aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorNick Zitzmann <nick@chronosnet.com>2012-12-26 17:29:50 -0800
committerDaniel Stenberg <daniel@haxx.se>2012-12-27 19:09:25 +0100
commite3ed2b82e6fdc645af630a1f6a72f7d59de013d1 (patch)
tree33be32ace586ea206747e8a6950a391e723ba398 /lib
parent311151beab0e260818339bcff183dd8bd1c52dfa (diff)
darwinssl: Fixed inability to disable peer verification
... on Snow Leopard and Lion Snow Leopard introduced the SSLSetSessionOption() function, but it doesn't disable peer verification as expected on Snow Leopard or Lion (it works as expected in Mountain Lion). So we now use sysctl() to detect whether or not the user is using Snow Leopard or Lion, and if that's the case, then we now use the deprecated SSLSetEnableCertVerify() function instead to disable peer verification.
Diffstat (limited to 'lib')
-rw-r--r--lib/curl_darwinssl.c47
1 files changed, 46 insertions, 1 deletions
diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c
index 40d4870ad..2d56b3920 100644
--- a/lib/curl_darwinssl.c
+++ b/lib/curl_darwinssl.c
@@ -38,6 +38,9 @@
#include <Security/SecureTransport.h>
#include <CoreFoundation/CoreFoundation.h>
#include <CommonCrypto/CommonDigest.h>
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+#include <sys/sysctl.h>
+#endif
#include "urldata.h"
#include "sendf.h"
@@ -623,6 +626,41 @@ CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher) {
return "TLS_NULL_WITH_NULL_NULL";
}
+CF_INLINE bool IsRunningMountainLionOrLater(void)
+{
+#if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE))
+ int mib[2];
+ char *os_version;
+ size_t os_version_len;
+ char *os_version_major/*, *os_version_minor, *os_version_point*/;
+ int os_version_major_int;
+
+ /* Get the Darwin kernel version from the kernel using sysctl(): */
+ mib[0] = CTL_KERN;
+ mib[1] = KERN_OSRELEASE;
+ if(sysctl(mib, 2, NULL, &os_version_len, NULL, 0) == -1)
+ return false;
+ os_version = malloc(os_version_len*sizeof(char));
+ if(!os_version)
+ return false;
+ if(sysctl(mib, 2, os_version, &os_version_len, NULL, 0) == -1) {
+ free(os_version);
+ return false;
+ }
+
+ /* Parse the version. If it's version 12.0.0 or later, then this user is
+ using Mountain Lion. */
+ os_version_major = strtok(os_version, ".");
+ /*os_version_minor = strtok(NULL, ".");
+ os_version_point = strtok(NULL, ".");*/
+ os_version_major_int = atoi(os_version_major);
+ free(os_version);
+ return os_version_major_int >= 12;
+#else
+ return true; /* iOS users: this doesn't concern you */
+#endif
+}
+
static CURLcode darwinssl_connect_step1(struct connectdata *conn,
int sockindex)
{
@@ -772,7 +810,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
* anyway. In the latter case the result of the verification is checked with
* SSL_get_verify_result() below. */
#if defined(__MAC_10_6) || defined(__IPHONE_5_0)
- if(SSLSetSessionOption != NULL) {
+ /* Snow Leopard introduced the SSLSetSessionOption() function, but due to
+ a library bug with the way the kSSLSessionOptionBreakOnServerAuth flag
+ works, it doesn't work as expected under Snow Leopard or Lion.
+ So we need to call SSLSetEnableCertVerify() on those older cats in order
+ to disable certificate validation if the user turned that off.
+ (SecureTransport will always validate the certificate chain by
+ default.) */
+ if(SSLSetSessionOption != NULL && IsRunningMountainLionOrLater()) {
err = SSLSetSessionOption(connssl->ssl_ctx,
kSSLSessionOptionBreakOnServerAuth,
data->set.ssl.verifypeer?false:true);