zeroc-ice 3.7.2 → 3.7.3

data/ext/ice/cpp/src/IceSSL/CertificateI.cpp

@@ -46,7 +46,7 @@ const CertificateOID IceSSL::certificateOIDS[] =
 const int IceSSL::certificateOIDSSize = sizeof(IceSSL::certificateOIDS) / sizeof(CertificateOID);
 
 CertificateReadException::CertificateReadException(const char* file, int line, const string& r) :
-    ExceptionHelper<CertificateReadException>(file, line),
+    IceUtil::ExceptionHelper<CertificateReadException>(file, line),
     reason(r)
 {
 }
@@ -72,7 +72,7 @@ CertificateReadException::ice_clone() const
 #endif
 
 CertificateEncodingException::CertificateEncodingException(const char* file, int line, const string& r) :
-    ExceptionHelper<CertificateEncodingException>(file, line),
+    IceUtil::ExceptionHelper<CertificateEncodingException>(file, line),
     reason(r)
 {
 }
@@ -98,7 +98,7 @@ CertificateEncodingException::ice_clone() const
 #endif
 
 ParseException::ParseException(const char* file, int line, const string& r) :
-    ExceptionHelper<ParseException>(file, line),
+    IceUtil::ExceptionHelper<ParseException>(file, line),
     reason(r)
 {
 }

data/ext/ice/cpp/src/IceSSL/ConnectionInfo.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.2
+// Ice version 3.7.3
 //
 // <auto-generated>
 //
@@ -34,10 +34,10 @@
 #   if ICE_INT_VERSION / 100 != 307
 #       error Ice version mismatch!
 #   endif
-#   if ICE_INT_VERSION % 100 > 50
+#   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 2
+#   if ICE_INT_VERSION % 100 < 3
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/ConnectionInfoF.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.2
+// Ice version 3.7.3
 //
 // <auto-generated>
 //
@@ -32,10 +32,10 @@
 #   if ICE_INT_VERSION / 100 != 307
 #       error Ice version mismatch!
 #   endif
-#   if ICE_INT_VERSION % 100 > 50
+#   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 2
+#   if ICE_INT_VERSION % 100 < 3
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/EndpointInfo.cpp

@@ -2,7 +2,7 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 //
-// Ice version 3.7.2
+// Ice version 3.7.3
 //
 // <auto-generated>
 //
@@ -34,10 +34,10 @@
 #   if ICE_INT_VERSION / 100 != 307
 #       error Ice version mismatch!
 #   endif
-#   if ICE_INT_VERSION % 100 > 50
+#   if ICE_INT_VERSION % 100 >= 50
 #       error Beta header file detected
 #   endif
-#   if ICE_INT_VERSION % 100 < 2
+#   if ICE_INT_VERSION % 100 < 3
 #       error Ice patch level mismatch!
 #   endif
 #endif

data/ext/ice/cpp/src/IceSSL/OpenSSLEngine.cpp

@@ -84,7 +84,7 @@ IceSSL_opensslThreadIdCallback()
     // On some platforms, pthread_t is a pointer to a per-thread structure.
     //
     return reinterpret_cast<unsigned long>(pthread_self());
-#  elif defined(__linux) || defined(__sun) || defined(__hpux) || defined(_AIX) || defined(__GLIBC__)
+#  elif defined(__linux__) || defined(__sun) || defined(__hpux) || defined(_AIX) || defined(__GLIBC__)
     //
     // On Linux, Solaris, HP-UX and AIX, pthread_t is an integer.
     //
@@ -609,14 +609,14 @@ OpenSSL::SSLEngine::initialize()
                                 if(!cert || !SSL_CTX_use_certificate(_ctx, cert))
                                 {
                                     throw PluginInitializationException(__FILE__, __LINE__,
-                                                                "IceSSL: unable to establish SSL certificate:\n" +
+                                                                "IceSSL: unable to load SSL certificate:\n" +
                                                                 (cert ? sslErrors() : "certificate not found"));
                                 }
 
                                 if(!key || !SSL_CTX_use_PrivateKey(_ctx, key))
                                 {
                                     throw PluginInitializationException(__FILE__, __LINE__,
-                                                                "IceSSL: unable to establish SSL private key:\n" +
+                                                                "IceSSL: unable to load SSL private key:\n" +
                                                                 (key ? sslErrors() : "key not found"));
                                 }
                                 keyLoaded = true;
@@ -931,22 +931,10 @@ OpenSSL::SSLEngine::destroy()
     if(_ctx)
     {
         SSL_CTX_free(_ctx);
+        _ctx = 0;
     }
 }
 
-void
-OpenSSL::SSLEngine::verifyPeer(const string& address, const IceSSL::ConnectionInfoPtr& info, const string& desc)
-{
-#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10002000L
-    //
-    // Peer hostname verification is new in OpenSSL 1.0.2 for older versions
-    //  we use IceSSL build in hostname verification.
-    //
-    verifyPeerCertName(address, info);
-#endif
-    IceSSL::SSLEngine::verifyPeer(address, info, desc);
-}
-
 IceInternal::TransceiverPtr
 OpenSSL::SSLEngine::createTransceiver(const InstancePtr& instance,
                                       const IceInternal::TransceiverPtr& delegate,

data/ext/ice/cpp/src/IceSSL/OpenSSLEngine.h

@@ -26,7 +26,6 @@ public:
 
     virtual void initialize();
     virtual void destroy();
-    virtual void verifyPeer(const std::string&, const IceSSL::ConnectionInfoPtr&, const std::string&);
     virtual IceInternal::TransceiverPtr
     createTransceiver(const IceSSL::InstancePtr&, const IceInternal::TransceiverPtr&, const std::string&, bool);
 

data/ext/ice/cpp/src/IceSSL/OpenSSLTransceiverI.cpp

@@ -171,22 +171,41 @@ OpenSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::
             // Hostname verification was included in OpenSSL 1.0.2
             //
 #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L
-            if(_engine->getCheckCertName() && !_host.empty() && (sslVerifyMode & SSL_VERIFY_PEER))
+            if(_engine->getCheckCertName() && !_host.empty())
             {
                 X509_VERIFY_PARAM* param = SSL_get0_param(_ssl);
                 if(IceInternal::isIpAddress(_host))
                 {
-                    X509_VERIFY_PARAM_set1_ip_asc(param, _host.c_str());
+                    if(!X509_VERIFY_PARAM_set1_ip_asc(param, _host.c_str()))
+                    {
+                        throw SecurityException(__FILE__, __LINE__, "IceSSL: error setting the expected IP address `"
+                                                + _host + "'");
+                    }
                 }
                 else
                 {
-                    X509_VERIFY_PARAM_set1_host(param, _host.c_str(), 0);
+                    if(!X509_VERIFY_PARAM_set1_host(param, _host.c_str(), 0))
+                    {
+                        throw SecurityException(__FILE__, __LINE__, "IceSSL: error setting the expected host name `"
+                                                + _host + "'");
+                    }
                 }
             }
 #endif
 
             SSL_set_verify(_ssl, sslVerifyMode, IceSSL_opensslVerifyCallback);
         }
+
+        //
+        // Enable SNI
+        //
+        if(!_incoming && _engine->getServerNameIndication() && !_host.empty() && !IceInternal::isIpAddress(_host))
+        {
+            if(!SSL_set_tlsext_host_name(_ssl, _host.c_str()))
+            {
+                throw SecurityException(__FILE__, __LINE__, "IceSSL: setting SNI host failed `" + _host + "'");
+            }
+        }
     }
 
     while(!SSL_is_init_finished(_ssl))
@@ -320,6 +339,24 @@ OpenSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::
     }
 
     _cipher = SSL_get_cipher_name(_ssl); // Nothing needs to be free'd.
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10002000L
+    try
+    {
+        //
+        // Peer hostname verification is new in OpenSSL 1.0.2 for older versions
+        // We use IceSSL built-in hostname verification.
+        //
+        _engine->verifyPeerCertName(address, info);
+    }
+    catch(const SecurityException&)
+    {
+        _verified = false;
+        if(_engine->getVerifyPeer() > 0)
+        {
+            throw;
+        }
+    }
+#endif
     _engine->verifyPeer(_host, ICE_DYNAMIC_CAST(ConnectionInfo, getInfo()), toString());
 
     if(_engine->securityTraceLevel() >= 1)

data/ext/ice/cpp/src/IceSSL/SChannelEngine.cpp

@@ -1273,13 +1273,6 @@ SChannel::SSLEngine::destroy()
     }
 }
 
-void
-SChannel::SSLEngine::verifyPeer(const string& address, const IceSSL::ConnectionInfoPtr& info, const string& desc)
-{
-    verifyPeerCertName(address, info);
-    IceSSL::SSLEngine::verifyPeer(address, info, desc);
-}
-
 IceInternal::TransceiverPtr
 SChannel::SSLEngine::createTransceiver(const InstancePtr& instance,
                                        const IceInternal::TransceiverPtr& delegate,

data/ext/ice/cpp/src/IceSSL/SChannelEngine.h

@@ -91,8 +91,6 @@ public:
     //
     virtual void destroy();
 
-    virtual void verifyPeer(const std::string&, const ConnectionInfoPtr&, const std::string&);
-
     std::string getCipherName(ALG_ID) const;
 
     CredHandle newCredentialsHandle(bool);

data/ext/ice/cpp/src/IceSSL/SChannelTransceiverI.cpp

@@ -746,7 +746,20 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
         throw SecurityException(__FILE__, __LINE__, "IceSSL: error reading cipher info:\n" + secStatusToString(err));
     }
 
-    _engine->verifyPeer(_host, ICE_DYNAMIC_CAST(ConnectionInfo, getInfo()), toString());
+    ConnectionInfoPtr info = ICE_DYNAMIC_CAST(ConnectionInfo, getInfo());
+    try
+    {
+        _engine->verifyPeerCertName(_host, info);
+    }
+    catch(const Ice::SecurityException&)
+    {
+        _verified = false;
+        if(_engine->getVerifyPeer() > 0)
+        {
+            throw;
+        }
+    }
+    _engine->verifyPeer(_host, info, toString());
     _state = StateHandshakeComplete;
 
     if(_instance->engine()->securityTraceLevel() >= 1)
@@ -754,12 +767,11 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
         string sslCipherName;
         string sslKeyExchangeAlgorithm;
         string sslProtocolName;
-        SecPkgContext_ConnectionInfo info;
-        if(QueryContextAttributes(&_ssl, SECPKG_ATTR_CONNECTION_INFO, &info) == SEC_E_OK)
+        if(QueryContextAttributes(&_ssl, SECPKG_ATTR_CONNECTION_INFO, &connInfo) == SEC_E_OK)
         {
-            sslCipherName = _engine->getCipherName(info.aiCipher);
-            sslKeyExchangeAlgorithm = _engine->getCipherName(info.aiExch);
-            sslProtocolName = protocolName(info.dwProtocol);
+            sslCipherName = _engine->getCipherName(connInfo.aiCipher);
+            sslKeyExchangeAlgorithm = _engine->getCipherName(connInfo.aiExch);
+            sslProtocolName = protocolName(connInfo.dwProtocol);
         }
 
         Trace out(_instance->logger(), _instance->traceCategory());

data/ext/ice/cpp/src/IceSSL/SSLEngine.cpp

@@ -109,6 +109,12 @@ IceSSL::SSLEngine::initialize()
     //
     _checkCertName = properties->getPropertyAsIntWithDefault(propPrefix + "CheckCertName", 0) > 0;
 
+    //
+    // CheckCertName > 1 enables SNI, the SNI extension applies to client connections,
+    // indicating the hostname to the server (must be DNS hostname, not an IP address).
+    //
+    _serverNameIndication = properties->getPropertyAsIntWithDefault(propPrefix + "CheckCertName", 0) > 1;
+
     //
     // VerifyDepthMax establishes the maximum length of a peer's certificate
     // chain, including the peer's certificate. A value of 0 means there is
@@ -201,19 +207,19 @@ IceSSL::SSLEngine::verifyPeerCertName(const string& address, const ConnectionInf
         if(!certNameOK)
         {
             ostringstream ostr;
-            ostr << "IceSSL: certificate validation failure: "
-                 << (isIpAddress ? "IP address mismatch" : "Hostname mismatch");
+            ostr << "IceSSL: ";
+            if(_verifyPeer > 0)
+            {
+                ostr << "ignoring ";
+            }
+            ostr << "certificate verification failure " << (isIpAddress ? "IP address mismatch" : "Hostname mismatch");
             string msg = ostr.str();
             if(_securityTraceLevel >= 1)
             {
                 Trace out(_logger, _securityTraceCategory);
                 out << msg;
             }
-
-            if(_verifyPeer > 0)
-            {
-                throw SecurityException(__FILE__, __LINE__, msg);
-            }
+            throw SecurityException(__FILE__, __LINE__, msg);
         }
     }
 }
@@ -263,6 +269,12 @@ IceSSL::SSLEngine::getCheckCertName() const
     return _checkCertName;
 }
 
+bool
+IceSSL::SSLEngine::getServerNameIndication() const
+{
+    return _serverNameIndication;
+}
+
 int
 IceSSL::SSLEngine::getVerifyPeer() const
 {

data/ext/ice/cpp/src/IceSSL/SSLEngine.h

@@ -63,6 +63,7 @@ public:
     void setPassword(const std::string& password);
 
     bool getCheckCertName() const;
+    bool getServerNameIndication() const;
     int getVerifyPeer() const;
     int securityTraceLevel() const;
     std::string securityTraceCategory() const;
@@ -83,6 +84,7 @@ private:
     PasswordPromptPtr _prompt;
 
     bool _checkCertName;
+    bool _serverNameIndication;
     int _verifyDepthMax;
     int _verifyPeer;
     int _securityTraceLevel;

data/ext/ice/cpp/src/IceSSL/SecureTransportCertificateI.cpp

@@ -2,6 +2,12 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 
+//
+// Disable deprecation warnings for SecCertificateCopyNormalizedIssuerContent and
+// SecCertificateCopyNormalizedSubjectContent
+//
+#include <IceUtil/DisableWarnings.h>
+
 #include <IceSSL/Plugin.h>
 #include <IceSSL/SecureTransport.h>
 #include <IceSSL/CertificateI.h>
@@ -77,7 +83,11 @@ class ASN1Parser
 {
 public:
 
-    ASN1Parser(CFDataRef data) : _data(CFDataGetBytePtr(data)), _length(CFDataGetLength(data)), _p(_data), _next(0)
+    ASN1Parser(CFDataRef data) :
+        _data(CFDataGetBytePtr(data)),
+        _length(static_cast<size_t>(CFDataGetLength(data))),
+        _p(_data),
+        _next(0)
     {
     }
 
@@ -164,7 +174,7 @@ public:
     parseUTF8String()
     {
         int length = parseLength(0);
-        string v(reinterpret_cast<const char*>(_p), length);
+        string v(reinterpret_cast<const char*>(_p), static_cast<size_t>(length));
         _p += length;
         return v;
     }
@@ -293,8 +303,8 @@ getX509Name(SecCertificateRef cert, CFTypeRef key)
     if(property)
     {
         CFArrayRef dn = static_cast<CFArrayRef>(CFDictionaryGetValue(property.get(), kSecPropertyKeyValue));
-        int size = CFArrayGetCount(dn);
-        for(int i = 0; i < size; ++i)
+        CFIndex size = CFArrayGetCount(dn);
+        for(CFIndex i = 0; i < size; ++i)
         {
             CFDictionaryRef dict = static_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(dn, i));
             rdnPairs.push_front(make_pair(
@@ -317,9 +327,9 @@ getX509AltName(SecCertificateRef cert, CFTypeRef key)
     if(property)
     {
         CFArrayRef names = static_cast<CFArrayRef>(CFDictionaryGetValue(property.get(), kSecPropertyKeyValue));
-        int size = CFArrayGetCount(names);
+        CFIndex size = CFArrayGetCount(names);
 
-        for(int i = 0; i < size; ++i)
+        for(CFIndex i = 0; i < size; ++i)
         {
             CFDictionaryRef dict = static_cast<CFDictionaryRef>(CFArrayGetValueAtIndex(names, i));
 
@@ -341,7 +351,7 @@ getX509AltName(SecCertificateRef cert, CFTypeRef key)
                 {
                     CFArrayRef section = (CFArrayRef)v;
                     ostringstream os;
-                    for(int j = 0, count = CFArrayGetCount(section); j < count;)
+                    for(CFIndex j = 0, count = CFArrayGetCount(section); j < count;)
                     {
                         CFDictionaryRef d = (CFDictionaryRef)CFArrayGetValueAtIndex(section, j);
 
@@ -434,7 +444,7 @@ SecureTransportCertificateI::getAuthorityKeyIdentifier() const
     if(property)
     {
         CFTypeRef type = 0;
-        CFTypeRef value;
+        CFTypeRef value = 0;
         if(CFDictionaryGetValueIfPresent(property.get(), kSecPropertyKeyType, &type))
         {
             if(CFEqual(type, kSecPropertyTypeSection))
@@ -453,8 +463,8 @@ SecureTransportCertificateI::getAuthorityKeyIdentifier() const
             {
                 CFDataRef data = static_cast<CFDataRef>(
                     CFDictionaryGetValue(static_cast<CFDictionaryRef>(value), kSecPropertyKeyValue));
-                keyid.resize(CFDataGetLength(data));
-                memcpy(&keyid[0], CFDataGetBytePtr(data), CFDataGetLength(data));
+                keyid.resize(static_cast<size_t>(CFDataGetLength(data)));
+                memcpy(&keyid[0], CFDataGetBytePtr(data), static_cast<size_t>(CFDataGetLength(data)));
             }
         }
     }
@@ -473,7 +483,7 @@ SecureTransportCertificateI::getSubjectKeyIdentifier() const
     if(property)
     {
         CFTypeRef type = 0;
-        CFTypeRef value;
+        CFTypeRef value = 0;
         if(CFDictionaryGetValueIfPresent(property.get(), kSecPropertyKeyType, &type))
         {
             if(CFEqual(type, kSecPropertyTypeSection))
@@ -492,8 +502,8 @@ SecureTransportCertificateI::getSubjectKeyIdentifier() const
             {
                 CFDataRef data = static_cast<CFDataRef>(
                     CFDictionaryGetValue(static_cast<CFDictionaryRef>(value), kSecPropertyKeyValue));
-                keyid.resize(CFDataGetLength(data));
-                memcpy(&keyid[0], CFDataGetBytePtr(data), CFDataGetLength(data));
+                keyid.resize(static_cast<size_t>(CFDataGetLength(data)));
+                memcpy(&keyid[0], CFDataGetBytePtr(data), static_cast<size_t>(CFDataGetLength(data)));
             }
         }
     }
@@ -574,7 +584,7 @@ SecureTransportCertificateI::encode() const
     ostringstream os;
     os << "-----BEGIN CERTIFICATE-----\n";
     os << IceInternal::Base64::encode(data);
-    os << "-----END CERTIFICATE-----\n";
+    os << "\n-----END CERTIFICATE-----\n";
     return os.str();
 #else // macOS
     UniqueRef<CFDataRef> exported;
@@ -583,7 +593,8 @@ SecureTransportCertificateI::encode() const
     {
         throw CertificateEncodingException(__FILE__, __LINE__, sslErrorToString(err));
     }
-    return string(reinterpret_cast<const char*>(CFDataGetBytePtr(exported.get())), CFDataGetLength(exported.get()));
+    return string(reinterpret_cast<const char*>(CFDataGetBytePtr(exported.get())),
+                  static_cast<size_t>(CFDataGetLength(exported.get())));
 #endif
 }
 
@@ -805,23 +816,23 @@ IceSSL::SecureTransport::CertificatePtr
 IceSSL::SecureTransport::Certificate::decode(const std::string& encoding)
 {
 #ifdef ICE_USE_SECURE_TRANSPORT_IOS
-    string::size_type size, startpos, endpos = 0;
-    startpos = encoding.find("-----BEGIN CERTIFICATE-----", endpos);
+    string::size_type size = 0;
+    string::size_type startpos = 0;
+    startpos = encoding.find("-----BEGIN CERTIFICATE-----", 0);
     if(startpos != string::npos)
     {
         startpos += sizeof("-----BEGIN CERTIFICATE-----");
-        endpos = encoding.find("-----END CERTIFICATE-----", startpos);
+        string::size_type endpos = encoding.find("-----END CERTIFICATE-----", startpos);
         size = endpos - startpos;
     }
     else
     {
         startpos = 0;
-        endpos = string::npos;
         size = encoding.size();
     }
 
     vector<unsigned char> data(IceInternal::Base64::decode(string(&encoding[startpos], size)));
-    UniqueRef<CFDataRef> certdata(CFDataCreate(kCFAllocatorDefault, &data[0], data.size()));
+    UniqueRef<CFDataRef> certdata(CFDataCreate(kCFAllocatorDefault, &data[0], static_cast<CFIndex>(data.size())));
     SecCertificateRef cert = SecCertificateCreateWithData(0, certdata.get());
     if(!cert)
     {
@@ -833,7 +844,7 @@ IceSSL::SecureTransport::Certificate::decode(const std::string& encoding)
     UniqueRef<CFDataRef> data(
         CFDataCreateWithBytesNoCopy(kCFAllocatorDefault,
                                     reinterpret_cast<const UInt8*>(encoding.c_str()),
-                                    encoding.size(), kCFAllocatorNull));
+                                    static_cast<CFIndex>(encoding.size()), kCFAllocatorNull));
 
     SecExternalFormat format = kSecFormatUnknown;
     SecExternalItemType type = kSecItemTypeCertificate;