Swift
summaryrefslogtreecommitdiffstats
path: root/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'Swiften/TLS/OpenSSL/OpenSSLContext.cpp')
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.cpp47
1 files changed, 33 insertions, 14 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 8c03052..54fb7bd 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -1,4 +1,4 @@
/*
- * Copyright (c) 2010 Remko Tronçon
+ * Copyright (c) 2010-2013 Remko Tronçon
* Licensed under the GNU General Public License v3.
* See Documentation/Licenses/GPLv3.txt for more information.
@@ -16,5 +16,5 @@
#include <boost/smart_ptr/make_shared.hpp>
-#if defined(SWIFTEN_PLATFORM_MACOSX) && OPENSSL_VERSION_NUMBER < 0x00908000
+#if defined(SWIFTEN_PLATFORM_MACOSX)
#include <Security/Security.h>
#endif
@@ -26,4 +26,8 @@
#pragma GCC diagnostic ignored "-Wold-style-cast"
+#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
+#pragma clang diagnostic ignored "-Wshorten-64-to-32"
+#pragma clang diagnostic ignored "-Wcast-align"
+#pragma clang diagnostic ignored "-Wsign-conversion"
namespace Swift {
@@ -32,5 +36,5 @@ static const int MAX_FINISHED_SIZE = 4096;
static const int SSL_READ_BUFFERSIZE = 8192;
-void freeX509Stack(STACK_OF(X509)* stack) {
+static void freeX509Stack(STACK_OF(X509)* stack) {
sk_X509_free(stack);
}
@@ -38,6 +42,13 @@ void freeX509Stack(STACK_OF(X509)* stack) {
OpenSSLContext::OpenSSLContext() : state_(Start), context_(0), handle_(0), readBIO_(0), writeBIO_(0) {
ensureLibraryInitialized();
- context_ = SSL_CTX_new(TLSv1_client_method());
+ context_ = SSL_CTX_new(SSLv23_client_method());
+ SSL_CTX_set_options(context_, SSL_OP_NO_SSLv2);
+ // TODO: implement CRL checking
+ // TODO: download CRL (HTTP transport)
+ // TODO: cache CRL downloads for configurable time period
+
+ // TODO: implement OCSP support
+ // TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt
// Load system certs
#if defined(SWIFTEN_PLATFORM_WINDOWS)
@@ -59,7 +70,11 @@ OpenSSLContext::OpenSSLContext() : state_(Start), context_(0), handle_(0), readB
#elif !defined(SWIFTEN_PLATFORM_MACOSX)
SSL_CTX_load_verify_locations(context_, NULL, "/etc/ssl/certs");
-#elif defined(SWIFTEN_PLATFORM_MACOSX) && OPENSSL_VERSION_NUMBER < 0x00908000
+#elif defined(SWIFTEN_PLATFORM_MACOSX)
// On Mac OS X 10.5 (OpenSSL < 0.9.8), OpenSSL does not automatically look in the system store.
- // We therefore add all certs from the system store ourselves.
+ // On Mac OS X 10.6 (OpenSSL >= 0.9.8), OpenSSL *does* look in the system store to determine trust.
+ // However, if there is a certificate error, it will always emit the "Invalid CA" error if we didn't add
+ // the certificates first. See
+ // http://opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c
+ // to understand why. We therefore add all certs from the system store ourselves.
X509_STORE* store = SSL_CTX_get_cert_store(context_);
CFArrayRef anchorCertificates;
@@ -206,5 +221,7 @@ bool OpenSSLContext::setClientCertificate(CertificateWithKey::ref certificate) {
EVP_PKEY* privateKeyPtr = 0;
STACK_OF(X509)* caCertsPtr = 0;
- int result = PKCS12_parse(pkcs12.get(), reinterpret_cast<const char*>(vecptr(pkcs12Certificate->getPassword())), &privateKeyPtr, &certPtr, &caCertsPtr);
+ SafeByteArray password(pkcs12Certificate->getPassword());
+ password.push_back(0);
+ int result = PKCS12_parse(pkcs12.get(), reinterpret_cast<const char*>(vecptr(password)), &privateKeyPtr, &certPtr, &caCertsPtr);
if (result != 1) {
return false;
@@ -227,12 +244,14 @@ bool OpenSSLContext::setClientCertificate(CertificateWithKey::ref certificate) {
}
-Certificate::ref OpenSSLContext::getPeerCertificate() const {
- boost::shared_ptr<X509> x509Cert(SSL_get_peer_certificate(handle_), X509_free);
- if (x509Cert) {
- return boost::make_shared<OpenSSLCertificate>(x509Cert);
- }
- else {
- return Certificate::ref();
+std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const {
+ std::vector<Certificate::ref> result;
+ STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_);
+ for (int i = 0; i < sk_X509_num(chain); ++i) {
+ boost::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free);
+
+ Certificate::ref cert = boost::make_shared<OpenSSLCertificate>(x509Cert);
+ result.push_back(cert);
}
+ return result;
}