diff options
Diffstat (limited to 'vchat-ssl.c')
-rwxr-xr-x | vchat-ssl.c | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c index d4a6029..999d6b8 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c | |||
@@ -32,7 +32,7 @@ | |||
32 | #include "vchat.h" | 32 | #include "vchat.h" |
33 | #include "vchat-ssl.h" | 33 | #include "vchat-ssl.h" |
34 | 34 | ||
35 | char *vchat_ssl_version = "$Id$"; | 35 | const char *vchat_ssl_version = "$Id$"; |
36 | 36 | ||
37 | #define VC_CTX_ERR_EXIT(se, cx) do { \ | 37 | #define VC_CTX_ERR_EXIT(se, cx) do { \ |
38 | snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ | 38 | snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ |
@@ -72,12 +72,14 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) | |||
72 | store = NULL; | 72 | store = NULL; |
73 | /* Disable some insecure protocols explicitly */ | 73 | /* Disable some insecure protocols explicitly */ |
74 | SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); | 74 | SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); |
75 | if( OPENSSL_VERSION_NUMBER < 0x10000000L ) | 75 | if (getstroption(CF_CIPHERSUITE)) |
76 | SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE)); | ||
77 | else if( OPENSSL_VERSION_NUMBER < 0x10000000L ) | ||
76 | SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); | 78 | SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); |
77 | else | 79 | else |
78 | SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); | 80 | SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); |
79 | 81 | ||
80 | SSL_CTX_set_verify_depth (ctx, 2); | 82 | SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL)); |
81 | 83 | ||
82 | if( !(verify_callback = vc_store->callback) ) | 84 | if( !(verify_callback = vc_store->callback) ) |
83 | verify_callback = vc_verify_callback; | 85 | verify_callback = vc_verify_callback; |
@@ -139,6 +141,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
139 | BIO_push( ssl_conn, *conn ); | 141 | BIO_push( ssl_conn, *conn ); |
140 | *conn = ssl_conn; | 142 | *conn = ssl_conn; |
141 | fflush(stdout); | 143 | fflush(stdout); |
144 | |||
142 | if( BIO_do_handshake( *conn ) > 0 ) { | 145 | if( BIO_do_handshake( *conn ) > 0 ) { |
143 | /* Show information about cipher used */ | 146 | /* Show information about cipher used */ |
144 | const SSL *sslp = NULL; | 147 | const SSL *sslp = NULL; |
@@ -156,11 +159,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
156 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); | 159 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); |
157 | writecf(FS_ERR, tmpstr); | 160 | writecf(FS_ERR, tmpstr); |
158 | } | 161 | } |
159 | return 0; | 162 | |
163 | /* Accept being connected, _if_ verification passed */ | ||
164 | if (sslp && SSL_get_verify_result(sslp) == X509_V_OK) | ||
165 | return 0; | ||
160 | } | 166 | } |
161 | } | 167 | } |
162 | 168 | ||
163 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); | 169 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); |
164 | writecf(FS_ERR, tmpstr); | 170 | writecf(FS_ERR, tmpstr); |
165 | 171 | ||
166 | return 1; | 172 | return 1; |
@@ -230,17 +236,11 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store) | |||
230 | int vc_verify_callback(int ok, X509_STORE_CTX *store) | 236 | int vc_verify_callback(int ok, X509_STORE_CTX *store) |
231 | { | 237 | { |
232 | if(!ok) { | 238 | if(!ok) { |
233 | /* XXX handle action/abort */ | 239 | snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s", |
234 | if(!(ok=getintoption(CF_IGNSSL))) | ||
235 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", | ||
236 | X509_verify_cert_error_string(store->error)); | 240 | X509_verify_cert_error_string(store->error)); |
237 | else | ||
238 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)", | ||
239 | X509_verify_cert_error_string(store->error)); | ||
240 | |||
241 | writecf(FS_ERR, tmpstr); | 241 | writecf(FS_ERR, tmpstr); |
242 | } | 242 | } |
243 | return(ok); | 243 | return ok; |
244 | } | 244 | } |
245 | 245 | ||
246 | void vc_x509store_setflags(vc_x509store_t *store, int flags) | 246 | void vc_x509store_setflags(vc_x509store_t *store, int flags) |
@@ -326,6 +326,14 @@ void vc_cleanup_x509store(vc_x509store_t *s) | |||
326 | free(s->use_keyfile); | 326 | free(s->use_keyfile); |
327 | free(s->use_key); | 327 | free(s->use_key); |
328 | sk_X509_free(s->certs); | 328 | sk_X509_free(s->certs); |
329 | sk_X509_free(s->crls); | 329 | sk_X509_CRL_free(s->crls); |
330 | sk_X509_free(s->use_certs); | 330 | sk_X509_free(s->use_certs); |
331 | } | 331 | } |
332 | |||
333 | const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown"; | ||
334 | void vchat_ssl_get_version_external() | ||
335 | { | ||
336 | char tmpstr[TMPSTRSIZE]; | ||
337 | snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS)); | ||
338 | vchat_ssl_version_external = strdup(tmpstr); | ||
339 | } | ||