-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSL fixes for validator list (RIPD-1558) #2275
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
//------------------------------------------------------------------------------ | ||
/* | ||
This file is part of rippled: https://github.com/ripple/rippled | ||
Copyright (c) 2016 Ripple Labs Inc. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Stale date |
||
|
||
Permission to use, copy, modify, and/or distribute this software for any | ||
purpose with or without fee is hereby granted, provided that the above | ||
copyright notice and this permission notice appear in all copies. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
ANY SPECIAL , DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
*/ | ||
//============================================================================== | ||
|
||
#ifndef RIPPLE_NET_REGISTER_SSL_CERTS_H_INCLUDED | ||
#define RIPPLE_NET_REGISTER_SSL_CERTS_H_INCLUDED | ||
|
||
#include <boost/asio/ssl/context.hpp> | ||
|
||
namespace ripple { | ||
/** Register default SSL certificates. | ||
|
||
Register the system default SSL root certificates. On linux/mac, | ||
this just calls asio's `set_default_verify_paths` to look in standard | ||
operating system locations. On windows, it uses the OS certificate | ||
store accessible via CryptoAPI. | ||
*/ | ||
void | ||
registerSSLCerts(boost::asio::ssl::context&, boost::system::error_code&); | ||
|
||
} // namespace ripple | ||
|
||
#endif |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,103 @@ | ||
//------------------------------------------------------------------------------ | ||
/* | ||
This file is part of rippled: https://github.com/ripple/rippled | ||
Copyright (c) 2012, 2013 Ripple Labs Inc. | ||
|
||
Permission to use, copy, modify, and/or distribute this software for any | ||
purpose with or without fee is hereby granted, provided that the above | ||
copyright notice and this permission notice appear in all copies. | ||
|
||
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | ||
WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | ||
MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | ||
ANY SPECIAL , DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | ||
WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | ||
ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | ||
OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | ||
*/ | ||
//============================================================================== | ||
#include <BeastConfig.h> | ||
#include <ripple/net/RegisterSSLCerts.h> | ||
#include <boost/predef.h> | ||
#if BOOST_OS_WINDOWS | ||
#include <boost/asio/ssl/error.hpp> | ||
#include <boost/system/error_code.hpp> | ||
#include <memory> | ||
#include <openssl/err.h> | ||
#include <openssl/ssl.h> | ||
#include <openssl/x509.h> | ||
#include <wincrypt.h> | ||
#endif | ||
|
||
namespace ripple { | ||
|
||
void | ||
registerSSLCerts(boost::asio::ssl::context& ctx, boost::system::error_code& ec) | ||
{ | ||
#if BOOST_OS_WINDOWS | ||
auto certStoreDelete = [](void* h) { | ||
if (h != nullptr) | ||
CertCloseStore(h, 0); | ||
}; | ||
std::unique_ptr<void, decltype(certStoreDelete)> hStore{ | ||
CertOpenSystemStore(0, "ROOT"), certStoreDelete}; | ||
|
||
if (!hStore) | ||
{ | ||
ec = boost::system::error_code( | ||
GetLastError(), boost::system::system_category()); | ||
return; | ||
} | ||
|
||
ERR_clear_error(); | ||
|
||
std::unique_ptr<X509_STORE, decltype(X509_STORE_free)*> store{ | ||
X509_STORE_new(), X509_STORE_free}; | ||
|
||
if (!store) | ||
{ | ||
ec = boost::system::error_code( | ||
static_cast<int>(::ERR_get_error()), | ||
boost::asio::error::get_ssl_category()); | ||
return; | ||
} | ||
|
||
PCCERT_CONTEXT pContext = NULL; | ||
while ((pContext = CertEnumCertificatesInStore(hStore.get(), pContext)) != | ||
NULL) | ||
{ | ||
const unsigned char* pbCertEncoded = pContext->pbCertEncoded; | ||
std::unique_ptr<X509, decltype(X509_free)*> x509{ | ||
d2i_X509(NULL, &pbCertEncoded, pContext->cbCertEncoded), X509_free}; | ||
if (!x509) | ||
{ | ||
ec = boost::system::error_code( | ||
static_cast<int>(::ERR_get_error()), | ||
boost::asio::error::get_ssl_category()); | ||
return; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is ok as is (returning with |
||
} | ||
|
||
if (X509_STORE_add_cert(store.get(), x509.get()) != 1) | ||
{ | ||
ec = boost::system::error_code( | ||
static_cast<int>(::ERR_get_error()), | ||
boost::asio::error::get_ssl_category()); | ||
return; | ||
} | ||
else | ||
{ | ||
// Successfully adding to the store took ownership | ||
x509.release(); | ||
} | ||
} | ||
|
||
// This takes ownership of the store | ||
SSL_CTX_set_cert_store(ctx.native_handle(), store.release()); | ||
|
||
#else | ||
|
||
ctx.set_default_verify_paths(ec); | ||
#endif | ||
} | ||
|
||
} // namespace ripple |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: misaligned