version 0.19

  * fixed version string display
  * failing on SSL verify failures
  * removed ignssl option
  * reenabled ciphers options
  * added verifyssl option (cert verify depth)

13 files changed, 91 insertions, 47 deletions

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9433213
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.c ident
diff --git a/debian/changelog b/debian/changelog
index 1c5752f..eb2b185 100755
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+vchat-client (0.19-1) unstable; urgency=high
+
+  * fixed version string display
+  * failing on SSL verify failures
+  * removed ignssl option
+  * reenabled ciphers options
+  * added verifyssl option (cert verify depth)
+
+ -- Andreas Kotes <count@flatline.de>  Wed, 16 Apr 2014 15:12:23 +0200
+
 vchat-client (0.18-1) unstable; urgency=high
 
   * updated to use TLSv1 or later
diff --git a/vchat-client.c b/vchat-client.c
index f5cd516..1efcd7d 100755
--- a/vchat-client.c
+++ b/vchat-client.c
@@ -32,7 +32,7 @@
 #include "vchat-user.h"
 
 /* version of this module */
-char *vchat_cl_version = "$Id$";
+const char *vchat_cl_version = "$Id$";
 
 /* externally used variables */
 /*   we're logged in */
@@ -442,6 +442,17 @@ void usage( char *name) {
        puts  ("   -n   set nickname");
     printf   ("   -f   set from (default \"%s\")\n",getstroption(CF_FROM));
     puts     ("   -h   gives this help");
+    puts     ("   -v   show module versions");
+}
+
+void versions() {
+  puts (vchat_cl_version);
+  puts (vchat_ui_version);
+  puts (vchat_io_version);
+  puts (vchat_us_version);
+  puts (vchat_cm_version);
+  puts (vchat_ssl_version);
+  puts (vchat_ssl_version_external);
 }
 
 /* main - d'oh */
@@ -456,9 +467,12 @@ main (int argc, char **argv)
   loadconfig (GLOBAL_CONFIG_FILE);
   loadconfig (getstroption (CF_CONFIGFILE));
 
+  /* make SSL version used visible */
+  vchat_ssl_get_version_external();
+
   /* parse commandline */
   while (cmdsunparsed) {
-      pchar = getopt(argc,argv,"C:F:lzs:p:c:n:f:kKL:h");
+      pchar = getopt(argc,argv,"C:F:lzs:p:c:n:f:kKL:hv");
 #ifdef DEBUG
       fprintf(stderr,"parse commandline: %d ('%c'): %s\n",pchar,pchar,optarg);
 #endif
@@ -475,6 +489,7 @@ main (int argc, char **argv)
           case 'n': own_nick_set(optarg);  break;
           case 'f': setstroption(CF_FROM,optarg); break;
           case 'h': usage(argv[0]); exit(0); break;
+          case 'v': versions(); exit(0); break;
           default : usage(argv[0]); exit(1);
       }
   }
diff --git a/vchat-client.sgml b/vchat-client.sgml
index 6b35fe1..3d6fbc7 100755
--- a/vchat-client.sgml
+++ b/vchat-client.sgml
@@ -101,7 +101,7 @@ overridden in the configfile.</para></listitem>
 
 <varlistentry>
 <term><option>-f</option> <replaceable>from</replaceable></term>
-<listitem><para>set from (default "vc-alpha-0.18")</para></listitem>
+<listitem><para>set from (default "vc-alpha-0.19")</para></listitem>
 </varlistentry>
 
 <varlistentry>
@@ -144,7 +144,7 @@ configure the behavior of vchat-client</para>
 
 <varlistentry>
 <term><option>from</option></term>
-<listitem><para>Sets the from (default is "vc-alpha-0.18")</para></listitem>
+<listitem><para>Sets the from (default is "vc-alpha-0.19")</para></listitem>
 </varlistentry>
 
 <varlistentry>
@@ -159,7 +159,7 @@ configure the behavior of vchat-client</para>
 
 <varlistentry>
 <term><option>ciphers</option></term>
-<listitem><para>Set ciphers ("HIGH:MEDIUM")</para></listitem>
+<listitem><para>Set ciphers (autodetected)</para></listitem>
 </varlistentry>
 
 <varlistentry>
diff --git a/vchat-commands.c b/vchat-commands.c
index 2c3d68b..5ade188 100755
--- a/vchat-commands.c
+++ b/vchat-commands.c
@@ -29,7 +29,7 @@
 #include "vchat-user.h"
 
 /* version of this module */
-char *vchat_cm_version = "$Id$";
+const char *vchat_cm_version = "$Id$";
 
 /* from vchat-client.c */
 extern int ownquit;
@@ -452,6 +452,8 @@ command_version(char *tail)
   writeout (vchat_io_version);
   writeout (vchat_us_version);
   writeout (vchat_cm_version);
+  writeout (vchat_ssl_version);
+  writeout (vchat_ssl_version_external);
   showout();
 }
 
diff --git a/vchat-config.h b/vchat-config.h
index d2f29a0..2628dc1 100755
--- a/vchat-config.h
+++ b/vchat-config.h
@@ -29,10 +29,10 @@ extern unsigned int hscroll;
 static volatile configoption configoptions[] = {
 /* config-option   type    name in file  default value           value       localvar  */
   {CF_NICK,        CO_STR, "nick",       NULL,                   NULL,       { NULL }  },
-  {CF_FROM,        CO_STR, "from",       "vc-alpha-0.18",        NULL,       { NULL }  },
+  {CF_FROM,        CO_STR, "from",       "vc-alpha-0.19",        NULL,       { NULL }  },
   {CF_SERVERHOST,  CO_STR, "host",       "localhost",            NULL,       { NULL }  },
   {CF_SERVERPORT,  CO_STR, "port",       "2325",                 NULL,       { NULL }  },
-  {CF_CIPHERSUITE, CO_STR, "ciphers",    "HIGH:MEDIUM",          NULL,       { NULL }  },
+  {CF_CIPHERSUITE, CO_STR, "ciphers",    NULL,                   NULL,       { NULL }  },
   {CF_CONFIGFILE,  CO_STR, "conffile",   "~/.vchat/config",      NULL,       { NULL }  },
   {CF_CERTFILE,    CO_STR, "certfile",   "~/.vchat/cert",        NULL,       { NULL }  },
   {CF_KEYFILE,     CO_STR, "keyfile",    "~/.vchat/key",         NULL,       { NULL }  },
@@ -40,7 +40,7 @@ static volatile configoption configoptions[] = {
   {CF_LOGINSCRIPT, CO_STR, "loginscript","~/.vchat/loginscript", NULL,       { NULL }  },
   {CF_ENCODING,    CO_STR, "encoding",   NULL,                   NULL,       { .pstr = &encoding }},
   {CF_USESSL,      CO_INT, "usessl",     (char *) 1,             (char *)-1, { NULL }  },
-  {CF_IGNSSL,      CO_INT, "ignssl",     (char *) 0,             (char *)-1, { NULL }  },
+  {CF_VERIFYSSL,   CO_INT, "verifyssl",  (char *) 2,             (char *)-1, { NULL }  },
   {CF_USECERT,     CO_INT, "usecert",    (char *) 1,             (char *)-1, { NULL }  },
   {CF_USETIME,     CO_INT, "usetime",    (char *) 1,             (char *)-1, { .pint = &usetime } },
   {CF_USETOPIC,    CO_INT, "usetopicbar",(char *) 1,             (char *)-1, { NULL }  },
diff --git a/vchat-howto b/vchat-howto
index 0ace213..27f8e14 100755
--- a/vchat-howto
+++ b/vchat-howto
@@ -69,11 +69,7 @@ type:
 
 $ echo host=vchat.berlin.ccc.de >> ~/.vchat/config
 
-If you want to ignore SSL-warnings due to missing CA-files, type:
-
-$ echo ignssl=1 >> ~/.vchat/config
-
-If you don't want to ignore SSL-warnings, get the root-certificates from:
+You don't want to ignore SSL-warnings, get the root-certificates from:
 
    http://www.cacert.org/certs/class3.txt
    and
@@ -87,10 +83,10 @@ and copy them into your openssl-certs directory. For example:
    # ln -s root.txt `openssl x509 -in root.txt -hash | head -n 1`.0
    # ln -s class3.txt `openssl x509 -in class3.txt -hash | head -n 1`.0
 
-Now you can type:
-   
-   $ echo ignssl=0 >> ~/.vchat/config
-   
+NOTE: some openssl versions deliberately disable EC for unknown reasons, you
+need to manually (re)set the cipher string to a lower security variant there:
+
+$ echo ciphers=DHE-RSA-AES256-SHA >> ~/.vchat/config
 
 If you want a seperate private message window, type:
 
diff --git a/vchat-protocol.c b/vchat-protocol.c
index e676b28..6cf9724 100755
--- a/vchat-protocol.c
+++ b/vchat-protocol.c
@@ -35,7 +35,7 @@
 #include "vchat-ssl.h"
 
 /* version of this module */
-char *vchat_io_version = "$Id$";
+const char *vchat_io_version = "$Id$";
 
 /* externally used variables */
 int serverfd = -1;
diff --git a/vchat-ssl.c b/vchat-ssl.c
index d4a6029..999d6b8 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -32,7 +32,7 @@
 #include "vchat.h"
 #include "vchat-ssl.h"
 
-char *vchat_ssl_version = "$Id$";
+const char *vchat_ssl_version = "$Id$";
 
 #define VC_CTX_ERR_EXIT(se, cx) do { \
       snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \
@@ -72,12 +72,14 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
    store = NULL;
    /* Disable some insecure protocols explicitly */
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
-   if( OPENSSL_VERSION_NUMBER < 0x10000000L )
+   if (getstroption(CF_CIPHERSUITE))
+     SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE));
+   else if( OPENSSL_VERSION_NUMBER < 0x10000000L )
      SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");
    else
      SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");
 
-   SSL_CTX_set_verify_depth (ctx, 2);
+   SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL));
 
    if( !(verify_callback = vc_store->callback) )
       verify_callback = vc_verify_callback;
@@ -139,6 +141,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
     BIO_push( ssl_conn, *conn );
     *conn = ssl_conn;
     fflush(stdout);
+
     if( BIO_do_handshake( *conn ) > 0 ) {
       /* Show information about cipher used */
       const SSL *sslp = NULL;
@@ -156,11 +159,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
         snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");
         writecf(FS_ERR, tmpstr);
       }
-      return 0;
+
+      /* Accept being connected, _if_ verification passed */
+      if (sslp && SSL_get_verify_result(sslp) == X509_V_OK)
+        return 0;
     }
   }
 
-  snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
+  snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
   writecf(FS_ERR, tmpstr);
 
   return 1;
@@ -230,17 +236,11 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store)
 int vc_verify_callback(int ok, X509_STORE_CTX *store)
 {
    if(!ok) {
-      /* XXX handle action/abort */
-      if(!(ok=getintoption(CF_IGNSSL)))
-         snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", 
+      snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s", 
                X509_verify_cert_error_string(store->error));
-      else
-         snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)", 
-               X509_verify_cert_error_string(store->error));
-
       writecf(FS_ERR, tmpstr);
    }
-   return(ok);
+   return ok;
 }
 
 void vc_x509store_setflags(vc_x509store_t *store, int flags)
@@ -326,6 +326,14 @@ void vc_cleanup_x509store(vc_x509store_t *s)
    free(s->use_keyfile);
    free(s->use_key);
    sk_X509_free(s->certs);
-   sk_X509_free(s->crls);
+   sk_X509_CRL_free(s->crls);
    sk_X509_free(s->use_certs);
 }
+
+const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown";
+void vchat_ssl_get_version_external()
+{
+   char tmpstr[TMPSTRSIZE];
+   snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS));
+   vchat_ssl_version_external = strdup(tmpstr);
+}
diff --git a/vchat-ssl.h b/vchat-ssl.h
index baaa3c4..12d5fdb 100755
--- a/vchat-ssl.h
+++ b/vchat-ssl.h
@@ -36,6 +36,7 @@ void vc_x509store_setflags(vc_x509store_t *, int);
 void vc_x509store_clearflags(vc_x509store_t *, int);
 int vc_verify_callback(int, X509_STORE_CTX *);
 X509_STORE * vc_x509store_create(vc_x509store_t *);
+char *vc_ssl_version(char *, int);
 
 #define VC_X509S_NODEF_CAFILE                      0x01
 #define VC_X509S_NODEF_CAPATH                      0x02
diff --git a/vchat-ui.c b/vchat-ui.c
index f8bcc45..d4ea668 100755
--- a/vchat-ui.c
+++ b/vchat-ui.c
@@ -36,11 +36,11 @@
 #include "vchat-user.h"
 
 /* version of this module */
-char *vchat_ui_version = "$Id$";
+const char *vchat_ui_version = "$Id$";
 
 /* externally used variables */
 /*   current string in topic window */
-char topicstr[TOPICSTRSIZE] = "[] VChat 0.18";
+char topicstr[TOPICSTRSIZE] = "[] VChat 0.19";
 /*   current string in console window */
 char consolestr[CONSOLESTRSIZE] = "[ Get help: .h for server /h for client commands";
 
@@ -117,7 +117,7 @@ static void forceredraw_wrapper (int a) {forceredraw();}
 static void drawwin          (WINDOW *win, struct sb_data  *sb);
 static int  writescr         (WINDOW *win, struct sb_entry *entry);
 static int  testfilter       (             struct sb_entry *entry);
-static int  gettextwidth     (char *textbuffer);
+static int  gettextwidth     (const char *textbuffer);
 static void resize_output    (void);
 static int  getsbeheight     (struct sb_entry *entry, const int xwidth, int needstime );
 static int  getsbdataheight  (struct sb_data *data, const int xwidth, int needstime );
@@ -308,7 +308,7 @@ sb_clear ( struct sb_data **sb ) {
 }*/
 
 static struct sb_entry*
-sb_add (struct sb_data *sb, char *line, time_t when) {
+sb_add (struct sb_data *sb, const char *line, time_t when) {
   struct sb_entry *newone = malloc (sizeof(struct sb_entry));
   if( newone ) {
       if( sb->count == sb->scroll ) sb->scroll++;
@@ -350,7 +350,7 @@ void showout (void)
   resize(0);
 }
 
-void writeout (char *str)
+void writeout (const char *str)
 {
   int i;
   sb_add(sb_out,str,time(NULL));
@@ -865,7 +865,7 @@ resize (int signal)
 }
 
 static int
-gettextwidth (char *textbuffer)
+gettextwidth (const char *textbuffer)
 {
   int  width       = 0;
 
diff --git a/vchat.h b/vchat.h
index 1a24973..a0797d5 100755
--- a/vchat.h
+++ b/vchat.h
@@ -31,7 +31,7 @@ typedef struct servermessage servermessage;
 typedef enum { CO_NIL, CO_STR, CO_INT } conftype;
 typedef enum { CF_NIL, CF_NICK, CF_FROM, CF_SERVERHOST, CF_SERVERPORT,
 CF_CIPHERSUITE, CF_CONFIGFILE, CF_CERTFILE, CF_KEYFILE, CF_FORMFILE, CF_LOGINSCRIPT,
-CF_USESSL, CF_IGNSSL, CF_USECERT, CF_PRIVHEIGHT, CF_PRIVCOLLAPS, CF_HSCROLL, CF_CHANNEL, CF_USETIME,
+CF_USESSL, CF_VERIFYSSL, CF_USECERT, CF_PRIVHEIGHT, CF_PRIVCOLLAPS, CF_HSCROLL, CF_CHANNEL, CF_USETIME,
 CF_USETOPIC, CF_SCROLLBPRIV, CF_SCROLLBACK, CF_SCROLLBPRIVT, CF_SCROLLBACKT,
 CF_ENCODING, CF_BELLPRIV, CF_CASEFIRST, CF_AUTORECONN, CF_KEEPALIVE } confopt;
 
@@ -80,7 +80,7 @@ extern unsigned int want_tcp_keepalive;
 /* vchat-client.c */
 #define ERRSTRSIZE 1024
 extern char errstr[];
-extern char *vchat_cl_version;
+extern const char *vchat_cl_version;
 void loadcfg (char *file,int complain,void (*lineparser) (char *));
 void loadformats (char *file);
 void cleanup(int signal);
@@ -93,7 +93,7 @@ int getintoption (confopt option);
 void setintoption (confopt option, int value);
 
 /* vchat-ui.c */
-extern char *vchat_ui_version;
+extern const char *vchat_ui_version;
 
 /*   topic and console strings */
 #define TOPICSTRSIZE 1024
@@ -112,7 +112,7 @@ void userinput (void);
 /*   display various messages */
 int   writechan (char *str);
 int   writepriv (char *str, int maybeep );
-void  writeout  (char *str);
+void  writeout  (const char *str);
 void  showout   (void);
 void  flushout  (void);
 #define  msgout(STR) {flushout();writeout(STR);showout();}
@@ -140,7 +140,7 @@ void         clearfilters     ( char colour );
 void         handlequery      ( char *line );
 
 /* vchat-protocol.c */
-extern char *vchat_io_version;
+extern const char *vchat_io_version;
 
 /*   connect/disconnect */
 int  vcconnect    (char *server, char *port);
@@ -156,7 +156,7 @@ void ownleave (int channel);
 void ownnickchange (char *newnick);
 
 /* vchat-commands.c */
-extern char *vchat_cm_version;
+extern const char *vchat_cm_version;
 void   command_version ( char *tail);
 
 /*   user input */
@@ -171,3 +171,8 @@ typedef struct {
   char  *short_help;
   char  *help;
 } commandentry;
+
+/* vchat-ssl.c */
+extern const char *vchat_ssl_version;
+extern const char *vchat_ssl_version_external;
+void vchat_ssl_get_version_external();
diff --git a/vchatrc.ex b/vchatrc.ex
index 5d2a98f..c66d1f9 100755
--- a/vchatrc.ex
+++ b/vchatrc.ex
@@ -4,7 +4,7 @@
 #nick = noname
 
 # Auto-set from-tag during login
-#from = vc-alpha-0.18
+#from = vc-alpha-0.19
 
 # Server-host to connect to
 #host = pulse.flatline.de
@@ -15,7 +15,10 @@
 # Type of ciphers at the SSL-handshake; 
 # further information in the 
 # OpenSSL/mod_ssl/Apache-documentation
-#ciphers = HIGH:MEDIUM
+# default used before OpenSSL 1.0.0:
+#ciphers = DHE-RSA-AES256-SHA
+# default used after OpenSSL 1.0.0:
+#ciphers = ECDHE-RSA-AES256-GCM-SHA384
 
 # Location of the config-file
 #conffile = ~/.vchat/config
@@ -36,6 +39,9 @@
 # Use the certificate for connecting [0|1]
 #usecert = 1
 
+# Verify depth for peer certificate
+#verifyssl = 2
+
 # Show the time of the message at start of line [0|1]
 #usetime = 1