authorTim Costen <tim.costen@isode.com>2019-08-01 11:05:53 (GMT)
committerTim Costen <timcosten64@gmail.com>2019-09-03 10:14:51 (GMT)
commit415870c04a7e6cabf13e6acf3a94bb0f68732907 (patch)
treec1d2a509cdfa341efbc9e1d575ad3bb2383100c0 /Swiften/TLS/OpenSSL/OpenSSLContext.h
parentc62b7b6ce35a77d0a8236ef48155187fe5c30d12 (diff)
downloadswift-415870c04a7e6cabf13e6acf3a94bb0f68732907.zip
swift-415870c04a7e6cabf13e6acf3a94bb0f68732907.tar.bz2
Add enhanced OpenSSL configuration
Adds TLSOptions to the OpenSSLContext, which invokes a new private 'configure' method which allows various OpenSSL options to be set. Also add standard verification callbacks and external (via a std::function field in TLSOptions) to allow the user to specify their own method which will perform client certificate checking when a new TLS connection is accepted. Only set up the internal verifyCertCallback if the user-supplied hook is set. All callback hooks are set up in the 'configure' method, and only then if TLSOptions.verifyMode is present (i.e. not defaulted to boost::none), to preserve compatibility for users of this class (e.g. Swift) which want to use OpenSSL's own internal validation functions rather than setting the callbacks. Test-information: Used new code under development in M-Link when setting up a TLSContext, setting verify-mode=require, and set up verifyCertCallback with a local method. Making a client TLS connection which includes a client certificate results in the local verify callback being invoked. Change-Id: Idbb7279e1711fca8123f430bfca0dcfb65bc8da6
Diffstat (limited to 'Swiften/TLS/OpenSSL/OpenSSLContext.h')
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.h11
1 files changed, 9 insertions, 2 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h
index c18a6f4..885b1fe 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h
@@ -16,6 +16,7 @@
#include <Swiften/Base/ByteArray.h>
#include <Swiften/TLS/CertificateWithKey.h>
#include <Swiften/TLS/TLSContext.h>
+#include <Swiften/TLS/TLSOptions.h>
namespace std {
template<>
@@ -38,7 +39,7 @@ namespace std {
namespace Swift {
class OpenSSLContext : public TLSContext, boost::noncopyable {
public:
- OpenSSLContext(Mode mode);
+ OpenSSLContext(const TLSOptions& options, Mode mode);
virtual ~OpenSSLContext() override final;
void accept() override final;
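Review bot: The new `OpenSSLContext(const TLSOptions& options, Mode mode)` constructor cannot return the result of the private `bool configure(const TLSOptions& options)` declared later in this header, so that result must not be dropped. If an option such as the verify mode cannot be applied and construction carries on anyway, the context would run with weaker peer verification than the caller requested. The constructor body is not part of this diff; if it ignores the return value it should fail closed, for example by throwing or by leaving the context in a state where `accept()` refuses to start a handshake. A one-line comment on the constructor stating what happens when configuration fails would help callers.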
@@ -60,7 +61,11 @@ namespace Swift {
virtual ByteArray getFinishMessage() const override final;
virtual ByteArray getPeerFinishMessage() const override final;
+ void setX509StoreContext(X509_STORE_CTX *ptr) { x509_store_ctx = ptr; }
+ std::function<int (const TLSContext *)> getVerifyCertCallback() { return verifyCertCallback; }
+
private:
+ bool configure(const TLSOptions& options);
static void ensureLibraryInitialized();
static int handleServerNameCallback(SSL *ssl, int *ad, void *arg);
static CertificateVerificationError::Type getVerificationErrorTypeForResult(int);
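Review bot: `setX509StoreContext` stores a raw `X509_STORE_CTX*` in the object, but that structure is owned by OpenSSL and is normally valid only while the verify callback that received it is running. Any read of the member after that callback returns would be a use of a dangling pointer, so the implementation (not shown in this hunk) should reset it to `nullptr` before the callback returns. Both new accessors are public although they look like plumbing for the static callback; consider making them private, or at least documenting the setter with `// Valid only while OpenSSL's verify callback is running; reset to nullptr afterwards.` `getVerifyCertCallback()` does not modify the object and can be declared `const`.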
@@ -81,5 +86,7 @@ namespace Swift {
BIO* readBIO_ = nullptr;
BIO* writeBIO_ = nullptr;
bool abortTLSHandshake_ = false;
- };
+ X509_STORE_CTX *x509_store_ctx = nullptr;
+ std::function<int (const TLSContext *)> verifyCertCallback = nullptr;
+ };
}
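Review bot: The two new members drop the trailing-underscore naming used by the fields directly above them (`readBIO_`, `writeBIO_`, `abortTLSHandshake_`); `x509StoreContext_` and `verifyCertCallback_` would match. The `int` returned by the callback is undocumented, and for a certificate check the meaning of each value is security-relevant: if it follows OpenSSL's verify-callback convention, 1 accepts and 0 rejects, and an integrator who assumes the usual "0 means success" would invert the decision. A comment on the member such as `// Returns 1 to accept the peer certificate, 0 to reject it.` (to be confirmed against the implementation) would make the contract explicit. If `<functional>` is not already included above the first hunk, this header should include it for `std::function`.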