TAO_SSLIOP: SSLIOP_Acceptor.cpp Source File

00001 #include "orbsvcs/SSLIOP/SSLIOP_Acceptor.h"
00002 #include "orbsvcs/SSLIOP/SSLIOP_Profile.h"
00003 
00004 #include "tao/MProfile.h"
00005 #include "tao/ORB_Core.h"
00006 #include "tao/Server_Strategy_Factory.h"
00007 #include "tao/Codeset_Manager.h"
00008 #include "tao/CDR.h"
00009 #include "tao/debug.h"
00010 
00011 #if !defined(__ACE_INLINE__)
00012 #include "orbsvcs/SSLIOP/SSLIOP_Acceptor.i"
00013 #endif /* __ACE_INLINE__ */
00014 
00015 
00016 ACE_RCSID (SSLIOP,
00017            SSLIOP_Acceptor,
00018            "SSLIOP_Acceptor.cpp,v 1.53 2006/05/17 19:12:45 dai_y Exp")
00019 
00020 TAO_BEGIN_VERSIONED_NAMESPACE_DECL
00021 
00022 TAO::SSLIOP::Acceptor::Acceptor (::Security::QOP qop,
00023                                  const ACE_Time_Value & timeout)
00024   : TAO::IIOP_SSL_Acceptor (),
00025     ssl_acceptor_ (),
00026     creation_strategy_ (0),
00027     concurrency_strategy_ (0),
00028     accept_strategy_ (0),
00029     timeout_ (timeout)
00030 {
00031   // --- CSIv1 ---
00032 
00033   // Clear all bits in the SSLIOP::SSL association option fields.
00034   this->ssl_component_.target_supports = 0;
00035   this->ssl_component_.target_requires = 0;
00036 
00037   // SSLIOP requires these Security::AssociationOptions by default.
00038   ACE_SET_BITS (this->ssl_component_.target_requires,
00039                 ::Security::Integrity
00040                 | ::Security::Confidentiality
00041                 | ::Security::NoDelegation);
00042 
00043   // SSLIOP supports these Security::AssociationOptions by default.
00044   ACE_SET_BITS (this->ssl_component_.target_supports,
00045                 ::Security::Integrity
00046                 | ::Security::Confidentiality
00047                 | ::Security::EstablishTrustInTarget
00048                 | ::Security::NoDelegation);
00049 
00050   // Initialize the default SSL port to zero (wild card port).
00051   this->ssl_component_.port = 0;
00052 
00053   // @@ This should go away once we support setting security
00054   //    association options through policies.
00055   if (qop == ::Security::SecQOPNoProtection)
00056     ACE_SET_BITS (this->ssl_component_.target_supports,
00057                   ::Security::NoProtection);
00058 
00059 
00060   // --- CSIv2 ---
00061 
00062   // Clear all bits in the CSIIOP::TLS_SEC_TRANS association option
00063   // fields.
00064   this->csiv2_component_.target_supports = 0;
00065   this->csiv2_component_.target_requires = 0;
00066 
00067   // SSLIOP requires these CSIIOP::AssociationOptions by default.
00068   ACE_SET_BITS (this->csiv2_component_.target_requires,
00069                 CSIIOP::Integrity
00070                 | CSIIOP::Confidentiality
00071                 | CSIIOP::NoDelegation);
00072 
00073   // SSLIOP supports these CSIIOP::AssociationOptions by default.
00074   ACE_SET_BITS (this->csiv2_component_.target_supports,
00075                 CSIIOP::Integrity
00076                 | CSIIOP::Confidentiality
00077                 | CSIIOP::EstablishTrustInTarget
00078                 | CSIIOP::NoDelegation);
00079 
00080   // @@ This should go away once we support setting security
00081   //    association options through policies.
00082   if (qop == CSIIOP::NoProtection)
00083     ACE_SET_BITS (this->csiv2_component_.target_supports,
00084                   CSIIOP::NoProtection);
00085 }
00086 
00087 TAO::SSLIOP::Acceptor::~Acceptor (void)
00088 {
00089   // Make sure we are closed before we start destroying the
00090   // strategies.
00091   this->close ();
00092 
00093   delete this->creation_strategy_;
00094   delete this->concurrency_strategy_;
00095   delete this->accept_strategy_;
00096 }
00097 
00098 int
00099 TAO::SSLIOP::Acceptor::create_profile (const TAO::ObjectKey &object_key,
00100                                        TAO_MProfile &mprofile,
00101                                        CORBA::Short priority)
00102 {
00103   // Sanity check.
00104   if (this->endpoint_count_ == 0)
00105     return -1;
00106 
00107   // Check if multiple endpoints should be put in one profile or
00108   // if they should be spread across multiple profiles.
00109   if (priority == TAO_INVALID_PRIORITY)
00110     return this->create_new_profile (object_key,
00111                                      mprofile,
00112                                      priority);
00113   else
00114     return this->create_shared_profile (object_key,
00115                                         mprofile,
00116                                         priority);
00117 }
00118 
00119 int
00120 TAO::SSLIOP::Acceptor::create_new_profile (const TAO::ObjectKey &object_key,
00121                                            TAO_MProfile &mprofile,
00122                                            CORBA::Short priority)
00123 {
00124   // Adding this->endpoint_count_ to the TAO_MProfile.
00125   const int count = mprofile.profile_count ();
00126   if ((mprofile.size () - count) < this->endpoint_count_
00127       && mprofile.grow (count + this->endpoint_count_) == -1)
00128     return -1;
00129 
00130   // Create a profile for each acceptor endpoint.
00131   for (size_t i = 0; i < this->endpoint_count_; ++i)
00132     {
00133       TAO_SSLIOP_Profile *pfile = 0;
00134 
00135       // @@ We need to create an SSLIOP::SSL component for the object
00136       //    we're creating an MProfile for.  This will allow us to
00137       //    properly embed secure invocation policies in the generated
00138       //    IOR, i.e. secure invocation policies on a per-object
00139       //    basis, rather than on a per-endpoint basis.  If no secure
00140       //    invocation policies have been set then we should use the
00141       //    below default SSLIOP::SSL component.
00142       ACE_NEW_RETURN (pfile,
00143                       TAO_SSLIOP_Profile (this->hosts_[i],
00144                                             this->addrs_[i].get_port_number (),
00145                                             object_key,
00146                                             this->addrs_[i],
00147                                             this->version_,
00148                                             this->orb_core_,
00149                                             &(this->ssl_component_)),
00150                       -1);
00151       pfile->endpoint ()->priority (priority);
00152 
00153       if (mprofile.give_profile (pfile) == -1)
00154         {
00155           pfile->_decr_refcnt ();
00156           pfile = 0;
00157           return -1;
00158         }
00159 
00160       if (this->orb_core_->orb_params ()->std_profile_components () == 0)
00161         continue;
00162 
00163       pfile->tagged_components ().set_orb_type (TAO_ORB_TYPE);
00164 
00165       TAO_Codeset_Manager *csm = this->orb_core_->codeset_manager();
00166       if (csm)
00167         csm->set_codeset (pfile->tagged_components());
00168 
00169       IOP::TaggedComponent component;
00170       component.tag = ::SSLIOP::TAG_SSL_SEC_TRANS;
00171 
00172       // @@???? Check this code, only intended as guideline...
00173       TAO_OutputCDR cdr;
00174       cdr << TAO_OutputCDR::from_boolean (TAO_ENCAP_BYTE_ORDER);
00175 
00176       // @@ We need to create an SSLIOP::SSL component for the object
00177       //    we're creating an MProfile for.  This will allow us to
00178       //    properly embed secure invocation policies in the generated
00179       //    IOR, i.e. secure invocation policies on a per-object
00180       //    basis, rather than on a per-endpoint basis.  If no secure
00181       //    invocation policies have been set then we should use the
00182       //    below default SSLIOP::SSL component.
00183       cdr << this->ssl_component_;
00184 
00185       // TAO extension, replace the contents of the octet sequence with
00186       // the CDR stream
00187       const CORBA::ULong length = cdr.total_length ();
00188       component.component_data.length (length);
00189       CORBA::Octet *buf = component.component_data.get_buffer ();
00190       for (const ACE_Message_Block *i = cdr.begin ();
00191            i != 0;
00192            i = i->cont ())
00193         {
00194           ACE_OS::memcpy (buf, i->rd_ptr (), i->length ());
00195           buf += i->length ();
00196         }
00197 
00198       pfile->tagged_components ().set_component (component);
00199     }
00200 
00201   return 0;
00202 }
00203 
00204 
00205 int
00206 TAO::SSLIOP::Acceptor::create_shared_profile (const TAO::ObjectKey &object_key,
00207                                               TAO_MProfile &mprofile,
00208                                               CORBA::Short priority)
00209 {
00210   size_t index = 0;
00211   TAO_Profile *pfile = 0;
00212   TAO_SSLIOP_Profile *ssliop_profile = 0;
00213 
00214   // First see if <mprofile> already contains a SSLIOP profile.
00215   for (TAO_PHandle i = 0; i != mprofile.profile_count (); ++i)
00216     {
00217       pfile = mprofile.get_profile (i);
00218       if (pfile->tag () == IOP::TAG_INTERNET_IOP)
00219         {
00220           ssliop_profile = dynamic_cast<TAO_SSLIOP_Profile *> (pfile);
00221           if (ssliop_profile == 0)
00222             return -1;
00223           break;
00224         }
00225     }
00226 
00227   // If <mprofile> doesn't contain SSLIOP_Profile, we need to create
00228   // one.
00229   if (ssliop_profile == 0)
00230     {
00231       // @@ We need to create an SSLIOP::SSL component for the object
00232       //    we're creating an MProfile for.  This will allow us to
00233       //    properly embed secure invocation policies in the generated
00234       //    IOR, i.e. secure invocation policies on a per-object
00235       //    basis, rather than on a per-endpoint basis.  If no secure
00236       //    invocation policies have been set then we should use the
00237       //    below default SSLIOP::SSL component.
00238       ACE_NEW_RETURN (ssliop_profile,
00239                       TAO_SSLIOP_Profile (this->hosts_[0],
00240                                             this->addrs_[0].get_port_number (),
00241                                             object_key,
00242                                             this->addrs_[0],
00243                                             this->version_,
00244                                             this->orb_core_,
00245                                             &(this->ssl_component_)),
00246                       -1);
00247 
00248       TAO_SSLIOP_Endpoint *ssliop_endp =
00249         dynamic_cast<TAO_SSLIOP_Endpoint *> (ssliop_profile->endpoint ());
00250 
00251       ssliop_endp->priority (priority);
00252       ssliop_endp->iiop_endpoint ()->priority (priority);
00253 
00254       if (mprofile.give_profile (ssliop_profile) == -1)
00255         {
00256           ssliop_profile->_decr_refcnt ();
00257           ssliop_profile = 0;
00258           return -1;
00259         }
00260 
00261       if (this->orb_core_->orb_params ()->std_profile_components () != 0)
00262         {
00263           ssliop_profile->tagged_components ().set_orb_type (TAO_ORB_TYPE);
00264 
00265           TAO_Codeset_Manager *csm = this->orb_core_->codeset_manager();
00266           if (csm)
00267             csm->set_codeset(ssliop_profile->tagged_components());
00268 
00269           IOP::TaggedComponent component;
00270           component.tag = ::SSLIOP::TAG_SSL_SEC_TRANS;
00271           // @@???? Check this code, only intended as guideline...
00272           TAO_OutputCDR cdr;
00273           cdr << TAO_OutputCDR::from_boolean (TAO_ENCAP_BYTE_ORDER);
00274 
00275           // @@ We need to create an SSLIOP::SSL component for the
00276           //    object we're creating an MProfile for.  This will
00277           //    allow us to properly embed secure invocation policies
00278           //    in the generated IOR, i.e. secure invocation policies
00279           //    on a per-object basis, rather than on a per-endpoint
00280           //    basis.  If no secure invocation policies have been set
00281           //    then we should use the below default SSLIOP::SSL
00282           //    component.
00283           cdr << this->ssl_component_;
00284 
00285           // TAO extension, replace the contents of the octet sequence with
00286           // the CDR stream
00287           CORBA::ULong length = cdr.total_length ();
00288           component.component_data.length (length);
00289           CORBA::Octet *buf = component.component_data.get_buffer ();
00290           for (const ACE_Message_Block *i = cdr.begin ();
00291                i != 0;
00292                i = i->cont ())
00293             {
00294               ACE_OS::memcpy (buf, i->rd_ptr (), i->length ());
00295               buf += i->length ();
00296             }
00297 
00298           ssliop_profile->tagged_components ().set_component (component);
00299         }
00300 
00301       index = 1;
00302     }
00303 
00304   // Add any remaining endpoints to the SSLIOP_Profile.
00305   for (;
00306        index < this->endpoint_count_;
00307        ++index)
00308     {
00309       TAO_SSLIOP_Endpoint *ssl_endp = 0;
00310       TAO_IIOP_Endpoint *iiop_endp = 0;
00311       ACE_NEW_RETURN (iiop_endp,
00312                       TAO_IIOP_Endpoint (this->hosts_[index],
00313                                          this->addrs_[index].get_port_number (),
00314                                          this->addrs_[index]),
00315                       -1);
00316       iiop_endp->priority (priority);
00317 
00318       ACE_NEW_RETURN (ssl_endp,
00319                       TAO_SSLIOP_Endpoint (&(this->ssl_component_),
00320                                            iiop_endp),
00321                       -1);
00322 
00323       ssl_endp->priority (priority);
00324       ssliop_profile->add_endpoint (ssl_endp);
00325     }
00326 
00327   return 0;
00328 }
00329 
00330 int
00331 TAO::SSLIOP::Acceptor::is_collocated (const TAO_Endpoint *endpoint)
00332 {
00333   const TAO_SSLIOP_Endpoint *endp =
00334     dynamic_cast<const TAO_SSLIOP_Endpoint *> (endpoint);
00335 
00336   // Make sure the dynamically cast pointer is valid.
00337   if (endp == 0)
00338     return 0;
00339 
00340   for (size_t i = 0; i < this->endpoint_count_; ++i)
00341     {
00342       // @@ TODO The following code looks funky, why only the address
00343       //    is compared?  What about the IIOP address?  Why force a
00344       //    DNS lookup every time an SSLIOP object is decoded:
00345       //
00346       // http://deuce.doc.wustl.edu/bugzilla/show_bug.cgi?id=1220
00347       //
00348       if (endp->iiop_endpoint ()->object_addr () == this->addrs_[i])
00349         return 1;  // Collocated
00350     }
00351 
00352   return 0;  // Not collocated
00353 }
00354 
00355 int
00356 TAO::SSLIOP::Acceptor::close (void)
00357 {
00358   int r = this->ssl_acceptor_.close ();
00359   if (this->IIOP_SSL_Acceptor::close () != 0)
00360     r = -1;
00361 
00362   return r;
00363 }
00364 
00365 int
00366 TAO::SSLIOP::Acceptor::open (TAO_ORB_Core *orb_core,
00367                              ACE_Reactor *reactor,
00368                              int major,
00369                              int minor,
00370                              const char *address,
00371                              const char *options)
00372 {
00373   // Ensure that neither the endpoint configuration nor the ORB
00374   // configuration violate security measures.
00375   if (this->verify_secure_configuration (orb_core,
00376                                          major,
00377                                          minor) != 0)
00378     return -1;
00379 
00380   ACE_INET_Addr addr;
00381   ACE_CString specified_hostname;
00382   if (this->parse_address (address, addr, specified_hostname) == -1)
00383     return -1;
00384 
00385   // Open the non-SSL enabled endpoints, then open the SSL enabled
00386   // endpoints.
00387   if (this->IIOP_SSL_Acceptor::open (orb_core,
00388                                      reactor,
00389                                      major,
00390                                      minor,
00391                                      address,
00392                                      options) != 0)
00393     return -1;
00394 
00395   // The SSL port is set in the parse_options() method. All we have
00396   // to do is call open_i()
00397   addr.set_port_number (this->ssl_component_.port);
00398 
00399   return this->ssliop_open_i (orb_core,
00400                               addr,
00401                               reactor);
00402 }
00403 
00404 int
00405 TAO::SSLIOP::Acceptor::open_default (TAO_ORB_Core *orb_core,
00406                                      ACE_Reactor *reactor,
00407                                      int major,
00408                                      int minor,
00409                                      const char *options)
00410 {
00411   // Ensure that neither the endpoint configuration nor the ORB
00412   // configuration violate security measures.
00413   if (this->verify_secure_configuration (orb_core,
00414                                          major,
00415                                          minor) != 0)
00416     return -1;
00417 
00418   // Open the non-SSL enabled endpoints, then open the SSL enabled
00419   // endpoints.
00420   if (this->IIOP_SSL_Acceptor::open_default (orb_core,
00421                                              reactor,
00422                                              major,
00423                                              minor,
00424                                              options) == -1)
00425     return -1;
00426 
00427   // Now that each network interface's hostname has been cached, open
00428   // an endpoint on each network interface using the INADDR_ANY
00429   // address.
00430   ACE_INET_Addr addr;
00431 
00432   // this->ssl_component_.port is initialized to zero or it is set in
00433   // this->parse_options().
00434   if (addr.set (this->ssl_component_.port,
00435                 static_cast<ACE_UINT32> (INADDR_ANY),
00436                 1) != 0)
00437     return -1;
00438 
00439   return this->ssliop_open_i (orb_core,
00440                               addr,
00441                               reactor);
00442 }
00443 
00444 int
00445 TAO::SSLIOP::Acceptor::ssliop_open_i (TAO_ORB_Core *orb_core,
00446                                       const ACE_INET_Addr& addr,
00447                                       ACE_Reactor *reactor)
00448 {
00449   this->orb_core_ = orb_core;
00450 
00451   // Explicitly disable GIOPlite support since it introduces security
00452   // holes.
00453   static const int giop_lite = 0;
00454 
00455   ACE_NEW_RETURN (this->creation_strategy_,
00456                   CREATION_STRATEGY (this->orb_core_,
00457                                      giop_lite),
00458                   -1);
00459 
00460   ACE_NEW_RETURN (this->concurrency_strategy_,
00461                   CONCURRENCY_STRATEGY (this->orb_core_),
00462                   -1);
00463 
00464   ACE_NEW_RETURN (this->accept_strategy_,
00465                   ACCEPT_STRATEGY (this->orb_core_,
00466                                    this->timeout_),
00467                   -1);
00468 
00469   u_short requested_port = addr.get_port_number ();
00470   if (requested_port == 0)
00471     {
00472       // don't care, i.e., let the OS choose an ephemeral port
00473       if (this->ssl_acceptor_.open (addr,
00474                                     reactor,
00475                                     this->creation_strategy_,
00476                                     this->accept_strategy_,
00477                                     this->concurrency_strategy_,
00478                                     0, 0, 0, 1,
00479                                     this->reuse_addr_) == -1)
00480         {
00481           if (TAO_debug_level > 0)
00482             ACE_DEBUG ((LM_DEBUG,
00483                         ACE_TEXT ("\n\nTAO (%P|%t) ")
00484                         ACE_TEXT ("SSLIOP_Acceptor::open_i - %p\n\n"),
00485                         ACE_TEXT ("cannot open acceptor")));
00486           return -1;
00487         }
00488     }
00489   else
00490     {
00491       ACE_INET_Addr a(addr);
00492 
00493       int found_a_port = 0;
00494       ACE_UINT32 last_port = requested_port + this->port_span_ - 1;
00495       if (last_port > ACE_MAX_DEFAULT_PORT)
00496         {
00497           last_port = ACE_MAX_DEFAULT_PORT;
00498         }
00499 
00500       for (ACE_UINT32 p = requested_port; p <= last_port; p++)
00501         {
00502           if (TAO_debug_level > 5)
00503             ACE_DEBUG ((LM_DEBUG,
00504                         ACE_TEXT ("TAO (%P|%t) IIOP_Acceptor::open_i() ")
00505                         ACE_TEXT ("trying to listen on port %d\n"), p));
00506 
00507           // Now try to actually open on that port
00508           a.set_port_number ((u_short)p);
00509           if (this->ssl_acceptor_.open (a,
00510                                         reactor,
00511                                         this->creation_strategy_,
00512                                         this->accept_strategy_,
00513                                         this->concurrency_strategy_,
00514                                         0, 0, 0, 1,
00515                                         this->reuse_addr_) != -1)
00516             {
00517               found_a_port = 1;
00518               break;
00519             }
00520         }
00521 
00522       // Now, if we couldn't locate a port, we punt
00523       if (! found_a_port)
00524         {
00525           if (TAO_debug_level > 0)
00526             ACE_DEBUG ((LM_DEBUG,
00527                         ACE_TEXT ("\n\nTAO (%P|%t) ")
00528                         ACE_TEXT ("SSLIOP_Acceptor::open_i - %p\n\n"),
00529                         ACE_TEXT ("cannot open acceptor")));
00530           return -1;
00531         }
00532     }
00533 
00534   ACE_INET_Addr ssl_address;
00535 
00536   // We do this to make sure the port number the endpoint is listening
00537   // on gets set in the addr.
00538   if (this->ssl_acceptor_.acceptor ().get_local_addr (ssl_address) != 0)
00539     {
00540       // @@ Should this be a catastrophic error???
00541       if (TAO_debug_level > 0)
00542         ACE_DEBUG ((LM_DEBUG,
00543                     ACE_TEXT ("\n\nTAO (%P|%t) ")
00544                     ACE_TEXT ("SSLIOP_Acceptor::open_i - %p\n\n"),
00545                     ACE_TEXT ("cannot get local addr")));
00546       return -1;
00547     }
00548 
00549   // Reset the SSL endpoint port to the one chosen by the OS (or by
00550   // the user if provided.
00551   this->ssl_component_.port = ssl_address.get_port_number ();
00552 
00553   (void) this->ssl_acceptor_.acceptor().enable (ACE_CLOEXEC);
00554   // This avoids having child processes acquire the listen socket
00555   // thereby denying the server the opportunity to restart on a
00556   // well-known endpoint.  This does not affect the aberrent behavior
00557   // on Win32 platforms.
00558 
00559   if (TAO_debug_level > 5)
00560     {
00561       for (size_t i = 0; i < this->endpoint_count_; ++i)
00562         {
00563           ACE_DEBUG ((LM_DEBUG,
00564                       ACE_TEXT ("TAO (%P|%t) ")
00565                       ACE_TEXT ("SSLIOP_Acceptor::open_i - ")
00566                       ACE_TEXT ("listening on: <%s:%u>\n"),
00567                       this->hosts_[i],
00568                       this->ssl_component_.port));
00569         }
00570     }
00571 
00572   return 0;
00573 }
00574 
00575 int
00576 TAO::SSLIOP::Acceptor::parse_options_i (int &argc, ACE_CString ** argv)
00577 {
00578   //first, do the base class parser, then parse the leftovers.
00579   int result = this->IIOP_SSL_Acceptor::parse_options_i(argc,argv);
00580   if (result == -1)
00581     return result;
00582 
00583   // then parse out our own options.
00584   int i = 0;
00585   while (i < argc)
00586     {
00587       // since the base class has already iterated over the list once,
00588       // it has vound any ill-formed options. Therefore we don't need
00589       // to do that again here.
00590       int slot = argv[i]->find ("=");
00591       ACE_CString name = argv[i]->substring (0, slot);
00592       ACE_CString value = argv[i]->substring (slot + 1);
00593 
00594       if (name == "priority")
00595         {
00596           ACE_ERROR_RETURN ((LM_ERROR,
00597                              ACE_TEXT ("TAO (%P|%t) Invalid SSLIOP endpoint format: ")
00598                              ACE_TEXT ("endpoint priorities no longer supported. \n"),
00599                              value.c_str ()),
00600                             -1);
00601         }
00602       else if (ACE_OS::strcmp (name.c_str (), "ssl_port") == 0)
00603         {
00604           int ssl_port = ACE_OS::atoi (value.c_str ());
00605 
00606           if (ssl_port >= 0 && ssl_port < 65536)
00607             this->ssl_component_.port = ssl_port;
00608           else
00609             ACE_ERROR_RETURN ((LM_ERROR,
00610                                ACE_TEXT ("TAO (%P|%t) Invalid ")
00611                                ACE_TEXT ("IIOP/SSL endpoint ")
00612                                ACE_TEXT ("port: <%s>\n"),
00613                                value.c_str ()),
00614                               -1);
00615         }
00616       else
00617         {
00618           // the name is not known, skip to the next option
00619           i++;
00620           continue;
00621         }
00622       // at the end, we've consumed this argument. Shift the list and
00623       // put this one on the end. This technique has the effect of
00624       // putting them in reverse order, but that doesn't matter, since
00625       // these arguments are only whole strings.
00626       argc--;
00627       ACE_CString *temp = argv[i];
00628       for (int j = i; j <= argc-1; j++)
00629         argv[j] = argv[j+1];
00630       argv[argc] = temp;
00631 
00632     }
00633   return 0;
00634 }
00635 
00636 int
00637 TAO::SSLIOP::Acceptor::verify_secure_configuration (TAO_ORB_Core *orb_core,
00638                                                     int major,
00639                                                     int minor)
00640 {
00641   // Sanity check.
00642   if (major < 1)
00643     {
00644       // There is no such thing as IIOP 0.x.
00645       errno = EINVAL;
00646       return -1;
00647     }
00648 
00649   // In order to support a secure connection, the SSLIOP::SSL tagged
00650   // component must be embedded in the IOR.  This isn't possible if
00651   // the user elects to disable standard profile components.
00652   // Similarly, IIOP 1.0 does not support tagged components, which
00653   // makes it impossible to embed the SSLIOP::SSL tagged component
00654   // within the IOR.  If the given object explicitly disallows
00655   // insecure invocations and standard profile components are
00656   // disabled, then return with an error since secure invocations
00657   // cannot be supported without standard profile components.
00658   //
00659   // Note that it isn't enough to support NoProtection.  NoProtection
00660   // must be required since "support" does not preclude the secure
00661   // port from being used.
00662 
00663   if ((orb_core->orb_params ()->std_profile_components () == 0
00664        || (major == 1 && minor == 0))
00665       && ACE_BIT_DISABLED (this->ssl_component_.target_requires,
00666                            ::Security::NoProtection))
00667     {
00668       if (TAO_debug_level > 0)
00669         ACE_ERROR ((LM_ERROR,
00670                     ACE_TEXT ("(%P|%t) Cannot support secure ")
00671                     ACE_TEXT ("IIOP over SSL connection if\n")
00672                     ACE_TEXT ("(%P|%t) standard profile ")
00673                     ACE_TEXT ("components are disabled\n")
00674                     ACE_TEXT ("(%P|%t) or IIOP 1.0 endpoint is ")
00675                     ACE_TEXT ("used.\n")));
00676 
00677       errno = EINVAL;
00678       return -1;
00679     }
00680 
00681   return 0;
00682 }
00683 
00684 TAO_END_VERSIONED_NAMESPACE_DECL