diff options
Diffstat (limited to 'Swiften/TLS')
-rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp | 8 | ||||
-rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContextFactory.h | 5 | ||||
-rw-r--r-- | Swiften/TLS/Schannel/SchannelContext.cpp | 14 | ||||
-rw-r--r-- | Swiften/TLS/Schannel/SchannelContext.h | 3 | ||||
-rw-r--r-- | Swiften/TLS/Schannel/SchannelContextFactory.cpp | 12 | ||||
-rw-r--r-- | Swiften/TLS/Schannel/SchannelContextFactory.h | 7 | ||||
-rw-r--r-- | Swiften/TLS/TLSContextFactory.h | 1 |
7 files changed, 45 insertions, 5 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp index 516482d..6cd3c83 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp @@ -6,6 +6,7 @@ #include <Swiften/TLS/OpenSSL/OpenSSLContextFactory.h> #include <Swiften/TLS/OpenSSL/OpenSSLContext.h> +#include <Swiften/Base/Log.h> namespace Swift { @@ -17,4 +18,11 @@ TLSContext* OpenSSLContextFactory::createTLSContext() { return new OpenSSLContext(); } +void OpenSSLContextFactory::setCheckCertificateRevocation(bool) { + assert(false); + SWIFT_LOG(warning) << "CRL Checking not supported for OpenSSL" << std::endl; +} + + + } diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h index 4e39cd6..43ab960 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h +++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h @@ -8,10 +8,15 @@ #include <Swiften/TLS/TLSContextFactory.h> +#include <cassert> + namespace Swift { class OpenSSLContextFactory : public TLSContextFactory { public: bool canCreate() const; virtual TLSContext* createTLSContext(); + + // Not supported + virtual void setCheckCertificateRevocation(bool b); }; } diff --git a/Swiften/TLS/Schannel/SchannelContext.cpp b/Swiften/TLS/Schannel/SchannelContext.cpp index 2f2f2ae..641568d 100644 --- a/Swiften/TLS/Schannel/SchannelContext.cpp +++ b/Swiften/TLS/Schannel/SchannelContext.cpp @@ -21,7 +21,7 @@ namespace Swift { //------------------------------------------------------------------------ -SchannelContext::SchannelContext() : m_state(Start), m_secContext(0), m_my_cert_store(NULL), m_cert_store_name("MY"), m_cert_name(), m_smartcard_reader() { +SchannelContext::SchannelContext() : m_state(Start), m_secContext(0), m_my_cert_store(NULL), m_cert_store_name("MY"), m_cert_name(), m_smartcard_reader(), checkCertificateRevocation(true) { m_ctxtFlags = ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_CONFIDENTIALITY | ISC_REQ_EXTENDED_ERROR | @@ -192,9 +192,10 @@ SECURITY_STATUS SchannelContext::validateServerCertificate() { chainParams.RequestedUsage.Usage.cUsageIdentifier = ARRAYSIZE(usage); chainParams.RequestedUsage.Usage.rgpszUsageIdentifier = const_cast<LPSTR*>(usage); - // NOTE: We've turned off revocation checking due to some certificate providers causing timeouts when attempting - // to talk to their revocation server, such as Starfield) - DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT /*| CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT*/; + DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT; + if (checkCertificateRevocation) { + chainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; + } ScopedCertChainContext pChainContext; @@ -649,4 +650,9 @@ ByteArray SchannelContext::getFinishMessage() const { //------------------------------------------------------------------------ +void SchannelContext::setCheckCertificateRevocation(bool b) { + checkCertificateRevocation = b; +} + + } diff --git a/Swiften/TLS/Schannel/SchannelContext.h b/Swiften/TLS/Schannel/SchannelContext.h index 58e6551..887c7de 100644 --- a/Swiften/TLS/Schannel/SchannelContext.h +++ b/Swiften/TLS/Schannel/SchannelContext.h @@ -76,6 +76,8 @@ namespace Swift void handleCertificateCardRemoved(); + virtual void setCheckCertificateRevocation(bool b); + private: enum SchannelState { @@ -103,5 +105,6 @@ namespace Swift ////Not needed, most likely std::string m_smartcard_reader; //Can be empty string for non SmartCard certificates boost::shared_ptr<CAPICertificate> userCertificate; + bool checkCertificateRevocation; }; } diff --git a/Swiften/TLS/Schannel/SchannelContextFactory.cpp b/Swiften/TLS/Schannel/SchannelContextFactory.cpp index 8ab7c6c..8b0044c 100644 --- a/Swiften/TLS/Schannel/SchannelContextFactory.cpp +++ b/Swiften/TLS/Schannel/SchannelContextFactory.cpp @@ -9,12 +9,22 @@ namespace Swift { +SchannelContextFactory::SchannelContextFactory() : checkCertificateRevocation(true) { +} + bool SchannelContextFactory::canCreate() const { return true; } TLSContext* SchannelContextFactory::createTLSContext() { - return new SchannelContext(); + SchannelContext* context = new SchannelContext(); + context->setCheckCertificateRevocation(checkCertificateRevocation); + return context; } +void SchannelContextFactory::setCheckCertificateRevocation(bool b) { + checkCertificateRevocation = b; +} + + } diff --git a/Swiften/TLS/Schannel/SchannelContextFactory.h b/Swiften/TLS/Schannel/SchannelContextFactory.h index 43c39a9..9dc835c 100644 --- a/Swiften/TLS/Schannel/SchannelContextFactory.h +++ b/Swiften/TLS/Schannel/SchannelContextFactory.h @@ -11,7 +11,14 @@ namespace Swift { class SchannelContextFactory : public TLSContextFactory { public: + SchannelContextFactory(); + bool canCreate() const; virtual TLSContext* createTLSContext(); + + virtual void setCheckCertificateRevocation(bool b); + + public: + bool checkCertificateRevocation; }; } diff --git a/Swiften/TLS/TLSContextFactory.h b/Swiften/TLS/TLSContextFactory.h index 849ca71..5f08925 100644 --- a/Swiften/TLS/TLSContextFactory.h +++ b/Swiften/TLS/TLSContextFactory.h @@ -16,5 +16,6 @@ namespace Swift { virtual bool canCreate() const = 0; virtual TLSContext* createTLSContext() = 0; + virtual void setCheckCertificateRevocation(bool b) = 0; }; } |