Diffstat (limited to 'Swiften/TLS')
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.cpp15
-rw-r--r--Swiften/TLS/TLSOptions.h6
2 files changed, 21 insertions, 0 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index d9560de..6dd75d6 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -390,18 +390,33 @@ bool OpenSSLContext::configure(const TLSOptions &options)
updateOptionIfPresent(options.workaroundTLSBlockPadding, SSL_OP_TLS_BLOCK_PADDING_BUG);
updateOptionIfPresent(options.workaroundDontInsertEmptyFragments, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS);
updateOptionIfPresent(options.workaroundAll, SSL_OP_ALL);
updateOptionIfPresent(options.suppressSSLv2, SSL_OP_NO_SSLv2);
updateOptionIfPresent(options.suppressSSLv3, SSL_OP_NO_SSLv3);
updateOptionIfPresent(options.suppressTLSv1, SSL_OP_NO_TLSv1);
updateOptionIfPresent(options.disableTLSRollBackBug, SSL_OP_TLS_ROLLBACK_BUG);
updateOptionIfPresent(options.singleDHUse, SSL_OP_SINGLE_DH_USE);
+ if (options.trustAnchors) {
+ // Add any additional Trust Anchors which are present in the TLSOptions
+ X509_STORE* store = SSL_CTX_get_cert_store(context_.get());
+
+ if (store) {
+ for (auto& certificate : *options.trustAnchors) {
+ auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate.get());
+ if (openSSLCert && openSSLCert->getInternalX509()) {
+ X509_STORE_add_cert(store, openSSLCert->getInternalX509().get());
+ // Don't need to increment reference count as X509_STORE_add_cert does thiS
+ }
+ }
+ }
+ }
+
return true;
}
void OpenSSLContext::accept() {
assert(mode_ == Mode::Server);
handle_ = std::unique_ptr<SSL>(SSL_new(context_.get()));
if (!handle_) {
state_ = State::Error;
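Review bot: The return value of `X509_STORE_add_cert` inside the `openSSLCert` check is discarded, so a trust anchor that could not be added is silently dropped while `configure` still reports success at `return true`; OpenSSL returns 0 on failure and leaves an entry on its error queue, which any later code in this class that inspects the queue may misattribute. Check the result and fail the configuration instead: `if (X509_STORE_add_cert(store, openSSLCert->getInternalX509().get()) != 1) { return false; }`. Note that older OpenSSL releases also return 0 when the certificate is already present in the store, so if duplicates can occur in `trustAnchors` the caller should de-duplicate first or that specific case should be treated as benign rather than as a failure. Certificates that are not `OpenSSLCertificate` instances are skipped with no diagnostic, which the comment should make explicit, e.g. `// Only OpenSSL-backed certificates can be added to the store; other Certificate implementations are ignored here.`, and the existing comment's `thiS` should read `this`. `configure` begins before this hunk.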
diff --git a/Swiften/TLS/TLSOptions.h b/Swiften/TLS/TLSOptions.h
index 56648a3..4109096 100644
--- a/Swiften/TLS/TLSOptions.h
+++ b/Swiften/TLS/TLSOptions.h
@@ -2,18 +2,19 @@
* Copyright (c) 2015 Isode Limited.
* All rights reserved.
* See the COPYING file for more information.
*/
#pragma once
namespace Swift {
class TLSContext;
+ class Certificate;
class TLSOptions {
public:
TLSOptions() : schannelTLS1_0Workaround(false) {
}
/**
* A bug in the Windows SChannel TLS stack, combined with
@@ -56,11 +57,16 @@ namespace Swift {
Optional
};
boost::optional<VerifyMode> verifyMode;
/**
* Callback for certificate verification
*/
boost::optional<std::function<int(const TLSContext *)>> verifyCertificateCallback;
+
+ /**
+ * Allows specification of application-specific Trust Anchors
+ */
+ boost::optional<std::vector<std::shared_ptr<Certificate>>> trustAnchors;
};
}
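Review bot: The new `trustAnchors` member uses `std::vector` and `std::shared_ptr`, but the hunk adds no `#include <vector>` or `#include <memory>`; whether the header already includes them is not visible here, and if it does not, the member compiles only through transitive includes and the header should include them directly. The doc comment should also state the contract the OpenSSL backend implements, since callers cannot otherwise tell whether these replace or supplement the default store: `* Additional trust anchors, consulted alongside the context's default certificate store.` followed by `* Backends skip any Certificate implementation they cannot represent natively.`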