Swiftdiff options
| author | Tim Costen <tim.costen@isode.com> | 2019-10-04 14:51:06 (GMT) |
|---|---|---|
| committer | Kevin Smith <kevin.smith@isode.com> | 2019-10-07 09:30:04 (GMT) |
| commit | 2239cdae45b39e675877ae32c86c47bcadce3090 (patch) | |
| tree | 5ee18af14ee9e9ee6f8616d352b4e808cfd95e4b | |
| parent | 2ad1938c50f9fe57fe3dd98eb9f4bb711ac52acd (diff) | |
| download | swift-2239cdae45b39e675877ae32c86c47bcadce3090.zip swift-2239cdae45b39e675877ae32c86c47bcadce3090.tar.bz2 | |
Add ability to set external Trust Anchors to Swift OpenSSL context
Add a new (optional) field to TLSContext, which allows a vector
of Trust Anchor certificates to be specified.
Inside OpenSSLContext::configure, pass the X509 components of
these certificates into the OpenSSL context: these are now
available for client certificate verification in any callback
method set via TLSOptions.verifyCertificateCallback.
JIRA: LINK-1765
Test-information:
Tested via MLink unit tests. No leaks reported.
Change-Id: Ie9cc2051ee212249a12a4bc71b62306b5bce3013
| -rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 15 | ||||
| -rw-r--r-- | Swiften/TLS/TLSOptions.h | 6 |
2 files changed, 21 insertions, 0 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index d9560de..6dd75d6 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp | |||
| @@ -396,6 +396,21 @@ bool OpenSSLContext::configure(const TLSOptions &options) | |||
| 396 | updateOptionIfPresent(options.disableTLSRollBackBug, SSL_OP_TLS_ROLLBACK_BUG); | 396 | updateOptionIfPresent(options.disableTLSRollBackBug, SSL_OP_TLS_ROLLBACK_BUG); |
| 397 | updateOptionIfPresent(options.singleDHUse, SSL_OP_SINGLE_DH_USE); | 397 | updateOptionIfPresent(options.singleDHUse, SSL_OP_SINGLE_DH_USE); |
| 398 | 398 | ||
| 399 | if (options.trustAnchors) { | ||
| 400 | // Add any additional Trust Anchors which are present in the TLSOptions | ||
| 401 | X509_STORE* store = SSL_CTX_get_cert_store(context_.get()); | ||
| 402 | |||
| 403 | if (store) { | ||
| 404 | for (auto& certificate : *options.trustAnchors) { | ||
| 405 | auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate.get()); | ||
| 406 | if (openSSLCert && openSSLCert->getInternalX509()) { | ||
| 407 | X509_STORE_add_cert(store, openSSLCert->getInternalX509().get()); | ||
| 408 | // Don't need to increment reference count as X509_STORE_add_cert does thiS | ||
| 409 | } | ||
| 410 | } | ||
| 411 | } | ||
| 412 | } | ||
| 413 | |||
| 399 | return true; | 414 | return true; |
| 400 | } | 415 | } |
| 401 | 416 | ||
diff --git a/Swiften/TLS/TLSOptions.h b/Swiften/TLS/TLSOptions.h index 56648a3..4109096 100644 --- a/Swiften/TLS/TLSOptions.h +++ b/Swiften/TLS/TLSOptions.h | |||
| @@ -8,6 +8,7 @@ | |||
| 8 | 8 | ||
| 9 | namespace Swift { | 9 | namespace Swift { |
| 10 | class TLSContext; | 10 | class TLSContext; |
| 11 | class Certificate; | ||
| 11 | 12 | ||
| 12 | class TLSOptions { | 13 | class TLSOptions { |
| 13 | public: | 14 | public: |
| @@ -62,5 +63,10 @@ namespace Swift { | |||
| 62 | */ | 63 | */ |
| 63 | 64 | ||
| 64 | boost::optional<std::function<int(const TLSContext *)>> verifyCertificateCallback; | 65 | boost::optional<std::function<int(const TLSContext *)>> verifyCertificateCallback; |
| 66 | |||
| 67 | /** | ||
| 68 | * Allows specification of application-specific Trust Anchors | ||
| 69 | */ | ||
| 70 | boost::optional<std::vector<std::shared_ptr<Certificate>>> trustAnchors; | ||
| 65 | }; | 71 | }; |
| 66 | } | 72 | } |