summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDirk Engling <erdgeist@erdgeist.org>2016-04-15 13:31:42 +0200
committerDirk Engling <erdgeist@erdgeist.org>2016-04-15 13:31:42 +0200
commit035058400069cd8f3c10213c1c4049746ac9133c (patch)
tree13e72f63a1f98dba2ca041f2fee405fae6dcdf48
parent2d0c1c42afd1e50864312890c9e3909294bf21ed (diff)
Fix fingerprint verification code
-rwxr-xr-xvchat-ssl.c21
1 files changed, 10 insertions, 11 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c
index 2a1c28a..6699243 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -201,8 +201,8 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
201 X509 *peercert = SSL_get_peer_certificate(sslp); 201 X509 *peercert = SSL_get_peer_certificate(sslp);
202 202
203 /* FIXME: this IS bad code */ 203 /* FIXME: this IS bad code */
204 char new_fingerprint[TMPSTRSIZE] = ""; 204 char new_fingerprint[TMPSTRSIZE];
205 char old_fingerprint[TMPSTRSIZE] = ""; 205 char old_fingerprint[TMPSTRSIZE];
206 FILE *fingerprint_file = NULL; 206 FILE *fingerprint_file = NULL;
207 207
208 unsigned int fingerprint_len; 208 unsigned int fingerprint_len;
@@ -216,14 +216,13 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
216 216
217 /* calculate fingerprint */ 217 /* calculate fingerprint */
218 if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) { 218 if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) {
219 char shorttmpstr[3] = "XX";
220 int j; 219 int j;
220 assert ( ( fingerprint_len > 1 ) && (fingerprint_len * 3 < TMPSTRSIZE ));
221 char * nf = new_fingerprint;
221 for (j=0; j<(int)fingerprint_len; j++) { 222 for (j=0; j<(int)fingerprint_len; j++) {
222 if (j) 223 nf += snprintf(nf, 3, "%02X:", fingerprint_bin[j]);
223 strncat(new_fingerprint, ":", TMPSTRSIZE); 224 assert ( nf > new_fingerprint );
224 snprintf(shorttmpstr, 3, "%02X", fingerprint_bin[j]); 225 nf[-1] = 0;
225 strncat(new_fingerprint, shorttmpstr, TMPSTRSIZE);
226 }
227 snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint); 226 snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint);
228 writecf(FS_SERV, tmpstr); 227 writecf(FS_SERV, tmpstr);
229 } 228 }
@@ -233,14 +232,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
233 232
234 fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r"); 233 fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r");
235 if (fingerprint_file) { 234 if (fingerprint_file) {
236 fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file); 235 int r = fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file);
237 fclose(fingerprint_file); 236 fclose(fingerprint_file);
238 237
239 /* verify fingerprint matches stored version */ 238 /* verify fingerprint matches stored version */
240 if (!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE)) 239 if ( r &&!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE))
241 return 0; 240 return 0;
242 else { 241 else {
243 snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), old_fingerprint); 242 snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), r ? old_fingerprint : "<FILE READ ERROR>" );
244 writecf(FS_ERR, tmpstr); 243 writecf(FS_ERR, tmpstr);
245 writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?"); 244 writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?");
246 return 1; 245 return 1;