wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

simplified apple header detection used in code

Browse Source
This commit is contained in:
Brett
2023-10-23 09:13:46 -06:00
parent d801dc1c85
commit 60f75ea5a8
3 changed files with 32 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
CMakeLists.txt
View File

@ -1723,10 +1723,16 @@ if(WOLFSSL_SYS_CA_CERTS)
message("Can't enable system CA certs without a filesystem.") message("Can't enable system CA certs without a filesystem.")
override_cache(WOLFSSL_SYS_CA_CERTS "no") override_cache(WOLFSSL_SYS_CA_CERTS "no")
elseif(APPLE) elseif(APPLE)
# Headers used for MacOS default system CA certs behavior. Only MacOS SDK will have this header
check_include_file("Security/SecTrustSettings.h" HAVE_SECURITY_SECTRUSTSETTINGS_H) check_include_file("Security/SecTrustSettings.h" HAVE_SECURITY_SECTRUSTSETTINGS_H)
# Headers used for Apple native cert validation. All device SDKs should have these headers
check_include_file("Security/SecCertificate.h" HAVE_SECURITY_SECCERTIFICATE_H) check_include_file("Security/SecCertificate.h" HAVE_SECURITY_SECCERTIFICATE_H)
check_include_file("Security/SecTrust.h" HAVE_SECURITY_SECTRUST_H) check_include_file("Security/SecTrust.h" HAVE_SECURITY_SECTRUST_H)
check_include_file("Security/SecPolicy.h" HAVE_SECURITY_SECPOLICY_H) check_include_file("Security/SecPolicy.h" HAVE_SECURITY_SECPOLICY_H)
# Either Security/SecTrustSettings (for MacOS cert loading), or the
# trio of Security/SecCertificate.h, Security/SecTrust.h, and
# Security/SecPolicy.h (for native trust APIs on other apple devices)
# must be present. Default to SecTrustSettings method on MacOS.
if(HAVE_SECURITY_SECTRUSTSETTINGS_H OR (HAVE_SECURITY_SECCERTIFICATE_H if(HAVE_SECURITY_SECTRUSTSETTINGS_H OR (HAVE_SECURITY_SECCERTIFICATE_H
AND HAVE_SECURITY_SECTRUST_H AND HAVE_SECURITY_SECTRUST_H
AND HAVE_SECURITY_SECPOLICY_H)) AND HAVE_SECURITY_SECPOLICY_H))
@ -1739,6 +1745,14 @@ if(WOLFSSL_SYS_CA_CERTS)
message(FATAL_ERROR "Can't enable system CA certs without Security framework.") message(FATAL_ERROR "Can't enable system CA certs without Security framework.")
endif() endif()
endif() endif()
# MacOS should not use native cert validation by default, but other apple devices should.
if(NOT HAVE_SECURITY_SECTRUSTSETTINGS_H AND HAVE_SECURITY_SECCERTIFICATE_H
AND HAVE_SECURITY_SECTRUST_H
AND HAVE_SECURITY_SECPOLICY_H)
list(APPEND WOLFSSL_DEFINITIONS "-DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION")
endif()
else() else()
message(FATAL_ERROR "Can't enable system CA certs without Apple Security.framework headers.") message(FATAL_ERROR "Can't enable system CA certs without Apple Security.framework headers.")
endif() endif()

30
configure.ac
View File

@ -8351,26 +8351,30 @@ then
case $host_os in case $host_os in
*darwin*) *darwin*)
# Creates the HAVE_SECURITY_SECXXX_H macros in config.h # Headers used for MacOS default system CA certs behavior. Only MacOS SDK will have this header
AC_CHECK_HEADERS([Security/SecTrustSettings.h]) AC_CHECK_HEADERS([Security/SecTrustSettings.h])
# Headers used for Apple native cert validation. All device SDKs should have these headers
AC_CHECK_HEADERS([Security/SecCertificate.h]) AC_CHECK_HEADERS([Security/SecCertificate.h])
AC_CHECK_HEADERS([Security/SecTrust.h]) AC_CHECK_HEADERS([Security/SecTrust.h])
AC_CHECK_HEADERS([Security/SecPolicy.h]) AC_CHECK_HEADERS([Security/SecPolicy.h])
# Either Security/SecTrustSettings (for MacOS cert loading), or the # Either Security/SecTrustSettings (for MacOS cert loading), or the
# trio of Security/SecCertificate.h, Security/SecTrust.h, and # trio of Security/SecCertificate.h, Security/SecTrust.h, and
# Security/SecPolicy.h (for native trust APIs other apple devices) # Security/SecPolicy.h (for native trust APIs on other apple devices)
# must be present # must be present. Default to SecTrustSettings method on MacOS.
AS_IF([test -n "$ac_cv_header_Security_SecTrustSettings_h" \ AS_IF([test "$ac_cv_header_Security_SecTrustSettings_h" = "yes" \
|| (test -n "$ac_cv_header_Security_SecCertificate_h" \ || (test "$ac_cv_header_Security_SecCertificate_h" = "yes" \
&& test -n "$ac_cv_header_Security_SecTrust_h" \ && test "$ac_cv_header_Security_SecTrust_h" = "yes" \
&& test -n "$ac_cv_header_Security_SecPolicy_h")], && test "$ac_cv_header_Security_SecPolicy_h" = "yes")],
[
LDFLAGS="$LDFLAGS -framework CoreFoundation -framework Security"
AS_IF([test "$ac_cv_header_Security_SecTrustSettings_h" != "yes"],
[ [
LDFLAGS="$LDFLAGS -framework CoreFoundation -framework Security" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_APPLE_NATIVE_CERT_VALIDATION"
], ])
[ ],
AC_MSG_ERROR([Unable to find Apple Security.framework headers]) [
] AC_MSG_ERROR([Unable to find Apple Security.framework headers])
) ])
;; ;;
esac esac
fi fi

5
src/ssl.c
View File

@ -8567,10 +8567,7 @@ int wolfSSL_CTX_load_system_CA_certs(WOLFSSL_CTX* ctx)
* load them manually into wolfSSL "the old way". Accessiblity of this API * load them manually into wolfSSL "the old way". Accessiblity of this API
* is indicated by the presence of the Security/SecTrustSettings.h header */ * is indicated by the presence of the Security/SecTrustSettings.h header */
ret = LoadSystemCaCertsMac(ctx, &loaded); ret = LoadSystemCaCertsMac(ctx, &loaded);
#elif defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION) \ #elif defined(WOLFSSL_APPLE_NATIVE_CERT_VALIDATION)
|| (defined(HAVE_SECURITY_SECCERTIFICATE_H) \
&& defined(HAVE_SECURITY_SECTRUST_H) \
&& defined(HAVE_SECURITY_SECPOLICY_H))
/* For other Apple devices, Apple has removed the ability to obtain /* For other Apple devices, Apple has removed the ability to obtain
* certificates from the trust store, so we can't use wolfSSL's built-in * certificates from the trust store, so we can't use wolfSSL's built-in
* certificate validation mechanisms anymore. We instead must call into the * certificate validation mechanisms anymore. We instead must call into the