diff --git a/cpp/include/Ice/ClientAuthenticationOptions.h b/cpp/include/Ice/ClientAuthenticationOptions.h
index b1c97e266d9..bdb6154977a 100644
--- a/cpp/include/Ice/ClientAuthenticationOptions.h
+++ b/cpp/include/Ice/ClientAuthenticationOptions.h
@@ -46,10 +46,10 @@ namespace Ice::SSL
 {
 #if defined(_WIN32)
 /**
- * A callback that allows selecting the client credentials based on the target server host name.
+ * A callback that allows selecting the client's credentials based on the target server host name.
 *
 * @param host The target server host name.
- * @return The server credentials. The credentials must remain valid for the duration of the connection.
+ * @return The client credentials. The credentials must remain valid for the duration of the connection.
 *
 * [See Detailed Schannel documentation on Schannel credentials](
 * https://learn.microsoft.com/en-us/windows/win32/secauthn/acquirecredentialshandle--schannel)
@@ -57,9 +57,8 @@ namespace Ice::SSL
 std::function clientCredentialsSelectionCallback;
 
 /**
- * A callback that allows manual validation of the client server's certificate chain during the SSL handshake.
- * This callback allows for implementing custom verification logic. When the verification callback returns
- * false, the connection will be aborted with an Ice::SecurityException.
+ * A callback that allows manually validating the server certificate chain. When the verification callback
+ * returns false, the connection will be aborted with an Ice::SecurityException.
 *
 * @param context A CtxtHandle representing the security context associated with the current connection. This
 * context contains security data relevant for validation, such as the server's certificate chain and cipher
@@ -83,7 +82,7 @@ namespace Ice::SSL
 * @return The client's certificate chain. The certificate chain must remain valid for the duration of the
 * connection.
 *
- * The requirements for the Secure Transport certificates are documented in
+ * The requirements for the Secure Transport certificate chain are documented in
 * https://developer.apple.com/documentation/security/1392400-sslsetcertificate?changes=_3&language=objc
 */
 std::function clientCertificateSelectionCallback;
@@ -143,10 +142,8 @@ namespace Ice::SSL
 std::function sslNewSessionCallback;
 
 /**
- * A callback that allows manual validation of the server certificate chain during the SSL handshake. This
- * callback is called from the SSL_verify_cb function in OpenSSL and provides an interface for custom
- * verification logic beyond the standard certificate checking process. When the verification callback returns
- * false, the connection will be aborted with an Ice::SecurityException.
+ * A callback that allows manually validating the server certificate chain. When the verification callback
+ * returns false, the connection will be aborted with an Ice::SecurityException.
 *
 * @param verified A boolean indicating whether the preliminary certificate verification done by OpenSSL's
 * built-in mechanisms succeeded or failed. True if the preliminary checks passed, false otherwise.
diff --git a/cpp/include/Ice/SSLConnectionInfo.h b/cpp/include/Ice/SSLConnectionInfo.h
index a6adf549969..4ccda67c19c 100644
--- a/cpp/include/Ice/SSLConnectionInfo.h
+++ b/cpp/include/Ice/SSLConnectionInfo.h
@@ -34,18 +34,15 @@ namespace IceSSL * @param adapterName The name of the adapter associated with the connection. * @param connectionId The connection id. * @param certs The certificate chain. - * @param host The host name. */ ConnectionInfo( const Ice::ConnectionInfoPtr& underlying, bool incoming, const std::string& adapterName, const std::string& connectionId, - const std::vector& certs, - const std::string& host) + const std::vector& certs) : Ice::ConnectionInfo(underlying, incoming, adapterName, connectionId), - certs(certs), - host(host) + certs(certs) { } @@ -56,8 +53,6 @@ namespace IceSSL * The certificate chain. */ std::vector certs; - std::string host; - std::string desc; }; } diff --git a/cpp/include/Ice/ServerAuthenticationOptions.h b/cpp/include/Ice/ServerAuthenticationOptions.h index b4f21684a3d..27ee2c2ecb8 100644 --- a/cpp/include/Ice/ServerAuthenticationOptions.h +++ b/cpp/include/Ice/ServerAuthenticationOptions.h @@ -62,10 +62,8 @@ namespace Ice::SSL bool clientCertificateRequired; /** - * A callback that allows manual validation of the client certificate chain during the SSL handshake. Unlike - * other implementations, Schannel does not automatically validate the client certificate chain. This callback - * allows for implementing custom verification logic. When the verification callback returns false, the - * connection will be aborted with an Ice::SecurityException. + * A callback that allows manually validating the client certificate chain. When the verification callback + * returns false, the connection will be aborted with an Ice::SecurityException. * * @param context A CtxtHandle representing the security context associated with the current connection. This * context contains security data relevant for validation, such as the client's certificate chain and cipher 
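Review bot: Removing `host` from the public `IceSSL::ConnectionInfo` (constructor at -34, member at -56) takes away the one field a custom verifier or trust-manager rule could compare against the names in the peer certificate, and nothing in the hunk says where that comparison now happens. If the intent is that host-name verification is done by the SSL engine before a connection is ever exposed through `getInfo()`, record that on the class doc, e.g. ` * The target host name is not exposed here; name verification is performed by the engine before the connection becomes usable.` — but only if that is actually the contract. The class declaration and its documentation start outside the hunk.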
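Review bot: The rewritten doc comment for the Schannel client-verification callback at -62 drops the sentence that Schannel, unlike the other implementations, does not validate the client certificate chain on its own. That sentence was the only signal that on Windows this callback is the whole check rather than an add-on, and a server that sets `clientCertificateRequired` without installing the callback needs to know whether the chain is checked at all. If the behavior is unchanged, keep one sentence, e.g. ` * Schannel does not validate the client certificate chain automatically; this callback is the only validation performed.`; if the engine now validates the chain itself, the comment should say that instead. The member this comment documents follows the hunk.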
@@ -156,10 +154,8 @@ namespace Ice::SSL
 std::function sslNewSessionCallback;
 
 /**
- * A callback that allows manual validation of the client certificate chain during the SSL handshake. This
- * callback is called from the SSL_verify_cb function in OpenSSL and provides an interface for custom
- * verification logic beyond the standard certificate checking process. When the verification callback returns
- * false, the connection will be aborted with an Ice::SecurityException.
+ * A callback that allows manually validating the client certificate chain. When the verification callback
+ * returns false, the connection will be aborted with an Ice::SecurityException.
 *
 * @param verified A boolean indicating whether the preliminary certificate verification done by OpenSSL's
 * built-in mechanisms succeeded or failed. True if the preliminary checks passed, false otherwise.
diff --git a/cpp/src/Ice/ObjectAdapterFactory.cpp b/cpp/src/Ice/ObjectAdapterFactory.cpp
index 1730bbe58c2..b5ef3906ff4 100644
--- a/cpp/src/Ice/ObjectAdapterFactory.cpp
+++ b/cpp/src/Ice/ObjectAdapterFactory.cpp
@@ -116,8 +116,8 @@ IceInternal::ObjectAdapterFactory::updateObservers(void (ObjectAdapterI::*fn)())
 
 ObjectAdapterPtr
 IceInternal::ObjectAdapterFactory::createObjectAdapter(
- const std::string& name,
- const std::optional& router,
+ const string& name,
+ const optional& router,
 const optional& serverAuthenticationOptions)
 {
 shared_ptr adapter;
diff --git a/cpp/src/Ice/ObjectAdapterI.h b/cpp/src/Ice/ObjectAdapterI.h
index 3cc9c1709d1..5bfae1fed2f 100644
--- a/cpp/src/Ice/ObjectAdapterI.h
+++ b/cpp/src/Ice/ObjectAdapterI.h
@@ -99,12 +99,12 @@ namespace Ice void decDirectCount(); IceInternal::ThreadPoolPtr getThreadPool() const; - void setAdapterOnConnection(const Ice::ConnectionIPtr&); + void setAdapterOnConnection(const ConnectionIPtr&); size_t messageSizeMax() const { return _messageSizeMax; } // The dispatch pipeline is the dispatcher plus the logger and observer middleware. They are installed in the // dispatch pipeline only when the communicator configuration enables them. - const Ice::ObjectPtr& dispatchPipeline() const noexcept { return _dispatchPipeline; } + const ObjectPtr& dispatchPipeline() const noexcept { return _dispatchPipeline; } ObjectAdapterI( const IceInternal::InstancePtr&, @@ -112,10 +112,10 @@ namespace Ice const IceInternal::ObjectAdapterFactoryPtr&, const std::string&, bool, - const std::optional&); + const std::optional&); virtual ~ObjectAdapterI(); - std::optional getServerAuthenticationOptions() const + std::optional getServerAuthenticationOptions() const { return _serverAuthenticationOptions; } @@ -130,8 +130,8 @@ namespace Ice void checkForDeactivation() const; std::vector parseEndpoints(const std::string&, bool) const; std::vector computePublishedEndpoints(); - void updateLocatorRegistry(const IceInternal::LocatorInfoPtr&, const std::optional&); - bool filterProperties(Ice::StringSeq&); + void updateLocatorRegistry(const IceInternal::LocatorInfoPtr&, const std::optional&); + bool filterProperties(StringSeq&); enum State { @@ -168,7 +168,7 @@ namespace Ice size_t _messageSizeMax; mutable std::recursive_mutex _mutex; std::condition_variable_any _conditionVariable; - const std::optional _serverAuthenticationOptions; + const std::optional _serverAuthenticationOptions; }; } diff --git a/cpp/src/Ice/WSEndpoint.cpp b/cpp/src/Ice/WSEndpoint.cpp index df90dfdf478..8be02fd794b 100644 --- a/cpp/src/Ice/WSEndpoint.cpp +++ b/cpp/src/Ice/WSEndpoint.cpp 
@@ -240,7 +240,7 @@ IceInternal::WSEndpoint::connectorsAsync( AcceptorPtr IceInternal::WSEndpoint::acceptor( const string& adapterName, - const optional& serverAuthenticationOptions) const + const optional& serverAuthenticationOptions) const { AcceptorPtr acceptor = _delegate->acceptor(adapterName, serverAuthenticationOptions); return make_shared(const_cast(this)->shared_from_this(), _instance, acceptor); diff --git a/cpp/src/IceBT/EndpointI.cpp b/cpp/src/IceBT/EndpointI.cpp index 0b5ed68d2fb..084299249f5 100644 --- a/cpp/src/IceBT/EndpointI.cpp +++ b/cpp/src/IceBT/EndpointI.cpp @@ -179,7 +179,7 @@ IceBT::EndpointI::connectorsAsync( } IceInternal::AcceptorPtr -IceBT::EndpointI::acceptor(const string& adapterName, const std::optional&) const +IceBT::EndpointI::acceptor(const string& adapterName, const std::optional&) const { return make_shared( const_cast(this)->shared_from_this(), diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp index 97d8d0d65a1..5f163e9e22a 100644 --- a/cpp/src/IceSSL/SSLEngine.cpp +++ b/cpp/src/IceSSL/SSLEngine.cpp @@ -163,7 +163,7 @@ IceSSL::SSLEngine::verifyPeer(const ConnectionInfoPtr& info) const string msg = string(info->incoming ? "incoming" : "outgoing") + " connection rejected by trust manager"; if (_securityTraceLevel >= 1) { - getLogger()->trace(_securityTraceCategory, msg + "\n" + info->desc); + getLogger()->trace(_securityTraceCategory, msg); } throw SecurityException(__FILE__, __LINE__, msg); } diff --git a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp index abd079c5437..310a1039e52 100644 --- a/cpp/src/IceSSL/SecureTransportTransceiverI.cpp +++ b/cpp/src/IceSSL/SecureTransportTransceiverI.cpp @@ -466,7 +466,6 @@ IceSSL::SecureTransport::TransceiverI::getInfo() const info->incoming = _incoming; info->adapterName = _adapterName; info->certs = _certs; - info->host = _host; return info; } 
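Review bot: The security trace for a rejected peer in `verifyPeer` at -163 now carries only the fixed text in `msg`, so a trace-level-1 log can no longer tell which connection the trust manager rejected; the same detail is lost in TrustManager.cpp at -135 where `trace << info->desc` is dropped. Trust-manager rejections are exactly the events an operator wants to attribute, so rather than dropping the detail with `desc`, consider appending something that still identifies the connection, e.g. `info->adapterName` for incoming connections or the subject of the first entry of `info->certs` when the chain is non-empty. Whether the connection's endpoint is logged elsewhere on this path is not visible in the diff. `verifyPeer` starts and ends outside the hunk.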
diff --git a/cpp/src/IceSSL/TrustManager.cpp b/cpp/src/IceSSL/TrustManager.cpp index b8215698859..a9022af597d 100644 --- a/cpp/src/IceSSL/TrustManager.cpp +++ b/cpp/src/IceSSL/TrustManager.cpp @@ -135,7 +135,6 @@ TrustManager::verify(const ConnectionInfoPtr& info) const trace << "trust manager evaluating server:\n" << "subject = " << string(subject) << '\n'; } - trace << info->desc; } // Fail if we match anything in the reject set. diff --git a/cpp/test/IceSSL/configuration/AllTests.cpp b/cpp/test/IceSSL/configuration/AllTests.cpp index f7d8554c3b5..5717d2ed33c 100644 --- a/cpp/test/IceSSL/configuration/AllTests.cpp +++ b/cpp/test/IceSSL/configuration/AllTests.cpp @@ -803,8 +803,7 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) d = createServerProps(props, p12, "s_rsa_ca1_cn1", "cacert1"); server = fact->createServer(d); - info = dynamic_pointer_cast(server->ice_getConnection()->getInfo()); - test(info->host == "localhost"); + server->ice_ping(); fact->destroyServer(server); comm->destroy(); @@ -854,8 +853,7 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) // Expected. } #else - info = dynamic_pointer_cast(server->ice_getConnection()->getInfo()); - test(info->host == "localhost"); + server->ice_ping(); #endif fact->destroyServer(server); @@ -922,8 +920,7 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) d = createServerProps(defaultProps, p12, "s_rsa_ca1_cn6", "cacert1"); server = fact->createServer(d); - info = dynamic_pointer_cast(server->ice_getConnection()->getInfo()); - test(info->host == "127.0.0.1"); + server->ice_ping(); fact->destroyServer(server); comm->destroy(); 
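Review bot: Replacing the `info->host` assertions with `server->ice_ping()` at -803, -853 and -920 (and the `zeroc.com` case at -2917 in the WS test) weakens what these tests prove: a successful ping shows the handshake completed, but no longer shows that the name the client verified against the certificate was the expected one (`localhost`, `127.0.0.1`, `zeroc.com`). That is fine only if each positive case still has a negative sibling where a mismatched name is rejected, which the `catch` block visible above the `#else` at -853 suggests but the hunks do not show; at minimum a comment should record why the ping suffices, e.g. `// The handshake only succeeds if the certificate name matches the connect address.` Also check whether the `info` variable, declared outside these hunks, is still assigned anywhere, since it may now be unused. `allTests` continues outside the hunks.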
@@ -2917,11 +2914,7 @@ allTests(Test::TestHelper* helper, const string& /*testDir*/, bool p12) { try { - Ice::WSConnectionInfoPtr wsinfo = - dynamic_pointer_cast(p->ice_getConnection()->getInfo()); - IceSSL::ConnectionInfoPtr sslInfo = - dynamic_pointer_cast(wsinfo->underlying); - test(sslInfo->host == "zeroc.com"); + p->ice_ping(); break; } catch (const Ice::LocalException& ex) diff --git a/swift/src/Ice/ConnectionInfoFactory.swift b/swift/src/Ice/ConnectionInfoFactory.swift index 3d8d05b3142..ed46164718f 100644 --- a/swift/src/Ice/ConnectionInfoFactory.swift +++ b/swift/src/Ice/ConnectionInfoFactory.swift @@ -96,15 +96,12 @@ private class WSConnectionInfoI: ConnectionInfoI, WSConnectionInfo { } private class SSLConnectionInfoI: ConnectionInfoI, SSLConnectionInfo { - var cipher: String var certs: [SecCertificate] - var verified: Bool init( underlying: ConnectionInfo?, incoming: Bool, adapterName: String, connectionId: String, - cipher: String, certs: StringSeq, verified: Bool + certs: StringSeq ) { - self.cipher = cipher self.certs = [] let beginPrefix = "-----BEGIN CERTIFICATE-----\n" let endPrefix = "\n-----END CERTIFICATE-----\n" @@ -122,7 +119,6 @@ private class SSLConnectionInfoI: ConnectionInfoI, SSLConnectionInfo { } } } - self.verified = verified super.init( underlying: underlying, incoming: incoming, adapterName: adapterName, connectionId: connectionId) @@ -249,17 +245,14 @@ class ConnectionInfoFactory: ICEConnectionInfoFactory { incoming: Bool, adapterName: String, connectionId: String, - cipher: String, - certs: [String], verified: Bool + certs: [String] ) -> Any { return SSLConnectionInfoI( underlying: getUnderlying(underlying), incoming: incoming, adapterName: adapterName, connectionId: connectionId, - cipher: cipher, - certs: certs, - verified: verified) + certs: certs) } #if os(iOS) || os(watchOS) || os(tvOS) diff --git a/swift/src/Ice/SSLConnectionInfo.swift b/swift/src/Ice/SSLConnectionInfo.swift index 10979b469e4..f98a4a5f12b 100644 
--- a/swift/src/Ice/SSLConnectionInfo.swift +++ b/swift/src/Ice/SSLConnectionInfo.swift @@ -1,26 +1,11 @@ // // Copyright (c) ZeroC, Inc. All rights reserved. // -// -// Ice version 3.7.10 -// -// -// -// Generated from file `ConnectionInfo.ice' -// -// Warning: do not edit this file. -// -// -// import Foundation /// Provides access to the connection details of an SSL connection public protocol SSLConnectionInfo: ConnectionInfo { - /// The negotiated cipher suite. - var cipher: Swift.String { get set } /// The certificate chain. var certs: [SecCertificate] { get set } - /// The certificate chain verification status. - var verified: Swift.Bool { get set } } diff --git a/swift/src/IceImpl/Connection.h b/swift/src/IceImpl/Connection.h index 51616a3bd67..87b20d12923 100644 --- a/swift/src/IceImpl/Connection.h +++ b/swift/src/IceImpl/Connection.h @@ -82,9 +82,7 @@ ICEIMPL_API @protocol ICEConnectionInfoFactory incoming:(BOOL)incoming adapterName:(NSString*)adapterName connectionId:(NSString*)connectionId - cipher:(NSString*)cipher - certs:(NSArray*)certs - verified:(BOOL)verified; + certs:(NSArray*)certs; #if TARGET_OS_IPHONE diff --git a/swift/src/IceImpl/Connection.mm b/swift/src/IceImpl/Connection.mm index 42faee48855..d0aaf1820e1 100644 --- a/swift/src/IceImpl/Connection.mm +++ b/swift/src/IceImpl/Connection.mm @@ -329,9 +329,7 @@ - (BOOL)throwException:(NSError**)error incoming:sslInfo->incoming adapterName:toNSString(sslInfo->adapterName) connectionId:toNSString(sslInfo->connectionId) - cipher:toNSString(sslInfo->cipher) - certs:toNSArray(sslInfo->certs) - verified:sslInfo->verified]; + certs:toNSArray(sslInfo->certs)]; } #if TARGET_OS_IPHONE diff --git a/swift/test/IceSSL/configuration/AllTests.swift b/swift/test/IceSSL/configuration/AllTests.swift index 93c47801854..d8097f10d8f 100644 --- a/swift/test/IceSSL/configuration/AllTests.swift +++ b/swift/test/IceSSL/configuration/AllTests.swift 
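Review bot: With `cipher` and `verified` gone, `SSLConnectionInfo` no longer tells a Swift application whether the peer's chain was validated, yet the protocol summary still reads as if it described the connection's security state. If the contract is now that a connection is only observable through `getInfo()` after verification has passed (which the rewritten Swift test expecting `SecurityException` on an untrusted server suggests), state it on the protocol, e.g. `/// Provides access to the connection details of an SSL connection. The certificate chain has already been verified when this object is available.`; if a verification-disabled mode still exists, say instead that `certs` may be unverified. Dropping the two properties is a source-breaking change for existing Swift callers and deserves a mention in the commit message. The matching bridge changes in Connection.h at -82 and Connection.mm at -329 are covered by this note.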
@@ -111,7 +111,6 @@ public func allTests(_ helper: TestHelper, _ defaultDir: String) throws -> SSLSe // and doesn't trust the server certificate. // let properties = createClientProps(defaultProperties: defaultProperties, cert: "", ca: "") - properties.setProperty(key: "IceSSL.VerifyPeer", value: "0") let comm = try helper.initialize(properties) let fact = try checkedCast( prx: comm.stringToProxy(factoryRef)!, type: SSLServerFactoryPrx.self)! @@ -120,8 +119,14 @@ public func allTests(_ helper: TestHelper, _ defaultDir: String) throws -> SSLSe d["IceSSL.VerifyPeer"] = "0" let server = try fact.createServer(d)! - try server.noCert() - try test(!(server.ice_getConnection()!.getInfo() as! SSLConnectionInfo).verified) + do { + try server.noCert() + try test(false) + } catch is SecurityException { + // Expected, if reported as an SSL alert by the server. + } catch is ConnectionLostException { + // Expected. + } try fact.destroyServer(server) comm.destroy() } @@ -142,7 +147,6 @@ public func allTests(_ helper: TestHelper, _ defaultDir: String) throws -> SSLSe var server = try fact.createServer(d)! do { try server.noCert() - try test((server.ice_getConnection()!.getInfo() as! SSLConnectionInfo).verified) } try fact.destroyServer(server) // diff --git a/swift/test/IceSSL/configuration/Test.ice b/swift/test/IceSSL/configuration/Test.ice index ee33a5d8f8d..4390c390648 100644 --- a/swift/test/IceSSL/configuration/Test.ice +++ b/swift/test/IceSSL/configuration/Test.ice @@ -13,7 +13,6 @@ interface Server { void noCert(); void checkCert(string subjectDN, string issuerDN); - void checkCipher(string cipher); } dictionary Properties; diff --git a/swift/test/IceSSL/configuration/TestI.swift b/swift/test/IceSSL/configuration/TestI.swift index 1f5b691e41e..e2b01a18677 100644 --- a/swift/test/IceSSL/configuration/TestI.swift +++ b/swift/test/IceSSL/configuration/TestI.swift 
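Review bot: The comment `// Expected, if reported as an SSL alert by the server.` on the `SecurityException` branch at -120 attributes the failure to the server, but in this scenario it is the client that distrusts the server certificate — the `IceSSL.VerifyPeer=0` removed at -111 is what re-enables client-side verification — so the `SecurityException` presumably comes from the client's own verification, and `ConnectionLostException` is the case where the server side closes first. Suggest `// Expected: the client rejects the untrusted server certificate.` and `// Expected if the server closes the connection first.` respectively, so the next reader is not sent looking for a server-side check. `allTests` continues outside the hunk.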
@@ -26,22 +26,12 @@ class ServerI: SSLServer {
 func checkCert(subjectDN _: String, issuerDN _: String, current: Ice.Current) throws {
 do {
 let info = try current.con!.getInfo() as! SSLConnectionInfo
- try _helper.test(info.verified)
 try _helper.test(info.certs.count == 2)
 } catch is Ice.LocalException {
 try _helper.test(false)
 }
 }
 
- func checkCipher(cipher: String, current: Ice.Current) throws {
- do {
- let info = try current.con!.getInfo() as! SSLConnectionInfo
- try _helper.test(info.cipher.contains(cipher))
- } catch is Ice.LocalException {
- try _helper.test(false)
- }
- }
-
 func destroy() throws {
 _communicator.destroy()
 }