Date: 19 Jul 2011 14:27:48 -0000 From: Michael Gmelin <freebsd@grem.de> To: FreeBSD-gnats-submit@FreeBSD.org Cc: shoesoft@gmx.net Subject: ports/159031: [PATCH] devel/Ice: Fix close socket and incorporate security patch for IceGrid Message-ID: <20110719142748.46906.qmail@mail.bindone.de> Resent-Message-ID: <201107191430.p6JEUCWv097395@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 159031 >Category: ports >Synopsis: [PATCH] devel/Ice: Fix close socket and incorporate security patch for IceGrid >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Tue Jul 19 14:30:11 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Michael Gmelin >Release: FreeBSD 8.2-RELEASE-p1 >Organization: Grem Equity GmbH >Environment: System: FreeBSD srv06 8.2-RELEASE-p1 FreeBSD 8.2-RELEASE-p1 #0 r221593: Sat May 7 15:12:25 CEST 2011 >Description: Fixes a compatibility issue with FreeBSD's implementation of close(2) which results in Ice reporting errno ECONNRESET (connection reset by peer). See http://www.zeroc.com/forums/patches/5435-patch-network-cpp-freebsd-econnreset-close-2-problem.html for details. Incorporates a patch orginally written by myself (and "donated" to ZeroC) that has been perfected and integrated by Benoit Foucher of ZeroC and will most likely be part of the next release of Ice (which is still a couple of months away). Controlled by the properties IceGrid.Registry.RequireNodeCertCN and IceGrid.Registry.RequireReplicaCertCN the patch enables IceGrid to verify that the common name (CN) of a client certificate presented to the IceGrid Registry matches the name the IceGrid Node respectively IceGrid Replica Registry transmitted in the request and therefore helps to tighten security in an SSL enabled environment. See http://www.zeroc.com/forums/help-center/5416-icegrid-security-question.html for a description of the general idea, the rest of the communication happened directly via e-mail. Added file(s): - files/patch-config-PropertyNames.xml - files/patch-cpp-demo-IceGrid-secure-README - files/patch-cpp-demo-IceGrid-secure-application.xml - files/patch-cpp-demo-IceGrid-secure-config.admin - files/patch-cpp-demo-IceGrid-secure-config.client - files/patch-cpp-demo-IceGrid-secure-config.master - files/patch-cpp-demo-IceGrid-secure-config.node - files/patch-cpp-demo-IceGrid-secure-config.registry - files/patch-cpp-demo-IceGrid-secure-config.slave - files/patch-cpp-demo-IceGrid-secure-makecerts.py - files/patch-cpp-src-Ice-Network.cpp - files/patch-cpp-src-Ice-PropertyNames.cpp - files/patch-cpp-src-Ice-PropertyNames.h - files/patch-cpp-src-IceGrid-Internal.ice - files/patch-cpp-src-IceGrid-InternalRegistryI.cpp - files/patch-cpp-src-IceGrid-InternalRegistryI.h - files/patch-cpp-src-IceGrid-NodeSessionManager.cpp - files/patch-cpp-src-IceGrid-ReplicaSessionManager.cpp - files/patch-cs-src-Ice-PropertyNames.cs - files/patch-java-src-IceInternal-PropertyNames.java Port maintainer (shoesoft@gmx.net) is cc'd. Generated with FreeBSD Port Tools 0.99 >How-To-Repeat: >Fix: --- Ice-3.4.2_1.patch begins here --- diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/Makefile /usr/ports/devel/ice/Makefile --- /usr/ports/devel/ice.orig/Makefile 2011-06-28 15:43:59.000000000 +0200 +++ /usr/ports/devel/ice/Makefile 2011-07-18 23:53:27.000000000 +0200 @@ -7,6 +7,7 @@ PORTNAME= Ice PORTVERSION= 3.4.2 +PORTREVISION= 1 CATEGORIES= devel MASTER_SITES= http://download.zeroc.com/Ice/3.4/ diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-config-PropertyNames.xml /usr/ports/devel/ice/files/patch-config-PropertyNames.xml --- /usr/ports/devel/ice.orig/files/patch-config-PropertyNames.xml 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-config-PropertyNames.xml 2011-07-19 02:26:15.000000000 +0200 @@ -0,0 +1,11 @@ +--- config/PropertyNames.xml.orig Wed Jun 15 19:43:59 2011 ++++ config/PropertyNames.xml Tue Jul 12 15:32:00 2011 +@@ -437,6 +437,8 @@ generated from the section label. + <property name="Registry.PermissionsVerifier" class="proxy" /> + <property name="Registry.ReplicaName" /> + <property name="Registry.ReplicaSessionTimeout" /> ++ <property name="Registry.RequireNodeCertCN" /> ++ <property name="Registry.RequireReplicaCertCN" /> + <property name="Registry.Server" class="objectadapter" /> + <property name="Registry.SessionFilters" /> + <property name="Registry.SessionManager" class="objectadapter" /> diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-README /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-README --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-README 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-README 2011-07-18 23:48:42.000000000 +0200 @@ -0,0 +1,14 @@ +--- cpp/demo/IceGrid/secure/README.orig Wed Jun 15 19:44:00 2011 ++++ cpp/demo/IceGrid/secure/README Tue Jul 12 15:32:00 2011 +@@ -31,9 +31,10 @@ so you might as well use a certificate without a password and rely on + the filesystem permissions to restrict access to the certificate. + + Once the certificates are generated, you can start the IceGrid +-registry, node, and Glacier2 router: ++registries, node, and Glacier2 router: + +-$ icegridregistry --Ice.Config=config.registry ++$ icegridregistry --Ice.Config=config.master ++$ icegridregistry --Ice.Config=config.slave + $ icegridnode --Ice.Config=config.node + $ glacier2router --Ice.Config=config.glacier2 diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-application.xml /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-application.xml --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-application.xml 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-application.xml 2011-07-18 23:48:37.000000000 +0200 @@ -0,0 +1,14 @@ +--- cpp/demo/IceGrid/secure/application.xml.orig Wed Jun 15 19:43:58 2011 ++++ cpp/demo/IceGrid/secure/application.xml Tue Jul 12 15:32:00 2011 +@@ -20,8 +20,9 @@ + <property name="IceSSL.DefaultDir" value="certs"/> + + <property name="Ice.Admin.Endpoints" value="ssl -h 127.0.0.1"/> +- <property name="IceSSL.TrustOnly.Client" value="CN=IceGrid Registry"/> +- <property name="IceSSL.TrustOnly.Server.Ice.Admin" value="CN=IceGrid Node"/> ++ <property name="IceSSL.TrustOnly.Client" value="CN=Master;CN=Slave"/> ++ <property name="IceSSL.TrustOnly.Client" value="CN=Master;CN=Slave"/> ++ <property name="IceSSL.TrustOnly.Server.Ice.Admin" value="CN=Node"/> + </properties> + + <node name="Node"> diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.admin /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.admin --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.admin 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.admin 2011-07-18 23:48:41.000000000 +0200 @@ -0,0 +1,11 @@ +--- cpp/demo/IceGrid/secure/config.admin.orig Wed Jun 15 19:43:58 2011 ++++ cpp/demo/IceGrid/secure/config.admin Tue Jul 12 15:32:00 2011 +@@ -14,7 +14,7 @@ IceGridAdmin.Password=dummy + # SSL Configuration + # + IceSSL.DefaultDir=certs +-IceSSL.TrustOnly.Client=CN="IceGrid Registry";CN="Glacier2" ++IceSSL.TrustOnly.Client=CN="Master";CN="Slave";CN="Glacier2" + + # C++ configuration + Ice.Plugin.IceSSL.cpp=IceSSL:createIceSSL diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.client /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.client --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.client 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.client 2011-07-18 23:48:37.000000000 +0200 @@ -0,0 +1,11 @@ +--- cpp/demo/IceGrid/secure/config.client.orig Wed Jun 15 19:43:59 2011 ++++ cpp/demo/IceGrid/secure/config.client Tue Jul 12 15:32:00 2011 +@@ -1,7 +1,7 @@ + # + # The IceGrid locator proxy. + # +-Ice.Default.Locator=DemoIceGrid/Locator:tcp -p 4061 ++Ice.Default.Locator=DemoIceGrid/Locator:tcp -p 4061:tcp -p 14061 + + # + # Trace properties. diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.master /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.master --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.master 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.master 2011-07-18 23:47:56.000000000 +0200 @@ -0,0 +1,64 @@ +--- /dev/null ++++ cpp/demo/IceGrid/secure/config.master Tue Jul 12 15:32:00 2011 +@@ -0,0 +1,61 @@ ++# ++# The IceGrid instance name. ++# ++IceGrid.InstanceName=DemoIceGrid ++ ++# ++# IceGrid registry configuration. ++# ++IceGrid.Registry.Client.Endpoints=tcp -p 4061 -t 10000:ssl -p 4062 -t 10000 ++IceGrid.Registry.Server.Endpoints=ssl -t 10000 ++IceGrid.Registry.Internal.Endpoints=ssl -t 10000 ++IceGrid.Registry.Data=db/master ++ ++# ++# Ensure that nodes and slaves connecting to this registry have a name ++# matching the certificate CN. ++# ++IceGrid.Registry.RequireNodeCertCN=1 ++IceGrid.Registry.RequireReplicaCertCN=1 ++ ++# ++# IceGrid admin clients must use a secure connection to connect to the ++# registry or use Glacier2. ++# ++IceGrid.Registry.AdminSessionManager.Endpoints=ssl -t 10000 ++IceGrid.Registry.AdminPermissionsVerifier=DemoIceGrid/NullPermissionsVerifier ++ ++# ++# IceGrid SQL configuration if using SQL database. ++# ++#Ice.Plugin.DB=IceGridSqlDB:createSqlDB ++#IceGrid.SQL.DatabaseType=QSQLITE ++#IceGrid.SQL.DatabaseName=db/master/Registry.db ++ ++# ++# Trace properties. ++# ++Ice.ProgramName=Master ++IceGrid.Registry.Trace.Node=2 ++IceGrid.Registry.Trace.Replica=2 ++ ++# ++# SSL Configuration ++# ++Ice.Plugin.IceSSL=IceSSL:createIceSSL ++IceSSL.DefaultDir=certs ++IceSSL.CertAuthFile=ca_cert.pem ++IceSSL.CertFile=master_cert.pem ++IceSSL.KeyFile=master_key.pem ++ ++# ++# Don't require certificates. This is useful for admin clients that don't ++# use certificate but still need to establish a secure connection for the ++# username/password authentication ++# ++IceSSL.VerifyPeer=1 ++ ++IceSSL.TrustOnly.Client=CN="Master";CN="Slave";CN="Node";CN="Glacier2" ++IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server" ++IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="Node";CN="Master";CN="Slave" ++IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Glacier2" diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.node /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.node --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.node 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.node 2011-07-18 23:48:37.000000000 +0200 @@ -0,0 +1,19 @@ +--- cpp/demo/IceGrid/secure/config.node.orig Wed Jun 15 19:43:58 2011 ++++ cpp/demo/IceGrid/secure/config.node Tue Jul 12 15:32:00 2011 +@@ -1,7 +1,7 @@ + # + # The IceGrid locator proxy. + # +-Ice.Default.Locator=DemoIceGrid/Locator:ssl -p 4062 -t 10000 ++Ice.Default.Locator=DemoIceGrid/Locator:ssl -p 4062 -t 10000:ssl -p 14062 -t 10000 + + # + # IceGrid node configuration. +@@ -26,5 +26,5 @@ IceSSL.CertAuthFile=ca_cert.pem + IceSSL.CertFile=node_cert.pem + IceSSL.KeyFile=node_key.pem + +-IceSSL.TrustOnly.Client=CN="Server";CN="IceGrid Registry" +-IceSSL.TrustOnly.Server=CN="IceGrid Registry" ++IceSSL.TrustOnly.Client=CN="Server";CN="Master";CN="Slave" ++IceSSL.TrustOnly.Server=CN="Master";CN="Slave" diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.registry /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.registry --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.registry 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.registry 2011-07-18 23:48:40.000000000 +0200 @@ -0,0 +1,57 @@ +--- cpp/demo/IceGrid/secure/config.registry Wed Jun 15 19:43:58 2011 ++++ /dev/null +@@ -1,54 +0,0 @@ +-# +-# The IceGrid instance name. +-# +-IceGrid.InstanceName=DemoIceGrid +- +-# +-# IceGrid registry configuration. +-# +-IceGrid.Registry.Client.Endpoints=tcp -p 4061 -t 10000:ssl -p 4062 -t 10000 +-IceGrid.Registry.Server.Endpoints=ssl -t 10000 +-IceGrid.Registry.Internal.Endpoints=ssl -t 10000 +-IceGrid.Registry.Data=db/registry +- +-# +-# IceGrid admin clients must use a secure connection to connect to the +-# registry or use Glacier2. +-# +-IceGrid.Registry.AdminSessionManager.Endpoints=ssl -t 10000 +-IceGrid.Registry.AdminPermissionsVerifier=DemoIceGrid/NullPermissionsVerifier +- +-# +-# IceGrid SQL configuration if using SQL database. +-# +-#Ice.Plugin.DB=IceGridSqlDB:createSqlDB +-#IceGrid.SQL.DatabaseType=QSQLITE +-#IceGrid.SQL.DatabaseName=db/registry/Registry.db +- +-# +-# Trace properties. +-# +-Ice.ProgramName=Registry +-IceGrid.Registry.Trace.Node=2 +-IceGrid.Registry.Trace.Replica=2 +- +-# +-# SSL Configuration +-# +-Ice.Plugin.IceSSL=IceSSL:createIceSSL +-IceSSL.DefaultDir=certs +-IceSSL.CertAuthFile=ca_cert.pem +-IceSSL.CertFile=registry_cert.pem +-IceSSL.KeyFile=registry_key.pem +- +-# +-# Don't require certificates. This is useful for admin clients that don't +-# use certificate but still need to establish a secure connection for the +-# username/password authentication +-# +-IceSSL.VerifyPeer=1 +- +-IceSSL.TrustOnly.Client=CN="IceGrid Registry";CN="IceGrid Node";CN="Glacier2" +-IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server" +-IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="IceGrid Node";CN="IceGrid Registry" +-IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Glacier2" diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.slave /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.slave --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-config.slave 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-config.slave 2011-07-18 23:47:58.000000000 +0200 @@ -0,0 +1,69 @@ +--- /dev/null ++++ cpp/demo/IceGrid/secure/config.slave Tue Jul 12 15:32:00 2011 +@@ -0,0 +1,66 @@ ++# ++# The IceGrid locator proxy. ++# ++Ice.Default.Locator=DemoIceGrid/Locator:ssl -p 4062 -t 10000 ++ ++# ++# The IceGrid instance name. ++# ++IceGrid.InstanceName=DemoIceGrid ++ ++# ++# IceGrid registry configuration. ++# ++IceGrid.Registry.Client.Endpoints=tcp -p 14061 -t 10000:ssl -p 14062 -t 10000 ++IceGrid.Registry.Server.Endpoints=ssl -t 10000 ++IceGrid.Registry.Internal.Endpoints=ssl -t 10000 ++IceGrid.Registry.Data=db/slave ++IceGrid.Registry.ReplicaName=Slave ++ ++# ++# Ensure that nodes connecting to this registry have a name matching ++# the certificate CN. ++# ++IceGrid.Registry.RequireNodeCertCN=1 ++ ++# ++# IceGrid admin clients must use a secure connection to connect to the ++# registry or use Glacier2. ++# ++IceGrid.Registry.AdminSessionManager.Endpoints=ssl -t 10000 ++IceGrid.Registry.AdminPermissionsVerifier=DemoIceGrid/NullPermissionsVerifier ++ ++# ++# IceGrid SQL configuration if using SQL database. ++# ++#Ice.Plugin.DB=IceGridSqlDB:createSqlDB ++#IceGrid.SQL.DatabaseType=QSQLITE ++#IceGrid.SQL.DatabaseName=db/slave/Registry.db ++ ++# ++# Trace properties. ++# ++Ice.ProgramName=Slave ++IceGrid.Registry.Trace.Node=2 ++IceGrid.Registry.Trace.Replica=2 ++ ++# ++# SSL Configuration ++# ++Ice.Plugin.IceSSL=IceSSL:createIceSSL ++IceSSL.DefaultDir=certs ++IceSSL.CertAuthFile=ca_cert.pem ++IceSSL.CertFile=slave_cert.pem ++IceSSL.KeyFile=slave_key.pem ++ ++# ++# Don't require certificates. This is useful for admin clients that don't ++# use certificate but still need to establish a secure connection for the ++# username/password authentication ++# ++IceSSL.VerifyPeer=1 ++ ++IceSSL.TrustOnly.Client=CN="Master";CN="Slave";CN="Node";CN="Glacier2" ++IceSSL.TrustOnly.Server.IceGrid.Registry.Server=CN="Server" ++IceSSL.TrustOnly.Server.IceGrid.Registry.Internal=CN="Node";CN="Master";CN="Slave" ++IceSSL.TrustOnly.Server.IceGrid.Registry.AdminSessionManager=CN="Glacier2" diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-makecerts.py /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-makecerts.py --- /usr/ports/devel/ice.orig/files/patch-cpp-demo-IceGrid-secure-makecerts.py 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-demo-IceGrid-secure-makecerts.py 2011-07-18 23:48:40.000000000 +0200 @@ -0,0 +1,13 @@ +--- cpp/demo/IceGrid/secure/makecerts.py.orig Wed Jun 15 19:43:58 2011 ++++ cpp/demo/IceGrid/secure/makecerts.py Tue Jul 12 15:32:00 2011 +@@ -44,8 +44,9 @@ runIceca("init --overwrite --no-password") + print + print + +-createCertificate("registry", "IceGrid Registry") +-createCertificate("node", "IceGrid Node") ++createCertificate("master", "Master") ++createCertificate("slave", "Slave") ++createCertificate("node", "Node") + createCertificate("glacier2", "Glacier2") + createCertificate("server", "Server") diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-src-Ice-Network.cpp /usr/ports/devel/ice/files/patch-cpp-src-Ice-Network.cpp --- /usr/ports/devel/ice.orig/files/patch-cpp-src-Ice-Network.cpp 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-src-Ice-Network.cpp 2011-07-18 23:48:36.000000000 +0200 @@ -0,0 +1,15 @@ +--- cpp/src/Ice/Network.cpp.orig Wed Jun 15 19:43:59 2011 ++++ cpp/src/Ice/Network.cpp Fri 15 23:40:26 2011 +@@ -715,7 +715,11 @@ + WSASetLastError(error); + #else + int error = errno; +- if(close(fd) == SOCKET_ERROR) ++ if(close(fd) == SOCKET_ERROR ++# if defined(__FreeBSD__) ++ && getSocketErrno() != ECONNRESET ++# endif ++ ) + { + SocketException ex(__FILE__, __LINE__); + ex.error = getSocketErrno(); diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-src-Ice-PropertyNames.cpp /usr/ports/devel/ice/files/patch-cpp-src-Ice-PropertyNames.cpp --- /usr/ports/devel/ice.orig/files/patch-cpp-src-Ice-PropertyNames.cpp 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-src-Ice-PropertyNames.cpp 2011-07-18 23:48:39.000000000 +0200 @@ -0,0 +1,20 @@ +--- cpp/src/Ice/PropertyNames.cpp.orig Wed Jun 15 19:43:59 2011 ++++ cpp/src/Ice/PropertyNames.cpp Tue Jul 12 15:32:00 2011 +@@ -8,7 +8,7 @@ + // ********************************************************************** + + // +-// Generated by makeprops.py from file ..\config\PropertyNames.xml, Mon May 09 07:39:43 2011 ++// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Jul 12 07:22:34 2011 + + // IMPORTANT: Do not edit this file -- any edits made here will be lost! + +@@ -335,6 +335,8 @@ const IceInternal::Property IceGridPropsData[] = + IceInternal::Property("IceGrid.Registry.PermissionsVerifier", false, 0), + IceInternal::Property("IceGrid.Registry.ReplicaName", false, 0), + IceInternal::Property("IceGrid.Registry.ReplicaSessionTimeout", false, 0), ++ IceInternal::Property("IceGrid.Registry.RequireNodeCertCN", false, 0), ++ IceInternal::Property("IceGrid.Registry.RequireReplicaCertCN", false, 0), + IceInternal::Property("IceGrid.Registry.Server.ACM", false, 0), + IceInternal::Property("IceGrid.Registry.Server.AdapterId", false, 0), + IceInternal::Property("IceGrid.Registry.Server.Endpoints", false, 0), diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-src-Ice-PropertyNames.h /usr/ports/devel/ice/files/patch-cpp-src-Ice-PropertyNames.h --- /usr/ports/devel/ice.orig/files/patch-cpp-src-Ice-PropertyNames.h 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-src-Ice-PropertyNames.h 2011-07-18 23:48:36.000000000 +0200 @@ -0,0 +1,10 @@ +--- cpp/src/Ice/PropertyNames.h.orig Wed Jun 15 19:43:59 2011 ++++ cpp/src/Ice/PropertyNames.h Tue Jul 12 15:32:00 2011 +@@ -8,7 +8,7 @@ + // ********************************************************************** + + // +-// Generated by makeprops.py from file ..\config\PropertyNames.xml, Mon May 09 07:39:43 2011 ++// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Jul 12 07:22:34 2011 + + // IMPORTANT: Do not edit this file -- any edits made here will be lost! diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-Internal.ice /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-Internal.ice --- /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-Internal.ice 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-Internal.ice 2011-07-18 23:48:39.000000000 +0200 @@ -0,0 +1,20 @@ +--- cpp/src/IceGrid/Internal.ice.orig Wed Jun 15 19:43:59 2011 ++++ cpp/src/IceGrid/Internal.ice Tue Jul 12 15:32:00 2011 +@@ -702,7 +702,7 @@ interface InternalRegistry extends FileReader + * + **/ + NodeSession* registerNode(InternalNodeInfo info, Node* prx, LoadInfo loadInf) +- throws NodeActiveException; ++ throws NodeActiveException, PermissionDeniedException; + + /** + * +@@ -721,7 +721,7 @@ interface InternalRegistry extends FileReader + * + **/ + ReplicaSession* registerReplica(InternalReplicaInfo info, InternalRegistry* prx) +- throws ReplicaActiveException; ++ throws ReplicaActiveException, PermissionDeniedException; + + /** + * diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-InternalRegistryI.cpp /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-InternalRegistryI.cpp --- /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-InternalRegistryI.cpp 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-InternalRegistryI.cpp 2011-07-18 23:48:35.000000000 +0200 @@ -0,0 +1,136 @@ +--- cpp/src/IceGrid/InternalRegistryI.cpp.orig Wed Jun 15 19:43:59 2011 ++++ cpp/src/IceGrid/InternalRegistryI.cpp Tue Jul 12 15:32:00 2011 +@@ -19,6 +19,8 @@ + #include <IceGrid/ReplicaSessionI.h> + #include <IceGrid/ReplicaSessionManager.h> + #include <IceGrid/FileCache.h> ++#include <IceSSL/IceSSL.h> ++#include <IceSSL/RFC2253.h> + + using namespace std; + using namespace IceGrid; +@@ -38,6 +40,8 @@ InternalRegistryI::InternalRegistryI(const RegistryIPtr& registry, + Ice::PropertiesPtr properties = database->getCommunicator()->getProperties(); + _nodeSessionTimeout = properties->getPropertyAsIntWithDefault("IceGrid.Registry.NodeSessionTimeout", 30); + _replicaSessionTimeout = properties->getPropertyAsIntWithDefault("IceGrid.Registry.ReplicaSessionTimeout", 30); ++ _requireNodeCertCN = properties->getPropertyAsIntWithDefault("IceGrid.Registry.RequireNodeCertCN", 0); ++ _requireReplicaCertCN = properties->getPropertyAsIntWithDefault("IceGrid.Registry.RequireNodeCertCN", 0); + } + + InternalRegistryI::~InternalRegistryI() +@@ -50,7 +54,56 @@ InternalRegistryI::registerNode(const InternalNodeInfoPtr& info, + const LoadInfo& load, + const Ice::Current& current) + { +- const Ice::LoggerPtr logger = _database->getTraceLevels()->logger; ++ const TraceLevelsPtr traceLevels = _database->getTraceLevels(); ++ const Ice::LoggerPtr logger = traceLevels->logger; ++ if(!info || !node) ++ { ++ return 0; ++ } ++ ++ if(_requireNodeCertCN) ++ { ++ try ++ { ++ IceSSL::ConnectionInfoPtr sslConnInfo = IceSSL::ConnectionInfoPtr::dynamicCast(current.con->getInfo()); ++ if(sslConnInfo) ++ { ++ if (sslConnInfo->certs.empty() || ++ !IceSSL::Certificate::decode(sslConnInfo->certs[0])->getSubjectDN().match("CN=" + info->name)) ++ { ++ if(traceLevels->node > 0) ++ { ++ Ice::Trace out(logger, traceLevels->nodeCat); ++ out << "certificate CN doesn't match node name `" << info->name << "'"; ++ } ++ throw PermissionDeniedException("certificate CN doesn't match node name `" + info->name + "'"); ++ } ++ } ++ else ++ { ++ if(traceLevels->node > 0) ++ { ++ Ice::Trace out(logger, traceLevels->nodeCat); ++ out << "node certificate for `" << info->name << "' is required to connect to this registry"; ++ } ++ throw PermissionDeniedException("node certificate is required to connect to this registry"); ++ } ++ } ++ catch(const PermissionDeniedException& ex) ++ { ++ throw ex; ++ } ++ catch(const IceUtil::Exception&) ++ { ++ if(traceLevels->node > 0) ++ { ++ Ice::Trace out(logger, traceLevels->nodeCat); ++ out << "unexpected exception while verifying certificate for node `" << info->name << "'"; ++ } ++ throw PermissionDeniedException("unable to verify certificate for node `" + info->name + "'"); ++ } ++ } ++ + try + { + NodeSessionIPtr session = new NodeSessionI(_database, node, info, _nodeSessionTimeout, load); +@@ -68,7 +121,56 @@ InternalRegistryI::registerReplica(const InternalReplicaInfoPtr& info, + const InternalRegistryPrx& prx, + const Ice::Current& current) + { +- const Ice::LoggerPtr logger = _database->getTraceLevels()->logger; ++ const TraceLevelsPtr traceLevels = _database->getTraceLevels(); ++ const Ice::LoggerPtr logger = traceLevels->logger; ++ if(!info || !prx) ++ { ++ return 0; ++ } ++ ++ if(_requireReplicaCertCN) ++ { ++ try ++ { ++ IceSSL::ConnectionInfoPtr sslConnInfo = IceSSL::ConnectionInfoPtr::dynamicCast(current.con->getInfo()); ++ if(sslConnInfo) ++ { ++ if (sslConnInfo->certs.empty() || ++ !IceSSL::Certificate::decode(sslConnInfo->certs[0])->getSubjectDN().match("CN=" + info->name)) ++ { ++ if(traceLevels->replica > 0) ++ { ++ Ice::Trace out(logger, traceLevels->replicaCat); ++ out << "certificate CN doesn't match replica name `" << info->name << "'"; ++ } ++ throw PermissionDeniedException("certificate CN doesn't match replica name `" + info->name + "'"); ++ } ++ } ++ else ++ { ++ if(traceLevels->replica > 0) ++ { ++ Ice::Trace out(logger, traceLevels->replicaCat); ++ out << "replica certificate for `" << info->name << "' is required to connect to this registry"; ++ } ++ throw PermissionDeniedException("replica certificate is required to connect to this registry"); ++ } ++ } ++ catch(const PermissionDeniedException& ex) ++ { ++ throw ex; ++ } ++ catch(const IceUtil::Exception&) ++ { ++ if(traceLevels->replica > 0) ++ { ++ Ice::Trace out(logger, traceLevels->replicaCat); ++ out << "unexpected exception while verifying certificate for replica `" << info->name << "'"; ++ } ++ throw PermissionDeniedException("unable to verify certificate for replica `" + info->name + "'"); ++ } ++ } ++ + try + { + ReplicaSessionIPtr s = new ReplicaSessionI(_database, _wellKnownObjects, info, prx, _replicaSessionTimeout); diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-InternalRegistryI.h /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-InternalRegistryI.h --- /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-InternalRegistryI.h 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-InternalRegistryI.h 2011-07-18 23:48:38.000000000 +0200 @@ -0,0 +1,11 @@ +--- cpp/src/IceGrid/InternalRegistryI.h.orig Wed Jun 15 19:43:59 2011 ++++ cpp/src/IceGrid/InternalRegistryI.h Tue Jul 12 15:32:00 2011 +@@ -68,6 +68,8 @@ private: + ReplicaSessionManager& _session; + int _nodeSessionTimeout; + int _replicaSessionTimeout; ++ bool _requireNodeCertCN; ++ bool _requireReplicaCertCN; + }; + + }; diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-NodeSessionManager.cpp /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-NodeSessionManager.cpp --- /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-NodeSessionManager.cpp 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-NodeSessionManager.cpp 2011-07-18 23:48:43.000000000 +0200 @@ -0,0 +1,17 @@ +--- cpp/src/IceGrid/NodeSessionManager.cpp.orig Wed Jun 15 19:43:59 2011 ++++ cpp/src/IceGrid/NodeSessionManager.cpp Tue Jul 12 15:32:00 2011 +@@ -110,6 +110,14 @@ NodeSessionKeepAliveThread::createSession(InternalRegistryPrx& registry, IceUtil + } + exception.reset(ex.ice_clone()); + } ++ catch(const PermissionDeniedException& ex) ++ { ++ if(traceLevels) ++ { ++ traceLevels->logger->error("connection to the the registry `" + _name + "' was denied:\n" + ex.reason); ++ } ++ exception.reset(ex.ice_clone()); ++ } + catch(const Ice::Exception& ex) + { + exception.reset(ex.ice_clone()); diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-ReplicaSessionManager.cpp /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-ReplicaSessionManager.cpp --- /usr/ports/devel/ice.orig/files/patch-cpp-src-IceGrid-ReplicaSessionManager.cpp 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cpp-src-IceGrid-ReplicaSessionManager.cpp 2011-07-18 23:48:38.000000000 +0200 @@ -0,0 +1,17 @@ +--- cpp/src/IceGrid/ReplicaSessionManager.cpp.orig Wed Jun 15 19:43:59 2011 ++++ cpp/src/IceGrid/ReplicaSessionManager.cpp Tue Jul 12 15:32:00 2011 +@@ -500,6 +500,14 @@ ReplicaSessionManager::createSession(InternalRegistryPrx& registry, IceUtil::Tim + } + exception.reset(ex.ice_clone()); + } ++ catch(const PermissionDeniedException& ex) ++ { ++ if(_traceLevels) ++ { ++ _traceLevels->logger->error("connection to the the registry `" + _name + "' was denied:\n" + ex.reason); ++ } ++ exception.reset(ex.ice_clone()); ++ } + catch(const Ice::Exception& ex) + { + exception.reset(ex.ice_clone()); diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-cs-src-Ice-PropertyNames.cs /usr/ports/devel/ice/files/patch-cs-src-Ice-PropertyNames.cs --- /usr/ports/devel/ice.orig/files/patch-cs-src-Ice-PropertyNames.cs 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-cs-src-Ice-PropertyNames.cs 2011-07-19 02:26:15.000000000 +0200 @@ -0,0 +1,20 @@ +--- cs/src/Ice/PropertyNames.cs.orig Wed Jun 15 19:43:59 2011 ++++ cs/src/Ice/PropertyNames.cs Tue Jul 12 15:32:00 2011 +@@ -8,7 +8,7 @@ + // ********************************************************************** + + // +-// Generated by makeprops.py from file ..\config\PropertyNames.xml, Mon May 09 07:39:43 2011 ++// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Jul 12 07:22:34 2011 + + // IMPORTANT: Do not edit this file -- any edits made here will be lost! + +@@ -325,6 +325,8 @@ namespace IceInternal + new Property(@"^IceGrid\.Registry\.PermissionsVerifier$", false, null), + new Property(@"^IceGrid\.Registry\.ReplicaName$", false, null), + new Property(@"^IceGrid\.Registry\.ReplicaSessionTimeout$", false, null), ++ new Property(@"^IceGrid\.Registry\.RequireNodeCertCN$", false, null), ++ new Property(@"^IceGrid\.Registry\.RequireReplicaCertCN$", false, null), + new Property(@"^IceGrid\.Registry\.Server\.ACM$", false, null), + new Property(@"^IceGrid\.Registry\.Server\.AdapterId$", false, null), + new Property(@"^IceGrid\.Registry\.Server\.Endpoints$", false, null), diff -ruN --exclude=CVS /usr/ports/devel/ice.orig/files/patch-java-src-IceInternal-PropertyNames.java /usr/ports/devel/ice/files/patch-java-src-IceInternal-PropertyNames.java --- /usr/ports/devel/ice.orig/files/patch-java-src-IceInternal-PropertyNames.java 1970-01-01 01:00:00.000000000 +0100 +++ /usr/ports/devel/ice/files/patch-java-src-IceInternal-PropertyNames.java 2011-07-19 02:26:15.000000000 +0200 @@ -0,0 +1,20 @@ +--- java/src/IceInternal/PropertyNames.java.orig Wed Jun 15 19:43:59 2011 ++++ java/src/IceInternal/PropertyNames.java Tue Jul 12 15:32:00 2011 +@@ -8,7 +8,7 @@ + // ********************************************************************** + + // +-// Generated by makeprops.py from file ..\config\PropertyNames.xml, Mon May 09 07:39:43 2011 ++// Generated by makeprops.py from file ../config/PropertyNames.xml, Tue Jul 12 07:22:34 2011 + + // IMPORTANT: Do not edit this file -- any edits made here will be lost! + +@@ -325,6 +325,8 @@ public final class PropertyNames + new Property("IceGrid\\.Registry\\.PermissionsVerifier", false, null), + new Property("IceGrid\\.Registry\\.ReplicaName", false, null), + new Property("IceGrid\\.Registry\\.ReplicaSessionTimeout", false, null), ++ new Property("IceGrid\\.Registry\\.RequireNodeCertCN", false, null), ++ new Property("IceGrid\\.Registry\\.RequireReplicaCertCN", false, null), + new Property("IceGrid\\.Registry\\.Server\\.ACM", false, null), + new Property("IceGrid\\.Registry\\.Server\\.AdapterId", false, null), + new Property("IceGrid\\.Registry\\.Server\\.Endpoints", false, null), --- Ice-3.4.2_1.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110719142748.46906.qmail>