[Pkg-corba-commits] r152 - in /trunk/omniorb4: include/omniORB4/ include/omniORB4/sslContext.h src/lib/omniORB/ src/lib/omniORB/orbcore/ src/lib/omniORB/orbcore/ssl/ src/lib/omniORB/orbcore/ssl/sslContext.cc
tgg at users.alioth.debian.org
tgg at users.alioth.debian.org
Thu Apr 3 09:20:48 UTC 2008
Author: tgg
Date: Thu Apr 3 09:20:48 2008
New Revision: 152
URL: http://svn.debian.org/wsvn/pkg-corba/?sc=1&rev=152
Log:
add sslContext files from 4.1.2 to try to make them ABI compatible with 4.1.1
Added:
trunk/omniorb4/include/omniORB4/
trunk/omniorb4/include/omniORB4/sslContext.h
trunk/omniorb4/src/lib/omniORB/
trunk/omniorb4/src/lib/omniORB/orbcore/
trunk/omniorb4/src/lib/omniORB/orbcore/ssl/
trunk/omniorb4/src/lib/omniORB/orbcore/ssl/sslContext.cc
Added: trunk/omniorb4/include/omniORB4/sslContext.h
URL: http://svn.debian.org/wsvn/pkg-corba/trunk/omniorb4/include/omniORB4/sslContext.h?rev=152&op=file
==============================================================================
--- trunk/omniorb4/include/omniORB4/sslContext.h (added)
+++ trunk/omniorb4/include/omniORB4/sslContext.h Thu Apr 3 09:20:48 2008
@@ -1,0 +1,167 @@
+// -*- Mode: C++; -*-
+// Package : omniORB
+// sslContext.h Created on: 29 May 2001
+// Author : Sai Lai Lo (sll)
+//
+// Copyright (C) 2001 AT&T Laboratories Cambridge
+//
+// This file is part of the omniORB library
+//
+// The omniORB library is free software; you can redistribute it and/or
+// modify it under the terms of the GNU Library General Public
+// License as published by the Free Software Foundation; either
+// version 2 of the License, or (at your option) any later version.
+//
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// Library General Public License for more details.
+//
+// You should have received a copy of the GNU Library General Public
+// License along with this library; if not, write to the Free
+// Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+// 02111-1307, USA
+//
+//
+// Description:
+// *** PROPRIETORY INTERFACE ***
+//
+
+/*
+ $Log: sslContext.h,v $
+ Revision 1.1.4.5 2008/02/14 13:50:03 dgrisby
+ Initialise openssl only if necessary. Thanks Teemu Torma.
+
+ Revision 1.1.4.4 2006/01/10 12:24:04 dgrisby
+ Merge from omni4_0_develop pre 4.0.7 release.
+
+ Revision 1.1.4.3 2005/09/05 17:12:20 dgrisby
+ Merge again. Mainly SSL transport changes.
+
+ Revision 1.1.4.2 2005/01/06 23:08:22 dgrisby
+ Big merge from omni4_0_develop.
+
+ Revision 1.1.4.1 2003/03/23 21:04:02 dgrisby
+ Start of omniORB 4.1.x development branch.
+
+ Revision 1.1.2.5 2002/09/05 14:29:01 dgrisby
+ Link force mechanism wasn't working with gcc.
+
+ Revision 1.1.2.4 2002/02/25 11:17:11 dpg1
+ Use tracedmutexes everywhere.
+
+ Revision 1.1.2.3 2001/09/14 11:10:35 sll
+ Do the right dllimport for win32.
+
+ Revision 1.1.2.2 2001/09/13 15:36:00 sll
+ Provide hooks to openssl for thread safety.
+ Switched to select v2 or v3 methods but accept only v3 or tls v1 protocol.
+ Added extra method set_supported_versions.
+
+ Revision 1.1.2.1 2001/06/11 18:11:07 sll
+ *** empty log message ***
+
+*/
+
+#ifndef __SSLCONTEXT_H__
+#define __SSLCONTEXT_H__
+
+#include <omniORB4/linkHacks.h>
+
+OMNI_FORCE_LINK(omnisslTP);
+
+
+#ifdef _core_attr
+# error "A local CPP macro _core_attr has already been defined."
+#endif
+
+#if defined(_OMNIORB_SSL_LIBRARY)
+# define _core_attr
+#else
+# define _core_attr _OMNIORB_NTDLL_IMPORT
+#endif
+
+#define crypt _openssl_broken_crypt
+#include <openssl/ssl.h>
+#undef crypt
+
+OMNI_NAMESPACE_BEGIN(omni)
+ class omni_sslTransport_initialiser;
+OMNI_NAMESPACE_END(omni)
+
+class sslContext {
+ public:
+ sslContext(const char* cafile, const char* keyfile, const char* password);
+
+ SSL_CTX* get_SSL_CTX() const { return pd_ctx; }
+
+ // These four parameters must be set or else the default way to
+ // initialise a sslContext singleton will not be used.
+ static _core_attr const char* certificate_authority_file; // In PEM format
+ static _core_attr const char* key_file; // In PEM format
+ static _core_attr const char* key_file_password;
+ static _core_attr int verify_mode;
+
+ static _core_attr sslContext* singleton;
+
+ virtual ~sslContext();
+
+ protected:
+ virtual SSL_METHOD* set_method();
+ // Default to return SSLv23_method().
+
+ virtual void set_supported_versions();
+ // Default to SSL_CTX_set_options(ssL_ctx, SSL_OP_NO_SSLv2); That is
+ // only accept SSL version 3 or TLS version 1.
+
+ virtual void set_CA();
+ // Default to read the certificates of the Certificate Authorities in the
+ // file named by the static member certificate_authority_file.
+
+ virtual void set_certificate();
+ // Default to read the certificate of this server from the file named
+ // by the static member key_file.
+
+ virtual void set_cipher();
+ // Default to call OpenSSL_add_all_algorithms().
+
+ virtual void set_privatekey();
+ // Default to read the private key of this server from the file named
+ // by the static member key_file. Notice that this file also contains
+ // the server's certificate.
+
+ virtual void seed_PRNG();
+ // On systems that does not provide a /dev/urandom, default to provide
+ // a seed for the PRNG using process ID and time of date. This is not
+ // a very good seed cryptographically. Secure applications should definitely
+ // override this method to provide a better seed.
+
+ virtual void set_DH();
+
+ virtual void set_ephemeralRSA();
+
+ virtual int set_verify_mode();
+ // Set the SSL verify mode.
+ // Defaults to return SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.
+
+ sslContext();
+
+ friend class _OMNI_NS(omni_sslTransport_initialiser);
+ private:
+
+ void thread_setup();
+ void thread_cleanup();
+
+ virtual void internal_initialise();
+
+ const char* pd_cafile;
+ const char* pd_keyfile;
+ const char* pd_password;
+ SSL_CTX* pd_ctx;
+ omni_tracedmutex* pd_locks;
+ CORBA::Boolean pd_ssl_owner;
+};
+
+#undef _core_attr
+
+#endif // __SSLCONTEXT_H__
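Review bot: class sslContext owns pd_ctx (released with SSL_CTX_free in the accompanying sslContext.cc) and the pd_locks array, yet the class declares no copy constructor or copy assignment, so an accidental copy of a context would double-free both. Declare them private and unimplemented next to the other private members, `sslContext(const sslContext&);` and `sslContext& operator=(const sslContext&);` — declarations only, so the layout and exported symbols that the log says must stay ABI compatible with 4.1.1 are untouched. The public constructor also deserves a comment that `cafile`, `keyfile` and `password` are stored as raw `const char*` (pd_cafile, pd_keyfile, pd_password) without copying, so the caller must keep those strings alive for the lifetime of the context.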
Added: trunk/omniorb4/src/lib/omniORB/orbcore/ssl/sslContext.cc
URL: http://svn.debian.org/wsvn/pkg-corba/trunk/omniorb4/src/lib/omniORB/orbcore/ssl/sslContext.cc?rev=152&op=file
==============================================================================
--- trunk/omniorb4/src/lib/omniORB/orbcore/ssl/sslContext.cc (added)
+++ trunk/omniorb4/src/lib/omniORB/orbcore/ssl/sslContext.cc Thu Apr 3 09:20:48 2008
@@ -1,0 +1,430 @@
+// -*- Mode: C++; -*-
+// Package : omniORB
+// sslContext.cc Created on: 29 May 2001
+// Author : Sai Lai Lo (sll)
+//
+// Copyright (C) 2001 AT&T Laboratories Cambridge
+//
+// This file is part of the omniORB library
+//
+// The omniORB library is free software; you can redistribute it and/or
+// modify it under the terms of the GNU Library General Public
+// License as published by the Free Software Foundation; either
+// version 2 of the License, or (at your option) any later version.
+//
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+// Library General Public License for more details.
+//
+// You should have received a copy of the GNU Library General Public
+// License along with this library; if not, write to the Free
+// Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA
+// 02111-1307, USA
+//
+//
+// Description:
+// *** PROPRIETORY INTERFACE ***
+//
+
+/*
+ $Log: sslContext.cc,v $
+ Revision 1.1.4.5 2008/02/14 13:50:03 dgrisby
+ Initialise openssl only if necessary. Thanks Teemu Torma.
+
+ Revision 1.1.4.4 2005/09/05 17:12:20 dgrisby
+ Merge again. Mainly SSL transport changes.
+
+ Revision 1.1.4.3 2005/03/30 23:35:59 dgrisby
+ Another merge from omni4_0_develop.
+
+ Revision 1.1.4.2 2005/01/06 23:10:53 dgrisby
+ Big merge from omni4_0_develop.
+
+ Revision 1.1.4.1 2003/03/23 21:01:59 dgrisby
+ Start of omniORB 4.1.x development branch.
+
+ Revision 1.1.2.12 2002/12/19 12:23:02 dgrisby
+ Don't set SSL verify depth to 1.
+
+ Revision 1.1.2.11 2002/12/19 11:49:33 dgrisby
+ Vladimir Panov's SSL fixes.
+
+ Revision 1.1.2.10 2002/04/16 12:44:27 dpg1
+ Fix SSL accept bug, clean up logging.
+
+ Revision 1.1.2.9 2002/02/25 11:17:14 dpg1
+ Use tracedmutexes everywhere.
+
+ Revision 1.1.2.8 2002/02/11 17:10:18 dpg1
+ Cast result of pthread_self().
+
+ Revision 1.1.2.7 2001/09/13 16:45:03 sll
+ Changed thread id callback function for the openssl library.
+ Only provide one for non-win32 platform and use pthread_self() directly.
+
+ Revision 1.1.2.6 2001/09/13 15:36:01 sll
+ Provide hooks to openssl for thread safety.
+ Switched to select v2 or v3 methods but accept only v3 or tls v1 protocol.
+ Added extra method set_supported_versions.
+
+ Revision 1.1.2.5 2001/09/13 15:22:12 sll
+ Correct test macro for WIN32.
+
+ Revision 1.1.2.4 2001/08/03 17:41:25 sll
+ System exception minor code overhaul. When a system exeception is raised,
+ a meaning minor code is provided.
+
+ Revision 1.1.2.3 2001/07/26 16:37:21 dpg1
+ Make sure static initialisers always run.
+
+ Revision 1.1.2.2 2001/06/20 18:53:34 sll
+ Rearrange the declaration of for-loop index variable to work with old and
+ standard C++.
+
+ Revision 1.1.2.1 2001/06/11 18:11:06 sll
+ *** empty log message ***
+
+*/
+
+#include <omniORB4/CORBA.h>
+
+#include <stdlib.h>
+#ifndef __WIN32__
+#include <unistd.h>
+#else
+#include <process.h>
+#endif
+#include <sys/stat.h>
+#include <omniORB4/minorCode.h>
+#include <omniORB4/sslContext.h>
+#include <exceptiondefs.h>
+#include <ssl/sslTransportImpl.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <omniORB4/linkHacks.h>
+
+OMNI_EXPORT_LINK_FORCE_SYMBOL(sslContext);
+
+OMNI_USING_NAMESPACE(omni)
+
+static void report_error();
+
+const char* sslContext::certificate_authority_file = 0;
+const char* sslContext::key_file = 0;
+const char* sslContext::key_file_password = 0;
+int sslContext::verify_mode = (SSL_VERIFY_PEER |
+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
+sslContext* sslContext::singleton = 0;
+
+
+/////////////////////////////////////////////////////////////////////////
+sslContext::sslContext(const char* cafile,
+ const char* keyfile,
+ const char* password) :
+ pd_cafile(cafile), pd_keyfile(keyfile), pd_password(password), pd_ctx(0),
+ pd_locks(0), pd_ssl_owner(0) {}
+
+
+/////////////////////////////////////////////////////////////////////////
+sslContext::sslContext() :
+ pd_cafile(0), pd_keyfile(0), pd_password(0), pd_ctx(0),
+ pd_locks(0), pd_ssl_owner(0) {
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::internal_initialise() {
+
+ if (pd_ctx) return;
+
+ // Assume we own the ssl if no locking callback yet.
+ pd_ssl_owner = CRYPTO_get_locking_callback() == 0;
+
+ if (pd_ssl_owner) {
+ SSL_library_init();
+ set_cipher();
+ SSL_load_error_strings();
+ }
+
+ pd_ctx = SSL_CTX_new(set_method());
+ if (!pd_ctx) {
+ report_error();
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,
+ CORBA::COMPLETED_NO);
+ }
+ set_supported_versions();
+ seed_PRNG();
+ set_certificate();
+ set_privatekey();
+ set_CA();
+ set_DH();
+ set_ephemeralRSA();
+ // Allow the user to overwrite the SSL verification types.
+ SSL_CTX_set_verify(pd_ctx,set_verify_mode(),NULL);
+ if (pd_ssl_owner)
+ thread_setup();
+}
+
+/////////////////////////////////////////////////////////////////////////
+sslContext::~sslContext() {
+ if (pd_ctx) {
+ SSL_CTX_free(pd_ctx);
+ }
+ if (pd_ssl_owner)
+ thread_cleanup();
+}
+
+/////////////////////////////////////////////////////////////////////////
+SSL_METHOD*
+sslContext::set_method() {
+ return SSLv23_method();
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::set_supported_versions() {
+ SSL_CTX_set_options(pd_ctx, SSL_OP_NO_SSLv2);
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::set_CA() {
+
+ {
+ struct stat buf;
+ if (!pd_cafile || stat(pd_cafile,&buf) < 0) {
+ if (omniORB::trace(1)) {
+ omniORB::logger log;
+ log << "Error: sslContext CA file is not set "
+ << "or cannot be found\n";
+ }
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,
+ CORBA::COMPLETED_NO);
+ }
+ }
+
+ if (!(SSL_CTX_load_verify_locations(pd_ctx,pd_cafile,0))) {
+ report_error();
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,CORBA::COMPLETED_NO);
+ }
+
+ // We no longer set the verify depth to 1, to use the default of 9.
+ // SSL_CTX_set_verify_depth(pd_ctx,1);
+
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::set_certificate() {
+ {
+ struct stat buf;
+ if (!pd_keyfile || stat(pd_keyfile,&buf) < 0) {
+ if (omniORB::trace(5)) {
+ omniORB::logger log;
+ log << "sslContext certificate file is not set "
+ << "or cannot be found\n";
+ }
+ return;
+ }
+ }
+
+ if(!(SSL_CTX_use_certificate_file(pd_ctx,pd_keyfile,SSL_FILETYPE_PEM))) {
+ report_error();
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,CORBA::COMPLETED_NO);
+ }
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::set_cipher() {
+ OpenSSL_add_all_algorithms();
+}
+
+/////////////////////////////////////////////////////////////////////////
+static const char* ssl_password = 0;
+
+extern "C"
+int sslContext_password_cb (char *buf,int num,int,void *) {
+ int size = strlen(ssl_password);
+ if (num < size+1) return 0;
+ strcpy(buf,ssl_password);
+ return size;
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::set_privatekey() {
+
+ if (!pd_password) {
+ if (omniORB::trace(5)) {
+ omniORB::logger log;
+ log << "sslContext private key is not set\n";
+ }
+ return;
+ }
+
+ ssl_password = pd_password;
+ SSL_CTX_set_default_passwd_cb(pd_ctx,sslContext_password_cb);
+ if(!(SSL_CTX_use_PrivateKey_file(pd_ctx,pd_keyfile,SSL_FILETYPE_PEM))) {
+ report_error();
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,CORBA::COMPLETED_NO);
+ }
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::seed_PRNG() {
+ // Seed the PRNG if it has not been done
+ if (!RAND_status()) {
+
+ // This is not necessary on systems with /dev/urandom. Otherwise, the
+ // application is strongly adviced to seed the PRNG using one of the
+ // seeding functions: RAND_seed(), RAND_add(), RAND_event() or
+ // RAND_screen().
+ // What we do here is a last resort and does not necessarily give a very
+ // good seed!
+
+ int* data = new int[256];
+
+#if ! defined(__WIN32__)
+ srand(getuid() + getpid());
+#else
+ srand(_getpid());
+#endif
+ int i;
+ for(i = 0 ; i < 128 ; ++i)
+ data[i] = rand();
+
+ unsigned long abs_sec, abs_nsec;
+ omni_thread::get_time(&abs_sec,&abs_nsec);
+ srand(abs_sec + abs_nsec);
+ for(i = 128 ; i < 256 ; ++i)
+ data[i] = rand();
+
+ RAND_seed((unsigned char *)data, (256 * (sizeof(int))));
+
+ if (omniORB::trace(1)) {
+ omniORB::logger log;
+ log << "SSL: the pseudo random number generator has not been seeded.\n"
+ << "A seed is generated but it is not consided to be of crypto strength.\n"
+ << "The application should call one of the OpenSSL seed functions,\n"
+ << "e.g. RAND_event() to initialise the PRNG before calling sslTransportImpl::initialise().\n";
+ }
+ }
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::set_DH() {
+
+ DH* dh = DH_new();
+ if(dh == 0) {
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,CORBA::COMPLETED_NO);
+ }
+
+ unsigned char dh512_p[] = {
+ 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+ 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+ 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+ 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+ 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+ 0x47,0x74,0xE8,0x33
+ };
+
+ unsigned char dh512_g[] = {
+ 0x02
+ };
+
+ dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), 0);
+ dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), 0);
+ if( !dh->p || !dh->g) {
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,CORBA::COMPLETED_NO);
+ }
+
+ SSL_CTX_set_tmp_dh(pd_ctx, dh);
+ DH_free(dh);
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::set_ephemeralRSA() {
+
+ RSA *rsa;
+
+ rsa = RSA_generate_key(512,RSA_F4,NULL,NULL);
+
+ if (!SSL_CTX_set_tmp_rsa(pd_ctx,rsa)) {
+ OMNIORB_THROW(INITIALIZE,INITIALIZE_TransportError,CORBA::COMPLETED_NO);
+ }
+ RSA_free(rsa);
+}
+
+
+/////////////////////////////////////////////////////////////////////////
+int
+sslContext::set_verify_mode() {
+ return sslContext::verify_mode;
+}
+
+
+/////////////////////////////////////////////////////////////////////////
+static omni_tracedmutex *openssl_locks = 0;
+
+extern "C"
+void sslContext_locking_callback(int mode, int type, const char *,int) {
+
+ if (mode & CRYPTO_LOCK) {
+ openssl_locks[type].lock();
+ }
+ else {
+ OMNIORB_ASSERT(mode & CRYPTO_UNLOCK);
+ openssl_locks[type].unlock();
+ }
+}
+
+/////////////////////////////////////////////////////////////////////////
+#ifndef __WIN32__
+extern "C"
+unsigned long sslContext_thread_id(void) {
+ unsigned long id = (unsigned long)pthread_self();
+ return id;
+}
+#endif
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::thread_setup() {
+ pd_locks = new omni_tracedmutex[CRYPTO_num_locks()];
+ openssl_locks = pd_locks;
+ CRYPTO_set_locking_callback(sslContext_locking_callback);
+#ifndef __WIN32__
+ CRYPTO_set_id_callback(sslContext_thread_id);
+#endif
+}
+
+/////////////////////////////////////////////////////////////////////////
+void
+sslContext::thread_cleanup() {
+ CRYPTO_set_locking_callback(NULL);
+#ifndef __WIN32__
+ CRYPTO_set_id_callback(NULL);
+#endif
+ if (pd_locks) {
+ delete [] pd_locks;
+ openssl_locks = 0;
+ }
+}
+
+/////////////////////////////////////////////////////////////////////////
+static void report_error() {
+
+ if (omniORB::trace(1)) {
+ char buf[128];
+ ERR_error_string_n(ERR_get_error(),buf,128);
+ omniORB::logger log;
+ log << "sslContext.cc : " << (const char*) buf << "\n";
+ }
+}
+
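Review bot: set_DH installs a hard-coded 512-bit prime (dh512_p) and set_ephemeralRSA creates a 512-bit temporary key with RSA_generate_key(512, ...); both are far below any current minimum for ephemeral key exchange and should become 2048-bit or larger DH parameters, with the ephemeral RSA step dropped unless export-grade ciphers are deliberately required. set_DH also leaks dh on the BN_bin2bn failure path because OMNIORB_THROW runs before DH_free; add `DH_free(dh);` immediately before that throw. In seed_PRNG the `int* data = new int[256]` buffer is never released after RAND_seed — add `delete [] data;` after the call (or use a stack array), and the trace message's "adviced"/"consided" typos could be fixed in the same pass. set_supported_versions only clears SSLv2, so SSLv3 stays enabled; a comment on the `SSL_OP_NO_SSLv2` line saying so would stop readers assuming the header's "only accept SSL version 3 or TLS version 1" is the full story.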