diff --git a/.github/workflows/releases-mingw.yml b/.github/workflows/releases-mingw.yml
index 3fd418e86..3e7466b5a 100644
--- a/.github/workflows/releases-mingw.yml
+++ b/.github/workflows/releases-mingw.yml
@@ -164,10 +164,11 @@ jobs:
 vcredist_x64.exe /install /quiet /norestart
 del vcredist_x64.exe
 - name: Run unittests
+ shell: bash
 run: |
 cd build-mingw
- yass_test
- yass_benchmark
+ ./yass_test
+ ./yass_benchmark
 - name: Upload dist tarball
 if: ${{ github.event_name == 'release' }}
 env:
diff --git a/src/net/asio_ssl.cpp b/src/net/asio_ssl.cpp
index 4bdcedada..2c0707916 100644
--- a/src/net/asio_ssl.cpp
+++ b/src/net/asio_ssl.cpp
@@ -259,6 +259,7 @@ bool IsNotAcceptableIntermediate(const bssl::ParsedCertificate* cert, const CFSt
 static bool found_isrg_root_x1 = false;
 static bool found_isrg_root_x2 = false;
+static bool found_digicert_root_g2 = false;
 void print_openssl_error() {
 const char* file;
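Review bot: The new `found_digicert_root_g2` joins two other file-scope mutable flags, and nothing at the declarations says who writes them or when. Going by the other hunks of this commit, they are set in `load_ca_cert_to_x509_trust` and reset at the top of `load_ca_to_ssl_ctx`, so two overlapping calls to `load_ca_to_ssl_ctx` would race on them if that can ever happen; worth confirming against the callers. I would add a comment above the three declarations, for example `// Per-load scratch flags: reset in load_ca_to_ssl_ctx(), set while certificates are added; not synchronized.`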
@@ -287,16 +288,20 @@ static bool load_ca_cert_to_x509_trust(X509_STORE* store, bssl::UniquePtr
 X509_NAME_ENTRY* entry = X509_NAME_get_entry(X509_get_subject_name(cert.get()), lastpos);
 const ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry);
- std::string commonName((const char*)ASN1_STRING_get0_data(value), ASN1_STRING_length(value));
- // TODO check commonName with "ISRG Root X1" and "ISRG Root X2"
- if (commonName == "ISRG Root X1") {
- LOG(INFO) << "Loading ISRG Root X1 CA";
+ std::string_view commonName((const char*)ASN1_STRING_get0_data(value), ASN1_STRING_length(value));
+ using std::string_view_literals::operator""sv;
+ if (commonName == "ISRG Root X1"sv) {
+ VLOG(1) << "Loading ISRG Root X1 CA";
 found_isrg_root_x1 = true;
 }
- if (commonName == "ISRG Root X2") {
- LOG(INFO) << "Loading ISRG Root X2 CA";
+ if (commonName == "ISRG Root X2"sv) {
+ VLOG(1) << "Loading ISRG Root X2 CA";
 found_isrg_root_x2 = true;
 }
+ if (commonName == "DigiCert Global Root G2"sv) {
+ VLOG(1) << "Loading DigiCert Global Root G2 CA";
+ found_digicert_root_g2 = true;
+ }
 }
 if (X509_STORE_add_cert(store, cert.get()) == 1) {
@@ -323,8 +328,8 @@ static bool load_ca_content_to_x509_trust(X509_STORE* store, std::string_view ca
 return load_ca_cert_to_x509_trust(store, std::move(cert));
 }
-static const char kEndCertificateMark[] = "-----END CERTIFICATE-----\n";
-static int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, const std::string_view& cadata) {
+static constexpr std::string_view kEndCertificateMark = "-----END CERTIFICATE-----";
+static int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, std::string_view cadata) {
 X509_STORE* store = nullptr;
 int count = 0;
 store = SSL_CTX_get_cert_store(ssl_ctx);
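Review bot: The three `commonName == "..."sv` checks in the hunk at -287 identify a root by its subject CN alone, so any certificate in a loaded bundle carrying the name "DigiCert Global Root G2" (or either ISRG name) sets the flag, whatever key it holds. The flags appear to decide in `load_ca_to_ssl_ctx` whether the supplementary bundle is loaded, so a same-named entry would suppress loading the genuine root. Comparing a SHA-256 fingerprint of the certificate against a pinned value would make the check exact. While the line is being touched, the C-style cast can become `reinterpret_cast<const char*>(ASN1_STRING_get0_data(value))`. The function starts before this hunk and continues past it, so whether `entry` is null-checked is not visible here.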
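Review bot: Changing `kEndCertificateMark` from a `char` array to a `std::string_view` in the hunk at -323 silently breaks the unchanged line `end += sizeof(kEndCertificateMark) - 1;`, which is visible as context in the hunk at -339. `sizeof` now yields the size of the view object (typically 16 on 64-bit targets), not the 25-character marker, so `end` lands inside the END line and the slice handed to `load_ca_content_to_x509_trust` is cut mid-marker. That would make trust anchors fail to parse, or be miscounted, with no compile-time signal. The line should become `end += kEndCertificateMark.size();`. The body of `load_ca_to_ssl_ctx_from_mem` continues outside both hunks, so the loop's handling of the trailing newline should be rechecked now that the marker no longer includes `\n`.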
@@ -339,7 +344,7 @@ static int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, const std::string_view&
 }
 end += sizeof(kEndCertificateMark) - 1;
- std::string_view cacert(cadata.data() + pos, end - pos);
+ std::string_view cacert = cadata.substr(pos, end);
 if (load_ca_content_to_x509_trust(store, cacert)) {
 ++count;
 }
@@ -670,6 +675,7 @@ static int load_ca_to_ssl_ctx_system(SSL_CTX* ssl_ctx) {
 void load_ca_to_ssl_ctx(SSL_CTX* ssl_ctx) {
 found_isrg_root_x1 = false;
 found_isrg_root_x2 = false;
+ found_digicert_root_g2 = false;
 load_ca_to_ssl_ctx_cacert(ssl_ctx);
 #ifdef HAVE_BUILTIN_CA_BUNDLE_CRT
@@ -696,12 +702,15 @@ void load_ca_to_ssl_ctx(SSL_CTX* ssl_ctx) {
 }
 // TODO we can add the missing CA if required
- if (!found_isrg_root_x1 || !found_isrg_root_x2) {
+ if (!found_isrg_root_x1 || !found_isrg_root_x2 || !found_digicert_root_g2) {
 if (!found_isrg_root_x1) {
- LOG(WARNING) << "Missing ISRG Root X1 CA";
+ LOG(INFO) << "Missing ISRG Root X1 CA";
 }
 if (!found_isrg_root_x2) {
- LOG(WARNING) << "Missing ISRG Root X2 CA";
+ LOG(INFO) << "Missing ISRG Root X2 CA";
+ }
+ if (!found_digicert_root_g2) {
+ LOG(INFO) << "Missing DigiCert Global Root G2 CA";
 }
 std::string_view ca_content(_binary_supplementary_ca_bundle_crt_start, _binary_supplementary_ca_bundle_crt_end - _binary_supplementary_ca_bundle_crt_start);
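Review bot: The new `cadata.substr(pos, end)` in the hunk at -339 passes an end offset where `substr` expects a count, so it is not equivalent to the removed `(cadata.data() + pos, end - pos)`. For every certificate after the first (`pos > 0`), the slice runs `pos` bytes past the intended end, clamped to the buffer, and takes in part of the following entries. The line should read `std::string_view cacert = cadata.substr(pos, end - pos);`. The surrounding loop starts and ends outside the hunk, so how `pos` advances is not visible here. A small test that loads a bundle of several certificates and checks the returned count would catch this kind of regression in trust-store loading.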