authorBenoit Foucher <benoit@zeroc.com>2017-02-22 14:48:21 +0100
committerBenoit Foucher <benoit@zeroc.com>2017-02-22 14:48:21 +0100
commit7c93c219b4af7d5183ca17ad4e1a1d97c53a918d (patch)
treec0a09bce21d07422af0cbff088447d34dc92fb00 /cpp/src
parentBuild C++11 testsuite with VS 2017 RC (diff)
Minor IceSSL fixes
Diffstat (limited to 'cpp/src')
-rw-r--r--cpp/src/IceSSL/SSLEngine.cpp33
-rw-r--r--cpp/src/IceSSL/UWPTransceiverI.cpp8
2 files changed, 13 insertions, 28 deletions
diff --git a/cpp/src/IceSSL/SSLEngine.cpp b/cpp/src/IceSSL/SSLEngine.cpp
index c8342073d35..e10844bd078 100644
--- a/cpp/src/IceSSL/SSLEngine.cpp
+++ b/cpp/src/IceSSL/SSLEngine.cpp
@@ -142,6 +142,7 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
if(_checkCertName && !info->nativeCerts.empty() && !address.empty())
{
const CertificatePtr cert = info->nativeCerts[0];
+
//
// Extract the IP addresses and the DNS names from the subject
// alternative names.
@@ -162,13 +163,12 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
}
bool certNameOK = false;
- string dn;
- bool isIpAddress = IceInternal::isIpAddress(address);
string addrLower = IceUtilInternal::toLower(address);
+
//
- // If address is and IP address compare it to the subject alt name IP adddress
+ // If address is an IP address, compare it to the subject alternative names IP adddress
//
- if(isIpAddress)
+ if(IceInternal::isIpAddress(address))
{
certNameOK = find(ipAddresses.begin(), ipAddresses.end(), addrLower) != ipAddresses.end();
}
@@ -181,7 +181,7 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
if(dnsNames.empty())
{
DistinguishedName d = cert->getSubjectDN();
- dn = IceUtilInternal::toLower(string(d));
+ string dn = IceUtilInternal::toLower(string(d));
string cn = "cn=" + addrLower;
string::size_type pos = dn.find(cn);
if(pos != string::npos)
@@ -194,35 +194,24 @@ IceSSL::SSLEngine::verifyPeer(const string& address, const NativeConnectionInfoP
}
else
{
- certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end();
+ certNameOK = find(dnsNames.begin(), dnsNames.end(), addrLower) != dnsNames.end();
}
}
if(!certNameOK)
{
ostringstream ostr;
- ostr << "IceSSL: certificate validation failure: ";
- if(isIpAddress)
- {
- ostr << "IP address mismatch";
- }
- else
- {
- ostr << "Hostname mismatch";
- }
-
+ ostr << "IceSSL: certificate validation failure: "
+ << (isIpAddress ? "IP address mismatch" : "Hostname mismatch");
string msg = ostr.str();
if(_securityTraceLevel >= 1)
{
Trace out(_logger, _securityTraceCategory);
out << msg;
}
- if(_checkCertName)
- {
- SecurityException ex(__FILE__, __LINE__);
- ex.reason = msg;
- throw ex;
- }
+ SecurityException ex(__FILE__, __LINE__);
+ ex.reason = msg;
+ throw ex;
}
}
#endif
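Review bot: The ternary added on the `ostr <<` line still reads `isIpAddress`, but the hunk at -162 removes the local `bool isIpAddress = IceInternal::isIpAddress(address);` and calls `IceInternal::isIpAddress(address)` directly in its place, so that identifier no longer names a local here. Depending on which using-directives are in effect above the first hunk, this is either a compile error or, if the name resolves to the `IceInternal::isIpAddress` function itself, a function-to-pointer conversion that is always true, in which case every name mismatch would be reported as "IP address mismatch" even for hostnames. Either keep the local in the earlier hunk or change the line to `<< (IceInternal::isIpAddress(address) ? "IP address mismatch" : "Hostname mismatch");`. The rewritten comment in the second hunk also still spells "adddress" with three d's. verifyPeer's opening lines fall before the first hunk of this file.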
diff --git a/cpp/src/IceSSL/UWPTransceiverI.cpp b/cpp/src/IceSSL/UWPTransceiverI.cpp
index 91945bd7fce..ca4bdc46afc 100644
--- a/cpp/src/IceSSL/UWPTransceiverI.cpp
+++ b/cpp/src/IceSSL/UWPTransceiverI.cpp
@@ -30,7 +30,7 @@ using namespace Windows::Security::Cryptography::Certificates;
namespace
{
-
+
std::string
validationResultToString(ChainValidationResult result)
{
@@ -143,7 +143,7 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
params->CurrentTimeValidationEnabled = true;
params->NetworkRetrievalEnabled = false;
params->RevocationCheckEnabled = false;
-
+
//
// BUGFIX: It is currently not possible to set ExclusiveTrustRoots programatically
// it is causing a read access exception see:https://goo.gl/B6OaNx
@@ -163,10 +163,6 @@ IceSSL::TransceiverI::initialize(IceInternal::Buffer& readBuffer, IceInternal::B
}
ChainValidationResult result = _chain->Validate();
- //
- // Ignore InvalidName errors here SSLEngine::verifyPeer already checks that
- // using IceSSL.CheckCertName settings.
- //
if(result != ChainValidationResult::Success)
{
if(_engine->getVerifyPeer() == 0)