1 files changed, 22 insertions, 14 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c
index d4a6029..999d6b8 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -32,7 +32,7 @@
 #include "vchat.h"
 #include "vchat-ssl.h"
-char *vchat_ssl_version = "$Id$";
+const char *vchat_ssl_version = "$Id$";
 #define VC_CTX_ERR_EXIT(se, cx) do { \
      snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \
@@ -72,12 +72,14 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
   store = NULL;
   /* Disable some insecure protocols explicitly */
   SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
-   if( OPENSSL_VERSION_NUMBER < 0x10000000L )
+   if (getstroption(CF_CIPHERSUITE))
+     SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE));
+   else if( OPENSSL_VERSION_NUMBER < 0x10000000L )
     SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");
   else
     SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");
-   SSL_CTX_set_verify_depth (ctx, 2);
+   SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL));
   if( !(verify_callback = vc_store->callback) )
      verify_callback = vc_verify_callback;
@@ -139,6 +141,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
    BIO_push( ssl_conn, *conn );
    *conn = ssl_conn;
    fflush(stdout);
    if( BIO_do_handshake( *conn ) > 0 ) {
      /* Show information about cipher used */
      const SSL *sslp = NULL;
@@ -156,11 +159,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
        snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");
        writecf(FS_ERR, tmpstr);
      }
-      return 0;
+      /* Accept being connected, _if_ verification passed */
+      if (sslp && SSL_get_verify_result(sslp) == X509_V_OK)
+        return 0;
    }
  }
-  snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
+  snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
  writecf(FS_ERR, tmpstr);
  return 1;
@@ -230,17 +236,11 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store)
 int vc_verify_callback(int ok, X509_STORE_CTX *store)
 {
   if(!ok) {
-      /* XXX handle action/abort */
+      snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s", 
-      if(!(ok=getintoption(CF_IGNSSL)))
-         snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", 
               X509_verify_cert_error_string(store->error));
-      else
-         snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)", 
-               X509_verify_cert_error_string(store->error));
      writecf(FS_ERR, tmpstr);
   }
-   return(ok);
+   return ok;
 }
 void vc_x509store_setflags(vc_x509store_t *store, int flags)
@@ -326,6 +326,14 @@ void vc_cleanup_x509store(vc_x509store_t *s)
   free(s->use_keyfile);
   free(s->use_key);
   sk_X509_free(s->certs);
-   sk_X509_free(s->crls);
+   sk_X509_CRL_free(s->crls);
   sk_X509_free(s->use_certs);
 }
+const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown";
+void vchat_ssl_get_version_external()
+{
+   char tmpstr[TMPSTRSIZE];
+   snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS));
+   vchat_ssl_version_external = strdup(tmpstr);
+}

diff --git a/vchat-ssl.c b/vchat-ssl.c index d4a6029..999d6b8 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c
@@ -32,7 +32,7 @@
32	#include "vchat.h"	32	#include "vchat.h"
33	#include "vchat-ssl.h"	33	#include "vchat-ssl.h"
34		34
35	char *vchat_ssl_version = "$Id$";	35	const char *vchat_ssl_version = "$Id$";
36		36
37	#define VC_CTX_ERR_EXIT(se, cx) do { \	37	#define VC_CTX_ERR_EXIT(se, cx) do { \
38	snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \	38	snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \
@@ -72,12 +72,14 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
72	store = NULL;	72	store = NULL;
73	/* Disable some insecure protocols explicitly */	73	/* Disable some insecure protocols explicitly */
74	SSL_CTX_set_options(ctx, SSL_OP_ALL \| SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3);	74	SSL_CTX_set_options(ctx, SSL_OP_ALL \| SSL_OP_NO_SSLv2 \| SSL_OP_NO_SSLv3);
75	if( OPENSSL_VERSION_NUMBER < 0x10000000L )	75	if (getstroption(CF_CIPHERSUITE))
		76	SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE));
		77	else if( OPENSSL_VERSION_NUMBER < 0x10000000L )
76	SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");	78	SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");
77	else	79	else
78	SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");	80	SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");
79		81
80	SSL_CTX_set_verify_depth (ctx, 2);	82	SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL));
81		83
82	if( !(verify_callback = vc_store->callback) )	84	if( !(verify_callback = vc_store->callback) )
83	verify_callback = vc_verify_callback;	85	verify_callback = vc_verify_callback;
@@ -139,6 +141,7 @@ int vc_connect_ssl( BIO *conn, vc_x509store_t vc_store )
139	BIO_push( ssl_conn, *conn );	141	BIO_push( ssl_conn, *conn );
140	*conn = ssl_conn;	142	*conn = ssl_conn;
141	fflush(stdout);	143	fflush(stdout);
		144
142	if( BIO_do_handshake( *conn ) > 0 ) {	145	if( BIO_do_handshake( *conn ) > 0 ) {
143	/* Show information about cipher used */	146	/* Show information about cipher used */
144	const SSL *sslp = NULL;	147	const SSL *sslp = NULL;
@@ -156,11 +159,14 @@ int vc_connect_ssl( BIO *conn, vc_x509store_t vc_store )
156	snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");	159	snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");
157	writecf(FS_ERR, tmpstr);	160	writecf(FS_ERR, tmpstr);
158	}	161	}
159	return 0;	162
		163	/* Accept being connected, _if_ verification passed */
		164	if (sslp && SSL_get_verify_result(sslp) == X509_V_OK)
		165	return 0;
160	}	166	}
161	}	167	}
162		168
163	snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL));	169	snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
164	writecf(FS_ERR, tmpstr);	170	writecf(FS_ERR, tmpstr);
165		171
166	return 1;	172	return 1;
@@ -230,17 +236,11 @@ X509_STORE vc_x509store_create(vc_x509store_t vc_store)
230	int vc_verify_callback(int ok, X509_STORE_CTX *store)	236	int vc_verify_callback(int ok, X509_STORE_CTX *store)
231	{	237	{
232	if(!ok) {	238	if(!ok) {
233	/* XXX handle action/abort */	239	snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s",
234	if(!(ok=getintoption(CF_IGNSSL)))
235	snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s",
236	X509_verify_cert_error_string(store->error));	240	X509_verify_cert_error_string(store->error));
237	else
238	snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)",
239	X509_verify_cert_error_string(store->error));
240
241	writecf(FS_ERR, tmpstr);	241	writecf(FS_ERR, tmpstr);
242	}	242	}
243	return(ok);	243	return ok;
244	}	244	}
245		245
246	void vc_x509store_setflags(vc_x509store_t *store, int flags)	246	void vc_x509store_setflags(vc_x509store_t *store, int flags)
@@ -326,6 +326,14 @@ void vc_cleanup_x509store(vc_x509store_t *s)
326	free(s->use_keyfile);	326	free(s->use_keyfile);
327	free(s->use_key);	327	free(s->use_key);
328	sk_X509_free(s->certs);	328	sk_X509_free(s->certs);
329	sk_X509_free(s->crls);	329	sk_X509_CRL_free(s->crls);
330	sk_X509_free(s->use_certs);	330	sk_X509_free(s->use_certs);
331	}	331	}
		332
		333	const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown";
		334	void vchat_ssl_get_version_external()
		335	{
		336	char tmpstr[TMPSTRSIZE];
		337	snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS));
		338	vchat_ssl_version_external = strdup(tmpstr);
		339	}