FskErr KplLibraryLoad(FskLibrary *libraryOut, const char *path) { FskErr err; FskLibrary library = NULL; char *nativePath = NULL; err = FskMemPtrNewClear(sizeof(FskLibraryRecord), (FskMemPtr *)&library); if (err) goto bail; err = FskFilePathToNative(path, &nativePath); if (err) goto bail; library->module = dlopen(nativePath, RTLD_NOW); if (NULL == library->module) { err = kFskErrOperationFailed; } bail: FskMemPtrDispose(nativePath); if (err) { KplLibraryUnload(library); library = NULL; } *libraryOut = library; return err; }
FskErr winTextAddFontFile(FskTextEngineState state, const char *path) { FskErr err; WCHAR *nativePath = NULL; err = FskFilePathToNative(path, (char **)&nativePath); BAIL_IF_ERR(err); if (0 == AddFontResourceExW(nativePath, FR_PRIVATE, 0)) BAIL(kFskErrOperationFailed); bail: FskMemPtrDispose(nativePath); return err; }
Boolean FskSSLCheckServerCert(SSL *ssl, char *hostname) { long err; X509 *peer; char peer_CN[256]; err = SSL_get_verify_result(ssl); #if 0 if ((err != X509_V_OK) && (err != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) && (err != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) { ERR_print_errors_fp(stderr); fprintf(stderr, "[%s] cert for %s didn't verify %d %s\n", threadTag(FskThreadGetCurrent()), hostname, err, X509_verify_cert_error_string(err)); #else if (err != X509_V_OK) { if ((NULL != FskStrStr(hostname, "google.com")) || (NULL != FskStrStr(hostname, "googleapis.com")) || (NULL != FskStrStr(hostname, "twitter.com")) || (NULL != FskStrStr(hostname, "yammer.com")) || (NULL != FskStrStr(hostname, "facebook.com")) || (NULL != FskStrStr(hostname, "foursquare.com")) || (NULL != FskStrStr(hostname, "akamaihd.net")) || (NULL != FskStrStr(hostname, "fbcdn.net")) || (NULL != FskStrStr(hostname, "radiotime.com")) || (NULL != FskStrStr(hostname, "s3.amazonaws.com")) || (NULL != FskStrStr(hostname, "orb.com"))) { if ((err != X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) && (err != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) { return false; } myprintf((stderr, "b) cert didn't verify because %d %s\n", err, X509_verify_cert_error_string(err))); myprintf((stderr, " but since it's %s we'll let it through\n", hostname)); } else { #endif return false; } } peer = SSL_get_peer_certificate(ssl); X509_NAME_get_text_by_NID(X509_get_subject_name(peer), NID_commonName, peer_CN, 256); //fprintf(stderr, "comparing peer_CN %s with hostname %s\n", peer_CN, hostname); if (FskStrCompareCaseInsensitive(peer_CN, hostname)) { int pos, L, subL; char *match = peer_CN + 1; subL = FskStrLen(match); L = FskStrLen(hostname); if (peer_CN[0] == '*') { pos = L - subL; if (0 == FskStrCompareCaseInsensitive(match, hostname + pos)) { //fprintf(stderr, "Matched wildcard %s and %s\n", match, hostname + pos); return true; } } if ( (FskStrEndsWith(match, "akamaihd.net") && FskStrEndsWith(hostname, "akamai.net")) || (FskStrEndsWith(match, "akamai.net") && FskStrEndsWith(hostname, "akamaihd.net")) ) { return true; } myprintf((stderr, "cert common name %s and host %s don't match\n", peer_CN, hostname)); return false; } return true; } //SSL_CTX *FskSSLInitialize(char *keyfile, char *password) static SSL_CTX *FskOpenSSLInitialize(const char *calistpath) { SSL_METHOD *method; SSL_CTX *context; if (gSSLContext) { return gSSLContext; } else { SSL_library_init(); SSL_load_error_strings(); // not necessary, but useful } method = SSLv23_method(); context = SSL_CTX_new(method); #if 0 if (FskStrLen(keyfile) > 0) { keyfile = FskEnvironmentDoApply(FskStrDoCopy(keyfile)); if (!SSL_CTX_use_certificate_chain_file(context, keyfile)) doSSLError("Can't read certificate file"); fprintf(stderr, "keyfile is %s\n", keyfile); if (FskStrLen(password) > 0) { gSSLPassword = FskStrDoCopy(password); SSL_CTX_set_default_passwd_cb(context, passwordCallback); if (!SSL_CTX_use_PrivateKey_file(context, keyfile, SSL_FILETYPE_PEM)) doSSLError( "Can't read private keyfile"); } FskMemPtrDispose(keyfile); } #endif #if TARGET_OS_WIN32 { // try to make the path 8.3 safe to avoid nightmares with multibyte character paths, etc. UInt16 *nativePath; if (kFskErrNone == FskFilePathToNative(calistpath, (char **)&nativePath)) { DWORD shortLen; shortLen = GetShortPathNameW(nativePath, NULL, 0); if (0 != shortLen) { UInt16 *eightDotThree; if (kFskErrNone == FskMemPtrNewClear(shortLen * 2, (FskMemPtr *)&eightDotThree)) { if (0 != GetShortPathNameW(nativePath, eightDotThree, shortLen)) { char *utf8; UInt32 utf8Len; if (kFskErrNone == FskTextUnicode16LEToUTF8(eightDotThree, shortLen * 2, &utf8, &utf8Len)) { char *enc; if (kFskErrNone == FskTextToPlatform(utf8, utf8Len, &enc, NULL)) { FskMemPtrDispose(calistpath); calistpath = enc; } FskMemPtrDispose(utf8); } } FskMemPtrDispose(eightDotThree); } } FskMemPtrDispose(nativePath); } } #endif if (!(SSL_CTX_load_verify_locations(context, calistpath, 0))) { doSSLError("Can't read default CA list"); } SSL_CTX_set_verify_depth(context, 0); // SSL_CTX_set_verify(context, SSL_VERIFY_PEER, 0); gSSLContext = context; return context; }