integrated changes from 1.3.5

2025-10-20 22:31:31 +02:00 · 2009-06-16 16:56:28 +00:00
parent 29bd22fe69
commit 99c48cff49
66 changed files with 2831 additions and 2086 deletions
--- a/NetSSL_OpenSSL/src/Context.cpp
+++ b/NetSSL_OpenSSL/src/Context.cpp
@@ -1,7 +1,7 @@
 //
 // Context.cpp
 //
-// $Id: //poco/Main/NetSSL_OpenSSL/src/Context.cpp#17 $
+// $Id: //poco/Main/NetSSL_OpenSSL/src/Context.cpp#18 $
 //
 // Library: NetSSL_OpenSSL
 // Package: SSLCore
@@ -63,7 +63,11 @@ Context::Context(
 	_pSSLContext(0)
 {
 	_pSSLContext = SSL_CTX_new(SSLv23_method());
-	if (!_pSSLContext) throw SSLException("Cannot create SSL_CTX object");
+	if (!_pSSLContext) 
+	{
+		unsigned long err = ERR_get_error();
+		throw SSLException("Cannot create SSL_CTX object", ERR_error_string(err, 0));
+	}
 	SSL_CTX_set_default_passwd_cb(_pSSLContext, &SSLManager::privateKeyPasswdCallback);
 	Utility::clearErrorStack();
 	
--- a/NetSSL_OpenSSL/src/SSLInitializer.cpp
+++ b/NetSSL_OpenSSL/src/SSLInitializer.cpp
@@ -1,148 +0,0 @@
-//
-// SSLInitializer.cpp
-//
-// $Id: //poco/Main/NetSSL_OpenSSL/src/SSLInitializer.cpp#11 $
-//
-// Library: NetSSL_OpenSSL
-// Package: SSLCore
-// Module:  SSLInitializer
-//
-// Copyright (c) 2006-2009, Applied Informatics Software Engineering GmbH.
-// and Contributors.
-//
-// Permission is hereby granted, free of charge, to any person or organization
-// obtaining a copy of the software and accompanying documentation covered by
-// this license (the "Software") to use, reproduce, display, distribute,
-// execute, and transmit the Software, and to prepare derivative works of the
-// Software, and to permit third-parties to whom the Software is furnished to
-// do so, all subject to the following:
-// 
-// The copyright notices in the Software and this entire statement, including
-// the above license grant, this restriction and the following disclaimer,
-// must be included in all copies of the Software, in whole or in part, and
-// all derivative works of the Software, unless such copies or derivative
-// works are solely in the form of machine-executable object code generated by
-// a source language processor.
-// 
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-// FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
-// SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
-// FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
-// ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
-// DEALINGS IN THE SOFTWARE.
-//
-
-
-#include "Poco/Net/SSLInitializer.h"
-#include "Poco/Net/KeyConsoleHandler.h"
-#include "Poco/Net/KeyFileHandler.h"
-#include "Poco/RandomStream.h"
-#include "Poco/Thread.h"
-#include <openssl/ssl.h>
-#include <openssl/rand.h>
-#include <openssl/crypto.h>
-
-
-using Poco::RandomInputStream;
-using Poco::Thread;
-using Poco::FastMutex;
-
-
-namespace Poco {
-namespace Net {
-
-
-FastMutex* SSLInitializer::_mutexes(0);
-int SSLInitializer::_rc(0);
-
-
-static SSLInitializer initializer;
-
-
-SSLInitializer::SSLInitializer()
-{
-	initialize();
-}
-
-
-SSLInitializer::~SSLInitializer()
-{
-	uninitialize();
-}
-
-
-void SSLInitializer::initialize()
-{
-	if (++_rc == 1)
-	{
-		poco_assert (1 == SSL_library_init()); // always returns 1
-		SSL_load_error_strings();
-		
-		char seed[SEEDSIZE];
-		RandomInputStream rnd;
-		rnd.read(seed, sizeof(seed));
-		RAND_seed(seed, SEEDSIZE);
-		
-		int nMutexes = CRYPTO_num_locks();
-		_mutexes = new FastMutex[nMutexes];
-		CRYPTO_set_locking_callback(&SSLInitializer::lock);
-#ifndef POCO_OS_FAMILY_WINDOWS // SF# 1828231: random unhandled exceptions when linking with ssl
-		CRYPTO_set_id_callback(&SSLInitializer::id);
-#endif
-		CRYPTO_set_dynlock_create_callback(&SSLInitializer::dynlockCreate);
-		CRYPTO_set_dynlock_lock_callback(&SSLInitializer::dynlock);
-		CRYPTO_set_dynlock_destroy_callback(&SSLInitializer::dynlockDestroy);
-	}
-}
-
-
-void SSLInitializer::uninitialize()
-{
-	if (--_rc == 0)
-	{
-		delete [] _mutexes;
-	}
-}
-
-
-void SSLInitializer::lock(int mode, int n, const char* file, int line)
-{
-	if (mode & CRYPTO_LOCK)
-		_mutexes[n].lock();
-	else
-		_mutexes[n].unlock();
-}
-
-
-unsigned long SSLInitializer::id()
-{
-	Thread* pThread = Thread::current();
-	return pThread ? pThread->id() : 0;
-}
-
-
-struct CRYPTO_dynlock_value* SSLInitializer::dynlockCreate(const char* file, int line)
-{
-	return new CRYPTO_dynlock_value;
-}
-
-
-void SSLInitializer::dynlock(int mode, struct CRYPTO_dynlock_value* lock, const char* file, int line)
-{
-	poco_check_ptr (lock);
-
-	if (mode & CRYPTO_LOCK)
-		lock->_mutex.lock();
-	else
-		lock->_mutex.unlock();
-}
-
-
-void SSLInitializer::dynlockDestroy(struct CRYPTO_dynlock_value* lock, const char* file, int line)
-{
-	delete lock;
-}
-
-
-} } // namespace Poco::Net
--- a/NetSSL_OpenSSL/src/SSLManager.cpp
+++ b/NetSSL_OpenSSL/src/SSLManager.cpp
@@ -1,7 +1,7 @@
 //
 // SSLManager.cpp
 //
-// $Id: //poco/Main/NetSSL_OpenSSL/src/SSLManager.cpp#14 $
+// $Id: //poco/Main/NetSSL_OpenSSL/src/SSLManager.cpp#15 $
 //
 // Library: NetSSL_OpenSSL
 // Package: SSLCore
@@ -38,7 +38,7 @@
 #include "Poco/Net/Context.h"
 #include "Poco/Net/Utility.h"
 #include "Poco/Net/PrivateKeyPassphraseHandler.h"
-#include "Poco/Net/SSLInitializer.h"
+#include "Poco/Crypto/OpenSSLInitializer.h"
 #include "Poco/Net/SSLException.h"
 #include "Poco/SingletonHolder.h"
 #include "Poco/Delegate.h"
@@ -72,7 +72,7 @@ const std::string SSLManager::CFG_CLIENT_PREFIX("openSSL.client.");

 SSLManager::SSLManager()
 {
-	SSLInitializer::initialize();
+	Poco::Crypto::OpenSSLInitializer::initialize();
 }


@@ -81,7 +81,9 @@ SSLManager::~SSLManager()
 	PrivateKeyPassPhrase.clear();
 	ClientVerificationError.clear();
 	ServerVerificationError.clear();
-	SSLInitializer::uninitialize();
+	_ptrDefaultServerContext = 0; // ensure all Context objects go away before we uninitialize OpenSSL.
+	_ptrDefaultClientContext = 0;
+	Poco::Crypto::OpenSSLInitializer::uninitialize();
 }


--- a/NetSSL_OpenSSL/src/SecureSocketImpl.cpp
+++ b/NetSSL_OpenSSL/src/SecureSocketImpl.cpp
@@ -1,7 +1,7 @@
 //
 // SecureSocketImpl.cpp
 //
-// $Id: //poco/Main/NetSSL_OpenSSL/src/SecureSocketImpl.cpp#29 $
+// $Id: //poco/Main/NetSSL_OpenSSL/src/SecureSocketImpl.cpp#30 $
 //
 // Library: NetSSL_OpenSSL
 // Package: SSLSockets
@@ -237,17 +237,14 @@ void SecureSocketImpl::shutdown()
 {
 	if (_pSSL)
 	{
-		// if we can't get a clean SSL shutdown after 10
-		// attempts, something's probably wrong with the
-		// peer and we give up.
-		int rc;
-		int attempts = 0;
-		do
-		{
-			rc = SSL_shutdown(_pSSL);
-			++attempts;
-		}
-		while (rc == 0 && attempts < 10);
+		// A proper clean shutdown would require us to
+		// retry the shutdown if we get a zero return
+		// value, until SSL_shutdown() returns 1.
+		// However, this will lead to problems with
+		// most web browsers, so we just set the shutdown
+		// flag by calling SSL_shutdown() once and be
+		// done with it.
+		int rc = SSL_shutdown(_pSSL);
 		if (rc < 0) handleError(rc);
 		SSL_clear(_pSSL);
 		SSL_free(_pSSL);
@@ -304,7 +301,7 @@ int SecureSocketImpl::receiveBytes(void* buffer, int length, int flags)
 long SecureSocketImpl::verifyCertificate(const std::string& hostName)
 {
 	Context::VerificationMode mode = _pContext->verificationMode();
-	if (mode == Context::VERIFY_NONE || isLocalHost(hostName) && mode != Context::VERIFY_STRICT)
+	if (mode == Context::VERIFY_NONE || (isLocalHost(hostName) && mode != Context::VERIFY_STRICT))
 	{
 		return X509_V_OK;
 	}
--- a/NetSSL_OpenSSL/src/X509Certificate.cpp
+++ b/NetSSL_OpenSSL/src/X509Certificate.cpp
@@ -1,7 +1,7 @@
 //
 // X509Certificate.cpp
 //
-// $Id: //poco/Main/NetSSL_OpenSSL/src/X509Certificate.cpp#13 $
+// $Id: //poco/Main/NetSSL_OpenSSL/src/X509Certificate.cpp#14 $
 //
 // Library: NetSSL_OpenSSL
 // Package: SSLCore
@@ -54,73 +54,30 @@ namespace Net {


 X509Certificate::X509Certificate(std::istream& istr):
-	_pCert(0)
+	Poco::Crypto::X509Certificate(istr)
 {	
-	// copy certificate to a temporary file so that it
-	// can be read by OpenSSL.
-	Poco::TemporaryFile certFile;
-	std::string path = certFile.path();
-	Poco::FileOutputStream ostr(path);
-	Poco::StreamCopier::copyStream(istr, ostr);
-	ostr.close();
-	
-	BIO *pBIO = BIO_new(BIO_s_file());
-	if (!pBIO) throw SSLException("Cannot create BIO for reading certificate file");
-	if (!BIO_read_filename(pBIO, path.c_str()))
-	{
-		BIO_free(pBIO);
-		throw Poco::OpenFileException("Cannot open certificate file for reading");
-	}
-
-	_pCert = PEM_read_bio_X509(pBIO, 0, 0, 0);
-	BIO_free(pBIO);
-	
-	if (!_pCert) throw SSLException("Faild to load certificate");
-
-	init();
 }


 X509Certificate::X509Certificate(const std::string& path):
-	_pCert(0)
+	Poco::Crypto::X509Certificate(path)
 {
-	BIO *pBIO = BIO_new(BIO_s_file());
-	if (!pBIO) throw SSLException("Cannot create BIO for reading certificate file");
-	if (!BIO_read_filename(pBIO, path.c_str()))
-	{
-		BIO_free(pBIO);
-		throw Poco::OpenFileException("Cannot open certificate file for reading");
-	}
-	
-	_pCert = PEM_read_bio_X509(pBIO, 0, 0, 0);
-	BIO_free(pBIO);
-	
-	if (!_pCert) throw SSLException("Faild to load certificate from " + path);
-
-	init();
 }


 X509Certificate::X509Certificate(X509* pCert):
-	_pCert(pCert)
+	Poco::Crypto::X509Certificate(pCert)
 {
-	poco_check_ptr(_pCert);
-	
-	_pCert = X509_dup(_pCert);
-	init();
 }


-X509Certificate::X509Certificate(const X509Certificate& cert):
-	_issuerName(cert._issuerName),
-	_subjectName(cert._subjectName),
-	_pCert(cert._pCert)
+X509Certificate::X509Certificate(const Poco::Crypto::X509Certificate& cert):
+	Poco::Crypto::X509Certificate(cert)
 {
-	_pCert = X509_dup(_pCert);
 }


-X509Certificate& X509Certificate::operator = (const X509Certificate& cert)
+X509Certificate& X509Certificate::operator = (const Poco::Crypto::X509Certificate& cert)
 {
 	X509Certificate tmp(cert);
 	swap(tmp);
@@ -128,41 +85,27 @@ X509Certificate& X509Certificate::operator = (const X509Certificate& cert)
 }


-void X509Certificate::swap(X509Certificate& cert)
-{
-	using std::swap;
-	swap(cert._issuerName, _issuerName);
-	swap(cert._subjectName, _subjectName);
-	swap(cert._pCert, _pCert);
-}
-
-
 X509Certificate::~X509Certificate()
 {
-	X509_free(_pCert);
-}
-
-
-void X509Certificate::init()
-{
-	char buffer[NAME_BUFFER_SIZE];
-	X509_NAME_oneline(X509_get_issuer_name(_pCert), buffer, sizeof(buffer));
-	_issuerName = buffer;
-	X509_NAME_oneline(X509_get_subject_name(_pCert), buffer, sizeof(buffer));
-	_subjectName = buffer;
 }


 long X509Certificate::verify(const std::string& hostName) const
+{
+	return verify(*this, hostName);
+}
+
+
+long X509Certificate::verify(const Poco::Crypto::X509Certificate& certificate, const std::string& hostName)
 {		
 	std::string commonName;
 	std::set<std::string> dnsNames;
-	extractNames(commonName, dnsNames);
+	certificate.extractNames(commonName, dnsNames);
 	bool ok = (dnsNames.find(hostName) != dnsNames.end());

 	char buffer[NAME_BUFFER_SIZE];
 	X509_NAME* subj = 0;
-	if (!ok && (subj = X509_get_subject_name(_pCert)) && X509_NAME_get_text_by_NID(subj, NID_commonName, buffer, sizeof(buffer)) > 0)
+	if (!ok && (subj = X509_get_subject_name(const_cast<X509*>(certificate.certificate()))) && X509_NAME_get_text_by_NID(subj, NID_commonName, buffer, sizeof(buffer)) > 0)
 	{
 		buffer[NAME_BUFFER_SIZE - 1] = 0;
 		std::string commonName(buffer); // commonName can contain wildcards like *.appinf.com
@@ -241,60 +184,4 @@ bool X509Certificate::matchByAlias(const std::string& alias, const HostEntry& he
 }


-std::string X509Certificate::commonName() const
-{
-	if (X509_NAME* subj = X509_get_subject_name(_pCert))
-    {
-		char buffer[NAME_BUFFER_SIZE];
-		X509_NAME_get_text_by_NID(subj, NID_commonName, buffer, sizeof(buffer));
-		return std::string(buffer);
-    }
-    else return std::string();
-}
-
-
-void X509Certificate::extractNames(std::string& cmnName, std::set<std::string>& domainNames) const
-{
-	domainNames.clear(); 
-	if (STACK_OF(GENERAL_NAME)* names = static_cast<STACK_OF(GENERAL_NAME)*>(X509_get_ext_d2i(_pCert, NID_subject_alt_name, 0, 0)))
-    {
-		for (int i = 0; i < sk_GENERAL_NAME_num(names); ++i)
-        {
-			const GENERAL_NAME* name = sk_GENERAL_NAME_value(names, i);
-			if (name->type == GEN_DNS)
-			{
-				const char* data = reinterpret_cast<char*>(ASN1_STRING_data(name->d.ia5));
-				std::size_t len = ASN1_STRING_length(name->d.ia5);
-				domainNames.insert(std::string(data, len));
-            }
-		}
-		GENERAL_NAMES_free(names);
-	}
- 
-	cmnName = commonName();
-	if (!cmnName.empty() && domainNames.empty())
-	{
-		domainNames.insert(cmnName);
-	}
-}
-
-
-Poco::DateTime X509Certificate::validFrom() const
-{
-	ASN1_TIME* certTime = X509_get_notBefore(_pCert);
-	std::string dateTime(reinterpret_cast<char*>(certTime->data));
-	int tzd;
-	return DateTimeParser::parse("%y%m%d%H%M%S", dateTime, tzd);
-}
-
-	
-Poco::DateTime X509Certificate::expiresOn() const
-{
-	ASN1_TIME* certTime = X509_get_notAfter(_pCert);
-	std::string dateTime(reinterpret_cast<char*>(certTime->data));
-	int tzd;
-	return DateTimeParser::parse("%y%m%d%H%M%S", dateTime, tzd);
-}
-
-
 } } // namespace Poco::Net