[commit] isync_1_1_branch: fix acceptance of trusted SSL certs

Sat, 08 Nov 2014 05:05:50 -0800 

commit 6f7d416bb80bda2c48243628527831c0966fe8bb
Author: Oswald Buddenhagen <[email protected]>
Date:   Sat Nov 8 13:50:59 2014 +0100

    fix acceptance of trusted SSL certs
    
    we should make no assumptions about the layout of OpenSSL's certificate
    store, in particular when they are wrong. so copy the interesting part
    instead of "deep-linking" into it.
    
    this code is uglier than it should be, but OpenSSL's extensive use of
    macros to manage data types would force us to include the ssl headers
    into our headers otherwise, which would be even uglier.
    
    REFMAIL: <[email protected]>

 src/socket.c |    8 ++++----
 src/socket.h |    3 ++-
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/socket.c b/src/socket.c
index f47e375..fc06f8b 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -178,11 +178,11 @@ ssl_verify_callback( int ok, X509_STORE_CTX *ctx )
 
        if (!conn->force_trusted) {
                X509 *cert = sk_X509_value( ctx->chain, 0 );
-               STACK_OF(X509_OBJECT) *trusted = ctx->ctx->objs;
-               unsigned i;
+               STACK_OF(X509_OBJECT) *trusted = (STACK_OF(X509_OBJECT) 
*)conn->conf->trusted_certs;
+               int i;
 
                conn->force_trusted = -1;
-               for (i = 0; i < conn->conf->num_trusted; i++) {
+               for (i = 0; i < sk_X509_OBJECT_num( trusted ); i++) {
                        if (!X509_cmp( cert, sk_X509_OBJECT_value( trusted, i 
)->data.x509 )) {
                                conn->force_trusted = 1;
                                break;
@@ -227,7 +227,7 @@ init_ssl_ctx( const server_conf_t *conf )
                       conf->cert_file, ERR_error_string( ERR_get_error(), 0 ) 
);
                return 0;
        }
-       mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( 
mconf->SSLContext )->objs );
+       mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( 
SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
        if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
                warn( "Warning: Unable to load default certificate files: %s\n",
                      ERR_error_string( ERR_get_error(), 0 ) );
diff --git a/src/socket.h b/src/socket.h
index 1545b39..193330e 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -27,6 +27,7 @@
 
 typedef struct ssl_st SSL;
 typedef struct ssl_ctx_st SSL_CTX;
+typedef struct stack_st _STACK;
 
 typedef struct server_conf {
        char *tunnel;
@@ -39,7 +40,7 @@ typedef struct server_conf {
 
        /* these are actually variables and are leaked at the end */
        char ssl_ctx_valid;
-       unsigned num_trusted;
+       _STACK *trusted_certs;
        SSL_CTX *SSLContext;
 #endif
 } server_conf_t;

------------------------------------------------------------------------------
_______________________________________________
isync-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/isync-devel

Reply via email to