author | Phil Mesnier <mesnier_p@ociweb.com> | 2015-03-17 17:04:29 -0500 |
---|---|---|
committer | Phil Mesnier <mesnier_p@ociweb.com> | 2015-03-17 17:04:29 -0500 |
commit | abba99954a4df6c680aeb4764ece28885f199e14 (patch) | |
tree | 6c8d9737e2702499948a8c0fb9e48afa0ff038ce | |
parent | a4f928e8bf747aa2d20f7c367b3fd6beb078345b (diff) | |
download | ATCD-abba99954a4df6c680aeb4764ece28885f199e14.tar.gz |
Added SSLIOP enhancements as factory config options. See SSLIOP-USAGE.html
for descriptions of -SSLCheckHost, -SSLPassword, and -SSLVersionList.
-SSLCheckHost enforces verification of peer-host identity in certificate
-SSLPassword supports password protected private keys
-SSLVersionList limits the allowed SSL/TLS protocol versions
-rw-r--r-- | TAO/NEWS | 10 | ||||
-rw-r--r-- | TAO/docs/Security/SSLIOP-USAGE.html | 24 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.cpp | 31 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.h | 4 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.cpp | 12 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.h | 5 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.cpp | 17 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.h | 8 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.cpp | 22 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.h | 6 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Endpoint.cpp | 35 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp | 327 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h | 22 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.cpp | 9 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.h | 10 | ||||
-rw-r--r-- | TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Profile.cpp | 2 |
16 files changed, 376 insertions, 168 deletions
@@ -1,6 +1,16 @@ USER VISIBLE CHANGES BETWEEN TAO-2.3.1 and TAO-2.3.2 ==================================================== +. New SSLIOP Factory option -SSLPassword <password descriptor> facilitates + distributing password protected private keys. + +. New SSLIOP Factory option -SSLVersionList <list> constrains the list of + cypher versions allowed. + +. New SSLIOP Factory option -SSLCheckHost enables a second layer of + authentication by comparing the sending hostname to the name or names in + the supplied certificate + USER VISIBLE CHANGES BETWEEN TAO-2.3.0 and TAO-2.3.1 ==================================================== diff --git a/TAO/docs/Security/SSLIOP-USAGE.html b/TAO/docs/Security/SSLIOP-USAGE.html index 8db70f6cd6b..32e44812fbe 100644 --- a/TAO/docs/Security/SSLIOP-USAGE.html +++ b/TAO/docs/Security/SSLIOP-USAGE.html 
@@ -163,6 +163,30 @@ function MM_nbGroup(event, grpName) { //v3.0 the client preferences. When not set, the SSL server will always follow the clients preferences.</td> </tr> + <tr> + <td><code>-SSLCAfile</code> <em>filename</em></td> + <td>Provide a file containing a trusted certificate, overriding the file named by SSL_CERT_FILE environment variable.</td> + </tr> + <tr> + <td><code>-SSLCApath</code> <em>directory</em></td> + <td>Provide a directory from which all files are read for trusted certificates overriding the directory named by SSL_CERT_DIR environment variable.<</td> + </tr> + <tr> + <td><code>-SSLrand</code> <em>filelist</em></td> + <td>Provide additional entropy from the named sources. Works in conjuction with any value supplied via SSL_RAND_FILE environment variable.</td> + </tr> + <tr> + <td><code>-SSLVersionList</code> <em>versions</em></td> + <td>Unlike the cipher list option, this takes a list of SSL versions to support. List is a comma separated string containing any of SSLv2, SSLv3, TLSv1, TLSv1.1, or TLSv1.2. If <code>-SSLVersionList</code> is not supplied, SSL will support all of these versions. </td> + </tr> + <tr> + <td><code>-SSLPassword</code> <em>specifier</em></td> + <td>if the supplied <code>-SSLPrivateKey</code> is password protected, this option enables overriding the default password entry. The supplied specifier can be <code>prompt:</code><em>message</em> to prompt a user for entry, <code>file:</code><em>filename</em> reads a plain text file, <code>env:</code><em>envvarname</em>, or simply <em>thepassword</em>. Clearly using any option apart from prompt: weakens the protection. </td> + </tr> + <tr> + <td><code>-SSLCheckHost</code></td> + <td>Adds a verification of the peer address to the connection completion process. This feature requires OpenSSL 1.0.2 or newer and performs a reverse DNS lookup to find the originating hostname. 
If the version of ssl used does not support <code>X509_check_host()</code>, the peer address does not map to a cannonical host name, or the peer did not provide an X.509 certificate, the connection will fail. </td> + </tr> </table> <h4>Environment variables</h4> diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.cpp index 03f8216ea7f..48cd4f5ecc4 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.cpp +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.cpp @@ -1,13 +1,16 @@ #include "orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.h" +#include "orbsvcs/Log_Macros.h" +#include "tao/debug.h" TAO_BEGIN_VERSIONED_NAMESPACE_DECL -TAO::SSLIOP::Accept_Strategy::Accept_Strategy ( - TAO_ORB_Core * orb_core, - const ACE_Time_Value & timeout) +TAO::SSLIOP::Accept_Strategy::Accept_Strategy (TAO_ORB_Core * orb_core, + const ACE_Time_Value & timeout, + bool check_host) : TAO_Accept_Strategy<TAO::SSLIOP::Connection_Handler, ACE_SSL_SOCK_Acceptor> (orb_core), - timeout_ (timeout) + timeout_ (timeout), + check_host_ (check_host) { } @@ -55,8 +58,24 @@ TAO::SSLIOP::Accept_Strategy::accept_svc_handler (handler_type * svc_handler) // #REFCOUNT# is zero at this point. return -1; } - else - return 0; + + // If required, verify the host in the endpoint match the cert + if (this->check_host_ && !svc_handler->check_host ()) + { + // Close the handler. + svc_handler->close (); + + if (TAO_debug_level > 0) + { + ORBSVCS_ERROR ((LM_ERROR, + "TAO (%P|%t) - SLIIOP_Accept_Strategy::accept, " + "hostname verification failed\n")); + } + + return -1; + } + + return 0; } TAO_END_VERSIONED_NAMESPACE_DECL diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.h b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.h index c99d0010a5d..d1a43e114a0 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.h +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Accept_Strategy.h 
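Review bot: In `accept_svc_handler` a peer whose certificate fails the host check is closed but the rejection is only logged when `TAO_debug_level > 0`, so a production server records nothing about who was refused; a failed identity check is an audit event and the `ORBSVCS_ERROR` call should not sit under the debug-level guard. The message also misspells the component as `SLIIOP_Accept_Strategy::accept`; `"TAO (%P|%t) - SSLIOP_Accept_Strategy::accept_svc_handler, "` would match the source it comes from. Note that `check_host ()` runs regardless of whether the acceptor's verify mode ever asked the client for a certificate, and the usage text in this commit says a peer without a certificate fails the check, so it is worth a comment here that `-SSLCheckHost` on a server only makes sense together with a verify mode that sets `SSL_VERIFY_PEER`. `accept_svc_handler` starts outside the hunk.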
@@ -68,7 +68,8 @@ namespace TAO /// Constructor. Accept_Strategy (TAO_ORB_Core * orb_core, - const ACE_Time_Value & timeout); + const ACE_Time_Value & timeout, + bool check_host); /// Overridden method that forces a passive connection timeout value /// to be passed to the underlying acceptor. @@ -83,6 +84,7 @@ namespace TAO * handshake. */ const ACE_Time_Value timeout_; + bool check_host_; }; } // End SSLIOP namespace diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.cpp index e357aade7c7..f613f9af443 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.cpp +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.cpp @@ -16,13 +16,15 @@ TAO_BEGIN_VERSIONED_NAMESPACE_DECL TAO::SSLIOP::Acceptor::Acceptor (::Security::QOP qop, - const ACE_Time_Value & timeout) + const ACE_Time_Value & timeout, + bool check_host) : TAO::IIOP_SSL_Acceptor (), ssl_acceptor_ (this), creation_strategy_ (0), concurrency_strategy_ (0), accept_strategy_ (0), - timeout_ (timeout) + timeout_ (timeout), + check_host_ (check_host) { // --- CSIv1 --- @@ -102,7 +104,8 @@ TAO::SSLIOP::Acceptor::create_profile (const TAO::ObjectKey &object_key, // Check if multiple endpoints should be put in one profile or // if they should be spread across multiple profiles. - if (priority == TAO_INVALID_PRIORITY) + if (priority == TAO_INVALID_PRIORITY && + this->orb_core_->orb_params ()->shared_profile () == 0) return this->create_new_profile (object_key, mprofile, priority); @@ -457,7 +460,8 @@ TAO::SSLIOP::Acceptor::ssliop_open_i (TAO_ORB_Core *orb_core, ACE_NEW_RETURN (this->accept_strategy_, ACCEPT_STRATEGY (this->orb_core_, - this->timeout_), + this->timeout_, + this->check_host_), -1); u_short requested_port = addr.get_port_number (); diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.h b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.h index d843e91ae7a..f193f4090ee 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.h 
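Review bot: The `create_profile` hunk in `SSLIOP_Acceptor.cpp` adds `this->orb_core_->orb_params ()->shared_profile () == 0` to the condition for creating a new profile, which changes how endpoints are laid out in the IOR and is unrelated to the three options the commit message and NEWS describe. If it is intentional, a comment above the condition such as `// When shared profiles are enabled, add this endpoint to the existing profile rather than starting a new one` and a line in the commit message would document it; if it is a stray change from another branch it should be split out. `create_profile` starts and ends outside the hunk.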
+++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Acceptor.h @@ -49,7 +49,8 @@ namespace TAO /// Constructor. Acceptor (::Security::QOP qop, - const ACE_Time_Value & timeout); + const ACE_Time_Value & timeout, + bool check_host); /// Destructor. ~Acceptor (void); @@ -150,6 +151,8 @@ namespace TAO */ ACE_Time_Value const timeout_; + bool check_host_; + }; } // End SSLIOP namespace. diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.cpp index 49233b8b01d..7df1ee6c32a 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.cpp +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.cpp @@ -14,6 +14,7 @@ #include "tao/Protocols_Hooks.h" #include "ace/os_include/netinet/os_tcp.h" #include "ace/os_include/os_netdb.h" +#include "ace/SSL/SSL_Context.h" #if !defined (__ACE_INLINE__) # include "orbsvcs/SSLIOP/SSLIOP_Connection_Handler.inl" @@ -25,8 +26,7 @@ TAO::SSLIOP::Connection_Handler::Connection_Handler ( ACE_Thread_Manager *t) : SVC_HANDLER (t, 0 , 0), TAO_Connection_Handler (0), - current_ (), - tcp_properties_ (0) + current_ () { // This constructor should *never* get called, it is just here to // make the compiler happy: the default implementation of the @@ -39,8 +39,7 @@ TAO::SSLIOP::Connection_Handler::Connection_Handler ( TAO::SSLIOP::Connection_Handler::Connection_Handler (TAO_ORB_Core *orb_core) : SVC_HANDLER (orb_core->thr_mgr (), 0, 0), TAO_Connection_Handler (orb_core), - current_ (), - tcp_properties_ (0) + current_ () { this->current_ = TAO::SSLIOP::Util::current (orb_core); 
@@ -459,4 +458,14 @@ TAO::SSLIOP::Connection_Handler::handle_write_ready (const ACE_Time_Value *t) return ACE::handle_write_ready (this->peer ().get_handle (), t); } +bool +TAO::SSLIOP::Connection_Handler::check_host (void) +{ + ACE_SSL_Context *ssl_ctx = ACE_SSL_Context::instance (); + ACE_INET_Addr remote_addr; + if (this->peer ().get_remote_addr (remote_addr) == -1) + return -1; + return ssl_ctx->check_host (remote_addr, this->peer ().ssl ()); +} + TAO_END_VERSIONED_NAMESPACE_DECL diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.h b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.h index 21d3c80ffe1..59ab1a9ff8c 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.h +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connection_Handler.h @@ -103,6 +103,10 @@ namespace TAO TAO::SSLIOP::Current_Impl *previous_current_impl, bool &setup_done); + /// Return true if the host name matches the name/domain in the peer + /// certificate. + bool check_host (void); + protected: //@{ @@ -120,10 +124,6 @@ namespace TAO /// access to the low-level management methods). TAO::SSLIOP::Current_var current_; - private: - - /// TCP configuration for this connection. - TAO_IIOP_Properties *tcp_properties_; }; // **************************************************************** diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.cpp index 99828bd5367..6b17c141510 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.cpp +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.cpp @@ -22,9 +22,10 @@ TAO_BEGIN_VERSIONED_NAMESPACE_DECL -TAO::SSLIOP::Connector::Connector (::Security::QOP qop) +TAO::SSLIOP::Connector::Connector (::Security::QOP qop, bool check_host) : TAO::IIOP_SSL_Connector (), qop_ (qop), + check_host_ (check_host), connect_strategy_ (), base_connector_ (0) { 
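Review bot: `Connection_Handler::check_host` is declared `bool` but returns `-1` when `get_remote_addr` fails, and `-1` converts to `true`, so a connection whose peer address cannot be obtained passes the host check instead of being rejected; the line should be `return false;`. Both new callers treat `false` as "close the connection", so that one change makes the error path fail closed, which is also what the usage text in this commit promises when the peer address cannot be mapped.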
@@ -682,6 +683,23 @@ TAO::SSLIOP::Connector::ssliop_connect ( svc_handler->cancel_pending_connection (); } + // If required, verify the host in the endpoint match the cert + if (this->check_host_ && !svc_handler->check_host ()) + { + // Close the handler. + svc_handler->close (); + + if (TAO_debug_level > 0) + { + ORBSVCS_ERROR ((LM_ERROR, + "TAO (%P|%t) - SLIIOP_Connector::ssliop_connect, " + "hostname verification failed\n")); + } + + return 0; + } + + // At this point, the connection has be successfully connected. // #REFCOUNT# is one. if (TAO_debug_level > 2) @@ -698,7 +716,7 @@ TAO::SSLIOP::Connector::ssliop_connect ( transport); // Failure in adding to cache. - if (retval == -1) + if (retval == -1) { // Close the handler. svc_handler->close (); diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.h b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.h index 9ac5cd6fa59..67f8eadd7fc 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.h +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Connector.h @@ -55,7 +55,7 @@ namespace TAO public: /// Constructor. - Connector (::Security::QOP qop); + Connector (::Security::QOP qop, bool check_host); /** * @name The TAO_Connector methods @@ -135,6 +135,10 @@ namespace TAO /// Otherwise, connect to the insecure IIOP port. ::Security::QOP qop_; + /// if true, do a match between the host name we connected to and what is + /// in the server's certificate. + bool check_host_; + /// Our connect strategy CONNECT_STRATEGY connect_strategy_; diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Endpoint.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Endpoint.cpp index 278c6aa27a2..077725fc096 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Endpoint.cpp +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Endpoint.cpp 
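Review bot: On the client side the name being verified is derived from `get_remote_addr` on the connected socket (and, per the `-SSLCheckHost` usage text in this commit, a reverse DNS lookup), while the new `check_host_` comment in `SSLIOP_Connector.h` says the match is against "the host name we connected to"; those are not the same thing. A PTR record is controlled by whoever controls the address, so an attacker who has redirected the connection can usually make the reverse lookup agree with the certificate it presents; the reference name should be the hostname of the endpoint the connector was asked to reach, with reverse DNS at most a fallback for raw-IP endpoints. I cannot see `ACE_SSL_Context::check_host` from this diff, so if it already does this the comment and documentation should say which name is used. As in the acceptor, the rejection here is only logged under `TAO_debug_level > 0`; a server certificate that fails the name check should be logged unconditionally. `ssliop_connect` starts outside the hunk.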
@@ -103,41 +103,6 @@ TAO_SSLIOP_Endpoint::~TAO_SSLIOP_Endpoint (void) delete this->iiop_endpoint_; } -#if 0 -static void -dump_endpoint (const char* msg, const TAO_Endpoint *other_endpoint) -{ - - TAO_Endpoint *endpt = const_cast<TAO_Endpoint *> (other_endpoint); - - TAO_SSLIOP_Endpoint *endpoint = - dynamic_cast<TAO_SSLIOP_Endpoint *> (endpt); - - if (endpoint == 0) - { - ORBSVCS_DEBUG ((LM_DEBUG, "TAO (%P|%t) endpoint - %s: Unable to cast an endpoint to SSLIOP_Endpoint\n", msg)); - return; - } - - char hostaddr[MAXHOSTNAMELEN + 16]; - int gothost = endpoint->addr_to_string (hostaddr, sizeof hostaddr); - - ORBSVCS_DEBUG ((LM_INFO, "TAO (%P|%t) SSLIOPEndpoint %s - %@ {%s, ssl=%d, iiop=%d," - " qop=%d, trst=(%d,%d), c=%@, crdh=0x%x}, h=0x%x\n", - msg, - endpoint, - (gothost == 0 ? hostaddr : "*UNKNOWN*"), - endpoint->ssl_component ().port , - endpoint->iiop_endpoint ()->port (), - endpoint->qop() , - endpoint->trust().trust_in_target , - endpoint->trust().trust_in_client , - endpoint->credentials() , - (endpoint->credentials_set () ? endpoint->credentials()->hash () : 0) , - endpoint->hash ())); -} -#endif /* 0 */ - int TAO_SSLIOP_Endpoint::addr_to_string (char *buffer, size_t length) { diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp index bfeee3ecb36..94cae7a4550 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.cpp @@ -4,6 +4,16 @@ #include "orbsvcs/SSLIOP/SSLIOP_Connector.h" #include "orbsvcs/SSLIOP/SSLIOP_ORBInitializer.h" #include "ace/OS_NS_strings.h" +#include "ace/Read_Buffer.h" +#include "ace/Malloc_Base.h" +#include "ace/OS_NS_stdio.h" +#include "ace/OS_NS_string.h" +#include "ace/OS_NS_unistd.h" +#if defined (ACE_WIN32) +# include <conio.h> +#else +# include <termios.h> +#endif /* ACE_WIN32 */ #include "orbsvcs/Security/Security_ORBInitializer.h" /// @todo should go away 
@@ -31,6 +41,66 @@ static ACE_TCHAR const TAO_PATH_SEPARATOR_STRING[] = #endif TAO_BEGIN_VERSIONED_NAMESPACE_DECL +namespace +{ + size_t + secret_input (char *buf, size_t max) + { + size_t len = 0; + char c = '\0'; +#if defined (ACE_WIN32) + if (!ACE_OS::isatty (stdin->_file)) + { + len = ACE_OS::fread (buf, 1, max, stdin); + buf[len] = 0; + return len; + } +#else + struct termios old_tio, new_tio; + + if (ACE_OS::isatty (ACE_STDIN)) + { + ::tcgetattr (ACE_STDIN, &old_tio); + new_tio = old_tio; + new_tio.c_lflag &= (~ICANON & ~ECHO); + ::tcsetattr (ACE_STDIN, TCSANOW, &new_tio); + } +#endif /* ACE_WIN32 */ + + for (len = 0; len < max; ) + { +#if defined (ACE_WIN32) + c = ::_getch (); +#else + c = ::getchar (); +#endif /* ACE_WIN32 */ + if (c >= ' ' && c <= '~') + { + buf[len++] = c; + ACE_OS::printf ("%c", '*'); + } + else if (len > 0 && (c == 8 || c == 127)) + { + buf[--len] = 0; + ACE_OS::printf ("\b \b"); + } + else if (c == '\n' || c == '\r' || c == '\0') + { + break; + } + } + buf[len] = 0; + +#if !defined (ACE_WIN32) + if (ACE_OS::isatty (ACE_STDIN)) + { + /* restore the former settings */ + ::tcsetattr (ACE_STDIN, TCSANOW, &old_tio); + } +#endif /* !ACE_WIN32 */ + return len; + } +} namespace TAO { 
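Review bot: `secret_input` writes its terminating NUL one byte past the caller's buffer: the loop admits `len == max` characters and then stores `buf[len] = 0`, and the non-tty Windows path does `fread (buf, 1, max, stdin)` followed by the same store, while the only caller passes OpenSSL's buffer `size` as `max`. A second problem is that `c` is a `char`, so the `EOF` returned by `getchar ()`/`_getch ()` is never recognised and a closed or exhausted stdin spins forever (on POSIX, without ever restoring the terminal settings). Bound the loop and the `fread` at `max - 1`, make `c` an `int`, and break on EOF:
```cpp
  size_t
  secret_input (char *buf, size_t max)
  {
    size_t len = 0;
    int c = EOF;                        // int so that EOF is distinguishable
    if (max == 0)
      return 0;
#if defined (ACE_WIN32)
    if (!ACE_OS::isatty (stdin->_file))
      {
        len = ACE_OS::fread (buf, 1, max - 1, stdin);
        buf[len] = 0;
        return len;
      }
#else
    // … unchanged: termios setup …
#endif /* ACE_WIN32 */

    for (len = 0; len + 1 < max; )
      {
#if defined (ACE_WIN32)
        c = ::_getch ();
#else
        c = ::getchar ();
#endif /* ACE_WIN32 */
        if (c == EOF)
          break;
        // … unchanged: printable / backspace / newline handling …
      }
    buf[len] = 0;
    // … unchanged: termios restore …
    return len;
  }
```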
@@ -41,10 +111,125 @@ namespace TAO } } +ACE_CString TAO::SSLIOP::Protocol_Factory::pem_passwd_; +const ACE_CString key_prompt("prompt:"); +const ACE_CString key_file("file:"); +const ACE_CString key_env("env:"); + +int +TAO::SSLIOP::Protocol_Factory::pem_passwd_cb (char *buf, int size, int , void *the_passwd) +{ + const char *passwd_str = reinterpret_cast<const char *>(the_passwd); + int len = 0; + if (the_passwd != 0) + { + len = ACE_Utils::truncate_cast<size_t> (ACE_OS::strlen (passwd_str)); + } + else + { + if (pem_passwd_.length() == 0) + { + return 0; + } + if (pem_passwd_.find (key_prompt) == 0) + { + size_t ofs = key_prompt.length(); + // do prompt + const char *prompt = pem_passwd_.length() == ofs ? + "Enter password" : pem_passwd_.c_str() + ofs; + ACE_OS::printf ("%s: ",prompt); + pem_passwd_.resize (size); + pem_passwd_.clear (); + len = secret_input (buf, size); + ACE_OS::printf ("\n"); + pem_passwd_ = buf; + return len; + } + else if (pem_passwd_.find (key_file) == 0) + { + size_t ofs = key_file.length(); + const char *fname = pem_passwd_.c_str() + ofs; + // do file + FILE* file = ACE_OS::fopen (fname,ACE_TEXT("r")); + + if (file == 0) + { + if (TAO_debug_level > 0) + ORBSVCS_DEBUG ((LM_DEBUG, + ACE_TEXT ("TAO (%P|%t) SSLIOP_Factory::pem_passwd_cb ") + ACE_TEXT ("cannot open file: %s\n"), + fname)); + pem_passwd_ = ""; + } + else + { + ACE_Read_Buffer reader (file, true); + char* string = reader.read (); + if (string != 0) + { + pem_passwd_ = string; + reader.alloc ()->free (string); + } + else + { + if (TAO_debug_level > 0) + ORBSVCS_DEBUG ((LM_DEBUG, + ACE_TEXT ("TAO (%P|%t) SSLIOP_Factory::pem_passwd_cb ") + ACE_TEXT ("cannot read file: %s\n"), + fname)); + pem_passwd_ = ""; + } + ACE_OS::fclose (file); + } + } + else if (pem_passwd_.find (key_env) == 0) + { + size_t ofs = key_env.length(); + // do env + const char *env = pem_passwd_.length() == ofs ? 
+ "TAO_PEM_PASSWORD" : pem_passwd_.c_str() + ofs; + char *pwd = ACE_OS::getenv (env); + if (pwd != 0) + { + pem_passwd_ = pwd; + } + else + { + if (TAO_debug_level > 0) + ORBSVCS_DEBUG ((LM_DEBUG, + ACE_TEXT ("TAO (%P|%t) SSLIOP_Factory::pem_passwd_cb ") + ACE_TEXT ("invalid env: %s\n"), + env)); + pem_passwd_ = ""; + } + } + + len = ACE_Utils::truncate_cast<size_t> (pem_passwd_.length()); + if (len >= size) + { + if (TAO_debug_level > 0) + ORBSVCS_DEBUG ((LM_DEBUG, + ACE_TEXT ("TAO (%P|%t) SSLIOP_Factory::pem_passwd_cb truncating ") + ACE_TEXT ("supplied password from len %d to %d\n"), + len, size - 1)); + len = size - 1; + pem_passwd_ = pem_passwd_.substr(0,len); + } + passwd_str = pem_passwd_.c_str (); + ::SSL_CTX_set_default_passwd_cb_userdata (ACE_SSL_Context::instance ()->context(), + (void *) passwd_str); + } + + ACE_OS::strncpy (buf, pem_passwd_.c_str(), len); + buf[len] = 0; + return len; +} + TAO::SSLIOP::Protocol_Factory::Protocol_Factory (void) : TAO_Protocol_Factory (IOP::TAG_INTERNET_IOP), qop_ (::Security::SecQOPIntegrityAndConfidentiality), - timeout_ (TAO::SSLIOP::ACCEPT_TIMEOUT) + timeout_ (TAO::SSLIOP::ACCEPT_TIMEOUT), + check_host_ (false) { } @@ -83,7 +268,8 @@ TAO::SSLIOP::Protocol_Factory::make_acceptor (void) ACE_NEW_RETURN (acceptor, TAO::SSLIOP::Acceptor (this->qop_, - this->timeout_), + this->timeout_, + this->check_host_), 0); return acceptor; @@ -108,7 +294,6 @@ TAO::SSLIOP::Protocol_Factory::parse_x509_file (char *arg, char *&path) return -1; } - int TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[]) { 
@@ -125,11 +310,6 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[]) int prevdebug = -1; - CSIIOP::AssociationOptions csiv2_target_supports = - CSIIOP::Integrity | CSIIOP::Confidentiality; - CSIIOP::AssociationOptions csiv2_target_requires = - CSIIOP::Integrity | CSIIOP::Confidentiality; - // Force the Singleton instance to be initialized/instantiated. // Some SSLIOP option combinations below will result in the // Singleton instance never being initialized. In that case, @@ -201,12 +381,6 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[]) // overridden by a SecurityLevel2::QOPPolicy in the object // reference. this->qop_ = ::Security::SecQOPNoProtection; - - ACE_SET_BITS (csiv2_target_supports, - CSIIOP::NoProtection); - - ACE_CLR_BITS (csiv2_target_requires, - CSIIOP::Confidentiality); } else if (ACE_OS::strcasecmp (argv[curarg], @@ -245,23 +419,12 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[]) else if (ACE_OS::strcasecmp (argv[curarg], ACE_TEXT("SERVER")) == 0) { mode = SSL_VERIFY_PEER; - - ACE_SET_BITS (csiv2_target_supports, - CSIIOP::EstablishTrustInTarget - | CSIIOP::EstablishTrustInClient); } else if (ACE_OS::strcasecmp (argv[curarg], ACE_TEXT("CLIENT")) == 0 || ACE_OS::strcasecmp (argv[curarg], ACE_TEXT("SERVER_AND_CLIENT")) == 0) { mode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - - ACE_SET_BITS (csiv2_target_supports, - CSIIOP::EstablishTrustInTarget - | CSIIOP::EstablishTrustInClient); - - ACE_SET_BITS (csiv2_target_requires, - CSIIOP::EstablishTrustInClient); } ssl_ctx->default_verify_mode (mode); 
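Review bot: These hunks delete the computation of `csiv2_target_supports` / `csiv2_target_requires` from `init`, including the adjustments made for `SecQOPNoProtection` and for the `SERVER` and `CLIENT` verify modes that previously fed the SSLIOP ORB initializer, yet neither the commit message nor the NEWS entry mentions dropping CSIv2 association options. If the values are now derived elsewhere (I cannot see `ORBInitializer::pre_init` from this diff) a comment where `mode` is chosen, e.g. `// CSIv2 association options are no longer derived here; see SSLIOP_ORBInitializer`, would stop the next reader from re-adding them; if they are simply gone, that changes what the IOR advertises and should be called out. `init` starts and ends outside these hunks.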
@@ -356,9 +519,37 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[]) } } #endif + else if (ACE_OS::strcasecmp (argv[curarg], + ACE_TEXT("-SSLVersionList")) == 0) + { + curarg++; + if (curarg < argc) + { + ssl_ctx->filter_versions (ACE_TEXT_ALWAYS_CHAR(argv[curarg])); + } + } + else if (ACE_OS::strcasecmp (argv[curarg], + ACE_TEXT("-SSLPassword")) == 0) + { + curarg++; + if (curarg < argc) + { + pem_passwd_ = ACE_TEXT_ALWAYS_CHAR(argv[curarg]); + } + } + else if (ACE_OS::strcasecmp (argv[curarg], + ACE_TEXT("-SSLCheckHost")) == 0) + { + this->check_host_ = true; + } } + if (pem_passwd_.length() > 0) + { + ::SSL_CTX_set_default_passwd_cb (ssl_ctx->context(), pem_passwd_cb); + } + // Load some (more) entropy from the user specified sources // in addition to what's pointed to by ACE_SSL_RAND_FILE_ENV if (rand_path != 0) @@ -534,8 +725,7 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[]) } } - if (this->register_orb_initializer (csiv2_target_supports, - csiv2_target_requires) != 0) + if (this->register_orb_initializer () != 0) return -1; if (prevdebug != -1) @@ -545,9 +735,7 @@ TAO::SSLIOP::Protocol_Factory::init (int argc, ACE_TCHAR* argv[]) } int -TAO::SSLIOP::Protocol_Factory::register_orb_initializer ( - CSIIOP::AssociationOptions csiv2_target_supports, - CSIIOP::AssociationOptions csiv2_target_requires) +TAO::SSLIOP::Protocol_Factory::register_orb_initializer (void) { try { 
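Review bot: `-SSLPassword` accepts a bare password on the command line and copies it into the static `pem_passwd_`, but nothing overwrites the `argv` entry afterwards, so the secret stays readable in the process command line for as long as the process runs; after the copy, `ACE_OS::memset (argv[curarg], 0, ACE_OS::strlen (argv[curarg]) * sizeof (ACE_TCHAR));` (when the specifier carries no `prompt:`/`file:`/`env:` prefix) limits the exposure, assuming these strings are the real command line rather than a parsed configuration copy. The `-SSLVersionList` value is passed straight to `filter_versions`, and the usage table in this commit states that omitting the option leaves SSLv2 and SSLv3 enabled; since the default is what most deployments will run, a comment here stating that default, and a TLS-only default if ACE permits it, would be appropriate. `init` starts and ends outside this hunk.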
@@ -557,62 +745,39 @@ TAO::SSLIOP::Protocol_Factory::register_orb_initializer ( PortableInterceptor::ORBInitializer_ptr tmp; ACE_NEW_THROW_EX (tmp, TAO::Security::ORBInitializer, - CORBA::NO_MEMORY ( - CORBA::SystemException::_tao_minor_code ( - TAO::VMCID, - ENOMEM), - CORBA::COMPLETED_NO)); - + CORBA::NO_MEMORY + (CORBA::SystemException::_tao_minor_code + (TAO::VMCID, ENOMEM), CORBA::COMPLETED_NO)); PortableInterceptor::ORBInitializer_var initializer = tmp; - PortableInterceptor::ORBInitializer_ptr temp_dll_initializer = + PortableInterceptor::ORBInitializer_ptr tmp_dll = PortableInterceptor::ORBInitializer::_nil (); - - ACE_NEW_THROW_EX (temp_dll_initializer, - PortableInterceptor::DLL_Resident_ORB_Initializer( - initializer.in (), - ACE_TEXT ("TAO_Security")), - CORBA::NO_MEMORY ( - CORBA::SystemException::_tao_minor_code ( - TAO::VMCID, - ENOMEM), - CORBA::COMPLETED_NO)); - - PortableInterceptor::ORBInitializer_var dll_initializer - = temp_dll_initializer; - - PortableInterceptor::register_orb_initializer (dll_initializer.in ()); - - + ACE_NEW_THROW_EX (tmp_dll, + PortableInterceptor::DLL_Resident_ORB_Initializer + (initializer.in (), ACE_TEXT ("TAO_Security")), + CORBA::NO_MEMORY + (CORBA::SystemException::_tao_minor_code + (TAO::VMCID, ENOMEM), CORBA::COMPLETED_NO)); + + PortableInterceptor::ORBInitializer_var dll_initializer = tmp_dll; + PortableInterceptor::register_orb_initializer (dll_initializer.in ()); // Register the SSLIOP ORB initializer. 
ACE_NEW_THROW_EX (tmp, - TAO::SSLIOP::ORBInitializer (this->qop_, - csiv2_target_supports, - csiv2_target_requires), - CORBA::NO_MEMORY ( - CORBA::SystemException::_tao_minor_code ( - TAO::VMCID, - ENOMEM), - CORBA::COMPLETED_NO)); + TAO::SSLIOP::ORBInitializer (this->qop_), + CORBA::NO_MEMORY + (CORBA::SystemException::_tao_minor_code + (TAO::VMCID, ENOMEM), CORBA::COMPLETED_NO)); initializer = tmp; - - temp_dll_initializer = PortableInterceptor::ORBInitializer::_nil (); - - ACE_NEW_THROW_EX (temp_dll_initializer, - PortableInterceptor::DLL_Resident_ORB_Initializer( - initializer.in (), - ACE_TEXT ("TAO_SSLIOP")), - CORBA::NO_MEMORY ( - CORBA::SystemException::_tao_minor_code ( - TAO::VMCID, - ENOMEM), - CORBA::COMPLETED_NO)); - - dll_initializer = temp_dll_initializer; - - PortableInterceptor::register_orb_initializer (dll_initializer.in ()); - + tmp_dll = PortableInterceptor::ORBInitializer::_nil (); + ACE_NEW_THROW_EX (tmp_dll, + PortableInterceptor::DLL_Resident_ORB_Initializer + (initializer.in (), ACE_TEXT ("TAO_SSLIOP")), + CORBA::NO_MEMORY + (CORBA::SystemException::_tao_minor_code + (TAO::VMCID, ENOMEM), CORBA::COMPLETED_NO)); + dll_initializer = tmp_dll; + PortableInterceptor::register_orb_initializer (dll_initializer.in ()); } catch (const CORBA::Exception& ex) { @@ -628,10 +793,10 @@ TAO::SSLIOP::Protocol_Factory::register_orb_initializer ( TAO_Connector * TAO::SSLIOP::Protocol_Factory::make_connector (void) { - TAO_Connector *connector = 0; + TAO::SSLIOP::Connector *connector = 0; ACE_NEW_RETURN (connector, - TAO::SSLIOP::Connector (this->qop_), + TAO::SSLIOP::Connector (this->qop_, this->check_host_), 0); return connector; } diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h index 2f05106078e..7fcacc9fbf5 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Factory.h 
@@ -94,12 +94,16 @@ namespace TAO /// static int parse_x509_file (char *arg, char *&path); - /// Create and register the SSLIOP ORB initializer. - int register_orb_initializer ( - CSIIOP::AssociationOptions csiv2_target_supports, - CSIIOP::AssociationOptions csiv2_target_requires); + /// Callback for supplying a password to be used accessing a private key. + /// Key initialized by env var or supplied in arg list. + /// This callback is only used when a password is configured. + static int pem_passwd_cb (char *buf, int size, int , void *); - private: + /// The stored password + static ACE_CString pem_passwd_; + + /// Create and register the SSLIOP ORB initializer. + int register_orb_initializer (void); /// Default quality-of-protection settings for the SSLIOP /// pluggable protocol. @@ -113,13 +117,7 @@ namespace TAO */ ACE_Time_Value timeout_; - /// The SSLIOP-specific CSIv2 transport mechanism component. - /** - * This SSLIOP-specific structure is embedded in the CSIv2 transport - * mechanism list of the @c CSIIOP::CompoundSecMechList IOR tagged - * component. - */ - // CSIIOP::TLS_SEC_TRANS * csiv2_component_; + bool check_host_; }; } // End SSLIOP namespace. diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.cpp index 0c1db080bad..b081f4a6d0a 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.cpp +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.cpp @@ -20,13 +20,8 @@ TAO_BEGIN_VERSIONED_NAMESPACE_DECL -TAO::SSLIOP::ORBInitializer::ORBInitializer ( - ::Security::QOP qop, - CSIIOP::AssociationOptions csiv2_target_supports, - CSIIOP::AssociationOptions csiv2_target_requires) - : qop_ (qop), - csiv2_target_supports_ (csiv2_target_supports), - csiv2_target_requires_ (csiv2_target_requires) +TAO::SSLIOP::ORBInitializer::ORBInitializer (::Security::QOP qop) + : qop_ (qop) { } 
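Review bot: Removing the `private:` label in `SSLIOP_Factory.h` moves `pem_passwd_cb`, the static `pem_passwd_` that holds the plaintext key password, `register_orb_initializer` and the `qop_`/`timeout_`/`check_host_` members into whichever access section precedes `parse_x509_file`; if that section is not private (its label is outside this hunk), the password string becomes reachable from any translation unit that includes the header. Re-add `private:` ahead of `pem_passwd_` — the callback must be a static function for OpenSSL but does not need to be public — and make the member comment honest about its lifetime: `/// Plaintext password for the private key; retained for the process lifetime.`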
diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.h b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.h index 67c7d93663a..074ab7dd4ed 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.h +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_ORBInitializer.h @@ -54,9 +54,7 @@ namespace TAO public: /// Constructor. - ORBInitializer (::Security::QOP qop, - CSIIOP::AssociationOptions csiv2_target_supports, - CSIIOP::AssociationOptions csiv2_target_requires); + ORBInitializer (::Security::QOP qop); virtual void pre_init (PortableInterceptor::ORBInitInfo_ptr info); @@ -71,12 +69,6 @@ namespace TAO /// The default quality-of-protection settings in use. ::Security::QOP qop_; - - /// Default support CSIv2 association options. - CSIIOP::AssociationOptions csiv2_target_supports_; - - /// Default required CSIv2 association options. - CSIIOP::AssociationOptions csiv2_target_requires_; }; } // End SSLIOP namespace. diff --git a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Profile.cpp b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Profile.cpp index bed025cbb60..dcca6d01808 100644 --- a/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Profile.cpp +++ b/TAO/orbsvcs/orbsvcs/SSLIOP/SSLIOP_Profile.cpp @@ -234,7 +234,7 @@ TAO_SSLIOP_Profile::encode_endpoints (void) // Encode the data structure. TAO_OutputCDR out_cdr; - if ((out_cdr << ACE_OutputCDR::from_boolean (TAO_ENCAP_BYTE_ORDER) + if (((out_cdr << ACE_OutputCDR::from_boolean (TAO_ENCAP_BYTE_ORDER)) == 0) || (out_cdr << endpoints) == 0) return -1; |