From 501a4a43c9a95b3611bf91b8693fffc8814954b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Remko=20Tron=C3=A7on?= Date: Sat, 5 May 2012 18:08:55 +0200 Subject: Re-enable revocation check. diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp index 516482d..6cd3c83 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.cpp @@ -6,6 +6,7 @@ #include #include +#include namespace Swift { @@ -17,4 +18,11 @@ TLSContext* OpenSSLContextFactory::createTLSContext() { return new OpenSSLContext(); } +void OpenSSLContextFactory::setCheckCertificateRevocation(bool) { + assert(false); + SWIFT_LOG(warning) << "CRL Checking not supported for OpenSSL" << std::endl; +} + + + } diff --git a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h index 4e39cd6..43ab960 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h +++ b/Swiften/TLS/OpenSSL/OpenSSLContextFactory.h @@ -8,10 +8,15 @@ #include +#include + namespace Swift { class OpenSSLContextFactory : public TLSContextFactory { public: bool canCreate() const; virtual TLSContext* createTLSContext(); + + // Not supported + virtual void setCheckCertificateRevocation(bool b); }; } diff --git a/Swiften/TLS/Schannel/SchannelContext.cpp b/Swiften/TLS/Schannel/SchannelContext.cpp index 2f2f2ae..641568d 100644 --- a/Swiften/TLS/Schannel/SchannelContext.cpp +++ b/Swiften/TLS/Schannel/SchannelContext.cpp 
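Review bot: `assert(false)` in OpenSSLContextFactory::setCheckCertificateRevocation makes the behaviour depend on the build type: in a release (NDEBUG) build the assert is compiled out, the method only logs, and a caller that asked for revocation checking continues with contexts that never check revocation; in a debug build it aborts even when called with `false`, which is the harmless case. Since the parameter is unnamed the warning also fires when checking is being switched off. I would drop the assert, name the parameter and warn only when checking is requested: `void OpenSSLContextFactory::setCheckCertificateRevocation(bool b) {` / `\tif (b) { SWIFT_LOG(warning) << "CRL Checking not supported for OpenSSL" << std::endl; }` / `}`. Whether a request that cannot be honoured should instead be surfaced to the caller (so the connection code can fail closed) is a design decision the commit should state explicitly.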
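Review bot: The `// Not supported` comment on setCheckCertificateRevocation in OpenSSLContextFactory.h does not say what happens when the method is called, which is what a caller of the TLSContextFactory interface needs to know before relying on the flag. I would replace it with `// Revocation checking is not implemented for the OpenSSL backend: enabling it only logs a warning, and contexts created by this factory never check revocation.` so the security consequence is visible at the declaration rather than only in the .cpp.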
@@ -21,7 +21,7 @@ namespace Swift { //------------------------------------------------------------------------ -SchannelContext::SchannelContext() : m_state(Start), m_secContext(0), m_my_cert_store(NULL), m_cert_store_name("MY"), m_cert_name(), m_smartcard_reader() { +SchannelContext::SchannelContext() : m_state(Start), m_secContext(0), m_my_cert_store(NULL), m_cert_store_name("MY"), m_cert_name(), m_smartcard_reader(), checkCertificateRevocation(true) { m_ctxtFlags = ISC_REQ_ALLOCATE_MEMORY | ISC_REQ_CONFIDENTIALITY | ISC_REQ_EXTENDED_ERROR | @@ -192,9 +192,10 @@ SECURITY_STATUS SchannelContext::validateServerCertificate() { chainParams.RequestedUsage.Usage.cUsageIdentifier = ARRAYSIZE(usage); chainParams.RequestedUsage.Usage.rgpszUsageIdentifier = const_cast(usage); - // NOTE: We've turned off revocation checking due to some certificate providers causing timeouts when attempting - // to talk to their revocation server, such as Starfield) - DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT /*| CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT*/; + DWORD chainFlags = CERT_CHAIN_CACHE_END_CERT; + if (checkCertificateRevocation) { + chainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT; + } ScopedCertChainContext pChainContext; @@ -649,4 +650,9 @@ ByteArray SchannelContext::getFinishMessage() const { //------------------------------------------------------------------------ +void SchannelContext::setCheckCertificateRevocation(bool b) { + checkCertificateRevocation = b; +} + + } diff --git a/Swiften/TLS/Schannel/SchannelContext.h b/Swiften/TLS/Schannel/SchannelContext.h index 58e6551..887c7de 100644 --- a/Swiften/TLS/Schannel/SchannelContext.h +++ b/Swiften/TLS/Schannel/SchannelContext.h @@ -76,6 +76,8 @@ namespace Swift void handleCertificateCardRemoved(); + virtual void setCheckCertificateRevocation(bool b); + private: enum SchannelState { 
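Review bot: In the validateServerCertificate hunk the removed NOTE recorded that revocation checking was disabled because some providers' revocation servers time out, and the new code re-enables the check without bounding that retrieval, so the same handshake stalls can return. Assuming `chainParams` is sized to include the extended CERT_CHAIN_PARA fields, I would set `chainParams.dwUrlRetrievalTimeout = <REVOCATION_TIMEOUT_MS>;` (placeholder, project to choose) and use `chainFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT | CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT;` so a slow responder costs at most one bounded delay per chain, and keep a one-line comment recording why the timeout exists. The hunk also does not show how a chain whose TrustStatus carries CERT_TRUST_REVOCATION_STATUS_UNKNOWN or CERT_TRUST_IS_OFFLINE_REVOCATION is treated; that policy decision (fail closed versus soft-fail when the responder is unreachable) lives in the rest of validateServerCertificate, which continues outside the hunk, and should be stated in a comment next to this flag. The constructor hunk above and the setter hunk below initialise and assign `checkCertificateRevocation` consistently; no separate point there.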
@@ -103,5 +105,6 @@ namespace Swift ////Not needed, most likely std::string m_smartcard_reader; //Can be empty string for non SmartCard certificates boost::shared_ptr userCertificate; + bool checkCertificateRevocation; }; } diff --git a/Swiften/TLS/Schannel/SchannelContextFactory.cpp b/Swiften/TLS/Schannel/SchannelContextFactory.cpp index 8ab7c6c..8b0044c 100644 --- a/Swiften/TLS/Schannel/SchannelContextFactory.cpp +++ b/Swiften/TLS/Schannel/SchannelContextFactory.cpp @@ -9,12 +9,22 @@ namespace Swift { +SchannelContextFactory::SchannelContextFactory() : checkCertificateRevocation(true) { +} + bool SchannelContextFactory::canCreate() const { return true; } TLSContext* SchannelContextFactory::createTLSContext() { - return new SchannelContext(); + SchannelContext* context = new SchannelContext(); + context->setCheckCertificateRevocation(checkCertificateRevocation); + return context; } +void SchannelContextFactory::setCheckCertificateRevocation(bool b) { + checkCertificateRevocation = b; +} + + } diff --git a/Swiften/TLS/Schannel/SchannelContextFactory.h b/Swiften/TLS/Schannel/SchannelContextFactory.h index 43c39a9..9dc835c 100644 --- a/Swiften/TLS/Schannel/SchannelContextFactory.h +++ b/Swiften/TLS/Schannel/SchannelContextFactory.h @@ -11,7 +11,14 @@ namespace Swift { class SchannelContextFactory : public TLSContextFactory { public: + SchannelContextFactory(); + bool canCreate() const; virtual TLSContext* createTLSContext(); + + virtual void setCheckCertificateRevocation(bool b); + + public: + bool checkCertificateRevocation; }; } diff --git a/Swiften/TLS/TLSContextFactory.h b/Swiften/TLS/TLSContextFactory.h index 849ca71..5f08925 100644 --- a/Swiften/TLS/TLSContextFactory.h +++ b/Swiften/TLS/TLSContextFactory.h @@ -16,5 +16,6 @@ namespace Swift { virtual bool canCreate() const = 0; virtual TLSContext* createTLSContext() = 0; + virtual void setCheckCertificateRevocation(bool b) = 0; }; } -- cgit v0.10.2-6-g49f6
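Review bot: The default of `true` now lives in two places: SchannelContextFactory's constructor here and SchannelContext's constructor in the earlier hunk, and createTLSContext immediately overwrites the context's value with the factory's. That is harmless today but the two can drift; I would make the factory the single source of the default and either drop the in-constructor initialiser in SchannelContext or document on the factory that it always overrides it. A brief comment on the constructor, e.g. `// Revocation checking is on unless the application disables it via setCheckCertificateRevocation().`, would also record why the default is the secure one.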
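Review bot: `bool checkCertificateRevocation;` in SchannelContextFactory.h is declared under a second `public:` label even though the hunk adds a setter for it, so any caller can flip the security setting without going through the interface. I would change that label to `private:` (the setter and createTLSContext are the only users visible in this commit) so the flag is only reachable through setCheckCertificateRevocation.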
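Review bot: The new pure virtual `setCheckCertificateRevocation(bool b)` on TLSContextFactory carries no documentation, and the two implementations in this commit behave very differently (Schannel honours it, OpenSSL cannot), so the interface should state the contract. I would add above the declaration: `/// Controls whether contexts returned by later createTLSContext() calls check certificate revocation.` and `/// Backends that cannot check revocation must not silently accept a request to enable it.` The second line documents what the OpenSSL implementation currently only warns about.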