diff options
Diffstat (limited to 'cpp/src')
| -rw-r--r-- | cpp/src/IceSSL/.depend | 13 | ||||
| -rw-r--r-- | cpp/src/IceSSL/AcceptorI.cpp | 15 | ||||
| -rw-r--r-- | cpp/src/IceSSL/ConnectorI.cpp | 17 | ||||
| -rw-r--r-- | cpp/src/IceSSL/Context.cpp | 763 | ||||
| -rw-r--r-- | cpp/src/IceSSL/Context.h | 60 | ||||
| -rw-r--r-- | cpp/src/IceSSL/Instance.cpp | 775 | ||||
| -rw-r--r-- | cpp/src/IceSSL/Instance.h | 35 | ||||
| -rw-r--r-- | cpp/src/IceSSL/Makefile | 1 | ||||
| -rw-r--r-- | cpp/src/IceSSL/PluginI.cpp | 24 | ||||
| -rw-r--r-- | cpp/src/IceSSL/PluginI.h | 12 |
10 files changed, 815 insertions, 900 deletions
diff --git a/cpp/src/IceSSL/.depend b/cpp/src/IceSSL/.depend index 4efb03cdc63..b434b736e3d 100644 --- a/cpp/src/IceSSL/.depend +++ b/cpp/src/IceSSL/.depend @@ -1,9 +1,8 @@ -AcceptorI.o: AcceptorI.cpp ./AcceptorI.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../Ice/TransceiverF.h ../Ice/Acceptor.h ../Ice/AcceptorF.h ./InstanceF.h ./Instance.h ./Context.h ./UtilF.h ../Ice/Network.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LoggerUtil.h +AcceptorI.o: AcceptorI.cpp ./AcceptorI.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../Ice/TransceiverF.h ../Ice/Acceptor.h ../Ice/AcceptorF.h ./InstanceF.h ./Instance.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../Ice/Network.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LoggerUtil.h Certificate.o: Certificate.cpp ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/IceUtil/Config.h ../../include/Ice/Plugin.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ConnectionF.h ./Util.h ./UtilF.h ../Ice/Network.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/StaticMutex.h -Context.o: Context.cpp ./Context.h ./InstanceF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ./UtilF.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../Ice/Network.h ./Instance.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Logger.h ../../include/Ice/LoggerUtil.h ../../include/Ice/Properties.h ../../include/IceUtil/DisableWarnings.h -ConnectorI.o: ConnectorI.cpp ./ConnectorI.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../Ice/TransceiverF.h ../Ice/Connector.h ../Ice/ConnectorF.h ./InstanceF.h ./Instance.h ./Context.h ./UtilF.h ../Ice/Network.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LoggerUtil.h -EndpointI.o: EndpointI.cpp ./EndpointI.h ../Ice/EndpointI.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Config.h ../../include/Ice/Endpoint.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/EndpointIF.h ../../include/Ice/InstanceF.h ../Ice/TransceiverF.h ../Ice/ConnectorF.h ../Ice/AcceptorF.h ../../include/Ice/EndpointFactory.h ../../include/Ice/EndpointFactoryF.h ./InstanceF.h ./AcceptorI.h ../../include/Ice/LoggerF.h ../Ice/Acceptor.h ./ConnectorI.h ../Ice/Connector.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./Instance.h ./Context.h ./UtilF.h ../Ice/Network.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/Ice/BasicStream.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/Buffer.h ../../include/Ice/Protocol.h ../../include/IceUtil/AutoArray.h ../../include/IceUtil/Unicode.h ../../include/Ice/LocalException.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/BuiltinSequences.h ../Ice/DefaultsAndOverrides.h ../Ice/DefaultsAndOverridesF.h ../../include/Ice/PropertiesF.h -Instance.o: Instance.cpp ./Instance.h ./InstanceF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ./Context.h ./UtilF.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../Ice/Network.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./EndpointI.h ../Ice/EndpointI.h ../../include/Ice/Endpoint.h ../../include/Ice/EndpointIF.h ../../include/Ice/InstanceF.h ../Ice/TransceiverF.h ../Ice/ConnectorF.h ../Ice/AcceptorF.h ../../include/Ice/EndpointFactory.h ../../include/Ice/EndpointFactoryF.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Logger.h ../../include/Ice/Properties.h ../../include/Ice/ProtocolPluginFacade.h -PluginI.o: PluginI.cpp ./PluginI.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/IceUtil/Config.h ../../include/Ice/Plugin.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ConnectionF.h ./InstanceF.h ../../include/Ice/CommunicatorF.h ./Instance.h ./Context.h ./UtilF.h ../../include/Ice/LoggerF.h ../Ice/Network.h ../../include/Ice/ProtocolPluginFacadeF.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/Communicator.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/Logger.h ../../include/Ice/Properties.h ../../include/IceUtil/StaticMutex.h ../Ice/ConnectionI.h ../../include/IceUtil/Monitor.h ../../include/IceUtil/Cond.h ../../include/IceUtil/Thread.h ../../include/Ice/Connection.h ../../include/Ice/ConnectionFactoryF.h ../../include/Ice/InstanceF.h ../Ice/TransceiverF.h ../../include/Ice/ServantManagerF.h ../Ice/TraceLevelsF.h ../Ice/EventHandler.h ../Ice/EventHandlerF.h ../Ice/ThreadPoolF.h ../../include/Ice/BasicStream.h ../../include/Ice/Buffer.h ../../include/Ice/Protocol.h ../../include/IceUtil/AutoArray.h ../../include/IceUtil/Unicode.h ../IceSSL/TransceiverI.h ../Ice/Transceiver.h -TransceiverI.o: TransceiverI.cpp ./TransceiverI.h ./InstanceF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./Instance.h ./Context.h ./UtilF.h ../Ice/Network.h ../../include/Ice/CommunicatorF.h ../../include/Ice/ProtocolPluginFacadeF.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LoggerUtil.h ../../include/Ice/Stats.h ../../include/Ice/Buffer.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h +ConnectorI.o: ConnectorI.cpp ./ConnectorI.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../Ice/TransceiverF.h ../Ice/Connector.h ../Ice/ConnectorF.h ./InstanceF.h ./Instance.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../Ice/Network.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/LoggerUtil.h +EndpointI.o: EndpointI.cpp ./EndpointI.h ../Ice/EndpointI.h ../../include/IceUtil/Shared.h ../../include/IceUtil/Config.h ../../include/Ice/Endpoint.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/EndpointIF.h ../../include/Ice/InstanceF.h ../Ice/TransceiverF.h ../Ice/ConnectorF.h ../Ice/AcceptorF.h ../../include/Ice/EndpointFactory.h ../../include/Ice/EndpointFactoryF.h ./InstanceF.h ./AcceptorI.h ../../include/Ice/LoggerF.h ../Ice/Acceptor.h ./ConnectorI.h ../Ice/Connector.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./Instance.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../Ice/Network.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/Ice/BasicStream.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/Buffer.h ../../include/Ice/Protocol.h ../../include/IceUtil/AutoArray.h ../../include/IceUtil/Unicode.h ../../include/Ice/LocalException.h ../../include/Ice/Proxy.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/BuiltinSequences.h ../Ice/DefaultsAndOverrides.h ../Ice/DefaultsAndOverridesF.h ../../include/Ice/PropertiesF.h +Instance.o: Instance.cpp ./Instance.h ./InstanceF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/LoggerF.h ../Ice/Network.h ../../include/Ice/ProtocolPluginFacadeF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./EndpointI.h ../Ice/EndpointI.h ../../include/Ice/Endpoint.h ../../include/Ice/EndpointIF.h ../../include/Ice/InstanceF.h ../Ice/TransceiverF.h ../Ice/ConnectorF.h ../Ice/AcceptorF.h ../../include/Ice/EndpointFactory.h ../../include/Ice/EndpointFactoryF.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/StatsF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Logger.h ../../include/Ice/LoggerUtil.h ../../include/Ice/Properties.h ../../include/Ice/ProtocolPluginFacade.h ../../include/IceUtil/DisableWarnings.h +PluginI.o: PluginI.cpp ./PluginI.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/IceUtil/Config.h ../../include/Ice/Plugin.h ../../include/Ice/LocalObjectF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ConnectionF.h ./InstanceF.h ../../include/Ice/CommunicatorF.h ./Instance.h ./UtilF.h ../../include/Ice/LoggerF.h ../Ice/Network.h ../../include/Ice/ProtocolPluginFacadeF.h ./TransceiverI.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/BuiltinSequences.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/Communicator.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LocalException.h ../../include/Ice/Logger.h ../../include/Ice/Properties.h ../../include/IceUtil/StaticMutex.h ../Ice/ConnectionI.h ../../include/IceUtil/Monitor.h ../../include/IceUtil/Cond.h ../../include/IceUtil/Thread.h ../../include/Ice/Connection.h ../../include/Ice/ConnectionFactoryF.h ../../include/Ice/InstanceF.h ../../include/Ice/ServantManagerF.h ../Ice/TraceLevelsF.h ../Ice/EventHandler.h ../Ice/EventHandlerF.h ../Ice/ThreadPoolF.h ../../include/Ice/BasicStream.h ../../include/Ice/Buffer.h ../../include/Ice/Protocol.h ../../include/IceUtil/AutoArray.h ../../include/IceUtil/Unicode.h +TransceiverI.o: TransceiverI.cpp ./TransceiverI.h ./InstanceF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../../include/Ice/LoggerF.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/IceUtil/Shared.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/StatsF.h ../Ice/Transceiver.h ../Ice/TransceiverF.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/ConnectionF.h ./Instance.h ./UtilF.h ../../include/Ice/CommunicatorF.h ../Ice/Network.h ../../include/Ice/ProtocolPluginFacadeF.h ./Util.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/Ice/Communicator.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/PropertiesF.h ../../include/Ice/ObjectFactoryF.h ../../include/Ice/RouterF.h ../../include/Ice/LocatorF.h ../../include/Ice/PluginF.h ../../include/Ice/LoggerUtil.h ../../include/Ice/Stats.h ../../include/Ice/Buffer.h ../../include/Ice/LocalException.h ../../include/Ice/BuiltinSequences.h Util.o: Util.cpp ./Util.h ./UtilF.h ../../include/Ice/Handle.h ../../include/IceUtil/Handle.h ../../include/IceUtil/Exception.h ../../include/IceUtil/Config.h ../../include/Ice/Config.h ../../include/Ice/ProxyHandle.h ../Ice/Network.h ../../include/IceUtil/Mutex.h ../../include/IceUtil/Lock.h ../../include/IceUtil/ThreadException.h ../../include/IceUtil/Shared.h ../../include/IceSSL/Plugin.h ../../include/IceUtil/Time.h ../../include/Ice/Plugin.h ../../include/Ice/LocalObjectF.h ../../include/Ice/ProxyF.h ../../include/Ice/ObjectF.h ../../include/Ice/Exception.h ../../include/Ice/LocalObject.h ../../include/Ice/UndefSysMacros.h ../../include/Ice/ConnectionF.h ../../include/Ice/LocalException.h ../../include/Ice/Proxy.h ../../include/Ice/ProxyFactoryF.h ../../include/Ice/ConnectionIF.h ../../include/Ice/EndpointIF.h ../../include/Ice/Endpoint.h ../../include/Ice/ObjectAdapterF.h ../../include/Ice/ReferenceF.h ../../include/Ice/OutgoingAsyncF.h ../../include/Ice/Current.h ../../include/Ice/Identity.h ../../include/Ice/StreamF.h ../../include/Ice/CommunicatorF.h ../../include/Ice/BuiltinSequences.h ../../include/IceUtil/DisableWarnings.h diff --git a/cpp/src/IceSSL/AcceptorI.cpp b/cpp/src/IceSSL/AcceptorI.cpp index 25c77f9d4d2..c993f7279fe 100644 --- a/cpp/src/IceSSL/AcceptorI.cpp +++ b/cpp/src/IceSSL/AcceptorI.cpp @@ -65,9 +65,14 @@ IceInternal::TransceiverPtr IceSSL::AcceptorI::accept(int timeout) { // - // The plugin may not be fully initialized. + // The plugin may not be initialized. // - ContextPtr ctx = _instance->context(); + if(!_instance->context()) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: plugin is not initialized"; + throw ex; + } SOCKET fd = IceInternal::doAccept(_fd, timeout); IceInternal::setBlock(fd, false); @@ -91,7 +96,7 @@ IceSSL::AcceptorI::accept(int timeout) throw ex; } - SSL* ssl = SSL_new(ctx->ctx()); + SSL* ssl = SSL_new(_instance->context()); if(!ssl) { BIO_free(bio); // Also closes the socket. @@ -205,7 +210,7 @@ IceSSL::AcceptorI::accept(int timeout) } while(!SSL_is_init_finished(ssl)); - _instance->context()->verifyPeer(ssl, fd, "", true); + _instance->verifyPeer(ssl, fd, "", true); } catch(...) { @@ -221,7 +226,7 @@ IceSSL::AcceptorI::accept(int timeout) if(_instance->securityTraceLevel() >= 1) { - _instance->context()->traceConnection(ssl, true); + _instance->traceConnection(ssl, true); } return new TransceiverI(_instance, ssl, fd); diff --git a/cpp/src/IceSSL/ConnectorI.cpp b/cpp/src/IceSSL/ConnectorI.cpp index cdec88b1ae8..dd233b9f9da 100644 --- a/cpp/src/IceSSL/ConnectorI.cpp +++ b/cpp/src/IceSSL/ConnectorI.cpp @@ -16,7 +16,7 @@ #include <Ice/LoggerUtil.h> #include <Ice/Network.h> -#include <openssl/err.h> +//#include <openssl/err.h> using namespace std; using namespace Ice; @@ -26,9 +26,14 @@ IceInternal::TransceiverPtr IceSSL::ConnectorI::connect(int timeout) { // - // The plugin may not be fully initialized. + // The plugin may not be initialized. // - ContextPtr ctx = _instance->context(); + if(!_instance->context()) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: plugin is not initialized"; + throw ex; + } if(_instance->networkTraceLevel() >= 2) { @@ -49,7 +54,7 @@ IceSSL::ConnectorI::connect(int timeout) throw ex; } - SSL* ssl = SSL_new(ctx->ctx()); + SSL* ssl = SSL_new(_instance->context()); if(!ssl) { BIO_free(bio); // Also closes the socket. @@ -145,7 +150,7 @@ IceSSL::ConnectorI::connect(int timeout) } while(!SSL_is_init_finished(ssl)); - _instance->context()->verifyPeer(ssl, fd, _host, false); + _instance->verifyPeer(ssl, fd, _host, false); } catch(...) { @@ -161,7 +166,7 @@ IceSSL::ConnectorI::connect(int timeout) if(_instance->securityTraceLevel() >= 1) { - _instance->context()->traceConnection(ssl, false); + _instance->traceConnection(ssl, false); } return new TransceiverI(_instance, ssl, fd); diff --git a/cpp/src/IceSSL/Context.cpp b/cpp/src/IceSSL/Context.cpp deleted file mode 100644 index 36c34d3ee30..00000000000 --- a/cpp/src/IceSSL/Context.cpp +++ /dev/null @@ -1,763 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#include <Context.h> -#include <Instance.h> -#include <Util.h> -#include <Ice/Communicator.h> -#include <Ice/LocalException.h> -#include <Ice/Logger.h> -#include <Ice/LoggerUtil.h> -#include <Ice/Properties.h> - -#include <openssl/err.h> - -#include <IceUtil/DisableWarnings.h> - -using namespace std; -using namespace Ice; -using namespace IceSSL; - -static int -opensslPasswordCallback(char* buf, int size, int flag, void* userData) -{ - IceSSL::Context* c = reinterpret_cast<IceSSL::Context*>(userData); - string passwd = c->password(flag == 1); - int sz = static_cast<int>(passwd.size()); - if(sz > size) - { - sz = size - 1; - } - strncpy(buf, passwd.c_str(), sz); - buf[sz] = '\0'; - return sz; -} - -#ifndef OPENSSL_NO_DH -static DH* -opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength) -{ - IceSSL::Context* c = reinterpret_cast<IceSSL::Context*>(SSL_CTX_get_ex_data(ssl->ctx, 0)); - return c->dhParams(keyLength); -} -#endif - -static int -opensslVerifyCallback(int ok, X509_STORE_CTX* ctx) -{ - SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); - IceSSL::Context* c = reinterpret_cast<IceSSL::Context*>(SSL_CTX_get_ex_data(ssl->ctx, 0)); - return c->verifyCallback(ok, ssl, ctx); -} - -static bool -passwordError() -{ - int reason = ERR_GET_REASON(ERR_peek_error()); - return (reason == PEM_R_BAD_BASE64_DECODE || - reason == PEM_R_BAD_DECRYPT || - reason == PEM_R_BAD_PASSWORD_READ || - reason == PEM_R_PROBLEMS_GETTING_PASSWORD); -} - -// -// Context. -// -IceSSL::Context::Context(const InstancePtr& instance, SSL_CTX* ctx) : - _instance(instance), - _logger(instance->communicator()->getLogger()), - _ctx(ctx) -{ - if(_ctx) - { - return; - } - - _ctx = SSL_CTX_new(SSLv23_method()); - if(!_ctx) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: unable to create SSL context:\n" + _instance->sslErrors(); - throw ex; - } - - try - { - // - // Store a pointer to ourself for use in OpenSSL callbacks. - // - SSL_CTX_set_ex_data(_ctx, 0, this); - - // - // This is necessary for successful interop with Java. Without it, a Java - // client would fail to reestablish a connection: the server gets the - // error "session id context uninitialized" and the client receives - // "SSLHandshakeException: Remote host closed connection during handshake". - // - SSL_CTX_set_session_cache_mode(_ctx, SSL_SESS_CACHE_OFF); - - PropertiesPtr properties = _instance->communicator()->getProperties(); - const string propPrefix = "IceSSL."; - - // - // Check for a default directory. We look in this directory for - // files mentioned in the configuration. - // - { - _defaultDir = properties->getProperty(propPrefix + "DefaultDir"); - } - - // - // Select protocols. - // - { - string protocols = properties->getProperty(propPrefix + "Protocols"); - if(!protocols.empty()) - { - parseProtocols(protocols); - } - } - - // - // CheckCertName determines whether we compare the name in a peer's - // certificate against its hostname. - // - { - _checkCertName = properties->getPropertyAsIntWithDefault(propPrefix + "CheckCertName", 0) > 0; - } - - // - // Determine whether a certificate is required from the peer. - // - { - int verifyPeer = properties->getPropertyAsIntWithDefault(propPrefix + "VerifyPeer", 2); - int sslVerifyMode; - switch(verifyPeer) - { - case 0: - sslVerifyMode = SSL_VERIFY_NONE; - break; - case 1: - sslVerifyMode = SSL_VERIFY_PEER; - break; - case 2: - sslVerifyMode = SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - break; - default: - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: invalid value for " + propPrefix + "VerifyPeer"; - throw ex; - } - } - SSL_CTX_set_verify(_ctx, sslVerifyMode, opensslVerifyCallback); - } - - // - // If the configuration defines a password, or the application has supplied - // a password prompt object, then register a password callback. Otherwise, - // let OpenSSL use its default behavior. - // - { - // TODO: Support quoted value? - string password = properties->getProperty(propPrefix + "Password"); - if(!password.empty() || _instance->passwordPrompt()) - { - SSL_CTX_set_default_passwd_cb(_ctx, opensslPasswordCallback); - SSL_CTX_set_default_passwd_cb_userdata(_ctx, this); - _password = password; - } - } - - int passwordRetryMax = properties->getPropertyAsIntWithDefault(propPrefix + "PasswordRetryMax", 3); - - // - // Establish the location of CA certificates. - // - { - string caFile = properties->getProperty(propPrefix + "CertAuthFile"); - string caDir = properties->getPropertyWithDefault(propPrefix + "CertAuthDir", _defaultDir); - const char* file = 0; - const char* dir = 0; - if(!caFile.empty()) - { - if(!checkPath(caFile, _defaultDir, false)) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: CA certificate file not found:\n" + caFile; - throw ex; - } - file = caFile.c_str(); - } - if(!caDir.empty()) - { - if(!checkPath(caDir, _defaultDir, true)) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: CA certificate directory not found:\n" + caDir; - throw ex; - } - dir = caDir.c_str(); - } - if(file || dir) - { - // - // The certificate may be stored in an encrypted file, so handle - // password retries. - // - int count = 0; - int err; - while(count < passwordRetryMax) - { - ERR_clear_error(); - err = SSL_CTX_load_verify_locations(_ctx, file, dir); - if(err || !passwordError()) - { - break; - } - ++count; - } - if(err == 0) - { - string msg = "IceSSL: unable to establish CA certificates"; - if(passwordError()) - { - msg += ":\ninvalid password"; - } - else - { - string err = _instance->sslErrors(); - if(!err.empty()) - { - msg += ":\n" + err; - } - } - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = msg; - throw ex; - } - } - } - - // - // Establish the certificate chains and private keys. One RSA certificate and - // one DSA certificate are allowed. - // - { -#ifdef _WIN32 - const string sep = ";"; -#else - const string sep = ":"; -#endif - string certFile = properties->getProperty(propPrefix + "CertFile"); - string keyFile = properties->getProperty(propPrefix + "KeyFile"); - vector<string>::size_type numCerts = 0; - if(!certFile.empty()) - { - vector<string> files; - if(!splitString(certFile, sep, false, files) || files.size() > 2) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: invalid value for " + propPrefix + "CertFile:\n" + certFile; - throw ex; - } - numCerts = files.size(); - for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) - { - string file = *p; - if(!checkPath(file, _defaultDir, false)) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: certificate file not found:\n" + file; - throw ex; - } - // - // The certificate may be stored in an encrypted file, so handle - // password retries. - // - int count = 0; - int err; - while(count < passwordRetryMax) - { - ERR_clear_error(); - err = SSL_CTX_use_certificate_chain_file(_ctx, file.c_str()); - if(err || !passwordError()) - { - break; - } - ++count; - } - if(err == 0) - { - string msg = "IceSSL: unable to load certificate chain from file " + file; - if(passwordError()) - { - msg += ":\ninvalid password"; - } - else - { - string err = _instance->sslErrors(); - if(!err.empty()) - { - msg += ":\n" + err; - } - } - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = msg; - throw ex; - } - } - } - if(keyFile.empty()) - { - keyFile = certFile; // Assume the certificate file also contains the private key. - } - if(!keyFile.empty()) - { - vector<string> files; - if(!splitString(keyFile, sep, false, files) || files.size() > 2) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: invalid value for " + propPrefix + "KeyFile:\n" + keyFile; - throw ex; - } - if(files.size() != numCerts) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: " + propPrefix + "KeyFile does not agree with " + propPrefix + "CertFile"; - throw ex; - } - for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) - { - string file = *p; - if(!checkPath(file, _defaultDir, false)) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: key file not found:\n" + file; - throw ex; - } - // - // The private key may be stored in an encrypted file, so handle - // password retries. - // - int count = 0; - int err; - while(count < passwordRetryMax) - { - ERR_clear_error(); - err = SSL_CTX_use_PrivateKey_file(_ctx, file.c_str(), SSL_FILETYPE_PEM); - if(err || !passwordError()) - { - break; - } - ++count; - } - if(err == 0) - { - string msg = "IceSSL: unable to load private key from file " + file; - if(passwordError()) - { - msg += ":\ninvalid password"; - } - else - { - string err = _instance->sslErrors(); - if(!err.empty()) - { - msg += ":\n" + err; - } - } - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = msg; - throw ex; - } - } - if(!SSL_CTX_check_private_key(_ctx)) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: unable to validate private key(s):\n" + _instance->sslErrors(); - throw ex; - } - } - } - - // - // Establish the cipher list. - // - { - string ciphers = properties->getProperty(propPrefix + "Ciphers"); - if(!ciphers.empty()) - { - if(!SSL_CTX_set_cipher_list(_ctx, ciphers.c_str())) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: unable to set ciphers using `" + ciphers + "':\n" + _instance->sslErrors(); - throw ex; - } - } - } - - // - // Establish the maximum verify depth. - // - { - int depth = properties->getPropertyAsIntWithDefault(propPrefix + "VerifyDepthMax", 2); - if(depth >= 0) - { - SSL_CTX_set_verify_depth(_ctx, depth); - } - } - - // - // Diffie Hellman configuration. - // - { -#ifndef OPENSSL_NO_DH - _dhParams = new DHParams; - SSL_CTX_set_options(_ctx, SSL_OP_SINGLE_DH_USE); - SSL_CTX_set_tmp_dh_callback(_ctx, opensslDHCallback); -#endif - // - // Properties have the following form: - // - // ...DH.<keyLength>=file - // - const string dhPrefix = propPrefix + "DH."; - PropertyDict d = properties->getPropertiesForPrefix(dhPrefix); - if(!d.empty()) - { -#ifdef OPENSSL_NO_DH - _logger->warning("IceSSL: OpenSSL is not configured for Diffie Hellman"); -#else - for(PropertyDict::iterator p = d.begin(); p != d.end(); ++p) - { - string s = p->first.substr(dhPrefix.size()); - int keyLength = atoi(s.c_str()); - if(keyLength > 0) - { - string file = p->second; - if(!checkPath(file, _defaultDir, false)) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: DH parameter file not found:\n" + file; - throw ex; - } - if(!_dhParams->add(keyLength, file)) - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: unable to read DH parameter file " + file; - throw ex; - } - } - } -#endif - } - } - } - catch(...) - { - SSL_CTX_free(_ctx); - throw; - } -} - -IceSSL::Context::~Context() -{ - if(_ctx) - { - SSL_CTX_free(_ctx); - } -} - -SSL_CTX* -IceSSL::Context::ctx() const -{ - return _ctx; -} - -void -IceSSL::Context::verifyPeer(SSL* ssl, SOCKET fd, const string& address, bool incoming) -{ - long result = SSL_get_verify_result(ssl); - if(result != X509_V_OK) - { - ostringstream ostr; - ostr << "IceSSL: certificate verification failed:\n" << X509_verify_cert_error_string(result); - string msg = ostr.str(); - if(_instance->securityTraceLevel() >= 1) - { - _logger->trace(_instance->securityTraceCategory(), msg); - } - SecurityException ex(__FILE__, __LINE__); - ex.reason = msg; - throw ex; - } - - X509* rawCert = SSL_get_peer_certificate(ssl); - CertificatePtr cert; - if(rawCert != 0) - { - cert = new Certificate(rawCert); - } - - CertificateVerifierPtr verifier = _instance->certificateVerifier(); - - // - // Extract the ip addresses and the dns names from the subject - // alternative names. - // - if(cert) - { - vector<pair<int, string> > subjectAltNames = cert->getSubjectAlternativeNames(); - vector<string> ipAddresses; - vector<string> dnsNames; - for(vector<pair<int, string> >::const_iterator p = subjectAltNames.begin(); p != subjectAltNames.end(); ++p) - { - if(p->first == 7) - { - ipAddresses.push_back(p->second); - } - else if(p->first == 2) - { - dnsNames.push_back(p->second); - } - } - - // - // Compare the peer's address against the dnsName and ipAddress values. - // This is only relevant for an outgoing connection. - // - if(!address.empty()) - { - bool certNameOK = false; - - for(vector<string>::const_iterator p = ipAddresses.begin(); p != ipAddresses.end() && !certNameOK; ++p) - { - if(address == *p) - { - certNameOK = true; - break; - } - } - - if(!certNameOK && !dnsNames.empty()) - { - string host = address; - transform(host.begin(), host.end(), host.begin(), ::tolower); - for(vector<string>::const_iterator p = dnsNames.begin(); p != dnsNames.end() && !certNameOK; ++p) - { - string s = *p; - transform(s.begin(), s.end(), s.begin(), ::tolower); - if(host == s) - { - certNameOK = true; - } - } - } - - // - // Log a message if the name comparison fails. If CheckCertName is defined, - // we also raise an exception to abort the connection. Don't log a message if - // CheckCertName is not defined and a verifier is present. - // - if(!certNameOK && (_checkCertName || (_instance->securityTraceLevel() >= 1 && !verifier))) - { - ostringstream ostr; - ostr << "IceSSL: "; - if(!_checkCertName) - { - ostr << "ignoring "; - } - ostr << "certificate validation failure:\npeer certificate does not contain `" - << address << "' in its subjectAltName extension"; - if(!dnsNames.empty()) - { - ostr << "\nDNS names found in certificate: "; - for(vector<string>::const_iterator p = dnsNames.begin(); p != dnsNames.end(); ++p) - { - if(p != dnsNames.begin()) - { - ostr << ", "; - } - ostr << *p; - } - } - if(!ipAddresses.empty()) - { - ostr << "\nIP addresses found in certificate: "; - for(vector<string>::const_iterator p = ipAddresses.begin(); p != ipAddresses.end(); ++p) - { - if(p != ipAddresses.begin()) - { - ostr << ", "; - } - ostr << *p; - } - } - string msg = ostr.str(); - if(_instance->securityTraceLevel() >= 1) - { - Trace out(_logger, _instance->securityTraceCategory()); - out << msg; - } - if(_checkCertName) - { - SecurityException ex(__FILE__, __LINE__); - ex.reason = msg; - throw ex; - } - } - } - } - - if(verifier) - { - ConnectionInfo info = populateConnectionInfo(ssl, fd); - if(!verifier->verify(info)) - { - string msg = string(incoming ? "incoming" : "outgoing") + " connection rejected by certificate verifier"; - if(_instance->securityTraceLevel() >= 1) - { - _logger->trace(_instance->securityTraceCategory(), msg + "\n" + - IceInternal::fdToString(SSL_get_fd(ssl))); - } - SecurityException ex(__FILE__, __LINE__); - ex.reason = msg; - throw ex; - } - } -} - -string -IceSSL::Context::password(bool /*encrypting*/) -{ - PasswordPromptPtr prompt = _instance->passwordPrompt(); - if(prompt) - { - try - { - return prompt->getPassword(); - } - catch(...) - { - // - // Don't allow exceptions to cross an OpenSSL boundary. - // - return string(); - } - } - else - { - return _password; - } -} - -#ifndef OPENSSL_NO_DH -DH* -IceSSL::Context::dhParams(int keyLength) -{ - return _dhParams->get(keyLength); -} -#endif - -int -IceSSL::Context::verifyCallback(int ok, SSL* ssl, X509_STORE_CTX* c) -{ - if(!ok && _instance->securityTraceLevel() >= 1) - { - X509* cert = X509_STORE_CTX_get_current_cert(c); - int err = X509_STORE_CTX_get_error(c); - char buf[256]; - - Trace out(_logger, _instance->securityTraceCategory()); - out << "certificate verification failure\n"; - - X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); - out << "issuer = " << buf << '\n'; - X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); - out << "subject = " << buf << '\n'; - out << "depth = " << X509_STORE_CTX_get_error_depth(c) << '\n'; - out << "error = " << X509_verify_cert_error_string(err) << '\n'; - out << IceInternal::fdToString(SSL_get_fd(ssl)); - } - return ok; -} - -void -IceSSL::Context::traceConnection(SSL* ssl, bool incoming) -{ - Trace out(_logger, _instance->securityTraceCategory()); - out << "SSL summary for " << (incoming ? "incoming" : "outgoing") << " connection\n"; - SSL_CIPHER* cipher = SSL_get_current_cipher(ssl); - if(!cipher) - { - out << "unknown cipher\n"; - } - else - { - out << "cipher = " << SSL_CIPHER_get_name(cipher) << "\n"; - out << "bits = " << SSL_CIPHER_get_bits(cipher, 0) << "\n"; - out << "protocol = " << SSL_get_version(ssl) << "\n"; - } - out << IceInternal::fdToString(SSL_get_fd(ssl)); -} - -void -IceSSL::Context::parseProtocols(const string& val) -{ - const string delim = ", "; - bool sslv3 = false, tlsv1 = false; - string::size_type pos = 0; - while(pos != string::npos) - { - pos = val.find_first_not_of(delim, pos); - if(pos == string::npos) - { - break; - } - - string prot; - string::size_type end = val.find_first_of(delim, pos); - if(end == string::npos) - { - prot = val.substr(pos); - } - else - { - prot = val.substr(pos, end - pos); - } - pos = end; - - if(prot == "ssl3" || prot == "sslv3") - { - sslv3 = true; - } - else if(prot == "tls" || prot == "tls1" || prot == "tlsv1") - { - tlsv1 = true; - } - else - { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: unrecognized protocol `" + prot + "'"; - throw ex; - } - } - - long opts = SSL_OP_NO_SSLv2; // SSLv2 is not supported. - if(!sslv3) - { - opts |= SSL_OP_NO_SSLv3; - } - if(!tlsv1) - { - opts |= SSL_OP_NO_TLSv1; - } - SSL_CTX_set_options(_ctx, opts); -} diff --git a/cpp/src/IceSSL/Context.h b/cpp/src/IceSSL/Context.h deleted file mode 100644 index fa684a225fb..00000000000 --- a/cpp/src/IceSSL/Context.h +++ /dev/null @@ -1,60 +0,0 @@ -// ********************************************************************** -// -// Copyright (c) 2003-2006 ZeroC, Inc. All rights reserved. -// -// This copy of Ice is licensed to you under the terms described in the -// ICE_LICENSE file included in this distribution. -// -// ********************************************************************** - -#ifndef ICE_SSL_CONTEXT_H -#define ICE_SSL_CONTEXT_H - -#include <InstanceF.h> -#include <UtilF.h> -#include <Ice/LoggerF.h> -#include <Ice/Network.h> - -namespace IceSSL -{ - -class Context : public IceUtil::Shared -{ -public: - - Context(const InstancePtr&, SSL_CTX*); - ~Context(); - - SSL_CTX* ctx() const; - - void verifyPeer(SSL*, SOCKET, const std::string&, bool); - - std::string password(bool); - -#ifndef OPENSSL_NO_DH - DH* dhParams(int); -#endif - - int verifyCallback(int, SSL*, X509_STORE_CTX*); - - void traceConnection(SSL*, bool); - -protected: - - void parseProtocols(const std::string&); - - InstancePtr _instance; - Ice::LoggerPtr _logger; - SSL_CTX* _ctx; - std::string _defaultDir; - bool _checkCertName; - std::string _password; -#ifndef OPENSSL_NO_DH - DHParamsPtr _dhParams; -#endif -}; -typedef IceUtil::Handle<Context> ContextPtr; - -} - -#endif diff --git a/cpp/src/IceSSL/Instance.cpp b/cpp/src/IceSSL/Instance.cpp index 716b0102392..b85abc3e64e 100644 --- a/cpp/src/IceSSL/Instance.cpp +++ b/cpp/src/IceSSL/Instance.cpp @@ -13,9 +13,15 @@ #include <Ice/Communicator.h> #include <Ice/LocalException.h> #include <Ice/Logger.h> +#include <Ice/LoggerUtil.h> #include <Ice/Properties.h> #include <Ice/ProtocolPluginFacade.h> +#include <openssl/err.h> + +#include <IceUtil/DisableWarnings.h> + + using namespace std; using namespace Ice; using namespace IceSSL; @@ -23,29 +29,62 @@ using namespace IceSSL; void IceInternal::incRef(IceSSL::Instance* p) { p->__incRef(); } void IceInternal::decRef(IceSSL::Instance* p) { p->__decRef(); } -IceSSL::Instance::Instance(const CommunicatorPtr& communicator) +static int +opensslPasswordCallback(char* buf, int size, int flag, void* userData) { - __setNoDelete(true); + IceSSL::Instance* p = reinterpret_cast<IceSSL::Instance*>(userData); + string passwd = p->password(flag == 1); + int sz = static_cast<int>(passwd.size()); + if(sz > size) + { + sz = size - 1; + } + strncpy(buf, passwd.c_str(), sz); + buf[sz] = '\0'; + return sz; +} + +#ifndef OPENSSL_NO_DH +static DH* +opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength) +{ + IceSSL::Instance* p = reinterpret_cast<IceSSL::Instance*>(SSL_CTX_get_ex_data(ssl->ctx, 0)); + return p->dhParams(keyLength); +} +#endif + +static int +opensslVerifyCallback(int ok, X509_STORE_CTX* ctx) +{ + SSL* ssl = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx())); + IceSSL::Instance* p = reinterpret_cast<IceSSL::Instance*>(SSL_CTX_get_ex_data(ssl->ctx, 0)); + return p->verifyCallback(ok, ssl, ctx); +} + +static bool +passwordError() +{ + int reason = ERR_GET_REASON(ERR_peek_error()); + return (reason == PEM_R_BAD_BASE64_DECODE || + reason == PEM_R_BAD_DECRYPT || + reason == PEM_R_BAD_PASSWORD_READ || + reason == PEM_R_PROBLEMS_GETTING_PASSWORD); +} - PropertiesPtr properties = communicator->getProperties(); +IceSSL::Instance::Instance(const CommunicatorPtr& communicator) : + _logger(communicator->getLogger()), + _ctx(0) +{ + __setNoDelete(true); _facade = IceInternal::getProtocolPluginFacade(communicator); - _securityTraceLevel = properties->getPropertyAsInt("IceSSL.Trace.Security"); + _securityTraceLevel = communicator->getProperties()->getPropertyAsInt("IceSSL.Trace.Security"); _securityTraceCategory = "Security"; // - // Create the context. - // - // If IceSSL.DelayInit=1, postpone the creation of the context until - // the application manually initializes the plugin. - // - if(properties->getPropertyAsInt("IceSSL.DelayInit") == 0) - { - _context = new Context(this, 0); - } - - // - // Register the endpoint factory. + // Register the endpoint factory. We have to do this now, rather than + // in initialize, because the communicator may need to interpret + // proxies before the plugin is fully initialized. // _facade->addEndpointFactory(new EndpointFactoryI(this)); @@ -53,21 +92,422 @@ IceSSL::Instance::Instance(const CommunicatorPtr& communicator) } void -IceSSL::Instance::initialize(SSL_CTX* context) +IceSSL::Instance::initialize() { - if(_context) + if(_ctx) { - SecurityException ex(__FILE__, __LINE__); - ex.reason = "plugin is already initialized"; + return; + } + + _ctx = SSL_CTX_new(SSLv23_method()); + if(!_ctx) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: unable to create SSL context:\n" + sslErrors(); throw ex; } - else + + try { - _context = new Context(this, context); + // + // Store a pointer to ourself for use in OpenSSL callbacks. + // + SSL_CTX_set_ex_data(_ctx, 0, this); + + // + // This is necessary for successful interop with Java. Without it, a Java + // client would fail to reestablish a connection: the server gets the + // error "session id context uninitialized" and the client receives + // "SSLHandshakeException: Remote host closed connection during handshake". + // + SSL_CTX_set_session_cache_mode(_ctx, SSL_SESS_CACHE_OFF); + + PropertiesPtr properties = communicator()->getProperties(); + const string propPrefix = "IceSSL."; + + // + // Check for a default directory. We look in this directory for + // files mentioned in the configuration. + // + { + _defaultDir = properties->getProperty(propPrefix + "DefaultDir"); + } + + // + // Select protocols. + // + { + string protocols = properties->getProperty(propPrefix + "Protocols"); + if(!protocols.empty()) + { + parseProtocols(protocols); + } + } + + // + // CheckCertName determines whether we compare the name in a peer's + // certificate against its hostname. + // + { + _checkCertName = properties->getPropertyAsIntWithDefault(propPrefix + "CheckCertName", 0) > 0; + } + + // + // Determine whether a certificate is required from the peer. + // + { + int verifyPeer = properties->getPropertyAsIntWithDefault(propPrefix + "VerifyPeer", 2); + int sslVerifyMode; + switch(verifyPeer) + { + case 0: + sslVerifyMode = SSL_VERIFY_NONE; + break; + case 1: + sslVerifyMode = SSL_VERIFY_PEER; + break; + case 2: + sslVerifyMode = SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT; + break; + default: + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: invalid value for " + propPrefix + "VerifyPeer"; + throw ex; + } + } + SSL_CTX_set_verify(_ctx, sslVerifyMode, opensslVerifyCallback); + } + + // + // If the configuration defines a password, or the application has supplied + // a password prompt object, then register a password callback. Otherwise, + // let OpenSSL use its default behavior. + // + { + // TODO: Support quoted value? + string password = properties->getProperty(propPrefix + "Password"); + if(!password.empty() || _prompt) + { + SSL_CTX_set_default_passwd_cb(_ctx, opensslPasswordCallback); + SSL_CTX_set_default_passwd_cb_userdata(_ctx, this); + _password = password; + } + } + + int passwordRetryMax = properties->getPropertyAsIntWithDefault(propPrefix + "PasswordRetryMax", 3); + + // + // Establish the location of CA certificates. + // + { + string caFile = properties->getProperty(propPrefix + "CertAuthFile"); + string caDir = properties->getPropertyWithDefault(propPrefix + "CertAuthDir", _defaultDir); + const char* file = 0; + const char* dir = 0; + if(!caFile.empty()) + { + if(!checkPath(caFile, _defaultDir, false)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: CA certificate file not found:\n" + caFile; + throw ex; + } + file = caFile.c_str(); + } + if(!caDir.empty()) + { + if(!checkPath(caDir, _defaultDir, true)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: CA certificate directory not found:\n" + caDir; + throw ex; + } + dir = caDir.c_str(); + } + if(file || dir) + { + // + // The certificate may be stored in an encrypted file, so handle + // password retries. + // + int count = 0; + int err; + while(count < passwordRetryMax) + { + ERR_clear_error(); + err = SSL_CTX_load_verify_locations(_ctx, file, dir); + if(err || !passwordError()) + { + break; + } + ++count; + } + if(err == 0) + { + string msg = "IceSSL: unable to establish CA certificates"; + if(passwordError()) + { + msg += ":\ninvalid password"; + } + else + { + string err = sslErrors(); + if(!err.empty()) + { + msg += ":\n" + err; + } + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + } + + // + // Establish the certificate chains and private keys. One RSA certificate and + // one DSA certificate are allowed. + // + { +#ifdef _WIN32 + const string sep = ";"; +#else + const string sep = ":"; +#endif + string certFile = properties->getProperty(propPrefix + "CertFile"); + string keyFile = properties->getProperty(propPrefix + "KeyFile"); + vector<string>::size_type numCerts = 0; + if(!certFile.empty()) + { + vector<string> files; + if(!splitString(certFile, sep, false, files) || files.size() > 2) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: invalid value for " + propPrefix + "CertFile:\n" + certFile; + throw ex; + } + numCerts = files.size(); + for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) + { + string file = *p; + if(!checkPath(file, _defaultDir, false)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: certificate file not found:\n" + file; + throw ex; + } + // + // The certificate may be stored in an encrypted file, so handle + // password retries. + // + int count = 0; + int err; + while(count < passwordRetryMax) + { + ERR_clear_error(); + err = SSL_CTX_use_certificate_chain_file(_ctx, file.c_str()); + if(err || !passwordError()) + { + break; + } + ++count; + } + if(err == 0) + { + string msg = "IceSSL: unable to load certificate chain from file " + file; + if(passwordError()) + { + msg += ":\ninvalid password"; + } + else + { + string err = sslErrors(); + if(!err.empty()) + { + msg += ":\n" + err; + } + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + } + if(keyFile.empty()) + { + keyFile = certFile; // Assume the certificate file also contains the private key. + } + if(!keyFile.empty()) + { + vector<string> files; + if(!splitString(keyFile, sep, false, files) || files.size() > 2) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: invalid value for " + propPrefix + "KeyFile:\n" + keyFile; + throw ex; + } + if(files.size() != numCerts) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: " + propPrefix + "KeyFile does not agree with " + propPrefix + "CertFile"; + throw ex; + } + for(vector<string>::iterator p = files.begin(); p != files.end(); ++p) + { + string file = *p; + if(!checkPath(file, _defaultDir, false)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: key file not found:\n" + file; + throw ex; + } + // + // The private key may be stored in an encrypted file, so handle + // password retries. + // + int count = 0; + int err; + while(count < passwordRetryMax) + { + ERR_clear_error(); + err = SSL_CTX_use_PrivateKey_file(_ctx, file.c_str(), SSL_FILETYPE_PEM); + if(err || !passwordError()) + { + break; + } + ++count; + } + if(err == 0) + { + string msg = "IceSSL: unable to load private key from file " + file; + if(passwordError()) + { + msg += ":\ninvalid password"; + } + else + { + string err = sslErrors(); + if(!err.empty()) + { + msg += ":\n" + err; + } + } + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + if(!SSL_CTX_check_private_key(_ctx)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: unable to validate private key(s):\n" + sslErrors(); + throw ex; + } + } + } + + // + // Establish the cipher list. + // + { + string ciphers = properties->getProperty(propPrefix + "Ciphers"); + if(!ciphers.empty()) + { + if(!SSL_CTX_set_cipher_list(_ctx, ciphers.c_str())) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: unable to set ciphers using `" + ciphers + "':\n" + sslErrors(); + throw ex; + } + } + } + + // + // Establish the maximum verify depth. + // + { + int depth = properties->getPropertyAsIntWithDefault(propPrefix + "VerifyDepthMax", 2); + if(depth >= 0) + { + SSL_CTX_set_verify_depth(_ctx, depth); + } + } + + // + // Diffie Hellman configuration. + // + { +#ifndef OPENSSL_NO_DH + _dhParams = new DHParams; + SSL_CTX_set_options(_ctx, SSL_OP_SINGLE_DH_USE); + SSL_CTX_set_tmp_dh_callback(_ctx, opensslDHCallback); +#endif + // + // Properties have the following form: + // + // ...DH.<keyLength>=file + // + const string dhPrefix = propPrefix + "DH."; + PropertyDict d = properties->getPropertiesForPrefix(dhPrefix); + if(!d.empty()) + { +#ifdef OPENSSL_NO_DH + _logger->warning("IceSSL: OpenSSL is not configured for Diffie Hellman"); +#else + for(PropertyDict::iterator p = d.begin(); p != d.end(); ++p) + { + string s = p->first.substr(dhPrefix.size()); + int keyLength = atoi(s.c_str()); + if(keyLength > 0) + { + string file = p->second; + if(!checkPath(file, _defaultDir, false)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: DH parameter file not found:\n" + file; + throw ex; + } + if(!_dhParams->add(keyLength, file)) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: unable to read DH parameter file " + file; + throw ex; + } + } + } +#endif + } + } + } + catch(...) + { + SSL_CTX_free(_ctx); + _ctx = 0; + throw; } } void +IceSSL::Instance::context(SSL_CTX* context) +{ + if(_ctx) + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: plugin is already initialized"; + throw ex; + } + + _ctx = context; +} + +SSL_CTX* +IceSSL::Instance::context() const +{ + return _ctx; +} + +void IceSSL::Instance::setCertificateVerifier(const CertificateVerifierPtr& verifier) { _verifier = verifier; @@ -115,28 +555,154 @@ IceSSL::Instance::securityTraceCategory() const return _securityTraceCategory; } -ContextPtr -IceSSL::Instance::context() const +void +IceSSL::Instance::verifyPeer(SSL* ssl, SOCKET fd, const string& address, bool incoming) { - if(!_context) + long result = SSL_get_verify_result(ssl); + if(result != X509_V_OK) { - PluginInitializationException ex(__FILE__, __LINE__); - ex.reason = "IceSSL: plugin is not fully initialized"; + ostringstream ostr; + ostr << "IceSSL: certificate verification failed:\n" << X509_verify_cert_error_string(result); + string msg = ostr.str(); + if(_securityTraceLevel >= 1) + { + _logger->trace(_securityTraceCategory, msg); + } + SecurityException ex(__FILE__, __LINE__); + ex.reason = msg; throw ex; } - return _context; -} -CertificateVerifierPtr -IceSSL::Instance::certificateVerifier() const -{ - return _verifier; -} + X509* rawCert = SSL_get_peer_certificate(ssl); + CertificatePtr cert; + if(rawCert != 0) + { + cert = new Certificate(rawCert); + } -PasswordPromptPtr -IceSSL::Instance::passwordPrompt() const -{ - return _prompt; + // + // Extract the IP addresses and the DNS names from the subject + // alternative names. + // + if(cert) + { + vector<pair<int, string> > subjectAltNames = cert->getSubjectAlternativeNames(); + vector<string> ipAddresses; + vector<string> dnsNames; + for(vector<pair<int, string> >::const_iterator p = subjectAltNames.begin(); p != subjectAltNames.end(); ++p) + { + if(p->first == 7) + { + ipAddresses.push_back(p->second); + } + else if(p->first == 2) + { + dnsNames.push_back(p->second); + } + } + + // + // Compare the peer's address against the dnsName and ipAddress values. + // This is only relevant for an outgoing connection. + // + if(!address.empty()) + { + bool certNameOK = false; + + for(vector<string>::const_iterator p = ipAddresses.begin(); p != ipAddresses.end() && !certNameOK; ++p) + { + if(address == *p) + { + certNameOK = true; + break; + } + } + + if(!certNameOK && !dnsNames.empty()) + { + string host = address; + transform(host.begin(), host.end(), host.begin(), ::tolower); + for(vector<string>::const_iterator p = dnsNames.begin(); p != dnsNames.end() && !certNameOK; ++p) + { + string s = *p; + transform(s.begin(), s.end(), s.begin(), ::tolower); + if(host == s) + { + certNameOK = true; + } + } + } + + // + // Log a message if the name comparison fails. If CheckCertName is defined, + // we also raise an exception to abort the connection. Don't log a message if + // CheckCertName is not defined and a verifier is present. + // + if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && !_verifier))) + { + ostringstream ostr; + ostr << "IceSSL: "; + if(!_checkCertName) + { + ostr << "ignoring "; + } + ostr << "certificate validation failure:\npeer certificate does not contain `" + << address << "' in its subjectAltName extension"; + if(!dnsNames.empty()) + { + ostr << "\nDNS names found in certificate: "; + for(vector<string>::const_iterator p = dnsNames.begin(); p != dnsNames.end(); ++p) + { + if(p != dnsNames.begin()) + { + ostr << ", "; + } + ostr << *p; + } + } + if(!ipAddresses.empty()) + { + ostr << "\nIP addresses found in certificate: "; + for(vector<string>::const_iterator p = ipAddresses.begin(); p != ipAddresses.end(); ++p) + { + if(p != ipAddresses.begin()) + { + ostr << ", "; + } + ostr << *p; + } + } + string msg = ostr.str(); + if(_securityTraceLevel >= 1) + { + Trace out(_logger, _securityTraceCategory); + out << msg; + } + if(_checkCertName) + { + SecurityException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } + } + } + + if(_verifier) + { + ConnectionInfo info = populateConnectionInfo(ssl, fd); + if(!_verifier->verify(info)) + { + string msg = string(incoming ? "incoming" : "outgoing") + " connection rejected by certificate verifier"; + if(_securityTraceLevel >= 1) + { + _logger->trace(_securityTraceCategory, msg + "\n" + IceInternal::fdToString(SSL_get_fd(ssl))); + } + SecurityException ex(__FILE__, __LINE__); + ex.reason = msg; + throw ex; + } + } } string @@ -149,5 +715,136 @@ void IceSSL::Instance::destroy() { _facade = 0; - _context = 0; + + if(_ctx) + { + SSL_CTX_free(_ctx); + } +} + +string +IceSSL::Instance::password(bool /*encrypting*/) +{ + if(_prompt) + { + try + { + return _prompt->getPassword(); + } + catch(...) + { + // + // Don't allow exceptions to cross an OpenSSL boundary. + // + return string(); + } + } + else + { + return _password; + } +} + +int +IceSSL::Instance::verifyCallback(int ok, SSL* ssl, X509_STORE_CTX* c) +{ + if(!ok && _securityTraceLevel >= 1) + { + X509* cert = X509_STORE_CTX_get_current_cert(c); + int err = X509_STORE_CTX_get_error(c); + char buf[256]; + + Trace out(_logger, _securityTraceCategory); + out << "certificate verification failure\n"; + + X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); + out << "issuer = " << buf << '\n'; + X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); + out << "subject = " << buf << '\n'; + out << "depth = " << X509_STORE_CTX_get_error_depth(c) << '\n'; + out << "error = " << X509_verify_cert_error_string(err) << '\n'; + out << IceInternal::fdToString(SSL_get_fd(ssl)); + } + return ok; +} + +#ifndef OPENSSL_NO_DH +DH* +IceSSL::Instance::dhParams(int keyLength) +{ + return _dhParams->get(keyLength); +} +#endif + +void +IceSSL::Instance::traceConnection(SSL* ssl, bool incoming) +{ + Trace out(_logger, _securityTraceCategory); + out << "SSL summary for " << (incoming ? "incoming" : "outgoing") << " connection\n"; + SSL_CIPHER* cipher = SSL_get_current_cipher(ssl); + if(!cipher) + { + out << "unknown cipher\n"; + } + else + { + out << "cipher = " << SSL_CIPHER_get_name(cipher) << "\n"; + out << "bits = " << SSL_CIPHER_get_bits(cipher, 0) << "\n"; + out << "protocol = " << SSL_get_version(ssl) << "\n"; + } + out << IceInternal::fdToString(SSL_get_fd(ssl)); +} + +void +IceSSL::Instance::parseProtocols(const string& val) +{ + const string delim = ", "; + bool sslv3 = false, tlsv1 = false; + string::size_type pos = 0; + while(pos != string::npos) + { + pos = val.find_first_not_of(delim, pos); + if(pos == string::npos) + { + break; + } + + string prot; + string::size_type end = val.find_first_of(delim, pos); + if(end == string::npos) + { + prot = val.substr(pos); + } + else + { + prot = val.substr(pos, end - pos); + } + pos = end; + + if(prot == "ssl3" || prot == "sslv3") + { + sslv3 = true; + } + else if(prot == "tls" || prot == "tls1" || prot == "tlsv1") + { + tlsv1 = true; + } + else + { + PluginInitializationException ex(__FILE__, __LINE__); + ex.reason = "IceSSL: unrecognized protocol `" + prot + "'"; + throw ex; + } + } + + long opts = SSL_OP_NO_SSLv2; // SSLv2 is not supported. + if(!sslv3) + { + opts |= SSL_OP_NO_SSLv3; + } + if(!tlsv1) + { + opts |= SSL_OP_NO_TLSv1; + } + SSL_CTX_set_options(_ctx, opts); } diff --git a/cpp/src/IceSSL/Instance.h b/cpp/src/IceSSL/Instance.h index cb8d5d5caee..5ab35519f90 100644 --- a/cpp/src/IceSSL/Instance.h +++ b/cpp/src/IceSSL/Instance.h @@ -11,8 +11,10 @@ #define ICE_SSL_INSTANCE_H #include <InstanceF.h> -#include <Context.h> +#include <UtilF.h> #include <Ice/CommunicatorF.h> +#include <Ice/LoggerF.h> +#include <Ice/Network.h> #include <Ice/ProtocolPluginFacadeF.h> #include <IceSSL/Plugin.h> @@ -25,7 +27,9 @@ public: Instance(const Ice::CommunicatorPtr&); - void initialize(SSL_CTX*); + void initialize(); + void context(SSL_CTX*); + SSL_CTX* context() const; void setCertificateVerifier(const CertificateVerifierPtr&); void setPasswordPrompt(const PasswordPromptPtr&); @@ -36,21 +40,38 @@ public: int securityTraceLevel() const; std::string securityTraceCategory() const; - ContextPtr context() const; - - CertificateVerifierPtr certificateVerifier() const; - PasswordPromptPtr passwordPrompt() const; + void verifyPeer(SSL*, SOCKET, const std::string&, bool); std::string sslErrors() const; + void traceConnection(SSL*, bool); + void destroy(); + // + // OpenSSL callbacks. + // + std::string password(bool); + int verifyCallback(int, SSL*, X509_STORE_CTX*); +#ifndef OPENSSL_NO_DH + DH* dhParams(int); +#endif + private: + void parseProtocols(const std::string&); + + Ice::LoggerPtr _logger; IceInternal::ProtocolPluginFacadePtr _facade; int _securityTraceLevel; std::string _securityTraceCategory; - ContextPtr _context; + SSL_CTX* _ctx; + std::string _defaultDir; + bool _checkCertName; + std::string _password; +#ifndef OPENSSL_NO_DH + DHParamsPtr _dhParams; +#endif CertificateVerifierPtr _verifier; PasswordPromptPtr _prompt; }; diff --git a/cpp/src/IceSSL/Makefile b/cpp/src/IceSSL/Makefile index a2155aa6a2e..1a56c4842d1 100644 --- a/cpp/src/IceSSL/Makefile +++ b/cpp/src/IceSSL/Makefile @@ -17,7 +17,6 @@ TARGETS = $(call mklibtargets,$(libdir)/$(LIBFILENAME),$(libdir)/$(SONAME),$(li OBJS = AcceptorI.o \ Certificate.o \ - Context.o \ ConnectorI.o \ EndpointI.o \ Instance.o \ diff --git a/cpp/src/IceSSL/PluginI.cpp b/cpp/src/IceSSL/PluginI.cpp index e00993a6af0..c391cb5d008 100644 --- a/cpp/src/IceSSL/PluginI.cpp +++ b/cpp/src/IceSSL/PluginI.cpp @@ -9,6 +9,7 @@ #include <PluginI.h> #include <Instance.h> +#include <TransceiverI.h> #include <Util.h> #include <Ice/BuiltinSequences.h> #include <Ice/Communicator.h> @@ -18,7 +19,6 @@ #include <IceUtil/StaticMutex.h> #include <Ice/ConnectionI.h> // For implementation of getConnectionInfo. -#include <IceSSL/TransceiverI.h> // For implementation of getConnectionInfo. #include <openssl/crypto.h> #include <openssl/err.h> @@ -99,6 +99,12 @@ IceSSL::PluginI::PluginI(const Ice::CommunicatorPtr& communicator) } void +IceSSL::PluginI::initialize() +{ + _instance->initialize(); +} + +void IceSSL::PluginI::destroy() { _instance->destroy(); @@ -108,9 +114,15 @@ IceSSL::PluginI::destroy() } void -IceSSL::PluginI::initialize(SSL_CTX* context) +IceSSL::PluginI::setContext(SSL_CTX* context) +{ + _instance->context(context); +} + +SSL_CTX* +IceSSL::PluginI::getContext() { - _instance->initialize(context); + return _instance->context(); } void @@ -125,12 +137,6 @@ IceSSL::PluginI::setPasswordPrompt(const PasswordPromptPtr& prompt) _instance->setPasswordPrompt(prompt); } -SSL_CTX* -IceSSL::PluginI::context() -{ - return _instance->context()->ctx(); -} - void IceSSL::PluginI::setupSSL(const CommunicatorPtr& communicator) { diff --git a/cpp/src/IceSSL/PluginI.h b/cpp/src/IceSSL/PluginI.h index ac00379e60a..00584bfcb24 100644 --- a/cpp/src/IceSSL/PluginI.h +++ b/cpp/src/IceSSL/PluginI.h @@ -24,14 +24,20 @@ public: PluginI(const Ice::CommunicatorPtr&); + // + // From Ice::Plugin. + // + virtual void initialize(); virtual void destroy(); - virtual void initialize(SSL_CTX* = 0); + // + // From IceSSL::Plugin. + // + virtual void setContext(SSL_CTX*); + virtual SSL_CTX* getContext(); virtual void setCertificateVerifier(const CertificateVerifierPtr&); virtual void setPasswordPrompt(const PasswordPromptPtr&); - virtual SSL_CTX* context(); - private: void setupSSL(const Ice::CommunicatorPtr&); |