Swiftdiff options
| author | Edwin Mons <edwin.mons@isode.com> | 2019-01-18 15:25:58 (GMT) |
|---|---|---|
| committer | Edwin Mons <edwin.mons@isode.com> | 2019-01-18 20:27:03 (GMT) |
| commit | 68dd665d51c925a118cfced4583942b7157b59de (patch) | |
| tree | fc4144d4a3284fdd68c34b8d3bf6c0d107998a6b /Swiften/TLS/OpenSSL/OpenSSLContext.cpp | |
| parent | 9b12c9751cf8fd1658dfd948c4d854b0e1407b0d (diff) | |
| download | swift-68dd665d51c925a118cfced4583942b7157b59de.zip swift-68dd665d51c925a118cfced4583942b7157b59de.tar.bz2 | |
Allow ownership transfer of certificates
OpenSSL TLS contexts assume ownership of any additional certificate
passed into it. The CertificateFactory now returns a vector of
unique_ptrs, and OpenSSLContext will do the needful with releasing
ownership at the right moment.
A unit test has been added that uses a chained certificate in
client/server context. Before the fix, this test would either fail, or
result in a segmentation fault, depending on the mood of OpenSSL.
Test-Information:
Unit tests pass on Debian 9
Ran manual tests with server test code, tested both chained and single
certificates, and no longer observed crashes when accepting a
connection.
Change-Id: I21814969e45c7d77e9a1af14f2c958c4c0311cd0
Diffstat (limited to 'Swiften/TLS/OpenSSL/OpenSSLContext.cpp')
| -rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 968ef8f..e9889bc 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp | |||
| @@ -338,14 +338,14 @@ void OpenSSLContext::sendPendingDataToApplication() { | |||
| 338 | } | 338 | } |
| 339 | } | 339 | } |
| 340 | 340 | ||
| 341 | bool OpenSSLContext::setCertificateChain(const std::vector<Certificate::ref>& certificateChain) { | 341 | bool OpenSSLContext::setCertificateChain(std::vector<std::unique_ptr<Certificate>>&& certificateChain) { |
| 342 | if (certificateChain.size() == 0) { | 342 | if (certificateChain.size() == 0) { |
| 343 | SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl; | 343 | SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl; |
| 344 | return false; | 344 | return false; |
| 345 | } | 345 | } |
| 346 | 346 | ||
| 347 | // load endpoint certificate | 347 | // load endpoint certificate |
| 348 | auto openSSLCert = std::dynamic_pointer_cast<OpenSSLCertificate>(certificateChain[0]); | 348 | auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificateChain[0].get()); |
| 349 | if (!openSSLCert) { | 349 | if (!openSSLCert) { |
| 350 | return false; | 350 | return false; |
| 351 | } | 351 | } |
| @@ -355,8 +355,8 @@ bool OpenSSLContext::setCertificateChain(const std::vector<Certificate::ref>& ce | |||
| 355 | } | 355 | } |
| 356 | 356 | ||
| 357 | if (certificateChain.size() > 1) { | 357 | if (certificateChain.size() > 1) { |
| 358 | for (auto certificate : range(certificateChain.begin() + 1, certificateChain.end())) { | 358 | for (auto certificate = certificateChain.begin() + 1; certificate != certificateChain.end(); ++certificate) { |
| 359 | auto openSSLCert = std::dynamic_pointer_cast<OpenSSLCertificate>(certificate); | 359 | auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate->get()); |
| 360 | if (!openSSLCert) { | 360 | if (!openSSLCert) { |
| 361 | return false; | 361 | return false; |
| 362 | } | 362 | } |
| @@ -364,6 +364,7 @@ bool OpenSSLContext::setCertificateChain(const std::vector<Certificate::ref>& ce | |||
| 364 | SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl; | 364 | SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl; |
| 365 | return false; | 365 | return false; |
| 366 | } | 366 | } |
| 367 | certificate->release(); | ||
| 367 | } | 368 | } |
| 368 | } | 369 | } |
| 369 | 370 | ||