diff options
| author | Andreas Kotes <count@flatline.de> | 2014-04-16 16:27:00 +0200 |
|---|---|---|
| committer | Andreas Kotes <count@flatline.de> | 2014-04-16 16:27:00 +0200 |
| commit | 3297473435ad53b6691d6c772f83457a72134c48 (patch) | |
| tree | 9692f248fc19db010839f6c943a9c40809dcc340 /vchat-ssl.c | |
| parent | edba804a0cbd19e5c971c55661bcf83967573906 (diff) | |
store & verify server cert fingerprint
Diffstat (limited to 'vchat-ssl.c')
| -rwxr-xr-x | vchat-ssl.c | 75 |
1 files changed, 70 insertions, 5 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c index 68e3699..d240cbd 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c | |||
| @@ -153,16 +153,81 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store ) | |||
| 153 | cipher = SSL_get_current_cipher(sslp); | 153 | cipher = SSL_get_current_cipher(sslp); |
| 154 | if (cipher) { | 154 | if (cipher) { |
| 155 | char cipher_desc[TMPSTRSIZE]; | 155 | char cipher_desc[TMPSTRSIZE]; |
| 156 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); | 156 | snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", SSL_CIPHER_description(cipher, cipher_desc, TMPSTRSIZE)); |
| 157 | writecf(FS_SERV, tmpstr); | 157 | writecf(FS_SERV, tmpstr); |
| 158 | } else { | 158 | } else { |
| 159 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); | 159 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR ] Cipher not known / SSL object can't be queried!"); |
| 160 | writecf(FS_ERR, tmpstr); | 160 | writecf(FS_ERR, tmpstr); |
| 161 | } | 161 | } |
| 162 | 162 | ||
| 163 | /* Accept being connected, _if_ verification passed */ | 163 | /* Accept being connected, _if_ verification passed */ |
| 164 | if (sslp && SSL_get_verify_result(sslp) == X509_V_OK) | 164 | if (sslp) { |
| 165 | return 0; | 165 | long result = SSL_get_verify_result(sslp); |
| 166 | |||
| 167 | /* show & verify fingerprint */ | ||
| 168 | if (result == X509_V_OK) { | ||
| 169 | X509 *peercert = SSL_get_peer_certificate(sslp); | ||
| 170 | |||
| 171 | /* FIXME: this IS bad code */ | ||
| 172 | char new_fingerprint[TMPSTRSIZE] = ""; | ||
| 173 | char old_fingerprint[TMPSTRSIZE] = ""; | ||
| 174 | FILE *fingerprint_file = NULL; | ||
| 175 | |||
| 176 | unsigned int fingerprint_len; | ||
| 177 | unsigned char fingerprint_bin[EVP_MAX_MD_SIZE]; | ||
| 178 | |||
| 179 | /* show basic information about peer cert */ | ||
| 180 | snprintf(tmpstr, TMPSTRSIZE, "[SSL SUBJECT ] %s", X509_NAME_oneline(X509_get_subject_name(peercert),0,0)); | ||
| 181 | writecf(FS_SERV, tmpstr); | ||
| 182 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ISSUER ] %s", X509_NAME_oneline(X509_get_issuer_name(peercert),0,0)); | ||
| 183 | writecf(FS_SERV, tmpstr); | ||
| 184 | |||
| 185 | /* calculate fingerprint */ | ||
| 186 | if (X509_digest(peercert,EVP_sha1(),fingerprint_bin,&fingerprint_len)) { | ||
| 187 | char shorttmpstr[3] = "XX"; | ||
| 188 | int j; | ||
| 189 | for (j=0; j<(int)fingerprint_len; j++) { | ||
| 190 | if (j) | ||
| 191 | strncat(new_fingerprint, ":", TMPSTRSIZE); | ||
| 192 | snprintf(shorttmpstr, 3, "%02X", fingerprint_bin[j]); | ||
| 193 | strncat(new_fingerprint, shorttmpstr, TMPSTRSIZE); | ||
| 194 | } | ||
| 195 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from server: %s", new_fingerprint); | ||
| 196 | writecf(FS_SERV, tmpstr); | ||
| 197 | } | ||
| 198 | |||
| 199 | // we don't need the peercert anymore | ||
| 200 | X509_free(peercert); | ||
| 201 | |||
| 202 | fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "r"); | ||
| 203 | if (fingerprint_file) { | ||
| 204 | fgets(old_fingerprint, TMPSTRSIZE, fingerprint_file); | ||
| 205 | fclose(fingerprint_file); | ||
| 206 | |||
| 207 | /* verify fingerprint matches stored version */ | ||
| 208 | if (!strncmp(new_fingerprint, old_fingerprint, TMPSTRSIZE)) | ||
| 209 | return 0; | ||
| 210 | else { | ||
| 211 | snprintf(tmpstr, TMPSTRSIZE, "[SSL FINGERPRINT ] from %s: %s", getstroption(CF_FINGERPRINT), old_fingerprint); | ||
| 212 | writecf(FS_ERR, tmpstr); | ||
| 213 | writecf(FS_ERR, "[SSL CONNECT ERROR] Fingerprint mismatch! Server cert updated?"); | ||
| 214 | return 1; | ||
| 215 | } | ||
| 216 | } else { | ||
| 217 | /* FIXME: there might be other errors than missing file */ | ||
| 218 | fingerprint_file = fopen(tilde_expand(getstroption(CF_FINGERPRINT)), "w"); | ||
| 219 | if (!fingerprint_file) { | ||
| 220 | snprintf (tmpstr, TMPSTRSIZE, "Can't write fingerprint file, %s.", strerror(errno)); | ||
| 221 | writecf(FS_ERR, tmpstr); | ||
| 222 | } else { | ||
| 223 | fputs(new_fingerprint, fingerprint_file); | ||
| 224 | fclose(fingerprint_file); | ||
| 225 | writecf(FS_SERV, "Stored fingerprint."); | ||
| 226 | return 0; | ||
| 227 | } | ||
| 228 | } | ||
| 229 | } | ||
| 230 | } | ||
| 166 | } | 231 | } |
| 167 | } | 232 | } |
| 168 | 233 | ||
| @@ -236,7 +301,7 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store) | |||
| 236 | int vc_verify_callback(int ok, X509_STORE_CTX *store) | 301 | int vc_verify_callback(int ok, X509_STORE_CTX *store) |
| 237 | { | 302 | { |
| 238 | if(!ok) { | 303 | if(!ok) { |
| 239 | snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s", | 304 | snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR ] %s", |
| 240 | X509_verify_cert_error_string(store->error)); | 305 | X509_verify_cert_error_string(store->error)); |
| 241 | writecf(FS_ERR, tmpstr); | 306 | writecf(FS_ERR, tmpstr); |
| 242 | } | 307 | } |