2 changes: 1 addition & 1 deletion CMakeLists.txt
Expand Up @@ -586,7 +586,7 @@ if (WIN32)
target_link_libraries(torrent-rasterbar
PRIVATE
wsock32 ws2_32 Iphlpapi
debug dbghelp
debug dbghelp crypt32
)

add_definitions(-D_WIN32_WINNT=0x0600) # target Windows Vista or later
1 change: 1 addition & 0 deletions ChangeLog
@@ -1,3 +1,4 @@
* load SSL certificates from windows system certificate store, to authenticate trackers
* introduce mitigation for Server Side Request Forgery in tracker announces
* fix error handling for pool allocation failure

5 changes: 4 additions & 1 deletion Jamfile
Expand Up @@ -517,10 +517,13 @@ lib advapi32 : : <name>advapi32 ;
lib user32 : : <name>user32 ;
lib shell32 : : <name>shell32 ;
lib gdi32 : : <name>gdi32 ;
lib crypt32 : : <name>crypt32 ;
lib z : : <link>shared <name>z ;

# openssl libraries on windows
alias ssl-deps : advapi32 user32 shell32 gdi32 ;
# technically, crypt32 is not an OpenSSL dependency, but libtorrent needs it on
# windows to access the system certificate store, for authenticating trackers
alias ssl-deps : advapi32 user32 shell32 gdi32 crypt32 ;

# pre OpenSSL 1.1 windows
lib crypto : ssl-deps : <target-os>windows <openssl-version>pre1.1 <name>libeay32
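--- a/src/session_impl.cpp
+++ b/src/session_impl.cpp
@@ -171,6 +171,10 @@ namespace {
 }
 #endif
 
+#ifdef TORRENT_WINDOWS
+#include <wincrypt.h>
+#endif
+
 #endif // TORRENT_USE_OPENSSL
 
 #ifdef TORRENT_WINDOWS
@@ -559,6 +563,33 @@ namespace aux {
 m_ssl_ctx.set_verify_mode(boost::asio::ssl::context::verify_none, ec);
 m_ssl_ctx.set_default_verify_paths(ec);
 m_peer_ssl_ctx.set_verify_mode(boost::asio::ssl::context::verify_none, ec);
+#ifdef TORRENT_WINDOWS
+// load certificates from the windows system certificate store
+X509_STORE* store = X509_STORE_new();
+if (store)
+{
+HCERTSTORE system_store = CertOpenSystemStoreA(0, "ROOT");
+// this is best effort
+if (system_store)
+{
+CERT_CONTEXT const* ctx = nullptr;
+while ((ctx = CertEnumCertificatesInStore(system_store, ctx)) != nullptr)
+{
+unsigned char const* cert_ptr = reinterpret_cast<unsigned char const*>(ctx->pbCertEncoded);
+X509* x509 = d2i_X509(nullptr, &cert_ptr, ctx->cbCertEncoded);
+// this is best effort
+if (!x509) continue;
+X509_STORE_add_cert(store, x509);
+X509_free(x509);
+}
+CertFreeCertificateContext(ctx);
+CertCloseStore(system_store, 0);
+}
+}
+
+SSL_CTX* ssl_ctx = m_ssl_ctx.native_handle();
+SSL_CTX_set_cert_store(ssl_ctx, store);
+#endif
 #if OPENSSL_VERSION_NUMBER >= 0x90812f
 aux::openssl_set_tlsext_servername_callback(m_peer_ssl_ctx.native_handle()
 , servername_callback);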
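Review bot: `SSL_CTX_set_cert_store(ssl_ctx, store)` at the end of the second hunk replaces the context's existing certificate store, which is the one `m_ssl_ctx.set_default_verify_paths(ec)` configured three lines above the `#ifdef`, so on Windows the default cert file/dir lookups (and the `SSL_CERT_FILE`/`SSL_CERT_DIR` overrides) are discarded and only what was copied from the ROOT store remains. Adding into the existing store avoids that and the ownership handling of a fresh store: replace the `X509_STORE_new()` line with `X509_STORE* store = SSL_CTX_get_cert_store(m_ssl_ctx.native_handle());` and drop the two `ssl_ctx` / `SSL_CTX_set_cert_store` lines. Note that `m_ssl_ctx` is still set to `verify_none` at the top of the hunk, so the loaded roots only matter where a per-connection verify mode is enabled later (presumably the tracker connection code, outside this hunk); a one-line comment next to the `#ifdef` stating that would help the next reader. `<wincrypt.h>` defines macros such as `X509_NAME` and `OCSP_RESPONSE` that collide with OpenSSL type names — the include in the first hunk sits after the OpenSSL headers so this code compiles, but any later use of those OpenSSL names in this translation unit would be macro-rewritten, which deserves a comment on the include. Lastly, `CertFreeCertificateContext(ctx)` after the loop always receives nullptr (the loop only exits on a null `ctx` and has no `break`), so it is a no-op that could be dropped; the enclosing function starts and ends outside the hunk.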