#3299: NetSSL: Allow per-Context InvalidCertificateHandler

NetSSL_OpenSSL/include/Poco/Net/AcceptCertificateHandler.h

@@ -27,7 +27,7 @@ namespace Net {
 
 
 class NetSSL_API AcceptCertificateHandler: public InvalidCertificateHandler
-	/// A AcceptCertificateHandler is invoked whenever an error 
+	/// A AcceptCertificateHandler is invoked whenever an error
 	/// occurs verifying the certificate. It always accepts
 	/// the certificate.
 	///

NetSSL_OpenSSL/include/Poco/Net/Context.h

@@ -20,10 +20,12 @@
 
 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/SocketDefs.h"
+#include "Poco/Net/InvalidCertificateHandler.h"
 #include "Poco/Crypto/X509Certificate.h"
 #include "Poco/Crypto/EVPPKey.h"
 #include "Poco/Crypto/RSAKey.h"
 #include "Poco/RefCountedObject.h"
+#include "Poco/SharedPtr.h"
 #include "Poco/AutoPtr.h"
 #include <openssl/ssl.h>
 #include <cstdlib>
@@ -188,6 +190,8 @@ class NetSSL_API Context: public Poco::RefCountedObject
 			///   "X448:X25519:ffdhe4096:ffdhe3072:ffdhe2048:ffdhe6144:ffdhe8192:P-521:P-384:P-256"
 	};
 
+	using InvalidCertificateHandlerPtr = Poco::SharedPtr<InvalidCertificateHandler>;
+
 	Context(Usage usage, const Params& params);
 		/// Creates a Context using the given parameters.
 		///
@@ -397,6 +401,16 @@ class NetSSL_API Context: public Poco::RefCountedObject
 		/// preferences. When called, the SSL/TLS server will choose following its own
 		/// preferences.
 
+	void setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificageHandler);
+		/// Sets a Context-specific InvalidCertificateHandler.
+		///
+		/// If specified, this InvalidCertificateHandler will be used instead of the
+		/// one globally set in the SSLManager.
+
+	InvalidCertificateHandlerPtr getInvalidCertificateHandler() const;
+		/// Returns the InvalidCertificateHandler set for this Context,
+		/// or a null pointer if none has been set.
+
 private:
 	void init(const Params& params);
 		/// Initializes the Context with the given parameters.
@@ -415,6 +429,7 @@ class NetSSL_API Context: public Poco::RefCountedObject
 	VerificationMode _mode;
 	SSL_CTX* _pSSLContext;
 	bool _extendedCertificateVerification;
+	InvalidCertificateHandlerPtr _pInvalidCertificateHandler;
 };
 
 
@@ -456,6 +471,12 @@ inline bool Context::extendedCertificateVerificationEnabled() const
 }
 
 
+inline Context::InvalidCertificateHandlerPtr Context::getInvalidCertificateHandler() const
+{
+	return _pInvalidCertificateHandler;
+}
+
+
 } } // namespace Poco::Net
 
 

NetSSL_OpenSSL/include/Poco/Net/InvalidCertificateHandler.h

@@ -19,20 +19,22 @@
 
 
 #include "Poco/Net/NetSSL.h"
-#include "Poco/Net/VerificationErrorArgs.h"
 
 
 namespace Poco {
 namespace Net {
 
 
+class VerificationErrorArgs;
+
+
 class NetSSL_API InvalidCertificateHandler
 	/// A InvalidCertificateHandler is invoked whenever an error occurs verifying the certificate. It allows the user
 	/// to inspect and accept/reject the certificate.
 	/// One can install one's own InvalidCertificateHandler by implementing this interface. Note that
-	/// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API 
+	/// in the implementation file of the subclass the following code must be present (assuming you use the namespace My_API
 	/// and the name of your handler class is MyGuiHandler):
-	///    
+	///
 	///    #include "Poco/Net/CertificateHandlerFactory.h"
 	///    ...
 	///    POCO_REGISTER_CHFACTORY(My_API, MyGuiHandler)
@@ -43,7 +45,7 @@ class NetSSL_API InvalidCertificateHandler
 	///
 	/// or in case one uses Poco::Util::Application one can rely on an XML configuration and put the following entry
 	/// under the path openSSL.invalidCertificateHandler:
-	///    
+	///
 	///    <invalidCertificateHandler>
 	///        <name>MyGuiHandler<name>
 	///        <options>
@@ -56,7 +58,7 @@ class NetSSL_API InvalidCertificateHandler
 public:
 	InvalidCertificateHandler(bool handleErrorsOnServerSide);
 		/// Creates the InvalidCertificateHandler.
-		/// 
+		///
 		/// Set handleErrorsOnServerSide to true if the certificate handler is used on the server side.
 		/// Automatically registers at one of the SSLManager::VerificationError events.
 

NetSSL_OpenSSL/include/Poco/Net/SSLManager.h

@@ -278,6 +278,10 @@ class NetSSL_API SSLManager
 		/// Throws a InvalidStateException if not application instance
 		/// is available.
 
+	int contextIndex() const;
+		/// Returns the index for SSL_CTX_set_ex_data() and SSL_CTX_get_ex_data() to
+		/// store the Context* in the underlying SSL_CTX.
+
 private:
 	SSLManager();
 		/// Creates the SSLManager.
@@ -310,6 +314,7 @@ class NetSSL_API SSLManager
 	Context::Ptr                     _ptrDefaultClientContext;
 	PrivateKeyPassphraseHandlerPtr   _ptrClientPassphraseHandler;
 	InvalidCertificateHandlerPtr     _ptrClientCertificateHandler;
+	int                              _contextIndex;
 	Poco::FastMutex                  _mutex;
 
 	static const std::string CFG_PRIV_KEY_FILE;
@@ -389,6 +394,12 @@ inline int SSLManager::verifyClientCallback(int ok, X509_STORE_CTX* pStore)
 }
 
 
+inline int SSLManager::contextIndex() const
+{
+	return _contextIndex;
+}
+
+
 } } // namespace Poco::Net
 
 

NetSSL_OpenSSL/include/Poco/Net/VerificationErrorArgs.h

@@ -20,6 +20,7 @@
 
 #include "Poco/Net/NetSSL.h"
 #include "Poco/Net/X509Certificate.h"
+#include "Poco/Net/Context.h"
 
 
 namespace Poco {
@@ -30,12 +31,15 @@ class NetSSL_API VerificationErrorArgs
 	/// A utility class for certificate error handling.
 {
 public:
-	VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
+	VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg);
 		/// Creates the VerificationErrorArgs. _ignoreError is per default set to false.
 
 	~VerificationErrorArgs();
 		/// Destroys the VerificationErrorArgs.
 
+	Poco::Net::Context::Ptr context() const;
+		/// Returns the Context of the underlying connection causing the error.
+
 	const X509Certificate& certificate() const;
 		/// Returns the certificate that caused the error.
 
@@ -55,6 +59,7 @@ class NetSSL_API VerificationErrorArgs
 		/// returns the value of _ignoreError
 
 private:
+	Poco::Net::Context::Ptr _pContext;
 	X509Certificate	_cert;
 	int             _errorDepth;
 	int             _errorNumber;
@@ -66,6 +71,12 @@ class NetSSL_API VerificationErrorArgs
 //
 // inlines
 //
+inline Poco::Net::Context::Ptr VerificationErrorArgs::context() const
+{
+	return _pContext;
+}
+
+
 inline const X509Certificate& VerificationErrorArgs::certificate() const
 {
 	return _cert;

NetSSL_OpenSSL/src/AcceptCertificateHandler.cpp

@@ -13,6 +13,7 @@
 
 
 #include "Poco/Net/AcceptCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 
 
 namespace Poco {

NetSSL_OpenSSL/src/ConsoleCertificateHandler.cpp

@@ -13,6 +13,7 @@
 
 
 #include "Poco/Net/ConsoleCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 #include <iostream>
 
 

NetSSL_OpenSSL/src/Context.cpp

@@ -174,6 +174,7 @@ void Context::init(const Params& params)
 		SSL_CTX_set_verify_depth(_pSSLContext, params.verificationDepth);
 		SSL_CTX_set_mode(_pSSLContext, SSL_MODE_AUTO_RETRY);
 		SSL_CTX_set_session_cache_mode(_pSSLContext, SSL_SESS_CACHE_OFF);
+		SSL_CTX_set_ex_data(_pSSLContext, SSLManager::instance().contextIndex(), this);
 
 		initDH(params.dhUse2048Bits, params.dhParamsFile);
 		initECDH(params.ecdhCurve);
@@ -463,6 +464,12 @@ void Context::preferServerCiphers()
 }
 
 
+void Context::setInvalidCertificateHandler(InvalidCertificateHandlerPtr pInvalidCertificateHandler)
+{
+	_pInvalidCertificateHandler = pInvalidCertificateHandler;
+}
+
+
 void Context::createSSLContext()
 {
 	int minTLSVersion = 0;

NetSSL_OpenSSL/src/InvalidCertificateHandler.cpp

@@ -26,26 +26,11 @@ namespace Net {
 
 InvalidCertificateHandler::InvalidCertificateHandler(bool handleErrorsOnServerSide): _handleErrorsOnServerSide(handleErrorsOnServerSide)
 {
-	if (_handleErrorsOnServerSide)
-		SSLManager::instance().ServerVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-	else
-		SSLManager::instance().ClientVerificationError += Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
 }
 
 
 InvalidCertificateHandler::~InvalidCertificateHandler()
 {
-	try
-	{
-		if (_handleErrorsOnServerSide)
-			SSLManager::instance().ServerVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-		else
-			SSLManager::instance().ClientVerificationError -= Delegate<InvalidCertificateHandler, VerificationErrorArgs>(this, &InvalidCertificateHandler::onInvalidCertificate);
-	}
-	catch (...)
-	{
-		poco_unexpected();
-	}
 }
 
 

NetSSL_OpenSSL/src/RejectCertificateHandler.cpp

@@ -13,6 +13,7 @@
 
 
 #include "Poco/Net/RejectCertificateHandler.h"
+#include "Poco/Net/VerificationErrorArgs.h"
 
 
 namespace Poco {

NetSSL_OpenSSL/src/SSLManager.cpp

@@ -67,7 +67,8 @@ const bool        SSLManager::VAL_FIPS_MODE(false);
 #endif
 
 
-SSLManager::SSLManager()
+SSLManager::SSLManager():
+	_contextIndex(SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, NULL))
 {
 }
 
@@ -204,16 +205,45 @@ int SSLManager::verifyCallback(bool server, int ok, X509_STORE_CTX* pStore)
 {
 	if (!ok)
 	{
+		SSLManager& sslManager = SSLManager::instance();
+		SSL* pSSL = reinterpret_cast<SSL*>(X509_STORE_CTX_get_ex_data(pStore, SSL_get_ex_data_X509_STORE_CTX_idx()));
+		poco_assert_dbg (pSSL);
+		SSL_CTX* pSSLContext = SSL_get_SSL_CTX(pSSL);
+		poco_assert_dbg (pSSLContext);
+
+		Context* pContext = reinterpret_cast<Context*>(SSL_CTX_get_ex_data(pSSLContext, sslManager.contextIndex()));
+		poco_assert_dbg (pContext);
+
 		X509* pCert = X509_STORE_CTX_get_current_cert(pStore);
 		X509Certificate x509(pCert, true);
 		int depth = X509_STORE_CTX_get_error_depth(pStore);
 		int err = X509_STORE_CTX_get_error(pStore);
 		std::string error(X509_verify_cert_error_string(err));
-		VerificationErrorArgs args(x509, depth, err, error);
+		VerificationErrorArgs args(Context::Ptr(pContext, true), x509, depth, err, error);
 		if (server)
-			SSLManager::instance().ServerVerificationError.notify(&SSLManager::instance(), args);
+		{
+			if (pContext->getInvalidCertificateHandler())
+			{
+				pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+			}
+			else if (sslManager._ptrServerCertificateHandler)
+			{
+				sslManager._ptrServerCertificateHandler->onInvalidCertificate(&sslManager, args);
+			}
+			sslManager.ServerVerificationError.notify(&sslManager, args);
+		}
 		else
-			SSLManager::instance().ClientVerificationError.notify(&SSLManager::instance(), args);
+		{
+			if (pContext->getInvalidCertificateHandler())
+			{
+				pContext->getInvalidCertificateHandler()->onInvalidCertificate(&sslManager, args);
+			}
+			else if (sslManager._ptrClientCertificateHandler)
+			{
+				sslManager._ptrClientCertificateHandler->onInvalidCertificate(&sslManager, args);
+			}
+			sslManager.ClientVerificationError.notify(&sslManager, args);
+		}
 		ok = args.getIgnoreError() ? 1 : 0;
 	}
 

NetSSL_OpenSSL/src/VerificationErrorArgs.cpp

@@ -19,7 +19,8 @@ namespace Poco {
 namespace Net {
 
 
-VerificationErrorArgs::VerificationErrorArgs(const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
+VerificationErrorArgs::VerificationErrorArgs(Poco::Net::Context::Ptr pContext, const X509Certificate& cert, int errDepth, int errNum, const std::string& errMsg):
+	_pContext(pContext),
 	_cert(cert),
 	_errorDepth(errDepth),
 	_errorNumber(errNum),