1 files changed, 22 insertions, 6 deletions
diff --git a/vchat-tls.c b/vchat-tls.c
index dbfd927..ad66334 100755
--- a/vchat-tls.c
+++ b/vchat-tls.c
@@ -462,16 +462,20 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
    mbedtls_x509_crt_init(&s->_cacert);
    mbedtls_x509_crt_init(&s->_cert);
    mbedtls_pk_init(&s->_key);
+    mbedtls_ssl_init(ssl);
    mbedtls_ssl_config_init(conf);
-    mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
+    if (mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT)) {
+        writecf(FS_ERR, "Out of memory");
+        return -1;
+    }
    /* TODO: Always verify peer */
-    mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
+    mbedtls_ssl_conf_authmode(conf, getintoption(CF_IGNSSL) ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_REQUIRED);
    mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &s->_ctr_drbg);
    /*  mbedtls_ssl_conf_ciphersuites( */
-    /* Read in all certs */
    if (vc_store->cafile) {
        mbedtls_x509_crt_parse_file(&s->_cacert, vc_store->cafile);
        mbedtls_ssl_conf_ca_chain(conf, &s->_cacert, NULL);
@@ -505,11 +509,13 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
        fprintf(stderr, "KEYPAIR MISSMATCH\n");
    }
 #endif
-    mbedtls_ssl_conf_own_cert(conf, &s->_cert, &s->_key);
+    if ((ret = mbedtls_ssl_conf_own_cert(conf, &s->_cert, &s->_key)) != 0) {
+        vc_tls_report_error(ret, "Setting key and cert to tls session fails, mbedtls reports: ");
+        return -1;
+    }
    /* Config constructed, pass to ssl */
    /* Init ssl and config structs and configure ssl ctx */
-    mbedtls_ssl_init(ssl);
    mbedtls_ssl_setup(ssl, conf);
    /* TODO: mbedtls_ssl_set_hostname(&ssl, SERVER_NAME) */
@@ -522,6 +528,16 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
        }
    }
+    snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER       ] %s", mbedtls_ssl_get_ciphersuite(ssl));
+    writecf(FS_SERV, tmpstr);
+    const mbedtls_x509_crt* peer_cert = mbedtls_ssl_get_peer_cert(ssl);
+    mbedtls_x509_crt_info(tmpstr, sizeof(tmpstr), "[SSL PEER INFO    ] ", peer_cert);
+    char *token = strtok(tmpstr, "\n");
+    do {
+        writecf(FS_SERV, token);
+    } while ((token = strtok(NULL, "\n")));
    mbedtls_ssl_get_verify_result(ssl);
    return 0;

diff --git a/vchat-tls.c b/vchat-tls.c index dbfd927..ad66334 100755 --- a/vchat-tls.c +++ b/vchat-tls.c
@@ -462,16 +462,20 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
462	mbedtls_x509_crt_init(&s->_cacert);	462	mbedtls_x509_crt_init(&s->_cacert);
463	mbedtls_x509_crt_init(&s->_cert);	463	mbedtls_x509_crt_init(&s->_cert);
464	mbedtls_pk_init(&s->_key);	464	mbedtls_pk_init(&s->_key);
465		465	mbedtls_ssl_init(ssl);
466	mbedtls_ssl_config_init(conf);	466	mbedtls_ssl_config_init(conf);
467	mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);	467
		468	if (mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT)) {
		469	writecf(FS_ERR, "Out of memory");
		470	return -1;
		471	}
		472
468	/* TODO: Always verify peer */	473	/* TODO: Always verify peer */
469	mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);	474	mbedtls_ssl_conf_authmode(conf, getintoption(CF_IGNSSL) ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_REQUIRED);
470	mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &s->_ctr_drbg);	475	mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &s->_ctr_drbg);
471		476
472	/* mbedtls_ssl_conf_ciphersuites( */	477	/* mbedtls_ssl_conf_ciphersuites( */
473		478
474	/* Read in all certs */
475	if (vc_store->cafile) {	479	if (vc_store->cafile) {
476	mbedtls_x509_crt_parse_file(&s->_cacert, vc_store->cafile);	480	mbedtls_x509_crt_parse_file(&s->_cacert, vc_store->cafile);
477	mbedtls_ssl_conf_ca_chain(conf, &s->_cacert, NULL);	481	mbedtls_ssl_conf_ca_chain(conf, &s->_cacert, NULL);
@@ -505,11 +509,13 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
505	fprintf(stderr, "KEYPAIR MISSMATCH\n");	509	fprintf(stderr, "KEYPAIR MISSMATCH\n");
506	}	510	}
507	#endif	511	#endif
508	mbedtls_ssl_conf_own_cert(conf, &s->_cert, &s->_key);	512	if ((ret = mbedtls_ssl_conf_own_cert(conf, &s->_cert, &s->_key)) != 0) {
		513	vc_tls_report_error(ret, "Setting key and cert to tls session fails, mbedtls reports: ");
		514	return -1;
		515	}
509		516
510	/* Config constructed, pass to ssl */	517	/* Config constructed, pass to ssl */
511	/* Init ssl and config structs and configure ssl ctx */	518	/* Init ssl and config structs and configure ssl ctx */
512	mbedtls_ssl_init(ssl);
513	mbedtls_ssl_setup(ssl, conf);	519	mbedtls_ssl_setup(ssl, conf);
514	/* TODO: mbedtls_ssl_set_hostname(&ssl, SERVER_NAME) */	520	/* TODO: mbedtls_ssl_set_hostname(&ssl, SERVER_NAME) */
515		521
@@ -522,6 +528,16 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
522	}	528	}
523	}	529	}
524		530
		531	snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", mbedtls_ssl_get_ciphersuite(ssl));
		532	writecf(FS_SERV, tmpstr);
		533
		534	const mbedtls_x509_crt* peer_cert = mbedtls_ssl_get_peer_cert(ssl);
		535	mbedtls_x509_crt_info(tmpstr, sizeof(tmpstr), "[SSL PEER INFO ] ", peer_cert);
		536	char *token = strtok(tmpstr, "\n");
		537	do {
		538	writecf(FS_SERV, token);
		539	} while ((token = strtok(NULL, "\n")));
		540
525	mbedtls_ssl_get_verify_result(ssl);	541	mbedtls_ssl_get_verify_result(ssl);
526		542
527	return 0;	543	return 0;