Diffstat (limited to 'cpp/src')
-rw-r--r-- | cpp/src/Ice/ConnectionFactory.cpp | 4 | ||||
-rw-r--r-- | cpp/src/Ice/Proxy.cpp | 2 | ||||
-rw-r--r-- | cpp/src/Ice/SecurityException2.cpp | 82 | ||||
-rw-r--r-- | cpp/src/Ice/SslConnectionOpenSSLServer.cpp | 14 | ||||
-rw-r--r-- | cpp/src/Ice/SslContextOpenSSL.cpp | 93 | ||||
-rw-r--r-- | cpp/src/Ice/SslContextOpenSSLClient.cpp | 5 | ||||
-rw-r--r-- | cpp/src/Ice/SslContextOpenSSLServer.cpp | 5 | ||||
-rw-r--r-- | cpp/src/Ice/SslRSACertificateGen.cpp | 9 | ||||
-rw-r--r-- | cpp/src/Ice/SslSystemOpenSSL.cpp | 19 |
9 files changed, 153 insertions, 80 deletions
diff --git a/cpp/src/Ice/ConnectionFactory.cpp b/cpp/src/Ice/ConnectionFactory.cpp
index ae653723703..31c5dc291ef 100644
--- a/cpp/src/Ice/ConnectionFactory.cpp
+++ b/cpp/src/Ice/ConnectionFactory.cpp
@@ -107,7 +107,7 @@ IceInternal::OutgoingConnectionFactory::create(const vector<EndpointPtr>& endpoi
 {
 exception = auto_ptr<LocalException>(dynamic_cast<LocalException*>(ex.ice_clone()));
 }
- catch (const IceSSL::SecurityException& ex) // TODO: bandaid to make retry w/ ssl work.
+ catch (const IceSSL::SslException& ex) // TODO: bandaid to make retry w/ ssl work.
 {
 exception = auto_ptr<LocalException>(dynamic_cast<LocalException*>(ex.ice_clone()));
 }
@@ -327,7 +327,7 @@ IceInternal::IncomingConnectionFactory::message(BasicStream&)
 connection->activate();
 _connections.push_back(connection);
 }
- catch (const IceSSL::SecurityException&)
+ catch (const IceSSL::SslException&)
 {
 // TODO: bandaid. Takes care of SSL Handshake problems during
 // creation of a Transceiver. Ignore, nothing we can do here.
diff --git a/cpp/src/Ice/Proxy.cpp b/cpp/src/Ice/Proxy.cpp
index c89d6fcbf5d..30e93847900 100644
--- a/cpp/src/Ice/Proxy.cpp
+++ b/cpp/src/Ice/Proxy.cpp
@@ -535,7 +535,7 @@ IceProxy::Ice::Object::__handleException(const LocalException& ex, int& cnt)
 {
 ++cnt;
 }
- catch (const IceSSL::SecurityException&) // TODO: bandaid to make retry w/ ssl work.
+ catch (const IceSSL::SslException&) // TODO: bandaid to make retry w/ ssl work.
 {
 ++cnt;
 }
diff --git a/cpp/src/Ice/SecurityException2.cpp b/cpp/src/Ice/SecurityException2.cpp
index b8a0d91666e..a29bb926fab 100644
--- a/cpp/src/Ice/SecurityException2.cpp
+++ b/cpp/src/Ice/SecurityException2.cpp
@@ -25,7 +25,7 @@ using std::ostream;
 void
-IceSSL::SecurityException::ice_print(ostream& out) const
+IceSSL::SslException::ice_print(ostream& out) const
 {
 Exception::ice_print(out);
 if (!_message.empty())
@@ -34,39 +34,105 @@ IceSSL::SecurityException::ice_print(ostream& out) const
 }
 }
+void
+IceSSL::ConfigurationLoadingException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
 void
 IceSSL::ConfigParseException::ice_print(ostream& out) const
 {
- SecurityException::ice_print(out);
+ SslException::ice_print(out);
 }
 void
 IceSSL::ShutdownException::ice_print(ostream& out) const
 {
- SecurityException::ice_print(out);
+ SslException::ice_print(out);
 }
 void
 IceSSL::ProtocolException::ice_print(ostream& out) const
 {
- SecurityException::ice_print(out);
+ SslException::ice_print(out);
 }
 void
 IceSSL::CertificateException::ice_print(ostream& out) const
 {
- SecurityException::ice_print(out);
+ SslException::ice_print(out);
 }
+void
+IceSSL::CertificateVerificationException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::CertificateSigningException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::CertificateSignatureException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
 void
 IceSSL::CertificateVerifierTypeException::ice_print(ostream& out) const
 {
- SecurityException::ice_print(out);
+ SslException::ice_print(out);
 }
 void
 IceSSL::OpenSSL::ContextException::ice_print(ostream& out) const
 {
- SecurityException::ice_print(out);
+ SslException::ice_print(out);
 }
-
+
+void
+IceSSL::OpenSSL::ContextInitializationException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::ContextNotConfiguredException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::UnsupportedContextException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::CertificateLoadException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::PrivateKeyLoadException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::CertificateKeyMatchException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
+void
+IceSSL::OpenSSL::TrustedCertificateAddException::ice_print(ostream& out) const
+{
+ SslException::ice_print(out);
+}
+
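Review bot: Every ice_print override added in this hunk, from ConfigurationLoadingException down to TrustedCertificateAddException, is a one-line forward to SslException::ice_print, so the new exception types print exactly what the base would have printed without the override. If the header does not require each subclass to declare ice_print, these bodies are dead weight and the base implementation can simply be inherited; if it does, a comment on the first one such as `// All IceSSL exception subtypes print only the inherited SslException output.` tells the next reader not to look for per-type detail. Whether the subtype's name reaches the output at all depends on Exception::ice_print, which is outside this hunk.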
diff --git a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
index 96392f0e551..7df78b3d32d 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
@@ -119,11 +119,19 @@ IceSSL::OpenSSL::ServerConnection::init(int timeout)
 if (verify_error != X509_V_OK)
 {
- CertificateException certEx(__FILE__, __LINE__);
+ CertificateVerificationException certVerEx(__FILE__, __LINE__);
- certEx._message = "SSL certificate verification error.";
+ certVerEx._message = "SSL certificate verification error.";
+
+ string errors = sslGetErrors();
+
+ if (!errors.empty())
+ {
+ certVerEx._message += "\n";
+ certVerEx._message += errors;
+ }
- throw certEx;
+ throw certVerEx;
 }
 else
 {
diff --git a/cpp/src/Ice/SslContextOpenSSL.cpp b/cpp/src/Ice/SslContextOpenSSL.cpp
index 384b287df4e..7b78c3c2ea1 100644
--- a/cpp/src/Ice/SslContextOpenSSL.cpp
+++ b/cpp/src/Ice/SslContextOpenSSL.cpp
@@ -54,22 +54,27 @@ IceSSL::OpenSSL::Context::addTrustedCertificate(const std::string& trustedCertSt
 {
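Review bot: The verification failure reported here attaches only the generic text and sslGetErrors(), never the verify_error code that triggered the branch, so an operator cannot tell an expired certificate from an untrusted issuer when diagnosing a rejected peer. OpenSSL names the code for you: `certVerEx._message += "\n";` `certVerEx._message += X509_verify_cert_error_string(verify_error);` placed before the sslGetErrors() block. The error-queue text may well be empty in this situation, since a verify result read after the handshake is not necessarily mirrored in the thread's error queue, which makes the code string the more reliable detail. ServerConnection::init begins and ends outside the hunk.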
if (_sslContext == 0)
{
- // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
- contextEx._message = "SSL Context not configured.";
+ contextConfigEx._message = "SSL Context not configured.";
- throw contextEx;
+ throw contextConfigEx;
}
RSAPublicKey pubKey(trustedCertString);
X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);
- int addedCertAuthorityCert = X509_STORE_add_cert(certStore, pubKey.getX509PublicKey());
+ assert(certStore != 0);
- // TODO: Make this an exception?
- assert(addedCertAuthorityCert != 0);
+ if (X509_STORE_add_cert(certStore, pubKey.getX509PublicKey()) == 0)
+ {
+ IceSSL::OpenSSL::TrustedCertificateAddException trustEx(__FILE__, __LINE__);
+
+ trustEx._message = sslGetErrors();
+
+ throw trustEx;
+ }
}
void
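Review bot: `assert(certStore != 0)` at the top of the new block is compiled out under NDEBUG, so a release build that gets a null store from SSL_CTX_get_cert_store passes it straight into X509_STORE_add_cert; this hunk already converted the neighbouring assert on the add result into a thrown TrustedCertificateAddException, and the store check deserves the same treatment so the failure is reported rather than crashing. One caveat on the new check itself: with OpenSSL releases of this era X509_STORE_add_cert also returns 0 when the certificate is already in the store, so a configuration that lists the same trusted certificate twice will now surface as a TrustedCertificateAddException; if that is not intended, the duplicate case needs to be recognised before throwing. The enclosing addTrustedCertificate starts outside the hunk.
```cpp
X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);

if (certStore == 0)
{
    IceSSL::OpenSSL::ContextException storeEx(__FILE__, __LINE__);

    storeEx._message = "Unable to obtain the certificate store from the SSL Context.";

    throw storeEx;
}

// … unchanged: X509_STORE_add_cert check and TrustedCertificateAddException …
```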
@@ -78,12 +83,11 @@ IceSSL::OpenSSL::Context::setRSAKeysBase64(const std::string& privateKey,
 {
if (_sslContext == 0)
{
- // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
- contextEx._message = "SSL Context not configured.";
+ contextConfigEx._message = "SSL Context not configured.";
- throw contextEx;
+ throw contextConfigEx;
}
addKeyCert(privateKey, publicKey);
@@ -94,12 +98,11 @@ IceSSL::OpenSSL::Context::setRSAKeys(const Ice::ByteSeq& privateKey, const Ice::
 {
if (_sslContext == 0)
{
- // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
- contextEx._message = "SSL Context not configured.";
+ contextConfigEx._message = "SSL Context not configured.";
- throw contextEx;
+ throw contextConfigEx;
}
addKeyCert(privateKey, publicKey);
@@ -215,11 +218,11 @@ IceSSL::OpenSSL::Context::createContext(SslProtocol sslProtocol)
 if (_sslContext == 0)
{
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextInitializationException contextInitEx(__FILE__, __LINE__);
- contextEx._message = "Unable to create SSL Context.\n" + sslGetErrors();
+ contextInitEx._message = "Unable to create SSL Context.\n" + sslGetErrors();
- throw contextEx;
+ throw contextInitEx;
}
// Turn off session caching, supposedly fixes a problem with multithreading.
@@ -321,18 +324,18 @@ IceSSL::OpenSSL::Context::checkKeyCert()
 // set against the SSL context match up.
if (!SSL_CTX_check_private_key(_sslContext))
{
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::CertificateKeyMatchException certKeyMatchEx(__FILE__, __LINE__);
- contextEx._message = "Private key does not match the certificate public key.";
+ certKeyMatchEx._message = "Private key does not match the certificate public key.";
std::string sslError = sslGetErrors();
if (!sslError.empty())
{
- contextEx._message += "\n";
- contextEx._message += sslError;
+ certKeyMatchEx._message += "\n";
+ certKeyMatchEx._message += sslError;
}
- throw contextEx;
+ throw certKeyMatchEx;
}
}
@@ -354,14 +357,14 @@ IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const Ce
 // Set which Public Key file to use.
if (SSL_CTX_use_certificate_file(_sslContext, publicFile, publicEncoding) <= 0)
{
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
- contextEx._message = "Unable to get certificate from '";
- contextEx._message += publicFile;
- contextEx._message += "'\n";
- contextEx._message += sslGetErrors();
+ certLoadEx._message = "Unable to get certificate from '";
+ certLoadEx._message += publicFile;
+ certLoadEx._message += "'\n";
+ certLoadEx._message += sslGetErrors();
- throw contextEx;
+ throw certLoadEx;
}
if (privateKey.getFileName().empty())
@@ -378,14 +381,14 @@ IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const Ce
 // Set which Private Key file to use.
if (SSL_CTX_use_PrivateKey_file(_sslContext, privKeyFile, privKeyFileType) <= 0)
{
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
- contextEx._message = "Unable to get private key from '";
- contextEx._message += privKeyFile;
- contextEx._message += "'\n";
- contextEx._message += sslGetErrors();
+ pklEx._message = "Unable to get private key from '";
+ pklEx._message += privKeyFile;
+ pklEx._message += "'\n";
+ pklEx._message += sslGetErrors();
- throw contextEx;
+ throw pklEx;
}
checkKeyCert();
@@ -402,18 +405,18 @@ IceSSL::OpenSSL::Context::addKeyCert(const RSAKeyPair& keyPair)
 // Set which Public Key file to use.
if (SSL_CTX_use_certificate(_sslContext, x509Janitor.get()) <= 0)
{
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
- contextEx._message = "Unable to set certificate from memory.";
+ certLoadEx._message = "Unable to set certificate from memory.";
std::string sslError = sslGetErrors();
if (!sslError.empty())
{
- contextEx._message += "\n";
- contextEx._message += sslError;
+ certLoadEx._message += "\n";
+ certLoadEx._message += sslError;
}
- throw contextEx;
+ throw certLoadEx;
}
x509Janitor.clear();
@@ -421,18 +424,18 @@ IceSSL::OpenSSL::Context::addKeyCert(const RSAKeyPair& keyPair)
 // Set which Private Key file to use.
if (SSL_CTX_use_RSAPrivateKey(_sslContext, rsaJanitor.get()) <= 0)
{
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
- contextEx._message = "Unable to set private key from memory.";
+ pklEx._message = "Unable to set private key from memory.";
std::string sslError = sslGetErrors();
if (!sslError.empty())
{
- contextEx._message += "\n";
- contextEx._message += sslError;
+ pklEx._message += "\n";
+ pklEx._message += sslError;
}
- throw contextEx;
+ throw pklEx;
}
rsaJanitor.clear();
diff --git a/cpp/src/Ice/SslContextOpenSSLClient.cpp b/cpp/src/Ice/SslContextOpenSSLClient.cpp
index 375931c65df..2958a24a7ed 100644
--- a/cpp/src/Ice/SslContextOpenSSLClient.cpp
+++ b/cpp/src/Ice/SslContextOpenSSLClient.cpp
@@ -57,10 +57,7 @@ IceSSL::OpenSSL::ClientContext::createConnection(int socket, const SystemInterna
 {
if (_sslContext == 0)
{
- // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
-
- contextEx._message = "SSL Context not configured.";
+ IceSSL::OpenSSL::ContextNotConfiguredException contextEx(__FILE__, __LINE__);
throw contextEx;
}
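Review bot: The replacement ContextNotConfiguredException thrown here is left without a message, while the three sites in SslContextOpenSSL.cpp that make the same switch (addTrustedCertificate, setRSAKeysBase64, setRSAKeys) still set `contextConfigEx._message = "SSL Context not configured.";`. SslException::ice_print only appends _message when it is non-empty, so this exception will print with no explanation unless the new class supplies a default that the header does not show here; keeping `contextEx._message = "SSL Context not configured.";` before the throw restores parity. The same line was dropped in ServerContext::createConnection in SslContextOpenSSLServer.cpp.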
diff --git a/cpp/src/Ice/SslContextOpenSSLServer.cpp b/cpp/src/Ice/SslContextOpenSSLServer.cpp
index bf158f8afee..1c90ed169f7 100644
--- a/cpp/src/Ice/SslContextOpenSSLServer.cpp
+++ b/cpp/src/Ice/SslContextOpenSSLServer.cpp
@@ -78,10 +78,7 @@ IceSSL::OpenSSL::ServerContext::createConnection(int socket, const SystemInterna
 {
if (_sslContext == 0)
{
- // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
-
- contextEx._message = "SSL Context not configured.";
+ IceSSL::OpenSSL::ContextNotConfiguredException contextEx(__FILE__, __LINE__);
throw contextEx;
}
diff --git a/cpp/src/Ice/SslRSACertificateGen.cpp b/cpp/src/Ice/SslRSACertificateGen.cpp
index db9264bf707..0768abded71 100644
--- a/cpp/src/Ice/SslRSACertificateGen.cpp
+++ b/cpp/src/Ice/SslRSACertificateGen.cpp
@@ -14,6 +14,7 @@
 #include <Ice/SslRSAKeyPair.h>
#include <Ice/SslRSAPrivateKey.h>
#include <Ice/SslRSAPublicKey.h>
+#include <Ice/SecurityException.h>
#include <openssl/err.h>
#include <openssl/ssl.h>
@@ -252,17 +253,13 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con
 // Sign the public key using an MD5 digest
if (!X509_sign(x509SelfSigned, pkey, EVP_md5()))
{
- // TODO: Throw exception here.
- // throw CertificateSigningException(__FILE__, __LINE__);
- return 0;
+ throw IceSSL::CertificateSigningException(__FILE__, __LINE__);
}
// Verify the Signature (paranoia)
if (!X509_REQ_verify(signingRequest, pkey))
{
- // TODO: Throw exception here (signature verification)
- // throw CertificateSignatureException(__FILE__, __LINE__);
- return 0;
+ throw IceSSL::CertificateSignatureException(__FILE__, __LINE__);
}
// Nasty Hack: Getting the pkey to let go of our rsaKeyPair - we own that.
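Review bot: Both new throws leave the exception's _message empty, so unlike every other throw site in this commit the signing or verification failure reaches the caller with no OpenSSL detail; if sslGetErrors() is reachable from this file, `IceSSL::CertificateSigningException signEx(__FILE__, __LINE__);` `signEx._message = "Unable to sign certificate.\n" + sslGetErrors();` `throw signEx;` (and the same shape for the verification case) matches the rest of the change. The throws also replace a bare `return 0` without adding cleanup, so x509SelfSigned, pkey and signingRequest, created earlier in generate() outside this hunk, appear to leak on the error path exactly as before, and the trailing comment about pkey still holding the RSA key pair suggests the manual release that would normally follow is skipped; scoped janitors of the kind the Context code uses for x509Janitor and rsaJanitor would close both holes. Separately, the context line shows the certificate being signed with EVP_md5(); that predates this commit, but MD5 is collision-broken for certificate signatures and should be replaced with a SHA-2 digest when this path is next touched. generate() begins and ends outside the hunk.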
diff --git a/cpp/src/Ice/SslSystemOpenSSL.cpp b/cpp/src/Ice/SslSystemOpenSSL.cpp
index 3b86f2bf1aa..aa53b1e31a5 100644
--- a/cpp/src/Ice/SslSystemOpenSSL.cpp
+++ b/cpp/src/Ice/SslSystemOpenSSL.cpp
@@ -40,7 +40,8 @@ using namespace std;
 using IceInternal::TraceLevelsPtr;
 using Ice::LoggerPtr;
-using IceSSL::OpenSSL::ContextException;
+using IceSSL::OpenSSL::ContextException;
+using IceSSL::OpenSSL::UnsupportedContextException;
 using IceSSL::SystemInternalPtr;
 IceSSL::ConnectionPtr
@@ -48,7 +49,11 @@ IceSSL::OpenSSL::System::createConnection(ContextType connectionType, int socket
 {
if (connectionType == ClientServer)
{
- // TODO: Throw exception, Unsupported Context Type?
+ UnsupportedContextException unsupportedException(__FILE__, __LINE__);
+
+ unsupportedException._message = "Unable to create ClientServer connections.";
+
+ throw unsupportedException;
}
// Configure the context if need be.
@@ -174,7 +179,7 @@ IceSSL::OpenSSL::System::loadConfig(ContextType contextType, {
if (configFile.empty())
 {
- IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+ IceSSL::ConfigurationLoadingException configEx(__FILE__, __LINE__);
string contextString;
@@ -199,11 +204,11 @@ IceSSL::OpenSSL::System::loadConfig(ContextType contextType,
 }
}
- contextEx._message = "No SSL configuration file specified for ";
- contextEx._message += contextString;
- contextEx._message += ".";
+ configEx._message = "No SSL configuration file specified for ";
+ configEx._message += contextString;
+ configEx._message += ".";
- throw contextEx;
+ throw configEx;
}
Parser sslConfig(configFile, certPath); |