SChannel certificate validation fixes

zeroc-ice · Apr 22, 2024 · f176d7d · f176d7d
1 parent c36953a
commit f176d7d
Show file tree

Hide file tree

Showing 19 changed files with 318 additions and 76 deletions.
diff --git a/cpp/include/Ice/ClientAuthenticationOptions.h b/cpp/include/Ice/ClientAuthenticationOptions.h
@@ -0,0 +1,72 @@
+//
+// Copyright (c) ZeroC, Inc. All rights reserved.
+//
+
+#ifndef ICE_CLIENT_AUTHENTICATION_OPTIONS_H
+#define ICE_CLIENT_AUTHENTICATION_OPTIONS_H
+
+#include "SSLConnectionInfo.h"
+
+#include <functional>
+
+#ifdef _WIN32
+// We need to include windows.h before wincrypt.h.
+// clang-format off
+#    ifndef NOMINMAX
+#        define NOMINMAX
+#    endif
+#    include <windows.h>
+#    include <wincrypt.h>
+// clang-format on
+// SECURITY_WIN32 or SECURITY_KERNEL, must be defined before including security.h indicating who is compiling the code.
+#    ifdef SECURITY_WIN32
+#        undef SECURITY_WIN32
+#    endif
+#    ifdef SECURITY_KERNEL
+#        undef SECURITY_KERNEL
+#    endif
+#    define SECURITY_WIN32 1
+#    include <schannel.h>
+#    include <security.h>
+#    include <sspi.h>
+#    undef SECURITY_WIN32
+#endif
+
+namespace Ice::SSL
+{
+    /**
+     * The SSL configuration properties for client connections.
+     */
+    struct ClientAuthenticationOptions
+    {
+#if defined(_WIN32)
+        /**
+         * The credentials handler to configure SSL client connections on Windows. When set the SSL transport would
+         * ignore all the IceSSL configuration properties and use the provided credentials handle.
+         *
+         * [See Schannel
+         * Credentials](https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials).
+         */
+        CredHandle credentialsHandler;
+
+        /**
+         * A callback that allows to manually validate the server certificate during SSL handshake on Windows. When the
+         * callback is not provided the server certificate will be validated using the platform default validation
+         * mechanism.
+         *
+         * @param context A security context is an opaque data structure that contains security data relevant to the
+         * current connection.
+         * @return true if the certificate is valid, false otherwise.
+         *
+         * [See Manually Validating Schannel
+         * Credentials](https://learn.microsoft.com/en-us/windows/win32/secauthn/manually-validating-schannel-credentials).
+         */
+        std::function<bool(CtxtHandle context, const IceSSL::ConnectionInfoPtr& info)>
+            serverCertificateValidationCallback;
+#elif defined(__APPLE__)
+#else
+#endif
+    };
+}
+
+#endif
diff --git a/cpp/include/Ice/Communicator.h b/cpp/include/Ice/Communicator.h
@@ -15,7 +15,7 @@
 #include "Plugin.h"
 #include "Properties.h"
 #include "Proxy.h"
-#include "SSL.h"
+#include "ServerAuthenticationOptions.h"
 
 #ifdef ICE_SWIFT
 #    include <dispatch/dispatch.h>

diff --git a/cpp/include/Ice/Ice.h b/cpp/include/Ice/Ice.h
@@ -20,6 +20,7 @@
 // We don't need to see the following headers when building the generated code.
 
 #    include "Certificate.h"
+#    include "ClientAuthenticationOptions.h"
 #    include "Communicator.h"
 #    include "Connection.h"
 #    include "IconvStringConverter.h"
@@ -38,6 +39,7 @@
 #    include "SSLConnectionInfo.h"
 #    include "SSLEndpointInfo.h"
 #    include "ServantLocator.h"
+#    include "ServerAuthenticationOptions.h"
 #    include "SlicedData.h"
 #    include "StringConverter.h"
 #    include "UUID.h"

diff --git a/cpp/include/Ice/Initialize.h b/cpp/include/Ice/Initialize.h
@@ -6,6 +6,7 @@
 #define ICE_INITIALIZE_H
 
 #include "BatchRequest.h"
+#include "ClientAuthenticationOptions.h"
 #include "CommunicatorF.h"
 #include "Connection.h"
 #include "Ice/BuiltinSequences.h"
@@ -15,7 +16,6 @@
 #include "Logger.h"
 #include "Plugin.h"
 #include "PropertiesF.h"
-#include "SSL.h"
 #include "ValueFactory.h"
 
 namespace Ice

diff --git a/cpp/include/Ice/SSL.h → ...include/Ice/ServerAuthenticationOptions.h b/cpp/include/Ice/SSL.h → ...include/Ice/ServerAuthenticationOptions.h
@@ -2,8 +2,8 @@
 // Copyright (c) ZeroC, Inc. All rights reserved.
 //
 
-#ifndef ICE_SSL_H
-#define ICE_SSL_H
+#ifndef ICE_SERVER_AUTHENTICATION_OPTIONS_H
+#define ICE_SERVER_AUTHENTICATION_OPTIONS_H
 
 #include "SSLConnectionInfo.h"
 
@@ -34,40 +34,6 @@
 
 namespace Ice::SSL
 {
-    /**
-     * The SSL configuration properties for client connections.
-     */
-    struct ClientAuthenticationOptions
-    {
-#if defined(_WIN32)
-        /**
-         * The credentials handler to configure SSL client connections on Windows. When set the SSL transport would
-         * ignore all the IceSSL configuration properties and use the provided credentials handle.
-         *
-         * [See Schannel
-         * Credentials](https://learn.microsoft.com/en-us/windows/win32/api/schannel/ns-schannel-sch_credentials).
-         */
-        CredHandle credentialsHandler;
-
-        /**
-         * A callback that allows to manually validate the server certificate during SSL handshake on Windows. When the
-         * callback is not provided the server certificate will be validated using the platform default validation
-         * mechanism.
-         *
-         * @param context A security context is an opaque data structure that contains security data relevant to the
-         * current connection.
-         * @return true if the certificate is valid, false otherwise.
-         *
-         * [See Manually Validating Schannel
-         * Credentials](https://learn.microsoft.com/en-us/windows/win32/secauthn/manually-validating-schannel-credentials).
-         */
-        std::function<bool(CtxtHandle context, const IceSSL::ConnectionInfoPtr& info)>
-            serverCertificateValidationCallback;
-#elif defined(__APPLE__)
-#else
-#endif
-    };
-
     /**
      * The SSL configuration properties for client connections.
      */
@@ -103,7 +69,6 @@ namespace Ice::SSL
 #else
 #endif
     };
-
 }
 
 #endif
diff --git a/cpp/src/Ice/EndpointI.h b/cpp/src/Ice/EndpointI.h
@@ -10,7 +10,7 @@
 #include "EndpointIF.h"
 #include "Ice/Endpoint.h"
 #include "Ice/EndpointSelectionType.h"
-#include "Ice/SSL.h"
+#include "Ice/ServerAuthenticationOptions.h"
 #include "TransceiverF.h"
 
 #include <optional>

diff --git a/cpp/src/Ice/ObjectAdapterI.h b/cpp/src/Ice/ObjectAdapterI.h
@@ -15,7 +15,7 @@
 #include "Ice/ObjectAdapter.h"
 #include "Ice/ObjectF.h"
 #include "Ice/Proxy.h"
-#include "Ice/SSL.h"
+#include "Ice/ServerAuthenticationOptions.h"
 #include "LocatorInfoF.h"
 #include "ObjectAdapterFactoryF.h"
 #include "RouterInfoF.h"

diff --git a/cpp/src/Ice/OpaqueEndpointI.h b/cpp/src/Ice/OpaqueEndpointI.h
@@ -7,7 +7,7 @@
 
 #include "EndpointFactory.h"
 #include "EndpointI.h"
-#include "Ice/SSL.h"
+#include "Ice/ServerAuthenticationOptions.h"
 
 #include <optional>
 

diff --git a/cpp/src/Ice/TcpEndpointI.h b/cpp/src/Ice/TcpEndpointI.h
@@ -8,6 +8,7 @@
 #include "EndpointFactory.h"
 #include "IPEndpointI.h"
 #include "IceUtil/Config.h"
+#include "Ice/ServerAuthenticationOptions.h"
 #include "Network.h" // for IceIternal::Address
 
 namespace IceInternal

diff --git a/cpp/src/Ice/UdpEndpointI.h b/cpp/src/Ice/UdpEndpointI.h
@@ -7,7 +7,7 @@
 
 #include "EndpointFactory.h"
 #include "IPEndpointI.h"
-#include "Ice/SSL.h"
+#include "Ice/ServerAuthenticationOptions.h"
 #include "IceUtil/Config.h"
 #include "Network.h"
 

diff --git a/cpp/src/Ice/WSEndpoint.h b/cpp/src/Ice/WSEndpoint.h
@@ -10,7 +10,7 @@
 #include "IPEndpointIF.h"
 #include "Ice/Endpoint.h"
 #include "Ice/InstanceF.h"
-#include "Ice/SSL.h"
+#include "Ice/ServerAuthenticationOptions.h"
 #include "ProtocolInstance.h"
 
 #include <optional>