author | Dirk Engling <erdgeist@erdgeist.org> | 2022-05-21 00:34:50 +0200 |
committer | Dirk Engling <erdgeist@erdgeist.org> | 2022-05-21 00:34:50 +0200 |
commit | 03886bcebff8d0fb53414a36e3ddd7a1ab25b666 (patch) | |
tree | 89585aef3bf7e9a647e66518317bbae5cb5d40ee | |
parent | ee2b2043cf49560e70eb6a62fc883e5073bd2a92 (diff) |
Handle several verify results
-rwxr-xr-x | vchat-tls.c | 35 |
1 files changed, 27 insertions, 8 deletions
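diff --git a/vchat-tls.c b/vchat-tls.c
index 1156494..e43cc97 100755
--- a/vchat-tls.c
+++ b/vchat-tls.c
@@ -73,7 +73,7 @@ void vc_x509store_setcertfile(vc_x509store_t *store, char *file) {
 static int verify_or_store_fingerprint(const char *fingerprint) {
 char *fingerprint_file_path = tilde_expand(getstroption(CF_FINGERPRINT));
 if (!fingerprint_file_path) {
-writecf(FS_ERR, "[SSL FINGERPRINT ] The CF_FINGERPRINT path is not set.");
+writecf(FS_ERR, "Error: The CF_FINGERPRINT path is not set but CF_PINFINGER was requested.");
 return -1;
 }
 
@@ -90,26 +90,28 @@ static int verify_or_store_fingerprint(const char *fingerprint) {
 if (nl) *nl = 0;
 
 /* verify fingerprint matches stored version */
-if (!strcmp(fingerprint, old_fingerprint))
+if (!strcmp(fingerprint, old_fingerprint)) {
+writecf(FS_SERV, "[FINGERPRINT MATCH ]");
 goto cleanup_happy;
+}
 }
 
-snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] Found pinned fingerprint (in %s) %s but expected %s", r ? old_fingerprint : "<FILE READ ERROR>", getstroption(CF_FINGERPRINT), fingerprint);
+snprintf(tmpstr, TMPSTRSIZE, "Error: Found pinned fingerprint (in %s) %s but expected %s", r ? old_fingerprint : "<FILE READ ERROR>", getstroption(CF_FINGERPRINT), fingerprint);
 writecf(FS_ERR, tmpstr);
-writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?");
+writecf(FS_ERR, "Error: Fingerprint mismatch! Server cert updated?");
 free(fingerprint_file_path);
 return 1;
 } else
-writecf(FS_ERR, "[WARNING] No pinned Fingerprint found!");
+writecf(FS_ERR, "Warning: No pinned fingerprint found, writing the current one.");
 
 fingerprint_file = fopen(fingerprint_file_path, "w");
 if (!fingerprint_file) {
-snprintf (tmpstr, TMPSTRSIZE, "[WARNING] Can't write fingerprint file, %s.", strerror(errno));
+snprintf (tmpstr, TMPSTRSIZE, "Warning: Can't write fingerprint file, %s.", strerror(errno));
 writecf(FS_ERR, tmpstr);
 } else {
 fputs(fingerprint, fingerprint_file);
 fclose(fingerprint_file);
-writecf(FS_SERV, "Stored pinned fingerprint.");
+writecf(FS_SERV, "[FINGERPRINT STORED ]");
 }
 cleanup_happy:
 free(fingerprint_file_path);
@@ -612,7 +614,7 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
 if (getintoption(CF_PINFINGER) && verify_or_store_fingerprint(fingerprint))
 return 1;
 } else {
-writecf(FS_SERV, "Unable to load SHA-1 md");
+writecf(FS_ERR, "Warning: Unable to load SHA-1 md");
 if (getintoption(CF_PINFINGER)) {
 writecf(FS_ERR, "ERROR: Can not compute fingerprint, but pinning check is required");
 return 1;
@@ -620,6 +622,23 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
 }
 
 ret = mbedtls_ssl_get_verify_result(ssl);
+switch (ret) {
+case 0:
+writecf(FS_SERV, "[TSL HANDSHAKE OK ]");
+break;
+case -1:
+writecf(FS_ERR, "Error: TSL verify for an unknown reason");
+return -1;
+case MBEDTLS_X509_BADCERT_SKIP_VERIFY:
+case MBEDTLS_X509_BADCERT_NOT_TRUSTED:
+if (getintoption(CF_IGNSSL) || !getintoption(CF_VERIFYSSL))
+return 0;
+vc_tls_report_error(ret, "TLS verify failed, mbedtls reports: ");
+return -1;
+default:
+vc_tls_report_error(ret, "TLS verify failed, mbedtls reports: ");
+return -1;
+}
 
 return 0;
 }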
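Review bot: The `return 0` under `case MBEDTLS_X509_BADCERT_NOT_TRUSTED:` (also reached from the SKIP_VERIFY label) is the only branch of the new switch that logs nothing, so when CF_IGNSSL is set or CF_VERIFYSSL is off an untrusted peer certificate is accepted with no trace in the session output; adding `writecf(FS_ERR, "Warning: peer certificate not trusted, continuing because verification is disabled");` before that return keeps the override visible to the user. mbedtls documents the verify result as a mask of MBEDTLS_X509_BADCERT_*/MBEDTLS_X509_BADCRL_* flags, so an exact `case` label matches only a result with a single flag set, and a result combining NOT_TRUSTED with, say, an expiry flag lands in `default` and is rejected even with the override on — fail-closed, but a comment such as `/* result is a flag mask; combined failures always fall to default */` would record that this is intended. `case -1:` relies on `ret` being a signed int (the library returns `(uint32_t) -1` for "result not available"); `ret` is declared outside the hunk, as is the start of vc_tls_connect, so that could not be checked here. The existing failure paths in the same function return 1 (new lines 615 and 620) while the new cases return -1, and the new messages spell "TSL" where the report strings say "TLS".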