Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/Ice/CertificateAuthority.h3
-rw-r--r--cpp/src/Ice/CertificateDesc.h9
-rw-r--r--cpp/src/Ice/ConfigParser.cpp401
-rw-r--r--cpp/src/Ice/ConfigParser.h16
-rw-r--r--cpp/src/Ice/ConfigParserErrorReporter.h4
-rw-r--r--cpp/src/Ice/ContextOpenSSL.cpp13
-rw-r--r--cpp/src/Ice/ContextOpenSSL.h5
-rw-r--r--cpp/src/Ice/ContextOpenSSLClient.h5
-rw-r--r--cpp/src/Ice/ContextOpenSSLServer.cpp35
-rw-r--r--cpp/src/Ice/ContextOpenSSLServer.h5
-rw-r--r--cpp/src/Ice/DefaultCertificateVerifier.cpp5
-rw-r--r--cpp/src/Ice/DefaultCertificateVerifier.h3
-rw-r--r--cpp/src/Ice/GeneralConfig.cpp4
-rw-r--r--cpp/src/Ice/GeneralConfig.h2
-rw-r--r--cpp/src/Ice/OpenSSLJanitors.h10
-rw-r--r--cpp/src/Ice/OpenSSLUtils.cpp47
-rw-r--r--cpp/src/Ice/OpenSSLUtils.h2
-rw-r--r--cpp/src/Ice/RSACertificateGen.cpp58
-rw-r--r--cpp/src/Ice/SingleCertificateVerifier.cpp7
-rw-r--r--cpp/src/Ice/SingleCertificateVerifier.h8
-rw-r--r--cpp/src/Ice/SslAcceptor.cpp2
-rw-r--r--cpp/src/Ice/SslConnection.h6
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSL.cpp192
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSL.h19
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLClient.cpp93
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLClient.h4
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLServer.cpp74
-rw-r--r--cpp/src/Ice/SslConnectionOpenSSLServer.h4
-rw-r--r--cpp/src/Ice/SslException2.cpp1
-rw-r--r--cpp/src/Ice/SslExtensionInternal.h3
-rw-r--r--cpp/src/Ice/SslFactory.cpp26
-rw-r--r--cpp/src/Ice/SslFactory.h5
-rw-r--r--cpp/src/Ice/SystemOpenSSL.cpp113
-rw-r--r--cpp/src/Ice/SystemOpenSSL.h5
-rw-r--r--cpp/src/Ice/TempCerts.h5
-rw-r--r--cpp/src/Ice/ice.dsp8
36 files changed, 538 insertions, 664 deletions
diff --git a/cpp/src/Ice/CertificateAuthority.h b/cpp/src/Ice/CertificateAuthority.h
index eba9f1d19b0..df3680d6236 100644
--- a/cpp/src/Ice/CertificateAuthority.h
+++ b/cpp/src/Ice/CertificateAuthority.h
@@ -18,8 +18,8 @@ namespace IceSSL
class CertificateAuthority
{
-
public:
+
CertificateAuthority();
CertificateAuthority(std::string&, std::string&);
CertificateAuthority(CertificateAuthority&);
@@ -31,6 +31,7 @@ public:
const std::string& getCAPath() const;
private:
+
std::string _fileName;
std::string _path;
};
diff --git a/cpp/src/Ice/CertificateDesc.h b/cpp/src/Ice/CertificateDesc.h
index 8addb46a25c..b908ca981bd 100644
--- a/cpp/src/Ice/CertificateDesc.h
+++ b/cpp/src/Ice/CertificateDesc.h
@@ -23,8 +23,8 @@ namespace IceSSL
class CertificateFile
{
-
public:
+
CertificateFile();
CertificateFile(const std::string&, const int);
CertificateFile(const CertificateFile&);
@@ -33,14 +33,15 @@ public:
int getEncoding() const;
protected:
+
std::string _fileName;
int _encoding;
};
class DiffieHellmanParamsFile : public CertificateFile
{
-
public:
+
DiffieHellmanParamsFile();
DiffieHellmanParamsFile(const int, const std::string&, const int);
DiffieHellmanParamsFile(const DiffieHellmanParamsFile&);
@@ -48,13 +49,14 @@ public:
int getKeySize() const;
protected:
+
int _keySize;
};
class CertificateDesc
{
-
public:
+
CertificateDesc();
CertificateDesc(const int, const CertificateFile&, const CertificateFile&);
CertificateDesc(const CertificateDesc&);
@@ -65,6 +67,7 @@ public:
const CertificateFile& getPrivate() const;
protected:
+
int _keySize;
CertificateFile _public;
CertificateFile _private;
diff --git a/cpp/src/Ice/ConfigParser.cpp b/cpp/src/Ice/ConfigParser.cpp
index 52643ce0fac..4cd66ead8f4 100644
--- a/cpp/src/Ice/ConfigParser.cpp
+++ b/cpp/src/Ice/ConfigParser.cpp
@@ -43,19 +43,19 @@ IceSSL::ConfigParser::ConfigParser(const string& configFile) :
_configFile(configFile)
{
assert(!configFile.empty());
- _configPath = "./";
+ _configPath = "./";
_traceLevels = 0;
- _logger = 0;
+ _logger = 0;
}
IceSSL::ConfigParser::ConfigParser(const string& configFile, const string& configPath) :
- _configFile(configFile),
- _configPath(configPath)
+ _configFile(configFile),
+ _configPath(configPath)
{
assert(!configFile.empty());
assert(!configPath.empty());
_traceLevels = 0;
- _logger = 0;
+ _logger = 0;
}
IceSSL::ConfigParser::~ConfigParser()
@@ -87,9 +87,9 @@ IceSSL::ConfigParser::process()
ConfigParserErrorReporterPtr errReporter = new ConfigParserErrorReporter(_traceLevels, _logger);
assert(errReporter != 0);
- // Create our parser, then attach an error handler to the parser.
- // The parser will call back to methods of the ErrorHandler if it
- // discovers errors during the course of parsing the XML document.
+ // Create our parser, then attach an error handler to the parser.
+ // The parser will call back to methods of the ConfigParserErrorHandler
+ // if it discovers errors during the course of parsing the XML document.
DOMParser parser;
parser.setValidationScheme(DOMParser::Val_Auto);
parser.setDoNamespaces(false);
@@ -100,13 +100,9 @@ IceSSL::ConfigParser::process()
try
{
- string::iterator fileBegin = _configFile.begin();
-
- if (*fileBegin != '/')
+ if (*(_configFile.begin()) != '/')
{
- string::reverse_iterator pathEnd = _configPath.rbegin();
-
- if (*pathEnd != '/')
+ if (*(_configPath.rbegin()) != '/')
{
_configPath += "/";
}
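Review bot: The absolute-path test for the config file only recognises a leading '/', whereas the filename handling later in this file (getCertAuth, loadCertificateFile) treats both '/' and '\\' as separators, so a Windows-style absolute path such as `C:\ssl\config.xml` or `\\share\config.xml` would still get `_configPath` prepended. A check along the lines of `const char c = _configFile[0]; if (c != '/' && c != '\\' && !(_configFile.size() > 1 && _configFile[1] == ':'))` would keep the two conventions consistent. Both dereferences also rely on the constructor `assert`s for non-emptiness, which disappear under NDEBUG; `_configPath` is set to "./" by the one-argument constructor, but a release build given an empty `configFile` would dereference `begin()` of an empty string. The enclosing `process()` body continues outside the hunk.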
@@ -189,7 +185,6 @@ IceSSL::ConfigParser::loadClientConfig(GeneralConfig& general,
CertificateAuthority& certAuth,
BaseCertificates& baseCerts)
{
- bool retCode = false;
string clientSectionString("SSLConfig:client");
DOM_Node clientSection = find(clientSectionString);
@@ -200,8 +195,8 @@ IceSSL::ConfigParser::loadClientConfig(GeneralConfig& general,
{
getGeneral(clientSection, general);
getCertAuth(clientSection, certAuth);
- getBaseCerts(clientSection, baseCerts);
- retCode = true;
+ getBaseCerts(clientSection, baseCerts);
+ return true;
}
}
catch (const DOM_DOMException& e)
@@ -218,7 +213,7 @@ IceSSL::ConfigParser::loadClientConfig(GeneralConfig& general,
throw configEx;
}
- return retCode;
+ return false;
}
bool
@@ -227,7 +222,6 @@ IceSSL::ConfigParser::loadServerConfig(GeneralConfig& general,
BaseCertificates& baseCerts,
TempCertificates& tempCerts)
{
- bool retCode = false;
string serverSectionString("SSLConfig:server");
DOM_Node serverSection = find(serverSectionString);
@@ -239,8 +233,8 @@ IceSSL::ConfigParser::loadServerConfig(GeneralConfig& general,
getGeneral(serverSection, general);
getCertAuth(serverSection, certAuth);
getBaseCerts(serverSection, baseCerts);
- getTempCerts(serverSection, tempCerts);
- retCode = true;
+ getTempCerts(serverSection, tempCerts);
+ return true;
}
}
catch (const DOM_DOMException& e)
@@ -257,7 +251,7 @@ IceSSL::ConfigParser::loadServerConfig(GeneralConfig& general,
throw configEx;
}
- return retCode;
+ return false;
}
void
@@ -318,40 +312,42 @@ IceSSL::ConfigParser::find(DOM_Node rootNode, string& nodePath)
// The target node that we're looking for.
DOM_Node tNode;
- if (rootNode != 0)
- {
- string rootNodeName;
- string tailNodes;
+ if (rootNode == 0)
+ {
+ return tNode;
+ }
+
+ string rootNodeName;
+ string tailNodes;
- // Pop the root off the path.
- popRoot(nodePath, rootNodeName, tailNodes);
+ // Pop the root off the path.
+ popRoot(nodePath, rootNodeName, tailNodes);
- DOM_Node child = rootNode.getFirstChild();
+ DOM_Node child = rootNode.getFirstChild();
- while (child != 0)
+ while (child != 0)
+ {
+ // Ignore any other node types - we're only interested in ELEMENT_NODEs.
+ if (child.getNodeType() == DOM_Node::ELEMENT_NODE)
{
- // Ignore any other node types - we're only interested in ELEMENT_NODEs.
- if (child.getNodeType() == DOM_Node::ELEMENT_NODE)
- {
- string nodeName = toString(child.getNodeName());
+ string nodeName = toString(child.getNodeName());
- if (nodeName.compare(rootNodeName) == 0)
+ if (nodeName.compare(rootNodeName) == 0)
+ {
+ // No further to recurse, this must be it.
+ if (tailNodes.empty())
+ {
+ tNode = child;
+ }
+ else
{
- // No further to recurse, this must be it.
- if (tailNodes.empty())
- {
- tNode = child;
- }
- else
- {
- // Recursive call.
- tNode = find(child, tailNodes);
- }
+ // Recursive call.
+ tNode = find(child, tailNodes);
}
}
-
- child = child.getNextSibling();
}
+
+ child = child.getNextSibling();
}
return tNode;
@@ -360,64 +356,69 @@ IceSSL::ConfigParser::find(DOM_Node rootNode, string& nodePath)
void
IceSSL::ConfigParser::getGeneral(DOM_Node rootNode, GeneralConfig& generalConfig)
{
- if (rootNode != 0)
- {
- string generalString("general");
- DOM_Node general = find(rootNode, generalString);
+ if (rootNode == 0)
+ {
+ return;
+ }
+
+ string generalString("general");
+ DOM_Node general = find(rootNode, generalString);
- DOM_NamedNodeMap attributes = general.getAttributes();
+ DOM_NamedNodeMap attributes = general.getAttributes();
- int attrCount = attributes.getLength();
+ int attrCount = attributes.getLength();
- for (int i = 0; i < attrCount; i++)
- {
- DOM_Node attribute = attributes.item(i);
- string nodeName = toString(attribute.getNodeName());
- string nodeValue = toString(attribute.getNodeValue());
+ for (int i = 0; i < attrCount; i++)
+ {
+ DOM_Node attribute = attributes.item(i);
+ string nodeName = toString(attribute.getNodeName());
+ string nodeValue = toString(attribute.getNodeValue());
- // Set the property.
- generalConfig.set(nodeName, nodeValue);
- }
+ // Set the property.
+ generalConfig.set(nodeName, nodeValue);
}
}
void
IceSSL::ConfigParser::getCertAuth(DOM_Node rootNode, CertificateAuthority& certAuth)
{
- if (rootNode != 0)
- {
- string certAuthorityString("certauthority");
- DOM_Node certAuthNode = find(rootNode, certAuthorityString);
-
- if (certAuthNode != 0)
- {
- DOM_NamedNodeMap attributes = certAuthNode.getAttributes();
+ if (rootNode == 0)
+ {
+ return;
+ }
+
+ DOM_Node certAuthNode = find(rootNode, string("certauthority"));
- int attrCount = attributes.getLength();
+ if (certAuthNode == 0)
+ {
+ return;
+ }
+
+ DOM_NamedNodeMap attributes = certAuthNode.getAttributes();
- for (int i = 0; i < attrCount; i++)
- {
- DOM_Node attribute = attributes.item(i);
- string nodeName = toString(attribute.getNodeName());
- string nodeValue = toString(attribute.getNodeValue());
+ int attrCount = attributes.getLength();
- if (nodeName.compare("file") == 0)
- {
- string filename = nodeValue;
+ for (int i = 0; i < attrCount; i++)
+ {
+ DOM_Node attribute = attributes.item(i);
+ string nodeName = toString(attribute.getNodeName());
+ string nodeValue = toString(attribute.getNodeValue());
- // Just a filename, no path component, append path.
- if ((filename.find("/") == string::npos) && (filename.find("\\") == string::npos))
- {
- filename = _configPath + filename;
- }
+ if (nodeName.compare("file") == 0)
+ {
+ string filename = nodeValue;
- certAuth.setCAFileName(filename);
- }
- else if (nodeName.compare("path") == 0)
- {
- certAuth.setCAPath(nodeValue);
- }
+ // Just a filename, no path component, append path.
+ if ((filename.find("/") == string::npos) && (filename.find("\\") == string::npos))
+ {
+ filename = _configPath + filename;
}
+
+ certAuth.setCAFileName(filename);
+ }
+ else if (nodeName.compare("path") == 0)
+ {
+ certAuth.setCAPath(nodeValue);
}
}
}
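Review bot: `getGeneral` uses the result of `find(rootNode, generalString)` without checking it, while the sibling `getCertAuth` in the same hunk returns early when its element is missing. A config file lacking a `<general>` element therefore reaches `general.getAttributes()` on a null DOM_Node, and whatever Xerces does there (a DOM_DOMException or worse) is not the parse error a caller would expect. Mirroring getCertAuth, `if (general == 0) { return; }` immediately after the find closes the gap. Separately, the `path` attribute is passed to `certAuth.setCAPath` unmodified while `file` is resolved against `_configPath`; if that asymmetry is deliberate (OpenSSL's CApath is a directory), a one-line comment saying so would save the next reader a question.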
@@ -425,60 +426,66 @@ IceSSL::ConfigParser::getCertAuth(DOM_Node rootNode, CertificateAuthority& certA
void
IceSSL::ConfigParser::getBaseCerts(DOM_Node rootNode, BaseCertificates& baseCerts)
{
- if (rootNode != 0)
- {
- string baseCertsString("basecerts");
- DOM_Node baseCertsRoot = find(rootNode, baseCertsString);
+ if (rootNode == 0)
+ {
+ return;
+ }
+
+ DOM_Node baseCertsRoot = find(rootNode, string("basecerts"));
- if (baseCertsRoot != 0)
- {
- CertificateDesc rsaCert;
- CertificateDesc dsaCert;
- DiffieHellmanParamsFile dhParams;
+ if (baseCertsRoot == 0)
+ {
+ return;
+ }
+
+ CertificateDesc rsaCert;
+ CertificateDesc dsaCert;
+ DiffieHellmanParamsFile dhParams;
- string rsaCertString("rsacert");
- string dsaCertString("dsacert");
- string dhParamsString("dhparams");
+ string rsaCertString("rsacert");
+ string dsaCertString("dsacert");
+ string dhParamsString("dhparams");
- getCert(find(baseCertsRoot, rsaCertString), rsaCert);
- getCert(find(baseCertsRoot, dsaCertString), dsaCert);
+ getCert(find(baseCertsRoot, rsaCertString), rsaCert);
+ getCert(find(baseCertsRoot, dsaCertString), dsaCert);
- getDHParams(find(baseCertsRoot, dhParamsString), dhParams);
+ getDHParams(find(baseCertsRoot, dhParamsString), dhParams);
- baseCerts = BaseCertificates(rsaCert, dsaCert, dhParams);
- }
- }
+ baseCerts = BaseCertificates(rsaCert, dsaCert, dhParams);
}
void
IceSSL::ConfigParser::getTempCerts(DOM_Node rootNode, TempCertificates& tempCerts)
{
- if (rootNode != 0)
- {
- string tempCertsString("tempcerts");
- DOM_Node tempCertsRoot = find(rootNode, tempCertsString);
-
- if (tempCertsRoot != 0)
- {
- DOM_Node child = tempCertsRoot.getFirstChild();
+ if (rootNode == 0)
+ {
+ return;
+ }
+
+ DOM_Node tempCertsRoot = find(rootNode, string("tempcerts"));
- while (child != 0)
- {
- DOMString nodeName = child.getNodeName();
- string name = toString(nodeName);
+ if (tempCertsRoot == 0)
+ {
+ return;
+ }
+
+ DOM_Node child = tempCertsRoot.getFirstChild();
- if (name.compare("dhparams") == 0)
- {
- loadDHParams(child, tempCerts);
- }
- else if (name.compare("rsacert") == 0)
- {
- loadRSACert(child, tempCerts);
- }
+ while (child != 0)
+ {
+ DOMString nodeName = child.getNodeName();
+ string name = toString(nodeName);
- child = child.getNextSibling();
- }
+ if (name.compare("dhparams") == 0)
+ {
+ loadDHParams(child, tempCerts);
+ }
+ else if (name.compare("rsacert") == 0)
+ {
+ loadRSACert(child, tempCerts);
}
+
+ child = child.getNextSibling();
}
}
@@ -505,101 +512,107 @@ IceSSL::ConfigParser::loadRSACert(DOM_Node rootNode, TempCertificates& tempCerts
void
IceSSL::ConfigParser::getCert(DOM_Node rootNode, CertificateDesc& certDesc)
{
- if (rootNode != 0)
- {
- CertificateFile publicFile;
- CertificateFile privateFile;
- int keySize = 0;
+ if (rootNode == 0)
+ {
+ return;
+ }
- DOM_NamedNodeMap attributes = rootNode.getAttributes();
- int attrCount = attributes.getLength();
+ CertificateFile publicFile;
+ CertificateFile privateFile;
+ int keySize = 0;
- for (int i = 0; i < attrCount; i++)
- {
- DOM_Node attribute = attributes.item(i);
- string nodeName = toString(attribute.getNodeName());
- string nodeValue = toString(attribute.getNodeValue());
+ DOM_NamedNodeMap attributes = rootNode.getAttributes();
+ int attrCount = attributes.getLength();
- if (nodeName.compare("keysize") == 0)
- {
- keySize = atoi(nodeValue.c_str());
- }
+ for (int i = 0; i < attrCount; i++)
+ {
+ DOM_Node attribute = attributes.item(i);
+ string nodeName = toString(attribute.getNodeName());
+ string nodeValue = toString(attribute.getNodeValue());
+
+ if (nodeName.compare("keysize") == 0)
+ {
+ keySize = atoi(nodeValue.c_str());
}
+ }
- string publicString("public");
- string privateString("private");
+ string publicString("public");
+ string privateString("private");
- loadCertificateFile(find(rootNode, publicString), publicFile);
- loadCertificateFile(find(rootNode, privateString), privateFile);
+ loadCertificateFile(find(rootNode, publicString), publicFile);
+ loadCertificateFile(find(rootNode, privateString), privateFile);
- // Initialize the certificate description.
- certDesc = CertificateDesc(keySize, publicFile, privateFile);
- }
+ // Initialize the certificate description.
+ certDesc = CertificateDesc(keySize, publicFile, privateFile);
}
void
IceSSL::ConfigParser::getDHParams(DOM_Node rootNode, DiffieHellmanParamsFile& dhParams)
{
- if (rootNode != 0)
- {
- CertificateFile certFile;
- loadCertificateFile(rootNode, certFile);
+ if (rootNode == 0)
+ {
+ return;
+ }
- DOM_NamedNodeMap attributes = rootNode.getAttributes();
- int keySize = 0;
- int attrCount = attributes.getLength();
+ CertificateFile certFile;
+ loadCertificateFile(rootNode, certFile);
- for (int i = 0; i < attrCount; i++)
- {
- DOM_Node attribute = attributes.item(i);
- string nodeName = toString(attribute.getNodeName());
- string nodeValue = toString(attribute.getNodeValue());
+ DOM_NamedNodeMap attributes = rootNode.getAttributes();
+ int keySize = 0;
+ int attrCount = attributes.getLength();
- if (nodeName.compare("keysize") == 0)
- {
- keySize = atoi(nodeValue.c_str());
- }
- }
+ for (int i = 0; i < attrCount; i++)
+ {
+ DOM_Node attribute = attributes.item(i);
+ string nodeName = toString(attribute.getNodeName());
+ string nodeValue = toString(attribute.getNodeValue());
- dhParams = DiffieHellmanParamsFile(keySize, certFile.getFileName(), certFile.getEncoding());
+ if (nodeName.compare("keysize") == 0)
+ {
+ keySize = atoi(nodeValue.c_str());
+ }
}
+
+ dhParams = DiffieHellmanParamsFile(keySize, certFile.getFileName(), certFile.getEncoding());
}
void
IceSSL::ConfigParser::loadCertificateFile(DOM_Node rootNode, CertificateFile& certFile)
{
- if (rootNode != 0)
- {
- string filename;
- int encoding = 0; // Initialize, to keep the compiler from complaining.
+ if (rootNode == 0)
+ {
+ return;
+ }
+
+ string filename;
+ int encoding = 0; // Initialize, to keep the compiler from complaining.
- DOM_NamedNodeMap attributes = rootNode.getAttributes();
- int attrCount = attributes.getLength();
+ DOM_NamedNodeMap attributes = rootNode.getAttributes();
+ int attrCount = attributes.getLength();
- for (int i = 0; i < attrCount; i++)
+ for (int i = 0; i < attrCount; i++)
+ {
+ DOM_Node attribute = attributes.item(i);
+ string nodeName = toString(attribute.getNodeName());
+ string nodeValue = toString(attribute.getNodeValue());
+
+ if (nodeName.compare("encoding") == 0)
+ {
+ encoding = parseEncoding(nodeValue);
+ }
+ else if (nodeName.compare("filename") == 0)
{
- DOM_Node attribute = attributes.item(i);
- string nodeName = toString(attribute.getNodeName());
- string nodeValue = toString(attribute.getNodeValue());
+ filename = nodeValue;
- if (nodeName.compare("encoding") == 0)
- {
- encoding = parseEncoding(nodeValue);
- }
- else if (nodeName.compare("filename") == 0)
+ // Just a filename, no path component, append path.
+ if ((filename.find("/") == string::npos) && (filename.find("\\") == string::npos))
{
- filename = nodeValue;
-
- // Just a filename, no path component, append path.
- if ((filename.find("/") == string::npos) && (filename.find("\\") == string::npos))
- {
- filename = _configPath + filename;
- }
+ filename = _configPath + filename;
}
}
-
- certFile = CertificateFile(filename, encoding);
}
+
+ certFile = CertificateFile(filename, encoding);
}
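Review bot: `keySize = atoi(nodeValue.c_str())` in both `getCert` and `getDHParams` silently turns a malformed `keysize` attribute into 0 (or a negative number), and nothing here rejects that value before it is stored in the CertificateDesc / DiffieHellmanParamsFile; if the key size later drives key generation (TempCerts, not visible here) a typo in the config degrades the key without any trace. Parsing with `strtol` and an end-pointer check, and rejecting `keySize <= 0` with a trace at SECURITY_WARNINGS level (or a ConfigParseException, which this file already throws), would make the failure visible. In `loadCertificateFile` the default `encoding = 0` is neither SSL_FILETYPE_PEM nor SSL_FILETYPE_ASN1, so an entry without an `encoding` attribute produces a CertificateFile that `setDHParams` in ContextOpenSSL.cpp skips silently because it only loads PEM; a warning when the attribute is absent would help there too. The comment "Initialize, to keep the compiler from complaining" would be clearer as `// 0 is not a valid SSL_FILETYPE_*; an entry without an encoding attribute is rejected downstream.` if that is in fact the intended behaviour.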
int
diff --git a/cpp/src/Ice/ConfigParser.h b/cpp/src/Ice/ConfigParser.h
index 8377d0b2473..8907a332517 100644
--- a/cpp/src/Ice/ConfigParser.h
+++ b/cpp/src/Ice/ConfigParser.h
@@ -26,9 +26,10 @@ namespace IceSSL
class ConfigParser
{
-
public:
- // Constructor, based on the indicated file.
+
+ // Construction based on the indicated config file, or config file and
+ // certificate path.
ConfigParser(const std::string&);
ConfigParser(const std::string&, const std::string&);
~ConfigParser();
@@ -36,7 +37,7 @@ public:
// Performs a complete parsing of the file.
void process();
- // Loads the Client/Server portions of the config.
+ // Loads the Client/Server portions of the config file.
bool loadClientConfig(GeneralConfig&, CertificateAuthority&, BaseCertificates&);
bool loadServerConfig(GeneralConfig&, CertificateAuthority&, BaseCertificates&, TempCertificates&);
@@ -55,7 +56,7 @@ private:
IceInternal::TraceLevelsPtr _traceLevels;
Ice::LoggerPtr _logger;
- // Tree walking utility methods.
+ // Parse tree walking utility methods.
void popRoot(std::string&, std::string&, std::string&);
DOM_Node find(std::string&);
DOM_Node find(DOM_Node, std::string&);
@@ -70,13 +71,16 @@ private:
void loadDHParams(DOM_Node, TempCertificates&);
void loadRSACert(DOM_Node, TempCertificates&);
- // Populates classes with information from the indicated node in the parse tree.
+ // Populate with information from the indicated node in the parse tree.
void getCert(DOM_Node, CertificateDesc&);
void getDHParams(DOM_Node, DiffieHellmanParamsFile&);
// Populate a certificate file object, basis of all certificates.
void loadCertificateFile(DOM_Node, CertificateFile&);
- int parseEncoding(std::string&);
+
+ // Parses the certificate encoding format from a string representation
+ // to the proper integer value used by the underlying SSL framework.
+ int parseEncoding(std::string&);
std::string toString(const DOMString&);
};
diff --git a/cpp/src/Ice/ConfigParserErrorReporter.h b/cpp/src/Ice/ConfigParserErrorReporter.h
index 5d3e61963be..5cc5f9630d6 100644
--- a/cpp/src/Ice/ConfigParserErrorReporter.h
+++ b/cpp/src/Ice/ConfigParserErrorReporter.h
@@ -24,7 +24,6 @@ namespace IceSSL
class ConfigParserErrorReporter : public ErrorHandler, public IceUtil::Shared
{
-
public:
ConfigParserErrorReporter(const IceInternal::TraceLevelsPtr&, const Ice::LoggerPtr&);
@@ -39,7 +38,8 @@ public:
bool getSawErrors() const;
-private:
+private:
+
// This is set if we get any errors, and is queryable via a getter method.
// It's used by the main code to suppress output if there are errors.
bool _sawErrors;
diff --git a/cpp/src/Ice/ContextOpenSSL.cpp b/cpp/src/Ice/ContextOpenSSL.cpp
index edf5f9c58fb..35204470657 100644
--- a/cpp/src/Ice/ContextOpenSSL.cpp
+++ b/cpp/src/Ice/ContextOpenSSL.cpp
@@ -269,7 +269,7 @@ IceSSL::OpenSSL::Context::setKeyCert(const CertificateDesc& certDesc,
if (!publicProperty.empty())
{
- publicKey = _properties->getProperty(publicProperty);
+ publicKey = _properties->getProperty(publicProperty);
}
if (!privateKey.empty() && !publicKey.empty())
@@ -505,9 +505,7 @@ IceSSL::OpenSSL::Context::addKeyCert(const Ice::ByteSeq& privateKey, const Ice::
}
// Make a key pair based on the DER encoded byte sequences.
- RSAKeyPair keyPair(privKey, publicKey);
-
- addKeyCert(keyPair);
+ addKeyCert(RSAKeyPair(privKey, publicKey));
}
void
@@ -526,9 +524,7 @@ IceSSL::OpenSSL::Context::addKeyCert(const std::string& privateKey, const std::s
}
// Make a key pair based on the Base64 encoded strings.
- RSAKeyPair keyPair(privKey, publicKey);
-
- addKeyCert(keyPair);
+ addKeyCert(RSAKeyPair(privKey, publicKey));
}
SSL*
@@ -588,8 +584,7 @@ IceSSL::OpenSSL::Context::setDHParams(const BaseCertificates& baseCerts)
std::string dhFile = baseCerts.getDHParams().getFileName();
int encoding = baseCerts.getDHParams().getEncoding();
- // File type must be PEM - that's the only way we can load
- // DH Params, apparently.
+ // File type must be PEM - that's the only way we can load DH Params, apparently.
if ((!dhFile.empty()) && (encoding == SSL_FILETYPE_PEM))
{
dh = loadDHParam(dhFile.c_str());
diff --git a/cpp/src/Ice/ContextOpenSSL.h b/cpp/src/Ice/ContextOpenSSL.h
index 07030bce9d7..de8f89f388b 100644
--- a/cpp/src/Ice/ContextOpenSSL.h
+++ b/cpp/src/Ice/ContextOpenSSL.h
@@ -44,8 +44,8 @@ class RSAKeyPair;
class Context : public IceUtil::Shared
{
-
public:
+
virtual ~Context();
bool isConfigured();
@@ -64,7 +64,7 @@ public:
const IceSSL::CertificateAuthority&,
const IceSSL::BaseCertificates&);
- // Takes a socket fd.
+ // Takes a socket fd as the first parameter.
virtual ::IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&) = 0;
protected:
@@ -113,7 +113,6 @@ protected:
SSL_CTX* _sslContext;
friend class IceSSL::OpenSSL::System;
-
};
}
diff --git a/cpp/src/Ice/ContextOpenSSLClient.h b/cpp/src/Ice/ContextOpenSSLClient.h
index c661e306414..8bbf3ee364b 100644
--- a/cpp/src/Ice/ContextOpenSSLClient.h
+++ b/cpp/src/Ice/ContextOpenSSLClient.h
@@ -21,16 +21,17 @@ namespace OpenSSL
class ClientContext : public Context
{
-
public:
+
virtual void configure(const IceSSL::GeneralConfig&,
const IceSSL::CertificateAuthority&,
const IceSSL::BaseCertificates&);
- // Takes a socket fd.
+ // Takes a socket fd as the first parameter.
virtual IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&);
protected:
+
ClientContext(const IceInternal::InstancePtr&);
friend class IceSSL::OpenSSL::System;
diff --git a/cpp/src/Ice/ContextOpenSSLServer.cpp b/cpp/src/Ice/ContextOpenSSLServer.cpp
index b5545f413b0..c24f65be92a 100644
--- a/cpp/src/Ice/ContextOpenSSLServer.cpp
+++ b/cpp/src/Ice/ContextOpenSSLServer.cpp
@@ -39,15 +39,15 @@ IceSSL::OpenSSL::ServerContext::configure(const GeneralConfig& generalConfig,
// Always use a new DH key when using Diffie-Hellman key agreement.
SSL_CTX_set_options(_sslContext, SSL_OP_SINGLE_DH_USE);
- // Set the RSA Callback routine in case we need to build a temporary RSA key (ephemeral RSA).
+ // Set the RSA Callback routine in case we need to build a temporary (ephemeral) RSA key.
SSL_CTX_set_tmp_rsa_callback(_sslContext, tmpRSACallback);
- // Set the DH Callback routine in case we need a temporary DH key (ephemeral DH).
+ // Set the DH Callback routine in case we need a temporary (ephemeral) DH key.
SSL_CTX_set_tmp_dh_callback(_sslContext, tmpDHCallback);
loadCertificateAuthority(certificateAuthority);
- // Set the context for the SSL system [SERVER ONLY].
+ // Set the session context for the SSL system [SERVER ONLY].
std::string connectionContext = generalConfig.getContext();
SSL_CTX_set_session_id_context(_sslContext,
reinterpret_cast<const unsigned char *>(connectionContext.c_str()),
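Review bot: The return value of `SSL_CTX_set_session_id_context` is not checked; the call fails when the supplied context is longer than SSL_MAX_SSL_SESSION_ID_LENGTH (32 bytes), and since `connectionContext` comes straight from the config file's `context` attribute that limit is easy to exceed. With no session-id context set, OpenSSL refuses to resume sessions when client certificates are in use, so the failure would surface later as confusing handshake errors rather than at configuration time. Wrapping the call as `if (SSL_CTX_set_session_id_context(...) == 0)` and tracing `sslGetErrors()` (or throwing, as the CA loading below does not) at this point would catch it. The length argument and the rest of `configure()` are outside the hunk.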
@@ -118,24 +118,25 @@ IceSSL::OpenSSL::ServerContext::loadCertificateAuthority(const CertificateAuthor
std::string caFile = certAuth.getCAFileName();
- // TODO: Check this if things stop working
- if (!caFile.empty())
+ if (caFile.empty())
{
- STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str());
+ return;
+ }
- if (certNames == 0)
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- std::string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n";
- errorString += sslGetErrors();
- _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
- }
- }
- else
+ STACK_OF(X509_NAME)* certNames = SSL_load_client_CA_file(caFile.c_str());
+
+ if (certNames == 0)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
{
- SSL_CTX_set_client_CA_list(_sslContext, certNames);
+ std::string errorString = "Unable to load Certificate Authorities certificate names from " + caFile + ".\n";
+ errorString += sslGetErrors();
+ _logger->trace(_traceLevels->securityCat, "WRN " + errorString);
}
}
+ else
+ {
+ SSL_CTX_set_client_CA_list(_sslContext, certNames);
+ }
}
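Review bot: A failure in `SSL_load_client_CA_file` is reduced to a trace at SECURITY_WARNINGS level and `configure()` carries on, and the new early return for an empty `caFile` leaves no trace at all, so a server that was meant to request client certificates can start with no acceptable-CA list and nothing in the log to explain it. A one-line trace in the empty case, e.g. `"No Certificate Authority file configured; no client CA list will be sent."`, would make the condition visible, and the load failure is arguably a configuration error worth throwing on rather than warning. Note also that `SSL_CTX_set_client_CA_list` only sets the CA names advertised in the CertificateRequest; it does not add those CAs to the verify store, so client certificates will only chain if `SSL_CTX_load_verify_locations` (or equivalent) is called elsewhere — presumably in the base Context, which is not visible here and is worth confirming.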
diff --git a/cpp/src/Ice/ContextOpenSSLServer.h b/cpp/src/Ice/ContextOpenSSLServer.h
index e02c0af04ae..4b6716e5daa 100644
--- a/cpp/src/Ice/ContextOpenSSLServer.h
+++ b/cpp/src/Ice/ContextOpenSSLServer.h
@@ -21,16 +21,17 @@ namespace OpenSSL
class ServerContext : public Context
{
-
public:
+
virtual void configure(const IceSSL::GeneralConfig&,
const IceSSL::CertificateAuthority&,
const IceSSL::BaseCertificates&);
- // Takes a socket fd.
+ // Takes a socket fd as the first parameter.
virtual IceSSL::ConnectionPtr createConnection(int, const IceSSL::SystemInternalPtr&);
protected:
+
ServerContext(const IceInternal::InstancePtr&);
virtual void loadCertificateAuthority(const IceSSL::CertificateAuthority& certAuth);
diff --git a/cpp/src/Ice/DefaultCertificateVerifier.cpp b/cpp/src/Ice/DefaultCertificateVerifier.cpp
index 6a4f93bfef5..0bbf51c25cb 100644
--- a/cpp/src/Ice/DefaultCertificateVerifier.cpp
+++ b/cpp/src/Ice/DefaultCertificateVerifier.cpp
@@ -35,10 +35,11 @@ IceSSL::OpenSSL::DefaultCertificateVerifier::verify(int preVerifyOkay,
int errorDepth = X509_STORE_CTX_get_error_depth(x509StoreContext);
int verifyDepth = SSL_get_verify_depth(sslConnection);
- // Verify Depth was set
+ // A verify error has been encountered.
if (verifyError != X509_V_OK)
{
- // If we have no errors so far, and the certificate chain is too long
+ // We have a limited verify depth, and we have had to delve too deeply
+ // into the certificate chain to find an acceptable root certificate.
if ((verifyDepth != -1) && (verifyDepth < errorDepth))
{
verifyError = X509_V_ERR_CERT_CHAIN_TOO_LONG;
diff --git a/cpp/src/Ice/DefaultCertificateVerifier.h b/cpp/src/Ice/DefaultCertificateVerifier.h
index 70c96d35321..fae743f833e 100644
--- a/cpp/src/Ice/DefaultCertificateVerifier.h
+++ b/cpp/src/Ice/DefaultCertificateVerifier.h
@@ -25,13 +25,14 @@ namespace OpenSSL
class DefaultCertificateVerifier : public IceSSL::OpenSSL::CertificateVerifier
{
-
public:
+
DefaultCertificateVerifier(const IceInternal::InstancePtr&);
virtual int verify(int, X509_STORE_CTX*, SSL*);
private:
+
IceInternal::TraceLevelsPtr _traceLevels;
Ice::LoggerPtr _logger;
};
diff --git a/cpp/src/Ice/GeneralConfig.cpp b/cpp/src/Ice/GeneralConfig.cpp
index 2a00718c649..24de463101e 100644
--- a/cpp/src/Ice/GeneralConfig.cpp
+++ b/cpp/src/Ice/GeneralConfig.cpp
@@ -29,7 +29,9 @@ IceSSL::GeneralConfig::GeneralConfig()
_sslVersion = SSL_V23;
_verifyMode = SSL_VERIFY_NONE;
- _verifyDepth = 10;
+
+ // Unlimited verifcation depth.
+ _verifyDepth = -1;
_context = "";
_cipherList = "";
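Review bot: Changing the default verify depth from 10 to -1 removes the bound on how long a peer's certificate chain may be, and "unlimited" is not obviously what OpenSSL does with a negative value passed to `SSL_CTX_set_verify_depth` — older releases substitute their own internal default rather than disabling the check, so the comment may describe intent rather than behaviour. `DefaultCertificateVerifier::verify` in this same commit special-cases -1 to skip its own depth comparison, so the two pieces agree with each other, but a finite default (the previous 10 was generous) costs nothing and keeps a cap on path-building work for hostile chains. Whatever value is kept, the comment has a typo and should name the sentinel: `// -1 disables the local chain-depth check in DefaultCertificateVerifier.` The `_verifyMode = SSL_VERIFY_NONE` default just above also deserves a note that peers are unauthenticated until the config sets a verify mode.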
diff --git a/cpp/src/Ice/GeneralConfig.h b/cpp/src/Ice/GeneralConfig.h
index 35617612066..228504dbebf 100644
--- a/cpp/src/Ice/GeneralConfig.h
+++ b/cpp/src/Ice/GeneralConfig.h
@@ -19,8 +19,8 @@ namespace IceSSL
class GeneralConfig
{
+public:
-public:
GeneralConfig();
SslProtocol getProtocol() const;
diff --git a/cpp/src/Ice/OpenSSLJanitors.h b/cpp/src/Ice/OpenSSLJanitors.h
index 8aed62dac54..1140d2bc6c7 100644
--- a/cpp/src/Ice/OpenSSLJanitors.h
+++ b/cpp/src/Ice/OpenSSLJanitors.h
@@ -23,6 +23,7 @@ namespace OpenSSL
class RSAJanitor
{
public:
+
RSAJanitor(RSA*);
~RSAJanitor();
@@ -30,12 +31,14 @@ public:
RSA* get() const;
private:
+
RSA* _rsa;
};
class EVP_PKEYJanitor
{
public:
+
EVP_PKEYJanitor(EVP_PKEY*);
~EVP_PKEYJanitor();
@@ -43,12 +46,14 @@ public:
EVP_PKEY* get() const;
private:
+
EVP_PKEY* _evp_pkey;
};
class X509_REQJanitor
{
public:
+
X509_REQJanitor(X509_REQ*);
~X509_REQJanitor();
@@ -56,12 +61,14 @@ public:
X509_REQ* get() const;
private:
+
X509_REQ* _x509_req;
};
class X509Janitor
{
public:
+
X509Janitor(X509*);
~X509Janitor();
@@ -69,12 +76,14 @@ public:
X509* get() const;
private:
+
X509* _x509;
};
class BIOJanitor
{
public:
+
BIOJanitor(BIO*);
~BIOJanitor();
@@ -82,6 +91,7 @@ public:
BIO* get() const;
private:
+
BIO* _bio;
};
diff --git a/cpp/src/Ice/OpenSSLUtils.cpp b/cpp/src/Ice/OpenSSLUtils.cpp
index 3f9b29a57be..132778e4078 100644
--- a/cpp/src/Ice/OpenSSLUtils.cpp
+++ b/cpp/src/Ice/OpenSSLUtils.cpp
@@ -12,17 +12,13 @@
#include <Ice/SystemInternalF.h>
#include <Ice/SystemOpenSSL.h>
#include <Ice/SslFactory.h>
+#include <IceUtil/Mutex.h>
#include <openssl/err.h>
#include <assert.h>
using std::string;
//
-// NOTE: The following (mon, getGeneralizedTime, getUTCTime and getASN1time are routines that
-// have been abducted from the OpenSSL X509 library, and modified to work with the STL
-// basic_string template.
-
-//
// TODO: These Diffie-Hellman params have been blatantly stolen from
// OpenSSL's demo programs. We SHOULD define our own here, but
// these will suffice for testing purposes. Please note, these
@@ -46,6 +42,14 @@ unsigned char tempDiffieHellman512g[] =
0x02,
};
+// Ensures that the sslGetErrors() function is synchronized.
+static ::IceUtil::Mutex sslErrorsMutex;
+
+//
+// NOTE: The following (mon, getGeneralizedTime, getUTCTime and getASN1time)
+// are routines that have been abducted from the OpenSSL X509 library,
+// and modified to work with the STL basic_string template.
+
static const char *mon[12]=
{
"Jan","Feb","Mar","Apr","May","Jun",
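Review bot: The hard-coded `tempDiffieHellman512g` group (with the matching prime just above the hunk) is a 512-bit Diffie-Hellman parameter set copied from the OpenSSL demos, and the TODO a few lines up already concedes it is only there for testing; a 512-bit group is export-grade and within reach of offline attack, so it should not remain the ephemeral-DH fallback handed out by `getTempDH512` in a shipped build. Either generate project-owned parameters of at least 1024 bits (2048 preferred) or have the DH callback refuse to serve anything below that unless the configured cipher list explicitly enables export ciphers. The comment block could be made to say so directly: `// TODO: 512-bit group is export-strength; replace with generated >=1024-bit params before release.` The new `sslErrorsMutex` is fine as far as it goes, but since OpenSSL's error queue is per-thread once the thread callbacks are installed, the lock only matters for state inside `sslGetErrors()` itself, whose body is outside this hunk.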
@@ -178,16 +182,19 @@ IceSSL::OpenSSL::getASN1time(ASN1_TIME *tm)
case V_ASN1_UTCTIME :
{
theTime = getUTCTime(tm);
+ break;
}
case V_ASN1_GENERALIZEDTIME :
{
theTime = getGeneralizedTime(tm);
+ break;
}
default :
{
theTime = "Bad time value";
+ break;
}
}
@@ -200,15 +207,11 @@ IceSSL::OpenSSL::loadDHParam(const char* dhfile)
assert(dhfile != 0);
DH* ret = 0;
- BIO* bio;
-
- if ((bio = BIO_new_file(dhfile,"r")) != 0)
- {
- ret = PEM_read_bio_DHparams(bio, 0, 0, 0);
- }
+ BIO* bio = BIO_new_file(dhfile,"r");
if (bio != 0)
{
+ ret = PEM_read_bio_DHparams(bio, 0, 0, 0);
BIO_free(bio);
}
@@ -221,9 +224,9 @@ IceSSL::OpenSSL::getTempDH(unsigned char* p, int plen, unsigned char* g, int gle
assert(p != 0);
assert(g != 0);
- DH* dh = 0;
+ DH* dh = DH_new();
- if ((dh = DH_new()) != 0)
+ if (dh != 0)
{
dh->p = BN_bin2bn(p, plen, 0);
@@ -251,6 +254,8 @@ IceSSL::OpenSSL::getTempDH512()
string
IceSSL::OpenSSL::sslGetErrors()
{
+ IceUtil::Mutex::Lock sync(sslErrorsMutex);
+
string errorMessage;
char buf[200];
char bigBuffer[1024];
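Review bot: The lock added at the top of sslGetErrors() guards nothing that is visible: the locals below it are stack buffers, and OpenSSL keeps its error queue per thread (selected through the thread-id callback), so serialising callers does not change which errors a given thread drains. If the mutex exists for a shared buffer or for an ERR_error_string() call without a caller-supplied buffer further down, the comment on `sslErrorsMutex` should say so; `// Ensures that the sslGetErrors() function is synchronized.` states the mechanism, not the reason. The body of sslGetErrors continues outside the hunk.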
@@ -346,21 +351,7 @@ verifyCallback(int ok, X509_STORE_CTX* ctx)
assert(connection != 0);
// Call the connection, get it to perform the verification.
- int retCode = connection->verifyCertificate(ok, ctx);
-
- return retCode;
-}
-
-// TODO: This is a complete hack to get this working again with the CA certificate.
-// Of course, this will have to be rewritten to handle this in the same manner
-// as the verifyCallback does.
-// -ASN
-int
-passwordCallback(char* buffer, int bufferSize, int rwFlag, void* userData)
-{
- strncpy(buffer, "demo", bufferSize);
- buffer[bufferSize - 1] = '\0';
- return strlen(buffer);
+ return connection->verifyCertificate(ok, ctx);
}
}
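Review bot: `assert(connection != 0)` is the only guard before the new `return connection->verifyCertificate(ok, ctx);`, and it compiles out under NDEBUG, so a lookup miss becomes a null dereference inside a callback invoked by OpenSSL. For a verification callback the safe failure is to reject: `if (connection == 0) { return 0; }` ahead of the return keeps the assert for debug builds and fails closed in release builds. The lookup that produces `connection` is outside the hunk.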
diff --git a/cpp/src/Ice/OpenSSLUtils.h b/cpp/src/Ice/OpenSSLUtils.h
index 197f424b9fd..45307cce044 100644
--- a/cpp/src/Ice/OpenSSLUtils.h
+++ b/cpp/src/Ice/OpenSSLUtils.h
@@ -17,8 +17,6 @@ namespace IceSSL
namespace OpenSSL
{
-extern int connectionIndex;
-
std::string getGeneralizedTime(ASN1_GENERALIZEDTIME*);
std::string getUTCTime(ASN1_UTCTIME*);
diff --git a/cpp/src/Ice/RSACertificateGen.cpp b/cpp/src/Ice/RSACertificateGen.cpp
index 4eac9363f96..59efe44af32 100644
--- a/cpp/src/Ice/RSACertificateGen.cpp
+++ b/cpp/src/Ice/RSACertificateGen.cpp
@@ -202,7 +202,6 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con
assert(rsaKeyPair != 0);
- // Do this if we already have an RSA*
EVP_PKEYJanitor evpPkeyJanitor(EVP_PKEY_new());
EVP_PKEY* pkey = evpPkeyJanitor.get();
assert(pkey != 0);
@@ -220,7 +219,7 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con
X509* x509SelfSigned = x509Janitor.get();
assert(x509SelfSigned != 0);
- // Set version to V3
+ // Set version to V3.
assert(X509_set_version(x509SelfSigned, 2) != 0);
ASN1_INTEGER_set(X509_get_serialNumber(x509SelfSigned), 0);
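Review bot: `assert(X509_set_version(x509SelfSigned, 2) != 0);` performs the version set inside the assert, so an NDEBUG build never calls it and the certificate goes out as v1, directly under the comment this hunk reworded to `// Set version to V3.`. Pull the call out of the assert: `if (X509_set_version(x509SelfSigned, 2) == 0) { throw IceSSL::CertificateSigningException(__FILE__, __LINE__); }` (or whichever exception the generator uses for setup failures). The serial number on the next line is hard-coded to 0, which every certificate from this generator then shares; generate() continues outside the hunk.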
@@ -232,11 +231,11 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con
// X509_NAME* subjectName = X509_REQ_get_subject_name(signingRequest);
struct X509_name_st* subjectName = X509_REQ_get_subject_name(signingRequest);
- // Set valid time period
+ // Set valid time period.
X509_gmtime_adj(X509_get_notBefore(x509SelfSigned), 0);
X509_gmtime_adj(X509_get_notAfter(x509SelfSigned), context.getSecondsValid());
- // Set up subject/issuer name
+ // Set up subject/issuer Distinguished Name (DN).
X509_NAME_add_entry_by_txt(subjectName, "C", MBSTRING_ASC, context.getCountry(), -1, -1, 0);
X509_NAME_add_entry_by_txt(subjectName, "ST", MBSTRING_ASC, context.getStateProvince(), -1, -1, 0);
X509_NAME_add_entry_by_txt(subjectName, "L", MBSTRING_ASC, context.getLocality(), -1, -1, 0);
@@ -251,26 +250,26 @@ IceSSL::OpenSSL::RSACertificateGen::generate(const RSACertificateGenContext& con
// Set the public key in the self signed certificate from the request.
X509_set_pubkey(x509SelfSigned, pkey);
- // Sign the public key using an MD5 digest
+ // Sign the public key using an MD5 digest.
if (!X509_sign(x509SelfSigned, pkey, EVP_md5()))
{
throw IceSSL::CertificateSigningException(__FILE__, __LINE__);
}
- // Verify the Signature (paranoia)
+ // Verify the Signature (paranoia).
if (!X509_REQ_verify(signingRequest, pkey))
{
throw IceSSL::CertificateSignatureException(__FILE__, __LINE__);
}
- // Nasty Hack: Getting the pkey to let go of our rsaKeyPair - we own that.
+ // Nasty Hack: Getting the pkey to let go of our rsaKeyPair - we own that now.
pkey->pkey.ptr = 0;
RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaKeyPair);
RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509SelfSigned);
RSAKeyPair* keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
- // Don't let them clean up, we're keeping those around.
+ // Do not let the janitors clean up, we're keeping the keys for ourselves.
rsaJanitor.clear();
x509Janitor.clear();
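Review bot: The comment at `// Sign the public key using an MD5 digest.` was polished, but the `X509_sign(x509SelfSigned, pkey, EVP_md5())` beneath it still signs with MD5, which is not collision-resistant and is rejected by current verifiers; a SHA-family digest (`EVP_sha1()` at minimum, or a SHA-2 digest where the linked OpenSSL provides one) should be used for anything beyond the testing purpose these files describe. The "paranoia" check that follows verifies the request's signature (`X509_REQ_verify`), not the certificate just signed; if the intent is to check the new signature, `X509_verify(x509SelfSigned, pkey)` is the matching call, and the comment should say which of the two is meant. generate() continues outside the hunk.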
@@ -283,8 +282,8 @@ IceSSL::OpenSSL::RSACertificateGen::loadKeyPair(const std::string& keyFile, cons
//
// Read in the X509 Certificate Structure
//
- BIO* certBIO = BIO_new_file(certFile.c_str(), "r");
- if (certBIO == 0)
+ BIOJanitor certBIO(BIO_new_file(certFile.c_str(), "r"));
+ if (certBIO.get() == 0)
{
IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
@@ -296,14 +295,25 @@ IceSSL::OpenSSL::RSACertificateGen::loadKeyPair(const std::string& keyFile, cons
throw certLoadEx;
}
- X509Janitor x509Janitor(PEM_read_bio_X509(certBIO, 0, 0, 0));
- BIO_free(certBIO);
+ X509Janitor x509Janitor(PEM_read_bio_X509(certBIO.get(), 0, 0, 0));
+
+ if (x509Janitor.get() == 0)
+ {
+ IceSSL::OpenSSL::CertificateLoadException certLoadEx(__FILE__, __LINE__);
+
+ certLoadEx._message = "Unable to load certificate from '";
+ certLoadEx._message += certFile;
+ certLoadEx._message += "'\n";
+ certLoadEx._message += sslGetErrors();
+
+ throw certLoadEx;
+ }
//
// Read in the RSA Private Key Structure
//
- BIO* keyBIO = BIO_new_file(keyFile.c_str(), "r");
- if (keyBIO == 0)
+ BIOJanitor keyBIO(BIO_new_file(keyFile.c_str(), "r"));
+ if (keyBIO.get() == 0)
{
IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
@@ -315,18 +325,28 @@ IceSSL::OpenSSL::RSACertificateGen::loadKeyPair(const std::string& keyFile, cons
throw pklEx;
}
- RSAJanitor rsaJanitor(PEM_read_bio_RSAPrivateKey(keyBIO, 0, 0, 0));
- BIO_free(keyBIO);
+ RSAJanitor rsaJanitor(PEM_read_bio_RSAPrivateKey(keyBIO.get(), 0, 0, 0));
+
+ if (rsaJanitor.get() == 0)
+ {
+ IceSSL::OpenSSL::PrivateKeyLoadException pklEx(__FILE__, __LINE__);
+
+ pklEx._message = "Unable to load private key from '";
+ pklEx._message += keyFile;
+ pklEx._message += "'\n";
+ pklEx._message += sslGetErrors();
+
+ throw pklEx;
+ }
//
// Construct our RSAKeyPair
//
-
RSAPrivateKeyPtr privKeyPtr = new RSAPrivateKey(rsaJanitor.get());
RSAPublicKeyPtr pubKeyPtr = new RSAPublicKey(x509Janitor.get());
- RSAKeyPair* keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
+ RSAKeyPairPtr keyPairPtr = new RSAKeyPair(privKeyPtr, pubKeyPtr);
- // Don't let them clean up, we're keeping those around.
+ // Do not let the janitors clean up, we're keeping these keys.
rsaJanitor.clear();
x509Janitor.clear();
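Review bot: After both new load checks pass, nothing verifies that the private key in `keyFile` actually belongs to the certificate in `certFile`; a mismatched pair is wrapped into the RSAKeyPair and only surfaces later as a handshake failure with no pointer to the cause. OpenSSL's `X509_check_private_key()` does this check given an EVP_PKEY wrapping the RSA key, and an exception message in the same style as the two added here (`"Certificate '...' does not match private key '...'"`) would make the failure self-explanatory. The tail of loadKeyPair is outside the hunk.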
diff --git a/cpp/src/Ice/SingleCertificateVerifier.cpp b/cpp/src/Ice/SingleCertificateVerifier.cpp
index e00590ef4cb..9b76e44aa26 100644
--- a/cpp/src/Ice/SingleCertificateVerifier.cpp
+++ b/cpp/src/Ice/SingleCertificateVerifier.cpp
@@ -9,6 +9,7 @@
// **********************************************************************
#include <Ice/SingleCertificateVerifier.h>
+#include <Ice/SslIceUtils.h>
#include <openssl/err.h>
#include <algorithm>
#include <iostream>
@@ -28,7 +29,7 @@ IceSSL::OpenSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
{
// Short circuit - if the peer cert wasn't good enough for OpenSSL,
// it's not good enough for us to bother checking.
- if (preVerifyOkay != 1)
+ if (preVerifyOkay == 0)
{
return preVerifyOkay;
}
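Review bot: Changing the short-circuit from `preVerifyOkay != 1` to `preVerifyOkay == 0` widens what reaches the custom comparison: any non-zero value other than 1 used to be passed straight back and now goes through the verifier's own logic. OpenSSL only ever passes 0 or 1 here, so the behaviour is the same in practice, but `!= 1` was the fail-closed spelling and costs nothing; if the relaxation is deliberate, a comment on that line should say why. verify() continues outside the hunk.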
@@ -96,7 +97,7 @@ IceSSL::OpenSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
return preVerifyOkay;
}
-
+
ByteSeq
IceSSL::OpenSSL::SingleCertificateVerifier::toByteSeq(X509* certificate)
{
@@ -109,7 +110,7 @@ IceSSL::OpenSSL::SingleCertificateVerifier::toByteSeq(X509* certificate)
i2d_X509(certificate, &certPtr);
// Yet another conversion to a ByteSeq (easy comparison this way).
- copy(certBuffer, (certBuffer + certSize), back_inserter(certByteSeq));
+ IceSSL::ucharToByteSeq(certBuffer, certSize, certByteSeq);
delete []certBuffer;
return certByteSeq;
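Review bot: The return value of `i2d_X509(certificate, &certPtr)` on the line above the new `ucharToByteSeq` call is discarded, so `certSize` (computed before the hunk, presumably by a length-only i2d_X509 call) is trusted to match what was actually written. Capture and compare it, `int written = i2d_X509(certificate, &certPtr); if (written != certSize) { /* treat as a load failure */ }`, before converting, so an encoding error cannot produce a truncated or partly uninitialised ByteSeq that is then compared against `_publicKey`. The allocation of `certBuffer` is outside the hunk.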
diff --git a/cpp/src/Ice/SingleCertificateVerifier.h b/cpp/src/Ice/SingleCertificateVerifier.h
index 662206ec5ad..fe3ec7d152a 100644
--- a/cpp/src/Ice/SingleCertificateVerifier.h
+++ b/cpp/src/Ice/SingleCertificateVerifier.h
@@ -22,14 +22,16 @@ namespace OpenSSL
class SingleCertificateVerifier : public IceSSL::OpenSSL::CertificateVerifier
{
-public:
+public:
+
SingleCertificateVerifier(const Ice::ByteSeq&);
virtual int verify(int, X509_STORE_CTX*, SSL*);
- Ice::ByteSeq toByteSeq(X509* certificate);
+ Ice::ByteSeq toByteSeq(X509*);
+
+protected:
-protected:
Ice::ByteSeq _publicKey;
};
diff --git a/cpp/src/Ice/SslAcceptor.cpp b/cpp/src/Ice/SslAcceptor.cpp
index 0d6ddb8ce41..4d7aadd8eee 100644
--- a/cpp/src/Ice/SslAcceptor.cpp
+++ b/cpp/src/Ice/SslAcceptor.cpp
@@ -105,7 +105,7 @@ IceInternal::SslAcceptor::accept(int timeout)
_logger->trace(_traceLevels->networkCat, s.str());
}
- // Get an instance of the SslSystem
+ // Get an instance of the SslSystem.
SystemInternalPtr sslSystem = _instance->getSslSystem();
assert(sslSystem != 0);
diff --git a/cpp/src/Ice/SslConnection.h b/cpp/src/Ice/SslConnection.h
index a225362816f..fe77bb45ff0 100644
--- a/cpp/src/Ice/SslConnection.h
+++ b/cpp/src/Ice/SslConnection.h
@@ -23,7 +23,8 @@ namespace IceSSL
class Connection : public IceUtil::Shared
{
-public:
+public:
+
Connection(const IceInternal::TraceLevelsPtr&,
const Ice::LoggerPtr&,
const IceSSL::CertificateVerifierPtr&);
@@ -34,7 +35,8 @@ public:
virtual int read(IceInternal::Buffer&, int) = 0;
virtual int write(IceInternal::Buffer&, int) = 0;
-protected:
+protected:
+
IceInternal::TraceLevelsPtr _traceLevels;
Ice::LoggerPtr _logger;
CertificateVerifierPtr _certificateVerifier;
diff --git a/cpp/src/Ice/SslConnectionOpenSSL.cpp b/cpp/src/Ice/SslConnectionOpenSSL.cpp
index cb4c9219717..7aa05a185f7 100644
--- a/cpp/src/Ice/SslConnectionOpenSSL.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSL.cpp
@@ -69,14 +69,13 @@ void ::IceInternal::decRef(::IceSSL::OpenSSL::Connection* p) { p->__decRef(); }
// but unfortunately, it appears that this is not properly picked up.
//
-IceSSL::OpenSSL::Connection::Connection(
- const IceInternal::TraceLevelsPtr& traceLevels,
- const Ice::LoggerPtr& logger,
- const IceSSL::CertificateVerifierPtr& certificateVerifier,
- SSL* sslConnection,
- const IceSSL::SystemInternalPtr& system) :
- IceSSL::Connection(traceLevels, logger, certificateVerifier),
- _sslConnection(sslConnection)
+IceSSL::OpenSSL::Connection::Connection(const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const IceSSL::CertificateVerifierPtr& certificateVerifier,
+ SSL* sslConnection,
+ const IceSSL::SystemInternalPtr& system) :
+ IceSSL::Connection(traceLevels, logger, certificateVerifier),
+ _sslConnection(sslConnection)
{
assert(_sslConnection != 0);
assert(system != 0);
@@ -109,32 +108,35 @@ IceSSL::OpenSSL::Connection::~Connection()
void
IceSSL::OpenSSL::Connection::shutdown()
{
- if (_sslConnection != 0)
- {
- if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
- {
- _logger->trace(_traceLevels->securityCat, "WRN " +
- string("shutting down SSL connection\n") +
- fdToString(SSL_get_fd(_sslConnection)));
- }
+ if (_sslConnection == 0)
+ {
+ return;
+ }
+
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ _logger->trace(_traceLevels->securityCat, "WRN " +
+ string("shutting down SSL connection\n") +
+ fdToString(SSL_get_fd(_sslConnection)));
+ }
- int shutdown = 0;
- int retries = 100;
+ int shutdown = 0;
+ int numRetries = 100;
+ int retries = -numRetries;
- do
- {
- shutdown = SSL_shutdown(_sslConnection);
- retries--;
- }
- while ((shutdown == 0) && (retries > 0));
+ do
+ {
+ shutdown = SSL_shutdown(_sslConnection);
+ retries++;
+ }
+ while ((shutdown == 0) && (retries < 0));
- if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) && (shutdown <= 0))
- {
- ostringstream s;
- s << "SSL shutdown failure encountered: code[" << shutdown << "] retries[";
- s << retries << "]\n" << fdToString(SSL_get_fd(_sslConnection));
- _logger->trace(_traceLevels->securityCat, s.str());
- }
+ if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) && (shutdown <= 0))
+ {
+ ostringstream s;
+ s << "SSL shutdown failure encountered: code[" << shutdown << "] retries[";
+ s << (retries + numRetries) << "]\n" << fdToString(SSL_get_fd(_sslConnection));
+ _logger->trace(_traceLevels->securityCat, s.str());
}
}
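Review bot: The rewritten retry counter runs from `-numRetries` up to 0 and then adds `numRetries` back for the trace, which is harder to follow than the loop it replaces; a plain attempt counter gives the same bound and logs the real number directly. The local `int shutdown` also shadows the member function `shutdown()` it lives in, so renaming it while restructuring is cheap. Independently of the rewrite, the loop re-calls `SSL_shutdown()` back-to-back with no wait on the socket, so on a non-blocking connection a slow peer's close_notify is unlikely to arrive within 100 immediate retries — worth confirming against how `_sslConnection` is configured, which is outside the hunk.
```cpp
    int shutdownStatus = 0;
    int numRetries = 100;
    int attempts = 0;

    do
    {
        shutdownStatus = SSL_shutdown(_sslConnection);
        attempts++;
    }
    while ((shutdownStatus == 0) && (attempts < numRetries));

    if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL) && (shutdownStatus <= 0))
    {
        ostringstream s;
        s << "SSL shutdown failure encountered: code[" << shutdownStatus << "] retries[";
        s << attempts << "]\n" << fdToString(SSL_get_fd(_sslConnection));
        _logger->trace(_traceLevels->securityCat, s.str());
    }
```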
@@ -171,14 +173,31 @@ IceSSL::OpenSSL::Connection::verifyCertificate(int preVerifyOkay, X509_STORE_CTX
assert(_certificateVerifier.get() != 0);
// Get the verifier, make sure it is for OpenSSL connections
- IceSSL::OpenSSL::CertificateVerifier* verifier;
+ IceSSL::OpenSSL::CertificateVerifierPtr verifier;
verifier = dynamic_cast<IceSSL::OpenSSL::CertificateVerifier*>(_certificateVerifier.get());
// Check to make sure we have a proper verifier for the operation.
if (verifier)
{
- // Use the verifier to verify the certificate
- preVerifyOkay = verifier->verify(preVerifyOkay, x509StoreContext, _sslConnection);
+ // Use the verifier to verify the certificate
+ try
+ {
+ preVerifyOkay = verifier->verify(preVerifyOkay, x509StoreContext, _sslConnection);
+ }
+ catch (const Ice::LocalException& localEx)
+ {
+ if (_traceLevels->security >= IceSSL::SECURITY_WARNINGS)
+ {
+ ostringstream s;
+
+ s << "WRN Exception during certificate verification: " << std::endl;
+ s << localEx << flush;
+
+ _logger->trace(_traceLevels->securityCat, s.str());
+ }
+
+ preVerifyOkay = 0;
+ }
}
else
{
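Review bot: Only `Ice::LocalException` is caught around `verifier->verify(...)`; the verifier is a pluggable `CertificateVerifierPtr`, and any other exception it throws (a `std::exception`, an Ice user exception, or anything else) still propagates out through verifyCallback into OpenSSL's C verification machinery, which cannot unwind it. A final `catch (...)` that traces at the same level and sets `preVerifyOkay = 0;` makes an unexpected failure in a verifier reject the peer instead of taking down the process. The `else` branch and the method's return are outside the hunk.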
@@ -324,71 +343,6 @@ IceSSL::OpenSSL::Connection::sslWrite(char* buffer, int bufferSize)
return bytesWritten;
}
-// protocolWrite()
-//
-// The entire purpose of this strange little routine is to provide OpenSSL with a
-// SSL_write() when they request one (this is for handshaking purposes). It writes
-// nothing at all. Its entire purpose is jut to call the SSL_write() through one.
-// of our defined methods. The SSL_write() will end up only writing protocol handshake
-// packets, not application packets. This looks wierd, but it is essentially what
-// the demo programs are doing, so I feel okay copying them. The only reason that I
-// have defined the buffer[] array is so that I have a valid buffer pointer.
-/*
-void
-IceSSL::OpenSSL::Connection::protocolWrite()
-{
- static char buffer[10];
-
- memset(buffer, 0, sizeof(buffer));
-
- // Note: We should be calling the write(char*,int) method here,
- // not the write(Buffer&,int) method. If things start acting
- // strangely, check this!
- sslWrite(buffer,0);
-}
-*/
-
-int
-IceSSL::OpenSSL::Connection::readInBuffer(Buffer& buf)
-{
- IceUtil::Mutex::Lock sync(_inBufferMutex);
-
- int bytesRead = 0;
-
- if (!_inBuffer.b.empty())
- {
- // Just how big is the destination?
- int bufferSize = buf.b.end() - buf.i;
-
- // And how much do we have in our _inBuffer to copy?
- int inBufferSize = _inBuffer.i - _inBuffer.b.begin();
-
- // Select how many bytes we can handle.
- bytesRead = min(bufferSize, inBufferSize);
-
- // Iterators that indicate how much of the _inBuffer we're going to copy
- Buffer::Container::iterator inBufferBegin = _inBuffer.b.begin();
- Buffer::Container::iterator inBufferEndAt = (_inBuffer.b.begin() + bytesRead);
-
- // Copy over the bytes from the _inBuffer to our destination buffer
- buf.i = copy(inBufferBegin, inBufferEndAt, buf.i);
-
- // Erase the data that we've copied out of the _inBuffer.
- _inBuffer.b.erase(inBufferBegin, inBufferEndAt);
-
- if (_traceLevels->security >= IceSSL::SECURITY_PROTOCOL)
- {
- ostringstream protocolMsg;
- protocolMsg << "Copied " << dec << bytesRead << " bytes from SSL buffer\n";
- protocolMsg << fdToString(SSL_get_fd(_sslConnection));
-
- _logger->trace(_traceLevels->securityCat, protocolMsg.str());
- }
- }
-
- return bytesRead;
-}
-
int
IceSSL::OpenSSL::Connection::select(int timeout, bool write)
{
@@ -464,7 +418,7 @@ IceSSL::OpenSSL::Connection::writeSelect(int timeout)
}
int
-IceSSL::OpenSSL::Connection::readSSL(Buffer& buf, int timeout)
+IceSSL::OpenSSL::Connection::read(Buffer& buf, int timeout)
{
int packetSize = buf.b.end() - buf.i;
int totalBytesRead = 0;
@@ -542,26 +496,7 @@ IceSSL::OpenSSL::Connection::readSSL(Buffer& buf, int timeout)
}
case SSL_ERROR_WANT_WRITE:
- {
- // TODO: This can most likely be removed.
-
- // If we get this error here, it HAS to be because the protocol wants
- // to do something handshake related. As such, We're going to call
- // write with an empty buffer. I've seen this done in the demo
- // programs, so this should be valid. No actual application data
- // will be sent, just protocol packets.
- // protocolWrite();
- continue;
- }
-
case SSL_ERROR_WANT_READ:
- {
- // Repeat with the same arguments! (as in the OpenSSL documentation)
- // Whatever happened, the last read didn't actually read anything for
- // us. This is effectively a retry.
- continue;
- }
-
case SSL_ERROR_WANT_X509_LOOKUP:
{
// Perform another read. The read should take care of this.
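Review bot: Folding `SSL_ERROR_WANT_WRITE` and `SSL_ERROR_WANT_READ` into the `SSL_ERROR_WANT_X509_LOOKUP` case leaves that case's comment, `// Perform another read. The read should take care of this.`, as the only explanation for all three, and for WANT_WRITE it is wrong: the retry must wait for the socket to become writable, not readable. If the loop head already selects before the next SSL_read, say so in that comment; otherwise the write-wanted case needs its own wait. The same fold appears in ClientConnection::write() and ServerConnection::write(), where the removed comments were the only record of why WANT_READ and WANT_X509_LOOKUP are ignored during a write; a one-line replacement there, `// WANT_READ/WANT_X509_LOOKUP during a write: retry, the handshake state advances on the next call.`, would keep that knowledge. read() continues outside the hunk.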
@@ -724,23 +659,22 @@ IceSSL::OpenSSL::Connection::showSharedCiphers(BIO* bio)
assert(bio != 0);
char buffer[4096];
- char* strpointer = 0;
+ char* strPointer = 0;
- if ((strpointer = SSL_get_shared_ciphers(_sslConnection, buffer, sizeof(buffer))) != 0)
+ if ((strPointer = SSL_get_shared_ciphers(_sslConnection, buffer, sizeof(buffer))) != 0)
{
- // This works only for SSL 2. In later protocol
- // versions, the client does not know what other
- // ciphers (in addition to the one to be used
- // in the current connection) the server supports.
+ // This works only for SSL 2. In later protocol versions, the client does not know
+ // what other ciphers (in addition to the one to be used in the current connection)
+ // the server supports.
BIO_printf(bio, "---\nShared Ciphers:\n");
int j = 0;
int i = 0;
- while (*strpointer)
+ while (*strPointer)
{
- if (*strpointer == ':')
+ if (*strPointer == ':')
{
BIO_write(bio, " ", (15-j%25));
i++;
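Review bot: `BIO_write(bio, " ", (15-j%25));` in the context of the renamed loop asks BIO_write for up to 15 bytes from what is rendered here as a one-character literal; if the literal really is `" "` and not a run of spaces lost in rendering, that is an out-of-bounds read of the string constant on every ':' separator. The OpenSSL sample this was adapted from pads with a literal of many spaces, so the actual source should be checked and, if it is short, widened to at least 15 characters. The rest of the loop body is in the next hunk and unchanged in substance.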
@@ -749,11 +683,11 @@ IceSSL::OpenSSL::Connection::showSharedCiphers(BIO* bio)
}
else
{
- BIO_write(bio, strpointer, 1);
+ BIO_write(bio, strPointer, 1);
j++;
}
- strpointer++;
+ strPointer++;
}
BIO_write(bio,"\n",1);
diff --git a/cpp/src/Ice/SslConnectionOpenSSL.h b/cpp/src/Ice/SslConnectionOpenSSL.h
index 8c7e45774c0..929ca453c1d 100644
--- a/cpp/src/Ice/SslConnectionOpenSSL.h
+++ b/cpp/src/Ice/SslConnectionOpenSSL.h
@@ -27,7 +27,8 @@ namespace OpenSSL
class SafeFlag
{
-public:
+public:
+
SafeFlag(bool flagVal = false)
{
_flag = flagVal;
@@ -71,6 +72,7 @@ public:
}
private:
+
::IceUtil::Mutex _mutex;
bool _flag;
};
@@ -124,7 +126,7 @@ public:
virtual void shutdown();
- virtual int read(IceInternal::Buffer&, int) = 0;
+ virtual int read(IceInternal::Buffer&, int);
virtual int write(IceInternal::Buffer&, int) = 0;
virtual int init(int timeout = 0) = 0;
@@ -149,19 +151,12 @@ protected:
int sslRead(char*, int);
int sslWrite(char*, int);
-// void protocolWrite();
-
- int readInBuffer(IceInternal::Buffer&);
-
int select(int, bool);
int readSelect(int);
int writeSelect(int);
int readSSL(IceInternal::Buffer&, int);
- // Retrieves errors from the OpenSSL library.
-// std::string sslGetErrors();
-
static void addConnection(SSL*, Connection*);
static void removeConnection(SSL*);
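Review bot: `int readSSL(IceInternal::Buffer&, int);` is still declared in the protected section, but the commit renames its definition in SslConnectionOpenSSL.cpp to `Connection::read`, so the declaration now has no body and is dead; drop it alongside the other removals in this hunk. `read` was made non-pure in the hunk above but nothing says it is now the shared implementation for both ClientConnection and ServerConnection (whose own `read` overrides this commit deletes); a one-line note there, `// Shared read path; subclasses override only write() and init().`, would explain the asymmetry. The class body continues outside the hunk.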
@@ -185,12 +180,6 @@ protected:
int _lastError;
- // TODO: Review this after a healthy stint of testing
- // Buffer for application data that may be returned during handshake
- // (probably won't contain anything, may be removed later).
- ::IceInternal::Buffer _inBuffer;
- ::IceUtil::Mutex _inBufferMutex;
-
::IceUtil::Mutex _handshakeWaitMutex;
// IceInternal::TraceLevelsPtr _traceLevels;
diff --git a/cpp/src/Ice/SslConnectionOpenSSLClient.cpp b/cpp/src/Ice/SslConnectionOpenSSLClient.cpp
index 519ca3f9d7f..328d9d6a5e1 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLClient.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSLClient.cpp
@@ -13,7 +13,8 @@
#include <Ice/OpenSSLUtils.h>
#include <Ice/Network.h>
#include <Ice/OpenSSL.h>
-#include <Ice/SslException.h>
+#include <Ice/SslException.h>
+#include <Ice/OpenSSLJanitors.h>
#include <Ice/SslConnectionOpenSSLClient.h>
#include <Ice/TraceLevels.h>
@@ -45,13 +46,12 @@ using std::dec;
// but unfortunately, it appears that this is not properly picked up.
//
-IceSSL::OpenSSL::ClientConnection::ClientConnection(
- const IceInternal::TraceLevelsPtr& traceLevels,
- const Ice::LoggerPtr& logger,
- const IceSSL::CertificateVerifierPtr& certificateVerifier,
- SSL* connection,
- const IceSSL::SystemInternalPtr& system) :
- Connection(traceLevels, logger, certificateVerifier, connection, system)
+IceSSL::OpenSSL::ClientConnection::ClientConnection(const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const IceSSL::CertificateVerifierPtr& certificateVerifier,
+ SSL* connection,
+ const IceSSL::SystemInternalPtr& system) :
+ Connection(traceLevels, logger, certificateVerifier, connection, system)
{
assert(_sslConnection != 0);
@@ -106,10 +106,7 @@ IceSSL::OpenSSL::ClientConnection::init(int timeout)
int result = connect();
- // Find out what the error was (if any).
- int code = getLastError();
-
- switch (code)
+ switch (getLastError())
{
case SSL_ERROR_WANT_READ:
{
@@ -222,34 +219,6 @@ IceSSL::OpenSSL::ClientConnection::init(int timeout)
}
int
-IceSSL::OpenSSL::ClientConnection::read(Buffer& buf, int timeout)
-{
- int totalBytesRead = 0;
-
- // Initialization to 1 is a cheap trick to ensure we enter the loop.
- int bytesRead = 1;
-
- // We keep reading until we're done.
- while ((buf.i != buf.b.end()) && bytesRead)
- {
- // Copy over bytes from _inBuffer to buf.
- bytesRead = readInBuffer(buf);
-
- // Nothing in the _inBuffer?
- if (!bytesRead)
- {
- // Read from SSL.
- bytesRead = readSSL(buf, timeout);
- }
-
- // Keep track of the total number of bytes read.
- totalBytesRead += bytesRead;
- }
-
- return totalBytesRead;
-}
-
-int
IceSSL::OpenSSL::ClientConnection::write(Buffer& buf, int timeout)
{
int totalBytesWritten = 0;
@@ -268,21 +237,17 @@ IceSSL::OpenSSL::ClientConnection::write(Buffer& buf, int timeout)
}
#endif
- int initReturn = 0;
-
// We keep reading until we're done
while (buf.i != buf.b.end())
{
// Ensure we're initialized.
- initReturn = initialize(timeout);
-
- if (initReturn <= 0)
+ if (initialize(timeout) <= 0)
{
// Retry the initialize call
continue;
}
- // initReturn must be > 0, so we're okay to try a write
+ // initialize() must have returned > 0, so we're okay to try a write.
// Perform a select on the socket.
if (!writeSelect(timeout))
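Review bot: `if (initialize(timeout) <= 0) { continue; }` retries without a bound, so if initialize() keeps returning a non-positive value the loop spins at full speed and `timeout` never expires; a peer that stalls the handshake ties up this thread indefinitely. Either let initialize()'s failure propagate (return 0 or throw) or count attempts and give up, and say in the comment which is intended. ServerConnection::write() has the identical loop. initialize() and the rest of the loop are outside the hunk, so whether it already enforces the timeout internally is not visible here.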
@@ -320,25 +285,7 @@ IceSSL::OpenSSL::ClientConnection::write(Buffer& buf, int timeout)
}
case SSL_ERROR_WANT_WRITE:
- {
- // Repeat with the same arguments! (as in the OpenSSL documentation)
- // Whatever happened, the last write didn't actually write anything
- // for us. This is effectively a retry.
- continue;
- }
-
case SSL_ERROR_WANT_READ:
- {
- // TODO: Probably don't need this - remove later if not needed.
-
- // If we get this error here, it HAS to be because
- // the protocol wants to do something handshake related.
- // In the case that we might actually get some application data,
- // we will use the base SSL read method, using the _inBuffer.
- // readSSL(_inBuffer, timeout);
- continue;
- }
-
case SSL_ERROR_WANT_X509_LOOKUP:
{
// Perform another read. The read should take care of this.
@@ -347,8 +294,9 @@ IceSSL::OpenSSL::ClientConnection::write(Buffer& buf, int timeout)
case SSL_ERROR_SYSCALL:
{
- // NOTE: The demo client only throws an exception if there were actually bytes
- // written. This is considered to be an error status requiring shutdown.
+ // NOTE: The OpenSSL demo client only raises and error condition if there were
+ // actually bytes written. This is considered to be an error status
+ // requiring shutdown.
// If nothing was written, the demo client stops writing - we continue.
// This is potentially something wierd to watch out for.
if (bytesWritten == -1)
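Review bot: The reworded NOTE reads `raises and error condition`; it should be `raises an error condition`. The sentence that follows, `If nothing was written, the demo client stops writing - we continue.`, records a deliberate deviation from the reference behaviour without its reason; if the reason is that a zero-byte SYSCALL result is treated as transient and retried rather than fatal, a clause saying so would make the divergence reviewable. The surrounding switch continues outside the hunk.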
@@ -421,20 +369,19 @@ IceSSL::OpenSSL::ClientConnection::write(Buffer& buf, int timeout)
// Protected Methods
//
-// This code blatantly stolen from OpenSSL demos, slightly repackaged, and completely ugly...
void
IceSSL::OpenSSL::ClientConnection::showConnectionInfo()
{
// Only in extreme cases do we enable this, partially because it doesn't use the Logger.
if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0)
- {
- BIO* bio = BIO_new_fp(stdout, BIO_NOCLOSE);
+ {
+ BIOJanitor bioJanitor(BIO_new_fp(stdout, BIO_NOCLOSE));
+ BIO* bio = bioJanitor.get();
showCertificateChain(bio);
showPeerCertificate(bio,"Client");
- // Something extra for the client
showClientCAList(bio, "Client");
showSharedCiphers(bio);
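Review bot: The condition `(_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0` is constant false, so the BIOJanitor conversion in this hunk is applied to code that never runs; ServerConnection::showConnectionInfo() carries the same `&& 0`. If the diagnostic dump is meant to stay disabled, `#if 0` or a comment on that line naming why it is off (the comment above only says it bypasses the Logger) is clearer than a dead boolean; if it is meant to run at SECURITY_PROTOCOL_DEBUG, drop the `&& 0`. `bioJanitor.get()` is also passed on without a null check, unlike the other BIOJanitor uses this commit adds, and BIO_new_fp() can fail. The function's tail is in the following hunk.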
@@ -444,11 +391,5 @@ IceSSL::OpenSSL::ClientConnection::showConnectionInfo()
showHandshakeStats(bio);
showSessionInfo(bio);
-
- if (bio != 0)
- {
- BIO_free(bio);
- bio = 0;
- }
}
}
diff --git a/cpp/src/Ice/SslConnectionOpenSSLClient.h b/cpp/src/Ice/SslConnectionOpenSSLClient.h
index d82cd5bd2bf..da6c13f1c04 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLClient.h
+++ b/cpp/src/Ice/SslConnectionOpenSSLClient.h
@@ -21,18 +21,18 @@ namespace OpenSSL
class ClientConnection : public Connection
{
-
public:
+
ClientConnection(const IceInternal::TraceLevelsPtr&,
const Ice::LoggerPtr&,
const IceSSL::CertificateVerifierPtr&,
SSL*,
const IceSSL::SystemInternalPtr&);
virtual ~ClientConnection();
+
virtual void shutdown();
virtual int init(int timeout = 0);
- virtual int read(IceInternal::Buffer&, int);
virtual int write(IceInternal::Buffer&, int);
protected:
diff --git a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
index 550535108ef..78f13d0bbd1 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
+++ b/cpp/src/Ice/SslConnectionOpenSSLServer.cpp
@@ -13,7 +13,8 @@
#include <Ice/OpenSSLUtils.h>
#include <Ice/Network.h>
#include <Ice/OpenSSL.h>
-#include <Ice/SslException.h>
+#include <Ice/SslException.h>
+#include <Ice/OpenSSLJanitors.h>
#include <Ice/SslConnectionOpenSSLServer.h>
#include <Ice/TraceLevels.h>
@@ -47,13 +48,12 @@ using std::dec;
// but unfortunately, it appears that this is not properly picked up.
//
-IceSSL::OpenSSL::ServerConnection::ServerConnection(
- const IceInternal::TraceLevelsPtr& traceLevels,
- const Ice::LoggerPtr& logger,
- const IceSSL::CertificateVerifierPtr& certificateVerifier,
- SSL* connection,
- const IceSSL::SystemInternalPtr& system) :
- Connection(traceLevels, logger, certificateVerifier, connection, system)
+IceSSL::OpenSSL::ServerConnection::ServerConnection(const IceInternal::TraceLevelsPtr& traceLevels,
+ const Ice::LoggerPtr& logger,
+ const IceSSL::CertificateVerifierPtr& certificateVerifier,
+ SSL* connection,
+ const IceSSL::SystemInternalPtr& system) :
+ Connection(traceLevels, logger, certificateVerifier, connection, system)
{
assert(_sslConnection != 0);
@@ -108,9 +108,6 @@ IceSSL::OpenSSL::ServerConnection::init(int timeout)
int result = accept();
- // Find out what the error was (if any).
- int code = getLastError();
-
// We're doing an Accept and we don't get a retry on the socket.
if ((result <= 0) && (BIO_sock_should_retry(result) == 0))
{
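Review bot: `getLastError()` is no longer captured immediately after `accept()`; the next hunk evaluates it in `switch (getLastError())` after the `BIO_sock_should_retry` block, so if anything in that block touches the OpenSSL error state (a trace built with sslGetErrors() drains the thread's error queue) the switch can see a different value than the old `code` did. If the block only throws or returns, the move is harmless, but a comment saying so would save the next reader the same question; the block's body is outside what the hunk shows. The counterpart in ClientConnection::init() inlines the call at the same point it was, so this only applies to the server.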
@@ -144,7 +141,8 @@ IceSSL::OpenSSL::ServerConnection::init(int timeout)
}
}
- switch (code)
+ // Find out what the error was (if any).
+ switch (getLastError())
{
case SSL_ERROR_WANT_READ:
{
@@ -157,7 +155,6 @@ IceSSL::OpenSSL::ServerConnection::init(int timeout)
_initWantWrite = 1;
break;
}
-
case SSL_ERROR_NONE:
case SSL_ERROR_WANT_X509_LOOKUP:
@@ -234,32 +231,6 @@ IceSSL::OpenSSL::ServerConnection::init(int timeout)
}
int
-IceSSL::OpenSSL::ServerConnection::read(Buffer& buf, int timeout)
-{
- int bytesRead = 1;
- int totalBytesRead = 0;
-
- // We keep reading until we're done.
- while ((buf.i != buf.b.end()) && bytesRead)
- {
- // Copy over bytes from _inBuffer to buf.
- bytesRead = readInBuffer(buf);
-
- // Nothing in the _inBuffer?
- if (!bytesRead)
- {
- // Read from SSL.
- bytesRead = readSSL(buf, timeout);
- }
-
- // Keep track of the total bytes read.
- totalBytesRead += bytesRead;
- }
-
- return totalBytesRead;
-}
-
-int
IceSSL::OpenSSL::ServerConnection::write(Buffer& buf, int timeout)
{
int totalBytesWritten = 0;
@@ -277,21 +248,17 @@ IceSSL::OpenSSL::ServerConnection::write(Buffer& buf, int timeout)
}
#endif
- int initReturn = 0;
-
// We keep writing until we're done.
while (buf.i != buf.b.end())
{
// Ensure we're initialized.
- initReturn = initialize(timeout);
-
- if (initReturn <= 0)
+ if (initialize(timeout) <= 0)
{
// Retry the initialize call
continue;
}
- // initReturn must be > 0, so we're okay to try a write
+ // initialize() must have returned > 0, so we're okay to try a write.
// Perform a select on the socket.
if (!writeSelect(timeout))
@@ -325,9 +292,9 @@ IceSSL::OpenSSL::ServerConnection::write(Buffer& buf, int timeout)
continue;
}
- case SSL_ERROR_WANT_WRITE: // Retry...
- case SSL_ERROR_WANT_READ: // The demo server ignores this error.
- case SSL_ERROR_WANT_X509_LOOKUP: // The demo server ignores this error.
+ case SSL_ERROR_WANT_WRITE:
+ case SSL_ERROR_WANT_READ:
+ case SSL_ERROR_WANT_X509_LOOKUP:
{
continue;
}
@@ -365,7 +332,7 @@ IceSSL::OpenSSL::ServerConnection::write(Buffer& buf, int timeout)
{
ProtocolException protocolEx(__FILE__, __LINE__);
- // Protocol Error: Unexpected EOF
+ // Protocol Error: Unexpected EOF.
protocolEx._message = "Encountered an EOF that violates the SSL Protocol.\n";
protocolEx._message += sslGetErrors();
@@ -405,7 +372,8 @@ IceSSL::OpenSSL::ServerConnection::showConnectionInfo()
// Only in extreme cases do we enable this, partially because it doesn't use the Logger.
if ((_traceLevels->security >= IceSSL::SECURITY_PROTOCOL_DEBUG) && 0)
{
- BIO* bio = BIO_new_fp(stdout, BIO_NOCLOSE);
+ BIOJanitor bioJanitor(BIO_new_fp(stdout, BIO_NOCLOSE));
+ BIO* bio = bioJanitor.get();
showCertificateChain(bio);
@@ -418,11 +386,5 @@ IceSSL::OpenSSL::ServerConnection::showConnectionInfo()
showHandshakeStats(bio);
showSessionInfo(bio);
-
- if (bio != 0)
- {
- BIO_free(bio);
- bio = 0;
- }
}
}
diff --git a/cpp/src/Ice/SslConnectionOpenSSLServer.h b/cpp/src/Ice/SslConnectionOpenSSLServer.h
index 060c283bee2..e96afdb002d 100644
--- a/cpp/src/Ice/SslConnectionOpenSSLServer.h
+++ b/cpp/src/Ice/SslConnectionOpenSSLServer.h
@@ -21,18 +21,18 @@ namespace OpenSSL
class ServerConnection : public Connection
{
-
public:
+
ServerConnection(const IceInternal::TraceLevelsPtr&,
const Ice::LoggerPtr&,
const IceSSL::CertificateVerifierPtr&,
SSL*,
const IceSSL::SystemInternalPtr&);
virtual ~ServerConnection();
+
virtual void shutdown();
virtual int init(int timeout = 0);
- virtual int read(IceInternal::Buffer&, int);
virtual int write(IceInternal::Buffer&, int);
protected:
diff --git a/cpp/src/Ice/SslException2.cpp b/cpp/src/Ice/SslException2.cpp
index 1298c58d6e0..d693a6f73a4 100644
--- a/cpp/src/Ice/SslException2.cpp
+++ b/cpp/src/Ice/SslException2.cpp
@@ -23,7 +23,6 @@ using Ice::SocketException;
using Ice::Exception;
using std::ostream;
-
void
IceSSL::SslException::ice_print(ostream& out) const
{
diff --git a/cpp/src/Ice/SslExtensionInternal.h b/cpp/src/Ice/SslExtensionInternal.h
index a4616e3913b..7f368210308 100644
--- a/cpp/src/Ice/SslExtensionInternal.h
+++ b/cpp/src/Ice/SslExtensionInternal.h
@@ -21,6 +21,7 @@ namespace IceSSL
class SslExtensionInternal : public SslExtension
{
public:
+
SslExtensionInternal(const IceInternal::InstancePtr&);
virtual ~SslExtensionInternal();
@@ -29,8 +30,8 @@ public:
virtual ::IceSSL::CertificateVerifierPtr getSingleCertVerifier(const ::Ice::ByteSeq&);
protected:
- IceInternal::InstancePtr _instance;
+ IceInternal::InstancePtr _instance;
};
}
diff --git a/cpp/src/Ice/SslFactory.cpp b/cpp/src/Ice/SslFactory.cpp
index 253a913d320..77ca0314eaa 100644
--- a/cpp/src/Ice/SslFactory.cpp
+++ b/cpp/src/Ice/SslFactory.cpp
@@ -29,7 +29,6 @@
#error "Thread support not enabled"
#endif
-
namespace IceSSL
{
@@ -44,22 +43,15 @@ extern "C"
class SslLockKeeper
{
-
public:
- SslLockKeeper()
- {
- CRYPTO_set_locking_callback((void (*)(int, int, const char*, int))lockingCallback);
- }
-
- ~SslLockKeeper()
- {
- CRYPTO_set_locking_callback(NULL);
- }
+
+ SslLockKeeper();
+ ~SslLockKeeper();
IceUtil::Mutex sslLocks[CRYPTO_NUM_LOCKS];
};
-
+
SslLockKeeper lockKeeper;
}
@@ -76,6 +68,16 @@ void IceSSL::lockingCallback(int mode, int type, const char *file, int line)
}
}
+IceSSL::SslLockKeeper::SslLockKeeper()
+{
+ CRYPTO_set_locking_callback((void (*)(int, int, const char*, int))IceSSL::lockingCallback);
+}
+
+IceSSL::SslLockKeeper::~SslLockKeeper()
+{
+ CRYPTO_set_locking_callback(NULL);
+}
+
IceSSL::SystemInternalPtr
IceSSL::Factory::getSystem(const IceInternal::InstancePtr& instance)
{
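Review bot: The C-style cast on the `CRYPTO_set_locking_callback` argument in the new out-of-line `SslLockKeeper` constructor is redundant — the hunk header shows `IceSSL::lockingCallback` already has the `(int, int, const char*, int)` signature — and it would silently paper over a future signature mismatch; prefer `CRYPTO_set_locking_callback(IceSSL::lockingCallback);`, or, if the cast exists to bridge `extern "C"` linkage on some compiler, say so in a comment. Since this object installs only the locking callback, it is worth confirming that the id callback (`CRYPTO_set_id_callback`) is set elsewhere, because OpenSSL's pre-1.1 threading model keys per-thread error queues on it and the default thread id is not unique per thread on every platform. `lockKeeper` is a namespace-scope static, so the destructor clears the callback during static destruction; a short comment on the class stating that OpenSSL must not be used from other static destructors (or from threads still running at that point) would document that ordering dependency.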
diff --git a/cpp/src/Ice/SslFactory.h b/cpp/src/Ice/SslFactory.h
index 7d7c4ba03ca..2bd8742e31d 100644
--- a/cpp/src/Ice/SslFactory.h
+++ b/cpp/src/Ice/SslFactory.h
@@ -32,8 +32,8 @@ typedef std::map<void*, SystemInternalPtr> SslHandleSystemMap;
// different definitions for getSystem().
class Factory
{
-
public:
+
static SystemInternalPtr getSystem(const IceInternal::InstancePtr&);
// System Handle related methods
@@ -41,7 +41,8 @@ public:
static void removeSystemHandle(void*);
static SystemInternalPtr getSystemFromHandle(void*);
-private:
+private:
+
static SslHandleSystemMap _sslHandleSystemRepository;
static ::IceUtil::Mutex _systemRepositoryMutex;
};
diff --git a/cpp/src/Ice/SystemOpenSSL.cpp b/cpp/src/Ice/SystemOpenSSL.cpp
index aca6301513e..0b8822904e8 100644
--- a/cpp/src/Ice/SystemOpenSSL.cpp
+++ b/cpp/src/Ice/SystemOpenSSL.cpp
@@ -512,94 +512,95 @@ IceSSL::OpenSSL::System::~System()
int
IceSSL::OpenSSL::System::seedRand()
{
- int retCode = 1;
- char buffer[1024];
-
#ifdef WINDOWS
RAND_screen();
#endif
+ char buffer[1024];
const char* file = RAND_file_name(buffer, sizeof(buffer));
-
- if (file == 0 || !RAND_load_file(file, -1))
- {
- retCode = 0;
- }
- else
- {
- _randSeeded = 1;
- }
-
- return retCode;
+
+ if (file == 0)
+ {
+ return 0;
+ }
+
+ return RAND_load_file(file, -1);
}
long
IceSSL::OpenSSL::System::loadRandFiles(const string& names)
{
- long tot = 0;
-
if (!names.empty())
- {
- int egd;
+ {
+ return 0;
+ }
+
+ long tot = 0;
+ int egd;
- // Make a modifiable copy of the string.
- char* namesString = new char[names.length() + 1];
- assert(namesString != 0);
+ // Make a modifiable copy of the string.
+ char* namesString = new char[names.length() + 1];
+ assert(namesString != 0);
- strcpy(namesString, names.c_str());
+ strcpy(namesString, names.c_str());
- char seps[5];
+ char seps[5];
- sprintf(seps, "%c", LIST_SEPARATOR_CHAR);
+ sprintf(seps, "%c", LIST_SEPARATOR_CHAR);
- char* token = strtok(namesString, seps);
+ char* token = strtok(namesString, seps);
- while (token != 0)
- {
- egd = RAND_egd(token);
-
- if (egd > 0)
- {
- tot += egd;
- }
- else
- {
- tot += RAND_load_file(token, -1);
- }
+ while (token != 0)
+ {
+ egd = RAND_egd(token);
- token = strtok(0, seps);
+ if (egd > 0)
+ {
+ tot += egd;
}
-
- if (tot > 512)
+ else
{
- _randSeeded = 1;
+ tot += RAND_load_file(token, -1);
}
- delete []namesString;
+ token = strtok(0, seps);
+ }
+
+ if (tot > 512)
+ {
+ _randSeeded = 1;
}
+ delete []namesString;
+
return tot;
}
void
IceSSL::OpenSSL::System::initRandSystem(const string& randBytesFiles)
{
- if (!_randSeeded)
- {
- long randBytesLoaded = 0;
-
- if (!seedRand() && randBytesFiles.empty() && !RAND_status() &&
- (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
- {
- _logger->trace(_traceLevels->securityCat,
- "WRN There is a lack of random data, consider specifying a random data file.");
- }
+ if (_randSeeded)
+ {
+ return;
+ }
+
+ long randBytesLoaded = seedRand();
- if (!randBytesFiles.empty())
- {
- randBytesLoaded = loadRandFiles(randBytesFiles);
- }
+ if (!randBytesFiles.empty())
+ {
+ randBytesLoaded += loadRandFiles(randBytesFiles);
+ }
+
+ if (!randBytesLoaded && !RAND_status() && (_traceLevels->security >= IceSSL::SECURITY_WARNINGS))
+ {
+ // In this case, there are two options open to us - specify a random data file using the
+ // RANDFILE environment variable, or specify additional random data files in the
+ // SSL configuration file.
+ _logger->trace(_traceLevels->securityCat,
+ "WRN There is a lack of random data, consider specifying additional random data files.");
}
+
+ _randSeeded = (randBytesLoaded > 0 ? 1 : 0);
}
void
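Review bot: The new guard at the top of `loadRandFiles` is inverted: `if (!names.empty()) { return 0; }` returns before anything is read precisely when the caller passed file names, so the configured random data files are never loaded and only `seedRand()` can contribute entropy; the old code ran the loop under `if (!names.empty())`, so the guard should read `if (names.empty()) { return 0; }`. With the guard as written, `initRandSystem` will also emit the "lack of random data" warning more often than intended and `_randSeeded` can never be set through the `tot > 512` path. Separately, `_randSeeded` is now derived from the byte count alone (`randBytesLoaded > 0`), which is a weaker condition than the `RAND_status()` check the warning uses — a handful of bytes marks the system seeded even when OpenSSL reports it is not; consider `_randSeeded = (randBytesLoaded > 0 && RAND_status()) ? 1 : 0;` or a comment explaining why the byte count is preferred. If `RAND_load_file` can return a negative value on the OpenSSL version in use, the unconditional `tot += RAND_load_file(token, -1);` in the loop would subtract from the total; guarding the addition with a `> 0` check, as is already done for `egd`, would avoid that.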
diff --git a/cpp/src/Ice/SystemOpenSSL.h b/cpp/src/Ice/SystemOpenSSL.h
index 0a6a28dc7ad..84d7d16d35a 100644
--- a/cpp/src/Ice/SystemOpenSSL.h
+++ b/cpp/src/Ice/SystemOpenSSL.h
@@ -39,7 +39,8 @@ class GeneralConfig;
namespace OpenSSL
{
-
+
+// TODO: Make these map<int, RSAPrivateKeyPtr> and something similar for DH.
typedef std::map<int,RSA*> RSAMap;
typedef std::map<int,DH*> DHMap;
@@ -116,7 +117,7 @@ private:
long loadRandFiles(const std::string&);
void initRandSystem(const std::string&);
- // Load the temporary (ephemeral) certificates for Server operations
+ // Load the temporary (ephemeral) certificates for Server operations.
void loadTempCerts(IceSSL::TempCertificates&);
friend class IceSSL::Factory;
diff --git a/cpp/src/Ice/TempCerts.h b/cpp/src/Ice/TempCerts.h
index 9c70da0fc18..88f3b203e90 100644
--- a/cpp/src/Ice/TempCerts.h
+++ b/cpp/src/Ice/TempCerts.h
@@ -19,8 +19,8 @@ namespace IceSSL
class TempCertificates
{
-
public:
+
TempCertificates();
~TempCertificates();
@@ -30,7 +30,8 @@ public:
RSAVector& getRSACerts();
DHVector& getDHParams();
-protected:
+protected:
+
RSAVector _rsaCerts;
DHVector _dhParams;
};
diff --git a/cpp/src/Ice/ice.dsp b/cpp/src/Ice/ice.dsp
index 74c83ffe409..9bfea0f2dd2 100644
--- a/cpp/src/Ice/ice.dsp
+++ b/cpp/src/Ice/ice.dsp
@@ -43,7 +43,7 @@ RSC=rc.exe
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBRARY_EXPORTS" /Yu"stdafx.h" /FD /c
-# ADD CPP /nologo /MD /Ze /W3 /WX /GR /GX /O2 /I ".." /I "../../include" /D "NDEBUG" /D "WIN32" /D "_UNICODE" /D "_CONSOLE" /D "_USRDLL" /D "ICE_API_EXPORTS" /D "USE_SOCKETS" /YX /FD /c
+# ADD CPP /nologo /MD /W3 /WX /GR /GX /O2 /I ".." /I "../../include" /D "NDEBUG" /D "WIN32" /D "_UNICODE" /D "_CONSOLE" /D "_USRDLL" /D "ICE_API_EXPORTS" /D "USE_SOCKETS" /YX /FD /c
# SUBTRACT CPP /Fr
# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32
@@ -75,7 +75,7 @@ PostBuild_Cmds=copy Release\ice001.* ..\..\lib
# PROP Ignore_Export_Lib 0
# PROP Target_Dir ""
# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "LIBRARY_EXPORTS" /Yu"stdafx.h" /FD /GZ /c
-# ADD CPP /nologo /MDd /Ze /W3 /WX /Gm /GR /GX /Zi /Od /I ".." /I "../../include" /D "_DEBUG" /D "USE_SOCKETS" /D "WIN32" /D "_UNICODE" /D "_CONSOLE" /D "_USRDLL" /D "ICE_API_EXPORTS" /YX /FD /GZ /c
+# ADD CPP /nologo /MDd /W3 /WX /Gm /GR /GX /Zi /Od /I ".." /I "../../include" /D "_DEBUG" /D "USE_SOCKETS" /D "WIN32" /D "_UNICODE" /D "_CONSOLE" /D "_USRDLL" /D "ICE_API_EXPORTS" /YX /FD /GZ /c
# SUBTRACT CPP /Fr
# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32
# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32
@@ -852,10 +852,6 @@ SOURCE=..\..\include\Ice\RSAPublicKeyF.h
# End Source File
# Begin Source File
-SOURCE=..\..\include\Ice\Security.h
-# End Source File
-# Begin Source File
-
SOURCE=..\..\include\Ice\ServantLocator.h
# End Source File
# Begin Source File