[glib-networking/mcatanzaro/base-rebase] Setup peer certificate at the time of the verify callback
- From: Ignacio Casal Quinteiro <icq src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking/mcatanzaro/base-rebase] Setup peer certificate at the time of the verify callback
- Date: Fri, 10 May 2019 09:01:09 +0000 (UTC)
commit c7f582de7cd2ca559becb5344922d47948a405ba
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date: Fri May 10 10:59:16 2019 +0200
Setup peer certificate at the time of the verify callback
If we try to get the peer certificate out of the ssl object
from inside the verify callback it will return null since
the peer certificate has not been accepted yet. Instead we
need to store the peer certificate at verification time,
taking it from the X509_STORE_CTX.
tls/openssl/gtlsconnection-openssl.c | 52 ++++++++++++++----------------------
1 file changed, 20 insertions(+), 32 deletions(-)
---
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index 75f028f..ae999e3 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -42,8 +42,7 @@ typedef struct _GTlsConnectionOpensslPrivate
{
BIO *bio;
- GTlsCertificate *peer_certificate_tmp;
- GTlsCertificateFlags peer_certificate_errors_tmp;
+ GTlsCertificate *peer_certificate;
gboolean shutting_down;
} GTlsConnectionOpensslPrivate;
@@ -63,7 +62,7 @@ g_tls_connection_openssl_finalize (GObject *object)
priv = g_tls_connection_openssl_get_instance_private (openssl);
- g_clear_object (&priv->peer_certificate_tmp);
+ g_clear_object (&priv->peer_certificate);
G_OBJECT_CLASS (g_tls_connection_openssl_parent_class)->finalize (object);
}
@@ -251,30 +250,11 @@ static GTlsCertificate *
g_tls_connection_openssl_retrieve_peer_certificate (GTlsConnectionBase *tls)
{
GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
- X509 *peer;
- STACK_OF (X509) *certs;
- GTlsCertificateOpenssl *chain;
- SSL *ssl;
-
- ssl = g_tls_connection_openssl_get_ssl (openssl);
-
- peer = SSL_get_peer_certificate (ssl);
- if (peer == NULL)
- return NULL;
-
- certs = SSL_get_peer_cert_chain (ssl);
- if (certs == NULL)
- {
- X509_free (peer);
- return NULL;
- }
+ GTlsConnectionOpensslPrivate *priv;
- chain = g_tls_certificate_openssl_build_chain (peer, certs);
- X509_free (peer);
- if (!chain)
- return NULL;
+ priv = g_tls_connection_openssl_get_instance_private (openssl);
- return G_TLS_CERTIFICATE (chain);
+ return priv->peer_certificate;
}
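Review bot: The ownership of the returned certificate changes here and the new code should make that explicit: the removed implementation returned a freshly built chain that the caller owned, while `return priv->peer_certificate;` hands back the pointer that finalize() later unrefs. If the `retrieve_peer_certificate` vfunc contract in GTlsConnectionBase is transfer-full (not visible in this diff), the caller's unref will leave `priv->peer_certificate` dangling and finalize will unref it a second time; in that case return `priv->peer_certificate ? g_object_ref (priv->peer_certificate) : NULL;`. If the contract is transfer-none, a comment such as `/* Borrowed; owned by priv and released in finalize */` above the return would stop the next reader from adding an unref.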
static int
@@ -282,19 +262,27 @@ handshake_thread_verify_certificate_cb (int preverify_ok,
X509_STORE_CTX *x509_ctx)
{
GTlsConnectionOpenssl *openssl;
+ GTlsConnectionOpensslPrivate *priv;
SSL *ssl;
+ X509 *peer;
+ STACK_OF (X509) *certs;
ssl = X509_STORE_CTX_get_ex_data (x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
openssl = g_tls_connection_openssl_get_connection_from_ssl (ssl);
g_return_val_if_fail (G_IS_TLS_CONNECTION_OPENSSL (openssl), 0);
- // FIXME: Get the GTlsConnectionOpenssl out of the X509_STORE_CTX using
- // x509_STORE_CTX_get_ex_data... somehow. We probably have to pass
- // the GTlsConnectionOpenssl to the GTlsFileDatabaseOpenssl...
- // somehow.
- // return !g_tls_connection_base_handshake_thread_verify_certificate (
- /* Return 1 for the handshake to continue, 0 to terminate.
- * Complete opposite of what GnuTLS does. */
+ priv = g_tls_connection_openssl_get_instance_private (openssl);
+
+ peer = X509_STORE_CTX_get_current_cert (x509_ctx);
+ if (peer == NULL)
+ return 0;
+
+ certs = X509_STORE_CTX_get_chain (x509_ctx);
+ if (certs == NULL)
+ return 0;
+
+ priv->peer_certificate = G_TLS_CERTIFICATE (g_tls_certificate_openssl_build_chain (peer, certs));
+
return g_tls_connection_base_handshake_thread_verify_certificate (G_TLS_CONNECTION_BASE (openssl));
}
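Review bot: `X509_STORE_CTX_get_current_cert` returns the certificate at the depth currently being verified, and if this callback is installed through `SSL_set_verify` OpenSSL invokes it once per certificate in the chain, root first; so the first invocation would store the CA (plus its chain) in `priv->peer_certificate`, and only the final depth-0 call would overwrite it with the real peer. Each overwrite also drops the previous object without unref, leaking it, and the same leak happens on any renegotiation that re-runs verification. Fetching the leaf with `peer = X509_STORE_CTX_get0_cert (x509_ctx);` (or guarding on `X509_STORE_CTX_get_error_depth (x509_ctx) == 0`) and releasing the old value with `g_clear_object (&priv->peer_certificate);` before the assignment would address both. Note too that `g_tls_certificate_openssl_build_chain` returning NULL is not checked, so the base verification may run with a NULL peer certificate; whether it tolerates that is outside this hunk.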