Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/Ice/PropertyNames.cpp23
-rw-r--r--cpp/src/Ice/PropertyNames.h2
-rw-r--r--cpp/src/IceSSL/RFC2253.cpp24
-rw-r--r--cpp/src/IceSSL/RFC2253.h19
-rw-r--r--cpp/src/IceSSL/TrustManager.cpp125
-rw-r--r--cpp/src/IceSSL/TrustManager.h15
6 files changed, 157 insertions, 51 deletions
diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp
index 28865e12b26..8837d3c740a 100644
--- a/cpp/src/Ice/PropertyNames.cpp
+++ b/cpp/src/Ice/PropertyNames.cpp
@@ -8,7 +8,7 @@
// **********************************************************************
//
-// Generated by makeprops.py from file ../config/PropertyNames.xml, Mon May 18 11:29:29 2009
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Wed Jul 29 10:07:20 2009
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
@@ -31,6 +31,7 @@ const IceInternal::Property IcePropsData[] =
IceInternal::Property("Ice.Admin.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("Ice.Admin.ThreadPool.StackSize", false, 0),
IceInternal::Property("Ice.Admin.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("Ice.Admin.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("Ice.Admin.DelayCreation", false, 0),
IceInternal::Property("Ice.Admin.Facets", false, 0),
IceInternal::Property("Ice.Admin.InstanceName", false, 0),
@@ -153,6 +154,7 @@ const IceInternal::Property IceBoxPropsData[] =
IceInternal::Property("IceBox.ServiceManager.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("IceBox.ServiceManager.ThreadPool.StackSize", false, 0),
IceInternal::Property("IceBox.ServiceManager.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("IceBox.ServiceManager.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("IceBox.Trace.ServiceObserver", false, 0),
IceInternal::Property("IceBox.UseSharedCommunicator.*", false, 0),
};
@@ -208,6 +210,7 @@ const IceInternal::Property IceGridPropsData[] =
IceInternal::Property("IceGrid.Node.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("IceGrid.Node.ThreadPool.StackSize", false, 0),
IceInternal::Property("IceGrid.Node.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("IceGrid.Node.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("IceGrid.Node.AllowRunningServersAsRoot", false, 0),
IceInternal::Property("IceGrid.Node.AllowEndpointsOverride", false, 0),
IceInternal::Property("IceGrid.Node.CollocateRegistry", false, 0),
@@ -258,6 +261,7 @@ const IceInternal::Property IceGridPropsData[] =
IceInternal::Property("IceGrid.Registry.AdminSessionManager.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("IceGrid.Registry.AdminSessionManager.ThreadPool.StackSize", false, 0),
IceInternal::Property("IceGrid.Registry.AdminSessionManager.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("IceGrid.Registry.AdminSessionManager.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("IceGrid.Registry.AdminSSLPermissionsVerifier.EndpointSelection", false, 0),
IceInternal::Property("IceGrid.Registry.AdminSSLPermissionsVerifier.ConnectionCached", false, 0),
IceInternal::Property("IceGrid.Registry.AdminSSLPermissionsVerifier.PreferSecure", false, 0),
@@ -280,6 +284,7 @@ const IceInternal::Property IceGridPropsData[] =
IceInternal::Property("IceGrid.Registry.Client.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("IceGrid.Registry.Client.ThreadPool.StackSize", false, 0),
IceInternal::Property("IceGrid.Registry.Client.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("IceGrid.Registry.Client.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("IceGrid.Registry.CryptPasswords", false, 0),
IceInternal::Property("IceGrid.Registry.Data", false, 0),
IceInternal::Property("IceGrid.Registry.DefaultTemplates", false, 0),
@@ -297,6 +302,7 @@ const IceInternal::Property IceGridPropsData[] =
IceInternal::Property("IceGrid.Registry.Internal.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("IceGrid.Registry.Internal.ThreadPool.StackSize", false, 0),
IceInternal::Property("IceGrid.Registry.Internal.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("IceGrid.Registry.Internal.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("IceGrid.Registry.NodeSessionTimeout", false, 0),
IceInternal::Property("IceGrid.Registry.PermissionsVerifier.EndpointSelection", false, 0),
IceInternal::Property("IceGrid.Registry.PermissionsVerifier.ConnectionCached", false, 0),
@@ -322,6 +328,7 @@ const IceInternal::Property IceGridPropsData[] =
IceInternal::Property("IceGrid.Registry.Server.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("IceGrid.Registry.Server.ThreadPool.StackSize", false, 0),
IceInternal::Property("IceGrid.Registry.Server.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("IceGrid.Registry.Server.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("IceGrid.Registry.SessionFilters", false, 0),
IceInternal::Property("IceGrid.Registry.SessionManager.AdapterId", false, 0),
IceInternal::Property("IceGrid.Registry.SessionManager.Endpoints", false, 0),
@@ -336,6 +343,7 @@ const IceInternal::Property IceGridPropsData[] =
IceInternal::Property("IceGrid.Registry.SessionManager.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("IceGrid.Registry.SessionManager.ThreadPool.StackSize", false, 0),
IceInternal::Property("IceGrid.Registry.SessionManager.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("IceGrid.Registry.SessionManager.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("IceGrid.Registry.SessionTimeout", false, 0),
IceInternal::Property("IceGrid.Registry.SSLPermissionsVerifier.EndpointSelection", false, 0),
IceInternal::Property("IceGrid.Registry.SSLPermissionsVerifier.ConnectionCached", false, 0),
@@ -380,6 +388,7 @@ const IceInternal::Property IcePatch2PropsData[] =
IceInternal::Property("IcePatch2.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("IcePatch2.ThreadPool.StackSize", false, 0),
IceInternal::Property("IcePatch2.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("IcePatch2.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("IcePatch2.Admin.AdapterId", true, 0),
IceInternal::Property("IcePatch2.Admin.Endpoints", true, 0),
IceInternal::Property("IcePatch2.Admin.Locator", true, 0),
@@ -427,15 +436,15 @@ const IceInternal::Property IceSSLPropsData[] =
IceInternal::Property("IceSSL.Protocols", false, 0),
IceInternal::Property("IceSSL.Random", false, 0),
IceInternal::Property("IceSSL.Trace.Security", false, 0),
+ IceInternal::Property("IceSSL.TrustOnly", false, 0),
+ IceInternal::Property("IceSSL.TrustOnly.Client", false, 0),
+ IceInternal::Property("IceSSL.TrustOnly.Server", false, 0),
+ IceInternal::Property("IceSSL.TrustOnly.Server.*", false, 0),
IceInternal::Property("IceSSL.Truststore", false, 0),
IceInternal::Property("IceSSL.TruststorePassword", false, 0),
IceInternal::Property("IceSSL.TruststoreType", false, 0),
IceInternal::Property("IceSSL.VerifyDepthMax", false, 0),
IceInternal::Property("IceSSL.VerifyPeer", false, 0),
- IceInternal::Property("IceSSL.TrustOnly", false, 0),
- IceInternal::Property("IceSSL.TrustOnly.Client", false, 0),
- IceInternal::Property("IceSSL.TrustOnly.Server", false, 0),
- IceInternal::Property("IceSSL.TrustOnly.Server.*", false, 0),
};
const IceInternal::PropertyArray
@@ -478,6 +487,7 @@ const IceInternal::Property Glacier2PropsData[] =
IceInternal::Property("Glacier2.Client.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("Glacier2.Client.ThreadPool.StackSize", false, 0),
IceInternal::Property("Glacier2.Client.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("Glacier2.Client.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("Glacier2.Client.AlwaysBatch", false, 0),
IceInternal::Property("Glacier2.Client.Buffered", false, 0),
IceInternal::Property("Glacier2.Client.ForwardContext", false, 0),
@@ -527,6 +537,7 @@ const IceInternal::Property Glacier2PropsData[] =
IceInternal::Property("Glacier2.Server.ThreadPool.SizeWarn", false, 0),
IceInternal::Property("Glacier2.Server.ThreadPool.StackSize", false, 0),
IceInternal::Property("Glacier2.Server.ThreadPool.Serialize", false, 0),
+ IceInternal::Property("Glacier2.Server.ThreadPool.ThreadPriority", false, 0),
IceInternal::Property("Glacier2.Server.AlwaysBatch", false, 0),
IceInternal::Property("Glacier2.Server.Buffered", false, 0),
IceInternal::Property("Glacier2.Server.ForwardContext", false, 0),
@@ -576,9 +587,7 @@ const IceInternal::Property FreezePropsData[] =
IceInternal::Property("Freeze.Evictor.*.RollbackOnUserException", false, 0),
IceInternal::Property("Freeze.Evictor.*.SavePeriod", false, 0),
IceInternal::Property("Freeze.Evictor.*.SaveSizeTrigger", false, 0),
- IceInternal::Property("Freeze.Evictor.*.SaveThreadPriority", false, 0),
IceInternal::Property("Freeze.Evictor.*.StreamTimeout", false, 0),
- IceInternal::Property("Freeze.Evictor.*.WatchDogThreadPriority", false, 0),
IceInternal::Property("Freeze.Map.*.BtreeMinKey", false, 0),
IceInternal::Property("Freeze.Map.*.Checksum", false, 0),
IceInternal::Property("Freeze.Map.*.PageSize", false, 0),
diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h
index 2d3377b148a..0c130f16ce3 100644
--- a/cpp/src/Ice/PropertyNames.h
+++ b/cpp/src/Ice/PropertyNames.h
@@ -8,7 +8,7 @@
// **********************************************************************
//
-// Generated by makeprops.py from file ../config/PropertyNames.xml, Mon May 18 11:29:29 2009
+// Generated by makeprops.py from file ../config/PropertyNames.xml, Wed Jul 29 10:07:20 2009
// IMPORTANT: Do not edit this file -- any edits made here will be lost!
diff --git a/cpp/src/IceSSL/RFC2253.cpp b/cpp/src/IceSSL/RFC2253.cpp
index 67987d49dea..d622969448b 100644
--- a/cpp/src/IceSSL/RFC2253.cpp
+++ b/cpp/src/IceSSL/RFC2253.cpp
@@ -34,15 +34,26 @@ static string parsePair(const string&, size_t&);
static string parseHexPair(const string&, size_t&, bool);
static void eatWhite(const string&, size_t&);
-IceSSL::RFC2253::RDNSeqSeq
+IceSSL::RFC2253::RDNEntrySeq
IceSSL::RFC2253::parse(const string& data)
{
- RDNSeqSeq results;
- RDNSeq current;
+ RDNEntrySeq results;
+ RDNEntry current;
+ current.negate = false;
size_t pos = 0;
while(pos < data.size())
{
- current.push_back(parseNameComponent(data, pos));
+ eatWhite(data, pos);
+ if(pos < data.size() && data[pos] == '!')
+ {
+ if(!current.rdn.empty())
+ {
+ throw ParseException(__FILE__, __LINE__, "negation symbol '!' must appear at start of list");
+ }
+ ++pos;
+ current.negate = true;
+ }
+ current.rdn.push_back(parseNameComponent(data, pos));
eatWhite(data, pos);
if(pos < data.size() && data[pos] == ',')
{
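Review bot: After the `++pos` that consumes the `!`, nothing skips whitespace or checks for a second `!` before `parseNameComponent` is called, so whether `! CN=x` or `!!CN=x` produces a clear error depends on how parseNameComponent treats a leading blank or `!`, which is outside this hunk. Since the loop already calls `eatWhite` before looking for `!`, the same should happen after consuming it, with an explicit rejection of a repeated symbol: `++pos; current.negate = true; eatWhite(data, pos);` followed by `if(pos < data.size() && data[pos] == '!') { throw ParseException(__FILE__, __LINE__, "duplicate negation symbol '!'"); }`. That keeps the error message specific instead of leaving it to whatever parseNameComponent reports. The body of parse continues past this hunk.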
@@ -52,14 +63,15 @@ IceSSL::RFC2253::parse(const string& data)
{
++pos;
results.push_back(current);
- current.clear();
+ current.rdn.clear();
+ current.negate = false;
}
else if(pos < data.size())
{
throw ParseException(__FILE__, __LINE__, "expected ',' or ';' at `" + data.substr(pos) + "'");
}
}
- if(!current.empty())
+ if(!current.rdn.empty())
{
results.push_back(current);
}
diff --git a/cpp/src/IceSSL/RFC2253.h b/cpp/src/IceSSL/RFC2253.h
index f3da3156dca..3dec2d00c19 100644
--- a/cpp/src/IceSSL/RFC2253.h
+++ b/cpp/src/IceSSL/RFC2253.h
@@ -32,19 +32,26 @@ namespace RFC2253
{
typedef std::list< std::pair<std::string, std::string> > RDNSeq;
-typedef std::list<RDNSeq> RDNSeqSeq;
+
+struct RDNEntry
+{
+ RDNSeq rdn;
+ bool negate;
+};
+typedef std::list<RDNEntry> RDNEntrySeq;
//
-// This method separates DNs with the ';' character and returns
-// a list of list of RDN pairs. Any failure in parsing results in a
-// ParseException being thrown.
+// This function separates DNs with the ';' character. A list of RDN
+// pairs may optionally be prefixed with '!' to indicate a negation.
+// The function returns a list of RDNEntry structures. Any failure in
+// parsing results in a ParseException being thrown.
//
-RDNSeqSeq parse(const std::string&);
+RDNEntrySeq parse(const std::string&);
//
// RDNs are separated with ',' and ';'.
//
-// This method returns a list of RDN pairs. Any failure in parsing
+// This function returns a list of RDN pairs. Any failure in parsing
// results in a ParseException being thrown.
//
RDNSeq parseStrict(const std::string&);
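Review bot: `RDNEntry::negate` has no default, so every construction site has to remember to set it to false, which parse() does by hand twice (at declaration and after each `;`). A constructor in the struct, `RDNEntry() : negate(false) {}`, makes a default-constructed entry mean "not negated" and lets those two assignments go away; the project's C++03-era style rules out an in-class initializer here. The struct would also benefit from a one-line comment above it such as `// One ';'-separated entry of a TrustOnly value: the RDN list and whether it was prefixed with '!'.`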
diff --git a/cpp/src/IceSSL/TrustManager.cpp b/cpp/src/IceSSL/TrustManager.cpp
index dbafb0a2aac..cc36d651ddc 100644
--- a/cpp/src/IceSSL/TrustManager.cpp
+++ b/cpp/src/IceSSL/TrustManager.cpp
@@ -31,17 +31,26 @@ TrustManager::TrustManager(const Ice::CommunicatorPtr& communicator) :
try
{
key = "IceSSL.TrustOnly";
- _all = parse(properties->getProperty(key));
+ parse(properties->getProperty(key), _rejectAll, _acceptAll);
key = "IceSSL.TrustOnly.Client";
- _client = parse(properties->getProperty(key));
+ parse(properties->getProperty(key), _rejectClient, _acceptClient);
key = "IceSSL.TrustOnly.Server";
- _allServer = parse(properties->getProperty(key));
+ parse(properties->getProperty(key), _rejectAllServer, _acceptAllServer);
Ice::PropertyDict dict = properties->getPropertiesForPrefix("IceSSL.TrustOnly.Server.");
for(Ice::PropertyDict::const_iterator p = dict.begin(); p != dict.end(); ++p)
{
string name = p->first.substr(string("IceSSL.TrustOnly.Server.").size());
key = p->first;
- _server[name] = parse(p->second);
+ list<DistinguishedName> reject, accept;
+ parse(p->second, reject, accept);
+ if(!reject.empty())
+ {
+ _rejectServer[name] = reject;
+ }
+ if(!accept.empty())
+ {
+ _acceptServer[name] = accept;
+ }
}
}
catch(const ParseException& e)
@@ -55,39 +64,66 @@ TrustManager::TrustManager(const Ice::CommunicatorPtr& communicator) :
bool
TrustManager::verify(const ConnectionInfo& info)
{
- list<list<DistinguishedName> > trustset;
- if(_all.size() > 0)
+ list<list<DistinguishedName> > reject, accept;
+
+ if(_rejectAll.size() > 0)
{
- trustset.push_back(_all);
+ reject.push_back(_rejectAll);
+ }
+ if(info.incoming)
+ {
+ if(_rejectAllServer.size() > 0)
+ {
+ reject.push_back(_rejectAllServer);
+ }
+ if(info.adapterName.size() > 0)
+ {
+ map<string, list<DistinguishedName> >::const_iterator p = _rejectServer.find(info.adapterName);
+ if(p != _rejectServer.end())
+ {
+ reject.push_back(p->second);
+ }
+ }
+ }
+ else
+ {
+ if(_rejectClient.size() > 0)
+ {
+ reject.push_back(_rejectClient);
+ }
}
+ if(_acceptAll.size() > 0)
+ {
+ accept.push_back(_acceptAll);
+ }
if(info.incoming)
{
- if(_allServer.size() > 0)
+ if(_acceptAllServer.size() > 0)
{
- trustset.push_back(_allServer);
+ accept.push_back(_acceptAllServer);
}
if(info.adapterName.size() > 0)
{
- map<string, list<DistinguishedName> >::const_iterator p = _server.find(info.adapterName);
- if(p != _server.end())
+ map<string, list<DistinguishedName> >::const_iterator p = _acceptServer.find(info.adapterName);
+ if(p != _acceptServer.end())
{
- trustset.push_back(p->second);
+ accept.push_back(p->second);
}
}
}
else
{
- if(_client.size() > 0)
+ if(_acceptClient.size() > 0)
{
- trustset.push_back(_client);
+ accept.push_back(_acceptClient);
}
}
//
// If there is nothing to match against, then we accept the cert.
//
- if(trustset.size() == 0)
+ if(reject.empty() && accept.empty())
{
return true;
}
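Review bot: The collection of the reject and accept sets is the same four-way selection (global, all-server, per-adapter, client) written out twice with only the member names differing, which doubles the surface where a future scope can be added to one set and forgotten in the other. Two file-local helpers, one that appends a non-empty list and one that looks up the per-adapter map, reduce the selection to a handful of symmetric calls while keeping the push order within each set unchanged. The rest of verify (the early return and the subject extraction) is untouched; the function continues past this hunk.
```cpp
static void
addIfNotEmpty(list<list<DistinguishedName> >& sets, const list<DistinguishedName>& dns)
{
    if(!dns.empty())
    {
        sets.push_back(dns);
    }
}

static void
addAdapterEntry(list<list<DistinguishedName> >& sets,
                const map<string, list<DistinguishedName> >& byAdapter, const string& adapterName)
{
    if(!adapterName.empty())
    {
        map<string, list<DistinguishedName> >::const_iterator p = byAdapter.find(adapterName);
        if(p != byAdapter.end())
        {
            sets.push_back(p->second);
        }
    }
}

bool
TrustManager::verify(const ConnectionInfo& info)
{
    list<list<DistinguishedName> > reject, accept;

    addIfNotEmpty(reject, _rejectAll);
    addIfNotEmpty(accept, _acceptAll);
    if(info.incoming)
    {
        addIfNotEmpty(reject, _rejectAllServer);
        addAdapterEntry(reject, _rejectServer, info.adapterName);
        addIfNotEmpty(accept, _acceptAllServer);
        addAdapterEntry(accept, _acceptServer, info.adapterName);
    }
    else
    {
        addIfNotEmpty(reject, _rejectClient);
        addIfNotEmpty(accept, _acceptClient);
    }

    // … unchanged: early return when both sets are empty, subject extraction …
```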
@@ -141,16 +177,42 @@ TrustManager::verify(const ConnectionInfo& info)
}
}
}
-
+
+ list<list<DistinguishedName> >::const_iterator p;
+
//
- // Try matching against everything in the trust set.
+ // Fail if we match anything in the reject set.
//
- for(list<list<DistinguishedName> >::const_iterator p = trustset.begin(); p != trustset.end(); ++p)
+ for(p = reject.begin(); p != reject.end(); ++p)
{
if(_traceLevel > 1)
{
Ice::Trace trace(_communicator->getLogger(), "Security");
- trace << "trust manager matching PDNs:\n";
+ trace << "trust manager rejecting PDNs:\n";
+ for(list<DistinguishedName>::const_iterator r = p->begin(); r != p->end(); ++r)
+ {
+ if(r != p->begin())
+ {
+ trace << ';';
+ }
+ trace << string(*r);
+ }
+ }
+ if(match(*p, subject))
+ {
+ return false;
+ }
+ }
+
+ //
+ // Succeed if we match anything in the accept set.
+ //
+ for(p = accept.begin(); p != accept.end(); ++p)
+ {
+ if(_traceLevel > 1)
+ {
+ Ice::Trace trace(_communicator->getLogger(), "Security");
+ trace << "trust manager accepting PDNs:\n";
for(list<DistinguishedName>::const_iterator r = p->begin(); r != p->end(); ++r)
{
if(r != p->begin())
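Review bot: The reject loop runs to completion before any accept entry is consulted, so a reject rule from any scope (global `IceSSL.TrustOnly`, `.Server`, `.Client` or a per-adapter entry) refuses the subject even when a more specific accept entry would match it; that precedence is the security-relevant behaviour of this change and is not stated anywhere in the code. The comment at the top of the reject loop should say so: `// Reject rules take precedence over accept rules, regardless of which property they came from: a subject matching any reject entry is refused even if an accept entry would also match it.` Together with the `return accept.empty();` added in the last hunk this means a reject-only configuration admits every subject that matches no reject entry, which is worth a sentence in the header as well. verify continues past this hunk in both directions.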
@@ -165,6 +227,11 @@ TrustManager::verify(const ConnectionInfo& info)
return true;
}
}
+
+ //
+ // At this point we accept the connection if there are no explicit accept rules.
+ //
+ return accept.empty();
}
return false;
@@ -183,17 +250,23 @@ TrustManager::match(const list< DistinguishedName>& matchSet, const Distinguishe
return false;
}
-list<DistinguishedName>
-TrustManager::parse(const string& value) const
+void
+TrustManager::parse(const string& value, list<DistinguishedName>& reject, list<DistinguishedName>& accept) const
{
- list<DistinguishedName> result;
if(!value.empty())
{
- RFC2253::RDNSeqSeq dns = RFC2253::parse(value);
- for(RFC2253::RDNSeqSeq::const_iterator p = dns.begin(); p != dns.end(); ++p)
+ RFC2253::RDNEntrySeq dns = RFC2253::parse(value);
+
+ for(RFC2253::RDNEntrySeq::const_iterator p = dns.begin(); p != dns.end(); ++p)
{
- result.push_back(DistinguishedName(*p));
+ if(p->negate)
+ {
+ reject.push_back(DistinguishedName(p->rdn));
+ }
+ else
+ {
+ accept.push_back(DistinguishedName(p->rdn));
+ }
}
}
- return result;
}
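Review bot: parse appends to `reject` and `accept` without clearing them first, so its result depends on what the caller passed in; the constructor always passes fresh lists, but the contract is invisible at the call sites and the `void` return gives no hint. A comment above the definition should state it: `// Splits value into its ';'-separated entries and appends each to reject (prefixed with '!') or accept (otherwise). The lists are not cleared; an empty value leaves both untouched.` If appending is not intended, `reject.clear(); accept.clear();` at the top would make the out-parameters independent of caller state.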
diff --git a/cpp/src/IceSSL/TrustManager.h b/cpp/src/IceSSL/TrustManager.h
index a98802d0db7..1e8eb09db2d 100644
--- a/cpp/src/IceSSL/TrustManager.h
+++ b/cpp/src/IceSSL/TrustManager.h
@@ -30,15 +30,20 @@ public:
private:
bool match(const std::list< DistinguishedName> &, const DistinguishedName&) const;
- std::list<DistinguishedName> parse(const std::string&) const;
+ void parse(const std::string&, std::list<DistinguishedName>&, std::list<DistinguishedName>&) const;
const Ice::CommunicatorPtr _communicator;
int _traceLevel;
- std::list<DistinguishedName> _all;
- std::list<DistinguishedName> _client;
- std::list<DistinguishedName> _allServer;
- std::map<std::string, std::list<DistinguishedName> > _server;
+ std::list<DistinguishedName> _rejectAll;
+ std::list<DistinguishedName> _rejectClient;
+ std::list<DistinguishedName> _rejectAllServer;
+ std::map<std::string, std::list<DistinguishedName> > _rejectServer;
+
+ std::list<DistinguishedName> _acceptAll;
+ std::list<DistinguishedName> _acceptClient;
+ std::list<DistinguishedName> _acceptAllServer;
+ std::map<std::string, std::list<DistinguishedName> > _acceptServer;
};
}
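Review bot: The eight new members and the two-output `parse` carry no documentation, and the split between the per-adapter maps and the flat lists is only discoverable from the constructor and verify in the .cpp. A short comment per group would make the header self-explanatory: above `_rejectAll` something like `// DNs that cause a peer to be refused, from IceSSL.TrustOnly, .Client, .Server and .Server.<adapter>; per-adapter maps are keyed by object adapter name and only hold non-empty lists.`, a matching line above `_acceptAll` for the accept set, and on `parse` a line noting that it appends the '!'-prefixed entries of the property value to the first list and the others to the second. The same header is the natural place to record that reject entries are checked before accept entries.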