From 73af7f1cab4d6e4b73bdc8f1dc04f09fa18e6e7b Mon Sep 17 00:00:00 2001 
From: Jose Date: Wed, 17 Apr 2024 14:35:25 +0200 Subject: [PATCH] Remove support for IceSSL.Ciphers (#2052) --- config/PropertyNames.xml | 1 - cpp/include/{IceSSL => Ice}/Certificate.h | 12 +- cpp/include/Ice/Ice.h | 3 + cpp/include/{IceSSL => Ice}/OpenSSL.h | 4 +- cpp/include/{IceSSL => Ice}/SChannel.h | 4 +- .../SSLConnectionInfo.h} | 6 +- .../SSLConnectionInfoF.h} | 0 .../EndpointInfo.h => Ice/SSLEndpointInfo.h} | 6 +- cpp/include/{IceSSL => Ice}/SecureTransport.h | 4 +- cpp/msbuild/ice.nuget.targets | 6 +- cpp/src/Glacier2/SessionRouterI.cpp | 4 +- cpp/src/Ice/PropertyNames.cpp | 1 - cpp/src/Ice/msbuild/ice/ice.vcxproj | 3 +- cpp/src/Ice/msbuild/ice/ice.vcxproj.filters | 3 - cpp/src/IceGrid/AdminSessionI.cpp | 2 - cpp/src/IceGrid/InternalRegistryI.cpp | 4 +- cpp/src/IceGrid/RegistryI.cpp | 2 - cpp/src/IceGrid/SessionI.cpp | 2 - cpp/src/IceSSL/CertificateI.cpp | 96 ++++ cpp/src/IceSSL/CertificateI.h | 2 +- cpp/src/IceSSL/OpenSSLCertificateI.cpp | 57 +- cpp/src/IceSSL/OpenSSLEngine.cpp | 84 +-- cpp/src/IceSSL/OpenSSLTransceiverI.cpp | 4 +- cpp/src/IceSSL/OpenSSLTransceiverI.h | 2 +- cpp/src/IceSSL/PluginI.cpp | 112 ---- cpp/src/IceSSL/RFC2253.cpp | 2 +- cpp/src/IceSSL/RFC2253.h | 4 +- cpp/src/IceSSL/SChannelCertificateI.cpp | 4 +- cpp/src/IceSSL/SChannelEngine.cpp | 138 ++--- cpp/src/IceSSL/SChannelEngine.h | 4 - cpp/src/IceSSL/SChannelEngineF.h | 2 +- cpp/src/IceSSL/SChannelTransceiverI.cpp | 2 +- cpp/src/IceSSL/SSLEndpointI.h | 2 +- cpp/src/IceSSL/SSLEngine.cpp | 7 +- cpp/src/IceSSL/SSLEngine.h | 2 +- cpp/src/IceSSL/SSLUtil.cpp | 2 +- .../IceSSL/SecureTransportCertificateI.cpp | 2 +- cpp/src/IceSSL/SecureTransportEngine.cpp | 542 +----------------- cpp/src/IceSSL/SecureTransportEngine.h | 7 - .../IceSSL/SecureTransportTransceiverI.cpp | 2 +- cpp/src/IceSSL/SecureTransportTransceiverI.h | 2 +- cpp/src/IceSSL/SecureTransportUtil.cpp | 35 +- cpp/src/IceSSL/SecureTransportUtil.h | 2 +- cpp/src/IceSSL/TrustManager.cpp | 7 +- cpp/src/IceSSL/TrustManager.h | 4 +- 
cpp/test/Glacier2/ssl/Server.cpp | 1 - cpp/test/Ice/info/AllTests.cpp | 2 - cpp/test/Ice/info/TestI.cpp | 1 - cpp/test/IceGrid/session/Server.cpp | 1 - cpp/test/IceSSL/configuration/AllTests.cpp | 8 +- cpp/test/IceSSL/configuration/TestI.cpp | 2 - csharp/src/Ice/PropertyNames.cs | 1 - .../com/zeroc/IceInternal/PropertyNames.java | 1 - .../main/java/com/zeroc/IceSSL/SSLEngine.java | 137 ----- matlab/src/Connection.cpp | 1 - matlab/src/Endpoint.cpp | 1 - matlab/src/Util.h | 1 - php/src/Connection.cpp | 2 +- php/src/Endpoint.cpp | 2 +- python/modules/IcePy/ConnectionInfo.cpp | 3 +- python/modules/IcePy/EndpointInfo.cpp | 2 +- ruby/src/IceRuby/Connection.cpp | 3 +- ruby/src/IceRuby/Endpoint.cpp | 3 +- swift/src/IceImpl/Config.h | 3 - 64 files changed, 267 insertions(+), 1104 deletions(-) rename cpp/include/{IceSSL => Ice}/Certificate.h (99%) rename cpp/include/{IceSSL => Ice}/OpenSSL.h (97%) rename cpp/include/{IceSSL => Ice}/SChannel.h (97%) rename cpp/include/{IceSSL/ConnectionInfo.h => Ice/SSLConnectionInfo.h} (95%) rename cpp/include/{IceSSL/ConnectionInfoF.h => Ice/SSLConnectionInfoF.h} (100%) rename cpp/include/{IceSSL/EndpointInfo.h => Ice/SSLEndpointInfo.h} (93%) rename cpp/include/{IceSSL => Ice}/SecureTransport.h (96%) delete mode 100644 cpp/src/IceSSL/PluginI.cpp diff --git a/config/PropertyNames.xml b/config/PropertyNames.xml index 6e26b6c7215..ae575cc109e 100644 --- a/config/PropertyNames.xml +++ b/config/PropertyNames.xml @@ -564,7 +564,6 @@ generated from the section label. - diff --git a/cpp/include/IceSSL/Certificate.h b/cpp/include/Ice/Certificate.h similarity index 99% rename from cpp/include/IceSSL/Certificate.h rename to cpp/include/Ice/Certificate.h index f815fd7260e..64cd4f9ab48 100644 --- a/cpp/include/IceSSL/Certificate.h +++ b/cpp/include/Ice/Certificate.h 
@@ -2,13 +2,13 @@ // Copyright (c) ZeroC, Inc. All rights reserved. // -#ifndef ICESSL_PLUGIN_H -#define ICESSL_PLUGIN_H +#ifndef ICE_CERTIFICATE_H +#define ICE_CERTIFICATE_H -#include "ConnectionInfoF.h" -#include "Ice/Config.h" -#include "Ice/Exception.h" -#include "Ice/Plugin.h" +#include "Config.h" +#include "Exception.h" +#include "Plugin.h" +#include "SSLConnectionInfoF.h" #include #include diff --git a/cpp/include/Ice/Ice.h b/cpp/include/Ice/Ice.h index a3ea61bb6ab..96fbdef3547 100644 --- a/cpp/include/Ice/Ice.h +++ b/cpp/include/Ice/Ice.h @@ -19,6 +19,7 @@ // We don't need to see the following headers when building the generated code. +# include "Certificate.h" # include "Communicator.h" # include "Connection.h" # include "IconvStringConverter.h" @@ -34,6 +35,8 @@ # include "Properties.h" # include "ProxyFunctions.h" # include "RegisterPlugins.h" +# include "SSLConnectionInfo.h" +# include "SSLEndpointInfo.h" # include "ServantLocator.h" # include "SlicedData.h" # include "StringConverter.h" diff --git a/cpp/include/IceSSL/OpenSSL.h b/cpp/include/Ice/OpenSSL.h similarity index 97% rename from cpp/include/IceSSL/OpenSSL.h rename to cpp/include/Ice/OpenSSL.h index 098bc850c27..38f84105a81 100644 --- a/cpp/include/IceSSL/OpenSSL.h +++ b/cpp/include/Ice/OpenSSL.h @@ -2,8 +2,8 @@ // Copyright (c) ZeroC, Inc. All rights reserved. // -#ifndef ICESSL_OPENSSL_H -#define ICESSL_OPENSSL_H +#ifndef ICE_OPENSSL_H +#define ICE_OPENSSL_H #include "Certificate.h" diff --git a/cpp/include/IceSSL/SChannel.h b/cpp/include/Ice/SChannel.h similarity index 97% rename from cpp/include/IceSSL/SChannel.h rename to cpp/include/Ice/SChannel.h index c3bba47530a..ecc3a9b1821 100644 --- a/cpp/include/IceSSL/SChannel.h +++ b/cpp/include/Ice/SChannel.h @@ -2,8 +2,8 @@ // Copyright (c) ZeroC, Inc. All rights reserved. // -#ifndef ICESSL_SCHANNEL_H -#define ICESSL_SCHANNEL_H +#ifndef ICE_SCHANNEL_H +#define ICE_SCHANNEL_H #ifdef _WIN32 # include "Certificate.h" 
diff --git a/cpp/include/IceSSL/ConnectionInfo.h b/cpp/include/Ice/SSLConnectionInfo.h similarity index 95% rename from cpp/include/IceSSL/ConnectionInfo.h rename to cpp/include/Ice/SSLConnectionInfo.h index a4629c465c8..76633d22c8c 100644 --- a/cpp/include/IceSSL/ConnectionInfo.h +++ b/cpp/include/Ice/SSLConnectionInfo.h @@ -2,12 +2,12 @@ // Copyright (c) ZeroC, Inc. All rights reserved. // -#ifndef ICESSL_CONNECTION_INFO_H -#define ICESSL_CONNECTION_INFO_H +#ifndef ICE_SSL_CONNECTION_INFO_H +#define ICE_SSL_CONNECTION_INFO_H #include "Certificate.h" -#include "ConnectionInfoF.h" #include "Ice/Connection.h" +#include "SSLConnectionInfoF.h" #if defined(__clang__) # pragma clang diagnostic push diff --git a/cpp/include/IceSSL/ConnectionInfoF.h b/cpp/include/Ice/SSLConnectionInfoF.h similarity index 100% rename from cpp/include/IceSSL/ConnectionInfoF.h rename to cpp/include/Ice/SSLConnectionInfoF.h diff --git a/cpp/include/IceSSL/EndpointInfo.h b/cpp/include/Ice/SSLEndpointInfo.h similarity index 93% rename from cpp/include/IceSSL/EndpointInfo.h rename to cpp/include/Ice/SSLEndpointInfo.h index 9b3ea5a1880..25e9c284b43 100644 --- a/cpp/include/IceSSL/EndpointInfo.h +++ b/cpp/include/Ice/SSLEndpointInfo.h @@ -2,10 +2,10 @@ // Copyright (c) ZeroC, Inc. All rights reserved. // -#ifndef ICESSL_ENDPOINT_INFO_H -#define ICESSL_ENDPOINT_INFO_H +#ifndef ICE_SSL_ENDPOINT_INFO_H +#define ICE_SSL_ENDPOINT_INFO_H -#include "Ice/Endpoint.h" +#include "Endpoint.h" #if defined(__clang__) # pragma clang diagnostic push diff --git a/cpp/include/IceSSL/SecureTransport.h b/cpp/include/Ice/SecureTransport.h similarity index 96% rename from cpp/include/IceSSL/SecureTransport.h rename to cpp/include/Ice/SecureTransport.h index c7516aef505..cc528f71fdb 100644 --- a/cpp/include/IceSSL/SecureTransport.h +++ b/cpp/include/Ice/SecureTransport.h 
@@ -2,8 +2,8 @@ // Copyright (c) ZeroC, Inc. All rights reserved. // -#ifndef ICESSL_SECURE_TRANSPORT_H -#define ICESSL_SECURE_TRANSPORT_H +#ifndef ICE_SECURE_TRANSPORT_H +#define ICE_SECURE_TRANSPORT_H #ifdef __APPLE__ diff --git a/cpp/msbuild/ice.nuget.targets b/cpp/msbuild/ice.nuget.targets index a2d9f79f519..b7ec03619a1 100644 --- a/cpp/msbuild/ice.nuget.targets +++ b/cpp/msbuild/ice.nuget.targets @@ -7,15 +7,11 @@ + Exclude="$(IceSrcRootDir)bin\$(Platform)\$(Configuration)\glacier2cryptpermissionsverifier*d.dll"/> - @@ -1006,4 +1005,4 @@ - \ No newline at end of file + diff --git a/cpp/src/Ice/msbuild/ice/ice.vcxproj.filters b/cpp/src/Ice/msbuild/ice/ice.vcxproj.filters index 87aaf8435ce..f419a8c8e36 100644 --- a/cpp/src/Ice/msbuild/ice/ice.vcxproj.filters +++ b/cpp/src/Ice/msbuild/ice/ice.vcxproj.filters @@ -615,9 +615,6 @@ Source Files\IceSSL - - Source Files\IceSSL - Source Files diff --git a/cpp/src/IceGrid/AdminSessionI.cpp b/cpp/src/IceGrid/AdminSessionI.cpp index f8b01ff8adc..9c43b00e53f 100644 --- a/cpp/src/IceGrid/AdminSessionI.cpp +++ b/cpp/src/IceGrid/AdminSessionI.cpp @@ -6,8 +6,6 @@ #include "AdminI.h" #include "Database.h" #include "Ice/Ice.h" -#include "Ice/UUID.h" -#include "IceSSL/Certificate.h" #include "RegistryI.h" #include "SynchronizationException.h" diff --git a/cpp/src/IceGrid/InternalRegistryI.cpp b/cpp/src/IceGrid/InternalRegistryI.cpp index 702e851a991..1466409b075 100644 --- a/cpp/src/IceGrid/InternalRegistryI.cpp +++ b/cpp/src/IceGrid/InternalRegistryI.cpp @@ -2,14 +2,12 @@ // Copyright (c) ZeroC, Inc. All rights reserved. // -#include "Ice/Ice.h" #include "IceUtil/DisableWarnings.h" #include "../IceSSL/RFC2253.h" #include "Database.h" #include "FileCache.h" -#include "IceSSL/Certificate.h" -#include "IceSSL/ConnectionInfo.h" +#include "Ice/Ice.h" #include "InternalRegistryI.h" #include "NodeSessionI.h" #include "ReapThread.h" 
diff --git a/cpp/src/IceGrid/RegistryI.cpp b/cpp/src/IceGrid/RegistryI.cpp index 9cf45c20909..8dfc50607a4 100644 --- a/cpp/src/IceGrid/RegistryI.cpp +++ b/cpp/src/IceGrid/RegistryI.cpp @@ -17,8 +17,6 @@ #include "Ice/Ice.h" #include "Ice/UUID.h" #include "IceLocatorDiscovery.h" -#include "IceSSL/Certificate.h" -#include "IceSSL/ConnectionInfo.h" #include "IceUtil/FileUtil.h" #include "InternalRegistryI.h" #include "LocatorI.h" diff --git a/cpp/src/IceGrid/SessionI.cpp b/cpp/src/IceGrid/SessionI.cpp index 708e12b96dc..0fa74cad2f9 100644 --- a/cpp/src/IceGrid/SessionI.cpp +++ b/cpp/src/IceGrid/SessionI.cpp @@ -5,9 +5,7 @@ #include "SessionI.h" #include "Database.h" #include "Ice/Ice.h" -#include "Ice/UUID.h" #include "IceGrid/Admin.h" -#include "IceSSL/Certificate.h" #include "LocatorI.h" #include "QueryI.h" diff --git a/cpp/src/IceSSL/CertificateI.cpp b/cpp/src/IceSSL/CertificateI.cpp index 0171f6c2719..66e568e5d99 100644 --- a/cpp/src/IceSSL/CertificateI.cpp +++ b/cpp/src/IceSSL/CertificateI.cpp 
@@ -212,3 +212,99 @@ CertificateI::toString() const os << "subject: " << string(getSubjectDN()) << "\n"; return os.str(); } + +std::string +IceSSL::getTrustErrorDescription(TrustError error) +{ + switch (error) + { + case IceSSL::TrustError::NoError: + { + return "no error"; + } + case IceSSL::TrustError::ChainTooLong: + { + return "the certificate chain length is greater than the specified maximum depth"; + } + case IceSSL::TrustError::HasExcludedNameConstraint: + { + return "the X509 chain is invalid because a certificate has excluded a name constraint"; + } + case IceSSL::TrustError::HasNonDefinedNameConstraint: + { + return "the certificate has an undefined name constraint"; + } + case IceSSL::TrustError::HasNonPermittedNameConstraint: + { + return "the certificate has a non permitted name constrain"; + } + case IceSSL::TrustError::HasNonSupportedCriticalExtension: + { + return "the certificate does not support a critical extension"; + } + case IceSSL::TrustError::HasNonSupportedNameConstraint: + { + return "the certificate does not have a supported name constraint or has a name constraint that " + "is unsupported"; + } + case IceSSL::TrustError::HostNameMismatch: + { + return "a host name mismatch has occurred"; + } + case IceSSL::TrustError::InvalidBasicConstraints: + { + return "the X509 chain is invalid due to invalid basic constraints"; + } + case IceSSL::TrustError::InvalidExtension: + { + return "the X509 chain is invalid due to an invalid extension"; + } + case IceSSL::TrustError::InvalidNameConstraints: + { + return "the X509 chain is invalid due to invalid name constraints"; + } + case IceSSL::TrustError::InvalidPolicyConstraints: + { + return "the X509 chain is invalid due to invalid policy constraints"; + } + case IceSSL::TrustError::InvalidPurpose: + { + return "the supplied certificate cannot be used for the specified purpose"; + } + case IceSSL::TrustError::InvalidSignature: + { + return "the X509 chain is invalid due to an invalid certificate 
signature"; + } + case IceSSL::TrustError::InvalidTime: + { + return "the X509 chain is not valid due to an invalid time value, such as a value that indicates an " + "expired certificate"; + } + case IceSSL::TrustError::NotTrusted: + { + return "the certificate is explicitly distrusted"; + } + case IceSSL::TrustError::PartialChain: + { + return "the X509 chain could not be built up to the root certificate"; + } + case IceSSL::TrustError::RevocationStatusUnknown: + { + return "it is not possible to determine whether the certificate has been revoked"; + } + case IceSSL::TrustError::Revoked: + { + return "the X509 chain is invalid due to a revoked certificate"; + } + case IceSSL::TrustError::UntrustedRoot: + { + return "the X509 chain is invalid due to an untrusted root certificate"; + } + case IceSSL::TrustError::UnknownTrustFailure: + { + return "unknown failure"; + } + } + assert(false); + return "unknown failure"; +} diff --git a/cpp/src/IceSSL/CertificateI.h b/cpp/src/IceSSL/CertificateI.h index 5495a0c3f53..0d1914fa66d 100644 --- a/cpp/src/IceSSL/CertificateI.h +++ b/cpp/src/IceSSL/CertificateI.h @@ -5,7 +5,7 @@ #ifndef ICESSL_CERTIFICATE_I_H #define ICESSL_CERTIFICATE_I_H -#include "IceSSL/Certificate.h" +#include "Ice/Certificate.h" #include #include diff --git a/cpp/src/IceSSL/OpenSSLCertificateI.cpp b/cpp/src/IceSSL/OpenSSLCertificateI.cpp index 12b9bc05607..2d28ba7cae3 100644 --- a/cpp/src/IceSSL/OpenSSLCertificateI.cpp +++ b/cpp/src/IceSSL/OpenSSLCertificateI.cpp @@ -3,7 +3,7 @@ // #include "CertificateI.h" -#include "IceSSL/OpenSSL.h" +#include "Ice/OpenSSL.h" #include "OpenSSLUtil.h" #include "RFC2253.h" 
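Review bot: The text returned for `HasNonPermittedNameConstraint` reads `"the certificate has a non permitted name constrain"`, missing the final `t` of `constraint`; this string is what operators see when a peer certificate is rejected for that reason, so it is worth correcting while the function is being relocated: `return "the certificate has a non-permitted name constraint";`. The wording is carried over verbatim from the deleted PluginI.cpp, so the typo predates this commit. The `assert(false); return "unknown failure";` tail is fine as a release-build fallback since every enumerator is handled above it.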
@@ -132,11 +132,10 @@ namespace return alt; } - class DistinguishedNameI : public IceSSL::DistinguishedName + class DistinguishedNameI : public DistinguishedName { public: - DistinguishedNameI(X509_name_st* name) - : IceSSL::DistinguishedName(IceSSL::RFC2253::parseStrict(convertX509NameToString(name))) + DistinguishedNameI(X509_name_st* name) : DistinguishedName(RFC2253::parseStrict(convertX509NameToString(name))) { unescape(); } @@ -194,7 +193,7 @@ namespace return chrono::system_clock::time_point(chrono::seconds(mktime(&tm) - int64_t{offset} * 60 + tzone)); } - class OpenSSLX509ExtensionI : public IceSSL::X509Extension + class OpenSSLX509ExtensionI : public X509Extension { public: OpenSSLX509ExtensionI(struct X509_extension_st*, const string&, x509_st*); @@ -209,7 +208,7 @@ namespace x509_st* _cert; }; - class OpenSSLCertificateI : public IceSSL::OpenSSL::Certificate, public CertificateI + class OpenSSLCertificateI : public OpenSSL::Certificate, public CertificateI { public: OpenSSLCertificateI(x509_st*); @@ -225,9 +224,9 @@ namespace virtual chrono::system_clock::time_point getNotAfter() const; virtual chrono::system_clock::time_point getNotBefore() const; virtual string getSerialNumber() const; - virtual IceSSL::DistinguishedName getIssuerDN() const; + virtual DistinguishedName getIssuerDN() const; virtual vector> getIssuerAlternativeNames() const; - virtual IceSSL::DistinguishedName getSubjectDN() const; + virtual DistinguishedName getSubjectDN() const; virtual vector> getSubjectAlternativeNames() const; virtual int getVersion() const; virtual x509_st* getCert() const; 
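Review bot: The rewritten `DistinguishedNameI` constructor is still a single-argument, non-`explicit` constructor taking `X509_name_st*`, so a raw name pointer converts implicitly to a `DistinguishedNameI`; since the line is being rewritten anyway, `explicit DistinguishedNameI(X509_name_st* name) : DistinguishedName(RFC2253::parseStrict(convertX509NameToString(name)))` costs nothing. The same applies to `OpenSSLCertificateI(x509_st*)` in the hunk at -209, and the `virtual DistinguishedName getIssuerDN() const;` / `getSubjectDN() const;` declarations touched in the hunk at -225 would be safer as `override` so a signature drift against the base is caught at compile time. The class bodies these hunks touch begin and end outside the hunks.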
@@ -325,7 +324,7 @@ OpenSSLCertificateI::getAuthorityKeyIdentifier() const AUTHORITY_KEYID* decoded = (AUTHORITY_KEYID*)X509V3_EXT_d2i(ext); if (!decoded) { - throw IceSSL::CertificateEncodingException(__FILE__, __LINE__, "the extension could not be decoded"); + throw CertificateEncodingException(__FILE__, __LINE__, "the extension could not be decoded"); } keyid.resize(decoded->keyid->length); memcpy(&keyid[0], decoded->keyid->data, decoded->keyid->length); @@ -348,7 +347,7 @@ OpenSSLCertificateI::getSubjectKeyIdentifier() const ASN1_OCTET_STRING* decoded = static_cast(X509V3_EXT_d2i(ext)); if (!decoded) { - throw IceSSL::CertificateEncodingException(__FILE__, __LINE__, "the extension could not be decoded"); + throw CertificateEncodingException(__FILE__, __LINE__, "the extension could not be decoded"); } keyid.resize(decoded->length); memcpy(&keyid[0], decoded->data, decoded->length); @@ -380,7 +379,7 @@ OpenSSLCertificateI::encode() const if (i <= 0) { BIO_free(out); - throw IceSSL::CertificateEncodingException(__FILE__, __LINE__, IceSSL::OpenSSL::getSslErrors(false)); + throw CertificateEncodingException(__FILE__, __LINE__, OpenSSL::getSslErrors(false)); } BUF_MEM* p; BIO_get_mem_ptr(out, &p); @@ -412,11 +411,10 @@ OpenSSLCertificateI::getSerialNumber() const return result; } -IceSSL::DistinguishedName +DistinguishedName OpenSSLCertificateI::getIssuerDN() const { - return IceSSL::DistinguishedName( - IceSSL::RFC2253::parseStrict(convertX509NameToString(X509_get_issuer_name(_cert)))); + return DistinguishedName(RFC2253::parseStrict(convertX509NameToString(X509_get_issuer_name(_cert)))); } vector> 
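Review bot: `getAuthorityKeyIdentifier` dereferences `decoded->keyid` immediately after the null check on `decoded`, but the `keyid` member of OpenSSL's `AUTHORITY_KEYID` is optional (RFC 5280 allows an AKID that carries only the issuer name and serial number), so a peer certificate with such an extension would crash here rather than fail cleanly. Add `if (!decoded->keyid) { AUTHORITY_KEYID_free(decoded); throw CertificateEncodingException(__FILE__, __LINE__, "the extension could not be decoded"); }` before the `resize`; the parallel code in `getSubjectKeyIdentifier` in the hunk at -348 is not affected because the decoded value there is the octet string itself. The C-style `(AUTHORITY_KEYID*)` cast on the decode line would read better as `static_cast<AUTHORITY_KEYID*>`, matching the SKID hunk. Whether the decoded objects are released after the copy is not visible here; the enclosing functions start and end outside the hunks.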
@@ -425,11 +423,10 @@ OpenSSLCertificateI::getIssuerAlternativeNames() const return convertGeneralNames(reinterpret_cast(X509_get_ext_d2i(_cert, NID_issuer_alt_name, 0, 0))); } -IceSSL::DistinguishedName +DistinguishedName OpenSSLCertificateI::getSubjectDN() const { - return IceSSL::DistinguishedName( - IceSSL::RFC2253::parseStrict(convertX509NameToString(X509_get_subject_name(_cert)))); + return DistinguishedName(RFC2253::parseStrict(convertX509NameToString(X509_get_subject_name(_cert)))); } vector> @@ -471,7 +468,7 @@ OpenSSLCertificateI::loadX509Extensions() const len = OBJ_obj2txt(&oid[0], len, obj, 1); oid.resize(len); _extensions.push_back( - dynamic_pointer_cast(make_shared(ext, oid, _cert))); + dynamic_pointer_cast(make_shared(ext, oid, _cert))); } } } @@ -564,14 +561,14 @@ OpenSSLCertificateI::getExtendedKeyUsage() const return extendedKeyUsage; } -IceSSL::OpenSSL::CertificatePtr -IceSSL::OpenSSL::Certificate::create(x509_st* cert) +OpenSSL::CertificatePtr +OpenSSL::Certificate::create(x509_st* cert) { return make_shared(cert); } -IceSSL::OpenSSL::CertificatePtr -IceSSL::OpenSSL::Certificate::load(const std::string& file) +OpenSSL::CertificatePtr +OpenSSL::Certificate::load(const std::string& file) { BIO* cert = BIO_new(BIO_s_file()); if (BIO_read_filename(cert, file.c_str()) <= 0) @@ -594,8 +591,8 @@ IceSSL::OpenSSL::Certificate::load(const std::string& file) return make_shared(x); } -IceSSL::OpenSSL::CertificatePtr -IceSSL::OpenSSL::Certificate::decode(const std::string& encoding) +OpenSSL::CertificatePtr +OpenSSL::Certificate::decode(const std::string& encoding) { BIO* cert = BIO_new_mem_buf(static_cast(const_cast(&encoding[0])), static_cast(encoding.size())); x509_st* x = PEM_read_bio_X509(cert, nullptr, nullptr, nullptr); 
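Review bot: `OpenSSL::Certificate::decode` in the hunk at -594 still strips `const` from the input with `const_cast` before passing it to `BIO_new_mem_buf`, which has taken a `const void*` since OpenSSL 1.1.0 (the version family the `TLS_method()` call in OpenSSLEngine.cpp already implies), so the cast is unnecessary and obscures that the buffer is read-only. `BIO* cert = BIO_new_mem_buf(encoding.data(), static_cast<int>(encoding.size()));` expresses the same thing without the two casts and without `&encoding[0]`. What happens to `cert` when `PEM_read_bio_X509` returns null is outside the hunk.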
@@ -612,14 +609,14 @@ IceSSL::OpenSSL::Certificate::decode(const std::string& encoding) return make_shared(x); } -IceSSL::CertificatePtr -IceSSL::Certificate::load(const std::string& file) +CertificatePtr +Certificate::load(const std::string& file) { - return IceSSL::OpenSSL::Certificate::load(file); + return OpenSSL::Certificate::load(file); } -IceSSL::CertificatePtr -IceSSL::Certificate::decode(const std::string& encoding) +CertificatePtr +Certificate::decode(const std::string& encoding) { - return IceSSL::OpenSSL::Certificate::decode(encoding); + return OpenSSL::Certificate::decode(encoding); } diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp index de530e0e461..0ebcf702580 100644 --- a/cpp/src/IceSSL/OpenSSLEngine.cpp +++ b/cpp/src/IceSSL/OpenSSLEngine.cpp @@ -46,11 +46,7 @@ extern "C" { sz = size - 1; } -#if defined(_WIN32) - strncpy_s(buf, size, passwd.c_str(), sz); -#else strncpy(buf, passwd.c_str(), sz); -#endif buf[sz] = '\0'; for (string::iterator i = passwd.begin(); i != passwd.end(); ++i) @@ -94,7 +90,7 @@ OpenSSL::SSLEngine::initialize() _ctx = SSL_CTX_new(TLS_method()); if (!_ctx) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to create SSL context:\n" + sslErrors()); @@ -106,7 +102,7 @@ OpenSSL::SSLEngine::initialize() SSL_CTX_set_security_level(_ctx, securityLevel); if (SSL_CTX_get_security_level(_ctx) != securityLevel) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to set SSL security level:\n" + sslErrors()); @@ -143,7 +139,7 @@ OpenSSL::SSLEngine::initialize() if (!file && !dir) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: CA certificate path not found:\n" + path); 
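Review bot: In the OpenSSLEngine.cpp hunk at -46, dropping the `strncpy_s` branch leaves a bare `strncpy` that on MSVC triggers the C4996 deprecation warning unless the build already defines `_CRT_SECURE_NO_WARNINGS`, which is not visible from the patch. The copy itself stays bounded, since `sz` is capped at `size - 1` and `buf[sz] = '\0'` terminates it, but a portable form that avoids the warning and the C string API is `passwd.copy(buf, sz); buf[sz] = '\0';`. The password callback this belongs to starts and ends outside the hunk, so the derivation of `size` and `sz` cannot be checked here.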
@@ -168,7 +164,7 @@ OpenSSL::SSLEngine::initialize() msg += ":\n" + err; } } - throw PluginInitializationException(__FILE__, __LINE__, msg); + throw InitializationException(__FILE__, __LINE__, msg); } } else if (properties->getPropertyAsInt("IceSSL.UsePlatformCAs") > 0) @@ -189,7 +185,7 @@ OpenSSL::SSLEngine::initialize() vector files; if (!IceUtilInternal::splitString(certFile, IceUtilInternal::pathsep, files) || files.size() > 2) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value for " + propPrefix + "CertFile:\n" + certFile); @@ -200,7 +196,7 @@ OpenSSL::SSLEngine::initialize() string resolved; if (!checkPath(file, defaultDir, false, resolved)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: certificate file not found:\n" + file); @@ -226,7 +222,7 @@ OpenSSL::SSLEngine::initialize() if (!cert || !SSL_CTX_use_certificate(_ctx, cert)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to load SSL certificate:\n" + @@ -235,7 +231,7 @@ OpenSSL::SSLEngine::initialize() if (!key || !SSL_CTX_use_PrivateKey(_ctx, key)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to load SSL private key:\n" + @@ -252,7 +248,7 @@ OpenSSL::SSLEngine::initialize() { if (!SSL_CTX_add_extra_chain_cert(_ctx, c)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to add extra SSL certificate:\n" + sslErrors()); @@ -311,7 +307,7 @@ OpenSSL::SSLEngine::initialize() msg += ":\n" + err; } } - throw PluginInitializationException(__FILE__, __LINE__, msg); + throw InitializationException(__FILE__, __LINE__, msg); } } } 
@@ -326,24 +322,25 @@ OpenSSL::SSLEngine::initialize() vector files; if (!IceUtilInternal::splitString(keyFile, IceUtilInternal::pathsep, files) || files.size() > 2) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value for " + propPrefix + "KeyFile:\n" + keyFile); } if (files.size() != numCerts) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: " + propPrefix + "KeyFile does not agree with " + propPrefix + "CertFile"); } + for (const auto& file : files) { string resolved; if (!checkPath(file, defaultDir, false, resolved)) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: key file not found:\n" + file); + throw InitializationException(__FILE__, __LINE__, "IceSSL: key file not found:\n" + file); } // The private key may be stored in an encrypted file. @@ -363,7 +360,7 @@ OpenSSL::SSLEngine::initialize() os << ":\n" << errStr; } } - throw PluginInitializationException(__FILE__, __LINE__, os.str()); + throw InitializationException(__FILE__, __LINE__, os.str()); } } keyLoaded = true; @@ -371,7 +368,7 @@ OpenSSL::SSLEngine::initialize() if (keyLoaded && !SSL_CTX_check_private_key(_ctx)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to validate private key(s):\n" + sslErrors()); @@ -383,7 +380,7 @@ OpenSSL::SSLEngine::initialize() vector crlFiles = properties->getPropertyAsList(propPrefix + "CertificateRevocationListFiles"); if (crlFiles.empty()) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: cannot enable revocation checks without setting certificate revocation list files"); 
@@ -392,16 +389,13 @@ OpenSSL::SSLEngine::initialize() X509_STORE* store = SSL_CTX_get_cert_store(_ctx); if (!store) { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: unable to obtain the certificate store"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: unable to obtain the certificate store"); } X509_LOOKUP* lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); if (!lookup) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: add lookup failed"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: add lookup failed"); } for (const string& crlFile : crlFiles) @@ -409,7 +403,7 @@ OpenSSL::SSLEngine::initialize() string resolved; if (!checkPath(crlFile, defaultDir, false, resolved)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: CRL file not found `" + crlFile + "'"); @@ -417,10 +411,7 @@ OpenSSL::SSLEngine::initialize() if (X509_LOOKUP_load_file(lookup, resolved.c_str(), X509_FILETYPE_PEM) == 0) { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: CRL load failure `" + crlFile + "'"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: CRL load failure `" + crlFile + "'"); } } 
@@ -457,39 +448,6 @@ OpenSSL::SSLEngine::initialize() _ctx, reinterpret_cast(this), static_cast(sizeof(this))); - - // - // Establish the cipher list. - // - string ciphersStr = properties->getProperty(propPrefix + "Ciphers"); - if (!ciphersStr.empty()) - { - if (!SSL_CTX_set_cipher_list(_ctx, ciphersStr.c_str())) - { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: unable to set ciphers using `" + ciphersStr + "':\n" + sslErrors()); - } - } - - if (securityTraceLevel() >= 1) - { - ostringstream os; - os << "enabling SSL ciphersuites:"; - - SSL* ssl = SSL_new(_ctx); - STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl); - if (ciphers) - { - for (int i = 0, length = sk_SSL_CIPHER_num(ciphers); i < length; ++i) - { - os << "\n" << SSL_CIPHER_get_name(sk_SSL_CIPHER_value(ciphers, i)); - } - } - SSL_free(ssl); - getLogger()->trace(securityTraceCategory(), os.str()); - } } catch (...) { diff --git a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp index c2f40b79076..43e9c8086ea 100644 --- a/cpp/src/IceSSL/OpenSSLTransceiverI.cpp +++ b/cpp/src/IceSSL/OpenSSLTransceiverI.cpp @@ -8,8 +8,8 @@ #include "Ice/Communicator.h" #include "Ice/LocalException.h" #include "Ice/LoggerUtil.h" -#include "IceSSL/ConnectionInfo.h" -#include "IceSSL/OpenSSL.h" +#include "Ice/OpenSSL.h" +#include "Ice/SSLConnectionInfo.h" #include "OpenSSLEngine.h" #include "SSLEngine.h" #include "SSLInstance.h" diff --git a/cpp/src/IceSSL/OpenSSLTransceiverI.h b/cpp/src/IceSSL/OpenSSLTransceiverI.h index 9a6a97e7370..09d8d417502 100644 --- a/cpp/src/IceSSL/OpenSSLTransceiverI.h +++ b/cpp/src/IceSSL/OpenSSLTransceiverI.h @@ -9,8 +9,8 @@ #include "../Ice/StreamSocket.h" #include "../Ice/Transceiver.h" #include "../Ice/WSTransceiver.h" +#include "Ice/Certificate.h" #include "Ice/Config.h" -#include "IceSSL/Certificate.h" #include "OpenSSLEngineF.h" #include "SSLInstanceF.h" #include "SSLUtil.h" 
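Review bot: Removing the `IceSSL.Ciphers` handling also deletes the `securityTraceLevel() >= 1` block that listed the ciphersuites enabled on the context, but that trace did not depend on the property: it enumerated `SSL_get_ciphers` on a throwaway `SSL` created from `_ctx`. With the property gone, the negotiable suite set is whatever the OpenSSL defaults plus the `SSL_CTX_set_security_level` call earlier in `initialize()` yield, which is precisely when operators need a way to confirm it from the security trace, so consider keeping the trace block (minus the `SSL_CTX_set_cipher_list` part). If it is kept, the old `SSL_new`/`SSL_free` pair leaked on an exception from `trace`; holding the object in a `std::unique_ptr<SSL, decltype(&SSL_free)>` fixes that. `initialize()` continues past the hunk.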
diff --git a/cpp/src/IceSSL/PluginI.cpp b/cpp/src/IceSSL/PluginI.cpp deleted file mode 100644 index 89742ba8388..00000000000 --- a/cpp/src/IceSSL/PluginI.cpp +++ /dev/null 
@@ -1,112 +0,0 @@ -// -// Copyright (c) ZeroC, Inc. All rights reserved. -// - -#include "../Ice/ProtocolInstance.h" -#include "../Ice/ProtocolPluginFacade.h" -#include "Ice/LocalException.h" -#include "Ice/RegisterPlugins.h" -#include "IceSSL/Certificate.h" -#include "SSLEndpointI.h" -#include "SSLEngine.h" -#include "SSLInstance.h" - -using namespace std; -using namespace Ice; -using namespace IceSSL; - -std::string -IceSSL::getTrustErrorDescription(TrustError error) -{ - switch (error) - { - case IceSSL::TrustError::NoError: - { - return "no error"; - } - case IceSSL::TrustError::ChainTooLong: - { - return "the certificate chain length is greater than the specified maximum depth"; - } - case IceSSL::TrustError::HasExcludedNameConstraint: - { - return "the X509 chain is invalid because a certificate has excluded a name constraint"; - } - case IceSSL::TrustError::HasNonDefinedNameConstraint: - { - return "the certificate has an undefined name constraint"; - } - case IceSSL::TrustError::HasNonPermittedNameConstraint: - { - return "the certificate has a non permitted name constrain"; - } - case IceSSL::TrustError::HasNonSupportedCriticalExtension: - { - return "the certificate does not support a critical extension"; - } - case IceSSL::TrustError::HasNonSupportedNameConstraint: - { - return "the certificate does not have a supported name constraint or has a name constraint that " - "is unsupported"; - } - case IceSSL::TrustError::HostNameMismatch: - { - return "a host name mismatch has occurred"; - } - case IceSSL::TrustError::InvalidBasicConstraints: - { - return "the X509 chain is invalid due to invalid basic constraints"; - } - case IceSSL::TrustError::InvalidExtension: - { - return "the X509 chain is invalid due to an invalid extension"; - } - case IceSSL::TrustError::InvalidNameConstraints: - { - return "the X509 chain is invalid due to invalid name constraints"; - } - case IceSSL::TrustError::InvalidPolicyConstraints: - { - return "the X509 chain is invalid due 
to invalid policy constraints"; - } - case IceSSL::TrustError::InvalidPurpose: - { - return "the supplied certificate cannot be used for the specified purpose"; - } - case IceSSL::TrustError::InvalidSignature: - { - return "the X509 chain is invalid due to an invalid certificate signature"; - } - case IceSSL::TrustError::InvalidTime: - { - return "the X509 chain is not valid due to an invalid time value, such as a value that indicates an " - "expired certificate"; - } - case IceSSL::TrustError::NotTrusted: - { - return "the certificate is explicitly distrusted"; - } - case IceSSL::TrustError::PartialChain: - { - return "the X509 chain could not be built up to the root certificate"; - } - case IceSSL::TrustError::RevocationStatusUnknown: - { - return "it is not possible to determine whether the certificate has been revoked"; - } - case IceSSL::TrustError::Revoked: - { - return "the X509 chain is invalid due to a revoked certificate"; - } - case IceSSL::TrustError::UntrustedRoot: - { - return "the X509 chain is invalid due to an untrusted root certificate"; - } - case IceSSL::TrustError::UnknownTrustFailure: - { - return "unknown failure"; - } - } - assert(false); - return "unknown failure"; -} diff --git a/cpp/src/IceSSL/RFC2253.cpp b/cpp/src/IceSSL/RFC2253.cpp index 88c9021a949..b2ca3520622 100644 --- a/cpp/src/IceSSL/RFC2253.cpp +++ b/cpp/src/IceSSL/RFC2253.cpp @@ -3,7 +3,7 @@ // #include "RFC2253.h" -#include "IceSSL/Certificate.h" +#include "Ice/Certificate.h" #include "IceUtil/StringUtil.h" #include diff --git a/cpp/src/IceSSL/RFC2253.h b/cpp/src/IceSSL/RFC2253.h index 4c54729e8f6..bfeb8c44190 100644 --- a/cpp/src/IceSSL/RFC2253.h +++ b/cpp/src/IceSSL/RFC2253.h @@ -25,14 +25,14 @@ // namespace IceSSL::RFC2253 { - typedef std::list> RDNSeq; + using RDNSeq = std::list>; struct ICE_API RDNEntry { RDNSeq rdn; bool negate; }; - typedef std::list RDNEntrySeq; + using RDNEntrySeq = std::list; // // This function separates DNs with the ';' character. A list of RDN 
diff --git a/cpp/src/IceSSL/SChannelCertificateI.cpp b/cpp/src/IceSSL/SChannelCertificateI.cpp index b183cbe6dab..e7e5afa6f82 100644 --- a/cpp/src/IceSSL/SChannelCertificateI.cpp +++ b/cpp/src/IceSSL/SChannelCertificateI.cpp @@ -4,9 +4,9 @@ #include "../Ice/StringUtil.h" #include "CertificateI.h" +#include "Ice/Certificate.h" +#include "Ice/SChannel.h" #include "Ice/StringConverter.h" -#include "IceSSL/Certificate.h" -#include "IceSSL/SChannel.h" #include "SSLUtil.h" #include diff --git a/cpp/src/IceSSL/SChannelEngine.cpp b/cpp/src/IceSSL/SChannelEngine.cpp index c7ec0514f6a..3ac929437d5 100644 --- a/cpp/src/IceSSL/SChannelEngine.cpp +++ b/cpp/src/IceSSL/SChannelEngine.cpp @@ -60,7 +60,7 @@ namespace { if (!CertAddCertificateContextToStore(target, next, CERT_STORE_ADD_ALWAYS, 0)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error adding certificate to store:\n" + IceUtilInternal::lastErrorToString()); @@ -81,7 +81,7 @@ namespace if (!store) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: failed to open certificate store `" + storeName + "':\n" + @@ -111,7 +111,7 @@ namespace { if (value.find(':', 0) == string::npos) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no key in `" + value + "'"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: no key in `" + value + "'"); } size_t start = 0; size_t pos; @@ -121,10 +121,7 @@ namespace if (field != "SUBJECT" && field != "SUBJECTDN" && field != "ISSUER" && field != "ISSUERDN" && field != "THUMBPRINT" && field != "SUBJECTKEYID" && field != "SERIAL") { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: unknown key in `" + value + "'"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: unknown key in `" + value + "'"); } start = pos + 1; 
@@ -135,7 +132,7 @@ namespace if (start == value.size()) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: missing argument in `" + value + "'"); @@ -156,7 +153,7 @@ namespace } if (end == value.size() || value[end] != value[start]) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unmatched quote in `" + value + "'"); @@ -183,7 +180,7 @@ namespace tmpStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0); if (!tmpStore) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error adding certificate to store:\n" + IceUtilInternal::lastErrorToString()); @@ -208,7 +205,7 @@ namespace DWORD length = 0; if (!CertStrToNameW(X509_ASN_ENCODING, argW.c_str(), flags[i], 0, 0, &length, 0)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property:\n" + @@ -218,7 +215,7 @@ namespace vector buffer(length); if (!CertStrToNameW(X509_ASN_ENCODING, argW.c_str(), flags[i], 0, &buffer[0], &length, 0)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property:\n" + @@ -236,7 +233,7 @@ namespace vector buffer; if (!parseBytes(arg, buffer)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid `IceSSL.FindCert' property: can't decode the value"); @@ -251,7 +248,7 @@ namespace vector buffer; if (!parseBytes(arg, buffer)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value `" + value + "' for `IceSSL.FindCert' property"); 
@@ -273,7 +270,7 @@ namespace { if (!CertAddCertificateContextToStore(tmpStore, next, CERT_STORE_ADD_ALWAYS, 0)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error adding certificate to store:\n" + @@ -331,7 +328,7 @@ namespace readFile(file, buffer); if (buffer.empty()) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate file is empty:\n" + file); + throw InitializationException(__FILE__, __LINE__, "IceSSL: certificate file is empty:\n" + file); } string strbuf(buffer.begin(), buffer.end()); @@ -369,7 +366,7 @@ namespace 0)) { assert(GetLastError() != ERROR_MORE_DATA); // Base64 data should always be bigger than binary - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error decoding certificate:\n" + lastErrorToString()); @@ -385,7 +382,7 @@ namespace { if (GetLastError() != static_cast(CRYPT_E_EXISTS)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error decoding certificate:\n" + lastErrorToString()); @@ -396,9 +393,6 @@ namespace } } - const ALG_ID supportedCiphers[] = {CALG_3DES, CALG_AES_128, CALG_AES_256, CALG_DES, CALG_RC2, CALG_RC4}; - const int supportedCiphersSize = sizeof(supportedCiphers) / sizeof(ALG_ID); - ALG_ID algorithmId(const string& name) { 
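Review bot: `algorithmId(const string& name)` is kept in the anonymous namespace at the end of this hunk although its only visible caller, `SChannel::SSLEngine::parseCiphers`, is deleted later in this file (hunk at -1155); if nothing else in SChannelEngine.cpp calls it, it is now dead code and should go with the `supportedCiphers` table rather than be left behind. `getCipherName`, which the removed trace loop in `initialize()` (hunk at -566) was the only visible user of, may be in the same position and is worth checking too. The body of `algorithmId` continues outside the hunk, so I cannot tell from here whether it has other uses.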
@@ -566,33 +560,6 @@ SChannel::SSLEngine::initialize() // Check for a default directory. We look in this directory for files mentioned in the configuration. const string defaultDir = properties->getProperty(prefix + "DefaultDir"); - string ciphers = properties->getProperty(prefix + "Ciphers"); - if (!ciphers.empty()) - { - parseCiphers(ciphers); - } - - if (securityTraceLevel() >= 1) - { - ostringstream os; - os << "enabling SSL ciphersuites:"; - if (_ciphers.empty()) - { - for (int i = 0; i < supportedCiphersSize; ++i) - { - os << "\n " << getCipherName(supportedCiphers[i]); - } - } - else - { - for (vector::const_iterator i = _ciphers.begin(); i != _ciphers.end(); ++i) - { - os << "\n " << getCipherName(*i); - } - } - getLogger()->trace(securityTraceCategory(), os.str()); - } - string certStoreLocation = properties->getPropertyWithDefault(prefix + "CertStoreLocation", "CurrentUser"); if (certStoreLocation != "CurrentUser" && certStoreLocation != "LocalMachine") { @@ -610,7 +577,7 @@ SChannel::SSLEngine::initialize() _rootStore = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0); if (!_rootStore) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error creating in memory certificate store:\n" + lastErrorToString()); @@ -621,10 +588,7 @@ SChannel::SSLEngine::initialize() string resolved; if (!checkPath(caFile, defaultDir, false, resolved)) { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: CA certificate file not found:\n" + caFile); + throw InitializationException(__FILE__, __LINE__, "IceSSL: CA certificate file not found:\n" + caFile); } addCertificatesToStore(resolved, _rootStore); @@ -651,7 +615,7 @@ SChannel::SSLEngine::initialize() if (!CertCreateCertificateChainEngine(&config, &_chainEngine)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error creating certificate chain engine:\n" + lastErrorToString()); 
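Review bot: After this removal nothing in `initialize()` records which ciphersuites the engine will negotiate — the level-1 security trace that listed them goes away with the `IceSSL.Ciphers` handling — so suite selection now rests entirely on the platform SChannel policy plus the `SCH_USE_STRONG_CRYPTO` flag set in `newCredentialsHandle` (hunk at -1122). That is a reasonable hardening, but it should be stated where the old block was, e.g. `// Ciphersuite selection is delegated to the platform SChannel policy (see SCH_USE_STRONG_CRYPTO in newCredentialsHandle); IceSSL.Ciphers is no longer honoured.` If the transceiver does not already trace the negotiated suite per connection, operators lose their only cipher visibility here, which is worth a follow-up. The function body continues outside the hunk.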
@@ -671,7 +635,7 @@ SChannel::SSLEngine::initialize() vector certFiles; if (!splitString(certFileValue, IceUtilInternal::pathsep, certFiles) || certFiles.size() > 2) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value for " + prefix + "CertFile:\n" + certFileValue); @@ -682,7 +646,7 @@ SChannel::SSLEngine::initialize() { if (!splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value for " + prefix + "KeyFile:\n" + keyFile); @@ -690,7 +654,7 @@ SChannel::SSLEngine::initialize() if (certFiles.size() != keyFiles.size()) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: " + prefix + "KeyFile does not agree with " + prefix + "CertFile"); @@ -703,10 +667,7 @@ SChannel::SSLEngine::initialize() string resolved; if (!checkPath(certFile, defaultDir, false, resolved)) { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: certificate file not found:\n" + certFile); + throw InitializationException(__FILE__, __LINE__, "IceSSL: certificate file not found:\n" + certFile); } certFile = resolved; @@ -714,10 +675,7 @@ SChannel::SSLEngine::initialize() readFile(certFile, buffer); if (buffer.empty()) { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: certificate file is empty:\n" + certFile); + throw InitializationException(__FILE__, __LINE__, "IceSSL: certificate file is empty:\n" + certFile); } CRYPT_DATA_BLOB pfxBlob; @@ -768,7 +726,7 @@ SChannel::SSLEngine::initialize() } if (!cert) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: certificate error:\n" + lastErrorToString()); 
@@ -781,7 +739,7 @@ SChannel::SSLEngine::initialize() assert(err); if (err != CRYPT_E_BAD_ENCODE) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error decoding certificate:\n" + lastErrorToString()); @@ -790,21 +748,21 @@ SChannel::SSLEngine::initialize() // Try to load certificate & key as PEM files. if (keyFiles.empty()) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no key file specified"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: no key file specified"); } err = 0; keyFile = keyFiles[i]; if (!checkPath(keyFile, defaultDir, false, resolved)) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: key file not found:\n" + keyFile); + throw InitializationException(__FILE__, __LINE__, "IceSSL: key file not found:\n" + keyFile); } keyFile = resolved; readFile(keyFile, buffer); if (buffer.empty()) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: key file is empty:\n" + keyFile); + throw InitializationException(__FILE__, __LINE__, "IceSSL: key file is empty:\n" + keyFile); } vector outBuffer; @@ -821,7 +779,7 @@ SChannel::SSLEngine::initialize() 0, 0)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error decoding key `" + keyFile + "':\n" + lastErrorToString()); @@ -847,7 +805,7 @@ SChannel::SSLEngine::initialize() // Check that we are using an RSA Key. if (strcmp(keyInfo->Algorithm.pszObjId, szOID_RSA_RSA)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, string("IceSSL: error unknow key algorithm: `") + keyInfo->Algorithm.pszObjId + "'"); @@ -864,7 +822,7 @@ SChannel::SSLEngine::initialize() &key, &outLength)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error decoding key `" + keyFile + "':\n" + lastErrorToString()); 
@@ -885,7 +843,7 @@ SChannel::SSLEngine::initialize() &key, &outLength)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error decoding key `" + keyFile + "':\n" + lastErrorToString()); @@ -909,7 +867,7 @@ SChannel::SSLEngine::initialize() PROV_RSA_FULL, contextFlags)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error acquiring cryptographic " @@ -920,7 +878,7 @@ SChannel::SSLEngine::initialize() // Import the private key. if (!CryptImportKey(cryptProv, key, outLength, 0, 0, &hKey)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error importing key `" + keyFile + "':\n" + lastErrorToString()); @@ -935,7 +893,7 @@ SChannel::SSLEngine::initialize() store = CertOpenStore(CERT_STORE_PROV_MEMORY, 0, 0, 0, 0); if (!store) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error creating certificate " @@ -954,7 +912,7 @@ SChannel::SSLEngine::initialize() keyProvInfo.dwKeySpec = AT_KEYEXCHANGE; if (!CertSetCertificateContextProperty(cert, CERT_KEY_PROV_INFO_PROP_ID, 0, &keyProvInfo)) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error setting certificate " @@ -1002,7 +960,7 @@ SChannel::SSLEngine::initialize() vector certs = findCertificates(certStoreLocation, certStore, findCert, _stores); if (certs.empty()) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no certificates found"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: no certificates found"); } _allCerts.insert(_allCerts.end(), certs.begin(), certs.end()); } 
@@ -1122,12 +1080,6 @@ SChannel::SSLEngine::newCredentialsHandle(bool incoming) cred.dwFlags |= SCH_USE_STRONG_CRYPTO; } - if (!_ciphers.empty()) - { - cred.cSupportedAlgs = static_cast(_ciphers.size()); - cred.palgSupportedAlgs = &_ciphers[0]; - } - CredHandle credHandle; memset(&credHandle, 0, sizeof(credHandle)); @@ -1155,22 +1107,6 @@ SChannel::SSLEngine::newCredentialsHandle(bool incoming) HCERTCHAINENGINE SChannel::SSLEngine::chainEngine() const { return _chainEngine; } -void -SChannel::SSLEngine::parseCiphers(const std::string& ciphers) -{ - vector tokens; - splitString(ciphers, " \t", tokens); - for (vector::const_iterator i = tokens.begin(); i != tokens.end(); ++i) - { - ALG_ID id = algorithmId(*i); - if (id == 0) - { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no such cipher " + *i); - } - _ciphers.push_back(id); - } -} - void SChannel::SSLEngine::destroy() { diff --git a/cpp/src/IceSSL/SChannelEngine.h b/cpp/src/IceSSL/SChannelEngine.h index 5ff28a01fa7..d5137aa5ce9 100644 --- a/cpp/src/IceSSL/SChannelEngine.h +++ b/cpp/src/IceSSL/SChannelEngine.h @@ -57,8 +57,6 @@ namespace IceSSL::SChannel HCERTCHAINENGINE chainEngine() const; private: - void parseCiphers(const std::string&); - std::vector _allCerts; std::vector _importedCerts; @@ -66,8 +64,6 @@ namespace IceSSL::SChannel HCERTSTORE _rootStore; HCERTCHAINENGINE _chainEngine; - std::vector _ciphers; - const bool _strongCrypto; }; } diff --git a/cpp/src/IceSSL/SChannelEngineF.h b/cpp/src/IceSSL/SChannelEngineF.h index 713a414f029..9fcd4ea1962 100644 --- a/cpp/src/IceSSL/SChannelEngineF.h +++ b/cpp/src/IceSSL/SChannelEngineF.h @@ -7,7 +7,7 @@ #ifdef _WIN32 -# include "IceSSL/SChannel.h" +# include "Ice/SChannel.h" # include diff --git a/cpp/src/IceSSL/SChannelTransceiverI.cpp b/cpp/src/IceSSL/SChannelTransceiverI.cpp index d48d8f6a1da..e152e510027 100644 --- a/cpp/src/IceSSL/SChannelTransceiverI.cpp +++ b/cpp/src/IceSSL/SChannelTransceiverI.cpp 
@@ -7,7 +7,7 @@ #include "Ice/Communicator.h" #include "Ice/LocalException.h" #include "Ice/LoggerUtil.h" -#include "IceSSL/ConnectionInfo.h" +#include "Ice/SSLConnectionInfo.h" #include "IceUtil/StringUtil.h" #include "SChannelEngine.h" #include "SSLInstance.h" diff --git a/cpp/src/IceSSL/SSLEndpointI.h b/cpp/src/IceSSL/SSLEndpointI.h index 9ba82fd5f69..47eeb9d5c03 100644 --- a/cpp/src/IceSSL/SSLEndpointI.h +++ b/cpp/src/IceSSL/SSLEndpointI.h @@ -9,7 +9,7 @@ #include "../Ice/EndpointI.h" #include "../Ice/IPEndpointI.h" #include "../Ice/Network.h" -#include "IceSSL/EndpointInfo.h" +#include "Ice/SSLEndpointInfo.h" #include "SSLEngineF.h" #include "SSLInstanceF.h" diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp index 74cd76f9b00..847355cafaa 100644 --- a/cpp/src/IceSSL/SSLEngine.cpp +++ b/cpp/src/IceSSL/SSLEngine.cpp @@ -9,7 +9,7 @@ #include "Ice/Logger.h" #include "Ice/LoggerUtil.h" #include "Ice/Properties.h" -#include "IceSSL/ConnectionInfo.h" +#include "Ice/SSLConnectionInfo.h" #include "IceUtil/StringUtil.h" #include "TrustManager.h" @@ -58,10 +58,7 @@ IceSSL::SSLEngine::initialize() if (_verifyPeer < 0 || _verifyPeer > 2) { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: invalid value for " + propPrefix + "VerifyPeer"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: invalid value for " + propPrefix + "VerifyPeer"); } _securityTraceLevel = properties->getPropertyAsInt("IceSSL.Trace.Security"); diff --git a/cpp/src/IceSSL/SSLEngine.h b/cpp/src/IceSSL/SSLEngine.h index fe93188ba95..899665f7239 100644 --- a/cpp/src/IceSSL/SSLEngine.h +++ b/cpp/src/IceSSL/SSLEngine.h @@ -7,9 +7,9 @@ #include "../Ice/Network.h" #include "../Ice/TransceiverF.h" +#include "Ice/Certificate.h" #include "Ice/CommunicatorF.h" #include "Ice/InstanceF.h" -#include "IceSSL/Certificate.h" #include "SSLEngineF.h" #include "SSLInstanceF.h" #include "SSLUtil.h" 
diff --git a/cpp/src/IceSSL/SSLUtil.cpp b/cpp/src/IceSSL/SSLUtil.cpp index 51467aa0da4..b8cd03da376 100644 --- a/cpp/src/IceSSL/SSLUtil.cpp +++ b/cpp/src/IceSSL/SSLUtil.cpp @@ -9,10 +9,10 @@ #include "../Ice/Base64.h" #include "../Ice/Network.h" +#include "Ice/Certificate.h" #include "Ice/LocalException.h" #include "Ice/StringConverter.h" #include "Ice/UniqueRef.h" -#include "IceSSL/Certificate.h" #include "IceUtil/FileUtil.h" #include "IceUtil/StringUtil.h" #include "SSLUtil.h" diff --git a/cpp/src/IceSSL/SecureTransportCertificateI.cpp b/cpp/src/IceSSL/SecureTransportCertificateI.cpp index aaeed897870..30ee1d0e4be 100644 --- a/cpp/src/IceSSL/SecureTransportCertificateI.cpp +++ b/cpp/src/IceSSL/SecureTransportCertificateI.cpp @@ -11,8 +11,8 @@ #include "../Ice/Base64.h" #include "CertificateI.h" #include "Ice/LocalException.h" +#include "Ice/SecureTransport.h" #include "Ice/UniqueRef.h" -#include "IceSSL/SecureTransport.h" #include "RFC2253.h" #include "SecureTransportUtil.h" diff --git a/cpp/src/IceSSL/SecureTransportEngine.cpp b/cpp/src/IceSSL/SecureTransportEngine.cpp index 3743ee82568..590e1435e38 100644 --- a/cpp/src/IceSSL/SecureTransportEngine.cpp +++ b/cpp/src/IceSSL/SecureTransportEngine.cpp @@ -3,12 +3,12 @@ // #include "SecureTransportEngine.h" +#include "Ice/Certificate.h" #include "Ice/Config.h" #include "Ice/LocalException.h" #include "Ice/Logger.h" #include "Ice/LoggerUtil.h" #include "Ice/Properties.h" -#include "IceSSL/Certificate.h" #include "IceUtil/FileUtil.h" #include "IceUtil/StringUtil.h" #include "SSLEngine.h" @@ -17,8 +17,6 @@ #include "SecureTransportTransceiverI.h" #include "SecureTransportUtil.h" -#include - // Disable deprecation warnings from SecureTransport APIs #include "IceUtil/DisableWarnings.h" 
@@ -31,309 +29,13 @@ using namespace IceSSL::SecureTransport; namespace { - mutex staticMutex; - - class RegExp - { - public: - RegExp(const string&); - ~RegExp(); - bool match(const string&); - - private: - regex_t _preg; - }; - using RegExpPtr = shared_ptr; - - RegExp::RegExp(const string& regexp) - { - int err = regcomp(&_preg, regexp.c_str(), REG_EXTENDED | REG_NOSUB); - if (err) - { - throw SyscallException(__FILE__, __LINE__, err); - } - } - - RegExp::~RegExp() { regfree(&_preg); } - - bool RegExp::match(const string& value) { return regexec(&_preg, value.c_str(), 0, 0, 0) == 0; } - - struct CipherExpression - { - bool negation; - string cipher; - RegExpPtr re; - }; - - class CiphersHelper - { - public: - static void initialize(); - static SSLCipherSuite cipherForName(const string& name); - static string cipherName(SSLCipherSuite cipher); - static map ciphers(); - - private: - static map _ciphers; - }; - - map CiphersHelper::_ciphers; - - // - // Initialize a dictionary with the names of ciphers - // - void CiphersHelper::initialize() - { - lock_guard sync(staticMutex); - if (_ciphers.empty()) - { - _ciphers["NULL_WITH_NULL_NULL"] = SSL_NULL_WITH_NULL_NULL; - _ciphers["RSA_WITH_NULL_MD5"] = SSL_RSA_WITH_NULL_MD5; - _ciphers["RSA_WITH_NULL_SHA"] = SSL_RSA_WITH_NULL_SHA; - _ciphers["RSA_EXPORT_WITH_RC4_40_MD5"] = SSL_RSA_EXPORT_WITH_RC4_40_MD5; - _ciphers["RSA_WITH_RC4_128_MD5"] = SSL_RSA_WITH_RC4_128_MD5; - _ciphers["RSA_WITH_RC4_128_SHA"] = SSL_RSA_WITH_RC4_128_SHA; - _ciphers["RSA_EXPORT_WITH_RC2_CBC_40_MD5"] = SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5; - _ciphers["RSA_WITH_IDEA_CBC_SHA"] = SSL_RSA_WITH_IDEA_CBC_SHA; - _ciphers["RSA_EXPORT_WITH_DES40_CBC_SHA"] = SSL_RSA_EXPORT_WITH_DES40_CBC_SHA; - _ciphers["RSA_WITH_DES_CBC_SHA"] = SSL_RSA_WITH_DES_CBC_SHA; - _ciphers["RSA_WITH_3DES_EDE_CBC_SHA"] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["DH_DSS_EXPORT_WITH_DES40_CBC_SHA"] = SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA; - _ciphers["DH_DSS_WITH_DES_CBC_SHA"] = 
SSL_DH_DSS_WITH_DES_CBC_SHA; - _ciphers["DH_DSS_WITH_3DES_EDE_CBC_SHA"] = SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA; - _ciphers["DH_RSA_EXPORT_WITH_DES40_CBC_SHA"] = SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA; - _ciphers["DH_RSA_WITH_DES_CBC_SHA"] = SSL_DH_RSA_WITH_DES_CBC_SHA; - _ciphers["DH_RSA_WITH_3DES_EDE_CBC_SHA"] = SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"] = SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA; - _ciphers["DHE_DSS_WITH_DES_CBC_SHA"] = SSL_DHE_DSS_WITH_DES_CBC_SHA; - _ciphers["DHE_DSS_WITH_3DES_EDE_CBC_SHA"] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; - _ciphers["DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"] = SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA; - _ciphers["DHE_RSA_WITH_DES_CBC_SHA"] = SSL_DHE_RSA_WITH_DES_CBC_SHA; - _ciphers["DHE_RSA_WITH_3DES_EDE_CBC_SHA"] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["DH_anon_EXPORT_WITH_RC4_40_MD5"] = SSL_DH_anon_EXPORT_WITH_RC4_40_MD5; - _ciphers["DH_anon_WITH_RC4_128_MD5"] = SSL_DH_anon_WITH_RC4_128_MD5; - _ciphers["DH_anon_EXPORT_WITH_DES40_CBC_SHA"] = SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA; - _ciphers["DH_anon_WITH_DES_CBC_SHA"] = SSL_DH_anon_WITH_DES_CBC_SHA; - _ciphers["DH_anon_WITH_3DES_EDE_CBC_SHA"] = SSL_DH_anon_WITH_3DES_EDE_CBC_SHA; - _ciphers["FORTEZZA_DMS_WITH_NULL_SHA"] = SSL_FORTEZZA_DMS_WITH_NULL_SHA; - _ciphers["FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA"] = SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA; - - // - // TLS addenda using AES, per RFC 3268 - // - _ciphers["RSA_WITH_AES_128_CBC_SHA"] = TLS_RSA_WITH_AES_128_CBC_SHA; - _ciphers["DH_DSS_WITH_AES_128_CBC_SHA"] = TLS_DH_DSS_WITH_AES_128_CBC_SHA; - _ciphers["DH_RSA_WITH_AES_128_CBC_SHA"] = TLS_DH_RSA_WITH_AES_128_CBC_SHA; - _ciphers["DHE_DSS_WITH_AES_128_CBC_SHA"] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA; - _ciphers["DHE_RSA_WITH_AES_128_CBC_SHA"] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; - _ciphers["DH_anon_WITH_AES_128_CBC_SHA"] = TLS_DH_anon_WITH_AES_128_CBC_SHA; - _ciphers["RSA_WITH_AES_256_CBC_SHA"] = TLS_RSA_WITH_AES_256_CBC_SHA; - 
_ciphers["DH_DSS_WITH_AES_256_CBC_SHA"] = TLS_DH_DSS_WITH_AES_256_CBC_SHA; - _ciphers["DH_RSA_WITH_AES_256_CBC_SHA"] = TLS_DH_RSA_WITH_AES_256_CBC_SHA; - _ciphers["DHE_DSS_WITH_AES_256_CBC_SHA"] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA; - _ciphers["DHE_RSA_WITH_AES_256_CBC_SHA"] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; - _ciphers["DH_anon_WITH_AES_256_CBC_SHA"] = TLS_DH_anon_WITH_AES_256_CBC_SHA; - - // - // ECDSA addenda, RFC 4492 - // - _ciphers["ECDH_ECDSA_WITH_NULL_SHA"] = TLS_ECDH_ECDSA_WITH_NULL_SHA; - _ciphers["ECDH_ECDSA_WITH_RC4_128_SHA"] = TLS_ECDH_ECDSA_WITH_RC4_128_SHA; - _ciphers["ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"] = TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["ECDH_ECDSA_WITH_AES_128_CBC_SHA"] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA; - _ciphers["ECDH_ECDSA_WITH_AES_256_CBC_SHA"] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA; - _ciphers["ECDHE_ECDSA_WITH_NULL_SHA"] = TLS_ECDHE_ECDSA_WITH_NULL_SHA; - _ciphers["ECDHE_ECDSA_WITH_RC4_128_SHA"] = TLS_ECDHE_ECDSA_WITH_RC4_128_SHA; - _ciphers["ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"] = TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["ECDHE_ECDSA_WITH_AES_128_CBC_SHA"] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA; - _ciphers["ECDHE_ECDSA_WITH_AES_256_CBC_SHA"] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA; - _ciphers["ECDH_RSA_WITH_NULL_SHA"] = TLS_ECDH_RSA_WITH_NULL_SHA; - _ciphers["ECDH_RSA_WITH_RC4_128_SHA"] = TLS_ECDH_RSA_WITH_RC4_128_SHA; - _ciphers["ECDH_RSA_WITH_3DES_EDE_CBC_SHA"] = TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["ECDH_RSA_WITH_AES_128_CBC_SHA"] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA; - _ciphers["ECDH_RSA_WITH_AES_256_CBC_SHA"] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA; - _ciphers["ECDHE_RSA_WITH_NULL_SHA"] = TLS_ECDHE_RSA_WITH_NULL_SHA; - _ciphers["ECDHE_RSA_WITH_RC4_128_SHA"] = TLS_ECDHE_RSA_WITH_RC4_128_SHA; - _ciphers["ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"] = TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["ECDHE_RSA_WITH_AES_128_CBC_SHA"] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA; - _ciphers["ECDHE_RSA_WITH_AES_256_CBC_SHA"] = 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; - _ciphers["ECDH_anon_WITH_NULL_SHA"] = TLS_ECDH_anon_WITH_NULL_SHA; - _ciphers["ECDH_anon_WITH_RC4_128_SHA"] = TLS_ECDH_anon_WITH_RC4_128_SHA; - _ciphers["ECDH_anon_WITH_3DES_EDE_CBC_SHA"] = TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA; - _ciphers["ECDH_anon_WITH_AES_128_CBC_SHA"] = TLS_ECDH_anon_WITH_AES_128_CBC_SHA; - _ciphers["ECDH_anon_WITH_AES_256_CBC_SHA"] = TLS_ECDH_anon_WITH_AES_256_CBC_SHA; - - // - // TLS 1.2 addenda, RFC 5246 - // - //_ciphers["NULL_WITH_NULL_NULL"] = TLS_NULL_WITH_NULL_NULL; - - // - // Server provided RSA certificate for key exchange. - // - //_ciphers["RSA_WITH_NULL_MD5"] = TLS_RSA_WITH_NULL_MD5; - //_ciphers["RSA_WITH_NULL_SHA"] = TLS_RSA_WITH_NULL_SHA; - //_ciphers["RSA_WITH_RC4_128_MD5"] = TLS_RSA_WITH_RC4_128_MD5; - //_ciphers["RSA_WITH_RC4_128_SHA"] = TLS_RSA_WITH_RC4_128_SHA; - //_ciphers["RSA_WITH_3DES_EDE_CBC_SHA"] = TLS_RSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["RSA_WITH_NULL_SHA256"] = TLS_RSA_WITH_NULL_SHA256; - _ciphers["RSA_WITH_AES_128_CBC_SHA256"] = TLS_RSA_WITH_AES_128_CBC_SHA256; - _ciphers["RSA_WITH_AES_256_CBC_SHA256"] = TLS_RSA_WITH_AES_256_CBC_SHA256; - - // - // Server-authenticated (and optionally client-authenticated) Diffie-Hellman. 
- // - //_ciphers["DH_DSS_WITH_3DES_EDE_CBC_SHA"] = TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA; - //_ciphers["DH_RSA_WITH_3DES_EDE_CBC_SHA"] = TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA; - //_ciphers["DHE_DSS_WITH_3DES_EDE_CBC_SHA"] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA; - //_ciphers["DHE_RSA_WITH_3DES_EDE_CBC_SHA"] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA; - _ciphers["DH_DSS_WITH_AES_128_CBC_SHA256"] = TLS_DH_DSS_WITH_AES_128_CBC_SHA256; - _ciphers["DH_RSA_WITH_AES_128_CBC_SHA256"] = TLS_DH_RSA_WITH_AES_128_CBC_SHA256; - _ciphers["DHE_DSS_WITH_AES_128_CBC_SHA256"] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA256; - _ciphers["DHE_RSA_WITH_AES_128_CBC_SHA256"] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256; - _ciphers["DH_DSS_WITH_AES_256_CBC_SHA256"] = TLS_DH_DSS_WITH_AES_256_CBC_SHA256; - _ciphers["DH_RSA_WITH_AES_256_CBC_SHA256"] = TLS_DH_RSA_WITH_AES_256_CBC_SHA256; - _ciphers["DHE_DSS_WITH_AES_256_CBC_SHA256"] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA256; - _ciphers["DHE_RSA_WITH_AES_256_CBC_SHA256"] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA256; - - // - // Completely anonymous Diffie-Hellman - // - //_ciphers["DH_anon_WITH_RC4_128_MD5"] = TLS_DH_anon_WITH_RC4_128_MD5; - //_ciphers["DH_anon_WITH_3DES_EDE_CBC_SHA"] = TLS_DH_anon_WITH_3DES_EDE_CBC_SHA; - _ciphers["DH_anon_WITH_AES_128_CBC_SHA256"] = TLS_DH_anon_WITH_AES_128_CBC_SHA256; - _ciphers["DH_anon_WITH_AES_256_CBC_SHA256"] = TLS_DH_anon_WITH_AES_256_CBC_SHA256; - - // - // Addendum from RFC 4279, TLS PSK - // - _ciphers["PSK_WITH_RC4_128_SHA"] = TLS_PSK_WITH_RC4_128_SHA; - _ciphers["PSK_WITH_3DES_EDE_CBC_SHA"] = TLS_PSK_WITH_3DES_EDE_CBC_SHA; - _ciphers["PSK_WITH_AES_128_CBC_SHA"] = TLS_PSK_WITH_AES_128_CBC_SHA; - _ciphers["PSK_WITH_AES_256_CBC_SHA"] = TLS_PSK_WITH_AES_256_CBC_SHA; - _ciphers["DHE_PSK_WITH_RC4_128_SHA"] = TLS_DHE_PSK_WITH_RC4_128_SHA; - _ciphers["DHE_PSK_WITH_3DES_EDE_CBC_SHA"] = TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA; - _ciphers["DHE_PSK_WITH_AES_128_CBC_SHA"] = TLS_DHE_PSK_WITH_AES_128_CBC_SHA; - _ciphers["DHE_PSK_WITH_AES_256_CBC_SHA"] = 
TLS_DHE_PSK_WITH_AES_256_CBC_SHA; - _ciphers["RSA_PSK_WITH_RC4_128_SHA"] = TLS_RSA_PSK_WITH_RC4_128_SHA; - _ciphers["RSA_PSK_WITH_3DES_EDE_CBC_SHA"] = TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA; - _ciphers["RSA_PSK_WITH_AES_128_CBC_SHA"] = TLS_RSA_PSK_WITH_AES_128_CBC_SHA; - _ciphers["RSA_PSK_WITH_AES_256_CBC_SHA"] = TLS_RSA_PSK_WITH_AES_256_CBC_SHA; - - // - // RFC 4785 - Pre-Shared Key (PSK) Ciphersuites with NULL Encryption - // - _ciphers["PSK_WITH_NULL_SHA"] = TLS_PSK_WITH_NULL_SHA; - _ciphers["DHE_PSK_WITH_NULL_SHA"] = TLS_DHE_PSK_WITH_NULL_SHA; - _ciphers["RSA_PSK_WITH_NULL_SHA"] = TLS_RSA_PSK_WITH_NULL_SHA; - - // - // Addenda from rfc 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS. - // - _ciphers["RSA_WITH_AES_128_GCM_SHA256"] = TLS_RSA_WITH_AES_128_GCM_SHA256; - _ciphers["RSA_WITH_AES_256_GCM_SHA384"] = TLS_RSA_WITH_AES_256_GCM_SHA384; - _ciphers["DHE_RSA_WITH_AES_128_GCM_SHA256"] = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256; - _ciphers["DHE_RSA_WITH_AES_256_GCM_SHA384"] = TLS_DHE_RSA_WITH_AES_256_GCM_SHA384; - _ciphers["DH_RSA_WITH_AES_128_GCM_SHA256"] = TLS_DH_RSA_WITH_AES_128_GCM_SHA256; - _ciphers["DH_RSA_WITH_AES_256_GCM_SHA384"] = TLS_DH_RSA_WITH_AES_256_GCM_SHA384; - _ciphers["DHE_DSS_WITH_AES_128_GCM_SHA256"] = TLS_DHE_DSS_WITH_AES_128_GCM_SHA256; - _ciphers["DHE_DSS_WITH_AES_256_GCM_SHA384"] = TLS_DHE_DSS_WITH_AES_256_GCM_SHA384; - _ciphers["DH_DSS_WITH_AES_128_GCM_SHA256"] = TLS_DH_DSS_WITH_AES_128_GCM_SHA256; - _ciphers["DH_DSS_WITH_AES_256_GCM_SHA384"] = TLS_DH_DSS_WITH_AES_256_GCM_SHA384; - _ciphers["DH_anon_WITH_AES_128_GCM_SHA256"] = TLS_DH_anon_WITH_AES_128_GCM_SHA256; - _ciphers["DH_anon_WITH_AES_256_GCM_SHA384"] = TLS_DH_anon_WITH_AES_256_GCM_SHA384; - - // - // RFC 5487 - PSK with SHA-256/384 and AES GCM - // - _ciphers["PSK_WITH_AES_128_GCM_SHA256"] = TLS_PSK_WITH_AES_128_GCM_SHA256; - _ciphers["PSK_WITH_AES_256_GCM_SHA384"] = TLS_PSK_WITH_AES_256_GCM_SHA384; - _ciphers["DHE_PSK_WITH_AES_128_GCM_SHA256"] = 
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256; - _ciphers["DHE_PSK_WITH_AES_256_GCM_SHA384"] = TLS_DHE_PSK_WITH_AES_256_GCM_SHA384; - _ciphers["RSA_PSK_WITH_AES_128_GCM_SHA256"] = TLS_RSA_PSK_WITH_AES_128_GCM_SHA256; - _ciphers["RSA_PSK_WITH_AES_256_GCM_SHA384"] = TLS_RSA_PSK_WITH_AES_256_GCM_SHA384; - - _ciphers["PSK_WITH_AES_128_CBC_SHA256"] = TLS_PSK_WITH_AES_128_CBC_SHA256; - _ciphers["PSK_WITH_AES_256_CBC_SHA384"] = TLS_PSK_WITH_AES_256_CBC_SHA384; - _ciphers["PSK_WITH_NULL_SHA256"] = TLS_PSK_WITH_NULL_SHA256; - _ciphers["PSK_WITH_NULL_SHA384"] = TLS_PSK_WITH_NULL_SHA384; - - _ciphers["DHE_PSK_WITH_AES_128_CBC_SHA256"] = TLS_DHE_PSK_WITH_AES_128_CBC_SHA256; - _ciphers["DHE_PSK_WITH_AES_256_CBC_SHA384"] = TLS_DHE_PSK_WITH_AES_256_CBC_SHA384; - _ciphers["DHE_PSK_WITH_NULL_SHA256"] = TLS_DHE_PSK_WITH_NULL_SHA256; - _ciphers["DHE_PSK_WITH_NULL_SHA384"] = TLS_DHE_PSK_WITH_NULL_SHA384; - - _ciphers["RSA_PSK_WITH_AES_128_CBC_SHA256"] = TLS_RSA_PSK_WITH_AES_128_CBC_SHA256; - _ciphers["RSA_PSK_WITH_AES_256_CBC_SHA384"] = TLS_RSA_PSK_WITH_AES_256_CBC_SHA384; - _ciphers["RSA_PSK_WITH_NULL_SHA256"] = TLS_RSA_PSK_WITH_NULL_SHA256; - _ciphers["RSA_PSK_WITH_NULL_SHA384"] = TLS_RSA_PSK_WITH_NULL_SHA384; - - // - // Addenda from rfc 5289 Elliptic Curve Cipher Suites with HMAC SHA-256/384. 
- // - _ciphers["ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"] = TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256; - _ciphers["ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"] = TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384; - _ciphers["ECDH_ECDSA_WITH_AES_128_CBC_SHA256"] = TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256; - _ciphers["ECDH_ECDSA_WITH_AES_256_CBC_SHA384"] = TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384; - _ciphers["ECDHE_RSA_WITH_AES_128_CBC_SHA256"] = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256; - _ciphers["ECDHE_RSA_WITH_AES_256_CBC_SHA384"] = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384; - _ciphers["ECDH_RSA_WITH_AES_128_CBC_SHA256"] = TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256; - _ciphers["ECDH_RSA_WITH_AES_256_CBC_SHA384"] = TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384; - - // - // Addenda from rfc 5289 Elliptic Curve Cipher Suites with SHA-256/384 and AES Galois Counter Mode (GCM) - // - _ciphers["ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"] = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256; - _ciphers["ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"] = TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; - _ciphers["ECDH_ECDSA_WITH_AES_128_GCM_SHA256"] = TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256; - _ciphers["ECDH_ECDSA_WITH_AES_256_GCM_SHA384"] = TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384; - _ciphers["ECDHE_RSA_WITH_AES_128_GCM_SHA256"] = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; - _ciphers["ECDHE_RSA_WITH_AES_256_GCM_SHA384"] = TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; - _ciphers["ECDH_RSA_WITH_AES_128_GCM_SHA256"] = TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256; - _ciphers["ECDH_RSA_WITH_AES_256_GCM_SHA384"] = TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384; - - // - // RFC 5746 - Secure Renegotiation - // - _ciphers["EMPTY_RENEGOTIATION_INFO_SCSV"] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV; - - // - // Tags for SSL 2 cipher kinds that are not specified for SSL 3. 
- // - _ciphers["RSA_WITH_RC2_CBC_MD5"] = SSL_RSA_WITH_RC2_CBC_MD5; - _ciphers["RSA_WITH_IDEA_CBC_MD5"] = SSL_RSA_WITH_IDEA_CBC_MD5; - _ciphers["RSA_WITH_DES_CBC_MD5"] = SSL_RSA_WITH_DES_CBC_MD5; - _ciphers["RSA_WITH_3DES_EDE_CBC_MD5"] = SSL_RSA_WITH_3DES_EDE_CBC_MD5; - _ciphers["NO_SUCH_CIPHERSUITE"] = SSL_NO_SUCH_CIPHERSUITE; - - // - // TLS 1.3 standard cipher suites - // - _ciphers["TLS_AES_128_GCM_SHA256"] = TLS_AES_128_GCM_SHA256; - _ciphers["TLS_AES_256_GCM_SHA384"] = TLS_AES_256_GCM_SHA384; - _ciphers["TLS_CHACHA20_POLY1305_SHA256"] = TLS_CHACHA20_POLY1305_SHA256; - _ciphers["TLS_AES_128_CCM_SHA256"] = TLS_AES_128_CCM_SHA256; - _ciphers["TLS_AES_128_CCM_8_SHA256"] = TLS_AES_128_CCM_8_SHA256; - } - } - - SSLCipherSuite CiphersHelper::cipherForName(const string& name) - { - map::const_iterator i = _ciphers.find(name); - if (i == _ciphers.end() || i->second == SSL_NO_SUCH_CIPHERSUITE) - { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: no such cipher " + name); - } - return i->second; - } - // // Retrieve the name of a cipher, SSLCipherSuite includes duplicated values for TLS/SSL // protocol ciphers, for example SSL_RSA_WITH_RC4_128_MD5/TLS_RSA_WITH_RC4_128_MD5 // are represented by the same SSLCipherSuite value, the names return by this method // doesn't include a protocol prefix. // - string CiphersHelper::cipherName(SSLCipherSuite cipher) + string cipherName(SSLCipherSuite cipher) { switch (cipher) { @@ -731,8 +433,6 @@ namespace return ""; } } - - map CiphersHelper::ciphers() { return _ciphers; } } IceSSL::SecureTransport::SSLEngine::SSLEngine(const IceInternal::InstancePtr& instance) 
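Review bot: `cipherName(SSLCipherSuite cipher)` is promoted from `CiphersHelper::cipherName` to a free function in the anonymous namespace but keeps the old comment, which does not say what callers get for an unrecognised suite — the hunk at -731 shows the switch ends in `return "";`. Suggest extending the comment with `// Returns an empty string for a suite value not covered by the switch.` so trace output of an empty name is recognisable as "unknown" rather than a bug. Since the only visible consumer of cipher names was the trace loop removed from `initialize()` (hunk at -870), please also confirm `cipherName` still has a caller once `CiphersHelper` is gone; if not, it should be removed with the rest. The switch body continues outside the hunk.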
@@ -770,10 +470,7 @@ IceSSL::SecureTransport::SSLEngine::initialize() string resolved; if (!checkPath(caFile, defaultDir, false, resolved)) { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: CA certificate file not found:\n" + caFile); + throw InitializationException(__FILE__, __LINE__, "IceSSL: CA certificate file not found:\n" + caFile); } _certificateAuthorities.reset(loadCACertificates(resolved)); } @@ -785,7 +482,7 @@ IceSSL::SecureTransport::SSLEngine::initialize() } catch (const CertificateReadException& ce) { - throw PluginInitializationException(__FILE__, __LINE__, ce.reason); + throw InitializationException(__FILE__, __LINE__, ce.reason); } const string password = properties->getProperty("IceSSL.Password"); @@ -800,7 +497,7 @@ IceSSL::SecureTransport::SSLEngine::initialize() vector files; if (!IceUtilInternal::splitString(certFile, IceUtilInternal::pathsep, files) || files.size() > 2) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value for IceSSL.CertFile:\n" + certFile); @@ -812,14 +509,14 @@ IceSSL::SecureTransport::SSLEngine::initialize() { if (!IceUtilInternal::splitString(keyFile, IceUtilInternal::pathsep, keyFiles) || keyFiles.size() > 2) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: invalid value for IceSSL.KeyFile:\n" + keyFile); } if (files.size() != keyFiles.size()) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: IceSSL.KeyFile does not agree with IceSSL.CertFile"); @@ -835,7 +532,7 @@ IceSSL::SecureTransport::SSLEngine::initialize() if (!checkPath(file, defaultDir, false, resolved)) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: certificate file not found:\n" + file); + throw InitializationException(__FILE__, __LINE__, "IceSSL: certificate file not found:\n" + file); } file = resolved; 
@@ -843,7 +540,7 @@ IceSSL::SecureTransport::SSLEngine::initialize() { if (!checkPath(keyFile, defaultDir, false, resolved)) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: key file not found:\n" + keyFile); + throw InitializationException(__FILE__, __LINE__, "IceSSL: key file not found:\n" + keyFile); } keyFile = resolved; } @@ -856,12 +553,12 @@ IceSSL::SecureTransport::SSLEngine::initialize() catch (const CertificateReadException& ce) { // - // If this is the last certificate rethrow the exception as PluginInitializationException, + // If this is the last certificate rethrow the exception as InitializationException, // otherwise try the next certificate. // if (i == files.size() - 1) { - throw PluginInitializationException(__FILE__, __LINE__, ce.reason); + throw InitializationException(__FILE__, __LINE__, ce.reason); } } } @@ -870,40 +567,6 @@ IceSSL::SecureTransport::SSLEngine::initialize() { _chain.reset(findCertificateChain(keychain, keychainPassword, findCert)); } - - // - // Establish the cipher list. - // - const string ciphers = properties->getProperty("IceSSL.Ciphers"); - CiphersHelper::initialize(); - - if (!ciphers.empty()) - { - parseCiphers(ciphers); - } - - if (securityTraceLevel() >= 1) - { - ostringstream os; - os << "enabling SSL ciphersuites:"; - - if (_ciphers.empty()) - { - map enabled = CiphersHelper::ciphers(); - for (map::const_iterator i = enabled.begin(); i != enabled.end(); ++i) - { - os << "\n " << i->first; - } - } - else - { - for (vector::const_iterator i = _ciphers.begin(); i != _ciphers.end(); ++i) - { - os << "\n " << getCipherName(*i); - } - } - getLogger()->trace(securityTraceCategory(), os.str()); - } } // 
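Review bot: With the cipher-list block deleted here, `initialize()` no longer emits the `enabling SSL ciphersuites:` trace, so at `securityTraceLevel() >= 1` an operator can no longer see from the log which suites the engine will offer; the `newContext` hunk below and the Java `createSSLEngine` hunk drop the same visibility. The `SSLEngine::initialize()` body starts and ends outside this hunk. A one-line replacement keeps the audit trail, assuming the base engine still exposes these helpers: `if (securityTraceLevel() >= 1) { getLogger()->trace(securityTraceCategory(), "IceSSL: using platform default SSL ciphersuites"); }`. Deployments that set `IceSSL.Ciphers` to restrict suites now fall back to platform defaults with, at most, an unknown-property warning (the property is also dropped from the C# and Java `PropertyNames` tables further down), so the behaviour change and the new reliance on OS-level cipher policy deserve an explicit release note.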
@@ -970,17 +633,6 @@ IceSSL::SecureTransport::SSLEngine::newContext(bool incoming) "IceSSL: error while setting the SSL context certificate:\n" + sslErrorToString(err)); } - if (!_ciphers.empty()) - { - if ((err = SSLSetEnabledCiphers(ssl, &_ciphers[0], _ciphers.size()))) - { - throw SecurityException( - __FILE__, - __LINE__, - "IceSSL: error while setting ciphers:\n" + sslErrorToString(err)); - } - } - if ((err = SSLSetSessionOption( ssl, incoming ? kSSLSessionOptionBreakOnClientAuth : kSSLSessionOptionBreakOnServerAuth, 
@@ -1004,175 +656,5 @@ IceSSL::SecureTransport::SSLEngine::getCertificateAuthorities() const string IceSSL::SecureTransport::SSLEngine::getCipherName(SSLCipherSuite cipher) const { - return CiphersHelper::cipherName(cipher); -} - -void -IceSSL::SecureTransport::SSLEngine::parseCiphers(const string& ciphers) -{ - vector tokens; - vector cipherExpressions; - - bool allCiphers = false; - IceUtilInternal::splitString(ciphers, " \t", tokens); - for (vector::const_iterator i = tokens.begin(); i != tokens.end(); ++i) - { - string token(*i); - if (token == "ALL") - { - if (i != tokens.begin()) - { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: `ALL' must be first in cipher list `" + ciphers + "'"); - } - allCiphers = true; - } - else if (token == "NONE") - { - if (i != tokens.begin()) - { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: `NONE' must be first in cipher list `" + ciphers + "'"); - } - } - else - { - CipherExpression ce; - if (token.find('!') == 0) - { - ce.negation = true; - if (token.size() > 1) - { - token = token.substr(1); - } - else - { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: invalid cipher expression `" + token + "'"); - } - } - else - { - ce.negation = false; - } - - if (token.find('(') == 0) - { - if (token.rfind(')') != token.size() - 1) - { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: invalid cipher expression `" + token + "'"); - } - - try - { - ce.re = make_shared(token.substr(1, token.size() - 2)); - } - catch (const Ice::SyscallException&) - { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: invalid cipher expression `" + token + "'"); - } - } - else - { - ce.cipher = token; - } - - cipherExpressions.push_back(ce); - } - } - - // - // Context used to get the cipher list - // - UniqueRef ctx(SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType)); - size_t numSupportedCiphers = 0; - 
SSLGetNumberSupportedCiphers(ctx.get(), &numSupportedCiphers); - - vector supported; - supported.resize(numSupportedCiphers); - - OSStatus err = SSLGetSupportedCiphers(ctx.get(), &supported[0], &numSupportedCiphers); - if (err) - { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: unable to get supported ciphers list:\n" + sslErrorToString(err)); - } - - vector enabled; - if (allCiphers) - { - enabled = supported; - } - - for (vector::const_iterator i = cipherExpressions.begin(); i != cipherExpressions.end(); ++i) - { - CipherExpression ce = *i; - if (ce.negation) - { - for (vector::iterator j = enabled.begin(); j != enabled.end();) - { - string name = CiphersHelper::cipherName(*j); - if ((ce.cipher.empty() && ce.re->match(name)) || ce.cipher == name) - { - j = enabled.erase(j); - } - else - { - ++j; - } - } - } - else - { - if (ce.cipher.empty()) - { - for (vector::const_iterator j = supported.begin(); j != supported.end(); ++j) - { - SSLCipherSuite cipher = *j; - string name = CiphersHelper::cipherName(cipher); - if (ce.re->match(name)) - { - vector::const_iterator k = find(enabled.begin(), enabled.end(), cipher); - if (k == enabled.end()) - { - enabled.push_back(cipher); - } - } - } - } - else - { - SSLCipherSuite cipher = CiphersHelper::cipherForName(ce.cipher); - vector::const_iterator k = find(enabled.begin(), enabled.end(), cipher); - if (k == enabled.end()) - { - enabled.push_back(cipher); - } - } - } - } - _ciphers = enabled; - - if (_ciphers.empty()) - { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: invalid value for IceSSL.Ciphers:\n" + ciphers + - "\nThe result cipher list does not contain any entries"); - } + return cipherName(cipher); } diff --git a/cpp/src/IceSSL/SecureTransportEngine.h b/cpp/src/IceSSL/SecureTransportEngine.h index 8c52f9777d6..f6f2b49189b 100644 --- a/cpp/src/IceSSL/SecureTransportEngine.h +++ b/cpp/src/IceSSL/SecureTransportEngine.h 
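Review bot: `getCipherName` is now a one-line forwarder to the anonymous-namespace `cipherName`, whose switch ends in `return ""` for any suite it does not list (visible in the -731 hunk of this file), so a negotiated suite outside that table is traced as an empty string. Now that the enabled set is whatever the platform chooses rather than a configured list, that case is arguably more likely than before; consider having the member fall back to the numeric value, e.g. build the string with an `ostringstream` in `hex` mode when `cipherName(cipher)` comes back empty, or document on the declaration in SecureTransportEngine.h that an empty result means the suite is not in the name table. The declaration itself (`std::string getCipherName(SSLCipherSuite) const;` in the header hunk below) keeps a const member that no longer touches any state; if it stays a member only to preserve the public interface, a short comment saying so would help the next reader.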
@@ -31,15 +31,8 @@ namespace IceSSL::SecureTransport std::string getCipherName(SSLCipherSuite) const; private: - void parseCiphers(const std::string&); - IceInternal::UniqueRef _certificateAuthorities; IceInternal::UniqueRef _chain; - -# if TARGET_OS_IPHONE == 0 - std::vector _dhParams; -# endif - std::vector _ciphers; }; } #endif diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp index 4f4a51ac93e..c872fc84758 100644 --- a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp +++ b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp @@ -5,7 +5,7 @@ #include "SecureTransportTransceiverI.h" #include "Ice/LocalException.h" #include "Ice/LoggerUtil.h" -#include "IceSSL/ConnectionInfo.h" +#include "Ice/SSLConnectionInfo.h" #include "SSLInstance.h" #include "SecureTransportEngine.h" #include "SecureTransportUtil.h" diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.h b/cpp/src/IceSSL/SecureTransportTransceiverI.h index f83fec20c6f..872243179de 100644 --- a/cpp/src/IceSSL/SecureTransportTransceiverI.h +++ b/cpp/src/IceSSL/SecureTransportTransceiverI.h @@ -9,9 +9,9 @@ # include "../Ice/Network.h" # include "../Ice/Transceiver.h" +# include "Ice/Certificate.h" # include "Ice/Config.h" # include "Ice/UniqueRef.h" -# include "IceSSL/Certificate.h" # include "SSLInstanceF.h" # include "SecureTransportEngineF.h" diff --git a/cpp/src/IceSSL/SecureTransportUtil.cpp b/cpp/src/IceSSL/SecureTransportUtil.cpp index deacbfbe402..351afd7a12e 100644 --- a/cpp/src/IceSSL/SecureTransportUtil.cpp +++ b/cpp/src/IceSSL/SecureTransportUtil.cpp @@ -179,7 +179,7 @@ namespace { if ((err = SecKeychainCopyDefault(&keychain.get()))) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to retrieve default keychain:\n" + sslErrorToString(err)); 
@@ -201,7 +201,7 @@ namespace if ((err = SecKeychainOpen(keychainPath.c_str(), &keychain.get()))) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to open keychain: `" + keychainPath + "'\n" + sslErrorToString(err)); @@ -216,7 +216,7 @@ namespace if ((err = SecKeychainUnlock(keychain.get(), static_cast(keychainPassword.size()), pass, pass != 0))) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to unlock keychain:\n" + sslErrorToString(err)); @@ -234,7 +234,7 @@ namespace 0, &keychain.get()))) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to create keychain:\n" + sslErrorToString(err)); @@ -242,7 +242,7 @@ namespace } else { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: unable to open keychain:\n" + sslErrorToString(err)); @@ -258,7 +258,7 @@ namespace settings.lockInterval = INT_MAX; if ((err = SecKeychainSetSettings(keychain.get(), &settings))) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error setting keychain settings:\n" + sslErrorToString(err)); @@ -673,7 +673,7 @@ IceSSL::SecureTransport::findCertificateChain( string arg; if (field != "LABEL" && field != "SERIAL" && field != "SUBJECT" && field != "SUBJECTKEYID") { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unknown key in `" + value + "'"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: unknown key in `" + value + "'"); } start = pos + 1; 
@@ -684,7 +684,7 @@ IceSSL::SecureTransport::findCertificateChain( if (start == value.size()) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: missing argument in `" + value + "'"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: missing argument in `" + value + "'"); } if (value[start] == '"' || value[start] == '\'') @@ -701,7 +701,7 @@ IceSSL::SecureTransport::findCertificateChain( } if (end == value.size() || value[end] != value[start]) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: unmatched quote in `" + value + "'"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: unmatched quote in `" + value + "'"); } ++start; arg = value.substr(start, end - start); @@ -733,7 +733,7 @@ IceSSL::SecureTransport::findCertificateChain( vector buffer; if (!parseBytes(arg, buffer)) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid value `" + value + "'"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: invalid value `" + value + "'"); } UniqueRef v(CFDataCreate(kCFAllocatorDefault, &buffer[0], static_cast(buffer.size()))); CFDictionarySetValue( @@ -746,14 +746,14 @@ IceSSL::SecureTransport::findCertificateChain( if (!valid) { - throw PluginInitializationException(__FILE__, __LINE__, "IceSSL: invalid value `" + value + "'"); + throw InitializationException(__FILE__, __LINE__, "IceSSL: invalid value `" + value + "'"); } UniqueRef cert; OSStatus err = SecItemCopyMatching(query.get(), (CFTypeRef*)&cert.get()); if (err != noErr) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: find certificate `" + value + "' failed:\n" + sslErrorToString(err)); 
@@ -767,7 +767,7 @@ IceSSL::SecureTransport::findCertificateChain( err = SecTrustCreateWithCertificates(reinterpret_cast(cert.get()), policy.get(), &trust.get()); if (err || !trust) { - throw PluginInitializationException( + throw InitializationException( __FILE__, __LINE__, "IceSSL: error creating trust object" + (err ? ":\n" + sslErrorToString(err) : "")); @@ -776,10 +776,7 @@ IceSSL::SecureTransport::findCertificateChain( SecTrustResultType trustResult; if ((err = SecTrustEvaluate(trust.get(), &trustResult))) { - throw PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: error evaluating trust:\n" + sslErrorToString(err)); + throw InitializationException(__FILE__, __LINE__, "IceSSL: error evaluating trust:\n" + sslErrorToString(err)); } CFIndex chainLength = SecTrustGetCertificateCount(trust.get()); @@ -811,7 +808,7 @@ IceSSL::SecureTransport::findCertificateChain( { ostringstream os; os << "IceSSL: couldn't create identity for certificate found in the keychain:\n" << sslErrorToString(err); - throw PluginInitializationException(__FILE__, __LINE__, os.str()); + throw InitializationException(__FILE__, __LINE__, os.str()); } // Now lookup the identity with the label @@ -836,7 +833,7 @@ IceSSL::SecureTransport::findCertificateChain( { ostringstream os; os << "IceSSL: couldn't create identity for certificate found in the keychain:\n" << sslErrorToString(err); - throw PluginInitializationException(__FILE__, __LINE__, os.str()); + throw InitializationException(__FILE__, __LINE__, os.str()); } CFArraySetValueAtIndex(const_cast(items.get()), 0, identity.get()); return items.release(); diff --git a/cpp/src/IceSSL/SecureTransportUtil.h b/cpp/src/IceSSL/SecureTransportUtil.h index 4d112c5af55..edf8c905c30 100644 --- a/cpp/src/IceSSL/SecureTransportUtil.h +++ b/cpp/src/IceSSL/SecureTransportUtil.h @@ -7,7 +7,7 @@ #ifdef __APPLE__ -# include "IceSSL/SecureTransport.h" +# include "Ice/SecureTransport.h" # include "SSLUtil.h" namespace IceSSL::SecureTransport 
diff --git a/cpp/src/IceSSL/TrustManager.cpp b/cpp/src/IceSSL/TrustManager.cpp index 542c68443e1..af69798a6bd 100644 --- a/cpp/src/IceSSL/TrustManager.cpp +++ b/cpp/src/IceSSL/TrustManager.cpp @@ -10,7 +10,7 @@ #include "Ice/Logger.h" #include "Ice/LoggerUtil.h" #include "Ice/Properties.h" -#include "IceSSL/ConnectionInfo.h" +#include "Ice/SSLConnectionInfo.h" #include "RFC2253.h" using namespace std; @@ -48,10 +48,7 @@ TrustManager::TrustManager(const IceInternal::InstancePtr& instance) : _instance } catch (const ParseException& ex) { - throw Ice::PluginInitializationException( - __FILE__, - __LINE__, - "IceSSL: invalid property " + key + ":\n" + ex.reason); + throw Ice::InitializationException(__FILE__, __LINE__, "IceSSL: invalid property " + key + ":\n" + ex.reason); } } diff --git a/cpp/src/IceSSL/TrustManager.h b/cpp/src/IceSSL/TrustManager.h index ec60ce81f96..e183cf34d22 100644 --- a/cpp/src/IceSSL/TrustManager.h +++ b/cpp/src/IceSSL/TrustManager.h @@ -5,9 +5,9 @@ #ifndef ICESSL_TRUST_MANAGER_H #define ICESSL_TRUST_MANAGER_H +#include "Ice/Certificate.h" #include "Ice/InstanceF.h" -#include "IceSSL/Certificate.h" -#include "IceSSL/ConnectionInfoF.h" +#include "Ice/SSLConnectionInfoF.h" #include "RFC2253.h" #include "TrustManagerF.h" #include diff --git a/cpp/test/Glacier2/ssl/Server.cpp b/cpp/test/Glacier2/ssl/Server.cpp index 37a0eaeeba8..e8757d44966 100644 --- a/cpp/test/Glacier2/ssl/Server.cpp +++ b/cpp/test/Glacier2/ssl/Server.cpp @@ -5,7 +5,6 @@ #include "Glacier2/PermissionsVerifier.h" #include "Glacier2/Session.h" #include "Ice/Ice.h" -#include "IceSSL/Certificate.h" #include "TestHelper.h" using namespace std; diff --git a/cpp/test/Ice/info/AllTests.cpp b/cpp/test/Ice/info/AllTests.cpp index af5c91c00ef..7d48df89e01 100644 --- a/cpp/test/Ice/info/AllTests.cpp +++ b/cpp/test/Ice/info/AllTests.cpp @@ -3,8 +3,6 @@ // #include "Ice/Ice.h" -#include "IceSSL/ConnectionInfo.h" -#include "IceSSL/EndpointInfo.h" #include "TestHelper.h" #include "TestI.h" 
diff --git a/cpp/test/Ice/info/TestI.cpp b/cpp/test/Ice/info/TestI.cpp index fd10d2b05ff..99f79db0ad7 100644 --- a/cpp/test/Ice/info/TestI.cpp +++ b/cpp/test/Ice/info/TestI.cpp @@ -4,7 +4,6 @@ #include "TestI.h" #include "Ice/Ice.h" -#include "IceSSL/ConnectionInfo.h" #include "TestHelper.h" using namespace std; diff --git a/cpp/test/IceGrid/session/Server.cpp b/cpp/test/IceGrid/session/Server.cpp index daab89e5cee..3fc584031df 100644 --- a/cpp/test/IceGrid/session/Server.cpp +++ b/cpp/test/IceGrid/session/Server.cpp @@ -4,7 +4,6 @@ #include "Glacier2/PermissionsVerifier.h" #include "Ice/Ice.h" -#include "IceSSL/Certificate.h" #include "TestHelper.h" using namespace std; diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp index 4ffeed64bda..d7f6242b00e 100644 --- a/cpp/test/IceSSL/configuration/AllTests.cpp +++ b/cpp/test/IceSSL/configuration/AllTests.cpp @@ -3,8 +3,6 @@ // #include "Ice/Ice.h" -#include "IceSSL/Certificate.h" -#include "IceSSL/ConnectionInfo.h" #include "Test.h" #include "TestHelper.h" @@ -2433,7 +2431,7 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) import.cleanup(); test(false); } - catch (const PluginInitializationException&) + catch (const InitializationException&) { // expected } @@ -2461,7 +2459,7 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) CommunicatorPtr comm = initialize(initData); test(false); } - catch (const PluginInitializationException&) + catch (const InitializationException&) { // expected } @@ -2565,7 +2563,7 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) printf("failed %s", failFindCertProperties[i]); test(false); } - catch (const PluginInitializationException&) + catch (const InitializationException&) { // expected } diff --git a/cpp/test/IceSSL/configuration/TestI.cpp b/cpp/test/IceSSL/configuration/TestI.cpp index 9e7bf9f066d..14151b8fad6 100644 --- a/cpp/test/IceSSL/configuration/TestI.cpp 
+++ b/cpp/test/IceSSL/configuration/TestI.cpp @@ -4,8 +4,6 @@ #include "TestI.h" #include "Ice/Ice.h" -#include "IceSSL/Certificate.h" -#include "IceSSL/ConnectionInfo.h" #include "TestHelper.h" using namespace std; diff --git a/csharp/src/Ice/PropertyNames.cs b/csharp/src/Ice/PropertyNames.cs index 524a294f571..4d48bcc4ce6 100644 --- a/csharp/src/Ice/PropertyNames.cs +++ b/csharp/src/Ice/PropertyNames.cs @@ -1123,7 +1123,6 @@ public sealed class PropertyNames new Property(@"^IceSSL\.CertFile$", false, null), new Property(@"^IceSSL\.CheckCertName$", false, null), new Property(@"^IceSSL\.CheckCRL$", false, null), - new Property(@"^IceSSL\.Ciphers$", false, null), new Property(@"^IceSSL\.CertificateRevocationListFiles$", false, null), new Property(@"^IceSSL\.DefaultDir$", false, null), new Property(@"^IceSSL\.FindCert$", false, null), diff --git a/java/src/Ice/src/main/java/com/zeroc/IceInternal/PropertyNames.java b/java/src/Ice/src/main/java/com/zeroc/IceInternal/PropertyNames.java index f2054ae968a..125d2f0549f 100644 --- a/java/src/Ice/src/main/java/com/zeroc/IceInternal/PropertyNames.java +++ b/java/src/Ice/src/main/java/com/zeroc/IceInternal/PropertyNames.java @@ -1147,7 +1147,6 @@ public final class PropertyNames { new Property("IceSSL\\.CertFile", false, null), new Property("IceSSL\\.CheckCertName", false, null), new Property("IceSSL\\.CheckCRL", false, null), - new Property("IceSSL\\.Ciphers", false, null), new Property("IceSSL\\.CertificateRevocationListFiles", false, null), new Property("IceSSL\\.DefaultDir", false, null), new Property("IceSSL\\.FindCert", false, null), diff --git a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java index ad3eeb36610..c075f4f1097 100644 --- a/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java +++ b/java/src/Ice/src/main/java/com/zeroc/IceSSL/SSLEngine.java 
@@ -27,14 +27,6 @@ public void initialize() { final String prefix = "IceSSL."; com.zeroc.Ice.Properties properties = communicator().getProperties(); - // - // Parse the cipher list. - // - String ciphers = properties.getProperty(prefix + "Ciphers"); - if (ciphers.length() > 0) { - parseCiphers(ciphers); - } - // // CheckCertName determines whether we compare the name in a peer's // certificate against its hostname. @@ -369,24 +361,6 @@ javax.net.ssl.SSLEngine createSSLEngine(boolean incoming, String host, int port) throw new com.zeroc.Ice.SecurityException("IceSSL: couldn't create SSL engine", ex); } - String[] cipherSuites = - filterCiphers(engine.getSupportedCipherSuites(), engine.getEnabledCipherSuites()); - try { - engine.setEnabledCipherSuites(cipherSuites); - } catch (IllegalArgumentException ex) { - throw new com.zeroc.Ice.SecurityException("IceSSL: invalid ciphersuite", ex); - } - - if (_securityTraceLevel >= 1) { - StringBuilder s = new StringBuilder(128); - s.append("enabling SSL ciphersuites:"); - for (String suite : cipherSuites) { - s.append("\n "); - s.append(suite); - } - _logger.trace(_securityTraceCategory, s.toString()); - } - if (incoming) { if (_verifyPeer == 0) { engine.setWantClientAuth(false); 
@@ -425,57 +399,6 @@ javax.net.ssl.SSLEngine createSSLEngine(boolean incoming, String host, int port) return engine; } - String[] filterCiphers(String[] supportedCiphers, String[] defaultCiphers) { - java.util.LinkedList result = new java.util.LinkedList<>(); - if (_allCiphers) { - for (String cipher : supportedCiphers) { - result.add(cipher); - } - } else if (!_noCiphers) { - for (String cipher : defaultCiphers) { - result.add(cipher); - } - } - - if (_ciphers != null) { - for (CipherExpression ce : _ciphers) { - if (ce.not) { - java.util.Iterator e = result.iterator(); - while (e.hasNext()) { - String cipher = e.next(); - if (ce.cipher != null) { - if (ce.cipher.equals(cipher)) { - e.remove(); - } - } else { - assert (ce.re != null); - java.util.regex.Matcher m = ce.re.matcher(cipher); - if (m.find()) { - e.remove(); - } - } - } - } else { - if (ce.cipher != null) { - result.add(0, ce.cipher); - } else { - assert (ce.re != null); - for (String cipher : supportedCiphers) { - java.util.regex.Matcher m = ce.re.matcher(cipher); - if (m.find()) { - result.add(0, cipher); - } - } - } - } - } - } - - String[] arr = new String[result.size()]; - result.toArray(arr); - return arr; - } - void traceConnection(String desc, javax.net.ssl.SSLEngine engine, boolean incoming) { javax.net.ssl.SSLSession session = engine.getSession(); String msg = 
@@ -539,56 +462,6 @@ void trustManagerFailure(boolean incoming, CertificateException ex) throws Certi } } - private void parseCiphers(String ciphers) { - java.util.ArrayList cipherList = new java.util.ArrayList<>(); - String[] expr = ciphers.split("[ \t]+"); - for (int i = 0; i < expr.length; ++i) { - if (expr[i].equals("ALL")) { - if (i != 0) { - throw new InitializationException( - "IceSSL: `ALL' must be first in cipher list `" + ciphers + "'"); - } - _allCiphers = true; - } else if (expr[i].equals("NONE")) { - if (i != 0) { - throw new InitializationException( - "IceSSL: `NONE' must be first in cipher list `" + ciphers + "'"); - } - _noCiphers = true; - } else { - CipherExpression ce = new CipherExpression(); - String exp = expr[i]; - if (exp.charAt(0) == '!') { - ce.not = true; - if (exp.length() > 1) { - exp = exp.substring(1); - } else { - throw new InitializationException("IceSSL: invalid cipher expression `" + exp + "'"); - } - } - - if (exp.charAt(0) == '(') { - if (!exp.endsWith(")")) { - throw new InitializationException("IceSSL: invalid cipher expression `" + exp + "'"); - } - - try { - ce.re = java.util.regex.Pattern.compile(exp.substring(1, exp.length() - 2)); - } catch (java.util.regex.PatternSyntaxException ex) { - throw new InitializationException( - "IceSSL: invalid cipher expression `" + exp + "'", ex); - } - } else { - ce.cipher = exp; - } - - cipherList.add(ce); - } - } - _ciphers = new CipherExpression[cipherList.size()]; - cipherList.toArray(_ciphers); - } - private java.io.InputStream openResource(String path) throws java.io.IOException { boolean isAbsolute = false; try { 
@@ -621,26 +494,16 @@ private java.io.InputStream openResource(String path) throws java.io.IOException return stream; } - private static class CipherExpression { - boolean not; - String cipher; - java.util.regex.Pattern re; - } - private com.zeroc.Ice.Communicator _communicator; private com.zeroc.Ice.Logger _logger; private int _securityTraceLevel; private String _securityTraceCategory; private javax.net.ssl.SSLContext _context; private String _defaultDir; - private CipherExpression[] _ciphers; - private boolean _allCiphers; - private boolean _noCiphers; private boolean _checkCertName; private boolean _serverNameIndication; private int _verifyPeer; private TrustManager _trustManager; - private InputStream _keystoreStream; private InputStream _truststoreStream; } diff --git a/matlab/src/Connection.cpp b/matlab/src/Connection.cpp index 1e6c74f923c..2b3ea7f954c 100644 --- a/matlab/src/Connection.cpp +++ b/matlab/src/Connection.cpp @@ -4,7 +4,6 @@ #include "Future.h" #include "Ice/Ice.h" -#include "IceSSL/ConnectionInfo.h" #include "Util.h" #include "ice.h" diff --git a/matlab/src/Endpoint.cpp b/matlab/src/Endpoint.cpp index 2b1330be2f6..41745b0cdb5 100644 --- a/matlab/src/Endpoint.cpp +++ b/matlab/src/Endpoint.cpp @@ -3,7 +3,6 @@ // #include "Ice/Ice.h" -#include "IceSSL/EndpointInfo.h" #include "Util.h" #include "ice.h" diff --git a/matlab/src/Util.h b/matlab/src/Util.h index a078be4415a..065d96cac34 100644 --- a/matlab/src/Util.h +++ b/matlab/src/Util.h @@ -3,7 +3,6 @@ // #include "Ice/Ice.h" -#include "IceSSL/Certificate.h" #if defined(__GNUC__) # pragma GCC diagnostic ignored "-Wredundant-decls" diff --git a/php/src/Connection.cpp b/php/src/Connection.cpp index 7883ddee72e..9f8dbf95c3d 100644 --- a/php/src/Connection.cpp +++ b/php/src/Connection.cpp @@ -4,7 +4,7 @@ #include "Connection.h" #include "Endpoint.h" -#include "IceSSL/ConnectionInfo.h" +#include "Ice/Ice.h" #include "Types.h" #include "Util.h" 
diff --git a/php/src/Endpoint.cpp b/php/src/Endpoint.cpp index 17d0dc5310a..2e437f30a82 100644 --- a/php/src/Endpoint.cpp +++ b/php/src/Endpoint.cpp @@ -3,7 +3,7 @@ // #include "Endpoint.h" -#include "IceSSL/EndpointInfo.h" +#include "Ice/Ice.h" #include "Util.h" using namespace std; diff --git a/python/modules/IcePy/ConnectionInfo.cpp b/python/modules/IcePy/ConnectionInfo.cpp index f588101edb3..26808e08d2a 100644 --- a/python/modules/IcePy/ConnectionInfo.cpp +++ b/python/modules/IcePy/ConnectionInfo.cpp @@ -4,8 +4,7 @@ #include "ConnectionInfo.h" #include "EndpointInfo.h" -#include "Ice/Object.h" -#include "IceSSL/ConnectionInfo.h" +#include "Ice/Ice.h" #include "Util.h" using namespace std; diff --git a/python/modules/IcePy/EndpointInfo.cpp b/python/modules/IcePy/EndpointInfo.cpp index 3dcec083861..49fe1572f51 100644 --- a/python/modules/IcePy/EndpointInfo.cpp +++ b/python/modules/IcePy/EndpointInfo.cpp @@ -3,7 +3,7 @@ // #include "EndpointInfo.h" -#include "IceSSL/EndpointInfo.h" +#include "Ice/Ice.h" #include "Util.h" using namespace std; diff --git a/ruby/src/IceRuby/Connection.cpp b/ruby/src/IceRuby/Connection.cpp index cc06c5f1ddf..8f46debb9a9 100644 --- a/ruby/src/IceRuby/Connection.cpp +++ b/ruby/src/IceRuby/Connection.cpp @@ -4,8 +4,7 @@ #include "Connection.h" #include "Endpoint.h" -#include "Ice/Object.h" -#include "IceSSL/ConnectionInfo.h" +#include "Ice/Ice.h" #include "Types.h" #include "Util.h" diff --git a/ruby/src/IceRuby/Endpoint.cpp b/ruby/src/IceRuby/Endpoint.cpp index 0b09a672854..c7f88592cf7 100644 --- a/ruby/src/IceRuby/Endpoint.cpp +++ b/ruby/src/IceRuby/Endpoint.cpp @@ -3,8 +3,7 @@ // #include "Endpoint.h" -#include "Ice/Object.h" -#include "IceSSL/EndpointInfo.h" +#include "Ice/Ice.h" #include "Util.h" using namespace std; diff --git a/swift/src/IceImpl/Config.h b/swift/src/IceImpl/Config.h index 493414a760a..8acee523b5f 100644 --- a/swift/src/IceImpl/Config.h +++ b/swift/src/IceImpl/Config.h 
@@ -11,9 +11,6 @@ #ifdef __cplusplus # include "Ice/Ice.h" -# include "IceSSL/Certificate.h" -# include "IceSSL/ConnectionInfo.h" -# include "IceSSL/EndpointInfo.h" # if TARGET_OS_IPHONE # include "IceIAP/IceIAP.h"