From 962f887a64422c8e0a7f12131d8401211ef8cd74 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 13:06:58 +0200 Subject: allow the use of TLSv1 / TLSv1_1 again --- vchat-ssl.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/vchat-ssl.c b/vchat-ssl.c index 2b41432..0333aee 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -61,8 +61,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) X509_STORE *store = NULL; vc_x509verify_cb_t verify_callback = NULL; - /* Explicitly use TLSv1_2 (or maybe later) */ - if( !(ctx = SSL_CTX_new(TLSv1_2_client_method())) ) + /* Explicitly use TLSv1 (or maybe later) */ + if( !(ctx = SSL_CTX_new(TLSv1_client_method())) ) VC_CTX_ERR_EXIT(store, ctx); if( !(store = vc_x509store_create(vc_store)) ) @@ -70,8 +70,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) SSL_CTX_set_cert_store(ctx, store); store = NULL; - /* Disable A LOT of insecure protocols explicitly */ - SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1); + /* Disable some insecure protocols explicitly */ + SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); SSL_CTX_set_verify_depth (ctx, 2); -- cgit v1.2.3 From 2cf4cbdf20b0154470c4b1642a5f8cc0cd97cf7c Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 13:15:16 +0200 Subject: version bump 0.18 --- debian/changelog | 8 ++++++++ vchat-client.sgml | 4 ++-- vchat-config.h | 2 +- vchat-ui.c | 2 +- vchatrc.ex | 2 +- 5 files changed, 13 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index 17e8bf7..1c5752f 100755 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +vchat-client (0.18-1) unstable; urgency=high + + * updated to use TLSv1 or later + * improved SSL error reporting + * report SSL cipher used + + -- Andreas Kotes Tue, 15 Apr 2014 13:09:23 +0200 + vchat-client (0.15-2) unstable; urgency=low * changed debian/rules using "make install" diff --git a/vchat-client.sgml b/vchat-client.sgml index 4b4f130..6b35fe1 100755 --- a/vchat-client.sgml +++ b/vchat-client.sgml @@ -101,7 +101,7 @@ overridden in the configfile. from -set from (default "vc-alpha-0.15") +set from (default "vc-alpha-0.18") @@ -144,7 +144,7 @@ configure the behavior of vchat-client -Sets the from (default is "vc-alpha-0.15") +Sets the from (default is "vc-alpha-0.18") diff --git a/vchat-config.h b/vchat-config.h index 8392d18..d2f29a0 100755 --- a/vchat-config.h +++ b/vchat-config.h @@ -29,7 +29,7 @@ extern unsigned int hscroll; static volatile configoption configoptions[] = { /* config-option type name in file default value value localvar */ {CF_NICK, CO_STR, "nick", NULL, NULL, { NULL } }, - {CF_FROM, CO_STR, "from", "vc-alpha-0.17", NULL, { NULL } }, + {CF_FROM, CO_STR, "from", "vc-alpha-0.18", NULL, { NULL } }, {CF_SERVERHOST, CO_STR, "host", "localhost", NULL, { NULL } }, {CF_SERVERPORT, CO_STR, "port", "2325", NULL, { NULL } }, {CF_CIPHERSUITE, CO_STR, "ciphers", "HIGH:MEDIUM", NULL, { NULL } }, diff --git a/vchat-ui.c b/vchat-ui.c index f3e5af5..f8bcc45 100755 --- a/vchat-ui.c +++ b/vchat-ui.c @@ -40,7 +40,7 @@ char *vchat_ui_version = "$Id$"; /* externally used variables */ /* current string in topic window */ -char topicstr[TOPICSTRSIZE] = "[] VChat 0.17"; +char topicstr[TOPICSTRSIZE] = "[] VChat 0.18"; /* current string in console window */ char consolestr[CONSOLESTRSIZE] = "[ Get help: .h for server /h for client commands"; diff --git a/vchatrc.ex b/vchatrc.ex index cb399a3..5d2a98f 100755 --- a/vchatrc.ex +++ b/vchatrc.ex @@ -4,7 +4,7 @@ #nick = noname # Auto-set from-tag during login -#from = vc-alpha-0.15 +#from = vc-alpha-0.18 # Server-host to connect to #host = pulse.flatline.de -- cgit v1.2.3 From 47ca1fb4bf7165c7bd1640be6045f785438eab22 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 13:22:06 +0200 Subject: update debian packaging rules --- debian/rules | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/rules b/debian/rules index 389c597..778533f 100755 --- a/debian/rules +++ b/debian/rules @@ -5,7 +5,7 @@ #export DH_VERBOSE=1 # This is the debhelper compatability version to use. -export DH_COMPAT=3 +export DH_COMPAT=5 configure: configure-stamp configure-stamp: @@ -28,7 +28,7 @@ clean: install: build dh_testdir dh_testroot - dh_clean -k + dh_prep dh_installdirs $(MAKE) install DESTDIR=$(CURDIR)/debian/vchat-client PREFIX=/usr -- cgit v1.2.3 From 2cb919fee2df15cf82ec11fd32f59ef57436cd1b Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 13:32:37 +0200 Subject: don't check cipher if SSL object not available --- vchat-ssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/vchat-ssl.c b/vchat-ssl.c index 0333aee..986187f 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -143,6 +143,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) /* Get cipher object */ BIO_get_ssl(ssl_conn, &sslp); + if (sslp) cipher = SSL_get_current_cipher(sslp); if (cipher) { char cipher_desc[TMPSTRSIZE]; -- cgit v1.2.3 From f98143f4d2774dc06b23655fd369075247aab4e9 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 13:33:13 +0200 Subject: disable RC4 explicitly --- vchat-ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vchat-ssl.c b/vchat-ssl.c index 986187f..e571d85 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -72,7 +72,7 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) store = NULL; /* Disable some insecure protocols explicitly */ SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); - SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"); + SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH"); SSL_CTX_set_verify_depth (ctx, 2); -- cgit v1.2.3 From cc89915d8cc8361c29318ee954f4fff14d862cb7 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Tue, 15 Apr 2014 15:26:54 +0200 Subject: use SSLv23_client_method & force cipherstring --- vchat-ssl.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/vchat-ssl.c b/vchat-ssl.c index e571d85..d4a6029 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -62,7 +62,7 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) vc_x509verify_cb_t verify_callback = NULL; /* Explicitly use TLSv1 (or maybe later) */ - if( !(ctx = SSL_CTX_new(TLSv1_client_method())) ) + if( !(ctx = SSL_CTX_new(SSLv23_client_method())) ) VC_CTX_ERR_EXIT(store, ctx); if( !(store = vc_x509store_create(vc_store)) ) @@ -71,8 +71,11 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) SSL_CTX_set_cert_store(ctx, store); store = NULL; /* Disable some insecure protocols explicitly */ - SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3); - SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:!RC4:@STRENGTH"); + SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); + if( OPENSSL_VERSION_NUMBER < 0x10000000L ) + SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); + else + SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); SSL_CTX_set_verify_depth (ctx, 2); -- cgit v1.2.3 From 0171de7653dbc409f8a936e80a8c9bc3ab3d1bdb Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Wed, 16 Apr 2014 15:20:49 +0200 Subject: version 0.19 * fixed version string display * failing on SSL verify failures * removed ignssl option * reenabled ciphers options * added verifyssl option (cert verify depth) --- .gitattributes | 1 + debian/changelog | 10 ++++++++++ vchat-client.c | 19 +++++++++++++++++-- vchat-client.sgml | 6 +++--- vchat-commands.c | 4 +++- vchat-config.h | 6 +++--- vchat-howto | 14 +++++--------- vchat-protocol.c | 2 +- vchat-ssl.c | 36 ++++++++++++++++++++++-------------- vchat-ssl.h | 1 + vchat-ui.c | 12 ++++++------ vchat.h | 17 +++++++++++------ vchatrc.ex | 10 ++++++++-- 13 files changed, 91 insertions(+), 47 deletions(-) create mode 100644 .gitattributes diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9433213 --- /dev/null +++ b/.gitattributes @@ -0,0 +1 @@ +*.c ident diff --git a/debian/changelog b/debian/changelog index 1c5752f..eb2b185 100755 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +vchat-client (0.19-1) unstable; urgency=high + + * fixed version string display + * failing on SSL verify failures + * removed ignssl option + * reenabled ciphers options + * added verifyssl option (cert verify depth) + + -- Andreas Kotes Wed, 16 Apr 2014 15:12:23 +0200 + vchat-client (0.18-1) unstable; urgency=high * updated to use TLSv1 or later diff --git a/vchat-client.c b/vchat-client.c index f5cd516..1efcd7d 100755 --- a/vchat-client.c +++ b/vchat-client.c @@ -32,7 +32,7 @@ #include "vchat-user.h" /* version of this module */ -char *vchat_cl_version = "$Id$"; +const char *vchat_cl_version = "$Id$"; /* externally used variables */ /* we're logged in */ @@ -442,6 +442,17 @@ void usage( char *name) { puts (" -n set nickname"); printf (" -f set from (default \"%s\")\n",getstroption(CF_FROM)); puts (" -h gives this help"); + puts (" -v show module versions"); +} + +void versions() { + puts (vchat_cl_version); + puts (vchat_ui_version); + puts (vchat_io_version); + puts (vchat_us_version); + puts (vchat_cm_version); + puts (vchat_ssl_version); + puts (vchat_ssl_version_external); } /* main - d'oh */ @@ -456,9 +467,12 @@ main (int argc, char **argv) loadconfig (GLOBAL_CONFIG_FILE); loadconfig (getstroption (CF_CONFIGFILE)); + /* make SSL version used visible */ + vchat_ssl_get_version_external(); + /* parse commandline */ while (cmdsunparsed) { - pchar = getopt(argc,argv,"C:F:lzs:p:c:n:f:kKL:h"); + pchar = getopt(argc,argv,"C:F:lzs:p:c:n:f:kKL:hv"); #ifdef DEBUG fprintf(stderr,"parse commandline: %d ('%c'): %s\n",pchar,pchar,optarg); #endif @@ -475,6 +489,7 @@ main (int argc, char **argv) case 'n': own_nick_set(optarg); break; case 'f': setstroption(CF_FROM,optarg); break; case 'h': usage(argv[0]); exit(0); break; + case 'v': versions(); exit(0); break; default : usage(argv[0]); exit(1); } } diff --git a/vchat-client.sgml b/vchat-client.sgml index 6b35fe1..3d6fbc7 100755 --- a/vchat-client.sgml +++ b/vchat-client.sgml @@ -101,7 +101,7 @@ overridden in the configfile. from -set from (default "vc-alpha-0.18") +set from (default "vc-alpha-0.19") @@ -144,7 +144,7 @@ configure the behavior of vchat-client -Sets the from (default is "vc-alpha-0.18") +Sets the from (default is "vc-alpha-0.19") @@ -159,7 +159,7 @@ configure the behavior of vchat-client -Set ciphers ("HIGH:MEDIUM") +Set ciphers (autodetected) diff --git a/vchat-commands.c b/vchat-commands.c index 2c3d68b..5ade188 100755 --- a/vchat-commands.c +++ b/vchat-commands.c @@ -29,7 +29,7 @@ #include "vchat-user.h" /* version of this module */ -char *vchat_cm_version = "$Id$"; +const char *vchat_cm_version = "$Id$"; /* from vchat-client.c */ extern int ownquit; @@ -452,6 +452,8 @@ command_version(char *tail) writeout (vchat_io_version); writeout (vchat_us_version); writeout (vchat_cm_version); + writeout (vchat_ssl_version); + writeout (vchat_ssl_version_external); showout(); } diff --git a/vchat-config.h b/vchat-config.h index d2f29a0..2628dc1 100755 --- a/vchat-config.h +++ b/vchat-config.h @@ -29,10 +29,10 @@ extern unsigned int hscroll; static volatile configoption configoptions[] = { /* config-option type name in file default value value localvar */ {CF_NICK, CO_STR, "nick", NULL, NULL, { NULL } }, - {CF_FROM, CO_STR, "from", "vc-alpha-0.18", NULL, { NULL } }, + {CF_FROM, CO_STR, "from", "vc-alpha-0.19", NULL, { NULL } }, {CF_SERVERHOST, CO_STR, "host", "localhost", NULL, { NULL } }, {CF_SERVERPORT, CO_STR, "port", "2325", NULL, { NULL } }, - {CF_CIPHERSUITE, CO_STR, "ciphers", "HIGH:MEDIUM", NULL, { NULL } }, + {CF_CIPHERSUITE, CO_STR, "ciphers", NULL, NULL, { NULL } }, {CF_CONFIGFILE, CO_STR, "conffile", "~/.vchat/config", NULL, { NULL } }, {CF_CERTFILE, CO_STR, "certfile", "~/.vchat/cert", NULL, { NULL } }, {CF_KEYFILE, CO_STR, "keyfile", "~/.vchat/key", NULL, { NULL } }, @@ -40,7 +40,7 @@ static volatile configoption configoptions[] = { {CF_LOGINSCRIPT, CO_STR, "loginscript","~/.vchat/loginscript", NULL, { NULL } }, {CF_ENCODING, CO_STR, "encoding", NULL, NULL, { .pstr = &encoding }}, {CF_USESSL, CO_INT, "usessl", (char *) 1, (char *)-1, { NULL } }, - {CF_IGNSSL, CO_INT, "ignssl", (char *) 0, (char *)-1, { NULL } }, + {CF_VERIFYSSL, CO_INT, "verifyssl", (char *) 2, (char *)-1, { NULL } }, {CF_USECERT, CO_INT, "usecert", (char *) 1, (char *)-1, { NULL } }, {CF_USETIME, CO_INT, "usetime", (char *) 1, (char *)-1, { .pint = &usetime } }, {CF_USETOPIC, CO_INT, "usetopicbar",(char *) 1, (char *)-1, { NULL } }, diff --git a/vchat-howto b/vchat-howto index 0ace213..27f8e14 100755 --- a/vchat-howto +++ b/vchat-howto @@ -69,11 +69,7 @@ type: $ echo host=vchat.berlin.ccc.de >> ~/.vchat/config -If you want to ignore SSL-warnings due to missing CA-files, type: - -$ echo ignssl=1 >> ~/.vchat/config - -If you don't want to ignore SSL-warnings, get the root-certificates from: +You don't want to ignore SSL-warnings, get the root-certificates from: http://www.cacert.org/certs/class3.txt and @@ -87,10 +83,10 @@ and copy them into your openssl-certs directory. For example: # ln -s root.txt `openssl x509 -in root.txt -hash | head -n 1`.0 # ln -s class3.txt `openssl x509 -in class3.txt -hash | head -n 1`.0 -Now you can type: - - $ echo ignssl=0 >> ~/.vchat/config - +NOTE: some openssl versions deliberately disable EC for unknown reasons, you +need to manually (re)set the cipher string to a lower security variant there: + +$ echo ciphers=DHE-RSA-AES256-SHA >> ~/.vchat/config If you want a seperate private message window, type: diff --git a/vchat-protocol.c b/vchat-protocol.c index e676b28..6cf9724 100755 --- a/vchat-protocol.c +++ b/vchat-protocol.c @@ -35,7 +35,7 @@ #include "vchat-ssl.h" /* version of this module */ -char *vchat_io_version = "$Id$"; +const char *vchat_io_version = "$Id$"; /* externally used variables */ int serverfd = -1; diff --git a/vchat-ssl.c b/vchat-ssl.c index d4a6029..999d6b8 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -32,7 +32,7 @@ #include "vchat.h" #include "vchat-ssl.h" -char *vchat_ssl_version = "$Id$"; +const char *vchat_ssl_version = "$Id$"; #define VC_CTX_ERR_EXIT(se, cx) do { \ snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ @@ -72,12 +72,14 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) store = NULL; /* Disable some insecure protocols explicitly */ SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); - if( OPENSSL_VERSION_NUMBER < 0x10000000L ) + if (getstroption(CF_CIPHERSUITE)) + SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE)); + else if( OPENSSL_VERSION_NUMBER < 0x10000000L ) SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); else SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); - SSL_CTX_set_verify_depth (ctx, 2); + SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL)); if( !(verify_callback = vc_store->callback) ) verify_callback = vc_verify_callback; @@ -139,6 +141,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) BIO_push( ssl_conn, *conn ); *conn = ssl_conn; fflush(stdout); + if( BIO_do_handshake( *conn ) > 0 ) { /* Show information about cipher used */ const SSL *sslp = NULL; @@ -156,11 +159,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); writecf(FS_ERR, tmpstr); } - return 0; + + /* Accept being connected, _if_ verification passed */ + if (sslp && SSL_get_verify_result(sslp) == X509_V_OK) + return 0; } } - snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); + snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); writecf(FS_ERR, tmpstr); return 1; @@ -230,17 +236,11 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store) int vc_verify_callback(int ok, X509_STORE_CTX *store) { if(!ok) { - /* XXX handle action/abort */ - if(!(ok=getintoption(CF_IGNSSL))) - snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", + snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s", X509_verify_cert_error_string(store->error)); - else - snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)", - X509_verify_cert_error_string(store->error)); - writecf(FS_ERR, tmpstr); } - return(ok); + return ok; } void vc_x509store_setflags(vc_x509store_t *store, int flags) @@ -326,6 +326,14 @@ void vc_cleanup_x509store(vc_x509store_t *s) free(s->use_keyfile); free(s->use_key); sk_X509_free(s->certs); - sk_X509_free(s->crls); + sk_X509_CRL_free(s->crls); sk_X509_free(s->use_certs); } + +const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown"; +void vchat_ssl_get_version_external() +{ + char tmpstr[TMPSTRSIZE]; + snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS)); + vchat_ssl_version_external = strdup(tmpstr); +} diff --git a/vchat-ssl.h b/vchat-ssl.h index baaa3c4..12d5fdb 100755 --- a/vchat-ssl.h +++ b/vchat-ssl.h @@ -36,6 +36,7 @@ void vc_x509store_setflags(vc_x509store_t *, int); void vc_x509store_clearflags(vc_x509store_t *, int); int vc_verify_callback(int, X509_STORE_CTX *); X509_STORE * vc_x509store_create(vc_x509store_t *); +char *vc_ssl_version(char *, int); #define VC_X509S_NODEF_CAFILE 0x01 #define VC_X509S_NODEF_CAPATH 0x02 diff --git a/vchat-ui.c b/vchat-ui.c index f8bcc45..d4ea668 100755 --- a/vchat-ui.c +++ b/vchat-ui.c @@ -36,11 +36,11 @@ #include "vchat-user.h" /* version of this module */ -char *vchat_ui_version = "$Id$"; +const char *vchat_ui_version = "$Id$"; /* externally used variables */ /* current string in topic window */ -char topicstr[TOPICSTRSIZE] = "[] VChat 0.18"; +char topicstr[TOPICSTRSIZE] = "[] VChat 0.19"; /* current string in console window */ char consolestr[CONSOLESTRSIZE] = "[ Get help: .h for server /h for client commands"; @@ -117,7 +117,7 @@ static void forceredraw_wrapper (int a) {forceredraw();} static void drawwin (WINDOW *win, struct sb_data *sb); static int writescr (WINDOW *win, struct sb_entry *entry); static int testfilter ( struct sb_entry *entry); -static int gettextwidth (char *textbuffer); +static int gettextwidth (const char *textbuffer); static void resize_output (void); static int getsbeheight (struct sb_entry *entry, const int xwidth, int needstime ); static int getsbdataheight (struct sb_data *data, const int xwidth, int needstime ); @@ -308,7 +308,7 @@ sb_clear ( struct sb_data **sb ) { }*/ static struct sb_entry* -sb_add (struct sb_data *sb, char *line, time_t when) { +sb_add (struct sb_data *sb, const char *line, time_t when) { struct sb_entry *newone = malloc (sizeof(struct sb_entry)); if( newone ) { if( sb->count == sb->scroll ) sb->scroll++; @@ -350,7 +350,7 @@ void showout (void) resize(0); } -void writeout (char *str) +void writeout (const char *str) { int i; sb_add(sb_out,str,time(NULL)); @@ -865,7 +865,7 @@ resize (int signal) } static int -gettextwidth (char *textbuffer) +gettextwidth (const char *textbuffer) { int width = 0; diff --git a/vchat.h b/vchat.h index 1a24973..a0797d5 100755 --- a/vchat.h +++ b/vchat.h @@ -31,7 +31,7 @@ typedef struct servermessage servermessage; typedef enum { CO_NIL, CO_STR, CO_INT } conftype; typedef enum { CF_NIL, CF_NICK, CF_FROM, CF_SERVERHOST, CF_SERVERPORT, CF_CIPHERSUITE, CF_CONFIGFILE, CF_CERTFILE, CF_KEYFILE, CF_FORMFILE, CF_LOGINSCRIPT, -CF_USESSL, CF_IGNSSL, CF_USECERT, CF_PRIVHEIGHT, CF_PRIVCOLLAPS, CF_HSCROLL, CF_CHANNEL, CF_USETIME, +CF_USESSL, CF_VERIFYSSL, CF_USECERT, CF_PRIVHEIGHT, CF_PRIVCOLLAPS, CF_HSCROLL, CF_CHANNEL, CF_USETIME, CF_USETOPIC, CF_SCROLLBPRIV, CF_SCROLLBACK, CF_SCROLLBPRIVT, CF_SCROLLBACKT, CF_ENCODING, CF_BELLPRIV, CF_CASEFIRST, CF_AUTORECONN, CF_KEEPALIVE } confopt; @@ -80,7 +80,7 @@ extern unsigned int want_tcp_keepalive; /* vchat-client.c */ #define ERRSTRSIZE 1024 extern char errstr[]; -extern char *vchat_cl_version; +extern const char *vchat_cl_version; void loadcfg (char *file,int complain,void (*lineparser) (char *)); void loadformats (char *file); void cleanup(int signal); @@ -93,7 +93,7 @@ int getintoption (confopt option); void setintoption (confopt option, int value); /* vchat-ui.c */ -extern char *vchat_ui_version; +extern const char *vchat_ui_version; /* topic and console strings */ #define TOPICSTRSIZE 1024 @@ -112,7 +112,7 @@ void userinput (void); /* display various messages */ int writechan (char *str); int writepriv (char *str, int maybeep ); -void writeout (char *str); +void writeout (const char *str); void showout (void); void flushout (void); #define msgout(STR) {flushout();writeout(STR);showout();} @@ -140,7 +140,7 @@ void clearfilters ( char colour ); void handlequery ( char *line ); /* vchat-protocol.c */ -extern char *vchat_io_version; +extern const char *vchat_io_version; /* connect/disconnect */ int vcconnect (char *server, char *port); @@ -156,7 +156,7 @@ void ownleave (int channel); void ownnickchange (char *newnick); /* vchat-commands.c */ -extern char *vchat_cm_version; +extern const char *vchat_cm_version; void command_version ( char *tail); /* user input */ @@ -171,3 +171,8 @@ typedef struct { char *short_help; char *help; } commandentry; + +/* vchat-ssl.c */ +extern const char *vchat_ssl_version; +extern const char *vchat_ssl_version_external; +void vchat_ssl_get_version_external(); diff --git a/vchatrc.ex b/vchatrc.ex index 5d2a98f..c66d1f9 100755 --- a/vchatrc.ex +++ b/vchatrc.ex @@ -4,7 +4,7 @@ #nick = noname # Auto-set from-tag during login -#from = vc-alpha-0.18 +#from = vc-alpha-0.19 # Server-host to connect to #host = pulse.flatline.de @@ -15,7 +15,10 @@ # Type of ciphers at the SSL-handshake; # further information in the # OpenSSL/mod_ssl/Apache-documentation -#ciphers = HIGH:MEDIUM +# default used before OpenSSL 1.0.0: +#ciphers = DHE-RSA-AES256-SHA +# default used after OpenSSL 1.0.0: +#ciphers = ECDHE-RSA-AES256-GCM-SHA384 # Location of the config-file #conffile = ~/.vchat/config @@ -36,6 +39,9 @@ # Use the certificate for connecting [0|1] #usecert = 1 +# Verify depth for peer certificate +#verifyssl = 2 + # Show the time of the message at start of line [0|1] #usetime = 1 -- cgit v1.2.3 From edba804a0cbd19e5c971c55661bcf83967573906 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Wed, 16 Apr 2014 15:28:51 +0200 Subject: fix version strings --- vchat-client.c | 2 +- vchat-commands.c | 2 +- vchat-protocol.c | 2 +- vchat-ssl.c | 2 +- vchat-ui.c | 2 +- vchat-user.c | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/vchat-client.c b/vchat-client.c index 1efcd7d..a2e298c 100755 --- a/vchat-client.c +++ b/vchat-client.c @@ -32,7 +32,7 @@ #include "vchat-user.h" /* version of this module */ -const char *vchat_cl_version = "$Id$"; +const char *vchat_cl_version = "vchat-client.c $Id$"; /* externally used variables */ /* we're logged in */ diff --git a/vchat-commands.c b/vchat-commands.c index 5ade188..06c9010 100755 --- a/vchat-commands.c +++ b/vchat-commands.c @@ -29,7 +29,7 @@ #include "vchat-user.h" /* version of this module */ -const char *vchat_cm_version = "$Id$"; +const char *vchat_cm_version = "vchat-commands.c $Id$"; /* from vchat-client.c */ extern int ownquit; diff --git a/vchat-protocol.c b/vchat-protocol.c index 6cf9724..b077411 100755 --- a/vchat-protocol.c +++ b/vchat-protocol.c @@ -35,7 +35,7 @@ #include "vchat-ssl.h" /* version of this module */ -const char *vchat_io_version = "$Id$"; +const char *vchat_io_version = "vchat-protocol.c $Id$"; /* externally used variables */ int serverfd = -1; diff --git a/vchat-ssl.c b/vchat-ssl.c index 999d6b8..68e3699 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -32,7 +32,7 @@ #include "vchat.h" #include "vchat-ssl.h" -const char *vchat_ssl_version = "$Id$"; +const char *vchat_ssl_version = "vchat-ssl.c $Id$"; #define VC_CTX_ERR_EXIT(se, cx) do { \ snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ diff --git a/vchat-ui.c b/vchat-ui.c index d4ea668..ba162a5 100755 --- a/vchat-ui.c +++ b/vchat-ui.c @@ -36,7 +36,7 @@ #include "vchat-user.h" /* version of this module */ -const char *vchat_ui_version = "$Id$"; +const char *vchat_ui_version = "vchat-ui.c $Id$"; /* externally used variables */ /* current string in topic window */ diff --git a/vchat-user.c b/vchat-user.c index d7261d6..7280672 100755 --- a/vchat-user.c +++ b/vchat-user.c @@ -15,7 +15,7 @@ #include "vchat-user.h" /* version of this module */ -char *vchat_us_version = "$Id$"; +char *vchat_us_version = "vchat-user.c $Id$"; typedef struct { -- cgit v1.2.3 From 3297473435ad53b6691d6c772f83457a72134c48 Mon Sep 17 00:00:00 2001 From: Andreas Kotes Date: Wed, 16 Apr 2014 16:27:00 +0200 Subject: store & verify server cert fingerprint --- vchat-config.h | 1 + vchat-ssl.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++---- vchat.h | 2 +- 3 files changed, 72 insertions(+), 6 deletions(-) diff --git a/vchat-config.h b/vchat-config.h index 2628dc1..0291100 100755 --- a/vchat-config.h +++ b/vchat-config.h @@ -38,6 +38,7 @@ static volatile configoption configoptions[] = { {CF_KEYFILE, CO_STR, "keyfile", "~/.vchat/key", NULL, { NULL } }, {CF_FORMFILE, CO_STR, "formatfile", "~/.vchat/formats", NULL, { NULL } }, {CF_LOGINSCRIPT, CO_STR, "loginscript","~/.vchat/loginscript", NULL, { NULL } }, + {CF_FINGERPRINT, CO_STR, "fingerprint","~/.vchat/fingerprint", NULL, { NULL } }, {CF_ENCODING, CO_STR, "encoding", NULL, NULL, { .pstr = &encoding }}, {CF_USESSL, CO_INT, "usessl", (char *) 1, (char *)-1, { NULL } }, {CF_VERIFYSSL, CO_INT, "verifyssl", (char *) 2, (char *)-1, { NULL } }, diff --git a/vchat-ssl.c b/vchat-ssl.c index 68e3699..d240cbd 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c @@ -153,16 +153,81 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) cipher = SSL_get_current_cipher(sslp); if (cipher) { char cipher_desc[TMPSTRSIZE]; - snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); + snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); writecf(FS_SERV, tmpstr); } else { - snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); + snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR ] Cipher not known / SSL object can't be queried!"); writecf(FS_ERR, tmpstr); } /* Accept being connected, _if_ verification passed */ - if (sslp && SSL_get_verify_result(sslp) == X509_V_OK) - return 0; + if (sslp) { + long result = SSL_get_verify_result(sslp); + + /* show & verify fingerprint */ + if (result == X509_V_OK) { + X509 *peercert = SSL_get_peer_certificate(sslp); + + /* FIXME: this IS bad code */ + char new_fingerprint[TMPSTRSIZE] = ""; + char old_fingerprint[TMPSTRSIZE] = ""; + FILE *fingerprint_file = NULL; + + unsigned int fingerprint_len; + unsigned char fingerprint_bin[EVP_MAX_MD_SIZE]; + + /* show basic information about peer cert */ + snprintf(tmpstr, TMPSTRSIZE, "[SSL SUBJECT ] %s", X509_NAME_oneline(X509_get_subject_name(peercert),0,0)); + writecf(FS_SERV, tmpstr); + snprintf(tmpstr, TMPSTRSIZE, "[SSL ISSUER ] %s", X509_NAME_oneline(X509_get_issuer_name(peercert),0,0)); + writecf(FS_SERV, tmpstr); + + /* calculate fingerprint */ + if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) { + char shorttmpstr[3] = "XX"; + int j; + for (j=0; j<(int)fingerprint_len; j++) { + if (j) + strncat(new_fingerprint, ":", TMPSTRSIZE); + snprintf(shorttmpstr, 3, "%02X", fingerprint_bin[j]); + strncat(new_fingerprint, shorttmpstr, TMPSTRSIZE); + } + snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint); + writecf(FS_SERV, tmpstr); + } + + // we don't need the peercert anymore + X509_free(peercert); + + fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r"); + if (fingerprint_file) { + fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file); + fclose(fingerprint_file); + + /* verify fingerprint matches stored version */ + if (!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE)) + return 0; + else { + snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), old_fingerprint); + writecf(FS_ERR, tmpstr); + writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?"); + return 1; + } + } else { + /* FIXME: there might be other errors than missing file */ + fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "w"); + if (!fingerprint_file) { + snprintf (tmpstr, TMPSTRSIZE, "Can't write fingerprint file, %s.", strerror(errno)); + writecf(FS_ERR, tmpstr); + } else { + fputs(new_fingerprint, fingerprint_file); + fclose(fingerprint_file); + writecf(FS_SERV, "Stored fingerprint."); + return 0; + } + } + } + } } } @@ -236,7 +301,7 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store) int vc_verify_callback(int ok, X509_STORE_CTX *store) { if(!ok) { - snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s", + snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR ] %s", X509_verify_cert_error_string(store->error)); writecf(FS_ERR, tmpstr); } diff --git a/vchat.h b/vchat.h index a0797d5..16ee181 100755 --- a/vchat.h +++ b/vchat.h @@ -30,7 +30,7 @@ typedef struct servermessage servermessage; /* configuration types and variable numbers */ typedef enum { CO_NIL, CO_STR, CO_INT } conftype; typedef enum { CF_NIL, CF_NICK, CF_FROM, CF_SERVERHOST, CF_SERVERPORT, -CF_CIPHERSUITE, CF_CONFIGFILE, CF_CERTFILE, CF_KEYFILE, CF_FORMFILE, CF_LOGINSCRIPT, +CF_CIPHERSUITE, CF_CONFIGFILE, CF_CERTFILE, CF_KEYFILE, CF_FORMFILE, CF_LOGINSCRIPT, CF_FINGERPRINT, CF_USESSL, CF_VERIFYSSL, CF_USECERT, CF_PRIVHEIGHT, CF_PRIVCOLLAPS, CF_HSCROLL, CF_CHANNEL, CF_USETIME, CF_USETOPIC, CF_SCROLLBPRIV, CF_SCROLLBACK, CF_SCROLLBPRIVT, CF_SCROLLBACKT, CF_ENCODING, CF_BELLPRIV, CF_CASEFIRST, CF_AUTORECONN, CF_KEEPALIVE } confopt; -- cgit v1.2.3