From 856f970d14c5c32b80fc5ea359d4e567b51578a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Remko=20Tron=C3=A7on?= <git@el-tramo.be>
Date: Tue, 24 Apr 2012 20:50:22 +0200
Subject: Re-enable revocation check.

Added a method on TLSContextFactory to disable revocation checks if
wanted.

diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
index 516482d..6cd3c83 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp
@@ -6,6 +6,7 @@
 
 #include <Swiften/TLS/OpenSSL/OpenSSLContextFactory.h>
 #include <Swiften/TLS/OpenSSL/OpenSSLContext.h>
+#include <Swiften/Base/Log.h>
 
 namespace Swift {
 
@@ -17,4 +18,11 @@ TLSContext* OpenSSLContextFactory::createTLSContext() {
 	return new OpenSSLContext();
 }
 
+void OpenSSLContextFactory::setCheckCertificateRevocation(bool) {
+	assert(false);
+	SWIFT_LOG(warning) << "CRL Checking not supported for OpenSSL" << std::endl;
+}
+
+
+
 }
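Review bot: `assert(false)` on the first line of the new method aborts debug builds before the warning on the next line is ever logged, and it fires even when the caller passes the default (`true`), so code that configures the factory uniformly across backends crashes in debug and silently continues in release. Since the OpenSSL backend performs no revocation checking either way, the safer shape is to drop the assert and let the log line state the consequence, e.g. `SWIFT_LOG(warning) << "CRL checking not supported for OpenSSL; certificate revocation will not be checked" << std::endl;`, so a caller relying on the default is warned rather than crashed. If the assert is kept, its `<cassert>` include belongs in this .cpp rather than in the header (next hunk). `std::endl` is used without a visible `<ostream>` include; presumably Log.h (added in the first hunk) provides it, but that is not visible here.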
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
index 4e39cd6..43ab960 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h
@@ -8,10 +8,15 @@
 
 #include <Swiften/TLS/TLSContextFactory.h>
 
+#include <cassert>
+
 namespace Swift {
 	class OpenSSLContextFactory : public TLSContextFactory {
 		public:
 			bool canCreate() const;
 			virtual TLSContext* createTLSContext();
+
+			// Not supported
+			virtual void setCheckCertificateRevocation(bool b);
 	};
 }
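Review bot: `<cassert>` is added to this header although `assert` is only used in OpenSSLContextFactory.cpp, so every includer of the header pays for it and the header advertises a dependency it does not have; move the include to the .cpp. The `// Not supported` comment should also say what happens on a call, since this is the only documentation a user of the factory sees: `// Not supported: the OpenSSL backend performs no revocation checking; calling this asserts and logs a warning.`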
diff --git a/Swiften/TLS/Schannel/SchannelContext.cpp b/Swiften/TLS/Schannel/SchannelContext.cpp
index 279c36b..20cb7d3 100644
--- a/Swiften/TLS/Schannel/SchannelContext.cpp
+++ b/Swiften/TLS/Schannel/SchannelContext.cpp
@@ -21,7 +21,7 @@ namespace Swift {
 
 //------------------------------------------------------------------------
 
-SchannelContext::SchannelContext() : m_state(Start), m_secContext(0), m_my_cert_store(NULL), m_cert_store_name("MY"), m_cert_name(), m_smartcard_reader() {
+SchannelContext::SchannelContext() : m_state(Start), m_secContext(0), m_my_cert_store(NULL), m_cert_store_name("MY"), m_cert_name(), m_smartcard_reader(), checkCertificateRevocation(true) {
 	m_ctxtFlags = ISC_REQ_ALLOCATE_MEMORY |
 				ISC_REQ_CONFIDENTIALITY |
 				ISC_REQ_EXTENDED_ERROR |
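Review bot: The new member `checkCertificateRevocation` in the initializer list breaks the `m_` prefix every other member of SchannelContext uses (`m_state`, `m_secContext`, `m_my_cert_store`, `m_cert_store_name`, `m_cert_name`, `m_smartcard_reader`); naming it `m_checkCertificateRevocation` here and in its declaration (the last hunk of SchannelContext.h) keeps the class consistent. Placing it at the end of the list is correct, because member initialization follows declaration order and the declaration is last in the class.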
@@ -192,9 +192,10 @@ SECURITY_STATUS SchannelContext::validateServerCertificate() {
 	chainParams.RequestedUsage.Usage.cUsageIdentifier = ARRAYSIZE(usage);
 	chainParams.RequestedUsage.Usage.rgpszUsageIdentifier = const_cast<LPSTR*>(usage);
 
-	// NOTE: We've turned off revocation checking due to some certificate providers causing timeouts when attempting
-	// to talk to their revocation server, such as Starfield)
-	DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT /*| CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT*/;
+	DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT;
+	if (checkCertificateRevocation) {
+		chainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
+	}
 
 	ScopedCertChainContext pChainContext;
 
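Review bot: The removed comment (some providers' revocation servers time out) was the only record of why this check is configurable, and the new lines carry no comment on what disabling it means; keep a short one above the `if`, e.g. `// Online CRL/OCSP lookup; disable via setCheckCertificateRevocation() only where the revocation server is unreachable — a disabled check accepts revoked certificates.` Whether an unreachable revocation server now fails the handshake or is tolerated is decided by how the chain's trust status is evaluated later in validateServerCertificate, which continues outside the hunk; that path, and the timeout behaviour the old comment complained about, is worth re-checking now that the flag is on by default.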
@@ -647,4 +648,9 @@ ByteArray SchannelContext::getFinishMessage() const {
 
 //------------------------------------------------------------------------
 
+void SchannelContext::setCheckCertificateRevocation(bool b) {
+	checkCertificateRevocation = b;
+}
+
+
 }
diff --git a/Swiften/TLS/Schannel/SchannelContext.h b/Swiften/TLS/Schannel/SchannelContext.h
index 7c2601b..62c0da2 100644
--- a/Swiften/TLS/Schannel/SchannelContext.h
+++ b/Swiften/TLS/Schannel/SchannelContext.h
@@ -74,6 +74,8 @@ namespace Swift
 
 		void			handleCertificateCardRemoved();
 
+		virtual void setCheckCertificateRevocation(bool b);
+
 	private:
 		enum SchannelState
 		{
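Review bot: The new declaration has no comment, and the flag it sets is only read when validateServerCertificate builds the chain, so a reader of the header cannot tell when the call must happen; add a line such as `// Must be called before the handshake; the flag is read when the server certificate chain is validated.` The method is marked `virtual` although TLSContext is not changed by this patch to declare it, so unless the base already has it (not visible here) the keyword suggests an override that does not exist.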
@@ -101,5 +103,6 @@ namespace Swift
 ////Not needed, most likely
 		std::string		m_smartcard_reader;	//Can be empty string for non SmartCard certificates
 		boost::shared_ptr<CAPICertificate> userCertificate;
+		bool checkCertificateRevocation;
 	};
 }
diff --git a/Swiften/TLS/Schannel/SchannelContextFactory.cpp b/Swiften/TLS/Schannel/SchannelContextFactory.cpp
index 8ab7c6c..8b0044c 100644
--- a/Swiften/TLS/Schannel/SchannelContextFactory.cpp
+++ b/Swiften/TLS/Schannel/SchannelContextFactory.cpp
@@ -9,12 +9,22 @@
 
 namespace Swift {
 
+SchannelContextFactory::SchannelContextFactory() : checkCertificateRevocation(true) {
+}
+
 bool SchannelContextFactory::canCreate() const {
 	return true;
 }
 
 TLSContext* SchannelContextFactory::createTLSContext() {
-	return new SchannelContext();
+	SchannelContext* context = new SchannelContext();
+	context->setCheckCertificateRevocation(checkCertificateRevocation);
+	return context;
 }
 
+void SchannelContextFactory::setCheckCertificateRevocation(bool b) {
+	checkCertificateRevocation = b;
+}
+
+
 }
diff --git a/Swiften/TLS/Schannel/SchannelContextFactory.h b/Swiften/TLS/Schannel/SchannelContextFactory.h
index 43c39a9..9dc835c 100644
--- a/Swiften/TLS/Schannel/SchannelContextFactory.h
+++ b/Swiften/TLS/Schannel/SchannelContextFactory.h
@@ -11,7 +11,14 @@
 namespace Swift {
 	class SchannelContextFactory : public TLSContextFactory {
 		public:
+			SchannelContextFactory();
+
 			bool canCreate() const;
 			virtual TLSContext* createTLSContext();
+
+			virtual void setCheckCertificateRevocation(bool b);
+
+		public:
+			bool checkCertificateRevocation;
 	};
 }
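Review bot: `checkCertificateRevocation` is declared under a second `public:` label, so any caller can flip it directly and bypass `setCheckCertificateRevocation()`, and the repeated access specifier reads like a typo for `private:`. Change the second `public:` to `private:`; `createTLSContext()` and the setter are members and keep their access. A short comment on the member (`// Copied into each context created by createTLSContext(); defaults to true.`) would also make the capture-at-creation behaviour visible from the header.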
diff --git a/Swiften/TLS/TLSContextFactory.h b/Swiften/TLS/TLSContextFactory.h
index 849ca71..5f08925 100644
--- a/Swiften/TLS/TLSContextFactory.h
+++ b/Swiften/TLS/TLSContextFactory.h
@@ -16,5 +16,6 @@ namespace Swift {
 			virtual bool canCreate() const = 0;
 
 			virtual TLSContext* createTLSContext() = 0;
+			virtual void setCheckCertificateRevocation(bool b) = 0;
 	};
 }
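Review bot: The new pure virtual is the interface every backend must implement, yet it has no comment saying what the default is, when it takes effect, or that a backend may not support it; the OpenSSL implementation in this patch only asserts and logs. Suggest a comment above it stating that revocation (CRL) checking is enabled by default, that the value applies to contexts created after the call (SchannelContextFactory::createTLSContext copies it into each new context, so existing contexts are unaffected), that disabling it means revoked server certificates are accepted, and that backends unable to check revocation should document that. Without this, a caller cannot know that `setCheckCertificateRevocation(true)` is not honoured by every backend.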