| author | Remko Tronçon <git@el-tramo.be> | 2011-04-18 17:41:05 (GMT) | 
|---|---|---|
| committer | Remko Tronçon <git@el-tramo.be> | 2011-04-18 17:41:05 (GMT) | 
| commit | e494f9a206cbb44903f3a032f858b0ef35a039d1 (patch) | |
| tree | 7ca1110f6efb325874a3ea1dcdeb4ce8e8d9b979 | |
| parent | f0cc7282e0e60de3a0deebd3975c535dd96d4c34 (diff) | |
Explicitly add system store trust anchors on Mac OS X 10.5.swift-1.0
| -rw-r--r-- | BuildTools/SCons/SConstruct | 1 | ||||
| -rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 25 | 
2 files changed, 26 insertions, 0 deletions
|
diff --git a/BuildTools/SCons/SConstruct b/BuildTools/SCons/SConstruct
index 86f4cda..bd40f1f 100644
--- a/BuildTools/SCons/SConstruct
+++ b/BuildTools/SCons/SConstruct
@@ -160,6 +160,7 @@ if env.get("mac105", 0) :
 			"-mmacosx-version-min=10.5", 
 			"-isysroot", "/Developer/SDKs/MacOSX10.5.sdk", 
 			"-arch", "i386"])
+	env.Append(FRAMEWORKS = ["Security"])
 # If we build shared libs on AMD64, we need -fPIC.
 # This should have no performance impact om AMD64
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 21e377f..378b6aa 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -14,6 +14,9 @@
 #include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#if defined(SWIFTEN_PLATFORM_MACOSX) && OPENSSL_VERSION_NUMBER < 0x00908000
+#include <Security/Security.h>
+#endif
 #include "Swiften/TLS/OpenSSL/OpenSSLContext.h"
 #include "Swiften/TLS/OpenSSL/OpenSSLCertificate.h"
@@ -54,6 +57,28 @@ OpenSSLContext::OpenSSLContext() : state_(Start), context_(0), handle_(0), readB
 	}
 #elif !defined(SWIFTEN_PLATFORM_MACOSX)
 	SSL_CTX_load_verify_locations(context_, NULL, "/etc/ssl/certs");
+#elif defined(SWIFTEN_PLATFORM_MACOSX) && OPENSSL_VERSION_NUMBER < 0x00908000
+	// On Mac OS X 10.5 (OpenSSL < 0.9.8), OpenSSL does not automatically look in the system store.
+	// We therefore add all certs from the system store ourselves.
+	X509_STORE* store = SSL_CTX_get_cert_store(context_);
+	CFArrayRef anchorCertificates;
+	if (SecTrustCopyAnchorCertificates(&anchorCertificates) == 0) {
+		for (int i = 0; i < CFArrayGetCount(anchorCertificates); ++i) {
+			SecCertificateRef cert = reinterpret_cast<SecCertificateRef>(const_cast<void*>(CFArrayGetValueAtIndex(anchorCertificates, i)));
+			CSSM_DATA certCSSMData;
+			if (SecCertificateGetData(cert, &certCSSMData) != 0 || certCSSMData.Length == 0) {
+				continue;
+			}
+			std::vector<unsigned char> certData;
+			certData.resize(certCSSMData.Length);
+			memcpy(&certData[0], certCSSMData.Data, certCSSMData.Length);
+			OpenSSLCertificate certificate(certData);
+			if (store && certificate.getInternalX509()) {
+				X509_STORE_add_cert(store, certificate.getInternalX509().get());
+			}
+		}
+		CFRelease(anchorCertificates);
+	}
 #endif
 }
|
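Review bot: The results of the calls in the new `#elif` branch are dropped: `X509_STORE_add_cert` can fail (for example on a duplicate anchor), and a failed parse inside `OpenSSLCertificate` may too, and with OpenSSL of this generation such failures usually leave entries on the thread's error queue that a later `SSL_get_error` can misread as a failure of the connection itself. Adding `ERR_clear_error();` after `CFRelease(anchorCertificates);` would avoid that. The failure case of `SecTrustCopyAnchorCertificates` deserves at least a log line, because it leaves the context with no trust anchors and every verification then fails with no hint as to why. Separately, the loop adds every certificate the call returns; as far as I know that list does not reflect per-user or administrator trust settings, so an anchor marked as never trusted in Keychain would still be accepted here, which is worth recording in a comment such as `// NOTE: Keychain trust settings are not consulted; distrusted anchors are still added`. The constructor begins outside the hunk, so whether this enumeration runs once per connection cannot be judged from here.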