From fa88cbe2683d8410338254eb2c2623cc7b36f1e0 Mon Sep 17 00:00:00 2001
From: Benjamin Sergeant
Date: Sat, 4 Apr 2020 18:09:54 -0700
Subject: [PATCH] load default windows certs
---
 .github/workflows/ccpp.yml | 84 +++++++-------------------------
 ixwebsocket/IXSocketOpenSSL.cpp | 57 ++++++++++++++++++++++
 2 files changed, 74 insertions(+), 67 deletions(-)
diff --git a/.github/workflows/ccpp.yml b/.github/workflows/ccpp.yml
index 66218e03..f3c679b0 100644
--- a/.github/workflows/ccpp.yml
+++ b/.github/workflows/ccpp.yml
@@ -5,74 +5,24 @@ on: - 'docs/**' jobs: - linux: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - - name: make test - run: make test - - mac_tsan_sectransport: - runs-on: macOS-latest - steps: - - uses: actions/checkout@v1 - - name: make test_tsan - run: make test_tsan - - mac_tsan_openssl: - runs-on: macOS-latest - steps: - - uses: actions/checkout@v1 - - name: install openssl - run: brew install openssl - - name: make test - run: make test_tsan_openssl - - mac_tsan_mbedtls: - runs-on: macOS-latest - steps: - - uses: actions/checkout@v1 - - name: install mbedtls - run: brew install mbedtls - - name: make test - run: make test_tsan_mbedtls - - windows_mbedtls: - runs-on: windows-latest - steps: - - uses: actions/checkout@v1 - - uses: seanmiddleditch/gha-setup-vsdevenv@master - - run: | - vcpkg install zlib:x64-windows - vcpkg install mbedtls:x64-windows - - run: | - mkdir build - cd build - cmake -DCMAKE_TOOLCHAIN_FILE=c:/vcpkg/scripts/buildsystems/vcpkg.cmake -DCMAKE_CXX_COMPILER=cl.exe -DUSE_MBED_TLS=1 -DUSE_TLS=1 -DUSE_WS=1 -DUSE_TEST=1 .. - - run: cmake --build build - - # Running the unittest does not work, the binary cannot be found - #- run: ../build/test/ixwebsocket_unittest.exe - # working-directory: test - # # Windows with OpenSSL is working but disabled as it takes 13 minutes (10 for openssl) to build with vcpkg # -# windows_openssl: -# runs-on: windows-latest -# steps: -# - uses: actions/checkout@v1 -# - uses: seanmiddleditch/gha-setup-vsdevenv@master -# - run: | -# vcpkg install zlib:x64-windows -# vcpkg install openssl:x64-windows -# - run: | -# mkdir build -# cd build -# cmake -DCMAKE_TOOLCHAIN_FILE=c:/vcpkg/scripts/buildsystems/vcpkg.cmake -DCMAKE_CXX_COMPILER=cl.exe -DUSE_OPEN_SSL=1 -DUSE_TLS=1 -DUSE_WS=1 -DUSE_TEST=1 .. 
-# - run: cmake --build build
-#
-# # Running the unittest does not work, the binary cannot be found
-# #- run: ../build/test/ixwebsocket_unittest.exe
-# # working-directory: test
+windows_openssl:
+ runs-on: windows-latest
+ steps:
+ - uses: actions/checkout@v1
+ - uses: seanmiddleditch/gha-setup-vsdevenv@master
+ - run: |
+ vcpkg install zlib:x64-windows
+ vcpkg install openssl:x64-windows
+ - run: |
+ mkdir build
+ cd build
+ cmake -DCMAKE_TOOLCHAIN_FILE=c:/vcpkg/scripts/buildsystems/vcpkg.cmake -DCMAKE_CXX_COMPILER=cl.exe -DUSE_OPEN_SSL=1 -DUSE_TLS=1 -DUSE_WS=1 -DUSE_TEST=1 ..
+ - run: cmake --build build
+
+ # Running the unittest does not work, the binary cannot be found
+ #- run: ../build/test/ixwebsocket_unittest.exe
+ # working-directory: test
diff --git a/ixwebsocket/IXSocketOpenSSL.cpp b/ixwebsocket/IXSocketOpenSSL.cpp
index 9e07cf34..fd4391e2 100644
--- a/ixwebsocket/IXSocketOpenSSL.cpp
+++ b/ixwebsocket/IXSocketOpenSSL.cpp
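Review bot: Deleting the linux, mac_tsan_sectransport, mac_tsan_openssl, mac_tsan_mbedtls and windows_mbedtls jobs instead of adding windows_openssl next to them leaves the non-Windows `#else` path of the accompanying IXSocketOpenSSL.cpp change, the TSAN runs and the mbedTLS build with no CI coverage at all. If this is a temporary switch to get the Windows OpenSSL build green, a comment at the top of `jobs:` such as `# TODO: restore the linux / mac_tsan_* / windows_mbedtls jobs once windows_openssl builds` would make that explicit and keep it from being forgotten. The retained comment also says the unit test binary cannot be found on this runner, so the new Windows certificate-loading code is at best compiled here, never executed.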
@@ -21,6 +21,56 @@
 #endif
 #define socketerrno errno
+#ifdef _WIN32
+namespace
+{
+ bool loadWindowsSystemCertificates(SSL_CTX* ssl, std::string& errorMsg)
+ {
+ DWORD flags = CERT_STORE_READONLY_FLAG | CERT_STORE_OPEN_EXISTING_FLAG |
+ CERT_SYSTEM_STORE_CURRENT_USER;
+ HCERTSTORE systemStore = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, flags, L"Root");
+
+ if (!systemStore)
+ {
+ errorMsg = "CertOpenStore failed with " errorMsg += std::to_string(GetLastError());
+ return false;
+ }
+
+ PCCERT_CONTEXT certificateIterator = NULL;
+ X509_STORE* opensslStore = SSL_CTX_get_cert_store(ssl);
+
+ int certificateCount = 0;
+ while (certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator))
+ {
+ X509* x509 = d2i_X509(NULL,
+ (const unsigned char**) &certificateIterator->pbCertEncoded,
+ certificateIterator->cbCertEncoded);
+
+ if (x509)
+ {
+ if (X509_STORE_add_cert(opensslStore, x509) == 1)
+ {
+ ++certificateCount;
+ }
+
+ X509_free(x509);
+ }
+ }
+
+ CertFreeCertificateContext(certificateIterator);
+ CertCloseStore(systemStore, 0);
+
+ if (certificateCount == 0)
+ {
+ errorMsg = "No certificates found";
+ return false;
+ }
+
+ return true;
+ }
+} // namespace
+#endif
+
 namespace ix
 {
 const std::string kDefaultCiphers =
@@ -336,6 +386,12 @@ namespace ix
 {
 if (_tlsOptions.isUsingSystemDefaults())
 {
+#ifdef _WIN32
+ if (!loadWindowsSystemCertificates(_ssl_context))
+ {
+ return false;
+ }
+#else
 if (SSL_CTX_set_default_verify_paths(_ssl_context) == 0)
 {
 auto sslErr = ERR_get_error();
@@ -343,6 +399,7 @@ namespace ix
 errMsg += ERR_error_string(sslErr, nullptr);
 return false;
 }
+#endif
 }
 else if (SSL_CTX_load_verify_locations(
 _ssl_context, _tlsOptions.caFile.c_str(), NULL) != 1)
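Review bot: As rendered, the `!systemStore` branch puts two statements on one line with no separator, `errorMsg = "CertOpenStore failed with " errorMsg += std::to_string(GetLastError());`, which cannot compile; it should read `errorMsg = "CertOpenStore failed with ";` followed by `errorMsg += std::to_string(GetLastError());` (disregard if the line break was lost in rendering rather than in the patch). Separately, `d2i_X509` advances the pointer it is handed, and the call passes the address of the context's own `pbCertEncoded` member, so each iteration rewrites a field inside the `CERT_CONTEXT` returned by the store; copy it to a local first, `const unsigned char* der = certificateIterator->pbCertEncoded;` then `d2i_X509(NULL, &der, certificateIterator->cbCertEncoded)`, which also removes the C-style cast. The `while (certificateIterator = CertEnumCertificatesInStore(...))` condition reads as a typo for `==`; `while ((certificateIterator = CertEnumCertificatesInStore(systemStore, certificateIterator)) != NULL)` makes the assignment deliberate. A short comment above `CertOpenStore` stating why the per-user `Root` store (`CERT_SYSTEM_STORE_CURRENT_USER`) is read rather than the local-machine store, and that only root anchors and no intermediates are imported into the OpenSSL store, would let the next reader judge the trust anchors this installs; the `wincrypt.h` include and crypt32 link dependency this needs are not visible in the hunk, so confirm they exist.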
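Review bot: `loadWindowsSystemCertificates(_ssl_context)` passes one argument, but the function added earlier in this commit is declared `loadWindowsSystemCertificates(SSL_CTX* ssl, std::string& errorMsg)`, so the Windows branch cannot compile and the failure reason it produces would be discarded. The call should be `if (!loadWindowsSystemCertificates(_ssl_context, errMsg))`, passing the same `errMsg` the `#else` branch appends `ERR_error_string` output to, so callers get a diagnostic on both platforms. The enclosing function starts and ends outside this hunk; its matching `#endif` lands in the following hunk, which is otherwise trivial.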