Update libraries and make it build on windows.

Still gets some warnings because compilers have changed. But should work.
2026-05-01 00:07:19 +02:00 · 2025-06-25 22:34:23 +03:00
parent 520a5eacc5
commit f2b7499f85
3038 changed files with 251668 additions and 273857 deletions
@@ -136,9 +136,24 @@ public:
 		SECURITY_LEVEL_256_BITS = 5
 	};

+	enum KeyDHGroup
+	{
+		// MODP
+		//KEY_DH_GROUP_768  = 1,  // (768-bit)
+		KEY_DH_GROUP_1024 = 2,  // (1024-bit)
+		//KEY_DH_GROUP_1536 = 5,  // (1536-bit)
+		KEY_DH_GROUP_2048 = 14, // (2048-bit)
+		//KEY_DH_GROUP_3072 = 15, // (3072-bit)
+
+		// ECP
+		//KEY_DH_GROUP_256 = 19, // (256-bit random)
+		//KEY_DH_GROUP_384 = 20, // (384-bit random)
+		//KEY_DH_GROUP_521 = 21  // (521-bit random)
+	};
+
 	struct NetSSL_API Params
 	{
-		Params();
+		Params(KeyDHGroup dhBits = KEY_DH_GROUP_2048);
 			/// Initializes the struct with default values.

 		std::string privateKeyFile;
@@ -176,12 +191,21 @@ public:
 		std::string cipherList;
 			/// Specifies the supported ciphers in OpenSSL notation.
 			/// Defaults to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
+			/// Note: The cipher list only applies for TLS 1.2 and 
+			/// earlier versions. To configure TLS 1.3 cipher suites, 
+			/// please use the cipherSuites member variable.
+
+		std::string cipherSuites;
+			/// Specifies the supported TLS 1.3 cipher suites.
+			/// If left empty, the OpenSSL default cipher suites
+			/// are used. Please refer to the OpenSSL documentation
+			/// for available cipher suite names.

 		std::string dhParamsFile;
 			/// Specifies a file containing Diffie-Hellman parameters.
 			/// If empty, the default parameters are used.

-		bool dhUse2048Bits;
+		KeyDHGroup dhGroup;
 			/// If set to true, will use 2048-bit MODP Group with 256-bit
 			/// prime order subgroup (RFC5114) instead of 1024-bit for DH.

@@ -289,7 +313,7 @@ public:
 	void addCertificateAuthority(const Poco::Crypto::X509Certificate& certificate);
 		/// Add one trusted certification authority to be used by the Context.

-	//@deprecated
+	//POCO_DEPRECATED("")
 	void usePrivateKey(const Poco::Crypto::RSAKey& key);
 		/// Sets the private key to be used by the Context.
 		///
@@ -439,11 +463,26 @@ public:
 	void setSecurityLevel(SecurityLevel level);
 		/// Sets the security level.

+	void ignoreUnexpectedEof(bool flag = true);
+		/// Enable or disable SSL/TLS SSL_OP_IGNORE_UNEXPECTED_EOF
+		///
+		/// Some TLS implementations do not send the mandatory close_notify alert on shutdown.
+		/// If the application tries to wait for the close_notify alert
+		/// but the peer closes the connection without sending it, an error is generated.
+		/// When this option is enabled the peer does not need to send the close_notify alert
+		/// and a closed connection will be treated as if the close_notify alert was received.
+
+	void setQuietShutdown(bool flag = true);
+		/// Normally, when an SSL connection is finished, the parties must send out close_notify alert messages for a clean shutdown.
+		/// When setting the "quiet shutdown" flag to true, the SecureSocketImpl::shutdown() will set the SSL shutdown flags,
+		/// but no close_notify alert is sent to the peer. This behaviour violates the TLS standard.
+		/// The default is a normal shutdown behaviour as described by the TLS standard.
+
 private:
 	void init(const Params& params);
 		/// Initializes the Context with the given parameters.

-	void initDH(bool use2048Bits, const std::string& dhFile);
+	void initDH(KeyDHGroup keyDHGroup, const std::string& dhFile);
 		/// Initializes the Context with Diffie-Hellman parameters.

 	void initECDH(const std::string& curve);
@@ -78,10 +78,12 @@ public:
 	HTTPSClientSession();
 		/// Creates an unconnected HTTPSClientSession.

-	explicit HTTPSClientSession(const SecureStreamSocket& socket);
+	explicit HTTPSClientSession(const SecureStreamSocket& socket, const std::string& host, Poco::UInt16 port = HTTPS_PORT);
 		/// Creates a HTTPSClientSession using the given socket.
 		/// The socket must not be connected. The session
 		/// takes ownership of the socket.
+		///
+		/// The given host name is used for certificate verification.

 	HTTPSClientSession(const SecureStreamSocket& socket, Session::Ptr pSession);
 		/// Creates a HTTPSClientSession using the given socket.
@@ -20,8 +20,8 @@
 #define NetSSL_NetSSL_INCLUDED


-#include "Poco/Crypto/Crypto.h"
 #include "Poco/Net/Net.h"
+#include "Poco/Crypto/Crypto.h"


 //
@@ -287,6 +287,10 @@ protected:
 		/// Returns the index for SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data() to
 		/// store the Context* in the underlying SSL_CTX.

+	int socketIndex() const;
+		/// Returns the index for SSL_set_ex_data() and SSL_get_ex_data() to
+		/// store the SecureSocketImpl* in the underlying SSL.
+
 private:
 	SSLManager();
 		/// Creates the SSLManager.
@@ -320,6 +324,7 @@ private:
 	PrivateKeyPassphraseHandlerPtr   _ptrClientPassphraseHandler;
 	InvalidCertificateHandlerPtr     _ptrClientCertificateHandler;
 	int                              _contextIndex;
+	int                              _socketIndex;
 	Poco::FastMutex                  _mutex;

 	static const std::string CFG_PRIV_KEY_FILE;
@@ -359,6 +364,7 @@ private:

 	friend class Poco::SingletonHolder<SSLManager>;
 	friend class Context;
+	friend class SecureSocketImpl;
 };


@@ -405,6 +411,12 @@ inline int SSLManager::contextIndex() const
 }


+inline int SSLManager::socketIndex() const
+{
+	return _socketIndex;
+}
+
+
 } } // namespace Poco::Net


@@ -148,10 +148,11 @@ public:
 		/// number of connections that can be queued
 		/// for this socket.

-	void shutdown();
+	int shutdown();
 		/// Shuts down the connection by attempting
 		/// an orderly SSL shutdown, then actually
-		/// shutting down the TCP connection.
+		/// shutting down the TCP connection in the
+		/// send direction.

 	void close();
 		/// Close the socket.
@@ -161,15 +162,6 @@ public:
 		/// underlying TCP connection. No orderly SSL shutdown
 		/// is performed.

-	void setBlocking(bool flag);
-		/// Sets the socket in blocking mode if flag is true,
-		/// disables blocking mode if flag is false.
-
-	bool getBlocking() const;
-		/// Returns the blocking mode of the socket.
-		/// This method will only work if the blocking modes of
-		/// the socket are changed via the setBlocking method!
-
 	int sendBytes(const void* buffer, int length, int flags = 0);
 		/// Sends the contents of the given buffer through
 		/// the socket. Any specified flags are ignored.
@@ -239,6 +231,12 @@ public:
 		/// Returns true iff a reused session was negotiated during
 		/// the handshake.

+	SocketImpl* socket();
+		/// Returns the underlying SocketImpl.
+		
+	const SocketImpl* socket() const;
+		/// Returns the underlying SocketImpl.
+
 protected:
 	void acceptSSL();
 		/// Performs a server-side SSL handshake and certificate verification.
@@ -280,25 +278,45 @@ protected:
 		/// Note that simply closing a socket is not sufficient
 		/// to be able to re-use it again.

+	static int onSessionCreated(SSL* pSSL, SSL_SESSION* pSession);
+		/// Callback to handle new session data sent by server.
+
 private:
+	using MutexT = Poco::FastMutex;
+	using LockT = MutexT::ScopedLock;
+	using UnLockT = Poco::ScopedLockWithUnlock<MutexT>;
+
 	SecureSocketImpl(const SecureSocketImpl&);
 	SecureSocketImpl& operator = (const SecureSocketImpl&);

-	SSL* _pSSL;
+	std::atomic<SSL*> _pSSL;
 	Poco::AutoPtr<SocketImpl> _pSocket;
 	Context::Ptr _pContext;
 	bool _needHandshake;
 	std::string _peerHostName;
 	Session::Ptr _pSession;
-	bool _bidirectShutdown = true;
+	mutable MutexT _mutex;

 	friend class SecureStreamSocketImpl;
+	friend class Context;
 };


 //
 // inlines
 //
+inline SocketImpl* SecureSocketImpl::socket()
+{
+	return _pSocket.get();
+}
+
+
+inline const SocketImpl* SecureSocketImpl::socket() const
+{
+	return _pSocket.get();
+}
+
+
 inline poco_socket_t SecureSocketImpl::sockfd()
 {
 	return _pSocket->sockfd();
@@ -53,8 +53,9 @@ class NetSSL_API SecureStreamSocket: public StreamSocket
 public:
 	enum
 	{
-		ERR_SSL_WANT_READ  = -1,
-		ERR_SSL_WANT_WRITE = -2
+		ERR_SSL_WOULD_BLOCK = -1,
+		ERR_SSL_WANT_READ  = -2,
+		ERR_SSL_WANT_WRITE = -3
 	};

 	SecureStreamSocket();
@@ -108,6 +109,12 @@ public:
 		///
 		/// The given host name is used for certificate verification.

+	SecureStreamSocket(const std::string& hostName);
+		/// Creates a secure stream socket using the default
+		/// client SSL context. The created socket is not connected.
+		///
+		/// The given host name is used for certificate verification.
+
 	SecureStreamSocket(const SocketAddress& address, const std::string& hostName, Context::Ptr pContext);
 		/// Creates a secure stream socket using the given
 		/// client SSL context and connects it to
@@ -115,6 +122,12 @@ public:
 		///
 		/// The given host name is used for certificate verification.

+	SecureStreamSocket(const std::string& hostName, Context::Ptr pContext);
+		/// Creates a secure stream socket using the given
+		/// client SSL context. The created socket is not connected.
+		///
+		/// The given host name is used for certificate verification.
+
 	SecureStreamSocket(const SocketAddress& address, const std::string& hostName, Context::Ptr pContext, Session::Ptr pSession);
 		/// Creates a secure stream socket using the given
 		/// client SSL context and connects it to
@@ -132,7 +145,7 @@ public:
 		/// a SecureStreamSocketImpl, otherwise an InvalidArgumentException
 		/// will be thrown.

-	virtual ~SecureStreamSocket();
+	~SecureStreamSocket() override;
 		/// Destroys the StreamSocket.

 	SecureStreamSocket& operator = (const Socket& socket);
@@ -39,12 +39,12 @@ public:
 	SecureStreamSocketImpl(StreamSocketImpl* pStreamSocket, Context::Ptr pContext);
 		/// Creates the SecureStreamSocketImpl.

-	SocketImpl* acceptConnection(SocketAddress& clientAddr);
+	SocketImpl* acceptConnection(SocketAddress& clientAddr) override;
 		/// Not supported by a SecureStreamSocket.
 		///
 		/// Throws a Poco::InvalidAccessException.

-	void connect(const SocketAddress& address);
+	void connect(const SocketAddress& address) override;
 		/// Initializes the socket and establishes a connection to
 		/// the TCP server at the given address.
 		///
@@ -52,57 +52,57 @@ public:
 		/// connection is established. Instead, incoming and outgoing
 		/// packets are restricted to the specified address.

-	void connect(const SocketAddress& address, const Poco::Timespan& timeout);
+	void connect(const SocketAddress& address, const Poco::Timespan& timeout) override;
 		/// Initializes the socket, sets the socket timeout and
 		/// establishes a connection to the TCP server at the given address.

-	void connectNB(const SocketAddress& address);
+	void connectNB(const SocketAddress& address) override;
 		/// Initializes the socket and establishes a connection to
 		/// the TCP server at the given address. Prior to opening the
 		/// connection the socket is set to nonblocking mode.

-	void bind(const SocketAddress& address, bool reuseAddress = false);
+	void bind(const SocketAddress& address, bool reuseAddress = false) override;
 		/// Not supported by a SecureStreamSocket.
 		///
 		/// Throws a Poco::InvalidAccessException.

-	void listen(int backlog = 64);
+	void listen(int backlog = 64) override;
 		/// Not supported by a SecureStreamSocket.
 		///
 		/// Throws a Poco::InvalidAccessException.

-	void close();
+	void close() override;
 		/// Close the socket.

-	int sendBytes(const void* buffer, int length, int flags = 0);
+	int sendBytes(const void* buffer, int length, int flags = 0) override;
 		/// Sends the contents of the given buffer through
 		/// the socket. Any specified flags are ignored.
 		///
 		/// Returns the number of bytes sent, which may be
 		/// less than the number of bytes specified.

-	int receiveBytes(void* buffer, int length, int flags = 0);
+	int receiveBytes(void* buffer, int length, int flags = 0) override;
 		/// Receives data from the socket and stores it
 		/// in buffer. Up to length bytes are received.
 		///
 		/// Returns the number of bytes received.

-	int sendTo(const void* buffer, int length, const SocketAddress& address, int flags = 0);
+	int sendTo(const void* buffer, int length, const SocketAddress& address, int flags = 0) override;
 		/// Not supported by a SecureStreamSocket.
 		///
 		/// Throws a Poco::InvalidAccessException.

-	int receiveFrom(void* buffer, int length, SocketAddress& address, int flags = 0);
+	int receiveFrom(void* buffer, int length, SocketAddress& address, int flags = 0) override;
 		/// Not supported by a SecureStreamSocket.
 		///
 		/// Throws a Poco::InvalidAccessException.

-	void sendUrgent(unsigned char data);
+	void sendUrgent(unsigned char data) override;
 		/// Not supported by a SecureStreamSocket.
 		///
 		/// Throws a Poco::InvalidAccessException.

-	int available();
+	int available() override;
 		/// Returns the number of bytes available that can be read
 		/// without causing the socket to block.
 		///
@@ -110,26 +110,37 @@ public:
 		/// can be read from the currently buffered SSL record,
 		/// before a new record is read from the underlying socket.

-	void shutdownReceive();
+	void shutdownReceive() override;
 		/// Shuts down the receiving part of the socket connection.
 		///
 		/// Since SSL does not support a half shutdown, this does
 		/// nothing.

-	void shutdownSend();
+	int shutdownSend() override;
 		/// Shuts down the receiving part of the socket connection.
 		///
-		/// Since SSL does not support a half shutdown, this does
-		/// nothing.
+		/// Sends a close notify shutdown alert message to the peer
+		/// (if not sent yet), then calls shutdownSend() on the
+		/// underlying socket.
+		///
+		/// Returns 0 if the message has been sent.
+		/// Returns 1 if the message has been sent, but the peer
+		/// has not yet sent its shutdown alert message.
+		/// In case of a non-blocking socket, returns < 0 if the
+		/// message cannot be sent at the moment. In this case,
+		/// the call to shutdownSend() must be retried after the
+		/// underlying socket becomes writable again.

-	void shutdown();
+	int shutdown() override;
 		/// Shuts down the SSL connection.
+		///
+		/// Same as shutdownSend().

 	void abort();
 		/// Aborts the connection by closing the underlying
 		/// TCP connection. No orderly SSL shutdown is performed.

-	bool secure() const;
+	bool secure() const override;
 		/// Returns true iff the socket's connection is secure
 		/// (using SSL or TLS).

@@ -196,6 +207,12 @@ public:
 		/// Returns true iff a reused session was negotiated during
 		/// the handshake.

+	// SocketImpl
+	virtual void setBlocking(bool flag) override;
+	virtual bool getBlocking() const override;
+	virtual void setRawOption(int level, int option, const void* value, poco_socklen_t length) override;
+	virtual void getRawOption(int level, int option, void* value, poco_socklen_t& length) override;
+	
 protected:
 	void acceptSSL();
 		/// Performs a SSL server-side handshake.
@@ -203,7 +220,7 @@ protected:
 	void connectSSL();
 		/// Performs a SSL client-side handshake on an already connected TCP socket.

-	~SecureStreamSocketImpl();
+	~SecureStreamSocketImpl() override;
 		/// Destroys the SecureStreamSocketImpl.

 	static int lastError();
@@ -42,6 +42,9 @@ public:
 	SSL_SESSION* sslSession() const;
 		/// Returns the stored OpenSSL SSL_SESSION object.

+	bool isResumable() const;
+		/// Returns true if the session is resumable.
+
 protected:
 	Session(SSL_SESSION* pSession);
 		/// Creates a new Session object, using the given