Swiftdiff options
| author | Tim Costen <tim.costen@isode.com> | 2019-10-16 15:23:48 (GMT) |
|---|---|---|
| committer | Tim Costen <timcosten64@gmail.com> | 2019-10-18 13:58:43 (GMT) |
| commit | 8e0a9cd6a608ee2bf83b52c9eb9ac556bf10293f (patch) | |
| tree | be534baf4c71d58c08244bdd5de296f5c3570445 | |
| parent | 7de9a3489c3e2ddc4c0ab78f43649c5d6be20aca (diff) | |
| download | swift-8e0a9cd6a608ee2bf83b52c9eb9ac556bf10293f.zip swift-8e0a9cd6a608ee2bf83b52c9eb9ac556bf10293f.tar.bz2 | |
Extend getPeerCertificateChain
Extend getPeerCertificateChain so that it uses the correct SSL
methods for Server and Client mode contexts, i.e.
SSL_get_peer_certificate as well as get_peer_cert_chain
when this is a server-mode context.
Tidy up error message logged on certificate verification
failure.
Always return "1" from verifyCallback; check result
of certificate verification by a call to
getPeerCertificateVerificationError() once the
TLS session is established.
JIRA: LINK-1814
Bug:
Release-notes:
Manual:
Change-Id: Ica1d90998187ec5ce2584d48bd6fbfb8f9a667c9
Test-information:
| -rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 28 |
1 files changed, 26 insertions, 2 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 6dd75d6..490a361 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp | |||
| @@ -281,14 +281,18 @@ static int verifyCallback(int preverifyOk, X509_STORE_CTX* ctx) | |||
| 281 | X509_NAME* issuerName = X509_get_issuer_name(errCert); | 281 | X509_NAME* issuerName = X509_get_issuer_name(errCert); |
| 282 | issuerString = X509_NAME_to_text(issuerName); | 282 | issuerString = X509_NAME_to_text(issuerName); |
| 283 | } | 283 | } |
| 284 | SWIFT_LOG(error) << "verifyCallback: verification error" << | 284 | SWIFT_LOG(error) << "verifyCallback: verification error " << |
| 285 | X509_verify_cert_error_string(err) << " depth: " << | 285 | X509_verify_cert_error_string(err) << " depth: " << |
| 286 | depth << " issuer: " << ((issuerString.length() > 0) ? issuerString : "<unknown>") << std::endl; | 286 | depth << " issuer: " << ((issuerString.length() > 0) ? issuerString : "<unknown>") << std::endl; |
| 287 | } else { | 287 | } else { |
| 288 | SWIFT_LOG(info) << "verifyCallback: SSL depth: " << depth << " Subject: " << | 288 | SWIFT_LOG(info) << "verifyCallback: SSL depth: " << depth << " Subject: " << |
| 289 | ((subjectString.length() > 0) ? subjectString : "<>") << std::endl; | 289 | ((subjectString.length() > 0) ? subjectString : "<>") << std::endl; |
| 290 | } | 290 | } |
| 291 | return preverifyOk; | 291 | // Always return "OK", as check on verification status |
| 292 | // will be performed once TLS handshake has completed, | ||
| 293 | // by calling OpenSSLContext::getVerificationErrorTypeForResult() to | ||
| 294 | // get the value set via X509_STORE_CTX_set_error() above. | ||
| 295 | return 1; | ||
| 292 | } | 296 | } |
| 293 | 297 | ||
| 294 | bool OpenSSLContext::configure(const TLSOptions &options) | 298 | bool OpenSSLContext::configure(const TLSOptions &options) |
| @@ -746,13 +750,33 @@ bool OpenSSLContext::setDiffieHellmanParameters(const ByteArray& parametersInOpe | |||
| 746 | 750 | ||
| 747 | std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const { | 751 | std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const { |
| 748 | std::vector<Certificate::ref> result; | 752 | std::vector<Certificate::ref> result; |
| 753 | |||
| 754 | // When this context is a server, the peer (client) certificate | ||
| 755 | // is obtained via SSL_get_peer_certificate, and any other | ||
| 756 | // certificates set by the peer are available via SSL_get_peer_cert_chain. | ||
| 757 | // When this context is a client, all of the server's certificates are | ||
| 758 | // obtained using SSL_get_peer_cert_chain | ||
| 759 | if (mode_ == Mode::Server) { | ||
| 760 | auto cert = SSL_get_peer_certificate(handle_.get()); | ||
| 761 | if (cert) { | ||
| 762 | // Do not need to copy the returned cert as SSL_get_peer_certificate | ||
| 763 | // increments the reference count on the certificate | ||
| 764 | std::shared_ptr<X509> x509Cert(cert, X509_free); | ||
| 765 | Certificate::ref cert = std::make_shared<OpenSSLCertificate>(x509Cert); | ||
| 766 | result.push_back(cert); | ||
| 767 | } | ||
| 768 | } | ||
| 769 | |||
| 749 | STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_.get()); | 770 | STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_.get()); |
| 750 | for (int i = 0; i < sk_X509_num(chain); ++i) { | 771 | for (int i = 0; i < sk_X509_num(chain); ++i) { |
| 772 | // Here we do need to copy the returned cert, since SSL_get_peer_cert_chain | ||
| 773 | // does not increment the reference count on each certificate | ||
| 751 | std::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free); | 774 | std::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free); |
| 752 | 775 | ||
| 753 | Certificate::ref cert = std::make_shared<OpenSSLCertificate>(x509Cert); | 776 | Certificate::ref cert = std::make_shared<OpenSSLCertificate>(x509Cert); |
| 754 | result.push_back(cert); | 777 | result.push_back(cert); |
| 755 | } | 778 | } |
| 779 | |||
| 756 | return result; | 780 | return result; |
| 757 | } | 781 | } |
| 758 | 782 | ||