OSStatus addTrustedSecCert(
SSLContextRef ctx,
SecCertificateRef secCert,
bool replaceAnchors)
{
OSStatus ortn;
CFMutableArrayRef array;
if(secCert == NULL) {
printf("***addTrustedSecCert screwup\n");
return errSecParam;
}
array = CFArrayCreateMutable(kCFAllocatorDefault,
(CFIndex)1, &kCFTypeArrayCallBacks);
if(array == NULL) {
return errSecAllocate;
}
CFArrayAppendValue(array, secCert);
ortn = SSLSetTrustedRoots(ctx, array, replaceAnchors ? true : false);
if(ortn) {
printSslErrStr("SSLSetTrustedRoots", ortn);
}
CFRelease(array);
return ortn;
}
bool
mongoc_secure_transport_setup_ca (
mongoc_stream_tls_secure_transport_t *secure_transport,
mongoc_ssl_opt_t *opt)
{
if (opt->ca_file) {
CFArrayRef items;
SecExternalItemType type = kSecItemTypeCertificate;
bool success = _mongoc_secure_transport_import_pem (
opt->ca_file, NULL, &items, &type);
if (!success) {
MONGOC_ERROR ("Can't find certificate in \"%s\"", opt->ca_file);
return false;
}
if (type == kSecItemTypeAggregate) {
CFMutableArrayRef anchors = CFArrayCreateMutable (
kCFAllocatorDefault, 0, &kCFTypeArrayCallBacks);
for (CFIndex i = 0; i < CFArrayGetCount (items); ++i) {
CFTypeID item_id = CFGetTypeID (CFArrayGetValueAtIndex (items, i));
if (item_id == SecCertificateGetTypeID ()) {
CFArrayAppendValue (anchors, CFArrayGetValueAtIndex (items, i));
}
}
secure_transport->anchors = anchors;
CFRelease (items);
} else if (type == kSecItemTypeCertificate) {
secure_transport->anchors = items;
} else {
CFRelease (items);
}
/* This should be SSLSetCertificateAuthorities But the /TLS/ tests fail
* when it is */
success = !SSLSetTrustedRoots (
secure_transport->ssl_ctx_ref, secure_transport->anchors, true);
TRACE ("Setting certificate authority %s (%s)",
success ? "succeeded" : "failed",
opt->ca_file);
return true;
}
TRACE ("%s", "No CA provided, using defaults");
return false;
}
Connection::Connection(Context& ctx, std::ios& ios, OpenMode omode)
: _ctx(&ctx)
, _context(0)
, _ios(&ios)
, _iocount(0)
, _connected(false)
, _wantRead(false)
, _isReading(false)
, _isWriting(false)
, _receivedShutdown(false)
, _sentShutdown(false)
{
Boolean isServer = (omode == Accept);
SSLNewContext(isServer, &_context);
SSLSetConnection(_context, (SSLConnectionRef) this);
SSLSetIOFuncs(_context,
&Connection::sslReadCallback,
&Connection::sslWriteCallback);
SSLSetProtocolVersionEnabled(_context, kSSLProtocolAll, false);
switch(_ctx->protocol())
{
case SSLv2:
SSLSetProtocolVersionEnabled(_context, kSSLProtocol2, true);
break;
case SSLv3or2:
SSLSetProtocolVersionEnabled(_context, kSSLProtocol2, true);
SSLSetProtocolVersionEnabled(_context, kSSLProtocol3, true);
break;
default:
case SSLv3:
SSLSetProtocolVersionEnabled(_context, kSSLProtocol3, true);
break;
case TLSv1:
SSLSetProtocolVersionEnabled(_context, kTLSProtocol1, true);
break;
}
if(isServer)
{
#ifdef PT_IOS
SSLSetEnableCertVerify(_context, false);
SSLSetSessionOption(_context, kSSLSessionOptionBreakOnClientAuth, true);
#else
if(_ctx->verifyMode() == NoVerify)
{
SSLSetClientSideAuthenticate(_context, kNeverAuthenticate);
}
else if(_ctx->verifyMode() == TryVerify)
{
SSLSetClientSideAuthenticate(_context, kTryAuthenticate);
}
else if(_ctx->verifyMode() == AlwaysVerify)
{
SSLSetClientSideAuthenticate(_context, kAlwaysAuthenticate);
}
CFArrayRef caArr = _ctx->impl()->caCertificates();
SSLSetCertificateAuthorities(_context, caArr, true);
SSLSetTrustedRoots(_context, caArr, true);
#endif
}
else
{
SSLSetEnableCertVerify(_context, false);
SSLSetSessionOption(_context, kSSLSessionOptionBreakOnServerAuth, true);
}
// certificates to present to peer
CFArrayRef certs = _ctx->impl()->certificates();
if(certs)
{
log_debug("using " << CFArrayGetCount(certs) << " certificates");
SSLSetCertificate(_context, certs);
}
}
