[glib-networking/mcatanzaro/base-rebase: 37/45] Setup peer	certificate at the time of the verify callback
- From: Michael Catanzaro <mcatanzaro src gnome org>
- To: commits-list gnome org
- Cc: 
- Subject: [glib-networking/mcatanzaro/base-rebase: 37/45] Setup peer	certificate at the time of the verify callback
- Date: Mon, 13 May 2019 16:58:05 +0000 (UTC)
commit 0563f118186e7e0a989d364c0090c933917fef91
Author: Ignacio Casal Quinteiro <qignacio amazon com>
Date:   Fri May 10 10:59:16 2019 +0200
    Setup peer certificate at the time of the verify callback
    
    If we try to get the peer certificate out of the ssl object
    from inside the verify callback it will return null since
    the peer certificate has not been accepted yet. Instead we
    need to store the peer certificate when doing the verification
    out of the X509_CTX
 tls/openssl/gtlsconnection-openssl.c | 52 ++++++++++++++----------------------
 1 file changed, 20 insertions(+), 32 deletions(-)
---
diff --git a/tls/openssl/gtlsconnection-openssl.c b/tls/openssl/gtlsconnection-openssl.c
index 75f028f..ae999e3 100644
--- a/tls/openssl/gtlsconnection-openssl.c
+++ b/tls/openssl/gtlsconnection-openssl.c
@@ -42,8 +42,7 @@ typedef struct _GTlsConnectionOpensslPrivate
 {
   BIO *bio;
 
-  GTlsCertificate *peer_certificate_tmp;
-  GTlsCertificateFlags peer_certificate_errors_tmp;
+  GTlsCertificate *peer_certificate;
 
   gboolean shutting_down;
 } GTlsConnectionOpensslPrivate;
@@ -63,7 +62,7 @@ g_tls_connection_openssl_finalize (GObject *object)
 
   priv = g_tls_connection_openssl_get_instance_private (openssl);
 
-  g_clear_object (&priv->peer_certificate_tmp);
+  g_clear_object (&priv->peer_certificate);
 
   G_OBJECT_CLASS (g_tls_connection_openssl_parent_class)->finalize (object);
 }
@@ -251,30 +250,11 @@ static GTlsCertificate *
 g_tls_connection_openssl_retrieve_peer_certificate (GTlsConnectionBase *tls)
 {
   GTlsConnectionOpenssl *openssl = G_TLS_CONNECTION_OPENSSL (tls);
-  X509 *peer;
-  STACK_OF (X509) *certs;
-  GTlsCertificateOpenssl *chain;
-  SSL *ssl;
-
-  ssl = g_tls_connection_openssl_get_ssl (openssl);
-
-  peer = SSL_get_peer_certificate (ssl);
-  if (peer == NULL)
-    return NULL;
-
-  certs = SSL_get_peer_cert_chain (ssl);
-  if (certs == NULL)
-    {
-      X509_free (peer);
-      return NULL;
-    }
+  GTlsConnectionOpensslPrivate *priv;
 
-  chain = g_tls_certificate_openssl_build_chain (peer, certs);
-  X509_free (peer);
-  if (!chain)
-    return NULL;
+  priv = g_tls_connection_openssl_get_instance_private (openssl);
 
-  return G_TLS_CERTIFICATE (chain);
+  return priv->peer_certificate;
 }
 
 static int
@@ -282,19 +262,27 @@ handshake_thread_verify_certificate_cb (int             preverify_ok,
                                         X509_STORE_CTX *x509_ctx)
 {
   GTlsConnectionOpenssl *openssl;
+  GTlsConnectionOpensslPrivate *priv;
   SSL *ssl;
+  X509 *peer;
+  STACK_OF (X509) *certs;
 
   ssl = X509_STORE_CTX_get_ex_data (x509_ctx, SSL_get_ex_data_X509_STORE_CTX_idx ());
   openssl = g_tls_connection_openssl_get_connection_from_ssl (ssl);
   g_return_val_if_fail (G_IS_TLS_CONNECTION_OPENSSL (openssl), 0);
 
-  // FIXME: Get the GTlsConnectionOpenssl out of the X509_STORE_CTX using
-  //        x509_STORE_CTX_get_ex_data... somehow. We probably have to pass
-  //        the GTlsConnectionOpenssl to the GTlsFileDatabaseOpenssl...
-  //        somehow.
-  // return !g_tls_connection_base_handshake_thread_verify_certificate (
-  /* Return 1 for the handshake to continue, 0 to terminate.
-   * Complete opposite of what GnuTLS does. */
+  priv = g_tls_connection_openssl_get_instance_private (openssl);
+
+  peer = X509_STORE_CTX_get_current_cert (x509_ctx);
+  if (peer == NULL)
+    return 0;
+
+  certs = X509_STORE_CTX_get_chain (x509_ctx);
+  if (certs == NULL)
+    return 0;
+
+  priv->peer_certificate = G_TLS_CERTIFICATE (g_tls_certificate_openssl_build_chain (peer, certs));
+
   return g_tls_connection_base_handshake_thread_verify_certificate (G_TLS_CONNECTION_BASE (openssl));
 }
 
[
Date Prev][
Date Next]   [
Thread Prev][
Thread Next]   
[
Thread Index]
[
Date Index]
[
Author Index]