/* snag a copy of current connection's peer certs so we can
* examine them later after the connection is closed */
static OSStatus copyPeerCerts(
SSLContext *ctx,
CFArrayRef *peerCerts) // mallocd & RETURNED
{
#if USE_COPY_PEER_CERTS
OSStatus ortn = SSLCopyPeerCertificates(ctx, peerCerts);
#else
OSStatus ortn = SSLGetPeerCertificates(ctx, peerCerts);
#endif
if(ortn) {
printf("***Error obtaining peer certs: %s\n",
sslGetSSLErrString(ortn));
}
return ortn;
}
SECURITY_STATUS schan_imp_get_session_peer_certificate(schan_imp_session session,
PCCERT_CONTEXT *cert)
{
struct mac_session* s = (struct mac_session*)session;
SECURITY_STATUS ret = SEC_E_INTERNAL_ERROR;
CFArrayRef certs;
OSStatus status;
TRACE("(%p/%p, %p)\n", s, s->context, cert);
status = SSLCopyPeerCertificates(s->context, &certs);
if (status == noErr && certs)
{
SecCertificateRef mac_cert;
CFDataRef data;
if (CFArrayGetCount(certs) &&
(mac_cert = (SecCertificateRef)CFArrayGetValueAtIndex(certs, 0)) &&
(SecKeychainItemExport(mac_cert, kSecFormatX509Cert, 0, NULL, &data) == noErr))
{
*cert = CertCreateCertificateContext(X509_ASN_ENCODING,
CFDataGetBytePtr(data), CFDataGetLength(data));
if (*cert)
ret = SEC_E_OK;
else
{
ret = GetLastError();
WARN("CertCreateCertificateContext failed: %x\n", ret);
}
CFRelease(data);
}
else
WARN("Couldn't extract certificate data\n");
CFRelease(certs);
}
else
WARN("SSLCopyPeerCertificates failed: %ld\n", (long)status);
return ret;
}
static CURLcode
darwinssl_connect_step3(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CFStringRef server_cert_summary;
char server_cert_summary_c[128];
CFArrayRef server_certs;
SecCertificateRef server_cert;
OSStatus err;
CFIndex i, count;
/* There is no step 3!
* Well, okay, if verbose mode is on, let's print the details of the
* server certificates. */
err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
if(err == noErr) {
count = CFArrayGetCount(server_certs);
for(i = 0L ; i < count ; i++) {
server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(server_certs);
}
connssl->connecting_state = ssl_connect_done;
return CURLE_OK;
}
static CURLcode
darwinssl_connect_step3(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CFStringRef server_cert_summary;
char server_cert_summary_c[128];
CFArrayRef server_certs;
SecCertificateRef server_cert;
OSStatus err;
CFIndex i, count;
SecTrustRef trust;
/* There is no step 3!
* Well, okay, if verbose mode is on, let's print the details of the
* server certificates. */
#if defined(__MAC_10_7) || defined(__IPHONE_5_0)
if(SecTrustGetCertificateCount != NULL) {
#pragma unused(server_certs)
err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
if(err == noErr) {
count = SecTrustGetCertificateCount(trust);
for(i = 0L ; i < count ; i++) {
server_cert = SecTrustGetCertificateAtIndex(trust, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(trust);
}
}
else {
#elif TARGET_OS_EMBEDDED == 0
#pragma unused(trust)
err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
if(err == noErr) {
count = CFArrayGetCount(server_certs);
for(i = 0L ; i < count ; i++) {
server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(server_certs);
}
#endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */
#if defined(__MAC_10_7) || defined(__IPHONE_5_0)
}
#endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */
connssl->connecting_state = ssl_connect_done;
return CURLE_OK;
}
SECURITY_STATUS schan_imp_get_session_peer_certificate(schan_imp_session session, HCERTSTORE store,
PCCERT_CONTEXT *ret_cert)
{
struct mac_session* s = (struct mac_session*)session;
SECURITY_STATUS ret = SEC_E_OK;
PCCERT_CONTEXT cert = NULL;
SecCertificateRef mac_cert;
CFArrayRef cert_array;
int status;
CFIndex cnt, i;
CFDataRef data;
BOOL res;
TRACE("(%p/%p, %p)\n", s, s->context, cert);
#ifdef HAVE_SSLCOPYPEERCERTIFICATES
status = SSLCopyPeerCertificates(s->context, &cert_array);
#else
status = SSLGetPeerCertificates(s->context, &cert_array);
#endif
if (status != noErr || !cert_array)
{
WARN("SSLCopyPeerCertificates failed: %d\n", status);
return SEC_E_INTERNAL_ERROR;
}
cnt = CFArrayGetCount(cert_array);
for (i=0; i < cnt; i++) {
if (!(mac_cert = (SecCertificateRef)CFArrayGetValueAtIndex(cert_array, i)) ||
(SecKeychainItemExport(mac_cert, kSecFormatX509Cert, 0, NULL, &data) != noErr))
{
WARN("Couldn't extract certificate data\n");
ret = SEC_E_INTERNAL_ERROR;
break;
}
res = CertAddEncodedCertificateToStore(store, X509_ASN_ENCODING, CFDataGetBytePtr(data), CFDataGetLength(data),
CERT_STORE_ADD_REPLACE_EXISTING, i ? NULL : &cert);
CFRelease(data);
if (!res)
{
ret = GetLastError();
WARN("CertAddEncodedCertificateToStore failed: %x\n", ret);
break;
}
}
#ifndef HAVE_SSLCOPYPEERCERTIFICATES
/* This is why SSLGetPeerCertificates was deprecated */
CFArrayApplyFunction(cert_array, CFRangeMake(0, CFArrayGetCount(cert_array)),
schan_imp_cf_release, NULL);
#endif
CFRelease(cert_array);
if (ret != SEC_E_OK) {
if(cert)
CertFreeCertificateContext(cert);
return ret;
}
*ret_cert = cert;
return SEC_E_OK;
}
static gboolean copy_certificate_chain(PurpleSslConnection *gsc /* IN */, CFArrayRef *result /* OUT */) {
PurpleSslCDSAData *cdsa_data = PURPLE_SSL_CDSA_DATA(gsc);
return SSLCopyPeerCertificates(cdsa_data->ssl_ctx, result) == noErr;
}
/*
* ssl_cdsa_handshake_cb
*/
static void
ssl_cdsa_handshake_cb(gpointer data, gint source, PurpleInputCondition cond)
{
PurpleSslConnection *gsc = (PurpleSslConnection *)data;
PurpleAccount *account = gsc->account;
PurpleSslCDSAData *cdsa_data = PURPLE_SSL_CDSA_DATA(gsc);
OSStatus err;
purple_debug_info("cdsa", "Connecting\n");
/*
* do the negotiation that sets up the SSL connection between
* here and there.
*/
err = SSLHandshake(cdsa_data->ssl_ctx);
if (err == errSSLPeerBadRecordMac
&& !purple_account_get_bool(account, PURPLE_SSL_CDSA_BUGGY_TLS_WORKAROUND, false)
&& !strcmp(purple_account_get_protocol_id(account),"prpl-jabber")) {
/*
* Set a flag so we know to explicitly disable TLS 1.1 and 1.2 on our next (immediate) connection attempt for this account.
* Some XMPP servers use buggy TLS stacks that incorrectly report their capabilities, which breaks things with 10.8's new support
* for TLS 1.1 and 1.2.
*/
purple_debug_info("cdsa", "SSLHandshake reported that the server rejected our MAC, which most likely means it lied about the TLS versions it supports.");
purple_debug_info("cdsa", "Setting a flag in this account to only use TLS 1.0 and below on the next connection attempt.");
purple_account_set_bool(account, PURPLE_SSL_CDSA_BUGGY_TLS_WORKAROUND, true);
if (gsc->error_cb != NULL)
gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED, gsc->connect_cb_data);
purple_ssl_close(gsc);
return;
} else if (err != noErr) {
if(err == errSSLWouldBlock)
return;
fprintf(stderr,"cdsa: SSLHandshake failed with error %d\n",(int)err);
purple_debug_error("cdsa", "SSLHandshake failed with error %d\n",(int)err);
if (gsc->error_cb != NULL)
gsc->error_cb(gsc, PURPLE_SSL_HANDSHAKE_FAILED,
gsc->connect_cb_data);
purple_ssl_close(gsc);
return;
}
SSLCipherSuite cipher;
SSLProtocol protocol;
err = SSLGetNegotiatedCipher(cdsa_data->ssl_ctx, &cipher);
if (err == noErr) {
err = SSLGetNegotiatedProtocolVersion(cdsa_data->ssl_ctx, &protocol);
purple_debug_info("cdsa", "Your connection is using %s with %s encryption, using %s for message authentication and %s key exchange (%X).\n",
SSLVersionToString(protocol),
SSLCipherName(cipher),
SSLMACName(cipher),
SSLKeyExchangeName(cipher),
cipher);
}
purple_input_remove(cdsa_data->handshake_handler);
cdsa_data->handshake_handler = 0;
purple_debug_info("cdsa", "SSL_connect: verifying certificate\n");
if(certificate_ui_cb) { // does the application want to verify the certificate?
struct query_cert_userdata *userdata = (struct query_cert_userdata*)malloc(sizeof(struct query_cert_userdata));
size_t hostnamelen = 0;
SSLGetPeerDomainNameLength(cdsa_data->ssl_ctx, &hostnamelen);
userdata->hostname = (char*)malloc(hostnamelen+1);
SSLGetPeerDomainName(cdsa_data->ssl_ctx, userdata->hostname, &hostnamelen);
userdata->hostname[hostnamelen] = '\0'; // just make sure it's zero-terminated
userdata->cond = cond;
userdata->gsc = gsc;
SSLCopyPeerCertificates(cdsa_data->ssl_ctx, &userdata->certs);
certificate_ui_cb(gsc, userdata->hostname, userdata->certs, query_cert_result, userdata);
} else {
purple_debug_info("cdsa", "SSL_connect complete (did not verify certificate)\n");
/* SSL connected now */
gsc->connect_cb(gsc->connect_cb_data, gsc, cond);
}
SSLCipherSuite suite;
SSLGetNegotiatedCipher(cdsa_data->ssl_ctx, &suite);
purple_debug_info("cdsa", "Using cipher %x.\n", suite);
}
static int st_validateServerCertificate (vlc_tls_t *session, const char *hostname) {
int result = -1;
vlc_tls_sys_t *sys = session->sys;
SecCertificateRef leaf_cert = NULL;
SecTrustRef trust = NULL;
OSStatus ret = SSLCopyPeerTrust (sys->p_context, &trust);
if (ret != noErr || trust == NULL) {
msg_Err(session, "error getting certifictate chain");
return -1;
}
CFStringRef cfHostname = CFStringCreateWithCString(kCFAllocatorDefault,
hostname,
kCFStringEncodingUTF8);
/* enable default root / anchor certificates */
ret = SecTrustSetAnchorCertificates (trust, NULL);
if (ret != noErr) {
msg_Err(session, "error setting anchor certificates");
result = -1;
goto out;
}
SecTrustResultType trust_eval_result = 0;
ret = SecTrustEvaluate(trust, &trust_eval_result);
if(ret != noErr) {
msg_Err(session, "error calling SecTrustEvaluate");
result = -1;
goto out;
}
switch (trust_eval_result) {
case kSecTrustResultUnspecified:
case kSecTrustResultProceed:
msg_Dbg(session, "cerfificate verification successful, result is %d", trust_eval_result);
result = 0;
goto out;
case kSecTrustResultRecoverableTrustFailure:
case kSecTrustResultDeny:
default:
msg_Warn(session, "cerfificate verification failed, result is %d", trust_eval_result);
}
/* get leaf certificate */
/* SSLCopyPeerCertificates is only available on OSX 10.5 or later */
#if !TARGET_OS_IPHONE
CFArrayRef cert_chain = NULL;
ret = SSLCopyPeerCertificates (sys->p_context, &cert_chain);
if (ret != noErr || !cert_chain) {
result = -1;
goto out;
}
if (CFArrayGetCount (cert_chain) == 0) {
CFRelease (cert_chain);
result = -1;
goto out;
}
leaf_cert = (SecCertificateRef)CFArrayGetValueAtIndex (cert_chain, 0);
CFRetain (leaf_cert);
CFRelease (cert_chain);
#else
/* SecTrustGetCertificateAtIndex is only available on 10.7 or iOS */
if (SecTrustGetCertificateCount (trust) == 0) {
result = -1;
goto out;
}
leaf_cert = SecTrustGetCertificateAtIndex (trust, 0);
CFRetain (leaf_cert);
#endif
/* check if leaf already accepted */
CFIndex max = CFArrayGetCount (sys->p_cred->whitelist);
for (CFIndex i = 0; i < max; ++i) {
CFDictionaryRef dict = CFArrayGetValueAtIndex (sys->p_cred->whitelist, i);
CFStringRef knownHost = (CFStringRef)CFDictionaryGetValue (dict, cfKeyHost);
SecCertificateRef knownCert = (SecCertificateRef)CFDictionaryGetValue (dict, cfKeyCertificate);
if (!knownHost || !knownCert)
continue;
if (CFEqual (knownHost, cfHostname) && CFEqual (knownCert, leaf_cert)) {
msg_Warn(session, "certificate already accepted, continuing");
result = 0;
goto out;
}
}
/* We do not show more certificate details yet because there is no proper API to get
a summary of the certificate. SecCertificateCopySubjectSummary is the only method
available on iOS and 10.6. More promising API functions such as
SecCertificateCopyLongDescription also print out the subject only, more or less.
But only showing the certificate subject is of no real help for the user.
We could use SecCertificateCopyValues, but then we need to parse all OID values for
ourself. This is too mad for just printing information the user will never check
anyway.
*/
const char *msg = N_("You attempted to reach %s. "
"However the security certificate presented by the server "
"is unknown and could not be authenticated by any trusted "
"Certification Authority. "
"This problem may be caused by a configuration error "
"or an attempt to breach your security or your privacy.\n\n"
"If in doubt, abort now.\n");
int answer = dialog_Question (session, _("Insecure site"), vlc_gettext (msg),
_("Abort"), _("Accept certificate temporarily"), NULL, hostname);
if(answer == 2) {
msg_Warn(session, "Proceeding despite of failed certificate validation");
/* save leaf certificate in whitelist */
const void *keys[] = {cfKeyHost, cfKeyCertificate};
const void *values[] = {cfHostname, leaf_cert};
CFDictionaryRef dict = CFDictionaryCreate (kCFAllocatorDefault,
keys, values, 2,
&kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
if(!dict) {
msg_Err (session, "error creating dict");
result = -1;
goto out;
}
CFArrayAppendValue (sys->p_cred->whitelist, dict);
CFRelease (dict);
result = 0;
goto out;
} else {
result = -1;
goto out;
}
out:
CFRelease (trust);
if (cfHostname)
CFRelease (cfHostname);
if (leaf_cert)
CFRelease (leaf_cert);
return result;
}
static CURLcode
darwinssl_connect_step3(struct connectdata *conn,
int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CFStringRef server_cert_summary;
char server_cert_summary_c[128];
CFArrayRef server_certs;
SecCertificateRef server_cert;
OSStatus err;
CFIndex i, count;
SecTrustRef trust;
/* There is no step 3!
* Well, okay, if verbose mode is on, let's print the details of the
* server certificates. */
#if defined(__MAC_10_7) || defined(__IPHONE_5_0)
#if (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)
#pragma unused(server_certs)
err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
if(err == noErr) {
count = SecTrustGetCertificateCount(trust);
for(i = 0L ; i < count ; i++) {
server_cert = SecTrustGetCertificateAtIndex(trust, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(trust);
}
#else
/* SSLCopyPeerCertificates() is deprecated as of Mountain Lion.
The function SecTrustGetCertificateAtIndex() is officially present
in Lion, but it is unfortunately also present in Snow Leopard as
private API and doesn't work as expected. So we have to look for
a different symbol to make sure this code is only executed under
Lion or later. */
if(SecTrustEvaluateAsync != NULL) {
#pragma unused(server_certs)
err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust);
if(err == noErr) {
count = SecTrustGetCertificateCount(trust);
for(i = 0L ; i < count ; i++) {
server_cert = SecTrustGetCertificateAtIndex(trust, i);
server_cert_summary =
SecCertificateCopyLongDescription(NULL, server_cert, NULL);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(trust);
}
}
else {
err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
if(err == noErr) {
count = CFArrayGetCount(server_certs);
for(i = 0L ; i < count ; i++) {
server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs,
i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(server_certs);
}
}
#endif /* (TARGET_OS_EMBEDDED || TARGET_OS_IPHONE) */
#else
#pragma unused(trust)
err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs);
if(err == noErr) {
count = CFArrayGetCount(server_certs);
for(i = 0L ; i < count ; i++) {
server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i);
server_cert_summary = SecCertificateCopySubjectSummary(server_cert);
memset(server_cert_summary_c, 0, 128);
if(CFStringGetCString(server_cert_summary,
server_cert_summary_c,
128,
kCFStringEncodingUTF8)) {
infof(data, "Server certificate: %s\n", server_cert_summary_c);
}
CFRelease(server_cert_summary);
}
CFRelease(server_certs);
}
#endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */
connssl->connecting_state = ssl_connect_done;
return CURLE_OK;
}
