diff options
author | Dirk Engling <erdgeist@erdgeist.org> | 2016-04-15 13:31:42 +0200 |
---|---|---|
committer | Dirk Engling <erdgeist@erdgeist.org> | 2016-04-15 13:31:42 +0200 |
commit | 035058400069cd8f3c10213c1c4049746ac9133c (patch) | |
tree | 13e72f63a1f98dba2ca041f2fee405fae6dcdf48 | |
parent | 2d0c1c42afd1e50864312890c9e3909294bf21ed (diff) |
Fix fingerprint verification code
-rwxr-xr-x | vchat-ssl.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c index 2a1c28a..6699243 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c | |||
@@ -201,8 +201,8 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
201 | X509 *peercert = SSL_get_peer_certificate(sslp); | 201 | X509 *peercert = SSL_get_peer_certificate(sslp); |
202 | 202 | ||
203 | /* FIXME: this IS bad code */ | 203 | /* FIXME: this IS bad code */ |
204 | char new_fingerprint[TMPSTRSIZE] = ""; | 204 | char new_fingerprint[TMPSTRSIZE]; |
205 | char old_fingerprint[TMPSTRSIZE] = ""; | 205 | char old_fingerprint[TMPSTRSIZE]; |
206 | FILE *fingerprint_file = NULL; | 206 | FILE *fingerprint_file = NULL; |
207 | 207 | ||
208 | unsigned int fingerprint_len; | 208 | unsigned int fingerprint_len; |
@@ -216,14 +216,13 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
216 | 216 | ||
217 | /* calculate fingerprint */ | 217 | /* calculate fingerprint */ |
218 | if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) { | 218 | if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) { |
219 | char shorttmpstr[3] = "XX"; | ||
220 | int j; | 219 | int j; |
220 | assert ( ( fingerprint_len > 1 ) && (fingerprint_len * 3 < TMPSTRSIZE )); | ||
221 | char * nf = new_fingerprint; | ||
221 | for (j=0; j<(int)fingerprint_len; j++) { | 222 | for (j=0; j<(int)fingerprint_len; j++) { |
222 | if (j) | 223 | nf += snprintf(nf, 3, "%02X:", fingerprint_bin[j]); |
223 | strncat(new_fingerprint, ":", TMPSTRSIZE); | 224 | assert ( nf > new_fingerprint ); |
224 | snprintf(shorttmpstr, 3, "%02X", fingerprint_bin[j]); | 225 | nf[-1] = 0; |
225 | strncat(new_fingerprint, shorttmpstr, TMPSTRSIZE); | ||
226 | } | ||
227 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint); | 226 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint); |
228 | writecf(FS_SERV, tmpstr); | 227 | writecf(FS_SERV, tmpstr); |
229 | } | 228 | } |
@@ -233,14 +232,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
233 | 232 | ||
234 | fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r"); | 233 | fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r"); |
235 | if (fingerprint_file) { | 234 | if (fingerprint_file) { |
236 | fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file); | 235 | int r = fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file); |
237 | fclose(fingerprint_file); | 236 | fclose(fingerprint_file); |
238 | 237 | ||
239 | /* verify fingerprint matches stored version */ | 238 | /* verify fingerprint matches stored version */ |
240 | if (!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE)) | 239 | if ( r &&!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE)) |
241 | return 0; | 240 | return 0; |
242 | else { | 241 | else { |
243 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), old_fingerprint); | 242 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), r ? old_fingerprint : "<FILE READ ERROR>" ); |
244 | writecf(FS_ERR, tmpstr); | 243 | writecf(FS_ERR, tmpstr); |
245 | writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?"); | 244 | writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?"); |
246 | return 1; | 245 | return 1; |