Diffstat (limited to 'cpp/src')
-rw-r--r-- | cpp/src/Ice/PropertiesI.cpp | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp | 6 | ||||
-rw-r--r-- | cpp/src/IceSSL/ClientContext.cpp | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/Context.cpp | 8 | ||||
-rw-r--r-- | cpp/src/IceSSL/Context.h | 3 | ||||
-rw-r--r-- | cpp/src/IceSSL/DefaultCertificateVerifier.cpp | 79 | ||||
-rw-r--r-- | cpp/src/IceSSL/OpenSSLPluginI.cpp | 3 | ||||
-rw-r--r-- | cpp/src/IceSSL/ServerContext.cpp | 2 | ||||
-rw-r--r-- | cpp/src/IceSSL/SingleCertificateVerifier.cpp | 4 |
9 files changed, 100 insertions, 9 deletions
diff --git a/cpp/src/Ice/PropertiesI.cpp b/cpp/src/Ice/PropertiesI.cpp
index af9500ccfd1..5a8a4a2416c 100644
--- a/cpp/src/Ice/PropertiesI.cpp
+++ b/cpp/src/Ice/PropertiesI.cpp
@@ -205,6 +205,7 @@ static const string iceSSLProps[] =
     "Client.CertPath*",
     "Client.Config",
     "Client.Handshake.Retries",
+    "Client.IgnoreValidPeriod",
     "Client.Overrides.CACertificate",
     "Client.Overrides.DSA.Certificate",
     "Client.Overrides.DSA.PrivateKey",
@@ -213,6 +214,7 @@ static const string iceSSLProps[] =
     "Client.Passphrase.Retries",
     "Server.CertPath*",
     "Server.Config",
+    "Server.IgnoreValidPeriod",
     "Server.Overrides.CACertificate",
     "Server.Overrides.DSA.Certificate",
     "Server.Overrides.DSA.PrivateKey",
diff --git a/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp b/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
index 8ab27aa8dcf..9af66e69394 100644
--- a/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
+++ b/cpp/src/IceSSL/CertificateVerifierOpenSSL.cpp
@@ -19,6 +19,12 @@ IceSSL::CertificateVerifierOpenSSL::~CertificateVerifierOpenSSL()
 }
 
 void
+IceSSL::CertificateVerifierOpenSSL::setContext(::IceSSL::ContextType contextType)
+{
+    _contextType = contextType;
+}
+
+void
 IceInternal::incRef(::IceSSL::CertificateVerifierOpenSSL* p)
 {
     p->__incRef();
diff --git a/cpp/src/IceSSL/ClientContext.cpp b/cpp/src/IceSSL/ClientContext.cpp
index 8708ca58508..81ba2394be6 100644
--- a/cpp/src/IceSSL/ClientContext.cpp
+++ b/cpp/src/IceSSL/ClientContext.cpp
@@ -73,7 +73,7 @@ IceSSL::ClientContext::createTransceiver(int socket, const OpenSSLPluginIPtr& pl
 }
 
 IceSSL::ClientContext::ClientContext(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
-    Context(traceLevels, communicator)
+    Context(traceLevels, communicator, Client)
 {
     _rsaPrivateKeyProperty = "IceSSL.Client.Overrides.RSA.PrivateKey";
     _rsaPublicKeyProperty = "IceSSL.Client.Overrides.RSA.Certificate";
diff --git a/cpp/src/IceSSL/Context.cpp b/cpp/src/IceSSL/Context.cpp
index eef654b3e7e..99d67a67d7a 100644
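Review bot: `CertificateVerifierOpenSSL::setContext` stores a single context type on the verifier object without any comment, although one verifier instance can be installed on both the client and the server context (the plugin's `ClientServer` case elsewhere in this commit), so the field can only ever reflect the most recent caller. A comment on the definition would make that visible to anyone adding a context-dependent check: `// Tag this verifier with the context that installed it; a verifier shared by both contexts keeps the value of the last call.` `_contextType` is not initialised anywhere in this diff — its declaration and the constructor are outside the hunk — so if the header does not give it a default, the constructor should, to avoid switching on an indeterminate value in a verifier that is used before any `setContext` call.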
--- a/cpp/src/IceSSL/Context.cpp
+++ b/cpp/src/IceSSL/Context.cpp
@@ -61,6 +61,7 @@ void
 IceSSL::Context::setCertificateVerifier(const CertificateVerifierPtr& verifier)
 {
     _certificateVerifier = verifier;
+    _certificateVerifier->setContext(_contextType);
 }
 
 void
@@ -153,11 +154,14 @@ IceSSL::Context::configure(const GeneralConfig& generalConfig,
 // Protected
 //
 
-IceSSL::Context::Context(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
+IceSSL::Context::Context(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator,
+                         const ContextType& type) :
     _traceLevels(traceLevels),
-    _communicator(communicator)
+    _communicator(communicator),
+    _contextType(type)
 {
     _certificateVerifier = new DefaultCertificateVerifier(traceLevels, communicator);
+    _certificateVerifier->setContext(_contextType);
     _sslContext = 0;
 
     _maxPassphraseRetriesDefault = "4";
diff --git a/cpp/src/IceSSL/Context.h b/cpp/src/IceSSL/Context.h
index 337b7e533b9..a6945eedb15 100644
--- a/cpp/src/IceSSL/Context.h
+++ b/cpp/src/IceSSL/Context.h
@@ -61,7 +61,7 @@ public:
 
 protected:
 
-    Context(const TraceLevelsPtr&, const Ice::CommunicatorPtr&);
+    Context(const TraceLevelsPtr&, const Ice::CommunicatorPtr&, const ContextType&);
 
     SSL_METHOD* getSslMethod(SslProtocol);
     void createContext(SslProtocol);
@@ -92,6 +92,7 @@ protected:
 
     TraceLevelsPtr _traceLevels;
     Ice::CommunicatorPtr _communicator;
+    ContextType _contextType;
 
     std::string _rsaPrivateKeyProperty;
     std::string _rsaPublicKeyProperty;
diff --git a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
index d0f46e8c224..633a16b50cf 100644
--- a/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
+++ b/cpp/src/IceSSL/DefaultCertificateVerifier.cpp
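Review bot: `Context::setCertificateVerifier` now dereferences the incoming handle unconditionally in the added `_certificateVerifier->setContext(_contextType)`; before this change a null `CertificateVerifierPtr` was simply stored, and now it triggers whatever the handle's null-dereference behaviour is (a fault or a null-handle exception) at install time, so the tag should be guarded: `if(_certificateVerifier) { _certificateVerifier->setContext(_contextType); }`, or the method should reject a null verifier explicitly. Note also that this call re-tags whatever object is passed in, so a verifier installed on both contexts carries only the type of the context that received it last; if that is intended, a comment on this line should say so. The constructor path is fine since the `DefaultCertificateVerifier` it tags is freshly allocated.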
@@ -13,6 +13,7 @@
 // **********************************************************************
 
 #include <Ice/Communicator.h>
+#include <Ice/Properties.h>
 #include <Ice/LoggerUtil.h>
 #include <IceSSL/OpenSSL.h>
 #include <IceSSL/DefaultCertificateVerifier.h>
@@ -52,8 +53,82 @@ IceSSL::DefaultCertificateVerifier::verify(int preVerifyOkay, X509_STORE_CTX* x5
             X509_STORE_CTX_set_error(x509StoreContext, verifyError);
         }
 
-        // If we have ANY errors, we bail out.
-        preVerifyOkay = 0;
+        bool checkIgnoreValid = false;
+
+        switch(verifyError)
+        {
+            case X509_V_ERR_CERT_NOT_YET_VALID:
+            case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+            {
+                checkIgnoreValid = true;
+                break;
+            }
+
+            case X509_V_ERR_CERT_HAS_EXPIRED:
+            case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+            {
+                checkIgnoreValid = true;
+                break;
+            }
+
+            default :
+            {
+                // If we have any other errors, we bail out.
+                preVerifyOkay = 0;
+                break;
+            }
+        }
+
+        if(checkIgnoreValid)
+        {
+            ::Ice::PropertiesPtr properties = _communicator->getProperties();
+
+            switch(_contextType)
+            {
+                case Client :
+                {
+                    if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0)
+                    {
+                        // Unless we're told to ignore this result, we bail out.
+                        preVerifyOkay = 0;
+                    }
+                    else
+                    {
+                        preVerifyOkay = 1;
+                    }
+                    break;
+                }
+
+                case Server :
+                {
+                    if(properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0)
+                    {
+                        // Unless we're told to ignore this result, we bail out.
+                        preVerifyOkay = 0;
+                    }
+                    else
+                    {
+                        preVerifyOkay = 1;
+                    }
+                    break;
+                }
+
+                case ClientServer:
+                {
+                    if(properties->getPropertyAsIntWithDefault("IceSSL.Client.IgnoreValidPeriod", 0) == 0 &&
+                       properties->getPropertyAsIntWithDefault("IceSSL.Server.IgnoreValidPeriod", 0) == 0)
+                    {
+                        // Unless we're told to ignore this result, we bail out.
+                        preVerifyOkay = 0;
+                    }
+                    else
+                    {
+                        preVerifyOkay = 1;
+                    }
+                    break;
+                }
+            }
+        }
     }
 
     // Only if ICE_PROTOCOL level logging is on do we worry about this.
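Review bot: In the `ClientServer` branch an expired or not-yet-valid certificate is accepted when either `IceSSL.Client.IgnoreValidPeriod` or `IceSSL.Server.IgnoreValidPeriod` is non-zero (the `== 0 && == 0` test is the only bail-out), so enabling the override for outgoing connections also disables validity checking for the certificates clients present to the server whenever one verifier serves both contexts — the laxer of the two settings wins. If the side can be recovered from `sslConnection` (or by comparing its SSL_CTX with the owning context), only that side's property should be consulted; otherwise this cross-over should be stated in a comment on the branch. The inner `switch(_contextType)` also has no `default:`, so an unexpected tag leaves `preVerifyOkay` at whatever value was passed in; adding `default: preVerifyOkay = 0; break;` makes the bypass path fail closed. Nothing is logged when the period check is deliberately ignored, and the comment after the hunk says the trace below only fires at protocol trace level, so a warning through the communicator's logger on the `preVerifyOkay = 1` paths would make a production misconfiguration visible. The enclosing `verify` body starts and ends outside the hunk.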
diff --git a/cpp/src/IceSSL/OpenSSLPluginI.cpp b/cpp/src/IceSSL/OpenSSLPluginI.cpp
index b4cc3d60bac..1e8e1abbe30 100644
--- a/cpp/src/IceSSL/OpenSSLPluginI.cpp
+++ b/cpp/src/IceSSL/OpenSSLPluginI.cpp
@@ -232,6 +232,7 @@ IceSSL::OpenSSLPluginI::~OpenSSLPluginI()
     ERR_free_strings();
 
     unregisterThreads();
+    ERR_remove_state(0);
 
     EVP_cleanup();
 
@@ -640,6 +641,8 @@ IceSSL::OpenSSLPluginI::setCertificateVerifier(ContextType contextType,
         throw cvtEx;
     }
 
+    castVerifier->setContext(contextType);
+
     if(contextType == Client || contextType == ClientServer)
     {
         _clientContext.setCertificateVerifier(castVerifier);
diff --git a/cpp/src/IceSSL/ServerContext.cpp b/cpp/src/IceSSL/ServerContext.cpp
index a7270c801cd..1ceb4d77255 100644
--- a/cpp/src/IceSSL/ServerContext.cpp
+++ b/cpp/src/IceSSL/ServerContext.cpp
@@ -98,7 +98,7 @@ IceSSL::ServerContext::createTransceiver(int socket, const OpenSSLPluginIPtr& pl
 //
 
 IceSSL::ServerContext::ServerContext(const TraceLevelsPtr& traceLevels, const CommunicatorPtr& communicator) :
-    Context(traceLevels, communicator)
+    Context(traceLevels, communicator, Server)
 {
     _rsaPrivateKeyProperty = "IceSSL.Server.Overrides.RSA.PrivateKey";
     _rsaPublicKeyProperty = "IceSSL.Server.Overrides.RSA.Certificate";
diff --git a/cpp/src/IceSSL/SingleCertificateVerifier.cpp b/cpp/src/IceSSL/SingleCertificateVerifier.cpp
index 914117e8c90..d9950ba68ad 100644
--- a/cpp/src/IceSSL/SingleCertificateVerifier.cpp
+++ b/cpp/src/IceSSL/SingleCertificateVerifier.cpp
@@ -28,8 +28,8 @@ IceSSL::SingleCertificateVerifier::SingleCertificateVerifier(const ByteSeq& publ
 
 int
 IceSSL::SingleCertificateVerifier::verify(int preVerifyOkay,
-                                          X509_STORE_CTX* x509StoreContext,
-                                          SSL* sslConnection)
+                                          X509_STORE_CTX* x509StoreContext,
+                                          SSL* sslConnection)
 {
     // For getting the CA certificate
     X509* trustedCert = 0;
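Review bot: The added `castVerifier->setContext(contextType)` in `OpenSSLPluginI::setCertificateVerifier` is overwritten straight away: `Context::setCertificateVerifier` (in the Context.cpp hunk of this commit) calls `setContext` with the owning context's own type, so after `_clientContext.setCertificateVerifier(castVerifier)` the verifier is tagged `Client`, and a verifier installed for `ClientServer` ends up tagged with whichever context received it last — the `ClientServer` value can never be observed inside `DefaultCertificateVerifier::verify`. Either this call should be the single place the type is set (with `Context` no longer re-tagging), or the side should be derived per connection at verification time instead of being stored on an object that may be shared by both contexts. The rest of `setCertificateVerifier`, including the server-context branch, lies outside the hunk.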