| author | Dirk Engling <erdgeist@erdgeist.org> | 2016-04-15 13:31:42 +0200 |
|---|---|---|
| committer | Dirk Engling <erdgeist@erdgeist.org> | 2016-04-15 13:31:42 +0200 |
| commit | 035058400069cd8f3c10213c1c4049746ac9133c (patch) | |
| tree | 13e72f63a1f98dba2ca041f2fee405fae6dcdf48 /vchat-ssl.c | |
| parent | 2d0c1c42afd1e50864312890c9e3909294bf21ed (diff) | |
Fix fingerprint verification code
Diffstat (limited to 'vchat-ssl.c')
| -rwxr-xr-x | vchat-ssl.c | 21 |
1 files changed, 10 insertions, 11 deletions
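--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -201,8 +201,8 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
 X509 *peercert = SSL_get_peer_certificate(sslp);
 
 /* FIXME: this IS bad code */
-char new_fingerprint[TMPSTRSIZE] = "";
-char old_fingerprint[TMPSTRSIZE] = "";
+char new_fingerprint[TMPSTRSIZE];
+char old_fingerprint[TMPSTRSIZE];
 FILE *fingerprint_file = NULL;
 
 unsigned int fingerprint_len;
@@ -216,14 +216,13 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
 
 /* calculate fingerprint */
 if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) {
-char shorttmpstr[3] = "XX";
 int j;
+assert ( ( fingerprint_len > 1 ) && (fingerprint_len * 3 < TMPSTRSIZE ));
+char * nf = new_fingerprint;
 for (j=0; j<(int)fingerprint_len; j++) {
-if (j)
-strncat(new_fingerprint, ":", TMPSTRSIZE);
-snprintf(shorttmpstr, 3, "%02X", fingerprint_bin[j]);
-strncat(new_fingerprint, shorttmpstr, TMPSTRSIZE);
-}
+nf += snprintf(nf, 3, "%02X:", fingerprint_bin[j]);
+assert ( nf > new_fingerprint );
+nf[-1] = 0;
 snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint);
 writecf(FS_SERV, tmpstr);
 }
@@ -233,14 +232,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
 
 fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r");
 if (fingerprint_file) {
-fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file);
+int r = fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file);
 fclose(fingerprint_file);
 
 /* verify fingerprint matches stored version */
-if (!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE))
+if ( r &&!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE))
 return 0;
 else {
-snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), old_fingerprint);
+snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), r ? old_fingerprint : "<FILE READ ERROR>" );
 writecf(FS_ERR, tmpstr);
 writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?");
 return 1;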
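Review bot: In the second hunk `snprintf(nf, 3, "%02X:", fingerprint_bin[j])` has room for only two hex digits and the terminator, yet returns 3, so each byte is followed by a NUL where the colon should be and `new_fingerprint` reads as a C string holding just the first digest byte. The `strncmp` in the third hunk therefore checks at most 8 bits of the SHA-1 digest against the stored value (or never matches a full stored fingerprint; the code that writes that file is not visible here). Giving the call room for the separator, `nf += snprintf(nf, 4, "%02X:", fingerprint_bin[j]);`, fixes this and stays inside the bound the first `assert` states, though that bound disappears under `NDEBUG` and would be safer as an ordinary `if`. In the third hunk `int r = fgets(...)` stores a `char *` in an `int`; `char *r = fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file);` keeps the later `r &&` and `r ?` tests valid. The loop's closing `}` is removed while `for (...) {` stays, and vc_connect_ssl starts and ends outside these hunks, so the brace balance of the new code should be checked.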
