Diffstat (limited to 'cpp/src')
-rw-r--r-- | cpp/src/Ice/ContextOpenSSL.cpp | 48 | ||||
-rw-r--r-- | cpp/src/Ice/ContextOpenSSL.h | 4 | ||||
-rw-r--r-- | cpp/src/Ice/ContextOpenSSLClient.cpp | 1 | ||||
-rw-r--r-- | cpp/src/Ice/ContextOpenSSLServer.cpp | 1 |
4 files changed, 52 insertions, 2 deletions
diff --git a/cpp/src/Ice/ContextOpenSSL.cpp b/cpp/src/Ice/ContextOpenSSL.cpp
index e0885f456b3..7c9565ba103 100644
--- a/cpp/src/Ice/ContextOpenSSL.cpp
+++ b/cpp/src/Ice/ContextOpenSSL.cpp
@@ -113,6 +113,13 @@ IceSSL::OpenSSL::Context::configure(const GeneralConfig& generalConfig,
     // Set the certificate verify depth
     SSL_CTX_set_verify_depth(_sslContext, generalConfig.getVerifyDepth());
+    // Determine the number of retries the user gets on passphrase entry.
+    std::string passphraseRetries = _properties->getPropertyWithDefault(_passphraseRetriesProperty,
+                                                                        _maxPassphraseRetriesDefault);
+    int retries = atoi(passphraseRetries.c_str());
+    retries = (retries < 0 ? 0 : retries);
+    _maxPassphraseTries = retries + 1;
+
     // Process the RSA Certificate
     setKeyCert(baseCertificates.getRSACert(), _rsaPrivateKeyProperty, _rsaPublicKeyProperty);
@@ -141,6 +148,8 @@ IceSSL::OpenSSL::Context::Context(const IceInternal::InstancePtr& instance) :
     _certificateVerifier = new DefaultCertificateVerifier(instance);
     _sslContext = 0;
+
+    _maxPassphraseRetriesDefault = "4";
 }
 
 SSL_METHOD*
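Review bot: `int retries = atoi(passphraseRetries.c_str());` in the new configure() block accepts any property value silently: a non-numeric setting becomes 0 retries with no report of the misconfiguration, and an arbitrarily large value makes the prompt loop in addKeyCert() effectively unbounded. Parsing with `strtol` and checking the end pointer (or the Properties integer accessor, if this Ice version already provides one) and clamping to a small upper bound would keep the count within what an operator can plausibly intend; the clamp could become `retries = (retries < 0 ? 0 : (retries > MAX_RETRIES_PLACEHOLDER ? MAX_RETRIES_PLACEHOLDER : retries));` with the bound defined next to the default. The new `Ice.SSL.*.Passphrase.Retries` property and its default of 4 should also be documented with the other Ice.SSL properties. configure() begins and ends outside the hunk.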
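Review bot: The constructor hunk assigns `_maxPassphraseRetriesDefault` but leaves the new `_maxPassphraseTries` member uninitialized, so a Context whose addKeyCert() runs before configure() evaluates `while (retryCount != _maxPassphraseTries)` against an indeterminate value. Add `_maxPassphraseTries = 1;` alongside the default so an unconfigured context makes exactly one load attempt. Since the default string is a constant, a file-scope `static const std::string` (or an in-class initializer where the compiler permits) would express that more directly than an assignment in the constructor body.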
@@ -392,8 +401,43 @@ IceSSL::OpenSSL::Context::addKeyCert(const CertificateFile& privateKey, const Ce
         privKeyFileType = publicEncoding;
     }
-    // Set which Private Key file to use.
-    if (SSL_CTX_use_PrivateKey_file(_sslContext, privKeyFile, privKeyFileType) <= 0)
+    int retryCount = 0;
+    int pkLoadResult;
+    int errCode = 0;
+
+    while (retryCount != _maxPassphraseTries)
+    {
+        // We ignore the errors and remove them from the stack.
+        std::string errorString = sslGetErrors();
+
+        // Set which Private Key file to use.
+        pkLoadResult = SSL_CTX_use_PrivateKey_file(_sslContext, privKeyFile, privKeyFileType);
+
+        if (pkLoadResult <= 0)
+        {
+            errCode = ERR_GET_REASON(ERR_peek_error());
+        }
+        else
+        {
+            // The load went fine - continue on.
+            break;
+        }
+
+        // PEM errors, most likely related to a bad passphrase.
+        if (errCode != PEM_R_BAD_PASSWORD_READ &&
+            errCode != PEM_R_BAD_DECRYPT &&
+            errCode != PEM_R_BAD_BASE64_DECODE)
+        {
+            // Other errors get dealt with below.
+            break;
+        }
+
+        std::cout << "Passphrase error!" << std::endl;
+
+        retryCount++;
+    }
+
+    if (pkLoadResult <= 0)
     {
         int errCode = ERR_GET_REASON(ERR_peek_error());
diff --git a/cpp/src/Ice/ContextOpenSSL.h b/cpp/src/Ice/ContextOpenSSL.h
index c8225795ecc..c5c4d61d30e 100644
--- a/cpp/src/Ice/ContextOpenSSL.h
+++ b/cpp/src/Ice/ContextOpenSSL.h
@@ -107,11 +107,15 @@ protected:
     std::string _dsaPublicKeyProperty;
     std::string _caCertificateProperty;
     std::string _handshakeTimeoutProperty;
+    std::string _passphraseRetriesProperty;
+    std::string _maxPassphraseRetriesDefault;
     IceSSL::CertificateVerifierPtr _certificateVerifier;
     SSL_CTX* _sslContext;
+    int _maxPassphraseTries;
+
     friend class IceSSL::OpenSSL::System;
 };
diff --git a/cpp/src/Ice/ContextOpenSSLClient.cpp b/cpp/src/Ice/ContextOpenSSLClient.cpp
index ac0beb99b53..87fee400687 100644
--- a/cpp/src/Ice/ContextOpenSSLClient.cpp
+++ b/cpp/src/Ice/ContextOpenSSLClient.cpp
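Review bot: `int pkLoadResult;` is declared without an initializer and is read by `if (pkLoadResult <= 0)` after the loop, so whenever `_maxPassphraseTries` is 0 or has not been set the loop body never runs and that read is indeterminate; write `int pkLoadResult = 0;` so a skipped loop is treated as a failed load. The `std::string errorString = sslGetErrors();` result is never used — a bare `sslGetErrors();` under the existing comment says the same without the dead local — and the `int errCode` in the surviving error branch now shadows the new outer `errCode`, which is easy to misread. `std::cout << "Passphrase error!" << std::endl;` writes to stdout from library code; routing it through the instance logger (as the rest of IceSSL presumably does) keeps it out of a service's own output stream. The retry loop only helps when the passphrase callback is interactive; with a fixed or non-interactive callback every attempt fails identically and the loop merely repeats the same error `_maxPassphraseTries` times, which is worth a comment on the `while`. addKeyCert() begins and ends outside the hunk.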
@@ -82,5 +82,6 @@ IceSSL::OpenSSL::ClientContext::ClientContext(const IceInternal::InstancePtr& in
     _dsaPublicKeyProperty = "Ice.SSL.Client.Overrides.DSA.Certificate";
     _caCertificateProperty = "Ice.SSL.Client.Overrides.CACertificate";
     _handshakeTimeoutProperty = "Ice.SSL.Client.Handshake.ReadTimeout";
+    _passphraseRetriesProperty = "Ice.SSL.Client.Passphrase.Retries";
 }
diff --git a/cpp/src/Ice/ContextOpenSSLServer.cpp b/cpp/src/Ice/ContextOpenSSLServer.cpp
index 89ee2b7c78a..bc198cecea2 100644
--- a/cpp/src/Ice/ContextOpenSSLServer.cpp
+++ b/cpp/src/Ice/ContextOpenSSLServer.cpp
@@ -107,6 +107,7 @@ IceSSL::OpenSSL::ServerContext::ServerContext(const IceInternal::InstancePtr& in
     _dsaPublicKeyProperty = "Ice.SSL.Server.Overrides.DSA.Certificate";
     _caCertificateProperty = "Ice.SSL.Server.Overrides.CACertificate";
     _handshakeTimeoutProperty = "Ice.SSL.Server.Handshake.ReadTimeout";
+    _passphraseRetriesProperty = "Ice.SSL.Server.Passphrase.Retries";
 }
 
 void