Diffstat (limited to 'Swiften/TLS/OpenSSL/OpenSSLContext.cpp')
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.cpp81
1 files changed, 43 insertions, 38 deletions
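--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -121,52 +121,57 @@ OpenSSLContext::OpenSSLContext(const TLSOptions& options, Mode mode) : mode_(mod
 
 // TODO: implement OCSP support
 // TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt
-// Load system certs
+
+// Default for ignoreSystemTrustAnchors is false, i.e. load System TAs by default,
+// to preserve previous behaviour
+if (!options.ignoreSystemTrustAnchors) {
+// Load system certs
 #if defined(SWIFTEN_PLATFORM_WINDOWS)
 X509_STORE* store = SSL_CTX_get_cert_store(context_.get());
 HCERTSTORE systemStore = CertOpenSystemStore(0, "ROOT");
 if (systemStore) {
 PCCERT_CONTEXT certContext = nullptr;
 while (true) {
 certContext = CertFindCertificateInStore(systemStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, certContext);
 if (!certContext) {
 break;
 }
 OpenSSLCertificate cert(createByteArray(certContext->pbCertEncoded, certContext->cbCertEncoded));
 if (store && cert.getInternalX509()) {
 X509_STORE_add_cert(store, cert.getInternalX509().get());
+}
 }
 }
-}
 #elif !defined(SWIFTEN_PLATFORM_MACOSX)
 SSL_CTX_set_default_verify_paths(context_.get());
 #elif defined(SWIFTEN_PLATFORM_MACOSX) && !defined(SWIFTEN_PLATFORM_IPHONE)
 // On Mac OS X 10.5 (OpenSSL < 0.9.8), OpenSSL does not automatically look in the system store.
 // On Mac OS X 10.6 (OpenSSL >= 0.9.8), OpenSSL *does* look in the system store to determine trust.
 // However, if there is a certificate error, it will always emit the "Invalid CA" error if we didn't add
 // the certificates first. See
 // http://opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c
 // to understand why. We therefore add all certs from the system store ourselves.
 X509_STORE* store = SSL_CTX_get_cert_store(context_.get());
 CFArrayRef anchorCertificates;
 if (SecTrustCopyAnchorCertificates(&anchorCertificates) == 0) {
 for (int i = 0; i < CFArrayGetCount(anchorCertificates); ++i) {
 SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(const_cast<void*>(CFArrayGetValueAtIndex(anchorCertificates, i)));
 CSSM_DATA certCSSMData;
 if (SecCertificateGetData(cert, &certCSSMData) != 0 || certCSSMData.Length == 0) {
 continue;
 }
 std::vector<unsigned char> certData;
 certData.resize(certCSSMData.Length);
 memcpy(&certData[0], certCSSMData.Data, certCSSMData.Length);
 OpenSSLCertificate certificate(certData);
 if (store && certificate.getInternalX509()) {
 X509_STORE_add_cert(store, certificate.getInternalX509().get());
+}
 }
+CFRelease(anchorCertificates);
 }
-CFRelease(anchorCertificates);
-}
 #endif
+}
 configure(options);
 }
 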
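Review bot: The Windows branch now wrapped by `if (!options.ignoreSystemTrustAnchors)` opens `systemStore` with `CertOpenSystemStore(0, "ROOT")` but never closes it, so each OpenSSLContext construction leaks a certificate-store handle; add `CertCloseStore(systemStore, 0);` after the `while (true)` loop, still inside the `if (systemStore)` body. On both the Windows and macOS paths the `X509_STORE_add_cert` return value is discarded, so an anchor that OpenSSL refuses to add (including, on older OpenSSL versions that reportedly treat a duplicate as an error) is skipped without any log — presumably intended as best-effort, but a one-line comment stating that would save the next reader a check. The new comment could also state the consequence of the option: when `ignoreSystemTrustAnchors` is true the context begins with no trust anchors at all and relies entirely on whatever `configure(options)` installs, e.g. `// When true, only anchors supplied via configure(options) are trusted.` The enclosing constructor `OpenSSLContext::OpenSSLContext` starts before this hunk.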