zeroc-ice 3.8.1 → 3.8.2

data/dist/ice/cpp/src/Ice/ReferenceFactory.cpp

@@ -93,13 +93,14 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
         return nullptr;
     }
 
-    const string delim = " \t\r\n";
+    static constexpr const char* whitespace = " \t\r\n";
+    static constexpr const char* whitespaceOrSeparator = " \t\r\n:@";
 
-    string s(str);
+    string s{str};
     string::size_type beg;
     string::size_type end = 0;
 
-    beg = s.find_first_not_of(delim, end);
+    beg = s.find_first_not_of(whitespace, end);
     if (beg == string::npos)
     {
         throw ParseException(__FILE__, __LINE__, "no non-whitespace characters found in proxy string '" + s + "'");
@@ -117,7 +118,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
     }
     else if (end == 0)
     {
-        end = s.find_first_of(delim + ":@", beg);
+        end = s.find_first_of(whitespaceOrSeparator, beg);
         if (end == string::npos)
         {
             end = s.size();
@@ -144,7 +145,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
         // a null proxy, but only if nothing follows the
         // quotes.
         //
-        if (s.find_first_not_of(delim, end) != string::npos)
+        if (s.find_first_not_of(whitespace, end) != string::npos)
         {
             throw ParseException(__FILE__, __LINE__, "invalid characters after identity in proxy string '" + s + "'");
         }
@@ -167,7 +168,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
 
     while (true)
     {
-        beg = s.find_first_not_of(delim, end);
+        beg = s.find_first_not_of(whitespace, end);
         if (beg == string::npos)
         {
             break;
@@ -178,7 +179,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
             break;
         }
 
-        end = s.find_first_of(delim + ":@", beg);
+        end = s.find_first_of(whitespaceOrSeparator, beg);
         if (end == string::npos)
         {
             end = s.length();
@@ -204,7 +205,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
         // quotation marks.
         //
         string argument;
-        string::size_type argumentBeg = s.find_first_not_of(delim, end);
+        string::size_type argumentBeg = s.find_first_not_of(whitespace, end);
         if (argumentBeg != string::npos)
         {
             if (s[argumentBeg] != '@' && s[argumentBeg] != ':' && s[argumentBeg] != '-')
@@ -220,7 +221,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
                 }
                 else if (end == 0)
                 {
-                    end = s.find_first_of(delim + ":@", beg);
+                    end = s.find_first_of(whitespaceOrSeparator, beg);
                     if (end == string::npos)
                     {
                         end = s.size();
@@ -493,7 +494,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
         }
         case '@':
         {
-            beg = s.find_first_not_of(delim, beg + 1);
+            beg = s.find_first_not_of(whitespace, beg + 1);
             if (beg == string::npos)
             {
                 throw ParseException(__FILE__, __LINE__, "missing adapter id in proxy string '" + s + "'");
@@ -510,7 +511,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
             }
             else if (end == 0)
             {
-                end = s.find_first_of(delim, beg);
+                end = s.find_first_of(whitespace, beg);
                 if (end == string::npos)
                 {
                     end = s.size();
@@ -525,7 +526,7 @@ IceInternal::ReferenceFactory::create(string_view str, const string& propertyPre
             }
 
             // Check for trailing whitespace.
-            if (end != string::npos && s.find_first_not_of(delim, end) != string::npos)
+            if (end != string::npos && s.find_first_not_of(whitespace, end) != string::npos)
             {
                 throw ParseException(
                     __FILE__,
@@ -610,7 +611,9 @@ IceInternal::ReferenceFactory::create(Identity ident, InputStream* s)
     vector<EndpointIPtr> endpoints;
     string adapterId;
 
-    int32_t sz = s->readSize();
+    // Each endpoint occupies at least 8 bytes on the wire (a 2-byte type plus a 6-byte minimum
+    // encapsulation), so readAndCheckSeqSize rejects an oversized count before we allocate.
+    int32_t sz = s->readAndCheckSeqSize(8);
 
     if (sz > 0)
     {

data/dist/ice/cpp/src/Ice/ResourceConfig.h

@@ -5,8 +5,8 @@
 
 #include "winver.h"
 
-#define ICE_VERSION 3, 8, 1, 0
-#define ICE_STRING_VERSION "3.8.1\0"
+#define ICE_VERSION 3, 8, 2, 0
+#define ICE_STRING_VERSION "3.8.2\0"
 #define ICE_SO_VERSION "38\0"
 #define ICE_COMPANY_NAME "ZeroC, Inc.\0"
 #define ICE_COPYRIGHT "\251 ZeroC, Inc.\0"

data/dist/ice/cpp/src/Ice/SSL/OpenSSLEngine.cpp

@@ -72,7 +72,14 @@ namespace
 
 OpenSSL::SSLEngine::SSLEngine(const IceInternal::InstancePtr& instance) : Ice::SSL::SSLEngine(instance) {}
 
-OpenSSL::SSLEngine::~SSLEngine() = default;
+OpenSSL::SSLEngine::~SSLEngine()
+{
+    if (_ctx)
+    {
+        SSL_CTX_free(_ctx);
+        _ctx = nullptr;
+    }
+}
 
 void
 OpenSSL::SSLEngine::initialize()
@@ -91,6 +98,10 @@ OpenSSL::SSLEngine::initialize()
             throw InitializationException(__FILE__, __LINE__, "IceSSL: unable to create SSL context:\n" + sslErrors());
         }
 
+        // Reject peer-initiated TLS renegotiation: it is a CPU-asymmetric denial-of-service primitive
+        // on TLS 1.2 and is removed entirely in TLS 1.3.
+        SSL_CTX_set_options(_ctx, SSL_OP_NO_RENEGOTIATION);
+
         // Check for a default directory. We look in this directory for files mentioned in the configuration.
         const string defaultDir = properties->getIceProperty("IceSSL.DefaultDir");
 
@@ -509,13 +520,3 @@ OpenSSL::SSLEngine::sslErrors() const
 {
     return getErrors();
 }
-
-void
-OpenSSL::SSLEngine::destroy()
-{
-    if (_ctx)
-    {
-        SSL_CTX_free(_ctx);
-        _ctx = nullptr;
-    }
-}

data/dist/ice/cpp/src/Ice/SSL/OpenSSLEngine.h

@@ -17,10 +17,9 @@ namespace Ice::SSL::OpenSSL
     {
     public:
         SSLEngine(const IceInternal::InstancePtr&);
-        ~SSLEngine();
+        ~SSLEngine() override;
 
         void initialize() final;
-        void destroy() final;
         [[nodiscard]] std::string sslErrors() const;
         [[nodiscard]] std::string password() const { return _password; }
         [[nodiscard]] Ice::SSL::ClientAuthenticationOptions

data/dist/ice/cpp/src/Ice/SSL/SSLEndpointI.cpp

@@ -232,7 +232,7 @@ Ice::SSL::EndpointI::endpoint(const IceInternal::EndpointIPtr& delEndp) const
 {
     if (delEndp.get() == _delegate.get())
     {
-        return dynamic_pointer_cast<EndpointI>(const_cast<EndpointI*>(this)->shared_from_this());
+        return static_pointer_cast<EndpointI>(const_cast<EndpointI*>(this)->shared_from_this());
     }
     else
     {

data/dist/ice/cpp/src/Ice/SSL/SSLEngine.h

@@ -23,7 +23,7 @@ namespace Ice::SSL
     {
     public:
         SSLEngine(const IceInternal::InstancePtr&);
-        ~SSLEngine();
+        virtual ~SSLEngine();
 
         [[nodiscard]] Ice::LoggerPtr getLogger() const;
         [[nodiscard]] Ice::PropertiesPtr getProperties() const;
@@ -34,9 +34,6 @@ namespace Ice::SSL
         // Setup the engine.
         virtual void initialize() = 0;
 
-        // Destroy the engine.
-        virtual void destroy() = 0;
-
         // Verify peer certificate.
         virtual void verifyPeer(const ConnectionInfoPtr&) const;
 

data/dist/ice/cpp/src/Ice/SSL/SchannelEngine.cpp

@@ -743,6 +743,56 @@ Schannel::SSLEngine::SSLEngine(const IceInternal::InstancePtr& instance)
 {
 }
 
+Schannel::SSLEngine::~SSLEngine()
+{
+    // Best-effort cleanup. We catch every exception (e.g. std::bad_alloc from the per-cert vector
+    // allocation below) so nothing escapes the destructor and triggers std::terminate.
+    try
+    {
+        if (_chainEngine && _chainEngine != HCCE_CURRENT_USER && _chainEngine != HCCE_LOCAL_MACHINE)
+        {
+            CertFreeCertificateChainEngine(_chainEngine);
+        }
+
+        if (_rootStore)
+        {
+            CertCloseStore(_rootStore, 0);
+        }
+
+        for (vector<PCCERT_CONTEXT>::const_iterator i = _importedCerts.begin(); i != _importedCerts.end(); ++i)
+        {
+            // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO data to
+            // remove the key set associated with the certificate.
+            DWORD length = 0;
+            if (!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, 0, &length))
+            {
+                continue;
+            }
+            vector<char> buf(length);
+            if (!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &length))
+            {
+                continue;
+            }
+            CRYPT_KEY_PROV_INFO* key = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]);
+            HCRYPTPROV prov = 0;
+            CryptAcquireContextW(&prov, key->pwszContainerName, key->pwszProvName, key->dwProvType, CRYPT_DELETEKEYSET);
+        }
+
+        for (vector<PCCERT_CONTEXT>::const_iterator i = _allCerts.begin(); i != _allCerts.end(); ++i)
+        {
+            CertFreeCertificateContext(*i);
+        }
+
+        for (vector<HCERTSTORE>::const_iterator i = _stores.begin(); i != _stores.end(); ++i)
+        {
+            CertCloseStore(*i, 0);
+        }
+    }
+    catch (...)
+    {
+    }
+}
+
 void
 Schannel::SSLEngine::initialize()
 {
@@ -1210,49 +1260,6 @@ Schannel::SSLEngine::getCipherName(ALG_ID cipher) const
     }
 }
 
-void
-Schannel::SSLEngine::destroy()
-{
-    if (_chainEngine && _chainEngine != HCCE_CURRENT_USER && _chainEngine != HCCE_LOCAL_MACHINE)
-    {
-        CertFreeCertificateChainEngine(_chainEngine);
-    }
-
-    if (_rootStore)
-    {
-        CertCloseStore(_rootStore, 0);
-    }
-
-    for (vector<PCCERT_CONTEXT>::const_iterator i = _importedCerts.begin(); i != _importedCerts.end(); ++i)
-    {
-        // Retrieve the certificate CERT_KEY_PROV_INFO_PROP_ID property, we use the CRYPT_KEY_PROV_INFO data to remove
-        // the key set associated with the certificate.
-        DWORD length = 0;
-        if (!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, 0, &length))
-        {
-            continue;
-        }
-        vector<char> buf(length);
-        if (!CertGetCertificateContextProperty(*i, CERT_KEY_PROV_INFO_PROP_ID, &buf[0], &length))
-        {
-            continue;
-        }
-        CRYPT_KEY_PROV_INFO* key = reinterpret_cast<CRYPT_KEY_PROV_INFO*>(&buf[0]);
-        HCRYPTPROV prov = 0;
-        CryptAcquireContextW(&prov, key->pwszContainerName, key->pwszProvName, key->dwProvType, CRYPT_DELETEKEYSET);
-    }
-
-    for (vector<PCCERT_CONTEXT>::const_iterator i = _allCerts.begin(); i != _allCerts.end(); ++i)
-    {
-        CertFreeCertificateContext(*i);
-    }
-
-    for (vector<HCERTSTORE>::const_iterator i = _stores.begin(); i != _stores.end(); ++i)
-    {
-        CertCloseStore(*i, 0);
-    }
-}
-
 Ice::SSL::ClientAuthenticationOptions
 Schannel::SSLEngine::createClientAuthenticationOptions(const string& host) const
 {

data/dist/ice/cpp/src/Ice/SSL/SchannelEngine.h

@@ -22,17 +22,13 @@ namespace Ice::SSL::Schannel
     {
     public:
         SSLEngine(const IceInternal::InstancePtr&);
+        ~SSLEngine() override;
 
         //
         // Setup the engine.
         //
         void initialize() final;
 
-        //
-        // Destroy the engine.
-        //
-        void destroy() final;
-
         [[nodiscard]] std::string getCipherName(ALG_ID) const;
 
         [[nodiscard]] Ice::SSL::ClientAuthenticationOptions

data/dist/ice/cpp/src/Ice/SSL/SchannelTransceiverI.cpp

@@ -552,6 +552,15 @@ Schannel::TransceiverI::decryptMessage(IceInternal::Buffer& buffer)
         }
         else if (err == SEC_I_RENEGOTIATE)
         {
+            if (_incoming)
+            {
+                // Reject peer-initiated TLS renegotiation on the server side: it is a CPU-asymmetric
+                // denial-of-service primitive on TLS 1.2 and is removed entirely in TLS 1.3.
+                throw ProtocolException(
+                    __FILE__,
+                    __LINE__,
+                    "SSL transport: peer-initiated TLS renegotiation is not supported on the server side.");
+            }
             if (_sslConnectionRenegotiating)
             {
                 throw ProtocolException(

data/dist/ice/cpp/src/Ice/SSL/SecureTransportEngine.cpp

@@ -9,10 +9,17 @@
 #include "Ice/Logger.h"
 #include "Ice/Properties.h"
 #include "Ice/SSL/SSLException.h"
+#include "Ice/UUID.h"
 #include "SSLEngine.h"
 #include "SSLUtil.h"
 #include "SecureTransportUtil.h"
 
+#include <cerrno>
+#include <climits>
+#include <cstring>
+#include <unistd.h>
+#include <vector>
+
 // Disable deprecation warnings from SecureTransport APIs
 #include "../DisableWarnings.h"
 
@@ -547,6 +554,43 @@ namespace
             }
         }
     }
+
+#if defined(ICE_USE_SECURE_TRANSPORT_MACOS)
+    // Creates a private temporary directory to hold a short-lived keychain, and returns its path.
+    // Uses confstr(_CS_DARWIN_USER_TEMP_DIR) rather than $TMPDIR so the location can't be
+    // redirected through the process environment.
+    string createTemporaryKeychainDirectory()
+    {
+        char base[PATH_MAX];
+        size_t len = confstr(_CS_DARWIN_USER_TEMP_DIR, base, sizeof(base));
+        if (len == 0 || len > sizeof(base))
+        {
+            int error = errno;
+
+            ostringstream os;
+            os << "SSL transport: confstr(_CS_DARWIN_USER_TEMP_DIR) failed";
+            if (error != 0)
+            {
+                os << ": " << strerror(error);
+            }
+            throw InitializationException(__FILE__, __LINE__, os.str());
+        }
+
+        string tmpl = string{base} + "ice-keychain-XXXXXX";
+        vector<char> buffer(tmpl.begin(), tmpl.end());
+        buffer.push_back('\0');
+
+        char* dir = mkdtemp(buffer.data());
+        if (dir == nullptr)
+        {
+            int error = errno;
+            ostringstream os;
+            os << "SSL transport: mkdtemp failed: " << strerror(error);
+            throw InitializationException(__FILE__, __LINE__, os.str());
+        }
+        return dir;
+    }
+#endif
 }
 
 SecureTransport::SSLEngine::SSLEngine(const IceInternal::InstancePtr& instance)
@@ -556,7 +600,25 @@ SecureTransport::SSLEngine::SSLEngine(const IceInternal::InstancePtr& instance)
 {
 }
 
-SecureTransport::SSLEngine::~SSLEngine() = default;
+SecureTransport::SSLEngine::~SSLEngine()
+{
+#if defined(ICE_USE_SECURE_TRANSPORT_MACOS)
+    if (!_temporaryKeychainDir.empty())
+    {
+        // Remove the temporary keychain and its enclosing directory created by initialize().
+        // The cleanup lives in the destructor (not destroy()) so it also runs when initialize()
+        // throws after the directory has been created.
+        _chain.reset();
+        const string keychainPath = _temporaryKeychainDir + "/ice.keychain";
+        UniqueRef<SecKeychainRef> keychain;
+        if (SecKeychainOpen(keychainPath.c_str(), &keychain.get()) == noErr && keychain.get())
+        {
+            SecKeychainDelete(keychain.get());
+        }
+        rmdir(_temporaryKeychainDir.c_str());
+    }
+#endif
+}
 
 //
 // Setup the engine.
@@ -636,6 +698,18 @@ SecureTransport::SSLEngine::initialize()
             keyFile = *resolved;
         }
 
+#if defined(ICE_USE_SECURE_TRANSPORT_MACOS)
+        if (keychain.empty())
+        {
+            // Import the certificate into a temporary keychain rather than the user's login keychain.
+            // A private key in the login keychain cannot complete a forward-secret (ECDHE) handshake
+            // on the server side. The keychain and its enclosing directory are removed by the destructor.
+            _temporaryKeychainDir = createTemporaryKeychainDirectory();
+            keychain = _temporaryKeychainDir + "/ice.keychain";
+            keychainPassword = Ice::generateUUID();
+        }
+#endif
+
         try
         {
             _chain.reset(loadCertificateChain(certFile, keyFile, keychain, keychainPassword, password));
@@ -651,14 +725,6 @@ SecureTransport::SSLEngine::initialize()
     }
 }
 
-//
-// Destroy the engine.
-//
-void
-SecureTransport::SSLEngine::destroy()
-{
-}
-
 ClientAuthenticationOptions
 SecureTransport::SSLEngine::createClientAuthenticationOptions(const string& host) const
 {
@@ -721,15 +787,15 @@ SecureTransport::SSLEngine::createServerAuthenticationOptions() const
 SSLContextRef
 SecureTransport::SSLEngine::newContext(bool incoming) const
 {
-    SSLContextRef ssl =
-        SSLCreateContext(kCFAllocatorDefault, incoming ? kSSLServerSide : kSSLClientSide, kSSLStreamType);
-    if (!ssl)
+    UniqueRef<SSLContextRef> ssl(
+        SSLCreateContext(kCFAllocatorDefault, incoming ? kSSLServerSide : kSSLClientSide, kSSLStreamType));
+    if (!ssl.get())
     {
         throw SecurityException(__FILE__, __LINE__, "SSL transport: unable to create SSL context");
     }
 
     OSStatus err = SSLSetSessionOption(
-        ssl,
+        ssl.get(),
         incoming ? kSSLSessionOptionBreakOnClientAuth : kSSLSessionOptionBreakOnServerAuth,
         true);
 
@@ -741,7 +807,34 @@ SecureTransport::SSLEngine::newContext(bool incoming) const
             "SSL transport: error while setting SSL option:\n" + sslErrorToString(err));
     }
 
-    return ssl;
+    // Require TLS 1.2 or later. SecureTransport otherwise negotiates down to TLS 1.0 on macOS.
+    err = SSLSetProtocolVersionMin(ssl.get(), kTLSProtocol12);
+    if (err != noErr)
+    {
+        throw SecurityException(
+            __FILE__,
+            __LINE__,
+            "SSL transport: error while setting the minimum protocol version:\n" + sslErrorToString(err));
+    }
+
+    // Enable only forward-secret cipher suites: the Mozilla "Intermediate" recommendation for TLS 1.2
+    // intersected with what SecureTransport can negotiate — ECDHE key exchange with AES-GCM.
+    // SecureTransport's own default set also includes static-RSA suites (no forward secrecy) and 3DES.
+    const SSLCipherSuite ciphers[] = {
+        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384};
+    err = SSLSetEnabledCiphers(ssl.get(), ciphers, sizeof(ciphers) / sizeof(SSLCipherSuite));
+    if (err != noErr)
+    {
+        throw SecurityException(
+            __FILE__,
+            __LINE__,
+            "SSL transport: error while setting ciphers:\n" + sslErrorToString(err));
+    }
+
+    return ssl.release();
 }
 
 bool

data/dist/ice/cpp/src/Ice/SSL/SecureTransportEngine.h

@@ -20,10 +20,9 @@ namespace Ice::SSL::SecureTransport
     {
     public:
         SSLEngine(const IceInternal::InstancePtr&);
-        ~SSLEngine();
+        ~SSLEngine() override;
 
         void initialize() final;
-        void destroy() final;
 
         [[nodiscard]] Ice::SSL::ClientAuthenticationOptions
         createClientAuthenticationOptions(const std::string& host) const final;
@@ -37,6 +36,12 @@ namespace Ice::SSL::SecureTransport
     private:
         IceInternal::UniqueRef<CFArrayRef> _certificateAuthorities;
         IceInternal::UniqueRef<CFArrayRef> _chain;
+
+#    if defined(ICE_USE_SECURE_TRANSPORT_MACOS)
+        // Path of the temporary directory holding the imported certificate's keychain, removed by the destructor.
+        // Empty when IceSSL.Keychain is set or no certificate is configured.
+        std::string _temporaryKeychainDir;
+#    endif
     };
 }
 #endif

data/dist/ice/cpp/src/Ice/TcpEndpointI.cpp

@@ -169,7 +169,7 @@ AcceptorPtr
 IceInternal::TcpEndpointI::acceptor(const string&, const optional<Ice::SSL::ServerAuthenticationOptions>&) const
 {
     return make_shared<TcpAcceptor>(
-        dynamic_pointer_cast<TcpEndpointI>(const_cast<TcpEndpointI*>(this)->shared_from_this()),
+        static_pointer_cast<TcpEndpointI>(const_cast<TcpEndpointI*>(this)->shared_from_this()),
         _instance,
         _host,
         _port);
@@ -181,7 +181,7 @@ IceInternal::TcpEndpointI::endpoint(const TcpAcceptorPtr& acceptor) const
     int port = acceptor->effectivePort();
     if (_port == port)
     {
-        return dynamic_pointer_cast<TcpEndpointI>(const_cast<TcpEndpointI*>(this)->shared_from_this());
+        return static_pointer_cast<TcpEndpointI>(const_cast<TcpEndpointI*>(this)->shared_from_this());
     }
     else
     {

data/dist/ice/cpp/src/Ice/UdpEndpointI.cpp

@@ -162,7 +162,7 @@ TransceiverPtr
 IceInternal::UdpEndpointI::transceiver() const
 {
     return make_shared<UdpTransceiver>(
-        dynamic_pointer_cast<UdpEndpointI>(const_cast<UdpEndpointI*>(this)->shared_from_this()),
+        static_pointer_cast<UdpEndpointI>(const_cast<UdpEndpointI*>(this)->shared_from_this()),
         _instance,
         _host,
         _port,
@@ -181,7 +181,7 @@ IceInternal::UdpEndpointI::endpoint(const UdpTransceiverPtr& transceiver) const
     int port = transceiver->effectivePort();
     if (port == _port)
     {
-        return dynamic_pointer_cast<UdpEndpointI>(const_cast<UdpEndpointI*>(this)->shared_from_this());
+        return static_pointer_cast<UdpEndpointI>(const_cast<UdpEndpointI*>(this)->shared_from_this());
     }
     else
     {

data/dist/ice/cpp/src/Ice/WSAcceptor.cpp

@@ -56,7 +56,7 @@ IceInternal::WSAcceptor::accept()
     // WebSocket handshaking is performed in TransceiverI::initialize, since
     // accept must not block.
     //
-    return make_shared<WSTransceiver>(_instance, _delegate->accept());
+    return make_shared<WSTransceiver>(_instance, _delegate->accept(), _allowedOrigins);
 }
 
 string
@@ -77,10 +77,15 @@ IceInternal::WSAcceptor::toDetailedString() const
     return _delegate->toDetailedString();
 }
 
-IceInternal::WSAcceptor::WSAcceptor(WSEndpointPtr endpoint, ProtocolInstancePtr instance, AcceptorPtr del)
+IceInternal::WSAcceptor::WSAcceptor(
+    WSEndpointPtr endpoint,
+    ProtocolInstancePtr instance,
+    AcceptorPtr del,
+    set<string> allowedOrigins)
     : _endpoint(std::move(endpoint)),
       _instance(std::move(instance)),
-      _delegate(std::move(del))
+      _delegate(std::move(del)),
+      _allowedOrigins(std::move(allowedOrigins))
 {
 }
 

data/dist/ice/cpp/src/Ice/WSAcceptor.h

@@ -9,6 +9,9 @@
 #include "ProtocolInstance.h"
 #include "TransceiverF.h"
 
+#include <set>
+#include <string>
+
 namespace IceInternal
 {
     class WSEndpoint;
@@ -16,7 +19,7 @@ namespace IceInternal
     class WSAcceptor final : public Acceptor, public NativeInfo
     {
     public:
-        WSAcceptor(WSEndpointPtr, ProtocolInstancePtr, AcceptorPtr);
+        WSAcceptor(WSEndpointPtr, ProtocolInstancePtr, AcceptorPtr, std::set<std::string> allowedOrigins);
         ~WSAcceptor() override;
         NativeInfoPtr getNativeInfo() final;
 #if defined(ICE_USE_IOCP)
@@ -40,6 +43,7 @@ namespace IceInternal
         WSEndpointPtr _endpoint;
         const ProtocolInstancePtr _instance;
         const AcceptorPtr _delegate;
+        const std::set<std::string> _allowedOrigins;
     };
 }