isync

mailbox synchronization program
git clone https://git.code.sf.net/p/isync/isync
Log | Files | Refs | README | LICENSE
commit 6f7d416bb80bda2c48243628527831c0966fe8bb
parent 47897d2403f2ef5e9c7e53eac129144526ed7654
Author: Oswald Buddenhagen <ossi@users.sf.net>
Date:   Sat,  8 Nov 2014 13:50:59 +0100

fix acceptance of trusted SSL certs

we should make no assumptions about the layout of OpenSSL's certificate
store, in particular when they are wrong. so copy the interesting part
instead of "deep-linking" into it.

this code is uglier than it should be, but OpenSSL's extensive use of
macros to manage data types would force us to include the ssl headers
into our headers otherwise, which would be even uglier.

REFMAIL: <545442CC.9020400@nodivisions.com>

Diffstat:

Msrc/socket.c | 8++++----


Msrc/socket.h | 3++-


2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/socket.c b/src/socket.c
@@ -178,11 +178,11 @@ ssl_verify_callback( int ok, X509_STORE_CTX *ctx )
 
 	if (!conn->force_trusted) {
 		X509 *cert = sk_X509_value( ctx->chain, 0 );
-		STACK_OF(X509_OBJECT) *trusted = ctx->ctx->objs;
-		unsigned i;
+		STACK_OF(X509_OBJECT) *trusted = (STACK_OF(X509_OBJECT) *)conn->conf->trusted_certs;
+		int i;
 
 		conn->force_trusted = -1;
-		for (i = 0; i < conn->conf->num_trusted; i++) {
+		for (i = 0; i < sk_X509_OBJECT_num( trusted ); i++) {
 			if (!X509_cmp( cert, sk_X509_OBJECT_value( trusted, i )->data.x509 )) {
 				conn->force_trusted = 1;
 				break;
@@ -227,7 +227,7 @@ init_ssl_ctx( const server_conf_t *conf )
 		       conf->cert_file, ERR_error_string( ERR_get_error(), 0 ) );
 		return 0;
 	}
-	mconf->num_trusted = sk_X509_OBJECT_num( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
+	mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup( SSL_CTX_get_cert_store( mconf->SSLContext )->objs );
 	if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
 		warn( "Warning: Unable to load default certificate files: %s\n",
 		      ERR_error_string( ERR_get_error(), 0 ) );
diff --git a/src/socket.h b/src/socket.h
@@ -27,6 +27,7 @@
 
 typedef struct ssl_st SSL;
 typedef struct ssl_ctx_st SSL_CTX;
+typedef struct stack_st _STACK;
 
 typedef struct server_conf {
 	char *tunnel;
@@ -39,7 +40,7 @@ typedef struct server_conf {
 
 	/* these are actually variables and are leaked at the end */
 	char ssl_ctx_valid;
-	unsigned num_trusted;
+	_STACK *trusted_certs;
 	SSL_CTX *SSLContext;
 #endif
 } server_conf_t;