diff options
Diffstat (limited to 'vchat-ssl.c')
-rwxr-xr-x | vchat-ssl.c | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c index b344d10..b052d84 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c | |||
@@ -168,7 +168,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
168 | FILE *fingerprint_file = NULL; | 168 | FILE *fingerprint_file = NULL; |
169 | char * fp = fingerprint; | 169 | char * fp = fingerprint; |
170 | 170 | ||
171 | long result; | 171 | long result, j; |
172 | 172 | ||
173 | if( !ctx ) | 173 | if( !ctx ) |
174 | return 1; | 174 | return 1; |
@@ -220,7 +220,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
220 | 220 | ||
221 | assert ( ( fingerprint_len > 1 ) && (fingerprint_len <= EVP_MAX_MD_SIZE )); | 221 | assert ( ( fingerprint_len > 1 ) && (fingerprint_len <= EVP_MAX_MD_SIZE )); |
222 | for (j=0; j<(int)fingerprint_len; j++) | 222 | for (j=0; j<(int)fingerprint_len; j++) |
223 | fp += sprintf(nf, "%02X:", fingerprint_bin[j]); | 223 | fp += sprintf(fp, "%02X:", fingerprint_bin[j]); |
224 | assert ( fp > fingerprint ); | 224 | assert ( fp > fingerprint ); |
225 | fp[-1] = 0; | 225 | fp[-1] = 0; |
226 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", fingerprint); | 226 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", fingerprint); |
@@ -229,16 +229,8 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
229 | /* we don't need the peercert anymore */ | 229 | /* we don't need the peercert anymore */ |
230 | X509_free(peercert); | 230 | X509_free(peercert); |
231 | 231 | ||
232 | /* If verify of x509 chain was requested, do the check here */ | ||
233 | result = SSL_get_verify_result(sslp); | ||
234 | if (result != X509_V_OK && !getintoption(CF_IGNSSL) ) | ||
235 | goto ssl_error; | ||
236 | |||
237 | if (result != X509_V_OK) | ||
238 | writecf(FS_ERR, "[SSL VERIFY ERROR ] FAILURE IGNORED!!!"); | ||
239 | |||
240 | /* verify fingerprint */ | 232 | /* verify fingerprint */ |
241 | if (getintoption(CF_PIN_FINGERPRINT)) { | 233 | if (getintoption(CF_PINFINGER)) { |
242 | 234 | ||
243 | fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r"); | 235 | fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r"); |
244 | if (fingerprint_file) { | 236 | if (fingerprint_file) { |
@@ -276,6 +268,17 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
276 | return 0; | 268 | return 0; |
277 | } | 269 | } |
278 | 270 | ||
271 | /* If verify of x509 chain was requested, do the check here */ | ||
272 | result = SSL_get_verify_result(sslp); | ||
273 | |||
274 | if (result == X509_V_OK) | ||
275 | return 0; | ||
276 | |||
277 | if (getintoption(CF_IGNSSL)) { | ||
278 | writecf(FS_ERR, "[SSL VERIFY ERROR ] FAILURE IGNORED!!!"); | ||
279 | return 0; | ||
280 | } | ||
281 | |||
279 | ssl_error: | 282 | ssl_error: |
280 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); | 283 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); |
281 | writecf(FS_ERR, tmpstr); | 284 | writecf(FS_ERR, tmpstr); |