diff options
Diffstat (limited to 'cpp/src')
96 files changed, 2988 insertions, 2586 deletions
diff --git a/cpp/src/Glacier/GlacierI.cpp b/cpp/src/Glacier/GlacierI.cpp index 2ef6cdd84ce..3982466420b 100644 --- a/cpp/src/Glacier/GlacierI.cpp +++ b/cpp/src/Glacier/GlacierI.cpp @@ -21,7 +21,7 @@ using namespace std; using namespace Ice; using namespace Glacier; -using IceSecurity::Ssl::OpenSSL::RSAKeyPairPtr; +using IceSSL::OpenSSL::RSAKeyPairPtr; Glacier::StarterI::StarterI(const CommunicatorPtr& communicator) : @@ -80,14 +80,14 @@ Glacier::StarterI::startRouter(const string& userId, const string& password, Byt // routerPrivateKeyBase64 and routerCertificateBase64 are passed to the // router as the values for the properties - // * Ice.Security.Ssl.Overrides.Server.RSA.PrivateKey - // * Ice.Security.Ssl.Overrides.Server.RSA.Certificate + // * IceSSL.Server.Overrides.Server.RSA.PrivateKey + // * IceSSL.Server.Overrides.Server.RSA.Certificate // respectively. // // If the router is to act as a client to the Client as well, then // these values should also be passed into the router as the properties - // * Ice.Security.Ssl.Overrides.Client.RSA.PrivateKey - // * Ice.Security.Ssl.Overrides.Client.RSA.Certificate + // * IceSSL.Client.Overrides.RSA.PrivateKey + // * IceSSL.Client.Overrides.RSA.Certificate // respectively. // // The value of clientCertificateBase64 should be passed in to the router @@ -153,15 +153,16 @@ Glacier::StarterI::startRouter(const string& userId, const string& password, Byt // StringSeq args = _properties->getCommandLineOptions(); args.push_back("--Glacier.Router.Identity=" + uuid); - // +
+ // // TODO: Potential security risk, command line parameters can // be seen with `ps'. Keys and certificate should rather be // passed through a pipe? (ML will take care of this...) // - args.push_back("--Ice.Security.Ssl.Overrides.Server.RSA.PrivateKey=" + routerPrivateKeyBase64); - args.push_back("--Ice.Security.Ssl.Overrides.Server.RSA.Certificate=" + routerCertificateBase64); - args.push_back("--Ice.Security.Ssl.Overrides.Client.RSA.PrivateKey=" + routerPrivateKeyBase64); - args.push_back("--Ice.Security.Ssl.Overrides.Client.RSA.Certificate=" + routerCertificateBase64); + args.push_back("--Ice.SSL.Server.Overrides.Server.RSA.PrivateKey=" + routerPrivateKeyBase64);
+ args.push_back("--Ice.SSL.Server.Overrides.Server.RSA.Certificate=" + routerCertificateBase64);
+ args.push_back("--Ice.SSL.Client.Overrides.RSA.PrivateKey=" + routerPrivateKeyBase64);
+ args.push_back("--Ice.SSL.Client.Overrides.RSA.Certificate=" + routerCertificateBase64);
args.push_back("--Glacier.Router.AcceptCert=" + clientCertificateBase64); ostringstream s; s << "--Glacier.Router.PrintProxyOnFd=" << fds[1]; diff --git a/cpp/src/Glacier/GlacierI.h b/cpp/src/Glacier/GlacierI.h index fa535758276..a146be630cf 100644 --- a/cpp/src/Glacier/GlacierI.h +++ b/cpp/src/Glacier/GlacierI.h @@ -18,8 +18,8 @@ namespace Glacier { -using IceSecurity::Ssl::OpenSSL::RSACertificateGenContext; -using IceSecurity::Ssl::OpenSSL::RSACertificateGen; +using IceSSL::OpenSSL::RSACertificateGenContext; +using IceSSL::OpenSSL::RSACertificateGen; class StarterI : public Starter { diff --git a/cpp/src/Glacier/GlacierRouter.cpp b/cpp/src/Glacier/GlacierRouter.cpp index f1e720bc54f..63248092c5e 100644 --- a/cpp/src/Glacier/GlacierRouter.cpp +++ b/cpp/src/Glacier/GlacierRouter.cpp @@ -14,8 +14,11 @@ #include <Glacier/ClientBlobject.h> #include <Glacier/ServerBlobject.h> #include <IceUtil/Base64.h> -#include <Ice/Security.h> -#include <Glacier/CertVerifier.h> +// #include <Ice/Security.h> +// #include <Glacier/CertVerifier.h>
+#include <Ice/SslCertificateVerifierF.h>
+#include <Ice/SslSystem.h>
+#include <Ice/SslExtension.h> using namespace std; using namespace Ice; @@ -123,16 +126,20 @@ Glacier::Router::run(int argc, char* argv[]) // // Set up our CertificateVerifier - // + //
string clientCertBase64 = properties->getProperty("Glacier.Router.AcceptCert"); Ice::ByteSeq clientCert = IceUtil::Base64::decode(clientCertBase64); - string sysIdentifier = properties->getProperty("Ice.Security.Ssl.Config"); - IceSecurity::Ssl::SslContextType contextType = IceSecurity::Ssl::ClientServer; - IceSecurity::Ssl::CertificateVerifierPtr certVerifier = new CertVerifier(clientCert); - IceSecurity::Ssl::setSystemCertificateVerifier(sysIdentifier, contextType, certVerifier); - - properties->setProperty("Ice.Security.Ssl.Overrides.Server.CACertificate", clientCertBase64); -// IceSecurity::Ssl::setSystemCertAuthCertificate(sysIdentifier, contextType, clientCertBase64); + IceSSL::ContextType contextType = IceSSL::ClientServer; +
+ // Get our SSL System and an instance of the SSL Extension itself
+ IceSSL::SystemPtr sslSystem = communicator()->getSslSystem();
+ IceSSL::SslExtensionPtr sslExtension = communicator()->getSslExtension();
+
+ // Install a Certificate Verifier that only accepts the client's certificate.
+ sslSystem->setCertificateVerifier(contextType, sslExtension->getSingleCertVerifier(clientCert));
+
+ // Add the Client's certificate as a trusted certificate.
+ sslSystem->addTrustedCertificate(contextType, clientCertBase64);
// // Create routing table diff --git a/cpp/src/Glacier/Makefile b/cpp/src/Glacier/Makefile index 24874c031cd..dc426d8540b 100644 --- a/cpp/src/Glacier/Makefile +++ b/cpp/src/Glacier/Makefile @@ -26,8 +26,7 @@ OBJS = Glacier.o ROBJS = GlacierRouter.o \ RouterI.o \ ClientBlobject.o \ - ServerBlobject.o \ - CertVerifier.o + ServerBlobject.o SOBJS = GlacierStarter.o \ GlacierI.o diff --git a/cpp/src/Glacier/glacierrouter.dsp b/cpp/src/Glacier/glacierrouter.dsp index fdbb1e1b5ba..c83a0ac0541 100644 --- a/cpp/src/Glacier/glacierrouter.dsp +++ b/cpp/src/Glacier/glacierrouter.dsp @@ -91,10 +91,6 @@ LINK32=link.exe # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"
# Begin Source File
-SOURCE=.\CertVerifier.cpp
-# End Source File
-# Begin Source File
-
SOURCE=.\ClientBlobject.cpp
# End Source File
# Begin Source File
@@ -115,10 +111,6 @@ SOURCE=.\ServerBlobject.cpp # PROP Default_Filter "h;hpp;hxx;hm;inl"
# Begin Source File
-SOURCE=.\CertVerifier.h
-# End Source File
-# Begin Source File
-
SOURCE=.\ClientBlobject.h
# End Source File
# Begin Source File
diff --git a/cpp/src/Ice/CommunicatorI.cpp b/cpp/src/Ice/CommunicatorI.cpp index 168c2a02b7e..891a090d927 100644 --- a/cpp/src/Ice/CommunicatorI.cpp +++ b/cpp/src/Ice/CommunicatorI.cpp @@ -18,7 +18,9 @@ #include <Ice/UserExceptionFactoryManager.h> #include <Ice/ObjectAdapterFactory.h> #include <Ice/LoggerUtil.h> -#include <Ice/Exception.h> +#include <Ice/Exception.h>
+#include <Ice/SslExtensionInternal.h>
+#include <Ice/SslSystemInternal.h> using namespace std; using namespace Ice; @@ -227,6 +229,18 @@ Ice::CommunicatorI::setDefaultRouter(const RouterPrx& router) { _instance->referenceFactory()->setDefaultRouter(router); } +
+::IceSSL::SslExtensionPtr
+Ice::CommunicatorI::getSslExtension()
+{
+ return ::IceSSL::SslExtensionPtr(new ::IceSSL::SslExtensionInternal(_instance));
+}
+
+::IceSSL::SystemPtr
+Ice::CommunicatorI::getSslSystem()
+{
+ return ::IceSSL::SystemPtr::dynamicCast(_instance->getSslSystem());
+}
Ice::CommunicatorI::CommunicatorI(const PropertiesPtr& properties) { diff --git a/cpp/src/Ice/CommunicatorI.h b/cpp/src/Ice/CommunicatorI.h index 1b56d12e957..50691487cb4 100644 --- a/cpp/src/Ice/CommunicatorI.h +++ b/cpp/src/Ice/CommunicatorI.h @@ -15,7 +15,10 @@ #include <Ice/ThreadPoolF.h> #include <Ice/Initialize.h> -#include <Ice/Communicator.h> +#include <Ice/Communicator.h>
+#include <Ice/SslExtensionF.h>
+#include <Ice/SslSystemInternalF.h>
+#include <Ice/SslSystemF.h> namespace Ice { @@ -49,6 +52,9 @@ public: virtual void setLogger(const LoggerPtr&); virtual void setDefaultRouter(const RouterPrx&); +
+ virtual ::IceSSL::SslExtensionPtr getSslExtension();
+ virtual ::IceSSL::SystemPtr getSslSystem();
private: diff --git a/cpp/src/Ice/ConnectionFactory.cpp b/cpp/src/Ice/ConnectionFactory.cpp index 337812908bd..ae653723703 100644 --- a/cpp/src/Ice/ConnectionFactory.cpp +++ b/cpp/src/Ice/ConnectionFactory.cpp @@ -107,7 +107,7 @@ IceInternal::OutgoingConnectionFactory::create(const vector<EndpointPtr>& endpoi { exception = auto_ptr<LocalException>(dynamic_cast<LocalException*>(ex.ice_clone())); } - catch (const IceSecurity::SecurityException& ex) // TODO: bandaid to make retry w/ ssl work. + catch (const IceSSL::SecurityException& ex) // TODO: bandaid to make retry w/ ssl work. { exception = auto_ptr<LocalException>(dynamic_cast<LocalException*>(ex.ice_clone())); } @@ -327,7 +327,7 @@ IceInternal::IncomingConnectionFactory::message(BasicStream&) connection->activate(); _connections.push_back(connection); } - catch (const IceSecurity::SecurityException&) + catch (const IceSSL::SecurityException&) { // TODO: bandaid. Takes care of SSL Handshake problems during // creation of a Transceiver. Ignore, nothing we can do here. diff --git a/cpp/src/Ice/CryptKey.cpp b/cpp/src/Ice/CryptKey.cpp index cee409edea1..e9cf4c5ddfa 100644 --- a/cpp/src/Ice/CryptKey.cpp +++ b/cpp/src/Ice/CryptKey.cpp @@ -12,38 +12,38 @@ using Ice::ByteSeq; -void ::IceInternal::incRef(::IceSecurity::SecureUdp::CryptKey* p) { p->__incRef(); } -void ::IceInternal::decRef(::IceSecurity::SecureUdp::CryptKey* p) { p->__decRef(); } +void ::IceInternal::incRef(::SecureUdp::CryptKey* p) { p->__incRef(); } +void ::IceInternal::decRef(::SecureUdp::CryptKey* p) { p->__decRef(); } -IceSecurity::SecureUdp::CryptKey::CryptKey(const ByteSeq& key) : +SecureUdp::CryptKey::CryptKey(const ByteSeq& key) : _keyBytes(key) { } -IceSecurity::SecureUdp::CryptKey::~CryptKey() +SecureUdp::CryptKey::~CryptKey() { } const ByteSeq& -IceSecurity::SecureUdp::CryptKey::toByteSeq() const +SecureUdp::CryptKey::toByteSeq() const { return _keyBytes; } bool -IceSecurity::SecureUdp::CryptKey::operator == (const CryptKey& key) const +SecureUdp::CryptKey::operator == (const CryptKey& key) const { return _keyBytes == key._keyBytes; } bool -IceSecurity::SecureUdp::CryptKey::operator != (const CryptKey& key) const +SecureUdp::CryptKey::operator != (const CryptKey& key) const { return !operator==(key); } bool -IceSecurity::SecureUdp::CryptKey::operator < (const CryptKey& key) const +SecureUdp::CryptKey::operator < (const CryptKey& key) const { return _keyBytes < key._keyBytes; } diff --git a/cpp/src/Ice/CryptKey.h b/cpp/src/Ice/CryptKey.h index a673d02d3f9..4da7851e636 100644 --- a/cpp/src/Ice/CryptKey.h +++ b/cpp/src/Ice/CryptKey.h @@ -15,9 +15,6 @@ #include <Ice/Stream.h> #include <Ice/CryptKeyF.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -54,7 +51,5 @@ inline bool operator==(const CryptKeyPtr& cryptKeyPtr, const CryptKey& cryptKey) } -} - #endif diff --git a/cpp/src/Ice/CryptKeyF.h b/cpp/src/Ice/CryptKeyF.h index ff9f3151674..04060533a13 100644 --- a/cpp/src/Ice/CryptKeyF.h +++ b/cpp/src/Ice/CryptKeyF.h @@ -13,9 +13,6 @@ #include <Ice/Handle.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -24,13 +21,11 @@ typedef IceInternal::Handle<CryptKey> CryptKeyPtr; } -} - namespace IceInternal { -void incRef(::IceSecurity::SecureUdp::CryptKey*); -void decRef(::IceSecurity::SecureUdp::CryptKey*); +void incRef(::SecureUdp::CryptKey*); +void decRef(::SecureUdp::CryptKey*); } diff --git a/cpp/src/Ice/Cryptor.cpp b/cpp/src/Ice/Cryptor.cpp index 86469ef186b..563b315de5e 100644 --- a/cpp/src/Ice/Cryptor.cpp +++ b/cpp/src/Ice/Cryptor.cpp @@ -12,23 +12,23 @@ #include <Ice/CryptKey.h> #include <algorithm> -void ::IceInternal::incRef(::IceSecurity::SecureUdp::Cryptor* p) { p->__incRef(); } -void ::IceInternal::decRef(::IceSecurity::SecureUdp::Cryptor* p) { p->__decRef(); } +void ::IceInternal::incRef(::SecureUdp::Cryptor* p) { p->__incRef(); } +void ::IceInternal::decRef(::SecureUdp::Cryptor* p) { p->__decRef(); } using Ice::ByteSeq; -using IceSecurity::SecureUdp::CryptKey; -using IceSecurity::SecureUdp::CryptKeyPtr; +using SecureUdp::CryptKey; +using SecureUdp::CryptKeyPtr; -IceSecurity::SecureUdp::Cryptor::Cryptor() +SecureUdp::Cryptor::Cryptor() { } -IceSecurity::SecureUdp::Cryptor::~Cryptor() +SecureUdp::Cryptor::~Cryptor() { } const CryptKeyPtr -IceSecurity::SecureUdp::Cryptor::getNewKey() +SecureUdp::Cryptor::getNewKey() { // Gotta return a newly generated key here. ByteSeq byteSeq; @@ -56,7 +56,7 @@ IceSecurity::SecureUdp::Cryptor::getNewKey() } const CryptKeyPtr -IceSecurity::SecureUdp::Cryptor::getKey(const ByteSeq& key) +SecureUdp::Cryptor::getKey(const ByteSeq& key) { CryptKeyPtr cryptKey = new CryptKey(key); @@ -73,7 +73,7 @@ IceSecurity::SecureUdp::Cryptor::getKey(const ByteSeq& key) } const CryptKeyPtr -IceSecurity::SecureUdp::Cryptor::getOrCreateKey(const ByteSeq& key) +SecureUdp::Cryptor::getOrCreateKey(const ByteSeq& key) { CryptKeyPtr cryptKey; @@ -90,13 +90,13 @@ IceSecurity::SecureUdp::Cryptor::getOrCreateKey(const ByteSeq& key) } void -IceSecurity::SecureUdp::Cryptor::encrypt(const CryptKeyPtr& key, const ByteSeq& plainBuffer, ByteSeq& encryptedBuffer) +SecureUdp::Cryptor::encrypt(const CryptKeyPtr& key, const ByteSeq& plainBuffer, ByteSeq& encryptedBuffer) { encryptedBuffer = plainBuffer; } void -IceSecurity::SecureUdp::Cryptor::decrypt(const CryptKeyPtr& key, const ByteSeq& encryptedBuffer, ByteSeq& plainBuffer) +SecureUdp::Cryptor::decrypt(const CryptKeyPtr& key, const ByteSeq& encryptedBuffer, ByteSeq& plainBuffer) { plainBuffer = encryptedBuffer; } diff --git a/cpp/src/Ice/Cryptor.h b/cpp/src/Ice/Cryptor.h index 35554c96a35..9794baddff1 100644 --- a/cpp/src/Ice/Cryptor.h +++ b/cpp/src/Ice/Cryptor.h @@ -17,9 +17,6 @@ #include <Ice/CryptorF.h> #include <vector> -namespace IceSecurity -{ - namespace SecureUdp { @@ -49,7 +46,5 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/CryptorF.h b/cpp/src/Ice/CryptorF.h index 2a37bf58fe1..f9ce75b3bc2 100644 --- a/cpp/src/Ice/CryptorF.h +++ b/cpp/src/Ice/CryptorF.h @@ -13,9 +13,6 @@ #include <Ice/Handle.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -24,13 +21,11 @@ typedef IceInternal::Handle<Cryptor> CryptorPtr; } -} - namespace IceInternal { -void incRef(::IceSecurity::SecureUdp::Cryptor*); -void decRef(::IceSecurity::SecureUdp::Cryptor*); +void incRef(::SecureUdp::Cryptor*); +void decRef(::SecureUdp::Cryptor*); } diff --git a/cpp/src/Ice/DefaultCertificateVerifier.cpp b/cpp/src/Ice/DefaultCertificateVerifier.cpp new file mode 100644 index 00000000000..2bbc6337d0a --- /dev/null +++ b/cpp/src/Ice/DefaultCertificateVerifier.cpp @@ -0,0 +1,103 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/OpenSSL.h>
+#include <Ice/DefaultCertificateVerifier.h>
+#include <Ice/SslOpenSSLUtils.h>
+#include <ostream>
+
+using namespace std;
+
+IceSSL::OpenSSL::DefaultCertificateVerifier::DefaultCertificateVerifier(
+ const IceInternal::InstancePtr& instance) :
+ _traceLevels(instance->traceLevels()),
+ _logger(instance->logger())
+{
+}
+
+int
+IceSSL::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay,
+ X509_STORE_CTX* x509StoreContext,
+ SSL* sslConnection)
+{
+ //
+ // Default verification steps.
+ //
+
+ int verifyError = X509_STORE_CTX_get_error(x509StoreContext);
+ int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext);
+ int verifyDepth = SSL_get_verify_depth(sslConnection);
+
+ // Verify Depth was set
+ if (verifyError != X509_V_OK)
+ {
+ // If we have no errors so far, and the certificate chain is too long
+ if ((verifyDepth != -1) && (verifyDepth < errorDepth))
+ {
+ verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG;
+ X509_STORE_CTX_set_error(x509StoreContext, verifyError);
+ }
+
+ // If we have ANY errors, we bail out.
+ preVerifyOkay = 0;
+ }
+
+ // Only if ICE_PROTOCOL level logging is on do we worry about this.
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
+ {
+ char buf[256];
+
+ X509* err_cert = X509_STORE_CTX_get_current_cert(x509StoreContext);
+
+ X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+
+ ostringstream outStringStream;
+
+ outStringStream << "depth = " << dec << errorDepth << ":" << buf << std::endl;
+
+ if (!preVerifyOkay)
+ {
+ outStringStream << "verify error: num = " << verifyError << " : "
+ << X509_verify_cert_error_string(verifyError) << endl;
+
+ }
+
+ switch (verifyError)
+ {
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ {
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
+ outStringStream << "issuer = " << buf << endl;
+ break;
+ }
+
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ {
+ outStringStream << "notBefore = " << getASN1time(X509_get_notBefore(err_cert)) << endl;
+ break;
+ }
+
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ {
+ outStringStream << "notAfter = " << getASN1time(X509_get_notAfter(err_cert)) << endl;
+ break;
+ }
+ }
+
+ outStringStream << "verify return = " << preVerifyOkay << endl;
+
+ _logger->trace(_traceLevels->securityCat, outStringStream.str());
+ }
+
+ return preVerifyOkay;
+}
+
diff --git a/cpp/src/Ice/DefaultCertificateVerifier.h b/cpp/src/Ice/DefaultCertificateVerifier.h new file mode 100644 index 00000000000..140e3900dd8 --- /dev/null +++ b/cpp/src/Ice/DefaultCertificateVerifier.h @@ -0,0 +1,43 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_DEFAULT_CERTIFICATE_VERIFIER_H
+#define ICE_SSL_DEFAULT_CERTIFICATE_VERIFIER_H
+
+#include <IceUtil/Config.h>
+#include <Ice/Logger.h>
+#include <Ice/TraceLevels.h>
+#include <Ice/Instance.h>
+#include <Ice/SslCertificateVerifierOpenSSL.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class DefaultCertificateVerifier : public IceSSL::OpenSSL::CertificateVerifier
+{
+
+public:
+ DefaultCertificateVerifier(const IceInternal::InstancePtr&);
+
+ virtual int verify(int, X509_STORE_CTX*, SSL*);
+
+private:
+ IceInternal::TraceLevelsPtr _traceLevels;
+ Ice::LoggerPtr _logger;
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/Instance.cpp b/cpp/src/Ice/Instance.cpp index 02462e9a580..efd8f5bde83 100644 --- a/cpp/src/Ice/Instance.cpp +++ b/cpp/src/Ice/Instance.cpp @@ -22,6 +22,8 @@ #include <Ice/Properties.h> #include <Ice/LoggerI.h> #include <Ice/Network.h> +#include <Ice/SslSystemInternal.h>
+#include <Ice/SslFactory.h>
#ifndef WIN32 # include <Ice/SysLoggerI.h> @@ -114,6 +116,12 @@ IceInternal::Instance::defaultHost() // No mutex lock, immutable. return _defaultHost; } +
+::IceSSL::SystemInternalPtr
+IceInternal::Instance::getSslSystem()
+{
+ return _sslSystem;
+}
RouterManagerPtr IceInternal::Instance::routerManager() @@ -291,7 +299,10 @@ IceInternal::Instance::Instance(const CommunicatorPtr& communicator, const Prope _userExceptionFactoryManager = new UserExceptionFactoryManager(); _objectAdapterFactory = new ObjectAdapterFactory(this); _threadPool = new ThreadPool(this); - __setNoDelete(false); + __setNoDelete(false);
+
+ // Get our instance of the SSL System
+ _sslSystem = IceSSL::Factory::getSystem(this); } catch(...) { @@ -417,7 +428,7 @@ IceInternal::Instance::destroy() // synchronization. // threadPool = _threadPool; - _threadPool = 0; + _threadPool = 0; } if (threadPool) diff --git a/cpp/src/Ice/Instance.h b/cpp/src/Ice/Instance.h index 4015527d9ba..afe599e6495 100644 --- a/cpp/src/Ice/Instance.h +++ b/cpp/src/Ice/Instance.h @@ -25,7 +25,9 @@ #include <Ice/ConnectionFactoryF.h> #include <Ice/ObjectFactoryManagerF.h> #include <Ice/UserExceptionFactoryManagerF.h> -#include <Ice/ObjectAdapterFactoryF.h> +#include <Ice/ObjectAdapterFactoryF.h>
+#include <Ice/SslSystemF.h>
+#include <Ice/SslSystemInternalF.h> #include <list> namespace Ice @@ -56,7 +58,8 @@ public: ObjectAdapterFactoryPtr objectAdapterFactory(); ThreadPoolPtr threadPool(); std::string defaultProtocol(); - std::string defaultHost(); + std::string defaultHost();
+ ::IceSSL::SystemInternalPtr getSslSystem(); private: @@ -79,6 +82,7 @@ private: ThreadPoolPtr _threadPool; std::string _defaultProtocol; // Immutable, not reset by destroy(). std::string _defaultHost; // Immutable, not reset by destroy(). + ::IceSSL::SystemInternalPtr _sslSystem;
// // Global state management diff --git a/cpp/src/Ice/MessageAuthenticator.cpp b/cpp/src/Ice/MessageAuthenticator.cpp index 6ec4a1b2eb3..42207fbdcfa 100644 --- a/cpp/src/Ice/MessageAuthenticator.cpp +++ b/cpp/src/Ice/MessageAuthenticator.cpp @@ -12,10 +12,10 @@ using Ice::ByteSeq; -void ::IceInternal::incRef(::IceSecurity::SecureUdp::MessageAuthenticator* p) { p->__incRef(); } -void ::IceInternal::decRef(::IceSecurity::SecureUdp::MessageAuthenticator* p) { p->__decRef(); } +void ::IceInternal::incRef(::SecureUdp::MessageAuthenticator* p) { p->__incRef(); } +void ::IceInternal::decRef(::SecureUdp::MessageAuthenticator* p) { p->__decRef(); } -IceSecurity::SecureUdp::MessageAuthenticator::MessageAuthenticator() +SecureUdp::MessageAuthenticator::MessageAuthenticator() { // TODO: Should generate a random MAC key here @@ -34,17 +34,17 @@ IceSecurity::SecureUdp::MessageAuthenticator::MessageAuthenticator() _macKeyBytes.push_back(2); } -IceSecurity::SecureUdp::MessageAuthenticator::MessageAuthenticator(const ByteSeq& macKey) +SecureUdp::MessageAuthenticator::MessageAuthenticator(const ByteSeq& macKey) { _macKeyBytes = macKey; } -IceSecurity::SecureUdp::MessageAuthenticator::~MessageAuthenticator() +SecureUdp::MessageAuthenticator::~MessageAuthenticator() { } ByteSeq -IceSecurity::SecureUdp::MessageAuthenticator::computeMAC(const ByteSeq& message) const +SecureUdp::MessageAuthenticator::computeMAC(const ByteSeq& message) const { // TODO: Should generate a REAL MAC here. ByteSeq bytes; @@ -67,14 +67,14 @@ IceSecurity::SecureUdp::MessageAuthenticator::computeMAC(const ByteSeq& message) } bool -IceSecurity::SecureUdp::MessageAuthenticator::authenticate(const ByteSeq& message, const ByteSeq& macCode) +SecureUdp::MessageAuthenticator::authenticate(const ByteSeq& message, const ByteSeq& macCode) { ByteSeq targetMAC = computeMAC(message); return targetMAC == macCode; } const ByteSeq& -IceSecurity::SecureUdp::MessageAuthenticator::getMACKey() const +SecureUdp::MessageAuthenticator::getMACKey() const { return _macKeyBytes; } diff --git a/cpp/src/Ice/MessageAuthenticator.h b/cpp/src/Ice/MessageAuthenticator.h index b20f4bbaa67..a829cc4e27b 100644 --- a/cpp/src/Ice/MessageAuthenticator.h +++ b/cpp/src/Ice/MessageAuthenticator.h @@ -15,9 +15,6 @@ #include <Ice/Stream.h> #include <Ice/MessageAuthenticatorF.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -42,7 +39,5 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/MessageAuthenticatorF.h b/cpp/src/Ice/MessageAuthenticatorF.h index e37887b141a..7d0cd83f2b6 100644 --- a/cpp/src/Ice/MessageAuthenticatorF.h +++ b/cpp/src/Ice/MessageAuthenticatorF.h @@ -13,9 +13,6 @@ #include <Ice/Handle.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -24,13 +21,11 @@ typedef IceInternal::Handle<MessageAuthenticator> MessageAuthenticatorPtr; } -} - namespace IceInternal { -void incRef(::IceSecurity::SecureUdp::MessageAuthenticator*); -void decRef(::IceSecurity::SecureUdp::MessageAuthenticator*); +void incRef(::SecureUdp::MessageAuthenticator*); +void decRef(::SecureUdp::MessageAuthenticator*); } diff --git a/cpp/src/Ice/OpenSSL.h b/cpp/src/Ice/OpenSSL.h index 9481f15a98e..6fbf6aebb57 100644 --- a/cpp/src/Ice/OpenSSL.h +++ b/cpp/src/Ice/OpenSSL.h @@ -12,7 +12,7 @@ #include <openssl/ssl.h>
-namespace IceSecurity
+namespace IceSSL
{
typedef enum
@@ -24,6 +24,15 @@ typedef enum SECURITY_PROTOCOL_DEBUG
} SecurityTraceLevel;
+enum SslProtocol
+{
+ SSL_V2 = 1, // Only speak SSLv2
+ SSL_V23, // Speak SSLv2 and SSLv3
+ SSL_V3, // Only speak SSLv3
+ TLS_V1 // Only speak TLSv1
+};
+
}
+
#endif
diff --git a/cpp/src/Ice/Proxy.cpp b/cpp/src/Ice/Proxy.cpp index e304489c6fe..c89d6fcbf5d 100644 --- a/cpp/src/Ice/Proxy.cpp +++ b/cpp/src/Ice/Proxy.cpp @@ -535,7 +535,7 @@ IceProxy::Ice::Object::__handleException(const LocalException& ex, int& cnt) { ++cnt; } - catch (const IceSecurity::SecurityException&) // TODO: bandaid to make retry w/ ssl work. + catch (const IceSSL::SecurityException&) // TODO: bandaid to make retry w/ ssl work. { ++cnt; } diff --git a/cpp/src/Ice/SUdpClient.cpp b/cpp/src/Ice/SUdpClient.cpp index 9fc52e1105e..1540a95ec75 100644 --- a/cpp/src/Ice/SUdpClient.cpp +++ b/cpp/src/Ice/SUdpClient.cpp @@ -14,13 +14,13 @@ #include <Ice/SecureUdp.h> using Ice::Long; -using IceSecurity::SecureUdp::CryptKeyPtr; -using IceSecurity::SecureUdp::MessageAuthenticatorPtr; +using SecureUdp::CryptKeyPtr; +using SecureUdp::MessageAuthenticatorPtr; -void ::IceInternal::incRef(::IceSecurity::SecureUdp::SUdpClient* p) { p->__incRef(); } -void ::IceInternal::decRef(::IceSecurity::SecureUdp::SUdpClient* p) { p->__decRef(); } +void ::IceInternal::incRef(::SecureUdp::SUdpClient* p) { p->__incRef(); } +void ::IceInternal::decRef(::SecureUdp::SUdpClient* p) { p->__decRef(); } -IceSecurity::SecureUdp::SUdpClient::SUdpClient(Long clientID, +SecureUdp::SUdpClient::SUdpClient(Long clientID, const ClientChannelPrx& clientChannel, const MessageAuthenticatorPtr& messageAuthenticator) : _clientID(clientID), @@ -31,58 +31,58 @@ IceSecurity::SecureUdp::SUdpClient::SUdpClient(Long clientID, assert(_messageAuthenticator); } -IceSecurity::SecureUdp::SUdpClient::~SUdpClient() +SecureUdp::SUdpClient::~SUdpClient() { } void -IceSecurity::SecureUdp::SUdpClient::serverHello(const CryptKeyPtr& key) +SecureUdp::SUdpClient::serverHello(const CryptKeyPtr& key) { assert(_clientChannel); _clientChannel->serverHello(_clientID, key->toByteSeq()); } void -IceSecurity::SecureUdp::SUdpClient::serverKeyChange(const CryptKeyPtr& key) +SecureUdp::SUdpClient::serverKeyChange(const CryptKeyPtr& key) { assert(_clientChannel); _clientChannel->serverKeyChange(key->toByteSeq()); } void -IceSecurity::SecureUdp::SUdpClient::serverGoodbye() +SecureUdp::SUdpClient::serverGoodbye() { assert(_clientChannel); _clientChannel->serverGoodbye(); } Long -IceSecurity::SecureUdp::SUdpClient::getClientID() const +SecureUdp::SUdpClient::getClientID() const { return _clientID; } const CryptKeyPtr& -IceSecurity::SecureUdp::SUdpClient::getCryptKey() const +SecureUdp::SUdpClient::getCryptKey() const { return _cryptKey; } const CryptKeyPtr& -IceSecurity::SecureUdp::SUdpClient::getCryptKey(Long msgID) const +SecureUdp::SUdpClient::getCryptKey(Long msgID) const { // TODO: Must be able to return a CryptKey based on a msgID return _cryptKey; } const MessageAuthenticatorPtr& -IceSecurity::SecureUdp::SUdpClient::getMessageAuthenticator() const +SecureUdp::SUdpClient::getMessageAuthenticator() const { return _messageAuthenticator; } void -IceSecurity::SecureUdp::SUdpClient::setNewCryptKey(Long msgID, const CryptKeyPtr& cryptKey) +SecureUdp::SUdpClient::setNewCryptKey(Long msgID, const CryptKeyPtr& cryptKey) { _cryptKey = cryptKey; } diff --git a/cpp/src/Ice/SUdpClient.h b/cpp/src/Ice/SUdpClient.h index b78ff63da07..d64cb5c446d 100644 --- a/cpp/src/Ice/SUdpClient.h +++ b/cpp/src/Ice/SUdpClient.h @@ -18,9 +18,6 @@ #include <Ice/MessageAuthenticatorF.h> #include <Ice/CryptKeyF.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -56,8 +53,6 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/SUdpClientControlChannel.cpp b/cpp/src/Ice/SUdpClientControlChannel.cpp index fd393dcc73c..3cce8b5bb40 100644 --- a/cpp/src/Ice/SUdpClientControlChannel.cpp +++ b/cpp/src/Ice/SUdpClientControlChannel.cpp @@ -25,7 +25,7 @@ using namespace std; using namespace Ice; -using namespace IceSecurity::SecureUdp; +using namespace SecureUdp; using IceInternal::BasicStream; using IceInternal::InstancePtr; using IceInternal::SUdpTransceiver; @@ -36,7 +36,7 @@ using IceInternal::Buffer; //////////////////////////////////////////////////////////////////////////////// void -IceSecurity::SecureUdp::ClientControlChannel::serverHello(Long clientID, const ByteSeq& key, const Current&) +SecureUdp::ClientControlChannel::serverHello(Long clientID, const ByteSeq& key, const Current&) { IceUtil::Mutex::Lock sync(_mutex); @@ -48,7 +48,7 @@ IceSecurity::SecureUdp::ClientControlChannel::serverHello(Long clientID, const B } void -IceSecurity::SecureUdp::ClientControlChannel::serverKeyChange(const ByteSeq& key, const Current&) +SecureUdp::ClientControlChannel::serverKeyChange(const ByteSeq& key, const Current&) { IceUtil::Mutex::Lock sync(_mutex); @@ -56,7 +56,7 @@ IceSecurity::SecureUdp::ClientControlChannel::serverKeyChange(const ByteSeq& key } void -IceSecurity::SecureUdp::ClientControlChannel::serverGoodbye(const Current&) +SecureUdp::ClientControlChannel::serverGoodbye(const Current&) { IceUtil::Mutex::Lock sync(_mutex); @@ -67,7 +67,7 @@ IceSecurity::SecureUdp::ClientControlChannel::serverGoodbye(const Current&) // Protected Methods //////////////////////////////////////////////////////////////////////////////// -IceSecurity::SecureUdp::ClientControlChannel::ClientControlChannel(SUdpTransceiver* transceiver, +SecureUdp::ClientControlChannel::ClientControlChannel(SUdpTransceiver* transceiver, const InstancePtr& instance, const std::string& host, int port) : @@ -137,7 +137,7 @@ IceSecurity::SecureUdp::ClientControlChannel::ClientControlChannel(SUdpTransceiv clientHello(); } -IceSecurity::SecureUdp::ClientControlChannel::~ClientControlChannel() +SecureUdp::ClientControlChannel::~ClientControlChannel() { // Make it impossible for the control channel to access the Transceiver // after transceiver destruction. @@ -145,7 +145,7 @@ IceSecurity::SecureUdp::ClientControlChannel::~ClientControlChannel() } void -IceSecurity::SecureUdp::ClientControlChannel::serverKeyChangeMessage(const ByteSeq& key) +SecureUdp::ClientControlChannel::serverKeyChangeMessage(const ByteSeq& key) { Long msgID = _msgID + 1; @@ -160,7 +160,7 @@ IceSecurity::SecureUdp::ClientControlChannel::serverKeyChangeMessage(const ByteS } void -IceSecurity::SecureUdp::ClientControlChannel::clientHello() +SecureUdp::ClientControlChannel::clientHello() { _serverChannel->clientHello(_clientProxy, _messageAuthenticator->getMACKey()); } @@ -171,7 +171,7 @@ IceSecurity::SecureUdp::ClientControlChannel::clientHello() //////////////////////////////////////////////////////////////////////////////// void -IceSecurity::SecureUdp::ClientControlChannel::encryptPacket(Buffer& buffer, Buffer& encryptedPacket) +SecureUdp::ClientControlChannel::encryptPacket(Buffer& buffer, Buffer& encryptedPacket) { IceUtil::Mutex::Lock sync(_mutex); @@ -216,7 +216,7 @@ IceSecurity::SecureUdp::ClientControlChannel::encryptPacket(Buffer& buffer, Buff } void -IceSecurity::SecureUdp::ClientControlChannel::clientKeyRequest() +SecureUdp::ClientControlChannel::clientKeyRequest() { _serverChannel->clientKeyRequest(_clientID); } diff --git a/cpp/src/Ice/SUdpClientControlChannel.h b/cpp/src/Ice/SUdpClientControlChannel.h index 69528333017..f30eeb910c2 100644 --- a/cpp/src/Ice/SUdpClientControlChannel.h +++ b/cpp/src/Ice/SUdpClientControlChannel.h @@ -17,9 +17,6 @@ #include <Ice/CryptKeyF.h> #include <Ice/MessageAuthenticatorF.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -64,7 +61,5 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/SUdpClientF.h b/cpp/src/Ice/SUdpClientF.h index 470fe882e28..fca64750658 100644 --- a/cpp/src/Ice/SUdpClientF.h +++ b/cpp/src/Ice/SUdpClientF.h @@ -13,9 +13,6 @@ #include <Ice/Handle.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -24,13 +21,11 @@ typedef IceInternal::Handle<SUdpClient> SUdpClientPtr; } -} - namespace IceInternal { -void incRef(::IceSecurity::SecureUdp::SUdpClient*); -void decRef(::IceSecurity::SecureUdp::SUdpClient*); +void incRef(::SecureUdp::SUdpClient*); +void decRef(::SecureUdp::SUdpClient*); } diff --git a/cpp/src/Ice/SUdpControlChannel.cpp b/cpp/src/Ice/SUdpControlChannel.cpp index a82a08017fa..1711983ffca 100644 --- a/cpp/src/Ice/SUdpControlChannel.cpp +++ b/cpp/src/Ice/SUdpControlChannel.cpp @@ -17,28 +17,28 @@ using namespace std; using namespace Ice; -void ::IceInternal::incRef(::IceSecurity::SecureUdp::ControlChannel* p) { p->__incRef(); } -void ::IceInternal::decRef(::IceSecurity::SecureUdp::ControlChannel* p) { p->__decRef(); } - -IceSecurity::SecureUdp::ControlChannel::ControlChannel(IceInternal::SUdpTransceiver* transceiver, - const IceInternal::InstancePtr& instance) : - _transceiver(transceiver), - _instance(instance), - _traceLevels(instance->traceLevels()), - _logger(instance->logger()) +void ::IceInternal::incRef(::SecureUdp::ControlChannel* p) { p->__incRef(); } +void ::IceInternal::decRef(::SecureUdp::ControlChannel* p) { p->__decRef(); } + +SecureUdp::ControlChannel::ControlChannel(IceInternal::SUdpTransceiver* transceiver, + const IceInternal::InstancePtr& instance) : + _transceiver(transceiver), + _instance(instance), + _traceLevels(instance->traceLevels()), + _logger(instance->logger()) { assert(transceiver); _cryptor = new Cryptor(); } -IceSecurity::SecureUdp::ControlChannel::~ControlChannel() +SecureUdp::ControlChannel::~ControlChannel() { unsetTransceiver(); } void -IceSecurity::SecureUdp::ControlChannel::unsetTransceiver() +SecureUdp::ControlChannel::unsetTransceiver() { IceUtil::Mutex::Lock sync(_mutex); _transceiver = 0; diff --git a/cpp/src/Ice/SUdpControlChannel.h b/cpp/src/Ice/SUdpControlChannel.h index b6c7dc8e6f3..ee3be1304ec 100644 --- a/cpp/src/Ice/SUdpControlChannel.h +++ b/cpp/src/Ice/SUdpControlChannel.h @@ -20,9 +20,6 @@ #include <Ice/SUdpTransceiverF.h> #include <Ice/CryptorF.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -49,7 +46,5 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/SUdpControlChannelF.h b/cpp/src/Ice/SUdpControlChannelF.h index dbe0898b33b..e19c7189bee 100644 --- a/cpp/src/Ice/SUdpControlChannelF.h +++ b/cpp/src/Ice/SUdpControlChannelF.h @@ -13,9 +13,6 @@ #include <Ice/Handle.h> -namespace IceSecurity -{ - namespace SecureUdp { @@ -24,13 +21,11 @@ typedef IceInternal::Handle<ControlChannel> ControlChannelPtr; } -} - namespace IceInternal { -void incRef(::IceSecurity::SecureUdp::ControlChannel*); -void decRef(::IceSecurity::SecureUdp::ControlChannel*); +void incRef(::SecureUdp::ControlChannel*); +void decRef(::SecureUdp::ControlChannel*); } diff --git a/cpp/src/Ice/SUdpServerControlChannel.cpp b/cpp/src/Ice/SUdpServerControlChannel.cpp index e43f62b378f..881c88caba2 100644 --- a/cpp/src/Ice/SUdpServerControlChannel.cpp +++ b/cpp/src/Ice/SUdpServerControlChannel.cpp @@ -26,14 +26,14 @@ using namespace std; using namespace Ice; -using namespace IceSecurity::SecureUdp; +using namespace SecureUdp; using IceInternal::Buffer; using IceInternal::BasicStream; using IceInternal::InstancePtr; using IceInternal::SUdpTransceiver; void -IceSecurity::SecureUdp::ServerControlChannel::clientHello(const ClientChannelPrx& client, +SecureUdp::ServerControlChannel::clientHello(const ClientChannelPrx& client, const ByteSeq& MACkey, const Current&) { @@ -55,7 +55,7 @@ IceSecurity::SecureUdp::ServerControlChannel::clientHello(const ClientChannelPrx } void -IceSecurity::SecureUdp::ServerControlChannel::clientKeyAcknowledge(Long clientID, +SecureUdp::ServerControlChannel::clientKeyAcknowledge(Long clientID, Long msgID, const ByteSeq& key, const Current&) @@ -70,7 +70,7 @@ IceSecurity::SecureUdp::ServerControlChannel::clientKeyAcknowledge(Long clientID } void -IceSecurity::SecureUdp::ServerControlChannel::clientKeyRequest(Long clientID, const Current&) +SecureUdp::ServerControlChannel::clientKeyRequest(Long clientID, const Current&) { IceUtil::Mutex::Lock sync(_mutex); @@ -82,15 +82,15 @@ IceSecurity::SecureUdp::ServerControlChannel::clientKeyRequest(Long clientID, co } void -IceSecurity::SecureUdp::ServerControlChannel::clientGoodbye(Long clientID, const Current&) +SecureUdp::ServerControlChannel::clientGoodbye(Long clientID, const Current&) { IceUtil::Mutex::Lock sync(_mutex); deleteSUdpClient(clientID); } -// IceSecurity::SecureUdp::ServerControlChannel::ServerControlChannel(const SUdpTransceiverPtr& transceiver, -IceSecurity::SecureUdp::ServerControlChannel::ServerControlChannel(SUdpTransceiver* transceiver, +// SecureUdp::ServerControlChannel::ServerControlChannel(const SUdpTransceiverPtr& transceiver, +SecureUdp::ServerControlChannel::ServerControlChannel(SUdpTransceiver* transceiver, const InstancePtr& instance, int port) : ControlChannel(transceiver, instance) @@ -123,7 +123,7 @@ IceSecurity::SecureUdp::ServerControlChannel::ServerControlChannel(SUdpTransceiv _adapter->activate(); } -IceSecurity::SecureUdp::ServerControlChannel::~ServerControlChannel() +SecureUdp::ServerControlChannel::~ServerControlChannel() { // Make it impossible for the control channel to access the Transceiver // after transceiver destruction. @@ -131,7 +131,7 @@ IceSecurity::SecureUdp::ServerControlChannel::~ServerControlChannel() } void -IceSecurity::SecureUdp::ServerControlChannel::decryptPacket(Buffer& encryptedPacket, Buffer& decryptedPacket) +SecureUdp::ServerControlChannel::decryptPacket(Buffer& encryptedPacket, Buffer& decryptedPacket) { IceUtil::Mutex::Lock sync(_mutex); @@ -195,14 +195,14 @@ IceSecurity::SecureUdp::ServerControlChannel::decryptPacket(Buffer& encryptedPac } Long -IceSecurity::SecureUdp::ServerControlChannel::getNewClientID() +SecureUdp::ServerControlChannel::getNewClientID() { IceUtil::Mutex::Lock sync(_clientIDMutex); return ++_clientIDGenerator; } SUdpClientPtr& -IceSecurity::SecureUdp::ServerControlChannel::getSUdpClient(Long clientID) +SecureUdp::ServerControlChannel::getSUdpClient(Long clientID) { IceUtil::Mutex::Lock sync(_clientMapMutex); @@ -210,7 +210,7 @@ IceSecurity::SecureUdp::ServerControlChannel::getSUdpClient(Long clientID) } void -IceSecurity::SecureUdp::ServerControlChannel::newSUdpClient(const SUdpClientPtr& sudpClient) +SecureUdp::ServerControlChannel::newSUdpClient(const SUdpClientPtr& sudpClient) { IceUtil::Mutex::Lock sync(_clientMapMutex); @@ -220,7 +220,7 @@ IceSecurity::SecureUdp::ServerControlChannel::newSUdpClient(const SUdpClientPtr& } void -IceSecurity::SecureUdp::ServerControlChannel::deleteSUdpClient(Long clientID) +SecureUdp::ServerControlChannel::deleteSUdpClient(Long clientID) { IceUtil::Mutex::Lock sync(_clientMapMutex); diff --git a/cpp/src/Ice/SUdpServerControlChannel.h b/cpp/src/Ice/SUdpServerControlChannel.h index 873bbbe829e..e6145951c99 100644 --- a/cpp/src/Ice/SUdpServerControlChannel.h +++ b/cpp/src/Ice/SUdpServerControlChannel.h @@ -18,9 +18,6 @@ #include <Ice/SUdpClientF.h> #include <map> -namespace IceSecurity -{ - namespace SecureUdp { @@ -73,7 +70,5 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/SUdpTransceiver.cpp b/cpp/src/Ice/SUdpTransceiver.cpp index b8694a63c2d..8456a17b624 100644 --- a/cpp/src/Ice/SUdpTransceiver.cpp +++ b/cpp/src/Ice/SUdpTransceiver.cpp @@ -22,7 +22,7 @@ using namespace std; using namespace Ice; using namespace IceInternal; -using namespace IceSecurity::SecureUdp; +using namespace SecureUdp; void IceInternal::incRef(SUdpTransceiver* p) { p->__incRef(); } void IceInternal::decRef(SUdpTransceiver* p) { p->__decRef(); } diff --git a/cpp/src/Ice/SUdpTransceiver.h b/cpp/src/Ice/SUdpTransceiver.h index 4cc66816bc4..1a1e3375ca8 100644 --- a/cpp/src/Ice/SUdpTransceiver.h +++ b/cpp/src/Ice/SUdpTransceiver.h @@ -46,7 +46,7 @@ public: int effectivePort(); // Server Channel Implementation methods - void clientHello(const IceSecurity::SecureUdp::ClientChannelPtr&, const Ice::ByteSeq&); + void clientHello(const SecureUdp::ClientChannelPtr&, const Ice::ByteSeq&); void clientKeyAcknowledge(Ice::Long, Ice::Long, const Ice::ByteSeq&); void clientKeyRequest(Ice::Long); void clientGoodbye(Ice::Long); @@ -68,7 +68,7 @@ private: void createControlChannel(int); UdpTransceiver _udpTransceiver; - IceSecurity::SecureUdp::ControlChannelPtr _controlChannel; + SecureUdp::ControlChannelPtr _controlChannel; InstancePtr _instance; TraceLevelsPtr _traceLevels; diff --git a/cpp/src/Ice/SecurityException2.cpp b/cpp/src/Ice/SecurityException2.cpp index b51f79ec6e3..b8a0d91666e 100644 --- a/cpp/src/Ice/SecurityException2.cpp +++ b/cpp/src/Ice/SecurityException2.cpp @@ -25,7 +25,7 @@ using std::ostream; void -IceSecurity::SecurityException::ice_print(ostream& out) const +IceSSL::SecurityException::ice_print(ostream& out) const { Exception::ice_print(out); if (!_message.empty()) @@ -35,37 +35,37 @@ IceSecurity::SecurityException::ice_print(ostream& out) const } void -IceSecurity::Ssl::ConfigParseException::ice_print(ostream& out) const +IceSSL::ConfigParseException::ice_print(ostream& out) const { SecurityException::ice_print(out); } void -IceSecurity::Ssl::ShutdownException::ice_print(ostream& out) const +IceSSL::ShutdownException::ice_print(ostream& out) const { SecurityException::ice_print(out); } void -IceSecurity::Ssl::ProtocolException::ice_print(ostream& out) const +IceSSL::ProtocolException::ice_print(ostream& out) const { SecurityException::ice_print(out); } void -IceSecurity::Ssl::CertificateException::ice_print(ostream& out) const +IceSSL::CertificateException::ice_print(ostream& out) const { SecurityException::ice_print(out); } void -IceSecurity::Ssl::CertificateVerifierTypeException::ice_print(ostream& out) const +IceSSL::CertificateVerifierTypeException::ice_print(ostream& out) const { SecurityException::ice_print(out); } void -IceSecurity::Ssl::OpenSSL::ContextException::ice_print(ostream& out) const +IceSSL::OpenSSL::ContextException::ice_print(ostream& out) const { SecurityException::ice_print(out); } diff --git a/cpp/src/Glacier/CertVerifier.cpp b/cpp/src/Ice/SingleCertificateVerifier.cpp index f99ee3ae277..e00590ef4cb 100644 --- a/cpp/src/Glacier/CertVerifier.cpp +++ b/cpp/src/Ice/SingleCertificateVerifier.cpp @@ -8,20 +8,23 @@ // // ********************************************************************** -#include <Glacier/CertVerifier.h> +#include <Ice/SingleCertificateVerifier.h> #include <openssl/err.h> #include <algorithm> #include <iostream> -using namespace std; +using namespace std;
+using Ice::ByteSeq; -CertVerifier::CertVerifier(const ByteSeq& publicKey) : - _publicKey(publicKey) +IceSSL::OpenSSL::SingleCertificateVerifier::SingleCertificateVerifier(const ByteSeq& publicKey) : + _publicKey(publicKey) { } int -CertVerifier::verify(int preVerifyOkay, X509_STORE_CTX* x509StoreContext, SSL* sslConnection) +IceSSL::OpenSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
+ X509_STORE_CTX* x509StoreContext,
+ SSL* sslConnection) { // Short circuit - if the peer cert wasn't good enough for OpenSSL, // it's not good enough for us to bother checking. @@ -95,7 +98,7 @@ CertVerifier::verify(int preVerifyOkay, X509_STORE_CTX* x509StoreContext, SSL* s } ByteSeq -CertVerifier::toByteSeq(X509* certificate) +IceSSL::OpenSSL::SingleCertificateVerifier::toByteSeq(X509* certificate) { ByteSeq certByteSeq; diff --git a/cpp/src/Glacier/CertVerifier.h b/cpp/src/Ice/SingleCertificateVerifier.h index d0b8490a614..6bf6e58d49d 100644 --- a/cpp/src/Glacier/CertVerifier.h +++ b/cpp/src/Ice/SingleCertificateVerifier.h @@ -8,26 +8,34 @@ // // ********************************************************************** -#ifndef GLACIER_CERT_VERIFIER_H -#define GLACIER_CERT_VERIFIER_H +#ifndef ICE_SSL_SINGLE_CERTIFICATE_VERIFIER_H +#define ICE_SSL_SINGLE_CERTIFICATE_VERIFIER_H #include <Ice/BuiltinSequences.h> #include <Ice/SslCertificateVerifierOpenSSL.h> - -using Ice::ByteSeq; - -class CertVerifier : public IceSecurity::Ssl::OpenSSL::CertificateVerifier +
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+ +class SingleCertificateVerifier : public IceSSL::OpenSSL::CertificateVerifier { public: - CertVerifier(const ByteSeq&); + SingleCertificateVerifier(const Ice::ByteSeq&); virtual int verify(int, X509_STORE_CTX*, SSL*); - ByteSeq toByteSeq(X509* certificate); + Ice::ByteSeq toByteSeq(X509* certificate); protected: - ByteSeq _publicKey; -}; + Ice::ByteSeq _publicKey; +};
+
+}
+
+} #endif diff --git a/cpp/src/Ice/SslAcceptor.cpp b/cpp/src/Ice/SslAcceptor.cpp index 39a2e4c3b40..7a2bc14b307 100644 --- a/cpp/src/Ice/SslAcceptor.cpp +++ b/cpp/src/Ice/SslAcceptor.cpp @@ -17,16 +17,15 @@ # pragma warning(disable:4786) #endif -#include <Ice/SslFactory.h> -#include <Ice/SslSystem.h> -#include <Ice/Properties.h> +#include <Ice/SslSystemInternal.h> #include <Ice/SslAcceptor.h> #include <Ice/SslTransceiver.h> #include <Ice/Instance.h> #include <Ice/TraceLevels.h> #include <Ice/Logger.h> #include <Ice/Network.h> -#include <Ice/Exception.h> +#include <Ice/Properties.h>
+#include <Ice/Exception.h>
#include <Ice/SecurityException.h> #include <sstream> @@ -36,10 +35,8 @@ using namespace IceInternal; using std::string; using std::ostringstream; -using IceSecurity::Ssl::Connection; -using IceSecurity::Ssl::Factory; -using IceSecurity::Ssl::SystemPtr; -using IceSecurity::Ssl::ShutdownException; +using IceSSL::Connection; +using IceSSL::SystemInternalPtr; SOCKET IceInternal::SslAcceptor::fd() @@ -107,38 +104,13 @@ IceInternal::SslAcceptor::accept(int timeout) s << "accepted ssl connection\n" << fdToString(fd); _logger->trace(_traceLevels->networkCat, s.str()); } +
+ // Get an instance of the SslSystem + SystemInternalPtr sslSystem = _instance->getSslSystem();
+ assert(sslSystem != 0);
- PropertiesPtr properties = _instance->properties(); - - // This is the Ice SSL Configuration File on which we will base - // all connections in this communicator. - string configFile = properties->getProperty("Ice.Security.Ssl.Config"); - - // Get an instance of the SslSystem singleton. - SystemPtr sslSystem = Factory::getSystem(configFile); - - if (!sslSystem->isTraceSet()) - { - sslSystem->setTrace(_traceLevels); - } - - if (!sslSystem->isLoggerSet()) - { - sslSystem->setLogger(_logger); - } - - if (!sslSystem->isPropertiesSet()) - { - sslSystem->setProperties(properties); - } - - // Initialize the server (if needed) - if (!sslSystem->isConfigLoaded()) - { - sslSystem->loadConfig(); - } - - TransceiverPtr transPtr = new SslTransceiver(_instance, fd, sslSystem->createServerConnection(fd)); + IceSSL::ConnectionPtr connection = sslSystem->createConnection(IceSSL::Server, fd); + TransceiverPtr transPtr = new SslTransceiver(_instance, fd, connection); return transPtr; } diff --git a/cpp/src/Ice/SslBaseCerts.cpp b/cpp/src/Ice/SslBaseCerts.cpp index eb2ace00b13..05016a5c30a 100644 --- a/cpp/src/Ice/SslBaseCerts.cpp +++ b/cpp/src/Ice/SslBaseCerts.cpp @@ -10,25 +10,43 @@ #include <Ice/SslBaseCerts.h> -using namespace IceSecurity::Ssl; +using namespace IceSSL; -IceSecurity::Ssl::BaseCertificates::BaseCertificates() +IceSSL::BaseCertificates::BaseCertificates() { } -IceSecurity::Ssl::BaseCertificates::BaseCertificates(CertificateDesc& rsaCert, - CertificateDesc& dsaCert, - DiffieHellmanParamsFile& dhParams) : - _rsaCert(rsaCert), - _dsaCert(dsaCert), - _dhParams(dhParams) +IceSSL::BaseCertificates::BaseCertificates(CertificateDesc& rsaCert,
+ CertificateDesc& dsaCert,
+ DiffieHellmanParamsFile& dhParams) : + _rsaCert(rsaCert), + _dsaCert(dsaCert), + _dhParams(dhParams) { } -IceSecurity::Ssl::BaseCertificates::BaseCertificates(BaseCertificates& baseCerts) : - _rsaCert(baseCerts._rsaCert), - _dsaCert(baseCerts._dsaCert), - _dhParams(baseCerts._dhParams) +IceSSL::BaseCertificates::BaseCertificates(BaseCertificates& baseCerts) : + _rsaCert(baseCerts._rsaCert), + _dsaCert(baseCerts._dsaCert), + _dhParams(baseCerts._dhParams) { } +const IceSSL::CertificateDesc&
+IceSSL::BaseCertificates::getRSACert() const
+{
+ return _rsaCert;
+}
+
+const IceSSL::CertificateDesc&
+IceSSL::BaseCertificates::getDSACert() const
+{
+ return _dsaCert;
+}
+
+const IceSSL::DiffieHellmanParamsFile&
+IceSSL::BaseCertificates::getDHParams() const
+{
+ return _dhParams;
+}
+
diff --git a/cpp/src/Ice/SslBaseCerts.h b/cpp/src/Ice/SslBaseCerts.h index d22102e51fa..ec42e4c5bf1 100644 --- a/cpp/src/Ice/SslBaseCerts.h +++ b/cpp/src/Ice/SslBaseCerts.h @@ -14,10 +14,7 @@ #include <Ice/SslCertificateDesc.h> #include <ostream> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class BaseCertificates @@ -28,10 +25,10 @@ public: BaseCertificates(CertificateDesc&, CertificateDesc&, DiffieHellmanParamsFile&); BaseCertificates(BaseCertificates&); - inline const CertificateDesc& getRSACert() const { return _rsaCert; }; - inline const CertificateDesc& getDSACert() const { return _dsaCert; }; + const CertificateDesc& getRSACert() const; + const CertificateDesc& getDSACert() const; - inline const DiffieHellmanParamsFile& getDHParams() const { return _dhParams; }; + const DiffieHellmanParamsFile& getDHParams() const; protected: CertificateDesc _rsaCert; @@ -68,6 +65,4 @@ inline Stream& operator << (Stream& target, const BaseCertificates& baseCerts) } -} - #endif diff --git a/cpp/src/Ice/SslCertificateAuthority.cpp b/cpp/src/Ice/SslCertificateAuthority.cpp index 9247819d4e5..37d566334ff 100644 --- a/cpp/src/Ice/SslCertificateAuthority.cpp +++ b/cpp/src/Ice/SslCertificateAuthority.cpp @@ -12,30 +12,42 @@ using namespace std; -IceSecurity::Ssl::CertificateAuthority::CertificateAuthority() +IceSSL::CertificateAuthority::CertificateAuthority() { } -IceSecurity::Ssl::CertificateAuthority::CertificateAuthority(string& fileName, string& path) : - _fileName(fileName), - _path(path) +IceSSL::CertificateAuthority::CertificateAuthority(string& fileName, string& path) : + _fileName(fileName), + _path(path) { } -IceSecurity::Ssl::CertificateAuthority::CertificateAuthority(CertificateAuthority& certAuthority) : - _fileName(certAuthority._fileName), - _path(certAuthority._path) +IceSSL::CertificateAuthority::CertificateAuthority(CertificateAuthority& certAuthority) : + _fileName(certAuthority._fileName), + _path(certAuthority._path) { } void -IceSecurity::Ssl::CertificateAuthority::setCAFileName(string& fileName) +IceSSL::CertificateAuthority::setCAFileName(string& fileName) { _fileName = fileName; } void -IceSecurity::Ssl::CertificateAuthority::setCAPath(string& caPath) +IceSSL::CertificateAuthority::setCAPath(string& caPath) { _path = caPath; } +
+const std::string&
+IceSSL::CertificateAuthority::getCAFileName() const
+{
+ return _fileName;
+}
+
+const std::string&
+IceSSL::CertificateAuthority::getCAPath() const
+{
+ return _path;
+}
diff --git a/cpp/src/Ice/SslCertificateAuthority.h b/cpp/src/Ice/SslCertificateAuthority.h index 468dbc48fcf..eba9f1d19b0 100644 --- a/cpp/src/Ice/SslCertificateAuthority.h +++ b/cpp/src/Ice/SslCertificateAuthority.h @@ -13,10 +13,7 @@ #include <string> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class CertificateAuthority @@ -30,8 +27,8 @@ public: void setCAFileName(std::string&); void setCAPath(std::string&); - inline const std::string& getCAFileName() const { return _fileName; }; - inline const std::string& getCAPath() const { return _path; }; + const std::string& getCAFileName() const; + const std::string& getCAPath() const; private: std::string _fileName; @@ -40,6 +37,4 @@ private: } -} - #endif diff --git a/cpp/src/Ice/SslCertificateDesc.cpp b/cpp/src/Ice/SslCertificateDesc.cpp index a5d458cb23a..2b9e8fb597f 100644 --- a/cpp/src/Ice/SslCertificateDesc.cpp +++ b/cpp/src/Ice/SslCertificateDesc.cpp @@ -20,78 +20,114 @@ #include <Ice/SslCertificateDesc.h> using namespace std; -using namespace IceSecurity::Ssl; +using namespace IceSSL; ///////////////////////// //// CertificateFile //// ///////////////////////// -IceSecurity::Ssl::CertificateFile::CertificateFile() : - _fileName(""), - _encoding(0) +IceSSL::CertificateFile::CertificateFile() : + _fileName(""), + _encoding(0) { } -IceSecurity::Ssl::CertificateFile::CertificateFile(const string& filename, const int encoding) : - _fileName(filename), - _encoding(encoding) +IceSSL::CertificateFile::CertificateFile(const string& filename, const int encoding) : + _fileName(filename), + _encoding(encoding) { } -IceSecurity::Ssl::CertificateFile::CertificateFile(const CertificateFile& certFile) : - _fileName(certFile._fileName), - _encoding(certFile._encoding) +IceSSL::CertificateFile::CertificateFile(const CertificateFile& certFile) : + _fileName(certFile._fileName), + _encoding(certFile._encoding) { } +
+std::string
+IceSSL::CertificateFile::getFileName() const
+{
+ return _fileName;
+}
+
+int
+IceSSL::CertificateFile::getEncoding() const
+{
+ return _encoding;
+}
///////////////////////////////// //// DiffieHellmanParamsFile //// ///////////////////////////////// -IceSecurity::Ssl::DiffieHellmanParamsFile::DiffieHellmanParamsFile() : - CertificateFile(), - _keySize(0) +IceSSL::DiffieHellmanParamsFile::DiffieHellmanParamsFile() : + CertificateFile(), + _keySize(0) { } -IceSecurity::Ssl::DiffieHellmanParamsFile::DiffieHellmanParamsFile(const int keySize, - const string& filename, - const int encoding) : - CertificateFile(filename, encoding), - _keySize(keySize) +IceSSL::DiffieHellmanParamsFile::DiffieHellmanParamsFile(const int keySize,
+ const string& filename,
+ const int encoding) : + CertificateFile(filename, encoding), + _keySize(keySize) { } -IceSecurity::Ssl::DiffieHellmanParamsFile::DiffieHellmanParamsFile(const DiffieHellmanParamsFile& dhParams) : - CertificateFile(dhParams._fileName, dhParams._encoding), - _keySize(dhParams._keySize) +IceSSL::DiffieHellmanParamsFile::DiffieHellmanParamsFile(const DiffieHellmanParamsFile& dhParams) : + CertificateFile(dhParams._fileName, dhParams._encoding), + _keySize(dhParams._keySize) { } +
+int
+IceSSL::DiffieHellmanParamsFile::getKeySize() const
+{
+ return _keySize;
+}
///////////////////////// //// CertificateDesc //// ///////////////////////// -IceSecurity::Ssl::CertificateDesc::CertificateDesc() : - _keySize(0), - _public(), - _private() +IceSSL::CertificateDesc::CertificateDesc() : + _keySize(0), + _public(), + _private() { } -IceSecurity::Ssl::CertificateDesc::CertificateDesc(const int keySize, - const CertificateFile& publicFile, - const CertificateFile& privateFile) : - _keySize(keySize), - _public(publicFile), - _private(privateFile) +IceSSL::CertificateDesc::CertificateDesc(const int keySize, + const CertificateFile& publicFile, + const CertificateFile& privateFile) : + _keySize(keySize), + _public(publicFile), + _private(privateFile) { } -IceSecurity::Ssl::CertificateDesc::CertificateDesc(const CertificateDesc& certDesc) : - _keySize(certDesc._keySize), - _public(certDesc._public), - _private(certDesc._private) +IceSSL::CertificateDesc::CertificateDesc(const CertificateDesc& certDesc) : + _keySize(certDesc._keySize), + _public(certDesc._public), + _private(certDesc._private) { } +int
+IceSSL::CertificateDesc::getKeySize() const
+{
+ return _keySize;
+}
+
+const CertificateFile&
+IceSSL::CertificateDesc::getPublic() const
+{
+ return _public;
+}
+
+const CertificateFile&
+IceSSL::CertificateDesc::getPrivate() const
+{
+ return _private;
+}
+
diff --git a/cpp/src/Ice/SslCertificateDesc.h b/cpp/src/Ice/SslCertificateDesc.h index 852c7d121a4..8addb46a25c 100644 --- a/cpp/src/Ice/SslCertificateDesc.h +++ b/cpp/src/Ice/SslCertificateDesc.h @@ -18,10 +18,7 @@ #include <vector> #include <ostream> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class CertificateFile @@ -32,8 +29,8 @@ public: CertificateFile(const std::string&, const int); CertificateFile(const CertificateFile&); - inline std::string getFileName() const { return _fileName; }; - inline int getEncoding() const { return _encoding; }; + std::string getFileName() const; + int getEncoding() const; protected: std::string _fileName; @@ -48,7 +45,7 @@ public: DiffieHellmanParamsFile(const int, const std::string&, const int); DiffieHellmanParamsFile(const DiffieHellmanParamsFile&); - inline int getKeySize() const { return _keySize; }; + int getKeySize() const; protected: int _keySize; @@ -62,10 +59,10 @@ public: CertificateDesc(const int, const CertificateFile&, const CertificateFile&); CertificateDesc(const CertificateDesc&); - inline int getKeySize() const { return _keySize; }; + int getKeySize() const; - inline const CertificateFile& getPublic() const { return _public; }; - inline const CertificateFile& getPrivate() const { return _private; }; + const CertificateFile& getPublic() const; + const CertificateFile& getPrivate() const; protected: int _keySize; @@ -119,6 +116,4 @@ inline Stream& operator << (Stream& target, const CertificateDesc& certDesc) } -} - #endif diff --git a/cpp/src/Ice/SslCertificateVerifierOpenSSL.cpp b/cpp/src/Ice/SslCertificateVerifierOpenSSL.cpp index 924efcaf720..821976596f9 100644 --- a/cpp/src/Ice/SslCertificateVerifierOpenSSL.cpp +++ b/cpp/src/Ice/SslCertificateVerifierOpenSSL.cpp @@ -10,18 +10,18 @@ #include <Ice/SslCertificateVerifierOpenSSL.h>
-IceSecurity::Ssl::OpenSSL::CertificateVerifier::~CertificateVerifier()
+IceSSL::OpenSSL::CertificateVerifier::~CertificateVerifier()
{
}
void
-IceInternal::incRef(::IceSecurity::Ssl::OpenSSL::CertificateVerifier* p)
+IceInternal::incRef(::IceSSL::OpenSSL::CertificateVerifier* p)
{
p->__incRef();
}
void
-IceInternal::decRef(::IceSecurity::Ssl::OpenSSL::CertificateVerifier* p)
+IceInternal::decRef(::IceSSL::OpenSSL::CertificateVerifier* p)
{
p->__decRef();
}
diff --git a/cpp/src/Ice/SslConfig.cpp b/cpp/src/Ice/SslConfig.cpp index 960475d902f..6f076a774ab 100644 --- a/cpp/src/Ice/SslConfig.cpp +++ b/cpp/src/Ice/SslConfig.cpp @@ -33,34 +33,37 @@ #include <algorithm> using namespace std; -using namespace IceSecurity::Ssl; +using namespace IceSSL; // // Public Methods // -IceSecurity::Ssl::Parser::Parser(const string& configFile) : - _configFile(configFile) -{ +IceSSL::Parser::Parser(const string& configFile) : + _configFile(configFile) +{
+ assert(!configFile.empty()); _configPath = "./"; _traceLevels = 0; _logger = 0; } -IceSecurity::Ssl::Parser::Parser(const string& configFile, const string& configPath) : - _configFile(configFile), - _configPath(configPath) +IceSSL::Parser::Parser(const string& configFile, const string& configPath) : + _configFile(configFile), + _configPath(configPath) { + assert(!configFile.empty());
+ assert(!configPath.empty());
_traceLevels = 0; _logger = 0; } -IceSecurity::Ssl::Parser::~Parser() +IceSSL::Parser::~Parser() { } void -IceSecurity::Ssl::Parser::process() +IceSSL::Parser::process() { try { @@ -202,9 +205,7 @@ IceSecurity::Ssl::Parser::process() } bool -IceSecurity::Ssl::Parser::loadClientConfig(GeneralConfig& general, - CertificateAuthority& certAuth, - BaseCertificates& baseCerts) +IceSSL::Parser::loadClientConfig(GeneralConfig& general, CertificateAuthority& certAuth, BaseCertificates& baseCerts) { bool retCode = false; string clientSectionString("SSLConfig:client"); @@ -223,10 +224,10 @@ IceSecurity::Ssl::Parser::loadClientConfig(GeneralConfig& general, } bool -IceSecurity::Ssl::Parser::loadServerConfig(GeneralConfig& general, - CertificateAuthority& certAuth, - BaseCertificates& baseCerts, - TempCertificates& tempCerts) +IceSSL::Parser::loadServerConfig(GeneralConfig& general,
+ CertificateAuthority& certAuth,
+ BaseCertificates& baseCerts, + TempCertificates& tempCerts) { bool retCode = false; string serverSectionString("SSLConfig:server"); @@ -245,13 +246,37 @@ IceSecurity::Ssl::Parser::loadServerConfig(GeneralConfig& general, return retCode; } +void
+IceSSL::Parser::setTrace(const IceInternal::TraceLevelsPtr& traceLevels)
+{
+ _traceLevels = traceLevels;
+}
+
+bool
+IceSSL::Parser::isTraceSet() const
+{
+ return _traceLevels;
+}
+
+void
+IceSSL::Parser::setLogger(const Ice::LoggerPtr& logger)
+{
+ _logger = logger;
+}
+
+bool
+IceSSL::Parser::isLoggerSet() const
+{
+ return _logger;
+}
+
// // Private Methods // // path is of the form "sslconfig:client:general" void -IceSecurity::Ssl::Parser::popRoot(string& path, string& root, string& tail) +IceSSL::Parser::popRoot(string& path, string& root, string& tail) { string::size_type pos = path.find_first_of(':'); @@ -268,13 +293,13 @@ IceSecurity::Ssl::Parser::popRoot(string& path, string& root, string& tail) } DOM_Node -IceSecurity::Ssl::Parser::find(string& nodePath) +IceSSL::Parser::find(string& nodePath) { return find(_root, nodePath); } DOM_Node -IceSecurity::Ssl::Parser::find(DOM_Node rootNode, string& nodePath) +IceSSL::Parser::find(DOM_Node rootNode, string& nodePath) { // The target node that we're looking for. DOM_Node tNode; @@ -319,7 +344,7 @@ IceSecurity::Ssl::Parser::find(DOM_Node rootNode, string& nodePath) } void -IceSecurity::Ssl::Parser::getGeneral(DOM_Node rootNode, GeneralConfig& generalConfig) +IceSSL::Parser::getGeneral(DOM_Node rootNode, GeneralConfig& generalConfig) { if (rootNode != 0) { @@ -343,7 +368,7 @@ IceSecurity::Ssl::Parser::getGeneral(DOM_Node rootNode, GeneralConfig& generalCo } void -IceSecurity::Ssl::Parser::getCertAuth(DOM_Node rootNode, CertificateAuthority& certAuth) +IceSSL::Parser::getCertAuth(DOM_Node rootNode, CertificateAuthority& certAuth) { if (rootNode != 0) { @@ -384,7 +409,7 @@ IceSecurity::Ssl::Parser::getCertAuth(DOM_Node rootNode, CertificateAuthority& c } void -IceSecurity::Ssl::Parser::getBaseCerts(DOM_Node rootNode, BaseCertificates& baseCerts) +IceSSL::Parser::getBaseCerts(DOM_Node rootNode, BaseCertificates& baseCerts) { if (rootNode != 0) { @@ -412,7 +437,7 @@ IceSecurity::Ssl::Parser::getBaseCerts(DOM_Node rootNode, BaseCertificates& base } void -IceSecurity::Ssl::Parser::getTempCerts(DOM_Node rootNode, TempCertificates& tempCerts) +IceSSL::Parser::getTempCerts(DOM_Node rootNode, TempCertificates& tempCerts) { if (rootNode != 0) { @@ -436,10 +461,6 @@ IceSecurity::Ssl::Parser::getTempCerts(DOM_Node rootNode, TempCertificates& temp { loadRSACert(child, tempCerts); } - else if (name.compare("dsacert") == 0) - { - loadDSACert(child, tempCerts); - } child = child.getNextSibling(); } @@ -448,7 +469,7 @@ IceSecurity::Ssl::Parser::getTempCerts(DOM_Node rootNode, TempCertificates& temp } void -IceSecurity::Ssl::Parser::loadDHParams(DOM_Node rootNode, TempCertificates& tempCerts) +IceSSL::Parser::loadDHParams(DOM_Node rootNode, TempCertificates& tempCerts) { DiffieHellmanParamsFile dhParams; @@ -458,7 +479,7 @@ IceSecurity::Ssl::Parser::loadDHParams(DOM_Node rootNode, TempCertificates& temp } void -IceSecurity::Ssl::Parser::loadRSACert(DOM_Node rootNode, TempCertificates& tempCerts) +IceSSL::Parser::loadRSACert(DOM_Node rootNode, TempCertificates& tempCerts) { CertificateDesc rsaCert; @@ -468,17 +489,7 @@ IceSecurity::Ssl::Parser::loadRSACert(DOM_Node rootNode, TempCertificates& tempC } void -IceSecurity::Ssl::Parser::loadDSACert(DOM_Node rootNode, TempCertificates& tempCerts) -{ - CertificateDesc dsaCert; - - getCert(rootNode, dsaCert); - - tempCerts.addDSACert(dsaCert); -} - -void -IceSecurity::Ssl::Parser::getCert(DOM_Node rootNode, CertificateDesc& certDesc) +IceSSL::Parser::getCert(DOM_Node rootNode, CertificateDesc& certDesc) { if (rootNode != 0) { @@ -513,7 +524,7 @@ IceSecurity::Ssl::Parser::getCert(DOM_Node rootNode, CertificateDesc& certDesc) } void -IceSecurity::Ssl::Parser::getDHParams(DOM_Node rootNode, DiffieHellmanParamsFile& dhParams) +IceSSL::Parser::getDHParams(DOM_Node rootNode, DiffieHellmanParamsFile& dhParams) { if (rootNode != 0) { @@ -541,7 +552,7 @@ IceSecurity::Ssl::Parser::getDHParams(DOM_Node rootNode, DiffieHellmanParamsFile } void -IceSecurity::Ssl::Parser::loadCertificateFile(DOM_Node rootNode, CertificateFile& certFile) +IceSSL::Parser::loadCertificateFile(DOM_Node rootNode, CertificateFile& certFile) { if (rootNode != 0) { @@ -578,7 +589,7 @@ IceSecurity::Ssl::Parser::loadCertificateFile(DOM_Node rootNode, CertificateFile } int -IceSecurity::Ssl::Parser::parseEncoding(string& encodingString) +IceSSL::Parser::parseEncoding(string& encodingString) { int encoding = 0; @@ -595,7 +606,7 @@ IceSecurity::Ssl::Parser::parseEncoding(string& encodingString) } string -IceSecurity::Ssl::Parser::toString(const DOMString& domString) +IceSSL::Parser::toString(const DOMString& domString) { char* cString = domString.transcode(); diff --git a/cpp/src/Ice/SslConfig.h b/cpp/src/Ice/SslConfig.h index acc5371cd3d..91f2fce6da6 100644 --- a/cpp/src/Ice/SslConfig.h +++ b/cpp/src/Ice/SslConfig.h @@ -21,10 +21,7 @@ #include <Ice/SslTempCerts.h> #include <string> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class Parser @@ -43,11 +40,11 @@ public: bool loadClientConfig(GeneralConfig&, CertificateAuthority&, BaseCertificates&); bool loadServerConfig(GeneralConfig&, CertificateAuthority&, BaseCertificates&, TempCertificates&); - inline void setTrace(IceInternal::TraceLevelsPtr traceLevels) { _traceLevels = traceLevels; }; - inline bool isTraceSet() const { return _traceLevels; }; + void setTrace(const IceInternal::TraceLevelsPtr&); + bool isTraceSet() const; - inline void setLogger(Ice::LoggerPtr traceLevels) { _logger = traceLevels; }; - inline bool isLoggerSet() const { return _logger; }; + void setLogger(const Ice::LoggerPtr&); + bool isLoggerSet() const; private: @@ -72,7 +69,6 @@ private: // Loading of temporary certificates/params (Ephemeral Keys). void loadDHParams(DOM_Node, TempCertificates&); void loadRSACert(DOM_Node, TempCertificates&); - void loadDSACert(DOM_Node, TempCertificates&); // Populates classes with information from the indicated node in the parse tree. void getCert(DOM_Node, CertificateDesc&); @@ -87,6 +83,4 @@ private: } -} - #endif diff --git a/cpp/src/Ice/SslConfigErrorReporter.cpp b/cpp/src/Ice/SslConfigErrorReporter.cpp index 8f84627a6b9..da605e7d8e7 100644 --- a/cpp/src/Ice/SslConfigErrorReporter.cpp +++ b/cpp/src/Ice/SslConfigErrorReporter.cpp @@ -22,9 +22,9 @@ using namespace std; void -IceSecurity::Ssl::ErrorReporter::warning(const SAXParseException& toCatch) +IceSSL::ErrorReporter::warning(const SAXParseException& toCatch) { - if (_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS) + if (_traceLevels->security >= IceSSL::SECURITY_PARSE_WARNINGS) { ostringstream s; @@ -40,11 +40,11 @@ IceSecurity::Ssl::ErrorReporter::warning(const SAXParseException& toCatch) } void -IceSecurity::Ssl::ErrorReporter::error(const SAXParseException& toCatch) +IceSSL::ErrorReporter::error(const SAXParseException& toCatch) { _sawErrors = true; - if (_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS) + if (_traceLevels->security >= IceSSL::SECURITY_PARSE_WARNINGS) { ostringstream s; @@ -60,11 +60,11 @@ IceSecurity::Ssl::ErrorReporter::error(const SAXParseException& toCatch) } void -IceSecurity::Ssl::ErrorReporter::fatalError(const SAXParseException& toCatch) +IceSSL::ErrorReporter::fatalError(const SAXParseException& toCatch) { _sawErrors = true; - if (_traceLevels->security >= IceSecurity::SECURITY_PARSE_WARNINGS) + if (_traceLevels->security >= IceSSL::SECURITY_PARSE_WARNINGS) { ostringstream s; @@ -80,8 +80,22 @@ IceSecurity::Ssl::ErrorReporter::fatalError(const SAXParseException& toCatch) } void -IceSecurity::Ssl::ErrorReporter::resetErrors() +IceSSL::ErrorReporter::resetErrors() { // No-op in this case } +bool
+IceSSL::ErrorReporter::getSawErrors() const
+{
+ return _sawErrors;
+}
+
+std::ostream&
+IceSSL::operator << (std::ostream& target, const DOMString& s)
+{
+ char *p = s.transcode();
+ target << p;
+ delete [] p;
+ return target;
+}
diff --git a/cpp/src/Ice/SslConfigErrorReporter.h b/cpp/src/Ice/SslConfigErrorReporter.h index defd83ed11e..2f4836d4d8c 100644 --- a/cpp/src/Ice/SslConfigErrorReporter.h +++ b/cpp/src/Ice/SslConfigErrorReporter.h @@ -18,10 +18,7 @@ #include <Ice/TraceLevelsF.h> #include <Ice/LoggerF.h> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class ErrorReporter : public ErrorHandler @@ -44,7 +41,7 @@ public: void fatalError(const SAXParseException& toCatch); void resetErrors(); - inline bool getSawErrors() const { return _sawErrors; }; + bool getSawErrors() const; private: // This is set if we get any errors, and is queryable via a getter method. @@ -55,16 +52,7 @@ private: Ice::LoggerPtr _logger; }; -inline std::ostream& -operator << (std::ostream& target, const DOMString& s) -{ - char *p = s.transcode(); - target << p; - delete [] p; - return target; -} - -} +std::ostream& operator << (std::ostream& target, const DOMString& s); } diff --git a/cpp/src/Ice/SslConnection.cpp b/cpp/src/Ice/SslConnection.cpp index 6d74e714a0b..511344a72e6 100644 --- a/cpp/src/Ice/SslConnection.cpp +++ b/cpp/src/Ice/SslConnection.cpp @@ -10,15 +10,22 @@ #include <Ice/SslConnection.h> -void ::IceInternal::incRef(::IceSecurity::Ssl::Connection* p) { p->__incRef(); } -void ::IceInternal::decRef(::IceSecurity::Ssl::Connection* p) { p->__decRef(); } +void ::IceInternal::incRef(::IceSSL::Connection* p) { p->__incRef(); } +void ::IceInternal::decRef(::IceSSL::Connection* p) { p->__decRef(); } -IceSecurity::Ssl::Connection::Connection(const CertificateVerifierPtr& certificateVerifier) : - _certificateVerifier(certificateVerifier) -{ +IceSSL::Connection::Connection(const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const CertificateVerifierPtr& certificateVerifier) :
+ _traceLevels(traceLevels),
+ _logger(logger),
+ _certificateVerifier(certificateVerifier) +{
+ assert(_traceLevels != 0);
+ assert(_logger != 0);
+ assert(_certificateVerifier != 0); } -IceSecurity::Ssl::Connection::~Connection() -{ +IceSSL::Connection::~Connection() +{
} diff --git a/cpp/src/Ice/SslConnection.h b/cpp/src/Ice/SslConnection.h index 5623d4505c2..edfd0d3c0c3 100644 --- a/cpp/src/Ice/SslConnection.h +++ b/cpp/src/Ice/SslConnection.h @@ -18,16 +18,15 @@ #include <Ice/SslConnectionF.h> #include <Ice/SslCertificateVerifierF.h> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class Connection : public IceUtil::Shared { public: - Connection(const IceSecurity::Ssl::CertificateVerifierPtr&); + Connection(const IceInternal::TraceLevelsPtr&,
+ const Ice::LoggerPtr&,
+ const IceSSL::CertificateVerifierPtr&); virtual ~Connection(); virtual void shutdown() = 0; @@ -35,15 +34,12 @@ public: virtual int read(IceInternal::Buffer&, int) = 0; virtual int write(IceInternal::Buffer&, int) = 0; - virtual void setTrace(const IceInternal::TraceLevelsPtr&) = 0; - virtual void setLogger(const Ice::LoggerPtr&) = 0; - protected: + IceInternal::TraceLevelsPtr _traceLevels;
+ Ice::LoggerPtr _logger;
CertificateVerifierPtr _certificateVerifier; }; } -} - #endif diff --git a/cpp/src/Ice/SslConnectionF.h b/cpp/src/Ice/SslConnectionF.h index 22e3b862a4a..5d394788405 100644 --- a/cpp/src/Ice/SslConnectionF.h +++ b/cpp/src/Ice/SslConnectionF.h @@ -13,10 +13,7 @@ #include <Ice/Handle.h> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class Connection; @@ -24,13 +21,11 @@ typedef IceInternal::Handle<Connection> ConnectionPtr; } -} - namespace IceInternal { -void incRef(::IceSecurity::Ssl::Connection*); -void decRef(::IceSecurity::Ssl::Connection*); +void incRef(::IceSSL::Connection*); +void decRef(::IceSSL::Connection*); } diff --git a/cpp/src/Ice/SslConnectionOpenSSL.cpp b/cpp/src/Ice/SslConnectionOpenSSL.cpp index 90356d05045..26ec74d9c7c 100644 --- a/cpp/src/Ice/SslConnectionOpenSSL.cpp +++ b/cpp/src/Ice/SslConnectionOpenSSL.cpp @@ -44,107 +44,8 @@ using Ice::Int; using std::endl; -using IceSecurity::Ssl::Factory; -using IceSecurity::Ssl::SystemPtr; - -//////////////////////////////////////////////// -////////// DefaultCertificateVerifier ////////// -//////////////////////////////////////////////// - -IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::DefaultCertificateVerifier() -{ -} - -void -IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::setTraceLevels(const TraceLevelsPtr& traceLevels) -{ - _traceLevels = traceLevels; -} - -void -IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::setLogger(const LoggerPtr& logger) -{ - _logger = logger; -} - -int -IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay, - X509_STORE_CTX* x509StoreContext, - SSL* sslConnection) -{ - // - // Default verification steps. - // - - int verifyError = X509_STORE_CTX_get_error(x509StoreContext); - int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext); - int verifyDepth = SSL_get_verify_depth(sslConnection); - - // Verify Depth was set - if (verifyError != X509_V_OK) - { - // If we have no errors so far, and the certificate chain is too long - if ((verifyDepth != -1) && (verifyDepth < errorDepth)) - { - verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG; - X509_STORE_CTX_set_error(x509StoreContext, verifyError); - } - - // If we have ANY errors, we bail out. - preVerifyOkay = 0; - } - - // Only if ICE_PROTOCOL level logging is on do we worry about this. - if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) - { - char buf[256]; - - X509* err_cert = X509_STORE_CTX_get_current_cert(x509StoreContext); - - X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf)); - - ostringstream outStringStream; - - outStringStream << "depth = " << dec << errorDepth << ":" << buf << std::endl; - - if (!preVerifyOkay) - { - outStringStream << "verify error: num = " << verifyError << " : " - << X509_verify_cert_error_string(verifyError) << endl; - - } - - switch (verifyError) - { - case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - { - X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf)); - outStringStream << "issuer = " << buf << endl; - break; - } - - case X509_V_ERR_CERT_NOT_YET_VALID: - case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - { - outStringStream << "notBefore = " << getASN1time(X509_get_notBefore(err_cert)) << endl; - break; - } - - case X509_V_ERR_CERT_HAS_EXPIRED: - case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: - { - outStringStream << "notAfter = " << getASN1time(X509_get_notAfter(err_cert)) << endl; - break; - } - } - - outStringStream << "verify return = " << preVerifyOkay << endl; - - _logger->trace(_traceLevels->securityCat, outStringStream.str()); - } - - return preVerifyOkay; -} +using IceSSL::Factory; +using IceSSL::SystemInternalPtr; //////////////////////////////// ////////// Connection ////////// @@ -153,32 +54,34 @@ IceSecurity::Ssl::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay, // // Static Member Initialization // -IceSecurity::Ssl::OpenSSL::SslConnectionMap IceSecurity::Ssl::OpenSSL::Connection::_connectionMap; -::IceUtil::Mutex IceSecurity::Ssl::OpenSSL::Connection::_connectionRepositoryMutex; +IceSSL::OpenSSL::SslConnectionMap IceSSL::OpenSSL::Connection::_connectionMap; +::IceUtil::Mutex IceSSL::OpenSSL::Connection::_connectionRepositoryMutex; // // Public Methods // -void ::IceInternal::incRef(::IceSecurity::Ssl::OpenSSL::Connection* p) { p->__incRef(); } -void ::IceInternal::decRef(::IceSecurity::Ssl::OpenSSL::Connection* p) { p->__decRef(); } +void ::IceInternal::incRef(::IceSSL::OpenSSL::Connection* p) { p->__incRef(); } +void ::IceInternal::decRef(::IceSSL::OpenSSL::Connection* p) { p->__decRef(); } // Note: I would use a using directive of the form: -// using IceSecurity::Ssl::CertificateVerifierPtr; +// using IceSSL::CertificateVerifierPtr; // but unfortunately, it appears that this is not properly picked up. // -IceSecurity::Ssl::OpenSSL::Connection::Connection( - const IceSecurity::Ssl::CertificateVerifierPtr& certificateVerifier, - SSL* sslConnection, - const SystemPtr& system) : - IceSecurity::Ssl::Connection(certificateVerifier), - _sslConnection(sslConnection), - _system(system) +IceSSL::OpenSSL::Connection::Connection(
+ const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const IceSSL::CertificateVerifierPtr& certificateVerifier, + SSL* sslConnection,
+ const IceSSL::SystemInternalPtr& system) : + IceSSL::Connection(traceLevels, logger, certificateVerifier), + _sslConnection(sslConnection) { - assert(sslConnection); + assert(_sslConnection != 0);
+ assert(system != 0); - Factory::addSystemHandle(sslConnection, system); + Factory::addSystemHandle(_sslConnection, system); _lastError = SSL_ERROR_NONE; @@ -192,7 +95,7 @@ IceSecurity::Ssl::OpenSSL::Connection::Connection( addConnection(_sslConnection, this); } -IceSecurity::Ssl::OpenSSL::Connection::~Connection() +IceSSL::OpenSSL::Connection::~Connection() { if (_sslConnection != 0) { @@ -204,11 +107,11 @@ IceSecurity::Ssl::OpenSSL::Connection::~Connection() } void -IceSecurity::Ssl::OpenSSL::Connection::shutdown() +IceSSL::OpenSSL::Connection::shutdown() { if (_sslConnection != 0) { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) + if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS) { _logger->trace(_traceLevels->securityCat, "WRN " + string("shutting down SSL connection\n") + @@ -225,7 +128,7 @@ IceSecurity::Ssl::OpenSSL::Connection::shutdown() } while ((shutdown == 0) && (retries > 0)); - if ((_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) && (shutdown <= 0)) + if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) && (shutdown <= 0)) { ostringstream s; s << "SSL shutdown failure encountered: code[" << shutdown << "] retries["; @@ -236,25 +139,13 @@ IceSecurity::Ssl::OpenSSL::Connection::shutdown() } void -IceSecurity::Ssl::OpenSSL::Connection::setTrace(const TraceLevelsPtr& traceLevels) -{ - _traceLevels = traceLevels; -} - -void -IceSecurity::Ssl::OpenSSL::Connection::setLogger(const LoggerPtr& traceLevels) -{ - _logger = traceLevels; -} - -void -IceSecurity::Ssl::OpenSSL::Connection::setHandshakeReadTimeout(int timeout) -{ +IceSSL::OpenSSL::Connection::setHandshakeReadTimeout(int timeout) +{
_handshakeReadTimeout = timeout; } -IceSecurity::Ssl::OpenSSL::ConnectionPtr -IceSecurity::Ssl::OpenSSL::Connection::getConnection(SSL* sslPtr) +IceSSL::OpenSSL::ConnectionPtr +IceSSL::OpenSSL::Connection::getConnection(SSL* sslPtr) { IceUtil::Mutex::Lock sync(_connectionRepositoryMutex); @@ -268,14 +159,14 @@ IceSecurity::Ssl::OpenSSL::Connection::getConnection(SSL* sslPtr) } int -IceSecurity::Ssl::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX* x509StoreContext) +IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX* x509StoreContext) { // Should NEVER be able to happen. assert(_certificateVerifier.get() != 0); // Get the verifier, make sure it is for OpenSSL connections - IceSecurity::Ssl::OpenSSL::CertificateVerifier* verifier; - verifier = dynamic_cast<IceSecurity::Ssl::OpenSSL::CertificateVerifier*>(_certificateVerifier.get()); + IceSSL::OpenSSL::CertificateVerifier* verifier; + verifier = dynamic_cast<IceSSL::OpenSSL::CertificateVerifier*>(_certificateVerifier.get()); // Check to make sure we have a proper verifier for the operation. if (verifier) @@ -288,7 +179,7 @@ IceSecurity::Ssl::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509 // Note: This code should NEVER be able to be reached, as we check each // CertificateVerifier as it is added to the System. - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) + if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS) { string errorString; @@ -314,7 +205,7 @@ IceSecurity::Ssl::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509 // int -IceSecurity::Ssl::OpenSSL::Connection::connect() +IceSSL::OpenSSL::Connection::connect() { int result = SSL_connect(_sslConnection); @@ -324,7 +215,7 @@ IceSecurity::Ssl::OpenSSL::Connection::connect() } int -IceSecurity::Ssl::OpenSSL::Connection::accept() +IceSSL::OpenSSL::Connection::accept() { int result = SSL_accept(_sslConnection); @@ -334,18 +225,18 @@ IceSecurity::Ssl::OpenSSL::Connection::accept() } int -IceSecurity::Ssl::OpenSSL::Connection::renegotiate() +IceSSL::OpenSSL::Connection::renegotiate() { return SSL_renegotiate(_sslConnection); } int -IceSecurity::Ssl::OpenSSL::Connection::initialize(int timeout) +IceSSL::OpenSSL::Connection::initialize(int timeout) { int retCode = 0; while (true) - { + {
// One lucky thread will get the honor of carrying out the hanshake, // if there is one to perform. The HandshakeSentinel effectively // establishes a first-come, first-serve policy. One thread will own @@ -383,8 +274,20 @@ IceSecurity::Ssl::OpenSSL::Connection::initialize(int timeout) return retCode; } +int
+IceSSL::OpenSSL::Connection::pending()
+{
+ return SSL_pending(_sslConnection);
+}
+
+int
+IceSSL::OpenSSL::Connection::getLastError() const
+{
+ return SSL_get_error(_sslConnection, _lastError);
+}
+
int -IceSecurity::Ssl::OpenSSL::Connection::sslRead(char* buffer, int bufferSize) +IceSSL::OpenSSL::Connection::sslRead(char* buffer, int bufferSize) { int bytesRead = SSL_read(_sslConnection, buffer, bufferSize); @@ -394,7 +297,7 @@ IceSecurity::Ssl::OpenSSL::Connection::sslRead(char* buffer, int bufferSize) } int -IceSecurity::Ssl::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize) +IceSSL::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize) { int bytesWritten = SSL_write(_sslConnection, buffer, bufferSize); @@ -413,7 +316,7 @@ IceSecurity::Ssl::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize) // the demo programs are doing, so I feel okay copying them. The only reason that I // have defined the buffer[] array is so that I have a valid buffer pointer. void -IceSecurity::Ssl::OpenSSL::Connection::protocolWrite() +IceSSL::OpenSSL::Connection::protocolWrite() { static char buffer[10]; @@ -426,7 +329,7 @@ IceSecurity::Ssl::OpenSSL::Connection::protocolWrite() } int -IceSecurity::Ssl::OpenSSL::Connection::readInBuffer(Buffer& buf) +IceSSL::OpenSSL::Connection::readInBuffer(Buffer& buf) { IceUtil::Mutex::Lock sync(_inBufferMutex); @@ -453,7 +356,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readInBuffer(Buffer& buf) // Erase the data that we've copied out of the _inBuffer. _inBuffer.b.erase(inBufferBegin, inBufferEndAt); - if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) + if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) { ostringstream protocolMsg; protocolMsg << "Copied " << dec << bytesRead << " bytes from SSL buffer\n"; @@ -467,7 +370,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readInBuffer(Buffer& buf) } int -IceSecurity::Ssl::OpenSSL::Connection::readSelect(int timeout) +IceSSL::OpenSSL::Connection::readSelect(int timeout) { int ret; SOCKET fd = SSL_get_fd(_sslConnection); @@ -513,7 +416,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readSelect(int timeout) } int -IceSecurity::Ssl::OpenSSL::Connection::writeSelect(int timeout) +IceSSL::OpenSSL::Connection::writeSelect(int timeout) { int ret; SOCKET fd = SSL_get_fd(_sslConnection); @@ -559,7 +462,7 @@ IceSecurity::Ssl::OpenSSL::Connection::writeSelect(int timeout) } int -IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) +IceSSL::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) { int packetSize = buf.b.end() - buf.i; int totalBytesRead = 0; @@ -600,7 +503,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) if (!bytesPending) { - if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) + if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) { _logger->trace(_traceLevels->securityCat, "No pending application-level bytes."); } @@ -730,7 +633,7 @@ IceSecurity::Ssl::OpenSSL::Connection::readSSL(Buffer& buf, int timeout) } string -IceSecurity::Ssl::OpenSSL::Connection::sslGetErrors() +IceSSL::OpenSSL::Connection::sslGetErrors() { string errorMessage; char buf[200]; @@ -773,7 +676,7 @@ IceSecurity::Ssl::OpenSSL::Connection::sslGetErrors() } void -IceSecurity::Ssl::OpenSSL::Connection::addConnection(SSL* sslPtr, Connection* connection) +IceSSL::OpenSSL::Connection::addConnection(SSL* sslPtr, Connection* connection) { assert(sslPtr); assert(connection); @@ -782,7 +685,7 @@ IceSecurity::Ssl::OpenSSL::Connection::addConnection(SSL* sslPtr, Connection* co } void -IceSecurity::Ssl::OpenSSL::Connection::removeConnection(SSL* sslPtr) +IceSSL::OpenSSL::Connection::removeConnection(SSL* sslPtr) { assert(sslPtr); IceUtil::Mutex::Lock sync(_connectionRepositoryMutex); @@ -790,7 +693,7 @@ IceSecurity::Ssl::OpenSSL::Connection::removeConnection(SSL* sslPtr) } void -IceSecurity::Ssl::OpenSSL::Connection::showCertificateChain(BIO* bio) +IceSSL::OpenSSL::Connection::showCertificateChain(BIO* bio) { STACK_OF(X509)* sk; @@ -819,7 +722,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showCertificateChain(BIO* bio) } void -IceSecurity::Ssl::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* connType) +IceSSL::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* connType) { X509* peerCert = 0; char buffer[4096]; @@ -849,7 +752,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showPeerCertificate(BIO* bio, const char* } void -IceSecurity::Ssl::OpenSSL::Connection::showSharedCiphers(BIO* bio) +IceSSL::OpenSSL::Connection::showSharedCiphers(BIO* bio) { char buffer[4096]; char* strpointer = 0; @@ -889,7 +792,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showSharedCiphers(BIO* bio) } void -IceSecurity::Ssl::OpenSSL::Connection::showSessionInfo(BIO* bio) +IceSSL::OpenSSL::Connection::showSessionInfo(BIO* bio) { if (_sslConnection->hit) { @@ -900,7 +803,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showSessionInfo(BIO* bio) } void -IceSecurity::Ssl::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio) +IceSSL::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio) { const char* str; SSL_CIPHER* cipher; @@ -916,7 +819,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showSelectedCipherInfo(BIO* bio) } void -IceSecurity::Ssl::OpenSSL::Connection::showHandshakeStats(BIO* bio) +IceSSL::OpenSSL::Connection::showHandshakeStats(BIO* bio) { BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n", BIO_number_read(SSL_get_rbio(_sslConnection)), @@ -924,7 +827,7 @@ IceSecurity::Ssl::OpenSSL::Connection::showHandshakeStats(BIO* bio) } void -IceSecurity::Ssl::OpenSSL::Connection::showClientCAList(BIO* bio, const char* connType) +IceSSL::OpenSSL::Connection::showClientCAList(BIO* bio, const char* connType) { char buffer[4096]; STACK_OF(X509_NAME)* sk = SSL_get_client_CA_list(_sslConnection); diff --git a/cpp/src/Ice/SslConnectionOpenSSL.h b/cpp/src/Ice/SslConnectionOpenSSL.h index ddd5467cdfb..d82fa73789f 100644 --- a/cpp/src/Ice/SslConnectionOpenSSL.h +++ b/cpp/src/Ice/SslConnectionOpenSSL.h @@ -15,14 +15,11 @@ #include <openssl/ssl.h> #include <IceUtil/Mutex.h> #include <Ice/SslConnection.h> -#include <Ice/SslSystemF.h> +#include <Ice/SslSystemInternalF.h> #include <Ice/SslConnectionOpenSSLF.h> #include <Ice/SslCertificateVerifierOpenSSL.h> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { namespace OpenSSL @@ -107,22 +104,6 @@ private: SafeFlag& _flag; }; -class DefaultCertificateVerifier : public IceSecurity::Ssl::OpenSSL::CertificateVerifier -{ - -public: - DefaultCertificateVerifier(); - - void setTraceLevels(const IceInternal::TraceLevelsPtr&); - void setLogger(const Ice::LoggerPtr&); - - virtual int verify(int, X509_STORE_CTX*, SSL*); - -private: - IceInternal::TraceLevelsPtr _traceLevels; - Ice::LoggerPtr _logger; -}; - // NOTE: This is a mapping from SSL* to Connection*, for use with the verifyCallback. // I have purposely not used ConnectionPtr here, as connections register themselves // with this map on construction and unregister themselves in the destructor. If @@ -130,11 +111,15 @@ private: // would always be a reference to them from the map. typedef std::map<SSL*, Connection*> SslConnectionMap; -class Connection : public IceSecurity::Ssl::Connection +class Connection : public IceSSL::Connection { public: - Connection(const IceSecurity::Ssl::CertificateVerifierPtr&, SSL*, const SystemPtr&); + Connection(const IceInternal::TraceLevelsPtr&,
+ const Ice::LoggerPtr&,
+ const IceSSL::CertificateVerifierPtr&,
+ SSL*,
+ const IceSSL::SystemInternalPtr&); virtual ~Connection(); virtual void shutdown(); @@ -144,9 +129,6 @@ public: virtual int init(int timeout = 0) = 0; - void setTrace(const IceInternal::TraceLevelsPtr& traceLevels); - void setLogger(const Ice::LoggerPtr& traceLevels); - void setHandshakeReadTimeout(int timeout); static ConnectionPtr getConnection(SSL*); @@ -161,8 +143,8 @@ protected: int renegotiate(); int initialize(int timeout); - inline int pending() { return SSL_pending(_sslConnection); }; - inline int getLastError() const { return SSL_get_error(_sslConnection, _lastError); }; + int pending(); + int getLastError() const; int sslRead(char*, int); int sslWrite(char*, int); @@ -199,7 +181,6 @@ protected: // Pointer to the OpenSSL Connection structure. SSL* _sslConnection; - SystemPtr _system; int _lastError; @@ -211,8 +192,8 @@ protected: ::IceUtil::Mutex _handshakeWaitMutex; - IceInternal::TraceLevelsPtr _traceLevels; - Ice::LoggerPtr _logger; + // IceInternal::TraceLevelsPtr _traceLevels; + // Ice::LoggerPtr _logger; SafeFlag _handshakeFlag; int _initWantRead; @@ -225,6 +206,4 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/SslConnectionOpenSSLClient.cpp b/cpp/src/Ice/SslConnectionOpenSSLClient.cpp index 45917272ceb..f564d8ffd69 100644 --- a/cpp/src/Ice/SslConnectionOpenSSLClient.cpp +++ b/cpp/src/Ice/SslConnectionOpenSSLClient.cpp @@ -18,8 +18,8 @@ #include <Ice/TraceLevels.h> #include <Ice/Logger.h> -using IceSecurity::Ssl::ShutdownException; -using IceSecurity::Ssl::SystemPtr; +using IceSSL::ShutdownException; +using IceSSL::SystemInternalPtr; using Ice::ConnectionLostException; using Ice::SocketException; @@ -40,36 +40,39 @@ using std::dec; // // Note: I would use a using directive of the form: -// using IceSecurity::Ssl::CertificateVerifierPtr; +// using IceSSL::CertificateVerifierPtr; // but unfortunately, it appears that this is not properly picked up. // -IceSecurity::Ssl::OpenSSL::ClientConnection::ClientConnection( - const IceSecurity::Ssl::CertificateVerifierPtr& certificateVerifier, - SSL* connection, - const SystemPtr& system) : - Connection(certificateVerifier, - connection, system) -{ +IceSSL::OpenSSL::ClientConnection::ClientConnection(
+ const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const IceSSL::CertificateVerifierPtr& certificateVerifier, + SSL* connection,
+ const IceSSL::SystemInternalPtr& system) : + Connection(traceLevels, logger, certificateVerifier, connection, system) +{
+ // Set the Connect Connection state for this connection.
+ SSL_set_connect_state(_sslConnection);
} -IceSecurity::Ssl::OpenSSL::ClientConnection::~ClientConnection() +IceSSL::OpenSSL::ClientConnection::~ClientConnection() { } void -IceSecurity::Ssl::OpenSSL::ClientConnection::shutdown() +IceSSL::OpenSSL::ClientConnection::shutdown() { Connection::shutdown(); } int -IceSecurity::Ssl::OpenSSL::ClientConnection::init(int timeout) +IceSSL::OpenSSL::ClientConnection::init(int timeout) { int retCode = SSL_is_init_finished(_sslConnection); while (!retCode) - { + {
int i = 0; _readTimeout = timeout > _handshakeReadTimeout ? timeout : _handshakeReadTimeout; @@ -193,7 +196,7 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::init(int timeout) } int -IceSecurity::Ssl::OpenSSL::ClientConnection::read(Buffer& buf, int timeout) +IceSSL::OpenSSL::ClientConnection::read(Buffer& buf, int timeout) { int totalBytesRead = 0; @@ -221,7 +224,7 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::read(Buffer& buf, int timeout) } int -IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) +IceSSL::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) { int totalBytesWritten = 0; int bytesWritten = 0; @@ -243,7 +246,7 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) // We keep reading until we're done while (buf.i != buf.b.end()) - { + {
// Ensure we're initialized. initReturn = initialize(timeout); @@ -392,10 +395,10 @@ IceSecurity::Ssl::OpenSSL::ClientConnection::write(Buffer& buf, int timeout) // This code blatantly stolen from OpenSSL demos, slightly repackaged, and completely ugly... void -IceSecurity::Ssl::OpenSSL::ClientConnection::showConnectionInfo() +IceSSL::OpenSSL::ClientConnection::showConnectionInfo() { // Only in extreme cases do we enable this, partially because it doesn't use the Logger. - if ((_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) && 0) + if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0) { BIO* bio = BIO_new_fp(stdout, BIO_NOCLOSE); diff --git a/cpp/src/Ice/SslConnectionOpenSSLClient.h b/cpp/src/Ice/SslConnectionOpenSSLClient.h index 1ed809c758b..d82cd5bd2bf 100644 --- a/cpp/src/Ice/SslConnectionOpenSSLClient.h +++ b/cpp/src/Ice/SslConnectionOpenSSLClient.h @@ -13,10 +13,7 @@ #include <Ice/SslConnectionOpenSSL.h> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { namespace OpenSSL @@ -26,7 +23,11 @@ class ClientConnection : public Connection { public: - ClientConnection(const IceSecurity::Ssl::CertificateVerifierPtr&, SSL*, const IceSecurity::Ssl::SystemPtr&); + ClientConnection(const IceInternal::TraceLevelsPtr&,
+ const Ice::LoggerPtr&,
+ const IceSSL::CertificateVerifierPtr&,
+ SSL*,
+ const IceSSL::SystemInternalPtr&); virtual ~ClientConnection(); virtual void shutdown(); virtual int init(int timeout = 0); @@ -43,6 +44,4 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/SslConnectionOpenSSLF.h b/cpp/src/Ice/SslConnectionOpenSSLF.h index c5f23022411..69a536facea 100644 --- a/cpp/src/Ice/SslConnectionOpenSSLF.h +++ b/cpp/src/Ice/SslConnectionOpenSSLF.h @@ -13,10 +13,7 @@ #include <Ice/Handle.h> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { namespace OpenSSL
@@ -29,13 +26,11 @@ typedef IceInternal::Handle<Connection> ConnectionPtr; } -} - namespace IceInternal { -void incRef(::IceSecurity::Ssl::OpenSSL::Connection*); -void decRef(::IceSecurity::Ssl::OpenSSL::Connection*); +void incRef(::IceSSL::OpenSSL::Connection*); +void decRef(::IceSSL::OpenSSL::Connection*); } diff --git a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp index 54497011d7b..07f16c809a1 100644 --- a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp +++ b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp @@ -18,9 +18,9 @@ #include <Ice/TraceLevels.h> #include <Ice/Logger.h> -using IceSecurity::Ssl::CertificateException; -using IceSecurity::Ssl::ProtocolException; -using IceSecurity::Ssl::SystemPtr; +using IceSSL::CertificateException; +using IceSSL::ProtocolException; +using IceSSL::SystemInternalPtr; using Ice::ConnectionLostException; using Ice::SocketException; @@ -42,33 +42,35 @@ using std::dec; // // Note: I would use a using directive of the form: -// using IceSecurity::Ssl::CertificateVerifierPtr; +// using IceSSL::CertificateVerifierPtr; // but unfortunately, it appears that this is not properly picked up. // -IceSecurity::Ssl::OpenSSL::ServerConnection::ServerConnection( - const IceSecurity::Ssl::CertificateVerifierPtr& certificateVerifier, - SSL* connection, - const SystemPtr& system) : - Connection(certificateVerifier, - connection, - system) +IceSSL::OpenSSL::ServerConnection::ServerConnection( + const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const IceSSL::CertificateVerifierPtr& certificateVerifier, + SSL* connection,
+ const IceSSL::SystemInternalPtr& system) : + Connection(traceLevels, logger, certificateVerifier, connection, system) { + // Set the Accept Connection state for this connection.
+ SSL_set_accept_state(_sslConnection);
} -IceSecurity::Ssl::OpenSSL::ServerConnection::~ServerConnection() +IceSSL::OpenSSL::ServerConnection::~ServerConnection() { } void -IceSecurity::Ssl::OpenSSL::ServerConnection::shutdown() +IceSSL::OpenSSL::ServerConnection::shutdown() { Connection::shutdown(); } int -IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) -{ +IceSSL::OpenSSL::ServerConnection::init(int timeout) +{
int retCode = SSL_is_init_finished(_sslConnection); while (!retCode) @@ -152,7 +154,7 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) } case SSL_ERROR_SYSCALL: - { + {
// This is a SOCKET_ERROR, but we don't use // this define here as OpenSSL doesn't refer // to it as a SOCKET_ERROR (but that's what it is @@ -207,7 +209,7 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) } retCode = SSL_is_init_finished(_sslConnection); - +
if (retCode > 0) { // Init finished, look at the connection information. @@ -219,7 +221,7 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::init(int timeout) } int -IceSecurity::Ssl::OpenSSL::ServerConnection::read(Buffer& buf, int timeout) +IceSSL::OpenSSL::ServerConnection::read(Buffer& buf, int timeout) { int bytesRead = 1; int totalBytesRead = 0; @@ -245,7 +247,7 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::read(Buffer& buf, int timeout) } int -IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) +IceSSL::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) { int totalBytesWritten = 0; int bytesWritten = 0; @@ -385,10 +387,10 @@ IceSecurity::Ssl::OpenSSL::ServerConnection::write(Buffer& buf, int timeout) // void -IceSecurity::Ssl::OpenSSL::ServerConnection::showConnectionInfo() -{ +IceSSL::OpenSSL::ServerConnection::showConnectionInfo() +{
// Only in extreme cases do we enable this, partially because it doesn't use the Logger. - if ((_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) && 0) + if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0) { BIO* bio = BIO_new_fp(stdout, BIO_NOCLOSE); diff --git a/cpp/src/Ice/SslConnectionOpenSSLServer.h b/cpp/src/Ice/SslConnectionOpenSSLServer.h index 09675377236..060c283bee2 100644 --- a/cpp/src/Ice/SslConnectionOpenSSLServer.h +++ b/cpp/src/Ice/SslConnectionOpenSSLServer.h @@ -13,10 +13,7 @@ #include <Ice/SslConnectionOpenSSL.h> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { namespace OpenSSL @@ -26,7 +23,11 @@ class ServerConnection : public Connection { public: - ServerConnection(const IceSecurity::Ssl::CertificateVerifierPtr&, SSL*, const IceSecurity::Ssl::SystemPtr&); + ServerConnection(const IceInternal::TraceLevelsPtr&,
+ const Ice::LoggerPtr&,
+ const IceSSL::CertificateVerifierPtr&,
+ SSL*,
+ const IceSSL::SystemInternalPtr&); virtual ~ServerConnection(); virtual void shutdown(); virtual int init(int timeout = 0); @@ -43,6 +44,4 @@ protected: } -} - #endif diff --git a/cpp/src/Ice/SslConnector.cpp b/cpp/src/Ice/SslConnector.cpp index 4df3a76b1e4..d8682ba595e 100644 --- a/cpp/src/Ice/SslConnector.cpp +++ b/cpp/src/Ice/SslConnector.cpp @@ -14,11 +14,10 @@ // The MSDN Library recommends that you put this pragma directive // in place to avoid the warnings. #ifdef WIN32 -#pragma warning(disable:4786) +# pragma warning(disable:4786) #endif -#include <Ice/SslFactory.h> -#include <Ice/SslSystem.h> +#include <Ice/SslSystemInternal.h> #include <Ice/SslConnector.h> #include <Ice/SslTransceiver.h> #include <Ice/Instance.h> @@ -36,9 +35,8 @@ using namespace IceInternal; using std::ostringstream; using std::string; -using IceSecurity::Ssl::Connection; -using IceSecurity::Ssl::Factory; -using IceSecurity::Ssl::SystemPtr; +using IceSSL::Connection; +using IceSSL::SystemInternalPtr; TransceiverPtr IceInternal::SslConnector::connect(int timeout) @@ -60,37 +58,12 @@ IceInternal::SslConnector::connect(int timeout) _logger->trace(_traceLevels->networkCat, s.str()); } - PropertiesPtr properties = _instance->properties(); + // Get an instance of the SslSystem + SystemInternalPtr sslSystem = _instance->getSslSystem();
+ assert(sslSystem != 0); - // This is the Ice SSL Configuration File on which we will base - // all connections in this communicator. - string configFile = properties->getProperty("Ice.Security.Ssl.Config"); - - // Get an instance of the SslOpenSSL singleton. - SystemPtr sslSystem = Factory::getSystem(configFile); - - if (!sslSystem->isTraceSet()) - { - sslSystem->setTrace(_traceLevels); - } - - if (!sslSystem->isLoggerSet()) - { - sslSystem->setLogger(_logger); - } - - if (!sslSystem->isPropertiesSet()) - { - sslSystem->setProperties(properties); - } - - // Initialize the server (if needed) - if (!sslSystem->isConfigLoaded()) - { - sslSystem->loadConfig(); - } - - TransceiverPtr transPtr = new SslTransceiver(_instance, fd, sslSystem->createClientConnection(fd)); + IceSSL::ConnectionPtr connection = sslSystem->createConnection(IceSSL::Client, fd);
+ TransceiverPtr transPtr = new SslTransceiver(_instance, fd, connection);
return transPtr; } @@ -102,9 +75,9 @@ IceInternal::SslConnector::toString() const } IceInternal::SslConnector::SslConnector(const InstancePtr& instance, const string& host, int port) : - _instance(instance), - _traceLevels(instance->traceLevels()), - _logger(instance->logger()) + _instance(instance), + _traceLevels(instance->traceLevels()), + _logger(instance->logger()) { getAddress(host.c_str(), port, _addr); } diff --git a/cpp/src/Ice/SslContextOpenSSL.cpp b/cpp/src/Ice/SslContextOpenSSL.cpp new file mode 100644 index 00000000000..76f78a2490e --- /dev/null +++ b/cpp/src/Ice/SslContextOpenSSL.cpp @@ -0,0 +1,619 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/Instance.h>
+#include <Ice/Properties.h>
+
+#include <Ice/DefaultCertificateVerifier.h>
+#include <Ice/SecurityException.h>
+#include <Ice/SslRSAKeyPair.h>
+#include <Ice/SslRSAPublicKey.h>
+#include <Ice/SslCertificateDesc.h>
+#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/SslContextOpenSSL.h>
+
+#include <Ice/SslJanitors.h>
+#include <Ice/SslOpenSSLUtils.h>
+
+using IceSSL::ConnectionPtr;
+
+IceSSL::OpenSSL::Context::~Context()
+{
+ if (_sslContext != 0)
+ {
+ SSL_CTX_free(_sslContext);
+
+ _sslContext = 0;
+ }
+}
+
+bool
+IceSSL::OpenSSL::Context::isConfigured()
+{
+ return (_sslContext != 0 ? true : false);
+}
+
+void
+IceSSL::OpenSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& verifier)
+{
+ _certificateVerifier = verifier;
+}
+
+void
+IceSSL::OpenSSL::Context::addTrustedCertificate(const std::string& trustedCertString)
+{
+ if (_sslContext == 0)
+ {
+ // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "SSL Context not configured.";
+
+ throw contextEx;
+ }
+
+ RSAPublicKey pubKey(trustedCertString);
+
+ X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);
+
+ int addedCertAuthorityCert = X509_STORE_add_cert(certStore, pubKey.getX509PublicKey());
+
+ // TODO: Make this an exception?
+ assert(addedCertAuthorityCert != 0);
+}
+
+void
+IceSSL::OpenSSL::Context::setRSAKeysBase64(const std::string& privateKey,
+ const std::string& publicKey)
+{
+ if (_sslContext == 0)
+ {
+ // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "SSL Context not configured.";
+
+ throw contextEx;
+ }
+
+ addKeyCert(privateKey, publicKey);
+}
+
+void
+IceSSL::OpenSSL::Context::setRSAKeys(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey)
+{
+ if (_sslContext == 0)
+ {
+ // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "SSL Context not configured.";
+
+ throw contextEx;
+ }
+
+ addKeyCert(privateKey, publicKey);
+}
+
+void
+IceSSL::OpenSSL::Context::configure(const GeneralConfig& generalConfig,
+ const CertificateAuthority& certificateAuthority,
+ const BaseCertificates& baseCertificates)
+{
+ // Create an SSL Context based on the context params.
+ createContext(generalConfig.getProtocol());
+
+ // Get the cipherlist and set it in the context.
+ setCipherList(generalConfig.getCipherList());
+
+ // Set the certificate verification mode.
+ SSL_CTX_set_verify(_sslContext, generalConfig.getVerifyMode(), verifyCallback);
+
+ // Set the certificate verify depth
+ SSL_CTX_set_verify_depth(_sslContext, generalConfig.getVerifyDepth());
+
+ // Process the RSA Certificate
+ setKeyCert(baseCertificates.getRSACert(), _rsaPrivateKeyProperty, _rsaPublicKeyProperty);
+
+ // Process the DSA Certificate
+ setKeyCert(baseCertificates.getDSACert(), _dsaPrivateKeyProperty, _dsaPublicKeyProperty);
+
+ // Set the DH key agreement parameters.
+ if (baseCertificates.getDHParams().getKeySize() != 0)
+ {
+ setDHParams(baseCertificates);
+ }
+}
+
+//
+// Protected
+//
+
+IceSSL::OpenSSL::Context::Context(const IceInternal::InstancePtr& instance) :
+ _traceLevels(instance->traceLevels()),
+ _logger(instance->logger()),
+ _properties(instance->properties())
+{
+ assert(_traceLevels != 0);
+ assert(_logger != 0);
+ assert(_properties != 0);
+
+ _certificateVerifier = new DefaultCertificateVerifier(instance);
+ _sslContext = 0;
+}
+
+SSL_METHOD*
+IceSSL::OpenSSL::Context::getSslMethod(SslProtocol sslVersion)
+{
+ SSL_METHOD* sslMethod = 0;
+
+ switch (sslVersion)
+ {
+ case SSL_V2 :
+ {
+ sslMethod = SSLv2_method();
+ break;
+ }
+
+ case SSL_V23 :
+ {
+ sslMethod = SSLv23_method();
+ break;
+ }
+
+ case SSL_V3 :
+ {
+ sslMethod = SSLv3_method();
+ break;
+ }
+
+ case TLS_V1 :
+ {
+ sslMethod = TLSv1_method();
+ break;
+ }
+
+ default :
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ std::string errorString;
+
+ errorString = "SSL Version ";
+ errorString += sslVersion;
+ errorString += " not supported - defaulting to SSL_V23.";
+ _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ }
+
+ sslMethod = SSLv23_method();
+ }
+ }
+
+ return sslMethod;
+}
+
+void
+IceSSL::OpenSSL::Context::createContext(SslProtocol sslProtocol)
+{
+ if (_sslContext != 0)
+ {
+ SSL_CTX_free(_sslContext);
+ _sslContext = 0;
+ }
+
+ _sslContext = SSL_CTX_new(getSslMethod(sslProtocol));
+
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Unable to create SSL Context.\n" + sslGetErrors();
+
+ throw contextEx;
+ }
+
+ // Turn off session caching, supposedly fixes a problem with multithreading.
+ SSL_CTX_set_session_cache_mode(_sslContext, SSL_SESS_CACHE_OFF);
+}
+
+void
+IceSSL::OpenSSL::Context::loadCertificateAuthority(const CertificateAuthority& certAuth)
+{
+ std::string fileName = certAuth.getCAFileName();
+ std::string certPath = certAuth.getCAPath();
+
+ const char* caFile = 0;
+ const char* caPath = 0;
+
+ // The following checks are required to send the expected values to the OpenSSL library.
+ // It does not like receiving "", but prefers NULLs.
+
+ if (!fileName.empty())
+ {
+ caFile = fileName.c_str();
+ }
+
+ if (!certPath.length())
+ {
+ caPath = certPath.c_str();
+ }
+
+ // SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback);
+
+ // Check the Certificate Authority file(s).
+ int loadVerifyRet = SSL_CTX_load_verify_locations(_sslContext, caFile, caPath);
+
+ if (!loadVerifyRet)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN Unable to load Certificate Authorities.");
+ }
+ }
+ else
+ {
+ int setDefaultVerifyPathsRet = SSL_CTX_set_default_verify_paths(_sslContext);
+
+
+ if (!setDefaultVerifyPathsRet && (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN Unable to verify Certificate Authorities.");
+ }
+ }
+
+ // Now we add whatever override/addition that we wish to put into the trusted certificates list
+ std::string caCertBase64 = _properties->getProperty(_caCertificateProperty);
+ if (!caCertBase64.empty())
+ {
+ addTrustedCertificate(caCertBase64);
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::setKeyCert(const CertificateDesc& certDesc,
+ const std::string& privateProperty,
+ const std::string& publicProperty)
+{
+ std::string privateKey;
+ std::string publicKey;
+
+ if (!privateProperty.empty())
+ {
+ privateKey = _properties->getProperty(privateProperty);
+ }
+
+ if (!publicProperty.empty())
+ {
+ publicKey = _properties->getProperty(publicProperty);
+ }
+
+ if (!privateKey.empty() && !publicKey.empty())
+ {
+ addKeyCert(privateKey, publicKey);
+ }
+ else if (certDesc.getKeySize() != 0)
+ {
+ const CertificateFile& privateKey = certDesc.getPrivate();
+ const CertificateFile& publicKey = certDesc.getPublic();
+
+ addKeyCert(privateKey, publicKey);
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const CertificateFile& publicCert)
+{
+ if (!publicCert.getFileName().empty())
+ {
+ std::string publicCertFile = publicCert.getFileName();
+ const char* publicFile = publicCertFile.c_str();
+ int publicEncoding = publicCert.getEncoding();
+
+ std::string privCertFile = privateKey.getFileName();
+ const char* privKeyFile = privCertFile.c_str();
+ int privKeyFileType = privateKey.getEncoding();
+
+ // Set which Public Key file to use.
+ if (SSL_CTX_use_certificate_file(_sslContext, publicFile, publicEncoding) <= 0)
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Unable to get certificate from '";
+ contextEx._message += publicFile;
+ contextEx._message += "'\n";
+ contextEx._message += sslGetErrors();
+
+ throw contextEx;
+ }
+
+ if (privateKey.getFileName().empty())
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
+ }
+
+ privKeyFile = publicFile;
+ privKeyFileType = publicEncoding;
+ }
+
+ // Set which Private Key file to use.
+ if (SSL_CTX_use_PrivateKey_file(_sslContext, privKeyFile, privKeyFileType) <= 0)
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Unable to get private key from '";
+ contextEx._message += privKeyFile;
+ contextEx._message += "'\n";
+ contextEx._message += sslGetErrors();
+
+ throw contextEx;
+ }
+
+ // Check to see if the Private and Public keys that have been
+ // set against the SSL context match up.
+ if (!SSL_CTX_check_private_key(_sslContext))
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Private key does not match the certificate public key.";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ contextEx._message += "\n";
+ contextEx._message += sslError;
+ }
+
+ throw contextEx;
+ }
+ }
+}
+
+//
+// TODO: Merge base functionality of addKeyCert()'s so they call a base.
+//
+
+void
+IceSSL::OpenSSL::Context::addKeyCert(const Ice::ByteSeq& privateKey, const Ice::ByteSeq& publicKey)
+{
+ Ice::ByteSeq privKey = privateKey;
+
+ if (privKey.empty())
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
+ }
+
+ privKey = publicKey;
+ }
+
+ // Make a key pair based on the Base64 encoded strings
+ RSAKeyPair keyPair(privKey, publicKey);
+
+ // Janitors to ensure that everything gets cleaned up properly
+ RSAJanitor rsaJanitor(keyPair.getRSAPrivateKey());
+ X509Janitor x509Janitor(keyPair.getX509PublicKey());
+
+ // Set which Public Key file to use.
+ if (SSL_CTX_use_certificate(_sslContext, x509Janitor.get()) <= 0)
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Unable to set certificate from memory.";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ contextEx._message += "\n";
+ contextEx._message += sslError;
+ }
+
+ throw contextEx;
+ }
+
+ x509Janitor.clear();
+
+ // Set which Private Key file to use.
+ if (SSL_CTX_use_RSAPrivateKey(_sslContext, rsaJanitor.get()) <= 0)
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Unable to set private key from memory.";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ contextEx._message += "\n";
+ contextEx._message += sslError;
+ }
+
+ throw contextEx;
+ }
+
+ rsaJanitor.clear();
+
+ // Check to see if the Private and Public keys that have been
+ // set against the SSL context match up.
+ if (!SSL_CTX_check_private_key(_sslContext))
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Private key does not match the certificate public key.";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ contextEx._message += "\n";
+ contextEx._message += sslError;
+ }
+
+ throw contextEx;
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::addKeyCert(const std::string& privateKey, const std::string& publicKey)
+{
+ std::string privKey = privateKey;
+
+ if (privKey.empty())
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate.");
+ }
+
+ privKey = publicKey;
+ }
+
+ // Make a key pair based on the Base64 encoded strings
+ RSAKeyPair keyPair(privKey, publicKey);
+
+ // Janitors to ensure that everything gets cleaned up properly
+ RSAJanitor rsaJanitor(keyPair.getRSAPrivateKey());
+ X509Janitor x509Janitor(keyPair.getX509PublicKey());
+
+ // Set which Public Key file to use.
+ if (SSL_CTX_use_certificate(_sslContext, x509Janitor.get()) <= 0)
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Unable to set certificate from memory.";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ contextEx._message += "\n";
+ contextEx._message += sslError;
+ }
+
+ throw contextEx;
+ }
+
+ x509Janitor.clear();
+
+ // Set which Private Key file to use.
+ if (SSL_CTX_use_RSAPrivateKey(_sslContext, rsaJanitor.get()) <= 0)
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Unable to set private key from memory.";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ contextEx._message += "\n";
+ contextEx._message += sslError;
+ }
+
+ throw contextEx;
+ }
+
+ rsaJanitor.clear();
+
+ // Check to see if the Private and Public keys that have been
+ // set against the SSL context match up.
+ if (!SSL_CTX_check_private_key(_sslContext))
+ {
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "Private key does not match the certificate public key.";
+ std::string sslError = sslGetErrors();
+
+ if (!sslError.empty())
+ {
+ contextEx._message += "\n";
+ contextEx._message += sslError;
+ }
+
+ throw contextEx;
+ }
+}
+
+SSL*
+IceSSL::OpenSSL::Context::createSSLConnection(int socket)
+{
+ SSL* sslConnection = SSL_new(_sslContext);
+
+ SSL_clear(sslConnection);
+
+ SSL_set_fd(sslConnection, socket);
+
+ return sslConnection;
+}
+
+void
+IceSSL::OpenSSL::Context::connectionSetup(const ConnectionPtr& connection)
+{
+ // Set the Post-Hanshake Read timeout
+ // This timeout is implemented once on the first read after hanshake.
+ int handshakeReadTimeout;
+ std::string value = _properties->getProperty(_handshakeTimeoutProperty);
+
+ if (!value.empty())
+ {
+ handshakeReadTimeout = atoi(value.c_str());
+ }
+ else
+ {
+ handshakeReadTimeout = 5000;
+ }
+
+ connection->setHandshakeReadTimeout(handshakeReadTimeout);
+}
+
+void
+IceSSL::OpenSSL::Context::setCipherList(const std::string& cipherList)
+{
+ if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(_sslContext, cipherList.c_str())) &&
+ (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
+ {
+ std::string errorString = "WRN Error setting cipher list " + cipherList + " - using default list.\n";
+ errorString += sslGetErrors();
+ _logger->trace(_traceLevels->securityCat, errorString);
+ }
+}
+
+void
+IceSSL::OpenSSL::Context::setDHParams(const BaseCertificates& baseCerts)
+{
+ DH* dh = 0;
+
+ std::string dhFile = baseCerts.getDHParams().getFileName();
+ int encoding = baseCerts.getDHParams().getEncoding();
+
+ // File type must be PEM - that's the only way we can load
+ // DH Params, apparently.
+ if ((!dhFile.empty()) && (encoding == SSL_FILETYPE_PEM))
+ {
+ dh = loadDHParam(dhFile.c_str());
+ }
+
+ if (dh == 0)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat,
+ "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key.");
+ }
+
+ dh = getTempDH512();
+ }
+
+ if (dh != 0)
+ {
+ SSL_CTX_set_tmp_dh(_sslContext, dh);
+
+ DH_free(dh);
+ }
+}
+
diff --git a/cpp/src/Ice/SslContextOpenSSL.h b/cpp/src/Ice/SslContextOpenSSL.h new file mode 100644 index 00000000000..de26f046987 --- /dev/null +++ b/cpp/src/Ice/SslContextOpenSSL.h @@ -0,0 +1,113 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_CONTEXT_OPENSSL_H
+#define ICE_SSL_CONTEXT_OPENSSL_H
+
+#include <IceUtil/Config.h>
+#include <IceUtil/Shared.h>
+#include <Ice/InstanceF.h>
+#include <Ice/TraceLevelsF.h>
+#include <Ice/LoggerF.h>
+#include <Ice/PropertiesF.h>
+#include <Ice/BuiltinSequences.h>
+
+#include <Ice/OpenSSL.h>
+
+#include <Ice/SslCertificateVerifierOpenSSL.h>
+
+#include <Ice/SslGeneralConfig.h>
+#include <Ice/SslCertificateAuthority.h>
+#include <Ice/SslBaseCerts.h>
+#include <Ice/SslTempCerts.h>
+
+#include <Ice/SslConnectionF.h>
+#include <Ice/SslConnectionOpenSSLF.h>
+#include <Ice/SslContextOpenSSLF.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class System;
+
+class Context : public IceUtil::Shared
+{
+
+public:
+ virtual ~Context();
+
+ bool isConfigured();
+
+ virtual void setCertificateVerifier(const CertificateVerifierPtr&);
+
+ virtual void addTrustedCertificate(const std::string&);
+
+ virtual void setRSAKeysBase64(const std::string&, const std::string&);
+
+ virtual void setRSAKeys(const Ice::ByteSeq&, const Ice::ByteSeq&);
+
+ virtual void configure(const IceSSL::GeneralConfig&,
+ const IceSSL::CertificateAuthority&,
+ const IceSSL::BaseCertificates&);
+
+ // Takes a socket fd.
+ virtual ::IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&) = 0;
+
+protected:
+ Context(const IceInternal::InstancePtr&);
+
+ SSL_METHOD* getSslMethod(SslProtocol);
+ void createContext(SslProtocol);
+
+ virtual void loadCertificateAuthority(const CertificateAuthority&);
+
+ void setKeyCert(const IceSSL::CertificateDesc&, const std::string&, const std::string&);
+
+ void addKeyCert(const IceSSL::CertificateFile&, const IceSSL::CertificateFile&);
+
+ void addKeyCert(const Ice::ByteSeq&, const Ice::ByteSeq&);
+
+ void addKeyCert(const std::string&, const std::string&);
+
+ SSL* createSSLConnection(int);
+
+ void connectionSetup(const IceSSL::OpenSSL::ConnectionPtr& connection);
+
+ void setCipherList(const std::string&);
+
+ void setDHParams(const IceSSL::BaseCertificates&);
+
+ IceInternal::TraceLevelsPtr _traceLevels;
+ Ice::LoggerPtr _logger;
+ Ice::PropertiesPtr _properties;
+
+ std::string _rsaPrivateKeyProperty;
+ std::string _rsaPublicKeyProperty;
+ std::string _dsaPrivateKeyProperty;
+ std::string _dsaPublicKeyProperty;
+ std::string _caCertificateProperty;
+ std::string _handshakeTimeoutProperty;
+
+ IceSSL::CertificateVerifierPtr _certificateVerifier;
+
+ SSL_CTX* _sslContext;
+
+ friend class IceSSL::OpenSSL::System;
+
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/SslContextOpenSSLClient.cpp b/cpp/src/Ice/SslContextOpenSSLClient.cpp new file mode 100644 index 00000000000..b1111dfdae6 --- /dev/null +++ b/cpp/src/Ice/SslContextOpenSSLClient.cpp @@ -0,0 +1,89 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/SecurityException.h>
+#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/SslContextOpenSSLClient.h>
+#include <Ice/SslConnectionOpenSSLClient.h>
+
+#include <Ice/TraceLevels.h>
+#include <Ice/Logger.h>
+
+#include <iostream>
+
+using IceSSL::ConnectionPtr;
+using IceSSL::SystemInternalPtr;
+
+IceSSL::OpenSSL::ClientContext::ClientContext(const IceInternal::InstancePtr& instance) :
+ Context(instance)
+{
+ _rsaPrivateKeyProperty = "Ice.SSL.Client.Overrides.RSA.PrivateKey";
+ _rsaPublicKeyProperty = "Ice.SSL.Client.Overrides.RSA.Certificate";
+ _dsaPrivateKeyProperty = "Ice.SSL.Client.Overrides.DSA.PrivateKey";
+ _dsaPublicKeyProperty = "Ice.SSL.Client.Overrides.DSA.Certificate";
+ _caCertificateProperty = "Ice.SSL.Client.Overrides.CACertificate";
+ _handshakeTimeoutProperty = "Ice.SSL.Client.Handshake.ReadTimeout";
+}
+
+void
+IceSSL::OpenSSL::ClientContext::configure(const GeneralConfig& generalConfig,
+ const CertificateAuthority& certificateAuthority,
+ const BaseCertificates& baseCertificates)
+{
+ Context::configure(generalConfig, certificateAuthority, baseCertificates);
+
+ loadCertificateAuthority(certificateAuthority);
+
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
+ {
+ std::ostringstream s;
+
+ s << std::endl;
+ s << "General Configuration - Client" << std::endl;
+ s << "------------------------------" << std::endl;
+ s << generalConfig << std::endl << std::endl;
+
+ s << "Certificate Authority - Client" << std::endl;
+ s << "------------------------------" << std::endl;
+ s << "File: " << certificateAuthority.getCAFileName() << std::endl;
+ s << "Path: " << certificateAuthority.getCAPath() << std::endl;
+
+ s << "Base Certificates - Client" << std::endl;
+ s << "--------------------------" << std::endl;
+ s << baseCertificates << std::endl;
+
+ _logger->trace(_traceLevels->securityCat, s.str());
+ }
+}
+
+IceSSL::ConnectionPtr
+IceSSL::OpenSSL::ClientContext::createConnection(int socket, const SystemInternalPtr& system)
+{
+ if (_sslContext == 0)
+ {
+ // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "SSL Context not configured.";
+
+ throw contextEx;
+ }
+
+ ConnectionPtr connection = new ClientConnection(_traceLevels,
+ _logger,
+ _certificateVerifier,
+ createSSLConnection(socket),
+ system);
+
+ connectionSetup(connection);
+
+ return connection;
+}
+
diff --git a/cpp/src/Ice/SslContextOpenSSLClient.h b/cpp/src/Ice/SslContextOpenSSLClient.h new file mode 100644 index 00000000000..fb95c7899fc --- /dev/null +++ b/cpp/src/Ice/SslContextOpenSSLClient.h @@ -0,0 +1,43 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_CONTEXT_OPENSSL_CLIENT_H
+#define ICE_SSL_CONTEXT_OPENSSL_CLIENT_H
+
+#include <Ice/SslContextOpenSSL.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class ClientContext : public Context
+{
+
+public:
+ virtual void configure(const IceSSL::GeneralConfig&,
+ const IceSSL::CertificateAuthority&,
+ const IceSSL::BaseCertificates&);
+
+ // Takes a socket fd.
+ virtual IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&);
+
+protected:
+ ClientContext(const IceInternal::InstancePtr&);
+
+ friend class IceSSL::OpenSSL::System;
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/SslContextOpenSSLF.h b/cpp/src/Ice/SslContextOpenSSLF.h new file mode 100644 index 00000000000..322c3d0b5aa --- /dev/null +++ b/cpp/src/Ice/SslContextOpenSSLF.h @@ -0,0 +1,37 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_CONTEXT_OPENSSL_F_H
+#define ICE_SSL_CONTEXT_OPENSSL_F_H
+
+#include <Ice/Handle.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class Context;
+typedef IceInternal::Handle<Context> ContextPtr;
+
+}
+
+}
+
+namespace IceInternal
+{
+
+void incRef(::IceSSL::OpenSSL::Context*);
+void decRef(::IceSSL::OpenSSL::Context*);
+
+}
+
+#endif
diff --git a/cpp/src/Ice/SslContextOpenSSLServer.cpp b/cpp/src/Ice/SslContextOpenSSLServer.cpp new file mode 100644 index 00000000000..8b38fc8f68b --- /dev/null +++ b/cpp/src/Ice/SslContextOpenSSLServer.cpp @@ -0,0 +1,142 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/SecurityException.h>
+#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/SslContextOpenSSLServer.h>
+#include <Ice/SslConnectionOpenSSLServer.h>
+#include <Ice/SslOpenSSLUtils.h>
+
+#include <Ice/TraceLevels.h>
+#include <Ice/Logger.h>
+
+#include <iostream.h>
+
+using IceSSL::ConnectionPtr;
+using IceSSL::SystemInternalPtr;
+
+void
+IceSSL::OpenSSL::ServerContext::configure(const GeneralConfig& generalConfig,
+ const CertificateAuthority& certificateAuthority,
+ const BaseCertificates& baseCertificates)
+{
+ Context::configure(generalConfig, certificateAuthority, baseCertificates);
+
+ assert(_sslContext != 0);
+
+ // On servers, Attempt to use non-export (strong) encryption
+ // first. This option does not always work, and in the OpenSSL
+ // documentation is declared as 'broken'.
+ // SSL_CTX_set_options(_sslContext, SSL_OP_NON_EXPORT_FIRST);
+
+ // Always use a new DH key when using Diffie-Hellman key agreement.
+ SSL_CTX_set_options(_sslContext, SSL_OP_SINGLE_DH_USE);
+
+ // Set the RSA Callback routine in case we need to build a temporary RSA key (ephemeral RSA).
+ SSL_CTX_set_tmp_rsa_callback(_sslContext, tmpRSACallback);
+
+ // Set the DH Callback routine in case we need a temporary DH key (ephemeral DH).
+ SSL_CTX_set_tmp_dh_callback(_sslContext, tmpDHCallback);
+
+ loadCertificateAuthority(certificateAuthority);
+
+ // Set the context for the SSL system [SERVER ONLY].
+ std::string connectionContext = generalConfig.getContext();
+ SSL_CTX_set_session_id_context(_sslContext,
+ reinterpret_cast<const unsigned char *>(connectionContext.c_str()),
+ connectionContext.size());
+
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
+ {
+ std::ostringstream s;
+
+ s << std::endl;
+ s << "General Configuration - Server" << std::endl;
+ s << "------------------------------" << std::endl;
+ s << generalConfig << std::endl << std::endl;
+
+ s << "CA File: " << certificateAuthority.getCAFileName() << std::endl;
+ s << "CA Path: " << certificateAuthority.getCAPath() << std::endl;
+
+ s << "Base Certificates - Server" << std::endl;
+ s << "--------------------------" << std::endl;
+ s << baseCertificates << std::endl << std::endl;
+
+ _logger->trace(_traceLevels->securityCat, s.str());
+ }
+}
+
+IceSSL::ConnectionPtr
+IceSSL::OpenSSL::ServerContext::createConnection(int socket, const SystemInternalPtr& system)
+{
+ if (_sslContext == 0)
+ {
+ // ContextNotConfiguredException contextEx(__FILE__, __LINE__);
+ IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ contextEx._message = "SSL Context not configured.";
+
+ throw contextEx;
+ }
+
+ ConnectionPtr connection = new ServerConnection(_traceLevels,
+ _logger,
+ _certificateVerifier,
+ createSSLConnection(socket),
+ system);
+
+ connectionSetup(connection);
+
+ return connection;
+}
+
+//
+// Protected
+//
+
+IceSSL::OpenSSL::ServerContext::ServerContext(const IceInternal::InstancePtr& instance) :
+ Context(instance)
+{
+ _rsaPrivateKeyProperty = "Ice.SSL.Server.Overrides.RSA.PrivateKey";
+ _rsaPublicKeyProperty = "Ice.SSL.Server.Overrides.RSA.Certificate";
+ _dsaPrivateKeyProperty = "Ice.SSL.Server.Overrides.DSA.PrivateKey";
+ _dsaPublicKeyProperty = "Ice.SSL.Server.Overrides.DSA.Certificate";
+ _caCertificateProperty = "Ice.SSL.Server.Overrides.CACertificate";
+ _handshakeTimeoutProperty = "Ice.SSL.Server.Handshake.ReadTimeout";
+}
+
+void
+IceSSL::OpenSSL::ServerContext::loadCertificateAuthority(const CertificateAuthority& certAuth)
+{
+ Context::loadCertificateAuthority(certAuth);
+
+ std::string caFile = certAuth.getCAFileName();
+
+ // TODO: Check this if things stop working
+ if (!caFile.empty())
+ {
+ STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str());
+
+ if (certNames == 0)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ std::string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n";
+ errorString += sslGetErrors();
+ _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
+ }
+ }
+ else
+ {
+ SSL_CTX_set_client_CA_list(_sslContext, certNames);
+ }
+ }
+}
+
diff --git a/cpp/src/Ice/SslContextOpenSSLServer.h b/cpp/src/Ice/SslContextOpenSSLServer.h new file mode 100644 index 00000000000..7b092911e41 --- /dev/null +++ b/cpp/src/Ice/SslContextOpenSSLServer.h @@ -0,0 +1,45 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_CONTEXT_OPENSSL_SERVER_H
+#define ICE_SSL_CONTEXT_OPENSSL_SERVER_H
+
+#include <Ice/SslContextOpenSSL.h>
+
+namespace IceSSL
+{
+
+namespace OpenSSL
+{
+
+class ServerContext : public Context
+{
+
+public:
+ virtual void configure(const IceSSL::GeneralConfig&,
+ const IceSSL::CertificateAuthority&,
+ const IceSSL::BaseCertificates&);
+
+ // Takes a socket fd.
+ virtual IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&);
+
+protected:
+ ServerContext(const IceInternal::InstancePtr&);
+
+ virtual void loadCertificateAuthority(const IceSSL::CertificateAuthority& certAuth);
+
+ friend class IceSSL::OpenSSL::System;
+};
+
+}
+
+}
+
+#endif
diff --git a/cpp/src/Ice/SslExtensionInternal.cpp b/cpp/src/Ice/SslExtensionInternal.cpp new file mode 100644 index 00000000000..fe8d8006593 --- /dev/null +++ b/cpp/src/Ice/SslExtensionInternal.cpp @@ -0,0 +1,36 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#include <Ice/SslExtensionInternal.h>
+#include <Ice/DefaultCertificateVerifier.h>
+#include <Ice/SingleCertificateVerifier.h>
+#include <Ice/BuiltinSequences.h>
+
+IceSSL::SslExtensionInternal::SslExtensionInternal(const IceInternal::InstancePtr& instance) :
+ _instance(instance)
+{
+}
+
+IceSSL::SslExtensionInternal::~SslExtensionInternal()
+{
+}
+
+::IceSSL::CertificateVerifierPtr
+IceSSL::SslExtensionInternal::getDefaultCertVerifier()
+{
+ return ::IceSSL::CertificateVerifierPtr(new IceSSL::OpenSSL::DefaultCertificateVerifier(_instance));
+}
+
+::IceSSL::CertificateVerifierPtr
+IceSSL::SslExtensionInternal::getSingleCertVerifier(const ::Ice::ByteSeq& certSeq)
+{
+ return ::IceSSL::CertificateVerifierPtr(new IceSSL::OpenSSL::SingleCertificateVerifier(certSeq));
+}
+
diff --git a/cpp/src/Ice/SslExtensionInternal.h b/cpp/src/Ice/SslExtensionInternal.h new file mode 100644 index 00000000000..449dbcecdd9 --- /dev/null +++ b/cpp/src/Ice/SslExtensionInternal.h @@ -0,0 +1,38 @@ +// **********************************************************************
+//
+// Copyright (c) 2002
+// MutableRealms, Inc.
+// Huntsville, AL, USA
+//
+// All Rights Reserved
+//
+// **********************************************************************
+
+#ifndef ICE_SSL_EXTENSION_INTERNAL_H
+#define ICE_SSL_EXTENSION_INTERNAL_H
+
+#include <Ice/InstanceF.h>
+#include <Ice/SslExtension.h>
+#include <Ice/SslCertificateVerifierF.h>
+
+namespace IceSSL
+{
+
+class SslExtensionInternal : public SslExtension
+{
+public:
+ SslExtensionInternal(const IceInternal::InstancePtr&);
+ virtual ~SslExtensionInternal();
+
+ virtual ::IceSSL::CertificateVerifierPtr getDefaultCertVerifier();
+
+ virtual ::IceSSL::CertificateVerifierPtr getSingleCertVerifier(const ::Ice::ByteSeq&);
+
+protected:
+ IceInternal::InstancePtr _instance;
+
+};
+
+}
+
+#endif
diff --git a/cpp/src/Ice/SslFactory.cpp b/cpp/src/Ice/SslFactory.cpp index 0503e256919..bdde9bfa6a4 100644 --- a/cpp/src/Ice/SslFactory.cpp +++ b/cpp/src/Ice/SslFactory.cpp @@ -16,7 +16,8 @@ #ifdef WIN32 #pragma warning(disable:4786) #endif - +
+#include <Ice/Instance.h>
#include <Ice/SslFactory.h> #include <Ice/SslSystemOpenSSL.h> #include <Ice/OpenSSL.h> @@ -29,17 +30,12 @@ #endif -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { // Static member instantiations. IceUtil::Mutex Factory::_systemRepositoryMutex; -SystemMap Factory::_systemRepository; SslHandleSystemMap Factory::_sslHandleSystemRepository; -int Factory::_evict = 0; extern "C" { @@ -68,9 +64,7 @@ SslLockKeeper lockKeeper; } -} - -void IceSecurity::Ssl::lockingCallback(int mode, int type, const char *file, int line) +void IceSSL::lockingCallback(int mode, int type, const char *file, int line) { if (mode & CRYPTO_LOCK) { @@ -82,167 +76,46 @@ void IceSecurity::Ssl::lockingCallback(int mode, int type, const char *file, int } } -IceSecurity::Ssl::SystemPtr -IceSecurity::Ssl::Factory::getSystem(const string& systemIdentifier) +IceSSL::SystemInternalPtr +IceSSL::Factory::getSystem(const IceInternal::InstancePtr& instance) { - IceUtil::Mutex::Lock sync(_systemRepositoryMutex); - - SystemPtr system = _systemRepository[systemIdentifier]; - - // Don't have that System. - if (!system) - { - // In our case, the systemIdentifier happens to be the - // SSL Configuration file. - - // This line would change based on the flavor of System that we're - // creating for the caller. - system = new OpenSSL::System(); - - if (system) - { - _systemRepository[systemIdentifier] = system; - } - } - - assert(system); - - reapSystems(); - + SystemInternalPtr system = new OpenSSL::System(instance); +
+ assert(system != 0); +
return system; } void -IceSecurity::Ssl::Factory::addSystemHandle(void* sslHandle, const SystemPtr& system) +IceSSL::Factory::addSystemHandle(void* sslHandle, const SystemInternalPtr& system) { - assert(system); - assert(sslHandle); + IceUtil::Mutex::Lock sync(_systemRepositoryMutex);
+
+ assert(system != 0); + assert(sslHandle != 0); _sslHandleSystemRepository[sslHandle] = system; } void -IceSecurity::Ssl::Factory::removeSystemHandle(void* sslHandle) +IceSSL::Factory::removeSystemHandle(void* sslHandle) { - assert(sslHandle); + IceUtil::Mutex::Lock sync(_systemRepositoryMutex);
+
+ assert(sslHandle != 0); _sslHandleSystemRepository.erase(sslHandle); } -IceSecurity::Ssl::SystemPtr -IceSecurity::Ssl::Factory::getSystemFromHandle(void* sslHandle) +IceSSL::SystemInternalPtr +IceSSL::Factory::getSystemFromHandle(void* sslHandle) { IceUtil::Mutex::Lock sync(_systemRepositoryMutex); - assert(sslHandle); + assert(sslHandle != 0); - SystemPtr& system = _sslHandleSystemRepository[sslHandle]; + SystemInternalPtr& system = _sslHandleSystemRepository[sslHandle]; - assert(system); - - reapSystems(); + assert(system != 0); return system; } -void -IceSecurity::Ssl::Factory::reapSystems() -{ - if (++_evict >= 10) - { - // Note: Double Eviction! We keep two maps, one keyed on the config file - // name that the System is based on (_systemRepository), the other - // keyed on a SSL* that was generated by the system in question - // (_sslHandleSystemRepository). - - _evict = 0; - - SystemMap::iterator p = _systemRepository.begin(); - - while (p != _systemRepository.end()) - { - // Check the reference count on each System - if ((*p).second->__getRef() == 1) - { - // If the Factory System Repository is the only one with a ref to it, erase - _systemRepository.erase(p++); - } - else - { - ++p; - } - } - -/* - SslHandleSystemMap::iterator r = _sslHandleSystemRepository.begin(); - - while (r != _sslHandleSystemRepository.end()) - { - // Check the reference count on each System - if ((*r).second->__getRef() == 1) - { - // If the SSL Handle System Repository is the only one with a ref to it, erase - _sslHandleSystemRepository.erase(r++); - } - else - { - ++r; - } - } -*/ - } -} - -void -IceSecurity::Ssl::setSystemCertificateVerifier(const string& systemIdentifier, - SslContextType contextType, - const CertificateVerifierPtr& certificateVerifier) -{ - SystemPtr sslSystem = Factory::getSystem(systemIdentifier); - - if ((contextType == Client) || (contextType == ClientServer)) - { - sslSystem->setClientCertificateVerifier(certificateVerifier); - } - - if ((contextType == Server) || (contextType == ClientServer)) - { - sslSystem->setServerCertificateVerifier(certificateVerifier); - } -} - -void -IceSecurity::Ssl::setSystemCertAuthCertificate(const string& systemIdentifier, - SslContextType contextType, - const string& caCertString) -{ - SystemPtr sslSystem = Factory::getSystem(systemIdentifier); - - if ((contextType == Client) || (contextType == ClientServer)) - { - sslSystem->setClientCertAuthorityCertificate(caCertString); - } - - if ((contextType == Server) || (contextType == ClientServer)) - { - sslSystem->setServerCertAuthorityCertificate(caCertString); - } -} - -void -IceSecurity::Ssl::setSystemRSAKeysBase64(const string& systemIdentifier, - SslContextType contextType, - const string& privateKey, - const string& publicKey) -{ - SystemPtr sslSystem = Factory::getSystem(systemIdentifier); - - if ((contextType == Client) || (contextType == ClientServer)) - { - sslSystem->setClientRSAKeysBase64(privateKey, publicKey); - } - - if ((contextType == Server) || (contextType == ClientServer)) - { - sslSystem->setServerRSAKeysBase64(privateKey, publicKey); - } -} - diff --git a/cpp/src/Ice/SslFactory.h b/cpp/src/Ice/SslFactory.h index ed9c1c05af7..927541ba97c 100644 --- a/cpp/src/Ice/SslFactory.h +++ b/cpp/src/Ice/SslFactory.h @@ -11,21 +11,18 @@ #ifndef ICE_SSL_FACTORY_H #define ICE_SSL_FACTORY_H -#include <string> -#include <map> -#include <IceUtil/Mutex.h> -#include <Ice/SslSystemF.h> +#include <IceUtil/Mutex.h>
+#include <Ice/InstanceF.h>
+#include <Ice/SslSystemInternalF.h> #include <Ice/SslCertificateVerifierF.h> -#include <Ice/Security.h> -namespace IceSecurity +#include <string>
+#include <map>
+
+namespace IceSSL { -namespace Ssl -{ - -typedef std::map<std::string, SystemPtr> SystemMap; -typedef std::map<void*, SystemPtr> SslHandleSystemMap; +typedef std::map<void*, SystemInternalPtr> SslHandleSystemMap; // This is defined as a class so as to ensure encapsulation. We don't // want just anybody creating System instances - when all this is moved @@ -37,24 +34,18 @@ class Factory { public: - static SystemPtr getSystem(const std::string&); + static SystemInternalPtr getSystem(const IceInternal::InstancePtr&); // System Handle related methods - static void addSystemHandle(void*, const SystemPtr&); + static void addSystemHandle(void*, const SystemInternalPtr&); static void removeSystemHandle(void*); - static SystemPtr getSystemFromHandle(void*); + static SystemInternalPtr getSystemFromHandle(void*); private: static SslHandleSystemMap _sslHandleSystemRepository; - static SystemMap _systemRepository; static ::IceUtil::Mutex _systemRepositoryMutex; - static int _evict; - - static void reapSystems(); }; } -} - #endif diff --git a/cpp/src/Ice/SslGeneralConfig.cpp b/cpp/src/Ice/SslGeneralConfig.cpp index 4178ed85de7..c8863c84b9b 100644 --- a/cpp/src/Ice/SslGeneralConfig.cpp +++ b/cpp/src/Ice/SslGeneralConfig.cpp @@ -24,7 +24,7 @@ using namespace std; -IceSecurity::Ssl::GeneralConfig::GeneralConfig() +IceSSL::GeneralConfig::GeneralConfig() { _sslVersion = SSL_V23; @@ -35,9 +35,45 @@ IceSecurity::Ssl::GeneralConfig::GeneralConfig() _cipherList = ""; _randomBytesFiles = ""; } +
+IceSSL::SslProtocol
+IceSSL::GeneralConfig::getProtocol() const
+{
+ return _sslVersion;
+}
+
+int
+IceSSL::GeneralConfig::getVerifyMode() const
+{
+ return _verifyMode;
+}
+
+int
+IceSSL::GeneralConfig::getVerifyDepth() const
+{
+ return _verifyDepth;
+}
+
+std::string
+IceSSL::GeneralConfig::getContext() const
+{
+ return _context;
+}
+
+std::string
+IceSSL::GeneralConfig::getCipherList() const
+{
+ return _cipherList;
+}
+
+std::string
+IceSSL::GeneralConfig::getRandomBytesFiles() const
+{
+ return _randomBytesFiles;
+}
void -IceSecurity::Ssl::GeneralConfig::set(string& name, string& value) +IceSSL::GeneralConfig::set(string& name, string& value) { if (name.compare("version") == 0) { @@ -71,7 +107,7 @@ IceSecurity::Ssl::GeneralConfig::set(string& name, string& value) // void -IceSecurity::Ssl::GeneralConfig::parseVersion(string& value) +IceSSL::GeneralConfig::parseVersion(string& value) { if (value.compare("SSLv2") == 0) { @@ -94,7 +130,7 @@ IceSecurity::Ssl::GeneralConfig::parseVersion(string& value) } void -IceSecurity::Ssl::GeneralConfig::parseVerifyMode(string& value) +IceSSL::GeneralConfig::parseVerifyMode(string& value) { const string delim = " |\t\n\r"; diff --git a/cpp/src/Ice/SslGeneralConfig.h b/cpp/src/Ice/SslGeneralConfig.h index 5ef95e94bcd..35617612066 100644 --- a/cpp/src/Ice/SslGeneralConfig.h +++ b/cpp/src/Ice/SslGeneralConfig.h @@ -11,13 +11,10 @@ #ifndef ICE_SSL_GENERAL_CONFIG_H #define ICE_SSL_GENERAL_CONFIG_H -#include <Ice/SslSystemOpenSSL.h> +#include <Ice/OpenSSL.h> #include <string> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class GeneralConfig @@ -26,13 +23,13 @@ class GeneralConfig public: GeneralConfig(); - inline SslProtocol getProtocol() const { return _sslVersion; }; - inline int getVerifyMode() const { return _verifyMode; }; - inline int getVerifyDepth() const { return _verifyDepth; }; + SslProtocol getProtocol() const; + int getVerifyMode() const; + int getVerifyDepth() const; - inline std::string getContext() const { return _context; }; - inline std::string getCipherList() const { return _cipherList; }; - inline std::string getRandomBytesFiles() const { return _randomBytesFiles; }; + std::string getContext() const; + std::string getCipherList() const; + std::string getRandomBytesFiles() const; // General method - it will figure out how to properly parse the data. void set(std::string&, std::string&); @@ -67,6 +64,4 @@ Stream& operator << (Stream& target, const GeneralConfig& generalConfig) } -} - #endif diff --git a/cpp/src/Ice/SslIceUtils.cpp b/cpp/src/Ice/SslIceUtils.cpp index 2a443f75d18..69858fb51df 100644 --- a/cpp/src/Ice/SslIceUtils.cpp +++ b/cpp/src/Ice/SslIceUtils.cpp @@ -13,14 +13,15 @@ #include <iterator> void -IceSecurity::Ssl::ucharToByteSeq(unsigned char* ucharBuffer, int length, Ice::ByteSeq& destBuffer) -{ +IceSSL::ucharToByteSeq(unsigned char* ucharBuffer, int length, Ice::ByteSeq& destBuffer) +{
+ assert(ucharBuffer != 0); destBuffer.reserve(length); std::copy(ucharBuffer, (ucharBuffer + length), std::back_inserter(destBuffer)); } unsigned char* -IceSecurity::Ssl::byteSeqToUChar(const Ice::ByteSeq& sequence) +IceSSL::byteSeqToUChar(const Ice::ByteSeq& sequence) { int seqSize = sequence.size(); diff --git a/cpp/src/Ice/SslIceUtils.h b/cpp/src/Ice/SslIceUtils.h index 274d66c36dc..e30626469d3 100644 --- a/cpp/src/Ice/SslIceUtils.h +++ b/cpp/src/Ice/SslIceUtils.h @@ -14,10 +14,7 @@ #include <IceUtil/Config.h> #include <Ice/BuiltinSequences.h> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { void ucharToByteSeq(unsigned char*, int, Ice::ByteSeq&); @@ -26,7 +23,5 @@ unsigned char* byteSeqToUChar(const Ice::ByteSeq&); } -} - #endif diff --git a/cpp/src/Ice/SslJanitors.cpp b/cpp/src/Ice/SslJanitors.cpp index 66a70421dec..d9e1f1c2982 100644 --- a/cpp/src/Ice/SslJanitors.cpp +++ b/cpp/src/Ice/SslJanitors.cpp @@ -10,12 +10,12 @@ #include <Ice/SslJanitors.h>
-IceSecurity::Ssl::OpenSSL::RSAJanitor::RSAJanitor(RSA* rsa) :
- _rsa(rsa)
+IceSSL::OpenSSL::RSAJanitor::RSAJanitor(RSA* rsa) :
+ _rsa(rsa)
{
}
-IceSecurity::Ssl::OpenSSL::RSAJanitor::~RSAJanitor()
+IceSSL::OpenSSL::RSAJanitor::~RSAJanitor()
{
if (_rsa)
{
@@ -24,24 +24,24 @@ IceSecurity::Ssl::OpenSSL::RSAJanitor::~RSAJanitor() }
void
-IceSecurity::Ssl::OpenSSL::RSAJanitor::clear()
+IceSSL::OpenSSL::RSAJanitor::clear()
{
_rsa = 0;
}
RSA*
-IceSecurity::Ssl::OpenSSL::RSAJanitor::get() const
+IceSSL::OpenSSL::RSAJanitor::get() const
{
return _rsa;
}
-IceSecurity::Ssl::OpenSSL::EVP_PKEYJanitor::EVP_PKEYJanitor(EVP_PKEY* evp_pkey) :
- _evp_pkey(evp_pkey)
+IceSSL::OpenSSL::EVP_PKEYJanitor::EVP_PKEYJanitor(EVP_PKEY* evp_pkey) :
+ _evp_pkey(evp_pkey)
{
}
-IceSecurity::Ssl::OpenSSL::EVP_PKEYJanitor::~EVP_PKEYJanitor()
+IceSSL::OpenSSL::EVP_PKEYJanitor::~EVP_PKEYJanitor()
{
if (_evp_pkey)
{
@@ -50,23 +50,23 @@ IceSecurity::Ssl::OpenSSL::EVP_PKEYJanitor::~EVP_PKEYJanitor() }
void
-IceSecurity::Ssl::OpenSSL::EVP_PKEYJanitor::clear()
+IceSSL::OpenSSL::EVP_PKEYJanitor::clear()
{
_evp_pkey = 0;
}
EVP_PKEY*
-IceSecurity::Ssl::OpenSSL::EVP_PKEYJanitor::get() const
+IceSSL::OpenSSL::EVP_PKEYJanitor::get() const
{
return _evp_pkey;
}
-IceSecurity::Ssl::OpenSSL::X509_REQJanitor::X509_REQJanitor(X509_REQ* x509_req) :
- _x509_req(x509_req)
+IceSSL::OpenSSL::X509_REQJanitor::X509_REQJanitor(X509_REQ* x509_req) :
+ _x509_req(x509_req)
{
}
-IceSecurity::Ssl::OpenSSL::X509_REQJanitor::~X509_REQJanitor()
+IceSSL::OpenSSL::X509_REQJanitor::~X509_REQJanitor()
{
if (_x509_req)
{
@@ -75,25 +75,25 @@ IceSecurity::Ssl::OpenSSL::X509_REQJanitor::~X509_REQJanitor() }
void
-IceSecurity::Ssl::OpenSSL::X509_REQJanitor::clear()
+IceSSL::OpenSSL::X509_REQJanitor::clear()
{
_x509_req = 0;
}
X509_REQ*
-IceSecurity::Ssl::OpenSSL::X509_REQJanitor::get() const
+IceSSL::OpenSSL::X509_REQJanitor::get() const
{
return _x509_req;
}
-IceSecurity::Ssl::OpenSSL::X509Janitor::X509Janitor(X509* x509) :
- _x509(x509)
+IceSSL::OpenSSL::X509Janitor::X509Janitor(X509* x509) :
+ _x509(x509)
{
}
-IceSecurity::Ssl::OpenSSL::X509Janitor::~X509Janitor()
+IceSSL::OpenSSL::X509Janitor::~X509Janitor()
{
if (_x509)
{
@@ -102,13 +102,13 @@ IceSecurity::Ssl::OpenSSL::X509Janitor::~X509Janitor() }
void
-IceSecurity::Ssl::OpenSSL::X509Janitor::clear()
+IceSSL::OpenSSL::X509Janitor::clear()
{
_x509 = 0;
}
X509*
-IceSecurity::Ssl::OpenSSL::X509Janitor::get() const
+IceSSL::OpenSSL::X509Janitor::get() const
{
return _x509;
}
diff --git a/cpp/src/Ice/SslJanitors.h b/cpp/src/Ice/SslJanitors.h index ddec6a60ec0..2073793daa0 100644 --- a/cpp/src/Ice/SslJanitors.h +++ b/cpp/src/Ice/SslJanitors.h @@ -14,10 +14,7 @@ #include <IceUtil/Config.h>
#include <openssl/ssl.h>
-namespace IceSecurity
-{
-
-namespace Ssl
+namespace IceSSL
{
namespace OpenSSL
@@ -79,6 +76,4 @@ private: }
-}
-
#endif
diff --git a/cpp/src/Ice/SslOpenSSLUtils.cpp b/cpp/src/Ice/SslOpenSSLUtils.cpp index fe4dc2a3694..f4eb3bb29e2 100644 --- a/cpp/src/Ice/SslOpenSSLUtils.cpp +++ b/cpp/src/Ice/SslOpenSSLUtils.cpp @@ -9,6 +9,11 @@ // **********************************************************************
#include <Ice/SslOpenSSLUtils.h>
+#include <Ice/SslSystemInternalF.h>
+#include <Ice/SslSystemOpenSSL.h>
+#include <Ice/SslFactory.h>
+#include <openssl/err.h>
+#include <assert.h>
using std::string;
@@ -17,6 +22,30 @@ using std::string; // have been abducted from the OpenSSL X509 library, and modified to work with the STL
// basic_string template.
+//
+// TODO: These Diffie-Hellman params have been blatantly stolen from
+// OpenSSL's demo programs. We SHOULD define our own here, but
+// these will suffice for testing purposes. Please note, these
+// are not keys themselves, simply a DH Group that allows OpenSSL
+// to create Diffie-Hellman keys.
+//
+
+// Instantiation of temporary Diffie-Hellman 512bit key.
+unsigned char tempDiffieHellman512p[] =
+{
+ 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+ 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+ 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+ 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+ 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+ 0x47,0x74,0xE8,0x33,
+};
+
+unsigned char tempDiffieHellman512g[] =
+{
+ 0x02,
+};
+
static const char *mon[12]=
{
"Jan","Feb","Mar","Apr","May","Jun",
@@ -24,8 +53,10 @@ static const char *mon[12]= };
string
-IceSecurity::Ssl::OpenSSL::getGeneralizedTime(ASN1_GENERALIZEDTIME *tm)
+IceSSL::OpenSSL::getGeneralizedTime(ASN1_GENERALIZEDTIME *tm)
{
+ assert(tm != 0);
+
char buf[30];
int gmt = 0, y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
@@ -77,8 +108,10 @@ err: }
string
-IceSecurity::Ssl::OpenSSL::getUTCTime(ASN1_UTCTIME *tm)
+IceSSL::OpenSSL::getUTCTime(ASN1_UTCTIME *tm)
{
+ assert(tm != 0);
+
char buf[30];
int gmt = 0, y = 0, M = 0, d = 0, h = 0, m = 0, s = 0;
@@ -134,8 +167,10 @@ err: }
string
-IceSecurity::Ssl::OpenSSL::getASN1time(ASN1_TIME *tm)
+IceSSL::OpenSSL::getASN1time(ASN1_TIME *tm)
{
+ assert(tm != 0);
+
string theTime;
switch (tm->type)
@@ -159,3 +194,174 @@ IceSecurity::Ssl::OpenSSL::getASN1time(ASN1_TIME *tm) return theTime;
}
+DH*
+IceSSL::OpenSSL::loadDHParam(const char* dhfile)
+{
+ assert(dhfile);
+
+ DH* ret = 0;
+ BIO* bio;
+
+ if ((bio = BIO_new_file(dhfile,"r")) != 0)
+ {
+ ret = PEM_read_bio_DHparams(bio, 0, 0, 0);
+ }
+
+ if (bio != 0)
+ {
+ BIO_free(bio);
+ }
+
+ return ret;
+}
+
+DH*
+IceSSL::OpenSSL::getTempDH(unsigned char* p, int plen, unsigned char* g, int glen)
+{
+ assert(p != 0);
+ assert(g != 0);
+
+ DH* dh = 0;
+
+ if ((dh = DH_new()) != 0)
+ {
+ dh->p = BN_bin2bn(p, plen, 0);
+
+ dh->g = BN_bin2bn(g, glen, 0);
+
+ if ((dh->p == 0) || (dh->g == 0))
+ {
+ DH_free(dh);
+ dh = 0;
+ }
+ }
+
+ return dh;
+}
+
+DH*
+IceSSL::OpenSSL::getTempDH512()
+{
+ DH* dh = getTempDH(tempDiffieHellman512p, sizeof(tempDiffieHellman512p),
+ tempDiffieHellman512g, sizeof(tempDiffieHellman512g));
+
+ return dh;
+}
+
+string
+IceSSL::OpenSSL::sslGetErrors()
+{
+ string errorMessage;
+ char buf[200];
+ char bigBuffer[1024];
+ const char* file = 0;
+ const char* data = 0;
+ int line = 0;
+ int flags = 0;
+ unsigned errorCode = 0;
+ int errorNum = 1;
+
+ unsigned long es = CRYPTO_thread_id();
+
+ while ((errorCode = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0)
+ {
+ sprintf(bigBuffer,"%6d - Thread ID: %lu\n", errorNum, es);
+ errorMessage += bigBuffer;
+
+ sprintf(bigBuffer,"%6d - Error: %u\n", errorNum, errorCode);
+ errorMessage += bigBuffer;
+
+ // Request an error from the OpenSSL library
+ ERR_error_string_n(errorCode, buf, sizeof(buf));
+ sprintf(bigBuffer,"%6d - Message: %s\n", errorNum, buf);
+ errorMessage += bigBuffer;
+
+ sprintf(bigBuffer,"%6d - Location: %s, %d\n", errorNum, file, line);
+ errorMessage += bigBuffer;
+
+ if (flags & ERR_TXT_STRING)
+ {
+ sprintf(bigBuffer,"%6d - Data: %s\n", errorNum, data);
+ errorMessage += bigBuffer;
+ }
+
+ errorNum++;
+ }
+
+ ERR_clear_error();
+
+ return errorMessage;
+}
+
+extern "C"
+{
+
+RSA*
+tmpRSACallback(SSL* sslConnection, int isExport, int keyLength)
+{
+ assert(sslConnection != 0);
+
+ IceSSL::SystemInternalPtr sslSystem = IceSSL::Factory::getSystemFromHandle(sslConnection);
+ assert(sslSystem != 0);
+
+ IceSSL::OpenSSL::System* openSslSystem = dynamic_cast<IceSSL::OpenSSL::System*>(sslSystem.get());
+ assert(openSslSystem != 0);
+
+ RSA* rsaKey = openSslSystem->getRSAKey(isExport, keyLength);
+ assert(rsaKey != 0);
+
+ return rsaKey;
+}
+
+DH*
+tmpDHCallback(SSL* sslConnection, int isExport, int keyLength)
+{
+ assert(sslConnection != 0);
+
+ IceSSL::SystemInternalPtr sslSystem = IceSSL::Factory::getSystemFromHandle(sslConnection);
+ assert(sslSystem != 0);
+
+ IceSSL::OpenSSL::System* openSslSystem = dynamic_cast<IceSSL::OpenSSL::System*>(sslSystem.get());
+ assert(openSslSystem != 0);
+
+ DH* dh = openSslSystem->getDHParams(isExport, keyLength);
+ assert(dh != 0);
+
+ return dh;
+}
+
+// verifyCallback - Certificate Verification callback function.
+int
+verifyCallback(int ok, X509_STORE_CTX* ctx)
+{
+ assert(ctx != 0);
+
+ // Tricky method to get access to our connection. I would use SSL_get_ex_data() to get
+ // the Connection object, if only I had some way to retrieve the index of the object
+ // in this function. Hence, we have to invent our own reference system here.
+ SSL* sslConnection = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()));
+ assert(sslConnection != 0);
+
+ IceSSL::OpenSSL::ConnectionPtr connection = IceSSL::OpenSSL::Connection::getConnection(sslConnection);
+ assert(connection != 0);
+
+ // Call the connection, get it to perform the verification.
+ int retCode = connection->verifyCertificate(ok, ctx);
+
+ return retCode;
+}
+
+// TODO: This is a complete hack to get this working again with the CA certificate.
+// Of course, this will have to be rewritten to handle this in the same manner
+// as the verifyCallback does.
+// -ASN
+int
+passwordCallback(char* buffer, int bufferSize, int rwFlag, void* userData)
+{
+ strncpy(buffer, "demo", bufferSize);
+ buffer[bufferSize - 1] = '\0';
+ return strlen(buffer);
+}
+
+}
+
diff --git a/cpp/src/Ice/SslOpenSSLUtils.h b/cpp/src/Ice/SslOpenSSLUtils.h index 56434e1ee79..197f424b9fd 100644 --- a/cpp/src/Ice/SslOpenSSLUtils.h +++ b/cpp/src/Ice/SslOpenSSLUtils.h @@ -11,23 +11,41 @@ #include <openssl/ssl.h>
#include <string>
-namespace IceSecurity
-{
-
-namespace Ssl
+namespace IceSSL
{
namespace OpenSSL
{
-std::string getGeneralizedTime(ASN1_GENERALIZEDTIME *tm);
+extern int connectionIndex;
+
+std::string getGeneralizedTime(ASN1_GENERALIZEDTIME*);
+
+std::string getUTCTime(ASN1_UTCTIME*);
+
+std::string getASN1time(ASN1_TIME*);
+
+DH* loadDHParam(const char*);
+
+DH* getTempDH(unsigned char*, int, unsigned char*, int);
-std::string getUTCTime(ASN1_UTCTIME *tm);
+DH* getTempDH512();
-std::string getASN1time(ASN1_TIME *tm);
+std::string sslGetErrors();
}
}
+extern "C"
+{
+
+RSA* tmpRSACallback(SSL*, int, int);
+
+DH* tmpDHCallback(SSL*, int, int);
+
+int verifyCallback(int, X509_STORE_CTX*);
+
+int passwordCallback(char*, int, int, void*);
+
}
diff --git a/cpp/src/Ice/SslRSACertificateGen.cpp b/cpp/src/Ice/SslRSACertificateGen.cpp index b0a8ba06a08..0669983e94e 100644 --- a/cpp/src/Ice/SslRSACertificateGen.cpp +++ b/cpp/src/Ice/SslRSACertificateGen.cpp @@ -20,155 +20,155 @@ using std::string;
using std::back_inserter;
-using namespace IceSecurity::Ssl::OpenSSL;
+using namespace IceSSL::OpenSSL;
long
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::minutesToSeconds(long minutes)
+IceSSL::OpenSSL::RSACertificateGenContext::minutesToSeconds(long minutes)
{
return minutes * 60L;
}
long
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::hoursToSeconds(long hours)
+IceSSL::OpenSSL::RSACertificateGenContext::hoursToSeconds(long hours)
{
return minutesToSeconds(hours * 60L);
}
long
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::daysToSeconds(long days)
+IceSSL::OpenSSL::RSACertificateGenContext::daysToSeconds(long days)
{
return hoursToSeconds(days * 24L);
}
long
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::weeksToSeconds(long weeks)
+IceSSL::OpenSSL::RSACertificateGenContext::weeksToSeconds(long weeks)
{
return daysToSeconds(weeks * 7L);
}
long
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::yearsToSeconds(long years)
+IceSSL::OpenSSL::RSACertificateGenContext::yearsToSeconds(long years)
{
return weeksToSeconds(years * 365L);
}
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::RSACertificateGenContext() :
- _modulusLength(0),
- _secondsValid(0)
+IceSSL::OpenSSL::RSACertificateGenContext::RSACertificateGenContext() :
+ _modulusLength(0),
+ _secondsValid(0)
{
}
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::~RSACertificateGenContext()
+IceSSL::OpenSSL::RSACertificateGenContext::~RSACertificateGenContext()
{
}
void
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::setCountry(const string& country)
+IceSSL::OpenSSL::RSACertificateGenContext::setCountry(const string& country)
{
_country = country;
}
void
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::setStateProvince(const string& stateProvince)
+IceSSL::OpenSSL::RSACertificateGenContext::setStateProvince(const string& stateProvince)
{
_stateProvince = stateProvince;
}
void
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::setLocality(const string& locality)
+IceSSL::OpenSSL::RSACertificateGenContext::setLocality(const string& locality)
{
_locality = locality;
}
void
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::setOrganization(const string& organization)
+IceSSL::OpenSSL::RSACertificateGenContext::setOrganization(const string& organization)
{
_organization = organization;
}
void
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::setOrgainizationalUnit(const string& organizationalUnit)
+IceSSL::OpenSSL::RSACertificateGenContext::setOrgainizationalUnit(const string& organizationalUnit)
{
_organizationalUnit = organizationalUnit;
}
void
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::setCommonName(const string& commonName)
+IceSSL::OpenSSL::RSACertificateGenContext::setCommonName(const string& commonName)
{
_commonName = commonName;
}
void
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::setBitStrength(int bitStrength)
+IceSSL::OpenSSL::RSACertificateGenContext::setBitStrength(int bitStrength)
{
_modulusLength = bitStrength;
}
void
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::setSecondsValid(long secondsValid)
+IceSSL::OpenSSL::RSACertificateGenContext::setSecondsValid(long secondsValid)
{
_secondsValid = secondsValid;
}
unsigned char*
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::getCountry() const
+IceSSL::OpenSSL::RSACertificateGenContext::getCountry() const
{
return reinterpret_cast<unsigned char *>(const_cast<char*>(_country.c_str()));
}
unsigned char*
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::getStateProvince() const
+IceSSL::OpenSSL::RSACertificateGenContext::getStateProvince() const
{
return reinterpret_cast<unsigned char *>(const_cast<char*>(_stateProvince.c_str()));
}
unsigned char*
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::getLocality() const
+IceSSL::OpenSSL::RSACertificateGenContext::getLocality() const
{
return reinterpret_cast<unsigned char *>(const_cast<char*>(_locality.c_str()));
}
unsigned char*
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::getOrganization() const
+IceSSL::OpenSSL::RSACertificateGenContext::getOrganization() const
{
return reinterpret_cast<unsigned char *>(const_cast<char*>(_organization.c_str()));
}
unsigned char*
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::getOrgainizationalUnit() const
+IceSSL::OpenSSL::RSACertificateGenContext::getOrgainizationalUnit() const
{
return reinterpret_cast<unsigned char *>(const_cast<char*>(_organizationalUnit.c_str()));
}
unsigned char*
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::getCommonName() const
+IceSSL::OpenSSL::RSACertificateGenContext::getCommonName() const
{
return reinterpret_cast<unsigned char *>(const_cast<char*>(_commonName.c_str()));
}
int
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::getModulusLength() const
+IceSSL::OpenSSL::RSACertificateGenContext::getModulusLength() const
{
return _modulusLength;
}
long
-IceSecurity::Ssl::OpenSSL::RSACertificateGenContext::getSecondsValid() const
+IceSSL::OpenSSL::RSACertificateGenContext::getSecondsValid() const
{
return _secondsValid;
}
-IceSecurity::Ssl::OpenSSL::RSACertificateGen::RSACertificateGen()
+IceSSL::OpenSSL::RSACertificateGen::RSACertificateGen()
{
ERR_load_crypto_strings();
}
-IceSecurity::Ssl::OpenSSL::RSACertificateGen::~RSACertificateGen()
+IceSSL::OpenSSL::RSACertificateGen::~RSACertificateGen()
{
}
-IceSecurity::Ssl::OpenSSL::RSAKeyPair*
-IceSecurity::Ssl::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& context)
+IceSSL::OpenSSL::RSAKeyPair*
+IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& context)
{
// Generate an RSA key pair.
RSAJanitor rsaJanitor(RSA_generate_key(context.getModulusLength(), RSA_F4, 0, 0));
diff --git a/cpp/src/Ice/SslRSAKeyPair.cpp b/cpp/src/Ice/SslRSAKeyPair.cpp index 9f18a5e3af3..4ffe2033976 100644 --- a/cpp/src/Ice/SslRSAKeyPair.cpp +++ b/cpp/src/Ice/SslRSAKeyPair.cpp @@ -15,69 +15,73 @@ #include <Ice/SslRSAPublicKey.h>
#include <assert.h>
-void ::IceInternal::incRef(::IceSecurity::Ssl::OpenSSL::RSAKeyPair* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSecurity::Ssl::OpenSSL::RSAKeyPair* p) { p->__decRef(); }
+void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAKeyPair* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAKeyPair* p) { p->__decRef(); }
using std::back_inserter;
using std::string;
using Ice::ByteSeq;
using IceUtil::Base64;
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::RSAKeyPair(const string& key, const string& cert) :
- _privateKey(new RSAPrivateKey(key)),
- _publicKey(new RSAPublicKey(cert))
+IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const string& key, const string& cert) :
+ _privateKey(new RSAPrivateKey(key)),
+ _publicKey(new RSAPublicKey(cert))
{
+ assert(_privateKey != 0);
+ assert(_publicKey != 0);
}
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::RSAKeyPair(const ByteSeq& keySeq, const ByteSeq& certSeq) :
- _privateKey(new RSAPrivateKey(keySeq)),
- _publicKey(new RSAPublicKey(certSeq))
+IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const ByteSeq& keySeq, const ByteSeq& certSeq) :
+ _privateKey(new RSAPrivateKey(keySeq)),
+ _publicKey(new RSAPublicKey(certSeq))
{
+ assert(_privateKey != 0);
+ assert(_publicKey != 0);
}
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::~RSAKeyPair()
+IceSSL::OpenSSL::RSAKeyPair::~RSAKeyPair()
{
}
void
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::keyToBase64(string& b64Key)
+IceSSL::OpenSSL::RSAKeyPair::keyToBase64(string& b64Key)
{
_privateKey->keyToBase64(b64Key);
}
void
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::certToBase64(string& b64Cert)
+IceSSL::OpenSSL::RSAKeyPair::certToBase64(string& b64Cert)
{
_publicKey->certToBase64(b64Cert);
}
void
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::keyToByteSeq(ByteSeq& keySeq)
+IceSSL::OpenSSL::RSAKeyPair::keyToByteSeq(ByteSeq& keySeq)
{
_privateKey->keyToByteSeq(keySeq);
}
void
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::certToByteSeq(ByteSeq& certSeq)
+IceSSL::OpenSSL::RSAKeyPair::certToByteSeq(ByteSeq& certSeq)
{
_publicKey->certToByteSeq(certSeq);
}
RSA*
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::getRSAPrivateKey() const
+IceSSL::OpenSSL::RSAKeyPair::getRSAPrivateKey() const
{
return _privateKey->getRSAPrivateKey();
}
X509*
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::getX509PublicKey() const
+IceSSL::OpenSSL::RSAKeyPair::getX509PublicKey() const
{
return _publicKey->getX509PublicKey();
}
-IceSecurity::Ssl::OpenSSL::RSAKeyPair::RSAKeyPair(const RSAPrivateKeyPtr& rsa, const RSAPublicKeyPtr& x509) :
- _privateKey(rsa),
- _publicKey(x509)
+IceSSL::OpenSSL::RSAKeyPair::RSAKeyPair(const RSAPrivateKeyPtr& rsa, const RSAPublicKeyPtr& x509) :
+ _privateKey(rsa),
+ _publicKey(x509)
{
}
diff --git a/cpp/src/Ice/SslRSAPrivateKey.cpp b/cpp/src/Ice/SslRSAPrivateKey.cpp index 6f2f3229a74..1f58a81d4c9 100644 --- a/cpp/src/Ice/SslRSAPrivateKey.cpp +++ b/cpp/src/Ice/SslRSAPrivateKey.cpp @@ -14,34 +14,41 @@ #include <Ice/SslIceUtils.h>
#include <assert.h>
-void ::IceInternal::incRef(::IceSecurity::Ssl::OpenSSL::RSAPrivateKey* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSecurity::Ssl::OpenSSL::RSAPrivateKey* p) { p->__decRef(); }
+void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAPrivateKey* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAPrivateKey* p) { p->__decRef(); }
using std::back_inserter;
using std::string;
using Ice::ByteSeq;
using IceUtil::Base64;
-IceSecurity::Ssl::OpenSSL::RSAPrivateKey::RSAPrivateKey(const string& key)
+IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(const string& key)
{
+ assert(!key.empty());
+
_privateKey = 0;
+
ByteSeq keySeq = Base64::decode(key);
+
byteSeqToKey(keySeq);
}
-IceSecurity::Ssl::OpenSSL::RSAPrivateKey::RSAPrivateKey(const ByteSeq& keySeq)
+IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(const ByteSeq& keySeq)
{
+ assert(!keySeq.empty());
+
_privateKey = 0;
+
byteSeqToKey(keySeq);
}
-IceSecurity::Ssl::OpenSSL::RSAPrivateKey::~RSAPrivateKey()
+IceSSL::OpenSSL::RSAPrivateKey::~RSAPrivateKey()
{
RSA_free(_privateKey);
}
void
-IceSecurity::Ssl::OpenSSL::RSAPrivateKey::keyToBase64(string& b64Key)
+IceSSL::OpenSSL::RSAPrivateKey::keyToBase64(string& b64Key)
{
ByteSeq keySeq;
keyToByteSeq(keySeq);
@@ -49,7 +56,7 @@ IceSecurity::Ssl::OpenSSL::RSAPrivateKey::keyToBase64(string& b64Key) }
void
-IceSecurity::Ssl::OpenSSL::RSAPrivateKey::keyToByteSeq(ByteSeq& keySeq)
+IceSSL::OpenSSL::RSAPrivateKey::keyToByteSeq(ByteSeq& keySeq)
{
assert(_privateKey);
@@ -64,24 +71,25 @@ IceSecurity::Ssl::OpenSSL::RSAPrivateKey::keyToByteSeq(ByteSeq& keySeq) unsigned char* privKeyBuff = privateKeyBuffer;
i2d_RSAPrivateKey(_privateKey, &privKeyBuff);
- IceSecurity::Ssl::ucharToByteSeq(privateKeyBuffer, privKeySize, keySeq);
+ IceSSL::ucharToByteSeq(privateKeyBuffer, privKeySize, keySeq);
delete []privateKeyBuffer;
}
RSA*
-IceSecurity::Ssl::OpenSSL::RSAPrivateKey::getRSAPrivateKey() const
+IceSSL::OpenSSL::RSAPrivateKey::getRSAPrivateKey() const
{
return _privateKey;
}
-IceSecurity::Ssl::OpenSSL::RSAPrivateKey::RSAPrivateKey(RSA* rsa) :
- _privateKey(rsa)
+IceSSL::OpenSSL::RSAPrivateKey::RSAPrivateKey(RSA* rsa) :
+ _privateKey(rsa)
{
+ assert(_privateKey != 0);
}
void
-IceSecurity::Ssl::OpenSSL::RSAPrivateKey::byteSeqToKey(const ByteSeq& keySeq)
+IceSSL::OpenSSL::RSAPrivateKey::byteSeqToKey(const ByteSeq& keySeq)
{
unsigned char* privateKeyBuffer = byteSeqToUChar(keySeq);
assert(privateKeyBuffer);
diff --git a/cpp/src/Ice/SslRSAPublicKey.cpp b/cpp/src/Ice/SslRSAPublicKey.cpp index 0ff14313738..829d8462c14 100644 --- a/cpp/src/Ice/SslRSAPublicKey.cpp +++ b/cpp/src/Ice/SslRSAPublicKey.cpp @@ -14,16 +14,18 @@ #include <Ice/SslIceUtils.h>
#include <assert.h>
-void ::IceInternal::incRef(::IceSecurity::Ssl::OpenSSL::RSAPublicKey* p) { p->__incRef(); }
-void ::IceInternal::decRef(::IceSecurity::Ssl::OpenSSL::RSAPublicKey* p) { p->__decRef(); }
+void ::IceInternal::incRef(::IceSSL::OpenSSL::RSAPublicKey* p) { p->__incRef(); }
+void ::IceInternal::decRef(::IceSSL::OpenSSL::RSAPublicKey* p) { p->__decRef(); }
using std::back_inserter;
using std::string;
using Ice::ByteSeq;
using IceUtil::Base64;
-IceSecurity::Ssl::OpenSSL::RSAPublicKey::RSAPublicKey(const string& cert)
+IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(const string& cert)
{
+ assert(!cert.empty());
+
_publicKey = 0;
ByteSeq certSeq = Base64::decode(cert);
@@ -31,19 +33,22 @@ IceSecurity::Ssl::OpenSSL::RSAPublicKey::RSAPublicKey(const string& cert) byteSeqToCert(certSeq);
}
-IceSecurity::Ssl::OpenSSL::RSAPublicKey::RSAPublicKey(const ByteSeq& certSeq)
+IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(const ByteSeq& certSeq)
{
+ assert(!certSeq.empty());
+
_publicKey = 0;
+
byteSeqToCert(certSeq);
}
-IceSecurity::Ssl::OpenSSL::RSAPublicKey::~RSAPublicKey()
+IceSSL::OpenSSL::RSAPublicKey::~RSAPublicKey()
{
X509_free(_publicKey);
}
void
-IceSecurity::Ssl::OpenSSL::RSAPublicKey::certToBase64(string& b64Cert)
+IceSSL::OpenSSL::RSAPublicKey::certToBase64(string& b64Cert)
{
ByteSeq certSeq;
certToByteSeq(certSeq);
@@ -51,7 +56,7 @@ IceSecurity::Ssl::OpenSSL::RSAPublicKey::certToBase64(string& b64Cert) }
void
-IceSecurity::Ssl::OpenSSL::RSAPublicKey::certToByteSeq(ByteSeq& certSeq)
+IceSSL::OpenSSL::RSAPublicKey::certToByteSeq(ByteSeq& certSeq)
{
assert(_publicKey);
@@ -66,24 +71,24 @@ IceSecurity::Ssl::OpenSSL::RSAPublicKey::certToByteSeq(ByteSeq& certSeq) unsigned char* pubKeyBuff = publicKeyBuffer;
i2d_X509(_publicKey, &pubKeyBuff);
- IceSecurity::Ssl::ucharToByteSeq(publicKeyBuffer, pubKeySize, certSeq);
+ IceSSL::ucharToByteSeq(publicKeyBuffer, pubKeySize, certSeq);
delete []publicKeyBuffer;
}
X509*
-IceSecurity::Ssl::OpenSSL::RSAPublicKey::getX509PublicKey() const
+IceSSL::OpenSSL::RSAPublicKey::getX509PublicKey() const
{
return _publicKey;
}
-IceSecurity::Ssl::OpenSSL::RSAPublicKey::RSAPublicKey(X509* x509) :
+IceSSL::OpenSSL::RSAPublicKey::RSAPublicKey(X509* x509) :
_publicKey(x509)
{
}
void
-IceSecurity::Ssl::OpenSSL::RSAPublicKey::byteSeqToCert(const ByteSeq& certSeq)
+IceSSL::OpenSSL::RSAPublicKey::byteSeqToCert(const ByteSeq& certSeq)
{
unsigned char* publicKeyBuffer = byteSeqToUChar(certSeq);
assert(publicKeyBuffer);
diff --git a/cpp/src/Ice/SslSystem.cpp b/cpp/src/Ice/SslSystem.cpp deleted file mode 100644 index c8b2528875a..00000000000 --- a/cpp/src/Ice/SslSystem.cpp +++ /dev/null @@ -1,73 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2001 -// MutableRealms, Inc. -// Huntsville, AL, USA -// -// All Rights Reserved -// -// ********************************************************************** - -#include <string> -#include <Ice/SslSystem.h> - -using namespace std; -using IceSecurity::Ssl::CertificateVerifierPtr; -using Ice::LoggerPtr; -using Ice::PropertiesPtr; -using IceInternal::TraceLevelsPtr; - -void ::IceInternal::incRef(::IceSecurity::Ssl::System* p) { p->__incRef(); } -void ::IceInternal::decRef(::IceSecurity::Ssl::System* p) { p->__decRef(); } - -// -// Public Methods -// - -void -IceSecurity::Ssl::System::setTrace(const TraceLevelsPtr& traceLevels) -{ - _traceLevels = traceLevels; -} - -bool -IceSecurity::Ssl::System::isTraceSet() const -{ - return _traceLevels; -} - -void -IceSecurity::Ssl::System::setLogger(const LoggerPtr& traceLevels) -{ - _logger = traceLevels; -} - -bool -IceSecurity::Ssl::System::isLoggerSet() const -{ - return _logger; -} - -void -IceSecurity::Ssl::System::setProperties(const PropertiesPtr& properties) -{ - _properties = properties; -} - -bool -IceSecurity::Ssl::System::isPropertiesSet() const -{ - return _properties; -} - -// -// Protected Methods -// - -IceSecurity::Ssl::System::System() -{ -} - -IceSecurity::Ssl::System::~System() -{ -} diff --git a/cpp/src/Ice/SslSystem.h b/cpp/src/Ice/SslSystem.h deleted file mode 100644 index a92b9833e0e..00000000000 --- a/cpp/src/Ice/SslSystem.h +++ /dev/null @@ -1,76 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2001 -// MutableRealms, Inc. -// Huntsville, AL, USA -// -// All Rights Reserved -// -// ********************************************************************** - -#ifndef ICE_SSL_SYSTEM_H -#define ICE_SSL_SYSTEM_H - -#include <string> -#include <IceUtil/Shared.h> -#include <Ice/SslConnectionF.h> -#include <Ice/Properties.h> -#include <Ice/SslSystemF.h> -#include <Ice/SslCertificateVerifierF.h> -#include <Ice/TraceLevels.h> -#include <Ice/LoggerF.h> - -namespace IceSecurity -{ - -namespace Ssl -{ - -class Factory; - -class System : public IceUtil::Shared -{ -public: - - virtual bool isConfigLoaded() = 0; - virtual void loadConfig() = 0; - virtual void shutdown() = 0; - - virtual Connection* createServerConnection(int) = 0; - virtual Connection* createClientConnection(int) = 0; - - virtual void setServerCertificateVerifier(const CertificateVerifierPtr&) = 0; - virtual void setClientCertificateVerifier(const CertificateVerifierPtr&) = 0; - - virtual void setServerCertAuthorityCertificate(const std::string&) = 0; - virtual void setClientCertAuthorityCertificate(const std::string&) = 0; - - virtual void setServerRSAKeysBase64(const std::string&, const std::string&) = 0; - virtual void setClientRSAKeysBase64(const std::string&, const std::string&) = 0; - - virtual void setTrace(const IceInternal::TraceLevelsPtr&); - bool isTraceSet() const; - - virtual void setLogger(const Ice::LoggerPtr&); - bool isLoggerSet() const; - - void setProperties(const Ice::PropertiesPtr&); - bool isPropertiesSet() const; - -protected: - - System(); - virtual ~System(); - - IceInternal::TraceLevelsPtr _traceLevels; - Ice::LoggerPtr _logger; - Ice::PropertiesPtr _properties; - - friend class Factory; -}; - -} - -} - -#endif diff --git a/cpp/src/Ice/SslSystemInternal.cpp b/cpp/src/Ice/SslSystemInternal.cpp new file mode 100644 index 00000000000..faee8e4f933 --- /dev/null +++ b/cpp/src/Ice/SslSystemInternal.cpp @@ -0,0 +1,40 @@ +// ********************************************************************** +// +// Copyright (c) 2001 +// MutableRealms, Inc. +// Huntsville, AL, USA +// +// All Rights Reserved +// +// ********************************************************************** + +#include <Ice/Instance.h> +#include <Ice/SslSystemInternal.h> +#include <string>
+ +using namespace std; +using IceSSL::CertificateVerifierPtr; +using Ice::LoggerPtr; +using Ice::PropertiesPtr; +using IceInternal::TraceLevelsPtr; + +void ::IceInternal::incRef(::IceSSL::SystemInternal* p) { p->__incRef(); } +void ::IceInternal::decRef(::IceSSL::SystemInternal* p) { p->__decRef(); } + +// +// Protected Methods +// + +IceSSL::SystemInternal::SystemInternal(const IceInternal::InstancePtr& instance) :
+ _traceLevels(instance->traceLevels()),
+ _logger(instance->logger()),
+ _properties(instance->properties()) +{
+ assert(_traceLevels != 0);
+ assert(_logger != 0);
+ assert(_properties != 0); +} + +IceSSL::SystemInternal::~SystemInternal() +{ +} diff --git a/cpp/src/Ice/SslSystemInternal.h b/cpp/src/Ice/SslSystemInternal.h new file mode 100644 index 00000000000..7055927dd8d --- /dev/null +++ b/cpp/src/Ice/SslSystemInternal.h @@ -0,0 +1,66 @@ +// ********************************************************************** +// +// Copyright (c) 2001 +// MutableRealms, Inc. +// Huntsville, AL, USA +// +// All Rights Reserved +// +// ********************************************************************** + +#ifndef ICE_SSL_SYSTEM_H +#define ICE_SSL_SYSTEM_H + +#include <string> +#include <Ice/SslSystem.h>
+#include <Ice/InstanceF.h>
+// #include <Ice/Security.h> +#include <Ice/SslConnectionF.h> +#include <Ice/Properties.h> +#include <Ice/SslSystemInternalF.h> +#include <Ice/SslCertificateVerifierF.h> +#include <Ice/TraceLevelsF.h> +#include <Ice/LoggerF.h> + +namespace IceSSL +{ + +class Factory; + +class SystemInternal : public System +{ +public: + + virtual void shutdown() = 0; + + virtual ConnectionPtr createConnection(ContextType, int) = 0;
+ + virtual bool isConfigured(ContextType) = 0;
+
+ virtual void configure(ContextType) = 0;
+
+ virtual void loadConfig(ContextType, const ::std::string&, const ::std::string&) = 0;
+
+ virtual void setCertificateVerifier(ContextType, const CertificateVerifierPtr&) = 0; + + virtual void addTrustedCertificate(ContextType, const std::string&) = 0; + + virtual void setRSAKeysBase64(ContextType, const std::string&, const std::string&) = 0; + + virtual void setRSAKeys(ContextType, const ::Ice::ByteSeq&, const ::Ice::ByteSeq&) = 0;
+
+protected: + + SystemInternal(const IceInternal::InstancePtr&); + virtual ~SystemInternal(); + + IceInternal::TraceLevelsPtr _traceLevels; + Ice::LoggerPtr _logger; + Ice::PropertiesPtr _properties; + + friend class Factory; +}; + +} + +#endif diff --git a/cpp/src/Ice/SslSystemF.h b/cpp/src/Ice/SslSystemInternalF.h index 15e64b717b9..adc33454842 100644 --- a/cpp/src/Ice/SslSystemF.h +++ b/cpp/src/Ice/SslSystemInternalF.h @@ -13,24 +13,19 @@ #include <Ice/Handle.h> -namespace IceSecurity +namespace IceSSL { -namespace Ssl -{ - -class System; -typedef IceInternal::Handle<System> SystemPtr; - -} +class SystemInternal; +typedef IceInternal::Handle<SystemInternal> SystemInternalPtr; } namespace IceInternal { -void incRef(IceSecurity::Ssl::System*); -void decRef(IceSecurity::Ssl::System*); +void incRef(IceSSL::SystemInternal*); +void decRef(IceSSL::SystemInternal*); } diff --git a/cpp/src/Ice/SslSystemOpenSSL.cpp b/cpp/src/Ice/SslSystemOpenSSL.cpp index c3ac40dd945..f9da8810099 100644 --- a/cpp/src/Ice/SslSystemOpenSSL.cpp +++ b/cpp/src/Ice/SslSystemOpenSSL.cpp @@ -22,331 +22,57 @@ // without our configuration settings. // #include <IceUtil/Config.h> - -#include <sstream> #include <IceUtil/Mutex.h> -#include <openssl/err.h> -#include <openssl/e_os.h> -#include <openssl/rand.h> -#include <Ice/OpenSSL.h> -#include <Ice/SslSystem.h> -#include <Ice/SecurityException.h> -#include <Ice/SslConnectionOpenSSLClient.h> -#include <Ice/SslConnectionOpenSSLServer.h> -#include <Ice/SslConfig.h> -#include <Ice/SslRSAKeyPair.h> -#include <Ice/SslRSAPublicKey.h> -#include <Ice/SslJanitors.h> -#include <Ice/SslCertificateVerifierOpenSSL.h> - +#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/SslSystemOpenSSL.h>
+#include <Ice/SecurityException.h>
+#include <Ice/SslConfig.h>
#include <Ice/TraceLevels.h> #include <Ice/Logger.h> +
+#include <openssl/e_os.h>
+#include <openssl/rand.h>
+
+#include <sstream>
using namespace std; using IceInternal::TraceLevelsPtr; using Ice::LoggerPtr; -namespace IceSecurity -{ - -namespace Ssl -{ - -namespace OpenSSL -{ - -// -// TODO: These Diffie-Hellman params have been blatantly stolen from -// OpenSSL's demo programs. We SHOULD define our own here, but -// these will suffice for testing purposes. Please note, these -// are not keys themselves, simply a DH Group that allows OpenSSL -// to create Diffie-Hellman keys. -// - -// Instantiation of temporary Diffie-Hellman 512bit key. -unsigned char System::_tempDiffieHellman512p[] = -{ - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, -}; - -unsigned char System::_tempDiffieHellman512g[] = -{ - 0x02, -}; - -// TODO: Very possibly a problem later if we have mutliple loggers going on simultaneously. -// This is a horrible necessity in order to make the trace levels -// and logger available to the bio_dump_cb() callback function. -// Otherwise, we would have to jump through hoops, creating a mapping -// from BIO pointers to the relevent System object. The system object -// will initialize these. NOTE: If we SHOULD have multiple loggers -// going on simultaneously, this will definitely cause a problem. -TraceLevelsPtr System::_globalTraceLevels = 0; -LoggerPtr System::_globalLogger = 0; - -} - -} - -} - -using IceSecurity::Ssl::OpenSSL::ContextException; -using IceSecurity::Ssl::SystemPtr; - -extern "C" -{ - -RSA* -tmpRSACallback(SSL *s, int isExport, int keyLength) -{ - IceSecurity::Ssl::SystemPtr sslSystem = IceSecurity::Ssl::Factory::getSystemFromHandle(s); - - IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0; - openSslSystem = dynamic_cast<IceSecurity::Ssl::OpenSSL::System*>(sslSystem.get()); - - RSA* rsaKey = openSslSystem->getRSAKey(s, isExport, keyLength); - - return rsaKey; -} - -DH* -tmpDHCallback(SSL *s, int isExport, int keyLength) -{ - IceSecurity::Ssl::SystemPtr sslSystem = IceSecurity::Ssl::Factory::getSystemFromHandle(s); - - IceSecurity::Ssl::OpenSSL::System* openSslSystem = 0; - openSslSystem = dynamic_cast<IceSecurity::Ssl::OpenSSL::System*>(sslSystem.get()); - - DH* dh = openSslSystem->getDHParams(s, isExport, keyLength); - - return dh; -} - -// verifyCallback - Certificate Verification callback function. -int -verifyCallback(int ok, X509_STORE_CTX *ctx) -{ - // Tricky method to get access to our connection. I would use SSL_get_ex_data() to get - // the Connection object, if only I had some way to retrieve the index of the object - // in this function. Hence, we have to invent our own reference system here. - SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); - IceSecurity::Ssl::OpenSSL::ConnectionPtr connection = 0; - connection = IceSecurity::Ssl::OpenSSL::Connection::getConnection(ssl); - assert(connection); - - // Call the connection, get it to perform the verification. - return connection->verifyCertificate(ok, ctx); -} - -// TODO: This is a complete hack to get this working again with the CA certificate. -// Of course, this will have to be rewritten to handle this in the same manner -// as the verifyCallback does. -// -ASN -int -passwordCallback(char* buffer, int bufferSize, int rwFlag, void* userData) -{ - strncpy(buffer, "demo", bufferSize); - buffer[bufferSize - 1] = '\0'; - return strlen(buffer); -} - -// This code duplicates functionality that existed in the BIO library of -// OpenSSL, but outputs to a Logger compatible source (ostringstream). -void -dump(ostringstream& outStringStream, const char* s, int len) -{ - unsigned char ch; - char hexStr[8]; - - int trunc = 0; - - // Calculate how much white space we're truncating. - for(; (len > 0) && ((s[len - 1] == ' ') || (s[len - 1] == '\0')); len--) - { - trunc++; - } - - int dump_width = 12; - - int rows = len / dump_width; - - if ((rows * dump_width) < len) - { - rows++; - } - - if (rows > 0) - { - outStringStream << endl; - } - - for(int i = 0; i < rows; i++) - { - // Would like to have not used sprintf(), but - // I could not find an appropriate STL methodology - // for preserving the field width. - sprintf(hexStr,"%04x",(i * dump_width)); - outStringStream << hexStr << " - "; - - int j; - - // Hex Dump - for(j = 0; j < dump_width; j++) - { - if (((i * dump_width) + j) >= len) - { - outStringStream << " "; - } - else - { - char sep = (j == 7 ? '-' : ' '); - - // Get a character from the dump we've been handed. - ch = ((unsigned char)*(s + i * dump_width + j)) & 0xff; - - // Would like to have not used sprintf(), but - // I could not find an appropriate STL methodology - // for preserving the field width. - sprintf(hexStr,"%02x",ch); - outStringStream << hexStr << sep; - } - } - - outStringStream << " "; - - // Printable characters dump. - for(j = 0; j < dump_width; j++) - { - if (((i * dump_width) + j) >= len) - { - break; - } - - ch = ((unsigned char) * (s + i * dump_width + j)) & 0xff; - - // Print printables only. - ch = ((ch >= ' ') && (ch <= '~')) ? ch : '.'; - - outStringStream << ch; - } - - outStringStream << endl; - } - - if (trunc > 0) - { - outStringStream << hex << (len + trunc) << " - " << "<SPACES/NULS>" << endl; - } -} - -long -bio_dump_cb(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret) -{ - if (IceSecurity::Ssl::OpenSSL::System::_globalTraceLevels->security >= IceSecurity::SECURITY_PROTOCOL) - { - ostringstream outStringStream; - - outStringStream << "PTC "; - - if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) - { - outStringStream << "read from " << hex << (void *)bio << " [" << hex << (void *)argp; - outStringStream << "] (" << dec << argi << " bytes => " << ret << " (0x"; - outStringStream << hex << ret << "))"; -// dump(outStringStream, argp,(int)ret); - } - else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) - { - outStringStream << "write to " << hex << (void *)bio << " [" << hex << (void *)argp; - outStringStream << "] (" << dec << argi << " bytes => " << ret << " (0x"; - outStringStream << hex << ret << "))"; - // dump(outStringStream, argp,(int)ret); - } - - if (cmd == (BIO_CB_READ|BIO_CB_RETURN) || cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) - { - IceSecurity::Ssl::OpenSSL::System::_globalLogger->trace( - IceSecurity::Ssl::OpenSSL::System::_globalTraceLevels->securityCat, outStringStream.str()); - } - } - - return ret; -} - -} - -IceSecurity::Ssl::Connection* -IceSecurity::Ssl::OpenSSL::System::createServerConnection(int socket) -{ - if (_sslServerContext == 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Server context has not been set up - "; - contextEx._message += "please specify an SSL server configuration file."; - - throw contextEx; - } - - SSL* sslConnection = createConnection(_sslServerContext, socket); - - // Set the Accept Connection state for this connection. - SSL_set_accept_state(sslConnection); - - Connection* connection = new ServerConnection(_serverVerifier, sslConnection, SystemPtr(this)); - - commonConnectionSetup(connection); - - return connection; -} - -IceSecurity::Ssl::Connection* -IceSecurity::Ssl::OpenSSL::System::createClientConnection(int socket) -{ - if (_sslClientContext == 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Client context has not been set up - "; - contextEx._message += "please specify an SSL client configuration file."; - - throw contextEx; - } - - SSL* sslConnection = createConnection(_sslClientContext, socket); - - // Set the Connect Connection state for this connection. - SSL_set_connect_state(sslConnection); - - Connection* connection = new ClientConnection(_clientVerifier, sslConnection, SystemPtr(this)); - - commonConnectionSetup(connection); - +using IceSSL::OpenSSL::ContextException; +using IceSSL::SystemInternalPtr; + +IceSSL::ConnectionPtr +IceSSL::OpenSSL::System::createConnection(ContextType connectionType, int socket) +{
+ if (connectionType == ClientServer)
+ {
+ // TODO: Throw exception, Unsupported Context Type?
+ }
+
+ // Configure the context if need be.
+ if (!isConfigured(connectionType))
+ {
+ configure(connectionType);
+ }
+
+ IceSSL::ConnectionPtr connection;
+
+ if (connectionType == Client)
+ {
+ connection = _clientContext.createConnection(socket, this);
+ }
+ else if (connectionType == Server)
+ {
+ connection = _serverContext.createConnection(socket, this);
+ }
+
return connection; } void -IceSecurity::Ssl::OpenSSL::System::shutdown() +IceSSL::OpenSSL::System::shutdown() { - if (_sslServerContext != 0) - { - SSL_CTX_free(_sslServerContext); - - _sslServerContext = 0; - } - - if (_sslClientContext != 0) - { - SSL_CTX_free(_sslClientContext); - - _sslClientContext = 0; - } - // Free our temporary RSA keys. RSAMap::iterator iRSA = _tempRSAKeys.begin(); RSAMap::iterator eRSA = _tempRSAKeys.end(); @@ -368,145 +94,172 @@ IceSecurity::Ssl::OpenSSL::System::shutdown() } } -void -IceSecurity::Ssl::OpenSSL::System::setTrace(const TraceLevelsPtr& traceLevels) -{ - // Note: Due to a known bug with VC++, I cannot simply call the base-class - // implementation here, I get a C2352 error about calling a static function. - // Bug# Q153801 - _traceLevels = traceLevels; - - DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get()); - DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get()); - - if (clientVerifier) - { - clientVerifier->setTraceLevels(traceLevels); - } - - if (serverVerifier) - { - serverVerifier->setTraceLevels(traceLevels); - } -} - -void -IceSecurity::Ssl::OpenSSL::System::setLogger(const LoggerPtr& logger) -{ - // Note: Due to a known bug with VC++, I cannot simply call the base-class - // implementation here, I get a C2352 error about calling a static function. - // Bug# Q153801 - _logger = logger; - - DefaultCertificateVerifier* clientVerifier = dynamic_cast<DefaultCertificateVerifier*>(_clientVerifier.get()); - DefaultCertificateVerifier* serverVerifier = dynamic_cast<DefaultCertificateVerifier*>(_serverVerifier.get()); - - if (clientVerifier) - { - clientVerifier->setLogger(logger); - } - - if (serverVerifier) - { - serverVerifier->setLogger(logger); - } -} - bool -IceSecurity::Ssl::OpenSSL::System::isConfigLoaded() -{ - return _configLoaded; +IceSSL::OpenSSL::System::isConfigured(ContextType contextType) +{
+ bool retCode = false;
+
+ switch (contextType)
+ {
+ case Client :
+ {
+ retCode = _clientContext.isConfigured();
+ break;
+ }
+
+ case Server :
+ {
+ retCode = _serverContext.isConfigured();
+ break;
+ }
+
+ case ClientServer :
+ {
+ retCode = _clientContext.isConfigured() && _serverContext.isConfigured();
+ break;
+ }
+ }
+
+ return retCode; +}
+
+void
+IceSSL::OpenSSL::System::configure(ContextType contextType)
+{
+ switch (contextType)
+ {
+ case Client :
+ {
+ string configFile = _properties->getProperty("Ice.SSL.Client.Config");
+ string certPath = _properties->getProperty("Ice.SSL.Client.CertPath");
+ loadConfig(Client, configFile, certPath);
+ break;
+ }
+
+ case Server :
+ {
+ string configFile = _properties->getProperty("Ice.SSL.Server.Config");
+ string certPath = _properties->getProperty("Ice.SSL.Server.CertPath");
+ loadConfig(Server, configFile, certPath);
+ break;
+ }
+
+ case ClientServer :
+ {
+ string clientConfigFile = _properties->getProperty("Ice.SSL.Client.Config");
+ string clientCertPath = _properties->getProperty("Ice.SSL.Client.CertPath");
+ string serverConfigFile = _properties->getProperty("Ice.SSL.Server.Config");
+ string serverCertPath = _properties->getProperty("Ice.SSL.Server.CertPath");
+
+ // Short cut, so that we only have to load the file once.
+ if ((clientConfigFile == serverConfigFile) && (clientCertPath == serverCertPath))
+ {
+ loadConfig(ClientServer, clientConfigFile, clientCertPath);
+ }
+ else
+ {
+ loadConfig(Client, clientConfigFile, clientCertPath);
+ loadConfig(Server, serverConfigFile, serverCertPath);
+ }
+ break;
+ }
+ }
} void -IceSecurity::Ssl::OpenSSL::System::loadConfig() -{ - // This step is required in order to supply callback functions - // with access to the TraceLevels and Logger. - if (_globalTraceLevels == 0) - { - _globalTraceLevels = _traceLevels; - _globalLogger = _logger; - } - - string configFile = _properties->getProperty("Ice.Security.Ssl.Config"); - string certificatePath = _properties->getProperty("Ice.Security.Ssl.CertPath"); - Parser sslConfig(configFile, certificatePath); +IceSSL::OpenSSL::System::loadConfig(ContextType contextType,
+ const std::string& configFile,
+ const std::string& certPath) +{
+ if (configFile.empty())
+ { + IceSSL::OpenSSL::ContextException contextEx(__FILE__, __LINE__);
+
+ string contextString;
+
+ switch (contextType)
+ {
+ case Client :
+ {
+ contextString = "Client";
+ break;
+ }
+
+ case Server :
+ {
+ contextString = "Server";
+ break;
+ }
+
+ case ClientServer :
+ {
+ contextString = "Client/Server";
+ break;
+ }
+ }
+
+ contextEx._message = "No SSL configuration file specified for ";
+ contextEx._message += contextString;
+ contextEx._message += ".";
+
+ throw contextEx;
+ }
+
+ Parser sslConfig(configFile, certPath); sslConfig.setTrace(_traceLevels); sslConfig.setLogger(_logger); // Actually parse the file now. sslConfig.process(); - - GeneralConfig clientGeneral; - CertificateAuthority clientCertAuth; - BaseCertificates clientBaseCerts; - - // Walk the parse tree, get the Client configuration. - if (sslConfig.loadClientConfig(clientGeneral, clientCertAuth, clientBaseCerts)) - { - if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) - { - ostringstream s; - - s << endl; - s << "General Configuration - Client" << endl; - s << "------------------------------" << endl; - s << clientGeneral << endl << endl; - - s << "CA File: " << clientCertAuth.getCAFileName() << endl; - s << "CA Path: " << clientCertAuth.getCAPath() << endl; - - s << "Base Certificates - Client" << endl; - s << "--------------------------" << endl; - s << clientBaseCerts << endl; - - _logger->trace(_traceLevels->securityCat, s.str()); - } - - initClient(clientGeneral, clientCertAuth, clientBaseCerts); - } - - GeneralConfig serverGeneral; - CertificateAuthority serverCertAuth; - BaseCertificates serverBaseCerts; - TempCertificates serverTempCerts; - - // Walk the parse tree, get the Server configuration. - if (sslConfig.loadServerConfig(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts)) - { - if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL) - { - ostringstream s; - - s << endl; - s << "General Configuration - Server" << endl; - s << "------------------------------" << endl; - s << serverGeneral << endl << endl; - - s << "CA File: " << serverCertAuth.getCAFileName() << endl; - s << "CA Path: " << serverCertAuth.getCAPath() << endl; - - s << "Base Certificates - Server" << endl; - s << "--------------------------" << endl; - s << serverBaseCerts << endl << endl; - - s << "Temp Certificates - Server" << endl; - s << "--------------------------" << endl; - s << serverTempCerts << endl; - - _logger->trace(_traceLevels->securityCat, s.str()); - } - - initServer(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts); +
+ if (contextType == Client || contextType == ClientServer)
+ { + GeneralConfig clientGeneral; + CertificateAuthority clientCertAuth; + BaseCertificates clientBaseCerts; +
+ // Walk the parse tree, get the Client configuration. + if (sslConfig.loadClientConfig(clientGeneral, clientCertAuth, clientBaseCerts)) + { + initRandSystem(clientGeneral.getRandomBytesFiles());
+
+ _clientContext.configure(clientGeneral, clientCertAuth, clientBaseCerts);
+ }
+ } + + if (contextType == Server || contextType == ClientServer)
+ {
+ GeneralConfig serverGeneral; + CertificateAuthority serverCertAuth; + BaseCertificates serverBaseCerts; + TempCertificates serverTempCerts; + + // Walk the parse tree, get the Server configuration. + if (sslConfig.loadServerConfig(serverGeneral, serverCertAuth, serverBaseCerts, serverTempCerts)) + { + initRandSystem(serverGeneral.getRandomBytesFiles());
+
+ loadTempCerts(serverTempCerts);
+
+ _serverContext.configure(serverGeneral, serverCertAuth, serverBaseCerts);
+
+ if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
+ {
+ ostringstream s;
+
+ s << "Temp Certificates - Server" << endl;
+ s << "--------------------------" << endl;
+ s << serverTempCerts << endl;
+
+ _logger->trace(_traceLevels->securityCat, s.str());
+ }
+ }
} - - _configLoaded = true; } RSA* -IceSecurity::Ssl::OpenSSL::System::getRSAKey(SSL *s, int isExport, int keyLength) +IceSSL::OpenSSL::System::getRSAKey(int isExport, int keyLength) { IceUtil::Mutex::Lock sync(_tempRSAKeysMutex); @@ -586,7 +339,7 @@ IceSecurity::Ssl::OpenSSL::System::getRSAKey(SSL *s, int isExport, int keyLength } DH* -IceSecurity::Ssl::OpenSSL::System::getDHParams(SSL *s, int isExport, int keyLength) +IceSSL::OpenSSL::System::getDHParams(int isExport, int keyLength) { IceUtil::Mutex::Lock sync(_tempDHKeysMutex); @@ -622,124 +375,92 @@ IceSecurity::Ssl::OpenSSL::System::getDHParams(SSL *s, int isExport, int keyLeng return dh_tmp; } -IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr -IceSecurity::Ssl::OpenSSL::System::certificateVerifierTypeCheck(const IceSecurity::Ssl::CertificateVerifierPtr& verifier) -{ - // IceSecurity::Ssl::CertificateVerifier* passedVerifier = verifier.get(); - // IceSecurity::Ssl::OpenSSL::CertificateVerifier* castVerifier; - // castVerifier = dynamic_cast<IceSecurity::Ssl::OpenSSL::CertificateVerifier*>(passedVerifier); - - IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr castVerifier; - castVerifier = IceSecurity::Ssl::OpenSSL::CertificateVerifierPtr::dynamicCast(verifier); - - if (!castVerifier.get()) - { - IceSecurity::Ssl::CertificateVerifierTypeException cvtEx(__FILE__, __LINE__); - throw cvtEx; - } - - return castVerifier; -} - -void -IceSecurity::Ssl::OpenSSL::System::setServerCertificateVerifier(const IceSecurity::Ssl::CertificateVerifierPtr& serverVerifier) -{ - _serverVerifier = certificateVerifierTypeCheck(serverVerifier); -} - -void -IceSecurity::Ssl::OpenSSL::System::setClientCertificateVerifier(const IceSecurity::Ssl::CertificateVerifierPtr& clientVerifier) -{ - _clientVerifier = certificateVerifierTypeCheck(clientVerifier); -} - void -IceSecurity::Ssl::OpenSSL::System::setServerCertAuthorityCertificate(const string& caCertString) -{ - if (_sslServerContext == 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Server context has not been set up - "; - contextEx._message += "please specify an SSL server configuration file."; - - throw contextEx; - } - - assert(_sslClientContext); - - RSAPublicKey pubKey(caCertString); - - X509_STORE* certStore = SSL_CTX_get_cert_store(_sslServerContext); - - int addedCertAuthorityCert = X509_STORE_add_cert(certStore, pubKey.getX509PublicKey()); - - assert(addedCertAuthorityCert != 0); -} - -void -IceSecurity::Ssl::OpenSSL::System::setClientCertAuthorityCertificate(const string& caCertString) -{ - if (_sslClientContext == 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Client context has not been set up - "; - contextEx._message += "please specify an SSL client configuration file."; - - throw contextEx; - } - - assert(_sslClientContext); - - RSAPublicKey pubKey(caCertString); - - X509_STORE* certStore = SSL_CTX_get_cert_store(_sslClientContext); - - int addedCertAuthorityCert = X509_STORE_add_cert(certStore, pubKey.getX509PublicKey()); - - assert(addedCertAuthorityCert != 0); -} - -void -IceSecurity::Ssl::OpenSSL::System::setServerRSAKeysBase64(const std::string& privateKey, const std::string& publicKey) -{ - assert(_sslServerContext); - addKeyCert(_sslServerContext, privateKey, publicKey); -} - -void -IceSecurity::Ssl::OpenSSL::System::setClientRSAKeysBase64(const std::string& privateKey, const std::string& publicKey) -{ - assert(_sslClientContext); - addKeyCert(_sslClientContext, privateKey, publicKey); -} - +IceSSL::OpenSSL::System::setCertificateVerifier(ContextType contextType,
+ const IceSSL::CertificateVerifierPtr& verifier) +{
+ CertificateVerifierPtr castVerifier = CertificateVerifierPtr::dynamicCast(verifier);
+
+ if (!castVerifier.get())
+ {
+ IceSSL::CertificateVerifierTypeException cvtEx(__FILE__, __LINE__);
+ throw cvtEx;
+ }
+
+ if (contextType == Client || contextType == ClientServer)
+ {
+ _clientContext.setCertificateVerifier(castVerifier);
+ } +
+ if (contextType == Server || contextType == ClientServer)
+ {
+ _serverContext.setCertificateVerifier(castVerifier);
+ }
+} + +void
+IceSSL::OpenSSL::System::addTrustedCertificate(ContextType contextType, const string& certString)
+{
+ if (contextType == Client || contextType == ClientServer)
+ {
+ _clientContext.addTrustedCertificate(certString);
+ }
+
+ if (contextType == Server || contextType == ClientServer)
+ {
+ _serverContext.addTrustedCertificate(certString);
+ }
+}
+
+void
+IceSSL::OpenSSL::System::setRSAKeysBase64(ContextType contextType,
+ const std::string& privateKey,
+ const std::string& publicKey)
+{
+ if (contextType == Client || contextType == ClientServer)
+ {
+ _clientContext.setRSAKeysBase64(privateKey, publicKey);
+ }
+
+ if (contextType == Server || contextType == ClientServer)
+ {
+ _serverContext.setRSAKeysBase64(privateKey, publicKey);
+ }
+}
+
+void
+IceSSL::OpenSSL::System::setRSAKeys(ContextType contextType,
+ const ::Ice::ByteSeq& privateKey,
+ const ::Ice::ByteSeq& publicKey)
+{
+ if (contextType == Client || contextType == ClientServer)
+ {
+ _clientContext.setRSAKeys(privateKey, publicKey);
+ }
+
+ if (contextType == Server || contextType == ClientServer)
+ {
+ _serverContext.setRSAKeys(privateKey, publicKey);
+ }
+}
+
// // Protected // -IceSecurity::Ssl::OpenSSL::System::System() +IceSSL::OpenSSL::System::System(const IceInternal::InstancePtr& instance) :
+ IceSSL::SystemInternal(instance),
+ _serverContext(instance),
+ _clientContext(instance) { - _configLoaded = false; - - _sessionContext = "iceServer"; - _randSeeded = 0; - _sslServerContext = 0; - _sslClientContext = 0; - - // Here we create a default verifier, which does very little other - // than check the verification depth. This can be overridden. - _clientVerifier = new DefaultCertificateVerifier(); - _serverVerifier = _clientVerifier; SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); } -IceSecurity::Ssl::OpenSSL::System::~System() +IceSSL::OpenSSL::System::~System() { shutdown(); } @@ -748,658 +469,8 @@ IceSecurity::Ssl::OpenSSL::System::~System() // Private // -void -IceSecurity::Ssl::OpenSSL::System::setKeyCert(SSL_CTX* context, - const CertificateDesc& certDesc, - const string& privateKey, - const string& publicKey) -{ - if (!privateKey.empty() && !publicKey.empty()) - { - addKeyCert(context, privateKey, publicKey); - } - else if (certDesc.getKeySize() != 0) - { - processCertificate(context, certDesc); - } -} - -void -IceSecurity::Ssl::OpenSSL::System::initClient(GeneralConfig& general, - CertificateAuthority& certAuth, - BaseCertificates& baseCerts) -{ - // Init the Random Number System. - initRandSystem(general.getRandomBytesFiles()); - - // Create an SSL Context based on the context params. - _sslClientContext = createContext(general.getProtocol()); - - // Begin setting up the SSL Context. - if (_sslClientContext != 0) - { - // Get the cipherlist and set it in the context. - setCipherList(_sslClientContext, general.getCipherList()); - - // Set the certificate verification mode. - SSL_CTX_set_verify(_sslClientContext, general.getVerifyMode(), verifyCallback); - - // Set the certificate verify depth - SSL_CTX_set_verify_depth(_sslClientContext, general.getVerifyDepth()); - - // Process the RSA Certificate - string privateRSAKey = _properties->getProperty("Ice.Security.Ssl.Overrides.Client.RSA.PrivateKey"); - string publicRSAKey = _properties->getProperty("Ice.Security.Ssl.Overrides.Client.RSA.Certificate"); - setKeyCert(_sslClientContext, baseCerts.getRSACert(), privateRSAKey, publicRSAKey); - - // Process the DSA Certificate - string privateDSAKey; // = _properties->getProperty("Ice.Security.Ssl.Overrides.Client.DSA.PrivateKey"); - string publicDSAKey; // = _properties->getProperty("Ice.Security.Ssl.Overrides.Client.DSA.Certificate"); - setKeyCert(_sslClientContext, baseCerts.getDSACert(), privateDSAKey, publicDSAKey); - - // Set the DH key agreement parameters. - if (baseCerts.getDHParams().getKeySize() != 0) - { - setDHParams(_sslClientContext, baseCerts); - } - - // Load the Certificate Authority files, and check them. - loadCAFiles(_sslClientContext, certAuth); - } -} - -void -IceSecurity::Ssl::OpenSSL::System::initServer(GeneralConfig& general, - CertificateAuthority& certAuth, - BaseCertificates& baseCerts, - TempCertificates& tempCerts) -{ - // Init the Random Number System. - initRandSystem(general.getRandomBytesFiles()); - - // Create an SSL Context based on the context params. - _sslServerContext = createContext(general.getProtocol()); - - // Begin setting up the SSL Context. - if (_sslServerContext != 0) - { - // On servers, Attempt to use non-export (strong) encryption - // first. This option does not always work, and in the OpenSSL - // documentation is declared as 'broken'. - // SSL_CTX_set_options(_sslServerContext,SSL_OP_NON_EXPORT_FIRST); - - // Always use a new DH key when using Diffie-Hellman key agreement. - SSL_CTX_set_options(_sslServerContext, SSL_OP_SINGLE_DH_USE); - - loadTempCerts(tempCerts); - - // Load the Certificate Authority files, and check them. - loadAndCheckCAFiles(_sslServerContext, certAuth); - - // Process the RSA Certificate - string privateRSAKey = _properties->getProperty("Ice.Security.Ssl.Overrides.Server.RSA.PrivateKey"); - string publicRSAKey = _properties->getProperty("Ice.Security.Ssl.Overrides.Server.RSA.Certificate"); - setKeyCert(_sslServerContext, baseCerts.getRSACert(), privateRSAKey, publicRSAKey); - - // Process the DSA Certificate - string privateDSAKey; // = _properties->getProperty("Ice.Security.Ssl.Overrides.Server.DSA.PrivateKey"); - string publicDSAKey; // = _properties->getProperty("Ice.Security.Ssl.Overrides.Server.DSA.Certificate"); - setKeyCert(_sslServerContext, baseCerts.getDSACert(), privateDSAKey, publicDSAKey); - - // Set the DH key agreement parameters. - if (baseCerts.getDHParams().getKeySize() != 0) - { - setDHParams(_sslServerContext, baseCerts); - } - - // Set the RSA Callback routine in case we need to build a temporary RSA key. - SSL_CTX_set_tmp_rsa_callback(_sslServerContext, tmpRSACallback); - - // Set the DH Callback routine in case we need a temporary DH key. - SSL_CTX_set_tmp_dh_callback(_sslServerContext, tmpDHCallback); - - // Get the cipherlist and set it in the context. - setCipherList(_sslServerContext, general.getCipherList()); - - // Set the certificate verification mode. - SSL_CTX_set_verify(_sslServerContext, general.getVerifyMode(), verifyCallback); - - // Set the certificate verify depth - SSL_CTX_set_verify_depth(_sslServerContext, general.getVerifyDepth()); - - // Set the default context for the SSL system (can be overridden if needed) [SERVER ONLY]. - SSL_CTX_set_session_id_context(_sslServerContext, - reinterpret_cast<const unsigned char *>(_sessionContext.c_str()), - _sessionContext.size()); - } -} - -SSL_METHOD* -IceSecurity::Ssl::OpenSSL::System::getSslMethod(SslProtocol sslVersion) -{ - SSL_METHOD* sslMethod = 0; - - switch (sslVersion) - { - case SSL_V2 : - { - sslMethod = SSLv2_method(); - break; - } - - case SSL_V23 : - { - sslMethod = SSLv23_method(); - break; - } - - case SSL_V3 : - { - sslMethod = SSLv3_method(); - break; - } - - case TLS_V1 : - { - sslMethod = TLSv1_method(); - break; - } - - default : - { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) - { - string errorString; - - errorString = "SSL Version "; - errorString += sslVersion; - errorString += " not supported - defaulting to SSL_V23."; - _logger->trace(_traceLevels->securityCat, "WRN " + errorString); - } - - sslMethod = SSLv23_method(); - } - } - - return sslMethod; -} - -void -IceSecurity::Ssl::OpenSSL::System::processCertificate(SSL_CTX* sslContext, const CertificateDesc& certificateDesc) -{ - const CertificateFile& publicCert = certificateDesc.getPublic(); - const CertificateFile& privateKey = certificateDesc.getPrivate(); - - addKeyCert(sslContext, publicCert, privateKey); -} - -void -IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, - const CertificateFile& publicCert, - const CertificateFile& privateKey) -{ - if (!publicCert.getFileName().empty()) - { - string publicCertFile = publicCert.getFileName(); - const char* publicFile = publicCertFile.c_str(); - int publicEncoding = publicCert.getEncoding(); - - string privCertFile = privateKey.getFileName(); - const char* privKeyFile = privCertFile.c_str(); - int privKeyFileType = privateKey.getEncoding(); - - // Set which Public Key file to use. - if (SSL_CTX_use_certificate_file(sslContext, publicFile, publicEncoding) <= 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Unable to get certificate from '"; - contextEx._message += publicFile; - contextEx._message += "'\n"; - contextEx._message += sslGetErrors(); - - throw contextEx; - } - - if (privateKey.getFileName().empty()) - { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) - { - _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate."); - } - - privKeyFile = publicFile; - privKeyFileType = publicEncoding; - } - - // Set which Private Key file to use. - if (SSL_CTX_use_PrivateKey_file(sslContext, privKeyFile, privKeyFileType) <= 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Unable to get private key from '"; - contextEx._message += privKeyFile; - contextEx._message += "'\n"; - contextEx._message += sslGetErrors(); - - throw contextEx; - } - - // Check to see if the Private and Public keys that have been - // set against the SSL context match up. - if (!SSL_CTX_check_private_key(sslContext)) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Private key does not match the certificate public key."; - string sslError = sslGetErrors(); - - if (!sslError.empty()) - { - contextEx._message += "\n"; - contextEx._message += sslError; - } - - throw contextEx; - } - } -} - -void -IceSecurity::Ssl::OpenSSL::System::addKeyCert(SSL_CTX* sslContext, - const string& privateKey, - const string& publicKey) -{ - string privKey = privateKey; - - if (privKey.empty()) - { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) - { - _logger->trace(_traceLevels->securityCat, "WRN No private key specified - using the certificate."); - } - - privKey = publicKey; - } - - // Make a key pair based on the Base64 encoded strings - RSAKeyPair keyPair(privateKey, publicKey); - - // Janitors to ensure that everything gets cleaned up properly - RSAJanitor rsaJanitor(keyPair.getRSAPrivateKey()); - X509Janitor x509Janitor(keyPair.getX509PublicKey()); - - // Set which Public Key file to use. - if (SSL_CTX_use_certificate(sslContext, x509Janitor.get()) <= 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Unable to set certificate from memory."; - string sslError = sslGetErrors(); - - if (!sslError.empty()) - { - contextEx._message += "\n"; - contextEx._message += sslError; - } - - throw contextEx; - } - - x509Janitor.clear(); - - // Set which Private Key file to use. - if (SSL_CTX_use_RSAPrivateKey(sslContext, rsaJanitor.get()) <= 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Unable to set private key from memory."; - string sslError = sslGetErrors(); - - if (!sslError.empty()) - { - contextEx._message += "\n"; - contextEx._message += sslError; - } - - throw contextEx; - } - - rsaJanitor.clear(); - - // Check to see if the Private and Public keys that have been - // set against the SSL context match up. - if (!SSL_CTX_check_private_key(sslContext)) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Private key does not match the certificate public key."; - string sslError = sslGetErrors(); - - if (!sslError.empty()) - { - contextEx._message += "\n"; - contextEx._message += sslError; - } - - throw contextEx; - } -} - - -SSL_CTX* -IceSecurity::Ssl::OpenSSL::System::createContext(SslProtocol sslProtocol) -{ - SSL_CTX* context = SSL_CTX_new(getSslMethod(sslProtocol)); - - if (context == 0) - { - ContextException contextEx(__FILE__, __LINE__); - - contextEx._message = "Unable to create SSL Context.\n" + sslGetErrors(); - - throw contextEx; - } - - // Turn off session caching, supposedly fixes a problem with multithreading. - SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF); - - return context; -} - - -string -IceSecurity::Ssl::OpenSSL::System::sslGetErrors() -{ - string errorMessage; - char buf[200]; - char bigBuffer[1024]; - const char* file = 0; - const char* data = 0; - int line = 0; - int flags = 0; - unsigned errorCode = 0; - int errorNum = 1; - - unsigned long es = CRYPTO_thread_id(); - - while ((errorCode = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) - { - sprintf(bigBuffer,"%6d - Thread ID: %lu\n", errorNum, es); - errorMessage += bigBuffer; - - sprintf(bigBuffer,"%6d - Error: %u\n", errorNum, errorCode); - errorMessage += bigBuffer; - - // Request an error from the OpenSSL library - ERR_error_string_n(errorCode, buf, sizeof(buf)); - sprintf(bigBuffer,"%6d - Message: %s\n", errorNum, buf); - errorMessage += bigBuffer; - - sprintf(bigBuffer,"%6d - Location: %s, %d\n", errorNum, file, line); - errorMessage += bigBuffer; - - if (flags & ERR_TXT_STRING) - { - sprintf(bigBuffer,"%6d - Data: %s\n", errorNum, data); - errorMessage += bigBuffer; - } - - errorNum++; - } - - ERR_clear_error(); - - return errorMessage; -} - -void -IceSecurity::Ssl::OpenSSL::System::commonConnectionSetup(IceSecurity::Ssl::OpenSSL::Connection* connection) -{ - connection->setTrace(_traceLevels); - connection->setLogger(_logger); - - // Set the Post-Hanshake Read timeout - // This timeout is implemented once on the first read after hanshake. - int handshakeReadTimeout; - string value = _properties->getProperty("Ice.Security.Ssl.Handshake.ReadTimeout"); - - if (!value.empty()) - { - handshakeReadTimeout = atoi(value.c_str()); - } - else - { - handshakeReadTimeout = 5000; - } - - connection->setHandshakeReadTimeout(handshakeReadTimeout); -} - -SSL* -IceSecurity::Ssl::OpenSSL::System::createConnection(SSL_CTX* sslContext, int socket) -{ - SSL* sslConnection = SSL_new(sslContext); - - SSL_clear(sslConnection); - - SSL_set_fd(sslConnection, socket); - - if (_traceLevels->security >= IceSecurity::SECURITY_PROTOCOL_DEBUG) - { - sslConnection->debug = 1; - BIO_set_callback(SSL_get_rbio(sslConnection), bio_dump_cb); - BIO_set_callback_arg(SSL_get_rbio(sslConnection), 0); - BIO_set_callback(SSL_get_wbio(sslConnection), bio_dump_cb); - BIO_set_callback_arg(SSL_get_rbio(sslConnection), 0); - } - - return sslConnection; -} - -void -IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, CertificateAuthority& certAuth) -{ - assert(sslContext); - - string caFile = certAuth.getCAFileName(); - string caPath = certAuth.getCAPath(); - - loadCAFiles(sslContext, caFile.c_str(), caPath.c_str()); -} - -void -IceSecurity::Ssl::OpenSSL::System::loadCAFiles(SSL_CTX* sslContext, const char* caFile, const char* caPath) -{ - assert(sslContext); - - // The following checks are required to send the expected values to the OpenSSL library. - // It does not like receiving "", but prefers NULLs. - if ((caFile != 0) && (strlen(caFile) == 0)) - { - caFile = 0; - } - - if ((caPath != 0) && (strlen(caPath) == 0)) - { - caPath = 0; - } - - // SSL_CTX_set_default_passwd_cb(sslContext, passwordCallback); - - // Check the Certificate Authority file(s). - int loadVerifyRet = SSL_CTX_load_verify_locations(sslContext, caFile, caPath); - - if (!loadVerifyRet) - { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) - { - _logger->trace(_traceLevels->securityCat, "WRN Unable to load Certificate Authorities."); - } - } - else - { - int setDefaultVerifyPathsRet = SSL_CTX_set_default_verify_paths(sslContext); - - - if (!setDefaultVerifyPathsRet && (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) - { - _logger->trace(_traceLevels->securityCat, "WRN Unable to verify Certificate Authorities."); - } - } -} - -void -IceSecurity::Ssl::OpenSSL::System::loadAndCheckCAFiles(SSL_CTX* sslContext, CertificateAuthority& certAuth) -{ - assert(sslContext); - - string caFile = certAuth.getCAFileName(); - string caPath = certAuth.getCAPath(); - - // Check the Certificate Authority file(s). - loadCAFiles(sslContext, caFile.c_str(), caPath.c_str()); - - // NOTE: This might require some cleaning up. - string caCertBase64 = _properties->getProperty("Ice.Security.Ssl.Overrides.Server.CACertificate"); - if (!caCertBase64.empty()) - { - setServerCertAuthorityCertificate(caCertBase64); - } - - // TODO: Check this if things stop working - if (!caFile.empty()) - { - STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str()); - - if (certNames == 0) - { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) - { - string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n"; - errorString += sslGetErrors(); - _logger->trace(_traceLevels->securityCat, "WRN " + errorString); - } - } - else - { - SSL_CTX_set_client_CA_list(sslContext, certNames); - } - } -} - -DH* -IceSecurity::Ssl::OpenSSL::System::loadDHParam(const char* dhfile) -{ - assert(dhfile); - - DH* ret = 0; - BIO* bio; - - if ((bio = BIO_new_file(dhfile,"r")) != 0) - { - ret = PEM_read_bio_DHparams(bio, 0, 0, 0); - } - - if (bio != 0) - { - BIO_free(bio); - } - - return ret; -} - -DH* -IceSecurity::Ssl::OpenSSL::System::getTempDH(unsigned char* p, int plen, unsigned char* g, int glen) -{ - DH* dh = 0; - - if ((dh = DH_new()) != 0) - { - dh->p = BN_bin2bn(p, plen, 0); - - dh->g = BN_bin2bn(g, glen, 0); - - if ((dh->p == 0) || (dh->g == 0)) - { - DH_free(dh); - dh = 0; - } - } - - return dh; -} - -DH* -IceSecurity::Ssl::OpenSSL::System::getTempDH512() -{ - DH* dh = getTempDH(_tempDiffieHellman512p, sizeof(_tempDiffieHellman512p), - _tempDiffieHellman512g, sizeof(_tempDiffieHellman512g)); - - return dh; -} - -void -IceSecurity::Ssl::OpenSSL::System::setDHParams(SSL_CTX* sslContext, BaseCertificates& baseCerts) -{ - string dhFile; - int encoding = 0; - - // TODO: This just looks plain wrong. RSA instead of DH params??? -ASN - - if (baseCerts.getDHParams().getKeySize() != 0) - { - dhFile = baseCerts.getDHParams().getFileName(); - encoding = baseCerts.getDHParams().getEncoding(); - } - else if (baseCerts.getRSACert().getKeySize() != 0) - { - dhFile = baseCerts.getRSACert().getPublic().getFileName(); - encoding = baseCerts.getRSACert().getPublic().getEncoding(); - } - - DH* dh = 0; - - // File type must be PEM - that's the only way we can load - // DH Params, apparently. - if ((!dhFile.empty()) && (encoding == SSL_FILETYPE_PEM)) - { - dh = loadDHParam(dhFile.c_str()); - } - - if (dh == 0) - { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS) - { - _logger->trace(_traceLevels->securityCat, - "WRN Could not load Diffie-Hellman params, generating a temporary 512bit key."); - } - - dh = getTempDH512(); - } - - if (dh != 0) - { - SSL_CTX_set_tmp_dh(sslContext, dh); - - DH_free(dh); - } -} - -void -IceSecurity::Ssl::OpenSSL::System::setCipherList(SSL_CTX* sslContext, const string& cipherList) -{ - if (!cipherList.empty() && (!SSL_CTX_set_cipher_list(sslContext, cipherList.c_str())) && - (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) - { - string errorString = "WRN Error setting cipher list " + cipherList + " - using default list.\n"; - errorString += sslGetErrors(); - _logger->trace(_traceLevels->securityCat, errorString); - } -} - int -IceSecurity::Ssl::OpenSSL::System::seedRand() +IceSSL::OpenSSL::System::seedRand() { int retCode = 1; char buffer[1024]; @@ -1423,7 +494,7 @@ IceSecurity::Ssl::OpenSSL::System::seedRand() } long -IceSecurity::Ssl::OpenSSL::System::loadRandFiles(const string& names) +IceSSL::OpenSSL::System::loadRandFiles(const string& names) { long tot = 0; @@ -1469,14 +540,14 @@ IceSecurity::Ssl::OpenSSL::System::loadRandFiles(const string& names) } void -IceSecurity::Ssl::OpenSSL::System::initRandSystem(const string& randBytesFiles) +IceSSL::OpenSSL::System::initRandSystem(const string& randBytesFiles) { if (!_randSeeded) { long randBytesLoaded = 0; if (!seedRand() && randBytesFiles.empty() && !RAND_status() && - (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)) + (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)) { _logger->trace(_traceLevels->securityCat, "WRN There is a lack of random data, consider specifying a random data file."); @@ -1490,7 +561,7 @@ IceSecurity::Ssl::OpenSSL::System::initRandSystem(const string& randBytesFiles) } void -IceSecurity::Ssl::OpenSSL::System::loadTempCerts(TempCertificates& tempCerts) +IceSSL::OpenSSL::System::loadTempCerts(TempCertificates& tempCerts) { RSAVector::iterator iRSA = tempCerts.getRSACerts().begin(); RSAVector::iterator eRSA = tempCerts.getRSACerts().end(); @@ -1501,15 +572,6 @@ IceSecurity::Ssl::OpenSSL::System::loadTempCerts(TempCertificates& tempCerts) iRSA++; } - DSAVector::iterator iDSA = tempCerts.getDSACerts().begin(); - DSAVector::iterator eDSA = tempCerts.getDSACerts().end(); - - while (iDSA != eDSA) - { - _tempDSAFileMap[(*iDSA).getKeySize()] = *iDSA; - iDSA++; - } - DHVector::iterator iDHP = tempCerts.getDHParams().begin(); DHVector::iterator eDHP = tempCerts.getDHParams().end(); diff --git a/cpp/src/Ice/SslSystemOpenSSL.h b/cpp/src/Ice/SslSystemOpenSSL.h index 6eb1c1f41ea..34853a981b2 100644 --- a/cpp/src/Ice/SslSystemOpenSSL.h +++ b/cpp/src/Ice/SslSystemOpenSSL.h @@ -1,6 +1,6 @@ // ********************************************************************** // -// Copyright (c) 2001 +// Copyright (c) 2002 // MutableRealms, Inc. // Huntsville, AL, USA // @@ -10,50 +10,28 @@ #ifndef ICE_SSL_SYSTEM_OPENSSL_H #define ICE_SSL_SYSTEM_OPENSSL_H -#include <openssl/ssl.h> -#include <string> -#include <map> -#include <Ice/Config.h> -#include <Ice/TraceLevelsF.h> -#include <Ice/LoggerF.h> -#include <Ice/SslFactory.h> -#include <Ice/SslSystem.h> - -namespace IceSecurity -{ - -namespace Ssl -{ - -enum SslProtocol -{ - SSL_V2 = 1, // Only speak SSLv2 - SSL_V23, // Speak SSLv2 and SSLv3 - SSL_V3, // Only speak SSLv3 - TLS_V1 // Only speak TLSv1 -}; - -} - -} +#include <Ice/Config.h>
+#include <Ice/TraceLevelsF.h>
+#include <Ice/LoggerF.h>
#include <Ice/SslGeneralConfig.h> #include <Ice/SslCertificateDesc.h> #include <Ice/SslCertificateAuthority.h> #include <Ice/SslBaseCerts.h> #include <Ice/SslTempCerts.h> -#include <Ice/SslConnectionOpenSSL.h> - -extern "C" -{ - RSA* tmpRSACallback(SSL*, int, int); - DH* tmpDHCallback(SSL*, int, int); -} - -namespace IceSecurity -{ - -namespace Ssl +
+#include <Ice/SslContextOpenSSLServer.h> +#include <Ice/SslContextOpenSSLClient.h>
+#include <Ice/SslConnectionOpenSSL.h>
+#include <Ice/SslSystemInternal.h>
+#include <Ice/SslFactory.h>
+ +#include <Ice/SslOpenSSLUtils.h>
+#include <openssl/ssl.h>
+#include <string>
+#include <map>
+
+namespace IceSSL { class GeneralConfig; @@ -65,70 +43,50 @@ typedef std::map<int,RSA*> RSAMap; typedef std::map<int,DH*> DHMap; typedef std::map<int,CertificateDesc> RSACertMap; -typedef std::map<int,CertificateDesc> DSACertMap; typedef std::map<int,DiffieHellmanParamsFile> DHParamsMap; -class System : public IceSecurity::Ssl::System +class System : public IceSSL::SystemInternal { public: - - // This is how we create a Server connection. - virtual IceSecurity::Ssl::Connection* createServerConnection(int); - - // This is how we create a Client connection. - virtual IceSecurity::Ssl::Connection* createClientConnection(int); +
+ virtual IceSSL::ConnectionPtr createConnection(ContextType, int);
// Shuts down the SSL System. virtual void shutdown(); - virtual void setTrace(const IceInternal::TraceLevelsPtr&); - virtual void setLogger(const Ice::LoggerPtr&); - - virtual bool isConfigLoaded(); - virtual void loadConfig(); + virtual bool isConfigured(ContextType); + virtual void configure(ContextType);
+ virtual void loadConfig(ContextType, const ::std::string&, const ::std::string&); // Returns the desired RSA Key, or creates it if not already created. // This is public because the tmpRSACallback must be able to access it. - RSA* getRSAKey(SSL*, int, int); + RSA* getRSAKey(int, int); // Returns the desired DH Params. If the Params do not already exist, and the key // requested is a 512bit or 1024bit key, we use the compiled-in temporary params. // If the key is some other length, we read the desired key, based on length, // from a DH Param file. // This is public because the tmpDHCallback must be able to access it. - DH* getDHParams(SSL*, int, int); + DH* getDHParams(int, int); - CertificateVerifierPtr certificateVerifierTypeCheck(const IceSecurity::Ssl::CertificateVerifierPtr&); - virtual void setServerCertificateVerifier(const IceSecurity::Ssl::CertificateVerifierPtr&); - virtual void setClientCertificateVerifier(const IceSecurity::Ssl::CertificateVerifierPtr&); + virtual void setCertificateVerifier(ContextType, const IceSSL::CertificateVerifierPtr&); - virtual void setServerCertAuthorityCertificate(const std::string&); - virtual void setClientCertAuthorityCertificate(const std::string&); + virtual void addTrustedCertificate(ContextType, const std::string&); - virtual void setServerRSAKeysBase64(const std::string&, const std::string&); - virtual void setClientRSAKeysBase64(const std::string&, const std::string&); - - static IceInternal::TraceLevelsPtr _globalTraceLevels; - static Ice::LoggerPtr _globalLogger; + virtual void setRSAKeysBase64(ContextType, const std::string&, const std::string&); + virtual void setRSAKeys(ContextType, const Ice::ByteSeq&, const Ice::ByteSeq&);
+
protected: - System(); + System(const IceInternal::InstancePtr&); ~System(); -private: - - CertificateVerifierPtr _clientVerifier; - CertificateVerifierPtr _serverVerifier; - - // Base Diffie-Hellman 512bit key (only to be used for key exchange). - static unsigned char _tempDiffieHellman512p[]; - static unsigned char _tempDiffieHellman512g[]; +private:
+
+ ServerContext _serverContext; + ClientContext _clientContext;
- // Default SSL Contexts, for both Server and Client connections. - SSL_CTX* _sslServerContext; - SSL_CTX* _sslClientContext; - // Keep a cache of all temporary RSA keys. RSAMap _tempRSAKeys; ::IceUtil::Mutex _tempRSAKeysMutex; @@ -141,70 +99,24 @@ private: // The files themselves will not be loaded until // needed. RSACertMap _tempRSAFileMap; - DSACertMap _tempDSAFileMap; DHParamsMap _tempDHParamsFileMap; - // The Session ID Context (Server Only). - std::string _sessionContext; - // Flag as to whether the Random Number system has been seeded. int _randSeeded; - bool _configLoaded; - - void setKeyCert(SSL_CTX*, const IceSecurity::Ssl::CertificateDesc&, - const std::string&, const std::string&); - - // Call to initialize the SSL system. - void initClient(IceSecurity::Ssl::GeneralConfig&, IceSecurity::Ssl::CertificateAuthority&, - IceSecurity::Ssl::BaseCertificates&); - void initServer(IceSecurity::Ssl::GeneralConfig&, IceSecurity::Ssl::CertificateAuthority&, - IceSecurity::Ssl::BaseCertificates&, IceSecurity::Ssl::TempCertificates&); - - SSL_METHOD* getSslMethod(SslProtocol); - - void processCertificate(SSL_CTX*, const IceSecurity::Ssl::CertificateDesc&); - void addKeyCert(SSL_CTX*, const IceSecurity::Ssl::CertificateFile&, - const IceSecurity::Ssl::CertificateFile&); - void addKeyCert(SSL_CTX*, const std::string&, const std::string&); - - SSL_CTX* createContext(IceSecurity::Ssl::SslProtocol); - - // Retrieves errors from the OpenSSL library. - std::string sslGetErrors(); - - void commonConnectionSetup(IceSecurity::Ssl::OpenSSL::Connection*); - - // Create a connection. - SSL* createConnection(SSL_CTX*, int); - - // Methods for loading CAFiles into a Context. - void loadCAFiles(SSL_CTX*, IceSecurity::Ssl::CertificateAuthority&); - void loadCAFiles(SSL_CTX*, const char*, const char*); - void loadAndCheckCAFiles(SSL_CTX*, IceSecurity::Ssl::CertificateAuthority&); - - DH* loadDHParam(const char *); - DH* getTempDH(unsigned char*, int, unsigned char*, int); - DH* getTempDH512(); - void setDHParams(SSL_CTX*, IceSecurity::Ssl::BaseCertificates&); - - void setCipherList(SSL_CTX*, const std::string&); - // Cryptographic Random Number System related routines. int seedRand(); long loadRandFiles(const std::string&); void initRandSystem(const std::string&); +
+ // Load the temporary (ephemeral) certificates for Server operations + void loadTempCerts(IceSSL::TempCertificates&); - void loadTempCerts(IceSecurity::Ssl::TempCertificates&); - - friend class IceSecurity::Ssl::Factory; - friend class Connection; + friend class IceSSL::Factory; }; } } -} - #endif diff --git a/cpp/src/Ice/SslTempCerts.cpp b/cpp/src/Ice/SslTempCerts.cpp index 6397175865b..e05a65bdeee 100644 --- a/cpp/src/Ice/SslTempCerts.cpp +++ b/cpp/src/Ice/SslTempCerts.cpp @@ -10,32 +10,37 @@ #include <Ice/SslTempCerts.h> -IceSecurity::Ssl::TempCertificates::TempCertificates() +IceSSL::TempCertificates::TempCertificates() { } -IceSecurity::Ssl::TempCertificates::~TempCertificates() +IceSSL::TempCertificates::~TempCertificates() { _rsaCerts.clear(); - _dsaCerts.clear(); - _rsaCerts.clear(); + _dhParams.clear(); } void -IceSecurity::Ssl::TempCertificates::addRSACert(CertificateDesc& certDesc) +IceSSL::TempCertificates::addRSACert(CertificateDesc& certDesc) { _rsaCerts.push_back(certDesc); } void -IceSecurity::Ssl::TempCertificates::addDSACert(CertificateDesc& certDesc) -{ - _dsaCerts.push_back(certDesc); -} - -void -IceSecurity::Ssl::TempCertificates::addDHParams(DiffieHellmanParamsFile& dhParams) +IceSSL::TempCertificates::addDHParams(DiffieHellmanParamsFile& dhParams) { _dhParams.push_back(dhParams); } +IceSSL::RSAVector&
+IceSSL::TempCertificates::getRSACerts()
+{
+ return _rsaCerts;
+}
+
+IceSSL::DHVector&
+IceSSL::TempCertificates::getDHParams()
+{
+ return _dhParams;
+}
+
diff --git a/cpp/src/Ice/SslTempCerts.h b/cpp/src/Ice/SslTempCerts.h index a0fc4160489..d4b40097068 100644 --- a/cpp/src/Ice/SslTempCerts.h +++ b/cpp/src/Ice/SslTempCerts.h @@ -14,10 +14,7 @@ #include <Ice/SslCertificateDesc.h> #include <ostream> -namespace IceSecurity -{ - -namespace Ssl +namespace IceSSL { class TempCertificates @@ -28,16 +25,13 @@ public: ~TempCertificates(); void addRSACert(CertificateDesc&); - void addDSACert(CertificateDesc&); void addDHParams(DiffieHellmanParamsFile&); - inline RSAVector& getRSACerts() { return _rsaCerts; }; - inline DSAVector& getDSACerts() { return _dsaCerts; }; - inline DHVector& getDHParams() { return _dhParams; }; + RSAVector& getRSACerts(); + DHVector& getDHParams(); protected: RSAVector _rsaCerts; - DSAVector _dsaCerts; DHVector _dhParams; }; @@ -55,17 +49,6 @@ inline Stream& operator << (Stream& target, TempCertificates& tmpCerts) iRSA++; } - DSAVector::iterator iDSA = tmpCerts.getDSACerts().begin(); - DSAVector::iterator eDSA = tmpCerts.getDSACerts().end(); - - while (iDSA != eDSA) - { - target << "DSA" << std::endl << "{" << std::endl; - target << *iDSA; - target << "}" << std::endl << std::endl; - iDSA++; - } - DHVector::iterator iDHP = tmpCerts.getDHParams().begin(); DHVector::iterator eDHP = tmpCerts.getDHParams().end(); @@ -82,6 +65,4 @@ inline Stream& operator << (Stream& target, TempCertificates& tmpCerts) } -} - #endif diff --git a/cpp/src/Ice/SslTransceiver.cpp b/cpp/src/Ice/SslTransceiver.cpp index ef38b60eb3e..f9a4dde64ae 100644 --- a/cpp/src/Ice/SslTransceiver.cpp +++ b/cpp/src/Ice/SslTransceiver.cpp @@ -22,7 +22,7 @@ using namespace std; using namespace Ice; using namespace IceInternal; -using IceSecurity::Ssl::ConnectionPtr; +using IceSSL::ConnectionPtr; SOCKET IceInternal::SslTransceiver::fd() @@ -63,7 +63,7 @@ IceInternal::SslTransceiver::shutdown() void IceInternal::SslTransceiver::write(Buffer& buf, int timeout) -{ +{
_sslConnection->write(buf, timeout); } @@ -72,16 +72,10 @@ IceInternal::SslTransceiver::read(Buffer& buf, int timeout) { if (!_sslConnection->read(buf, timeout)) { - if (_traceLevels->security >= IceSecurity::SECURITY_WARNINGS)
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
{
_logger->trace(_traceLevels->securityCat, "WRN Connection::read() returning no bytes read.");
}
- - // TODO: Perhaps this should be a NoApplicationDataException ??? - // ICE_WARNING("Throwing ConnectionLostException."); - // ConnectionLostException clEx(__FILE__, __LINE__); - // clEx.error = 0; - // throw clEx; } } diff --git a/cpp/src/Ice/SslTransceiver.h b/cpp/src/Ice/SslTransceiver.h index 7f52e930996..840139124a1 100644 --- a/cpp/src/Ice/SslTransceiver.h +++ b/cpp/src/Ice/SslTransceiver.h @@ -36,7 +36,7 @@ public: private: - SslTransceiver(const InstancePtr&, SOCKET, const ::IceSecurity::Ssl::ConnectionPtr&); + SslTransceiver(const InstancePtr&, SOCKET, const ::IceSSL::ConnectionPtr&); virtual ~SslTransceiver(); friend class SslConnector; @@ -49,7 +49,7 @@ private: fd_set _rFdSet; fd_set _wFdSet; - ::IceSecurity::Ssl::ConnectionPtr _sslConnection; + ::IceSSL::ConnectionPtr _sslConnection; }; } diff --git a/cpp/src/Ice/ice.dsp b/cpp/src/Ice/ice.dsp index 8417de4a001..5a4764fae8f 100644 --- a/cpp/src/Ice/ice.dsp +++ b/cpp/src/Ice/ice.dsp @@ -25,7 +25,7 @@ CFG=Ice - Win32 Debug # PROP AllowPerConfigDependencies 0
# PROP Scc_ProjName ""
# PROP Scc_LocalPath ""
-CPP=xicl6.exe
+CPP=cl.exe
MTL=midl.exe
RSC=rc.exe
@@ -52,7 +52,7 @@ RSC=rc.exe BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
-LINK32=xilink6.exe
+LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386
# ADD LINK32 ws2_32.lib libeay32.lib ssleay32.lib xerces-c_1.lib /nologo /dll /machine:I386 /out:"Release/ice001.dll"
# SUBTRACT LINK32 /pdb:none /debug /nodefaultlib
@@ -84,7 +84,7 @@ PostBuild_Cmds=copy Release\ice001.* ..\..\lib BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
-LINK32=xilink6.exe
+LINK32=link.exe
# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept
# ADD LINK32 ws2_32.lib libeay32.lib ssleay32.lib xerces-c_1D.lib /nologo /dll /debug /machine:I386 /out:"Debug/ice001d.dll" /pdbtype:sept
# SUBTRACT LINK32 /pdb:none /nodefaultlib
@@ -148,6 +148,10 @@ SOURCE=.\Current.cpp # End Source File
# Begin Source File
+SOURCE=.\DefaultCertificateVerifier.cpp
+# End Source File
+# Begin Source File
+
SOURCE=.\Direct.cpp
# End Source File
# Begin Source File
@@ -296,6 +300,10 @@ SOURCE=.\ServantLocator.cpp # End Source File
# Begin Source File
+SOURCE=.\SingleCertificateVerifier.cpp
+# End Source File
+# Begin Source File
+
SOURCE=.\SslAcceptor.cpp
# End Source File
# Begin Source File
@@ -348,6 +356,26 @@ SOURCE=.\SslConnector.cpp # End Source File
# Begin Source File
+SOURCE=.\SslContextOpenSSL.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslContextOpenSSLClient.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslContextOpenSSLServer.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslExtension.cpp
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslExtensionInternal.cpp
+# End Source File
+# Begin Source File
+
SOURCE=.\SslFactory.cpp
# End Source File
# Begin Source File
@@ -388,6 +416,10 @@ SOURCE=.\SslSystem.cpp # End Source File
# Begin Source File
+SOURCE=.\SslSystemInternal.cpp
+# End Source File
+# Begin Source File
+
SOURCE=.\SslSystemOpenSSL.cpp
# End Source File
# Begin Source File
@@ -548,6 +580,10 @@ SOURCE=..\..\include\Ice\Current.h # End Source File
# Begin Source File
+SOURCE=.\DefaultCertificateVerifier.h
+# End Source File
+# Begin Source File
+
SOURCE=..\..\include\Ice\Direct.h
# End Source File
# Begin Source File
@@ -812,6 +848,10 @@ SOURCE=..\..\include\Ice\ServantLocatorF.h # End Source File
# Begin Source File
+SOURCE=.\SingleCertificateVerifier.h
+# End Source File
+# Begin Source File
+
SOURCE=.\SslAcceptor.h
# End Source File
# Begin Source File
@@ -856,6 +896,10 @@ SOURCE=.\SslConnection.h # End Source File
# Begin Source File
+SOURCE=.\SslConnectionF.h
+# End Source File
+# Begin Source File
+
SOURCE=.\SslConnectionOpenSSL.h
# End Source File
# Begin Source File
@@ -876,6 +920,34 @@ SOURCE=.\SslConnector.h # End Source File
# Begin Source File
+SOURCE=.\SslContextOpenSSL.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslContextOpenSSLClient.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslContextOpenSSLF.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslContextOpenSSLServer.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\include\Ice\SslExtension.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\include\Ice\SslExtensionF.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslExtensionInternal.h
+# End Source File
+# Begin Source File
+
SOURCE=.\SslFactory.h
# End Source File
# Begin Source File
@@ -928,7 +1000,19 @@ SOURCE=..\..\include\Ice\SslRSAPublicKeyF.h # End Source File
# Begin Source File
-SOURCE=.\SslSystem.h
+SOURCE=..\..\include\Ice\SslSystem.h
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\include\Ice\SslSystemF.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslSystemInternal.h
+# End Source File
+# Begin Source File
+
+SOURCE=.\SslSystemInternalF.h
# End Source File
# Begin Source File
@@ -2068,6 +2152,108 @@ InputPath=..\..\slice\Ice\SslCertificateVerifierF.ice # End Source File
# Begin Source File
+SOURCE=..\..\slice\Ice\SslExtension.ice
+
+!IF "$(CFG)" == "Ice - Win32 Release"
+
+!ELSEIF "$(CFG)" == "Ice - Win32 Debug"
+
+USERDEP__SSLEX="../../bin/slice2cpp.exe"
+# Begin Custom Build
+InputPath=..\..\slice\Ice\SslExtension.ice
+
+BuildCmds= \
+ set PATH=%PATH%;..\..\lib \
+ ..\..\bin\slice2cpp.exe --dll-export ICE_API --include-dir Ice -I../../slice ../../slice/Ice/SslExtension.ice \
+ move SslExtension.h ..\..\include\Ice \
+
+
+"..\..\include\Ice\SslExtension.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ $(BuildCmds)
+
+"SslExtension.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ $(BuildCmds)
+# End Custom Build
+
+!ENDIF
+
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\slice\Ice\SslExtensionF.ice
+
+!IF "$(CFG)" == "Ice - Win32 Release"
+
+!ELSEIF "$(CFG)" == "Ice - Win32 Debug"
+
+USERDEP__SSLEXT="../../bin/slice2cpp.exe"
+# Begin Custom Build
+InputPath=..\..\slice\Ice\SslExtensionF.ice
+
+"..\..\include\Ice\SslExtensionF.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ set PATH=%PATH%;..\..\lib
+ ..\..\bin\slice2cpp.exe --dll-export ICE_API --include-dir Ice -I../../slice ../../slice/Ice/SslExtensionF.ice
+ move SslExtensionF.h ..\..\include\Ice
+ del SslExtensionF.cpp
+
+# End Custom Build
+
+!ENDIF
+
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\slice\Ice\SslSystem.ice
+
+!IF "$(CFG)" == "Ice - Win32 Release"
+
+!ELSEIF "$(CFG)" == "Ice - Win32 Debug"
+
+USERDEP__SSLSY="../../bin/slice2cpp.exe"
+# Begin Custom Build
+InputPath=..\..\slice\Ice\SslSystem.ice
+
+BuildCmds= \
+ set PATH=%PATH%;..\..\lib \
+ ..\..\bin\slice2cpp.exe --dll-export ICE_API --include-dir Ice -I../../slice ../../slice/Ice/SslSystem.ice \
+ move SslSystem.h ..\..\include\Ice \
+
+
+"..\..\include\Ice\SslSystem.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ $(BuildCmds)
+
+"SslSystem.cpp" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ $(BuildCmds)
+# End Custom Build
+
+!ENDIF
+
+# End Source File
+# Begin Source File
+
+SOURCE=..\..\slice\Ice\SslSystemF.ice
+
+!IF "$(CFG)" == "Ice - Win32 Release"
+
+!ELSEIF "$(CFG)" == "Ice - Win32 Debug"
+
+USERDEP__SSLSYS="../../bin/slice2cpp.exe"
+# Begin Custom Build
+InputPath=..\..\slice\Ice\SslSystemF.ice
+
+"..\..\include\Ice\SslSystemF.h" : $(SOURCE) "$(INTDIR)" "$(OUTDIR)"
+ set PATH=%PATH%;..\..\lib
+ ..\..\bin\slice2cpp.exe --dll-export ICE_API --include-dir Ice -I../../slice ../../slice/Ice/SslSystemF.ice
+ move SslSystemF.h ..\..\include\Ice
+ del SslSystemF.cpp
+
+# End Custom Build
+
+!ENDIF
+
+# End Source File
+# Begin Source File
+
SOURCE=..\..\slice\Ice\Stream.ice
!IF "$(CFG)" == "Ice - Win32 Release"
|