| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2017, the Dart project authors. Please see the AUTHORS file |
| 2 // for details. All rights reserved. Use of this source code is governed by a |
| 3 // BSD-style license that can be found in the LICENSE file. |
| 4 |
| 5 #if !defined(DART_IO_DISABLED) && !defined(DART_IO_SECURE_SOCKET_DISABLED) |
| 6 |
| 7 #include "platform/globals.h" |
| 8 #if defined(HOST_OS_LINUX) |
| 9 |
| 10 #include "bin/security_context.h" |
| 11 |
| 12 #include <openssl/bio.h> |
| 13 #include <openssl/ssl.h> |
| 14 #include <openssl/x509.h> |
| 15 |
| 16 #include "bin/directory.h" |
| 17 #include "bin/file.h" |
| 18 #include "bin/log.h" |
| 19 #include "bin/secure_socket_filter.h" |
| 20 #include "bin/secure_socket_utils.h" |
| 21 |
| 22 namespace dart { |
| 23 namespace bin { |
| 24 |
| 25 // The security context won't necessarily use the compiled-in root certificates, |
| 26 // but since there is no way to update the size of the allocation after creating |
| 27 // the weak persistent handle, we assume that it will. Note that when the |
| 28 // root certs aren't compiled in, |root_certificates_pem_length| is 0. |
| 29 const intptr_t SSLCertContext::kApproximateSize = |
| 30 sizeof(SSLCertContext) + root_certificates_pem_length; |
| 31 |
| 32 const char* commandline_root_certs_file = NULL; |
| 33 const char* commandline_root_certs_cache = NULL; |
| 34 |
| 35 void SSLCertContext::TrustBuiltinRoots() { |
| 36 // First, try to use locations specified on the command line. |
| 37 if (commandline_root_certs_file != NULL) { |
| 38 LoadRootCertFile(commandline_root_certs_file); |
| 39 return; |
| 40 } |
| 41 |
| 42 if (commandline_root_certs_cache != NULL) { |
| 43 LoadRootCertCache(commandline_root_certs_cache); |
| 44 return; |
| 45 } |
| 46 |
| 47 // On Linux, we use the compiled-in trusted certs as a last resort. First, |
| 48 // we try to find the trusted certs in various standard locations. A good |
| 49 // discussion of the complexities of this endeavor can be found here: |
| 50 // |
| 51 // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certif
icate-stores-and-platforms/ |
| 52 const char* bundle = "/etc/pki/tls/certs/ca-bundle.crt"; |
| 53 const char* cachedir = "/etc/ssl/certs"; |
| 54 if (File::Exists(bundle)) { |
| 55 LoadRootCertFile(bundle); |
| 56 return; |
| 57 } |
| 58 |
| 59 if (Directory::Exists(cachedir) == Directory::EXISTS) { |
| 60 LoadRootCertCache(cachedir); |
| 61 return; |
| 62 } |
| 63 |
| 64 // Fall back on the compiled-in certs if the standard locations don't exist, |
| 65 // or we aren't on Linux. |
| 66 if (SSL_LOG_STATUS) { |
| 67 Log::Print("Trusting compiled-in roots\n"); |
| 68 } |
| 69 AddCompiledInCerts(); |
| 70 } |
| 71 |
| 72 |
| 73 void SSLCertContext::RegisterCallbacks(SSL* ssl) { |
| 74 // No callbacks to register for implementations using BoringSSL's built-in |
| 75 // verification mechanism. |
| 76 } |
| 77 |
| 78 } // namespace bin |
| 79 } // namespace dart |
| 80 |
| 81 #endif // defined(HOST_OS_LINUX) |
| 82 |
| 83 #endif // !defined(DART_IO_DISABLED) && |
| 84 // !defined(DART_IO_SECURE_SOCKET_DISABLED) |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2903743002:
Porting SecureSocket to use BoringSSL on OSX (Closed)
