From 31df56b28fdc4bc25bc42c1e41f0c33502607963 Mon Sep 17 00:00:00 2001
From: Andreas Kotes <andreas.kotes@nokia.com>
Date: Thu, 10 Apr 2014 10:39:29 +0200
Subject: rudimentary debian wheezy build fix

---
 debian/control | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index d106fd5..3ba3fcd 100755
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,7 @@ Source: vchat-client
 Section: unknown
 Priority: optional
 Maintainer: Andreas Kotes <count@flatline.de>
-Build-Depends: debhelper (>> 3.0.0), libreadline4-dev, libncurses-dev, libssl-dev, docbook-to-man
+Build-Depends: debhelper (>> 3.0.0), libreadline-dev, libncurses-dev, libssl-dev, docbook-to-man
 Standards-Version: 3.5.2
 
 Package: vchat-client
-- 
cgit v1.2.3


From 35feadf586c9492005f71ce2f03d917f7a57a4eb Mon Sep 17 00:00:00 2001
From: Andreas Kotes <andreas.kotes@nokia.com>
Date: Thu, 10 Apr 2014 10:39:49 +0200
Subject: use SHA1 instead of MD5 for cert digest

---
 vchat-keygen | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/vchat-keygen b/vchat-keygen
index fa92c60..a11a6ae 100755
--- a/vchat-keygen
+++ b/vchat-keygen
@@ -57,7 +57,7 @@ EOT
       fi
       echo "vchat-keygen: generating Certificate Signing Request $KEYBASE.csr"
 		echo "vchat-keygen: please enter your nickname at the 'Name []:' prompt"
-      openssl req -new -config $KEYBASE.ca.keyconf -key $KEYBASE.key -out $KEYBASE.csr
+      openssl req -new -sha1 -config $KEYBASE.ca.keyconf -key $KEYBASE.key -out $KEYBASE.csr
 		echo "vchat-keygen: send this ($KEYBASE.csr) Certificate Signing Request to
 		vchat@vchat.berlin.ccc.de to get it signed by the vchat-CA. You will
 		receive your signed Certificate shortly."
-- 
cgit v1.2.3


From 4e3e90f5811d68a002a80d7fe1dcfc3852498e16 Mon Sep 17 00:00:00 2001
From: Andreas Kotes <andreas.kotes@nokia.com>
Date: Thu, 10 Apr 2014 10:45:04 +0200
Subject: request 4096 instead of 2048 bit

---
 vchat-keygen | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/vchat-keygen b/vchat-keygen
index a11a6ae..91fcbba 100755
--- a/vchat-keygen
+++ b/vchat-keygen
@@ -29,7 +29,7 @@ if [ ! -e $KEYBASE.key ]; then
    echo "vchat-keygen: generating RSA key $KEYBASE.key"
    echo "vchat-keygen: please set passphrase for local security"
    umask 0077
-   openssl genrsa -des3 -out $KEYBASE.key 2048
+   openssl genrsa -des3 -out $KEYBASE.key 4096
 else
    echo "vchat-keygen: private key $KEYBASE.key exists"
 fi
@@ -40,7 +40,7 @@ fi
          echo "vchat-keygen: generating config-file for self-signing $KEYBASE.ca.keyconf"
          cat >$KEYBASE.ca.keyconf <<EOT
 [ req ]
-default_bits                    = 2048
+default_bits                    = 4096
 default_keyfile                 = user.key
 distinguished_name              = req_distinguished_name
 string_mask                     = nombstr
-- 
cgit v1.2.3


From 516ba0aea75f74ca0a6060f8d75ad717ab7dcfef Mon Sep 17 00:00:00 2001
From: Andreas Kotes <andreas.kotes@nokia.com>
Date: Thu, 10 Apr 2014 10:46:58 +0200
Subject: recommend openssl 1.0.1g++

---
 README | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README b/README
index 402826c..9ee3529 100755
--- a/README
+++ b/README
@@ -11,7 +11,7 @@ cvs -z3 -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co vchat-client
 
 no autoconf yet, sorry. required libs:
 
-openssl (0.9.6+ preferred)
+openssl (1.0.1g+ preferred)
 readline (4.2+ preferred)
 ncurses (5.2 preferred)
 
-- 
cgit v1.2.3


From 6119ae5156c3f01576d8bdefb8b861a45be372fb Mon Sep 17 00:00:00 2001
From: Andreas Kotes <andreas.kotes@nokia.com>
Date: Thu, 10 Apr 2014 11:02:55 +0200
Subject: update manual pages to point to git

---
 README            | 5 ++---
 vchat-client.sgml | 9 ++++-----
 vchat-howto       | 5 ++---
 3 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/README b/README
index 9ee3529..2a32f88 100755
--- a/README
+++ b/README
@@ -2,10 +2,9 @@ Hi!
 
 this is vchat-client, a GPLed (SSL) client for the vchat protocol.
 
-You can get the most recent version of vchat-client via CVS, e.g:
+You can get the most recent version of vchat-client via git, e.g:
 
-cvs -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot login
-cvs -z3 -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co vchat-client
+git clone git://erdgeist.org/vchat-client
 
 (press return at password prompt)
 
diff --git a/vchat-client.sgml b/vchat-client.sgml
index ee0dc36..4b4f130 100755
--- a/vchat-client.sgml
+++ b/vchat-client.sgml
@@ -262,16 +262,15 @@ TAB	nick completion
 <refsect1>
 <title>DEVEL</title>
 
-<para>You can get the most recent version of vchat-client via CVS, e.g:
+<para>You can get the most recent version of vchat-client via git, e.g:
 <screen>
-<prompt>$ </prompt><userinput>cvs -d:pserver:anonymous@pulse.flatline.de:/home/cvsroot login</userinput>
-<prompt>$ </prompt><userinput>cvs -z3 -d:pserver:anonymous@pulse.flatline.de:/home/cvsroot co vchat-client</userinput>
+<prompt>$ </prompt><userinput>git clone git://erdgeist.org/vchat-client</userinput>
 </screen>
 </para>
 
 <para>(press return at password prompt) no autoconf yet, sorry. required libs:
 <literallayout>
-   - openssl (0.9.6+ preferred)
+   - openssl (1.0.1g+ preferred)
    - readline (4.2+ preferred)
    - ncurses (5.2 preferred)
 </literallayout>
@@ -337,7 +336,7 @@ the admins has to be logged in.</para>
 <refsect1>
 
 <title>SEE ALSO</title>
-<para>gcc (1), cvs (1).</para>
+<para>gcc (1), git (1).</para>
 
 </refsect1>
 
diff --git a/vchat-howto b/vchat-howto
index 22c34b7..0ace213 100755
--- a/vchat-howto
+++ b/vchat-howto
@@ -4,13 +4,12 @@ Newbies Guide to vchat via 'Buntclient'
 1. Get the Source, Luke
 -----------------------
 
-Make sure, you got a shell and the tool called cvs.
+Make sure, you got a shell and the tool called git.
 cd to a directory the source shall reside in.
 
 Type:
 
-$ cvs -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot login
-$ cvs -z3 -d:pserver:anoncvs@cvs.erdgeist.org:/home/cvsroot co vchat-client
+$ git clone git://erdgeist.org/vchat-client
 
 (press return at password prompt)
 
-- 
cgit v1.2.3


From 2a5819c9965b6fa296f8a2ace7aaf70156ee9f90 Mon Sep 17 00:00:00 2001
From: Andreas Kotes <count@flatline.de>
Date: Tue, 15 Apr 2014 12:13:13 +0200
Subject: handle SSL I/O errors more gracefully, avoid double free

---
 vchat-protocol.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/vchat-protocol.c b/vchat-protocol.c
index b50f511..e676b28 100755
--- a/vchat-protocol.c
+++ b/vchat-protocol.c
@@ -166,8 +166,11 @@ vcconnect (char *server, char *port)
     }
 
     /* upgrade our plain BIO to ssl */
-    if( vc_connect_ssl( &server_conn, &vc_store ) )
+    if( vc_connect_ssl( &server_conn, &vc_store ) ) {
       BIO_free_all( server_conn );
+      server_conn = NULL;
+      errno = EIO;
+    }
   }
 
   if( !server_conn ) {
@@ -188,7 +191,8 @@ vcconnect (char *server, char *port)
 /* disconnect from server */
 void
 vcdisconnect () {
-  BIO_free_all( server_conn );
+  if (server_conn)
+    BIO_free_all( server_conn );
   serverfd = -1;
 }
 
-- 
cgit v1.2.3


From 41ffa33b09d9bcf0902c3ef9384011c95f72ccbe Mon Sep 17 00:00:00 2001
From: Andreas Kotes <count@flatline.de>
Date: Tue, 15 Apr 2014 12:29:30 +0200
Subject: change to use TLSv1_2 (or maybe later)

---
 vchat-ssl.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/vchat-ssl.c b/vchat-ssl.c
index 652ca09..7f0395b 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -61,7 +61,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
    X509_STORE           *store            = NULL;
    vc_x509verify_cb_t   verify_callback   = NULL;
 
-   if( !(ctx = SSL_CTX_new(SSLv3_method())) )
+   /* Explicitly use TLSv1_2 (or maybe later) */
+   if( !(ctx = SSL_CTX_new(TLSv1_2_client_method())) )
       VC_CTX_ERR_EXIT(store, ctx);
 
    if( !(store = vc_x509store_create(vc_store)) )
@@ -69,7 +70,8 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
 
    SSL_CTX_set_cert_store(ctx, store);
    store = NULL;
-   SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2);
+   /* Disable A LOT of insecure protocols explicitly */
+   SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1);
    SSL_CTX_set_cipher_list(ctx, "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH");
 
    SSL_CTX_set_verify_depth (ctx, 2);
-- 
cgit v1.2.3


From 19375e6c61bfe3bf643786b0e7318c528e4b22a0 Mon Sep 17 00:00:00 2001
From: Andreas Kotes <count@flatline.de>
Date: Tue, 15 Apr 2014 13:05:21 +0200
Subject: show cipher being used

---
 vchat-ssl.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/vchat-ssl.c b/vchat-ssl.c
index 7f0395b..2b41432 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -136,8 +136,24 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
     BIO_push( ssl_conn, *conn );
     *conn = ssl_conn;
     fflush(stdout);
-    if( BIO_do_handshake( *conn ) > 0 )
+    if( BIO_do_handshake( *conn ) > 0 ) {
+      /* Show information about cipher used */
+      const SSL *sslp = NULL;
+      const SSL_CIPHER * cipher = NULL;
+
+      /* Get cipher object */
+      BIO_get_ssl(ssl_conn, &sslp);
+        cipher = SSL_get_current_cipher(sslp);
+      if (cipher) {
+        char cipher_desc[TMPSTRSIZE];
+        snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE));
+        writecf(FS_SERV, tmpstr);
+      } else {
+        snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");
+        writecf(FS_ERR, tmpstr);
+      }
       return 0;
+    }
   }
 
   snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
-- 
cgit v1.2.3