diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5df926cc..772b5751 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -123,8 +123,8 @@ if (USE_TLS)
     if (NOT USE_MBED_TLS AND NOT USE_OPEN_SSL) # unless we want something else
       set(USE_SECURE_TRANSPORT ON)
     endif()
-  # default to mbedtls on uwp (universal windows platform) if nothing is configured
-  elseif (${CMAKE_SYSTEM_NAME} MATCHES "WindowsStore")
+  # default to mbedtls on windows if nothing is configured
+  elseif (WIN32)
     if (NOT USE_OPEN_SSL) # unless we want something else
       set(USE_MBED_TLS ON)
     endif()
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 27167206..aae5a5b0 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -1,6 +1,10 @@
 # Changelog
 All changes to this project will be documented in this file.
 
+## [9.6.1] - 2020-05-17
+
+(windows + tls) mbedtls is the default windows tls backend + add ability to load system certificates with mbdetls on windows
+
 ## [9.6.0] - 2020-05-12
 
 (ixbots) add options to limit how many messages per minute should be processed
diff --git a/ixwebsocket/IXSocketMbedTLS.cpp b/ixwebsocket/IXSocketMbedTLS.cpp
index 583d5e84..22620d1a 100644
--- a/ixwebsocket/IXSocketMbedTLS.cpp
+++ b/ixwebsocket/IXSocketMbedTLS.cpp
@@ -43,6 +43,55 @@ namespace ix
         mbedtls_pk_init(&_pkey);
     }
 
+    bool SocketMbedTLS::loadSystemCertificates(std::string& errorMsg)
+    {
+#ifdef _WIN32
+        DWORD flags = CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG |
+                      CERT_SYSTEM_STORE_CURRENT_USER;
+        HCERTSTORE systemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, flags, L"Root");
+
+        if (!systemStore)
+        {
+            errorMsg = "CertOpenStore failed with ";
+            errorMsg += std::to_string(GetLastError());
+            return false;
+        }
+
+        PCCERT_CONTEXT certificateIterator = NULL;
+
+        int certificateCount = 0;
+        while (certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator))
+        {
+            if (certificateIterator->dwCertEncodingType & X509_ASN_ENCODING)
+            {
+                int ret = mbedtls_x509_crt_parse(&_cacert,
+                                                 certificateIterator->pbCertEncoded,
+                                                 certificateIterator->cbCertEncoded);
+                if (ret == 0)
+                {
+                    ++certificateCount;
+                }
+            }
+        }
+
+        CertFreeCertificateContext(certificateIterator);
+        CertCloseStore(systemStore, 0);
+
+        if (certificateCount == 0)
+        {
+            errorMsg = "No certificates found";
+            return false;
+        }
+
+        return true;
+#else
+        // On macOS we can query the system cert location from the keychain
+        // On Linux we could try to fetch some local files based on the distribution
+        // On Android we could use JNI to get to the system certs
+        return false;
+#endif
+    }
+
     bool SocketMbedTLS::init(const std::string& host, bool isClient, std::string& errMsg)
     {
         initMBedTLS();
@@ -96,13 +145,15 @@ namespace ix
         }
         else
         {
-            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
-            // FIXME: should we call mbedtls_ssl_conf_verify ?
+            mbedtls_ssl_conf_authmode(&_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
             if (_tlsOptions.isUsingSystemDefaults())
             {
-                ; // FIXME
+                if (!loadSystemCertificates(errMsg))
+                {
+                    return false;
+                }
             }
             else
             {
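Review bot: The `#else` branch of loadSystemCertificates returns false without touching errorMsg, so on macOS/Linux/Android init() now fails with an empty error string whenever isUsingSystemDefaults() is true; assign something like `errorMsg = "Loading system certificates is not supported on this platform with mbedtls";` before that `return false;`. On Windows every certificate in the current user's Root store becomes a trusted CA for mbedtls, but the trust restrictions Windows itself applies when building a chain — per-certificate enhanced-key-usage limits (CERT_ENHKEY_USAGE_PROP_ID) and, as far as I know, the Disallowed store — are not consulted, and roots that Windows only fetches on demand through automatic root update are absent until some other application has triggered the download. That is an acceptable first cut, but it deserves a comment above the loop such as `// NOTE: every Root-store cert is trusted for server auth; Windows per-cert EKU restrictions and the Disallowed store are not honoured` so nobody assumes parity with SChannel. Minor: `CertFreeCertificateContext(certificateIterator)` after the loop always receives NULL, because CertEnumCertificatesInStore frees the previous context and returns NULL when enumeration ends, so the call can be dropped, and `while ((certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator)) != NULL)` makes the assignment-in-condition explicit.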
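Review bot: The roots parsed into `_cacert` only take effect if init() also calls `mbedtls_ssl_conf_ca_chain(&_conf, &_cacert, NULL)` after this block; the hunk ends inside the `else` branch before any such call is visible, so confirm it is reached on the system-defaults path and not only after the explicit CA-file branch, otherwise MBEDTLS_SSL_VERIFY_REQUIRED rejects every handshake for lack of a CA chain. Dropping the FIXME about mbedtls_ssl_conf_verify is fine — with VERIFY_REQUIRED a verify callback is optional — but peer verification is only meaningful together with hostname matching, which in mbedtls depends on `mbedtls_ssl_set_hostname(...)` being called with the `host` init() receives; a one-line comment here pointing at where that happens would reassure the next reader. init()'s body starts before and continues past this hunk.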
@@ -52,6 +52,7 @@ namespace ix
         bool init(const std::string& host, bool isClient, std::string& errMsg);
         void initMBedTLS();
+        bool loadSystemCertificates(std::string& errMsg);
     };
 } // namespace ix
diff --git a/ixwebsocket/IXWebSocketVersion.h b/ixwebsocket/IXWebSocketVersion.h
index f81819d9..621d2054 100644
--- a/ixwebsocket/IXWebSocketVersion.h
+++ b/ixwebsocket/IXWebSocketVersion.h
@@ -6,4 +6,4 @@
 #pragma once
-#define IX_WEBSOCKET_VERSION "9.6.0"
+#define IX_WEBSOCKET_VERSION "9.6.1"