From badb81769a32c263e4a1d4d161688bb67fbf940d Mon Sep 17 00:00:00 2001 From: Nick Zitzmann Date: Fri, 7 Sep 2012 20:01:08 -0600 Subject: [PATCH] darwinssl: fixed for older Mac OS X versions SSL didn't work on older cats if built on a newer cat with weak-linking turned on to support the older cat --- lib/curl_darwinssl.c | 58 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 45 insertions(+), 13 deletions(-) diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c index 78f31029e..d5685bede 100644 --- a/lib/curl_darwinssl.c +++ b/lib/curl_darwinssl.c @@ -614,7 +614,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } } else { -#elif TARGET_OS_EMBEDDED == 0 +#if TARGET_OS_EMBEDDED == 0 /* the older API does not exist on iOS */ + if(connssl->ssl_ctx) + (void)SSLDisposeContext(connssl->ssl_ctx); + err = SSLNewContext(false, &(connssl->ssl_ctx)); + if(err != noErr) { + failf(data, "SSL: couldn't create a context: OSStatus %d", err); + return CURLE_OUT_OF_MEMORY; + } +#endif /* TARGET_OS_EMBEDDED == 0 */ + } +#else if(connssl->ssl_ctx) (void)SSLDisposeContext(connssl->ssl_ctx); err = SSLNewContext(false, &(connssl->ssl_ctx)); @@ -623,9 +633,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, return CURLE_OUT_OF_MEMORY; } #endif /* defined(__MAC_10_8) || defined(__IPHONE_5_0) */ -#if defined(__MAC_10_8) || defined(__IPHONE_5_0) - } -#endif /* defined(__MAC_10_8) || defined(__IPHONE_5_0) */ /* check to see if we've been told to use an explicit SSL/TLS version */ #if defined(__MAC_10_8) || defined(__IPHONE_5_0) @@ -740,7 +747,16 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } } else { -#elif TARGET_OS_EMBEDDED == 0 +#if TARGET_OS_EMBEDDED == 0 + err = SSLSetEnableCertVerify(connssl->ssl_ctx, + data->set.ssl.verifypeer?true:false); + if(err != noErr) { + failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err); + return CURLE_SSL_CONNECT_ERROR; + } +#endif /* TARGET_OS_EMBEDDED == 0 */ + } +#else err = SSLSetEnableCertVerify(connssl->ssl_ctx, data->set.ssl.verifypeer?true:false); if(err != noErr) { @@ -748,9 +764,6 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, return CURLE_SSL_CONNECT_ERROR; } #endif /* defined(__MAC_10_6) || defined(__IPHONE_5_0) */ -#if defined(__MAC_10_6) || defined(__IPHONE_5_0) - } -#endif /* defined(__MAC_10_6) || defined(__IPHONE_5_0) */ /* If this is a domain name and not an IP address, then configure SNI: */ if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) && @@ -889,7 +902,7 @@ darwinssl_connect_step3(struct connectdata *conn, * Well, okay, if verbose mode is on, let's print the details of the * server certificates. */ #if defined(__MAC_10_7) || defined(__IPHONE_5_0) - if(SecTrustGetCertificateCount != NULL) { + if(SecTrustEvaluateAsync != NULL) { #pragma unused(server_certs) err = SSLCopyPeerTrust(connssl->ssl_ctx, &trust); if(err == noErr) { @@ -910,7 +923,29 @@ darwinssl_connect_step3(struct connectdata *conn, } } else { -#elif TARGET_OS_EMBEDDED == 0 +#if TARGET_OS_EMBEDDED == 0 + err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs); + if(err == noErr) { + count = CFArrayGetCount(server_certs); + for(i = 0L ; i < count ; i++) { + server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, + i); + + server_cert_summary = SecCertificateCopySubjectSummary(server_cert); + memset(server_cert_summary_c, 0, 128); + if(CFStringGetCString(server_cert_summary, + server_cert_summary_c, + 128, + kCFStringEncodingUTF8)) { + infof(data, "Server certificate: %s\n", server_cert_summary_c); + } + CFRelease(server_cert_summary); + } + CFRelease(server_certs); + } +#endif /* TARGET_OS_EMBEDDED == 0 */ + } +#else #pragma unused(trust) err = SSLCopyPeerCertificates(connssl->ssl_ctx, &server_certs); if(err == noErr) { @@ -931,9 +966,6 @@ darwinssl_connect_step3(struct connectdata *conn, CFRelease(server_certs); } #endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */ -#if defined(__MAC_10_7) || defined(__IPHONE_5_0) - } -#endif /* defined(__MAC_10_7) || defined(__IPHONE_5_0) */ connssl->connecting_state = ssl_connect_done; return CURLE_OK;