1 files changed, 141 insertions, 0 deletions
diff --git a/cpp/src/Ice/ContextOpenSSLServer.cpp b/cpp/src/Ice/ContextOpenSSLServer.cpp
new file mode 100644
index 00000000000..b5545f413b0
--- /dev/null
+++ b/cpp/src/Ice/ContextOpenSSLServer.cpp
@@ -0,0 +1,141 @@
+// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/SslException.h>
+#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/ContextOpenSSLServer.h>
+#include <Ice/SslConnectionOpenSSLServer.h>
+#include <Ice/OpenSSLUtils.h>
+
+#include <Ice/TraceLevels.h>
+#include <Ice/Logger.h>
+
+#include <iostream.h>
+
+using IceSSL::ConnectionPtr;
+using IceSSL::SystemInternalPtr;
+
+void
+IceSSL::OpenSSL::ServerContext::configure(const GeneralConfig& generalConfig,
+                                          const CertificateAuthority& certificateAuthority,
+                                          const BaseCertificates& baseCertificates)
+{
+    Context::configure(generalConfig, certificateAuthority, baseCertificates);
+
+    assert(_sslContext != 0);
+
+    // On servers, Attempt to use non-export (strong) encryption
+    // first.  This option does not always work, and in the OpenSSL
+    // documentation is declared as 'broken'.
+    // SSL_CTX_set_options(_sslContext, SSL_OP_NON_EXPORT_FIRST);
+
+    // Always use a new DH key when using Diffie-Hellman key agreement.
+    SSL_CTX_set_options(_sslContext, SSL_OP_SINGLE_DH_USE);
+
+    // Set the RSA Callback routine in case we need to build a temporary RSA key (ephemeral RSA).
+    SSL_CTX_set_tmp_rsa_callback(_sslContext, tmpRSACallback);
+
+    // Set the DH Callback routine in case we need a temporary DH key (ephemeral DH).
+    SSL_CTX_set_tmp_dh_callback(_sslContext, tmpDHCallback);
+
+    loadCertificateAuthority(certificateAuthority);
+
+    // Set the context for the SSL system [SERVER ONLY].
+    std::string connectionContext = generalConfig.getContext();
+    SSL_CTX_set_session_id_context(_sslContext,
+                                   reinterpret_cast<const unsigned char *>(connectionContext.c_str()),
+                                   connectionContext.size());
+
+    if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
+    {
+        std::ostringstream s;
+
+        s << std::endl;
+        s << "General Configuration - Server" << std::endl;
+        s << "------------------------------" << std::endl;
+        s << generalConfig   << std::endl << std::endl;
+
+        s << "CA File: " << certificateAuthority.getCAFileName() << std::endl;
+        s << "CA Path: " << certificateAuthority.getCAPath() << std::endl;
+
+        s << "Base Certificates - Server" << std::endl;
+        s << "--------------------------" << std::endl;
+        s << baseCertificates << std::endl << std::endl;
+
+        _logger->trace(_traceLevels->securityCat, s.str());
+    }
+}
+
+IceSSL::ConnectionPtr 
+IceSSL::OpenSSL::ServerContext::createConnection(int socket, const SystemInternalPtr& system)
+{
+    if (_sslContext == 0)
+    {
+        IceSSL::OpenSSL::ContextNotConfiguredException contextEx(__FILE__, __LINE__);
+
+        throw contextEx;
+    }
+
+    ConnectionPtr connection = new ServerConnection(_traceLevels,
+                                                    _logger,
+                                                    _certificateVerifier,
+                                                    createSSLConnection(socket),
+                                                    system);
+
+    connectionSetup(connection);
+
+    return connection;
+}
+
+//
+// Protected
+//
+
+IceSSL::OpenSSL::ServerContext::ServerContext(const IceInternal::InstancePtr& instance) :
+                                         Context(instance)
+{
+    _rsaPrivateKeyProperty = "Ice.SSL.Server.Overrides.RSA.PrivateKey";
+    _rsaPublicKeyProperty  = "Ice.SSL.Server.Overrides.RSA.Certificate";
+    _dsaPrivateKeyProperty = "Ice.SSL.Server.Overrides.DSA.PrivateKey";
+    _dsaPublicKeyProperty  = "Ice.SSL.Server.Overrides.DSA.Certificate";
+    _caCertificateProperty = "Ice.SSL.Server.Overrides.CACertificate";
+    _handshakeTimeoutProperty = "Ice.SSL.Server.Handshake.ReadTimeout";
+}
+
+void
+IceSSL::OpenSSL::ServerContext::loadCertificateAuthority(const CertificateAuthority& certAuth)
+{
+    assert(_sslContext != 0);
+
+    Context::loadCertificateAuthority(certAuth);
+
+    std::string caFile = certAuth.getCAFileName();
+
+    // TODO: Check this if things stop working
+    if (!caFile.empty())
+    {
+        STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str());
+
+        if (certNames == 0)
+        {
+            if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+            {
+                std::string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n";
+                errorString += sslGetErrors();
+                _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+            }
+        }
+        else
+        {
+            SSL_CTX_set_client_CA_list(_sslContext, certNames);
+        }
+    }
+}
+