authorDirk Engling <erdgeist@erdgeist.org>2022-05-21 00:34:50 +0200
committerDirk Engling <erdgeist@erdgeist.org>2022-05-21 00:34:50 +0200
commit03886bcebff8d0fb53414a36e3ddd7a1ab25b666 (patch)
tree89585aef3bf7e9a647e66518317bbae5cb5d40ee /vchat-tls.c
parentee2b2043cf49560e70eb6a62fc883e5073bd2a92 (diff)
Handle several verify results
Diffstat (limited to 'vchat-tls.c')
-rwxr-xr-xvchat-tls.c35
1 files changed, 27 insertions, 8 deletions
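diff --git a/vchat-tls.c b/vchat-tls.c
index 1156494..e43cc97 100755
--- a/vchat-tls.c
+++ b/vchat-tls.c
@@ -73,7 +73,7 @@ void vc_x509store_setcertfile(vc_x509store_t *store, char *file) {
 static int verify_or_store_fingerprint(const char *fingerprint) {
   char *fingerprint_file_path = tilde_expand(getstroption(CF_FINGERPRINT));
   if (!fingerprint_file_path) {
-    writecf(FS_ERR, "[SSL FINGERPRINT ] The CF_FINGERPRINT path is not set.");
+    writecf(FS_ERR, "Error: The CF_FINGERPRINT path is not set but CF_PINFINGER was requested.");
     return -1;
   }
 
@@ -90,26 +90,28 @@ static int verify_or_store_fingerprint(const char *fingerprint) {
       if (nl) *nl = 0;
 
       /* verify fingerprint matches stored version */
-      if (!strcmp(fingerprint, old_fingerprint))
+      if (!strcmp(fingerprint, old_fingerprint)) {
+        writecf(FS_SERV, "[FINGERPRINT MATCH ]");
         goto cleanup_happy;
+      }
     }
 
-    snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] Found pinned fingerprint (in %s) %s but expected %s", r ? old_fingerprint : "<FILE READ ERROR>", getstroption(CF_FINGERPRINT), fingerprint);
+    snprintf(tmpstr, TMPSTRSIZE, "Error: Found pinned fingerprint (in %s) %s but expected %s", r ? old_fingerprint : "<FILE READ ERROR>", getstroption(CF_FINGERPRINT), fingerprint);
     writecf(FS_ERR, tmpstr);
-    writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?");
+    writecf(FS_ERR, "Error: Fingerprint mismatch! Server cert updated?");
     free(fingerprint_file_path);
     return 1;
   } else
-    writecf(FS_ERR, "[WARNING] No pinned Fingerprint found!");
+    writecf(FS_ERR, "Warning: No pinned fingerprint found, writing the current one.");
 
   fingerprint_file = fopen(fingerprint_file_path, "w");
   if (!fingerprint_file) {
-    snprintf (tmpstr, TMPSTRSIZE, "[WARNING] Can't write fingerprint file, %s.", strerror(errno));
+    snprintf (tmpstr, TMPSTRSIZE, "Warning: Can't write fingerprint file, %s.", strerror(errno));
     writecf(FS_ERR, tmpstr);
   } else {
     fputs(fingerprint, fingerprint_file);
     fclose(fingerprint_file);
-    writecf(FS_SERV, "Stored pinned fingerprint.");
+    writecf(FS_SERV, "[FINGERPRINT STORED ]");
   }
 cleanup_happy:
   free(fingerprint_file_path);
@@ -612,7 +614,7 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
     if (getintoption(CF_PINFINGER) && verify_or_store_fingerprint(fingerprint))
       return 1;
   } else {
-    writecf(FS_SERV, "Unable to load SHA-1 md");
+    writecf(FS_ERR, "Warning: Unable to load SHA-1 md");
     if (getintoption(CF_PINFINGER)) {
       writecf(FS_ERR, "ERROR: Can not compute fingerprint, but pinning check is required");
       return 1;
@@ -620,6 +622,23 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
   }
 
   ret = mbedtls_ssl_get_verify_result(ssl);
+  switch (ret) {
+  case 0:
+    writecf(FS_SERV, "[TSL HANDSHAKE OK ]");
+    break;
+  case -1:
+    writecf(FS_ERR, "Error: TSL verify for an unknown reason");
+    return -1;
+  case MBEDTLS_X509_BADCERT_SKIP_VERIFY:
+  case MBEDTLS_X509_BADCERT_NOT_TRUSTED:
+    if (getintoption(CF_IGNSSL) || !getintoption(CF_VERIFYSSL))
+      return 0;
+    vc_tls_report_error(ret, "TLS verify failed, mbedtls reports: ");
+    return -1;
+  default:
+    vc_tls_report_error(ret, "TLS verify failed, mbedtls reports: ");
+    return -1;
+  }
 
   return 0;
 }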
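Review bot: The new `if (getintoption(CF_IGNSSL) || !getintoption(CF_VERIFYSSL)) return 0;` branch in the verify-result switch accepts an untrusted or unverified server certificate without telling the user, so a connection whose chain failed to validate looks the same as a clean one; it should log the downgrade before returning, e.g. `writecf(FS_ERR, "Warning: server certificate not verified (CF_IGNSSL set or CF_VERIFYSSL unset), continuing anyway.");`. mbedtls documents the return of mbedtls_ssl_get_verify_result() as a bitmask of MBEDTLS_X509_BADCERT_*/BADCRL_* flags, so an exact-match `case` only fires when a single flag is set and a result such as NOT_TRUSTED combined with another flag falls through to `default` and fails closed — safe, but it means the ignore option is not honoured consistently; testing `ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED` before the switch would match the intent. The new failure paths return -1 while the pinning failures a few lines earlier (`return 1;` after the CF_PINFINGER checks) return 1; unless the caller distinguishes the two, one convention should be used for vc_tls_connect. "TSL" in the two new messages is a typo for "TLS". vc_tls_connect begins before this hunk, so ret's declared type is not visible here.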