Diffstat (limited to 'Swiften/TLS/OpenSSL/OpenSSLContext.cpp')
| -rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 81 |
1 files changed, 43 insertions, 38 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 490a361..b7cf178 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp | |||
| @@ -121,52 +121,57 @@ OpenSSLContext::OpenSSLContext(const TLSOptions& options, Mode mode) : mode_(mod | |||
| 121 | 121 | ||
| 122 | // TODO: implement OCSP support | 122 | // TODO: implement OCSP support |
| 123 | // TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt | 123 | // TODO: handle OCSP stapling see https://www.rfc-editor.org/rfc/rfc4366.txt |
| 124 | // Load system certs | 124 | |
| 125 | // Default for ignoreSystemTrustAnchors is false, i.e. load System TAs by default, | ||
| 126 | // to preserve previous behaviour | ||
| 127 | if (!options.ignoreSystemTrustAnchors) { | ||
| 128 | // Load system certs | ||
| 125 | #if defined(SWIFTEN_PLATFORM_WINDOWS) | 129 | #if defined(SWIFTEN_PLATFORM_WINDOWS) |
| 126 | X509_STORE* store = SSL_CTX_get_cert_store(context_.get()); | 130 | X509_STORE* store = SSL_CTX_get_cert_store(context_.get()); |
| 127 | HCERTSTORE systemStore = CertOpenSystemStore(0, "ROOT"); | 131 | HCERTSTORE systemStore = CertOpenSystemStore(0, "ROOT"); |
| 128 | if (systemStore) { | 132 | if (systemStore) { |
| 129 | PCCERT_CONTEXT certContext = nullptr; | 133 | PCCERT_CONTEXT certContext = nullptr; |
| 130 | while (true) { | 134 | while (true) { |
| 131 | certContext = CertFindCertificateInStore(systemStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, certContext); | 135 | certContext = CertFindCertificateInStore(systemStore, X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0, CERT_FIND_ANY, nullptr, certContext); |
| 132 | if (!certContext) { | 136 | if (!certContext) { |
| 133 | break; | 137 | break; |
| 134 | } | 138 | } |
| 135 | OpenSSLCertificate cert(createByteArray(certContext->pbCertEncoded, certContext->cbCertEncoded)); | 139 | OpenSSLCertificate cert(createByteArray(certContext->pbCertEncoded, certContext->cbCertEncoded)); |
| 136 | if (store && cert.getInternalX509()) { | 140 | if (store && cert.getInternalX509()) { |
| 137 | X509_STORE_add_cert(store, cert.getInternalX509().get()); | 141 | X509_STORE_add_cert(store, cert.getInternalX509().get()); |
| 142 | } | ||
| 138 | } | 143 | } |
| 139 | } | 144 | } |
| 140 | } | ||
| 141 | #elif !defined(SWIFTEN_PLATFORM_MACOSX) | 145 | #elif !defined(SWIFTEN_PLATFORM_MACOSX) |
| 142 | SSL_CTX_set_default_verify_paths(context_.get()); | 146 | SSL_CTX_set_default_verify_paths(context_.get()); |
| 143 | #elif defined(SWIFTEN_PLATFORM_MACOSX) && !defined(SWIFTEN_PLATFORM_IPHONE) | 147 | #elif defined(SWIFTEN_PLATFORM_MACOSX) && !defined(SWIFTEN_PLATFORM_IPHONE) |
| 144 | // On Mac OS X 10.5 (OpenSSL < 0.9.8), OpenSSL does not automatically look in the system store. | 148 | // On Mac OS X 10.5 (OpenSSL < 0.9.8), OpenSSL does not automatically look in the system store. |
| 145 | // On Mac OS X 10.6 (OpenSSL >= 0.9.8), OpenSSL *does* look in the system store to determine trust. | 149 | // On Mac OS X 10.6 (OpenSSL >= 0.9.8), OpenSSL *does* look in the system store to determine trust. |
| 146 | // However, if there is a certificate error, it will always emit the "Invalid CA" error if we didn't add | 150 | // However, if there is a certificate error, it will always emit the "Invalid CA" error if we didn't add |
| 147 | // the certificates first. See | 151 | // the certificates first. See |
| 148 | // http://opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c | 152 | // http://opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c |
| 149 | // to understand why. We therefore add all certs from the system store ourselves. | 153 | // to understand why. We therefore add all certs from the system store ourselves. |
| 150 | X509_STORE* store = SSL_CTX_get_cert_store(context_.get()); | 154 | X509_STORE* store = SSL_CTX_get_cert_store(context_.get()); |
| 151 | CFArrayRef anchorCertificates; | 155 | CFArrayRef anchorCertificates; |
| 152 | if (SecTrustCopyAnchorCertificates(&anchorCertificates) == 0) { | 156 | if (SecTrustCopyAnchorCertificates(&anchorCertificates) == 0) { |
| 153 | for (int i = 0; i < CFArrayGetCount(anchorCertificates); ++i) { | 157 | for (int i = 0; i < CFArrayGetCount(anchorCertificates); ++i) { |
| 154 | SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(const_cast<void*>(CFArrayGetValueAtIndex(anchorCertificates, i))); | 158 | SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(const_cast<void*>(CFArrayGetValueAtIndex(anchorCertificates, i))); |
| 155 | CSSM_DATA certCSSMData; | 159 | CSSM_DATA certCSSMData; |
| 156 | if (SecCertificateGetData(cert, &certCSSMData) != 0 || certCSSMData.Length == 0) { | 160 | if (SecCertificateGetData(cert, &certCSSMData) != 0 || certCSSMData.Length == 0) { |
| 157 | continue; | 161 | continue; |
| 158 | } | 162 | } |
| 159 | std::vector<unsigned char> certData; | 163 | std::vector<unsigned char> certData; |
| 160 | certData.resize(certCSSMData.Length); | 164 | certData.resize(certCSSMData.Length); |
| 161 | memcpy(&certData[0], certCSSMData.Data, certCSSMData.Length); | 165 | memcpy(&certData[0], certCSSMData.Data, certCSSMData.Length); |
| 162 | OpenSSLCertificate certificate(certData); | 166 | OpenSSLCertificate certificate(certData); |
| 163 | if (store && certificate.getInternalX509()) { | 167 | if (store && certificate.getInternalX509()) { |
| 164 | X509_STORE_add_cert(store, certificate.getInternalX509().get()); | 168 | X509_STORE_add_cert(store, certificate.getInternalX509().get()); |
| 169 | } | ||
| 165 | } | 170 | } |
| 171 | CFRelease(anchorCertificates); | ||
| 166 | } | 172 | } |
| 167 | CFRelease(anchorCertificates); | ||
| 168 | } | ||
| 169 | #endif | 173 | #endif |
| 174 | } | ||
| 170 | configure(options); | 175 | configure(options); |
| 171 | } | 176 | } |
| 172 | 177 | ||
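Review bot: The Windows branch still never closes the handle opened by `CertOpenSystemStore(0, "ROOT")`, and since the block is being moved anyway this is the moment to fix it — add `CertCloseStore(systemStore, 0);` after the `while (true)` loop, inside the `if (systemStore)` body. The new comment above `if (!options.ignoreSystemTrustAnchors)` explains only the default; a context built with the option set starts with an empty X509_STORE, so I would extend it with `// With ignoreSystemTrustAnchors set the store starts empty: trust anchors must come from configure(options), otherwise no chain can validate` (configure() is not visible here, so whether that fails closed or merely skips verification should be confirmed). Both `X509_STORE_add_cert` calls also discard their return value; on OpenSSL 1.0.x a duplicate anchor returns 0 and leaves X509_R_CERT_ALREADY_IN_HASH_TABLE on the error queue, so either check the result or call `ERR_clear_error()` after each loop so the stale entry cannot be misread during a later handshake. The enclosing constructor begins before this hunk.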