zeroc-ice · pepone · May 3, 2024 · Apr 17, 2024 · Apr 19, 2024 · Apr 19, 2024
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -9,7 +9,7 @@ RUN set -eux \
     && sudo dpkg -i packages-microsoft-prod.deb \
     && rm packages-microsoft-prod.deb \
     && sudo apt update \
-    && sudo apt-get install -y python3 python3-dev python3-passlib ruby-full \
+    && sudo apt-get install -y python3 python3-dev python3-passlib ruby-full gdb \
     && sudo apt-get install -y libbluetooth-dev libbz2-dev libdbus-1-dev libedit-dev libexpat1-dev liblmdb-dev libmcpp-dev libssl-dev libsystemd-dev \
     && sudo rm -rf /var/lib/apt/lists/* \
     && sudo apt-get clean
diff --git a/cpp/include/Ice/Certificate.h b/cpp/include/Ice/Certificate.h
@@ -18,58 +18,6 @@
 
 namespace IceSSL
 {
-    /**
-     * The reason for an IceSSL certificate verification failure.
-     */
-    enum class TrustError : std::uint8_t
-    {
-        /** The certification verification succeed  */
-        NoError = 0,
-        /** The certificate chain length is greater than the specified maximum depth **/
-        ChainTooLong,
-        /** The X509 chain is invalid because a certificate has excluded a name constraint **/
-        HasExcludedNameConstraint,
-        /** The certificate has an undefined name constraint **/
-        HasNonDefinedNameConstraint,
-        /** The certificate has a non permitted name constraint **/
-        HasNonPermittedNameConstraint,
-        /** The certificate does not support a critical extension **/
-        HasNonSupportedCriticalExtension,
-        /** The certificate does not have a supported name constraint or has a name constraint that is unsupported **/
-        HasNonSupportedNameConstraint,
-        /** A host name mismatch has occurred **/
-        HostNameMismatch,
-        /** The X509 chain is invalid due to invalid basic constraints **/
-        InvalidBasicConstraints,
-        /** The X509 chain is invalid due to an invalid extension **/
-        InvalidExtension,
-        /** The X509 chain is invalid due to invalid name constraints **/
-        InvalidNameConstraints,
-        /** The X509 chain is invalid due to invalid policy constraints **/
-        InvalidPolicyConstraints,
-        /** The supplied certificate cannot be used for the specified purpose **/
-        InvalidPurpose,
-        /** The X509 chain is invalid due to an invalid certificate signature **/
-        InvalidSignature,
-        /** The X509 chain is not valid due to an invalid time value, such as a value that indicates an expired
-            certificate **/
-        InvalidTime,
-        /** The certificate is explicitly not trusted **/
-        NotTrusted,
-        /** The X509 chain could not be built up to the root certificate **/
-        PartialChain,
-        /** It is not possible to determine whether the certificate has been revoked **/
-        RevocationStatusUnknown,
-        /** The X509 chain is invalid due to a revoked certificate **/
-        Revoked,
-        /** The X509 chain is invalid due to an untrusted root certificate **/
-        UntrustedRoot,
-        /** The X509 chain is invalid due to other unknown failure **/
-        UnknownTrustFailure,
-    };
-
-    ICE_API std::string getTrustErrorDescription(TrustError);
-
     /**
      * The key usage "digitalSignature" bit is set
      */

diff --git a/cpp/include/Ice/ClientAuthenticationOptions.h b/cpp/include/Ice/ClientAuthenticationOptions.h
diff --git a/cpp/include/Ice/Communicator.h b/cpp/include/Ice/Communicator.h
@@ -15,6 +15,7 @@
 #include "Plugin.h"
 #include "Properties.h"
 #include "Proxy.h"
+#include "ServerAuthenticationOptions.h"
 
 #ifdef ICE_SWIFT
 #    include <dispatch/dispatch.h>
@@ -141,12 +142,15 @@ namespace Ice
          * communicator as is used by the adapter. Attempts to create a named object adapter for which no configuration
          * can be found raise InitializationException.
          * @param name The object adapter name.
+         * @param serverAuthenticationOptions The SSL configuration properties for server connections.
          * @return The new object adapter.
          * @see #createObjectAdapterWithEndpoints
          * @see ObjectAdapter
          * @see Properties
          */
-        ObjectAdapterPtr createObjectAdapter(const std::string& name);
+        ObjectAdapterPtr createObjectAdapter(
+            const std::string& name,
+            const std::optional<SSL::ServerAuthenticationOptions>& serverAuthenticationOptions = std::nullopt);
 
         /**
          * Create a new object adapter with endpoints. This operation sets the property
@@ -155,12 +159,16 @@ namespace Ice
          * name.
          * @param name The object adapter name.
          * @param endpoints The endpoints for the object adapter.
+         * @param serverAuthenticationOptions The SSL configuration properties for server connections.
          * @return The new object adapter.
          * @see #createObjectAdapter
          * @see ObjectAdapter
          * @see Properties
          */
-        ObjectAdapterPtr createObjectAdapterWithEndpoints(const std::string& name, const std::string& endpoints);
+        ObjectAdapterPtr createObjectAdapterWithEndpoints(
+            const std::string& name,
+            const std::string& endpoints,
+            const std::optional<SSL::ServerAuthenticationOptions>& serverAuthenticationOptions = std::nullopt);
 
         /**
          * Create a new object adapter with a router. This operation creates a routed object adapter.

diff --git a/cpp/include/Ice/Ice.h b/cpp/include/Ice/Ice.h
@@ -20,6 +20,7 @@
 // We don't need to see the following headers when building the generated code.
 
 #    include "Certificate.h"
+#    include "ClientAuthenticationOptions.h"
 #    include "Communicator.h"
 #    include "Connection.h"
 #    include "IconvStringConverter.h"
@@ -38,6 +39,7 @@
 #    include "SSLConnectionInfo.h"
 #    include "SSLEndpointInfo.h"
 #    include "ServantLocator.h"
+#    include "ServerAuthenticationOptions.h"
 #    include "SlicedData.h"
 #    include "StringConverter.h"
 #    include "UUID.h"

diff --git a/cpp/include/Ice/Initialize.h b/cpp/include/Ice/Initialize.h
@@ -6,6 +6,7 @@
 #define ICE_INITIALIZE_H
 
 #include "BatchRequest.h"
+#include "ClientAuthenticationOptions.h"
 #include "CommunicatorF.h"
 #include "Connection.h"
 #include "Ice/BuiltinSequences.h"
@@ -330,6 +331,12 @@ namespace Ice
          * The value factory manager.
          */
         ValueFactoryManagerPtr valueFactoryManager;
+
+        /**
+         * The authentication options for SSL client connections. When set, the SSL transport ignores all IceSSL
+         * configuration properties and uses the provided options.
+         */
+        std::optional<SSL::ClientAuthenticationOptions> clientAuthenticationOptions;
     };
 
     /**

diff --git a/cpp/include/Ice/SSLConfig.h b/cpp/include/Ice/SSLConfig.h
@@ -0,0 +1,39 @@
+//
+// Copyright (c) ZeroC, Inc. All rights reserved.
+//
+
+#ifndef ICE_SSL_CONFIG
+#define ICE_SSL_CONFIG
+
+#if defined(_WIN32)
+#    define ICE_USE_SCHANNEL
+// We need to include windows.h before wincrypt.h.
+// clang-format off
+#    ifndef NOMINMAX
+#        define NOMINMAX
+#    endif
+#    include <windows.h>
+#    include <wincrypt.h>
+// clang-format on
+// SECURITY_WIN32 or SECURITY_KERNEL are defined before including security.h indicating who is compiling the code.
+#    ifdef SECURITY_WIN32
+#        undef SECURITY_WIN32
+#    endif
+#    ifdef SECURITY_KERNEL
+#        undef SECURITY_KERNEL
+#    endif
+#    define SECURITY_WIN32 1
+#    include <schannel.h>
+#    include <security.h>
+#    include <sspi.h>
+#    undef SECURITY_WIN32
+#elif defined(__APPLE__)
+#    define ICE_USE_SECURE_TRANSPORT
+#    include <Security/SecureTransport.h>
+#    include <Security/Security.h>
+#else
+#    define ICE_USE_OPENSSL
+#    include <openssl/ssl.h>
+#endif
+
+#endif
diff --git a/cpp/include/Ice/SSLConnectionInfo.h b/cpp/include/Ice/SSLConnectionInfo.h
@@ -33,22 +33,16 @@ namespace IceSSL
          * @param incoming Whether or not the connection is an incoming or outgoing connection.
          * @param adapterName The name of the adapter associated with the connection.
          * @param connectionId The connection id.
-         * @param cipher The negotiated cipher suite.
          * @param certs The certificate chain.
-         * @param verified The certificate chain verification status.
          */
         ConnectionInfo(
             const Ice::ConnectionInfoPtr& underlying,
             bool incoming,
             const std::string& adapterName,
             const std::string& connectionId,
-            const std::string& cipher,
-            const std::vector<CertificatePtr>& certs,
-            bool verified)
+            const std::vector<CertificatePtr>& certs)
             : Ice::ConnectionInfo(underlying, incoming, adapterName, connectionId),
-              cipher(cipher),
-              certs(certs),
-              verified(verified)
+              certs(certs)
         {
         }
 
@@ -57,21 +51,10 @@ namespace IceSSL
         ConnectionInfo(const ConnectionInfo&) = delete;
         ConnectionInfo& operator=(const ConnectionInfo&) = delete;
 
-        /**
-         * The negotiated cipher suite.
-         */
-        std::string cipher;
         /**
          * The certificate chain.
          */
         std::vector<CertificatePtr> certs;
-        /**
-         * The certificate chain verification status.
-         */
-        bool verified;
-
-        TrustError errorCode;
-        std::string host;
     };
 }