You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@geode.apache.org by bb...@apache.org on 2020/01/07 22:05:06 UTC
[geode-native] branch develop updated: GEODE-7625: Remove broken
Diffie-Hellman code
This is an automated email from the ASF dual-hosted git repository.
bbender pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/geode-native.git
The following commit(s) were added to refs/heads/develop by this push:
new de672d7 GEODE-7625: Remove broken Diffie-Hellman code
de672d7 is described below
commit de672d7faded5b17c8c22ecabaa6aaf3deab24cb
Author: Jacob Barrett <jb...@pivotal.io>
AuthorDate: Tue Jan 7 14:04:58 2020 -0800
GEODE-7625: Remove broken Diffie-Hellman code
* GEODE-7625: Remove broken DH.
Replace with error message when DH is configured.
* Windows changes
* clang-tidy fixes
---
CMakeLists.txt | 1 -
clicache/integration-test/test.bat.in | 2 -
cppcache/include/geode/SystemProperties.hpp | 15 +-
cppcache/integration-test/CMakeLists.txt | 4 +-
cppcache/integration-test/test.bat.in | 1 -
cppcache/integration-test/test.sh.in | 1 -
.../integration-test/testThinClientSecurityDH.cpp | 471 --------------
.../testThinClientSecurityDH_MU.cpp | 503 ---------------
cppcache/integration/test/CMakeLists.txt | 2 +-
cppcache/src/DiffieHellman.cpp | 198 ------
cppcache/src/DiffieHellman.hpp | 109 ----
cppcache/src/DistributedSystem.hpp | 1 -
cppcache/src/DistributedSystemImpl.cpp | 5 +-
cppcache/src/DistributedSystemImpl.hpp | 2 -
cppcache/src/SystemProperties.cpp | 6 +-
cppcache/src/TcrConnection.cpp | 144 +----
cppcache/src/TcrConnection.hpp | 23 -
cppcache/src/TcrMessage.cpp | 44 +-
cppcache/src/TcrMessage.hpp | 4 +-
cppcache/src/ThinClientBaseDM.cpp | 8 +-
cryptoimpl/CMakeLists.txt | 2 -
cryptoimpl/DHImpl.cpp | 713 ---------------------
cryptoimpl/DHImpl.hpp | 100 ---
dhimpl/CMakeLists.txt | 45 --
dhimpl/DHImpl.cpp | 612 ------------------
dhimpl/DHImpl.hpp | 69 --
.../configuring/sysprops.html.md.erb | 2 +-
.../security/security-systemprops.html.md.erb | 2 +-
.../configuring/sysprops.html.md.erb | 2 +-
.../security/security-systemprops.html.md.erb | 2 +-
templates/security/CMakeLists.txt | 2 -
templates/security/PkcsAuthInit.cpp | 192 ------
templates/security/PkcsAuthInit.hpp | 96 ---
tests/cli/CMakeLists.txt | 1 -
tests/cli/NewFwkLib/CacheServer.cs | 53 --
tests/cli/NewFwkLib/NewFwkLib.csproj.in | 5 -
tests/cli/PkcsWrapper/CMakeLists.txt | 57 --
tests/cli/PkcsWrapper/PkcsAuthInitMN.cpp | 47 --
tests/cli/PkcsWrapper/PkcsAuthInitMN.hpp | 65 --
tests/cli/SecurityUtil/CredentialGeneratorN.cs | 2 -
tests/cli/SecurityUtil/SecurityUtil.csproj.in | 5 -
.../SecurityUtil/XmlAuthzCredentialGeneratorN.cs | 12 -
tests/cpp/security/CMakeLists.txt | 2 -
tests/cpp/security/PkcsAuthInit.cpp | 220 -------
tests/cpp/security/PkcsAuthInit.hpp | 100 ---
45 files changed, 55 insertions(+), 3897 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index c1e6b38..cf9c5e4 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -366,7 +366,6 @@ add_subdirectory(dependencies)
add_subdirectory(openssl-compat)
add_subdirectory(cppcache)
add_subdirectory(cryptoimpl)
-add_subdirectory(dhimpl)
add_subdirectory(sqliteimpl)
add_subdirectory(templates/security)
add_subdirectory(docs/api)
diff --git a/clicache/integration-test/test.bat.in b/clicache/integration-test/test.bat.in
index 5c358c4..87874b1 100644
--- a/clicache/integration-test/test.bat.in
+++ b/clicache/integration-test/test.bat.in
@@ -22,9 +22,7 @@ set PATH=$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:framework>>;%PATH%
set PATH=$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:testobject>>;%PATH%
set PATH=$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:SqLiteImpl>>;%PATH%
set PATH=$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:cryptoImpl>>;%PATH%
-set PATH=$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:DHImpl>>;%PATH%
set PATH=$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:securityImpl>>;%PATH%
-set PATH=$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:PkcsWrapper>>;%PATH%
set PATH=$<JOIN:$<SHELL_PATH:${PATH}>,;>;%PATH%
set PATH=c:\Program Files (x86)\Nunit 2.6.4\bin;%PATH%
diff --git a/cppcache/include/geode/SystemProperties.hpp b/cppcache/include/geode/SystemProperties.hpp
index f00d6aa..ab4963e 100644
--- a/cppcache/include/geode/SystemProperties.hpp
+++ b/cppcache/include/geode/SystemProperties.hpp
@@ -283,7 +283,12 @@ class APACHE_GEODE_EXPORT SystemProperties {
m_onClientDisconnectClearPdxTypeIds = set;
}
- /** Return the security Diffie-Hellman secret key algorithm */
+ /**
+ * @return Empty string
+ * @deprecated Diffie-Hellman based credentials encryption is not supported.
+ */
+ _GEODE_DEPRECATED_(
+ "Diffie-Hellman based credentials encryption is not supported.")
const std::string& securityClientDhAlgo() const {
return m_securityClientDhAlgo;
}
@@ -308,10 +313,12 @@ class APACHE_GEODE_EXPORT SystemProperties {
}
/**
- * Check whether Diffie-Hellman based credentials encryption is on.
- * @return bool flag to indicate whether DH for credentials is on.
+ * @deprecated Diffie-Hellman based credentials encryption is not supported.
+ * @return false.
*/
- bool isDhOn() const { return !m_securityClientDhAlgo.empty(); }
+ _GEODE_DEPRECATED_(
+ "Diffie-Hellman based credentials encryption is not supported.")
+ bool isDhOn() const { return false; }
/**
* Whether a non durable client starts to receive and process
diff --git a/cppcache/integration-test/CMakeLists.txt b/cppcache/integration-test/CMakeLists.txt
index f231bf8..dc2d6b5 100644
--- a/cppcache/integration-test/CMakeLists.txt
+++ b/cppcache/integration-test/CMakeLists.txt
@@ -124,7 +124,7 @@ foreach(FILE ${SOURCES})
endif()
# Some tests depend on these library
- add_dependencies(${TEST} securityImpl cryptoImpl DHImpl SqLiteImpl)
+ add_dependencies(${TEST} securityImpl cryptoImpl SqLiteImpl)
add_clangformat(${TEST})
@@ -232,8 +232,6 @@ set_property(TEST testThinClientSecurityAuthentication PROPERTY LABELS OMITTED)
set_property(TEST testThinClientSecurityAuthenticationMU PROPERTY LABELS OMITTED)
set_property(TEST testThinClientSecurityAuthorization PROPERTY LABELS OMITTED)
set_property(TEST testThinClientSecurityAuthorizationMU PROPERTY LABELS OMITTED)
-set_property(TEST testThinClientSecurityDH PROPERTY LABELS OMITTED)
-set_property(TEST testThinClientSecurityDH_MU PROPERTY LABELS OMITTED)
set_property(TEST testThinClientSecurityDurableCQAuthorizationMU PROPERTY LABELS OMITTED)
set_property(TEST testThinClientSecurityPostAuthorization PROPERTY LABELS OMITTED)
set_property(TEST testThinClientTicket303 PROPERTY LABELS OMITTED)
diff --git a/cppcache/integration-test/test.bat.in b/cppcache/integration-test/test.bat.in
index ba99c08..8bf1f6b 100644
--- a/cppcache/integration-test/test.bat.in
+++ b/cppcache/integration-test/test.bat.in
@@ -22,7 +22,6 @@ set PATH=%PATH%;$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:framework>>
set PATH=%PATH%;$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:testobject>>
set PATH=%PATH%;$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:SqLiteImpl>>
set PATH=%PATH%;$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:cryptoImpl>>
-set PATH=%PATH%;$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:DHImpl>>
set PATH=%PATH%;$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:securityImpl>>
set PATH=%PATH%;$<SHELL_PATH:$<TARGET_LINKER_FILE_DIR:unit_test_callbacks>>
set PATH=%PATH%;$<JOIN:$<SHELL_PATH:${PATH}>,;>
diff --git a/cppcache/integration-test/test.sh.in b/cppcache/integration-test/test.sh.in
index 033d0a1..920cf9b 100644
--- a/cppcache/integration-test/test.sh.in
+++ b/cppcache/integration-test/test.sh.in
@@ -23,7 +23,6 @@ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$<TARGET_LINKER_FILE_DIR:framework>
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$<TARGET_LINKER_FILE_DIR:testobject>
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$<TARGET_LINKER_FILE_DIR:SqLiteImpl>
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$<TARGET_LINKER_FILE_DIR:cryptoImpl>
-export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$<TARGET_LINKER_FILE_DIR:DHImpl>
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$<TARGET_LINKER_FILE_DIR:securityImpl>
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$<TARGET_LINKER_FILE_DIR:unit_test_callbacks>
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$<JOIN:${LD_LIBRARY_PATH},:>
diff --git a/cppcache/integration-test/testThinClientSecurityDH.cpp b/cppcache/integration-test/testThinClientSecurityDH.cpp
deleted file mode 100644
index 776f584..0000000
--- a/cppcache/integration-test/testThinClientSecurityDH.cpp
+++ /dev/null
@@ -1,471 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include "fw_dunit.hpp"
-#include "ThinClientHelper.hpp"
-#include <ace/OS.h>
-#include <ace/High_Res_Timer.h>
-
-#include "ThinClientSecurity.hpp"
-
-/* Test Coverage DH Algo
-BF1 - Blowfish:128 , BF2 - Blowfish:448
-AES1- AES:128, AES2- AES:192, AES3- AES:256
-DES- DESede:192
-
-ATTENTION: Blowfish:448, AES:192 and AES:256 needs Unlimited security strength
-policy. For this
-1- Downloaded jce_policy-6.zip from
-http://java.sun.com/javase/downloads/index.jsp.
-2- Unzip and replace 2 jar files in $gfe.dir/jre/lib/security folder.
- Above mentioned Algo are commented as we can't ship product folder with above
-mentioned Jar files.
- To test this test fully, please make above changes and uncomment related Algo
-portion in this test.
-*/
-
-#define BF1 "Blowfish:128"
-#define BF2 "Blowfish:448"
-#define AES1 "AES:128"
-#define AES2 "AES:192"
-#define AES3 "AES:256"
-#define DES "DESede"
-
-#define CLIENT1 s1p1
-#define CLIENT2 s1p2
-#define CLIENT3 s2p1
-#define LOCATORSERVER s2p2
-
-#define CORRECT_CREDENTIALS 'C'
-#define INCORRECT_CREDENTIALS 'I'
-
-using apache::geode::client::testframework::security::CredentialGenerator;
-
-const char *locHostPort =
- CacheHelper::getLocatorHostPort(isLocator, isLocalServer, 1);
-const char *regionNamesAuth[] = {"DistRegionAck", "DistRegionNoAck"};
-std::shared_ptr<CredentialGenerator> credentialGeneratorHandler;
-
-std::string getXmlPath() {
- char xmlPath[1000] = {'\0'};
- const char *path = ACE_OS::getenv("TESTSRC");
- ASSERT(path != nullptr,
- "Environment variable TESTSRC for test source directory is not set.");
- strncpy(xmlPath, path, strlen(path) - strlen("cppcache"));
- strncat(xmlPath, "xml/Security/", sizeof(xmlPath) - strlen(xmlPath) - 1);
- return std::string(xmlPath);
-}
-
-void initCredentialGenerator() {
- static int loopNum = 1;
-
- switch (loopNum) {
- case 1: {
- credentialGeneratorHandler = CredentialGenerator::create("DUMMY");
- LOG("Creating Dummy Credential Generator");
- break;
- }
- case 2: {
- credentialGeneratorHandler = CredentialGenerator::create("LDAP");
- LOG("Creating LDAP Credential Generator");
- break;
- }
- default:
- case 3: {
- credentialGeneratorHandler = CredentialGenerator::create("PKCS");
- LOG("Creating PKCS Credential Generator");
- break;
- }
- }
-
- if (credentialGeneratorHandler == nullptr) {
- FAIL("credentialGeneratorHandler is nullptr");
- }
-
- loopNum++;
- if (loopNum > 3) loopNum = 1;
-}
-
-void initClientAuth(char credentialsType, const char *dhAlgo) {
- printf("Initializing Client with %s credential and %s DH Algo\n",
- credentialsType == CORRECT_CREDENTIALS ? "Valid" : "Invalid", dhAlgo);
-
- auto config = Properties::create();
-
- config->insert("security-client-dhalgo", dhAlgo);
- std::string testsrc = ACE_OS::getenv("TESTSRC");
- testsrc += "/keystore/geode.pem";
- printf("KeyStore Path is: %s", testsrc.c_str());
- config->insert("security-client-kspath", testsrc.c_str());
-
- if (credentialGeneratorHandler == nullptr) {
- FAIL("credentialGeneratorHandler is nullptr");
- }
- bool insertAuthInit = true;
- switch (credentialsType) {
- case CORRECT_CREDENTIALS:
- credentialGeneratorHandler->getValidCredentials(config);
- config->insert("security-password",
- config->find("security-username")->value().c_str());
- printf("Username is %s and Password is %s ",
- config->find("security-username")->value().c_str(),
- config->find("security-password")->value().c_str());
- break;
- case INCORRECT_CREDENTIALS:
- credentialGeneratorHandler->getInvalidCredentials(config);
- config->insert("security-password", "junk");
- printf("Username is %s and Password is %s ",
- config->find("security-username")->value().c_str(),
- config->find("security-password")->value().c_str());
- break;
- default:
- insertAuthInit = false;
- break;
- }
- if (insertAuthInit) {
- credentialGeneratorHandler->getAuthInit(config);
- }
-
- try {
- initClient(true, config);
- } catch (...) {
- throw;
- }
-}
-
-void InitIncorrectClients(const char *dhAlgo) {
- try {
- initClientAuth(INCORRECT_CREDENTIALS, dhAlgo);
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- LOG(other.what());
- }
-
- try {
- createRegionForSecurity(regionNamesAuth[0], USE_ACK, true);
- FAIL("Should have thrown AuthenticationFailedException.");
- } catch (const apache::geode::client::AuthenticationFailedException &other) {
- LOG(other.getStackTrace());
- LOG(other.what());
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- LOG(other.what());
- FAIL("Only AuthenticationFailedException is expected");
- }
- LOG("InitIncorrectClients Completed");
-}
-
-void InitCorrectClients(const char *dhAlgo) {
- try {
- initClientAuth(CORRECT_CREDENTIALS, dhAlgo);
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- LOG(other.what());
- }
- try {
- createRegionForSecurity(regionNamesAuth[0], USE_ACK, true);
- createEntry(regionNamesAuth[0], keys[0], vals[0]);
- updateEntry(regionNamesAuth[0], keys[0], nvals[0]);
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- FAIL(other.what());
- }
- LOG("Handshake and Authentication successfully completed");
-}
-
-void DoNetSearch() {
- try {
- createRegionForSecurity(regionNamesAuth[1], USE_ACK, true);
- auto regPtr0 = getHelper()->getRegion(regionNamesAuth[0]);
- auto keyPtr = CacheableKey::create(keys[0]);
- auto checkPtr =
- std::dynamic_pointer_cast<CacheableString>(regPtr0->get(keyPtr));
- if (checkPtr != nullptr && !strcmp(nvals[0], checkPtr->value().c_str())) {
- LOG("checkPtr is not null");
- char buf[1024];
- sprintf(buf, "In net search, get returned %s for key %s",
- checkPtr->value().c_str(), keys[0]);
- LOG(buf);
- } else {
- LOG("checkPtr is nullptr");
- }
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- FAIL(other.what());
- }
- LOG("Handshake and Authentication successfully completed after FailOver");
-}
-
-void initSecurityServer(int instance) {
- std::string cmdServerAuthenticator;
- if (credentialGeneratorHandler == nullptr) {
- FAIL("credentialGeneratorHandler is nullptr");
- }
-
- try {
- if (isLocalServer) {
- cmdServerAuthenticator = credentialGeneratorHandler->getServerCmdParams(
- "authenticator", getXmlPath());
-
- std::string testsrc = ACE_OS::getenv("TESTSRC");
- if (instance == 1) {
- testsrc += "/keystore/geode1.keystore";
- cmdServerAuthenticator += " security-server-kspath=";
- cmdServerAuthenticator += testsrc;
- cmdServerAuthenticator +=
- " security-server-ksalias=geode1 "
- "security-server-kspasswd=geode";
- } else if (instance == 2) {
- testsrc += "/keystore/geode2.keystore";
- cmdServerAuthenticator += " security-server-kspath=";
- cmdServerAuthenticator += testsrc;
- cmdServerAuthenticator +=
- " security-server-ksalias=geode2 "
- "security-server-kspasswd=geode";
- }
-
- printf("Input to server cmd is --> %s\n",
- cmdServerAuthenticator.c_str());
- CacheHelper::initServer(
- instance, nullptr, locHostPort,
- const_cast<char *>(cmdServerAuthenticator.c_str()));
- }
- } catch (...) {
- printf("this is some exception");
- }
-}
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CreateLocator)
- {
- if (isLocator) CacheHelper::initLocator(1);
- LOG("Locator1 started");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CreateServer1)
- {
- initCredentialGenerator();
- initSecurityServer(1);
- LOG("Server1 started");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CreateServer2)
- {
- initSecurityServer(2);
- LOG("Server2 started");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1UpDownIncorrectBF1)
- {
- initCredentialGenerator();
- InitIncorrectClients(BF1);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2UpDownIncorrectAES1)
- {
- initCredentialGenerator();
- InitIncorrectClients(AES1);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3UpDownIncorrectDES)
- {
- initCredentialGenerator();
- InitIncorrectClients(DES);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1UpCorrectBF1)
- {
- InitCorrectClients(BF1);
- LOG("Client created");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2UpCorrectAES1)
- {
- InitCorrectClients(AES1);
- LOG("Client created");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3UpCorrectDES)
- {
- InitCorrectClients(DES);
- LOG("Client created");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1UpDownIncorrectBF2)
- {
- InitIncorrectClients(BF2);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2UpDownIncorrectAES2)
- {
- InitIncorrectClients(AES2);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3UpDownIncorrectAES3)
- {
- InitIncorrectClients(AES3);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1UpDownCorrectBF2)
- {
- InitCorrectClients(BF2);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2UpDownCorrectAES2)
- {
- InitCorrectClients(AES2);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3UpDownCorrectAES3)
- {
- InitCorrectClients(AES3);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1NetSearch)
- {
- SLEEP(1000);
- DoNetSearch();
- LOG("StepFive Completed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2NetSearch)
- {
- DoNetSearch();
- LOG("StepFive Completed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3NetSearch)
- {
- DoNetSearch();
- LOG("StepFive Completed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, CloseCache1)
- { cleanProc(); }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, CloseCache2)
- { cleanProc(); }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, CloseCache3)
- { cleanProc(); }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CloseServer1)
- {
- if (isLocalServer) {
- CacheHelper::closeServer(1);
- LOG("SERVER1 stopped");
- }
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CloseServer2)
- {
- if (isLocalServer) {
- CacheHelper::closeServer(2);
- LOG("SERVER2 stopped");
- }
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CloseLocator)
- {
- if (isLocator) {
- CacheHelper::closeLocator(1);
- LOG("Locator1 stopped");
- }
- }
-END_TASK_DEFINITION
-
-void doThinClientSecurityDH() {
- CALL_TASK(CreateLocator);
- CALL_TASK(CreateServer1);
- CALL_TASK(C1UpDownIncorrectBF1);
- CALL_TASK(C2UpDownIncorrectAES1);
- CALL_TASK(C3UpDownIncorrectDES);
- CALL_TASK(C1UpCorrectBF1);
- CALL_TASK(C2UpCorrectAES1);
- CALL_TASK(C3UpCorrectDES);
- CALL_TASK(CreateServer2);
- CALL_TASK(CloseServer1);
- CALL_TASK(C1NetSearch);
- CALL_TASK(C2NetSearch);
- CALL_TASK(C3NetSearch);
- CALL_TASK(CloseCache1);
- CALL_TASK(CloseCache2);
- CALL_TASK(CloseCache3);
-
- // Commented for Unlimited Security strength policy : See comment at top of
- // testThinClientSecurityDH.cpp
- // CALL_TASK(C1UpDownIncorrectBF2);
- // CALL_TASK(C2UpDownIncorrectAES2);
- // CALL_TASK(C3UpDownIncorrectAES3);
- // CALL_TASK(C1UpDownCorrectBF2);
- // CALL_TASK(C2UpDownCorrectAES2);
- // CALL_TASK(C3UpDownCorrectAES3);
- CALL_TASK(CloseServer2);
- CALL_TASK(CloseLocator);
-}
-
-DUNIT_MAIN
- { doThinClientSecurityDH(); }
-END_MAIN
diff --git a/cppcache/integration-test/testThinClientSecurityDH_MU.cpp b/cppcache/integration-test/testThinClientSecurityDH_MU.cpp
deleted file mode 100644
index 68a62d0..0000000
--- a/cppcache/integration-test/testThinClientSecurityDH_MU.cpp
+++ /dev/null
@@ -1,503 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define ROOT_NAME "testThinClientSecurityDH_MU"
-
-#include "fw_dunit.hpp"
-#include "ThinClientHelper.hpp"
-#include <ace/OS.h>
-#include <ace/High_Res_Timer.h>
-
-#include "ThinClientSecurity.hpp"
-
-/* Test Coverage DH Algo
-BF1 - Blowfish:128 , BF2 - Blowfish:448
-AES1- AES:128, AES2- AES:192, AES3- AES:256
-DES- DESede:192
-
-ATTENTION: Blowfish:448, AES:192 and AES:256 needs Unlimited security strength
-policy. For this
-1- Downloaded jce_policy-6.zip from
-http://java.sun.com/javase/downloads/index.jsp.
-2- Unzip and replace 2 jar files in $gfe.dir/jre/lib/security folder.
- Above mentioned Algo are commented as we can't ship product folder with above
-mentioned Jar files.
- To test this test fully, please make above changes and uncomment related Algo
-portion in this test.
-*/
-
-#define BF1 "Blowfish:128"
-#define BF2 "Blowfish:448"
-#define AES1 "AES:128"
-#define AES2 "AES:192"
-#define AES3 "AES:256"
-#define DES "DESede"
-
-#define CLIENT1 s1p1
-#define CLIENT2 s1p2
-#define CLIENT3 s2p1
-#define LOCATORSERVER s2p2
-
-#define CORRECT_CREDENTIALS 'C'
-#define INCORRECT_CREDENTIALS 'I'
-
-using apache::geode::client::testframework::security::CredentialGenerator;
-
-const char *locHostPort =
- CacheHelper::getLocatorHostPort(isLocator, isLocalServer, 1);
-const char *regionNamesAuth[] = {"DistRegionAck", "DistRegionNoAck"};
-std::shared_ptr<CredentialGenerator> credentialGeneratorHandler;
-
-std::string getXmlPath() {
- char xmlPath[1000] = {'\0'};
- const char *path = ACE_OS::getenv("TESTSRC");
- ASSERT(path != nullptr,
- "Environment variable TESTSRC for test source directory is not set.");
- strncpy(xmlPath, path, strlen(path) - strlen("cppcache"));
- strncat(xmlPath, "xml/Security/", sizeof(xmlPath) - strlen(xmlPath) - 1);
- return std::string(xmlPath);
-}
-
-void initCredentialGenerator() {
- static int loopNum = 1;
-
- switch (loopNum) {
- case 1: {
- credentialGeneratorHandler = CredentialGenerator::create("DUMMY");
- LOG("Creating Dummy Credential Generator");
- break;
- }
- case 2: {
- credentialGeneratorHandler = CredentialGenerator::create("LDAP");
- LOG("Creating LDAP Credential Generator");
- break;
- }
- default:
- case 3: {
- credentialGeneratorHandler = CredentialGenerator::create("PKCS");
- LOG("Creating PKCS Credential Generator");
- break;
- }
- }
-
- if (credentialGeneratorHandler == nullptr) {
- FAIL("credentialGeneratorHandler is nullptr");
- }
-
- loopNum++;
- if (loopNum > 2) loopNum = 1;
-}
-
-static std::shared_ptr<Properties> userCreds;
-
-void initClientAuth(char credentialsType, const char *dhAlgo) {
- printf("Initializing Client with %s credential and %s DH Algo\n",
- credentialsType == CORRECT_CREDENTIALS ? "Valid" : "Invalid", dhAlgo);
-
- auto config = Properties::create();
- userCreds = Properties::create();
-
- config->insert("security-client-dhalgo", dhAlgo);
- std::string testsrc = ACE_OS::getenv("TESTSRC");
- testsrc += "/keystore/geode.pem";
- printf("KeyStore Path is: %s", testsrc.c_str());
- config->insert("security-client-kspath", testsrc.c_str());
-
- if (credentialGeneratorHandler == nullptr) {
- FAIL("credentialGeneratorHandler is nullptr");
- }
- bool insertAuthInit = true;
- switch (credentialsType) {
- case CORRECT_CREDENTIALS:
- credentialGeneratorHandler->getValidCredentials(userCreds);
- userCreds->insert("security-password",
- userCreds->find("security-username")->value().c_str());
- printf("Username is %s and Password is %s ",
- userCreds->find("security-username")->value().c_str(),
- userCreds->find("security-password")->value().c_str());
- break;
- case INCORRECT_CREDENTIALS:
- credentialGeneratorHandler->getInvalidCredentials(userCreds);
- userCreds->insert("security-password", "junk");
- printf("Username is %s and Password is %s ",
- userCreds->find("security-username")->value().c_str(),
- userCreds->find("security-password")->value().c_str());
- break;
- default:
- insertAuthInit = false;
- break;
- }
- if (insertAuthInit) {
- // credentialGeneratorHandler->getAuthInit(config);
- }
-
- try {
- initClient(true, config);
- } catch (...) {
- throw;
- }
-}
-
-void InitIncorrectClients(const char *dhAlgo) {
- try {
- initClientAuth(INCORRECT_CREDENTIALS, dhAlgo);
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- LOG(other.what());
- }
-
- try {
- createRegionForSecurity(regionNamesAuth[0], USE_ACK, false, nullptr, false,
- -1, true, 0);
- auto pool = getPool(regionNamesAuth[0]);
- LOG(" 6");
- if (pool != nullptr) {
- LOG(" 7");
- auto virtualCache = getVirtualCache(userCreds, pool);
- LOG(" 8");
- virtualCache.getRegion(regionNamesAuth[0])->put(keys[0], vals[0]);
- LOG("Operation allowed, something is wrong.");
- }
- FAIL("Should have thrown AuthenticationFailedException.");
- } catch (const apache::geode::client::AuthenticationFailedException &other) {
- LOG(other.getStackTrace());
- LOG(other.what());
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- LOG(other.what());
- FAIL("Only AuthenticationFailedException is expected");
- }
- LOG("InitIncorrectClients Completed");
-}
-
-void InitCorrectClients(const char *dhAlgo) {
- try {
- initClientAuth(CORRECT_CREDENTIALS, dhAlgo);
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- LOG(other.what());
- }
- try {
- createRegionForSecurity(regionNamesAuth[0], USE_ACK, false, nullptr, false,
- -1, true, 0);
- auto pool = getPool(regionNamesAuth[0]);
- LOG(" 6");
-
- LOG(" 7");
- auto virtualCache = getVirtualCache(userCreds, pool);
- LOG(" 8");
- auto regionPtr = virtualCache.getRegion(regionNamesAuth[0]);
-
- for (int i = 0; i < 100; i++) regionPtr->put(keys[0], vals[0]);
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- FAIL(other.what());
- }
- LOG("Handshake and Authentication successfully completed");
-}
-
-void DoNetSearch() {
- try {
- createRegionForSecurity(regionNamesAuth[1], USE_ACK, false, nullptr, false,
- -1, true, 0);
- auto pool = getPool(regionNamesAuth[1]);
- LOG(" 6");
-
- LOG(" 7");
- auto virtualCache = getVirtualCache(userCreds, pool);
- LOG(" 8");
- auto regionPtr = virtualCache.getRegion(regionNamesAuth[1]);
-
- auto keyPtr = CacheableKey::create(keys[0]);
- auto checkPtr =
- std::dynamic_pointer_cast<CacheableString>(regionPtr->get(keyPtr));
- if (checkPtr != nullptr && !strcmp(vals[0], checkPtr->value().c_str())) {
- LOG("checkPtr is not null");
- char buf[1024];
- sprintf(buf, "In net search, get returned %s for key %s",
- checkPtr->value().c_str(), keys[0]);
- LOG(buf);
- } else {
- LOG("checkPtr is nullptr");
- }
- } catch (const apache::geode::client::Exception &other) {
- LOG(other.getStackTrace());
- FAIL(other.what());
- }
- LOG("Handshake and Authentication successfully completed after FailOver");
-}
-
-void initSecurityServer(int instance) {
- std::string cmdServerAuthenticator;
- if (credentialGeneratorHandler == nullptr) {
- FAIL("credentialGeneratorHandler is nullptr");
- }
-
- try {
- if (isLocalServer) {
- cmdServerAuthenticator = credentialGeneratorHandler->getServerCmdParams(
- "authenticator", getXmlPath());
-
- std::string testsrc = ACE_OS::getenv("TESTSRC");
- if (instance == 1) {
- testsrc += "/keystore/geode1.keystore";
- cmdServerAuthenticator += " security-server-kspath=";
- cmdServerAuthenticator += testsrc;
- cmdServerAuthenticator +=
- " security-server-ksalias=geode1 "
- "security-server-kspasswd=geode";
- } else if (instance == 2) {
- testsrc += "/keystore/geode2.keystore";
- cmdServerAuthenticator += " security-server-kspath=";
- cmdServerAuthenticator += testsrc;
- cmdServerAuthenticator +=
- " security-server-ksalias=geode2 "
- "security-server-kspasswd=geode";
- }
-
- printf("Input to server cmd is --> %s\n",
- cmdServerAuthenticator.c_str());
- CacheHelper::initServer(
- instance, nullptr, locHostPort,
- const_cast<char *>(cmdServerAuthenticator.c_str()));
- }
- } catch (...) {
- printf("this is some exception");
- }
-}
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CreateLocator)
- {
- if (isLocator) CacheHelper::initLocator(1);
- LOG("Locator1 started");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CreateServer1)
- {
- initCredentialGenerator();
- initSecurityServer(1);
- LOG("Server1 started");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CreateServer2)
- {
- initSecurityServer(2);
- LOG("Server2 started");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1UpDownIncorrectBF1)
- {
- initCredentialGenerator();
- InitIncorrectClients(BF1);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2UpDownIncorrectAES1)
- {
- initCredentialGenerator();
- InitIncorrectClients(AES1);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3UpDownIncorrectDES)
- {
- initCredentialGenerator();
- InitIncorrectClients(DES);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1UpCorrectBF1)
- {
- InitCorrectClients(BF1);
- LOG("Client created");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2UpCorrectAES1)
- {
- InitCorrectClients(AES1);
- LOG("Client created");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3UpCorrectDES)
- {
- InitCorrectClients(DES);
- LOG("Client created");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1UpDownIncorrectBF2)
- {
- InitIncorrectClients(BF2);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2UpDownIncorrectAES2)
- {
- InitIncorrectClients(AES2);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3UpDownIncorrectAES3)
- {
- InitIncorrectClients(AES3);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1UpDownCorrectBF2)
- {
- InitCorrectClients(BF2);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2UpDownCorrectAES2)
- {
- InitCorrectClients(AES2);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3UpDownCorrectAES3)
- {
- InitCorrectClients(AES3);
- LOG("Client created");
- cleanProc();
- LOG("Client closed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, C1NetSearch)
- {
- SLEEP(1000);
- DoNetSearch();
- LOG("StepFive Completed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, C2NetSearch)
- {
- DoNetSearch();
- LOG("StepFive Completed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, C3NetSearch)
- {
- DoNetSearch();
- LOG("StepFive Completed");
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT1, CloseCache1)
- { cleanProc(); }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT2, CloseCache2)
- { cleanProc(); }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(CLIENT3, CloseCache3)
- { cleanProc(); }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CloseServer1)
- {
- if (isLocalServer) {
- CacheHelper::closeServer(1);
- LOG("SERVER1 stopped");
- }
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CloseServer2)
- {
- if (isLocalServer) {
- CacheHelper::closeServer(2);
- LOG("SERVER2 stopped");
- }
- }
-END_TASK_DEFINITION
-
-DUNIT_TASK_DEFINITION(LOCATORSERVER, CloseLocator)
- {
- if (isLocator) {
- CacheHelper::closeLocator(1);
- LOG("Locator1 stopped");
- }
- }
-END_TASK_DEFINITION
-
-void doThinClientSecurityDH() {
- CALL_TASK(CreateLocator);
- CALL_TASK(CreateServer1);
- CALL_TASK(C1UpDownIncorrectBF1);
- CALL_TASK(C2UpDownIncorrectAES1);
- CALL_TASK(C3UpDownIncorrectDES);
- CALL_TASK(C1UpCorrectBF1);
- CALL_TASK(C2UpCorrectAES1);
- CALL_TASK(C3UpCorrectDES);
- CALL_TASK(CreateServer2);
- CALL_TASK(CloseServer1);
- CALL_TASK(C1NetSearch);
- CALL_TASK(C2NetSearch);
- CALL_TASK(C3NetSearch);
- CALL_TASK(CloseCache1);
- CALL_TASK(CloseCache2);
- CALL_TASK(CloseCache3);
-
- // Commented for Unlimited Security strength policy : See comment at top of
- // testThinClientSecurityDH.cpp
- // CALL_TASK(C1UpDownIncorrectBF2);
- // CALL_TASK(C2UpDownIncorrectAES2);
- // CALL_TASK(C3UpDownIncorrectAES3);
- // CALL_TASK(C1UpDownCorrectBF2);
- // CALL_TASK(C2UpDownCorrectAES2);
- // CALL_TASK(C3UpDownCorrectAES3);
- CALL_TASK(CloseServer2);
- CALL_TASK(CloseLocator);
-}
-
-DUNIT_MAIN
- { doThinClientSecurityDH(); }
-END_MAIN
diff --git a/cppcache/integration/test/CMakeLists.txt b/cppcache/integration/test/CMakeLists.txt
index f76aab8..4c583ed 100644
--- a/cppcache/integration/test/CMakeLists.txt
+++ b/cppcache/integration/test/CMakeLists.txt
@@ -72,7 +72,7 @@ target_link_libraries(cpp-integration-test
internal
)
-add_dependencies(cpp-integration-test cryptoImpl DHImpl)
+add_dependencies(cpp-integration-test cryptoImpl)
if(WIN32)
target_compile_definitions(cpp-integration-test
diff --git a/cppcache/src/DiffieHellman.cpp b/cppcache/src/DiffieHellman.cpp
deleted file mode 100644
index fc0c81d..0000000
--- a/cppcache/src/DiffieHellman.cpp
+++ /dev/null
@@ -1,198 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "DiffieHellman.hpp"
-
-#include <ace/Guard_T.h>
-
-#include <geode/ExceptionTypes.hpp>
-#include <geode/SystemProperties.hpp>
-
-#include "util/Log.hpp"
-namespace apache {
-namespace geode {
-namespace client {
-
-ACE_DLL DiffieHellman::m_dll;
-
-#define INIT_DH_FUNC_PTR(OrigName) \
- DiffieHellman::OrigName##_Type DiffieHellman::OrigName##_Ptr = nullptr;
-
-INIT_DH_FUNC_PTR(gf_initDhKeys)
-INIT_DH_FUNC_PTR(gf_clearDhKeys)
-INIT_DH_FUNC_PTR(gf_getPublicKey)
-INIT_DH_FUNC_PTR(gf_setPublicKeyOther)
-INIT_DH_FUNC_PTR(gf_computeSharedSecret)
-INIT_DH_FUNC_PTR(gf_encryptDH)
-INIT_DH_FUNC_PTR(gf_decryptDH)
-INIT_DH_FUNC_PTR(gf_verifyDH)
-
-void* DiffieHellman::getOpenSSLFuncPtr(const char* function_name) {
- void* func = m_dll.symbol(function_name);
- if (func == nullptr) {
- char msg[1000];
- std::snprintf(msg, 1000, "cannot find function %s in library %s",
- function_name, "cryptoImpl");
- LOGERROR(msg);
- throw IllegalStateException(msg);
- }
- return func;
-}
-
-void DiffieHellman::initOpenSSLFuncPtrs() {
- static bool inited = false;
-
- if (inited) {
- return;
- }
-
- const char* libName = "cryptoImpl";
-
- if (m_dll.open(libName, ACE_DEFAULT_SHLIB_MODE, 0) == -1) {
- char msg[1000];
- std::snprintf(msg, 1000, "cannot open library: %s", libName);
- LOGERROR(msg);
- throw FileNotFoundException(msg);
- }
-
-#define ASSIGN_DH_FUNC_PTR(OrigName) \
- OrigName##_Ptr = (OrigName##_Type)getOpenSSLFuncPtr(#OrigName);
-
- ASSIGN_DH_FUNC_PTR(gf_initDhKeys)
- ASSIGN_DH_FUNC_PTR(gf_clearDhKeys)
- ASSIGN_DH_FUNC_PTR(gf_getPublicKey)
- ASSIGN_DH_FUNC_PTR(gf_setPublicKeyOther)
- ASSIGN_DH_FUNC_PTR(gf_computeSharedSecret)
- ASSIGN_DH_FUNC_PTR(gf_encryptDH)
- ASSIGN_DH_FUNC_PTR(gf_decryptDH)
- ASSIGN_DH_FUNC_PTR(gf_verifyDH)
-
- inited = true;
-}
-
-void DiffieHellman::initDhKeys(const std::shared_ptr<Properties>& props) {
- m_dhCtx = nullptr;
-
- const auto& dhAlgo = props->find(SecurityClientDhAlgo);
- const auto& ksPath = props->find(SecurityClientKsPath);
-
- // Null check only for DH Algo
- if (dhAlgo == nullptr) {
- LOGFINE("DH algo not available");
- return;
- }
-
- int error =
- gf_initDhKeys_Ptr(&m_dhCtx, dhAlgo->value().c_str(),
- ksPath != nullptr ? ksPath->value().c_str() : nullptr);
-
- if (error == DH_ERR_UNSUPPORTED_ALGO) { // Unsupported Algorithm
- char msg[64] = {'\0'};
- std::snprintf(msg, 64, "Algorithm %s is not supported.",
- dhAlgo->value().c_str());
- throw IllegalArgumentException(msg);
- } else if (error == DH_ERR_ILLEGAL_KEYSIZE) { // Illegal Key size
- char msg[64] = {'\0'};
- std::snprintf(msg, 64, "Illegal key size for algorithm %s.",
- dhAlgo->value().c_str());
- throw IllegalArgumentException(msg);
- } else if (m_dhCtx == nullptr) {
- throw IllegalStateException(
- "Could not initialize the Diffie-Hellman helper");
- }
-}
-
-void DiffieHellman::clearDhKeys(void) {
- // Sanity check for accidental calls
- if (gf_clearDhKeys_Ptr == nullptr) {
- return;
- }
-
- gf_clearDhKeys_Ptr(m_dhCtx);
-
- m_dhCtx = nullptr;
-
- return;
-}
-std::shared_ptr<CacheableBytes> DiffieHellman::getPublicKey(void) {
- int keyLen = 0;
- auto pubKeyPtr = gf_getPublicKey_Ptr(m_dhCtx, &keyLen);
- return CacheableBytes::create(
- std::vector<int8_t>(pubKeyPtr, pubKeyPtr + keyLen));
-}
-
-void DiffieHellman::setPublicKeyOther(
- const std::shared_ptr<CacheableBytes>& pubkey) {
- return gf_setPublicKeyOther_Ptr(
- m_dhCtx, reinterpret_cast<const uint8_t*>(pubkey->value().data()),
- pubkey->length());
-}
-
-void DiffieHellman::computeSharedSecret(void) {
- return gf_computeSharedSecret_Ptr(m_dhCtx);
-}
-std::shared_ptr<CacheableBytes> DiffieHellman::encrypt(
- const std::shared_ptr<CacheableBytes>& cleartext) {
- return encrypt(reinterpret_cast<const uint8_t*>(cleartext->value().data()),
- cleartext->length());
-}
-std::shared_ptr<CacheableBytes> DiffieHellman::encrypt(const uint8_t* cleartext,
- int len) {
- int cipherLen = 0;
- auto ciphertextPtr = gf_encryptDH_Ptr(m_dhCtx, cleartext, len, &cipherLen);
- return CacheableBytes::create(
- std::vector<int8_t>(ciphertextPtr, ciphertextPtr + cipherLen));
-}
-std::shared_ptr<CacheableBytes> DiffieHellman::decrypt(
- const std::shared_ptr<CacheableBytes>& cleartext) {
- return decrypt(reinterpret_cast<const uint8_t*>(cleartext->value().data()),
- cleartext->length());
-}
-std::shared_ptr<CacheableBytes> DiffieHellman::decrypt(const uint8_t* cleartext,
- int len) {
- int cipherLen = 0;
- auto ciphertextPtr = gf_decryptDH_Ptr(m_dhCtx, cleartext, len, &cipherLen);
- return CacheableBytes::create(
- std::vector<int8_t>(ciphertextPtr, ciphertextPtr + cipherLen));
-}
-
-bool DiffieHellman::verify(const std::shared_ptr<CacheableString>& subject,
- const std::shared_ptr<CacheableBytes>& challenge,
- const std::shared_ptr<CacheableBytes>& response) {
- int errCode = DH_ERR_NO_ERROR;
- LOGDEBUG("DiffieHellman::verify");
- bool result = gf_verifyDH_Ptr(
- m_dhCtx, subject->value().c_str(),
- reinterpret_cast<const uint8_t*>(challenge->value().data()),
- challenge->length(),
- reinterpret_cast<const uint8_t*>(response->value().data()),
- response->length(), &errCode);
- LOGDEBUG("DiffieHellman::verify 2");
- if (errCode == DH_ERR_SUBJECT_NOT_FOUND) {
- LOGERROR("Subject name %s not found in imported certificates.",
- subject->value().c_str());
- } else if (errCode == DH_ERR_NO_CERTIFICATES) {
- LOGERROR("No imported certificates.");
- } else if (errCode == DH_ERR_INVALID_SIGN) {
- LOGERROR("Signature varification failed.");
- }
-
- return result;
-}
-} // namespace client
-} // namespace geode
-} // namespace apache
diff --git a/cppcache/src/DiffieHellman.hpp b/cppcache/src/DiffieHellman.hpp
deleted file mode 100644
index 234cac9..0000000
--- a/cppcache/src/DiffieHellman.hpp
+++ /dev/null
@@ -1,109 +0,0 @@
-#pragma once
-
-#ifndef GEODE_DIFFIEHELLMAN_H_
-#define GEODE_DIFFIEHELLMAN_H_
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include <string>
-
-#include <ace/DLL.h>
-
-#include <geode/CacheableBuiltins.hpp>
-#include <geode/Properties.hpp>
-
-#define DH_ERR_NO_ERROR 0
-#define DH_ERR_UNSUPPORTED_ALGO 1
-#define DH_ERR_ILLEGAL_KEYSIZE 2
-#define DH_ERR_SUBJECT_NOT_FOUND 3
-#define DH_ERR_NO_CERTIFICATES 4
-#define DH_ERR_INVALID_SIGN 5
-
-const char SecurityClientDhAlgo[] = "security-client-dhalgo";
-const char SecurityClientKsPath[] = "security-client-kspath";
-
-namespace apache {
-namespace geode {
-namespace client {
-
-class DiffieHellman {
- public:
- void initDhKeys(const std::shared_ptr<Properties>& props);
- void clearDhKeys(void);
- std::shared_ptr<CacheableBytes> getPublicKey(void);
- void setPublicKeyOther(const std::shared_ptr<CacheableBytes>& pubkey);
- void computeSharedSecret(void);
- std::shared_ptr<CacheableBytes> encrypt(
- const std::shared_ptr<CacheableBytes>& cleartext);
- std::shared_ptr<CacheableBytes> encrypt(const uint8_t* cleartext, int len);
- std::shared_ptr<CacheableBytes> decrypt(
- const std::shared_ptr<CacheableBytes>& cleartext);
- std::shared_ptr<CacheableBytes> decrypt(const uint8_t* cleartext, int len);
- bool verify(const std::shared_ptr<CacheableString>& subject,
- const std::shared_ptr<CacheableBytes>& challenge,
- const std::shared_ptr<CacheableBytes>& response);
-
- static void initOpenSSLFuncPtrs();
-
- DiffieHellman() : m_dhCtx(nullptr) {}
-
- private:
- void* m_dhCtx;
- static void* getOpenSSLFuncPtr(const char* function_name);
-
- // OpenSSL Func Ptrs: Declare Func Ptr type and a static variable of
- // std::shared_ptr<Func> type. Convention: <Orig Func Name>_Type and <Orig
- // Func Name>_Ptr
- typedef int (*gf_initDhKeys_Type)(void** dhCtx, const char* dhAlgo,
- const char* ksPath);
- typedef void (*gf_clearDhKeys_Type)(void* dhCtx);
- typedef unsigned char* (*gf_getPublicKey_Type)(void* dhCtx, int* len);
- typedef void (*gf_setPublicKeyOther_Type)(void* dhCtx,
- const unsigned char* pubkey,
- int length);
- typedef void (*gf_computeSharedSecret_Type)(void* dhCtx);
- typedef unsigned char* (*gf_encryptDH_Type)(void* dhCtx,
- const unsigned char* cleartext,
- int len, int* retLen);
- typedef unsigned char* (*gf_decryptDH_Type)(void* dhCtx,
- const unsigned char* cleartext,
- int len, int* retLen);
- typedef bool (*gf_verifyDH_Type)(void* dhCtx, const char* subject,
- const unsigned char* challenge,
- int challengeLen,
- const unsigned char* response,
- int responseLen, int* reason);
-
-#define DECLARE_DH_FUNC_PTR(OrigName) static OrigName##_Type OrigName##_Ptr;
-
- DECLARE_DH_FUNC_PTR(gf_initDhKeys)
- DECLARE_DH_FUNC_PTR(gf_clearDhKeys)
- DECLARE_DH_FUNC_PTR(gf_getPublicKey)
- DECLARE_DH_FUNC_PTR(gf_setPublicKeyOther)
- DECLARE_DH_FUNC_PTR(gf_computeSharedSecret)
- DECLARE_DH_FUNC_PTR(gf_encryptDH)
- DECLARE_DH_FUNC_PTR(gf_decryptDH)
- DECLARE_DH_FUNC_PTR(gf_verifyDH)
-
- static ACE_DLL m_dll;
-
-}; // class DiffieHellman
-} // namespace client
-} // namespace geode
-} // namespace apache
-
-#endif // GEODE_DIFFIEHELLMAN_H_
diff --git a/cppcache/src/DistributedSystem.hpp b/cppcache/src/DistributedSystem.hpp
index f3ba16f..a03ea6c 100644
--- a/cppcache/src/DistributedSystem.hpp
+++ b/cppcache/src/DistributedSystem.hpp
@@ -48,7 +48,6 @@ namespace client {
class SystemProperties;
class DistributedSystemImpl;
class CacheRegionHelper;
-class DiffieHellman;
class TcrConnection;
class APACHE_GEODE_EXPORT DistributedSystem {
diff --git a/cppcache/src/DistributedSystemImpl.cpp b/cppcache/src/DistributedSystemImpl.cpp
index a648232..2e20823 100644
--- a/cppcache/src/DistributedSystemImpl.cpp
+++ b/cppcache/src/DistributedSystemImpl.cpp
@@ -51,9 +51,6 @@ DistributedSystemImpl::DistributedSystemImpl(
m_implementee(implementee),
m_sysProps(std::move(sysProps)),
m_connected(false) {
- if (!m_sysProps->securityClientDhAlgo().empty()) {
- DiffieHellman::initOpenSSLFuncPtrs();
- }
logSystemInformation();
}
@@ -62,7 +59,7 @@ DistributedSystemImpl::~DistributedSystemImpl() {
}
void DistributedSystemImpl::connect() {
- if (m_connected == true) {
+ if (m_connected) {
throw AlreadyConnectedException(
"DistributedSystem::connect: already connected, call getInstance to "
"get it");
diff --git a/cppcache/src/DistributedSystemImpl.hpp b/cppcache/src/DistributedSystemImpl.hpp
index ff3e2cc..457c9ea 100644
--- a/cppcache/src/DistributedSystemImpl.hpp
+++ b/cppcache/src/DistributedSystemImpl.hpp
@@ -27,7 +27,6 @@
#include <geode/internal/geode_globals.hpp>
-#include "DiffieHellman.hpp"
#include "DistributedSystem.hpp"
#include "statistics/StatisticsManager.hpp"
@@ -68,7 +67,6 @@ class APACHE_GEODE_EXPORT DistributedSystemImpl {
std::string m_name;
DistributedSystem* m_implementee;
- DiffieHellman m_dh;
/**
* @brief constructors
diff --git a/cppcache/src/SystemProperties.cpp b/cppcache/src/SystemProperties.cpp
index bc69dc9..9e86b01 100644
--- a/cppcache/src/SystemProperties.cpp
+++ b/cppcache/src/SystemProperties.cpp
@@ -268,7 +268,8 @@ void SystemProperties::processProperty(const std::string& property,
m_securityPropertiesPtr->insert(property, value);
if (property == SecurityClientDhAlgo) {
- m_securityClientDhAlgo = value;
+ throw IllegalArgumentException(
+ "Diffie-Hellman based credentials encryption is not supported.");
} else if (property == SecurityClientKsPath) {
m_securityClientKsPath = value;
}
@@ -454,9 +455,6 @@ void SystemProperties::logSettings() {
settings += "\n redundancy-monitor-interval = ";
settings += to_string(redundancyMonitorInterval());
- settings += "\n security-client-dhalgo = ";
- settings += securityClientDhAlgo();
-
settings += "\n security-client-kspath = ";
settings += securityClientKsPath();
diff --git a/cppcache/src/TcrConnection.cpp b/cppcache/src/TcrConnection.cpp
index d23d5d9..51e5c09 100644
--- a/cppcache/src/TcrConnection.cpp
+++ b/cppcache/src/TcrConnection.cpp
@@ -27,7 +27,6 @@
#include "ClientProxyMembershipID.hpp"
#include "Connector.hpp"
-#include "DiffieHellman.hpp"
#include "DistributedSystemImpl.hpp"
#include "TcpSslConn.hpp"
#include "TcrConnectionManager.hpp"
@@ -47,10 +46,10 @@ const int8_t LAST_CHUNK_MASK = 0x1;
const int64_t INITIAL_CONNECTION_ID = 26739;
#define throwException(ex) \
- { \
+ do { \
LOGFINEST(ex.getName() + ": " + ex.getMessage()); \
throw ex; \
- }
+ } while (0)
struct FinalizeProcessChunk {
private:
@@ -79,7 +78,6 @@ bool TcrConnection::initTcrConnection(
// m_connected = isConnected;
m_hasServerQueue = NON_REDUNDANT_SERVER;
m_queueSize = 0;
- m_dh = nullptr;
// m_chunksProcessSema = 0;
m_creationTime = clock::now();
connectionId = INITIAL_CONNECTION_ID;
@@ -192,7 +190,6 @@ bool TcrConnection::initTcrConnection(
}
handShakeMsg.writeInt(static_cast<int32_t>(1));
- bool isDhOn = false;
bool requireServerAuth = false;
std::shared_ptr<Properties> credentials;
std::shared_ptr<CacheableBytes> serverChallenge;
@@ -201,29 +198,18 @@ bool TcrConnection::initTcrConnection(
handShakeMsg.write(getOverrides(&sysProp));
bool tmpIsSecurityOn = nullptr != cacheImpl->getAuthInitialize();
- isDhOn = sysProp.isDhOn();
if (m_endpointObj) {
- tmpIsSecurityOn = tmpIsSecurityOn || this->m_endpointObj->isMultiUserMode();
- auto dhalgo =
- sysProp.getSecurityProperties()->find("security-client-dhalgo");
-
- LOGDEBUG("TcrConnection this->m_endpointObj->isMultiUserMode() = %d ",
- this->m_endpointObj->isMultiUserMode());
- if (this->m_endpointObj->isMultiUserMode()) {
- if (dhalgo != nullptr && dhalgo->length() > 0) isDhOn = true;
- }
+ tmpIsSecurityOn = tmpIsSecurityOn || m_endpointObj->isMultiUserMode();
}
LOGDEBUG(
- "TcrConnection algo name %s tmpIsSecurityOn = %d isDhOn = %d "
- "isNotificationChannel = %d ",
- sysProp.securityClientDhAlgo().c_str(), tmpIsSecurityOn, isDhOn,
- isNotificationChannel);
+ "TcrConnection tmpIsSecurityOn = %d isNotificationChannel = "
+ "%d ",
+ tmpIsSecurityOn, isNotificationChannel);
bool doIneedToSendCreds = true;
if (isNotificationChannel && m_endpointObj &&
this->m_endpointObj->isMultiUserMode()) {
- isDhOn = false;
tmpIsSecurityOn = false;
doIneedToSendCreds = false;
}
@@ -231,10 +217,6 @@ bool TcrConnection::initTcrConnection(
if (isNotificationChannel && !doIneedToSendCreds) {
handShakeMsg.write(
static_cast<uint8_t>(SECURITY_MULTIUSER_NOTIFICATIONCHANNEL));
- } else if (isDhOn) {
- m_dh = new DiffieHellman();
- m_dh->initDhKeys(sysProp.getSecurityProperties());
- handShakeMsg.write(static_cast<uint8_t>(SECURITY_CREDENTIALS_DHENCRYPT));
} else if (tmpIsSecurityOn) {
handShakeMsg.write(static_cast<uint8_t>(SECURITY_CREDENTIALS_NORMAL));
} else {
@@ -261,38 +243,9 @@ bool TcrConnection::initTcrConnection(
credentials = tmpAuthIniSecurityProperties;
}
}
-
- if (isDhOn) {
- auto ksPath = tmpSecurityProperties->find("security-client-kspath");
- requireServerAuth = (ksPath != nullptr && ksPath->length() > 0);
- handShakeMsg.writeBoolean(requireServerAuth);
- LOGFINE(
- "HandShake: Server authentication using RSA signature %s required",
- requireServerAuth ? "is" : "not");
-
- // Send the symmetric key algorithm name string
- handShakeMsg.writeString(sysProp.securityClientDhAlgo());
-
- // Send the client's DH public key to the server
- auto dhPubKey = m_dh->getPublicKey();
- LOGDEBUG("DH pubkey send len is %d", dhPubKey->length());
- dhPubKey->toData(handShakeMsg);
-
- if (requireServerAuth) {
- char serverChallengeBytes[64] = {0};
- RandGen getrand;
- for (int pos = 0; pos < 64; pos++) {
- serverChallengeBytes[pos] = getrand(255);
- }
- serverChallenge = CacheableBytes::create(std::vector<int8_t>(
- serverChallengeBytes, serverChallengeBytes + 64));
- serverChallenge->toData(handShakeMsg);
- }
- } else { // if isDhOn
- if (isClientNotification) { //:only for backward connection
- credentials->toData(handShakeMsg);
- }
- } // else isDhOn
+ if (isClientNotification) {
+ credentials->toData(handShakeMsg);
+ }
} catch (const AuthenticationRequiredException&) {
LOGDEBUG("AuthenticationRequiredException got");
throw;
@@ -330,77 +283,6 @@ bool TcrConnection::initTcrConnection(
throwException(ex);
}
- // if diffie-hellman based credential encryption is enabled
- if (isDhOn && acceptanceCode[0] == REPLY_OK) {
- // read the server's DH public key
- auto pubKeyBytes = readHandshakeByteArray(connectTimeout);
- LOGDEBUG(" Handshake: Got pubKeySize %d", pubKeyBytes->length());
-
- // set the server's public key on client's DH side
- // DiffieHellman::setPublicKeyOther(pubKeyBytes);
- m_dh->setPublicKeyOther(pubKeyBytes);
-
- // Note: SK Algo is set in DistributedSystem::connect()
- // DiffieHellman::computeSharedSecret();
- m_dh->computeSharedSecret();
-
- if (requireServerAuth) {
- // Read Subject Name
- auto subjectName = readHandshakeString(connectTimeout);
- LOGDEBUG("Got subject %s", subjectName->value().c_str());
- // read the server's signature bytes
- auto responseBytes = readHandshakeByteArray(connectTimeout);
- LOGDEBUG("Handshake: Got response size %d", responseBytes->length());
- LOGDEBUG("Handshake: Got serverChallenge size %d",
- serverChallenge->length());
- if (!m_dh->verify(subjectName, serverChallenge, responseBytes)) {
- throwException(AuthenticationFailedException(
- "Handshake: failed to verify server challenge response"));
- }
- LOGFINE("HandShake: Verified server challenge response");
- }
-
- // read the challenge bytes from the server
- auto challengeBytes = readHandshakeByteArray(connectTimeout);
- LOGDEBUG("Handshake: Got challengeSize %d", challengeBytes->length());
-
- // encrypt the credentials and challenge bytes
- auto cleartext = cacheImpl->createDataOutput();
- if (isClientNotification) { //:only for backward connection
- credentials->toData(cleartext);
- }
- challengeBytes->toData(cleartext);
- auto ciphertext = m_dh->encrypt(
- cleartext.getBuffer(), static_cast<int>(cleartext.getBufferLength()));
-
- auto sendCreds = cacheImpl->createDataOutput();
- ciphertext->toData(sendCreds);
- size_t credLength;
- auto credData = reinterpret_cast<char*>(
- const_cast<uint8_t*>(sendCreds.getBuffer(&credLength)));
- // send the encrypted bytes and check the response
- error = sendData(credData, credLength, connectTimeout, false);
-
- if (error == CONN_NOERR) {
- acceptanceCode = readHandshakeData(1, connectTimeout);
- LOGDEBUG("Handshake: Got acceptanceCode Finally %d", acceptanceCode[0]);
- } else {
- int32_t lastError = ACE_OS::last_error();
- LOGERROR("Handshake failed, errno: %d, server may not be running",
- lastError);
- GF_SAFE_DELETE_CON(m_conn);
- if (error & CONN_TIMEOUT) {
- throwException(TimeoutException(
- "TcrConnection::TcrConnection: "
- "connection timed out during diffie-hellman handshake"));
- } else {
- throwException(
- GeodeIOException("TcrConnection::TcrConnection: "
- "Handshake failure during diffie-hellman"));
- }
- }
- }
-
auto serverQueueStatus = readHandshakeData(1, connectTimeout);
// TESTING: Durable clients - set server queue status.
@@ -685,9 +567,10 @@ char* TcrConnection::sendRequest(const char* buffer, size_t len,
send(timeSpent, buffer, len, sendTimeoutSec);
- if (timeSpent >= receiveTimeoutSec)
+ if (timeSpent >= receiveTimeoutSec) {
throwException(
TimeoutException("TcrConnection::send: connection timed out"));
+ }
receiveTimeoutSec -= timeSpent;
ConnErrType opErr = CONN_NOERR;
@@ -1400,11 +1283,6 @@ TcrConnection::~TcrConnection() {
m_conn->close();
GF_SAFE_DELETE_CON(m_conn);
}
-
- if (m_dh != nullptr) {
- m_dh->clearDhKeys();
- _GEODE_SAFE_DELETE(m_dh);
- }
}
bool TcrConnection::setAndGetBeingUsed(volatile bool isBeingUsed,
diff --git a/cppcache/src/TcrConnection.hpp b/cppcache/src/TcrConnection.hpp
index c3d09cf..18969e1 100644
--- a/cppcache/src/TcrConnection.hpp
+++ b/cppcache/src/TcrConnection.hpp
@@ -30,7 +30,6 @@
#include <geode/internal/geode_globals.hpp>
#include "Connector.hpp"
-#include "DiffieHellman.hpp"
#include "TcrMessage.hpp"
#include "util/synchronized_set.hpp"
@@ -41,7 +40,6 @@
#define UNSUCCESSFUL_SERVER_TO_CLIENT 106
#define CLIENT_TO_SERVER 100
#define REPLY_OK 59
-#define REPLY_OK_CS43 58
#define REPLY_REFUSED 60
#define REPLY_INVALID 61
#define REPLY_SSL_ENABLED 21
@@ -51,7 +49,6 @@
#define SECURITY_CREDENTIALS_NONE 0
#define SECURITY_CREDENTIALS_NORMAL 1
-#define SECURITY_CREDENTIALS_DHENCRYPT 2
#define SECURITY_MULTIUSER_NOTIFICATIONCHANNEL 3
/** Closes and Deletes connection only if it exists */
@@ -135,7 +132,6 @@ class APACHE_GEODE_EXPORT TcrConnection {
volatile const bool& isConnected)
: connectionId(0),
m_connectionManager(&connectionManager),
- m_dh(nullptr),
m_endpoint(nullptr),
m_endpointObj(nullptr),
m_connected(isConnected),
@@ -308,28 +304,9 @@ class APACHE_GEODE_EXPORT TcrConnection {
return *m_connectionManager;
}
- std::shared_ptr<CacheableBytes> encryptBytes(
- std::shared_ptr<CacheableBytes> data) {
- if (m_dh != nullptr) {
- return m_dh->encrypt(data);
- } else {
- return data;
- }
- }
-
- std::shared_ptr<CacheableBytes> decryptBytes(
- std::shared_ptr<CacheableBytes> data) {
- if (m_dh != nullptr) {
- return m_dh->decrypt(data);
- } else {
- return data;
- }
- }
-
private:
int64_t connectionId;
const TcrConnectionManager* m_connectionManager;
- DiffieHellman* m_dh;
std::chrono::microseconds calculateHeaderTimeout(
std::chrono::microseconds receiveTimeout, bool retry);
diff --git a/cppcache/src/TcrMessage.cpp b/cppcache/src/TcrMessage.cpp
index aeb3917..aa8361d 100644
--- a/cppcache/src/TcrMessage.cpp
+++ b/cppcache/src/TcrMessage.cpp
@@ -604,11 +604,11 @@ void TcrMessage::readUniqueIDObjectPart(DataInput& input) {
}
}
-int64_t TcrMessage::getConnectionId(TcrConnection* conn) {
- if (m_connectionIDBytes != nullptr) {
- auto tmp = conn->decryptBytes(m_connectionIDBytes);
+int64_t TcrMessage::getConnectionId() {
+ if (m_connectionIDBytes) {
auto di = m_tcdm->getConnectionManager().getCacheImpl()->createDataInput(
- reinterpret_cast<const uint8_t*>(tmp->value().data()), tmp->length());
+ reinterpret_cast<const uint8_t*>(m_connectionIDBytes->value().data()),
+ m_connectionIDBytes->length());
return di.readInt64();
} else {
LOGWARN("Returning 0 as internal connection ID msgtype = %d ", m_msgType);
@@ -616,14 +616,12 @@ int64_t TcrMessage::getConnectionId(TcrConnection* conn) {
}
}
-int64_t TcrMessage::getUniqueId(TcrConnection* conn) {
- if (m_value != nullptr) {
- auto encryptBytes = std::dynamic_pointer_cast<CacheableBytes>(m_value);
-
- auto tmp = conn->decryptBytes(encryptBytes);
-
+int64_t TcrMessage::getUniqueId() {
+ if (auto cacheableBytes =
+ std::dynamic_pointer_cast<CacheableBytes>(m_value)) {
auto di = m_tcdm->getConnectionManager().getCacheImpl()->createDataInput(
- reinterpret_cast<const uint8_t*>(tmp->value().data()), tmp->length());
+ reinterpret_cast<const uint8_t*>(cacheableBytes->value().data()),
+ cacheableBytes->length());
return di.readInt64();
}
return 0;
@@ -2787,7 +2785,7 @@ TcrMessageRemoveUserAuth::TcrMessageRemoveUserAuth(
.c_str());
}
-void TcrMessage::createUserCredentialMessage(TcrConnection* conn) {
+void TcrMessage::createUserCredentialMessage(TcrConnection*) {
m_request->reset();
m_isSecurityHeaderAdded = false;
writeHeader(m_msgType, 1);
@@ -2799,8 +2797,7 @@ void TcrMessage::createUserCredentialMessage(TcrConnection* conn) {
auto credBytes = CacheableBytes::create(std::vector<int8_t>(
dOut.getBuffer(), dOut.getBuffer() + dOut.getBufferLength()));
- auto encryptBytes = conn->encryptBytes(credBytes);
- writeObjectPart(encryptBytes);
+ writeObjectPart(credBytes);
writeMessageLength();
LOGDEBUG("TcrMessage::createUserCredentialMessage msg = %s ",
@@ -2831,21 +2828,18 @@ void TcrMessage::addSecurityPart(int64_t connectionId, int64_t unique_id,
auto bytes = CacheableBytes::create(std::vector<int8_t>(
dOutput.getBuffer(), dOutput.getBuffer() + dOutput.getBufferLength()));
- auto encryptBytes = conn->encryptBytes(bytes);
-
LOGDEBUG("TcrMessage::addSecurityPart [%p] length = %" PRId32
", encrypted ID = %s ",
- conn, encryptBytes->length(),
- Utils::convertBytesToString(encryptBytes->value().data(),
- encryptBytes->length())
+ conn, bytes->length(),
+ Utils::convertBytesToString(bytes->value().data(), bytes->length())
.c_str());
- writeObjectPart(encryptBytes);
+ writeObjectPart(bytes);
writeMessageLength();
- m_securityHeaderLength = 4 + 1 + encryptBytes->length();
+ m_securityHeaderLength = 4 + 1 + bytes->length();
}
-void TcrMessage::addSecurityPart(int64_t connectionId, TcrConnection* conn) {
+void TcrMessage::addSecurityPart(int64_t connectionId, TcrConnection*) {
LOGDEBUG("TcrMessage::addSecurityPart m_isSecurityHeaderAdded = %d ",
m_isSecurityHeaderAdded);
if (m_isSecurityHeaderAdded) {
@@ -2865,11 +2859,9 @@ void TcrMessage::addSecurityPart(int64_t connectionId, TcrConnection* conn) {
auto bytes = CacheableBytes::create(std::vector<int8_t>(
dOutput.getBuffer(), dOutput.getBuffer() + dOutput.getBufferLength()));
- auto encryptBytes = conn->encryptBytes(bytes);
-
- writeObjectPart(encryptBytes);
+ writeObjectPart(bytes);
writeMessageLength();
- m_securityHeaderLength = 4 + 1 + encryptBytes->length();
+ m_securityHeaderLength = 4 + 1 + bytes->length();
LOGDEBUG("TcrMessage addspCC = %s ",
Utils::convertBytesToString(m_request->getBuffer(),
m_request->getBufferLength())
diff --git a/cppcache/src/TcrMessage.hpp b/cppcache/src/TcrMessage.hpp
index 89d4870..007dbd1 100644
--- a/cppcache/src/TcrMessage.hpp
+++ b/cppcache/src/TcrMessage.hpp
@@ -302,9 +302,9 @@ class TcrMessage {
void addSecurityPart(int64_t connectionId, TcrConnection* conn);
- int64_t getConnectionId(TcrConnection* conn);
+ int64_t getConnectionId();
- int64_t getUniqueId(TcrConnection* conn);
+ int64_t getUniqueId();
void createUserCredentialMessage(TcrConnection* conn);
diff --git a/cppcache/src/ThinClientBaseDM.cpp b/cppcache/src/ThinClientBaseDM.cpp
index a1d741a..82bcea0 100644
--- a/cppcache/src/ThinClientBaseDM.cpp
+++ b/cppcache/src/ThinClientBaseDM.cpp
@@ -300,17 +300,17 @@ void ThinClientBaseDM::afterSendingRequest(const TcrMessage& request,
if (TcrMessage::RESPONSE == reply.getMessageType()) {
if (this->isMultiUserMode()) {
UserAttributes::threadLocalUserAttributes->setConnectionAttributes(
- conn->getEndpointObject(), reply.getUniqueId(conn));
+ conn->getEndpointObject(), reply.getUniqueId());
} else {
- conn->getEndpointObject()->setUniqueId(reply.getUniqueId(conn));
+ conn->getEndpointObject()->setUniqueId(reply.getUniqueId());
}
}
- conn->setConnectionId(reply.getConnectionId(conn));
+ conn->setConnectionId(reply.getConnectionId());
} else if (TcrMessage::isUserInitiativeOps(request)) {
// bugfix: if noack op then reuse previous security token.
conn->setConnectionId(reply.getMessageType() == TcrMessage::INVALID
? conn->getConnectionId()
- : reply.getConnectionId(conn));
+ : reply.getConnectionId());
}
}
}
diff --git a/cryptoimpl/CMakeLists.txt b/cryptoimpl/CMakeLists.txt
index 22a3856..3852e2b 100644
--- a/cryptoimpl/CMakeLists.txt
+++ b/cryptoimpl/CMakeLists.txt
@@ -17,8 +17,6 @@ project(cryptoImpl LANGUAGES CXX)
add_library(cryptoImpl SHARED
${CMAKE_CURRENT_BINARY_DIR}/cryptoimpl_export.h
- DHImpl.hpp
- DHImpl.cpp
Ssl.hpp
SSLImpl.hpp
SSLImpl.cpp
diff --git a/cryptoimpl/DHImpl.cpp b/cryptoimpl/DHImpl.cpp
deleted file mode 100644
index 1365d32..0000000
--- a/cryptoimpl/DHImpl.cpp
+++ /dev/null
@@ -1,713 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "DHImpl.hpp"
-
-#include <openssl-compat.h>
-#include <openssl/aes.h>
-#include <openssl/asn1.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/pkcs12.h>
-#include <openssl/rsa.h>
-#include <openssl/stack.h>
-#include <openssl/x509.h>
-
-#include <cctype>
-#include <cstring>
-#include <memory>
-
-/*
-static DH * m_dh = nullptr;
-static string m_skAlgo;
-static int m_keySize = 0;
-static BIGNUM * m_pubKeyOther = nullptr;
-static unsigned char m_key[128] = {0};
-static std::vector<X509*> m_serverCerts;
-*/
-
-static const char *dhP =
- "13528702063991073999718992897071702177131142188276542919088770094024269"
- "73079899070080419278066109785292538223079165925365098181867673946"
- "34756714063947534092593553024224277712367371302394452615862654308"
- "11180902979719649450105660478776364198726078338308557022096810447"
- "3500348898008043285865193451061481841186553";
-
-static const char *dhG =
- "13058345680719715096166513407513969537624553636623932169016704425008150"
- "56576152779768716554354314319087014857769741104157332735258102835"
- "93126577393912282416840649805564834470583437473176415335737232689"
- "81480201869671811010996732593655666464627559582258861254878896534"
- "1273697569202082715873518528062345259949959";
-
-static const int dhL = 1023;
-
-static int DH_PUBKEY_set(DH_PUBKEY **x, EVP_PKEY *pkey);
-static EVP_PKEY *DH_PUBKEY_get(DH_PUBKEY *key);
-/*
-static const EVP_CIPHER* getCipherFunc();
-static int setSkAlgo(const char * skalgo);
-*/
-
-ASN1_SEQUENCE(
- DH_PUBKEY) = {ASN1_SIMPLE(DH_PUBKEY, algor, X509_ALGOR),
- ASN1_SIMPLE(DH_PUBKEY, public_key,
- ASN1_BIT_STRING)} ASN1_SEQUENCE_END(DH_PUBKEY)
-
- // This gives us the i2d/d2i x.509 (ASN1 DER) encode/decode functions
- IMPLEMENT_ASN1_FUNCTIONS(DH_PUBKEY)
-
- // Returns Error code
- int gf_initDhKeys(void **dhCtx, const char *dhAlgo, const char *ksPath) {
- int errorCode = DH_ERR_NO_ERROR; // No error;
-
- auto dhimpl = new DHImpl();
- *dhCtx = dhimpl;
-
- // ksPath can be null
- if (dhimpl->m_dh || !dhAlgo || strlen(dhAlgo) == 0) {
- return errorCode;
- }
-
- // set the symmetric cipher algorithm name
- errorCode = dhimpl->setSkAlgo(dhAlgo);
- if (errorCode != DH_ERR_NO_ERROR) {
- return errorCode;
- }
-
- // do add-all here or outside in DS::connect?
- if (!DHImpl::m_init) {
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
- DHImpl::m_init = true;
- }
-
- dhimpl->m_dh = DH_new();
-
- BIGNUM *pbn = nullptr;
- BIGNUM *gbn = nullptr;
- DH_get0_pqg(dhimpl->m_dh, const_cast<const BIGNUM **>(&pbn), nullptr,
- const_cast<const BIGNUM **>(&gbn));
- BN_dec2bn(&pbn, dhP);
-
- LOGDH(" DHInit: P ptr is %p", pbn);
- LOGDH(" DHInit: G ptr is %p", gbn);
- LOGDH(" DHInit: length is %d", DH_get_length(dhimpl->m_dh));
-
- BN_dec2bn(&gbn, dhG);
-
- DH_set_length(dhimpl->m_dh, dhL);
-
- DH_generate_key(dhimpl->m_dh);
-
- const BIGNUM *pub_key, *priv_key;
- DH_get0_key(dhimpl->m_dh, &pub_key, &priv_key);
- BN_num_bits(priv_key);
-
- BN_num_bits(pub_key);
-
- int codes = 0;
- DH_check(dhimpl->m_dh, &codes);
- LOGDH(" DHInit: DH_check codes is 0x%04X", codes);
- LOGDH(" DHInit: DH_size is %d", DH_size(dhimpl->m_dh));
-
- // load the server's RSA public key for server authentication
- // note that OpenSSL 0.9.8g has a bug where it can read only the first one in
- // the keystore
-
- LOGDH(" Loading keystore...");
-
- if (ksPath == nullptr || strlen(ksPath) == 0) {
- LOGDH("Property \"security-client-kspath\" 's value is nullptr.");
- return errorCode;
- }
- FILE *keyStoreFP = nullptr;
- keyStoreFP = fopen(ksPath, "r");
-
- LOGDH(" kspath is [%s]", ksPath);
- LOGDH(" keystore FILE ptr is %p", keyStoreFP);
-
- // Read from pem file and put into.
- X509 *cert = nullptr;
- do {
- cert = PEM_read_X509(keyStoreFP, nullptr, nullptr, nullptr);
-
- if (cert != nullptr) {
- dhimpl->m_serverCerts.push_back(cert);
- }
- } while (cert != nullptr);
-
- LOGDH(" Total certificats imported # %zd", dhimpl->m_serverCerts.size());
-
- fclose(keyStoreFP);
-
- return errorCode;
-}
-
-void gf_clearDhKeys(void *dhCtx) {
- DHImpl *dhimpl = reinterpret_cast<DHImpl *>(dhCtx);
-
- if (dhimpl->m_dh != nullptr) {
- DH_free(dhimpl->m_dh);
- dhimpl->m_dh = nullptr;
- }
-
- std::vector<X509 *>::const_iterator iter;
- for (iter = dhimpl->m_serverCerts.begin();
- iter != dhimpl->m_serverCerts.end(); ++iter) {
- X509_free(*iter);
- }
-
- dhimpl->m_serverCerts.clear();
-
- if (dhimpl->m_pubKeyOther != nullptr) {
- BN_free(dhimpl->m_pubKeyOther);
- dhimpl->m_pubKeyOther = nullptr;
- }
-
- memset(dhimpl->m_key, 0, 128);
-
- // EVP_cleanup();
-}
-
-unsigned char *gf_getPublicKey(void *dhCtx, int *pLen) {
- DHImpl *dhimpl = reinterpret_cast<DHImpl *>(dhCtx);
-
- const BIGNUM *pub_key, *priv_key;
- DH_get0_key(dhimpl->m_dh, &pub_key, &priv_key);
-
- if (pub_key == nullptr || pLen == nullptr) {
- return nullptr;
- }
-
- int numBytes = BN_num_bytes(pub_key);
-
- if (numBytes <= 0) {
- return nullptr;
- }
-
- EVP_PKEY *evppubkey = EVP_PKEY_new();
- LOGDH(" before assign DH ptr is %p\n", dhimpl->m_dh);
- EVP_PKEY_assign_DH(evppubkey, dhimpl->m_dh);
- LOGDH(" after assign DH ptr is %p\n", dhimpl->m_dh);
- DH_PUBKEY *dhpubkey = nullptr;
- DH_PUBKEY_set(&dhpubkey, evppubkey);
- int len = i2d_DH_PUBKEY(dhpubkey, nullptr);
- unsigned char *pubkey = new unsigned char[len];
- unsigned char *temp = pubkey;
- //
- // Note, this temp pointer is needed because OpenSSL increments the pointer
- // passed in
- // so that following encoding can be done at the current output location, this
- // will cause a
- // problem if we try to free the pointer which has been moved by OpenSSL.
- //
- i2d_DH_PUBKEY(dhpubkey, &temp);
-
- // TODO: uncomment this - causing problem in computeSecret?
- // DH_PUBKEY_free(dhpubkey);
- // EVP_PKEY_free(evppubkey);
-
- LOGDH(" after evp free DH ptr is %p\n", dhimpl->m_dh);
- *pLen = len;
- return pubkey;
-}
-
-void gf_setPublicKeyOther(void *dhCtx, const unsigned char *pubkey,
- int length) {
- DHImpl *dhimpl = reinterpret_cast<DHImpl *>(dhCtx);
-
- if (dhimpl->m_pubKeyOther != nullptr) {
- BN_free(dhimpl->m_pubKeyOther);
- dhimpl->m_pubKeyOther = nullptr;
- }
-
- const unsigned char *temp = pubkey;
- DH_PUBKEY *dhpubkey = d2i_DH_PUBKEY(nullptr, &temp, length);
- LOGDH(" setPubKeyOther: after d2i_dhpubkey ptr is %p\n", dhpubkey);
- EVP_PKEY *evppkey = DH_PUBKEY_get(dhpubkey);
- LOGDH(" setPubKeyOther: after dhpubkey get evp ptr is %p\n", evppkey);
- LOGDH(" setPubKeyOther: before BNdup ptr is %p\n", dhimpl->m_pubKeyOther);
-
- const BIGNUM *pub_key, *priv_key;
- DH *dh = EVP_PKEY_get1_DH(evppkey);
- DH_get0_key(dh, &pub_key, &priv_key);
- dhimpl->m_pubKeyOther = BN_dup(pub_key);
- LOGDH(" setPubKeyOther: after BNdup ptr is %p\n", dhimpl->m_pubKeyOther);
- EVP_PKEY_free(evppkey);
- DH_PUBKEY_free(dhpubkey);
-
- int codes = 0;
- DH_check_pub_key(dhimpl->m_dh, dhimpl->m_pubKeyOther, &codes);
- LOGDH(" DHInit: DH check_pub_key codes is 0x%04X\n", codes);
-}
-
-void gf_computeSharedSecret(void *dhCtx) {
- DHImpl *dhimpl = reinterpret_cast<DHImpl *>(dhCtx);
-
- LOGDH("COMPUTE: DH ptr %p, pubkeyOther ptr %p", dhimpl->m_dh,
- dhimpl->m_pubKeyOther);
-
- LOGDH("DHcomputeKey DHSize is %d", DH_size(dhimpl->m_dh));
- DH_compute_key(dhimpl->m_key, dhimpl->m_pubKeyOther, dhimpl->m_dh);
- LOGDH("DHcomputeKey : Compute err(%d): %s", ERR_get_error(),
- ERR_error_string(ERR_get_error(), nullptr));
-}
-
-int DHImpl::setSkAlgo(const char *skalgo) {
- int errCode = DH_ERR_NO_ERROR;
-
- std::string inAlgo(skalgo);
- size_t colIdx = inAlgo.find(':');
- std::string algoStr =
- (colIdx == std::string::npos) ? inAlgo : inAlgo.substr(0, colIdx);
- int keySize = 0;
-
- // Convert input algo to lower case to support case insensitivity
- for (unsigned int i = 0; i < algoStr.size(); i++) {
- algoStr[i] = tolower(algoStr[i]);
- }
-
- if (algoStr == "aes") {
- keySize = (colIdx == std::string::npos)
- ? 128
- : atoi(inAlgo.substr(colIdx + 1).c_str());
- if (keySize == 128 || keySize == 192 || keySize == 256) {
- m_skAlgo = "AES";
- m_keySize = keySize;
- } else {
- return DH_ERR_ILLEGAL_KEYSIZE;
- }
- } else if (algoStr == "blowfish") {
- keySize = (colIdx == std::string::npos)
- ? 128
- : atoi(inAlgo.substr(colIdx + 1).c_str());
- if (keySize >= 128 && keySize <= 448) {
- m_skAlgo = "Blowfish";
- m_keySize = keySize;
- } else {
- return DH_ERR_ILLEGAL_KEYSIZE;
- }
- } else if (algoStr == "desede") { // No keysize should be given
- if (colIdx == std::string::npos) {
- m_skAlgo = "DESede";
- m_keySize = 192;
- } else {
- return DH_ERR_ILLEGAL_KEYSIZE;
- }
- } else {
- return DH_ERR_UNSUPPORTED_ALGO;
- }
-
- LOGDH(" DH: Got SK algo as %s", m_skAlgo.c_str());
- LOGDH(" DH: Got keySize as %d", m_keySize);
-
- return errCode;
-}
-
-const EVP_CIPHER *DHImpl::getCipherFunc() {
- if (m_skAlgo == "AES") {
- if (m_keySize == 192) {
- return EVP_aes_192_cbc();
- } else if (m_keySize == 256) {
- return EVP_aes_256_cbc();
- } else { // Default
- return EVP_aes_128_cbc();
- }
- } else if (m_skAlgo == "Blowfish") {
- return EVP_bf_cbc();
- } else if (m_skAlgo == "DESede") {
- return EVP_des_ede3_cbc();
- } else {
- LOGDH("ERROR: Unsupported DH Algorithm");
- return nullptr;
- }
-}
-
-unsigned char *gf_encryptDH(void *dhCtx, const unsigned char *cleartext,
- int len, int *retLen) {
- DHImpl *dhimpl = reinterpret_cast<DHImpl *>(dhCtx);
-
- // Validation
- if (cleartext == nullptr || len < 1 || retLen == nullptr) {
- return nullptr;
- }
-
- LOGDH(" DH: gf_encryptDH using sk algo: %s, Keysize: %d",
- dhimpl->m_skAlgo.c_str(), dhimpl->m_keySize);
-
- auto ciphertext = std::unique_ptr<unsigned char[]>(
- new unsigned char[len + 50]); // give enough room for padding
- int outlen, tmplen;
- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
-
- const EVP_CIPHER *cipherFunc = dhimpl->getCipherFunc();
-
- // init openssl cipher context
- if (dhimpl->m_skAlgo == "AES") {
- int keySize = dhimpl->m_keySize > 128 ? dhimpl->m_keySize / 8 : 16;
- EVP_EncryptInit_ex(ctx, cipherFunc, nullptr, dhimpl->m_key,
- dhimpl->m_key + keySize);
- } else if (dhimpl->m_skAlgo == "Blowfish") {
- int keySize = dhimpl->m_keySize > 128 ? dhimpl->m_keySize / 8 : 16;
- EVP_EncryptInit_ex(ctx, cipherFunc, nullptr, nullptr,
- dhimpl->m_key + keySize);
- EVP_CIPHER_CTX_set_key_length(ctx, keySize);
- LOGDH("DHencrypt: BF keysize is %d", keySize);
- EVP_EncryptInit_ex(ctx, nullptr, nullptr, dhimpl->m_key, nullptr);
- } else if (dhimpl->m_skAlgo == "DESede") {
- EVP_EncryptInit_ex(ctx, cipherFunc, nullptr, dhimpl->m_key,
- dhimpl->m_key + 24);
- }
-
- if (!EVP_EncryptUpdate(ctx, ciphertext.get(), &outlen, cleartext, len)) {
- LOGDH(" DHencrypt: enc update ret nullptr");
- return nullptr;
- }
- /* Buffer passed to EVP_EncryptFinal() must be after data just
- * encrypted to avoid overwriting it.
- */
- tmplen = 0;
-
- if (!EVP_EncryptFinal_ex(ctx, ciphertext.get() + outlen, &tmplen)) {
- LOGDH("DHencrypt: enc final ret nullptr");
- return nullptr;
- }
-
- outlen += tmplen;
-
- EVP_CIPHER_CTX_free(ctx);
-
- LOGDH("DHencrypt: in len is %d, out len is %d", len, outlen);
-
- *retLen = outlen;
- return ciphertext.release();
-}
-
-unsigned char *gf_decryptDH(void *dhCtx, const unsigned char *cleartext,
- int len, int *retLen) {
- DHImpl *dhimpl = reinterpret_cast<DHImpl *>(dhCtx);
-
- // Validation
- if (cleartext == nullptr || len < 1 || retLen == nullptr) {
- return nullptr;
- }
-
- LOGDH(" DH: gf_encryptDH using sk algo: %s, Keysize: %d",
- dhimpl->m_skAlgo.c_str(), dhimpl->m_keySize);
-
- auto ciphertext = std::unique_ptr<unsigned char[]>(
- new unsigned char[len + 50]); // give enough room for padding
- int outlen, tmplen;
- EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
-
- auto cipherFunc = dhimpl->getCipherFunc();
-
- // init openssl cipher context
- if (dhimpl->m_skAlgo == "AES") {
- int keySize = dhimpl->m_keySize > 128 ? dhimpl->m_keySize / 8 : 16;
- EVP_DecryptInit_ex(ctx, cipherFunc, nullptr, dhimpl->m_key,
- dhimpl->m_key + keySize);
- } else if (dhimpl->m_skAlgo == "Blowfish") {
- int keySize = dhimpl->m_keySize > 128 ? dhimpl->m_keySize / 8 : 16;
- EVP_DecryptInit_ex(ctx, cipherFunc, nullptr, nullptr,
- dhimpl->m_key + keySize);
- EVP_CIPHER_CTX_set_key_length(ctx, keySize);
- LOGDH("DHencrypt: BF keysize is %d", keySize);
- EVP_DecryptInit_ex(ctx, nullptr, nullptr, dhimpl->m_key, nullptr);
- } else if (dhimpl->m_skAlgo == "DESede") {
- EVP_DecryptInit_ex(ctx, cipherFunc, nullptr, dhimpl->m_key,
- dhimpl->m_key + 24);
- }
-
- if (!EVP_DecryptUpdate(ctx, ciphertext.get(), &outlen, cleartext, len)) {
- LOGDH(" DHencrypt: enc update ret nullptr");
- return nullptr;
- }
- /* Buffer passed to EVP_EncryptFinal() must be after data just
- * encrypted to avoid overwriting it.
- */
- tmplen = 0;
-
- if (!EVP_DecryptFinal_ex(ctx, ciphertext.get() + outlen, &tmplen)) {
- LOGDH("DHencrypt: enc final ret nullptr");
- return nullptr;
- }
-
- outlen += tmplen;
-
- EVP_CIPHER_CTX_free(ctx);
-
- LOGDH("DHencrypt: in len is %d, out len is %d", len, outlen);
-
- *retLen = outlen;
- return ciphertext.release();
-}
-
-// std::shared_ptr<CacheableBytes> decrypt(const uint8_t * ciphertext, int len)
-// {
-// LOGDH("DH: Used unimplemented decrypt!");
-// return nullptr;
-//}
-
-bool gf_verifyDH(void *dhCtx, const char *subject,
- const unsigned char *challenge, int challengeLen,
- const unsigned char *response, int responseLen, int *reason) {
- DHImpl *dhimpl = reinterpret_cast<DHImpl *>(dhCtx);
-
- LOGDH(" In Verify - looking for subject %s", subject);
-
- EVP_PKEY *evpkey = nullptr;
- X509 *cert = nullptr;
-
- char *certsubject = nullptr;
-
- int32_t count = static_cast<int32_t>(dhimpl->m_serverCerts.size());
- if (count == 0) {
- *reason = DH_ERR_NO_CERTIFICATES;
- return false;
- }
-
- for (int item = 0; item < count; item++) {
- certsubject = X509_NAME_oneline(
- X509_get_subject_name(dhimpl->m_serverCerts[item]), nullptr, 0);
-
- // Ignore first letter for comparision, openssl adds / before subject name
- // e.g. /CN=geode1
- if (strcmp(certsubject + 1, subject) == 0) {
- evpkey = X509_get_pubkey(dhimpl->m_serverCerts[item]);
- cert = dhimpl->m_serverCerts[item];
- LOGDH("Found subject [%s] in stored certificates", certsubject);
- break;
- }
- }
-
- if (evpkey == nullptr || cert == nullptr) {
- *reason = DH_ERR_SUBJECT_NOT_FOUND;
- LOGDH("Certificate not found!");
- return false;
- }
-
- const ASN1_OBJECT *macobj;
- const X509_ALGOR *algorithm = nullptr;
- X509_ALGOR_get0(&macobj, nullptr, nullptr, algorithm);
- if (algorithm == nullptr) {
- LOGDH("algo is null \n");
- }
-
- const EVP_MD *signatureDigest = EVP_get_digestbyobj(macobj);
- LOGDH("after EVP_get_digestbyobj : err(%d): %s", ERR_get_error(),
- ERR_error_string(ERR_get_error(), nullptr));
- EVP_MD_CTX *signatureCtx = EVP_MD_CTX_new();
-
- int result1 = EVP_VerifyInit_ex(signatureCtx, signatureDigest, nullptr);
- LOGDH("after EVP_VerifyInit_ex ret %d : err(%d): %s", result1,
- ERR_get_error(), ERR_error_string(ERR_get_error(), nullptr));
- LOGDH(" Result of VerifyInit is %s \n", ERR_lib_error_string(result1));
- LOGDH(" Result of VerifyInit is %s \n", ERR_func_error_string(result1));
- LOGDH(" Result of VerifyInit is %s \n", ERR_reason_error_string(result1));
-
- LOGDH(" Result of VerifyInit is %d", result1);
-
- int result2 = EVP_VerifyUpdate(signatureCtx, challenge, challengeLen);
- LOGDH(" Result of VerifyUpdate is %d", result2);
-
- int result3 = EVP_VerifyFinal(signatureCtx, response, responseLen, evpkey);
- LOGDH(" Result of VerifyFinal is %d", result3);
-
- bool result = (result1 == 1 && result2 == 1 && result3 == 1);
-
- EVP_MD_CTX_free(signatureCtx);
-
- if (result == false) {
- *reason = DH_ERR_INVALID_SIGN;
- }
-
- return result;
-}
-
-int DH_PUBKEY_set(DH_PUBKEY **x, EVP_PKEY *pkey) {
- DH_PUBKEY *pk = nullptr;
- X509_ALGOR *a;
- ASN1_OBJECT *o;
- unsigned char *s, *p = nullptr;
- int i;
- ASN1_INTEGER *asn1int = nullptr;
- DH *dh = EVP_PKEY_get1_DH(pkey);
-
- if (x == nullptr) return (0);
-
- if ((pk = DH_PUBKEY_new()) == nullptr) goto err;
- a = pk->algor;
-
- LOGDH(" key type for OBJ NID is %d", EVP_PKEY_base_id(pkey));
-
- /* set the algorithm id */
- if ((o = OBJ_nid2obj(EVP_PKEY_base_id(pkey))) == nullptr) goto err;
- ASN1_OBJECT_free(a->algorithm);
- a->algorithm = o;
-
- /* Set the parameter list */
- if (EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) {
- if ((a->parameter == nullptr) || (a->parameter->type != V_ASN1_NULL)) {
- ASN1_TYPE_free(a->parameter);
- if (!(a->parameter = ASN1_TYPE_new())) {
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- a->parameter->type = V_ASN1_NULL;
- }
- } else if (EVP_PKEY_base_id(pkey) == EVP_PKEY_DH) {
- unsigned char *pp;
- ASN1_TYPE_free(a->parameter);
- if ((i = i2d_DHparams(dh, nullptr)) <= 0) goto err;
- if (!(p = reinterpret_cast<unsigned char *>(OPENSSL_malloc(i)))) {
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- pp = p;
- i2d_DHparams(dh, &pp);
- if (!(a->parameter = ASN1_TYPE_new())) {
- OPENSSL_free(p);
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- a->parameter->type = V_ASN1_SEQUENCE;
- if (!(a->parameter->value.sequence = ASN1_STRING_new())) {
- OPENSSL_free(p);
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (!ASN1_STRING_set(a->parameter->value.sequence, p, i)) {
- OPENSSL_free(p);
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- OPENSSL_free(p);
- } else if (1) {
- X509err(X509_F_X509_PUBKEY_SET, X509_R_UNSUPPORTED_ALGORITHM);
- goto err;
- }
-
- const BIGNUM *pub_key, *priv_key;
- DH_get0_key(dh, &pub_key, &priv_key);
-
- asn1int = BN_to_ASN1_INTEGER(pub_key, nullptr);
- if ((i = i2d_ASN1_INTEGER(asn1int, nullptr)) <= 0) goto err;
- if ((s = reinterpret_cast<unsigned char *>(OPENSSL_malloc(i + 1))) ==
- nullptr) {
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- p = s;
- i2d_ASN1_INTEGER(asn1int, &p);
- if (!ASN1_BIT_STRING_set(static_cast<ASN1_STRING *>(pk->public_key), s, i)) {
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- /* Set number of unused bits to zero */
- pk->public_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
- pk->public_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
-
- OPENSSL_free(s);
-
- if (*x != nullptr) DH_PUBKEY_free(*x);
-
- *x = pk;
-
- return 1;
-err:
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (pk != nullptr) DH_PUBKEY_free(pk);
- return 0;
-}
-
-EVP_PKEY *DH_PUBKEY_get(DH_PUBKEY *key) {
- EVP_PKEY *ret = nullptr;
- decltype(asn1_string_st::length) j;
- const unsigned char *p;
- const unsigned char *cp;
- X509_ALGOR *a;
- ASN1_INTEGER *asn1int = nullptr;
-
- if (key == nullptr) {
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
-
- if (key->pkey != nullptr) {
- EVP_PKEY_up_ref(key->pkey);
- return (key->pkey);
- }
-
- if (key->public_key == nullptr) {
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
-
- if ((ret = EVP_PKEY_new()) == nullptr) {
- X509err(X509_F_X509_PUBKEY_DECODE, ERR_R_MALLOC_FAILURE);
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
-
- LOGDH(" DHPUBKEY evppkey type is %d", EVP_PKEY_base_id(ret));
-
- /* the parameters must be extracted before the public key */
-
- a = key->algor;
-
- if (EVP_PKEY_base_id(ret) == EVP_PKEY_DH) {
- if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE)) {
- if ((EVP_PKEY_set1_DH(ret, DH_new())) == 0) {
- X509err(X509_F_X509_PUBKEY_DECODE, ERR_R_MALLOC_FAILURE);
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
- cp = p = a->parameter->value.sequence->data;
- j = a->parameter->value.sequence->length;
- DH *dh = EVP_PKEY_get1_DH(ret);
- if (!d2i_DHparams(&dh, &cp, j)) {
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
- }
- }
-
- p = key->public_key->data;
- j = key->public_key->length;
-
- asn1int = d2i_ASN1_INTEGER(nullptr, &p, j);
- LOGDH("after d2i asn1 integer ptr is %p", asn1int);
-
- DH *dh = EVP_PKEY_get1_DH(ret);
- DH_set0_key(dh, ASN1_INTEGER_to_BN(asn1int, nullptr), nullptr);
- // LOGDH(" after asn1int to bn ptr is %p", ret->pkey.dh->pub_key);
-
- key->pkey = ret;
- EVP_PKEY_up_ref(ret);
-
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- return (ret);
-}
diff --git a/cryptoimpl/DHImpl.hpp b/cryptoimpl/DHImpl.hpp
deleted file mode 100644
index 94b49a5..0000000
--- a/cryptoimpl/DHImpl.hpp
+++ /dev/null
@@ -1,100 +0,0 @@
-#pragma once
-
-#ifndef GEODE_CRYPTOIMPL_DHIMPL_H_
-#define GEODE_CRYPTOIMPL_DHIMPL_H_
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <openssl/asn1t.h>
-#include <openssl/dh.h>
-#include <openssl/x509.h>
-
-#include <cstring>
-#include <string>
-#include <vector>
-
-#include "cryptoimpl_export.h"
-
-#define DH_ERR_NO_ERROR 0
-#define DH_ERR_UNSUPPORTED_ALGO 1
-#define DH_ERR_ILLEGAL_KEYSIZE 2
-#define DH_ERR_SUBJECT_NOT_FOUND 3
-#define DH_ERR_NO_CERTIFICATES 4
-#define DH_ERR_INVALID_SIGN 5
-
-#ifdef _DEBUG
-#define LOGDH printf
-#else
-#define LOGDH(...)
-#endif
-
-// We need to declare our own structures and macros for
-// DH public key x509 encoding because it's not available in
-// OpenSSL yet.
-typedef struct DH_pubkey_st {
- X509_ALGOR* algor;
- ASN1_BIT_STRING* public_key;
- EVP_PKEY* pkey;
-} DH_PUBKEY;
-
-extern "C" {
-CRYPTOIMPL_EXPORT int gf_initDhKeys(void** dhCtx, const char* dhAlgo,
- const char* ksPath);
-CRYPTOIMPL_EXPORT void gf_clearDhKeys(void* dhCtx);
-CRYPTOIMPL_EXPORT unsigned char* gf_getPublicKey(void* dhCtx, int* len);
-CRYPTOIMPL_EXPORT void gf_setPublicKeyOther(void* dhCtx,
- const unsigned char* pubkey,
- int length);
-CRYPTOIMPL_EXPORT void gf_computeSharedSecret(void* dhCtx);
-CRYPTOIMPL_EXPORT unsigned char* gf_encryptDH(void* dhCtx,
- const unsigned char* cleartext,
- int len, int* retLen);
-CRYPTOIMPL_EXPORT unsigned char* gf_decryptDH(void* dhCtx,
- const unsigned char* cleartext,
- int len, int* retLen);
-CRYPTOIMPL_EXPORT bool gf_verifyDH(void* dhCtx, const char* subject,
- const unsigned char* challenge,
- int challengeLen,
- const unsigned char* response,
- int responseLen, int* reason);
-}
-
-class DHImpl {
- public:
- DH* m_dh;
- std::string m_skAlgo;
- int m_keySize;
- BIGNUM* m_pubKeyOther;
- unsigned char m_key[128];
- std::vector<X509*> m_serverCerts;
-
- const EVP_CIPHER* getCipherFunc();
- int setSkAlgo(const char* skalgo);
-
- DHImpl() : m_dh(nullptr), m_keySize(0), m_pubKeyOther(nullptr) {
- /* adongre
- * CID 28924: Uninitialized scalar field (UNINIT_CTOR)
- */
- std::memset(m_key, 0, sizeof(m_key));
- }
- static bool m_init;
-};
-
-bool DHImpl::m_init = false;
-
-#endif // GEODE_CRYPTOIMPL_DHIMPL_H_
diff --git a/dhimpl/CMakeLists.txt b/dhimpl/CMakeLists.txt
deleted file mode 100644
index 538b9f9..0000000
--- a/dhimpl/CMakeLists.txt
+++ /dev/null
@@ -1,45 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-project(DHImpl LANGUAGES CXX)
-
-add_library(DHImpl SHARED
- DHImpl.cpp
- DHImpl.hpp
-)
-
-set_target_properties(DHImpl PROPERTIES
- FOLDER cpp/test/integration
-)
-
-include(GenerateExportHeader)
-generate_export_header(DHImpl)
-
-target_include_directories(DHImpl
- PUBLIC
- $<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>
-)
-
-target_link_libraries(DHImpl
- PUBLIC
- apache-geode
- OpenSSL::Crypto
- c++11
- PRIVATE
- openssl-compat
- _WarningsAsError
-)
-
-add_clangformat(DHImpl)
diff --git a/dhimpl/DHImpl.cpp b/dhimpl/DHImpl.cpp
deleted file mode 100644
index 3b7ea74..0000000
--- a/dhimpl/DHImpl.cpp
+++ /dev/null
@@ -1,612 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "DHImpl.hpp"
-
-#include <openssl/aes.h>
-#include <openssl/asn1.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/pkcs12.h>
-#include <openssl/rsa.h>
-#include <openssl/stack.h>
-#include <openssl/x509.h>
-
-#include <cctype>
-#include <cstdint>
-#include <cstring>
-#include <memory>
-
-static DH *m_dh = nullptr;
-static std::string m_skAlgo;
-static int m_keySize = 0;
-static BIGNUM *m_pubKeyOther = nullptr;
-static unsigned char m_key[128] = {0};
-static std::vector<X509 *> m_serverCerts;
-
-static const char *dhP =
- "13528702063991073999718992897071702177131142188276542919088770094024269"
- "73079899070080419278066109785292538223079165925365098181867673946"
- "34756714063947534092593553024224277712367371302394452615862654308"
- "11180902979719649450105660478776364198726078338308557022096810447"
- "3500348898008043285865193451061481841186553";
-
-static const int dhL = 1023;
-
-static int DH_PUBKEY_set(DH_PUBKEY **x, EVP_PKEY *pkey);
-static EVP_PKEY *DH_PUBKEY_get(DH_PUBKEY *key);
-static const EVP_CIPHER *getCipherFunc();
-static int setSkAlgo(const char *skalgo);
-
-ASN1_SEQUENCE(
- DH_PUBKEY) = {ASN1_SIMPLE(DH_PUBKEY, algor, X509_ALGOR),
- ASN1_SIMPLE(DH_PUBKEY, public_key,
- ASN1_BIT_STRING)} ASN1_SEQUENCE_END(DH_PUBKEY)
-
- // This gives us the i2d/d2i x.509 (ASN1 DER) encode/decode functions
- IMPLEMENT_ASN1_FUNCTIONS(DH_PUBKEY)
-
- // Returns Error code
- int gf_initDhKeys(const char *dhAlgo, const char *ksPath) {
- int errorCode = DH_ERR_NO_ERROR; // No error;
-
- // ksPath can be null
- if (m_dh || !dhAlgo || strlen(dhAlgo) == 0) {
- return errorCode;
- }
-
- // set the symmetric cipher algorithm name
- errorCode = setSkAlgo(dhAlgo);
- if (errorCode != DH_ERR_NO_ERROR) {
- return errorCode;
- }
-
- // do add-all here or outside in DS::connect?
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
-
- m_dh = DH_new();
-
- BIGNUM *pbn = nullptr;
- BIGNUM *gbn = nullptr;
- DH_get0_pqg(m_dh, const_cast<const BIGNUM **>(&pbn), nullptr,
- const_cast<const BIGNUM **>(&gbn));
- BN_dec2bn(&pbn, dhP);
-
- LOGDH(" DHInit: P ptr is %p", pbn);
- LOGDH(" DHInit: G ptr is %p", gbn);
- LOGDH(" DHInit: length is %d", DH_get_length(m_dh));
-
- BN_dec2bn(&gbn, dhP);
-
- DH_set_length(m_dh, dhL);
-
- DH_generate_key(m_dh);
-
- const BIGNUM *pub_key, *priv_key;
- DH_get0_key(m_dh, &pub_key, &priv_key);
-
- int codes = 0;
- DH_check(m_dh, &codes);
- LOGDH(" DHInit: DH_check codes is 0x%04X", codes);
- LOGDH(" DHInit: DH_size is %d", DH_size(m_dh));
-
- // load the server's RSA public key for server authentication
- // note that OpenSSL 0.9.8g has a bug where it can read only the first one in
- // the keystore
-
- LOGDH(" Loading keystore...");
-
- if (ksPath == nullptr || strlen(ksPath) == 0) {
- LOGDH("Property \"security-client-kspath\" 's value is nullptr.");
- return errorCode;
- }
- FILE *keyStoreFP = nullptr;
- keyStoreFP = fopen(ksPath, "r");
-
- LOGDH(" kspath is [%s]", ksPath);
- LOGDH(" keystore FILE ptr is %p", keyStoreFP);
-
- // Read from pem file and put into.
- X509 *cert = nullptr;
- do {
- cert = PEM_read_X509(keyStoreFP, nullptr, nullptr, nullptr);
-
- if (cert != nullptr) {
- m_serverCerts.push_back(cert);
- }
- } while (cert != nullptr);
-
- LOGDH(" Total certificats imported # %zd", m_serverCerts.size());
-
- fclose(keyStoreFP);
-
- return errorCode;
-}
-
-void gf_clearDhKeys(void) {
- if (m_dh != nullptr) {
- DH_free(m_dh);
- m_dh = nullptr;
- }
-
- std::vector<X509 *>::const_iterator iter;
- for (iter = m_serverCerts.begin(); iter != m_serverCerts.end(); ++iter) {
- X509_free(*iter);
- }
-
- m_serverCerts.clear();
-
- if (m_pubKeyOther != nullptr) {
- BN_free(m_pubKeyOther);
- m_pubKeyOther = nullptr;
- }
-
- memset(m_key, 0, 128);
-
- EVP_cleanup();
-}
-
-unsigned char *gf_getPublicKey(int *pLen) {
- const BIGNUM *pub_key, *priv_key;
- DH_get0_key(m_dh, &pub_key, &priv_key);
-
- if (pub_key == nullptr || pLen == nullptr) {
- return nullptr;
- }
-
- int numBytes = BN_num_bytes(pub_key);
-
- if (numBytes <= 0) {
- return nullptr;
- }
-
- EVP_PKEY *evppubkey = EVP_PKEY_new();
- LOGDH(" before assign DH ptr is %p", m_dh);
- EVP_PKEY_assign_DH(evppubkey, m_dh);
- LOGDH(" after assign DH ptr is %p", m_dh);
- DH_PUBKEY *dhpubkey = nullptr;
- DH_PUBKEY_set(&dhpubkey, evppubkey);
- int len = i2d_DH_PUBKEY(dhpubkey, nullptr);
- unsigned char *pubkey = new unsigned char[len];
- unsigned char *temp = pubkey;
- //
- // Note, this temp pointer is needed because OpenSSL increments the pointer
- // passed in
- // so that following encoding can be done at the current output location,
- // this will cause a problem if we try to free the pointer which has been
- // moved by OpenSSL.
- //
- i2d_DH_PUBKEY(dhpubkey, &temp);
-
- // TODO: uncomment this - causing problem in computeSecret?
- // DH_PUBKEY_free(dhpubkey);
- // EVP_PKEY_free(evppubkey);
-
- LOGDH(" after evp free DH ptr is %p", m_dh);
- *pLen = len;
- return pubkey;
-}
-
-void gf_setPublicKeyOther(const unsigned char *pubkey, int length) {
- if (m_pubKeyOther != nullptr) {
- BN_free(m_pubKeyOther);
- m_pubKeyOther = nullptr;
- }
-
- const unsigned char *temp = pubkey;
- DH_PUBKEY *dhpubkey = d2i_DH_PUBKEY(nullptr, &temp, length);
- LOGDH(" setPubKeyOther: after d2i_dhpubkey ptr is %p", dhpubkey);
- EVP_PKEY *evppkey = DH_PUBKEY_get(dhpubkey);
- LOGDH(" setPubKeyOther: after dhpubkey get evp ptr is %p", evppkey);
- LOGDH(" setPubKeyOther: before BNdup ptr is %p", m_pubKeyOther);
-
- const BIGNUM *pub_key, *priv_key;
- DH *dh = EVP_PKEY_get1_DH(evppkey);
- DH_get0_key(dh, &pub_key, &priv_key);
- m_pubKeyOther = BN_dup(pub_key);
- LOGDH(" setPubKeyOther: after BNdup ptr is %p", m_pubKeyOther);
- EVP_PKEY_free(evppkey);
- DH_PUBKEY_free(dhpubkey);
-
-#ifdef _DEBUG
- int codes = 0;
- int ret = DH_check_pub_key(m_dh, m_pubKeyOther, &codes);
- LOGDH(" DHInit: DH_check_pub_key ret %d", ret);
- LOGDH(" DHInit: DH check_pub_key codes is 0x%04X", codes);
-#endif
-}
-
-void gf_computeSharedSecret() {
- LOGDH("COMPUTE: DH ptr %p, pubkeyOther ptr %p", m_dh, m_pubKeyOther);
-
- LOGDH("DHcomputeKey DHSize is %d", DH_size(m_dh));
-#ifdef _DEBUG
- int ret = DH_compute_key(m_key, m_pubKeyOther, m_dh);
- LOGDH("DHcomputeKey ret %d : Compute err(%d): %s", ret, ERR_get_error(),
- ERR_error_string(ERR_get_error(), nullptr));
-#endif
-}
-
-int setSkAlgo(const char *skalgo) {
- int errCode = DH_ERR_NO_ERROR;
-
- std::string inAlgo(skalgo);
- size_t colIdx = inAlgo.find(':');
- std::string algoStr =
- (colIdx == std::string::npos) ? inAlgo : inAlgo.substr(0, colIdx);
- int keySize = 0;
-
- // Convert input algo to lower case to support case insensitivity
- for (unsigned int i = 0; i < algoStr.size(); i++) {
- algoStr[i] = tolower(algoStr[i]);
- }
-
- if (algoStr == "aes") {
- keySize = (colIdx == std::string::npos)
- ? 128
- : atoi(inAlgo.substr(colIdx + 1).c_str());
- if (keySize == 128 || keySize == 192 || keySize == 256) {
- m_skAlgo = "AES";
- m_keySize = keySize;
- } else {
- return DH_ERR_ILLEGAL_KEYSIZE;
- }
- } else if (algoStr == "blowfish") {
- keySize = (colIdx == std::string::npos)
- ? 128
- : atoi(inAlgo.substr(colIdx + 1).c_str());
- if (keySize >= 128 && keySize <= 448) {
- m_skAlgo = "Blowfish";
- m_keySize = keySize;
- } else {
- return DH_ERR_ILLEGAL_KEYSIZE;
- }
- } else if (algoStr == "desede") { // No keysize should be given
- if (colIdx == std::string::npos) {
- m_skAlgo = "DESede";
- m_keySize = 192;
- } else {
- return DH_ERR_ILLEGAL_KEYSIZE;
- }
- } else {
- return DH_ERR_UNSUPPORTED_ALGO;
- }
-
- LOGDH(" DH: Got SK algo as %s", m_skAlgo.c_str());
- LOGDH(" DH: Got keySize as %d", m_keySize);
-
- return errCode;
-}
-
-const EVP_CIPHER *getCipherFunc() {
- if (m_skAlgo == "AES") {
- if (m_keySize == 192) {
- return EVP_aes_192_cbc();
- } else if (m_keySize == 256) {
- return EVP_aes_256_cbc();
- } else { // Default
- return EVP_aes_128_cbc();
- }
- } else if (m_skAlgo == "Blowfish") {
- return EVP_bf_cbc();
- } else if (m_skAlgo == "DESede") {
- return EVP_des_ede3_cbc();
- } else {
- LOGDH("ERROR: Unsupported DH Algorithm");
- return nullptr;
- }
-}
-
-unsigned char *gf_encryptDH(const unsigned char *cleartext, int len,
- int *retLen) {
- // Validation
- if (cleartext == nullptr || len < 1 || retLen == nullptr) {
- return nullptr;
- }
-
- LOGDH(" DH: gf_encryptDH using sk algo: %s, Keysize: %d", m_skAlgo.c_str(),
- m_keySize);
-
- auto ciphertext = std::unique_ptr<unsigned char[]>(
- new unsigned char[len + 50]); // give enough room for padding
- int outlen, tmplen;
- auto ctx = EVP_CIPHER_CTX_new();
-
- auto cipherFunc = getCipherFunc();
-
- // init openssl cipher context
- if (m_skAlgo == "AES") {
- int keySize = m_keySize > 128 ? m_keySize / 8 : 16;
- EVP_EncryptInit_ex(ctx, cipherFunc, nullptr, m_key, m_key + keySize);
- } else if (m_skAlgo == "Blowfish") {
- int keySize = m_keySize > 128 ? m_keySize / 8 : 16;
- EVP_EncryptInit_ex(ctx, cipherFunc, nullptr, nullptr, m_key + keySize);
- EVP_CIPHER_CTX_set_key_length(ctx, keySize);
- LOGDH("DHencrypt: BF keysize is %d", keySize);
- EVP_EncryptInit_ex(ctx, nullptr, nullptr, m_key, nullptr);
- } else if (m_skAlgo == "DESede") {
- EVP_EncryptInit_ex(ctx, cipherFunc, nullptr, m_key, m_key + 24);
- }
-
- if (!EVP_EncryptUpdate(ctx, ciphertext.get(), &outlen, cleartext, len)) {
- LOGDH(" DHencrypt: enc update ret nullptr");
- return nullptr;
- }
- /* Buffer passed to EVP_EncryptFinal() must be after data just
- * encrypted to avoid overwriting it.
- */
- tmplen = 0;
-
- if (!EVP_EncryptFinal_ex(ctx, ciphertext.get() + outlen, &tmplen)) {
- LOGDH("DHencrypt: enc final ret nullptr");
- return nullptr;
- }
-
- outlen += tmplen;
-
- EVP_CIPHER_CTX_cleanup(ctx);
-
- LOGDH("DHencrypt: in len is %d, out len is %d", len, outlen);
-
- *retLen = outlen;
- return ciphertext.release();
-}
-
-// std::shared_ptr<CacheableBytes> decrypt(const uint8_t * ciphertext, int
-// len)
-// {
-// LOGDH("DH: Used unimplemented decrypt!");
-// return nullptr;
-//}
-
-bool gf_verifyDH(const char *subject, const unsigned char *challenge,
- int challengeLen, const unsigned char *response,
- int responseLen, int *reason) {
- LOGDH(" In Verify - looking for subject %s", subject);
-
- EVP_PKEY *evpkey = nullptr;
- X509 *cert = nullptr;
-
- char *certsubject = nullptr;
-
- int32_t count = static_cast<int32_t>(m_serverCerts.size());
- if (count == 0) {
- *reason = DH_ERR_NO_CERTIFICATES;
- return false;
- }
-
- for (int item = 0; item < count; item++) {
- certsubject = X509_NAME_oneline(X509_get_subject_name(m_serverCerts[item]),
- nullptr, 0);
-
- // Ignore first letter for comparision, openssl adds / before subject name
- // e.g. /CN=geode1
- if (strcmp(certsubject + 1, subject) == 0) {
- evpkey = X509_get_pubkey(m_serverCerts[item]);
- cert = m_serverCerts[item];
- LOGDH("Found subject [%s] in stored certificates", certsubject);
- break;
- }
- }
-
- if (evpkey == nullptr || cert == nullptr) {
- *reason = DH_ERR_SUBJECT_NOT_FOUND;
- LOGDH("Certificate not found!");
- return false;
- }
-
- const ASN1_OBJECT *macobj;
- const X509_ALGOR *algorithm = nullptr;
- X509_ALGOR_get0(&macobj, nullptr, nullptr, algorithm);
-
- const EVP_MD *signatureDigest = EVP_get_digestbyobj(macobj);
- EVP_MD_CTX *signatureCtx = EVP_MD_CTX_new();
-
- int result1 = EVP_VerifyInit_ex(signatureCtx, signatureDigest, nullptr);
- LOGDH(" Result of VerifyInit is %d", result1);
-
- int result2 = EVP_VerifyUpdate(signatureCtx, challenge, challengeLen);
- LOGDH(" Result of VerifyUpdate is %d", result2);
-
- int result3 = EVP_VerifyFinal(signatureCtx, response, responseLen, evpkey);
- LOGDH(" Result of VerifyFinal is %d", result3);
-
- bool result = (result1 == 1 && result2 == 1 && result3 == 1);
-
- EVP_MD_CTX_free(signatureCtx);
-
- if (result == false) {
- *reason = DH_ERR_INVALID_SIGN;
- }
-
- return result;
-}
-
-int DH_PUBKEY_set(DH_PUBKEY **x, EVP_PKEY *pkey) {
- DH_PUBKEY *pk = nullptr;
- X509_ALGOR *a;
- ASN1_OBJECT *o;
- unsigned char *s, *p = nullptr;
- int i;
- ASN1_INTEGER *asn1int = nullptr;
- DH *dh = EVP_PKEY_get1_DH(pkey);
-
- if (x == nullptr) return (0);
-
- if ((pk = DH_PUBKEY_new()) == nullptr) goto err;
- a = pk->algor;
-
- LOGDH(" key type for OBJ NID is %d", EVP_PKEY_base_id(pkey));
-
- /* set the algorithm id */
- if ((o = OBJ_nid2obj(EVP_PKEY_base_id(pkey))) == nullptr) goto err;
- ASN1_OBJECT_free(a->algorithm);
- a->algorithm = o;
-
- /* Set the parameter list */
- if (EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) {
- if ((a->parameter == nullptr) || (a->parameter->type != V_ASN1_NULL)) {
- ASN1_TYPE_free(a->parameter);
- if (!(a->parameter = ASN1_TYPE_new())) {
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- a->parameter->type = V_ASN1_NULL;
- }
- } else if (EVP_PKEY_base_id(pkey) == EVP_PKEY_DH) {
- unsigned char *pp;
-
- const BIGNUM *pub_key, *priv_key;
- DH_get0_key(dh, &pub_key, &priv_key);
- ASN1_TYPE_free(a->parameter);
- if ((i = i2d_DHparams(dh, nullptr)) <= 0) goto err;
- if (!(p = reinterpret_cast<unsigned char *>(OPENSSL_malloc(i)))) {
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- pp = p;
- i2d_DHparams(dh, &pp);
- if (!(a->parameter = ASN1_TYPE_new())) {
- OPENSSL_free(p);
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- a->parameter->type = V_ASN1_SEQUENCE;
- if (!(a->parameter->value.sequence = ASN1_STRING_new())) {
- OPENSSL_free(p);
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- if (!ASN1_STRING_set(a->parameter->value.sequence, p, i)) {
- OPENSSL_free(p);
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- OPENSSL_free(p);
- } else if (1) {
- X509err(X509_F_X509_PUBKEY_SET, X509_R_UNSUPPORTED_ALGORITHM);
- goto err;
- }
-
- const BIGNUM *pub_key, *priv_key;
- DH_get0_key(dh, &pub_key, &priv_key);
-
- asn1int = BN_to_ASN1_INTEGER(pub_key, nullptr);
- if ((i = i2d_ASN1_INTEGER(asn1int, nullptr)) <= 0) goto err;
- if ((s = reinterpret_cast<unsigned char *>(OPENSSL_malloc(i + 1))) ==
- nullptr) {
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- p = s;
- i2d_ASN1_INTEGER(asn1int, &p);
- if (!ASN1_BIT_STRING_set(pk->public_key, s, i)) {
- X509err(X509_F_X509_PUBKEY_SET, ERR_R_MALLOC_FAILURE);
- goto err;
- }
- /* Set number of unused bits to zero */
- pk->public_key->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
- pk->public_key->flags |= ASN1_STRING_FLAG_BITS_LEFT;
-
- OPENSSL_free(s);
-
- if (*x != nullptr) DH_PUBKEY_free(*x);
-
- *x = pk;
-
- return 1;
-err:
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (pk != nullptr) DH_PUBKEY_free(pk);
- return 0;
-}
-
-EVP_PKEY *DH_PUBKEY_get(DH_PUBKEY *key) {
- EVP_PKEY *ret = nullptr;
- decltype(asn1_string_st::length) j;
- const unsigned char *p;
- const unsigned char *cp;
- X509_ALGOR *a;
- ASN1_INTEGER *asn1int = nullptr;
-
- if (key == nullptr) {
- return (nullptr);
- }
-
- if (key->pkey != nullptr) {
- EVP_PKEY_up_ref(key->pkey);
- return (key->pkey);
- }
-
- if (key->public_key == nullptr) {
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
-
- if ((ret = EVP_PKEY_new()) == nullptr) {
- X509err(X509_F_X509_PUBKEY_DECODE, ERR_R_MALLOC_FAILURE);
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
-
- LOGDH(" DHPUBKEY evppkey type is %d", EVP_PKEY_base_id(ret));
-
- /* the parameters must be extracted before the public key */
-
- a = key->algor;
-
- if (EVP_PKEY_base_id(ret) == EVP_PKEY_DH) {
- if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE)) {
- if ((EVP_PKEY_set1_DH(ret, DH_new())) == 0) {
- X509err(X509_F_X509_PUBKEY_DECODE, ERR_R_MALLOC_FAILURE);
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
- cp = p = a->parameter->value.sequence->data;
- j = a->parameter->value.sequence->length;
- DH *dh = EVP_PKEY_get1_DH(ret);
- if (!d2i_DHparams(&dh, &cp, j)) {
- if (asn1int != nullptr) ASN1_INTEGER_free(asn1int);
- if (ret != nullptr) EVP_PKEY_free(ret);
- return (nullptr);
- }
- }
- }
-
- p = key->public_key->data;
- j = key->public_key->length;
-
- asn1int = d2i_ASN1_INTEGER(nullptr, &p, j);
- LOGDH("after d2i asn1 integer ptr is %p", asn1int);
-
- DH *dh = EVP_PKEY_get1_DH(ret);
- DH_set0_key(dh, ASN1_INTEGER_to_BN(asn1int, nullptr), nullptr);
-
- key->pkey = ret;
- EVP_PKEY_up_ref(key->pkey);
-
- if (asn1int) {
- ASN1_INTEGER_free(asn1int);
- }
- return (ret);
-}
diff --git a/dhimpl/DHImpl.hpp b/dhimpl/DHImpl.hpp
deleted file mode 100644
index 38ba3c8..0000000
--- a/dhimpl/DHImpl.hpp
+++ /dev/null
@@ -1,69 +0,0 @@
-#pragma once
-
-#ifndef GEODE_DHIMPL_DHIMPL_H_
-#define GEODE_DHIMPL_DHIMPL_H_
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <openssl-compat.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509.h>
-
-#include <string>
-#include <vector>
-
-#include "dhimpl_export.h"
-
-#define DH_ERR_NO_ERROR 0
-#define DH_ERR_UNSUPPORTED_ALGO 1
-#define DH_ERR_ILLEGAL_KEYSIZE 2
-#define DH_ERR_SUBJECT_NOT_FOUND 3
-#define DH_ERR_NO_CERTIFICATES 4
-#define DH_ERR_INVALID_SIGN 5
-
-#ifdef _DEBUG
-#define LOGDH printf
-#else
-#define LOGDH(...)
-#endif
-
-// We need to declare our own structures and macros for
-// DH public key x509 encoding because it's not available in
-// OpenSSL yet.
-typedef struct DH_pubkey_st {
- X509_ALGOR* algor;
- ASN1_BIT_STRING* public_key;
- EVP_PKEY* pkey;
-} DH_PUBKEY;
-
-extern "C" {
-DHIMPL_EXPORT int gf_initDhKeys(const char* dhAlgo, const char* ksPath);
-DHIMPL_EXPORT void gf_clearDhKeys(void);
-DHIMPL_EXPORT unsigned char* gf_getPublicKey(int* len);
-DHIMPL_EXPORT void gf_setPublicKeyOther(const unsigned char* pubkey,
- int length);
-DHIMPL_EXPORT void gf_computeSharedSecret(void);
-DHIMPL_EXPORT unsigned char* gf_encryptDH(const unsigned char* cleartext,
- int len, int* retLen);
-DHIMPL_EXPORT bool gf_verifyDH(const char* subject,
- const unsigned char* challenge, int challengeLen,
- const unsigned char* response, int responseLen,
- int* reason);
-}
-
-#endif // GEODE_DHIMPL_DHIMPL_H_
diff --git a/docs/geode-native-docs-cpp/configuring/sysprops.html.md.erb b/docs/geode-native-docs-cpp/configuring/sysprops.html.md.erb
index caa55ad..c9314f5 100644
--- a/docs/geode-native-docs-cpp/configuring/sysprops.html.md.erb
+++ b/docs/geode-native-docs-cpp/configuring/sysprops.html.md.erb
@@ -256,7 +256,7 @@ See [SSL Client/Server Communication](../security/sslclientserver.html).
</tr>
<tr class="odd">
<td><code class="ph codeph">security-client-dhalgo</code></td>
-<td>Returns the Diffie-Hellman secret key cipher algorithm.</td>
+<td>Diffie-Hellman based credentials encryption is not supported.</td>
<td>null</td>
</tr>
<tr class="even">
diff --git a/docs/geode-native-docs-cpp/security/security-systemprops.html.md.erb b/docs/geode-native-docs-cpp/security/security-systemprops.html.md.erb
index 81eba0e..b7f73c6 100644
--- a/docs/geode-native-docs-cpp/security/security-systemprops.html.md.erb
+++ b/docs/geode-native-docs-cpp/security/security-systemprops.html.md.erb
@@ -32,7 +32,7 @@ The table describes the security-related system properties in the `geode.propert
<tbody>
<tr class="odd">
<td><code class="ph codeph">security-client-dhalgo</code></td>
-<td>Returns the Diffie-Hellman secret key cipher algorithm.</td>
+<td>Diffie-Hellman based credentials encryption is not supported.</td>
</tr>
<tr class="even">
<td><code class="ph codeph">security-client-kspath</code></td>
diff --git a/docs/geode-native-docs-dotnet/configuring/sysprops.html.md.erb b/docs/geode-native-docs-dotnet/configuring/sysprops.html.md.erb
index ae58777..6191c59 100644
--- a/docs/geode-native-docs-dotnet/configuring/sysprops.html.md.erb
+++ b/docs/geode-native-docs-dotnet/configuring/sysprops.html.md.erb
@@ -256,7 +256,7 @@ See [SSL Client/Server Communication](../security/sslclientserver.html).
</tr>
<tr class="odd">
<td><code class="ph codeph">security-client-dhalgo</code></td>
-<td>Returns the Diffie-Hellman secret key cipher algorithm.</td>
+<td>Diffie-Hellman based credentials encryption is not supported.</td>
<td>null</td>
</tr>
<tr class="even">
diff --git a/docs/geode-native-docs-dotnet/security/security-systemprops.html.md.erb b/docs/geode-native-docs-dotnet/security/security-systemprops.html.md.erb
index 81eba0e..b7f73c6 100644
--- a/docs/geode-native-docs-dotnet/security/security-systemprops.html.md.erb
+++ b/docs/geode-native-docs-dotnet/security/security-systemprops.html.md.erb
@@ -32,7 +32,7 @@ The table describes the security-related system properties in the `geode.propert
<tbody>
<tr class="odd">
<td><code class="ph codeph">security-client-dhalgo</code></td>
-<td>Returns the Diffie-Hellman secret key cipher algorithm.</td>
+<td>Diffie-Hellman based credentials encryption is not supported.</td>
</tr>
<tr class="even">
<td><code class="ph codeph">security-client-kspath</code></td>
diff --git a/templates/security/CMakeLists.txt b/templates/security/CMakeLists.txt
index 0bf308e..36ce124 100644
--- a/templates/security/CMakeLists.txt
+++ b/templates/security/CMakeLists.txt
@@ -17,8 +17,6 @@ cmake_minimum_required(VERSION 3.10)
project(templates.security LANGUAGES CXX)
add_library(securityImpl SHARED
- PkcsAuthInit.cpp
- PkcsAuthInit.hpp
UserPasswordAuthInit.cpp
UserPasswordAuthInit.hpp
CMakeLists.txt.forInstall
diff --git a/templates/security/PkcsAuthInit.cpp b/templates/security/PkcsAuthInit.cpp
deleted file mode 100644
index 1150289..0000000
--- a/templates/security/PkcsAuthInit.cpp
+++ /dev/null
@@ -1,192 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "PkcsAuthInit.hpp"
-
-#include <openssl-compat.h>
-
-#include <cstdio>
-#include <string>
-
-#include <geode/CacheableBuiltins.hpp>
-#include <geode/ExceptionTypes.hpp>
-#include <geode/Properties.hpp>
-
-#include "geode/CacheableBuiltins.hpp"
-#include "geode/ExceptionTypes.hpp"
-#include "geode/Properties.hpp"
-#include "securityimpl_export.h"
-
-namespace apache {
-namespace geode {
-namespace client {
-
-extern "C" {
-SECURITYIMPL_EXPORT AuthInitialize* createPKCSAuthInitInstance() {
- return new PKCSAuthInit();
-}
-
-uint8_t* createSignature(EVP_PKEY* key, X509* cert,
- const unsigned char* inputBuffer,
- uint32_t inputBufferLen, unsigned int* signatureLen) {
- if (!key || !cert || !inputBuffer) {
- return nullptr;
- }
-
- const ASN1_OBJECT* macobj;
- X509_ALGOR_get0(&macobj, nullptr, nullptr, nullptr);
- const EVP_MD* signatureDigest = EVP_get_digestbyobj(macobj);
-
- EVP_MD_CTX* signatureCtx = EVP_MD_CTX_new();
- uint8_t* signatureData = new uint8_t[EVP_PKEY_size(key)];
-
- bool result = (EVP_SignInit_ex(signatureCtx, signatureDigest, nullptr) &&
- EVP_SignUpdate(signatureCtx, inputBuffer, inputBufferLen) &&
- EVP_SignFinal(signatureCtx, signatureData, signatureLen, key));
-
- EVP_MD_CTX_free(signatureCtx);
- if (result) {
- return signatureData;
- }
- return nullptr;
-}
-
-bool readPKCSPublicPrivateKey(FILE* keyStoreFP, const char* keyStorePassword,
- EVP_PKEY** outPrivateKey, X509** outCertificate) {
- PKCS12* p12;
-
- if (!keyStoreFP || !keyStorePassword || (keyStorePassword[0] == '\0')) {
- return (false);
- }
-
- p12 = d2i_PKCS12_fp(keyStoreFP, nullptr);
-
- if (p12) {
- return (false);
- }
-
- if (!PKCS12_parse(p12, keyStorePassword, outPrivateKey, outCertificate,
- nullptr)) {
- return (false);
- }
-
- PKCS12_free(p12);
-
- return (outPrivateKey && outCertificate);
-}
-
-bool openSSLInit() {
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
-
- return true;
-}
-
-static bool s_initDone = openSSLInit();
-}
-// end of extern "C"
-
-std::shared_ptr<Properties> PKCSAuthInit::getCredentials(
- const std::shared_ptr<Properties>& securityprops, const std::string&) {
- if (!s_initDone) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "OpenSSL initialization failed.");
- }
- if (securityprops == nullptr || securityprops->getSize() <= 0) {
- throw AuthenticationRequiredException(
- "PKCSAuthInit::getCredentials: "
- "No security-* properties are set.");
- }
-
- auto keyStoreptr = securityprops->find(KEYSTORE_FILE_PATH);
-
- const char* keyStorePath = keyStoreptr->value().c_str();
-
- if (!keyStorePath) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "key-store file path property KEYSTORE_FILE_PATH not set.");
- }
-
- auto aliasptr = securityprops->find(KEYSTORE_ALIAS);
-
- const char* alias = aliasptr->value().c_str();
-
- if (!alias) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "key-store alias property KEYSTORE_ALIAS not set.");
- }
-
- auto keyStorePassptr = securityprops->find(KEYSTORE_PASSWORD);
-
- const char* keyStorePass = keyStorePassptr->value().c_str();
-
- if (!keyStorePass) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "key-store password property KEYSTORE_PASSWORD not set.");
- }
-
- FILE* keyStoreFP = fopen(keyStorePath, "r");
- if (!keyStoreFP) {
- char msg[1024];
- sprintf(msg, "PKCSAuthInit::getCredentials: Unable to open keystore %s",
- keyStorePath);
- throw AuthenticationFailedException(msg);
- }
-
- EVP_PKEY* privateKey = nullptr;
- X509* cert = nullptr;
-
- /* Read the Public and Private Key from keystore in file */
- if (!readPKCSPublicPrivateKey(keyStoreFP, keyStorePass, &privateKey, &cert)) {
- fclose(keyStoreFP);
- char msg[1024];
- sprintf(msg,
- "PKCSAuthInit::getCredentials: Unable to read PKCS "
- "public key from %s",
- keyStorePath);
- throw AuthenticationFailedException(msg);
- }
-
- fclose(keyStoreFP);
-
- unsigned int lengthEncryptedData = 0;
-
- auto signatureData = createSignature(
- privateKey, cert, reinterpret_cast<const unsigned char*>(alias),
- static_cast<uint32_t>(strlen(alias)), &lengthEncryptedData);
- EVP_PKEY_free(privateKey);
- X509_free(cert);
- if (signatureData == nullptr) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "Unable to create signature");
- }
- auto signatureValPtr = CacheableBytes::create(
- std::vector<int8_t>(signatureData, signatureData + lengthEncryptedData));
-
- auto credentials = Properties::create();
- credentials->insert(KEYSTORE_ALIAS, alias);
- credentials->insert(CacheableString::create(SIGNATURE_DATA), signatureValPtr);
- return credentials;
-}
-} // namespace client
-} // namespace geode
-} // namespace apache
diff --git a/templates/security/PkcsAuthInit.hpp b/templates/security/PkcsAuthInit.hpp
deleted file mode 100644
index 5e3c94a..0000000
--- a/templates/security/PkcsAuthInit.hpp
+++ /dev/null
@@ -1,96 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef __PKCSAUTHINIT__
-#define __PKCSAUTHINIT__
-
-#include <cstdio>
-#include <cstdlib>
-
-#pragma error_messages(off, macroredef)
-
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/pkcs12.h>
-#include <openssl/rsa.h>
-#include <openssl/ssl.h>
-#include <openssl/x509.h>
-
-#pragma error_messages(on, macroredef)
-
-#include <geode/AuthInitialize.hpp>
-
-/**
- * @file
- */
-
-const char KEYSTORE_FILE_PATH[] = "security-keystorepath";
-
-const char KEYSTORE_ALIAS[] = "security-alias";
-
-const char KEYSTORE_PASSWORD[] = "security-keystorepass";
-
-const char SIGNATURE_DATA[] = "security-signature";
-
-namespace apache {
-namespace geode {
-namespace client {
-
-/**
- * @class PKCSAuthInit Implementation PKCSAuthInit.hpp
- * PKCSAuthInit API for getCredentials.
- * The PKCSAuthInit class derives from AuthInitialize base class.
- * It uses the provided alias, password and corresponding keystore to obtain the
- * private key and
- * encrypts data. This data is sent to server for authentication.
- *
- */
-
-class PKCSAuthInit : public AuthInitialize {
- public:
- PKCSAuthInit() = default;
- ~PKCSAuthInit() noexcept override = default;
-
- /**@brief initialize with the given set of security properties
- * and return the credentials for the client as properties.
- * @param props the set of security properties provided to the
- * <code>DistributedSystem.connect</code> method
- * @param server it is the ID of the current endpoint.
- * The format expected is "host:port".
- * @returns the credentials to be used for the given <code>server</code>
- */
- std::shared_ptr<Properties> getCredentials(
- const std::shared_ptr<Properties>& securityprops,
- const std::string& server) override;
-
- /**
- * @brief Invoked before the cache goes down.
- */
- void close() override { return; }
-
- /**
- * @brief private members
- */
-
- private:
-};
-} // namespace client
-} // namespace geode
-} // namespace apache
-#endif //__PKCSAUTHINIT__
diff --git a/tests/cli/CMakeLists.txt b/tests/cli/CMakeLists.txt
index 973a690..1d81e62 100644
--- a/tests/cli/CMakeLists.txt
+++ b/tests/cli/CMakeLists.txt
@@ -16,7 +16,6 @@
cmake_minimum_required(VERSION 3.10)
project(nativeclient.tests LANGUAGES NONE)
-add_subdirectory(PkcsWrapper)
add_subdirectory(QueryHelper)
add_subdirectory(PdxClassLibrary)
diff --git a/tests/cli/NewFwkLib/CacheServer.cs b/tests/cli/NewFwkLib/CacheServer.cs
index 8365786..afa1025 100644
--- a/tests/cli/NewFwkLib/CacheServer.cs
+++ b/tests/cli/NewFwkLib/CacheServer.cs
@@ -4351,59 +4351,6 @@ private void checkUpdatedValue(TKey key, TVal value)
};
}
}
- else
- {
- FwkInfo("Security Scheme is {0}", SecurityCode);
- for (Int32 i = 0; i < userSize; i++)
- {
- Properties<string, string> userProp = new Properties<string, string>();
- PkcsAuthInit pkcs = new PkcsAuthInit();
- if (pkcs == null) {
- FwkException("NULL PKCS Credential Generator");
- }
- userName = (String)userList[i];
- string dataDir = Util.GetFwkLogDir(Util.SystemType) + "/data";
- userProp.Insert(KeyStoreFileProp, GetKeyStoreDir(dataDir) +
- userName + ".keystore");
- userProp.Insert(KeyStoreAliasProp, userName);
- userProp.Insert(KeyStorePasswordProp, "geode");
- //mu_cache = pool.CreateSecureUserCache(userProp);
- //IRegionService mu_cache = CacheHelper<TKey, TVal>.DCache.CreateAuthenticatedView(userProp, pool.Name);
- IRegionService mu_cache = CacheHelper<TKey, TVal>.DCache.CreateAuthenticatedView(
- CacheHelper<TKey, TVal>.GetPkcsCredentialsForMU(
- pkcs.GetCredentials(userProp, "0:0")), pool.Name);
- authCacheMap.Add(userName, mu_cache);
- IRegion<TKey, TVal> m_region = mu_cache.GetRegion<TKey, TVal>(regionName);
- proxyRegionMap.Add(userName, m_region);
- Dictionary<string, int> opMAP = new Dictionary<string, int>();
- Dictionary<string, int> expMAP = new Dictionary<string, int>();
- operationMap[userName] = opMAP;
- exceptionMap[userName] = expMAP;
- Utility.GetClientProperties(gen.AuthInit, null, ref userProp);
- FwkInfo("Security properties entries: {0}", userProp);
- switch (i)
- {
- case 0:
- case 1:
- setAdminRole(userName);
- break;
- case 2:
- case 3:
- case 4:
- setReaderRole(userName);
- break;
- case 5:
- case 6:
- case 7:
- setWriterRole(userName);
- break;
- case 8:
- case 9:
- setQueryRole(userName);
- break;
- };
- }
- }
}
public string GetKeyStoreDir(string dataDir)
diff --git a/tests/cli/NewFwkLib/NewFwkLib.csproj.in b/tests/cli/NewFwkLib/NewFwkLib.csproj.in
index f64d801..71abeff 100644
--- a/tests/cli/NewFwkLib/NewFwkLib.csproj.in
+++ b/tests/cli/NewFwkLib/NewFwkLib.csproj.in
@@ -125,11 +125,6 @@
<Project>{5055633B-6D1C-488D-B934-1AC482C915F7}</Project>
<Name>PdxVersion2Lib</Name>
</ProjectReference>
- <ProjectReference Include="..\PkcsWrapper\PkcsWrapper.vcxproj">
- <CopyLocalSatelliteAssemblies>true</CopyLocalSatelliteAssemblies>
- <ReferenceOutputAssembly>true</ReferenceOutputAssembly>
- <Name>PkcsWrapper</Name>
- </ProjectReference>
<ProjectReference Include="..\QueryHelper\QueryWrapper.vcxproj">
<CopyLocalSatelliteAssemblies>true</CopyLocalSatelliteAssemblies>
<ReferenceOutputAssembly>true</ReferenceOutputAssembly>
diff --git a/tests/cli/PkcsWrapper/CMakeLists.txt b/tests/cli/PkcsWrapper/CMakeLists.txt
deleted file mode 100644
index 366f185..0000000
--- a/tests/cli/PkcsWrapper/CMakeLists.txt
+++ /dev/null
@@ -1,57 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements. See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-cmake_minimum_required(VERSION 3.10)
-project(PkcsWrapper LANGUAGES CXX)
-
-add_library(PkcsWrapper SHARED
- PkcsAuthInitMN.cpp
- PkcsAuthInitMN.hpp
-)
-
-target_compile_options(${PROJECT_NAME}
- PRIVATE
- # disabled warnings
- /wd4947
-)
-
-set_target_properties(PkcsWrapper PROPERTIES
- VS_GLOBAL_CLRSupport "true"
- VS_GLOBAL_KEYWORD "ManagedCProj"
- VS_GLOBAL_PROJECT_TYPES "{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}"
- VS_GLOBAL_ROOTNAMESPACE "Apache.Geode.Client.Tests"
- VS_DOTNET_REFERENCES "System;System.Xml"
-)
-
-target_link_libraries(PkcsWrapper
- PUBLIC
- # Apache.Geode #- Causes include of .lib
- PRIVATE
- c++cli
- c++11
- security
-)
-
-# Makes project only reference, no .lib.
-add_dependencies(PkcsWrapper Apache.Geode)
-
-include_directories(${CMAKE_SOURCE_DIR}/clicache/src)
-include_directories(${CMAKE_SOURCE_DIR}/tests/cpp/security)
-
-string(REPLACE "/RTC1" "" CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG}")
-set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${SHARED_LINKER_FLAGS_STRONG_KEY}")
-
-# For Visual Studio organization
-set_target_properties(PkcsWrapper PROPERTIES FOLDER cli/test/integration)
diff --git a/tests/cli/PkcsWrapper/PkcsAuthInitMN.cpp b/tests/cli/PkcsWrapper/PkcsAuthInitMN.cpp
deleted file mode 100644
index 86c1772..0000000
--- a/tests/cli/PkcsWrapper/PkcsAuthInitMN.cpp
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "PkcsAuthInitMN.hpp"
-#include "begin_native.hpp"
-#include <geode/Properties.hpp>
-#include "end_native.hpp"
-
-using namespace System;
-using namespace Apache::Geode::Client::Tests;
-using namespace Apache::Geode::Client;
-
-PkcsAuthInit::PkcsAuthInit()
-{
-
-}
-
-PkcsAuthInit::~PkcsAuthInit()
-{
-
-}
-
-void PkcsAuthInit::Close()
-{
-}
-
-//generic <class TPropKey, class TPropValue>
-Apache::Geode::Client::Properties<String^, Object^>^
-PkcsAuthInit::GetCredentials(
- Apache::Geode::Client::Properties<String^, String^> ^props, System::String ^server)
-{
- throw gcnew System::NotImplementedException();
-}
diff --git a/tests/cli/PkcsWrapper/PkcsAuthInitMN.hpp b/tests/cli/PkcsWrapper/PkcsAuthInitMN.hpp
deleted file mode 100644
index 249863a..0000000
--- a/tests/cli/PkcsWrapper/PkcsAuthInitMN.hpp
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#include <memory>
-#include "native_shared_ptr.hpp"
-#include "PkcsAuthInit.hpp"
-
-using namespace System;
-
-using namespace Apache::Geode::Client;
-
-namespace Apache
-{
- namespace Geode
- {
- namespace Client
- {
- namespace Tests
- {
- public ref class PkcsAuthInit sealed
- : public Apache::Geode::Client::IAuthInitialize
- {
- public:
-
- PkcsAuthInit();
-
- ~PkcsAuthInit();
-
- //generic <class TPropKey, class TPropValue>
- virtual Apache::Geode::Client::Properties<String^, Object^> ^
- GetCredentials(
- Apache::Geode::Client::Properties<String^, String^>^ props, String^ server);
-
- virtual void Close();
-
- internal:
- PkcsAuthInit(const std::shared_ptr<apache::geode::client::PKCSAuthInitInternal>& nativeptr)
- {
- m_nativeptr = gcnew native_shared_ptr<apache::geode::client::PKCSAuthInitInternal>(nativeptr);
- }
-
- private:
- native_shared_ptr<apache::geode::client::PKCSAuthInitInternal>^ m_nativeptr;
- };
- }
- }
- }
-}
-
diff --git a/tests/cli/SecurityUtil/CredentialGeneratorN.cs b/tests/cli/SecurityUtil/CredentialGeneratorN.cs
index 0471ea2..3f5185c 100644
--- a/tests/cli/SecurityUtil/CredentialGeneratorN.cs
+++ b/tests/cli/SecurityUtil/CredentialGeneratorN.cs
@@ -112,8 +112,6 @@ namespace Apache.Geode.Client.Tests
return null;
case ClassCode.LDAP:
return new LDAPCredentialGenerator();
- case ClassCode.PKCS:
- return new PKCSCredentialGenerator(isMultiUser);
case ClassCode.SSL:
// return new SSLCredentialGenerator();
return null;
diff --git a/tests/cli/SecurityUtil/SecurityUtil.csproj.in b/tests/cli/SecurityUtil/SecurityUtil.csproj.in
index 0ecf164..a6ae959 100644
--- a/tests/cli/SecurityUtil/SecurityUtil.csproj.in
+++ b/tests/cli/SecurityUtil/SecurityUtil.csproj.in
@@ -110,7 +110,6 @@
<Compile Include="$(CMAKE_CURRENT_SOURCE_DIR)\SecurityUtil\CredentialGeneratorN.cs" />
<Compile Include="$(CMAKE_CURRENT_SOURCE_DIR)\SecurityUtil\DummyAuthorization3N.cs" />
<Compile Include="$(CMAKE_CURRENT_SOURCE_DIR)\SecurityUtil\LdapCredentialGeneratorN.cs" />
- <Compile Include="$(CMAKE_CURRENT_SOURCE_DIR)\SecurityUtil\PKCSCredentialGeneratorN.cs" />
<Compile Include="$(CMAKE_CURRENT_SOURCE_DIR)\SecurityUtil\XmlAuthzCredentialGeneratorN.cs" />
</ItemGroup>
<ItemGroup>
@@ -118,10 +117,6 @@
<Project>{796727E8-3A6A-46BE-A2DB-584A4774CD51}</Project>
<Name>DUnitFramework</Name>
</ProjectReference>
- <ProjectReference Include="..\PkcsWrapper\PkcsWrapper.vcxproj">
- <CopyLocalSatelliteAssemblies>true</CopyLocalSatelliteAssemblies>
- <ReferenceOutputAssembly>true</ReferenceOutputAssembly>
- </ProjectReference>
</ItemGroup>
<Import Project="$(MSBuildBinPath)\Microsoft.CSharp.targets" />
<!-- To modify your build process, add your task inside one of the targets below and uncomment it.
diff --git a/tests/cli/SecurityUtil/XmlAuthzCredentialGeneratorN.cs b/tests/cli/SecurityUtil/XmlAuthzCredentialGeneratorN.cs
index e10160a..29b1f7f 100644
--- a/tests/cli/SecurityUtil/XmlAuthzCredentialGeneratorN.cs
+++ b/tests/cli/SecurityUtil/XmlAuthzCredentialGeneratorN.cs
@@ -143,8 +143,6 @@ namespace Apache.Geode.Client.Tests
return GetDummyPrincipal(roleType, index);
case CredentialGenerator.ClassCode.LDAP:
return GetLdapPrincipal(roleType, index);
- case CredentialGenerator.ClassCode.PKCS:
- return GetPKCSPrincipal(roleType, index);
}
return null;
}
@@ -176,8 +174,6 @@ namespace Apache.Geode.Client.Tests
return GetDummyPrincipal(disallowedRoleType, index);
case CredentialGenerator.ClassCode.LDAP:
return GetLdapPrincipal(disallowedRoleType, index);
- case CredentialGenerator.ClassCode.PKCS:
- return GetPKCSPrincipal(disallowedRoleType, index);
}
return null;
}
@@ -212,14 +208,6 @@ namespace Apache.Geode.Client.Tests
return GetUserPrincipal(GetLdapUser(roleType, index));
}
- private Properties<string, string> GetPKCSPrincipal(Role roleType, int index)
- {
- string userName = GetLdapUser(roleType, index);
- Properties<string, string> props = new Properties<string, string>();
- props.Insert(PKCSCredentialGenerator.KeyStoreAliasProp, userName);
- return props;
- }
-
private string GetLdapUser(Role roleType, int index)
{
const string userPrefix = "geode";
diff --git a/tests/cpp/security/CMakeLists.txt b/tests/cpp/security/CMakeLists.txt
index cee20a6..8396cc2 100644
--- a/tests/cpp/security/CMakeLists.txt
+++ b/tests/cpp/security/CMakeLists.txt
@@ -24,8 +24,6 @@ add_library(security STATIC
DummyCredentialGenerator3.hpp
LdapUserCredentialGenerator.hpp
NoopCredentialGenerator.hpp
- PkcsAuthInit.cpp
- PkcsAuthInit.hpp
PkcsCredentialGenerator.hpp
typedefs.hpp
XmlAuthzCredentialGenerator.hpp
diff --git a/tests/cpp/security/PkcsAuthInit.cpp b/tests/cpp/security/PkcsAuthInit.cpp
deleted file mode 100644
index 9f75914..0000000
--- a/tests/cpp/security/PkcsAuthInit.cpp
+++ /dev/null
@@ -1,220 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "PkcsAuthInit.hpp"
-
-#include <openssl-compat.h>
-
-#include <cstdio>
-#include <string>
-#include <util/Log.hpp>
-
-#include <geode/CacheableBuiltins.hpp>
-#include <geode/ExceptionTypes.hpp>
-#include <geode/Properties.hpp>
-
-#include "SerializationRegistry.hpp"
-#include "security_export.h"
-
-namespace apache {
-namespace geode {
-namespace client {
-std::shared_ptr<CacheableString> convertBytesToString(const uint8_t* bytes,
- int32_t length,
- size_t maxLength) {
- if (bytes) {
- std::string str;
- size_t totalBytes = 0;
- char byteStr[20];
- for (int32_t index = 0; index < length; ++index) {
- int len = sprintf(byteStr, "%d ", bytes[index]);
- totalBytes += len;
- // no use going beyond maxLength since LOG* methods will truncate
- // in any case
- if (maxLength > 0 && totalBytes > maxLength) {
- break;
- }
- str.append(byteStr, len);
- }
- return CacheableString::create(str);
- }
- return CacheableString::create("");
-}
-
-extern "C" {
-SECURITY_EXPORT AuthInitialize* createPKCSAuthInitInstance() {
- return new PKCSAuthInitInternal();
-}
-
-uint8_t* createSignature(EVP_PKEY* key, X509* cert,
- const unsigned char* inputBuffer,
- uint32_t inputBufferLen, unsigned int* signatureLen) {
- if (!key || !cert || !inputBuffer) {
- return nullptr;
- }
- const ASN1_OBJECT* macobj;
- const X509_ALGOR* algorithm = nullptr;
- X509_ALGOR_get0(&macobj, nullptr, nullptr, algorithm);
- const EVP_MD* signatureDigest = EVP_get_digestbyobj(macobj);
- EVP_MD_CTX* signatureCtx = EVP_MD_CTX_new();
- auto signatureData =
- std::unique_ptr<uint8_t[]>(new uint8_t[EVP_PKEY_size(key)]);
- bool result =
- (EVP_SignInit_ex(signatureCtx, signatureDigest, nullptr) &&
- EVP_SignUpdate(signatureCtx, inputBuffer, inputBufferLen) &&
- EVP_SignFinal(signatureCtx, signatureData.get(), signatureLen, key));
- EVP_MD_CTX_free(signatureCtx);
- if (result) {
- return signatureData.release();
- }
- return nullptr;
-}
-
-bool readPKCSPublicPrivateKey(FILE* keyStoreFP, const char* keyStorePassword,
- EVP_PKEY** outPrivateKey, X509** outCertificate) {
- PKCS12* p12;
-
- if (!keyStoreFP || !keyStorePassword || (keyStorePassword[0] == '\0')) {
- return (false);
- }
-
- p12 = d2i_PKCS12_fp(keyStoreFP, nullptr);
-
- if (!p12) {
- return (false);
- }
-
- if (!PKCS12_parse(p12, keyStorePassword, outPrivateKey, outCertificate,
- nullptr)) {
- return (false);
- }
-
- PKCS12_free(p12);
-
- return (outPrivateKey && outCertificate);
-}
-
-bool openSSLInit() {
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
-
- return true;
-}
-
-static bool s_initDone = openSSLInit();
-}
-// end of extern "C"
-std::shared_ptr<Properties> PKCSAuthInitInternal::getCredentials(
- const std::shared_ptr<Properties>& securityprops, const std::string&) {
- if (!s_initDone) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "OpenSSL initialization failed.");
- }
- if (securityprops == nullptr || securityprops->getSize() <= 0) {
- throw AuthenticationRequiredException(
- "PKCSAuthInit::getCredentials: "
- "No security-* properties are set.");
- }
-
- auto keyStoreptr = securityprops->find(KEYSTORE_FILE_PATH1);
-
- const char* keyStorePath = keyStoreptr->value().c_str();
-
- if (!keyStorePath) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "key-store file path property KEYSTORE_FILE_PATH not set.");
- }
-
- auto aliasptr = securityprops->find(KEYSTORE_ALIAS1);
-
- const char* alias = aliasptr->value().c_str();
-
- if (!alias) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "key-store alias property KEYSTORE_ALIAS not set.");
- }
-
- auto keyStorePassptr = securityprops->find(KEYSTORE_PASSWORD1);
-
- const char* keyStorePass = keyStorePassptr->value().c_str();
-
- if (!keyStorePass) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "key-store password property KEYSTORE_PASSWORD not set.");
- }
-
- FILE* keyStoreFP = fopen(keyStorePath, "r");
- if (!keyStoreFP) {
- char msg[1024];
- sprintf(msg, "PKCSAuthInit::getCredentials: Unable to open keystore %s",
- keyStorePath);
- throw AuthenticationFailedException(msg);
- }
-
- EVP_PKEY* privateKey = nullptr;
- X509* cert = nullptr;
-
- /* Read the Public and Private Key from keystore in file */
- if (!readPKCSPublicPrivateKey(keyStoreFP, keyStorePass, &privateKey, &cert)) {
- fclose(keyStoreFP);
- char msg[1024];
- sprintf(msg,
- "PKCSAuthInit::getCredentials: Unable to read PKCS "
- "public key from %s",
- keyStorePath);
- throw AuthenticationFailedException(msg);
- }
-
- fclose(keyStoreFP);
- unsigned int lengthEncryptedData = 0;
-
- auto signatureData = std::unique_ptr<uint8_t[]>(createSignature(
- privateKey, cert, reinterpret_cast<const unsigned char*>(alias),
- static_cast<uint32_t>(strlen(alias)), &lengthEncryptedData));
- EVP_PKEY_free(privateKey);
- X509_free(cert);
- if (!signatureData) {
- throw AuthenticationFailedException(
- "PKCSAuthInit::getCredentials: "
- "Unable to create signature");
- }
- std::shared_ptr<Cacheable> signatureValPtr;
- if (m_stringCredentials) {
- // convert signature bytes to base64
- signatureValPtr =
- convertBytesToString(signatureData.get(), lengthEncryptedData, 2048);
- LOGINFO(" Converting CREDS to STRING: %s",
- signatureValPtr->toString().c_str());
- } else {
- signatureValPtr = CacheableBytes::create(std::vector<int8_t>(
- signatureData.get(), signatureData.get() + lengthEncryptedData));
- LOGINFO(" Converting CREDS to BYTES: %s",
- signatureValPtr->toString().c_str());
- }
- auto credentials = Properties::create();
- credentials->insert(KEYSTORE_ALIAS1, alias);
- credentials->insert(CacheableString::create(SIGNATURE_DATA1),
- signatureValPtr);
- return credentials;
-}
-} // namespace client
-} // namespace geode
-} // namespace apache
diff --git a/tests/cpp/security/PkcsAuthInit.hpp b/tests/cpp/security/PkcsAuthInit.hpp
deleted file mode 100644
index 3eb03da..0000000
--- a/tests/cpp/security/PkcsAuthInit.hpp
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#ifndef GEODE_SECURITY_PKCSAUTHINIT_H_
-#define GEODE_SECURITY_PKCSAUTHINIT_H_
-
-#include <cstdio>
-#include <cstdlib>
-
-#pragma error_messages(off, macroredef)
-
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/pem.h>
-#include <openssl/pkcs12.h>
-#include <openssl/rsa.h>
-#include <openssl/ssl.h>
-#include <openssl/x509.h>
-
-#pragma error_messages(on, macroredef)
-
-#include <geode/AuthInitialize.hpp>
-
-/**
- * @file
- */
-const char KEYSTORE_FILE_PATH1[] = "security-keystorepath";
-
-const char KEYSTORE_ALIAS1[] = "security-alias";
-
-const char KEYSTORE_PASSWORD1[] = "security-keystorepass";
-
-const char SIGNATURE_DATA1[] = "security-signature";
-
-namespace apache {
-namespace geode {
-namespace client {
-
-/**
- * @class PKCSAuthInit Implementation PKCSAuthInit.hpp
- * PKCSAuthInit API for getCredentials.
- * The PKCSAuthInit class derives from AuthInitialize base class.
- * It uses the provided alias, password and corresponding keystore to obtain the
- * private key and
- * encrypts data. This data is sent to server for authentication.
- *
- */
-
-class PKCSAuthInitInternal : public AuthInitialize {
- public:
- explicit PKCSAuthInitInternal(bool makeString = false)
- : m_stringCredentials(makeString) {}
- ~PKCSAuthInitInternal() noexcept override = default;
-
- /**@brief initialize with the given set of security properties
- * and return the credentials for the client as properties.
- * @param props the set of security properties provided to the
- * <code>DistributedSystem.connect</code> method
- * @param server it is the ID of the current endpoint.
- * The format expected is "host:port".
- * @returns the credentials to be used for the given <code>server</code>
- */
- std::shared_ptr<Properties> getCredentials(
- const std::shared_ptr<Properties>& securityprops,
- const std::string& server) override;
-
- /**
- * @brief Invoked before the cache goes down.
- */
- void close() override { return; }
-
- /**
- * @brief private members
- */
-
- private:
- bool m_stringCredentials;
-};
-} // namespace client
-} // namespace geode
-} // namespace apache
-
-#endif // GEODE_SECURITY_PKCSAUTHINIT_H_