interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Minor fixes to compile and run the CA trust store adapter from Windows to openopenSSL

This commit is contained in:
unknown 2016-01-27 16:30:50 -05:00
parent 9d7fcba575
commit 504881fc6f
1 changed files with 18 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
src/context.c
View File

@ -144,13 +144,15 @@ static void set_ub_edns_maximum_udp_payload_size(struct getdns_context*,
// Add code to open the trust store using wincrypt API and add // Add code to open the trust store using wincrypt API and add
// the root certs into openssl trust store // the root certs into openssl trust store
static int static int
add_WIN_cacerts_to_openssl_store(SSL_CTX *tls_ctx) add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)
{ {
HCERTSTORE hSystemStore; HCERTSTORE hSystemStore;
PCCERT_CONTEXT pTargetCert = NULL; PCCERT_CONTEXT pTargetCert = NULL;
if !(tls_ctx) // load just once per context lifetime for this version of getdns
return 1; // TODO: dynamically update CA trust changes as they are available
if (!tls_ctx)
return 0;
// Call wincrypt's CertOpenStore to open the CA root store. // Call wincrypt's CertOpenStore to open the CA root store.
@ -158,30 +160,33 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX *tls_ctx)
CERT_STORE_PROV_SYSTEM, CERT_STORE_PROV_SYSTEM,
0, 0,
NULL, NULL,
// mingw does not have this const: replace with 1 << 16 from code // NOTE: mingw does not have this const: replace with 1 << 16 from code
// CERT_SYSTEM_STORE_CURRENT_USER, // CERT_SYSTEM_STORE_CURRENT_USER,
1 << 16, 1 << 16,
L"root")) == 0) L"root")) == 0)
{ {
return 1; return 0;
} }
X509_STORE *store = SSL_CTX_get_cert_store(tls_ctx); X509_STORE* store = SSL_CTX_get_cert_store(tls_ctx);
if (!store) if (!store)
return 1; return 0;
// iterate over the windows cert store and add to openssl store // iterate over the windows cert store and add to openssl store
while (pTargetCert = CertEnumCertificatesInStore( while (pTargetCert = CertEnumCertificatesInStore(
hSystemStore, hSystemStore,
pTargetCert)) pTargetCert))
{ {
BYTE* cert = pTargetCert->pbCertEncoded;
X509 *cert1 = d2i_X509(NULL, (const unsigned char **)&pTargetCert->pbCertEncoded, pTargetCert->cbCertEncoded); X509 *cert1 = d2i_X509(NULL, (const unsigned char **)&pTargetCert->pbCertEncoded, pTargetCert->cbCertEncoded);
if (!cert1) if (!cert1)
return 1; // do not return if a cert fails, continue and retrieve the rest
DEBUG_STUB("*** %s(%s)\n", __FUNCTION__,
"unable to parse certificate in memory");
else { else {
// do not return if a cert add to store fails, continue and retrieve the rest
if (X509_STORE_add_cert(store, cert1) == 0) if (X509_STORE_add_cert(store, cert1) == 0)
return 1; DEBUG_STUB("*** %s(%s)\n", __FUNCTION__,
"error adding certificate");
X509_free(cert1); X509_free(cert1);
} }
} }
@ -193,9 +198,9 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX *tls_ctx)
{ {
if (!CertCloseStore( if (!CertCloseStore(
hSystemStore, 0)) hSystemStore, 0))
return 1;
}
return 0; return 0;
}
return 1;
} }
#endif #endif
@ -2719,7 +2724,7 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
#ifndef USE_WINSOCK #ifndef USE_WINSOCK
if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) { if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) {
#else #else
if (!add_WIN_cacerts_to_openssl_store(context)) { if (!add_WIN_cacerts_to_openssl_store(context->tls_ctx)) {
#endif /* USE_WINSOCK */ #endif /* USE_WINSOCK */
if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED)
return GETDNS_RETURN_BAD_CONTEXT; return GETDNS_RETURN_BAD_CONTEXT;