-rw-r--r-- | .gitattributes | 1 | ||||
-rwxr-xr-x | debian/changelog | 18 | ||||
-rwxr-xr-x | debian/rules | 4 | ||||
-rwxr-xr-x | vchat-client.c | 19 | ||||
-rwxr-xr-x | vchat-client.sgml | 6 | ||||
-rwxr-xr-x | vchat-commands.c | 4 | ||||
-rwxr-xr-x | vchat-config.h | 7 | ||||
-rwxr-xr-x | vchat-howto | 14 | ||||
-rwxr-xr-x | vchat-protocol.c | 2 | ||||
-rwxr-xr-x | vchat-ssl.c | 108 | ||||
-rwxr-xr-x | vchat-ssl.h | 1 | ||||
-rwxr-xr-x | vchat-ui.c | 12 | ||||
-rwxr-xr-x | vchat-user.c | 2 | ||||
-rwxr-xr-x | vchat.h | 19 | ||||
-rwxr-xr-x | vchatrc.ex | 10 |
15 files changed, 174 insertions, 53 deletions
diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9433213 --- /dev/null +++ b/.gitattributes | |||
@@ -0,0 +1 @@ | |||
*.c ident | |||
diff --git a/debian/changelog b/debian/changelog index 17e8bf7..eb2b185 100755 --- a/debian/changelog +++ b/debian/changelog | |||
@@ -1,3 +1,21 @@ | |||
1 | vchat-client (0.19-1) unstable; urgency=high | ||
2 | |||
3 | * fixed version string display | ||
4 | * failing on SSL verify failures | ||
5 | * removed ignssl option | ||
6 | * reenabled ciphers options | ||
7 | * added verifyssl option (cert verify depth) | ||
8 | |||
9 | -- Andreas Kotes <count@flatline.de> Wed, 16 Apr 2014 15:12:23 +0200 | ||
10 | |||
11 | vchat-client (0.18-1) unstable; urgency=high | ||
12 | |||
13 | * updated to use TLSv1 or later | ||
14 | * improved SSL error reporting | ||
15 | * report SSL cipher used | ||
16 | |||
17 | -- Andreas Kotes <count@flatline.de> Tue, 15 Apr 2014 13:09:23 +0200 | ||
18 | |||
1 | vchat-client (0.15-2) unstable; urgency=low | 19 | vchat-client (0.15-2) unstable; urgency=low |
2 | 20 | ||
3 | * changed debian/rules using "make install" | 21 | * changed debian/rules using "make install" |
diff --git a/debian/rules b/debian/rules index 389c597..778533f 100755 --- a/debian/rules +++ b/debian/rules | |||
@@ -5,7 +5,7 @@ | |||
5 | #export DH_VERBOSE=1 | 5 | #export DH_VERBOSE=1 |
6 | 6 | ||
7 | # This is the debhelper compatability version to use. | 7 | # This is the debhelper compatability version to use. |
8 | export DH_COMPAT=3 | 8 | export DH_COMPAT=5 |
9 | 9 | ||
10 | configure: configure-stamp | 10 | configure: configure-stamp |
11 | configure-stamp: | 11 | configure-stamp: |
@@ -28,7 +28,7 @@ clean: | |||
28 | install: build | 28 | install: build |
29 | dh_testdir | 29 | dh_testdir |
30 | dh_testroot | 30 | dh_testroot |
31 | dh_clean -k | 31 | dh_prep |
32 | dh_installdirs | 32 | dh_installdirs |
33 | $(MAKE) install DESTDIR=$(CURDIR)/debian/vchat-client PREFIX=/usr | 33 | $(MAKE) install DESTDIR=$(CURDIR)/debian/vchat-client PREFIX=/usr |
34 | 34 | ||
diff --git a/vchat-client.c b/vchat-client.c index f5cd516..a2e298c 100755 --- a/vchat-client.c +++ b/vchat-client.c | |||
@@ -32,7 +32,7 @@ | |||
32 | #include "vchat-user.h" | 32 | #include "vchat-user.h" |
33 | 33 | ||
34 | /* version of this module */ | 34 | /* version of this module */ |
35 | char *vchat_cl_version = "$Id$"; | 35 | const char *vchat_cl_version = "vchat-client.c $Id$"; |
36 | 36 | ||
37 | /* externally used variables */ | 37 | /* externally used variables */ |
38 | /* we're logged in */ | 38 | /* we're logged in */ |
@@ -442,6 +442,17 @@ void usage( char *name) { | |||
442 | puts (" -n set nickname"); | 442 | puts (" -n set nickname"); |
443 | printf (" -f set from (default \"%s\")\n",getstroption(CF_FROM)); | 443 | printf (" -f set from (default \"%s\")\n",getstroption(CF_FROM)); |
444 | puts (" -h gives this help"); | 444 | puts (" -h gives this help"); |
445 | puts (" -v show module versions"); | ||
446 | } | ||
447 | |||
448 | void versions() { | ||
449 | puts (vchat_cl_version); | ||
450 | puts (vchat_ui_version); | ||
451 | puts (vchat_io_version); | ||
452 | puts (vchat_us_version); | ||
453 | puts (vchat_cm_version); | ||
454 | puts (vchat_ssl_version); | ||
455 | puts (vchat_ssl_version_external); | ||
445 | } | 456 | } |
446 | 457 | ||
447 | /* main - d'oh */ | 458 | /* main - d'oh */ |
@@ -456,9 +467,12 @@ main (int argc, char **argv) | |||
456 | loadconfig (GLOBAL_CONFIG_FILE); | 467 | loadconfig (GLOBAL_CONFIG_FILE); |
457 | loadconfig (getstroption (CF_CONFIGFILE)); | 468 | loadconfig (getstroption (CF_CONFIGFILE)); |
458 | 469 | ||
470 | /* make SSL version used visible */ | ||
471 | vchat_ssl_get_version_external(); | ||
472 | |||
459 | /* parse commandline */ | 473 | /* parse commandline */ |
460 | while (cmdsunparsed) { | 474 | while (cmdsunparsed) { |
461 | pchar = getopt(argc,argv,"C:F:lzs:p:c:n:f:kKL:h"); | 475 | pchar = getopt(argc,argv,"C:F:lzs:p:c:n:f:kKL:hv"); |
462 | #ifdef DEBUG | 476 | #ifdef DEBUG |
463 | fprintf(stderr,"parse commandline: %d ('%c'): %s\n",pchar,pchar,optarg); | 477 | fprintf(stderr,"parse commandline: %d ('%c'): %s\n",pchar,pchar,optarg); |
464 | #endif | 478 | #endif |
@@ -475,6 +489,7 @@ main (int argc, char **argv) | |||
475 | case 'n': own_nick_set(optarg); break; | 489 | case 'n': own_nick_set(optarg); break; |
476 | case 'f': setstroption(CF_FROM,optarg); break; | 490 | case 'f': setstroption(CF_FROM,optarg); break; |
477 | case 'h': usage(argv[0]); exit(0); break; | 491 | case 'h': usage(argv[0]); exit(0); break; |
492 | case 'v': versions(); exit(0); break; | ||
478 | default : usage(argv[0]); exit(1); | 493 | default : usage(argv[0]); exit(1); |
479 | } | 494 | } |
480 | } | 495 | } |
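Review bot: `void versions()` at new line 448 is defined with an empty parameter list, which in C11 is an unprototyped definition that disables argument checking at call sites; write it as `void versions(void)`. The same applies to `void vchat_ssl_get_version_external()` as defined in vchat-ssl.c and declared in vchat.h in this commit, which should both read `void vchat_ssl_get_version_external(void)`. No prototype for `versions` is visible anywhere in this diff, so its only caller is presumably `main` below it in this file. `usage()` starts outside the hunk.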
diff --git a/vchat-client.sgml b/vchat-client.sgml index 4b4f130..3d6fbc7 100755 --- a/vchat-client.sgml +++ b/vchat-client.sgml | |||
@@ -101,7 +101,7 @@ overridden in the configfile.</para></listitem> | |||
101 | 101 | ||
102 | <varlistentry> | 102 | <varlistentry> |
103 | <term><option>-f</option> <replaceable>from</replaceable></term> | 103 | <term><option>-f</option> <replaceable>from</replaceable></term> |
104 | <listitem><para>set from (default "vc-alpha-0.15")</para></listitem> | 104 | <listitem><para>set from (default "vc-alpha-0.19")</para></listitem> |
105 | </varlistentry> | 105 | </varlistentry> |
106 | 106 | ||
107 | <varlistentry> | 107 | <varlistentry> |
@@ -144,7 +144,7 @@ configure the behavior of vchat-client</para> | |||
144 | 144 | ||
145 | <varlistentry> | 145 | <varlistentry> |
146 | <term><option>from</option></term> | 146 | <term><option>from</option></term> |
147 | <listitem><para>Sets the from (default is "vc-alpha-0.15")</para></listitem> | 147 | <listitem><para>Sets the from (default is "vc-alpha-0.19")</para></listitem> |
148 | </varlistentry> | 148 | </varlistentry> |
149 | 149 | ||
150 | <varlistentry> | 150 | <varlistentry> |
@@ -159,7 +159,7 @@ configure the behavior of vchat-client</para> | |||
159 | 159 | ||
160 | <varlistentry> | 160 | <varlistentry> |
161 | <term><option>ciphers</option></term> | 161 | <term><option>ciphers</option></term> |
162 | <listitem><para>Set ciphers ("HIGH:MEDIUM")</para></listitem> | 162 | <listitem><para>Set ciphers (autodetected)</para></listitem> |
163 | </varlistentry> | 163 | </varlistentry> |
164 | 164 | ||
165 | <varlistentry> | 165 | <varlistentry> |
diff --git a/vchat-commands.c b/vchat-commands.c index 2c3d68b..06c9010 100755 --- a/vchat-commands.c +++ b/vchat-commands.c | |||
@@ -29,7 +29,7 @@ | |||
29 | #include "vchat-user.h" | 29 | #include "vchat-user.h" |
30 | 30 | ||
31 | /* version of this module */ | 31 | /* version of this module */ |
32 | char *vchat_cm_version = "$Id$"; | 32 | const char *vchat_cm_version = "vchat-commands.c $Id$"; |
33 | 33 | ||
34 | /* from vchat-client.c */ | 34 | /* from vchat-client.c */ |
35 | extern int ownquit; | 35 | extern int ownquit; |
@@ -452,6 +452,8 @@ command_version(char *tail) | |||
452 | writeout (vchat_io_version); | 452 | writeout (vchat_io_version); |
453 | writeout (vchat_us_version); | 453 | writeout (vchat_us_version); |
454 | writeout (vchat_cm_version); | 454 | writeout (vchat_cm_version); |
455 | writeout (vchat_ssl_version); | ||
456 | writeout (vchat_ssl_version_external); | ||
455 | showout(); | 457 | showout(); |
456 | } | 458 | } |
457 | 459 | ||
diff --git a/vchat-config.h b/vchat-config.h index 8392d18..0291100 100755 --- a/vchat-config.h +++ b/vchat-config.h | |||
@@ -29,18 +29,19 @@ extern unsigned int hscroll; | |||
29 | static volatile configoption configoptions[] = { | 29 | static volatile configoption configoptions[] = { |
30 | /* config-option type name in file default value value localvar */ | 30 | /* config-option type name in file default value value localvar */ |
31 | {CF_NICK, CO_STR, "nick", NULL, NULL, { NULL } }, | 31 | {CF_NICK, CO_STR, "nick", NULL, NULL, { NULL } }, |
32 | {CF_FROM, CO_STR, "from", "vc-alpha-0.17", NULL, { NULL } }, | 32 | {CF_FROM, CO_STR, "from", "vc-alpha-0.19", NULL, { NULL } }, |
33 | {CF_SERVERHOST, CO_STR, "host", "localhost", NULL, { NULL } }, | 33 | {CF_SERVERHOST, CO_STR, "host", "localhost", NULL, { NULL } }, |
34 | {CF_SERVERPORT, CO_STR, "port", "2325", NULL, { NULL } }, | 34 | {CF_SERVERPORT, CO_STR, "port", "2325", NULL, { NULL } }, |
35 | {CF_CIPHERSUITE, CO_STR, "ciphers", "HIGH:MEDIUM", NULL, { NULL } }, | 35 | {CF_CIPHERSUITE, CO_STR, "ciphers", NULL, NULL, { NULL } }, |
36 | {CF_CONFIGFILE, CO_STR, "conffile", "~/.vchat/config", NULL, { NULL } }, | 36 | {CF_CONFIGFILE, CO_STR, "conffile", "~/.vchat/config", NULL, { NULL } }, |
37 | {CF_CERTFILE, CO_STR, "certfile", "~/.vchat/cert", NULL, { NULL } }, | 37 | {CF_CERTFILE, CO_STR, "certfile", "~/.vchat/cert", NULL, { NULL } }, |
38 | {CF_KEYFILE, CO_STR, "keyfile", "~/.vchat/key", NULL, { NULL } }, | 38 | {CF_KEYFILE, CO_STR, "keyfile", "~/.vchat/key", NULL, { NULL } }, |
39 | {CF_FORMFILE, CO_STR, "formatfile", "~/.vchat/formats", NULL, { NULL } }, | 39 | {CF_FORMFILE, CO_STR, "formatfile", "~/.vchat/formats", NULL, { NULL } }, |
40 | {CF_LOGINSCRIPT, CO_STR, "loginscript","~/.vchat/loginscript", NULL, { NULL } }, | 40 | {CF_LOGINSCRIPT, CO_STR, "loginscript","~/.vchat/loginscript", NULL, { NULL } }, |
41 | {CF_FINGERPRINT, CO_STR, "fingerprint","~/.vchat/fingerprint", NULL, { NULL } }, | ||
41 | {CF_ENCODING, CO_STR, "encoding", NULL, NULL, { .pstr = &encoding }}, | 42 | {CF_ENCODING, CO_STR, "encoding", NULL, NULL, { .pstr = &encoding }}, |
42 | {CF_USESSL, CO_INT, "usessl", (char *) 1, (char *)-1, { NULL } }, | 43 | {CF_USESSL, CO_INT, "usessl", (char *) 1, (char *)-1, { NULL } }, |
43 | {CF_IGNSSL, CO_INT, "ignssl", (char *) 0, (char *)-1, { NULL } }, | 44 | {CF_VERIFYSSL, CO_INT, "verifyssl", (char *) 2, (char *)-1, { NULL } }, |
44 | {CF_USECERT, CO_INT, "usecert", (char *) 1, (char *)-1, { NULL } }, | 45 | {CF_USECERT, CO_INT, "usecert", (char *) 1, (char *)-1, { NULL } }, |
45 | {CF_USETIME, CO_INT, "usetime", (char *) 1, (char *)-1, { .pint = &usetime } }, | 46 | {CF_USETIME, CO_INT, "usetime", (char *) 1, (char *)-1, { .pint = &usetime } }, |
46 | {CF_USETOPIC, CO_INT, "usetopicbar",(char *) 1, (char *)-1, { NULL } }, | 47 | {CF_USETOPIC, CO_INT, "usetopicbar",(char *) 1, (char *)-1, { NULL } }, |
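Review bot: The new `fingerprint` and `verifyssl` options at new lines 41 and 44, and the removal of `ignssl`, are not reflected in vchat-client.sgml as far as this commit's hunks show; only the `from` and `ciphers` entries there are touched. A `<varlistentry>` for each, stating that `verifyssl` is the chain depth handed to `SSL_CTX_set_verify_depth` and that `fingerprint` names the file in which the peer certificate's fingerprint is stored and later checked, would keep the manual in step with vchatrc.ex. The `configoptions[]` table continues past the end of the hunk.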
diff --git a/vchat-howto b/vchat-howto index 0ace213..27f8e14 100755 --- a/vchat-howto +++ b/vchat-howto | |||
@@ -69,11 +69,7 @@ type: | |||
69 | 69 | ||
70 | $ echo host=vchat.berlin.ccc.de >> ~/.vchat/config | 70 | $ echo host=vchat.berlin.ccc.de >> ~/.vchat/config |
71 | 71 | ||
72 | If you want to ignore SSL-warnings due to missing CA-files, type: | 72 | You don't want to ignore SSL-warnings, get the root-certificates from: |
73 | |||
74 | $ echo ignssl=1 >> ~/.vchat/config | ||
75 | |||
76 | If you don't want to ignore SSL-warnings, get the root-certificates from: | ||
77 | 73 | ||
78 | http://www.cacert.org/certs/class3.txt | 74 | http://www.cacert.org/certs/class3.txt |
79 | and | 75 | and |
@@ -87,10 +83,10 @@ and copy them into your openssl-certs directory. For example: | |||
87 | # ln -s root.txt `openssl x509 -in root.txt -hash | head -n 1`.0 | 83 | # ln -s root.txt `openssl x509 -in root.txt -hash | head -n 1`.0 |
88 | # ln -s class3.txt `openssl x509 -in class3.txt -hash | head -n 1`.0 | 84 | # ln -s class3.txt `openssl x509 -in class3.txt -hash | head -n 1`.0 |
89 | 85 | ||
90 | Now you can type: | 86 | NOTE: some openssl versions deliberately disable EC for unknown reasons, you |
91 | 87 | need to manually (re)set the cipher string to a lower security variant there: | |
92 | $ echo ignssl=0 >> ~/.vchat/config | 88 | |
93 | 89 | $ echo ciphers=DHE-RSA-AES256-SHA >> ~/.vchat/config | |
94 | 90 | ||
95 | If you want a seperate private message window, type: | 91 | If you want a seperate private message window, type: |
96 | 92 | ||
diff --git a/vchat-protocol.c b/vchat-protocol.c index e676b28..b077411 100755 --- a/vchat-protocol.c +++ b/vchat-protocol.c | |||
@@ -35,7 +35,7 @@ | |||
35 | #include "vchat-ssl.h" | 35 | #include "vchat-ssl.h" |
36 | 36 | ||
37 | /* version of this module */ | 37 | /* version of this module */ |
38 | char *vchat_io_version = "$Id$"; | 38 | const char *vchat_io_version = "vchat-protocol.c $Id$"; |
39 | 39 | ||
40 | /* externally used variables */ | 40 | /* externally used variables */ |
41 | int serverfd = -1; | 41 | int serverfd = -1; |
diff --git a/vchat-ssl.c b/vchat-ssl.c index 7060e29..79092a6 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c | |||
@@ -32,7 +32,7 @@ | |||
32 | #include "vchat.h" | 32 | #include "vchat.h" |
33 | #include "vchat-ssl.h" | 33 | #include "vchat-ssl.h" |
34 | 34 | ||
35 | char *vchat_ssl_version = "$Id$"; | 35 | const char *vchat_ssl_version = "vchat-ssl.c $Id$"; |
36 | 36 | ||
37 | #define VC_CTX_ERR_EXIT(se, cx) do { \ | 37 | #define VC_CTX_ERR_EXIT(se, cx) do { \ |
38 | snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ | 38 | snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ |
@@ -61,6 +61,7 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) | |||
61 | X509_STORE *store = NULL; | 61 | X509_STORE *store = NULL; |
62 | vc_x509verify_cb_t verify_callback = NULL; | 62 | vc_x509verify_cb_t verify_callback = NULL; |
63 | 63 | ||
64 | /* Explicitly use TLSv1 (or maybe later) */ | ||
64 | if( !(ctx = SSL_CTX_new(SSLv23_client_method())) ) | 65 | if( !(ctx = SSL_CTX_new(SSLv23_client_method())) ) |
65 | VC_CTX_ERR_EXIT(store, ctx); | 66 | VC_CTX_ERR_EXIT(store, ctx); |
66 | 67 | ||
@@ -69,13 +70,16 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) | |||
69 | 70 | ||
70 | SSL_CTX_set_cert_store(ctx, store); | 71 | SSL_CTX_set_cert_store(ctx, store); |
71 | store = NULL; | 72 | store = NULL; |
73 | /* Disable some insecure protocols explicitly */ | ||
72 | SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); | 74 | SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); |
73 | if( OPENSSL_VERSION_NUMBER < 0x10000000L ) | 75 | if (getstroption(CF_CIPHERSUITE)) |
76 | SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE)); | ||
77 | else if( OPENSSL_VERSION_NUMBER < 0x10000000L ) | ||
74 | SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); | 78 | SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); |
75 | else | 79 | else |
76 | SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); | 80 | SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); |
77 | 81 | ||
78 | SSL_CTX_set_verify_depth (ctx, 2); | 82 | SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL)); |
79 | 83 | ||
80 | if( !(verify_callback = vc_store->callback) ) | 84 | if( !(verify_callback = vc_store->callback) ) |
81 | verify_callback = vc_verify_callback; | 85 | verify_callback = vc_verify_callback; |
@@ -137,6 +141,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
137 | BIO_push( ssl_conn, *conn ); | 141 | BIO_push( ssl_conn, *conn ); |
138 | *conn = ssl_conn; | 142 | *conn = ssl_conn; |
139 | fflush(stdout); | 143 | fflush(stdout); |
144 | |||
140 | if( BIO_do_handshake( *conn ) > 0 ) { | 145 | if( BIO_do_handshake( *conn ) > 0 ) { |
141 | /* Show information about cipher used */ | 146 | /* Show information about cipher used */ |
142 | const SSL *sslp = NULL; | 147 | const SSL *sslp = NULL; |
@@ -144,20 +149,89 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
144 | 149 | ||
145 | /* Get cipher object */ | 150 | /* Get cipher object */ |
146 | BIO_get_ssl(ssl_conn, &sslp); | 151 | BIO_get_ssl(ssl_conn, &sslp); |
152 | if (sslp) | ||
147 | cipher = SSL_get_current_cipher(sslp); | 153 | cipher = SSL_get_current_cipher(sslp); |
148 | if (cipher) { | 154 | if (cipher) { |
149 | char cipher_desc[TMPSTRSIZE]; | 155 | char cipher_desc[TMPSTRSIZE]; |
150 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); | 156 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); |
151 | writecf(FS_SERV, tmpstr); | 157 | writecf(FS_SERV, tmpstr); |
152 | } else { | 158 | } else { |
153 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); | 159 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR ] Cipher not known / SSL object can't be queried!"); |
154 | writecf(FS_ERR, tmpstr); | 160 | writecf(FS_ERR, tmpstr); |
155 | } | 161 | } |
156 | return 0; | 162 | |
163 | /* Accept being connected, _if_ verification passed */ | ||
164 | if (sslp) { | ||
165 | long result = SSL_get_verify_result(sslp); | ||
166 | |||
167 | /* show & verify fingerprint */ | ||
168 | if (result == X509_V_OK) { | ||
169 | X509 *peercert = SSL_get_peer_certificate(sslp); | ||
170 | |||
171 | /* FIXME: this IS bad code */ | ||
172 | char new_fingerprint[TMPSTRSIZE] = ""; | ||
173 | char old_fingerprint[TMPSTRSIZE] = ""; | ||
174 | FILE *fingerprint_file = NULL; | ||
175 | |||
176 | unsigned int fingerprint_len; | ||
177 | unsigned char fingerprint_bin[EVP_MAX_MD_SIZE]; | ||
178 | |||
179 | /* show basic information about peer cert */ | ||
180 | snprintf(tmpstr, TMPSTRSIZE, "[SSL SUBJECT ] %s", X509_NAME_oneline(X509_get_subject_name(peercert),0,0)); | ||
181 | writecf(FS_SERV, tmpstr); | ||
182 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ISSUER ] %s", X509_NAME_oneline(X509_get_issuer_name(peercert),0,0)); | ||
183 | writecf(FS_SERV, tmpstr); | ||
184 | |||
185 | /* calculate fingerprint */ | ||
186 | if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) { | ||
187 | char shorttmpstr[3] = "XX"; | ||
188 | int j; | ||
189 | for (j=0; j<(int)fingerprint_len; j++) { | ||
190 | if (j) | ||
191 | strncat(new_fingerprint, ":", TMPSTRSIZE); | ||
192 | snprintf(shorttmpstr, 3, "%02X", fingerprint_bin[j]); | ||
193 | strncat(new_fingerprint, shorttmpstr, TMPSTRSIZE); | ||
194 | } | ||
195 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint); | ||
196 | writecf(FS_SERV, tmpstr); | ||
197 | } | ||
198 | |||
199 | // we don't need the peercert anymore | ||
200 | X509_free(peercert); | ||
201 | |||
202 | fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r"); | ||
203 | if (fingerprint_file) { | ||
204 | fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file); | ||
205 | fclose(fingerprint_file); | ||
206 | |||
207 | /* verify fingerprint matches stored version */ | ||
208 | if (!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE)) | ||
209 | return 0; | ||
210 | else { | ||
211 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), old_fingerprint); | ||
212 | writecf(FS_ERR, tmpstr); | ||
213 | writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?"); | ||
214 | return 1; | ||
215 | } | ||
216 | } else { | ||
217 | /* FIXME: there might be other errors than missing file */ | ||
218 | fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "w"); | ||
219 | if (!fingerprint_file) { | ||
220 | snprintf (tmpstr, TMPSTRSIZE, "Can't write fingerprint file, %s.", strerror(errno)); | ||
221 | writecf(FS_ERR, tmpstr); | ||
222 | } else { | ||
223 | fputs(new_fingerprint, fingerprint_file); | ||
224 | fclose(fingerprint_file); | ||
225 | writecf(FS_SERV, "Stored fingerprint."); | ||
226 | return 0; | ||
227 | } | ||
228 | } | ||
229 | } | ||
230 | } | ||
157 | } | 231 | } |
158 | } | 232 | } |
159 | 233 | ||
160 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); | 234 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); |
161 | writecf(FS_ERR, tmpstr); | 235 | writecf(FS_ERR, tmpstr); |
162 | 236 | ||
163 | return 1; | 237 | return 1; |
@@ -227,17 +301,11 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store) | |||
227 | int vc_verify_callback(int ok, X509_STORE_CTX *store) | 301 | int vc_verify_callback(int ok, X509_STORE_CTX *store) |
228 | { | 302 | { |
229 | if(!ok) { | 303 | if(!ok) { |
230 | /* XXX handle action/abort */ | 304 | snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR ] %s", |
231 | if(!(ok=getintoption(CF_IGNSSL))) | ||
232 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", | ||
233 | X509_verify_cert_error_string(store->error)); | ||
234 | else | ||
235 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)", | ||
236 | X509_verify_cert_error_string(store->error)); | 305 | X509_verify_cert_error_string(store->error)); |
237 | |||
238 | writecf(FS_ERR, tmpstr); | 306 | writecf(FS_ERR, tmpstr); |
239 | } | 307 | } |
240 | return(ok); | 308 | return ok; |
241 | } | 309 | } |
242 | 310 | ||
243 | void vc_x509store_setflags(vc_x509store_t *store, int flags) | 311 | void vc_x509store_setflags(vc_x509store_t *store, int flags) |
@@ -323,6 +391,14 @@ void vc_cleanup_x509store(vc_x509store_t *s) | |||
323 | free(s->use_keyfile); | 391 | free(s->use_keyfile); |
324 | free(s->use_key); | 392 | free(s->use_key); |
325 | sk_X509_free(s->certs); | 393 | sk_X509_free(s->certs); |
326 | sk_X509_free(s->crls); | 394 | sk_X509_CRL_free(s->crls); |
327 | sk_X509_free(s->use_certs); | 395 | sk_X509_free(s->use_certs); |
328 | } | 396 | } |
397 | |||
398 | const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown"; | ||
399 | void vchat_ssl_get_version_external() | ||
400 | { | ||
401 | char tmpstr[TMPSTRSIZE]; | ||
402 | snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS)); | ||
403 | vchat_ssl_version_external = strdup(tmpstr); | ||
404 | } | ||
diff --git a/vchat-ssl.h b/vchat-ssl.h index baaa3c4..12d5fdb 100755 --- a/vchat-ssl.h +++ b/vchat-ssl.h | |||
@@ -36,6 +36,7 @@ void vc_x509store_setflags(vc_x509store_t *, int); | |||
36 | void vc_x509store_clearflags(vc_x509store_t *, int); | 36 | void vc_x509store_clearflags(vc_x509store_t *, int); |
37 | int vc_verify_callback(int, X509_STORE_CTX *); | 37 | int vc_verify_callback(int, X509_STORE_CTX *); |
38 | X509_STORE * vc_x509store_create(vc_x509store_t *); | 38 | X509_STORE * vc_x509store_create(vc_x509store_t *); |
39 | char *vc_ssl_version(char *, int); | ||
39 | 40 | ||
40 | #define VC_X509S_NODEF_CAFILE 0x01 | 41 | #define VC_X509S_NODEF_CAFILE 0x01 |
41 | #define VC_X509S_NODEF_CAPATH 0x02 | 42 | #define VC_X509S_NODEF_CAPATH 0x02 |
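Review bot: The added prototype `char *vc_ssl_version(char *, int);` at new line 39 has no matching definition anywhere in this commit; vchat-ssl.c instead defines `vchat_ssl_get_version_external()`, which is declared in vchat.h rather than here. Unless `vc_ssl_version` exists in code not shown, the line is a leftover and should be dropped or replaced by `void vchat_ssl_get_version_external(void);` so this header remains the place where the SSL module's interface is declared.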
@@ -36,11 +36,11 @@ | |||
36 | #include "vchat-user.h" | 36 | #include "vchat-user.h" |
37 | 37 | ||
38 | /* version of this module */ | 38 | /* version of this module */ |
39 | char *vchat_ui_version = "$Id$"; | 39 | const char *vchat_ui_version = "vchat-ui.c $Id$"; |
40 | 40 | ||
41 | /* externally used variables */ | 41 | /* externally used variables */ |
42 | /* current string in topic window */ | 42 | /* current string in topic window */ |
43 | char topicstr[TOPICSTRSIZE] = "[] VChat 0.17"; | 43 | char topicstr[TOPICSTRSIZE] = "[] VChat 0.19"; |
44 | /* current string in console window */ | 44 | /* current string in console window */ |
45 | char consolestr[CONSOLESTRSIZE] = "[ Get help: .h for server /h for client commands"; | 45 | char consolestr[CONSOLESTRSIZE] = "[ Get help: .h for server /h for client commands"; |
46 | 46 | ||
@@ -117,7 +117,7 @@ static void forceredraw_wrapper (int a) {forceredraw();} | |||
117 | static void drawwin (WINDOW *win, struct sb_data *sb); | 117 | static void drawwin (WINDOW *win, struct sb_data *sb); |
118 | static int writescr (WINDOW *win, struct sb_entry *entry); | 118 | static int writescr (WINDOW *win, struct sb_entry *entry); |
119 | static int testfilter ( struct sb_entry *entry); | 119 | static int testfilter ( struct sb_entry *entry); |
120 | static int gettextwidth (char *textbuffer); | 120 | static int gettextwidth (const char *textbuffer); |
121 | static void resize_output (void); | 121 | static void resize_output (void); |
122 | static int getsbeheight (struct sb_entry *entry, const int xwidth, int needstime ); | 122 | static int getsbeheight (struct sb_entry *entry, const int xwidth, int needstime ); |
123 | static int getsbdataheight (struct sb_data *data, const int xwidth, int needstime ); | 123 | static int getsbdataheight (struct sb_data *data, const int xwidth, int needstime ); |
@@ -308,7 +308,7 @@ sb_clear ( struct sb_data **sb ) { | |||
308 | }*/ | 308 | }*/ |
309 | 309 | ||
310 | static struct sb_entry* | 310 | static struct sb_entry* |
311 | sb_add (struct sb_data *sb, char *line, time_t when) { | 311 | sb_add (struct sb_data *sb, const char *line, time_t when) { |
312 | struct sb_entry *newone = malloc (sizeof(struct sb_entry)); | 312 | struct sb_entry *newone = malloc (sizeof(struct sb_entry)); |
313 | if( newone ) { | 313 | if( newone ) { |
314 | if( sb->count == sb->scroll ) sb->scroll++; | 314 | if( sb->count == sb->scroll ) sb->scroll++; |
@@ -350,7 +350,7 @@ void showout (void) | |||
350 | resize(0); | 350 | resize(0); |
351 | } | 351 | } |
352 | 352 | ||
353 | void writeout (char *str) | 353 | void writeout (const char *str) |
354 | { | 354 | { |
355 | int i; | 355 | int i; |
356 | sb_add(sb_out,str,time(NULL)); | 356 | sb_add(sb_out,str,time(NULL)); |
@@ -865,7 +865,7 @@ resize (int signal) | |||
865 | } | 865 | } |
866 | 866 | ||
867 | static int | 867 | static int |
868 | gettextwidth (char *textbuffer) | 868 | gettextwidth (const char *textbuffer) |
869 | { | 869 | { |
870 | int width = 0; | 870 | int width = 0; |
871 | 871 | ||
diff --git a/vchat-user.c b/vchat-user.c index d7261d6..7280672 100755 --- a/vchat-user.c +++ b/vchat-user.c | |||
@@ -15,7 +15,7 @@ | |||
15 | #include "vchat-user.h" | 15 | #include "vchat-user.h" |
16 | 16 | ||
17 | /* version of this module */ | 17 | /* version of this module */ |
18 | char *vchat_us_version = "$Id$"; | 18 | char *vchat_us_version = "vchat-user.c $Id$"; |
19 | 19 | ||
20 | typedef struct | 20 | typedef struct |
21 | { | 21 | { |
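Review bot: `char *vchat_us_version` at new line 18 keeps the non-const type while the sibling module version strings in vchat-client.c, vchat-commands.c, vchat-protocol.c, vchat-ssl.c and vchat-ui.c all become `const char *` in this commit. Make it `const char *vchat_us_version = "vchat-user.c $Id$";` and adjust its `extern` declaration (presumably in vchat-user.h, not shown) so that a write through the pointer to a string literal is rejected at compile time instead of being undefined behavior at runtime.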
@@ -30,8 +30,8 @@ typedef struct servermessage servermessage; | |||
30 | /* configuration types and variable numbers */ | 30 | /* configuration types and variable numbers */ |
31 | typedef enum { CO_NIL, CO_STR, CO_INT } conftype; | 31 | typedef enum { CO_NIL, CO_STR, CO_INT } conftype; |
32 | typedef enum { CF_NIL, CF_NICK, CF_FROM, CF_SERVERHOST, CF_SERVERPORT, | 32 | typedef enum { CF_NIL, CF_NICK, CF_FROM, CF_SERVERHOST, CF_SERVERPORT, |
33 | CF_CIPHERSUITE, CF_CONFIGFILE, CF_CERTFILE, CF_KEYFILE, CF_FORMFILE, CF_LOGINSCRIPT, | 33 | CF_CIPHERSUITE, CF_CONFIGFILE, CF_CERTFILE, CF_KEYFILE, CF_FORMFILE, CF_LOGINSCRIPT, CF_FINGERPRINT, |
34 | CF_USESSL, CF_IGNSSL, CF_USECERT, CF_PRIVHEIGHT, CF_PRIVCOLLAPS, CF_HSCROLL, CF_CHANNEL, CF_USETIME, | 34 | CF_USESSL, CF_VERIFYSSL, CF_USECERT, CF_PRIVHEIGHT, CF_PRIVCOLLAPS, CF_HSCROLL, CF_CHANNEL, CF_USETIME, |
35 | CF_USETOPIC, CF_SCROLLBPRIV, CF_SCROLLBACK, CF_SCROLLBPRIVT, CF_SCROLLBACKT, | 35 | CF_USETOPIC, CF_SCROLLBPRIV, CF_SCROLLBACK, CF_SCROLLBPRIVT, CF_SCROLLBACKT, |
36 | CF_ENCODING, CF_BELLPRIV, CF_CASEFIRST, CF_AUTORECONN, CF_KEEPALIVE } confopt; | 36 | CF_ENCODING, CF_BELLPRIV, CF_CASEFIRST, CF_AUTORECONN, CF_KEEPALIVE } confopt; |
37 | 37 | ||
@@ -80,7 +80,7 @@ extern unsigned int want_tcp_keepalive; | |||
80 | /* vchat-client.c */ | 80 | /* vchat-client.c */ |
81 | #define ERRSTRSIZE 1024 | 81 | #define ERRSTRSIZE 1024 |
82 | extern char errstr[]; | 82 | extern char errstr[]; |
83 | extern char *vchat_cl_version; | 83 | extern const char *vchat_cl_version; |
84 | void loadcfg (char *file,int complain,void (*lineparser) (char *)); | 84 | void loadcfg (char *file,int complain,void (*lineparser) (char *)); |
85 | void loadformats (char *file); | 85 | void loadformats (char *file); |
86 | void cleanup(int signal); | 86 | void cleanup(int signal); |
@@ -93,7 +93,7 @@ int getintoption (confopt option); | |||
93 | void setintoption (confopt option, int value); | 93 | void setintoption (confopt option, int value); |
94 | 94 | ||
95 | /* vchat-ui.c */ | 95 | /* vchat-ui.c */ |
96 | extern char *vchat_ui_version; | 96 | extern const char *vchat_ui_version; |
97 | 97 | ||
98 | /* topic and console strings */ | 98 | /* topic and console strings */ |
99 | #define TOPICSTRSIZE 1024 | 99 | #define TOPICSTRSIZE 1024 |
@@ -112,7 +112,7 @@ void userinput (void); | |||
112 | /* display various messages */ | 112 | /* display various messages */ |
113 | int writechan (char *str); | 113 | int writechan (char *str); |
114 | int writepriv (char *str, int maybeep ); | 114 | int writepriv (char *str, int maybeep ); |
115 | void writeout (char *str); | 115 | void writeout (const char *str); |
116 | void showout (void); | 116 | void showout (void); |
117 | void flushout (void); | 117 | void flushout (void); |
118 | #define msgout(STR) {flushout();writeout(STR);showout();} | 118 | #define msgout(STR) {flushout();writeout(STR);showout();} |
@@ -140,7 +140,7 @@ void clearfilters ( char colour ); | |||
140 | void handlequery ( char *line ); | 140 | void handlequery ( char *line ); |
141 | 141 | ||
142 | /* vchat-protocol.c */ | 142 | /* vchat-protocol.c */ |
143 | extern char *vchat_io_version; | 143 | extern const char *vchat_io_version; |
144 | 144 | ||
145 | /* connect/disconnect */ | 145 | /* connect/disconnect */ |
146 | int vcconnect (char *server, char *port); | 146 | int vcconnect (char *server, char *port); |
@@ -156,7 +156,7 @@ void ownleave (int channel); | |||
156 | void ownnickchange (char *newnick); | 156 | void ownnickchange (char *newnick); |
157 | 157 | ||
158 | /* vchat-commands.c */ | 158 | /* vchat-commands.c */ |
159 | extern char *vchat_cm_version; | 159 | extern const char *vchat_cm_version; |
160 | void command_version ( char *tail); | 160 | void command_version ( char *tail); |
161 | 161 | ||
162 | /* user input */ | 162 | /* user input */ |
@@ -171,3 +171,8 @@ typedef struct { | |||
171 | char *short_help; | 171 | char *short_help; |
172 | char *help; | 172 | char *help; |
173 | } commandentry; | 173 | } commandentry; |
174 | |||
175 | /* vchat-ssl.c */ | ||
176 | extern const char *vchat_ssl_version; | ||
177 | extern const char *vchat_ssl_version_external; | ||
178 | void vchat_ssl_get_version_external(); | ||
@@ -4,7 +4,7 @@ | |||
4 | #nick = noname | 4 | #nick = noname |
5 | 5 | ||
6 | # Auto-set from-tag during login | 6 | # Auto-set from-tag during login |
7 | #from = vc-alpha-0.15 | 7 | #from = vc-alpha-0.19 |
8 | 8 | ||
9 | # Server-host to connect to | 9 | # Server-host to connect to |
10 | #host = pulse.flatline.de | 10 | #host = pulse.flatline.de |
@@ -15,7 +15,10 @@ | |||
15 | # Type of ciphers at the SSL-handshake; | 15 | # Type of ciphers at the SSL-handshake; |
16 | # further information in the | 16 | # further information in the |
17 | # OpenSSL/mod_ssl/Apache-documentation | 17 | # OpenSSL/mod_ssl/Apache-documentation |
18 | #ciphers = HIGH:MEDIUM | 18 | # default used before OpenSSL 1.0.0: |
19 | #ciphers = DHE-RSA-AES256-SHA | ||
20 | # default used after OpenSSL 1.0.0: | ||
21 | #ciphers = ECDHE-RSA-AES256-GCM-SHA384 | ||
19 | 22 | ||
20 | # Location of the config-file | 23 | # Location of the config-file |
21 | #conffile = ~/.vchat/config | 24 | #conffile = ~/.vchat/config |
@@ -36,6 +39,9 @@ | |||
36 | # Use the certificate for connecting [0|1] | 39 | # Use the certificate for connecting [0|1] |
37 | #usecert = 1 | 40 | #usecert = 1 |
38 | 41 | ||
42 | # Verify depth for peer certificate | ||
43 | #verifyssl = 2 | ||
44 | |||
39 | # Show the time of the message at start of line [0|1] | 45 | # Show the time of the message at start of line [0|1] |
40 | #usetime = 1 | 46 | #usetime = 1 |
41 | 47 | ||