diff --git a/NetSSL_OpenSSL/include/Poco/Net/AcceptCertificateHandler.h b/NetSSL_OpenSSL/include/Poco/Net/AcceptCertificateHandler.h
index 2d92c629a..b7495b3ca 100644
--- a/NetSSL_OpenSSL/include/Poco/Net/AcceptCertificateHandler.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/AcceptCertificateHandler.h
@@ -27,7 +27,7 @@ namespace Net {
 class NetSSL_API AcceptCertificateHandler: public InvalidCertificateHandler
- /// A AcceptCertificateHandler is invoked whenever an error
+ /// A AcceptCertificateHandler is invoked whenever an error
 /// occurs verifying the certificate. It always accepts
 /// the certificate.
 ///
diff --git a/NetSSL_OpenSSL/include/Poco/Net/Context.h b/NetSSL_OpenSSL/include/Poco/Net/Context.h
index 35b640a45..754fcc945 100644
--- a/NetSSL_OpenSSL/include/Poco/Net/Context.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/Context.h
@@ -20,10 +20,12 @@
 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/SocketDefs.h"
+#include "Poco/Net/InvalidCertificateHandler.h"
 #include "Poco/Crypto/X509Certificate.h"
 #include "Poco/Crypto/EVPPKey.h"
 #include "Poco/Crypto/RSAKey.h"
 #include "Poco/RefCountedObject.h"
+#include "Poco/SharedPtr.h"
 #include "Poco/AutoPtr.h"
 #include
 #include
@@ -188,6 +190,8 @@ public:
 /// "X448:X25519:ffdhe4096:ffdhe3072:ffdhe2048:ffdhe6144:ffdhe8192:P-521:P-384:P-256"
 };
+ using InvalidCertificateHandlerPtr = Poco::SharedPtr;
+
 Context(Usage usage, const Params& params);
 /// Creates a Context using the given parameters.
 ///
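Review bot: A second `InvalidCertificateHandlerPtr` alias is introduced on Context while SSLManager.h already has one (it is the type of `_ptrClientCertificateHandler` in that header's hunk); the template argument of the new alias is not legible on this page, but if both name the same SharedPtr, one alias next to the handler class in InvalidCertificateHandler.h, e.g. `using Ptr = Poco::SharedPtr<InvalidCertificateHandler>;`, would let Context and SSLManager both reuse it the way `Context::Ptr` already serves Context. Two independently declared aliases for the same handler can drift, and SSLManager::verifyCallback is the place that has to juggle both.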
@@ -397,6 +401,16 @@ public:
 /// preferences. When called, the SSL/TLS server will choose following its own
 /// preferences.
+ void setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificageHandler);
+ /// Sets a Context-specific InvalidCertificateHandler.
+ ///
+ /// If specified, this InvalidCertificateHandler will be used instead of the
+ /// one globally set in the SSLManager.
+
+ InvalidCertificateHandlerPtr getInvalidCertificateHandler() const;
+ /// Returns the InvalidCertificateHandler set for this Context,
+ /// or a null pointer if none has been set.
+
 private:
 void init(const Params& params);
 /// Initializes the Context with the given parameters.
@@ -415,6 +429,7 @@ private:
 VerificationMode _mode;
 SSL_CTX* _pSSLContext;
 bool _extendedCertificateVerification;
+ InvalidCertificateHandlerPtr _pInvalidCertificateHandler;
 };
@@ -456,6 +471,12 @@ inline bool Context::extendedCertificateVerificationEnabled() const
 }
+inline Context::InvalidCertificateHandlerPtr Context::getInvalidCertificateHandler() const
+{
+ return _pInvalidCertificateHandler;
+}
+
+
 } } // namespace Poco::Net
diff --git a/NetSSL_OpenSSL/include/Poco/Net/InvalidCertificateHandler.h b/NetSSL_OpenSSL/include/Poco/Net/InvalidCertificateHandler.h
index e10faf3cd..8cf538e50 100644
--- a/NetSSL_OpenSSL/include/Poco/Net/InvalidCertificateHandler.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/InvalidCertificateHandler.h
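Review bot: The parameter is spelled `pInvalidCertificageHandler` in this declaration but `pInvalidCertificateHandler` in the Context.cpp definition; the header should read `void setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificateHandler);`. Neither the setter in Context.cpp nor the inline getter takes a lock, and SSLManager::verifyCallback reads the pointer from whichever thread is running the handshake, so replacing the handler while sockets built on this Context are active is a data race; the doc comment should say so, e.g. `/// Must be set before the Context is used by any socket; the handler is read without synchronization from the verify callback.` The same note covers the Context.cpp hunk that adds setInvalidCertificateHandler().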
@@ -19,20 +19,22 @@
 #include "Poco/Net/NetSSL.h"
-#include "Poco/Net/VerificationErrorArgs.h"
 namespace Poco {
 namespace Net {
+class VerificationErrorArgs;
+
+
 class NetSSL_API InvalidCertificateHandler
 /// A InvalidCertificateHandler is invoked whenever an error occurs verifying the certificate. It allows the user
 /// to inspect and accept/reject the certificate.
 /// One can install one's own InvalidCertificateHandler by implementing this interface. Note that
- /// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API
+ /// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API
 /// and the name of your handler class is MyGuiHandler):
- ///
+ ///
 /// #include "Poco/Net/CertificateHandlerFactory.h"
 /// ...
 /// POCO_REGISTER_CHFACTORY(My_API, MyGuiHandler)
@@ -43,7 +45,7 @@ class NetSSL_API InvalidCertificateHandler
 ///
 /// or in case one uses Poco::Util::Application one can rely on an XML configuration and put the following entry
 /// under the path openSSL.invalidCertificateHandler:
- ///
+ ///
 ///
 /// MyGuiHandler
 ///
@@ -56,7 +58,7 @@ class NetSSL_API InvalidCertificateHandler
 public:
 InvalidCertificateHandler(bool handleErrorsOnServerSide);
 /// Creates the InvalidCertificateHandler.
- ///
+ ///
 /// Set handleErrorsOnServerSide to true if the certificate handler is used on the server side.
 /// Automatically registers at one of the SSLManager::VerificationError events.
diff --git a/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h b/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
index 33a902a80..fa2052b74 100644
--- a/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h
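Review bot: The constructor doc kept as context in the last hunk, `/// Automatically registers at one of the SSLManager::VerificationError events.`, is no longer true once src/InvalidCertificateHandler.cpp in this commit removes the event registration from the constructor and destructor; a handler is now only reached through `Context::setInvalidCertificateHandler()` or as the SSLManager's client/server handler. Replace it with `/// The handler is invoked from SSLManager::verifyCallback when installed on a Context or as the SSLManager's client/server handler; it no longer subscribes to the VerificationError events itself.` Dropping `#include "Poco/Net/VerificationErrorArgs.h"` from this header also means third-party subclasses that implement onInvalidCertificate and relied on the transitive include stop compiling, and since the class comment explicitly invites such subclasses, that deserves a line in the comment or the release notes.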
@@ -278,6 +278,10 @@ protected:
 /// Throws a InvalidStateException if not application instance
 /// is available.
+ int contextIndex() const;
+ /// Returns the index for SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data() to
+ /// store the Context* in the underlying SSL_CTX.
+
 private:
 SSLManager();
 /// Creates the SSLManager.
@@ -310,6 +314,7 @@ private:
 Context::Ptr _ptrDefaultClientContext;
 PrivateKeyPassphraseHandlerPtr _ptrClientPassphraseHandler;
 InvalidCertificateHandlerPtr _ptrClientCertificateHandler;
+ int _contextIndex;
 Poco::FastMutex _mutex;
 static const std::string CFG_PRIV_KEY_FILE;
@@ -389,6 +394,12 @@ inline int SSLManager::verifyClientCallback(int ok, X509_STORE_CTX* pStore)
 }
+inline int SSLManager::contextIndex() const
+{
+ return _contextIndex;
+}
+
+
 } } // namespace Poco::Net
diff --git a/NetSSL_OpenSSL/include/Poco/Net/VerificationErrorArgs.h b/NetSSL_OpenSSL/include/Poco/Net/VerificationErrorArgs.h
index 55ef897bb..2503ae284 100644
--- a/NetSSL_OpenSSL/include/Poco/Net/VerificationErrorArgs.h
+++ b/NetSSL_OpenSSL/include/Poco/Net/VerificationErrorArgs.h
@@ -20,6 +20,7 @@
 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/X509Certificate.h"
+#include "Poco/Net/Context.h"
 namespace Poco {
@@ -30,12 +31,15 @@ class NetSSL_API VerificationErrorArgs
 /// A utility class for certificate error handling.
 {
 public:
- VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
+ VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
 /// Creates the VerificationErrorArgs. _ignoreError is per default set to false.
 ~VerificationErrorArgs();
 /// Destroys the VerificationErrorArgs.
+ Poco::Net::Context::Ptr context() const;
+ /// Returns the Context of the underlying connection causing the error.
+
 const X509Certificate& certificate() const;
 /// Returns the certificate that caused the error.
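Review bot: Replacing the four-argument `VerificationErrorArgs` constructor rather than adding an overload breaks every external caller that builds the args itself (custom handlers, their tests), and the new `context()` accessor is documented as returning the Context without saying whether it can be null. Keep the old signature as a delegating overload, `VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);`, passing a null Context, and add to the accessor `/// May be a null pointer when the args were not created by SSLManager::verifyCallback.` so handlers check before dereferencing.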
@@ -55,6 +59,7 @@ public:
 /// returns the value of _ignoreError
 private:
+ Poco::Net::Context::Ptr _pContext;
 X509Certificate _cert;
 int _errorDepth;
 int _errorNumber;
@@ -66,6 +71,12 @@ private:
 //
 // inlines
 //
+inline Poco::Net::Context::Ptr VerificationErrorArgs::context() const
+{
+ return _pContext;
+}
+
+
 inline const X509Certificate& VerificationErrorArgs::certificate() const
 {
 return _cert;
diff --git a/NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp b/NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp
index 84017f7c3..94d853c1b 100644
--- a/NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp
+++ b/NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp
@@ -13,6 +13,7 @@
 #include "Poco/Net/AcceptCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 namespace Poco {
diff --git a/NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp b/NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp
index db64752e7..4fa1585c6 100644
--- a/NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp
+++ b/NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp
@@ -13,6 +13,7 @@
 #include "Poco/Net/ConsoleCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 #include
diff --git a/NetSSL_OpenSSL/src/Context.cpp b/NetSSL_OpenSSL/src/Context.cpp
index 23a08af3b..43dde8404 100644
--- a/NetSSL_OpenSSL/src/Context.cpp
+++ b/NetSSL_OpenSSL/src/Context.cpp
@@ -174,6 +174,7 @@ void Context::init(const Params& params)
 SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
 SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
 SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this);
 initDH(params.dhUse2048Bits, params.dhParamsFile);
 initECDH(params.ecdhCurve);
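Review bot: The return value of `SSL_CTX_set_ex_data()` in the Context.cpp hunk is discarded; when it fails (it returns 0, for instance with an invalid index) no Context* is attached to the SSL_CTX, and the only thing between that and a null dereference in SSLManager::verifyCallback is a `poco_assert_dbg` that disappears in release builds. Surface it where it happens: `if (!SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this))` followed by `throw SSLContextException("Cannot attach Context to SSL_CTX");`, assuming SSLContextException is the type init() already throws for other SSL_CTX setup failures. The rest of init() lies outside the hunk.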
@@ -463,6 +464,12 @@ void Context::preferServerCiphers()
 }
+void Context::setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificateHandler)
+{
+ _pInvalidCertificateHandler = pInvalidCertificateHandler;
+}
+
+
 void Context::createSSLContext()
 {
 int minTLSVersion = 0;
diff --git a/NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp b/NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp
index 7cf68613c..3afd6a9bc 100644
--- a/NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp
+++ b/NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp
@@ -26,26 +26,11 @@ namespace Net {
 InvalidCertificateHandler::InvalidCertificateHandler(bool handleErrorsOnServerSide):
 _handleErrorsOnServerSide(handleErrorsOnServerSide)
 {
- if (_handleErrorsOnServerSide)
- SSLManager::instance().ServerVerificationError += Delegate(this, &InvalidCertificateHandler::onInvalidCertificate);
- else
- SSLManager::instance().ClientVerificationError += Delegate(this, &InvalidCertificateHandler::onInvalidCertificate);
 }
 InvalidCertificateHandler::~InvalidCertificateHandler()
 {
- try
- {
- if (_handleErrorsOnServerSide)
- SSLManager::instance().ServerVerificationError -= Delegate(this, &InvalidCertificateHandler::onInvalidCertificate);
- else
- SSLManager::instance().ClientVerificationError -= Delegate(this, &InvalidCertificateHandler::onInvalidCertificate);
- }
- catch (...)
- {
- poco_unexpected();
- }
 }
diff --git a/NetSSL_OpenSSL/src/RejectCertificateHandler.cpp b/NetSSL_OpenSSL/src/RejectCertificateHandler.cpp
index 1502a13e8..cc2a39ffc 100644
--- a/NetSSL_OpenSSL/src/RejectCertificateHandler.cpp
+++ b/NetSSL_OpenSSL/src/RejectCertificateHandler.cpp
@@ -13,6 +13,7 @@
 #include "Poco/Net/RejectCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 namespace Poco {
diff --git a/NetSSL_OpenSSL/src/SSLManager.cpp b/NetSSL_OpenSSL/src/SSLManager.cpp
index bf5ef4600..f469adb69 100644
--- a/NetSSL_OpenSSL/src/SSLManager.cpp
+++ b/NetSSL_OpenSSL/src/SSLManager.cpp
@@ -67,7 +67,8 @@ const bool SSLManager::VAL_FIPS_MODE(false);
 #endif
-SSLManager::SSLManager()
+SSLManager::SSLManager():
+ _contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL))
 {
 }
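Review bot: `SSL_CTX_get_ex_new_index()` returns -1 when OpenSSL cannot allocate an index, and the initializer stores that value in `_contextIndex` unchecked; the later `SSL_CTX_set_ex_data()` in Context::init then fails silently and every verify callback sees a null Context. Failing at the source is cheaper to diagnose: in the constructor body, `if (_contextIndex < 0) throw SSLException("Cannot allocate SSL_CTX ex_data index for Context");`, assuming SSLException is in scope in this file. The `NULL` arguments could be `nullptr` to match C++ usage elsewhere, though the file's convention is not visible in this hunk.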
@@ -204,16 +205,45 @@ int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
 {
 if (!ok)
 {
+ SSLManager& sslManager = SSLManager::instance();
+ SSL* pSSL = reinterpret_cast(X509_STORE_CTX_get_ex_data(pStore, SSL_get_ex_data_X509_STORE_CTX_idx()));
+ poco_assert_dbg (pSSL);
+ SSL_CTX* pSSLContext = SSL_get_SSL_CTX(pSSL);
+ poco_assert_dbg (pSSLContext);
+
+ Context* pContext = reinterpret_cast(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex()));
+ poco_assert_dbg (pContext);
+
 X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
 X509Certificate x509(pCert, true);
 int depth = X509_STORE_CTX_get_error_depth(pStore);
 int err = X509_STORE_CTX_get_error(pStore);
 std::string error(X509_verify_cert_error_string(err));
- VerificationErrorArgs args(x509, depth, err, error);
+ VerificationErrorArgs args(Context::Ptr(pContext, true), x509, depth, err, error);
 if (server)
- SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
+ {
+ if (pContext->getInvalidCertificateHandler())
+ {
+ pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+ }
+ else if (sslManager._ptrServerCertificateHandler)
+ {
+ sslManager._ptrServerCertificateHandler->onInvalidCertificate(&sslManager, args);
+ }
+ sslManager.ServerVerificationError.notify(&sslManager, args);
+ }
 else
- SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
+ {
+ if (pContext->getInvalidCertificateHandler())
+ {
+ pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+ }
+ else if (sslManager._ptrClientCertificateHandler)
+ {
+ sslManager._ptrClientCertificateHandler->onInvalidCertificate(&sslManager, args);
+ }
+ sslManager.ClientVerificationError.notify(&sslManager, args);
+ }
 ok = args.getIgnoreError() ? 1 : 0;
 }
diff --git a/NetSSL_OpenSSL/src/VerificationErrorArgs.cpp b/NetSSL_OpenSSL/src/VerificationErrorArgs.cpp
index f7f6451b1..8c4f7d812 100644
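Review bot: In a release build the three `poco_assert_dbg` checks on pSSL, pSSLContext and pContext compile out, so an SSL_CTX that never received its ex_data (a failed `SSL_CTX_set_ex_data()` in Context::init, or an SSL_CTX not owned by a Poco Context) makes the callback dereference a null pContext at `pContext->getInvalidCertificateHandler()`; an OpenSSL verify callback is the wrong place to crash or throw, so that path should fail closed by leaving ok at 0 and skipping the handlers. Second, `getInvalidCertificateHandler()` is called twice in each branch, once to test and once to invoke, so a `setInvalidCertificateHandler()` from another thread between the two calls leaves a null handler being invoked; copy the SharedPtr once and use the copy. Third, the server and client branches differ only in which manager member and which event they pick, so a single selection step removes the duplicated block. The rewrite below assumes Context's and SSLManager's handler aliases name the same SharedPtr type and uses `static_cast` for the `void*` the ex_data accessors return; verifyCallback's return statement lies outside the hunk.
```cpp
		SSLManager& sslManager = SSLManager::instance();
		SSL* pSSL = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(pStore, SSL_get_ex_data_X509_STORE_CTX_idx()));
		SSL_CTX* pSSLContext = pSSL ? SSL_get_SSL_CTX(pSSL) : nullptr;
		Context* pContext = pSSLContext ? static_cast<Context*>(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex())) : nullptr;
		if (!pContext) return 0; // fail closed: no Context to consult, the verification error stands
		// … unchanged: x509, depth, err, error, args …
		// one copy of the handler, so a concurrent setInvalidCertificateHandler() cannot null it between test and call
		Context::InvalidCertificateHandlerPtr pHandler = pContext->getInvalidCertificateHandler();
		if (!pHandler) pHandler = server ? sslManager._ptrServerCertificateHandler : sslManager._ptrClientCertificateHandler;
		if (pHandler) pHandler->onInvalidCertificate(&sslManager, args);
		if (server)
			sslManager.ServerVerificationError.notify(&sslManager, args);
		else
			sslManager.ClientVerificationError.notify(&sslManager, args);
		ok = args.getIgnoreError() ? 1 : 0;
```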
--- a/NetSSL_OpenSSL/src/VerificationErrorArgs.cpp
+++ b/NetSSL_OpenSSL/src/VerificationErrorArgs.cpp
@@ -19,7 +19,8 @@ namespace Poco {
 namespace Net {
-VerificationErrorArgs::VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
+VerificationErrorArgs::VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
+ _pContext(pContext),
 _cert(cert),
 _errorDepth(errDepth),
 _errorNumber(errNum),
diff --git a/NetSSL_OpenSSL/testsuite/src/TCPServerTest.cpp b/NetSSL_OpenSSL/testsuite/src/TCPServerTest.cpp
index 8948178a8..50831f2be 100644
--- a/NetSSL_OpenSSL/testsuite/src/TCPServerTest.cpp
+++ b/NetSSL_OpenSSL/testsuite/src/TCPServerTest.cpp
@@ -18,6 +18,8 @@
 #include "Poco/Net/SecureStreamSocket.h"
 #include "Poco/Net/SecureServerSocket.h"
 #include "Poco/Net/Context.h"
+#include "Poco/Net/RejectCertificateHandler.h"
+#include "Poco/Net/AcceptCertificateHandler.h"
 #include "Poco/Net/Session.h"
 #include "Poco/Net/SSLManager.h"
 #include "Poco/Util/Application.h"
@@ -70,6 +72,26 @@ namespace
 }
 }
 };
+
+ class NullConnection: public TCPServerConnection
+ {
+ public:
+ NullConnection(const StreamSocket& s): TCPServerConnection(s)
+ {
+ }
+
+ void run()
+ {
+ SecureStreamSocket& ss = static_cast(socket());
+ try
+ {
+ ss.completeHandshake();
+ }
+ catch (...)
+ {
+ }
+ }
+ };
 }
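Review bot: `void run()` in NullConnection overrides TCPServerConnection's virtual run() without `override`, so any future signature drift would silently declare a new function instead of failing to compile; write `void run() override`. The empty `catch (...)` around `completeHandshake()` is reasonable for a stub whose only job is to drive the client-side verification, but a one-line comment such as `// handshake failures are expected here; the client side decides the outcome` keeps the next reader from "fixing" it.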
@@ -381,6 +403,50 @@ void TCPServerTest::testReuseSession()
 }
+void TCPServerTest::testContextInvalidCertificateHandler()
+{
+ SecureServerSocket svs(0);
+ TCPServer srv(new TCPServerConnectionFactoryImpl(), svs);
+ srv.start();
+
+ Context::Ptr pClientContext = new Context(
+ Context::CLIENT_USE,
+ "",
+ "",
+ "",
+ Context::VERIFY_RELAXED,
+ 9,
+ true,
+ "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
+
+ pClientContext->setInvalidCertificateHandler(new Poco::Net::RejectCertificateHandler(false));
+
+ SocketAddress sa("127.0.0.1", svs.address().port());
+
+ try
+ {
+ SecureStreamSocket ss1(sa, pClientContext);
+ fail("must throw with RejectCertificateHandler");
+ }
+ catch (...)
+ {
+ }
+
+ pClientContext->setInvalidCertificateHandler(new Poco::Net::AcceptCertificateHandler(false));
+
+ try
+ {
+ SecureStreamSocket ss1(sa, pClientContext);
+ }
+ catch (...)
+ {
+ fail("must not throw with AcceptCertificateHandler");
+ }
+
+ srv.stop();
+}
+
+
 void TCPServerTest::setUp()
 {
 }
@@ -400,6 +466,7 @@ CppUnit::Test* TCPServerTest::suite()
 CppUnit_addTest(pSuite, TCPServerTest, testMultiConnections);
 CppUnit_addTest(pSuite, TCPServerTest, testReuseSocket);
 CppUnit_addTest(pSuite, TCPServerTest, testReuseSession);
+ CppUnit_addTest(pSuite, TCPServerTest, testContextInvalidCertificateHandler);
 return pSuite;
 }
diff --git a/NetSSL_OpenSSL/testsuite/src/TCPServerTest.h b/NetSSL_OpenSSL/testsuite/src/TCPServerTest.h
index f3b42c911..a252d6204 100644
--- a/NetSSL_OpenSSL/testsuite/src/TCPServerTest.h
+++ b/NetSSL_OpenSSL/testsuite/src/TCPServerTest.h
@@ -29,6 +29,7 @@ public:
 void testMultiConnections();
 void testReuseSocket();
 void testReuseSession();
+ void testContextInvalidCertificateHandler();
 void setUp();
 void tearDown();
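Review bot: `fail("must throw with RejectCertificateHandler")` sits inside the try whose `catch (...)` swallows everything, so the CppUnit exception that fail() throws is caught as well and the test passes even when the connection succeeds — the negative case this test exists for is never checked. Catch only the expected failure, `catch (Poco::Exception&)`, assuming the rejected handshake surfaces as an SSLException, or set a flag in the catch and assert it after the try. The second try block is fine as written because its fail() is in the catch.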