| author | Dirk Engling <erdgeist@erdgeist.org> | 2022-05-21 00:34:50 +0200 |
|---|---|---|
| committer | Dirk Engling <erdgeist@erdgeist.org> | 2022-05-21 00:34:50 +0200 |
| commit | 03886bcebff8d0fb53414a36e3ddd7a1ab25b666 (patch) | |
| tree | 89585aef3bf7e9a647e66518317bbae5cb5d40ee | |
| parent | ee2b2043cf49560e70eb6a62fc883e5073bd2a92 (diff) | |
Handle several verify results
| -rwxr-xr-x | vchat-tls.c | 35 |
1 files changed, 27 insertions, 8 deletions
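--- a/vchat-tls.c
+++ b/vchat-tls.c
@@ -73,7 +73,7 @@ void vc_x509store_setcertfile(vc_x509store_t *store, char *file) {
 static int verify_or_store_fingerprint(const char *fingerprint) {
   char *fingerprint_file_path = tilde_expand(getstroption(CF_FINGERPRINT));
   if (!fingerprint_file_path) {
-    writecf(FS_ERR, "[SSL FINGERPRINT ] The CF_FINGERPRINT path is not set.");
+    writecf(FS_ERR, "Error: The CF_FINGERPRINT path is not set but CF_PINFINGER was requested.");
     return -1;
   }
 
@@ -90,26 +90,28 @@ static int verify_or_store_fingerprint(const char *fingerprint) {
       if (nl) *nl = 0;
 
       /* verify fingerprint matches stored version */
-      if (!strcmp(fingerprint, old_fingerprint))
+      if (!strcmp(fingerprint, old_fingerprint)) {
+        writecf(FS_SERV, "[FINGERPRINT MATCH ]");
         goto cleanup_happy;
+      }
     }
 
-    snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] Found pinned fingerprint (in %s) %s but expected %s", r ? old_fingerprint : "<FILE READ ERROR>", getstroption(CF_FINGERPRINT), fingerprint);
+    snprintf(tmpstr, TMPSTRSIZE, "Error: Found pinned fingerprint (in %s) %s but expected %s", r ? old_fingerprint : "<FILE READ ERROR>", getstroption(CF_FINGERPRINT), fingerprint);
     writecf(FS_ERR, tmpstr);
-    writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?");
+    writecf(FS_ERR, "Error: Fingerprint mismatch! Server cert updated?");
     free(fingerprint_file_path);
     return 1;
   } else
-    writecf(FS_ERR, "[WARNING] No pinned Fingerprint found!");
+    writecf(FS_ERR, "Warning: No pinned fingerprint found, writing the current one.");
 
   fingerprint_file = fopen(fingerprint_file_path, "w");
   if (!fingerprint_file) {
-    snprintf (tmpstr, TMPSTRSIZE, "[WARNING] Can't write fingerprint file, %s.", strerror(errno));
+    snprintf (tmpstr, TMPSTRSIZE, "Warning: Can't write fingerprint file, %s.", strerror(errno));
     writecf(FS_ERR, tmpstr);
   } else {
     fputs(fingerprint, fingerprint_file);
     fclose(fingerprint_file);
-    writecf(FS_SERV, "Stored pinned fingerprint.");
+    writecf(FS_SERV, "[FINGERPRINT STORED ]");
   }
 cleanup_happy:
   free(fingerprint_file_path);
@@ -612,7 +614,7 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
     if (getintoption(CF_PINFINGER) && verify_or_store_fingerprint(fingerprint))
       return 1;
   } else {
-    writecf(FS_SERV, "Unable to load SHA-1 md");
+    writecf(FS_ERR, "Warning: Unable to load SHA-1 md");
     if (getintoption(CF_PINFINGER)) {
       writecf(FS_ERR, "ERROR: Can not compute fingerprint, but pinning check is required");
       return 1;
@@ -620,6 +622,23 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
   }
 
   ret = mbedtls_ssl_get_verify_result(ssl);
+  switch (ret) {
+    case 0:
+      writecf(FS_SERV, "[TSL HANDSHAKE OK ]");
+      break;
+    case -1:
+      writecf(FS_ERR, "Error: TSL verify for an unknown reason");
+      return -1;
+    case MBEDTLS_X509_BADCERT_SKIP_VERIFY:
+    case MBEDTLS_X509_BADCERT_NOT_TRUSTED:
+      if (getintoption(CF_IGNSSL) || !getintoption(CF_VERIFYSSL))
+        return 0;
+      vc_tls_report_error(ret, "TLS verify failed, mbedtls reports: ");
+      return -1;
+    default:
+      vc_tls_report_error(ret, "TLS verify failed, mbedtls reports: ");
+      return -1;
+  }
 
   return 0;
 }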
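Review bot: The new `switch (ret)` after `mbedtls_ssl_get_verify_result(ssl)` in vc_tls_connect (whose body begins before this hunk) treats the verify result as a single value, but that result is a bitmask of MBEDTLS_X509_BADCERT_*/BADCRL_* flags, so `case MBEDTLS_X509_BADCERT_SKIP_VERIFY` and `case MBEDTLS_X509_BADCERT_NOT_TRUSTED` only match when that one flag is set alone, and a result combining, say, not-trusted with expired falls into `default` and is refused even when CF_IGNSSL is set. That is the fail-closed direction and defensible, but it should be stated next to the labels, e.g. `/* exact-match cases on purpose: a result with several flags set is rejected regardless of CF_IGNSSL */`, so a later cleanup does not quietly turn it into a mask test. `case -1:` depends on the declared type of `ret`, which is outside the hunk; mbedtls documents the "result not available" value as `(uint32_t) -1`, so if `ret` is `uint32_t` the label reads more honestly as `case (uint32_t) -1:`. The two new strings `"[TSL HANDSHAKE OK ]"` and `"Error: TSL verify for an unknown reason"` misspell TLS, and the second lacks a verb (`"Error: TLS verify failed for an unknown reason"`). Note also that the pinning failures in the previous hunk still `return 1` while every failure added here returns -1; harmless if callers only test for non-zero, but two conventions inside one function deserve a comment or unification.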
