thijn/SqMod
1
0
Fork 0
mirror of https://github.com/VCMP-SqMod/SqMod.git synced 2025-09-08 16:17:11 +02:00
Code Releases Activity

Update POCO to 1.11.0

Browse Source
This commit is contained in:
Sandu Liviu Catalin
2021-08-22 18:07:06 +03:00
parent 151077c799
commit 7a3d92d1d1
450 changed files with 25219 additions and 6528 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
vendor/POCO/NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp vendored
View File

@@ -13,6 +13,7 @@
#include "Poco/Net/AcceptCertificateHandler.h"
#include "Poco/Net/VerificationErrorArgs.h"
namespace Poco {

1
vendor/POCO/NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp vendored
View File

@@ -13,6 +13,7 @@
#include "Poco/Net/ConsoleCertificateHandler.h"
#include "Poco/Net/VerificationErrorArgs.h"
#include <iostream>

40
vendor/POCO/NetSSL_OpenSSL/src/Context.cpp vendored
View File

@@ -34,6 +34,7 @@ Context::Params::Params():
verificationMode(VERIFY_RELAXED),
verificationDepth(9),
loadDefaultCAs(false),
ocspStaplingVerification(false),
cipherList("ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"),
dhUse2048Bits(false)
{
@@ -44,7 +45,8 @@ Context::Context(Usage usage, const Params& params):
_usage(usage),
_mode(params.verificationMode),
_pSSLContext(0),
_extendedCertificateVerification(true)
_extendedCertificateVerification(true),
_ocspStaplingResponseVerification(false)
{
init(params);
}
@@ -62,7 +64,8 @@ Context::Context(
_usage(usage),
_mode(verificationMode),
_pSSLContext(0),
_extendedCertificateVerification(true)
_extendedCertificateVerification(true),
_ocspStaplingResponseVerification(false)
{
Params params;
params.privateKeyFile = privateKeyFile;
@@ -86,7 +89,8 @@ Context::Context(
_usage(usage),
_mode(verificationMode),
_pSSLContext(0),
_extendedCertificateVerification(true)
_extendedCertificateVerification(true),
_ocspStaplingResponseVerification(false)
{
Params params;
params.caLocation = caLocation;
@@ -155,13 +159,15 @@ void Context::init(const Params& params)
}
}
if (!params.certificateFile.empty())
std::string certificateFile = params.certificateFile;
if (certificateFile.empty()) certificateFile = params.privateKeyFile;
if (!certificateFile.empty())
{
errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, Poco::Path::transcode(params.certificateFile).c_str());
errCode = SSL_CTX_use_certificate_chain_file(_pSSLContext, Poco::Path::transcode(certificateFile).c_str());
if (errCode != 1)
{
std::string errMsg = Utility::getLastError();
throw SSLContextException(std::string("Error loading certificate from file ") + params.certificateFile, errMsg);
throw SSLContextException(std::string("Error loading certificate from file ") + certificateFile, errMsg);
}
}
@@ -174,6 +180,18 @@ void Context::init(const Params& params)
SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this);
if (!isForServerUse() && params.ocspStaplingVerification)
{
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
_ocspStaplingResponseVerification = true;
SSL_CTX_set_tlsext_status_cb(_pSSLContext, &SSLManager::verifyOCSPResponseCallback);
SSL_CTX_set_tlsext_status_arg(_pSSLContext, this);
#else
throw SSLContextException("OCSP Stapling is not supported by this OpenSSL version");
#endif
}
initDH(params.dhUse2048Bits, params.dhParamsFile);
initECDH(params.ecdhCurve);
@@ -395,7 +413,7 @@ void Context::requireMinimumProtocol(Protocols protocol)
case PROTO_SSLV2:
throw Poco::InvalidArgumentException("SSLv2 is no longer supported");
case PROTO_SSLV3:
version = SSL3_VERSION;
throw Poco::InvalidArgumentException("SSLv3 is no longer supported");
break;
case PROTO_TLSV1:
version = TLS1_VERSION;
@@ -424,7 +442,7 @@ void Context::requireMinimumProtocol(Protocols protocol)
throw Poco::InvalidArgumentException("SSLv2 is no longer supported");
case PROTO_SSLV3:
disableProtocols(PROTO_SSLV2);
throw Poco::InvalidArgumentException("SSLv3 is no longer supported");
break;
case PROTO_TLSV1:
@@ -463,6 +481,12 @@ void Context::preferServerCiphers()
}
void Context::setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificateHandler)
{
_pInvalidCertificateHandler = pInvalidCertificateHandler;
}
void Context::createSSLContext()
{
int minTLSVersion = 0;

6
vendor/POCO/NetSSL_OpenSSL/src/HTTPSClientSession.cpp vendored
View File

@@ -140,7 +140,7 @@ void HTTPSClientSession::connect(const SocketAddress& address)
if (getProxyHost().empty() || bypassProxy())
{
SecureStreamSocket sss(socket());
if (sss.getPeerHostName().empty())
if (sss.getPeerHostName().empty())
{
sss.setPeerHostName(getHost());
}
@@ -172,8 +172,8 @@ int HTTPSClientSession::read(char* buffer, std::streamsize length)
try
{
return HTTPSession::read(buffer, length);
}
catch(SSLConnectionUnexpectedlyClosedException&)
}
catch (SSLConnectionUnexpectedlyClosedException&)
{
return 0;
}

5
vendor/POCO/NetSSL_OpenSSL/src/HTTPSSessionInstantiator.cpp vendored
View File

@@ -41,10 +41,9 @@ HTTPClientSession* HTTPSSessionInstantiator::createClientSession(const Poco::URI
{
poco_assert (uri.getScheme() == "https");
HTTPSClientSession* pSession = _pContext.isNull() ? new HTTPSClientSession(uri.getHost(), uri.getPort()) : new HTTPSClientSession(uri.getHost(), uri.getPort(), _pContext);
if (!proxyHost().empty())
if (!getProxyConfig().host.empty())
{
pSession->setProxy(proxyHost(), proxyPort());
pSession->setProxyCredentials(proxyUsername(), proxyPassword());
pSession->setProxyConfig(getProxyConfig());
}
return pSession;
}

15
vendor/POCO/NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp vendored
View File

@@ -26,26 +26,11 @@ namespace Net {
InvalidCertificateHandler::InvalidCertificateHandler(bool handleErrorsOnServerSide): _handleErrorsOnServerSide(handleErrorsOnServerSide)
{
if (_handleErrorsOnServerSide)
SSLManager::instance().ServerVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
else
SSLManager::instance().ClientVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
}
InvalidCertificateHandler::~InvalidCertificateHandler()
{
try
{
if (_handleErrorsOnServerSide)
SSLManager::instance().ServerVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
else
SSLManager::instance().ClientVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
}
catch (...)
{
poco_unexpected();
}
}

1
vendor/POCO/NetSSL_OpenSSL/src/RejectCertificateHandler.cpp vendored
View File

@@ -13,6 +13,7 @@
#include "Poco/Net/RejectCertificateHandler.h"
#include "Poco/Net/VerificationErrorArgs.h"
namespace Poco {

186
vendor/POCO/NetSSL_OpenSSL/src/SSLManager.cpp vendored
View File

@@ -12,6 +12,11 @@
//
#if defined(_MSC_VER)
#pragma warning(disable:4996) // deprecation warnings
#endif
#include "Poco/Net/SSLManager.h"
#include "Poco/Net/Context.h"
#include "Poco/Net/Utility.h"
@@ -24,6 +29,10 @@
#include "Poco/StringTokenizer.h"
#include "Poco/Util/Application.h"
#include "Poco/Util/OptionException.h"
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
#include <openssl/ocsp.h>
#include <openssl/tls1.h>
#endif
namespace Poco {
@@ -67,7 +76,8 @@ const bool SSLManager::VAL_FIPS_MODE(false);
#endif
SSLManager::SSLManager()
SSLManager::SSLManager():
_contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL))
{
}
@@ -204,16 +214,45 @@ int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
{
if (!ok)
{
SSLManager& sslManager = SSLManager::instance();
SSL* pSSL = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(pStore, SSL_get_ex_data_X509_STORE_CTX_idx()));
poco_assert_dbg (pSSL);
SSL_CTX* pSSLContext = SSL_get_SSL_CTX(pSSL);
poco_assert_dbg (pSSLContext);
Context* pContext = reinterpret_cast<Context*>(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex()));
poco_assert_dbg (pContext);
X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
X509Certificate x509(pCert, true);
int depth = X509_STORE_CTX_get_error_depth(pStore);
int err = X509_STORE_CTX_get_error(pStore);
std::string error(X509_verify_cert_error_string(err));
VerificationErrorArgs args(x509, depth, err, error);
VerificationErrorArgs args(Context::Ptr(pContext, true), x509, depth, err, error);
if (server)
SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
{
if (pContext->getInvalidCertificateHandler())
{
pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
}
else if (sslManager._ptrServerCertificateHandler)
{
sslManager._ptrServerCertificateHandler->onInvalidCertificate(&sslManager, args);
}
sslManager.ServerVerificationError.notify(&sslManager, args);
}
else
SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
{
if (pContext->getInvalidCertificateHandler())
{
pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
}
else if (sslManager._ptrClientCertificateHandler)
{
sslManager._ptrClientCertificateHandler->onInvalidCertificate(&sslManager, args);
}
sslManager.ClientVerificationError.notify(&sslManager, args);
}
ok = args.getIgnoreError() ? 1 : 0;
}
@@ -235,6 +274,145 @@ int SSLManager::privateKeyPassphraseCallback(char* pBuf, int size, int flag, voi
}
int SSLManager::verifyOCSPResponseCallback(SSL* pSSL, void* arg)
{
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
const long OCSP_VALIDITY_LEEWAY = 5*60;
Poco::Net::Context* pContext = static_cast<Poco::Net::Context*>(arg);
// Fetch the OSCP verify flag
bool ocspVerifyFlag = pContext->ocspStaplingResponseVerificationEnabled();
const unsigned char* pResp;
int len = SSL_get_tlsext_status_ocsp_resp(pSSL, &pResp);
if (!pResp)
{
// OCSP response not received
return ocspVerifyFlag ? 0 : 1;
}
OCSP_RESPONSE* pOcspResp = d2i_OCSP_RESPONSE(NULL, &pResp, len);
if (!pOcspResp) return 0;
if (OCSP_response_status(pOcspResp) != OCSP_RESPONSE_STATUS_SUCCESSFUL)
{
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
OCSP_BASICRESP* pBasicResp = OCSP_response_get1_basic(pOcspResp);
if (!pBasicResp)
{
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
X509* pPeerCert = SSL_get_peer_certificate(pSSL);
if (!pPeerCert)
{
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
X509* pPeerIssuerCert = NULL;
STACK_OF(X509)* pCertChain = SSL_get_peer_cert_chain(pSSL);
unsigned certChainLen = sk_X509_num(pCertChain);
for (int i= 0; i < certChainLen ; i++)
{
if (!pPeerIssuerCert)
{
X509* pIssuerCert = sk_X509_value(pCertChain, i);
if (X509_check_issued(pIssuerCert, pPeerCert) == X509_V_OK)
{
pPeerIssuerCert = pIssuerCert;
break;
}
}
}
if (!pPeerIssuerCert)
{
X509_free(pPeerCert);
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
STACK_OF(X509)* pCerts = sk_X509_new_null();
if (pCerts)
{
X509* pCert = X509_dup(pPeerIssuerCert);
if (pCert && !sk_X509_push(pCerts, pCert))
{
X509_free(pCert);
sk_X509_free(pCerts);
pCerts = NULL;
}
}
X509_STORE* pStore = SSL_CTX_get_cert_store(SSL_get_SSL_CTX(pSSL));
int verifyStatus = OCSP_basic_verify(pBasicResp, pCerts, pStore, OCSP_TRUSTOTHER);
sk_X509_pop_free(pCerts, X509_free);
if (verifyStatus <= 0)
{
X509_free(pPeerCert);
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
OCSP_CERTID* pCertId = OCSP_cert_to_id(NULL, pPeerCert, pPeerIssuerCert);
if (!pCertId)
{
X509_free(pPeerCert);
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
X509_free(pPeerCert);
ASN1_GENERALIZEDTIME* pRevTime;
ASN1_GENERALIZEDTIME* pThisUpdate;
ASN1_GENERALIZEDTIME* pNextUpdate;
int certStatus;
int reason;
if (!OCSP_resp_find_status(pBasicResp, pCertId, &certStatus, &reason, &pRevTime, &pThisUpdate, &pNextUpdate))
{
OCSP_CERTID_free(pCertId);
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
OCSP_CERTID_free(pCertId);
if (certStatus != V_OCSP_CERTSTATUS_GOOD)
{
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
if (!OCSP_check_validity(pThisUpdate, pNextUpdate, OCSP_VALIDITY_LEEWAY, -1))
{
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
return 0;
}
OCSP_BASICRESP_free(pBasicResp);
OCSP_RESPONSE_free(pOcspResp);
#endif
return 1;
}
void SSLManager::initDefaultContext(bool server)
{
if (server && _ptrDefaultServerContext) return;

31
vendor/POCO/NetSSL_OpenSSL/src/SecureServerSocketImpl.cpp vendored
View File

@@ -54,13 +54,20 @@ void SecureServerSocketImpl::connect(const SocketAddress& address, const Poco::T
{
throw Poco::InvalidAccessException("Cannot connect() a SecureServerSocket");
}
void SecureServerSocketImpl::connectNB(const SocketAddress& address)
{
throw Poco::InvalidAccessException("Cannot connect() a SecureServerSocket");
}
void SecureServerSocketImpl::bind(const SocketAddress& address, bool reuseAddress)
{
_impl.bind(address, reuseAddress);
reset(_impl.sockfd());
}
void SecureServerSocketImpl::bind(const SocketAddress& address, bool reuseAddress, bool reusePort)
{
@@ -68,20 +75,34 @@ void SecureServerSocketImpl::bind(const SocketAddress& address, bool reuseAddres
reset(_impl.sockfd());
}
void SecureServerSocketImpl::bind6(const SocketAddress& address, bool reuseAddress, bool ipV6Only)
{
_impl.bind6(address, reuseAddress, ipV6Only);
reset(_impl.sockfd());
}
void SecureServerSocketImpl::bind6(const SocketAddress& address, bool reuseAddress, bool reusePort, bool ipV6Only)
{
_impl.bind6(address, reuseAddress, reusePort, ipV6Only);
reset(_impl.sockfd());
}
void SecureServerSocketImpl::listen(int backlog)
{
_impl.listen(backlog);
reset(_impl.sockfd());
}
void SecureServerSocketImpl::close()
{
reset();
_impl.close();
}
int SecureServerSocketImpl::sendBytes(const void* buffer, int length, int flags)
{

31
vendor/POCO/NetSSL_OpenSSL/src/SecureSocketImpl.cpp vendored
View File

@@ -164,6 +164,13 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
}
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
if(_pContext->ocspStaplingResponseVerificationEnabled())
{
SSL_set_tlsext_status_type(_pSSL, TLSEXT_STATUSTYPE_ocsp);
}
#endif
if (_pSession)
{
SSL_set_session(_pSSL, _pSession->sslSession());
@@ -192,6 +199,14 @@ void SecureSocketImpl::connectSSL(bool performHandshake)
}
void SecureSocketImpl::bind(const SocketAddress& address, bool reuseAddress)
{
poco_check_ptr (_pSocket);
_pSocket->bind(address, reuseAddress);
}
void SecureSocketImpl::bind(const SocketAddress& address, bool reuseAddress, bool reusePort)
{
poco_check_ptr (_pSocket);
@@ -200,6 +215,22 @@ void SecureSocketImpl::bind(const SocketAddress& address, bool reuseAddress, boo
}
void SecureSocketImpl::bind6(const SocketAddress& address, bool reuseAddress, bool ipV6Only)
{
poco_check_ptr (_pSocket);
_pSocket->bind6(address, reuseAddress, ipV6Only);
}
void SecureSocketImpl::bind6(const SocketAddress& address, bool reuseAddress, bool reusePort, bool ipV6Only)
{
poco_check_ptr (_pSocket);
_pSocket->bind6(address, reuseAddress, reusePort, ipV6Only);
}
void SecureSocketImpl::listen(int backlog)
{
poco_check_ptr (_pSocket);

3
vendor/POCO/NetSSL_OpenSSL/src/VerificationErrorArgs.cpp vendored
View File

@@ -19,7 +19,8 @@ namespace Poco {
namespace Net {
VerificationErrorArgs::VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
VerificationErrorArgs::VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
_pContext(pContext),
_cert(cert),
_errorDepth(errDepth),
_errorNumber(errNum),