Swiftdiff options
| author | Tobias Markmann <tm@ayena.de> | 2018-01-26 18:04:17 (GMT) |
|---|---|---|
| committer | Tobias Markmann <tm@ayena.de> | 2018-03-12 09:02:00 (GMT) |
| commit | ff600776577ce4e3bbf9aa66f5980bc9cf1042a0 (patch) | |
| tree | f4dcd3484d481d8a7b78bdbf29a3481f0e6b7e83 /Swiften/TLS/OpenSSL/OpenSSLContext.cpp | |
| parent | 3a540816280691e7ca3191867d3c73beba465674 (diff) | |
| download | swift-ff600776577ce4e3bbf9aa66f5980bc9cf1042a0.zip swift-ff600776577ce4e3bbf9aa66f5980bc9cf1042a0.tar.bz2 | |
Add getPeerFinishMessage() method and OpenSSL TLS backend
This method allows to calculate the TLS finish message of the
peer of a TLS connection. It can be used to provide SASL
channel binding for TLS servers.
Test-Information:
Added unit test that verifies the finish messages of a server
TLS context with the finish messages of a client TLS context.
Tests pass on macOS 10.13.3 with OpenSSL.
Change-Id: Ia5ba539e1fb6d1bef6b4436bb59c7384b57a69b0
Diffstat (limited to 'Swiften/TLS/OpenSSL/OpenSSLContext.cpp')
| -rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 47e7175..6c27e22 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp @@ -463,65 +463,73 @@ bool OpenSSLContext::setClientCertificate(CertificateWithKey::ref certificate) { SSL_CTX_add_extra_chain_cert(context_.get(), sk_X509_value(caCerts.get(), i)); } return true; } std::vector<Certificate::ref> OpenSSLContext::getPeerCertificateChain() const { std::vector<Certificate::ref> result; STACK_OF(X509)* chain = SSL_get_peer_cert_chain(handle_.get()); for (int i = 0; i < sk_X509_num(chain); ++i) { std::shared_ptr<X509> x509Cert(X509_dup(sk_X509_value(chain, i)), X509_free); Certificate::ref cert = std::make_shared<OpenSSLCertificate>(x509Cert); result.push_back(cert); } return result; } std::shared_ptr<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const { int verifyResult = SSL_get_verify_result(handle_.get()); if (verifyResult != X509_V_OK) { return std::make_shared<CertificateVerificationError>(getVerificationErrorTypeForResult(verifyResult)); } else { return std::shared_ptr<CertificateVerificationError>(); } } ByteArray OpenSSLContext::getFinishMessage() const { ByteArray data; data.resize(MAX_FINISHED_SIZE); - size_t size = SSL_get_finished(handle_.get(), vecptr(data), data.size()); + auto size = SSL_get_finished(handle_.get(), vecptr(data), data.size()); data.resize(size); return data; } +ByteArray OpenSSLContext::getPeerFinishMessage() const { + ByteArray data; + data.resize(MAX_FINISHED_SIZE); + auto size = SSL_get_peer_finished(handle_.get(), vecptr(data), data.size()); + data.resize(size); + return data; + } + CertificateVerificationError::Type OpenSSLContext::getVerificationErrorTypeForResult(int result) { assert(result != 0); switch (result) { case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: return CertificateVerificationError::NotYetValid; case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: return CertificateVerificationError::Expired; case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: return CertificateVerificationError::SelfSigned; case X509_V_ERR_CERT_UNTRUSTED: return CertificateVerificationError::Untrusted; case X509_V_ERR_CERT_REJECTED: return CertificateVerificationError::Rejected; case X509_V_ERR_INVALID_PURPOSE: return CertificateVerificationError::InvalidPurpose; case X509_V_ERR_PATH_LENGTH_EXCEEDED: return CertificateVerificationError::PathLengthExceeded; case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: case X509_V_ERR_CERT_SIGNATURE_FAILURE: case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: |