diff options
author | Dirk Engling <erdgeist@erdgeist.org> | 2022-05-20 03:09:24 +0200 |
---|---|---|
committer | Dirk Engling <erdgeist@erdgeist.org> | 2022-05-20 03:09:24 +0200 |
commit | 8c821b3f20b99ca1f05dd28aba92c897a7c9a10e (patch) | |
tree | 87425d8427632275eccaa31cd7313870cbfb3286 | |
parent | 133a4bbe527dc8067238e426a43fc90e44972e7d (diff) |
Check for more errors and dump the cert info to the user
-rwxr-xr-x | vchat-tls.c | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/vchat-tls.c b/vchat-tls.c index dbfd927..ad66334 100755 --- a/vchat-tls.c +++ b/vchat-tls.c | |||
@@ -462,16 +462,20 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store ) | |||
462 | mbedtls_x509_crt_init(&s->_cacert); | 462 | mbedtls_x509_crt_init(&s->_cacert); |
463 | mbedtls_x509_crt_init(&s->_cert); | 463 | mbedtls_x509_crt_init(&s->_cert); |
464 | mbedtls_pk_init(&s->_key); | 464 | mbedtls_pk_init(&s->_key); |
465 | 465 | mbedtls_ssl_init(ssl); | |
466 | mbedtls_ssl_config_init(conf); | 466 | mbedtls_ssl_config_init(conf); |
467 | mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); | 467 | |
468 | if (mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT)) { | ||
469 | writecf(FS_ERR, "Out of memory"); | ||
470 | return -1; | ||
471 | } | ||
472 | |||
468 | /* TODO: Always verify peer */ | 473 | /* TODO: Always verify peer */ |
469 | mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE); | 474 | mbedtls_ssl_conf_authmode(conf, getintoption(CF_IGNSSL) ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_REQUIRED); |
470 | mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &s->_ctr_drbg); | 475 | mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &s->_ctr_drbg); |
471 | 476 | ||
472 | /* mbedtls_ssl_conf_ciphersuites( */ | 477 | /* mbedtls_ssl_conf_ciphersuites( */ |
473 | 478 | ||
474 | /* Read in all certs */ | ||
475 | if (vc_store->cafile) { | 479 | if (vc_store->cafile) { |
476 | mbedtls_x509_crt_parse_file(&s->_cacert, vc_store->cafile); | 480 | mbedtls_x509_crt_parse_file(&s->_cacert, vc_store->cafile); |
477 | mbedtls_ssl_conf_ca_chain(conf, &s->_cacert, NULL); | 481 | mbedtls_ssl_conf_ca_chain(conf, &s->_cacert, NULL); |
@@ -505,11 +509,13 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store ) | |||
505 | fprintf(stderr, "KEYPAIR MISSMATCH\n"); | 509 | fprintf(stderr, "KEYPAIR MISSMATCH\n"); |
506 | } | 510 | } |
507 | #endif | 511 | #endif |
508 | mbedtls_ssl_conf_own_cert(conf, &s->_cert, &s->_key); | 512 | if ((ret = mbedtls_ssl_conf_own_cert(conf, &s->_cert, &s->_key)) != 0) { |
513 | vc_tls_report_error(ret, "Setting key and cert to tls session fails, mbedtls reports: "); | ||
514 | return -1; | ||
515 | } | ||
509 | 516 | ||
510 | /* Config constructed, pass to ssl */ | 517 | /* Config constructed, pass to ssl */ |
511 | /* Init ssl and config structs and configure ssl ctx */ | 518 | /* Init ssl and config structs and configure ssl ctx */ |
512 | mbedtls_ssl_init(ssl); | ||
513 | mbedtls_ssl_setup(ssl, conf); | 519 | mbedtls_ssl_setup(ssl, conf); |
514 | /* TODO: mbedtls_ssl_set_hostname(&ssl, SERVER_NAME) */ | 520 | /* TODO: mbedtls_ssl_set_hostname(&ssl, SERVER_NAME) */ |
515 | 521 | ||
@@ -522,6 +528,16 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store ) | |||
522 | } | 528 | } |
523 | } | 529 | } |
524 | 530 | ||
531 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", mbedtls_ssl_get_ciphersuite(ssl)); | ||
532 | writecf(FS_SERV, tmpstr); | ||
533 | |||
534 | const mbedtls_x509_crt* peer_cert = mbedtls_ssl_get_peer_cert(ssl); | ||
535 | mbedtls_x509_crt_info(tmpstr, sizeof(tmpstr), "[SSL PEER INFO ] ", peer_cert); | ||
536 | char *token = strtok(tmpstr, "\n"); | ||
537 | do { | ||
538 | writecf(FS_SERV, token); | ||
539 | } while ((token = strtok(NULL, "\n"))); | ||
540 | |||
525 | mbedtls_ssl_get_verify_result(ssl); | 541 | mbedtls_ssl_get_verify_result(ssl); |
526 | 542 | ||
527 | return 0; | 543 | return 0; |