Merge pull request #5767 from haydenroche5/load_system_root_certs

Improve logic for enabling system CA certs on Apple devices.
This commit is contained in:
David Garske
2022-11-07 15:15:13 -08:00
committed by GitHub
7 changed files with 68 additions and 25 deletions


@ -66,18 +66,6 @@ if(CMAKE_C_COMPILER_ID STREQUAL "AppleClang")
set(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>") set(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
endif() endif()
if(APPLE)
find_library(CORE_FOUNDATION_FRAMEWORK CoreFoundation)
if(NOT CORE_FOUNDATION_FRAMEWORK)
message(FATAL_ERROR "Couldn't find CoreFoundation framework.")
endif()
find_library(SECURITY_FRAMEWORK Security)
if(NOT SECURITY_FRAMEWORK)
message(FATAL_ERROR "Couldn't find Security framework.")
endif()
endif()
include(CheckIncludeFile) include(CheckIncludeFile)
check_include_file("arpa/inet.h" HAVE_ARPA_INET_H) check_include_file("arpa/inet.h" HAVE_ARPA_INET_H)
@ -1673,10 +1661,33 @@ add_option("WOLFSSL_OPTFLAGS"
add_option("WOLFSSL_SYS_CA_CERTS" add_option("WOLFSSL_SYS_CA_CERTS"
"Enable ability to load CA certs from OS (default: enabled)" "Enable ability to load CA certs from OS (default: enabled)"
"yes" "yes;no") "yes" "yes;no")
if(WOLFSSL_SYS_CA_CERTS) if(WOLFSSL_SYS_CA_CERTS)
if(NOT WOLFSSL_FILESYSTEM) if(NOT WOLFSSL_FILESYSTEM)
message(FATAL_ERROR "Cannot use system CA certs without a filesystem.") message("Can't enable system CA certs without a filesystem.")
else() override_cache(WOLFSSL_SYS_CA_CERTS "no")
elseif(APPLE)
check_include_file("Security/SecTrustSettings.h" HAVE_SECURITY_SECTRUSTSETTINGS_H)
if(NOT HAVE_SECURITY_SECTRUSTSETTINGS_H)
message("Can't enable system CA certs without Security/SecTrustSettings.h.")
override_cache(WOLFSSL_SYS_CA_CERTS "no")
else()
find_library(CORE_FOUNDATION_FRAMEWORK CoreFoundation)
if(NOT CORE_FOUNDATION_FRAMEWORK)
message("Can't enable system CA certs without CoreFoundation framework.")
override_cache(WOLFSSL_SYS_CA_CERTS "no")
else()
find_library(SECURITY_FRAMEWORK Security)
if(NOT SECURITY_FRAMEWORK)
message("Can't enable system CA certs without Security framework.")
override_cache(WOLFSSL_SYS_CA_CERTS "no")
endif()
endif()
endif()
endif()
if(WOLFSSL_SYS_CA_CERTS)
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SYS_CA_CERTS") list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_SYS_CA_CERTS")
endif() endif()
endif() endif()
@ -1931,9 +1942,11 @@ if(WIN32)
target_link_libraries(wolfssl PUBLIC target_link_libraries(wolfssl PUBLIC
$<$<PLATFORM_ID:Windows>:ws2_32>) $<$<PLATFORM_ID:Windows>:ws2_32>)
elseif(APPLE) elseif(APPLE)
target_link_libraries(wolfssl PUBLIC if(WOLFSSL_SYS_CA_CERTS)
${CORE_FOUNDATION_FRAMEWORK} target_link_libraries(wolfssl PUBLIC
${SECURITY_FRAMEWORK}) ${CORE_FOUNDATION_FRAMEWORK}
${SECURITY_FRAMEWORK})
endif()
else() else()
# DH requires math (m) library # DH requires math (m) library
target_link_libraries(wolfssl target_link_libraries(wolfssl
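Review bot: The four branches in the second hunk that flip WOLFSSL_SYS_CA_CERTS to "no" report it with a bare `message(...)`, which prints at NOTICE level and is easy to miss in configure output; the user asked for system CA certs (the option defaults to "yes") and the build quietly loses OS trust-store loading, so these should be `message(WARNING "Can't enable system CA certs without a filesystem.")` and likewise for the SecTrustSettings.h, CoreFoundation and Security branches. The removed block at the top of the file treated the missing frameworks as FATAL_ERROR on every Apple build; scoping the probe to the option and downgrading to a warning is reasonable, but the downgrade should at least be loud. A short comment above `check_include_file("Security/SecTrustSettings.h" HAVE_SECURITY_SECTRUSTSETTINGS_H)` noting that the result is written into config.h and consulted again by the settings header in the last file of this change would help the next reader see why the header probe exists alongside the framework probes.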


@ -34,6 +34,9 @@
/* Define to 1 if you have the <sys/time.h> header file. */ /* Define to 1 if you have the <sys/time.h> header file. */
#cmakedefine HAVE_SYS_TIME_H @HAVE_SYS_TIME_H@ #cmakedefine HAVE_SYS_TIME_H @HAVE_SYS_TIME_H@
/* Define to 1 if you have the <Security/SecTrustSettings.h> header file. */
#cmakedefine HAVE_SECURITY_SECTRUSTSETTINGS_H @HAVE_SECURITY_SECTRUSTSETTINGS_H@
/* Define to 1 if the system has the type `__uint128_t'. */ /* Define to 1 if the system has the type `__uint128_t'. */
#cmakedefine HAVE___UINT128_T @HAVE___UINT128_T@ #cmakedefine HAVE___UINT128_T @HAVE___UINT128_T@


@ -7443,6 +7443,21 @@ then
then then
ENABLED_SYS_CA_CERTS="no" ENABLED_SYS_CA_CERTS="no"
fi fi
case $host_os in
*darwin*)
AC_CHECK_HEADERS([Security/SecTrustSettings.h],
[
# For Mac we need these frameworks to load system CA certs
LDFLAGS="$LDFLAGS -framework CoreFoundation -framework Security"
],
[
AC_MSG_NOTICE([Can't enable system CA certs without Security/SecTrustSettings.h])
ENABLED_SYS_CA_CERTS="no"
]
)
;;
esac
fi fi
if test "x$ENABLED_WOLFCLU" = "xyes" if test "x$ENABLED_WOLFCLU" = "xyes"
@ -8059,10 +8074,6 @@ case $host_os in
MINGW_LIB_WARNING="yes" MINGW_LIB_WARNING="yes"
fi fi
fi ;; fi ;;
*darwin*)
# For Mac we need these frameworks to load system CA certs
LDFLAGS="$LDFLAGS -framework CoreFoundation -framework Security"
;;
esac esac
if test "$enable_shared" = "no"; then if test "$enable_shared" = "no"; then
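Review bot: The new `case $host_os` block runs unconditionally after the `fi` directly above it, and that branch has just set `ENABLED_SYS_CA_CERTS="no"`; on Darwin the header probe and the `-framework CoreFoundation -framework Security` append to LDFLAGS therefore still happen when the feature was already disabled, and every later link in the build picks up the frameworks. Wrap the block so the linker flags track the option, e.g. `if test "x$ENABLED_SYS_CA_CERTS" = "xyes"; then` before the `case` and a matching `fi` after `esac`. The enclosing `if` begins before the hunk, so an outer condition I cannot see may already make this moot. The second hunk is the pure removal of the old unconditional append and needs nothing further.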


@ -162,16 +162,20 @@
#endif #endif
#endif /* !WOLFCRYPT_ONLY || OPENSSL_EXTRA */ #endif /* !WOLFCRYPT_ONLY || OPENSSL_EXTRA */
#ifdef WOLFSSL_SYS_CA_CERTS
#ifdef _WIN32 #ifdef _WIN32
#include <windows.h> #include <windows.h>
#include <Wincrypt.h> #include <Wincrypt.h>
#pragma comment(lib, "crypt32") #pragma comment(lib, "crypt32")
#endif #endif
#ifdef __APPLE__ #if defined(__APPLE__) && defined(HAVE_SECURITY_SECTRUSTSETTINGS_H)
# include <Security/SecTrustSettings.h> #include <Security/SecTrustSettings.h>
#endif #endif
#endif /* WOLFSSL_SYS_CA_CERTS */
/* /*
* OPENSSL_COMPATIBLE_DEFAULTS: * OPENSSL_COMPATIBLE_DEFAULTS:
* Enable default behaviour that is compatible with OpenSSL. For example * Enable default behaviour that is compatible with OpenSSL. For example


@ -24,6 +24,9 @@
* ruby ./x25519/x25519.rb arm32 ../wolfssl/wolfcrypt/src/port/arm/armv8-32-curve25519.S * ruby ./x25519/x25519.rb arm32 ../wolfssl/wolfcrypt/src/port/arm/armv8-32-curve25519.S
*/ */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif /* HAVE_CONFIG_H */
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#ifdef WOLFSSL_ARMASM #ifdef WOLFSSL_ARMASM


@ -24,6 +24,9 @@
* ruby ./x25519/x25519.rb arm32 ../wolfssl/wolfcrypt/src/port/arm/armv8-32-curve25519.c * ruby ./x25519/x25519.rb arm32 ../wolfssl/wolfcrypt/src/port/arm/armv8-32-curve25519.c
*/ */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif /* HAVE_CONFIG_H */
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#ifdef WOLFSSL_ARMASM #ifdef WOLFSSL_ARMASM


@ -2862,11 +2862,17 @@ extern void uITRON4_free(void *p) ;
#ifdef WOLFSSL_SYS_CA_CERTS #ifdef WOLFSSL_SYS_CA_CERTS
#ifdef NO_FILESYSTEM #ifdef NO_FILESYSTEM
#warning "Turning off WOLFSSL_SYS_CA_CERTS b/c NO_FILESYSTEM is defined." /* Turning off WOLFSSL_SYS_CA_CERTS b/c NO_FILESYSTEM is defined */
#undef WOLFSSL_SYS_CA_CERTS #undef WOLFSSL_SYS_CA_CERTS
#endif #endif
#ifdef NO_CERTS #ifdef NO_CERTS
#warning "Turning off WOLFSSL_SYS_CA_CERTS b/c NO_CERTS is defined." /* Turning off WOLFSSL_SYS_CA_CERTS b/c NO_CERTS is defined */
#undef WOLFSSL_SYS_CA_CERTS
#endif
#if defined(__APPLE__) && !defined(HAVE_SECURITY_SECTRUSTSETTINGS_H)
/* Turning off WOLFSSL_SYS_CA_CERTS b/c no Security/SecTrustSettings.h header */
#undef WOLFSSL_SYS_CA_CERTS #undef WOLFSSL_SYS_CA_CERTS
#endif #endif
#endif /* WOLFSSL_SYS_CA_CERTS */ #endif /* WOLFSSL_SYS_CA_CERTS */
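Review bot: The new `#if defined(__APPLE__) && !defined(HAVE_SECURITY_SECTRUSTSETTINGS_H)` makes keeping WOLFSSL_SYS_CA_CERTS depend on a macro that only config.h (or an equivalent user-provided settings header) supplies, and the two arm curve25519 files in this same change had to add `#include <config.h>` to get it; any translation unit or consumer that reaches this header without that define has system CA loading turned off on Apple with no diagnostic, now that the `#warning` lines have become plain comments. A comment above the new block would make that contract explicit, e.g. `/* HAVE_SECURITY_SECTRUSTSETTINGS_H is produced by the configure/CMake header probe; it must be visible before this header (via config.h or a user settings header) or system CA certs are silently disabled on Apple. */`. If silent disabling is not intended for non-autotools builds, consider whether the Apple check should also be gated on a build-system-provided define rather than on the absence of one, but that is an inferred concern I cannot confirm from this hunk.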