char*);
-#endif
-
- static SslTransceiverMap _transceiverMap;
- static IceUtil::StaticMutex _transceiverRepositoryMutex;
-
- SslTransceiver(ContextType, const OpenSSLPluginIPtr&, SOCKET, const IceSSL::CertificateVerifierPtr&, SSL*, int);
- virtual ~SslTransceiver();
- friend class ClientContext;
- friend class ServerContext;
-
- // Pointer to the OpenSSL Connection structure.
- const ContextType _contextType;
- const OpenSSLPluginIPtr _plugin;
- SOCKET _fd;
- const IceSSL::CertificateVerifierPtr _certificateVerifier;
- /*const*/ SSL* _sslConnection;
- const Ice::LoggerPtr _logger;
- const TraceLevelsPtr _traceLevels;
- const Ice::StatsPtr _stats;
-};
-
-}
-
-#endif
diff --git a/cpp/src/IceSSL/SslTransceiverF.h b/cpp/src/IceSSL/SslTransceiverF.h
deleted file mode 100644
index 40ee2e3a2f4..00000000000
--- a/cpp/src/IceSSL/SslTransceiverF.h
+++ /dev/null
@@ -1,31 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_TRANSEIVER_OPENSSL_F_H
-#define ICE_SSL_TRANSEIVER_OPENSSL_F_H
-
-#include <Ice/Handle.h>
-
-namespace IceSSL
-{
-
-class SslTransceiver;
-typedef IceInternal::Handle<SslTransceiver> SslTransceiverPtr;
-
-}
-
-namespace IceInternal
-{
-
-void incRef(::IceSSL::SslTransceiver*);
-void decRef(::IceSSL::SslTransceiver*);
-
-}
-
-#endif
diff --git a/cpp/src/IceSSL/TempCerts.cpp b/cpp/src/IceSSL/TempCerts.cpp
deleted file mode 100644
index 16f08acfd8a..00000000000
--- a/cpp/src/IceSSL/TempCerts.cpp
+++ /dev/null
@@ -1,45 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#include <IceSSL/TempCerts.h>
-
-IceSSL::TempCertificates::TempCertificates()
-{
-}
-
-IceSSL::TempCertificates::~TempCertificates()
-{
- _rsaCerts.clear();
- _dhParams.clear();
-}
-
-void
-IceSSL::TempCertificates::addRSACert(CertificateDesc& certDesc)
-{
- _rsaCerts.push_back(certDesc);
-}
-
-void
-IceSSL::TempCertificates::addDHParams(DiffieHellmanParamsFile& dhParams)
-{
- _dhParams.push_back(dhParams);
-}
-
-IceSSL::RSAVector&
-IceSSL::TempCertificates::getRSACerts()
-{
- return _rsaCerts;
-}
-
-IceSSL::DHVector&
-IceSSL::TempCertificates::getDHParams()
-{
- return _dhParams;
-}
-
diff --git a/cpp/src/IceSSL/TempCerts.h b/cpp/src/IceSSL/TempCerts.h
deleted file mode 100644
index 95090b4e779..00000000000
--- a/cpp/src/IceSSL/TempCerts.h
+++ /dev/null
@@ -1,67 +0,0 @@
-// **********************************************************************
-//
-// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
-//
-// This copy of Ice is licensed to you under the terms described in the
-// ICE_LICENSE file included in this distribution.
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_TEMP_CERTS_H
-#define ICE_SSL_TEMP_CERTS_H
-
-#include <IceSSL/CertificateDesc.h>
-
-namespace IceSSL
-{
-
-class TempCertificates
-{
-public:
-
- TempCertificates();
- ~TempCertificates();
-
- void addRSACert(CertificateDesc&);
- void addDHParams(DiffieHellmanParamsFile&);
-
- RSAVector& getRSACerts();
- DHVector& getDHParams();
-
-protected:
-
- RSAVector _rsaCerts;
- DHVector _dhParams;
-};
-
-template<class Stream>
-inline Stream& operator << (Stream& target, TempCertificates& tmpCerts)
-{
- RSAVector::iterator iRSA = tmpCerts.getRSACerts().begin();
- RSAVector::iterator eRSA = tmpCerts.getRSACerts().end();
-
- while(iRSA != eRSA)
- {
- target << "RSA\n{\n";
- IceSSL::operator<<(target, *iRSA);
- target << "}\n\n";
- iRSA++;
- }
-
- DHVector::iterator iDHP = tmpCerts.getDHParams().begin();
- DHVector::iterator eDHP = tmpCerts.getDHParams().end();
-
- while(iDHP != eDHP)
- {
- target << "DH\n{\n";
- IceSSL::operator<<(target, *iDHP);
- target << "}\n\n";
- iDHP++;
- }
-
- return target;
-}
-
-}
-
-#endif
diff --git a/cpp/src/IceSSL/TraceLevels.cpp b/cpp/src/IceSSL/TraceLevels.cpp
deleted file mode 100644
index 64012d17472..00000000000
--- a/cpp/src/IceSSL/TraceLevels.cpp
+++ /dev/null
@@ -1,35 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <IceSSL/TraceLevels.h> -#include <Ice/Communicator.h> -#include <Ice/Properties.h> -#include <Ice/ProtocolPluginFacade.h> - -using namespace std; -using namespace Ice; - -void IceInternal::incRef(IceSSL::TraceLevels* p) { p->__incRef(); } -void IceInternal::decRef(IceSSL::TraceLevels* p) { p->__decRef(); } - -IceSSL::TraceLevels::TraceLevels(const IceInternal::ProtocolPluginFacadePtr& protocolPluginFacade) : - network(0), - security(0), - securityCat("Security") -{ - const_cast<int&>(network) = protocolPluginFacade->getNetworkTraceLevel(); - networkCat = protocolPluginFacade->getNetworkTraceCategory(); - - PropertiesPtr properties = protocolPluginFacade->getCommunicator()->getProperties(); - const_cast<int&>(security) = properties->getPropertyAsInt("IceSSL.Trace.Security"); -} - -IceSSL::TraceLevels::~TraceLevels() -{ -} diff --git a/cpp/src/IceSSL/TraceLevels.h b/cpp/src/IceSSL/TraceLevels.h deleted file mode 100644 index dd4e4dddca2..00000000000 --- a/cpp/src/IceSSL/TraceLevels.h +++ /dev/null 
@@ -1,36 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_TRACE_LEVELS_H -#define ICE_SSL_TRACE_LEVELS_H - -#include <IceUtil/Shared.h> -#include <Ice/ProtocolPluginFacadeF.h> -#include <IceSSL/TraceLevelsF.h> - -namespace IceSSL -{ - -class TraceLevels : public ::IceUtil::Shared -{ -public: - - TraceLevels(const IceInternal::ProtocolPluginFacadePtr&); - virtual ~TraceLevels(); - - const int network; - const char* networkCat; - - const int security; - const char* securityCat; -}; - -} - -#endif diff --git a/cpp/src/IceSSL/TraceLevelsF.h b/cpp/src/IceSSL/TraceLevelsF.h deleted file mode 100644 index d12d8fbbfa4..00000000000 --- a/cpp/src/IceSSL/TraceLevelsF.h +++ /dev/null @@ -1,31 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_TRACE_LEVELS_F_H -#define ICE_SSL_TRACE_LEVELS_F_H - -#include <Ice/Handle.h> - -namespace IceSSL -{ - -class TraceLevels; -typedef IceInternal::Handle<TraceLevels> TraceLevelsPtr; - -} - -namespace IceInternal -{ - -void incRef(IceSSL::TraceLevels*); -void decRef(IceSSL::TraceLevels*); - -} - -#endif diff --git a/cpp/src/IceSSL/TransceiverI.cpp b/cpp/src/IceSSL/TransceiverI.cpp new file mode 100644 index 00000000000..c294a0b2538 --- /dev/null +++ b/cpp/src/IceSSL/TransceiverI.cpp 
@@ -0,0 +1,398 @@ +// ********************************************************************** +// +// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. +// +// This copy of Ice is licensed to you under the terms described in the +// ICE_LICENSE file included in this distribution. +// +// ********************************************************************** + +#include <TransceiverI.h> +#include <Instance.h> +#include <Util.h> +#include <Ice/Communicator.h> +#include <Ice/LoggerUtil.h> +#include <Ice/Stats.h> +#include <Ice/Buffer.h> +#include <Ice/Network.h> +#include <Ice/LocalException.h> + +#include <openssl/err.h> + +using namespace std; +using namespace Ice; +using namespace IceSSL; + +SOCKET +IceSSL::TransceiverI::fd() +{ + assert(_fd != INVALID_SOCKET); + return _fd; +} + +void +IceSSL::TransceiverI::close() +{ + if(_instance->networkTraceLevel() >= 1) + { + Trace out(_logger, _instance->networkTraceCategory()); + out << "closing ssl connection\n" << toString(); + } + + assert(_fd != INVALID_SOCKET); + SSL_free(_ssl); + _ssl = 0; + _fd = INVALID_SOCKET; +} + +void +IceSSL::TransceiverI::shutdownWrite() +{ + if(_instance->networkTraceLevel() >= 2) + { + Trace out(_logger, _instance->networkTraceCategory()); + out << "shutting down ssl connection for writing\n" << toString(); + } + + int err = SSL_shutdown(_ssl); + if(err < 0) + { + Warning out(_logger); + out << "IceSSL: failure while performing SSL shutdown:\n" << _instance->sslErrors(); + } + ERR_clear_error(); + + assert(_fd != INVALID_SOCKET); + IceInternal::shutdownSocketWrite(_fd); +} + +void +IceSSL::TransceiverI::shutdownReadWrite() +{ + if(_instance->networkTraceLevel() >= 2) + { + Trace out(_logger, _instance->networkTraceCategory()); + out << "shutting down ssl connection for reading and writing\n" << toString(); + } + + int err = SSL_shutdown(_ssl); + if(err < 0) + { + Warning out(_logger); + out << "IceSSL: failure while performing SSL shutdown:\n" << _instance->sslErrors(); + } + 
ERR_clear_error(); + + assert(_fd != INVALID_SOCKET); + IceInternal::shutdownSocketReadWrite(_fd); +} + +void +IceSSL::TransceiverI::write(IceInternal::Buffer& buf, int timeout) +{ + IceInternal::Buffer::Container::difference_type packetSize = + static_cast<IceInternal::Buffer::Container::difference_type>(buf.b.end() - buf.i); + +#ifdef _WIN32 + // + // Limit packet size to avoid performance problems on WIN32 + // + if(_isPeerLocal && packetSize > 64 * 1024) + { + packetSize = 64 * 1024; + } +#endif + + while(buf.i != buf.b.end()) + { + assert(_fd != INVALID_SOCKET); + int ret = SSL_write(_ssl, reinterpret_cast<const void*>(&*buf.i), packetSize); + + if(ret <= 0) + { + switch(SSL_get_error(_ssl, ret)) + { + case SSL_ERROR_NONE: + assert(false); + break; + case SSL_ERROR_ZERO_RETURN: + { + ConnectionLostException ex(__FILE__, __LINE__); + ex.error = IceInternal::getSocketErrno(); + throw ex; + } + case SSL_ERROR_WANT_READ: + { + if(!selectRead(_fd, timeout)) + { + throw TimeoutException(__FILE__, __LINE__); + } + continue; + } + case SSL_ERROR_WANT_WRITE: + { + if(!selectWrite(_fd, timeout)) + { + throw TimeoutException(__FILE__, __LINE__); + } + continue; + } + case SSL_ERROR_SYSCALL: + { + if(ret == -1) + { + if(IceInternal::interrupted()) + { + continue; + } + + if(IceInternal::noBuffers() && packetSize > 1024) + { + packetSize /= 2; + continue; + } + + if(IceInternal::wouldBlock()) + { + if(SSL_want_read(_ssl)) + { + if(!selectRead(_fd, timeout)) + { + throw TimeoutException(__FILE__, __LINE__); + } + } + else if(SSL_want_write(_ssl)) + { + if(!selectWrite(_fd, timeout)) + { + throw TimeoutException(__FILE__, __LINE__); + } + } + + continue; + } + + if(IceInternal::connectionLost()) + { + ConnectionLostException ex(__FILE__, __LINE__); + ex.error = IceInternal::getSocketErrno(); + throw ex; + } + } + + if(ret == 0) + { + ConnectionLostException ex(__FILE__, __LINE__); + ex.error = 0; + throw ex; + } + + SocketException ex(__FILE__, __LINE__); + ex.error = 
IceInternal::getSocketErrno(); + throw ex; + } + case SSL_ERROR_SSL: + { + ProtocolException ex(__FILE__, __LINE__); + ex.reason = "SSL protocol error during write:\n" + _instance->sslErrors(); + throw ex; + } + } + } + + if(_instance->networkTraceLevel() >= 3) + { + Trace out(_logger, _instance->networkTraceCategory()); + out << "sent " << ret << " of " << packetSize << " bytes via ssl\n" << toString(); + } + + if(_stats) + { + _stats->bytesSent(type(), static_cast<Int>(ret)); + } + + buf.i += ret; + + if(packetSize > buf.b.end() - buf.i) + { + packetSize = static_cast<IceInternal::Buffer::Container::difference_type>(buf.b.end() - buf.i); + } + } +} + +void +IceSSL::TransceiverI::read(IceInternal::Buffer& buf, int timeout) +{ + IceInternal::Buffer::Container::difference_type packetSize = + static_cast<IceInternal::Buffer::Container::difference_type>(buf.b.end() - buf.i); + + while(buf.i != buf.b.end()) + { + assert(_fd != INVALID_SOCKET); + int ret = SSL_read(_ssl, reinterpret_cast<void*>(&*buf.i), packetSize); + + if(ret <= 0) + { + switch(SSL_get_error(_ssl, ret)) + { + case SSL_ERROR_NONE: + assert(false); + break; + case SSL_ERROR_ZERO_RETURN: + { + // + // If the connection is lost when reading data, we shut + // down the write end of the socket. This helps to unblock + // threads that are stuck in send() or select() while + // sending data. Note: I don't really understand why + // send() or select() sometimes don't detect a connection + // loss. Therefore this helper to make them detect it. 
+ // + //assert(_fd != INVALID_SOCKET); + //shutdownSocketReadWrite(_fd); + + ConnectionLostException ex(__FILE__, __LINE__); + ex.error = 0; + throw ex; + } + case SSL_ERROR_WANT_READ: + { + if(!selectRead(_fd, timeout)) + { + throw TimeoutException(__FILE__, __LINE__); + } + continue; + } + case SSL_ERROR_WANT_WRITE: + { + if(!selectWrite(_fd, timeout)) + { + throw TimeoutException(__FILE__, __LINE__); + } + continue; + } + case SSL_ERROR_SYSCALL: + { + if(ret == -1) + { + if(IceInternal::interrupted()) + { + continue; + } + + if(IceInternal::noBuffers() && packetSize > 1024) + { + packetSize /= 2; + continue; + } + + if(IceInternal::wouldBlock()) + { + if(SSL_want_read(_ssl)) + { + if(!selectRead(_fd, timeout)) + { + throw TimeoutException(__FILE__, __LINE__); + } + } + else if(SSL_want_write(_ssl)) + { + if(!selectWrite(_fd, timeout)) + { + throw TimeoutException(__FILE__, __LINE__); + } + } + + continue; + } + + if(IceInternal::connectionLost()) + { + // + // See the commment above about shutting down the + // socket if the connection is lost while reading + // data. 
+ // + //assert(_fd != INVALID_SOCKET); + //shutdownSocketReadWrite(_fd); + + ConnectionLostException ex(__FILE__, __LINE__); + ex.error = IceInternal::getSocketErrno(); + throw ex; + } + } + + if(ret == 0) + { + ConnectionLostException ex(__FILE__, __LINE__); + ex.error = 0; + throw ex; + } + + SocketException ex(__FILE__, __LINE__); + ex.error = IceInternal::getSocketErrno(); + throw ex; + } + case SSL_ERROR_SSL: + { + ProtocolException ex(__FILE__, __LINE__); + ex.reason = "SSL protocol error during read:\n" + _instance->sslErrors(); + throw ex; + } + } + } + + if(_instance->networkTraceLevel() >= 3) + { + Trace out(_logger, _instance->networkTraceCategory()); + out << "received " << ret << " of " << packetSize << " bytes via ssl\n" << toString(); + } + + if(_stats) + { + _stats->bytesReceived(type(), static_cast<Int>(ret)); + } + + buf.i += ret; + + if(packetSize > buf.b.end() - buf.i) + { + packetSize = static_cast<IceInternal::Buffer::Container::difference_type>(buf.b.end() - buf.i); + } + } +} + +string +IceSSL::TransceiverI::type() const +{ + return "ssl"; +} + +string +IceSSL::TransceiverI::toString() const +{ + return _desc; +} + +void +IceSSL::TransceiverI::initialize(int) +{ +} + +IceSSL::TransceiverI::TransceiverI(const InstancePtr& instance, SSL* ssl, SOCKET fd) : + _instance(instance), + _logger(instance->communicator()->getLogger()), + _stats(instance->communicator()->getStats()), + _ssl(ssl), + _fd(fd), + _desc(IceInternal::fdToString(fd)) +#ifdef _WIN32 + , _isPeerLocal(IceInternal::isPeerLocal(fd)) +#endif +{ +} + +IceSSL::TransceiverI::~TransceiverI() +{ + assert(_fd == INVALID_SOCKET); +} diff --git a/cpp/src/IceSSL/TransceiverI.h b/cpp/src/IceSSL/TransceiverI.h new file mode 100644 index 00000000000..442b42a6758 --- /dev/null +++ b/cpp/src/IceSSL/TransceiverI.h 
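Review bot: `close()` frees the SSL object and resets `_fd = INVALID_SOCKET` but never closes the descriptor, and `SSL_free` does not close an fd attached with `SSL_set_fd`; unless `ConnectorI`/`AcceptorI` close it elsewhere (not visible here), add `IceInternal::closeSocket(_fd);` before the reset, as the TCP transceiver does. In `write`, the `SSL_ERROR_SYSCALL` branch retries `SSL_write` with a halved `packetSize` when `noBuffers()` is true, but OpenSSL requires a retried write to repeat the same arguments and a pending partially-written record will then fail with a bad-write-retry error, so this branch (apparently carried over from the TCP transceiver) is more likely to surface a protocol error than to recover. The `wouldBlock()` sub-branch under `SSL_ERROR_SYSCALL` in both `write` and `read` looks unreachable for a socket BIO, which reports EWOULDBLOCK as `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE`; a comment stating which case it is meant to cover, or dropping it, would make the error handling easier to audit.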
@@ -0,0 +1,62 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_TRANSCEIVER_I_H
+#define ICE_SSL_TRANSCEIVER_I_H
+
+#include <InstanceF.h>
+#include <Ice/LoggerF.h>
+#include <Ice/StatsF.h>
+#include <Ice/Transceiver.h>
+
+#include <openssl/ssl.h>
+
+namespace IceSSL
+{
+
+class ConnectorI;
+class AcceptorI;
+
+class TransceiverI : public IceInternal::Transceiver
+{
+public:
+
+ virtual SOCKET fd();
+ virtual void close();
+ virtual void shutdownWrite();
+ virtual void shutdownReadWrite();
+ virtual void write(IceInternal::Buffer&, int);
+ virtual void read(IceInternal::Buffer&, int);
+ virtual std::string type() const;
+ virtual std::string toString() const;
+ virtual void initialize(int);
+
+private:
+
+ TransceiverI(const InstancePtr&, SSL*, SOCKET);
+ virtual ~TransceiverI();
+ friend class ConnectorI;
+ friend class AcceptorI;
+
+ const InstancePtr _instance;
+ const Ice::LoggerPtr _logger;
+ const Ice::StatsPtr _stats;
+
+ SSL* _ssl;
+ SOCKET _fd;
+
+ const std::string _desc;
+#ifdef _WIN32
+ const bool _isPeerLocal;
+#endif
+};
+
+}
+
+#endif
diff --git a/cpp/src/IceSSL/Util.cpp b/cpp/src/IceSSL/Util.cpp
new file mode 100644
index 00000000000..5e3beb72b04
--- /dev/null
+++ b/cpp/src/IceSSL/Util.cpp
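Review bot: The private constructor `TransceiverI(const InstancePtr&, SSL*, SOCKET)` takes a raw `SSL*` and a `SOCKET` with nothing in the header saying who owns them; the destructor only asserts `_fd == INVALID_SOCKET`, and since `ConnectorI` and `AcceptorI` are the only creators, the ownership contract is spread over three files. A comment above the constructor such as `// Takes ownership of ssl; close() frees it and invalidates fd. close() must run before destruction.` would pin it down for the next maintainer of the connector/acceptor code.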
@@ -0,0 +1,377 @@ +// ********************************************************************** +// +// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. +// +// This copy of Ice is licensed to you under the terms described in the +// ICE_LICENSE file included in this distribution. +// +// ********************************************************************** + +#include <Util.h> +#include <Ice/LocalException.h> + +using namespace std; +using namespace Ice; +using namespace IceSSL; + +#ifndef OPENSSL_NO_DH + +// The following arrays are predefined Diffie Hellman group parameters. +// These are known strong primes, distributed with the OpenSSL library +// in the files dh512.pem, dh1024.pem, dh2048.pem and dh4096.pem. +// They are not keys themselves, but the basis for generating DH keys +// on the fly. + +static unsigned char dh512_p[] = +{ + 0xF5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C, + 0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29, + 0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B, + 0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C, + 0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55, + 0xE9,0x2A,0x05,0x5F, +}; + +static unsigned char dh512_g[] = { 0x02 }; + +static unsigned char dh1024_p[] = +{ + 0xF4,0x88,0xFD,0x58,0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4, + 0x91,0x07,0x36,0x6B,0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C, + 0x88,0xB3,0x1C,0x7C,0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0, + 0x43,0xF0,0xA5,0x5B,0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D, + 0x38,0xD3,0x34,0xFD,0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C, + 0xDE,0x33,0x21,0x2C,0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40, + 0x18,0x11,0x8D,0x7C,0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03, + 0x19,0xC8,0x07,0x29,0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB, + 0xD0,0x0A,0x50,0x9B,0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D, + 0x41,0x9F,0x9C,0x7C,0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB, + 0xA2,0x5E,0xC3,0x55,0xE9,0x2F,0x78,0xC7, +}; + +static unsigned char dh1024_g[] = { 
0x02 }; + +static unsigned char dh2048_p[] = +{ + 0xF6,0x42,0x57,0xB7,0x08,0x7F,0x08,0x17,0x72,0xA2,0xBA,0xD6, + 0xA9,0x42,0xF3,0x05,0xE8,0xF9,0x53,0x11,0x39,0x4F,0xB6,0xF1, + 0x6E,0xB9,0x4B,0x38,0x20,0xDA,0x01,0xA7,0x56,0xA3,0x14,0xE9, + 0x8F,0x40,0x55,0xF3,0xD0,0x07,0xC6,0xCB,0x43,0xA9,0x94,0xAD, + 0xF7,0x4C,0x64,0x86,0x49,0xF8,0x0C,0x83,0xBD,0x65,0xE9,0x17, + 0xD4,0xA1,0xD3,0x50,0xF8,0xF5,0x59,0x5F,0xDC,0x76,0x52,0x4F, + 0x3D,0x3D,0x8D,0xDB,0xCE,0x99,0xE1,0x57,0x92,0x59,0xCD,0xFD, + 0xB8,0xAE,0x74,0x4F,0xC5,0xFC,0x76,0xBC,0x83,0xC5,0x47,0x30, + 0x61,0xCE,0x7C,0xC9,0x66,0xFF,0x15,0xF9,0xBB,0xFD,0x91,0x5E, + 0xC7,0x01,0xAA,0xD3,0x5B,0x9E,0x8D,0xA0,0xA5,0x72,0x3A,0xD4, + 0x1A,0xF0,0xBF,0x46,0x00,0x58,0x2B,0xE5,0xF4,0x88,0xFD,0x58, + 0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B, + 0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C, + 0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B, + 0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD, + 0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C, + 0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C, + 0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29, + 0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B, + 0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C, + 0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55, + 0xE9,0x32,0x0B,0x3B, +}; + +static unsigned char dh2048_g[] = { 0x02 }; + +static unsigned char dh4096_p[] = +{ + 0xFA,0x14,0x72,0x52,0xC1,0x4D,0xE1,0x5A,0x49,0xD4,0xEF,0x09, + 0x2D,0xC0,0xA8,0xFD,0x55,0xAB,0xD7,0xD9,0x37,0x04,0x28,0x09, + 0xE2,0xE9,0x3E,0x77,0xE2,0xA1,0x7A,0x18,0xDD,0x46,0xA3,0x43, + 0x37,0x23,0x90,0x97,0xF3,0x0E,0xC9,0x03,0x50,0x7D,0x65,0xCF, + 0x78,0x62,0xA6,0x3A,0x62,0x22,0x83,0xA1,0x2F,0xFE,0x79,0xBA, + 0x35,0xFF,0x59,0xD8,0x1D,0x61,0xDD,0x1E,0x21,0x13,0x17,0xFE, + 0xCD,0x38,0x87,0x9E,0xF5,0x4F,0x79,0x10,0x61,0x8D,0xD4,0x22, + 0xF3,0x5A,0xED,0x5D,0xEA,0x21,0xE9,0x33,0x6B,0x48,0x12,0x0A, + 
0x20,0x77,0xD4,0x25,0x60,0x61,0xDE,0xF6,0xB4,0x4F,0x1C,0x63, + 0x40,0x8B,0x3A,0x21,0x93,0x8B,0x79,0x53,0x51,0x2C,0xCA,0xB3, + 0x7B,0x29,0x56,0xA8,0xC7,0xF8,0xF4,0x7B,0x08,0x5E,0xA6,0xDC, + 0xA2,0x45,0x12,0x56,0xDD,0x41,0x92,0xF2,0xDD,0x5B,0x8F,0x23, + 0xF0,0xF3,0xEF,0xE4,0x3B,0x0A,0x44,0xDD,0xED,0x96,0x84,0xF1, + 0xA8,0x32,0x46,0xA3,0xDB,0x4A,0xBE,0x3D,0x45,0xBA,0x4E,0xF8, + 0x03,0xE5,0xDD,0x6B,0x59,0x0D,0x84,0x1E,0xCA,0x16,0x5A,0x8C, + 0xC8,0xDF,0x7C,0x54,0x44,0xC4,0x27,0xA7,0x3B,0x2A,0x97,0xCE, + 0xA3,0x7D,0x26,0x9C,0xAD,0xF4,0xC2,0xAC,0x37,0x4B,0xC3,0xAD, + 0x68,0x84,0x7F,0x99,0xA6,0x17,0xEF,0x6B,0x46,0x3A,0x7A,0x36, + 0x7A,0x11,0x43,0x92,0xAD,0xE9,0x9C,0xFB,0x44,0x6C,0x3D,0x82, + 0x49,0xCC,0x5C,0x6A,0x52,0x42,0xF8,0x42,0xFB,0x44,0xF9,0x39, + 0x73,0xFB,0x60,0x79,0x3B,0xC2,0x9E,0x0B,0xDC,0xD4,0xA6,0x67, + 0xF7,0x66,0x3F,0xFC,0x42,0x3B,0x1B,0xDB,0x4F,0x66,0xDC,0xA5, + 0x8F,0x66,0xF9,0xEA,0xC1,0xED,0x31,0xFB,0x48,0xA1,0x82,0x7D, + 0xF8,0xE0,0xCC,0xB1,0xC7,0x03,0xE4,0xF8,0xB3,0xFE,0xB7,0xA3, + 0x13,0x73,0xA6,0x7B,0xC1,0x0E,0x39,0xC7,0x94,0x48,0x26,0x00, + 0x85,0x79,0xFC,0x6F,0x7A,0xAF,0xC5,0x52,0x35,0x75,0xD7,0x75, + 0xA4,0x40,0xFA,0x14,0x74,0x61,0x16,0xF2,0xEB,0x67,0x11,0x6F, + 0x04,0x43,0x3D,0x11,0x14,0x4C,0xA7,0x94,0x2A,0x39,0xA1,0xC9, + 0x90,0xCF,0x83,0xC6,0xFF,0x02,0x8F,0xA3,0x2A,0xAC,0x26,0xDF, + 0x0B,0x8B,0xBE,0x64,0x4A,0xF1,0xA1,0xDC,0xEE,0xBA,0xC8,0x03, + 0x82,0xF6,0x62,0x2C,0x5D,0xB6,0xBB,0x13,0x19,0x6E,0x86,0xC5, + 0x5B,0x2B,0x5E,0x3A,0xF3,0xB3,0x28,0x6B,0x70,0x71,0x3A,0x8E, + 0xFF,0x5C,0x15,0xE6,0x02,0xA4,0xCE,0xED,0x59,0x56,0xCC,0x15, + 0x51,0x07,0x79,0x1A,0x0F,0x25,0x26,0x27,0x30,0xA9,0x15,0xB2, + 0xC8,0xD4,0x5C,0xCC,0x30,0xE8,0x1B,0xD8,0xD5,0x0F,0x19,0xA8, + 0x80,0xA4,0xC7,0x01,0xAA,0x8B,0xBA,0x53,0xBB,0x47,0xC2,0x1F, + 0x6B,0x54,0xB0,0x17,0x60,0xED,0x79,0x21,0x95,0xB6,0x05,0x84, + 0x37,0xC8,0x03,0xA4,0xDD,0xD1,0x06,0x69,0x8F,0x4C,0x39,0xE0, + 0xC8,0x5D,0x83,0x1D,0xBE,0x6A,0x9A,0x99,0xF3,0x9F,0x0B,0x45, + 
0x29,0xD4,0xCB,0x29,0x66,0xEE,0x1E,0x7E,0x3D,0xD7,0x13,0x4E,
+ 0xDB,0x90,0x90,0x58,0xCB,0x5E,0x9B,0xCD,0x2E,0x2B,0x0F,0xA9,
+ 0x4E,0x78,0xAC,0x05,0x11,0x7F,0xE3,0x9E,0x27,0xD4,0x99,0xE1,
+ 0xB9,0xBD,0x78,0xE1,0x84,0x41,0xA0,0xDF,
+};
+
+static unsigned char dh4096_g[] = { 0x02 };
+
+//
+// Convert a predefined parameter set into a DH value.
+//
+static DH*
+convertDH(unsigned char* p, int plen, unsigned char* g, int glen)
+{
+ assert(p != 0);
+ assert(g != 0);
+
+ DH* dh = DH_new();
+
+ if(dh != 0)
+ {
+ dh->p = BN_bin2bn(p, plen, 0);
+ dh->g = BN_bin2bn(g, glen, 0);
+
+ if((dh->p == 0) || (dh->g == 0))
+ {
+ DH_free(dh);
+ dh = 0;
+ }
+ }
+
+ return dh;
+}
+
+void IceSSL::incRef(DHParams* p) { p->__incRef(); }
+void IceSSL::decRef(DHParams* p) { p->__decRef(); }
+
+IceSSL::DHParams::DHParams() :
+ _dh512(0), _dh1024(0), _dh2048(0), _dh4096(0)
+{
+}
+
+IceSSL::DHParams::~DHParams()
+{
+ ParamList::iterator p;
+ for(p = _params.begin(); p != _params.end(); ++p)
+ {
+ DH_free(p->second);
+ }
+ DH_free(_dh512);
+ DH_free(_dh1024);
+ DH_free(_dh2048);
+ DH_free(_dh4096);
+}
+
+bool
+IceSSL::DHParams::add(int keyLength, const string& file)
+{
+ FILE* fp = fopen(file.c_str(), "r");
+ if(!fp)
+ {
+ return false;
+ }
+ DH* dh = PEM_read_DHparams(fp, 0, 0, 0);
+ fclose(fp);
+ if(!dh)
+ {
+ return false;
+ }
+ ParamList::iterator p = _params.begin();
+ while(p != _params.end() && keyLength > p->first)
+ {
+ ++p;
+ }
+ _params.insert(p, KeyParamPair(keyLength, dh));
+ return true;
+}
+
+DH*
+IceSSL::DHParams::get(int keyLength)
+{
+ //
+ // First check the set of parameters specified by the user.
+ // Return the first set whose key length is at least keyLength.
+ //
+ ParamList::iterator p;
+ for(p = _params.begin(); p != _params.end(); ++p)
+ {
+ if(p->first >= keyLength)
+ {
+ return p->second;
+ }
+ }
+
+ //
+ // No match found. Use one of the predefined parameter sets instead.
+ //
+ IceUtil::Mutex::Lock sync(*this);
+
+ if(keyLength >= 4096)
+ {
+ if(!_dh4096)
+ {
+ _dh4096 = convertDH(dh4096_p, (int) sizeof(dh4096_p), dh4096_g, (int) sizeof(dh4096_g));
+ }
+ return _dh4096;
+ }
+ else if(keyLength >= 2048)
+ {
+ if(!_dh2048)
+ {
+ _dh2048 = convertDH(dh2048_p, (int) sizeof(dh2048_p), dh2048_g, (int) sizeof(dh2048_g));
+ }
+ return _dh2048;
+ }
+ else if(keyLength >= 1024)
+ {
+ if(!_dh1024)
+ {
+ _dh1024 = convertDH(dh1024_p, (int) sizeof(dh1024_p), dh1024_g, (int) sizeof(dh1024_g));
+ }
+ return _dh1024;
+ }
+ else
+ {
+ if(!_dh512)
+ {
+ _dh512 = convertDH(dh512_p, (int) sizeof(dh512_p), dh512_g, (int) sizeof(dh512_g));
+ }
+ return _dh512;
+ }
+}
+
+#endif
+
+static bool
+selectReadWrite(SOCKET fd, bool read, int timeout)
+{
+ fd_set rFdSet, wFdSet;
+ FD_ZERO(&rFdSet);
+ FD_ZERO(&wFdSet);
+ if(read)
+ {
+ FD_SET(fd, &rFdSet);
+ }
+ else
+ {
+ FD_SET(fd, &wFdSet);
+ }
+
+repeatSelect:
+ int ret;
+ if(timeout >= 0)
+ {
+ struct timeval tv;
+ tv.tv_sec = timeout / 1000;
+ tv.tv_usec = (timeout - tv.tv_sec * 1000) * 1000;
+ ret = ::select(fd + 1, &rFdSet, &wFdSet, 0, &tv);
+ }
+ else
+ {
+ ret = ::select(fd + 1, &rFdSet, &wFdSet, 0, 0);
+ }
+
+ if(ret == 0)
+ {
+ return false; // Timeout.
+ }
+ else if(ret == SOCKET_ERROR)
+ {
+ if(IceInternal::interrupted())
+ {
+ goto repeatSelect;
+ }
+
+ SocketException ex(__FILE__, __LINE__);
+ ex.error = IceInternal::getSocketErrno();
+ throw ex;
+ }
+
+ return true;
+}
+
+bool
+IceSSL::selectRead(SOCKET fd, int timeout)
+{
+ return selectReadWrite(fd, true, timeout);
+}
+
+bool
+IceSSL::selectWrite(SOCKET fd, int timeout)
+{
+ return selectReadWrite(fd, false, timeout);
+}
+
+bool
+IceSSL::splitString(const string& str, const string& delim, bool handleQuotes, vector<string>& result)
+{
+ string::size_type pos = str.find_first_not_of(delim + " \t");
+ if(pos == string::npos)
+ {
+ return true;
+ }
+
+ string::value_type quoteChar = 0;
+ while(pos != string::npos)
+ {
+ if(handleQuotes && (str[pos] == '"' || str[pos] == '\''))
+ {
+ quoteChar = str[pos];
+ ++pos;
+ }
+
+ string val;
+ while(pos < str.size())
+ {
+ if((!handleQuotes || !quoteChar) && delim.find(str[pos]) != string::npos)
+ {
+ break;
+ }
+ if(handleQuotes)
+ {
+ if(str[pos] == '\\')
+ {
+ if(pos + 1 < str.size() && str[pos + 1] == quoteChar)
+ {
+ ++pos;
+ }
+ }
+ else if(str[pos] == quoteChar)
+ {
+ quoteChar = 0;
+ ++pos;
+ continue;
+ }
+ }
+ val.push_back(str[pos]);
+ ++pos;
+ }
+
+ if(!val.empty())
+ {
+ result.push_back(val);
+ }
+
+ pos = str.find_first_not_of(delim, pos);
+ }
+
+ if(quoteChar) // Mismatched quote.
+ {
+ return false;
+ }
+
+ return true;
+}
diff --git a/cpp/src/IceSSL/Util.h b/cpp/src/IceSSL/Util.h
new file mode 100644
index 00000000000..0d75de3872c
--- /dev/null
+++ b/cpp/src/IceSSL/Util.h
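Review bot: `DHParams::add` inserts a file-loaded group straight after `PEM_read_DHparams` without validating it, so a malformed or weak group in a configured parameter file is accepted silently and later handed to the TLS handshake; run `DH_check` before inserting, e.g. `int codes = 0;` followed by `if(!DH_check(dh, &codes) || codes != 0) { DH_free(dh); return false; }`. In `DHParams::get` the walk over `_params` happens before `IceUtil::Mutex::Lock sync(*this)` is taken, while `add` mutates the same list without locking; that is only safe if `add` is confined to plugin initialization, which deserves a comment on the class if it is the intent. In `selectReadWrite`, on non-Windows builds `FD_SET(fd, ...)` is undefined when `fd >= FD_SETSIZE`, so a descriptor above the set size silently corrupts the stack; an `assert(fd < FD_SETSIZE)` (or `poll`) would catch it. The comment above the predefined groups describes them as "known strong primes", but the 512-bit group served for `keyLength < 1024` is an export-grade size and should be labelled as such so nobody reads the comment as a strength guarantee.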
@@ -0,0 +1,62 @@
+// **********************************************************************
+//
+// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved.
+//
+// This copy of Ice is licensed to you under the terms described in the
+// ICE_LICENSE file included in this distribution.
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_UTIL_H
+#define ICE_SSL_UTIL_H
+
+#include <UtilF.h>
+#include <Ice/Network.h>
+#include <IceUtil/Mutex.h>
+#include <IceUtil/Shared.h>
+
+#include <list>
+#include <openssl/ssl.h>
+
+namespace IceSSL
+{
+
+#ifndef OPENSSL_NO_DH
+class DHParams : public IceUtil::Shared, public IceUtil::Mutex
+{
+public:
+
+ DHParams();
+ ~DHParams();
+
+ bool add(int, const std::string&);
+ DH* get(int);
+
+private:
+
+ typedef std::pair<int, DH*> KeyParamPair;
+ typedef std::list<KeyParamPair> ParamList;
+ ParamList _params;
+
+ DH* _dh512;
+ DH* _dh1024;
+ DH* _dh2048;
+ DH* _dh4096;
+};
+#endif
+
+//
+// Wait for a socket to become readable.
+//
+bool selectRead(SOCKET, int);
+
+//
+// Wait for a socket to become writeable.
+//
+bool selectWrite(SOCKET, int);
+
+bool splitString(const std::string&, const std::string&, bool, std::vector<std::string>&);
+
+}
+
+#endif
diff --git a/cpp/src/IceSSL/DHParamsF.h b/cpp/src/IceSSL/UtilF.h
index 8b6c0509b63..65f3dff703c 100644
--- a/cpp/src/IceSSL/DHParamsF.h
+++ b/cpp/src/IceSSL/UtilF.h
@@ -7,25 +7,23 @@
//
// **********************************************************************
-#ifndef ICE_DH_PARAMS_F_H
-#define ICE_DH_PARAMS_F_H
+#ifndef ICE_SSL_UTIL_F_H
+#define ICE_SSL_UTIL_F_H
#include <Ice/Handle.h>
+#include <openssl/ssl.h>
+
+#ifndef OPENSSL_NO_DH
namespace IceSSL
{
class DHParams;
+void incRef(DHParams*);
+void decRef(DHParams*);
typedef IceInternal::Handle<DHParams> DHParamsPtr;
}
-
-namespace IceInternal
-{
-
-void incRef(::IceSSL::DHParams*);
-void decRef(::IceSSL::DHParams*);
-
-}
+#endif
#endif
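Review bot: `splitString` is the only declaration in Util.h without a comment, and its contract is not obvious from the signature: the implementation in Util.cpp appends non-empty tokens to `result` without clearing it first, skips `" \t"` in addition to `delim` only at the start of the string, and returns `false` solely on an unmatched quote when `handleQuotes` is set. Suggested comment above the declaration: `// Split str on any character of delim, appending non-empty tokens to result. With handleQuotes, quoted tokens may contain delimiters; returns false on an unmatched quote.` The header also names `std::vector`, `std::string` and `std::pair` but includes only `<list>`, so it compiles only through whatever `<Ice/Network.h>` pulls in transitively; include `<string>`, `<vector>` and `<utility>` directly.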
diff --git a/cpp/src/IceSSL/icessl.dsp b/cpp/src/IceSSL/icessl.dsp
index a31b77f109d..212187e02e5 100644
--- a/cpp/src/IceSSL/icessl.dsp
+++ b/cpp/src/IceSSL/icessl.dsp
@@ -106,31 +106,11 @@ PostBuild_Cmds=copy $(OutDir)\icessld.lib ..\..\lib copy $(OutDir)\icessl31d.pdb
 # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
# Begin Source File
-SOURCE=.\BaseCerts.cpp
+SOURCE=.\AcceptorI.cpp
# End Source File
# Begin Source File
-SOURCE=.\CertificateAuthority.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\CertificateDesc.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\CertificateVerifier.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\CertificateVerifierOpenSSL.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\ClientContext.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\ConfigParser.cpp
+SOURCE=.\ConnectorI.cpp
# End Source File
# Begin Source File
@@ -138,91 +118,23 @@ SOURCE=.\Context.cpp
 # End Source File
# Begin Source File
-SOURCE=.\Convert.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\DefaultCertificateVerifier.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\DHParams.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\Exception.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\GeneralConfig.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\OpenSSLJanitors.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\OpenSSLPluginI.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\OpenSSLUtils.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\Plugin.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\RSACertificateGen.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\RSAKeyPair.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\RSAPrivateKey.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\RSAPublicKey.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\ServerContext.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\SingleCertificateVerifier.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslAcceptor.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslConnector.cpp
+SOURCE=.\EndpointI.cpp
# End Source File
# Begin Source File
-SOURCE=.\SslEndpointI.cpp
+SOURCE=.\Instance.cpp
# End Source File
# Begin Source File
-SOURCE=.\SslException.cpp
+SOURCE=.\PluginI.cpp
# End Source File
# Begin Source File
-SOURCE=.\SslTransceiver.cpp
+SOURCE=.\TransceiverI.cpp
# End Source File
# Begin Source File
-SOURCE=.\TempCerts.cpp
-# End Source File
-# Begin Source File
-
-SOURCE=.\TraceLevels.cpp
+SOURCE=.\Util.cpp
# End Source File
# End Group
# Begin Group "Header Files"
@@ -230,35 +142,11 @@ SOURCE=.\TraceLevels.cpp
 # PROP Default_Filter "h;hpp;hxx;hm;inl"
# Begin Source File
-SOURCE=.\BaseCerts.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\CertificateAuthority.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\CertificateDesc.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\CertificateVerifier.h
+SOURCE=.\AcceptorI.h
# End Source File
# Begin Source File
-SOURCE=..\..\include\icessl\CertificateVerifierF.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\CertificateVerifierOpenSSL.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\ClientContext.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\ConfigParser.h
+SOURCE=.\ConnectorI.h
# End Source File
# Begin Source File
@@ -266,338 +154,31 @@ SOURCE=.\Context.h
 # End Source File
# Begin Source File
-SOURCE=.\ContextF.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\Convert.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\DefaultCertificateVerifier.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\DHParams.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\DHParamsF.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\Exception.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\GeneralConfig.h
+SOURCE=.\EndpointI.h
# End Source File
# Begin Source File
-SOURCE=.\OpenSSL.h
+SOURCE=.\Instance.h
# End Source File
# Begin Source File
-SOURCE=.\OpenSSLJanitors.h
+SOURCE=.\InstanceF.h
# End Source File
# Begin Source File
-SOURCE=.\OpenSSLPluginI.h
+SOURCE=.\PluginI.h
# End Source File
# Begin Source File
-SOURCE=.\OpenSSLPluginIF.h
+SOURCE=.\TransceiverI.h
# End Source File
# Begin Source File
-SOURCE=.\OpenSSLUtils.h
+SOURCE=.\Util.h
# End Source File
# Begin Source File
-SOURCE=..\..\include\icessl\Plugin.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\PluginF.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\RSACertificateGen.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\RSACertificateGenF.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\RSAKeyPair.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\RSAKeyPairF.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\RSAPrivateKey.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\RSAPrivateKeyF.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\RSAPublicKey.h
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\include\icessl\RSAPublicKeyF.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\ServerContext.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\SingleCertificateVerifier.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslAcceptor.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslConnection.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslConnectionF.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslConnector.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslEndpointI.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslTransceiver.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\SslTransceiverF.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\TempCerts.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\TraceLevels.h
-# End Source File
-# Begin Source File
-
-SOURCE=.\TraceLevelsF.h
-# End Source File
-# End Group
-# Begin Group "Resource Files"
-
-# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"
-# Begin Source File
-
-SOURCE=..\..\slice\icessl\CertificateVerifier.ice
-
-!IF "$(CFG)" == "icessl - Win32 Release"
-
-USERDEP__CERTI="..\..\bin\slice2cpp.exe" "..\..\lib\slice.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\CertificateVerifier.ice
-
-BuildCmds= \
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/CertificateVerifier.ice \
- move CertificateVerifier.h ..\..\include\icessl \
-
-
-"..\..\include\icessl\CertificateVerifier.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-
-"CertificateVerifier.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-# End Custom Build
-
-!ELSEIF "$(CFG)" == "icessl - Win32 Debug"
-
-USERDEP__CERTI="..\..\bin\slice2cpp.exe" "..\..\lib\sliced.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\CertificateVerifier.ice
-
-BuildCmds= \
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/CertificateVerifier.ice \
- move CertificateVerifier.h ..\..\include\icessl \
-
-
-"..\..\include\icessl\CertificateVerifier.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-
-"CertificateVerifier.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-# End Custom Build
-
-!ENDIF
-
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\slice\icessl\CertificateVerifierF.ice
-
-!IF "$(CFG)" == "icessl - Win32 Release"
-
-USERDEP__CERTIF="..\..\bin\slice2cpp.exe" "..\..\lib\slice.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\CertificateVerifierF.ice
-
-"..\..\include\icessl\CertificateVerifierF.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/CertificateVerifierF.ice
- move CertificateVerifierF.h ..\..\include\icessl
- del CertificateVerifierF.cpp
-
-# End Custom Build
-
-!ELSEIF "$(CFG)" == "icessl - Win32 Debug"
-
-USERDEP__CERTIF="..\..\bin\slice2cpp.exe" "..\..\lib\sliced.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\CertificateVerifierF.ice
-
-"..\..\include\icessl\CertificateVerifierF.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/CertificateVerifierF.ice
- move CertificateVerifierF.h ..\..\include\icessl
- del CertificateVerifierF.cpp
-
-# End Custom Build
-
-!ENDIF
-
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\slice\icessl\Exception.ice
-
-!IF "$(CFG)" == "icessl - Win32 Release"
-
-USERDEP__EXCEP="..\..\bin\slice2cpp.exe" "..\..\lib\slice.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\Exception.ice
-
-BuildCmds= \
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/Exception.ice \
- move Exception.h ..\..\include\icessl \
-
-
-"..\..\include\icessl\Exception.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-
-"Exception.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-# End Custom Build
-
-!ELSEIF "$(CFG)" == "icessl - Win32 Debug"
-
-USERDEP__EXCEP="..\..\bin\slice2cpp.exe" "..\..\lib\sliced.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\Exception.ice
-
-BuildCmds= \
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/Exception.ice \
- move Exception.h ..\..\include\icessl \
-
-
-"..\..\include\icessl\Exception.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-
-"Exception.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-# End Custom Build
-
-!ENDIF
-
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\slice\icessl\Plugin.ice
-
-!IF "$(CFG)" == "icessl - Win32 Release"
-
-USERDEP__PLUGI="..\..\bin\slice2cpp.exe" "..\..\lib\slice.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\Plugin.ice
-
-BuildCmds= \
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/Plugin.ice \
- move Plugin.h ..\..\include\icessl \
-
-
-"..\..\include\icessl\Plugin.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-
-"Plugin.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-# End Custom Build
-
-!ELSEIF "$(CFG)" == "icessl - Win32 Debug"
-
-USERDEP__PLUGI="..\..\bin\slice2cpp.exe" "..\..\lib\sliced.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\Plugin.ice
-
-BuildCmds= \
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/Plugin.ice \
- move Plugin.h ..\..\include\icessl \
-
-
-"..\..\include\icessl\Plugin.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-
-"Plugin.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- $(BuildCmds)
-# End Custom Build
-
-!ENDIF
-
-# End Source File
-# Begin Source File
-
-SOURCE=..\..\slice\icessl\PluginF.ice
-
-!IF "$(CFG)" == "icessl - Win32 Release"
-
-USERDEP__PLUGIN="..\..\bin\slice2cpp.exe" "..\..\lib\slice.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\PluginF.ice
-
-"..\..\include\icessl\PluginF.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/PluginF.ice
- move PluginF.h ..\..\include\icessl
- del PluginF.cpp
-
-# End Custom Build
-
-!ELSEIF "$(CFG)" == "icessl - Win32 Debug"
-
-USERDEP__PLUGIN="..\..\bin\slice2cpp.exe" "..\..\lib\sliced.lib"
-# Begin Custom Build
-InputPath=..\..\slice\icessl\PluginF.ice
-
-"..\..\include\icessl\PluginF.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
- ..\..\bin\slice2cpp.exe --ice --dll-export ICE_SSL_API --include-dir icessl -I../../slice ../../slice/IceSSL/PluginF.ice
- move PluginF.h ..\..\include\icessl
- del PluginF.cpp
-
-# End Custom Build
-
-!ENDIF
-
+SOURCE=.\UtilF.h
# End Source File
# End Group
# End Target