Fix for bug 4194, you can now turn off certificate validity period checking

of peer certificates. See the IceSSL.Client.IgnoreValidPeriod and IceSSL.Server.IgnoreValidPeriod properties.
author: Anthony Neal <aneal@zeroc.com> 2004-02-12 21:59:52 +0000
committer: Anthony Neal <aneal@zeroc.com> 2004-02-12 21:59:52 +0000
commit: af18d6bf6d51018be5418b061dce4c6e3e056ed2 (patch)
tree: 7eee5d58f59f69b66eee44a25b7058ea866cdc00 /cpp/src
parent: Fix (diff)
download: ice-af18d6bf6d51018be5418b061dce4c6e3e056ed2.tar.bz2
ice-af18d6bf6d51018be5418b061dce4c6e3e056ed2.tar.xz
ice-af18d6bf6d51018be5418b061dce4c6e3e056ed2.zip
9 files changed, 100 insertions, 9 deletions
diff --git a/cpp/src/Ice/PropertiesI.cpp b/cpp/src/Ice/PropertiesI.cpp
index af9500ccfd1..5a8a4a2416c 100644
--- a/cpp/src/Ice/PropertiesI.cpp
+++ b/cpp/src/Ice/PropertiesI.cpp
@@ -205,6 +205,7 @@ static const string iceSSLProps[] =
     "Client.CertPath*",
     "Client.Config",
     "Client.Handshake.Retries",
+    "Client.IgnoreValidPeriod",
     "Client.Overrides.CACertificate",
     "Client.Overrides.DSA.Certificate",
     "Client.Overrides.DSA.PrivateKey",
@@ -213,6 +214,7 @@ static const string iceSSLProps[] =
     "Client.Passphrase.Retries",
     "Server.CertPath*",
     "Server.Config",
+    "Server.IgnoreValidPeriod",
     "Server.Overrides.CACertificate",
     "Server.Overrides.DSA.Certificate",
     "Server.Overrides.DSA.PrivateKey",
diff --git a/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp b/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
index 8ab27aa8dcf..9af66e69394 100644
--- a/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
+++ b/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
@@ -19,6 +19,12 @@ IceSSL::CertificateVerifierOpenSSL::~CertificateVerifierOpenSSL()
 }
 
 void
+IceSSL::CertificateVerifierOpenSSL::setContext(::IceSSL::ContextType contextType)
+{
+    _contextType = contextType;
+}
+
+void
 IceInternal::incRef(::IceSSL::CertificateVerifierOpenSSL* p)
 {
     p->__incRef();
diff --git a/cpp/src/IceSSL/ClientContext.cpp b/cpp/src/IceSSL/ClientContext.cpp
index 8708ca58508..81ba2394be6 100644
--- a/cpp/src/IceSSL/ClientContext.cpp
+++ b/cpp/src/IceSSL/ClientContext.cpp
@@ -73,7 +73,7 @@ IceSSL::ClientContext::createTransceiver(int socket, const OpenSSLPluginIPtr& pl
 }
 
 IceSSL::ClientContext::ClientContext(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
-    Context(traceLevels, communicator)
+    Context(traceLevels, communicator, Client)
 {
     _rsaPrivateKeyProperty = "IceSSL.Client.Overrides.RSA.PrivateKey";
     _rsaPublicKeyProperty  = "IceSSL.Client.Overrides.RSA.Certificate";
diff --git a/cpp/src/IceSSL/Context.cpp b/cpp/src/IceSSL/Context.cpp
index eef654b3e7e..99d67a67d7a 100644
--- a/cpp/src/IceSSL/Context.cpp
+++ b/cpp/src/IceSSL/Context.cpp
@@ -61,6 +61,7 @@ void
 IceSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& verifier)
 {
     _certificateVerifier = verifier;
+    _certificateVerifier->setContext(_contextType);
 }
 
 void
@@ -153,11 +154,14 @@ IceSSL::Context::configure(const GeneralConfig& generalConfig,
 // Protected
 //
 
-IceSSL::Context::Context(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
+IceSSL::Context::Context(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator,
+                         const ContextType& type) :
     _traceLevels(traceLevels),
-    _communicator(communicator)
+    _communicator(communicator),
+    _contextType(type)
 {
     _certificateVerifier = new DefaultCertificateVerifier(traceLevels, communicator);
+    _certificateVerifier->setContext(_contextType);
     _sslContext = 0;
 
     _maxPassphraseRetriesDefault = "4";
diff --git a/cpp/src/IceSSL/Context.h b/cpp/src/IceSSL/Context.h
index 337b7e533b9..a6945eedb15 100644
--- a/cpp/src/IceSSL/Context.h
+++ b/cpp/src/IceSSL/Context.h
@@ -61,7 +61,7 @@ public:
 
 protected:
 
-    Context(const TraceLevelsPtr&, const Ice::CommunicatorPtr&);
+    Context(const TraceLevelsPtr&, const Ice::CommunicatorPtr&, const ContextType&);
 
     SSL_METHOD* getSslMethod(SslProtocol);
     void createContext(SslProtocol);
@@ -92,6 +92,7 @@ protected:
 
     TraceLevelsPtr _traceLevels;
     Ice::CommunicatorPtr _communicator;
+    ContextType _contextType;
 
     std::string _rsaPrivateKeyProperty;
     std::string _rsaPublicKeyProperty;
diff --git a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
index d0f46e8c224..633a16b50cf 100644
--- a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
+++ b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
@@ -13,6 +13,7 @@
 // **********************************************************************
 
 #include <Ice/Communicator.h>
+#include <Ice/Properties.h>
 #include <Ice/LoggerUtil.h>
 #include <IceSSL/OpenSSL.h>
 #include <IceSSL/DefaultCertificateVerifier.h>
@@ -52,8 +53,82 @@ IceSSL::DefaultCertificateVerifier::verify(int preVerifyOkay, X509_STORE_CTX* x5
             X509_STORE_CTX_set_error(x509StoreContext, verifyError);
         }
 
-        // If we have ANY errors, we bail out.
-        preVerifyOkay = 0;
+        bool checkIgnoreValid = false;
+
+        switch(verifyError)
+        {
+            case X509_V_ERR_CERT_NOT_YET_VALID:
+            case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+            {
+                checkIgnoreValid = true;
+                break;
+            }
+
+            case X509_V_ERR_CERT_HAS_EXPIRED:
+            case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+            {
+                checkIgnoreValid = true;
+                break;
+            }
+
+            default :
+            {
+                // If we have any other errors, we bail out.
+                preVerifyOkay = 0;
+                break;
+            }
+        }
+
+        if(checkIgnoreValid)
+        {
+            ::Ice::PropertiesPtr properties = _communicator->getProperties();
+
+            switch(_contextType)
+            {
+                case Client :
+                {
+                    if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0)
+                    {
+                        // Unless we're told to ignore this result, we bail out.
+                        preVerifyOkay = 0;
+                    }
+                    else
+                    {
+                        preVerifyOkay = 1;
+                    }
+                    break;
+                }
+
+                case Server :
+                {
+                    if(properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0)
+                    {
+                        // Unless we're told to ignore this result, we bail out.
+                        preVerifyOkay = 0;
+                    }
+                    else
+                    {
+                        preVerifyOkay = 1;
+                    }
+                    break;
+                }
+
+                case ClientServer:
+                {
+                    if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0 && 
+                        properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0)
+                    {
+                        // Unless we're told to ignore this result, we bail out.
+                        preVerifyOkay = 0;
+                    }
+                    else
+                    {
+                        preVerifyOkay = 1;
+                    }
+                    break;
+                }
+            }
+        }
     }
 
     // Only if ICE_PROTOCOL level logging is on do we worry about this.
diff --git a/cpp/src/IceSSL/OpenSSLPluginI.cpp b/cpp/src/IceSSL/OpenSSLPluginI.cpp
index b4cc3d60bac..1e8e1abbe30 100644
--- a/cpp/src/IceSSL/OpenSSLPluginI.cpp
+++ b/cpp/src/IceSSL/OpenSSLPluginI.cpp
@@ -232,6 +232,7 @@ IceSSL::OpenSSLPluginI::~OpenSSLPluginI()
 
     ERR_free_strings();
     unregisterThreads();
+    ERR_remove_state(0);
 
     EVP_cleanup();
 
@@ -640,6 +641,8 @@ IceSSL::OpenSSLPluginI::setCertificateVerifier(ContextType contextType,
         throw cvtEx;
     }
 
+    castVerifier->setContext(contextType);
+
     if(contextType == Client || contextType == ClientServer)
     {
         _clientContext.setCertificateVerifier(castVerifier);
diff --git a/cpp/src/IceSSL/ServerContext.cpp b/cpp/src/IceSSL/ServerContext.cpp
index a7270c801cd..1ceb4d77255 100644
--- a/cpp/src/IceSSL/ServerContext.cpp
+++ b/cpp/src/IceSSL/ServerContext.cpp
@@ -98,7 +98,7 @@ IceSSL::ServerContext::createTransceiver(int socket, const OpenSSLPluginIPtr& pl
 //
 
 IceSSL::ServerContext::ServerContext(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
-    Context(traceLevels, communicator)
+    Context(traceLevels, communicator, Server)
 {
     _rsaPrivateKeyProperty = "IceSSL.Server.Overrides.RSA.PrivateKey";
     _rsaPublicKeyProperty  = "IceSSL.Server.Overrides.RSA.Certificate";
diff --git a/cpp/src/IceSSL/SingleCertificateVerifier.cpp b/cpp/src/IceSSL/SingleCertificateVerifier.cpp
index 914117e8c90..d9950ba68ad 100644
--- a/cpp/src/IceSSL/SingleCertificateVerifier.cpp
+++ b/cpp/src/IceSSL/SingleCertificateVerifier.cpp
@@ -28,8 +28,8 @@ IceSSL::SingleCertificateVerifier::SingleCertificateVerifier(const ByteSeq& publ
 
 int
 IceSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
-                                                   X509_STORE_CTX* x509StoreContext,
-                                                   SSL* sslConnection)
+                                          X509_STORE_CTX* x509StoreContext,
+                                          SSL* sslConnection)
 {
     // For getting the CA certificate
     X509* trustedCert = 0;
author	Anthony Neal <aneal@zeroc.com>	2004-02-12 21:59:52 +0000
committer	Anthony Neal <aneal@zeroc.com>	2004-02-12 21:59:52 +0000
commit	af18d6bf6d51018be5418b061dce4c6e3e056ed2 (patch)
tree	7eee5d58f59f69b66eee44a25b7058ea866cdc00 /cpp/src
parent	Fix (diff)
download	ice-af18d6bf6d51018be5418b061dce4c6e3e056ed2.tar.bz2 ice-af18d6bf6d51018be5418b061dce4c6e3e056ed2.tar.xz ice-af18d6bf6d51018be5418b061dce4c6e3e056ed2.zip