[glib-networking/mcatanzaro/base-rebase] Setup peer certificate at the time of the verify callback



commit c7f582de7cd2ca559becb5344922d47948a405ba
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date:   Fri May 10 10:59:16 2019 +0200

    Setup peer certificate at the time of the verify callback
    
    If we try to get the peer certificate out of the SSL object
    from inside the verify callback it will return NULL, since
    the peer certificate has not been accepted yet. Instead we
    need to store the peer certificate at verification time,
    taking it from the X509_STORE_CTX passed to the callback.

 tls/openssl/gtlsconnection-openssl.c | 52 ++++++++++++++----------------------
 1 file changed, 20 insertions(+), 32 deletions(-)
---
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index 75f028f..ae999e3 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -42,8 +42,7 @@ typedef struct _GTlsConnectionOpensslPrivate
 {
   BIO *bio;
 
-  GTlsCertificate *peer_certificate_tmp;
-  GTlsCertificateFlags peer_certificate_errors_tmp;
+  GTlsCertificate *peer_certificate;
 
   gboolean shutting_down;
 } GTlsConnectionOpensslPrivate;
@@ -63,7 +62,7 @@ g_tls_connection_openssl_finalize (GObject *object)
 
   priv = g_tls_connection_openssl_get_instance_private (openssl);
 
-  g_clear_object (&priv->peer_certificate_tmp);
+  g_clear_object (&priv->peer_certificate);
 
   G_OBJECT_CLASS (g_tls_connection_openssl_parent_class)->finalize (object);
 }
@@ -251,30 +250,11 @@ static GTlsCertificate *
 g_tls_connection_openssl_retrieve_peer_certificate (GTlsConnectionBase *tls)
 {
   GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
-  X509 *peer;
-  STACK_OF (X509) *certs;
-  GTlsCertificateOpenssl *chain;
-  SSL *ssl;
-
-  ssl = g_tls_connection_openssl_get_ssl (openssl);
-
-  peer = SSL_get_peer_certificate (ssl);
-  if (peer == NULL)
-    return NULL;
-
-  certs = SSL_get_peer_cert_chain (ssl);
-  if (certs == NULL)
-    {
-      X509_free (peer);
-      return NULL;
-    }
+  GTlsConnectionOpensslPrivate *priv;
 
-  chain = g_tls_certificate_openssl_build_chain (peer, certs);
-  X509_free (peer);
-  if (!chain)
-    return NULL;
+  priv = g_tls_connection_openssl_get_instance_private (openssl);
 
-  return G_TLS_CERTIFICATE (chain);
+  return priv->peer_certificate;
 }
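Review bot: The new `return priv->peer_certificate;` hands out the instance-owned pointer without taking a reference, whereas the removed implementation returned a freshly built chain that the caller owned outright. If the base class treats the result of retrieve_peer_certificate as transfer-full (as it could with the old code), the caller's unref now frees the certificate still stored in priv, leaving finalize's g_clear_object to unref a dead object; I cannot see the caller from this hunk, so please confirm the contract. If it is transfer-full, the fix is `return priv->peer_certificate ? g_object_ref (priv->peer_certificate) : NULL;`; if it is transfer-none, a `/* transfer none: owned by priv, cleared in finalize */` comment above the return would document the change in ownership.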
 
 static int
@@ -282,19 +262,27 @@ handshake_thread_verify_certificate_cb (int             preverify_ok,
                                         X509_STORE_CTX *x509_ctx)
 {
   GTlsConnectionOpenssl *openssl;
+  GTlsConnectionOpensslPrivate *priv;
   SSL *ssl;
+  X509 *peer;
+  STACK_OF (X509) *certs;
 
   ssl = X509_STORE_CTX_get_ex_data (x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
   openssl = g_tls_connection_openssl_get_connection_from_ssl (ssl);
   g_return_val_if_fail (G_IS_TLS_CONNECTION_OPENSSL (openssl), 0);
 
-  // FIXME: Get the GTlsConnectionOpenssl out of the X509_STORE_CTX using
-  //        x509_STORE_CTX_get_ex_data... somehow. We probably have to pass
-  //        the GTlsConnectionOpenssl to the GTlsFileDatabaseOpenssl...
-  //        somehow.
-  // return !g_tls_connection_base_handshake_thread_verify_certificate (
-  /* Return 1 for the handshake to continue, 0 to terminate.
-   * Complete opposite of what GnuTLS does. */
+  priv = g_tls_connection_openssl_get_instance_private (openssl);
+
+  peer = X509_STORE_CTX_get_current_cert (x509_ctx);
+  if (peer == NULL)
+    return 0;
+
+  certs = X509_STORE_CTX_get_chain (x509_ctx);
+  if (certs == NULL)
+    return 0;
+
+  priv->peer_certificate = G_TLS_CERTIFICATE (g_tls_certificate_openssl_build_chain (peer, certs));
+
   return g_tls_connection_base_handshake_thread_verify_certificate (G_TLS_CONNECTION_BASE (openssl));
 }
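Review bot: `X509_STORE_CTX_get_current_cert (x509_ctx)` is the certificate OpenSSL is examining at the current depth, and OpenSSL invokes this verify callback once per certificate in the chain (and again per error), so on intermediate invocations `peer` is a CA certificate rather than the end-entity certificate, and the base verification at the end of the callback runs against it. The assignment to `priv->peer_certificate` also overwrites whatever an earlier invocation (or a renegotiation) stored without unreffing it, so each extra invocation leaks a chain, and if g_tls_certificate_openssl_build_chain returns NULL the NULL is cast and passed on unchecked. I would take the leaf as element 0 of the verified chain, clear the previous value before storing, and fail the handshake when no chain could be built; whether the base verification should additionally be restricted to depth 0 depends on what g_tls_connection_base_handshake_thread_verify_certificate does with repeated calls, which this hunk does not show.
```c
  priv = g_tls_connection_openssl_get_instance_private (openssl);

  certs = X509_STORE_CTX_get_chain (x509_ctx);
  if (certs == NULL || sk_X509_num (certs) == 0)
    return 0;

  /* The callback runs once per chain element; the end-entity certificate
   * is always index 0 of the verified chain, whatever the current depth. */
  peer = sk_X509_value (certs, 0);

  /* Drop the chain stored by an earlier invocation so we neither leak it
   * nor hand back a stale one if this verification fails. */
  g_clear_object (&priv->peer_certificate);
  priv->peer_certificate = G_TLS_CERTIFICATE (g_tls_certificate_openssl_build_chain (peer, certs));
  if (priv->peer_certificate == NULL)
    return 0;

  return g_tls_connection_base_handshake_thread_verify_certificate (G_TLS_CONNECTION_BASE (openssl));
```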
 

