summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemko Tronçon <git@el-tramo.be>2012-05-05 16:08:55 (GMT)
committerRemko Tronçon <git@el-tramo.be>2012-05-05 16:08:55 (GMT)
commit501a4a43c9a95b3611bf91b8693fffc8814954b4 (patch)
tree1ab0d89a982392941503832fb968b72aab09422f
parent9c11acbb8801186bafa29ff820d368512590396a (diff)
downloadswift-contrib-501a4a43c9a95b3611bf91b8693fffc8814954b4.zip
swift-contrib-501a4a43c9a95b3611bf91b8693fffc8814954b4.tar.bz2
Re-enable revocation check.
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp8
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContextFactory.h5
-rw-r--r--Swiften/TLS/Schannel/SchannelContext.cpp14
-rw-r--r--Swiften/TLS/Schannel/SchannelContext.h3
-rw-r--r--Swiften/TLS/Schannel/SchannelContextFactory.cpp12
-rw-r--r--Swiften/TLS/Schannel/SchannelContextFactory.h7
-rw-r--r--Swiften/TLS/TLSContextFactory.h1
7 files changed, 45 insertions, 5 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
index 516482d..6cd3c83 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
@@ -6,6 +6,7 @@
#include <Swiften/TLS/OpenSSL/OpenSSLContextFactory.h>
#include <Swiften/TLS/OpenSSL/OpenSSLContext.h>
+#include <Swiften/Base/Log.h>
namespace Swift {
@@ -17,4 +18,11 @@ TLSContext* OpenSSLContextFactory::createTLSContext() {
return new OpenSSLContext();
}
+void OpenSSLContextFactory::setCheckCertificateRevocation(bool) {
+ assert(false);
+ SWIFT_LOG(warning) << "CRL Checking not supported for OpenSSL" << std::endl;
+}
+
+
+
}
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
index 4e39cd6..43ab960 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
@@ -8,10 +8,15 @@
#include <Swiften/TLS/TLSContextFactory.h>
+#include <cassert>
+
namespace Swift {
class OpenSSLContextFactory : public TLSContextFactory {
public:
bool canCreate() const;
virtual TLSContext* createTLSContext();
+
+ // Not supported
+ virtual void setCheckCertificateRevocation(bool b);
};
}
diff --git a/Swiften/TLS/Schannel/SchannelContext.cpp b/Swiften/TLS/Schannel/SchannelContext.cpp
index 2f2f2ae..641568d 100644
--- a/Swiften/TLS/Schannel/SchannelContext.cpp
+++ b/Swiften/TLS/Schannel/SchannelContext.cpp
@@ -21,7 +21,7 @@ namespace Swift {
//------------------------------------------------------------------------
-SchannelContext::SchannelContext() : m_state(Start), m_secContext(0), m_my_cert_store(NULL), m_cert_store_name("MY"), m_cert_name(), m_smartcard_reader() {
+SchannelContext::SchannelContext() : m_state(Start), m_secContext(0), m_my_cert_store(NULL), m_cert_store_name("MY"), m_cert_name(), m_smartcard_reader(), checkCertificateRevocation(true) {
m_ctxtFlags = ISC_REQ_ALLOCATE_MEMORY |
ISC_REQ_CONFIDENTIALITY |
ISC_REQ_EXTENDED_ERROR |
@@ -192,9 +192,10 @@ SECURITY_STATUS SchannelContext::validateServerCertificate() {
chainParams.RequestedUsage.Usage.cUsageIdentifier = ARRAYSIZE(usage);
chainParams.RequestedUsage.Usage.rgpszUsageIdentifier = const_cast<LPSTR*>(usage);
- // NOTE: We've turned off revocation checking due to some certificate providers causing timeouts when attempting
- // to talk to their revocation server, such as Starfield)
- DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT /*| CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT*/;
+ DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT;
+ if (checkCertificateRevocation) {
+ chainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
+ }
ScopedCertChainContext pChainContext;
@@ -649,4 +650,9 @@ ByteArray SchannelContext::getFinishMessage() const {
//------------------------------------------------------------------------
+void SchannelContext::setCheckCertificateRevocation(bool b) {
+ checkCertificateRevocation = b;
+}
+
+
}
diff --git a/Swiften/TLS/Schannel/SchannelContext.h b/Swiften/TLS/Schannel/SchannelContext.h
index 58e6551..887c7de 100644
--- a/Swiften/TLS/Schannel/SchannelContext.h
+++ b/Swiften/TLS/Schannel/SchannelContext.h
@@ -76,6 +76,8 @@ namespace Swift
void handleCertificateCardRemoved();
+ virtual void setCheckCertificateRevocation(bool b);
+
private:
enum SchannelState
{
@@ -103,5 +105,6 @@ namespace Swift
////Not needed, most likely
std::string m_smartcard_reader; //Can be empty string for non SmartCard certificates
boost::shared_ptr<CAPICertificate> userCertificate;
+ bool checkCertificateRevocation;
};
}
diff --git a/Swiften/TLS/Schannel/SchannelContextFactory.cpp b/Swiften/TLS/Schannel/SchannelContextFactory.cpp
index 8ab7c6c..8b0044c 100644
--- a/Swiften/TLS/Schannel/SchannelContextFactory.cpp
+++ b/Swiften/TLS/Schannel/SchannelContextFactory.cpp
@@ -9,12 +9,22 @@
namespace Swift {
+SchannelContextFactory::SchannelContextFactory() : checkCertificateRevocation(true) {
+}
+
bool SchannelContextFactory::canCreate() const {
return true;
}
TLSContext* SchannelContextFactory::createTLSContext() {
- return new SchannelContext();
+ SchannelContext* context = new SchannelContext();
+ context->setCheckCertificateRevocation(checkCertificateRevocation);
+ return context;
}
+void SchannelContextFactory::setCheckCertificateRevocation(bool b) {
+ checkCertificateRevocation = b;
+}
+
+
}
diff --git a/Swiften/TLS/Schannel/SchannelContextFactory.h b/Swiften/TLS/Schannel/SchannelContextFactory.h
index 43c39a9..9dc835c 100644
--- a/Swiften/TLS/Schannel/SchannelContextFactory.h
+++ b/Swiften/TLS/Schannel/SchannelContextFactory.h
@@ -11,7 +11,14 @@
namespace Swift {
class SchannelContextFactory : public TLSContextFactory {
public:
+ SchannelContextFactory();
+
bool canCreate() const;
virtual TLSContext* createTLSContext();
+
+ virtual void setCheckCertificateRevocation(bool b);
+
+ public:
+ bool checkCertificateRevocation;
};
}
diff --git a/Swiften/TLS/TLSContextFactory.h b/Swiften/TLS/TLSContextFactory.h
index 849ca71..5f08925 100644
--- a/Swiften/TLS/TLSContextFactory.h
+++ b/Swiften/TLS/TLSContextFactory.h
@@ -16,5 +16,6 @@ namespace Swift {
virtual bool canCreate() const = 0;
virtual TLSContext* createTLSContext() = 0;
+ virtual void setCheckCertificateRevocation(bool b) = 0;
};
}