zeroc-ice 3.7.6 → 3.7.7
- checksums.yaml +4 -4
- data/ext/Config.h +5 -0
- data/ext/ice/cpp/include/Ice/Functional.h +3 -1
- data/ext/ice/cpp/include/Ice/Object.h +2 -0
- data/ext/ice/cpp/include/Ice/Proxy.h +25 -16
- data/ext/ice/cpp/include/IceSSL/Plugin.h +84 -0
- data/ext/ice/cpp/include/IceUtil/Config.h +2 -2
- data/ext/ice/cpp/include/IceUtil/Functional.h +3 -1
- data/ext/ice/cpp/include/IceUtil/ResourceConfig.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/BuiltinSequences.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Communicator.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/CommunicatorF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Connection.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ConnectionF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Current.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Endpoint.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/EndpointF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/EndpointTypes.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/FacetMap.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Identity.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ImplicitContext.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ImplicitContextF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Instrumentation.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/InstrumentationF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/LocalException.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Locator.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/LocatorF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Logger.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/LoggerF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Metrics.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ObjectAdapter.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ObjectAdapterF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ObjectFactory.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Plugin.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/PluginF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Process.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ProcessF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Properties.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/PropertiesAdmin.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/PropertiesF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/RemoteLogger.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Router.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/RouterF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ServantLocator.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ServantLocatorF.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/SliceChecksumDict.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/ValueFactory.h +2 -2
- data/ext/ice/cpp/include/generated/Ice/Version.h +2 -2
- data/ext/ice/cpp/include/generated/IceSSL/ConnectionInfo.h +2 -2
- data/ext/ice/cpp/include/generated/IceSSL/ConnectionInfoF.h +2 -2
- data/ext/ice/cpp/include/generated/IceSSL/EndpointInfo.h +2 -2
- data/ext/ice/cpp/src/Ice/BuiltinSequences.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Communicator.cpp +2 -2
- data/ext/ice/cpp/src/Ice/CommunicatorF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Connection.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ConnectionF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ConnectionFactory.cpp +3 -3
- data/ext/ice/cpp/src/Ice/Current.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Endpoint.cpp +2 -2
- data/ext/ice/cpp/src/Ice/EndpointF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/EndpointTypes.cpp +2 -2
- data/ext/ice/cpp/src/Ice/FacetMap.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Identity.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ImplicitContext.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ImplicitContextF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Instrumentation.cpp +2 -2
- data/ext/ice/cpp/src/Ice/InstrumentationF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/LocalException.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Locator.cpp +2 -2
- data/ext/ice/cpp/src/Ice/LocatorF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/LocatorInfo.cpp +3 -3
- data/ext/ice/cpp/src/Ice/Logger.cpp +2 -2
- data/ext/ice/cpp/src/Ice/LoggerF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Metrics.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ObjectAdapter.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ObjectAdapterF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ObjectAdapterFactory.cpp +4 -4
- data/ext/ice/cpp/src/Ice/ObjectAdapterI.cpp +8 -8
- data/ext/ice/cpp/src/Ice/ObjectFactory.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Plugin.cpp +2 -2
- data/ext/ice/cpp/src/Ice/PluginF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Process.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ProcessF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Properties.cpp +2 -2
- data/ext/ice/cpp/src/Ice/PropertiesAdmin.cpp +2 -2
- data/ext/ice/cpp/src/Ice/PropertiesF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/PropertyNames.cpp +5 -2
- data/ext/ice/cpp/src/Ice/PropertyNames.h +1 -1
- data/ext/ice/cpp/src/Ice/RemoteLogger.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Router.cpp +2 -2
- data/ext/ice/cpp/src/Ice/RouterF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/RouterInfo.cpp +6 -2
- data/ext/ice/cpp/src/Ice/SHA1.cpp +2 -0
- data/ext/ice/cpp/src/Ice/ServantLocator.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ServantLocatorF.cpp +2 -2
- data/ext/ice/cpp/src/Ice/SliceChecksumDict.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Thread.cpp +2 -2
- data/ext/ice/cpp/src/Ice/ThreadPool.cpp +5 -1
- data/ext/ice/cpp/src/Ice/ValueFactory.cpp +2 -2
- data/ext/ice/cpp/src/Ice/Version.cpp +2 -2
- data/ext/ice/cpp/src/IceDiscovery/IceDiscovery.cpp +2 -2
- data/ext/ice/cpp/src/IceDiscovery/IceDiscovery.h +2 -2
- data/ext/ice/cpp/src/IceLocatorDiscovery/IceLocatorDiscovery.cpp +2 -2
- data/ext/ice/cpp/src/IceLocatorDiscovery/IceLocatorDiscovery.h +2 -2
- data/ext/ice/cpp/src/IceSSL/CertificateI.cpp +23 -1
- data/ext/ice/cpp/src/IceSSL/ConnectionInfo.cpp +2 -2
- data/ext/ice/cpp/src/IceSSL/ConnectionInfoF.cpp +2 -2
- data/ext/ice/cpp/src/IceSSL/EndpointInfo.cpp +2 -2
- data/ext/ice/cpp/src/IceSSL/OpenSSLCertificateI.cpp +110 -5
- data/ext/ice/cpp/src/IceSSL/OpenSSLEngine.cpp +60 -1
- data/ext/ice/cpp/src/IceSSL/OpenSSLUtil.cpp +2 -0
- data/ext/ice/cpp/src/IceSSL/PluginI.h +11 -0
- data/ext/ice/cpp/src/IceSSL/SChannelCertificateI.cpp +142 -1
- data/ext/ice/cpp/src/IceSSL/SChannelTransceiverI.cpp +45 -30
- data/ext/ice/cpp/src/IceSSL/SSLEngine.cpp +20 -1
- data/ext/ice/cpp/src/IceSSL/SSLEngine.h +4 -0
- data/ext/ice/cpp/src/IceSSL/SecureTransportCertificateI.cpp +133 -2
- data/ext/ice/cpp/src/IceSSL/SecureTransportTransceiverI.cpp +38 -17
- data/ext/ice/cpp/src/IceUtil/StringConverter.cpp +6 -0
- data/ext/ice/cpp/src/Slice/Parser.cpp +4 -0
- data/ext/ice/cpp/src/Slice/Parser.h +2 -2
- data/ext/ice/cpp/src/Slice/PythonUtil.cpp +8 -0
- data/ice.gemspec +1 -1
- data/lib/Glacier2/Metrics.rb +1 -1
- data/lib/Glacier2/PermissionsVerifier.rb +1 -1
- data/lib/Glacier2/PermissionsVerifierF.rb +1 -1
- data/lib/Glacier2/Router.rb +1 -1
- data/lib/Glacier2/RouterF.rb +1 -1
- data/lib/Glacier2/SSLInfo.rb +1 -1
- data/lib/Glacier2/Session.rb +1 -1
- data/lib/Ice/BuiltinSequences.rb +1 -1
- data/lib/Ice/Communicator.rb +1 -1
- data/lib/Ice/CommunicatorF.rb +1 -1
- data/lib/Ice/Connection.rb +1 -1
- data/lib/Ice/ConnectionF.rb +1 -1
- data/lib/Ice/Current.rb +1 -1
- data/lib/Ice/Endpoint.rb +1 -1
- data/lib/Ice/EndpointF.rb +1 -1
- data/lib/Ice/EndpointTypes.rb +1 -1
- data/lib/Ice/FacetMap.rb +1 -1
- data/lib/Ice/Identity.rb +1 -1
- data/lib/Ice/ImplicitContext.rb +1 -1
- data/lib/Ice/ImplicitContextF.rb +1 -1
- data/lib/Ice/Instrumentation.rb +1 -1
- data/lib/Ice/InstrumentationF.rb +1 -1
- data/lib/Ice/LocalException.rb +1 -1
- data/lib/Ice/Locator.rb +1 -1
- data/lib/Ice/LocatorF.rb +1 -1
- data/lib/Ice/Logger.rb +1 -1
- data/lib/Ice/LoggerF.rb +1 -1
- data/lib/Ice/Metrics.rb +1 -1
- data/lib/Ice/ObjectAdapter.rb +1 -1
- data/lib/Ice/ObjectAdapterF.rb +1 -1
- data/lib/Ice/ObjectFactory.rb +1 -1
- data/lib/Ice/Plugin.rb +1 -1
- data/lib/Ice/PluginF.rb +1 -1
- data/lib/Ice/Process.rb +1 -1
- data/lib/Ice/ProcessF.rb +1 -1
- data/lib/Ice/Properties.rb +1 -1
- data/lib/Ice/PropertiesAdmin.rb +1 -1
- data/lib/Ice/PropertiesF.rb +1 -1
- data/lib/Ice/RemoteLogger.rb +1 -1
- data/lib/Ice/Router.rb +1 -1
- data/lib/Ice/RouterF.rb +1 -1
- data/lib/Ice/ServantLocator.rb +1 -1
- data/lib/Ice/ServantLocatorF.rb +1 -1
- data/lib/Ice/SliceChecksumDict.rb +1 -1
- data/lib/Ice/ValueFactory.rb +1 -1
- data/lib/Ice/Version.rb +1 -1
- data/lib/IceBox/IceBox.rb +1 -1
- data/lib/IceGrid/Admin.rb +1 -1
- data/lib/IceGrid/Descriptor.rb +1 -1
- data/lib/IceGrid/Exception.rb +1 -1
- data/lib/IceGrid/FileParser.rb +1 -1
- data/lib/IceGrid/PluginFacade.rb +1 -1
- data/lib/IceGrid/Registry.rb +1 -1
- data/lib/IceGrid/Session.rb +1 -1
- data/lib/IceGrid/UserAccountMapper.rb +1 -1
- data/lib/IcePatch2/FileInfo.rb +1 -1
- data/lib/IcePatch2/FileServer.rb +1 -1
- data/lib/IceStorm/IceStorm.rb +1 -1
- data/lib/IceStorm/Metrics.rb +1 -1
- metadata +2 -2
@@ -20,6 +20,10 @@ using namespace std;
|
|
20
20
|
using namespace Ice;
|
21
21
|
using namespace IceSSL;
|
22
22
|
|
23
|
+
#ifndef CERT_CHAIN_DISABLE_AIA
|
24
|
+
# define CERT_CHAIN_DISABLE_AIA 0x00002000
|
25
|
+
#endif
|
26
|
+
|
23
27
|
namespace
|
24
28
|
{
|
25
29
|
|
@@ -55,13 +59,25 @@ trustStatusToTrustError(DWORD status)
|
|
55
59
|
{
|
56
60
|
return IceSSL::ICE_ENUM(TrustError, NoError);
|
57
61
|
}
|
58
|
-
if (status &
|
62
|
+
if ((status & CERT_TRUST_IS_UNTRUSTED_ROOT) ||
|
63
|
+
(status & CERT_TRUST_IS_CYCLIC) ||
|
64
|
+
(status & CERT_TRUST_CTL_IS_NOT_TIME_VALID) ||
|
65
|
+
(status & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID) ||
|
66
|
+
(status & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE))
|
59
67
|
{
|
60
|
-
return IceSSL::ICE_ENUM(TrustError,
|
68
|
+
return IceSSL::ICE_ENUM(TrustError, UntrustedRoot);
|
61
69
|
}
|
62
|
-
if (status &
|
70
|
+
if (status & CERT_TRUST_IS_EXPLICIT_DISTRUST)
|
63
71
|
{
|
64
|
-
return IceSSL::ICE_ENUM(TrustError,
|
72
|
+
return IceSSL::ICE_ENUM(TrustError, NotTrusted);
|
73
|
+
}
|
74
|
+
if (status & CERT_TRUST_IS_PARTIAL_CHAIN)
|
75
|
+
{
|
76
|
+
return IceSSL::ICE_ENUM(TrustError, PartialChain);
|
77
|
+
}
|
78
|
+
if (status & CERT_TRUST_INVALID_BASIC_CONSTRAINTS)
|
79
|
+
{
|
80
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints);
|
65
81
|
}
|
66
82
|
if (status & CERT_TRUST_IS_NOT_SIGNATURE_VALID)
|
67
83
|
{
|
@@ -71,17 +87,9 @@ trustStatusToTrustError(DWORD status)
|
|
71
87
|
{
|
72
88
|
return IceSSL::ICE_ENUM(TrustError, InvalidPurpose);
|
73
89
|
}
|
74
|
-
if (
|
75
|
-
(status & CERT_TRUST_IS_CYCLIC) ||
|
76
|
-
(status & CERT_TRUST_CTL_IS_NOT_TIME_VALID) ||
|
77
|
-
(status & CERT_TRUST_CTL_IS_NOT_SIGNATURE_VALID) ||
|
78
|
-
(status & CERT_TRUST_CTL_IS_NOT_VALID_FOR_USAGE))
|
79
|
-
{
|
80
|
-
return IceSSL::ICE_ENUM(TrustError, UntrustedRoot);
|
81
|
-
}
|
82
|
-
if (status & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
|
90
|
+
if (status & CERT_TRUST_IS_REVOKED)
|
83
91
|
{
|
84
|
-
return IceSSL::ICE_ENUM(TrustError,
|
92
|
+
return IceSSL::ICE_ENUM(TrustError, Revoked);
|
85
93
|
}
|
86
94
|
if (status & CERT_TRUST_INVALID_EXTENSION)
|
87
95
|
{
|
@@ -91,10 +99,6 @@ trustStatusToTrustError(DWORD status)
|
|
91
99
|
{
|
92
100
|
return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
|
93
101
|
}
|
94
|
-
if (status & CERT_TRUST_INVALID_BASIC_CONSTRAINTS)
|
95
|
-
{
|
96
|
-
return IceSSL::ICE_ENUM(TrustError, InvalidBasicConstraints);
|
97
|
-
}
|
98
102
|
if (status & CERT_TRUST_INVALID_NAME_CONSTRAINTS)
|
99
103
|
{
|
100
104
|
return IceSSL::ICE_ENUM(TrustError, InvalidNameConstraints);
|
@@ -115,25 +119,22 @@ trustStatusToTrustError(DWORD status)
|
|
115
119
|
{
|
116
120
|
return IceSSL::ICE_ENUM(TrustError, HasExcludedNameConstraint);
|
117
121
|
}
|
118
|
-
if (status & CERT_TRUST_IS_OFFLINE_REVOCATION)
|
119
|
-
{
|
120
|
-
return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
|
121
|
-
}
|
122
122
|
if (status & CERT_TRUST_NO_ISSUANCE_CHAIN_POLICY)
|
123
123
|
{
|
124
124
|
return IceSSL::ICE_ENUM(TrustError, InvalidPolicyConstraints);
|
125
125
|
}
|
126
|
-
if (status & CERT_TRUST_IS_EXPLICIT_DISTRUST)
|
127
|
-
{
|
128
|
-
return IceSSL::ICE_ENUM(TrustError, NotTrusted);
|
129
|
-
}
|
130
126
|
if (status & CERT_TRUST_HAS_NOT_SUPPORTED_CRITICAL_EXT)
|
131
127
|
{
|
132
128
|
return IceSSL::ICE_ENUM(TrustError, HasNonSupportedCriticalExtension);
|
133
129
|
}
|
134
|
-
if (status &
|
130
|
+
if (status & CERT_TRUST_IS_OFFLINE_REVOCATION ||
|
131
|
+
status & CERT_TRUST_REVOCATION_STATUS_UNKNOWN)
|
135
132
|
{
|
136
|
-
return IceSSL::ICE_ENUM(TrustError,
|
133
|
+
return IceSSL::ICE_ENUM(TrustError, RevocationStatusUnknown);
|
134
|
+
}
|
135
|
+
if (status & CERT_TRUST_IS_NOT_TIME_VALID)
|
136
|
+
{
|
137
|
+
return IceSSL::ICE_ENUM(TrustError, InvalidTime);
|
137
138
|
}
|
138
139
|
return IceSSL::ICE_ENUM(TrustError, UnknownTrustFailure);
|
139
140
|
}
|
@@ -765,8 +766,22 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
|
|
765
766
|
|
766
767
|
string trustError;
|
767
768
|
PCCERT_CHAIN_CONTEXT certChain;
|
768
|
-
|
769
|
-
|
769
|
+
DWORD dwFlags = 0;
|
770
|
+
int revocationCheck = _engine->getRevocationCheck();
|
771
|
+
if(revocationCheck > 0)
|
772
|
+
{
|
773
|
+
if(_engine->getRevocationCheckCacheOnly())
|
774
|
+
{
|
775
|
+
// Disable network I/O for revocation checks.
|
776
|
+
dwFlags = CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY | CERT_CHAIN_DISABLE_AIA;
|
777
|
+
}
|
778
|
+
|
779
|
+
dwFlags |= (revocationCheck == 1 ?
|
780
|
+
CERT_CHAIN_REVOCATION_CHECK_END_CERT :
|
781
|
+
CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT);
|
782
|
+
}
|
783
|
+
|
784
|
+
if(!CertGetCertificateChain(_engine->chainEngine(), cert, 0, cert->hCertStore, &chainP, dwFlags, 0, &certChain))
|
770
785
|
{
|
771
786
|
CertFreeCertificateContext(cert);
|
772
787
|
trustError = IceUtilInternal::lastErrorToString();
|
@@ -27,7 +27,9 @@ IceSSL::SSLEngine::SSLEngine(const Ice::CommunicatorPtr& communicator) :
|
|
27
27
|
_initialized(false),
|
28
28
|
_communicator(communicator),
|
29
29
|
_logger(communicator->getLogger()),
|
30
|
-
_trustManager(new TrustManager(communicator))
|
30
|
+
_trustManager(new TrustManager(communicator)),
|
31
|
+
_revocationCheckCacheOnly(false),
|
32
|
+
_revocationCheck(0)
|
31
33
|
{
|
32
34
|
}
|
33
35
|
|
@@ -135,6 +137,11 @@ IceSSL::SSLEngine::initialize()
|
|
135
137
|
|
136
138
|
_securityTraceLevel = properties->getPropertyAsInt("IceSSL.Trace.Security");
|
137
139
|
_securityTraceCategory = "Security";
|
140
|
+
|
141
|
+
const_cast<bool&>(_revocationCheckCacheOnly) =
|
142
|
+
properties->getPropertyAsIntWithDefault("IceSSL.RevocationCheckCacheOnly", 1) > 0;
|
143
|
+
const_cast<int&>(_revocationCheck) =
|
144
|
+
properties->getPropertyAsIntWithDefault("IceSSL.RevocationCheck", 0);
|
138
145
|
}
|
139
146
|
|
140
147
|
void
|
@@ -292,3 +299,15 @@ IceSSL::SSLEngine::securityTraceCategory() const
|
|
292
299
|
{
|
293
300
|
return _securityTraceCategory;
|
294
301
|
}
|
302
|
+
|
303
|
+
bool
|
304
|
+
IceSSL::SSLEngine::getRevocationCheckCacheOnly() const
|
305
|
+
{
|
306
|
+
return _revocationCheckCacheOnly;
|
307
|
+
}
|
308
|
+
|
309
|
+
int
|
310
|
+
IceSSL::SSLEngine::getRevocationCheck() const
|
311
|
+
{
|
312
|
+
return _revocationCheck;
|
313
|
+
}
|
@@ -66,6 +66,8 @@ public:
|
|
66
66
|
bool getServerNameIndication() const;
|
67
67
|
int getVerifyPeer() const;
|
68
68
|
int securityTraceLevel() const;
|
69
|
+
bool getRevocationCheckCacheOnly() const;
|
70
|
+
int getRevocationCheck() const;
|
69
71
|
std::string securityTraceCategory() const;
|
70
72
|
|
71
73
|
protected:
|
@@ -89,6 +91,8 @@ private:
|
|
89
91
|
int _verifyPeer;
|
90
92
|
int _securityTraceLevel;
|
91
93
|
std::string _securityTraceCategory;
|
94
|
+
const bool _revocationCheckCacheOnly;
|
95
|
+
const int _revocationCheck;
|
92
96
|
};
|
93
97
|
|
94
98
|
}
|
@@ -8,7 +8,7 @@
|
|
8
8
|
//
|
9
9
|
#include <IceUtil/DisableWarnings.h>
|
10
10
|
|
11
|
-
#include <IceSSL/
|
11
|
+
#include <IceSSL/PluginI.h>
|
12
12
|
#include <IceSSL/SecureTransport.h>
|
13
13
|
#include <IceSSL/CertificateI.h>
|
14
14
|
#include <IceSSL/SecureTransportUtil.h>
|
@@ -32,6 +32,29 @@ using namespace std;
|
|
32
32
|
namespace
|
33
33
|
{
|
34
34
|
|
35
|
+
static unsigned char _ekuAnyKeyUsage[4] = {0x55, 0x1d, 0x25, 0x00};
|
36
|
+
static unsigned char _ekuServerAuthentication[8] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01};
|
37
|
+
static unsigned char _ekuClientAuthentication[8] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02};
|
38
|
+
static unsigned char _ekuCodeSigning[8] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x03};
|
39
|
+
static unsigned char _ekuEmailProtection[8] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x04};
|
40
|
+
static unsigned char _ekuTimeStamping[8] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x08};
|
41
|
+
static unsigned char _ekuOCSPSigning[8] = {0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x09};
|
42
|
+
|
43
|
+
static CFDataRef ekuAnyKeyUsage =
|
44
|
+
CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, _ekuAnyKeyUsage, 4, kCFAllocatorNull);
|
45
|
+
static CFDataRef ekuServerAuthentication =
|
46
|
+
CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, _ekuServerAuthentication, 8, kCFAllocatorNull);
|
47
|
+
static CFDataRef ekuClientAuthentication =
|
48
|
+
CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, _ekuClientAuthentication, 8, kCFAllocatorNull);
|
49
|
+
static CFDataRef ekuCodeSigning =
|
50
|
+
CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, _ekuCodeSigning, 8, kCFAllocatorNull);
|
51
|
+
static CFDataRef ekuEmailProtection =
|
52
|
+
CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, _ekuEmailProtection, 8, kCFAllocatorNull);
|
53
|
+
static CFDataRef ekuTimeStamping =
|
54
|
+
CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, _ekuTimeStamping, 8, kCFAllocatorNull);
|
55
|
+
static CFDataRef ekuOCSPSigning =
|
56
|
+
CFDataCreateWithBytesNoCopy(kCFAllocatorDefault, _ekuOCSPSigning, 8, kCFAllocatorNull);
|
57
|
+
|
35
58
|
string
|
36
59
|
certificateOIDAlias(const string& name)
|
37
60
|
{
|
@@ -226,7 +249,8 @@ private:
|
|
226
249
|
#endif
|
227
250
|
|
228
251
|
class SecureTransportCertificateI ICE_FINAL : public IceSSL::SecureTransport::Certificate,
|
229
|
-
public IceSSL::CertificateI
|
252
|
+
public IceSSL::CertificateI,
|
253
|
+
public IceSSL::CertificateExtendedInfo
|
230
254
|
{
|
231
255
|
public:
|
232
256
|
|
@@ -254,6 +278,8 @@ public:
|
|
254
278
|
virtual vector<pair<int, string> > getSubjectAlternativeNames() const;
|
255
279
|
virtual int getVersion() const;
|
256
280
|
virtual SecCertificateRef getCert() const;
|
281
|
+
virtual unsigned int getKeyUsage() const;
|
282
|
+
virtual unsigned int getExtendedKeyUsage() const;
|
257
283
|
|
258
284
|
private:
|
259
285
|
|
@@ -792,6 +818,111 @@ SecureTransportCertificateI::initializeAttributes() const
|
|
792
818
|
}
|
793
819
|
#endif
|
794
820
|
|
821
|
+
unsigned int
|
822
|
+
SecureTransportCertificateI::getKeyUsage() const
|
823
|
+
{
|
824
|
+
#ifdef ICE_USE_SECURE_TRANSPORT_IOS
|
825
|
+
throw Ice::FeatureNotSupportedException(__FILE__, __LINE__);
|
826
|
+
#else
|
827
|
+
unsigned int keyUsage = 0;
|
828
|
+
UniqueRef<CFDictionaryRef> property(getCertificateProperty(_cert.get(), kSecOIDKeyUsage));
|
829
|
+
if(property)
|
830
|
+
{
|
831
|
+
CFNumberRef value = static_cast<CFNumberRef>(CFDictionaryGetValue(property.get(), kSecPropertyKeyValue));
|
832
|
+
if(value)
|
833
|
+
{
|
834
|
+
unsigned int usageBits = 0;
|
835
|
+
CFNumberGetValue(value, kCFNumberSInt32Type, &usageBits);
|
836
|
+
if(usageBits & kSecKeyUsageDigitalSignature)
|
837
|
+
{
|
838
|
+
keyUsage |= KEY_USAGE_DIGITAL_SIGNATURE;
|
839
|
+
}
|
840
|
+
if(usageBits & kSecKeyUsageNonRepudiation)
|
841
|
+
{
|
842
|
+
keyUsage |= KEY_USAGE_NON_REPUDIATION;
|
843
|
+
}
|
844
|
+
if(usageBits & kSecKeyUsageKeyEncipherment)
|
845
|
+
{
|
846
|
+
keyUsage |= KEY_USAGE_KEY_ENCIPHERMENT;
|
847
|
+
}
|
848
|
+
if(usageBits & kSecKeyUsageDataEncipherment)
|
849
|
+
{
|
850
|
+
keyUsage |= KEY_USAGE_DATA_ENCIPHERMENT;
|
851
|
+
}
|
852
|
+
if(usageBits & kSecKeyUsageKeyAgreement)
|
853
|
+
{
|
854
|
+
keyUsage |= KEY_USAGE_KEY_AGREEMENT;
|
855
|
+
}
|
856
|
+
if(usageBits & kSecKeyUsageKeyCertSign)
|
857
|
+
{
|
858
|
+
keyUsage |= KEY_USAGE_KEY_CERT_SIGN;
|
859
|
+
}
|
860
|
+
if(usageBits & kSecKeyUsageCRLSign)
|
861
|
+
{
|
862
|
+
keyUsage |= KEY_USAGE_CRL_SIGN;
|
863
|
+
}
|
864
|
+
if(usageBits & kSecKeyUsageEncipherOnly)
|
865
|
+
{
|
866
|
+
keyUsage |= KEY_USAGE_ENCIPHER_ONLY;
|
867
|
+
}
|
868
|
+
if(usageBits & kSecKeyUsageDecipherOnly)
|
869
|
+
{
|
870
|
+
keyUsage |= KEY_USAGE_DECIPHER_ONLY;
|
871
|
+
}
|
872
|
+
}
|
873
|
+
}
|
874
|
+
return keyUsage;
|
875
|
+
#endif
|
876
|
+
}
|
877
|
+
|
878
|
+
unsigned int
|
879
|
+
SecureTransportCertificateI::getExtendedKeyUsage() const
|
880
|
+
{
|
881
|
+
#ifdef ICE_USE_SECURE_TRANSPORT_IOS
|
882
|
+
throw Ice::FeatureNotSupportedException(__FILE__, __LINE__);
|
883
|
+
#else
|
884
|
+
unsigned int extendedKeyUsage = 0;
|
885
|
+
UniqueRef<CFDictionaryRef> property(getCertificateProperty(_cert.get(), kSecOIDExtendedKeyUsage));
|
886
|
+
if(property)
|
887
|
+
{
|
888
|
+
CFArrayRef usages = static_cast<CFArrayRef>(CFDictionaryGetValue(property.get(), kSecPropertyKeyValue));
|
889
|
+
if(usages)
|
890
|
+
{
|
891
|
+
long size = CFArrayGetCount(usages);
|
892
|
+
if (CFArrayContainsValue(usages, CFRangeMake(0, size), ekuAnyKeyUsage))
|
893
|
+
{
|
894
|
+
extendedKeyUsage |= EXTENDED_KEY_USAGE_ANY_KEY_USAGE;
|
895
|
+
}
|
896
|
+
if (CFArrayContainsValue(usages, CFRangeMake(0, size), ekuServerAuthentication))
|
897
|
+
{
|
898
|
+
extendedKeyUsage |= EXTENDED_KEY_USAGE_SERVER_AUTH;
|
899
|
+
}
|
900
|
+
if (CFArrayContainsValue(usages, CFRangeMake(0, size), ekuClientAuthentication))
|
901
|
+
{
|
902
|
+
extendedKeyUsage |= EXTENDED_KEY_USAGE_CLIENT_AUTH;
|
903
|
+
}
|
904
|
+
if (CFArrayContainsValue(usages, CFRangeMake(0, size), ekuCodeSigning))
|
905
|
+
{
|
906
|
+
extendedKeyUsage |= EXTENDED_KEY_USAGE_CODE_SIGNING;
|
907
|
+
}
|
908
|
+
if (CFArrayContainsValue(usages, CFRangeMake(0, size), ekuEmailProtection))
|
909
|
+
{
|
910
|
+
extendedKeyUsage |= EXTENDED_KEY_USAGE_EMAIL_PROTECTION;
|
911
|
+
}
|
912
|
+
if (CFArrayContainsValue(usages, CFRangeMake(0, size), ekuTimeStamping))
|
913
|
+
{
|
914
|
+
extendedKeyUsage |= EXTENDED_KEY_USAGE_TIME_STAMPING;
|
915
|
+
}
|
916
|
+
if (CFArrayContainsValue(usages, CFRangeMake(0, size), ekuOCSPSigning))
|
917
|
+
{
|
918
|
+
extendedKeyUsage |= EXTENDED_KEY_USAGE_OCSP_SIGNING;
|
919
|
+
}
|
920
|
+
}
|
921
|
+
}
|
922
|
+
return extendedKeyUsage;
|
923
|
+
#endif
|
924
|
+
}
|
925
|
+
|
795
926
|
IceSSL::SecureTransport::CertificatePtr
|
796
927
|
IceSSL::SecureTransport::Certificate::create(SecCertificateRef cert)
|
797
928
|
{
|
@@ -155,37 +155,58 @@ checkTrustResult(SecTrustRef trust,
|
|
155
155
|
UniqueRef<CFErrorRef> trustErr;
|
156
156
|
if(trust)
|
157
157
|
{
|
158
|
-
|
159
|
-
{
|
160
|
-
throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + sslErrorToString(err));
|
161
|
-
}
|
162
|
-
|
163
|
-
//
|
164
|
-
// Disable network fetch, we don't want this to block.
|
165
|
-
//
|
158
|
+
// Do not allow to fetch missing intermediate certificates from the network.
|
166
159
|
if((err = SecTrustSetNetworkFetchAllowed(trust, false)))
|
167
160
|
{
|
168
161
|
throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + sslErrorToString(err));
|
169
162
|
}
|
170
163
|
|
171
|
-
|
172
|
-
// Add SSL trust policy if we need to check the certificate name.
|
173
|
-
//
|
164
|
+
UniqueRef<CFMutableArrayRef> policies(CFArrayCreateMutable(kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks));
|
165
|
+
// Add SSL trust policy if we need to check the certificate name, otherwise use basic x509 policy.
|
174
166
|
if(engine->getCheckCertName() && !host.empty())
|
175
167
|
{
|
176
168
|
UniqueRef<CFStringRef> hostref(toCFString(host));
|
177
169
|
UniqueRef<SecPolicyRef> policy(SecPolicyCreateSSL(true, hostref.get()));
|
178
|
-
|
179
|
-
|
170
|
+
CFArrayAppendValue(policies.get(), policy.get());
|
171
|
+
}
|
172
|
+
else
|
173
|
+
{
|
174
|
+
UniqueRef<SecPolicyRef> policy(SecPolicyCreateBasicX509());
|
175
|
+
CFArrayAppendValue(policies.get(), policy.get());
|
176
|
+
}
|
177
|
+
|
178
|
+
int revocationCheck = engine->getRevocationCheck();
|
179
|
+
if(revocationCheck > 0)
|
180
|
+
{
|
181
|
+
CFOptionFlags revocationFlags = kSecRevocationUseAnyAvailableMethod | kSecRevocationRequirePositiveResponse;
|
182
|
+
if(engine->getRevocationCheckCacheOnly())
|
180
183
|
{
|
181
|
-
|
184
|
+
revocationFlags |= kSecRevocationNetworkAccessDisabled;
|
185
|
+
}
|
186
|
+
|
187
|
+
UniqueRef<SecPolicyRef> revocationPolicy(SecPolicyCreateRevocation(revocationFlags));
|
188
|
+
if(!revocationPolicy)
|
189
|
+
{
|
190
|
+
throw SecurityException(__FILE__,
|
191
|
+
__LINE__,
|
192
|
+
"IceSSL: handshake failure: error creating revocation policy");
|
182
193
|
}
|
183
|
-
|
184
|
-
|
185
|
-
|
194
|
+
CFArrayAppendValue(policies.get(), revocationPolicy.get());
|
195
|
+
}
|
196
|
+
|
197
|
+
if((err = SecTrustSetPolicies(trust, policies.get())))
|
198
|
+
{
|
199
|
+
throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + sslErrorToString(err));
|
200
|
+
}
|
201
|
+
|
202
|
+
CFArrayRef certificateAuthorities = engine->getCertificateAuthorities();
|
203
|
+
if(certificateAuthorities != 0)
|
204
|
+
{
|
205
|
+
if((err = SecTrustSetAnchorCertificates(trust, certificateAuthorities)))
|
186
206
|
{
|
187
207
|
throw SecurityException(__FILE__, __LINE__, "IceSSL: handshake failure:\n" + sslErrorToString(err));
|
188
208
|
}
|
209
|
+
SecTrustSetAnchorCertificatesOnly(trust, true);
|
189
210
|
}
|
190
211
|
|
191
212
|
//
|
@@ -2,6 +2,12 @@
|
|
2
2
|
// Copyright (c) ZeroC, Inc. All rights reserved.
|
3
3
|
//
|
4
4
|
|
5
|
+
#if defined(_MSC_VER) && (_MSVC_LANG >= 201703L)
|
6
|
+
// TODO codecvt was deprecated in C++17 and cause build failures with VC++ compiler
|
7
|
+
// we should replace this code with MultiByteToWideChar() and WideCharToMultiByte()
|
8
|
+
# define _SILENCE_CXX17_CODECVT_HEADER_DEPRECATION_WARNING
|
9
|
+
#endif
|
10
|
+
|
5
11
|
#include <IceUtil/StringConverter.h>
|
6
12
|
#include <IceUtil/MutexPtrLock.h>
|
7
13
|
#include <IceUtil/Mutex.h>
|
@@ -1107,7 +1107,11 @@ Slice::Contained::Contained(const ContainerPtr& container, const string& name) :
|
|
1107
1107
|
void
|
1108
1108
|
Slice::Container::destroy()
|
1109
1109
|
{
|
1110
|
+
#ifdef ICE_CPP11_COMPILER
|
1111
|
+
for_each(_contents.begin(), _contents.end(), [](const SyntaxTreeBasePtr& it) { it->destroy(); });
|
1112
|
+
#else
|
1110
1113
|
for_each(_contents.begin(), _contents.end(), ::IceUtil::voidMemFun(&SyntaxTreeBase::destroy));
|
1114
|
+
#endif
|
1111
1115
|
_contents.clear();
|
1112
1116
|
_introducedMap.clear();
|
1113
1117
|
SyntaxTreeBase::destroy();
|
@@ -181,7 +181,7 @@ struct OptionalDef
|
|
181
181
|
// CICompare -- function object to do case-insensitive string comparison.
|
182
182
|
// ----------------------------------------------------------------------
|
183
183
|
|
184
|
-
class CICompare
|
184
|
+
class CICompare
|
185
185
|
{
|
186
186
|
public:
|
187
187
|
|
@@ -197,7 +197,7 @@ bool cICompare(const std::string&, const std::string&);
|
|
197
197
|
// most-derived to least-derived order.
|
198
198
|
// ----------------------------------------------------------------------
|
199
199
|
|
200
|
-
class DerivedToBaseCompare
|
200
|
+
class DerivedToBaseCompare
|
201
201
|
{
|
202
202
|
public:
|
203
203
|
|
@@ -949,7 +949,15 @@ Slice::Python::CodeVisitor::visitClassDefStart(const ClassDefPtr& p)
|
|
949
949
|
//
|
950
950
|
ClassList allBases = p->allBases();
|
951
951
|
StringList ids;
|
952
|
+
#ifdef ICE_CPP11_COMPILER
|
953
|
+
transform(allBases.begin(), allBases.end(), back_inserter(ids),
|
954
|
+
[](const ContainedPtr& it)
|
955
|
+
{
|
956
|
+
return it->scoped();
|
957
|
+
});
|
958
|
+
#else
|
952
959
|
transform(allBases.begin(), allBases.end(), back_inserter(ids), IceUtil::constMemFun(&Contained::scoped));
|
960
|
+
#endif
|
953
961
|
StringList other;
|
954
962
|
other.push_back(scoped);
|
955
963
|
other.push_back("::Ice::Object");
|
data/ice.gemspec
CHANGED
data/lib/Glacier2/Metrics.rb
CHANGED
data/lib/Glacier2/Router.rb
CHANGED
data/lib/Glacier2/RouterF.rb
CHANGED
data/lib/Glacier2/SSLInfo.rb
CHANGED
data/lib/Glacier2/Session.rb
CHANGED
data/lib/Ice/BuiltinSequences.rb
CHANGED
data/lib/Ice/Communicator.rb
CHANGED
data/lib/Ice/CommunicatorF.rb
CHANGED
data/lib/Ice/Connection.rb
CHANGED
data/lib/Ice/ConnectionF.rb
CHANGED
data/lib/Ice/Current.rb
CHANGED
data/lib/Ice/Endpoint.rb
CHANGED
data/lib/Ice/EndpointF.rb
CHANGED
data/lib/Ice/EndpointTypes.rb
CHANGED