author | Anthony Neal <aneal@zeroc.com> | 2004-02-12 21:59:52 +0000 |
committer | Anthony Neal <aneal@zeroc.com> | 2004-02-12 21:59:52 +0000 |
commit | af18d6bf6d51018be5418b061dce4c6e3e056ed2 (patch) | |
tree | 7eee5d58f59f69b66eee44a25b7058ea866cdc00 | |
parent | Fix (diff) | |
Fix for bug 4194: you can now turn off certificate validity period checking
of peer certificates. See the IceSSL.Client.IgnoreValidPeriod and
IceSSL.Server.IgnoreValidPeriod properties.
-rw-r--r-- | cpp/doc/Properties.sgml | 20 | ||||
-rw-r--r-- | cpp/include/IceSSL/CertificateVerifierOpenSSL.h | 7 | ||||
-rw-r--r-- | cpp/slice/IceSSL/CertificateVerifier.ice | 11 | ||||
-rw-r--r-- | cpp/src/Ice/PropertiesI.cpp | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp | 6 | ||||
-rw-r--r-- | cpp/src/IceSSL/ClientContext.cpp | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/Context.cpp | 8 | ||||
-rw-r--r-- | cpp/src/IceSSL/Context.h | 3 | ||||
-rw-r--r-- | cpp/src/IceSSL/DefaultCertificateVerifier.cpp | 79 | ||||
-rw-r--r-- | cpp/src/IceSSL/OpenSSLPluginI.cpp | 3 | ||||
-rw-r--r-- | cpp/src/IceSSL/ServerContext.cpp | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/SingleCertificateVerifier.cpp | 4 | ||||
-rw-r--r-- | cpp/test/IceSSL/certificateVerifier/CertificateVerifier.cpp | 2 |
13 files changed, 140 insertions, 9 deletions
diff --git a/cpp/doc/Properties.sgml b/cpp/doc/Properties.sgml
index 1ac37ffa3e4..7cb0dfa14d0 100644
--- a/cpp/doc/Properties.sgml
+++ b/cpp/doc/Properties.sgml
@@ -1243,6 +1243,26 @@ There are no default values for these properties.
 </section>
 </section>
+<section><title>IceSSL.Client.IgnoreValidPeriod, IceSSL.Server.IgnoreValidPeriod</title>
+<section><title>Synopsis</title>
+<synopsis>
+IceSSL.Client.IgnoreValidPeriod=<replaceable>0 | 1</replaceable>
+IceSSL.Server.IgnoreValidPeriod=<replaceable>0 | 1</replaceable>
+</synopsis>
+</section>
+<section>
+<title>Description</title>
+<para>
+These properties will cause the DefaultCertificateVerifier to ignore the
+certificate validity period on peer certificates if set to 1. Normal behavior
+will occur otherwise.
+</para>
+<para>
+The default value for these properties is 0.
+</para>
+</section>
+</section>
+
 </section>
 <!-- ********************************************************************** -->
diff --git a/cpp/include/IceSSL/CertificateVerifierOpenSSL.h b/cpp/include/IceSSL/CertificateVerifierOpenSSL.h
index 722d1426f19..6c9a2344d43 100644
--- a/cpp/include/IceSSL/CertificateVerifierOpenSSL.h
+++ b/cpp/include/IceSSL/CertificateVerifierOpenSSL.h
@@ -17,6 +17,7 @@
 #include <IceSSL/Config.h>
 #include <IceSSL/CertificateVerifier.h>
+#include <IceSSL/Plugin.h>
 #include <openssl/ssl.h>
 namespace IceSSL
@@ -28,7 +29,13 @@ public:
 virtual ~CertificateVerifierOpenSSL();
+ void setContext(ContextType);
+
 virtual int verify(int, X509_STORE_CTX*, SSL*) = 0;
+
+protected:
+
+ ContextType _contextType;
 };
 typedef IceInternal::Handle<IceSSL::CertificateVerifierOpenSSL> CertificateVerifierOpenSSLPtr;
diff --git a/cpp/slice/IceSSL/CertificateVerifier.ice b/cpp/slice/IceSSL/CertificateVerifier.ice
index 758c4421660..a1f03fc7523 100644
--- a/cpp/slice/IceSSL/CertificateVerifier.ice
+++ b/cpp/slice/IceSSL/CertificateVerifier.ice
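Review bot: `_contextType` is added to CertificateVerifierOpenSSL as a protected member with no initializer, and the constructor, which lies outside this hunk, is not changed to set it, so until `setContext` has run the member holds an indeterminate value while DefaultCertificateVerifier.cpp switches on it. A subclass that overrides `setContext` with an empty body, as both test verifiers in CertificateVerifier.cpp do, never sets it at all. Initialize the member to a definite value in the constructor and state the contract at the declaration, e.g. `ContextType _contextType; // set through setContext(), which the plugin and Context::setCertificateVerifier call when the verifier is installed`. `setContext` is also declared here without `virtual` although it implements the operation just added to the CertificateVerifier Slice interface; spelling out `virtual` makes the override visible to readers of this header.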
@@ -15,6 +15,8 @@
 #ifndef ICE_SSL_CERTIFICATE_VERIFIER_ICE
 #define ICE_SSL_CERTIFICATE_VERIFIER_ICE
+#include <IceSSL/Plugin.ice>
+
 module IceSSL
 {
@@ -37,6 +39,15 @@ module IceSSL
 **/
 local interface CertificateVerifier
 {
+ /**
+ *
+ * Set the context type of this Certificate Verifier.
+ *
+ * @param type The type of context that is using this CertificateVerifier,
+ * Client, Server or ClientServer.
+ *
+ **/
+ void setContext(ContextType type);
 };
 };
diff --git a/cpp/src/Ice/PropertiesI.cpp b/cpp/src/Ice/PropertiesI.cpp
index af9500ccfd1..5a8a4a2416c 100644
--- a/cpp/src/Ice/PropertiesI.cpp
+++ b/cpp/src/Ice/PropertiesI.cpp
@@ -205,6 +205,7 @@ static const string iceSSLProps[] =
 "Client.CertPath*",
 "Client.Config",
 "Client.Handshake.Retries",
+ "Client.IgnoreValidPeriod",
 "Client.Overrides.CACertificate",
 "Client.Overrides.DSA.Certificate",
 "Client.Overrides.DSA.PrivateKey",
@@ -213,6 +214,7 @@ static const string iceSSLProps[] =
 "Client.Passphrase.Retries",
 "Server.CertPath*",
 "Server.Config",
+ "Server.IgnoreValidPeriod",
 "Server.Overrides.CACertificate",
 "Server.Overrides.DSA.Certificate",
 "Server.Overrides.DSA.PrivateKey",
diff --git a/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp b/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
index 8ab27aa8dcf..9af66e69394 100644
--- a/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
+++ b/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
@@ -19,6 +19,12 @@ IceSSL::CertificateVerifierOpenSSL::~CertificateVerifierOpenSSL()
 }
 void
+IceSSL::CertificateVerifierOpenSSL::setContext(::IceSSL::ContextType contextType)
+{
+ _contextType = contextType;
+}
+
+void
 IceInternal::incRef(::IceSSL::CertificateVerifierOpenSSL* p)
 {
 p->__incRef();
diff --git a/cpp/src/IceSSL/ClientContext.cpp b/cpp/src/IceSSL/ClientContext.cpp
index 8708ca58508..81ba2394be6 100644
--- a/cpp/src/IceSSL/ClientContext.cpp
+++ b/cpp/src/IceSSL/ClientContext.cpp
@@ -73,7 +73,7 @@ IceSSL::ClientContext::createTransceiver(int socket, const OpenSSLPluginIPtr& pl
 }
 IceSSL::ClientContext::ClientContext(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
- Context(traceLevels, communicator)
+ Context(traceLevels, communicator, Client)
 {
 _rsaPrivateKeyProperty = "IceSSL.Client.Overrides.RSA.PrivateKey";
 _rsaPublicKeyProperty = "IceSSL.Client.Overrides.RSA.Certificate";
diff --git a/cpp/src/IceSSL/Context.cpp b/cpp/src/IceSSL/Context.cpp
index eef654b3e7e..99d67a67d7a 100644
--- a/cpp/src/IceSSL/Context.cpp
+++ b/cpp/src/IceSSL/Context.cpp
@@ -61,6 +61,7 @@ void
 IceSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& verifier)
 {
 _certificateVerifier = verifier;
+ _certificateVerifier->setContext(_contextType);
 }
 void
@@ -153,11 +154,14 @@ IceSSL::Context::configure(const GeneralConfig& generalConfig,
 // Protected
 //
-IceSSL::Context::Context(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
+IceSSL::Context::Context(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator,
+ const ContextType& type) :
 _traceLevels(traceLevels),
- _communicator(communicator)
+ _communicator(communicator),
+ _contextType(type)
 {
 _certificateVerifier = new DefaultCertificateVerifier(traceLevels, communicator);
+ _certificateVerifier->setContext(_contextType);
 _sslContext = 0;
 _maxPassphraseRetriesDefault = "4";
diff --git a/cpp/src/IceSSL/Context.h b/cpp/src/IceSSL/Context.h
index 337b7e533b9..a6945eedb15 100644
--- a/cpp/src/IceSSL/Context.h
+++ b/cpp/src/IceSSL/Context.h
@@ -61,7 +61,7 @@ public:
 protected:
- Context(const TraceLevelsPtr&, const Ice::CommunicatorPtr&);
+ Context(const TraceLevelsPtr&, const Ice::CommunicatorPtr&, const ContextType&);
 SSL_METHOD* getSslMethod(SslProtocol);
 void createContext(SslProtocol);
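Review bot: `Context::setCertificateVerifier` overwrites the verifier's context type with this context's own `_contextType` immediately after `OpenSSLPluginI::setCertificateVerifier` (OpenSSLPluginI.cpp hunk) has set it to the caller's `contextType`, so the plugin's call is undone as soon as the verifier is installed. For `ClientServer` the plugin installs one verifier object into the client context and, presumably, the server context afterwards (that branch is outside the OpenSSLPluginI hunk); the object then keeps whichever type was set last, the `ClientServer` branch in DefaultCertificateVerifier.cpp is never reached, and a client-side handshake would read `IceSSL.Server.IgnoreValidPeriod` or the reverse. Either drop the `setContext` call here and let the plugin's value stand, or give each context its own verifier instance. The new line also dereferences `verifier` unconditionally, where the plain assignment it follows accepted a null handle; `if(_certificateVerifier) { _certificateVerifier->setContext(_contextType); }` keeps that tolerance.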
@@ -92,6 +92,7 @@ protected:
 TraceLevelsPtr _traceLevels;
 Ice::CommunicatorPtr _communicator;
+ ContextType _contextType;
 std::string _rsaPrivateKeyProperty;
 std::string _rsaPublicKeyProperty;
diff --git a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
index d0f46e8c224..633a16b50cf 100644
--- a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
+++ b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
@@ -13,6 +13,7 @@
 // **********************************************************************
 #include <Ice/Communicator.h>
+#include <Ice/Properties.h>
 #include <Ice/LoggerUtil.h>
 #include <IceSSL/OpenSSL.h>
 #include <IceSSL/DefaultCertificateVerifier.h>
@@ -52,8 +53,82 @@ IceSSL::DefaultCertificateVerifier::verify(int preVerifyOkay, X509_STORE_CTX* x5
 X509_STORE_CTX_set_error(x509StoreContext, verifyError);
 }
- // If we have ANY errors, we bail out.
- preVerifyOkay = 0;
+ bool checkIgnoreValid = false;
+
+ switch(verifyError)
+ {
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ {
+ checkIgnoreValid = true;
+ break;
+ }
+
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ {
+ checkIgnoreValid = true;
+ break;
+ }
+
+ default :
+ {
+ // If we have any other errors, we bail out.
+ preVerifyOkay = 0;
+ break;
+ }
+ }
+
+ if(checkIgnoreValid)
+ {
+ ::Ice::PropertiesPtr properties = _communicator->getProperties();
+
+ switch(_contextType)
+ {
+ case Client :
+ {
+ if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0)
+ {
+ // Unless we're told to ignore this result, we bail out.
+ preVerifyOkay = 0;
+ }
+ else
+ {
+ preVerifyOkay = 1;
+ }
+ break;
+ }
+
+ case Server :
+ {
+ if(properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0)
+ {
+ // Unless we're told to ignore this result, we bail out.
+ preVerifyOkay = 0;
+ }
+ else
+ {
+ preVerifyOkay = 1;
+ }
+ break;
+ }
+
+ case ClientServer:
+ {
+ if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0 &&
+ properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0)
+ {
+ // Unless we're told to ignore this result, we bail out.
+ preVerifyOkay = 0;
+ }
+ else
+ {
+ preVerifyOkay = 1;
+ }
+ break;
+ }
+ }
+ }
 }
 // Only if ICE_PROTOCOL level logging is on do we worry about this.
diff --git a/cpp/src/IceSSL/OpenSSLPluginI.cpp b/cpp/src/IceSSL/OpenSSLPluginI.cpp
index b4cc3d60bac..1e8e1abbe30 100644
--- a/cpp/src/IceSSL/OpenSSLPluginI.cpp
+++ b/cpp/src/IceSSL/OpenSSLPluginI.cpp
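Review bot: The cases that make `checkIgnoreValid` true include `X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD` and `X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD`, which OpenSSL reports when a date field cannot be parsed rather than when the date lies outside the window, so with the property set a peer certificate with a malformed notBefore/notAfter is accepted, which the Properties.sgml text ("ignore the certificate validity period") does not say. Restricting the ignorable errors to `X509_V_ERR_CERT_NOT_YET_VALID` and `X509_V_ERR_CERT_HAS_EXPIRED` keeps the property to what it documents. The inner `switch(_contextType)` has no `default:`, so a value that is none of the three cases leaves `preVerifyOkay` at its incoming value instead of failing closed; add `default: { preVerifyOkay = 0; break; }`. When the property does override the failure nothing is logged, so an expired or not-yet-valid peer certificate that was accepted leaves no trace; a trace message at each `preVerifyOkay = 1`, under the logging the lines below this hunk already use, would make such acceptances visible. verify() begins and ends outside this hunk.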
@@ -232,6 +232,7 @@ IceSSL::OpenSSLPluginI::~OpenSSLPluginI()
 ERR_free_strings();
 unregisterThreads();
+ ERR_remove_state(0);
 EVP_cleanup();
@@ -640,6 +641,8 @@ IceSSL::OpenSSLPluginI::setCertificateVerifier(ContextType contextType,
 throw cvtEx;
 }
+ castVerifier->setContext(contextType);
+
 if(contextType == Client || contextType == ClientServer)
 {
 _clientContext.setCertificateVerifier(castVerifier);
diff --git a/cpp/src/IceSSL/ServerContext.cpp b/cpp/src/IceSSL/ServerContext.cpp
index a7270c801cd..1ceb4d77255 100644
--- a/cpp/src/IceSSL/ServerContext.cpp
+++ b/cpp/src/IceSSL/ServerContext.cpp
@@ -98,7 +98,7 @@ IceSSL::ServerContext::createTransceiver(int socket, const OpenSSLPluginIPtr& pl
 //
 IceSSL::ServerContext::ServerContext(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
- Context(traceLevels, communicator)
+ Context(traceLevels, communicator, Server)
 {
 _rsaPrivateKeyProperty = "IceSSL.Server.Overrides.RSA.PrivateKey";
 _rsaPublicKeyProperty = "IceSSL.Server.Overrides.RSA.Certificate";
diff --git a/cpp/src/IceSSL/SingleCertificateVerifier.cpp b/cpp/src/IceSSL/SingleCertificateVerifier.cpp
index 914117e8c90..d9950ba68ad 100644
--- a/cpp/src/IceSSL/SingleCertificateVerifier.cpp
+++ b/cpp/src/IceSSL/SingleCertificateVerifier.cpp
@@ -28,8 +28,8 @@ IceSSL::SingleCertificateVerifier::SingleCertificateVerifier(const ByteSeq& publ
 int
 IceSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
- X509_STORE_CTX* x509StoreContext,
- SSL* sslConnection)
+ X509_STORE_CTX* x509StoreContext,
+ SSL* sslConnection)
 {
 // For getting the CA certificate
 X509* trustedCert = 0;
diff --git a/cpp/test/IceSSL/certificateVerifier/CertificateVerifier.cpp b/cpp/test/IceSSL/certificateVerifier/CertificateVerifier.cpp
index de9d85286f7..586a9a8ccc7 100644
--- a/cpp/test/IceSSL/certificateVerifier/CertificateVerifier.cpp
+++ b/cpp/test/IceSSL/certificateVerifier/CertificateVerifier.cpp
@@ -29,12 +29,14 @@ using namespace Ice;
 class BadCertificateVerifier : virtual public ::IceSSL::CertificateVerifier
 {
 public:
+ virtual void setContext(IceSSL::ContextType type) { };
 };
 class GoodCertificateVerifier : virtual public ::IceSSL::CertificateVerifierOpenSSL
 {
 public:
 virtual int verify(int, X509_STORE_CTX*, SSL*);
+ virtual void setContext(IceSSL::ContextType type) { };
 };
 int |