Add support for use of shared certificate chain when setting up TLS context

Actual implementation is in OpenSSL subclass. This allows a permanent vector of shared certificates to be used when creating multiple OpenSSL contexts. This replaces the existing use of a vector of unique pointers to certificates which handed over responsibility for the underlying OpenSSL certs to the OpenSSL context. To enable this to work, a new method is added to the OpenSSLCertificate class which enables the reference count on the the contained OpenSSL certificate to be incremented - this stops the OpenSSL certificate being deleted when the OpenSSL context is freed. Use of conditional compilation was necessary to get the reference counting to build with the different versions of OpenSSL in use. Modify the method in OpenSSLCertificateFactory (and stub in CertificateFactory) which generates a vector of certificates, so that it generates a vector of shared_ptrs rather than unique_ptrs. Add test of CreateCertificateChain to Swiften CertificateTest class, together with sample certificate file in PEM form. JIRA: LINK-1763 Bug: Release-notes: Manual: Test-information: Tested via development version of Mystique - created multiple TLS sessions using single certificate chain. Swift unit tests now build and run again. New Swiften TLS unit test builds and runs. Change-Id: I7fa4888b640c94b68712a6bff1f7aa334a358df2
author: Tim Costen <tim.costen@isode.com> 2019-09-06 10:32:12 (GMT)
committer: Tim Costen <tim.costen@isode.com> 2019-09-19 15:27:01 (GMT)
commit: e58cf7d5d7d3bab330bccf6a098dd476fbf4dc86 (patch)
tree: f3632c379e2d92022bdb8af5d980b44883cc2360 /Swiften/TLS/OpenSSL/OpenSSLContext.cpp
parent: 8051f94932b6932a2e3eb60a26c758fbfed6d6ad (diff)
download: swift-e58cf7d5d7d3bab330bccf6a098dd476fbf4dc86.zip
swift-e58cf7d5d7d3bab330bccf6a098dd476fbf4dc86.tar.bz2
1 files changed, 7 insertions, 2 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 5c80976..32d6470 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -567,7 +567,7 @@ void OpenSSLContext::sendPendingDataToApplication() {
    }
 }
-bool OpenSSLContext::setCertificateChain(std::vector<std::unique_ptr<Certificate>>&& certificateChain) {
+bool OpenSSLContext::setCertificateChain(const std::vector<std::shared_ptr<Certificate>>& certificateChain) {
    if (certificateChain.size() == 0) {
        SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl;
        return false;
@@ -583,17 +583,22 @@ bool OpenSSLContext::setCertificateChain(std::vector<std::unique_ptr<Certificate
        return false;
    }
+    // Increment reference count on certificate so that it does not get freed when the SSL context is destroyed
+    openSSLCert->incrementReferenceCount();
    if (certificateChain.size() > 1) {
        for (auto certificate = certificateChain.begin() + 1; certificate != certificateChain.end(); ++certificate) {
            auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate->get());
            if (!openSSLCert) {
                return false;
            }
            if (SSL_CTX_add_extra_chain_cert(context_.get(), openSSLCert->getInternalX509().get()) != 1) {
                SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl;
                return false;
            }
-            certificate->release();
+            openSSLCert->incrementReferenceCount();
        }
    }
author	Tim Costen <tim.costen@isode.com>	2019-09-06 10:32:12 (GMT)
committer	Tim Costen <tim.costen@isode.com>	2019-09-19 15:27:01 (GMT)
commit	e58cf7d5d7d3bab330bccf6a098dd476fbf4dc86 (patch)
tree	f3632c379e2d92022bdb8af5d980b44883cc2360 /Swiften/TLS/OpenSSL/OpenSSLContext.cpp
parent	8051f94932b6932a2e3eb60a26c758fbfed6d6ad (diff)
download	swift-e58cf7d5d7d3bab330bccf6a098dd476fbf4dc86.zip swift-e58cf7d5d7d3bab330bccf6a098dd476fbf4dc86.tar.bz2

diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 5c80976..32d6470 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -567,7 +567,7 @@ void OpenSSLContext::sendPendingDataToApplication() {
567	}	567	}
568	}	568	}
569		569
570	bool OpenSSLContext::setCertificateChain(std::vector<std::unique_ptr<Certificate>>&& certificateChain) {	570	bool OpenSSLContext::setCertificateChain(const std::vector<std::shared_ptr<Certificate>>& certificateChain) {
571	if (certificateChain.size() == 0) {	571	if (certificateChain.size() == 0) {
572	SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl;	572	SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl;
573	return false;	573	return false;
@@ -583,17 +583,22 @@ bool OpenSSLContext::setCertificateChain(std::vector<std::unique_ptr<Certificate
583	return false;	583	return false;
584	}	584	}
585		585
		586	// Increment reference count on certificate so that it does not get freed when the SSL context is destroyed
		587	openSSLCert->incrementReferenceCount();
		588
586	if (certificateChain.size() > 1) {	589	if (certificateChain.size() > 1) {
587	for (auto certificate = certificateChain.begin() + 1; certificate != certificateChain.end(); ++certificate) {	590	for (auto certificate = certificateChain.begin() + 1; certificate != certificateChain.end(); ++certificate) {
588	auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate->get());	591	auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate->get());
589	if (!openSSLCert) {	592	if (!openSSLCert) {
590	return false;	593	return false;
591	}	594	}
		595
592	if (SSL_CTX_add_extra_chain_cert(context_.get(), openSSLCert->getInternalX509().get()) != 1) {	596	if (SSL_CTX_add_extra_chain_cert(context_.get(), openSSLCert->getInternalX509().get()) != 1) {
593	SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl;	597	SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl;
594	return false;	598	return false;
595	}	599	}
596	certificate->release();	600
		601	openSSLCert->incrementReferenceCount();
597	}	602	}
598	}	603	}
599		604