author | Jose <pepone@users.noreply.github.com> | 2019-09-10 10:29:11 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-10 10:29:11 +0200 |
commit | bad1d435dfba9b103bfe76555506757beda5c4df (patch) | |
tree | f4a8dd87308ee80781f9b39ffabd95cee9e1ef69 /cpp/src/IceSSL/SChannelTransceiverI.cpp | |
parent | Whitespace fixes (diff) | |
IceSSL cert name verification fixes - Close #512 (#515)
Diffstat (limited to 'cpp/src/IceSSL/SChannelTransceiverI.cpp')
-rw-r--r-- | cpp/src/IceSSL/SChannelTransceiverI.cpp | 24 |
1 files changed, 18 insertions, 6 deletions
diff --git a/cpp/src/IceSSL/SChannelTransceiverI.cpp b/cpp/src/IceSSL/SChannelTransceiverI.cpp
index ec9562d4153..3d497f3816a 100644
--- a/cpp/src/IceSSL/SChannelTransceiverI.cpp
+++ b/cpp/src/IceSSL/SChannelTransceiverI.cpp
@@ -746,7 +746,20 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
         throw SecurityException(__FILE__, __LINE__, "IceSSL: error reading cipher info:\n" + secStatusToString(err));
     }
-    _engine->verifyPeer(_host, ICE_DYNAMIC_CAST(ConnectionInfo, getInfo()), toString());
+    ConnectionInfoPtr info = ICE_DYNAMIC_CAST(ConnectionInfo, getInfo());
+    try
+    {
+        _engine->verifyPeerCertName(_host, info);
+    }
+    catch(const Ice::SecurityException&)
+    {
+        _verified = false;
+        if(_engine->getVerifyPeer() > 0)
+        {
+            throw;
+        }
+    }
+    _engine->verifyPeer(_host, info, toString());
     _state = StateHandshakeComplete;
     if(_instance->engine()->securityTraceLevel() >= 1)
@@ -754,12 +767,11 @@ SChannel::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal:
         string sslCipherName;
         string sslKeyExchangeAlgorithm;
         string sslProtocolName;
-        SecPkgContext_ConnectionInfo info;
-        if(QueryContextAttributes(&_ssl, SECPKG_ATTR_CONNECTION_INFO, &info) == SEC_E_OK)
+        if(QueryContextAttributes(&_ssl, SECPKG_ATTR_CONNECTION_INFO, &connInfo) == SEC_E_OK)
         {
-            sslCipherName = _engine->getCipherName(info.aiCipher);
-            sslKeyExchangeAlgorithm = _engine->getCipherName(info.aiExch);
-            sslProtocolName = protocolName(info.dwProtocol);
+            sslCipherName = _engine->getCipherName(connInfo.aiCipher);
+            sslKeyExchangeAlgorithm = _engine->getCipherName(connInfo.aiExch);
+            sslProtocolName = protocolName(connInfo.dwProtocol);
         }
         Trace out(_instance->logger(), _instance->traceCategory()); |
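Review bot: The `info` handed to `verifyPeer` on the last added line of the first hunk is obtained from `getInfo()` before the name check runs, so if `getInfo()` snapshots `_verified` into `info->verified` (not visible here) a name mismatch tolerated under IceSSL.VerifyPeer=0 reaches `verifyPeer` with a stale verified flag; refetching after the catch, `info = ICE_DYNAMIC_CAST(ConnectionInfo, getInfo());`, or clearing `info->verified = false;` next to `_verified = false;` would keep the two consistent. The silent fall-through when `getVerifyPeer()` is 0 also deserves a trace: the handshake completes with a certificate whose name did not match `_host`, and nothing in the catch records that, so a `securityTraceLevel() >= 1` message stating the name check failed and was ignored because VerifyPeer is 0 would make the downgrade auditable. `initialize` starts and ends outside the hunk.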
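Review bot: The `QueryContextAttributes(&_ssl, SECPKG_ATTR_CONNECTION_INFO, &connInfo)` call in the trace block of the second hunk now writes into `connInfo`, which is declared outside this hunk, and the `error reading cipher info` throw in the preceding hunk's context suggests the same attribute was already queried into it moments earlier; if so, the second query is redundant and its failure is swallowed, leaving empty cipher and protocol names in the trace. Either use the already-populated `connInfo` directly and drop the `== SEC_E_OK` guard, or keep the guard and trace the failure so a blank cipher line is explained. `initialize` starts and ends outside the hunk.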