diff options
| author | Andreas Kotes <count@flatline.de> | 2014-04-16 15:20:49 +0200 |
|---|---|---|
| committer | Andreas Kotes <count@flatline.de> | 2014-04-16 15:20:49 +0200 |
| commit | 0171de7653dbc409f8a936e80a8c9bc3ab3d1bdb (patch) | |
| tree | 9417f66bc1bd4e5f2f882060b81e042dda7faa11 /vchat-ssl.c | |
| parent | cc89915d8cc8361c29318ee954f4fff14d862cb7 (diff) | |
version 0.19
* fixed version string display
* failing on SSL verify failures
* removed ignssl option
* reenabled ciphers options
* added verifyssl option (cert verify depth)
Diffstat (limited to 'vchat-ssl.c')
| -rwxr-xr-x | vchat-ssl.c | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c index d4a6029..999d6b8 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c | |||
| @@ -32,7 +32,7 @@ | |||
| 32 | #include "vchat.h" | 32 | #include "vchat.h" |
| 33 | #include "vchat-ssl.h" | 33 | #include "vchat-ssl.h" |
| 34 | 34 | ||
| 35 | char *vchat_ssl_version = "$Id$"; | 35 | const char *vchat_ssl_version = "$Id$"; |
| 36 | 36 | ||
| 37 | #define VC_CTX_ERR_EXIT(se, cx) do { \ | 37 | #define VC_CTX_ERR_EXIT(se, cx) do { \ |
| 38 | snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ | 38 | snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ |
| @@ -72,12 +72,14 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) | |||
| 72 | store = NULL; | 72 | store = NULL; |
| 73 | /* Disable some insecure protocols explicitly */ | 73 | /* Disable some insecure protocols explicitly */ |
| 74 | SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); | 74 | SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); |
| 75 | if( OPENSSL_VERSION_NUMBER < 0x10000000L ) | 75 | if (getstroption(CF_CIPHERSUITE)) |
| 76 | SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE)); | ||
| 77 | else if( OPENSSL_VERSION_NUMBER < 0x10000000L ) | ||
| 76 | SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); | 78 | SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); |
| 77 | else | 79 | else |
| 78 | SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); | 80 | SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); |
| 79 | 81 | ||
| 80 | SSL_CTX_set_verify_depth (ctx, 2); | 82 | SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL)); |
| 81 | 83 | ||
| 82 | if( !(verify_callback = vc_store->callback) ) | 84 | if( !(verify_callback = vc_store->callback) ) |
| 83 | verify_callback = vc_verify_callback; | 85 | verify_callback = vc_verify_callback; |
| @@ -139,6 +141,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
| 139 | BIO_push( ssl_conn, *conn ); | 141 | BIO_push( ssl_conn, *conn ); |
| 140 | *conn = ssl_conn; | 142 | *conn = ssl_conn; |
| 141 | fflush(stdout); | 143 | fflush(stdout); |
| 144 | |||
| 142 | if( BIO_do_handshake( *conn ) > 0 ) { | 145 | if( BIO_do_handshake( *conn ) > 0 ) { |
| 143 | /* Show information about cipher used */ | 146 | /* Show information about cipher used */ |
| 144 | const SSL *sslp = NULL; | 147 | const SSL *sslp = NULL; |
| @@ -156,11 +159,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
| 156 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); | 159 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); |
| 157 | writecf(FS_ERR, tmpstr); | 160 | writecf(FS_ERR, tmpstr); |
| 158 | } | 161 | } |
| 159 | return 0; | 162 | |
| 163 | /* Accept being connected, _if_ verification passed */ | ||
| 164 | if (sslp && SSL_get_verify_result(sslp) == X509_V_OK) | ||
| 165 | return 0; | ||
| 160 | } | 166 | } |
| 161 | } | 167 | } |
| 162 | 168 | ||
| 163 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); | 169 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); |
| 164 | writecf(FS_ERR, tmpstr); | 170 | writecf(FS_ERR, tmpstr); |
| 165 | 171 | ||
| 166 | return 1; | 172 | return 1; |
| @@ -230,17 +236,11 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store) | |||
| 230 | int vc_verify_callback(int ok, X509_STORE_CTX *store) | 236 | int vc_verify_callback(int ok, X509_STORE_CTX *store) |
| 231 | { | 237 | { |
| 232 | if(!ok) { | 238 | if(!ok) { |
| 233 | /* XXX handle action/abort */ | 239 | snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s", |
| 234 | if(!(ok=getintoption(CF_IGNSSL))) | ||
| 235 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", | ||
| 236 | X509_verify_cert_error_string(store->error)); | 240 | X509_verify_cert_error_string(store->error)); |
| 237 | else | ||
| 238 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)", | ||
| 239 | X509_verify_cert_error_string(store->error)); | ||
| 240 | |||
| 241 | writecf(FS_ERR, tmpstr); | 241 | writecf(FS_ERR, tmpstr); |
| 242 | } | 242 | } |
| 243 | return(ok); | 243 | return ok; |
| 244 | } | 244 | } |
| 245 | 245 | ||
| 246 | void vc_x509store_setflags(vc_x509store_t *store, int flags) | 246 | void vc_x509store_setflags(vc_x509store_t *store, int flags) |
| @@ -326,6 +326,14 @@ void vc_cleanup_x509store(vc_x509store_t *s) | |||
| 326 | free(s->use_keyfile); | 326 | free(s->use_keyfile); |
| 327 | free(s->use_key); | 327 | free(s->use_key); |
| 328 | sk_X509_free(s->certs); | 328 | sk_X509_free(s->certs); |
| 329 | sk_X509_free(s->crls); | 329 | sk_X509_CRL_free(s->crls); |
| 330 | sk_X509_free(s->use_certs); | 330 | sk_X509_free(s->use_certs); |
| 331 | } | 331 | } |
| 332 | |||
| 333 | const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown"; | ||
| 334 | void vchat_ssl_get_version_external() | ||
| 335 | { | ||
| 336 | char tmpstr[TMPSTRSIZE]; | ||
| 337 | snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS)); | ||
| 338 | vchat_ssl_version_external = strdup(tmpstr); | ||
| 339 | } | ||