authorJose <jose@zeroc.com>2017-02-22 10:49:10 +0100
committerJose <jose@zeroc.com>2017-02-22 10:49:10 +0100
commitc5b5faca606e38ecaa7049f54641f1587c1517c8 (patch)
treecf5b56fdf1cd547d8acefbe9bd61ae5393d27410 /cpp/src/IceSSL/SSLEngine.cpp
parentAnother fix for compiler flag ordering (diff)
Fix (6462) - Consider changing some IceSSL checks to use native APIs
Diffstat (limited to 'cpp/src/IceSSL/SSLEngine.cpp')
-rw-r--r--cpp/src/IceSSL/SSLEngine.cpp98
1 files changed, 37 insertions, 61 deletions
diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp
index 2bc0b574627..c8342073d35 100644
--- a/cpp/src/IceSSL/SSLEngine.cpp
+++ b/cpp/src/IceSSL/SSLEngine.cpp
@@ -132,12 +132,14 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
{
const CertificateVerifierPtr verifier = getCertificateVerifier();
-#if !defined(ICE_USE_SECURE_TRANSPORT_IOS)
+#if defined(ICE_USE_SCHANNEL) || \
+ (defined(ICE_USE_OPENSSL) && defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10002000L)
+
//
// For an outgoing connection, we compare the proxy address (if any) against
// fields in the server's certificate (if any).
//
- if(!info->nativeCerts.empty() && !address.empty())
+ if(_checkCertName && !info->nativeCerts.empty() && !address.empty())
{
const CertificatePtr cert = info->nativeCerts[0];
//
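Review bot: The `defined(OPENSSL_VERSION_NUMBER)` guard in the new `#if` fails in the unsafe direction: if that macro is not visible at this point (OpenSSL header not included before `verifyPeer`), the whole condition becomes false and the fallback name check compiles out silently, whereas an undefined identifier in `#if` evaluates to 0, so `OPENSSL_VERSION_NUMBER < 0x10002000L` alone would keep the fallback in place. Consider `#if defined(ICE_USE_SCHANNEL) || (defined(ICE_USE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10002000L)`, or a `#error` when `ICE_USE_OPENSSL` is set but the version macro is missing. The condition also deserves a comment saying why it exists, e.g. `// Hostname/IP matching is delegated to the native API on SecureTransport and OpenSSL >= 1.0.2; this block is the manual fallback for Schannel and older OpenSSL.` Adding `_checkCertName &&` also drops the trace message the removed code emitted when CheckCertName was off and no verifier was set (see the deleted comment in the second hunk); if that is intended, a one-line note here would save the next reader from looking for it. verifyPeer begins before this hunk and continues past it.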
@@ -159,82 +161,56 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
}
}
- //
- // Compare the peer's address against the common name.
- //
bool certNameOK = false;
string dn;
+ bool isIpAddress = IceInternal::isIpAddress(address);
string addrLower = IceUtilInternal::toLower(address);
- {
- DistinguishedName d = cert->getSubjectDN();
- dn = IceUtilInternal::toLower(string(d));
- string cn = "cn=" + addrLower;
- string::size_type pos = dn.find(cn);
- if(pos != string::npos)
- {
- //
- // Ensure we match the entire common name.
- //
- certNameOK = (pos + cn.size() == dn.size()) || (dn[pos + cn.size()] == ',');
- }
- }
-
//
- // Compare the peer's address against the dnsName and ipAddress
- // values in the subject alternative name.
+ // If address is and IP address compare it to the subject alt name IP adddress
//
- if(!certNameOK)
+ if(isIpAddress)
{
certNameOK = find(ipAddresses.begin(), ipAddresses.end(), addrLower) != ipAddresses.end();
}
- if(!certNameOK)
- {
- certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end();
- }
-
- //
- // Log a message if the name comparison fails. If CheckCertName is defined,
- // we also raise an exception to abort the connection. Don't log a message if
- // CheckCertName is not defined and a verifier is present.
- //
- if(!certNameOK && (_checkCertName || (_securityTraceLevel >= 1 && !verifier)))
+ else
{
- ostringstream ostr;
- ostr << "IceSSL: ";
- if(!_checkCertName)
+ //
+ // If subjectAlt is empty compare it ot the subject CN, othewise
+ // compare it to the to the subject alt name dnsNames
+ //
+ if(dnsNames.empty())
{
- ostr << "ignoring ";
+ DistinguishedName d = cert->getSubjectDN();
+ dn = IceUtilInternal::toLower(string(d));
+ string cn = "cn=" + addrLower;
+ string::size_type pos = dn.find(cn);
+ if(pos != string::npos)
+ {
+ //
+ // Ensure we match the entire common name.
+ //
+ certNameOK = (pos + cn.size() == dn.size()) || (dn[pos + cn.size()] == ',');
+ }
}
- ostr << "certificate validation failure:\npeer certificate does not have `" << address
- << "' as its commonName or in its subjectAltName extension";
- if(!dn.empty())
+ else
{
- ostr << "\nSubject DN: " << dn;
+ certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end();
}
- if(!dnsNames.empty())
+ }
+
+ if(!certNameOK)
+ {
+ ostringstream ostr;
+ ostr << "IceSSL: certificate validation failure: ";
+ if(isIpAddress)
{
- ostr << "\nDNS names found in certificate: ";
- for(vector<string>::const_iterator p = dnsNames.begin(); p != dnsNames.end(); ++p)
- {
- if(p != dnsNames.begin())
- {
- ostr << ", ";
- }
- ostr << *p;
- }
+ ostr << "IP address mismatch";
}
- if(!ipAddresses.empty())
+ else
{
- ostr << "\nIP addresses found in certificate: ";
- for(vector<string>::const_iterator p = ipAddresses.begin(); p != ipAddresses.end(); ++p)
- {
- if(p != ipAddresses.begin())
- {
- ostr << ", ";
- }
- ostr << *p;
- }
+ ostr << "Hostname mismatch";
}
+
string msg = ostr.str();
if(_securityTraceLevel >= 1)
{