Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/Ice/ConfigParser.cpp10
-rw-r--r--cpp/src/Ice/ContextOpenSSL.cpp32
-rw-r--r--cpp/src/Ice/ContextOpenSSL.h4
-rw-r--r--cpp/src/Ice/SystemInternal.h6
-rw-r--r--cpp/src/Ice/SystemOpenSSL.cpp52
-rw-r--r--cpp/src/Ice/SystemOpenSSL.h15
-rw-r--r--cpp/src/Ice/ice.dsp4
7 files changed, 97 insertions, 26 deletions
diff --git a/cpp/src/Ice/ConfigParser.cpp b/cpp/src/Ice/ConfigParser.cpp
index dea372829e0..52643ce0fac 100644
--- a/cpp/src/Ice/ConfigParser.cpp
+++ b/cpp/src/Ice/ConfigParser.cpp
@@ -185,7 +185,9 @@ IceSSL::ConfigParser::process()
}
bool
-IceSSL::ConfigParser::loadClientConfig(GeneralConfig& general, CertificateAuthority& certAuth, BaseCertificates& baseCerts)
+IceSSL::ConfigParser::loadClientConfig(GeneralConfig& general,
+ CertificateAuthority& certAuth,
+ BaseCertificates& baseCerts)
{
bool retCode = false;
string clientSectionString("SSLConfig:client");
@@ -221,9 +223,9 @@ IceSSL::ConfigParser::loadClientConfig(GeneralConfig& general, CertificateAuthor
bool
IceSSL::ConfigParser::loadServerConfig(GeneralConfig& general,
- CertificateAuthority& certAuth,
- BaseCertificates& baseCerts,
- TempCertificates& tempCerts)
+ CertificateAuthority& certAuth,
+ BaseCertificates& baseCerts,
+ TempCertificates& tempCerts)
{
bool retCode = false;
string serverSectionString("SSLConfig:server");
diff --git a/cpp/src/Ice/ContextOpenSSL.cpp b/cpp/src/Ice/ContextOpenSSL.cpp
index b8185d2546a..1e0ce4e6a81 100644
--- a/cpp/src/Ice/ContextOpenSSL.cpp
+++ b/cpp/src/Ice/ContextOpenSSL.cpp
@@ -50,7 +50,7 @@ IceSSL::OpenSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& v
}
void
-IceSSL::OpenSSL::Context::addTrustedCertificate(const std::string& trustedCertString)
+IceSSL::OpenSSL::Context::addTrustedCertificateBase64(const std::string& trustedCertString)
{
if (_sslContext == 0)
{
@@ -78,6 +78,34 @@ IceSSL::OpenSSL::Context::addTrustedCertificate(const std::string& trustedCertSt
}
void
+IceSSL::OpenSSL::Context::addTrustedCertificate(const Ice::ByteSeq& trustedCert)
+{
+ if (_sslContext == 0)
+ {
+ IceSSL::OpenSSL::ContextNotConfiguredException contextConfigEx(__FILE__, __LINE__);
+
+ contextConfigEx._message = "SSL Context not configured.";
+
+ throw contextConfigEx;
+ }
+
+ RSAPublicKey pubKey(trustedCert);
+
+ X509_STORE* certStore = SSL_CTX_get_cert_store(_sslContext);
+
+ assert(certStore != 0);
+
+ if (X509_STORE_add_cert(certStore, pubKey.getX509PublicKey()) == 0)
+ {
+ IceSSL::OpenSSL::TrustedCertificateAddException trustEx(__FILE__, __LINE__);
+
+ trustEx._message = sslGetErrors();
+
+ throw trustEx;
+ }
+}
+
+void
IceSSL::OpenSSL::Context::setRSAKeysBase64(const std::string& privateKey,
const std::string& publicKey)
{
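Review bot: The new addTrustedCertificate(const Ice::ByteSeq&) carries no comment saying what trustedCert must contain, and the local name `pubKey` for a trust anchor hides that it is an X509 certificate (not a bare key) that reaches X509_STORE_add_cert; add above the definition `// Installs trustedCert (raw certificate bytes, not base64 — presumably DER; compare addTrustedCertificateBase64) as a trust anchor in this context's X509 store.`, confirming the encoding against RSAPublicKey's constructor. On the OpenSSL releases contemporary with this code, X509_STORE_add_cert also reports a certificate that is already in the store as a failure, so a second call with the same CA surfaces as TrustedCertificateAddException rather than a no-op; if callers may re-add, document that or inspect the OpenSSL error reason before throwing. The `assert(certStore != 0)` is compiled out under NDEBUG, so in release builds a null store would reach X509_STORE_add_cert unchecked; an explicit throw of ContextNotConfiguredException would keep the check in every build.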
@@ -280,7 +308,7 @@ IceSSL::OpenSSL::Context::loadCertificateAuthority(const CertificateAuthority& c
std::string caCertBase64 = _properties->getProperty(_caCertificateProperty);
if (!caCertBase64.empty())
{
- addTrustedCertificate(caCertBase64);
+ addTrustedCertificateBase64(caCertBase64);
}
}
diff --git a/cpp/src/Ice/ContextOpenSSL.h b/cpp/src/Ice/ContextOpenSSL.h
index 401e35ece39..cbab0409776 100644
--- a/cpp/src/Ice/ContextOpenSSL.h
+++ b/cpp/src/Ice/ContextOpenSSL.h
@@ -51,7 +51,9 @@ public:
virtual void setCertificateVerifier(const CertificateVerifierPtr&);
- virtual void addTrustedCertificate(const std::string&);
+ virtual void addTrustedCertificateBase64(const std::string&);
+
+ virtual void addTrustedCertificate(const Ice::ByteSeq&);
virtual void setRSAKeysBase64(const std::string&, const std::string&);
diff --git a/cpp/src/Ice/SystemInternal.h b/cpp/src/Ice/SystemInternal.h
index 760a55be3f1..66c77095eb9 100644
--- a/cpp/src/Ice/SystemInternal.h
+++ b/cpp/src/Ice/SystemInternal.h
@@ -42,8 +42,10 @@ public:
virtual void setCertificateVerifier(ContextType, const CertificateVerifierPtr&) = 0;
- virtual void addTrustedCertificate(ContextType, const std::string&) = 0;
-
+ virtual void addTrustedCertificateBase64(ContextType, const std::string&) = 0;
+
+ virtual void addTrustedCertificate(ContextType, const Ice::ByteSeq&) = 0;
+
virtual void setRSAKeysBase64(ContextType, const std::string&, const std::string&) = 0;
virtual void setRSAKeys(ContextType, const ::Ice::ByteSeq&, const ::Ice::ByteSeq&) = 0;
diff --git a/cpp/src/Ice/SystemOpenSSL.cpp b/cpp/src/Ice/SystemOpenSSL.cpp
index 098f09daaba..9a242da85ce 100644
--- a/cpp/src/Ice/SystemOpenSSL.cpp
+++ b/cpp/src/Ice/SystemOpenSSL.cpp
@@ -23,6 +23,7 @@
//
#include <IceUtil/Config.h>
#include <IceUtil/Mutex.h>
+#include <IceUtil/RecMutex.h>
#include <Ice/SslConnectionOpenSSL.h>
#include <Ice/SystemOpenSSL.h>
#include <Ice/SslException.h>
@@ -47,6 +48,8 @@ using IceSSL::SystemInternalPtr;
IceSSL::ConnectionPtr
IceSSL::OpenSSL::System::createConnection(ContextType connectionType, int socket)
{
+ IceUtil::RecMutex::Lock sync(_configMutex);
+
if (connectionType == ClientServer)
{
UnsupportedContextException unsupportedException(__FILE__, __LINE__);
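Review bot: The lock on _configMutex is now held for the whole of createConnection, whose body continues past this hunk, so anything it does after this point — including any work on the socket — serializes against configure, isConfigured and every other connection creation. If the remainder only constructs the connection object from an already-configured context that is fine, but it is worth stating in a comment, e.g. `// Held for the whole call: the context must not be reconfigured while a connection is built from it.`, and confirming that no blocking I/O happens under the lock.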
@@ -103,6 +106,8 @@ IceSSL::OpenSSL::System::shutdown()
bool
IceSSL::OpenSSL::System::isConfigured(ContextType contextType)
{
+ IceUtil::RecMutex::Lock sync(_configMutex);
+
bool retCode = false;
switch (contextType)
@@ -132,6 +137,8 @@ IceSSL::OpenSSL::System::isConfigured(ContextType contextType)
void
IceSSL::OpenSSL::System::configure(ContextType contextType)
{
+ IceUtil::RecMutex::Lock sync(_configMutex);
+
switch (contextType)
{
case Client :
@@ -158,7 +165,7 @@ IceSSL::OpenSSL::System::configure(ContextType contextType)
string serverCertPath = _properties->getProperty("Ice.SSL.Server.CertPath");
// Short cut, so that we only have to load the file once.
- if ((clientConfigFile == serverConfigFile) && (clientCertPath == serverCertPath))
+ if ((clientConfigFile == serverConfigFile) && (clientCertPath == serverCertPath))
{
loadConfig(ClientServer, clientConfigFile, clientCertPath);
}
@@ -170,7 +177,10 @@ IceSSL::OpenSSL::System::configure(ContextType contextType)
break;
}
}
-}
+}
+
+
+
void
IceSSL::OpenSSL::System::loadConfig(ContextType contextType,
@@ -218,8 +228,8 @@ IceSSL::OpenSSL::System::loadConfig(ContextType contextType,
// Actually parse the file now.
sslConfig.process();
-
- if (contextType == Client || contextType == ClientServer)
+
+ if ((contextType == Client || contextType == ClientServer))
{
GeneralConfig clientGeneral;
CertificateAuthority clientCertAuth;
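Review bot: The rewritten condition `if ((contextType == Client || contextType == ClientServer))` adds a redundant pair of parentheses with no change in meaning; the same edit appears in the next hunk for the Server case. The original form `if (contextType == Client || contextType == ClientServer)` matches the equivalent checks in addTrustedCertificate and setRSAKeys below and should be restored in both places. loadConfig itself takes no lock here; presumably it relies on configure holding the recursive _configMutex, which is worth a one-line comment at its head since a direct caller would otherwise run unsynchronized.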
@@ -233,8 +243,8 @@ IceSSL::OpenSSL::System::loadConfig(ContextType contextType,
_clientContext.configure(clientGeneral, clientCertAuth, clientBaseCerts);
}
}
-
- if (contextType == Server || contextType == ClientServer)
+
+ if ((contextType == Server || contextType == ClientServer))
{
GeneralConfig serverGeneral;
CertificateAuthority serverCertAuth;
@@ -387,6 +397,8 @@ void
IceSSL::OpenSSL::System::setCertificateVerifier(ContextType contextType,
const IceSSL::CertificateVerifierPtr& verifier)
{
+ IceUtil::RecMutex::Lock sync(_configMutex);
+
CertificateVerifierPtr castVerifier = CertificateVerifierPtr::dynamicCast(verifier);
if (!castVerifier.get())
@@ -407,24 +419,44 @@ IceSSL::OpenSSL::System::setCertificateVerifier(ContextType contextType,
}
void
-IceSSL::OpenSSL::System::addTrustedCertificate(ContextType contextType, const string& certString)
+IceSSL::OpenSSL::System::addTrustedCertificateBase64(ContextType contextType, const string& certString)
{
+ IceUtil::RecMutex::Lock sync(_configMutex);
+
if (contextType == Client || contextType == ClientServer)
{
- _clientContext.addTrustedCertificate(certString);
+ _clientContext.addTrustedCertificateBase64(certString);
}
if (contextType == Server || contextType == ClientServer)
{
- _serverContext.addTrustedCertificate(certString);
+ _serverContext.addTrustedCertificateBase64(certString);
}
}
+void
+IceSSL::OpenSSL::System::addTrustedCertificate(ContextType contextType, const Ice::ByteSeq& certSeq)
+{
+ IceUtil::RecMutex::Lock sync(_configMutex);
+
+ if (contextType == Client || contextType == ClientServer)
+ {
+ _clientContext.addTrustedCertificate(certSeq);
+ }
+
+ if (contextType == Server || contextType == ClientServer)
+ {
+ _serverContext.addTrustedCertificate(certSeq);
+ }
+}
+
void
IceSSL::OpenSSL::System::setRSAKeysBase64(ContextType contextType,
const std::string& privateKey,
const std::string& publicKey)
{
+ IceUtil::RecMutex::Lock sync(_configMutex);
+
if (contextType == Client || contextType == ClientServer)
{
_clientContext.setRSAKeysBase64(privateKey, publicKey);
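Review bot: The new System::addTrustedCertificate definition starts immediately after the closing brace of addTrustedCertificateBase64 with no separating blank line, unlike every other pair of definitions in this file; insert a blank line before `void` there. Neither overload says how the two differ, so a reader has only the names to go on; a short comment on each, such as `// Same as addTrustedCertificateBase64, but certSeq holds the certificate bytes directly.`, would make the contract explicit. The ClientServer fan-out to both contexts matches setRSAKeys, so a cert that fails on the server context after succeeding on the client one leaves the two contexts out of step; if that matters, document it.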
@@ -441,6 +473,8 @@ IceSSL::OpenSSL::System::setRSAKeys(ContextType contextType,
const ::Ice::ByteSeq& privateKey,
const ::Ice::ByteSeq& publicKey)
{
+ IceUtil::RecMutex::Lock sync(_configMutex);
+
if (contextType == Client || contextType == ClientServer)
{
_clientContext.setRSAKeys(privateKey, publicKey);
diff --git a/cpp/src/Ice/SystemOpenSSL.h b/cpp/src/Ice/SystemOpenSSL.h
index 1edc1944f9d..0a6a28dc7ad 100644
--- a/cpp/src/Ice/SystemOpenSSL.h
+++ b/cpp/src/Ice/SystemOpenSSL.h
@@ -10,9 +10,10 @@
#ifndef ICE_SSL_SYSTEM_OPENSSL_H
#define ICE_SSL_SYSTEM_OPENSSL_H
-#include <Ice/Config.h>
+#include <Ice/Config.h>
#include <Ice/TraceLevelsF.h>
-#include <Ice/LoggerF.h>
+#include <Ice/LoggerF.h>
+#include <IceUtil/RecMutex.h>
#include <Ice/GeneralConfig.h>
#include <Ice/CertificateDesc.h>
@@ -71,8 +72,10 @@ public:
virtual void setCertificateVerifier(ContextType, const IceSSL::CertificateVerifierPtr&);
- virtual void addTrustedCertificate(ContextType, const std::string&);
+ virtual void addTrustedCertificateBase64(ContextType, const std::string&);
+ virtual void addTrustedCertificate(ContextType, const Ice::ByteSeq&);
+
virtual void setRSAKeysBase64(ContextType, const std::string&, const std::string&);
virtual void setRSAKeys(ContextType, const Ice::ByteSeq&, const Ice::ByteSeq&);
@@ -86,7 +89,11 @@ private:
ServerContext _serverContext;
ClientContext _clientContext;
-
+
+ // Mutex to ensure synchronization of calls to configure
+ // the contexts and calls to create connections.
+ ::IceUtil::RecMutex _configMutex;
+
// Keep a cache of all temporary RSA keys.
RSAMap _tempRSAKeys;
::IceUtil::Mutex _tempRSAKeysMutex;
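Review bot: The comment on _configMutex explains what it guards but not why it is a RecMutex rather than the Mutex used for _tempRSAKeysMutex, nor in which order the two may be taken; since createConnection now holds _configMutex for its whole body, a later acquisition of _tempRSAKeysMutex inside that path (presumably from the temporary-key callback, which is outside this diff) establishes an ordering that every other path must respect. Extend the comment with `// Recursive because configure() is reached from calls that already hold it. If both mutexes are held together, take _configMutex first — confirm against the temp-key path.`.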
diff --git a/cpp/src/Ice/ice.dsp b/cpp/src/Ice/ice.dsp
index 934978edb61..60ba6c29250 100644
--- a/cpp/src/Ice/ice.dsp
+++ b/cpp/src/Ice/ice.dsp
@@ -508,10 +508,6 @@ SOURCE=..\..\include\Ice\CertificateVerifierOpenSSL.h
# End Source File
# Begin Source File
-SOURCE=.\CertificateVerifierOpenSSL.h
-# End Source File
-# Begin Source File
-
SOURCE=..\..\include\Ice\Communicator.h
# End Source File
# Begin Source File