authorAndreas Kotes <count@flatline.de>2014-04-16 16:27:00 +0200
committerAndreas Kotes <count@flatline.de>2014-04-16 16:27:00 +0200
commit3297473435ad53b6691d6c772f83457a72134c48 (patch)
tree9692f248fc19db010839f6c943a9c40809dcc340 /vchat-ssl.c
parentedba804a0cbd19e5c971c55661bcf83967573906 (diff)
store & verify server cert fingerprint
Diffstat (limited to 'vchat-ssl.c')
-rwxr-xr-xvchat-ssl.c75
1 files changed, 70 insertions, 5 deletions
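--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -153,16 +153,81 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
 cipher = SSL_get_current_cipher(sslp);
 if (cipher) {
 char cipher_desc[TMPSTRSIZE];
-snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE));
+snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE));
 writecf(FS_SERV, tmpstr);
 } else {
-snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");
+snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR ] Cipher not known / SSL object can't be queried!");
 writecf(FS_ERR, tmpstr);
 }
 
 /* Accept being connected, _if_ verification passed */
-if (sslp && SSL_get_verify_result(sslp) == X509_V_OK)
-return 0;
+if (sslp) {
+long result = SSL_get_verify_result(sslp);
+
+/* show & verify fingerprint */
+if (result == X509_V_OK) {
+X509 *peercert = SSL_get_peer_certificate(sslp);
+
+/* FIXME: this IS bad code */
+char new_fingerprint[TMPSTRSIZE] = "";
+char old_fingerprint[TMPSTRSIZE] = "";
+FILE *fingerprint_file = NULL;
+
+unsigned int fingerprint_len;
+unsigned char fingerprint_bin[EVP_MAX_MD_SIZE];
+
+/* show basic information about peer cert */
+snprintf(tmpstr, TMPSTRSIZE, "[SSL SUBJECT ] %s", X509_NAME_oneline(X509_get_subject_name(peercert),0,0));
+writecf(FS_SERV, tmpstr);
+snprintf(tmpstr, TMPSTRSIZE, "[SSL ISSUER ] %s", X509_NAME_oneline(X509_get_issuer_name(peercert),0,0));
+writecf(FS_SERV, tmpstr);
+
+/* calculate fingerprint */
+if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) {
+char shorttmpstr[3] = "XX";
+int j;
+for (j=0; j<(int)fingerprint_len; j++) {
+if (j)
+strncat(new_fingerprint, ":", TMPSTRSIZE);
+snprintf(shorttmpstr, 3, "%02X", fingerprint_bin[j]);
+strncat(new_fingerprint, shorttmpstr, TMPSTRSIZE);
+}
+snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint);
+writecf(FS_SERV, tmpstr);
+}
+
+// we don't need the peercert anymore
+X509_free(peercert);
+
+fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r");
+if (fingerprint_file) {
+fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file);
+fclose(fingerprint_file);
+
+/* verify fingerprint matches stored version */
+if (!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE))
+return 0;
+else {
+snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), old_fingerprint);
+writecf(FS_ERR, tmpstr);
+writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?");
+return 1;
+}
+} else {
+/* FIXME: there might be other errors than missing file */
+fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "w");
+if (!fingerprint_file) {
+snprintf (tmpstr, TMPSTRSIZE, "Can't write fingerprint file, %s.", strerror(errno));
+writecf(FS_ERR, tmpstr);
+} else {
+fputs(new_fingerprint, fingerprint_file);
+fclose(fingerprint_file);
+writecf(FS_SERV, "Stored fingerprint.");
+return 0;
+}
+}
+}
+}
 }
 }
 
@@ -236,7 +301,7 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store)
 int vc_verify_callback(int ok, X509_STORE_CTX *store)
 {
 if(!ok) {
-snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s",
+snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR ] %s",
 X509_verify_cert_error_string(store->error));
 writecf(FS_ERR, tmpstr);
 }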
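Review bot: In the new fingerprint block of vc_connect_ssl, `peercert` is dereferenced without a NULL check (SSL_get_peer_certificate can return NULL), and a failed `X509_digest` is not treated as fatal: `new_fingerprint` then stays "", and when no fingerprint file exists yet the empty string is written and the function returns 0, so the connection is accepted with nothing pinned. Both paths should fail closed, e.g. `if (!peercert) return 1;` right after the `SSL_get_peer_certificate` call, and `if (!X509_digest(peercert, EVP_sha1(), fingerprint_bin, &fingerprint_len)) { X509_free(peercert); return 1; }` in place of the current `if (X509_digest(...)) {` guard, with the hex loop below it made unconditional. The two `X509_NAME_oneline(..., 0, 0)` calls hand back heap buffers that are never released; keep each pointer and `OPENSSL_free` it after its snprintf. `strncat(new_fingerprint, ":", TMPSTRSIZE)` passes the buffer size as the append limit, which does not bound the destination at all; `TMPSTRSIZE - strlen(new_fingerprint) - 1` is the argument that makes the bound real. vc_connect_ssl begins before this hunk.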