authorMarc Laukien <marc@zeroc.com>2002-04-02 17:08:47 +0000
committerMarc Laukien <marc@zeroc.com>2002-04-02 17:08:47 +0000
commitc98649e0be8c8bcbc8eba686f9a08f1ed17d36cb (patch)
treecd9ddef90cf2f5496be9abc07e3018bb294d8213 /cpp/src
parentremoved shutdown() from acceptor (diff)
cleanup
Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/Ice/CertificateAuthority.h4
-rw-r--r--cpp/src/Ice/CertificateDesc.h12
-rw-r--r--cpp/src/Ice/CertificateVerifierOpenSSL.cpp56
-rw-r--r--cpp/src/Ice/CommunicatorI.cpp28
-rw-r--r--cpp/src/Ice/ConfigParser.h10
-rw-r--r--cpp/src/Ice/ConfigParserErrorReporter.h24
-rw-r--r--cpp/src/Ice/ContextOpenSSL.cpp1222
-rw-r--r--cpp/src/Ice/ContextOpenSSL.h244
-rw-r--r--cpp/src/Ice/ContextOpenSSLClient.cpp172
-rw-r--r--cpp/src/Ice/ContextOpenSSLClient.h88
-rw-r--r--cpp/src/Ice/ContextOpenSSLF.h74
-rw-r--r--cpp/src/Ice/ContextOpenSSLServer.cpp284
-rw-r--r--cpp/src/Ice/ContextOpenSSLServer.h92
-rw-r--r--cpp/src/Ice/DHParams.cpp70
-rw-r--r--cpp/src/Ice/DHParams.h92
-rw-r--r--cpp/src/Ice/DHParamsF.h74
-rw-r--r--cpp/src/Ice/DefaultCertificateVerifier.cpp208
-rw-r--r--cpp/src/Ice/DefaultCertificateVerifier.h88
-rw-r--r--cpp/src/Ice/Endpoint.cpp12
-rw-r--r--cpp/src/Ice/GeneralConfig.cpp4
-rw-r--r--cpp/src/Ice/GeneralConfig.h2
-rw-r--r--cpp/src/Ice/OpenSSL.h76
-rw-r--r--cpp/src/Ice/OpenSSLJanitors.cpp284
-rw-r--r--cpp/src/Ice/OpenSSLJanitors.h204
-rw-r--r--cpp/src/Ice/OpenSSLUtils.cpp716
-rw-r--r--cpp/src/Ice/OpenSSLUtils.h98
-rw-r--r--cpp/src/Ice/RSACertificateGen.cpp708
-rw-r--r--cpp/src/Ice/RSAKeyPair.cpp174
-rw-r--r--cpp/src/Ice/RSAPrivateKey.cpp242
-rw-r--r--cpp/src/Ice/RSAPublicKey.cpp244
-rw-r--r--cpp/src/Ice/SingleCertificateVerifier.cpp12
-rw-r--r--cpp/src/Ice/SingleCertificateVerifier.h4
-rw-r--r--cpp/src/Ice/SslConnection.cpp18
-rw-r--r--cpp/src/Ice/SslConnection.h12
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSL.cpp296
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSL.h14
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLClient.cpp52
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLClient.h12
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLF.h10
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLServer.cpp8
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLServer.h12
-rw-r--r--cpp/src/Ice/SslException2.cpp182
-rw-r--r--cpp/src/Ice/SslExtensionInternal.cpp72
-rw-r--r--cpp/src/Ice/SslExtensionInternal.h78
-rw-r--r--cpp/src/Ice/SslFactory.cpp24
-rw-r--r--cpp/src/Ice/SslFactory.h4
-rw-r--r--cpp/src/Ice/SslIceUtils.cpp8
-rw-r--r--cpp/src/Ice/SslTransceiver.cpp2
-rw-r--r--cpp/src/Ice/SystemInternal.h8
-rw-r--r--cpp/src/Ice/SystemOpenSSL.h28
-rw-r--r--cpp/src/Ice/TempCerts.h4
-rw-r--r--cpp/src/IceBox/.depend1
52 files changed, 3233 insertions, 3234 deletions
diff --git a/cpp/src/Ice/CertificateAuthority.h b/cpp/src/Ice/CertificateAuthority.h
index df3680d6236..99b723ae182 100644
--- a/cpp/src/Ice/CertificateAuthority.h
+++ b/cpp/src/Ice/CertificateAuthority.h
@@ -19,7 +19,7 @@ namespace IceSSL
class CertificateAuthority
{
public:
-
+
CertificateAuthority();
CertificateAuthority(std::string&, std::string&);
CertificateAuthority(CertificateAuthority&);
@@ -31,7 +31,7 @@ public:
const std::string& getCAPath() const;
private:
-
+
std::string _fileName;
std::string _path;
};
diff --git a/cpp/src/Ice/CertificateDesc.h b/cpp/src/Ice/CertificateDesc.h
index b908ca981bd..abb406ee1ea 100644
--- a/cpp/src/Ice/CertificateDesc.h
+++ b/cpp/src/Ice/CertificateDesc.h
@@ -24,7 +24,7 @@ namespace IceSSL
class CertificateFile
{
public:
-
+
CertificateFile();
CertificateFile(const std::string&, const int);
CertificateFile(const CertificateFile&);
@@ -33,7 +33,7 @@ public:
int getEncoding() const;
protected:
-
+
std::string _fileName;
int _encoding;
};
@@ -41,7 +41,7 @@ protected:
class DiffieHellmanParamsFile : public CertificateFile
{
public:
-
+
DiffieHellmanParamsFile();
DiffieHellmanParamsFile(const int, const std::string&, const int);
DiffieHellmanParamsFile(const DiffieHellmanParamsFile&);
@@ -49,14 +49,14 @@ public:
int getKeySize() const;
protected:
-
+
int _keySize;
};
class CertificateDesc
{
public:
-
+
CertificateDesc();
CertificateDesc(const int, const CertificateFile&, const CertificateFile&);
CertificateDesc(const CertificateDesc&);
@@ -67,7 +67,7 @@ public:
const CertificateFile& getPrivate() const;
protected:
-
+
int _keySize;
CertificateFile _public;
CertificateFile _private;
diff --git a/cpp/src/Ice/CertificateVerifierOpenSSL.cpp b/cpp/src/Ice/CertificateVerifierOpenSSL.cpp
index e6c5f3a67c1..1ddd5554af1 100644
--- a/cpp/src/Ice/CertificateVerifierOpenSSL.cpp
+++ b/cpp/src/Ice/CertificateVerifierOpenSSL.cpp
@@ -1,28 +1,28 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/CertificateVerifierOpenSSL.h>
-
-IceSSL::OpenSSL::CertificateVerifier::~CertificateVerifier()
-{
-}
-
-void
-IceInternal::incRef(::IceSSL::OpenSSL::CertificateVerifier* p)
-{
- p->__incRef();
-}
-
-void
-IceInternal::decRef(::IceSSL::OpenSSL::CertificateVerifier* p)
-{
- p->__decRef();
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/CertificateVerifierOpenSSL.h>
+
+IceSSL::OpenSSL::CertificateVerifier::~CertificateVerifier()
+{
+}
+
+void
+IceInternal::incRef(::IceSSL::OpenSSL::CertificateVerifier* p)
+{
+ p->__incRef();
+}
+
+void
+IceInternal::decRef(::IceSSL::OpenSSL::CertificateVerifier* p)
+{
+ p->__decRef();
+}
+
diff --git a/cpp/src/Ice/CommunicatorI.cpp b/cpp/src/Ice/CommunicatorI.cpp
index f62aa6f4ec4..bc98c080681 100644
--- a/cpp/src/Ice/CommunicatorI.cpp
+++ b/cpp/src/Ice/CommunicatorI.cpp
@@ -18,8 +18,8 @@
#include <Ice/UserExceptionFactoryManager.h>
#include <Ice/ObjectAdapterFactory.h>
#include <Ice/LoggerUtil.h>
-#include <Ice/Exception.h>
-#include <Ice/SslExtensionInternal.h>
+#include <Ice/Exception.h>
+#include <Ice/SslExtensionInternal.h>
#include <Ice/SystemInternal.h>
using namespace std;
@@ -229,18 +229,18 @@ Ice::CommunicatorI::setDefaultRouter(const RouterPrx& router)
{
_instance->referenceFactory()->setDefaultRouter(router);
}
-
-::IceSSL::SslExtensionPtr
-Ice::CommunicatorI::getSslExtension()
-{
- return ::IceSSL::SslExtensionPtr(new ::IceSSL::SslExtensionInternal(_instance));
-}
-
-::IceSSL::SystemPtr
-Ice::CommunicatorI::getSslSystem()
-{
- return ::IceSSL::SystemPtr::dynamicCast(_instance->getSslSystem());
-}
+
+::IceSSL::SslExtensionPtr
+Ice::CommunicatorI::getSslExtension()
+{
+ return ::IceSSL::SslExtensionPtr(new ::IceSSL::SslExtensionInternal(_instance));
+}
+
+::IceSSL::SystemPtr
+Ice::CommunicatorI::getSslSystem()
+{
+ return ::IceSSL::SystemPtr::dynamicCast(_instance->getSslSystem());
+}
Ice::CommunicatorI::CommunicatorI(const PropertiesPtr& properties)
{
diff --git a/cpp/src/Ice/ConfigParser.h b/cpp/src/Ice/ConfigParser.h
index 8907a332517..10d2ffb5335 100644
--- a/cpp/src/Ice/ConfigParser.h
+++ b/cpp/src/Ice/ConfigParser.h
@@ -27,8 +27,8 @@ namespace IceSSL
class ConfigParser
{
public:
-
- // Construction based on the indicated config file, or config file and
+
+ // Construction based on the indicated config file, or config file and
// certificate path.
ConfigParser(const std::string&);
ConfigParser(const std::string&, const std::string&);
@@ -77,9 +77,9 @@ private:
// Populate a certificate file object, basis of all certificates.
void loadCertificateFile(DOM_Node, CertificateFile&);
-
- // Parses the certificate encoding format from a string representation
- // to the proper integer value used by the underlying SSL framework.
+
+ // Parses the certificate encoding format from a string representation
+ // to the proper integer value used by the underlying SSL framework.
int parseEncoding(std::string&);
std::string toString(const DOMString&);
diff --git a/cpp/src/Ice/ConfigParserErrorReporter.h b/cpp/src/Ice/ConfigParserErrorReporter.h
index 5cc5f9630d6..fb8127bfd5d 100644
--- a/cpp/src/Ice/ConfigParserErrorReporter.h
+++ b/cpp/src/Ice/ConfigParserErrorReporter.h
@@ -11,7 +11,7 @@
#ifndef ICE_SSL_CONFIG_ERROR_REPORTER_H
#define ICE_SSL_CONFIG_ERROR_REPORTER_H
-#include <iostream>
+#include <iostream>
#include <IceUtil/Shared.h>
#include <util/XercesDefs.hpp>
#include <dom/DOMString.hpp>
@@ -38,7 +38,7 @@ public:
bool getSawErrors() const;
-private:
+private:
// This is set if we get any errors, and is queryable via a getter method.
// It's used by the main code to suppress output if there are errors.
@@ -47,19 +47,19 @@ private:
IceInternal::TraceLevelsPtr _traceLevels;
Ice::LoggerPtr _logger;
};
-
-typedef IceInternal::Handle<ConfigParserErrorReporter> ConfigParserErrorReporterPtr;
+
+typedef IceInternal::Handle<ConfigParserErrorReporter> ConfigParserErrorReporterPtr;
std::ostream& operator << (std::ostream& target, const DOMString& s);
}
-namespace IceInternal
-{
-
-void incRef(::IceSSL::ConfigParserErrorReporter*);
-void decRef(::IceSSL::ConfigParserErrorReporter*);
-
-}
-
+namespace IceInternal
+{
+
+void incRef(::IceSSL::ConfigParserErrorReporter*);
+void decRef(::IceSSL::ConfigParserErrorReporter*);
+
+}
+
#endif
diff --git a/cpp/src/Ice/ContextOpenSSL.cpp b/cpp/src/Ice/ContextOpenSSL.cpp
index 3275f65d432..b301d1c4ff4 100644
--- a/cpp/src/Ice/ContextOpenSSL.cpp
+++ b/cpp/src/Ice/ContextOpenSSL.cpp
@@ -1,611 +1,611 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/Instance.h>
-#include <Ice/Properties.h>
-
-#include <Ice/DefaultCertificateVerifier.h>
-#include <Ice/SslException.h>
-#include <Ice/RSAKeyPair.h>
-#include <Ice/CertificateDesc.h>
-#include <Ice/SslConnectionOpenSSL.h>
-#include <Ice/ContextOpenSSL.h>
-
-#include <Ice/OpenSSLJanitors.h>
-#include <Ice/OpenSSLUtils.h>
-#include <openssl/err.h>
-
-using IceSSL::ConnectionPtr;
-
-void ::IceInternal::incRef(::IceSSL::OpenSSL::Context* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSSL::OpenSSL::Context* p) { p->__decRef(); }
-
-IceSSL::OpenSSL::Context::~Context()
-{
- if (_sslContext != 0)
- {
- SSL_CTX_free(_sslContext);
-
- _sslContext = 0;
- }
-}
-
-bool
-IceSSL::OpenSSL::Context::isConfigured()
-{
- return (_sslContext != 0 ? true : false);
-}
-
-void
-IceSSL::OpenSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& verifier)
-{
- _certificateVerifier = verifier;
-}
-
-void
-IceSSL::OpenSSL::Context::addTrustedCertificateBase64(const std::string& trustedCertString)
-{
- RSAPublicKey pubKey(trustedCertString);
-
- addTrustedCertificate(pubKey);
-}
-
-void
-IceSSL::OpenSSL::Context::addTrustedCertificate(const Ice::ByteSeq& trustedCert)
-{
- RSAPublicKey pubKey(trustedCert);
-
- addTrustedCertificate(pubKey);
-}
-
-void
-IceSSL::OpenSSL::Context::setRSAKeysBase64(const std::string& privateKey,
- const std::string& publicKey)
-{
- addKeyCert(privateKey, publicKey);
-}
-
-void
-IceSSL::OpenSSL::Context::setRSAKeys(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey)
-{
- addKeyCert(privateKey, publicKey);
-}
-
-void
-IceSSL::OpenSSL::Context::configure(const GeneralConfig& generalConfig,
- const CertificateAuthority& certificateAuthority,
- const BaseCertificates& baseCertificates)
-{
- // Create an SSL Context based on the context params.
- createContext(generalConfig.getProtocol());
-
- // Get the cipherlist and set it in the context.
- setCipherList(generalConfig.getCipherList());
-
- // Set the certificate verification mode.
- SSL_CTX_set_verify(_sslContext, generalConfig.getVerifyMode(), verifyCallback);
-
- // Set the certificate verify depth
- SSL_CTX_set_verify_depth(_sslContext, generalConfig.getVerifyDepth());
-
- // Process the RSA Certificate
- setKeyCert(baseCertificates.getRSACert(), _rsaPrivateKeyProperty, _rsaPublicKeyProperty);
-
- // Process the DSA Certificate
- setKeyCert(baseCertificates.getDSACert(), _dsaPrivateKeyProperty, _dsaPublicKeyProperty);
-
- // Set the DH key agreement parameters.
- if (baseCertificates.getDHParams().getKeySize() != 0)
- {
- setDHParams(baseCertificates);
- }
-}
-
-//
-// Protected
-//
-
-IceSSL::OpenSSL::Context::Context(const IceInternal::InstancePtr& instance) :
- _traceLevels(instance->traceLevels()),
- _logger(instance->logger()),
- _properties(instance->properties())
-{
- assert(_traceLevels != 0);
- assert(_logger != 0);
- assert(_properties != 0);
-
- _certificateVerifier = new DefaultCertificateVerifier(instance);
- _sslContext = 0;
-}
-
-SSL_METHOD*
-IceSSL::OpenSSL::Context::getSslMethod(SslProtocol sslVersion)
-{
- SSL_METHOD* sslMethod = 0;
-
- switch (sslVersion)
- {
- case SSL_V2 :
- {
- sslMethod = SSLv2_method();
- break;
- }
-
- case SSL_V23 :
- {
- sslMethod = SSLv23_method();
- break;
- }
-
- case SSL_V3 :
- {
- sslMethod = SSLv3_method();
- break;
- }
-
- case TLS_V1 :
- {
- sslMethod = TLSv1_method();
- break;
- }
-
- default :
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- std::string errorString;
-
- errorString = "ssl version ";
- errorString += sslVersion;
- errorString += " not supported (defaulting to SSL_V23)";
- _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
- }
-
- sslMethod = SSLv23_method();
- }
- }
-
- return sslMethod;
-}
-
-void
-IceSSL::OpenSSL::Context::createContext(SslProtocol sslProtocol)
-{
- if (_sslContext != 0)
- {
- SSL_CTX_free(_sslContext);
- _sslContext = 0;
- }
-
- _sslContext = SSL_CTX_new(getSslMethod(sslProtocol));
-
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextInitializationException contextInitEx(__FILE__, __LINE__);
-
- contextInitEx._message = "unable to create ssl context\n" + sslGetErrors();
-
- throw contextInitEx;
- }
-
- // Turn off session caching, supposedly fixes a problem with multithreading.
- SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF);
-}
-
-void
-IceSSL::OpenSSL::Context::loadCertificateAuthority(const CertificateAuthority& certAuth)
-{
- assert(_sslContext != 0);
-
- std::string fileName = certAuth.getCAFileName();
- std::string certPath = certAuth.getCAPath();
-
- const char* caFile = 0;
- const char* caPath = 0;
-
- // The following checks are required to send the expected values to the OpenSSL library.
- // It does not like receiving "", but prefers NULLs.
-
- if (!fileName.empty())
- {
- caFile = fileName.c_str();
- }
-
- if (!certPath.length())
- {
- caPath = certPath.c_str();
- }
-
- // SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback);
-
- // Check the Certificate Authority file(s).
- int loadVerifyRet = SSL_CTX_load_verify_locations(_sslContext, caFile, caPath);
-
- if (!loadVerifyRet)
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN unable to load certificate authorities.");
- }
- }
- else
- {
- int setDefaultVerifyPathsRet = SSL_CTX_set_default_verify_paths(_sslContext);
-
-
- if (!setDefaultVerifyPathsRet && (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
- {
- _logger->trace(_traceLevels->securityCat, "WRN unable to verify certificate authorities.");
- }
- }
-
- // Now we add whatever override/addition that we wish to put into the trusted certificates list
- std::string caCertBase64 = _properties->getProperty(_caCertificateProperty);
- if (!caCertBase64.empty())
- {
- addTrustedCertificateBase64(caCertBase64);
- }
-}
-
-void
-IceSSL::OpenSSL::Context::setKeyCert(const CertificateDesc& certDesc,
- const std::string& privateProperty,
- const std::string& publicProperty)
-{
- std::string privateKey;
- std::string publicKey;
-
- if (!privateProperty.empty())
- {
- privateKey = _properties->getProperty(privateProperty);
- }
-
- if (!publicProperty.empty())
- {
- publicKey = _properties->getProperty(publicProperty);
- }
-
- if (!privateKey.empty() && !publicKey.empty())
- {
- addKeyCert(privateKey, publicKey);
- }
- else if (certDesc.getKeySize() != 0)
- {
- const CertificateFile& privateKey = certDesc.getPrivate();
- const CertificateFile& publicKey = certDesc.getPublic();
-
- addKeyCert(privateKey, publicKey);
- }
-}
-
-void
-IceSSL::OpenSSL::Context::checkKeyCert()
-{
- assert(_sslContext != 0);
-
- // Check to see if the Private and Public keys that have been
- // set against the SSL context match up.
- if (!SSL_CTX_check_private_key(_sslContext))
- {
- IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
-
- certKeyMatchEx._message = "private key does not match the certificate public key";
- std::string sslError = sslGetErrors();
-
- if (!sslError.empty())
- {
- certKeyMatchEx._message += "\n";
- certKeyMatchEx._message += sslError;
- }
-
- throw certKeyMatchEx;
- }
-}
-
-void
-IceSSL::OpenSSL::Context::addTrustedCertificate(const RSAPublicKey& trustedCertificate)
-{
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
-
- contextConfigEx._message = "ssl context not configured";
-
- throw contextConfigEx;
- }
-
- X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);
-
- assert(certStore != 0);
-
- if (X509_STORE_add_cert(certStore, trustedCertificate.getX509PublicKey()) == 0)
- {
- IceSSL::OpenSSL::TrustedCertificateAddException trustEx(__FILE__, __LINE__);
-
- trustEx._message = sslGetErrors();
-
- throw trustEx;
- }
-}
-
-void
-IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const CertificateFile& publicCert)
-{
- assert(_sslContext != 0);
-
- if (!publicCert.getFileName().empty())
- {
- std::string publicCertFile = publicCert.getFileName();
- const char* publicFile = publicCertFile.c_str();
- int publicEncoding = publicCert.getEncoding();
-
- std::string privCertFile = privateKey.getFileName();
- const char* privKeyFile = privCertFile.c_str();
- int privKeyFileType = privateKey.getEncoding();
-
- // Set which Public Key file to use.
- if (SSL_CTX_use_certificate_file(_sslContext, publicFile, publicEncoding) <= 0)
- {
- IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
-
- certLoadEx._message = "unable to load certificate from '";
- certLoadEx._message += publicFile;
- certLoadEx._message += "'\n";
- certLoadEx._message += sslGetErrors();
-
- throw certLoadEx;
- }
-
- if (privateKey.getFileName().empty())
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN no private key specified -- using the certificate");
- }
-
- privKeyFile = publicFile;
- privKeyFileType = publicEncoding;
- }
-
- // Set which Private Key file to use.
- if (SSL_CTX_use_PrivateKey_file(_sslContext, privKeyFile, privKeyFileType) <= 0)
- {
- int errCode = ERR_GET_REASON(ERR_peek_error());
-
- // Note: Because OpenSSL currently (V0.9.6b) performs a check to see if the
- // key matches the private key when calling SSL_CTX_use_PrivateKey_file().
- if (errCode == X509_R_KEY_VALUES_MISMATCH || errCode == X509_R_KEY_TYPE_MISMATCH)
- {
- IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
-
- certKeyMatchEx._message = "private key does not match the certificate public key";
- std::string sslError = sslGetErrors();
-
- if (!sslError.empty())
- {
- certKeyMatchEx._message += "\n";
- certKeyMatchEx._message += sslError;
- }
-
- throw certKeyMatchEx;
- }
- else
- {
- IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
-
- pklEx._message = "unable to load private key from '";
- pklEx._message += privKeyFile;
- pklEx._message += "'\n";
- pklEx._message += sslGetErrors();
-
- throw pklEx;
- }
- }
-
- checkKeyCert();
- }
-}
-
-void
-IceSSL::OpenSSL::Context::addKeyCert(const RSAKeyPair& keyPair)
-{
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
-
- contextConfigEx._message = "ssl context not configured";
-
- throw contextConfigEx;
- }
-
- // Note: Normally I would use an X509Janitor and RSAJanitor to ensure that
- // memory was being freed properly when exceptions are thrown, but
- // both SSL_CTX_use_certificate and SSL_CTX_use_RSAPrivateKey free
- // certificate/key memory regardless if the call succeeded.
-
- // Set which Public Key file to use.
- if (SSL_CTX_use_certificate(_sslContext, keyPair.getX509PublicKey()) <= 0)
- {
- IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
-
- certLoadEx._message = "unable to set certificate from memory";
- std::string sslError = sslGetErrors();
-
- if (!sslError.empty())
- {
- certLoadEx._message += "\n";
- certLoadEx._message += sslError;
- }
-
- throw certLoadEx;
- }
-
- // Set which Private Key file to use.
- if (SSL_CTX_use_RSAPrivateKey(_sslContext, keyPair.getRSAPrivateKey()) <= 0)
- {
- int errCode = ERR_GET_REASON(ERR_peek_error());
-
- // Note: Because OpenSSL currently (V0.9.6b) performs a check to see if the
- // key matches the private key when calling SSL_CTX_use_PrivateKey_file().
- if (errCode == X509_R_KEY_VALUES_MISMATCH || errCode == X509_R_KEY_TYPE_MISMATCH)
- {
- IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
-
- certKeyMatchEx._message = "private key does not match the certificate public key";
- std::string sslError = sslGetErrors();
-
- if (!sslError.empty())
- {
- certKeyMatchEx._message += "\n";
- certKeyMatchEx._message += sslError;
- }
-
- throw certKeyMatchEx;
- }
- else
- {
- IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
-
- pklEx._message = "unable to set private key from memory";
- std::string sslError = sslGetErrors();
-
- if (!sslError.empty())
- {
- pklEx._message += "\n";
- pklEx._message += sslError;
- }
-
- throw pklEx;
- }
- }
-
- checkKeyCert();
-}
-
-void
-IceSSL::OpenSSL::Context::addKeyCert(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey)
-{
- Ice::ByteSeq privKey = privateKey;
-
- if (privKey.empty())
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN no private key specified -- using the certificate");
- }
-
- privKey = publicKey;
- }
-
- // Make a key pair based on the DER encoded byte sequences.
- addKeyCert(RSAKeyPair(privKey, publicKey));
-}
-
-void
-IceSSL::OpenSSL::Context::addKeyCert(const std::string& privateKey, const std::string& publicKey)
-{
- std::string privKey = privateKey;
-
- if (privKey.empty())
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN no private key specified -- using the certificate");
- }
-
- privKey = publicKey;
- }
-
- // Make a key pair based on the Base64 encoded strings.
- addKeyCert(RSAKeyPair(privKey, publicKey));
-}
-
-SSL*
-IceSSL::OpenSSL::Context::createSSLConnection(int socket)
-{
- assert(_sslContext != 0);
-
- SSL* sslConnection = SSL_new(_sslContext);
- assert(sslConnection != 0);
-
- SSL_clear(sslConnection);
-
- SSL_set_fd(sslConnection, socket);
-
- return sslConnection;
-}
-
-void
-IceSSL::OpenSSL::Context::connectionSetup(const ConnectionPtr& connection)
-{
- // Set the Post-Handshake Read timeout
- // This timeout is implemented once on the first read after hanshake.
- int handshakeReadTimeout;
- std::string value = _properties->getProperty(_handshakeTimeoutProperty);
-
- if (!value.empty())
- {
- handshakeReadTimeout = atoi(value.c_str());
- }
- else
- {
- handshakeReadTimeout = 5000;
- }
-
- connection->setHandshakeReadTimeout(handshakeReadTimeout);
-}
-
-void
-IceSSL::OpenSSL::Context::setCipherList(const std::string& cipherList)
-{
- assert(_sslContext != 0);
-
- if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str())) &&
- (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
- {
- std::string errorString = "WRN error setting cipher list " + cipherList + " -- using default list\n";
- errorString += sslGetErrors();
- _logger->trace(_traceLevels->securityCat, errorString);
- }
-}
-
-void
-IceSSL::OpenSSL::Context::setDHParams(const BaseCertificates& baseCerts)
-{
- DH* dh = 0;
-
- std::string dhFile = baseCerts.getDHParams().getFileName();
- int encoding = baseCerts.getDHParams().getEncoding();
-
- // File type must be PEM - that's the only way we can load DH Params, apparently.
- if ((!dhFile.empty()) && (encoding == SSL_FILETYPE_PEM))
- {
- dh = loadDHParam(dhFile.c_str());
- }
-
- if (dh == 0)
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat,
- "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key.");
- }
-
- dh = getTempDH512();
- }
-
- if (dh != 0)
- {
- SSL_CTX_set_tmp_dh(_sslContext, dh);
-
- DH_free(dh);
- }
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/Instance.h>
+#include <Ice/Properties.h>
+
+#include <Ice/DefaultCertificateVerifier.h>
+#include <Ice/SslException.h>
+#include <Ice/RSAKeyPair.h>
+#include <Ice/CertificateDesc.h>
+#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/ContextOpenSSL.h>
+
+#include <Ice/OpenSSLJanitors.h>
+#include <Ice/OpenSSLUtils.h>
+#include <openssl/err.h>
+
+using IceSSL::ConnectionPtr;
+
+void ::IceInternal::incRef(::IceSSL::OpenSSL::Context* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::Context* p) { p->__decRef(); }
+
+IceSSL::OpenSSL::Context::~Context()
+{
+ if (_sslContext != 0)
+ {
+ SSL_CTX_free(_sslContext);
+
+ _sslContext = 0;
+ }
+}
+
+bool
+IceSSL::OpenSSL::Context::isConfigured()
+{
+ return (_sslContext != 0 ? true : false);
+}
+
+void
+IceSSL::OpenSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& verifier)
+{
+ _certificateVerifier = verifier;
+}
+
+void
+IceSSL::OpenSSL::Context::addTrustedCertificateBase64(const std::string& trustedCertString)
+{
+ RSAPublicKey pubKey(trustedCertString);
+
+ addTrustedCertificate(pubKey);
+}
+
+void
+IceSSL::OpenSSL::Context::addTrustedCertificate(const Ice::ByteSeq& trustedCert)
+{
+ RSAPublicKey pubKey(trustedCert);
+
+ addTrustedCertificate(pubKey);
+}
+
+void
+IceSSL::OpenSSL::Context::setRSAKeysBase64(const std::string& privateKey,
+ const std::string& publicKey)
+{
+ addKeyCert(privateKey, publicKey);
+}
+
+void
+IceSSL::OpenSSL::Context::setRSAKeys(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey)
+{
+ addKeyCert(privateKey, publicKey);
+}
+
+void
+IceSSL::OpenSSL::Context::configure(const GeneralConfig& generalConfig,
+ const CertificateAuthority& certificateAuthority,
+ const BaseCertificates& baseCertificates)
+{
+ // Create an SSL Context based on the context params.
+ createContext(generalConfig.getProtocol());
+
+ // Get the cipherlist and set it in the context.
+ setCipherList(generalConfig.getCipherList());
+
+ // Set the certificate verification mode.
+ SSL_CTX_set_verify(_sslContext, generalConfig.getVerifyMode(), verifyCallback);
+
+ // Set the certificate verify depth
+ SSL_CTX_set_verify_depth(_sslContext, generalConfig.getVerifyDepth());
+
+ // Process the RSA Certificate
+ setKeyCert(baseCertificates.getRSACert(), _rsaPrivateKeyProperty, _rsaPublicKeyProperty);
+
+ // Process the DSA Certificate
+ setKeyCert(baseCertificates.getDSACert(), _dsaPrivateKeyProperty, _dsaPublicKeyProperty);
+
+ // Set the DH key agreement parameters.
+ if (baseCertificates.getDHParams().getKeySize() != 0)
+ {
+ setDHParams(baseCertificates);
+ }
+}
+
+//
+// Protected
+//
+
+IceSSL::OpenSSL::Context::Context(const IceInternal::InstancePtr& instance) :
+ _traceLevels(instance->traceLevels()),
+ _logger(instance->logger()),
+ _properties(instance->properties())
+{
+ assert(_traceLevels != 0);
+ assert(_logger != 0);
+ assert(_properties != 0);
+
+ _certificateVerifier = new DefaultCertificateVerifier(instance);
+ _sslContext = 0;
+}
+
+SSL_METHOD*
+IceSSL::OpenSSL::Context::getSslMethod(SslProtocol sslVersion)
+{
+ SSL_METHOD* sslMethod = 0;
+
+ switch (sslVersion)
+ {
+ case SSL_V2 :
+ {
+ sslMethod = SSLv2_method();
+ break;
+ }
+
+ case SSL_V23 :
+ {
+ sslMethod = SSLv23_method();
+ break;
+ }
+
+ case SSL_V3 :
+ {
+ sslMethod = SSLv3_method();
+ break;
+ }
+
+ case TLS_V1 :
+ {
+ sslMethod = TLSv1_method();
+ break;
+ }
+
+ default :
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ std::string errorString;
+
+ errorString = "ssl version ";
+ errorString += sslVersion;
+ errorString += " not supported (defaulting to SSL_V23)";
+ _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ }
+
+ sslMethod = SSLv23_method();
+ }
+ }
+
+ return sslMethod;
+}
+
+void
+IceSSL::OpenSSL::Context::createContext(SslProtocol sslProtocol)
+{
+ if (_sslContext != 0)
+ {
+ SSL_CTX_free(_sslContext);
+ _sslContext = 0;
+ }
+
+ _sslContext = SSL_CTX_new(getSslMethod(sslProtocol));
+
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextInitializationException contextInitEx(__FILE__, __LINE__);
+
+ contextInitEx._message = "unable to create ssl context\n" + sslGetErrors();
+
+ throw contextInitEx;
+ }
+
+ // Turn off session caching, supposedly fixes a problem with multithreading.
+ SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF);
+}
+
+void
+IceSSL::OpenSSL::Context::loadCertificateAuthority(const CertificateAuthority& certAuth)
+{
+ assert(_sslContext != 0);
+
+ std::string fileName = certAuth.getCAFileName();
+ std::string certPath = certAuth.getCAPath();
+
+ const char* caFile = 0;
+ const char* caPath = 0;
+
+ // The following checks are required to send the expected values to the OpenSSL library.
+ // It does not like receiving "", but prefers NULLs.
+
+ if (!fileName.empty())
+ {
+ caFile = fileName.c_str();
+ }
+
+ if (!certPath.length())
+ {
+ caPath = certPath.c_str();
+ }
+
+ // SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback);
+
+ // Check the Certificate Authority file(s).
+ int loadVerifyRet = SSL_CTX_load_verify_locations(_sslContext, caFile, caPath);
+
+ if (!loadVerifyRet)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN unable to load certificate authorities.");
+ }
+ }
+ else
+ {
+ int setDefaultVerifyPathsRet = SSL_CTX_set_default_verify_paths(_sslContext);
+
+
+ if (!setDefaultVerifyPathsRet && (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN unable to verify certificate authorities.");
+ }
+ }
+
+ // Now we add whatever override/addition that we wish to put into the trusted certificates list
+ std::string caCertBase64 = _properties->getProperty(_caCertificateProperty);
+ if (!caCertBase64.empty())
+ {
+ addTrustedCertificateBase64(caCertBase64);
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::setKeyCert(const CertificateDesc& certDesc,
+ const std::string& privateProperty,
+ const std::string& publicProperty)
+{
+ std::string privateKey;
+ std::string publicKey;
+
+ if (!privateProperty.empty())
+ {
+ privateKey = _properties->getProperty(privateProperty);
+ }
+
+ if (!publicProperty.empty())
+ {
+ publicKey = _properties->getProperty(publicProperty);
+ }
+
+ if (!privateKey.empty() && !publicKey.empty())
+ {
+ addKeyCert(privateKey, publicKey);
+ }
+ else if (certDesc.getKeySize() != 0)
+ {
+ const CertificateFile& privateKey = certDesc.getPrivate();
+ const CertificateFile& publicKey = certDesc.getPublic();
+
+ addKeyCert(privateKey, publicKey);
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::checkKeyCert()
+{
+ assert(_sslContext != 0);
+
+ // Check to see if the Private and Public keys that have been
+ // set against the SSL context match up.
+ if (!SSL_CTX_check_private_key(_sslContext))
+ {
+ IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
+
+ certKeyMatchEx._message = "private key does not match the certificate public key";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ certKeyMatchEx._message += "\n";
+ certKeyMatchEx._message += sslError;
+ }
+
+ throw certKeyMatchEx;
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::addTrustedCertificate(const RSAPublicKey& trustedCertificate)
+{
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
+
+ contextConfigEx._message = "ssl context not configured";
+
+ throw contextConfigEx;
+ }
+
+ X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);
+
+ assert(certStore != 0);
+
+ if (X509_STORE_add_cert(certStore, trustedCertificate.getX509PublicKey()) == 0)
+ {
+ IceSSL::OpenSSL::TrustedCertificateAddException trustEx(__FILE__, __LINE__);
+
+ trustEx._message = sslGetErrors();
+
+ throw trustEx;
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const CertificateFile& publicCert)
+{
+ assert(_sslContext != 0);
+
+ if (!publicCert.getFileName().empty())
+ {
+ std::string publicCertFile = publicCert.getFileName();
+ const char* publicFile = publicCertFile.c_str();
+ int publicEncoding = publicCert.getEncoding();
+
+ std::string privCertFile = privateKey.getFileName();
+ const char* privKeyFile = privCertFile.c_str();
+ int privKeyFileType = privateKey.getEncoding();
+
+ // Set which Public Key file to use.
+ if (SSL_CTX_use_certificate_file(_sslContext, publicFile, publicEncoding) <= 0)
+ {
+ IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
+
+ certLoadEx._message = "unable to load certificate from '";
+ certLoadEx._message += publicFile;
+ certLoadEx._message += "'\n";
+ certLoadEx._message += sslGetErrors();
+
+ throw certLoadEx;
+ }
+
+ if (privateKey.getFileName().empty())
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN no private key specified -- using the certificate");
+ }
+
+ privKeyFile = publicFile;
+ privKeyFileType = publicEncoding;
+ }
+
+ // Set which Private Key file to use.
+ if (SSL_CTX_use_PrivateKey_file(_sslContext, privKeyFile, privKeyFileType) <= 0)
+ {
+ int errCode = ERR_GET_REASON(ERR_peek_error());
+
+ // Note: Because OpenSSL currently (V0.9.6b) performs a check to see if the
+ // key matches the private key when calling SSL_CTX_use_PrivateKey_file().
+ if (errCode == X509_R_KEY_VALUES_MISMATCH || errCode == X509_R_KEY_TYPE_MISMATCH)
+ {
+ IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
+
+ certKeyMatchEx._message = "private key does not match the certificate public key";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ certKeyMatchEx._message += "\n";
+ certKeyMatchEx._message += sslError;
+ }
+
+ throw certKeyMatchEx;
+ }
+ else
+ {
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+
+ pklEx._message = "unable to load private key from '";
+ pklEx._message += privKeyFile;
+ pklEx._message += "'\n";
+ pklEx._message += sslGetErrors();
+
+ throw pklEx;
+ }
+ }
+
+ checkKeyCert();
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::addKeyCert(const RSAKeyPair& keyPair)
+{
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
+
+ contextConfigEx._message = "ssl context not configured";
+
+ throw contextConfigEx;
+ }
+
+ // Note: Normally I would use an X509Janitor and RSAJanitor to ensure that
+ // memory was being freed properly when exceptions are thrown, but
+ // both SSL_CTX_use_certificate and SSL_CTX_use_RSAPrivateKey free
+ // certificate/key memory regardless if the call succeeded.
+
+ // Set which Public Key file to use.
+ if (SSL_CTX_use_certificate(_sslContext, keyPair.getX509PublicKey()) <= 0)
+ {
+ IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
+
+ certLoadEx._message = "unable to set certificate from memory";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ certLoadEx._message += "\n";
+ certLoadEx._message += sslError;
+ }
+
+ throw certLoadEx;
+ }
+
+ // Set which Private Key file to use.
+ if (SSL_CTX_use_RSAPrivateKey(_sslContext, keyPair.getRSAPrivateKey()) <= 0)
+ {
+ int errCode = ERR_GET_REASON(ERR_peek_error());
+
+ // Note: Because OpenSSL currently (V0.9.6b) performs a check to see if the
+ // key matches the private key when calling SSL_CTX_use_PrivateKey_file().
+ if (errCode == X509_R_KEY_VALUES_MISMATCH || errCode == X509_R_KEY_TYPE_MISMATCH)
+ {
+ IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
+
+ certKeyMatchEx._message = "private key does not match the certificate public key";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ certKeyMatchEx._message += "\n";
+ certKeyMatchEx._message += sslError;
+ }
+
+ throw certKeyMatchEx;
+ }
+ else
+ {
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+
+ pklEx._message = "unable to set private key from memory";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ pklEx._message += "\n";
+ pklEx._message += sslError;
+ }
+
+ throw pklEx;
+ }
+ }
+
+ checkKeyCert();
+}
+
+void
+IceSSL::OpenSSL::Context::addKeyCert(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey)
+{
+ Ice::ByteSeq privKey = privateKey;
+
+ if (privKey.empty())
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN no private key specified -- using the certificate");
+ }
+
+ privKey = publicKey;
+ }
+
+ // Make a key pair based on the DER encoded byte sequences.
+ addKeyCert(RSAKeyPair(privKey, publicKey));
+}
+
+void
+IceSSL::OpenSSL::Context::addKeyCert(const std::string& privateKey, const std::string& publicKey)
+{
+ std::string privKey = privateKey;
+
+ if (privKey.empty())
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN no private key specified -- using the certificate");
+ }
+
+ privKey = publicKey;
+ }
+
+ // Make a key pair based on the Base64 encoded strings.
+ addKeyCert(RSAKeyPair(privKey, publicKey));
+}
+
+SSL*
+IceSSL::OpenSSL::Context::createSSLConnection(int socket)
+{
+ assert(_sslContext != 0);
+
+ SSL* sslConnection = SSL_new(_sslContext);
+ assert(sslConnection != 0);
+
+ SSL_clear(sslConnection);
+
+ SSL_set_fd(sslConnection, socket);
+
+ return sslConnection;
+}
+
+void
+IceSSL::OpenSSL::Context::connectionSetup(const ConnectionPtr& connection)
+{
+ // Set the Post-Handshake Read timeout
+ // This timeout is implemented once on the first read after hanshake.
+ int handshakeReadTimeout;
+ std::string value = _properties->getProperty(_handshakeTimeoutProperty);
+
+ if (!value.empty())
+ {
+ handshakeReadTimeout = atoi(value.c_str());
+ }
+ else
+ {
+ handshakeReadTimeout = 5000;
+ }
+
+ connection->setHandshakeReadTimeout(handshakeReadTimeout);
+}
+
+void
+IceSSL::OpenSSL::Context::setCipherList(const std::string& cipherList)
+{
+ assert(_sslContext != 0);
+
+ if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str())) &&
+ (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
+ {
+ std::string errorString = "WRN error setting cipher list " + cipherList + " -- using default list\n";
+ errorString += sslGetErrors();
+ _logger->trace(_traceLevels->securityCat, errorString);
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::setDHParams(const BaseCertificates& baseCerts)
+{
+ DH* dh = 0;
+
+ std::string dhFile = baseCerts.getDHParams().getFileName();
+ int encoding = baseCerts.getDHParams().getEncoding();
+
+ // File type must be PEM - that's the only way we can load DH Params, apparently.
+ if ((!dhFile.empty()) && (encoding == SSL_FILETYPE_PEM))
+ {
+ dh = loadDHParam(dhFile.c_str());
+ }
+
+ if (dh == 0)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat,
+ "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key.");
+ }
+
+ dh = getTempDH512();
+ }
+
+ if (dh != 0)
+ {
+ SSL_CTX_set_tmp_dh(_sslContext, dh);
+
+ DH_free(dh);
+ }
+}
+
diff --git a/cpp/src/Ice/ContextOpenSSL.h b/cpp/src/Ice/ContextOpenSSL.h
index de8f89f388b..c8225795ecc 100644
--- a/cpp/src/Ice/ContextOpenSSL.h
+++ b/cpp/src/Ice/ContextOpenSSL.h
@@ -1,122 +1,122 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_CONTEXT_OPENSSL_H
-#define ICE_SSL_CONTEXT_OPENSSL_H
-
-#include <IceUtil/Config.h>
-#include <IceUtil/Shared.h>
-#include <Ice/InstanceF.h>
-#include <Ice/TraceLevelsF.h>
-#include <Ice/LoggerF.h>
-#include <Ice/PropertiesF.h>
-#include <Ice/BuiltinSequences.h>
-
-#include <Ice/OpenSSL.h>
-
-#include <Ice/CertificateVerifierOpenSSL.h>
-
-#include <Ice/GeneralConfig.h>
-#include <Ice/CertificateAuthority.h>
-#include <Ice/BaseCerts.h>
-#include <Ice/TempCerts.h>
-
-#include <Ice/SslConnectionF.h>
-#include <Ice/SslConnectionOpenSSLF.h>
-#include <Ice/ContextOpenSSLF.h>
-#include <Ice/RSAPublicKey.h>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-class System;
-class RSAKeyPair;
-
-class Context : public IceUtil::Shared
-{
-public:
-
- virtual ~Context();
-
- bool isConfigured();
-
- virtual void setCertificateVerifier(const CertificateVerifierPtr&);
-
- virtual void addTrustedCertificateBase64(const std::string&);
-
- virtual void addTrustedCertificate(const Ice::ByteSeq&);
-
- virtual void setRSAKeysBase64(const std::string&, const std::string&);
-
- virtual void setRSAKeys(const Ice::ByteSeq&, const Ice::ByteSeq&);
-
- virtual void configure(const IceSSL::GeneralConfig&,
- const IceSSL::CertificateAuthority&,
- const IceSSL::BaseCertificates&);
-
- // Takes a socket fd as the first parameter.
- virtual ::IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&) = 0;
-
-protected:
- Context(const IceInternal::InstancePtr&);
-
- SSL_METHOD* getSslMethod(SslProtocol);
- void createContext(SslProtocol);
-
- virtual void loadCertificateAuthority(const CertificateAuthority&);
-
- void setKeyCert(const IceSSL::CertificateDesc&, const std::string&, const std::string&);
-
- void checkKeyCert();
-
- void addTrustedCertificate(const IceSSL::OpenSSL::RSAPublicKey&);
-
- void addKeyCert(const IceSSL::CertificateFile&, const IceSSL::CertificateFile&);
-
- void addKeyCert(const RSAKeyPair&);
-
- void addKeyCert(const Ice::ByteSeq&, const Ice::ByteSeq&);
-
- void addKeyCert(const std::string&, const std::string&);
-
- SSL* createSSLConnection(int);
-
- void connectionSetup(const IceSSL::OpenSSL::ConnectionPtr& connection);
-
- void setCipherList(const std::string&);
-
- void setDHParams(const IceSSL::BaseCertificates&);
-
- IceInternal::TraceLevelsPtr _traceLevels;
- Ice::LoggerPtr _logger;
- Ice::PropertiesPtr _properties;
-
- std::string _rsaPrivateKeyProperty;
- std::string _rsaPublicKeyProperty;
- std::string _dsaPrivateKeyProperty;
- std::string _dsaPublicKeyProperty;
- std::string _caCertificateProperty;
- std::string _handshakeTimeoutProperty;
-
- IceSSL::CertificateVerifierPtr _certificateVerifier;
-
- SSL_CTX* _sslContext;
-
- friend class IceSSL::OpenSSL::System;
-};
-
-}
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_CONTEXT_OPENSSL_H
+#define ICE_SSL_CONTEXT_OPENSSL_H
+
+#include <IceUtil/Config.h>
+#include <IceUtil/Shared.h>
+#include <Ice/InstanceF.h>
+#include <Ice/TraceLevelsF.h>
+#include <Ice/LoggerF.h>
+#include <Ice/PropertiesF.h>
+#include <Ice/BuiltinSequences.h>
+
+#include <Ice/OpenSSL.h>
+
+#include <Ice/CertificateVerifierOpenSSL.h>
+
+#include <Ice/GeneralConfig.h>
+#include <Ice/CertificateAuthority.h>
+#include <Ice/BaseCerts.h>
+#include <Ice/TempCerts.h>
+
+#include <Ice/SslConnectionF.h>
+#include <Ice/SslConnectionOpenSSLF.h>
+#include <Ice/ContextOpenSSLF.h>
+#include <Ice/RSAPublicKey.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class System;
+class RSAKeyPair;
+
+class Context : public IceUtil::Shared
+{
+public:
+
+ virtual ~Context();
+
+ bool isConfigured();
+
+ virtual void setCertificateVerifier(const CertificateVerifierPtr&);
+
+ virtual void addTrustedCertificateBase64(const std::string&);
+
+ virtual void addTrustedCertificate(const Ice::ByteSeq&);
+
+ virtual void setRSAKeysBase64(const std::string&, const std::string&);
+
+ virtual void setRSAKeys(const Ice::ByteSeq&, const Ice::ByteSeq&);
+
+ virtual void configure(const IceSSL::GeneralConfig&,
+ const IceSSL::CertificateAuthority&,
+ const IceSSL::BaseCertificates&);
+
+ // Takes a socket fd as the first parameter.
+ virtual ::IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&) = 0;
+
+protected:
+ Context(const IceInternal::InstancePtr&);
+
+ SSL_METHOD* getSslMethod(SslProtocol);
+ void createContext(SslProtocol);
+
+ virtual void loadCertificateAuthority(const CertificateAuthority&);
+
+ void setKeyCert(const IceSSL::CertificateDesc&, const std::string&, const std::string&);
+
+ void checkKeyCert();
+
+ void addTrustedCertificate(const IceSSL::OpenSSL::RSAPublicKey&);
+
+ void addKeyCert(const IceSSL::CertificateFile&, const IceSSL::CertificateFile&);
+
+ void addKeyCert(const RSAKeyPair&);
+
+ void addKeyCert(const Ice::ByteSeq&, const Ice::ByteSeq&);
+
+ void addKeyCert(const std::string&, const std::string&);
+
+ SSL* createSSLConnection(int);
+
+ void connectionSetup(const IceSSL::OpenSSL::ConnectionPtr& connection);
+
+ void setCipherList(const std::string&);
+
+ void setDHParams(const IceSSL::BaseCertificates&);
+
+ IceInternal::TraceLevelsPtr _traceLevels;
+ Ice::LoggerPtr _logger;
+ Ice::PropertiesPtr _properties;
+
+ std::string _rsaPrivateKeyProperty;
+ std::string _rsaPublicKeyProperty;
+ std::string _dsaPrivateKeyProperty;
+ std::string _dsaPublicKeyProperty;
+ std::string _caCertificateProperty;
+ std::string _handshakeTimeoutProperty;
+
+ IceSSL::CertificateVerifierPtr _certificateVerifier;
+
+ SSL_CTX* _sslContext;
+
+ friend class IceSSL::OpenSSL::System;
+};
+
+}
+
+}
+
+#endif
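Review bot: The header gives no ownership information for the raw `SSL*` returned by `createSSLConnection(int)` or for the `SSL_CTX* _sslContext` member, which is what a reader of this class needs most; the implementation on this page creates the `SSL*` with `SSL_new` and hands it straight to a ClientConnection/ServerConnection constructor. A comment on the declaration such as `// Allocates a new SSL object for the given socket fd via SSL_new(); the Connection it is handed to is presumably responsible for SSL_free — confirm.` would make the contract explicit. `isConfigured()` is also declared non-const; if it only inspects `_sslContext` (its body is not in this diff) it should read `bool isConfigured() const;`.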
diff --git a/cpp/src/Ice/ContextOpenSSLClient.cpp b/cpp/src/Ice/ContextOpenSSLClient.cpp
index 3689f00151b..ac0beb99b53 100644
--- a/cpp/src/Ice/ContextOpenSSLClient.cpp
+++ b/cpp/src/Ice/ContextOpenSSLClient.cpp
@@ -1,86 +1,86 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/SslException.h>
-#include <Ice/SslConnectionOpenSSL.h>
-#include <Ice/ContextOpenSSLClient.h>
-#include <Ice/SslConnectionOpenSSLClient.h>
-
-#include <Ice/TraceLevels.h>
-#include <Ice/Logger.h>
-
-#include <iostream>
-
-using IceSSL::ConnectionPtr;
-using IceSSL::SystemInternalPtr;
-
-void
-IceSSL::OpenSSL::ClientContext::configure(const GeneralConfig& generalConfig,
- const CertificateAuthority& certificateAuthority,
- const BaseCertificates& baseCertificates)
-{
- Context::configure(generalConfig, certificateAuthority, baseCertificates);
-
- loadCertificateAuthority(certificateAuthority);
-
- if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
- {
- std::ostringstream s;
-
- s << std::endl;
- s << "general configuration (client)" << std::endl;
- s << "------------------------------" << std::endl;
- s << generalConfig << std::endl << std::endl;
-
- s << "certificate authority (client)" << std::endl;
- s << "------------------------------" << std::endl;
- s << "file: " << certificateAuthority.getCAFileName() << std::endl;
- s << "path: " << certificateAuthority.getCAPath() << std::endl;
-
- s << "base certificates (client)" << std::endl;
- s << "--------------------------" << std::endl;
- s << baseCertificates << std::endl;
-
- _logger->trace(_traceLevels->securityCat, s.str());
- }
-}
-
-IceSSL::ConnectionPtr
-IceSSL::OpenSSL::ClientContext::createConnection(int socket, const SystemInternalPtr& system)
-{
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextNotConfiguredException contextEx(__FILE__, __LINE__);
-
- throw contextEx;
- }
-
- ConnectionPtr connection = new ClientConnection(_traceLevels,
- _logger,
- _certificateVerifier,
- createSSLConnection(socket),
- system);
-
- connectionSetup(connection);
-
- return connection;
-}
-
-IceSSL::OpenSSL::ClientContext::ClientContext(const IceInternal::InstancePtr& instance) :
- Context(instance)
-{
- _rsaPrivateKeyProperty = "Ice.SSL.Client.Overrides.RSA.PrivateKey";
- _rsaPublicKeyProperty = "Ice.SSL.Client.Overrides.RSA.Certificate";
- _dsaPrivateKeyProperty = "Ice.SSL.Client.Overrides.DSA.PrivateKey";
- _dsaPublicKeyProperty = "Ice.SSL.Client.Overrides.DSA.Certificate";
- _caCertificateProperty = "Ice.SSL.Client.Overrides.CACertificate";
- _handshakeTimeoutProperty = "Ice.SSL.Client.Handshake.ReadTimeout";
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/SslException.h>
+#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/ContextOpenSSLClient.h>
+#include <Ice/SslConnectionOpenSSLClient.h>
+
+#include <Ice/TraceLevels.h>
+#include <Ice/Logger.h>
+
+#include <iostream>
+
+using IceSSL::ConnectionPtr;
+using IceSSL::SystemInternalPtr;
+
+void
+IceSSL::OpenSSL::ClientContext::configure(const GeneralConfig& generalConfig,
+ const CertificateAuthority& certificateAuthority,
+ const BaseCertificates& baseCertificates)
+{
+ Context::configure(generalConfig, certificateAuthority, baseCertificates);
+
+ loadCertificateAuthority(certificateAuthority);
+
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
+ {
+ std::ostringstream s;
+
+ s << std::endl;
+ s << "general configuration (client)" << std::endl;
+ s << "------------------------------" << std::endl;
+ s << generalConfig << std::endl << std::endl;
+
+ s << "certificate authority (client)" << std::endl;
+ s << "------------------------------" << std::endl;
+ s << "file: " << certificateAuthority.getCAFileName() << std::endl;
+ s << "path: " << certificateAuthority.getCAPath() << std::endl;
+
+ s << "base certificates (client)" << std::endl;
+ s << "--------------------------" << std::endl;
+ s << baseCertificates << std::endl;
+
+ _logger->trace(_traceLevels->securityCat, s.str());
+ }
+}
+
+IceSSL::ConnectionPtr
+IceSSL::OpenSSL::ClientContext::createConnection(int socket, const SystemInternalPtr& system)
+{
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextNotConfiguredException contextEx(__FILE__, __LINE__);
+
+ throw contextEx;
+ }
+
+ ConnectionPtr connection = new ClientConnection(_traceLevels,
+ _logger,
+ _certificateVerifier,
+ createSSLConnection(socket),
+ system);
+
+ connectionSetup(connection);
+
+ return connection;
+}
+
+IceSSL::OpenSSL::ClientContext::ClientContext(const IceInternal::InstancePtr& instance) :
+ Context(instance)
+{
+ _rsaPrivateKeyProperty = "Ice.SSL.Client.Overrides.RSA.PrivateKey";
+ _rsaPublicKeyProperty = "Ice.SSL.Client.Overrides.RSA.Certificate";
+ _dsaPrivateKeyProperty = "Ice.SSL.Client.Overrides.DSA.PrivateKey";
+ _dsaPublicKeyProperty = "Ice.SSL.Client.Overrides.DSA.Certificate";
+ _caCertificateProperty = "Ice.SSL.Client.Overrides.CACertificate";
+ _handshakeTimeoutProperty = "Ice.SSL.Client.Handshake.ReadTimeout";
+}
+
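Review bot: The `ContextNotConfiguredException` thrown at the top of `createConnection` is raised without a `_message`, whereas `Context::addKeyCert` in ContextOpenSSL.cpp on this page sets `contextConfigEx._message = "ssl context not configured";` before throwing the same type; adding that line here keeps the diagnostics uniform. In the same function the `SSL*` returned by `createSSLConnection(socket)` is passed directly into `new ClientConnection(...)`, and if that constructor throws nothing visible here frees it, so whether ClientConnection takes ownership on entry should be confirmed (its definition is outside this diff). `std::ostringstream` in `configure` is used with only `<iostream>` included; `<sstream>` is the header that guarantees it.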
diff --git a/cpp/src/Ice/ContextOpenSSLClient.h b/cpp/src/Ice/ContextOpenSSLClient.h
index 8bbf3ee364b..0a848eb5d78 100644
--- a/cpp/src/Ice/ContextOpenSSLClient.h
+++ b/cpp/src/Ice/ContextOpenSSLClient.h
@@ -1,44 +1,44 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_CONTEXT_OPENSSL_CLIENT_H
-#define ICE_SSL_CONTEXT_OPENSSL_CLIENT_H
-
-#include <Ice/ContextOpenSSL.h>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-class ClientContext : public Context
-{
-public:
-
- virtual void configure(const IceSSL::GeneralConfig&,
- const IceSSL::CertificateAuthority&,
- const IceSSL::BaseCertificates&);
-
- // Takes a socket fd as the first parameter.
- virtual IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&);
-
-protected:
-
- ClientContext(const IceInternal::InstancePtr&);
-
- friend class IceSSL::OpenSSL::System;
-};
-
-}
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_CONTEXT_OPENSSL_CLIENT_H
+#define ICE_SSL_CONTEXT_OPENSSL_CLIENT_H
+
+#include <Ice/ContextOpenSSL.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class ClientContext : public Context
+{
+public:
+
+ virtual void configure(const IceSSL::GeneralConfig&,
+ const IceSSL::CertificateAuthority&,
+ const IceSSL::BaseCertificates&);
+
+ // Takes a socket fd as the first parameter.
+ virtual IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&);
+
+protected:
+
+ ClientContext(const IceInternal::InstancePtr&);
+
+ friend class IceSSL::OpenSSL::System;
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/ContextOpenSSLF.h b/cpp/src/Ice/ContextOpenSSLF.h
index 322c3d0b5aa..fd338e10a58 100644
--- a/cpp/src/Ice/ContextOpenSSLF.h
+++ b/cpp/src/Ice/ContextOpenSSLF.h
@@ -1,37 +1,37 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_CONTEXT_OPENSSL_F_H
-#define ICE_SSL_CONTEXT_OPENSSL_F_H
-
-#include <Ice/Handle.h>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-class Context;
-typedef IceInternal::Handle<Context> ContextPtr;
-
-}
-
-}
-
-namespace IceInternal
-{
-
-void incRef(::IceSSL::OpenSSL::Context*);
-void decRef(::IceSSL::OpenSSL::Context*);
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_CONTEXT_OPENSSL_F_H
+#define ICE_SSL_CONTEXT_OPENSSL_F_H
+
+#include <Ice/Handle.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class Context;
+typedef IceInternal::Handle<Context> ContextPtr;
+
+}
+
+}
+
+namespace IceInternal
+{
+
+void incRef(::IceSSL::OpenSSL::Context*);
+void decRef(::IceSSL::OpenSSL::Context*);
+
+}
+
+#endif
diff --git a/cpp/src/Ice/ContextOpenSSLServer.cpp b/cpp/src/Ice/ContextOpenSSLServer.cpp
index 97775069a12..89ee2b7c78a 100644
--- a/cpp/src/Ice/ContextOpenSSLServer.cpp
+++ b/cpp/src/Ice/ContextOpenSSLServer.cpp
@@ -1,142 +1,142 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/SslException.h>
-#include <Ice/SslConnectionOpenSSL.h>
-#include <Ice/ContextOpenSSLServer.h>
-#include <Ice/SslConnectionOpenSSLServer.h>
-#include <Ice/OpenSSLUtils.h>
-
-#include <Ice/TraceLevels.h>
-#include <Ice/Logger.h>
-
-#include <iostream.h>
-
-using IceSSL::ConnectionPtr;
-using IceSSL::SystemInternalPtr;
-
-void
-IceSSL::OpenSSL::ServerContext::configure(const GeneralConfig& generalConfig,
- const CertificateAuthority& certificateAuthority,
- const BaseCertificates& baseCertificates)
-{
- Context::configure(generalConfig, certificateAuthority, baseCertificates);
-
- assert(_sslContext != 0);
-
- // On servers, Attempt to use non-export (strong) encryption
- // first. This option does not always work, and in the OpenSSL
- // documentation is declared as 'broken'.
- // SSL_CTX_set_options(_sslContext, SSL_OP_NON_EXPORT_FIRST);
-
- // Always use a new DH key when using Diffie-Hellman key agreement.
- SSL_CTX_set_options(_sslContext, SSL_OP_SINGLE_DH_USE);
-
- // Set the RSA Callback routine in case we need to build a temporary (ephemeral) RSA key.
- SSL_CTX_set_tmp_rsa_callback(_sslContext, tmpRSACallback);
-
- // Set the DH Callback routine in case we need a temporary (ephemeral) DH key.
- SSL_CTX_set_tmp_dh_callback(_sslContext, tmpDHCallback);
-
- loadCertificateAuthority(certificateAuthority);
-
- // Set the session context for the SSL system [SERVER ONLY].
- std::string connectionContext = generalConfig.getContext();
- SSL_CTX_set_session_id_context(_sslContext,
- reinterpret_cast<const unsigned char *>(connectionContext.c_str()),
- connectionContext.size());
-
- if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
- {
- std::ostringstream s;
-
- s << std::endl;
- s << "general configuration (server)" << std::endl;
- s << "------------------------------" << std::endl;
- s << generalConfig << std::endl << std::endl;
-
- s << "CA file: " << certificateAuthority.getCAFileName() << std::endl;
- s << "CA path: " << certificateAuthority.getCAPath() << std::endl;
-
- s << "base certificates (server)" << std::endl;
- s << "--------------------------" << std::endl;
- s << baseCertificates << std::endl << std::endl;
-
- _logger->trace(_traceLevels->securityCat, s.str());
- }
-}
-
-IceSSL::ConnectionPtr
-IceSSL::OpenSSL::ServerContext::createConnection(int socket, const SystemInternalPtr& system)
-{
- if (_sslContext == 0)
- {
- IceSSL::OpenSSL::ContextNotConfiguredException contextEx(__FILE__, __LINE__);
-
- throw contextEx;
- }
-
- ConnectionPtr connection = new ServerConnection(_traceLevels,
- _logger,
- _certificateVerifier,
- createSSLConnection(socket),
- system);
-
- connectionSetup(connection);
-
- return connection;
-}
-
-//
-// Protected
-//
-
-IceSSL::OpenSSL::ServerContext::ServerContext(const IceInternal::InstancePtr& instance) :
- Context(instance)
-{
- _rsaPrivateKeyProperty = "Ice.SSL.Server.Overrides.RSA.PrivateKey";
- _rsaPublicKeyProperty = "Ice.SSL.Server.Overrides.RSA.Certificate";
- _dsaPrivateKeyProperty = "Ice.SSL.Server.Overrides.DSA.PrivateKey";
- _dsaPublicKeyProperty = "Ice.SSL.Server.Overrides.DSA.Certificate";
- _caCertificateProperty = "Ice.SSL.Server.Overrides.CACertificate";
- _handshakeTimeoutProperty = "Ice.SSL.Server.Handshake.ReadTimeout";
-}
-
-void
-IceSSL::OpenSSL::ServerContext::loadCertificateAuthority(const CertificateAuthority& certAuth)
-{
- assert(_sslContext != 0);
-
- Context::loadCertificateAuthority(certAuth);
-
- std::string caFile = certAuth.getCAFileName();
-
- if (caFile.empty())
- {
- return;
- }
-
- STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str());
-
- if (certNames == 0)
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- std::string errorString = "unable to load certificate authorities certificate names from " + caFile + "\n";
- errorString += sslGetErrors();
- _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
- }
- }
- else
- {
- SSL_CTX_set_client_CA_list(_sslContext, certNames);
- }
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/SslException.h>
+#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/ContextOpenSSLServer.h>
+#include <Ice/SslConnectionOpenSSLServer.h>
+#include <Ice/OpenSSLUtils.h>
+
+#include <Ice/TraceLevels.h>
+#include <Ice/Logger.h>
+
+#include <iostream.h>
+
+using IceSSL::ConnectionPtr;
+using IceSSL::SystemInternalPtr;
+
+void
+IceSSL::OpenSSL::ServerContext::configure(const GeneralConfig& generalConfig,
+ const CertificateAuthority& certificateAuthority,
+ const BaseCertificates& baseCertificates)
+{
+ Context::configure(generalConfig, certificateAuthority, baseCertificates);
+
+ assert(_sslContext != 0);
+
+ // On servers, Attempt to use non-export (strong) encryption
+ // first. This option does not always work, and in the OpenSSL
+ // documentation is declared as 'broken'.
+ // SSL_CTX_set_options(_sslContext, SSL_OP_NON_EXPORT_FIRST);
+
+ // Always use a new DH key when using Diffie-Hellman key agreement.
+ SSL_CTX_set_options(_sslContext, SSL_OP_SINGLE_DH_USE);
+
+ // Set the RSA Callback routine in case we need to build a temporary (ephemeral) RSA key.
+ SSL_CTX_set_tmp_rsa_callback(_sslContext, tmpRSACallback);
+
+ // Set the DH Callback routine in case we need a temporary (ephemeral) DH key.
+ SSL_CTX_set_tmp_dh_callback(_sslContext, tmpDHCallback);
+
+ loadCertificateAuthority(certificateAuthority);
+
+ // Set the session context for the SSL system [SERVER ONLY].
+ std::string connectionContext = generalConfig.getContext();
+ SSL_CTX_set_session_id_context(_sslContext,
+ reinterpret_cast<const unsigned char *>(connectionContext.c_str()),
+ connectionContext.size());
+
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
+ {
+ std::ostringstream s;
+
+ s << std::endl;
+ s << "general configuration (server)" << std::endl;
+ s << "------------------------------" << std::endl;
+ s << generalConfig << std::endl << std::endl;
+
+ s << "CA file: " << certificateAuthority.getCAFileName() << std::endl;
+ s << "CA path: " << certificateAuthority.getCAPath() << std::endl;
+
+ s << "base certificates (server)" << std::endl;
+ s << "--------------------------" << std::endl;
+ s << baseCertificates << std::endl << std::endl;
+
+ _logger->trace(_traceLevels->securityCat, s.str());
+ }
+}
+
+IceSSL::ConnectionPtr
+IceSSL::OpenSSL::ServerContext::createConnection(int socket, const SystemInternalPtr& system)
+{
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextNotConfiguredException contextEx(__FILE__, __LINE__);
+
+ throw contextEx;
+ }
+
+ ConnectionPtr connection = new ServerConnection(_traceLevels,
+ _logger,
+ _certificateVerifier,
+ createSSLConnection(socket),
+ system);
+
+ connectionSetup(connection);
+
+ return connection;
+}
+
+//
+// Protected
+//
+
+IceSSL::OpenSSL::ServerContext::ServerContext(const IceInternal::InstancePtr& instance) :
+ Context(instance)
+{
+ _rsaPrivateKeyProperty = "Ice.SSL.Server.Overrides.RSA.PrivateKey";
+ _rsaPublicKeyProperty = "Ice.SSL.Server.Overrides.RSA.Certificate";
+ _dsaPrivateKeyProperty = "Ice.SSL.Server.Overrides.DSA.PrivateKey";
+ _dsaPublicKeyProperty = "Ice.SSL.Server.Overrides.DSA.Certificate";
+ _caCertificateProperty = "Ice.SSL.Server.Overrides.CACertificate";
+ _handshakeTimeoutProperty = "Ice.SSL.Server.Handshake.ReadTimeout";
+}
+
+void
+IceSSL::OpenSSL::ServerContext::loadCertificateAuthority(const CertificateAuthority& certAuth)
+{
+ assert(_sslContext != 0);
+
+ Context::loadCertificateAuthority(certAuth);
+
+ std::string caFile = certAuth.getCAFileName();
+
+ if (caFile.empty())
+ {
+ return;
+ }
+
+ STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str());
+
+ if (certNames == 0)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ std::string errorString = "unable to load certificate authorities certificate names from " + caFile + "\n";
+ errorString += sslGetErrors();
+ _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ }
+ }
+ else
+ {
+ SSL_CTX_set_client_CA_list(_sslContext, certNames);
+ }
+}
+
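Review bot: The return value of `SSL_CTX_set_session_id_context` in `configure` (the `connectionContext` block after `loadCertificateAuthority`) is ignored, and the call fails when the context exceeds SSL_MAX_SSL_SESSION_ID_LENGTH, leaving the server without a session id context and session handling silently different from what was configured; the result should be checked and the failure reported through the existing `SECURITY_WARNINGS` trace path, or turned into an exception like the key-loading code in ContextOpenSSL.cpp on this page. The `ContextNotConfiguredException` thrown in `createConnection` also carries no `_message`, unlike the same exception in `Context::addKeyCert`, which sets `"ssl context not configured"`. The file includes the pre-standard `<iostream.h>` while `ContextOpenSSLClient.cpp` uses `<iostream>`, and neither includes `<sstream>` for `std::ostringstream`.
```cpp
    // … unchanged: SSL_CTX_set_options / callback setup / loadCertificateAuthority …

    // Set the session context for the SSL system [SERVER ONLY].
    std::string connectionContext = generalConfig.getContext();
    if (!SSL_CTX_set_session_id_context(_sslContext,
                                        reinterpret_cast<const unsigned char *>(connectionContext.c_str()),
                                        connectionContext.size()) &&
        (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
    {
        std::string errorString = "WRN unable to set session id context (is it longer than the OpenSSL limit?)\n";
        errorString += sslGetErrors();
        _logger->trace(_traceLevels->securityCat, errorString);
    }

    // … unchanged: SECURITY_PROTOCOL trace output …
```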
diff --git a/cpp/src/Ice/ContextOpenSSLServer.h b/cpp/src/Ice/ContextOpenSSLServer.h
index 4b6716e5daa..da5e094a367 100644
--- a/cpp/src/Ice/ContextOpenSSLServer.h
+++ b/cpp/src/Ice/ContextOpenSSLServer.h
@@ -1,46 +1,46 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_CONTEXT_OPENSSL_SERVER_H
-#define ICE_SSL_CONTEXT_OPENSSL_SERVER_H
-
-#include <Ice/ContextOpenSSL.h>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-class ServerContext : public Context
-{
-public:
-
- virtual void configure(const IceSSL::GeneralConfig&,
- const IceSSL::CertificateAuthority&,
- const IceSSL::BaseCertificates&);
-
- // Takes a socket fd as the first parameter.
- virtual IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&);
-
-protected:
-
- ServerContext(const IceInternal::InstancePtr&);
-
- virtual void loadCertificateAuthority(const IceSSL::CertificateAuthority& certAuth);
-
- friend class IceSSL::OpenSSL::System;
-};
-
-}
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_CONTEXT_OPENSSL_SERVER_H
+#define ICE_SSL_CONTEXT_OPENSSL_SERVER_H
+
+#include <Ice/ContextOpenSSL.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class ServerContext : public Context
+{
+public:
+
+ virtual void configure(const IceSSL::GeneralConfig&,
+ const IceSSL::CertificateAuthority&,
+ const IceSSL::BaseCertificates&);
+
+ // Takes a socket fd as the first parameter.
+ virtual IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&);
+
+protected:
+
+ ServerContext(const IceInternal::InstancePtr&);
+
+ virtual void loadCertificateAuthority(const IceSSL::CertificateAuthority& certAuth);
+
+ friend class IceSSL::OpenSSL::System;
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/DHParams.cpp b/cpp/src/Ice/DHParams.cpp
index c67ade7e5e6..232923a213c 100644
--- a/cpp/src/Ice/DHParams.cpp
+++ b/cpp/src/Ice/DHParams.cpp
@@ -1,35 +1,35 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/DHParams.h>
-
-void ::IceInternal::incRef(::IceSSL::OpenSSL::DHParams* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSSL::OpenSSL::DHParams* p) { p->__decRef(); }
-
-IceSSL::OpenSSL::DHParams::DHParams(DH* dhParams) :
- _dhParams(dhParams)
-{
- assert(_dhParams != 0);
-}
-
-IceSSL::OpenSSL::DHParams::~DHParams()
-{
- if (_dhParams != 0)
- {
- DH_free(_dhParams);
- }
-}
-
-DH*
-IceSSL::OpenSSL::DHParams::get() const
-{
- return _dhParams;
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/DHParams.h>
+
+void ::IceInternal::incRef(::IceSSL::OpenSSL::DHParams* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::DHParams* p) { p->__decRef(); }
+
+IceSSL::OpenSSL::DHParams::DHParams(DH* dhParams) :
+ _dhParams(dhParams)
+{
+ assert(_dhParams != 0);
+}
+
+IceSSL::OpenSSL::DHParams::~DHParams()
+{
+ if (_dhParams != 0)
+ {
+ DH_free(_dhParams);
+ }
+}
+
+DH*
+IceSSL::OpenSSL::DHParams::get() const
+{
+ return _dhParams;
+}
+
diff --git a/cpp/src/Ice/DHParams.h b/cpp/src/Ice/DHParams.h
index f55d7670890..922a82da230 100644
--- a/cpp/src/Ice/DHParams.h
+++ b/cpp/src/Ice/DHParams.h
@@ -1,46 +1,46 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_DH_PARAMS_H
-#define ICE_DH_PARAMS_H
-
-#include <IceUtil/Config.h>
-#include <IceUtil/Shared.h>
-#include <openssl/ssl.h>
-#include <Ice/DHParamsF.h>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-class DHParams : public IceUtil::Shared
-{
-public:
-
- // Construction from DH Params structure (simple initialization).
- DHParams(DH*);
-
- ~DHParams();
-
- // Get the internal key structure as per the OpenSSL implementation.
- DH* get() const;
-
-private:
-
- DH* _dhParams;
-};
-
-}
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_DH_PARAMS_H
+#define ICE_DH_PARAMS_H
+
+#include <IceUtil/Config.h>
+#include <IceUtil/Shared.h>
+#include <openssl/ssl.h>
+#include <Ice/DHParamsF.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class DHParams : public IceUtil::Shared
+{
+public:
+
+ // Construction from DH Params structure (simple initialization).
+ DHParams(DH*);
+
+ ~DHParams();
+
+ // Get the internal key structure as per the OpenSSL implementation.
+ DH* get() const;
+
+private:
+
+ DH* _dhParams;
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/DHParamsF.h b/cpp/src/Ice/DHParamsF.h
index b8b8274ec88..abe97b9f4e6 100644
--- a/cpp/src/Ice/DHParamsF.h
+++ b/cpp/src/Ice/DHParamsF.h
@@ -1,37 +1,37 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_DH_PARAMS_F_H
-#define ICE_DH_PARAMS_F_H
-
-#include <Ice/Handle.h>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-class DHParams;
-typedef IceInternal::Handle<DHParams> DHParamsPtr;
-
-}
-
-}
-
-namespace IceInternal
-{
-
-void incRef(::IceSSL::OpenSSL::DHParams*);
-void decRef(::IceSSL::OpenSSL::DHParams*);
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_DH_PARAMS_F_H
+#define ICE_DH_PARAMS_F_H
+
+#include <Ice/Handle.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class DHParams;
+typedef IceInternal::Handle<DHParams> DHParamsPtr;
+
+}
+
+}
+
+namespace IceInternal
+{
+
+void incRef(::IceSSL::OpenSSL::DHParams*);
+void decRef(::IceSSL::OpenSSL::DHParams*);
+
+}
+
+#endif
diff --git a/cpp/src/Ice/DefaultCertificateVerifier.cpp b/cpp/src/Ice/DefaultCertificateVerifier.cpp
index 0bbf51c25cb..ef68e432374 100644
--- a/cpp/src/Ice/DefaultCertificateVerifier.cpp
+++ b/cpp/src/Ice/DefaultCertificateVerifier.cpp
@@ -1,104 +1,104 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/OpenSSL.h>
-#include <Ice/DefaultCertificateVerifier.h>
-#include <Ice/OpenSSLUtils.h>
-#include <ostream>
-
-using namespace std;
-
-IceSSL::OpenSSL::DefaultCertificateVerifier::DefaultCertificateVerifier(
- const IceInternal::InstancePtr& instance) :
- _traceLevels(instance->traceLevels()),
- _logger(instance->logger())
-{
-}
-
-int
-IceSSL::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay,
- X509_STORE_CTX* x509StoreContext,
- SSL* sslConnection)
-{
- //
- // Default verification steps.
- //
-
- int verifyError = X509_STORE_CTX_get_error(x509StoreContext);
- int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext);
- int verifyDepth = SSL_get_verify_depth(sslConnection);
-
- // A verify error has been encountered.
- if (verifyError != X509_V_OK)
- {
- // We have a limited verify depth, and we have had to delve too deeply
- // into the certificate chain to find an acceptable root certificate.
- if ((verifyDepth != -1) && (verifyDepth < errorDepth))
- {
- verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG;
- X509_STORE_CTX_set_error(x509StoreContext, verifyError);
- }
-
- // If we have ANY errors, we bail out.
- preVerifyOkay = 0;
- }
-
- // Only if ICE_PROTOCOL level logging is on do we worry about this.
- if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
- {
- char buf[256];
-
- X509* err_cert = X509_STORE_CTX_get_current_cert(x509StoreContext);
-
- X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
-
- ostringstream outStringStream;
-
- outStringStream << "depth = " << dec << errorDepth << ":" << buf << std::endl;
-
- if (!preVerifyOkay)
- {
- outStringStream << "verify error: num = " << verifyError << " : "
- << X509_verify_cert_error_string(verifyError) << endl;
-
- }
-
- switch (verifyError)
- {
- case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- {
- X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
- outStringStream << "issuer = " << buf << endl;
- break;
- }
-
- case X509_V_ERR_CERT_NOT_YET_VALID:
- case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
- {
- outStringStream << "notBefore = " << getASN1time(X509_get_notBefore(err_cert)) << endl;
- break;
- }
-
- case X509_V_ERR_CERT_HAS_EXPIRED:
- case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
- {
- outStringStream << "notAfter = " << getASN1time(X509_get_notAfter(err_cert)) << endl;
- break;
- }
- }
-
- outStringStream << "verify return = " << preVerifyOkay << endl;
-
- _logger->trace(_traceLevels->securityCat, outStringStream.str());
- }
-
- return preVerifyOkay;
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/OpenSSL.h>
+#include <Ice/DefaultCertificateVerifier.h>
+#include <Ice/OpenSSLUtils.h>
+#include <ostream>
+
+using namespace std;
+
+IceSSL::OpenSSL::DefaultCertificateVerifier::DefaultCertificateVerifier(
+ const IceInternal::InstancePtr& instance) :
+ _traceLevels(instance->traceLevels()),
+ _logger(instance->logger())
+{
+}
+
+int
+IceSSL::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay,
+ X509_STORE_CTX* x509StoreContext,
+ SSL* sslConnection)
+{
+ //
+ // Default verification steps.
+ //
+
+ int verifyError = X509_STORE_CTX_get_error(x509StoreContext);
+ int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext);
+ int verifyDepth = SSL_get_verify_depth(sslConnection);
+
+ // A verify error has been encountered.
+ if (verifyError != X509_V_OK)
+ {
+ // We have a limited verify depth, and we have had to delve too deeply
+ // into the certificate chain to find an acceptable root certificate.
+ if ((verifyDepth != -1) && (verifyDepth < errorDepth))
+ {
+ verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+ X509_STORE_CTX_set_error(x509StoreContext, verifyError);
+ }
+
+ // If we have ANY errors, we bail out.
+ preVerifyOkay = 0;
+ }
+
+ // Only if ICE_PROTOCOL level logging is on do we worry about this.
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
+ {
+ char buf[256];
+
+ X509* err_cert = X509_STORE_CTX_get_current_cert(x509StoreContext);
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+
+ ostringstream outStringStream;
+
+ outStringStream << "depth = " << dec << errorDepth << ":" << buf << std::endl;
+
+ if (!preVerifyOkay)
+ {
+ outStringStream << "verify error: num = " << verifyError << " : "
+ << X509_verify_cert_error_string(verifyError) << endl;
+
+ }
+
+ switch (verifyError)
+ {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ {
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
+ outStringStream << "issuer = " << buf << endl;
+ break;
+ }
+
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ {
+ outStringStream << "notBefore = " << getASN1time(X509_get_notBefore(err_cert)) << endl;
+ break;
+ }
+
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ {
+ outStringStream << "notAfter = " << getASN1time(X509_get_notAfter(err_cert)) << endl;
+ break;
+ }
+ }
+
+ outStringStream << "verify return = " << preVerifyOkay << endl;
+
+ _logger->trace(_traceLevels->securityCat, outStringStream.str());
+ }
+
+ return preVerifyOkay;
+}
+
diff --git a/cpp/src/Ice/DefaultCertificateVerifier.h b/cpp/src/Ice/DefaultCertificateVerifier.h
index fae743f833e..7731f17d2f5 100644
--- a/cpp/src/Ice/DefaultCertificateVerifier.h
+++ b/cpp/src/Ice/DefaultCertificateVerifier.h
@@ -1,44 +1,44 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_DEFAULT_CERTIFICATE_VERIFIER_H
-#define ICE_SSL_DEFAULT_CERTIFICATE_VERIFIER_H
-
-#include <IceUtil/Config.h>
-#include <Ice/Logger.h>
-#include <Ice/TraceLevels.h>
-#include <Ice/Instance.h>
-#include <Ice/CertificateVerifierOpenSSL.h>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-class DefaultCertificateVerifier : public IceSSL::OpenSSL::CertificateVerifier
-{
-public:
-
- DefaultCertificateVerifier(const IceInternal::InstancePtr&);
-
- virtual int verify(int, X509_STORE_CTX*, SSL*);
-
-private:
-
- IceInternal::TraceLevelsPtr _traceLevels;
- Ice::LoggerPtr _logger;
-};
-
-}
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_DEFAULT_CERTIFICATE_VERIFIER_H
+#define ICE_SSL_DEFAULT_CERTIFICATE_VERIFIER_H
+
+#include <IceUtil/Config.h>
+#include <Ice/Logger.h>
+#include <Ice/TraceLevels.h>
+#include <Ice/Instance.h>
+#include <Ice/CertificateVerifierOpenSSL.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class DefaultCertificateVerifier : public IceSSL::OpenSSL::CertificateVerifier
+{
+public:
+
+ DefaultCertificateVerifier(const IceInternal::InstancePtr&);
+
+ virtual int verify(int, X509_STORE_CTX*, SSL*);
+
+private:
+
+ IceInternal::TraceLevelsPtr _traceLevels;
+ Ice::LoggerPtr _logger;
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/Endpoint.cpp b/cpp/src/Ice/Endpoint.cpp
index f95044baa34..b88afdc2bcf 100644
--- a/cpp/src/Ice/Endpoint.cpp
+++ b/cpp/src/Ice/Endpoint.cpp
@@ -66,7 +66,7 @@ IceInternal::Endpoint::endpointFromString(const InstancePtr& instance, const str
{
return new UdpEndpoint(instance, str.substr(end));
}
-
+
throw EndpointParseException(__FILE__, __LINE__);
}
@@ -95,7 +95,7 @@ IceInternal::Endpoint::streamRead(BasicStream* s, EndpointPtr& v)
v = new UdpEndpoint(s);
break;
}
-
+
default:
{
v = new UnknownEndpoint(type, s);
@@ -552,7 +552,7 @@ IceInternal::TcpEndpoint::operator<(const Endpoint& r) const
{
return false; // tcp is not "less than" udp
}
-
+
if (dynamic_cast<const UnknownEndpoint*>(&r))
{
return false; // tcp is not "less than" unknown
@@ -887,7 +887,7 @@ IceInternal::SslEndpoint::operator<(const Endpoint& r) const
{
return false; // ssl is not "less than" udp
}
-
+
if (dynamic_cast<const UnknownEndpoint*>(&r))
{
return false; // ssl is not "less than" unknown
@@ -1217,7 +1217,7 @@ IceInternal::UdpEndpoint::operator<(const Endpoint& r) const
{
return true; // udp is "less than" tcp
}
-
+
if (dynamic_cast<const UnknownEndpoint*>(&r))
{
return false; // udp is not "less than" unknown
@@ -1270,4 +1270,4 @@ IceInternal::UdpEndpoint::operator<(const Endpoint& r) const
return false;
}
-
+
diff --git a/cpp/src/Ice/GeneralConfig.cpp b/cpp/src/Ice/GeneralConfig.cpp
index 24de463101e..9eabc98d548 100644
--- a/cpp/src/Ice/GeneralConfig.cpp
+++ b/cpp/src/Ice/GeneralConfig.cpp
@@ -29,8 +29,8 @@ IceSSL::GeneralConfig::GeneralConfig()
_sslVersion = SSL_V23;
_verifyMode = SSL_VERIFY_NONE;
-
- // Unlimited verifcation depth.
+
+ // Unlimited verifcation depth.
_verifyDepth = -1;
_context = "";
diff --git a/cpp/src/Ice/GeneralConfig.h b/cpp/src/Ice/GeneralConfig.h
index 228504dbebf..db9938fb70c 100644
--- a/cpp/src/Ice/GeneralConfig.h
+++ b/cpp/src/Ice/GeneralConfig.h
@@ -19,7 +19,7 @@ namespace IceSSL
class GeneralConfig
{
-public:
+public:
GeneralConfig();
diff --git a/cpp/src/Ice/OpenSSL.h b/cpp/src/Ice/OpenSSL.h
index 6fbf6aebb57..ddb4219e321 100644
--- a/cpp/src/Ice/OpenSSL.h
+++ b/cpp/src/Ice/OpenSSL.h
@@ -1,38 +1,38 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-#ifndef ICE_OPENSSL_H
-#define ICE_OPENSSL_H
-
-#include <openssl/ssl.h>
-
-namespace IceSSL
-{
-
-typedef enum
-{
- NO_SECURITY_TRACE = 0,
- SECURITY_WARNINGS,
- SECURITY_PARSE_WARNINGS,
- SECURITY_PROTOCOL,
- SECURITY_PROTOCOL_DEBUG
-} SecurityTraceLevel;
-
-enum SslProtocol
-{
- SSL_V2 = 1, // Only speak SSLv2
- SSL_V23, // Speak SSLv2 and SSLv3
- SSL_V3, // Only speak SSLv3
- TLS_V1 // Only speak TLSv1
-};
-
-}
-
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+#ifndef ICE_OPENSSL_H
+#define ICE_OPENSSL_H
+
+#include <openssl/ssl.h>
+
+namespace IceSSL
+{
+
+typedef enum
+{
+ NO_SECURITY_TRACE = 0,
+ SECURITY_WARNINGS,
+ SECURITY_PARSE_WARNINGS,
+ SECURITY_PROTOCOL,
+ SECURITY_PROTOCOL_DEBUG
+} SecurityTraceLevel;
+
+enum SslProtocol
+{
+ SSL_V2 = 1, // Only speak SSLv2
+ SSL_V23, // Speak SSLv2 and SSLv3
+ SSL_V3, // Only speak SSLv3
+ TLS_V1 // Only speak TLSv1
+};
+
+}
+
+
+#endif
diff --git a/cpp/src/Ice/OpenSSLJanitors.cpp b/cpp/src/Ice/OpenSSLJanitors.cpp
index 197b5c6dedd..f28564789b2 100644
--- a/cpp/src/Ice/OpenSSLJanitors.cpp
+++ b/cpp/src/Ice/OpenSSLJanitors.cpp
@@ -1,142 +1,142 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/OpenSSLJanitors.h>
-
-IceSSL::OpenSSL::RSAJanitor::RSAJanitor(RSA* rsa) :
- _rsa(rsa)
-{
- assert(_rsa != 0);
-}
-
-IceSSL::OpenSSL::RSAJanitor::~RSAJanitor()
-{
- if (_rsa)
- {
- RSA_free(_rsa);
- }
-}
-
-void
-IceSSL::OpenSSL::RSAJanitor::clear()
-{
- _rsa = 0;
-}
-
-RSA*
-IceSSL::OpenSSL::RSAJanitor::get() const
-{
- return _rsa;
-}
-
-IceSSL::OpenSSL::EVP_PKEYJanitor::EVP_PKEYJanitor(EVP_PKEY* evp_pkey) :
- _evp_pkey(evp_pkey)
-{
- assert(_evp_pkey != 0);
-}
-
-IceSSL::OpenSSL::EVP_PKEYJanitor::~EVP_PKEYJanitor()
-{
- if (_evp_pkey)
- {
- EVP_PKEY_free(_evp_pkey);
- }
-}
-
-void
-IceSSL::OpenSSL::EVP_PKEYJanitor::clear()
-{
- _evp_pkey = 0;
-}
-
-EVP_PKEY*
-IceSSL::OpenSSL::EVP_PKEYJanitor::get() const
-{
- return _evp_pkey;
-}
-
-IceSSL::OpenSSL::X509_REQJanitor::X509_REQJanitor(X509_REQ* x509_req) :
- _x509_req(x509_req)
-{
- assert(_x509_req != 0);
-}
-
-IceSSL::OpenSSL::X509_REQJanitor::~X509_REQJanitor()
-{
- if (_x509_req)
- {
- X509_REQ_free(_x509_req);
- }
-}
-
-void
-IceSSL::OpenSSL::X509_REQJanitor::clear()
-{
- _x509_req = 0;
-}
-
-X509_REQ*
-IceSSL::OpenSSL::X509_REQJanitor::get() const
-{
- return _x509_req;
-}
-
-IceSSL::OpenSSL::X509Janitor::X509Janitor(X509* x509) :
- _x509(x509)
-{
- assert(_x509 != 0);
-}
-
-IceSSL::OpenSSL::X509Janitor::~X509Janitor()
-{
- if (_x509)
- {
- X509_free(_x509);
- }
-}
-
-void
-IceSSL::OpenSSL::X509Janitor::clear()
-{
- _x509 = 0;
-}
-
-X509*
-IceSSL::OpenSSL::X509Janitor::get() const
-{
- return _x509;
-}
-
-IceSSL::OpenSSL::BIOJanitor::BIOJanitor(BIO* bio) :
- _bio(bio)
-{
- assert(_bio != 0);
-}
-
-IceSSL::OpenSSL::BIOJanitor::~BIOJanitor()
-{
- if (_bio)
- {
- BIO_free(_bio);
- }
-}
-
-void
-IceSSL::OpenSSL::BIOJanitor::clear()
-{
- _bio = 0;
-}
-
-BIO*
-IceSSL::OpenSSL::BIOJanitor::get() const
-{
- return _bio;
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/OpenSSLJanitors.h>
+
+IceSSL::OpenSSL::RSAJanitor::RSAJanitor(RSA* rsa) :
+ _rsa(rsa)
+{
+ assert(_rsa != 0);
+}
+
+IceSSL::OpenSSL::RSAJanitor::~RSAJanitor()
+{
+ if (_rsa)
+ {
+ RSA_free(_rsa);
+ }
+}
+
+void
+IceSSL::OpenSSL::RSAJanitor::clear()
+{
+ _rsa = 0;
+}
+
+RSA*
+IceSSL::OpenSSL::RSAJanitor::get() const
+{
+ return _rsa;
+}
+
+IceSSL::OpenSSL::EVP_PKEYJanitor::EVP_PKEYJanitor(EVP_PKEY* evp_pkey) :
+ _evp_pkey(evp_pkey)
+{
+ assert(_evp_pkey != 0);
+}
+
+IceSSL::OpenSSL::EVP_PKEYJanitor::~EVP_PKEYJanitor()
+{
+ if (_evp_pkey)
+ {
+ EVP_PKEY_free(_evp_pkey);
+ }
+}
+
+void
+IceSSL::OpenSSL::EVP_PKEYJanitor::clear()
+{
+ _evp_pkey = 0;
+}
+
+EVP_PKEY*
+IceSSL::OpenSSL::EVP_PKEYJanitor::get() const
+{
+ return _evp_pkey;
+}
+
+IceSSL::OpenSSL::X509_REQJanitor::X509_REQJanitor(X509_REQ* x509_req) :
+ _x509_req(x509_req)
+{
+ assert(_x509_req != 0);
+}
+
+IceSSL::OpenSSL::X509_REQJanitor::~X509_REQJanitor()
+{
+ if (_x509_req)
+ {
+ X509_REQ_free(_x509_req);
+ }
+}
+
+void
+IceSSL::OpenSSL::X509_REQJanitor::clear()
+{
+ _x509_req = 0;
+}
+
+X509_REQ*
+IceSSL::OpenSSL::X509_REQJanitor::get() const
+{
+ return _x509_req;
+}
+
+IceSSL::OpenSSL::X509Janitor::X509Janitor(X509* x509) :
+ _x509(x509)
+{
+ assert(_x509 != 0);
+}
+
+IceSSL::OpenSSL::X509Janitor::~X509Janitor()
+{
+ if (_x509)
+ {
+ X509_free(_x509);
+ }
+}
+
+void
+IceSSL::OpenSSL::X509Janitor::clear()
+{
+ _x509 = 0;
+}
+
+X509*
+IceSSL::OpenSSL::X509Janitor::get() const
+{
+ return _x509;
+}
+
+IceSSL::OpenSSL::BIOJanitor::BIOJanitor(BIO* bio) :
+ _bio(bio)
+{
+ assert(_bio != 0);
+}
+
+IceSSL::OpenSSL::BIOJanitor::~BIOJanitor()
+{
+ if (_bio)
+ {
+ BIO_free(_bio);
+ }
+}
+
+void
+IceSSL::OpenSSL::BIOJanitor::clear()
+{
+ _bio = 0;
+}
+
+BIO*
+IceSSL::OpenSSL::BIOJanitor::get() const
+{
+ return _bio;
+}
+
diff --git a/cpp/src/Ice/OpenSSLJanitors.h b/cpp/src/Ice/OpenSSLJanitors.h
index 1140d2bc6c7..63802ae50ba 100644
--- a/cpp/src/Ice/OpenSSLJanitors.h
+++ b/cpp/src/Ice/OpenSSLJanitors.h
@@ -1,102 +1,102 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_JANITORS_H
-#define ICE_SSL_JANITORS_H
-
-#include <IceUtil/Config.h>
-#include <openssl/ssl.h>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-class RSAJanitor
-{
-public:
-
- RSAJanitor(RSA*);
- ~RSAJanitor();
-
- void clear();
- RSA* get() const;
-
-private:
-
- RSA* _rsa;
-};
-
-class EVP_PKEYJanitor
-{
-public:
-
- EVP_PKEYJanitor(EVP_PKEY*);
- ~EVP_PKEYJanitor();
-
- void clear();
- EVP_PKEY* get() const;
-
-private:
-
- EVP_PKEY* _evp_pkey;
-};
-
-class X509_REQJanitor
-{
-public:
-
- X509_REQJanitor(X509_REQ*);
- ~X509_REQJanitor();
-
- void clear();
- X509_REQ* get() const;
-
-private:
-
- X509_REQ* _x509_req;
-};
-
-class X509Janitor
-{
-public:
-
- X509Janitor(X509*);
- ~X509Janitor();
-
- void clear();
- X509* get() const;
-
-private:
-
- X509* _x509;
-};
-
-class BIOJanitor
-{
-public:
-
- BIOJanitor(BIO*);
- ~BIOJanitor();
-
- void clear();
- BIO* get() const;
-
-private:
-
- BIO* _bio;
-};
-
-}
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_JANITORS_H
+#define ICE_SSL_JANITORS_H
+
+#include <IceUtil/Config.h>
+#include <openssl/ssl.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class RSAJanitor
+{
+public:
+
+ RSAJanitor(RSA*);
+ ~RSAJanitor();
+
+ void clear();
+ RSA* get() const;
+
+private:
+
+ RSA* _rsa;
+};
+
+class EVP_PKEYJanitor
+{
+public:
+
+ EVP_PKEYJanitor(EVP_PKEY*);
+ ~EVP_PKEYJanitor();
+
+ void clear();
+ EVP_PKEY* get() const;
+
+private:
+
+ EVP_PKEY* _evp_pkey;
+};
+
+class X509_REQJanitor
+{
+public:
+
+ X509_REQJanitor(X509_REQ*);
+ ~X509_REQJanitor();
+
+ void clear();
+ X509_REQ* get() const;
+
+private:
+
+ X509_REQ* _x509_req;
+};
+
+class X509Janitor
+{
+public:
+
+ X509Janitor(X509*);
+ ~X509Janitor();
+
+ void clear();
+ X509* get() const;
+
+private:
+
+ X509* _x509;
+};
+
+class BIOJanitor
+{
+public:
+
+ BIOJanitor(BIO*);
+ ~BIOJanitor();
+
+ void clear();
+ BIO* get() const;
+
+private:
+
+ BIO* _bio;
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/OpenSSLUtils.cpp b/cpp/src/Ice/OpenSSLUtils.cpp
index 132778e4078..ecd5e1cc62a 100644
--- a/cpp/src/Ice/OpenSSLUtils.cpp
+++ b/cpp/src/Ice/OpenSSLUtils.cpp
@@ -1,358 +1,358 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/OpenSSLUtils.h>
-#include <Ice/SystemInternalF.h>
-#include <Ice/SystemOpenSSL.h>
-#include <Ice/SslFactory.h>
-#include <IceUtil/Mutex.h>
-#include <openssl/err.h>
-#include <assert.h>
-
-using std::string;
-
-//
-// TODO: These Diffie-Hellman params have been blatantly stolen from
-// OpenSSL's demo programs. We SHOULD define our own here, but
-// these will suffice for testing purposes. Please note, these
-// are not keys themselves, simply a DH Group that allows OpenSSL
-// to create Diffie-Hellman keys.
-//
-
-// Instantiation of temporary Diffie-Hellman 512bit key.
-unsigned char tempDiffieHellman512p[] =
-{
- 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
- 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
- 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
- 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
- 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
- 0x47,0x74,0xE8,0x33,
-};
-
-unsigned char tempDiffieHellman512g[] =
-{
- 0x02,
-};
-
-// Ensures that the sslGetErrors() function is synchronized.
-static ::IceUtil::Mutex sslErrorsMutex;
-
-//
-// NOTE: The following (mon, getGeneralizedTime, getUTCTime and getASN1time)
-// are routines that have been abducted from the OpenSSL X509 library,
-// and modified to work with the STL basic_string template.
-
-static const char *mon[12]=
-{
- "Jan","Feb","Mar","Apr","May","Jun",
- "Jul","Aug","Sep","Oct","Nov","Dec"
-};
-
-string
-IceSSL::OpenSSL::getGeneralizedTime(ASN1_GENERALIZEDTIME *tm)
-{
- assert(tm != 0);
-
- char buf[30];
- int gmt = 0, y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
-
- int i = tm->length;
-
- char* v = (char *) tm->data;
-
- if (i < 12)
- {
- goto err;
- }
-
- if (v[i-1] == 'Z')
- {
- gmt=1;
- }
-
- for (i=0; i<12; i++)
- {
- if ((v[i] > '9') || (v[i] < '0'))
- {
- goto err;
- }
- }
-
- y = (v[0] - '0') * 1000 + (v[1] - '0') * 100 + (v[2] - '0') * 10 + (v[3] - '0');
- M = (v[4] - '0') * 10 + (v[5] - '0');
-
- if ((M > 12) || (M < 1))
- {
- goto err;
- }
-
- d = (v[6] - '0') * 10 + (v[7] - '0');
- h = (v[8] - '0') * 10 + (v[9] - '0');
- m = (v[10] - '0') * 10 + (v[11] - '0');
-
- if ((v[12] >= '0') && (v[12] <= '9') &&
- (v[13] >= '0') && (v[13] <= '9'))
- {
- s = (v[12] - '0') * 10 + (v[13] - '0');
- }
-
- sprintf(buf, "%s %2d %02d:%02d:%02d %d%s", mon[M-1], d, h, m, s, y, (gmt)?" GMT":"");
- return string(buf);
-
-err:
- return string("Bad time value");
-}
-
-string
-IceSSL::OpenSSL::getUTCTime(ASN1_UTCTIME *tm)
-{
- assert(tm != 0);
-
- char buf[30];
- int gmt = 0, y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
-
- int i = tm->length;
- char* v = (char *) tm->data;
-
- if (i < 10)
- {
- goto err;
- }
-
- if (v[i-1] == 'Z')
- {
- gmt=1;
- }
-
- for (i = 0; i < 10; i++)
- {
- if ((v[i] > '9') || (v[i] < '0'))
- {
- goto err;
- }
- }
-
- y = (v[0] - '0') * 10 + (v[1] - '0');
-
- if (y < 50)
- {
- y+=100;
- }
-
- M = (v[2] - '0') * 10 + (v[3] - '0');
-
- if ((M > 12) || (M < 1))
- {
- goto err;
- }
-
- d = (v[4] - '0') * 10 + (v[5] - '0');
- h = (v[6] - '0') * 10 + (v[7] - '0');
- m = (v[8] - '0') * 10 + (v[9] - '0');
-
- if ((v[10] >= '0') && (v[10] <= '9') && (v[11] >= '0') && (v[11] <= '9'))
- {
- s = (v[10] - '0') * 10 + (v[11] - '0');
- }
-
- sprintf(buf, "%s %2d %02d:%02d:%02d %d%s", mon[M-1], d, h, m, s, y+1900, (gmt)?" GMT":"");
- return string(buf);
-
-err:
- return string("Bad time value");
-}
-
-string
-IceSSL::OpenSSL::getASN1time(ASN1_TIME *tm)
-{
- assert(tm != 0);
-
- string theTime;
-
- switch (tm->type)
- {
- case V_ASN1_UTCTIME :
- {
- theTime = getUTCTime(tm);
- break;
- }
-
- case V_ASN1_GENERALIZEDTIME :
- {
- theTime = getGeneralizedTime(tm);
- break;
- }
-
- default :
- {
- theTime = "Bad time value";
- break;
- }
- }
-
- return theTime;
-}
-
-DH*
-IceSSL::OpenSSL::loadDHParam(const char* dhfile)
-{
- assert(dhfile != 0);
-
- DH* ret = 0;
- BIO* bio = BIO_new_file(dhfile,"r");
-
- if (bio != 0)
- {
- ret = PEM_read_bio_DHparams(bio, 0, 0, 0);
- BIO_free(bio);
- }
-
- return ret;
-}
-
-DH*
-IceSSL::OpenSSL::getTempDH(unsigned char* p, int plen, unsigned char* g, int glen)
-{
- assert(p != 0);
- assert(g != 0);
-
- DH* dh = DH_new();
-
- if (dh != 0)
- {
- dh->p = BN_bin2bn(p, plen, 0);
-
- dh->g = BN_bin2bn(g, glen, 0);
-
- if ((dh->p == 0) || (dh->g == 0))
- {
- DH_free(dh);
- dh = 0;
- }
- }
-
- return dh;
-}
-
-DH*
-IceSSL::OpenSSL::getTempDH512()
-{
- DH* dh = getTempDH(tempDiffieHellman512p, sizeof(tempDiffieHellman512p),
- tempDiffieHellman512g, sizeof(tempDiffieHellman512g));
-
- return dh;
-}
-
-string
-IceSSL::OpenSSL::sslGetErrors()
-{
- IceUtil::Mutex::Lock sync(sslErrorsMutex);
-
- string errorMessage;
- char buf[200];
- char bigBuffer[1024];
- const char* file = 0;
- const char* data = 0;
- int line = 0;
- int flags = 0;
- unsigned errorCode = 0;
- int errorNum = 1;
-
- unsigned long es = CRYPTO_thread_id();
-
- while ((errorCode = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0)
- {
- sprintf(bigBuffer,"%6d - Thread ID: %lu\n", errorNum, es);
- errorMessage += bigBuffer;
-
- sprintf(bigBuffer,"%6d - Error: %u\n", errorNum, errorCode);
- errorMessage += bigBuffer;
-
- // Request an error from the OpenSSL library
- ERR_error_string_n(errorCode, buf, sizeof(buf));
- sprintf(bigBuffer,"%6d - Message: %s\n", errorNum, buf);
- errorMessage += bigBuffer;
-
- sprintf(bigBuffer,"%6d - Location: %s, %d\n", errorNum, file, line);
- errorMessage += bigBuffer;
-
- if (flags & ERR_TXT_STRING)
- {
- sprintf(bigBuffer,"%6d - Data: %s\n", errorNum, data);
- errorMessage += bigBuffer;
- }
-
- errorNum++;
- }
-
- ERR_clear_error();
-
- return errorMessage;
-}
-
-extern "C"
-{
-
-RSA*
-tmpRSACallback(SSL* sslConnection, int isExport, int keyLength)
-{
- assert(sslConnection != 0);
-
- IceSSL::SystemInternalPtr sslSystem = IceSSL::Factory::getSystemFromHandle(sslConnection);
- assert(sslSystem != 0);
-
- IceSSL::OpenSSL::System* openSslSystem = dynamic_cast<IceSSL::OpenSSL::System*>(sslSystem.get());
- assert(openSslSystem != 0);
-
- RSA* rsaKey = openSslSystem->getRSAKey(isExport, keyLength);
- assert(rsaKey != 0);
-
- return rsaKey;
-}
-
-DH*
-tmpDHCallback(SSL* sslConnection, int isExport, int keyLength)
-{
- assert(sslConnection != 0);
-
- IceSSL::SystemInternalPtr sslSystem = IceSSL::Factory::getSystemFromHandle(sslConnection);
- assert(sslSystem != 0);
-
- IceSSL::OpenSSL::System* openSslSystem = dynamic_cast<IceSSL::OpenSSL::System*>(sslSystem.get());
- assert(openSslSystem != 0);
-
- DH* dh = openSslSystem->getDHParams(isExport, keyLength);
- assert(dh != 0);
-
- return dh;
-}
-
-// verifyCallback - Certificate Verification callback function.
-int
-verifyCallback(int ok, X509_STORE_CTX* ctx)
-{
- assert(ctx != 0);
-
- // Tricky method to get access to our connection. I would use SSL_get_ex_data() to get
- // the Connection object, if only I had some way to retrieve the index of the object
- // in this function. Hence, we have to invent our own reference system here.
- SSL* sslConnection = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
- assert(sslConnection != 0);
-
- IceSSL::OpenSSL::ConnectionPtr connection = IceSSL::OpenSSL::Connection::getConnection(sslConnection);
- assert(connection != 0);
-
- // Call the connection, get it to perform the verification.
- return connection->verifyCertificate(ok, ctx);
-}
-
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/OpenSSLUtils.h>
+#include <Ice/SystemInternalF.h>
+#include <Ice/SystemOpenSSL.h>
+#include <Ice/SslFactory.h>
+#include <IceUtil/Mutex.h>
+#include <openssl/err.h>
+#include <assert.h>
+
+using std::string;
+
+//
+// TODO: These Diffie-Hellman params have been blatantly stolen from
+// OpenSSL's demo programs. We SHOULD define our own here, but
+// these will suffice for testing purposes. Please note, these
+// are not keys themselves, simply a DH Group that allows OpenSSL
+// to create Diffie-Hellman keys.
+//
+
+// Instantiation of temporary Diffie-Hellman 512bit key.
+unsigned char tempDiffieHellman512p[] =
+{
+ 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+ 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+ 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+ 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+ 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+ 0x47,0x74,0xE8,0x33,
+};
+
+unsigned char tempDiffieHellman512g[] =
+{
+ 0x02,
+};
+
+// Ensures that the sslGetErrors() function is synchronized.
+static ::IceUtil::Mutex sslErrorsMutex;
+
+//
+// NOTE: The following (mon, getGeneralizedTime, getUTCTime and getASN1time)
+// are routines that have been abducted from the OpenSSL X509 library,
+// and modified to work with the STL basic_string template.
+
+static const char *mon[12]=
+{
+ "Jan","Feb","Mar","Apr","May","Jun",
+ "Jul","Aug","Sep","Oct","Nov","Dec"
+};
+
+string
+IceSSL::OpenSSL::getGeneralizedTime(ASN1_GENERALIZEDTIME *tm)
+{
+ assert(tm != 0);
+
+ char buf[30];
+ int gmt = 0, y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
+
+ int i = tm->length;
+
+ char* v = (char *) tm->data;
+
+ if (i < 12)
+ {
+ goto err;
+ }
+
+ if (v[i-1] == 'Z')
+ {
+ gmt=1;
+ }
+
+ for (i=0; i<12; i++)
+ {
+ if ((v[i] > '9') || (v[i] < '0'))
+ {
+ goto err;
+ }
+ }
+
+ y = (v[0] - '0') * 1000 + (v[1] - '0') * 100 + (v[2] - '0') * 10 + (v[3] - '0');
+ M = (v[4] - '0') * 10 + (v[5] - '0');
+
+ if ((M > 12) || (M < 1))
+ {
+ goto err;
+ }
+
+ d = (v[6] - '0') * 10 + (v[7] - '0');
+ h = (v[8] - '0') * 10 + (v[9] - '0');
+ m = (v[10] - '0') * 10 + (v[11] - '0');
+
+ if ((v[12] >= '0') && (v[12] <= '9') &&
+ (v[13] >= '0') && (v[13] <= '9'))
+ {
+ s = (v[12] - '0') * 10 + (v[13] - '0');
+ }
+
+ sprintf(buf, "%s %2d %02d:%02d:%02d %d%s", mon[M-1], d, h, m, s, y, (gmt)?" GMT":"");
+ return string(buf);
+
+err:
+ return string("Bad time value");
+}
+
+string
+IceSSL::OpenSSL::getUTCTime(ASN1_UTCTIME *tm)
+{
+ assert(tm != 0);
+
+ char buf[30];
+ int gmt = 0, y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
+
+ int i = tm->length;
+ char* v = (char *) tm->data;
+
+ if (i < 10)
+ {
+ goto err;
+ }
+
+ if (v[i-1] == 'Z')
+ {
+ gmt=1;
+ }
+
+ for (i = 0; i < 10; i++)
+ {
+ if ((v[i] > '9') || (v[i] < '0'))
+ {
+ goto err;
+ }
+ }
+
+ y = (v[0] - '0') * 10 + (v[1] - '0');
+
+ if (y < 50)
+ {
+ y+=100;
+ }
+
+ M = (v[2] - '0') * 10 + (v[3] - '0');
+
+ if ((M > 12) || (M < 1))
+ {
+ goto err;
+ }
+
+ d = (v[4] - '0') * 10 + (v[5] - '0');
+ h = (v[6] - '0') * 10 + (v[7] - '0');
+ m = (v[8] - '0') * 10 + (v[9] - '0');
+
+ if ((v[10] >= '0') && (v[10] <= '9') && (v[11] >= '0') && (v[11] <= '9'))
+ {
+ s = (v[10] - '0') * 10 + (v[11] - '0');
+ }
+
+ sprintf(buf, "%s %2d %02d:%02d:%02d %d%s", mon[M-1], d, h, m, s, y+1900, (gmt)?" GMT":"");
+ return string(buf);
+
+err:
+ return string("Bad time value");
+}
+
+string
+IceSSL::OpenSSL::getASN1time(ASN1_TIME *tm)
+{
+ assert(tm != 0);
+
+ string theTime;
+
+ switch (tm->type)
+ {
+ case V_ASN1_UTCTIME :
+ {
+ theTime = getUTCTime(tm);
+ break;
+ }
+
+ case V_ASN1_GENERALIZEDTIME :
+ {
+ theTime = getGeneralizedTime(tm);
+ break;
+ }
+
+ default :
+ {
+ theTime = "Bad time value";
+ break;
+ }
+ }
+
+ return theTime;
+}
+
+DH*
+IceSSL::OpenSSL::loadDHParam(const char* dhfile)
+{
+ assert(dhfile != 0);
+
+ DH* ret = 0;
+ BIO* bio = BIO_new_file(dhfile,"r");
+
+ if (bio != 0)
+ {
+ ret = PEM_read_bio_DHparams(bio, 0, 0, 0);
+ BIO_free(bio);
+ }
+
+ return ret;
+}
+
+DH*
+IceSSL::OpenSSL::getTempDH(unsigned char* p, int plen, unsigned char* g, int glen)
+{
+ assert(p != 0);
+ assert(g != 0);
+
+ DH* dh = DH_new();
+
+ if (dh != 0)
+ {
+ dh->p = BN_bin2bn(p, plen, 0);
+
+ dh->g = BN_bin2bn(g, glen, 0);
+
+ if ((dh->p == 0) || (dh->g == 0))
+ {
+ DH_free(dh);
+ dh = 0;
+ }
+ }
+
+ return dh;
+}
+
+DH*
+IceSSL::OpenSSL::getTempDH512()
+{
+ DH* dh = getTempDH(tempDiffieHellman512p, sizeof(tempDiffieHellman512p),
+ tempDiffieHellman512g, sizeof(tempDiffieHellman512g));
+
+ return dh;
+}
+
+string
+IceSSL::OpenSSL::sslGetErrors()
+{
+ IceUtil::Mutex::Lock sync(sslErrorsMutex);
+
+ string errorMessage;
+ char buf[200];
+ char bigBuffer[1024];
+ const char* file = 0;
+ const char* data = 0;
+ int line = 0;
+ int flags = 0;
+ unsigned errorCode = 0;
+ int errorNum = 1;
+
+ unsigned long es = CRYPTO_thread_id();
+
+ while ((errorCode = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0)
+ {
+ sprintf(bigBuffer,"%6d - Thread ID: %lu\n", errorNum, es);
+ errorMessage += bigBuffer;
+
+ sprintf(bigBuffer,"%6d - Error: %u\n", errorNum, errorCode);
+ errorMessage += bigBuffer;
+
+ // Request an error from the OpenSSL library
+ ERR_error_string_n(errorCode, buf, sizeof(buf));
+ sprintf(bigBuffer,"%6d - Message: %s\n", errorNum, buf);
+ errorMessage += bigBuffer;
+
+ sprintf(bigBuffer,"%6d - Location: %s, %d\n", errorNum, file, line);
+ errorMessage += bigBuffer;
+
+ if (flags & ERR_TXT_STRING)
+ {
+ sprintf(bigBuffer,"%6d - Data: %s\n", errorNum, data);
+ errorMessage += bigBuffer;
+ }
+
+ errorNum++;
+ }
+
+ ERR_clear_error();
+
+ return errorMessage;
+}
+
+extern "C"
+{
+
+RSA*
+tmpRSACallback(SSL* sslConnection, int isExport, int keyLength)
+{
+ assert(sslConnection != 0);
+
+ IceSSL::SystemInternalPtr sslSystem = IceSSL::Factory::getSystemFromHandle(sslConnection);
+ assert(sslSystem != 0);
+
+ IceSSL::OpenSSL::System* openSslSystem = dynamic_cast<IceSSL::OpenSSL::System*>(sslSystem.get());
+ assert(openSslSystem != 0);
+
+ RSA* rsaKey = openSslSystem->getRSAKey(isExport, keyLength);
+ assert(rsaKey != 0);
+
+ return rsaKey;
+}
+
+DH*
+tmpDHCallback(SSL* sslConnection, int isExport, int keyLength)
+{
+ assert(sslConnection != 0);
+
+ IceSSL::SystemInternalPtr sslSystem = IceSSL::Factory::getSystemFromHandle(sslConnection);
+ assert(sslSystem != 0);
+
+ IceSSL::OpenSSL::System* openSslSystem = dynamic_cast<IceSSL::OpenSSL::System*>(sslSystem.get());
+ assert(openSslSystem != 0);
+
+ DH* dh = openSslSystem->getDHParams(isExport, keyLength);
+ assert(dh != 0);
+
+ return dh;
+}
+
+// verifyCallback - Certificate Verification callback function.
+int
+verifyCallback(int ok, X509_STORE_CTX* ctx)
+{
+ assert(ctx != 0);
+
+ // Tricky method to get access to our connection. I would use SSL_get_ex_data() to get
+ // the Connection object, if only I had some way to retrieve the index of the object
+ // in this function. Hence, we have to invent our own reference system here.
+ SSL* sslConnection = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+ assert(sslConnection != 0);
+
+ IceSSL::OpenSSL::ConnectionPtr connection = IceSSL::OpenSSL::Connection::getConnection(sslConnection);
+ assert(connection != 0);
+
+ // Call the connection, get it to perform the verification.
+ return connection->verifyCertificate(ok, ctx);
+}
+
+}
+
diff --git a/cpp/src/Ice/OpenSSLUtils.h b/cpp/src/Ice/OpenSSLUtils.h
index 45307cce044..76baab9c269 100644
--- a/cpp/src/Ice/OpenSSLUtils.h
+++ b/cpp/src/Ice/OpenSSLUtils.h
@@ -1,49 +1,49 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <openssl/ssl.h>
-#include <string>
-
-namespace IceSSL
-{
-
-namespace OpenSSL
-{
-
-std::string getGeneralizedTime(ASN1_GENERALIZEDTIME*);
-
-std::string getUTCTime(ASN1_UTCTIME*);
-
-std::string getASN1time(ASN1_TIME*);
-
-DH* loadDHParam(const char*);
-
-DH* getTempDH(unsigned char*, int, unsigned char*, int);
-
-DH* getTempDH512();
-
-std::string sslGetErrors();
-
-}
-
-}
-
-extern "C"
-{
-
-RSA* tmpRSACallback(SSL*, int, int);
-
-DH* tmpDHCallback(SSL*, int, int);
-
-int verifyCallback(int, X509_STORE_CTX*);
-
-int passwordCallback(char*, int, int, void*);
-
-}
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <openssl/ssl.h>
+#include <string>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+std::string getGeneralizedTime(ASN1_GENERALIZEDTIME*);
+
+std::string getUTCTime(ASN1_UTCTIME*);
+
+std::string getASN1time(ASN1_TIME*);
+
+DH* loadDHParam(const char*);
+
+DH* getTempDH(unsigned char*, int, unsigned char*, int);
+
+DH* getTempDH512();
+
+std::string sslGetErrors();
+
+}
+
+}
+
+extern "C"
+{
+
+RSA* tmpRSACallback(SSL*, int, int);
+
+DH* tmpDHCallback(SSL*, int, int);
+
+int verifyCallback(int, X509_STORE_CTX*);
+
+int passwordCallback(char*, int, int, void*);
+
+}
diff --git a/cpp/src/Ice/RSACertificateGen.cpp b/cpp/src/Ice/RSACertificateGen.cpp
index 379b5f5a1b5..0845fca915c 100644
--- a/cpp/src/Ice/RSACertificateGen.cpp
+++ b/cpp/src/Ice/RSACertificateGen.cpp
@@ -1,354 +1,354 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <IceUtil/Config.h>
-#include <Ice/RSACertificateGen.h>
-#include <Ice/OpenSSLJanitors.h>
-#include <Ice/RSAKeyPair.h>
-#include <Ice/RSAPrivateKey.h>
-#include <Ice/RSAPublicKey.h>
-#include <Ice/SslException.h>
-#include <Ice/OpenSSLUtils.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-using std::string;
-using std::back_inserter;
-
-using namespace IceSSL::OpenSSL;
-
-long
-IceSSL::OpenSSL::RSACertificateGenContext::minutesToSeconds(long minutes)
-{
- return minutes * 60L;
-}
-
-long
-IceSSL::OpenSSL::RSACertificateGenContext::hoursToSeconds(long hours)
-{
- return minutesToSeconds(hours * 60L);
-}
-
-long
-IceSSL::OpenSSL::RSACertificateGenContext::daysToSeconds(long days)
-{
- return hoursToSeconds(days * 24L);
-}
-
-long
-IceSSL::OpenSSL::RSACertificateGenContext::weeksToSeconds(long weeks)
-{
- return daysToSeconds(weeks * 7L);
-}
-
-long
-IceSSL::OpenSSL::RSACertificateGenContext::yearsToSeconds(long years)
-{
- return weeksToSeconds(years * 365L);
-}
-
-IceSSL::OpenSSL::RSACertificateGenContext::RSACertificateGenContext() :
- _modulusLength(0),
- _secondsValid(0)
-{
-}
-
-IceSSL::OpenSSL::RSACertificateGenContext::~RSACertificateGenContext()
-{
-}
-
-void
-IceSSL::OpenSSL::RSACertificateGenContext::setCountry(const string& country)
-{
- _country = country;
-}
-
-void
-IceSSL::OpenSSL::RSACertificateGenContext::setStateProvince(const string& stateProvince)
-{
- _stateProvince = stateProvince;
-}
-
-void
-IceSSL::OpenSSL::RSACertificateGenContext::setLocality(const string& locality)
-{
- _locality = locality;
-}
-
-void
-IceSSL::OpenSSL::RSACertificateGenContext::setOrganization(const string& organization)
-{
- _organization = organization;
-}
-
-void
-IceSSL::OpenSSL::RSACertificateGenContext::setOrgainizationalUnit(const string& organizationalUnit)
-{
- _organizationalUnit = organizationalUnit;
-}
-
-void
-IceSSL::OpenSSL::RSACertificateGenContext::setCommonName(const string& commonName)
-{
- _commonName = commonName;
-}
-
-void
-IceSSL::OpenSSL::RSACertificateGenContext::setBitStrength(int bitStrength)
-{
- _modulusLength = bitStrength;
-}
-
-void
-IceSSL::OpenSSL::RSACertificateGenContext::setSecondsValid(long secondsValid)
-{
- _secondsValid = secondsValid;
-}
-
-unsigned char*
-IceSSL::OpenSSL::RSACertificateGenContext::getCountry() const
-{
- unsigned char* country = reinterpret_cast<unsigned char *>(const_cast<char*>(_country.c_str()));
-
- assert(country != 0);
-
- return country;
-}
-
-unsigned char*
-IceSSL::OpenSSL::RSACertificateGenContext::getStateProvince() const
-{
- unsigned char* stateProvince = reinterpret_cast<unsigned char *>(const_cast<char*>(_stateProvince.c_str()));
-
- assert(stateProvince != 0);
-
- return stateProvince;
-}
-
-unsigned char*
-IceSSL::OpenSSL::RSACertificateGenContext::getLocality() const
-{
- unsigned char* locality = reinterpret_cast<unsigned char *>(const_cast<char*>(_locality.c_str()));
-
- assert(locality != 0);
-
- return locality;
-}
-
-unsigned char*
-IceSSL::OpenSSL::RSACertificateGenContext::getOrganization() const
-{
- unsigned char* organization = reinterpret_cast<unsigned char *>(const_cast<char*>(_organization.c_str()));
-
- assert(organization != 0);
-
- return organization;
-}
-
-unsigned char*
-IceSSL::OpenSSL::RSACertificateGenContext::getOrgainizationalUnit() const
-{
- unsigned char* orgUnit = reinterpret_cast<unsigned char *>(const_cast<char*>(_organizationalUnit.c_str()));
-
- assert(orgUnit != 0);
-
- return orgUnit;
-}
-
-unsigned char*
-IceSSL::OpenSSL::RSACertificateGenContext::getCommonName() const
-{
- unsigned char* commonName = reinterpret_cast<unsigned char *>(const_cast<char*>(_commonName.c_str()));
-
- assert(commonName != 0);
-
- return commonName;
-}
-
-int
-IceSSL::OpenSSL::RSACertificateGenContext::getModulusLength() const
-{
- return _modulusLength;
-}
-
-long
-IceSSL::OpenSSL::RSACertificateGenContext::getSecondsValid() const
-{
- return _secondsValid;
-}
-
-IceSSL::OpenSSL::RSACertificateGen::RSACertificateGen()
-{
- ERR_load_crypto_strings();
-}
-
-IceSSL::OpenSSL::RSACertificateGen::~RSACertificateGen()
-{
-}
-
-IceSSL::OpenSSL::RSAKeyPairPtr
-IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& context)
-{
- // Generate an RSA key pair.
- RSAJanitor rsaJanitor(RSA_generate_key(context.getModulusLength(), RSA_F4, 0, 0));
- RSA* rsaKeyPair = rsaJanitor.get();
-
- assert(rsaKeyPair != 0);
-
- EVP_PKEYJanitor evpPkeyJanitor(EVP_PKEY_new());
- EVP_PKEY* pkey = evpPkeyJanitor.get();
- assert(pkey != 0);
- EVP_PKEY_assign_RSA(pkey, rsaKeyPair);
-
- // The RSA structure now belongs (temporarily) to the EVP_PKEY
- rsaJanitor.clear();
-
- // Create a signing request
- X509_REQJanitor x509ReqJanitor(X509_REQ_new());
- X509_REQ* signingRequest = x509ReqJanitor.get();
- assert(signingRequest != 0);
-
- X509Janitor x509Janitor(X509_new());
- X509* x509SelfSigned = x509Janitor.get();
- assert(x509SelfSigned != 0);
-
- // Set version to V3.
- assert(X509_set_version(x509SelfSigned, 2) != 0);
-
- ASN1_INTEGER_set(X509_get_serialNumber(x509SelfSigned), 0);
-
- // NOTE: This is wierd. It looks like, for some reason, that the typedef of
- // X509_NAME gets lost in this code module. I am using the straight struct
- // here because X509_NAME isn't here.
-
- // X509_NAME* subjectName = X509_REQ_get_subject_name(signingRequest);
- struct X509_name_st* subjectName = X509_REQ_get_subject_name(signingRequest);
-
- // Set valid time period.
- X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), 0);
- X509_gmtime_adj(X509_get_notAfter(x509SelfSigned), context.getSecondsValid());
-
- // Set up subject/issuer Distinguished Name (DN).
- X509_NAME_add_entry_by_txt(subjectName, "C", MBSTRING_ASC, context.getCountry(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, "ST", MBSTRING_ASC, context.getStateProvince(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, "L", MBSTRING_ASC, context.getLocality(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, "O", MBSTRING_ASC, context.getOrganization(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, "OU", MBSTRING_ASC, context.getOrgainizationalUnit(), -1, -1, 0);
- X509_NAME_add_entry_by_txt(subjectName, "CN", MBSTRING_ASC, context.getCommonName(), -1, -1, 0);
-
- // Self signed - set issuer and subject names identical
- X509_set_issuer_name(x509SelfSigned, subjectName);
- X509_set_subject_name(x509SelfSigned, subjectName);
-
- // Set the public key in the self signed certificate from the request.
- X509_set_pubkey(x509SelfSigned, pkey);
-
- // Sign the public key using an MD5 digest.
- if (!X509_sign(x509SelfSigned, pkey, EVP_md5()))
- {
- throw IceSSL::CertificateSigningException(__FILE__, __LINE__);
- }
-
- // Verify the Signature (paranoia).
- if (!X509_REQ_verify(signingRequest, pkey))
- {
- throw IceSSL::CertificateSignatureException(__FILE__, __LINE__);
- }
-
- // Nasty Hack: Getting the pkey to let go of our rsaKeyPair - we own that now.
- pkey->pkey.ptr = 0;
-
- RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaKeyPair);
- RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509SelfSigned);
- RSAKeyPair* keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
-
- // Do not let the janitors clean up, we're keeping the keys for ourselves.
- rsaJanitor.clear();
- x509Janitor.clear();
-
- return keyPairPtr;
-}
-
-IceSSL::OpenSSL::RSAKeyPairPtr
-IceSSL::OpenSSL::RSACertificateGen::loadKeyPair(const std::string& keyFile, const std::string& certFile)
-{
- //
- // Read in the X509 Certificate Structure
- //
- BIOJanitor certBIO(BIO_new_file(certFile.c_str(), "r"));
- if (certBIO.get() == 0)
- {
- IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
-
- certLoadEx._message = "unable to load certificate from '";
- certLoadEx._message += certFile;
- certLoadEx._message += "'\n";
- certLoadEx._message += sslGetErrors();
-
- throw certLoadEx;
- }
-
- X509Janitor x509Janitor(PEM_read_bio_X509(certBIO.get(), 0, 0, 0));
-
- if (x509Janitor.get() == 0)
- {
- IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
-
- certLoadEx._message = "unable to load certificate from '";
- certLoadEx._message += certFile;
- certLoadEx._message += "'\n";
- certLoadEx._message += sslGetErrors();
-
- throw certLoadEx;
- }
-
- //
- // Read in the RSA Private Key Structure
- //
- BIOJanitor keyBIO(BIO_new_file(keyFile.c_str(), "r"));
- if (keyBIO.get() == 0)
- {
- IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
-
- pklEx._message = "unable to load private key from '";
- pklEx._message += keyFile;
- pklEx._message += "'\n";
- pklEx._message += sslGetErrors();
-
- throw pklEx;
- }
-
- RSAJanitor rsaJanitor(PEM_read_bio_RSAPrivateKey(keyBIO.get(), 0, 0, 0));
-
- if (rsaJanitor.get() == 0)
- {
- IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
-
- pklEx._message = "unable to load private key from '";
- pklEx._message += keyFile;
- pklEx._message += "'\n";
- pklEx._message += sslGetErrors();
-
- throw pklEx;
- }
-
- //
- // Construct our RSAKeyPair
- //
- RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaJanitor.get());
- RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509Janitor.get());
- RSAKeyPairPtr keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
-
- // Do not let the janitors clean up, we're keeping these keys.
- rsaJanitor.clear();
- x509Janitor.clear();
-
- return keyPairPtr;
-}
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <IceUtil/Config.h>
+#include <Ice/RSACertificateGen.h>
+#include <Ice/OpenSSLJanitors.h>
+#include <Ice/RSAKeyPair.h>
+#include <Ice/RSAPrivateKey.h>
+#include <Ice/RSAPublicKey.h>
+#include <Ice/SslException.h>
+#include <Ice/OpenSSLUtils.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+using std::string;
+using std::back_inserter;
+
+using namespace IceSSL::OpenSSL;
+
+long
+IceSSL::OpenSSL::RSACertificateGenContext::minutesToSeconds(long minutes)
+{
+ return minutes * 60L;
+}
+
+long
+IceSSL::OpenSSL::RSACertificateGenContext::hoursToSeconds(long hours)
+{
+ return minutesToSeconds(hours * 60L);
+}
+
+long
+IceSSL::OpenSSL::RSACertificateGenContext::daysToSeconds(long days)
+{
+ return hoursToSeconds(days * 24L);
+}
+
+long
+IceSSL::OpenSSL::RSACertificateGenContext::weeksToSeconds(long weeks)
+{
+ return daysToSeconds(weeks * 7L);
+}
+
+long
+IceSSL::OpenSSL::RSACertificateGenContext::yearsToSeconds(long years)
+{
+ return weeksToSeconds(years * 365L);
+}
+
+IceSSL::OpenSSL::RSACertificateGenContext::RSACertificateGenContext() :
+ _modulusLength(0),
+ _secondsValid(0)
+{
+}
+
+IceSSL::OpenSSL::RSACertificateGenContext::~RSACertificateGenContext()
+{
+}
+
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setCountry(const string& country)
+{
+ _country = country;
+}
+
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setStateProvince(const string& stateProvince)
+{
+ _stateProvince = stateProvince;
+}
+
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setLocality(const string& locality)
+{
+ _locality = locality;
+}
+
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setOrganization(const string& organization)
+{
+ _organization = organization;
+}
+
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setOrgainizationalUnit(const string& organizationalUnit)
+{
+ _organizationalUnit = organizationalUnit;
+}
+
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setCommonName(const string& commonName)
+{
+ _commonName = commonName;
+}
+
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setBitStrength(int bitStrength)
+{
+ _modulusLength = bitStrength;
+}
+
+void
+IceSSL::OpenSSL::RSACertificateGenContext::setSecondsValid(long secondsValid)
+{
+ _secondsValid = secondsValid;
+}
+
+unsigned char*
+IceSSL::OpenSSL::RSACertificateGenContext::getCountry() const
+{
+ unsigned char* country = reinterpret_cast<unsigned char *>(const_cast<char*>(_country.c_str()));
+
+ assert(country != 0);
+
+ return country;
+}
+
+unsigned char*
+IceSSL::OpenSSL::RSACertificateGenContext::getStateProvince() const
+{
+ unsigned char* stateProvince = reinterpret_cast<unsigned char *>(const_cast<char*>(_stateProvince.c_str()));
+
+ assert(stateProvince != 0);
+
+ return stateProvince;
+}
+
+unsigned char*
+IceSSL::OpenSSL::RSACertificateGenContext::getLocality() const
+{
+ unsigned char* locality = reinterpret_cast<unsigned char *>(const_cast<char*>(_locality.c_str()));
+
+ assert(locality != 0);
+
+ return locality;
+}
+
+unsigned char*
+IceSSL::OpenSSL::RSACertificateGenContext::getOrganization() const
+{
+ unsigned char* organization = reinterpret_cast<unsigned char *>(const_cast<char*>(_organization.c_str()));
+
+ assert(organization != 0);
+
+ return organization;
+}
+
+unsigned char*
+IceSSL::OpenSSL::RSACertificateGenContext::getOrgainizationalUnit() const
+{
+ unsigned char* orgUnit = reinterpret_cast<unsigned char *>(const_cast<char*>(_organizationalUnit.c_str()));
+
+ assert(orgUnit != 0);
+
+ return orgUnit;
+}
+
+unsigned char*
+IceSSL::OpenSSL::RSACertificateGenContext::getCommonName() const
+{
+ unsigned char* commonName = reinterpret_cast<unsigned char *>(const_cast<char*>(_commonName.c_str()));
+
+ assert(commonName != 0);
+
+ return commonName;
+}
+
+int
+IceSSL::OpenSSL::RSACertificateGenContext::getModulusLength() const
+{
+ return _modulusLength;
+}
+
+long
+IceSSL::OpenSSL::RSACertificateGenContext::getSecondsValid() const
+{
+ return _secondsValid;
+}
+
+IceSSL::OpenSSL::RSACertificateGen::RSACertificateGen()
+{
+ ERR_load_crypto_strings();
+}
+
+IceSSL::OpenSSL::RSACertificateGen::~RSACertificateGen()
+{
+}
+
+IceSSL::OpenSSL::RSAKeyPairPtr
+IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& context)
+{
+ // Generate an RSA key pair.
+ RSAJanitor rsaJanitor(RSA_generate_key(context.getModulusLength(), RSA_F4, 0, 0));
+ RSA* rsaKeyPair = rsaJanitor.get();
+
+ assert(rsaKeyPair != 0);
+
+ EVP_PKEYJanitor evpPkeyJanitor(EVP_PKEY_new());
+ EVP_PKEY* pkey = evpPkeyJanitor.get();
+ assert(pkey != 0);
+ EVP_PKEY_assign_RSA(pkey, rsaKeyPair);
+
+ // The RSA structure now belongs (temporarily) to the EVP_PKEY
+ rsaJanitor.clear();
+
+ // Create a signing request
+ X509_REQJanitor x509ReqJanitor(X509_REQ_new());
+ X509_REQ* signingRequest = x509ReqJanitor.get();
+ assert(signingRequest != 0);
+
+ X509Janitor x509Janitor(X509_new());
+ X509* x509SelfSigned = x509Janitor.get();
+ assert(x509SelfSigned != 0);
+
+ // Set version to V3.
+ assert(X509_set_version(x509SelfSigned, 2) != 0);
+
+ ASN1_INTEGER_set(X509_get_serialNumber(x509SelfSigned), 0);
+
+ // NOTE: This is wierd. It looks like, for some reason, that the typedef of
+ // X509_NAME gets lost in this code module. I am using the straight struct
+ // here because X509_NAME isn't here.
+
+ // X509_NAME* subjectName = X509_REQ_get_subject_name(signingRequest);
+ struct X509_name_st* subjectName = X509_REQ_get_subject_name(signingRequest);
+
+ // Set valid time period.
+ X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), 0);
+ X509_gmtime_adj(X509_get_notAfter(x509SelfSigned), context.getSecondsValid());
+
+ // Set up subject/issuer Distinguished Name (DN).
+ X509_NAME_add_entry_by_txt(subjectName, "C", MBSTRING_ASC, context.getCountry(), -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, "ST", MBSTRING_ASC, context.getStateProvince(), -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, "L", MBSTRING_ASC, context.getLocality(), -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, "O", MBSTRING_ASC, context.getOrganization(), -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, "OU", MBSTRING_ASC, context.getOrgainizationalUnit(), -1, -1, 0);
+ X509_NAME_add_entry_by_txt(subjectName, "CN", MBSTRING_ASC, context.getCommonName(), -1, -1, 0);
+
+ // Self signed - set issuer and subject names identical
+ X509_set_issuer_name(x509SelfSigned, subjectName);
+ X509_set_subject_name(x509SelfSigned, subjectName);
+
+ // Set the public key in the self signed certificate from the request.
+ X509_set_pubkey(x509SelfSigned, pkey);
+
+ // Sign the public key using an MD5 digest.
+ if (!X509_sign(x509SelfSigned, pkey, EVP_md5()))
+ {
+ throw IceSSL::CertificateSigningException(__FILE__, __LINE__);
+ }
+
+ // Verify the Signature (paranoia).
+ if (!X509_REQ_verify(signingRequest, pkey))
+ {
+ throw IceSSL::CertificateSignatureException(__FILE__, __LINE__);
+ }
+
+ // Nasty Hack: Getting the pkey to let go of our rsaKeyPair - we own that now.
+ pkey->pkey.ptr = 0;
+
+ RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaKeyPair);
+ RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509SelfSigned);
+ RSAKeyPair* keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
+
+ // Do not let the janitors clean up, we're keeping the keys for ourselves.
+ rsaJanitor.clear();
+ x509Janitor.clear();
+
+ return keyPairPtr;
+}
+
+IceSSL::OpenSSL::RSAKeyPairPtr
+IceSSL::OpenSSL::RSACertificateGen::loadKeyPair(const std::string& keyFile, const std::string& certFile)
+{
+ //
+ // Read in the X509 Certificate Structure
+ //
+ BIOJanitor certBIO(BIO_new_file(certFile.c_str(), "r"));
+ if (certBIO.get() == 0)
+ {
+ IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
+
+ certLoadEx._message = "unable to load certificate from '";
+ certLoadEx._message += certFile;
+ certLoadEx._message += "'\n";
+ certLoadEx._message += sslGetErrors();
+
+ throw certLoadEx;
+ }
+
+ X509Janitor x509Janitor(PEM_read_bio_X509(certBIO.get(), 0, 0, 0));
+
+ if (x509Janitor.get() == 0)
+ {
+ IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
+
+ certLoadEx._message = "unable to load certificate from '";
+ certLoadEx._message += certFile;
+ certLoadEx._message += "'\n";
+ certLoadEx._message += sslGetErrors();
+
+ throw certLoadEx;
+ }
+
+ //
+ // Read in the RSA Private Key Structure
+ //
+ BIOJanitor keyBIO(BIO_new_file(keyFile.c_str(), "r"));
+ if (keyBIO.get() == 0)
+ {
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+
+ pklEx._message = "unable to load private key from '";
+ pklEx._message += keyFile;
+ pklEx._message += "'\n";
+ pklEx._message += sslGetErrors();
+
+ throw pklEx;
+ }
+
+ RSAJanitor rsaJanitor(PEM_read_bio_RSAPrivateKey(keyBIO.get(), 0, 0, 0));
+
+ if (rsaJanitor.get() == 0)
+ {
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+
+ pklEx._message = "unable to load private key from '";
+ pklEx._message += keyFile;
+ pklEx._message += "'\n";
+ pklEx._message += sslGetErrors();
+
+ throw pklEx;
+ }
+
+ //
+ // Construct our RSAKeyPair
+ //
+ RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaJanitor.get());
+ RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509Janitor.get());
+ RSAKeyPairPtr keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
+
+ // Do not let the janitors clean up, we're keeping these keys.
+ rsaJanitor.clear();
+ x509Janitor.clear();
+
+ return keyPairPtr;
+}
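Review bot: The "paranoia" check `if (!X509_REQ_verify(signingRequest, pkey))` in generate() cannot verify anything: `signingRequest` is only used to borrow its subject name and is never given a public key or signed, and X509_REQ_verify returns a negative value on such errors, which `!` treats as success, so the throw is unreachable and the certificate's own signature goes unchecked. The check should target the object that was signed and test for the success value explicitly, e.g. `if (X509_verify(x509SelfSigned, pkey) != 1) { throw IceSSL::CertificateSignatureException(__FILE__, __LINE__); }`, after which `x509ReqJanitor`/`signingRequest` can be dropped (the subject name can be taken from `x509SelfSigned` via X509_get_subject_name). Two further points worth a comment at the sign call: `X509_sign(..., EVP_md5())` and a fixed serial of 0 at L5150 are acceptable only for the self-signed test certificates this generator targets, and the 4-line `// NOTE: This is wierd` comment should be rewritten to say which compiler/OpenSSL version loses the X509_NAME typedef (the `struct X509_name_st*` workaround is otherwise unexplained). The hunk appears to re-add the file unchanged, so these are pre-existing defects rather than regressions; generate() lies entirely within the hunk.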
diff --git a/cpp/src/Ice/RSAKeyPair.cpp b/cpp/src/Ice/RSAKeyPair.cpp
index f6ccedff747..3cae356d441 100644
--- a/cpp/src/Ice/RSAKeyPair.cpp
+++ b/cpp/src/Ice/RSAKeyPair.cpp
@@ -1,87 +1,87 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <IceUtil/Config.h>
-#include <IceUtil/Base64.h>
-#include <Ice/RSAKeyPair.h>
-#include <Ice/RSAPrivateKey.h>
-#include <Ice/RSAPublicKey.h>
-#include <assert.h>
-
-void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAKeyPair* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAKeyPair* p) { p->__decRef(); }
-
-using std::back_inserter;
-using std::string;
-using Ice::ByteSeq;
-using IceUtil::Base64;
-
-IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const string& key, const string& cert) :
- _privateKey(new RSAPrivateKey(key)),
- _publicKey(new RSAPublicKey(cert))
-{
- assert(_privateKey != 0);
- assert(_publicKey != 0);
-}
-
-IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const ByteSeq& keySeq, const ByteSeq& certSeq) :
- _privateKey(new RSAPrivateKey(keySeq)),
- _publicKey(new RSAPublicKey(certSeq))
-{
- assert(_privateKey != 0);
- assert(_publicKey != 0);
-}
-
-IceSSL::OpenSSL::RSAKeyPair::~RSAKeyPair()
-{
-}
-
-void
-IceSSL::OpenSSL::RSAKeyPair::keyToBase64(string& b64Key)
-{
- _privateKey->keyToBase64(b64Key);
-}
-
-void
-IceSSL::OpenSSL::RSAKeyPair::certToBase64(string& b64Cert)
-{
- _publicKey->certToBase64(b64Cert);
-}
-
-void
-IceSSL::OpenSSL::RSAKeyPair::keyToByteSeq(ByteSeq& keySeq)
-{
- _privateKey->keyToByteSeq(keySeq);
-}
-
-void
-IceSSL::OpenSSL::RSAKeyPair::certToByteSeq(ByteSeq& certSeq)
-{
- _publicKey->certToByteSeq(certSeq);
-}
-
-RSA*
-IceSSL::OpenSSL::RSAKeyPair::getRSAPrivateKey() const
-{
- return _privateKey->get();
-}
-
-X509*
-IceSSL::OpenSSL::RSAKeyPair::getX509PublicKey() const
-{
- return _publicKey->getX509PublicKey();
-}
-
-IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const RSAPrivateKeyPtr& rsa, const RSAPublicKeyPtr& x509) :
- _privateKey(rsa),
- _publicKey(x509)
-{
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <IceUtil/Config.h>
+#include <IceUtil/Base64.h>
+#include <Ice/RSAKeyPair.h>
+#include <Ice/RSAPrivateKey.h>
+#include <Ice/RSAPublicKey.h>
+#include <assert.h>
+
+void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAKeyPair* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAKeyPair* p) { p->__decRef(); }
+
+using std::back_inserter;
+using std::string;
+using Ice::ByteSeq;
+using IceUtil::Base64;
+
+IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const string& key, const string& cert) :
+ _privateKey(new RSAPrivateKey(key)),
+ _publicKey(new RSAPublicKey(cert))
+{
+ assert(_privateKey != 0);
+ assert(_publicKey != 0);
+}
+
+IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const ByteSeq& keySeq, const ByteSeq& certSeq) :
+ _privateKey(new RSAPrivateKey(keySeq)),
+ _publicKey(new RSAPublicKey(certSeq))
+{
+ assert(_privateKey != 0);
+ assert(_publicKey != 0);
+}
+
+IceSSL::OpenSSL::RSAKeyPair::~RSAKeyPair()
+{
+}
+
+void
+IceSSL::OpenSSL::RSAKeyPair::keyToBase64(string& b64Key)
+{
+ _privateKey->keyToBase64(b64Key);
+}
+
+void
+IceSSL::OpenSSL::RSAKeyPair::certToBase64(string& b64Cert)
+{
+ _publicKey->certToBase64(b64Cert);
+}
+
+void
+IceSSL::OpenSSL::RSAKeyPair::keyToByteSeq(ByteSeq& keySeq)
+{
+ _privateKey->keyToByteSeq(keySeq);
+}
+
+void
+IceSSL::OpenSSL::RSAKeyPair::certToByteSeq(ByteSeq& certSeq)
+{
+ _publicKey->certToByteSeq(certSeq);
+}
+
+RSA*
+IceSSL::OpenSSL::RSAKeyPair::getRSAPrivateKey() const
+{
+ return _privateKey->get();
+}
+
+X509*
+IceSSL::OpenSSL::RSAKeyPair::getX509PublicKey() const
+{
+ return _publicKey->getX509PublicKey();
+}
+
+IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const RSAPrivateKeyPtr& rsa, const RSAPublicKeyPtr& x509) :
+ _privateKey(rsa),
+ _publicKey(x509)
+{
+}
+
diff --git a/cpp/src/Ice/RSAPrivateKey.cpp b/cpp/src/Ice/RSAPrivateKey.cpp
index d099ede789f..8df0f157fce 100644
--- a/cpp/src/Ice/RSAPrivateKey.cpp
+++ b/cpp/src/Ice/RSAPrivateKey.cpp
@@ -1,121 +1,121 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <IceUtil/Config.h>
-#include <IceUtil/Base64.h>
-#include <Ice/RSAPrivateKey.h>
-#include <Ice/SslIceUtils.h>
-#include <Ice/OpenSSLUtils.h>
-#include <Ice/SslException.h>
-#include <assert.h>
-
-void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAPrivateKey* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAPrivateKey* p) { p->__decRef(); }
-
-using std::back_inserter;
-using std::string;
-using Ice::ByteSeq;
-using IceUtil::Base64;
-
-IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(const string& key)
-{
- assert(!key.empty());
-
- _privateKey = 0;
-
- ByteSeq keySeq = Base64::decode(key);
-
- byteSeqToKey(keySeq);
-}
-
-IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(const ByteSeq& keySeq)
-{
- assert(!keySeq.empty());
-
- _privateKey = 0;
-
- byteSeqToKey(keySeq);
-}
-
-IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(RSA* rsa) :
- _privateKey(rsa)
-{
- assert(_privateKey != 0);
-}
-
-IceSSL::OpenSSL::RSAPrivateKey::~RSAPrivateKey()
-{
- if (_privateKey != 0)
- {
- RSA_free(_privateKey);
- }
-}
-
-void
-IceSSL::OpenSSL::RSAPrivateKey::keyToBase64(string& b64Key)
-{
- ByteSeq keySeq;
- keyToByteSeq(keySeq);
- b64Key = Base64::encode(keySeq);
-}
-
-void
-IceSSL::OpenSSL::RSAPrivateKey::keyToByteSeq(ByteSeq& keySeq)
-{
- assert(_privateKey);
-
- // Output the Private Key to a char buffer
- unsigned int privKeySize = i2d_RSAPrivateKey(_privateKey, 0);
-
- assert(privKeySize > 0);
-
- unsigned char* privateKeyBuffer = new unsigned char[privKeySize];
- assert(privateKeyBuffer != 0);
-
- // We have to do this because i2d_RSAPrivateKey changes the pointer.
- unsigned char* privKeyBuff = privateKeyBuffer;
- i2d_RSAPrivateKey(_privateKey, &privKeyBuff);
-
- IceSSL::ucharToByteSeq(privateKeyBuffer, privKeySize, keySeq);
-
- delete [] privateKeyBuffer;
-}
-
-RSA*
-IceSSL::OpenSSL::RSAPrivateKey::get() const
-{
- return _privateKey;
-}
-
-void
-IceSSL::OpenSSL::RSAPrivateKey::byteSeqToKey(const ByteSeq& keySeq)
-{
- unsigned char* privateKeyBuffer = byteSeqToUChar(keySeq);
- assert(privateKeyBuffer != 0);
-
- unsigned char* privKeyBuff = privateKeyBuffer;
- unsigned char** privKeyBuffpp = &privKeyBuff;
- RSA** rsapp = &_privateKey;
-
- _privateKey = d2i_RSAPrivateKey(rsapp, privKeyBuffpp, (long)keySeq.size());
-
- if (_privateKey == 0)
- {
- IceSSL::PrivateKeyParseException pkParseException(__FILE__, __LINE__);
-
- pkParseException._message = "unable to parse provided private key\n" + sslGetErrors();
-
- throw pkParseException;
- }
-
- // ML: Not deleted if an exception is raised!
- delete [] privateKeyBuffer;
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <IceUtil/Config.h>
+#include <IceUtil/Base64.h>
+#include <Ice/RSAPrivateKey.h>
+#include <Ice/SslIceUtils.h>
+#include <Ice/OpenSSLUtils.h>
+#include <Ice/SslException.h>
+#include <assert.h>
+
+void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAPrivateKey* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAPrivateKey* p) { p->__decRef(); }
+
+using std::back_inserter;
+using std::string;
+using Ice::ByteSeq;
+using IceUtil::Base64;
+
+IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(const string& key)
+{
+ assert(!key.empty());
+
+ _privateKey = 0;
+
+ ByteSeq keySeq = Base64::decode(key);
+
+ byteSeqToKey(keySeq);
+}
+
+IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(const ByteSeq& keySeq)
+{
+ assert(!keySeq.empty());
+
+ _privateKey = 0;
+
+ byteSeqToKey(keySeq);
+}
+
+IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(RSA* rsa) :
+ _privateKey(rsa)
+{
+ assert(_privateKey != 0);
+}
+
+IceSSL::OpenSSL::RSAPrivateKey::~RSAPrivateKey()
+{
+ if (_privateKey != 0)
+ {
+ RSA_free(_privateKey);
+ }
+}
+
+void
+IceSSL::OpenSSL::RSAPrivateKey::keyToBase64(string& b64Key)
+{
+ ByteSeq keySeq;
+ keyToByteSeq(keySeq);
+ b64Key = Base64::encode(keySeq);
+}
+
+void
+IceSSL::OpenSSL::RSAPrivateKey::keyToByteSeq(ByteSeq& keySeq)
+{
+ assert(_privateKey);
+
+ // Output the Private Key to a char buffer
+ unsigned int privKeySize = i2d_RSAPrivateKey(_privateKey, 0);
+
+ assert(privKeySize > 0);
+
+ unsigned char* privateKeyBuffer = new unsigned char[privKeySize];
+ assert(privateKeyBuffer != 0);
+
+ // We have to do this because i2d_RSAPrivateKey changes the pointer.
+ unsigned char* privKeyBuff = privateKeyBuffer;
+ i2d_RSAPrivateKey(_privateKey, &privKeyBuff);
+
+ IceSSL::ucharToByteSeq(privateKeyBuffer, privKeySize, keySeq);
+
+ delete [] privateKeyBuffer;
+}
+
+RSA*
+IceSSL::OpenSSL::RSAPrivateKey::get() const
+{
+ return _privateKey;
+}
+
+void
+IceSSL::OpenSSL::RSAPrivateKey::byteSeqToKey(const ByteSeq& keySeq)
+{
+ unsigned char* privateKeyBuffer = byteSeqToUChar(keySeq);
+ assert(privateKeyBuffer != 0);
+
+ unsigned char* privKeyBuff = privateKeyBuffer;
+ unsigned char** privKeyBuffpp = &privKeyBuff;
+ RSA** rsapp = &_privateKey;
+
+ _privateKey = d2i_RSAPrivateKey(rsapp, privKeyBuffpp, (long)keySeq.size());
+
+ if (_privateKey == 0)
+ {
+ IceSSL::PrivateKeyParseException pkParseException(__FILE__, __LINE__);
+
+ pkParseException._message = "unable to parse provided private key\n" + sslGetErrors();
+
+ throw pkParseException;
+ }
+
+ // ML: Not deleted if an exception is raised!
+ delete [] privateKeyBuffer;
+}
+
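Review bot: In byteSeqToKey the buffer returned by byteSeqToUChar is leaked whenever d2i_RSAPrivateKey fails, because `delete [] privateKeyBuffer;` sits after the throw; the `// ML: Not deleted if an exception is raised!` comment the hunk keeps flags this but does not fix it, and moving `delete [] privateKeyBuffer;` to directly after the `d2i_RSAPrivateKey` call (the buffer is not read again) closes it, as does the same move in byteSeqToCert of the RSAPublicKey.cpp hunk. In keyToByteSeq, `unsigned int privKeySize = i2d_RSAPrivateKey(_privateKey, 0);` turns a negative error return into a huge size that only an assert guards, so a build with asserts compiled out would attempt that allocation; keep the length as `int` and throw when it is `<= 0` instead. The i2d_X509 length in certToByteSeq of the RSAPublicKey.cpp hunk has the same shape.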
diff --git a/cpp/src/Ice/RSAPublicKey.cpp b/cpp/src/Ice/RSAPublicKey.cpp
index f40076d8111..b8918884522 100644
--- a/cpp/src/Ice/RSAPublicKey.cpp
+++ b/cpp/src/Ice/RSAPublicKey.cpp
@@ -1,122 +1,122 @@
-// **********************************************************************
-//
-// Copyright (c) 2001
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <IceUtil/Config.h>
-#include <IceUtil/Base64.h>
-#include <Ice/RSAPublicKey.h>
-#include <Ice/SslIceUtils.h>
-#include <Ice/OpenSSLUtils.h>
-#include <Ice/SslException.h>
-#include <assert.h>
-
-void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAPublicKey* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAPublicKey* p) { p->__decRef(); }
-
-using std::back_inserter;
-using std::string;
-using Ice::ByteSeq;
-using IceUtil::Base64;
-
-IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(const string& cert)
-{
- assert(!cert.empty());
-
- _publicKey = 0;
-
- ByteSeq certSeq = Base64::decode(cert);
-
- byteSeqToCert(certSeq);
-}
-
-IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(const ByteSeq& certSeq)
-{
- assert(!certSeq.empty());
-
- _publicKey = 0;
-
- byteSeqToCert(certSeq);
-}
-
-IceSSL::OpenSSL::RSAPublicKey::~RSAPublicKey()
-{
- if (_publicKey != 0)
- {
- X509_free(_publicKey);
- }
-}
-
-void
-IceSSL::OpenSSL::RSAPublicKey::certToBase64(string& b64Cert)
-{
- ByteSeq certSeq;
- certToByteSeq(certSeq);
- b64Cert = Base64::encode(certSeq);
-}
-
-void
-IceSSL::OpenSSL::RSAPublicKey::certToByteSeq(ByteSeq& certSeq)
-{
- assert(_publicKey);
-
- // Output the Public Key to a char buffer
- unsigned int pubKeySize = i2d_X509(_publicKey, 0);
-
- assert(pubKeySize > 0);
-
- unsigned char* publicKeyBuffer = new unsigned char[pubKeySize];
- assert(publicKeyBuffer != 0);
-
- // We have to do this because i2d_X509_PUBKEY changes the pointer.
- unsigned char* pubKeyBuff = publicKeyBuffer;
- i2d_X509(_publicKey, &pubKeyBuff);
-
- IceSSL::ucharToByteSeq(publicKeyBuffer, pubKeySize, certSeq);
-
- delete []publicKeyBuffer;
-}
-
-X509*
-IceSSL::OpenSSL::RSAPublicKey::getX509PublicKey() const
-{
- return _publicKey;
-}
-
-IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(X509* x509) :
- _publicKey(x509)
-{
-}
-
-void
-IceSSL::OpenSSL::RSAPublicKey::byteSeqToCert(const ByteSeq& certSeq)
-{
- unsigned char* publicKeyBuffer = byteSeqToUChar(certSeq);
- assert(publicKeyBuffer != 0);
-
- // We have to do this because d2i_X509 changes the pointer.
- unsigned char* pubKeyBuff = publicKeyBuffer;
- unsigned char** pubKeyBuffpp = &pubKeyBuff;
-
- X509** x509pp = &_publicKey;
-
- _publicKey = d2i_X509(x509pp, pubKeyBuffpp, (long)certSeq.size());
-
- if (_publicKey == 0)
- {
- IceSSL::CertificateParseException certParseException(__FILE__, __LINE__);
-
- certParseException._message = "unable to parse provided public key\n" + sslGetErrors();
-
- throw certParseException;
- }
-
- delete []publicKeyBuffer;
-}
-
-
+// **********************************************************************
+//
+// Copyright (c) 2001
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <IceUtil/Config.h>
+#include <IceUtil/Base64.h>
+#include <Ice/RSAPublicKey.h>
+#include <Ice/SslIceUtils.h>
+#include <Ice/OpenSSLUtils.h>
+#include <Ice/SslException.h>
+#include <assert.h>
+
+void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAPublicKey* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAPublicKey* p) { p->__decRef(); }
+
+using std::back_inserter;
+using std::string;
+using Ice::ByteSeq;
+using IceUtil::Base64;
+
+IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(const string& cert)
+{
+ assert(!cert.empty());
+
+ _publicKey = 0;
+
+ ByteSeq certSeq = Base64::decode(cert);
+
+ byteSeqToCert(certSeq);
+}
+
+IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(const ByteSeq& certSeq)
+{
+ assert(!certSeq.empty());
+
+ _publicKey = 0;
+
+ byteSeqToCert(certSeq);
+}
+
+IceSSL::OpenSSL::RSAPublicKey::~RSAPublicKey()
+{
+ if (_publicKey != 0)
+ {
+ X509_free(_publicKey);
+ }
+}
+
+void
+IceSSL::OpenSSL::RSAPublicKey::certToBase64(string& b64Cert)
+{
+ ByteSeq certSeq;
+ certToByteSeq(certSeq);
+ b64Cert = Base64::encode(certSeq);
+}
+
+void
+IceSSL::OpenSSL::RSAPublicKey::certToByteSeq(ByteSeq& certSeq)
+{
+ assert(_publicKey);
+
+ // Output the Public Key to a char buffer
+ unsigned int pubKeySize = i2d_X509(_publicKey, 0);
+
+ assert(pubKeySize > 0);
+
+ unsigned char* publicKeyBuffer = new unsigned char[pubKeySize];
+ assert(publicKeyBuffer != 0);
+
+ // We have to do this because i2d_X509_PUBKEY changes the pointer.
+ unsigned char* pubKeyBuff = publicKeyBuffer;
+ i2d_X509(_publicKey, &pubKeyBuff);
+
+ IceSSL::ucharToByteSeq(publicKeyBuffer, pubKeySize, certSeq);
+
+ delete []publicKeyBuffer;
+}
+
+X509*
+IceSSL::OpenSSL::RSAPublicKey::getX509PublicKey() const
+{
+ return _publicKey;
+}
+
+IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(X509* x509) :
+ _publicKey(x509)
+{
+}
+
+void
+IceSSL::OpenSSL::RSAPublicKey::byteSeqToCert(const ByteSeq& certSeq)
+{
+ unsigned char* publicKeyBuffer = byteSeqToUChar(certSeq);
+ assert(publicKeyBuffer != 0);
+
+ // We have to do this because d2i_X509 changes the pointer.
+ unsigned char* pubKeyBuff = publicKeyBuffer;
+ unsigned char** pubKeyBuffpp = &pubKeyBuff;
+
+ X509** x509pp = &_publicKey;
+
+ _publicKey = d2i_X509(x509pp, pubKeyBuffpp, (long)certSeq.size());
+
+ if (_publicKey == 0)
+ {
+ IceSSL::CertificateParseException certParseException(__FILE__, __LINE__);
+
+ certParseException._message = "unable to parse provided public key\n" + sslGetErrors();
+
+ throw certParseException;
+ }
+
+ delete []publicKeyBuffer;
+}
+
+
diff --git a/cpp/src/Ice/SingleCertificateVerifier.cpp b/cpp/src/Ice/SingleCertificateVerifier.cpp
index 9b76e44aa26..2467bd1e7f2 100644
--- a/cpp/src/Ice/SingleCertificateVerifier.cpp
+++ b/cpp/src/Ice/SingleCertificateVerifier.cpp
@@ -9,12 +9,12 @@
// **********************************************************************
#include <Ice/SingleCertificateVerifier.h>
-#include <Ice/SslIceUtils.h>
+#include <Ice/SslIceUtils.h>
#include <openssl/err.h>
#include <algorithm>
#include <iostream>
-using namespace std;
+using namespace std;
using Ice::ByteSeq;
IceSSL::OpenSSL::SingleCertificateVerifier::SingleCertificateVerifier(const ByteSeq& publicKey) :
@@ -23,8 +23,8 @@ IceSSL::OpenSSL::SingleCertificateVerifier::SingleCertificateVerifier(const Byte
}
int
-IceSSL::OpenSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
- X509_STORE_CTX* x509StoreContext,
+IceSSL::OpenSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
+ X509_STORE_CTX* x509StoreContext,
SSL* sslConnection)
{
// Short circuit - if the peer cert wasn't good enough for OpenSSL,
@@ -97,7 +97,7 @@ IceSSL::OpenSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
return preVerifyOkay;
}
-
+
ByteSeq
IceSSL::OpenSSL::SingleCertificateVerifier::toByteSeq(X509* certificate)
{
@@ -110,7 +110,7 @@ IceSSL::OpenSSL::SingleCertificateVerifier::toByteSeq(X509* certificate)
i2d_X509(certificate, &certPtr);
// Yet another conversion to a ByteSeq (easy comparison this way).
- IceSSL::ucharToByteSeq(certBuffer, certSize, certByteSeq);
+ IceSSL::ucharToByteSeq(certBuffer, certSize, certByteSeq);
delete []certBuffer;
return certByteSeq;
diff --git a/cpp/src/Ice/SingleCertificateVerifier.h b/cpp/src/Ice/SingleCertificateVerifier.h
index fe3ec7d152a..20a0c78324c 100644
--- a/cpp/src/Ice/SingleCertificateVerifier.h
+++ b/cpp/src/Ice/SingleCertificateVerifier.h
@@ -22,7 +22,7 @@ namespace OpenSSL
class SingleCertificateVerifier : public IceSSL::OpenSSL::CertificateVerifier
{
-public:
+public:
SingleCertificateVerifier(const Ice::ByteSeq&);
@@ -30,7 +30,7 @@ public:
Ice::ByteSeq toByteSeq(X509*);
-protected:
+protected:
Ice::ByteSeq _publicKey;
};
diff --git a/cpp/src/Ice/SslConnection.cpp b/cpp/src/Ice/SslConnection.cpp
index 511344a72e6..30a00540caf 100644
--- a/cpp/src/Ice/SslConnection.cpp
+++ b/cpp/src/Ice/SslConnection.cpp
@@ -13,19 +13,19 @@
void ::IceInternal::incRef(::IceSSL::Connection* p) { p->__incRef(); }
void ::IceInternal::decRef(::IceSSL::Connection* p) { p->__decRef(); }
-IceSSL::Connection::Connection(const IceInternal::TraceLevelsPtr& traceLevels,
- const Ice::LoggerPtr& logger,
- const CertificateVerifierPtr& certificateVerifier) :
- _traceLevels(traceLevels),
- _logger(logger),
+IceSSL::Connection::Connection(const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const CertificateVerifierPtr& certificateVerifier) :
+ _traceLevels(traceLevels),
+ _logger(logger),
_certificateVerifier(certificateVerifier)
-{
- assert(_traceLevels != 0);
- assert(_logger != 0);
+{
+ assert(_traceLevels != 0);
+ assert(_logger != 0);
assert(_certificateVerifier != 0);
}
IceSSL::Connection::~Connection()
-{
+{
}
diff --git a/cpp/src/Ice/SslConnection.h b/cpp/src/Ice/SslConnection.h
index fe77bb45ff0..3acfd387c08 100644
--- a/cpp/src/Ice/SslConnection.h
+++ b/cpp/src/Ice/SslConnection.h
@@ -23,10 +23,10 @@ namespace IceSSL
class Connection : public IceUtil::Shared
{
-public:
+public:
- Connection(const IceInternal::TraceLevelsPtr&,
- const Ice::LoggerPtr&,
+ Connection(const IceInternal::TraceLevelsPtr&,
+ const Ice::LoggerPtr&,
const IceSSL::CertificateVerifierPtr&);
virtual ~Connection();
@@ -35,10 +35,10 @@ public:
virtual int read(IceInternal::Buffer&, int) = 0;
virtual int write(IceInternal::Buffer&, int) = 0;
-protected:
+protected:
- IceInternal::TraceLevelsPtr _traceLevels;
- Ice::LoggerPtr _logger;
+ IceInternal::TraceLevelsPtr _traceLevels;
+ Ice::LoggerPtr _logger;
CertificateVerifierPtr _certificateVerifier;
};
diff --git a/cpp/src/Ice/SslConnectionOpenSSL.cpp b/cpp/src/Ice/SslConnectionOpenSSL.cpp
index 289015b64a1..7bc74e0559d 100644
--- a/cpp/src/Ice/SslConnectionOpenSSL.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSL.cpp
@@ -20,7 +20,7 @@
#include <openssl/err.h>
#include <string>
#include <sstream>
-#include <Ice/Network.h>
+#include <Ice/Network.h>
#include <Ice/OpenSSL.h>
#include <Ice/SslException.h>
#include <Ice/SslFactory.h>
@@ -69,15 +69,15 @@ void ::IceInternal::decRef(::IceSSL::OpenSSL::Connection* p) { p->__decRef(); }
// but unfortunately, it appears that this is not properly picked up.
//
-IceSSL::OpenSSL::Connection::Connection(const IceInternal::TraceLevelsPtr& traceLevels,
- const Ice::LoggerPtr& logger,
+IceSSL::OpenSSL::Connection::Connection(const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
const IceSSL::CertificateVerifierPtr& certificateVerifier,
- SSL* sslConnection,
+ SSL* sslConnection,
const IceSSL::SystemInternalPtr& system) :
IceSSL::Connection(traceLevels, logger, certificateVerifier),
_sslConnection(sslConnection)
{
- assert(_sslConnection != 0);
+ assert(_sslConnection != 0);
assert(system != 0);
Factory::addSystemHandle(_sslConnection, system);
@@ -109,10 +109,10 @@ void
IceSSL::OpenSSL::Connection::shutdown()
{
if (_sslConnection == 0)
- {
- return;
+ {
+ return;
}
-
+
if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
{
_logger->trace(_traceLevels->securityCat, "WRN " +
@@ -120,7 +120,7 @@ IceSSL::OpenSSL::Connection::shutdown()
fdToString(SSL_get_fd(_sslConnection)));
}
- int shutdown = 0;
+ int shutdown = 0;
int numRetries = 100;
int retries = -numRetries;
@@ -142,7 +142,7 @@ IceSSL::OpenSSL::Connection::shutdown()
void
IceSSL::OpenSSL::Connection::setHandshakeReadTimeout(int timeout)
-{
+{
_handshakeReadTimeout = timeout;
}
@@ -160,12 +160,12 @@ IceSSL::OpenSSL::Connection::getConnection(SSL* sslPtr)
return ConnectionPtr(connection);
}
-//
-// Note: Do not throw exceptions from verifyCertificate - it would rip through the OpenSSL system,
-// interfering with the usual handling and alert system of the handshake. Exceptions should
-// be caught here (if they can be generated), logged and then a fail return code (0) should
-// returned.
-//
+//
+// Note: Do not throw exceptions from verifyCertificate - it would rip through the OpenSSL system,
+// interfering with the usual handling and alert system of the handshake. Exceptions should
+// be caught here (if they can be generated), logged and then a fail return code (0) should
+// returned.
+//
int
IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX* x509StoreContext)
{
@@ -179,24 +179,24 @@ IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX
// Check to make sure we have a proper verifier for the operation.
if (verifier)
{
- // Use the verifier to verify the certificate
- try
+ // Use the verifier to verify the certificate
+ try
{
- preVerifyOkay = verifier->verify(preVerifyOkay, x509StoreContext, _sslConnection);
- }
- catch (const Ice::LocalException& localEx)
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- ostringstream s;
-
- s << "WRN exception during certificate verification: " << std::endl;
- s << localEx << flush;
-
- _logger->trace(_traceLevels->securityCat, s.str());
- }
-
- preVerifyOkay = 0;
+ preVerifyOkay = verifier->verify(preVerifyOkay, x509StoreContext, _sslConnection);
+ }
+ catch (const Ice::LocalException& localEx)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ ostringstream s;
+
+ s << "WRN exception during certificate verification: " << std::endl;
+ s << localEx << flush;
+
+ _logger->trace(_traceLevels->securityCat, s.str());
+ }
+
+ preVerifyOkay = 0;
}
}
else
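Review bot: The catch on the new side handles only `Ice::LocalException`, while the note the previous hunk re-adds says no exception may escape verifyCertificate into the OpenSSL callback; a verifier that throws anything else (a `std::exception` or a user-defined exception) would unwind through SSL_connect/SSL_accept. Add a final `catch (...)` that logs the same way and fails closed, e.g. `catch (...) { /* log as above */ preVerifyOkay = 0; }`, since the 0 return is what makes OpenSSL reject the peer certificate. verifyCertificate starts before this hunk and continues after it.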
@@ -232,8 +232,8 @@ IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX
int
IceSSL::OpenSSL::Connection::connect()
{
- assert(_sslConnection != 0);
-
+ assert(_sslConnection != 0);
+
int result = SSL_connect(_sslConnection);
setLastError(result);
@@ -244,20 +244,20 @@ IceSSL::OpenSSL::Connection::connect()
int
IceSSL::OpenSSL::Connection::accept()
{
- assert(_sslConnection != 0);
-
+ assert(_sslConnection != 0);
+
int result = SSL_accept(_sslConnection);
setLastError(result);
return result;
}
-
+
// NOTE: Currently not used, maybe later.
int
IceSSL::OpenSSL::Connection::renegotiate()
{
- assert(_sslConnection != 0);
+ assert(_sslConnection != 0);
return SSL_renegotiate(_sslConnection);
}
@@ -267,7 +267,7 @@ IceSSL::OpenSSL::Connection::initialize(int timeout)
int retCode = 0;
while (true)
- {
+ {
// One lucky thread will get the honor of carrying out the hanshake,
// if there is one to perform. The HandshakeSentinel effectively
// establishes a first-come, first-serve policy. One thread will own
@@ -305,25 +305,25 @@ IceSSL::OpenSSL::Connection::initialize(int timeout)
return retCode;
}
-int
-IceSSL::OpenSSL::Connection::pending()
-{
- assert(_sslConnection != 0);
- return SSL_pending(_sslConnection);
-}
-
-int
-IceSSL::OpenSSL::Connection::getLastError() const
-{
- assert(_sslConnection != 0);
- return SSL_get_error(_sslConnection, _lastError);
-}
-
+int
+IceSSL::OpenSSL::Connection::pending()
+{
+ assert(_sslConnection != 0);
+ return SSL_pending(_sslConnection);
+}
+
+int
+IceSSL::OpenSSL::Connection::getLastError() const
+{
+ assert(_sslConnection != 0);
+ return SSL_get_error(_sslConnection, _lastError);
+}
+
int
IceSSL::OpenSSL::Connection::sslRead(char* buffer, int bufferSize)
{
- assert(_sslConnection != 0);
-
+ assert(_sslConnection != 0);
+
int bytesRead = SSL_read(_sslConnection, buffer, bufferSize);
setLastError(bytesRead);
@@ -334,8 +334,8 @@ IceSSL::OpenSSL::Connection::sslRead(char* buffer, int bufferSize)
int
IceSSL::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize)
{
- assert(_sslConnection != 0);
-
+ assert(_sslConnection != 0);
+
int bytesWritten = SSL_write(_sslConnection, buffer, bufferSize);
setLastError(bytesWritten);
@@ -343,78 +343,78 @@ IceSSL::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize)
return bytesWritten;
}
-int
-IceSSL::OpenSSL::Connection::select(int timeout, bool write)
-{
- int ret;
-
- assert(_sslConnection != 0);
- SOCKET fd = SSL_get_fd(_sslConnection);
-
- fd_set rwFdSet;
- struct timeval tv;
-
- if (timeout >= 0)
- {
- tv.tv_sec = timeout / 1000;
- tv.tv_usec = (timeout - tv.tv_sec * 1000) * 1000;
- }
-
- do
- {
- FD_ZERO(&rwFdSet);
- FD_SET(fd, &rwFdSet);
-
- if (timeout >= 0)
- {
- if (write)
- {
- ret = ::select(fd + 1, 0, &rwFdSet, 0, &tv);
- }
- else
- {
- ret = ::select(fd + 1, &rwFdSet, 0, 0, &tv);
- }
- }
- else
- {
- if (write)
- {
- ret = ::select(fd + 1, 0, &rwFdSet, 0, 0);
- }
- else
- {
- ret = ::select(fd + 1, &rwFdSet, 0, 0, 0);
- }
- }
- }
- while (ret == SOCKET_ERROR && interrupted());
-
- if (ret == SOCKET_ERROR)
- {
- SocketException ex(__FILE__, __LINE__);
- ex.error = getSocketErrno();
- throw ex;
- }
-
- if (ret == 0)
- {
- throw TimeoutException(__FILE__, __LINE__);
- }
-
- return FD_ISSET(fd, &rwFdSet);
+int
+IceSSL::OpenSSL::Connection::select(int timeout, bool write)
+{
+ int ret;
+
+ assert(_sslConnection != 0);
+ SOCKET fd = SSL_get_fd(_sslConnection);
+
+ fd_set rwFdSet;
+ struct timeval tv;
+
+ if (timeout >= 0)
+ {
+ tv.tv_sec = timeout / 1000;
+ tv.tv_usec = (timeout - tv.tv_sec * 1000) * 1000;
+ }
+
+ do
+ {
+ FD_ZERO(&rwFdSet);
+ FD_SET(fd, &rwFdSet);
+
+ if (timeout >= 0)
+ {
+ if (write)
+ {
+ ret = ::select(fd + 1, 0, &rwFdSet, 0, &tv);
+ }
+ else
+ {
+ ret = ::select(fd + 1, &rwFdSet, 0, 0, &tv);
+ }
+ }
+ else
+ {
+ if (write)
+ {
+ ret = ::select(fd + 1, 0, &rwFdSet, 0, 0);
+ }
+ else
+ {
+ ret = ::select(fd + 1, &rwFdSet, 0, 0, 0);
+ }
+ }
+ }
+ while (ret == SOCKET_ERROR && interrupted());
+
+ if (ret == SOCKET_ERROR)
+ {
+ SocketException ex(__FILE__, __LINE__);
+ ex.error = getSocketErrno();
+ throw ex;
+ }
+
+ if (ret == 0)
+ {
+ throw TimeoutException(__FILE__, __LINE__);
+ }
+
+ return FD_ISSET(fd, &rwFdSet);
}
int
IceSSL::OpenSSL::Connection::readSelect(int timeout)
{
- return select(timeout, false);
+ return select(timeout, false);
}
int
IceSSL::OpenSSL::Connection::writeSelect(int timeout)
-{
- return select(timeout, true);
+{
+ return select(timeout, true);
}
int
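Review bot: `FD_SET(fd, &rwFdSet)` in select is reached with no bound on fd; on builds where fd_set is a fixed bitmap (the Unix side, inferred from the SOCKET typedef rather than visible here) a descriptor numbered FD_SETSIZE or higher writes past the stack-allocated rwFdSet. Throwing a `SocketException` when `fd >= FD_SETSIZE` before the loop, or at least `assert(fd < FD_SETSIZE);`, makes that failure explicit instead of silent memory corruption. Separately, when select is interrupted and retried, `tv` is reused as-is, so on platforms that do not update it the total wait can exceed `timeout`; recomputing the remaining time per iteration would bound it.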
@@ -569,14 +569,14 @@ IceSSL::OpenSSL::Connection::read(Buffer& buf, int timeout)
return totalBytesRead;
}
-
+
void
IceSSL::OpenSSL::Connection::addConnection(SSL* sslPtr, Connection* connection)
{
assert(sslPtr);
assert(connection);
IceUtil::Mutex::Lock sync(_connectionRepositoryMutex);
- _connectionMap[sslPtr] = connection;
+ _connectionMap[sslPtr] = connection;
}
void
@@ -589,10 +589,10 @@ IceSSL::OpenSSL::Connection::removeConnection(SSL* sslPtr)
void
IceSSL::OpenSSL::Connection::showCertificateChain(BIO* bio)
-{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+{
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
STACK_OF(X509)* sk;
// Big nasty buffer
@@ -622,9 +622,9 @@ IceSSL::OpenSSL::Connection::showCertificateChain(BIO* bio)
void
IceSSL::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* connType)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
X509* peerCert = 0;
char buffer[4096];
@@ -655,16 +655,16 @@ IceSSL::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* connType)
void
IceSSL::OpenSSL::Connection::showSharedCiphers(BIO* bio)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
char buffer[4096];
char* strPointer = 0;
if ((strPointer = SSL_get_shared_ciphers(_sslConnection, buffer, sizeof(buffer))) != 0)
{
- // This works only for SSL 2. In later protocol versions, the client does not know
- // what other ciphers (in addition to the one to be used in the current connection)
+ // This works only for SSL 2. In later protocol versions, the client does not know
+ // what other ciphers (in addition to the one to be used in the current connection)
// the server supports.
BIO_printf(bio, "---\nShared Ciphers:\n");
@@ -697,9 +697,9 @@ IceSSL::OpenSSL::Connection::showSharedCiphers(BIO* bio)
void
IceSSL::OpenSSL::Connection::showSessionInfo(BIO* bio)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
if (_sslConnection->hit)
{
BIO_printf(bio, "Reused session-id\n");
@@ -711,9 +711,9 @@ IceSSL::OpenSSL::Connection::showSessionInfo(BIO* bio)
void
IceSSL::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
const char* str;
SSL_CIPHER* cipher;
@@ -730,9 +730,9 @@ IceSSL::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio)
void
IceSSL::OpenSSL::Connection::showHandshakeStats(BIO* bio)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+
BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(_sslConnection)),
BIO_number_written(SSL_get_wbio(_sslConnection)));
@@ -741,10 +741,10 @@ IceSSL::OpenSSL::Connection::showHandshakeStats(BIO* bio)
void
IceSSL::OpenSSL::Connection::showClientCAList(BIO* bio, const char* connType)
{
- assert(_sslConnection != 0);
- assert(bio != 0);
- assert(connType != 0);
-
+ assert(_sslConnection != 0);
+ assert(bio != 0);
+ assert(connType != 0);
+
char buffer[4096];
STACK_OF(X509_NAME)* sk = SSL_get_client_CA_list(_sslConnection);
diff --git a/cpp/src/Ice/SslConnectionOpenSSL.h b/cpp/src/Ice/SslConnectionOpenSSL.h
index 929ca453c1d..e755e002cc1 100644
--- a/cpp/src/Ice/SslConnectionOpenSSL.h
+++ b/cpp/src/Ice/SslConnectionOpenSSL.h
@@ -27,7 +27,7 @@ namespace OpenSSL
class SafeFlag
{
-public:
+public:
SafeFlag(bool flagVal = false)
{
@@ -72,7 +72,7 @@ public:
}
private:
-
+
::IceUtil::Mutex _mutex;
bool _flag;
};
@@ -117,10 +117,10 @@ class Connection : public IceSSL::Connection
{
public:
- Connection(const IceInternal::TraceLevelsPtr&,
- const Ice::LoggerPtr&,
- const IceSSL::CertificateVerifierPtr&,
- SSL*,
+ Connection(const IceInternal::TraceLevelsPtr&,
+ const Ice::LoggerPtr&,
+ const IceSSL::CertificateVerifierPtr&,
+ SSL*,
const IceSSL::SystemInternalPtr&);
virtual ~Connection();
@@ -151,7 +151,7 @@ protected:
int sslRead(char*, int);
int sslWrite(char*, int);
- int select(int, bool);
+ int select(int, bool);
int readSelect(int);
int writeSelect(int);
diff --git a/cpp/src/Ice/SslConnectionOpenSSLClient.cpp b/cpp/src/Ice/SslConnectionOpenSSLClient.cpp
index b07b9566b71..9519309ece5 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLClient.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSLClient.cpp
@@ -13,7 +13,7 @@
#include <Ice/OpenSSLUtils.h>
#include <Ice/Network.h>
#include <Ice/OpenSSL.h>
-#include <Ice/SslException.h>
+#include <Ice/SslException.h>
#include <Ice/OpenSSLJanitors.h>
#include <Ice/SslConnectionOpenSSLClient.h>
@@ -170,39 +170,39 @@ IceSSL::OpenSSL::ClientConnection::init(int timeout)
protocolEx._message = "encountered an EOF during handshake that violates the ssl protocol\n";
protocolEx._message += sslGetErrors();
- throw protocolEx;
+ throw protocolEx;
}
}
case SSL_ERROR_SSL:
{
- int verifyError = SSL_get_verify_result(_sslConnection);
-
- if (verifyError != X509_V_OK && verifyError != 1)
- {
- CertificateVerificationException certVerEx(__FILE__, __LINE__);
-
- certVerEx._message = "ssl certificate verification error";
-
- string errors = sslGetErrors();
-
- if (!errors.empty())
- {
- certVerEx._message += "\n";
- certVerEx._message += errors;
- }
-
- throw certVerEx;
- }
- else
- {
+ int verifyError = SSL_get_verify_result(_sslConnection);
+
+ if (verifyError != X509_V_OK && verifyError != 1)
+ {
+ CertificateVerificationException certVerEx(__FILE__, __LINE__);
+
+ certVerEx._message = "ssl certificate verification error";
+
+ string errors = sslGetErrors();
+
+ if (!errors.empty())
+ {
+ certVerEx._message += "\n";
+ certVerEx._message += errors;
+ }
+
+ throw certVerEx;
+ }
+ else
+ {
ProtocolException protocolEx(__FILE__, __LINE__);
protocolEx._message = "encountered a violation of the ssl protocol during handshake\n";
protocolEx._message += sslGetErrors();
throw protocolEx;
- }
+ }
}
}
@@ -294,8 +294,8 @@ IceSSL::OpenSSL::ClientConnection::write(Buffer& buf, int timeout)
case SSL_ERROR_SYSCALL:
{
- // NOTE: The OpenSSL demo client only raises and error condition if there were
- // actually bytes written. This is considered to be an error status
+ // NOTE: The OpenSSL demo client only raises and error condition if there were
+ // actually bytes written. This is considered to be an error status
// requiring shutdown.
// If nothing was written, the demo client stops writing - we continue.
// This is potentially something wierd to watch out for.
@@ -374,7 +374,7 @@ IceSSL::OpenSSL::ClientConnection::showConnectionInfo()
{
// Only in extreme cases do we enable this, partially because it doesn't use the Logger.
if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0)
- {
+ {
BIOJanitor bioJanitor(BIO_new_fp(stdout, BIO_NOCLOSE));
BIO* bio = bioJanitor.get();
diff --git a/cpp/src/Ice/SslConnectionOpenSSLClient.h b/cpp/src/Ice/SslConnectionOpenSSLClient.h
index da6c13f1c04..27547898961 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLClient.h
+++ b/cpp/src/Ice/SslConnectionOpenSSLClient.h
@@ -22,14 +22,14 @@ namespace OpenSSL
class ClientConnection : public Connection
{
public:
-
- ClientConnection(const IceInternal::TraceLevelsPtr&,
- const Ice::LoggerPtr&,
- const IceSSL::CertificateVerifierPtr&,
- SSL*,
+
+ ClientConnection(const IceInternal::TraceLevelsPtr&,
+ const Ice::LoggerPtr&,
+ const IceSSL::CertificateVerifierPtr&,
+ SSL*,
const IceSSL::SystemInternalPtr&);
virtual ~ClientConnection();
-
+
virtual void shutdown();
virtual int init(int timeout = 0);
diff --git a/cpp/src/Ice/SslConnectionOpenSSLF.h b/cpp/src/Ice/SslConnectionOpenSSLF.h
index 69a536facea..4c35b8166a3 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLF.h
+++ b/cpp/src/Ice/SslConnectionOpenSSLF.h
@@ -16,13 +16,13 @@
namespace IceSSL
{
-namespace OpenSSL
-{
-
+namespace OpenSSL
+{
+
class Connection;
typedef IceInternal::Handle<Connection> ConnectionPtr;
-
-}
+
+}
}
diff --git a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
index a86f18edede..86f169fd3c7 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
@@ -13,7 +13,7 @@
#include <Ice/OpenSSLUtils.h>
#include <Ice/Network.h>
#include <Ice/OpenSSL.h>
-#include <Ice/SslException.h>
+#include <Ice/SslException.h>
#include <Ice/OpenSSLJanitors.h>
#include <Ice/SslConnectionOpenSSLServer.h>
@@ -141,7 +141,7 @@ IceSSL::OpenSSL::ServerConnection::init(int timeout)
}
}
- // Find out what the error was (if any).
+ // Find out what the error was (if any).
switch (getLastError())
{
case SSL_ERROR_WANT_READ:
@@ -372,8 +372,8 @@ IceSSL::OpenSSL::ServerConnection::showConnectionInfo()
// Only in extreme cases do we enable this, partially because it doesn't use the Logger.
if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0)
{
- BIOJanitor bioJanitor(BIO_new_fp(stdout, BIO_NOCLOSE));
- BIO* bio = bioJanitor.get();
+ BIOJanitor bioJanitor(BIO_new_fp(stdout, BIO_NOCLOSE));
+ BIO* bio = bioJanitor.get();
showCertificateChain(bio);
diff --git a/cpp/src/Ice/SslConnectionOpenSSLServer.h b/cpp/src/Ice/SslConnectionOpenSSLServer.h
index e96afdb002d..599be04efb2 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLServer.h
+++ b/cpp/src/Ice/SslConnectionOpenSSLServer.h
@@ -22,14 +22,14 @@ namespace OpenSSL
class ServerConnection : public Connection
{
public:
-
- ServerConnection(const IceInternal::TraceLevelsPtr&,
- const Ice::LoggerPtr&,
- const IceSSL::CertificateVerifierPtr&,
- SSL*,
+
+ ServerConnection(const IceInternal::TraceLevelsPtr&,
+ const Ice::LoggerPtr&,
+ const IceSSL::CertificateVerifierPtr&,
+ SSL*,
const IceSSL::SystemInternalPtr&);
virtual ~ServerConnection();
-
+
virtual void shutdown();
virtual int init(int timeout = 0);
diff --git a/cpp/src/Ice/SslException2.cpp b/cpp/src/Ice/SslException2.cpp
index d693a6f73a4..a6f297b61a6 100644
--- a/cpp/src/Ice/SslException2.cpp
+++ b/cpp/src/Ice/SslException2.cpp
@@ -33,12 +33,12 @@ IceSSL::SslException::ice_print(ostream& out) const
}
}
-void
-IceSSL::ConfigurationLoadingException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
+void
+IceSSL::ConfigurationLoadingException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
void
IceSSL::ConfigParseException::ice_print(ostream& out) const
{
@@ -57,48 +57,48 @@ IceSSL::ProtocolException::ice_print(ostream& out) const
SslException::ice_print(out);
}
-void
-IceSSL::CertificateVerificationException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateSigningException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateSignatureException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::CertificateParseException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::PrivateKeyException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::PrivateKeyParseException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
+void
+IceSSL::CertificateVerificationException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::CertificateException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::CertificateSigningException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::CertificateSignatureException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::CertificateParseException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::PrivateKeyException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::PrivateKeyParseException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
void
IceSSL::CertificateVerifierTypeException::ice_print(ostream& out) const
{
@@ -110,46 +110,46 @@ IceSSL::OpenSSL::ContextException::ice_print(ostream& out) const
{
SslException::ice_print(out);
}
-
-void
-IceSSL::OpenSSL::ContextInitializationException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::OpenSSL::ContextNotConfiguredException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::OpenSSL::UnsupportedContextException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::OpenSSL::CertificateLoadException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::OpenSSL::PrivateKeyLoadException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::OpenSSL::CertificateKeyMatchException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
-void
-IceSSL::OpenSSL::TrustedCertificateAddException::ice_print(ostream& out) const
-{
- SslException::ice_print(out);
-}
-
+
+void
+IceSSL::OpenSSL::ContextInitializationException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::ContextNotConfiguredException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::UnsupportedContextException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::CertificateLoadException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::PrivateKeyLoadException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::CertificateKeyMatchException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::TrustedCertificateAddException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
diff --git a/cpp/src/Ice/SslExtensionInternal.cpp b/cpp/src/Ice/SslExtensionInternal.cpp
index fe8d8006593..328649abd51 100644
--- a/cpp/src/Ice/SslExtensionInternal.cpp
+++ b/cpp/src/Ice/SslExtensionInternal.cpp
@@ -1,36 +1,36 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#include <Ice/SslExtensionInternal.h>
-#include <Ice/DefaultCertificateVerifier.h>
-#include <Ice/SingleCertificateVerifier.h>
-#include <Ice/BuiltinSequences.h>
-
-IceSSL::SslExtensionInternal::SslExtensionInternal(const IceInternal::InstancePtr& instance) :
- _instance(instance)
-{
-}
-
-IceSSL::SslExtensionInternal::~SslExtensionInternal()
-{
-}
-
-::IceSSL::CertificateVerifierPtr
-IceSSL::SslExtensionInternal::getDefaultCertVerifier()
-{
- return ::IceSSL::CertificateVerifierPtr(new IceSSL::OpenSSL::DefaultCertificateVerifier(_instance));
-}
-
-::IceSSL::CertificateVerifierPtr
-IceSSL::SslExtensionInternal::getSingleCertVerifier(const ::Ice::ByteSeq& certSeq)
-{
- return ::IceSSL::CertificateVerifierPtr(new IceSSL::OpenSSL::SingleCertificateVerifier(certSeq));
-}
-
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/SslExtensionInternal.h>
+#include <Ice/DefaultCertificateVerifier.h>
+#include <Ice/SingleCertificateVerifier.h>
+#include <Ice/BuiltinSequences.h>
+
+IceSSL::SslExtensionInternal::SslExtensionInternal(const IceInternal::InstancePtr& instance) :
+ _instance(instance)
+{
+}
+
+IceSSL::SslExtensionInternal::~SslExtensionInternal()
+{
+}
+
+::IceSSL::CertificateVerifierPtr
+IceSSL::SslExtensionInternal::getDefaultCertVerifier()
+{
+ return ::IceSSL::CertificateVerifierPtr(new IceSSL::OpenSSL::DefaultCertificateVerifier(_instance));
+}
+
+::IceSSL::CertificateVerifierPtr
+IceSSL::SslExtensionInternal::getSingleCertVerifier(const ::Ice::ByteSeq& certSeq)
+{
+ return ::IceSSL::CertificateVerifierPtr(new IceSSL::OpenSSL::SingleCertificateVerifier(certSeq));
+}
+
diff --git a/cpp/src/Ice/SslExtensionInternal.h b/cpp/src/Ice/SslExtensionInternal.h
index 7f368210308..f1e8ec65ce5 100644
--- a/cpp/src/Ice/SslExtensionInternal.h
+++ b/cpp/src/Ice/SslExtensionInternal.h
@@ -1,39 +1,39 @@
-// **********************************************************************
-//
-// Copyright (c) 2002
-// MutableRealms, Inc.
-// Huntsville, AL, USA
-//
-// All Rights Reserved
-//
-// **********************************************************************
-
-#ifndef ICE_SSL_EXTENSION_INTERNAL_H
-#define ICE_SSL_EXTENSION_INTERNAL_H
-
-#include <Ice/InstanceF.h>
-#include <Ice/SslExtension.h>
-#include <Ice/CertificateVerifierF.h>
-
-namespace IceSSL
-{
-
-class SslExtensionInternal : public SslExtension
-{
-public:
-
- SslExtensionInternal(const IceInternal::InstancePtr&);
- virtual ~SslExtensionInternal();
-
- virtual ::IceSSL::CertificateVerifierPtr getDefaultCertVerifier();
-
- virtual ::IceSSL::CertificateVerifierPtr getSingleCertVerifier(const ::Ice::ByteSeq&);
-
-protected:
-
- IceInternal::InstancePtr _instance;
-};
-
-}
-
-#endif
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_EXTENSION_INTERNAL_H
+#define ICE_SSL_EXTENSION_INTERNAL_H
+
+#include <Ice/InstanceF.h>
+#include <Ice/SslExtension.h>
+#include <Ice/CertificateVerifierF.h>
+
+namespace IceSSL
+{
+
+class SslExtensionInternal : public SslExtension
+{
+public:
+
+ SslExtensionInternal(const IceInternal::InstancePtr&);
+ virtual ~SslExtensionInternal();
+
+ virtual ::IceSSL::CertificateVerifierPtr getDefaultCertVerifier();
+
+ virtual ::IceSSL::CertificateVerifierPtr getSingleCertVerifier(const ::Ice::ByteSeq&);
+
+protected:
+
+ IceInternal::InstancePtr _instance;
+};
+
+}
+
+#endif
diff --git a/cpp/src/Ice/SslFactory.cpp b/cpp/src/Ice/SslFactory.cpp
index 77ca0314eaa..791cce078aa 100644
--- a/cpp/src/Ice/SslFactory.cpp
+++ b/cpp/src/Ice/SslFactory.cpp
@@ -44,14 +44,14 @@ extern "C"
class SslLockKeeper
{
public:
-
+
SslLockKeeper();
~SslLockKeeper();
IceUtil::Mutex sslLocks[CRYPTO_NUM_LOCKS];
};
-
+
SslLockKeeper lockKeeper;
}
@@ -68,16 +68,16 @@ void IceSSL::lockingCallback(int mode, int type, const char *file, int line)
}
}
-IceSSL::SslLockKeeper::SslLockKeeper()
-{
- CRYPTO_set_locking_callback((void (*)(int, int, const char*, int))IceSSL::lockingCallback);
-}
-
-IceSSL::SslLockKeeper::~SslLockKeeper()
-{
- CRYPTO_set_locking_callback(NULL);
-}
-
+IceSSL::SslLockKeeper::SslLockKeeper()
+{
+ CRYPTO_set_locking_callback((void (*)(int, int, const char*, int))IceSSL::lockingCallback);
+}
+
+IceSSL::SslLockKeeper::~SslLockKeeper()
+{
+ CRYPTO_set_locking_callback(NULL);
+}
+
IceSSL::SystemInternalPtr
IceSSL::Factory::getSystem(const IceInternal::InstancePtr& instance)
{
diff --git a/cpp/src/Ice/SslFactory.h b/cpp/src/Ice/SslFactory.h
index 2bd8742e31d..ec84b840cba 100644
--- a/cpp/src/Ice/SslFactory.h
+++ b/cpp/src/Ice/SslFactory.h
@@ -33,7 +33,7 @@ typedef std::map<void*, SystemInternalPtr> SslHandleSystemMap;
class Factory
{
public:
-
+
static SystemInternalPtr getSystem(const IceInternal::InstancePtr&);
// System Handle related methods
@@ -41,7 +41,7 @@ public:
static void removeSystemHandle(void*);
static SystemInternalPtr getSystemFromHandle(void*);
-private:
+private:
static SslHandleSystemMap _sslHandleSystemRepository;
static ::IceUtil::Mutex _systemRepositoryMutex;
diff --git a/cpp/src/Ice/SslIceUtils.cpp b/cpp/src/Ice/SslIceUtils.cpp
index 20dea0c15ae..92f8cd35c5f 100644
--- a/cpp/src/Ice/SslIceUtils.cpp
+++ b/cpp/src/Ice/SslIceUtils.cpp
@@ -14,7 +14,7 @@
void
IceSSL::ucharToByteSeq(unsigned char* ucharBuffer, int length, Ice::ByteSeq& destBuffer)
-{
+{
assert(ucharBuffer != 0);
destBuffer.reserve(length);
std::copy(ucharBuffer, (ucharBuffer + length), std::back_inserter(destBuffer));
@@ -27,9 +27,9 @@ IceSSL::byteSeqToUChar(const Ice::ByteSeq& sequence)
assert(seqSize > 0);
- unsigned char* ucharSeq = new unsigned char[seqSize];
-
- assert(ucharSeq != 0);
+ unsigned char* ucharSeq = new unsigned char[seqSize];
+
+ assert(ucharSeq != 0);
unsigned char* ucharPtr = ucharSeq;
std::copy(sequence.begin(), sequence.end(), ucharPtr);
diff --git a/cpp/src/Ice/SslTransceiver.cpp b/cpp/src/Ice/SslTransceiver.cpp
index f8a17d761ee..8d967b85765 100644
--- a/cpp/src/Ice/SslTransceiver.cpp
+++ b/cpp/src/Ice/SslTransceiver.cpp
@@ -102,5 +102,5 @@ IceInternal::SslTransceiver::SslTransceiver(const InstancePtr& instance,
IceInternal::SslTransceiver::~SslTransceiver()
{
- assert(_fd == INVALID_SOCKET);
+ assert(_fd == INVALID_SOCKET);
}
diff --git a/cpp/src/Ice/SystemInternal.h b/cpp/src/Ice/SystemInternal.h
index 6c8fb0718c4..5563fbae64a 100644
--- a/cpp/src/Ice/SystemInternal.h
+++ b/cpp/src/Ice/SystemInternal.h
@@ -40,10 +40,10 @@ public:
virtual void setCertificateVerifier(ContextType, const CertificateVerifierPtr&) = 0;
- virtual void addTrustedCertificateBase64(ContextType, const std::string&) = 0;
-
- virtual void addTrustedCertificate(ContextType, const Ice::ByteSeq&) = 0;
-
+ virtual void addTrustedCertificateBase64(ContextType, const std::string&) = 0;
+
+ virtual void addTrustedCertificate(ContextType, const Ice::ByteSeq&) = 0;
+
virtual void setRSAKeysBase64(ContextType, const std::string&, const std::string&) = 0;
virtual void setRSAKeys(ContextType, const ::Ice::ByteSeq&, const ::Ice::ByteSeq&) = 0;
diff --git a/cpp/src/Ice/SystemOpenSSL.h b/cpp/src/Ice/SystemOpenSSL.h
index 0b8a70c16b4..8536c3e1301 100644
--- a/cpp/src/Ice/SystemOpenSSL.h
+++ b/cpp/src/Ice/SystemOpenSSL.h
@@ -10,9 +10,9 @@
#ifndef ICE_SSL_SYSTEM_OPENSSL_H
#define ICE_SSL_SYSTEM_OPENSSL_H
-#include <Ice/Config.h>
+#include <Ice/Config.h>
#include <Ice/TraceLevelsF.h>
-#include <Ice/LoggerF.h>
+#include <Ice/LoggerF.h>
#include <IceUtil/RecMutex.h>
#include <Ice/GeneralConfig.h>
@@ -31,9 +31,9 @@
#include <openssl/ssl.h>
#include <string>
#include <map>
-
-#include <Ice/RSAPrivateKeyF.h>
-#include <Ice/DHParamsF.h>
+
+#include <Ice/RSAPrivateKeyF.h>
+#include <Ice/DHParamsF.h>
namespace IceSSL
{
@@ -42,9 +42,9 @@ class GeneralConfig;
namespace OpenSSL
{
-
-typedef std::map<int,RSAPrivateKeyPtr> RSAMap;
-typedef std::map<int,DHParamsPtr> DHMap;
+
+typedef std::map<int,RSAPrivateKeyPtr> RSAMap;
+typedef std::map<int,DHParamsPtr> DHMap;
typedef std::map<int,CertificateDesc> RSACertMap;
typedef std::map<int,DiffieHellmanParamsFile> DHParamsMap;
@@ -74,8 +74,8 @@ public:
virtual void addTrustedCertificateBase64(ContextType, const std::string&);
- virtual void addTrustedCertificate(ContextType, const Ice::ByteSeq&);
-
+ virtual void addTrustedCertificate(ContextType, const Ice::ByteSeq&);
+
virtual void setRSAKeysBase64(ContextType, const std::string&, const std::string&);
virtual void setRSAKeys(ContextType, const Ice::ByteSeq&, const Ice::ByteSeq&);
@@ -89,11 +89,11 @@ private:
ServerContext _serverContext;
ClientContext _clientContext;
-
- // Mutex to ensure synchronization of calls to configure
- // the contexts and calls to create connections.
+
+ // Mutex to ensure synchronization of calls to configure
+ // the contexts and calls to create connections.
::IceUtil::RecMutex _configMutex;
-
+
// Keep a cache of all temporary RSA keys.
RSAMap _tempRSAKeys;
::IceUtil::Mutex _tempRSAKeysMutex;
diff --git a/cpp/src/Ice/TempCerts.h b/cpp/src/Ice/TempCerts.h
index 88f3b203e90..029292d76ca 100644
--- a/cpp/src/Ice/TempCerts.h
+++ b/cpp/src/Ice/TempCerts.h
@@ -20,7 +20,7 @@ namespace IceSSL
class TempCertificates
{
public:
-
+
TempCertificates();
~TempCertificates();
@@ -30,7 +30,7 @@ public:
RSAVector& getRSACerts();
DHVector& getDHParams();
-protected:
+protected:
RSAVector _rsaCerts;
DHVector _dhParams;
diff --git a/cpp/src/IceBox/.depend b/cpp/src/IceBox/.depend
index 1b8329277ee..cb0130e7e31 100644
--- a/cpp/src/IceBox/.depend
+++ b/cpp/src/IceBox/.depend
@@ -1,5 +1,4 @@
IceBox.o: IceBox.cpp ../../include/Ice/Stream.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ObjectF.h ../../include/Ice/Handle.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalException.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/StreamF.h ../../include/Ice/BuiltinSequences.h ../../include/IceBox/IceBox.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionF.h ../../include/Ice/EndpointF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/Object.h ../../include/Ice/Outgoing.h ../../include/IceUtil/Monitor.h ../../include/IceUtil/Cond.h ../../include/Ice/BasicStream.h ../../include/Ice/InstanceF.h ../../include/Ice/Buffer.h ../../include/Ice/Incoming.h ../../include/Ice/Direct.h ../../include/Ice/ServantLocatorF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactory.h
-Exception.o: Exception.cpp ../../include/IceBox/IceBox.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ObjectF.h ../../include/Ice/Handle.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalException.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/StreamF.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionF.h ../../include/Ice/EndpointF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/Object.h ../../include/Ice/Outgoing.h ../../include/IceUtil/Monitor.h ../../include/IceUtil/Cond.h ../../include/Ice/BasicStream.h ../../include/Ice/InstanceF.h ../../include/Ice/Buffer.h ../../include/Ice/Incoming.h ../../include/Ice/Direct.h ../../include/Ice/ServantLocatorF.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/CommunicatorF.h ../../include/Ice/PropertiesF.h ../../include/Ice/Stream.h
ServiceManagerI.o: ServiceManagerI.cpp ../../include/Ice/Ice.h ../../include/Ice/Initialize.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ObjectF.h ../../include/Ice/Handle.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalException.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/InstanceF.h ../../include/Ice/Properties.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Logger.h ../../include/Ice/LoggerUtil.h ../../include/Ice/LoggerF.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionF.h ../../include/Ice/EndpointF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/Object.h ../../include/Ice/Outgoing.h ../../include/IceUtil/Monitor.h ../../include/IceUtil/Cond.h ../../include/Ice/BasicStream.h ../../include/Ice/Buffer.h ../../include/Ice/Incoming.h ../../include/Ice/Direct.h ../../include/Ice/ServantLocatorF.h ../../include/Ice/UserExceptionFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/SystemF.h ../../include/Ice/SslExtensionF.h ../../include/Ice/ObjectFactory.h ../../include/Ice/UserExceptionFactory.h ../../include/Ice/ObjectAdapter.h ../../include/Ice/ServantLocator.h ../../include/Ice/IdentityUtil.h ../../include/Ice/DynamicLibrary.h ../../include/Ice/DynamicLibraryF.h ../IceBox/ServiceManagerI.h ../../include/IceBox/IceBox.h
Server.o: Server.cpp ../../include/Ice/Ice.h ../../include/Ice/Initialize.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ObjectF.h ../../include/Ice/Handle.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalException.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/InstanceF.h ../../include/Ice/Properties.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Logger.h ../../include/Ice/LoggerUtil.h ../../include/Ice/LoggerF.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionF.h ../../include/Ice/EndpointF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/Object.h ../../include/Ice/Outgoing.h ../../include/IceUtil/Monitor.h ../../include/IceUtil/Cond.h ../../include/Ice/BasicStream.h ../../include/Ice/Buffer.h ../../include/Ice/Incoming.h ../../include/Ice/Direct.h ../../include/Ice/ServantLocatorF.h ../../include/Ice/UserExceptionFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/SystemF.h ../../include/Ice/SslExtensionF.h ../../include/Ice/ObjectFactory.h ../../include/Ice/UserExceptionFactory.h ../../include/Ice/ObjectAdapter.h ../../include/Ice/ServantLocator.h ../../include/Ice/IdentityUtil.h ../IceBox/ServiceManagerI.h ../../include/IceBox/IceBox.h ../../include/Ice/DynamicLibraryF.h
Admin.o: Admin.cpp ../../include/Ice/Application.h ../../include/Ice/Ice.h ../../include/Ice/Initialize.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProxyF.h ../../include/Ice/ProxyHandle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ObjectF.h ../../include/Ice/Handle.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalException.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/InstanceF.h ../../include/Ice/Properties.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Logger.h ../../include/Ice/LoggerUtil.h ../../include/Ice/LoggerF.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionF.h ../../include/Ice/EndpointF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/Object.h ../../include/Ice/Outgoing.h ../../include/IceUtil/Monitor.h ../../include/IceUtil/Cond.h ../../include/Ice/BasicStream.h ../../include/Ice/Buffer.h ../../include/Ice/Incoming.h ../../include/Ice/Direct.h ../../include/Ice/ServantLocatorF.h ../../include/Ice/UserExceptionFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/SystemF.h ../../include/Ice/SslExtensionF.h ../../include/Ice/ObjectFactory.h ../../include/Ice/UserExceptionFactory.h ../../include/Ice/ObjectAdapter.h ../../include/Ice/ServantLocator.h ../../include/Ice/IdentityUtil.h ../../include/IceBox/IceBox.h