diff options
| author | erdgeist <> | 2010-07-30 21:41:50 +0000 |
|---|---|---|
| committer | erdgeist <> | 2010-07-30 21:41:50 +0000 |
| commit | 6dac4efa6181e2696ea112c3f1826f529160ceef (patch) | |
| tree | 0f081ca75b0f35d727314c78c4b0f33fdf93af25 /vchat-ssl.c | |
| parent | a4b65f17eb73100a3fd4ec1f4de7cee56aa5131b (diff) | |
Can do v6 and reconnect.
Diffstat (limited to 'vchat-ssl.c')
| -rwxr-xr-x | vchat-ssl.c | 112 |
1 files changed, 27 insertions, 85 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c index 3c191c2..1a1ff16 100755 --- a/vchat-ssl.c +++ b/vchat-ssl.c | |||
| @@ -11,7 +11,7 @@ | |||
| 11 | * without even the implied warranty of merchantability or fitness for a | 11 | * without even the implied warranty of merchantability or fitness for a |
| 12 | * particular purpose. In no event shall the copyright holder be liable for | 12 | * particular purpose. In no event shall the copyright holder be liable for |
| 13 | * any direct, indirect, incidental or special damages arising in any way out | 13 | * any direct, indirect, incidental or special damages arising in any way out |
| 14 | * of the use of this software. | 14 | * of the use of this software. |
| 15 | * | 15 | * |
| 16 | */ | 16 | */ |
| 17 | 17 | ||
| @@ -111,31 +111,19 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store ) | |||
| 111 | } else if(vc_store->use_key) | 111 | } else if(vc_store->use_key) |
| 112 | r=SSL_CTX_use_PrivateKey(ctx, vc_store->use_key); | 112 | r=SSL_CTX_use_PrivateKey(ctx, vc_store->use_key); |
| 113 | 113 | ||
| 114 | if(r!=1) | 114 | if( r!=1 || !SSL_CTX_check_private_key(ctx)) |
| 115 | VC_SETCERT_ERR_EXIT(store, ctx, "Load private key failed"); | 115 | VC_SETCERT_ERR_EXIT(store, ctx, "Load private key failed"); |
| 116 | |||
| 117 | } | 116 | } |
| 118 | 117 | ||
| 119 | SSL_CTX_set_app_data(ctx, vc_store); | 118 | SSL_CTX_set_app_data(ctx, vc_store); |
| 120 | return(ctx); | 119 | return(ctx); |
| 121 | } | 120 | } |
| 122 | 121 | ||
| 123 | #define VC_CONNSSL_ERR_EXIT(_cx, cx, cn) do { \ | 122 | int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store, SSL_CTX **ctx) |
| 124 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", \ | ||
| 125 | ERR_error_string (ERR_get_error (), NULL)); \ | ||
| 126 | writecf(FS_ERR, tmpstr); \ | ||
| 127 | if(cn) BIO_free_all(cn); \ | ||
| 128 | if(*cx) SSL_CTX_free(*cx); \ | ||
| 129 | if(_cx) *cx = 0; \ | ||
| 130 | return(0); \ | ||
| 131 | } while(0) | ||
| 132 | |||
| 133 | BIO * vc_connect_ssl(char *host, int port, vc_x509store_t *vc_store, | ||
| 134 | SSL_CTX **ctx) | ||
| 135 | { | 123 | { |
| 136 | BIO *conn = NULL; | 124 | BIO *ssl_conn = NULL; |
| 137 | int _ctx = 0; | 125 | int _ctx = 0; |
| 138 | 126 | ||
| 139 | if(*ctx) { | 127 | if(*ctx) { |
| 140 | CRYPTO_add( &((*ctx)->references), 1, CRYPTO_LOCK_SSL_CTX ); | 128 | CRYPTO_add( &((*ctx)->references), 1, CRYPTO_LOCK_SSL_CTX ); |
| 141 | if( vc_store && vc_store != SSL_CTX_get_app_data(*ctx) ) { | 129 | if( vc_store && vc_store != SSL_CTX_get_app_data(*ctx) ) { |
| @@ -147,72 +135,26 @@ BIO * vc_connect_ssl(char *host, int port, vc_x509store_t *vc_store, | |||
| 147 | _ctx = 1; | 135 | _ctx = 1; |
| 148 | } | 136 | } |
| 149 | 137 | ||
| 150 | if( !(conn = BIO_new_ssl_connect(*ctx)) ) | 138 | ssl_conn = BIO_new_ssl(*ctx, 1); |
| 151 | VC_CONNSSL_ERR_EXIT(_ctx, ctx, conn); | 139 | if(_ctx) |
| 152 | 140 | SSL_CTX_free(*ctx); | |
| 153 | BIO_set_conn_hostname(conn, host); | ||
| 154 | BIO_set_conn_int_port(conn, &port); | ||
| 155 | 141 | ||
| 156 | fflush(stdout); | 142 | if( ssl_conn ) { |
| 157 | if(BIO_do_connect(conn) <= 0) | 143 | BIO_push( ssl_conn, *conn ); |
| 158 | VC_CONNSSL_ERR_EXIT(_ctx, ctx, conn); | 144 | *conn = ssl_conn; |
| 145 | fflush(stdout); | ||
| 146 | if( BIO_do_handshake( *conn ) > 0 ) | ||
| 147 | return 0; | ||
| 148 | } | ||
| 159 | 149 | ||
| 160 | if(_ctx) | 150 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); |
| 161 | SSL_CTX_free(*ctx); | 151 | writecf(FS_ERR, tmpstr); |
| 162 | 152 | ||
| 163 | return(conn); | 153 | return 1; |
| 164 | } | ||
| 165 | |||
| 166 | #define VC_CONN_ERR_EXIT(cn) do { \ | ||
| 167 | snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", \ | ||
| 168 | ERR_error_string(ERR_get_error(), NULL)); \ | ||
| 169 | if(ERR_get_error()) \ | ||
| 170 | writecf(FS_ERR, tmpstr); \ | ||
| 171 | if(cn) BIO_free_all(cn); \ | ||
| 172 | return(NULL); \ | ||
| 173 | } while(0) | ||
| 174 | |||
| 175 | #define VC_VERIFICATION_ERR_EXIT(cn, err) do { \ | ||
| 176 | snprintf(tmpstr, TMPSTRSIZE, \ | ||
| 177 | "[SSL ERROR] certificate verify failed: %s", err); \ | ||
| 178 | writecf(FS_ERR, tmpstr); \ | ||
| 179 | if(cn && !ignore_ssl) { BIO_free_all(cn); return(NULL); } \ | ||
| 180 | } while(0) | ||
| 181 | |||
| 182 | BIO * vc_connect( char *host, int port, int use_ssl, | ||
| 183 | vc_x509store_t *vc_store, SSL_CTX **ctx) | ||
| 184 | { | ||
| 185 | BIO *conn = NULL; | ||
| 186 | SSL *ssl = NULL; | ||
| 187 | |||
| 188 | if(use_ssl) { | ||
| 189 | if( !(conn = vc_connect_ssl(host, port, vc_store, ctx)) ) | ||
| 190 | VC_CONN_ERR_EXIT(conn); | ||
| 191 | |||
| 192 | |||
| 193 | BIO_get_ssl(conn, &ssl); | ||
| 194 | if(!vc_verify_cert_hostname(SSL_get_peer_certificate(ssl), host)) | ||
| 195 | VC_VERIFICATION_ERR_EXIT(conn, "Hostname does not match!"); | ||
| 196 | |||
| 197 | return(conn); | ||
| 198 | } | ||
| 199 | |||
| 200 | *ctx = 0; | ||
| 201 | |||
| 202 | if( !(conn = BIO_new_connect(host)) ) | ||
| 203 | VC_CONN_ERR_EXIT(conn); | ||
| 204 | |||
| 205 | BIO_set_conn_int_port(conn, &port); | ||
| 206 | |||
| 207 | if(BIO_do_connect(conn) <= 0) | ||
| 208 | VC_CONN_ERR_EXIT(conn); | ||
| 209 | |||
| 210 | return(conn); | ||
| 211 | } | 154 | } |
| 212 | 155 | ||
| 213 | int vc_verify_cert_hostname(X509 *cert, char *host) | 156 | int vc_verify_cert_hostname(X509 *cert, char *host) |
| 214 | { | 157 | { |
| 215 | |||
| 216 | int i = 0; | 158 | int i = 0; |
| 217 | int j = 0; | 159 | int j = 0; |
| 218 | int n = 0; | 160 | int n = 0; |
| @@ -231,39 +173,39 @@ int vc_verify_cert_hostname(X509 *cert, char *host) | |||
| 231 | memset(&name, 0, sizeof(name)); | 173 | memset(&name, 0, sizeof(name)); |
| 232 | 174 | ||
| 233 | if((extcount = X509_get_ext_count(cert)) > 0) { | 175 | if((extcount = X509_get_ext_count(cert)) > 0) { |
| 234 | 176 | ||
| 235 | for(i=0; !ok && i < extcount; i++) { | 177 | for(i=0; !ok && i < extcount; i++) { |
| 236 | 178 | ||
| 237 | meth = NULL; | 179 | meth = NULL; |
| 238 | 180 | ||
| 239 | ext = X509_get_ext(cert, i); | 181 | ext = X509_get_ext(cert, i); |
| 240 | extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); | 182 | extstr = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ext))); |
| 241 | 183 | ||
| 242 | if(!strcasecmp(extstr, "subjectAltName")) { | 184 | if(!strcasecmp(extstr, "subjectAltName")) { |
| 243 | 185 | ||
| 244 | if( !(meth = X509V3_EXT_get(ext)) ) | 186 | if( !(meth = X509V3_EXT_get(ext)) ) |
| 245 | break; | 187 | break; |
| 246 | 188 | ||
| 247 | if( !(meth->d2i) ) | 189 | if( !(meth->d2i) ) |
| 248 | break; | 190 | break; |
| 249 | 191 | ||
| 250 | data = ext->value->data; | 192 | data = ext->value->data; |
| 251 | 193 | ||
| 252 | val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0); | 194 | val = meth->i2v(meth, meth->d2i(0, &data, ext->value->length), 0); |
| 253 | for( j=0, n=sk_CONF_VALUE_num(val); j<n; j++ ) { | 195 | for( j=0, n=sk_CONF_VALUE_num(val); j<n; j++ ) { |
| 254 | nval = sk_CONF_VALUE_value(val, j); | 196 | nval = sk_CONF_VALUE_value(val, j); |
| 255 | if( !strcasecmp(nval->name, "DNS") && | 197 | if( !strcasecmp(nval->name, "DNS") && |
| 256 | !strcasecmp(nval->value, host) ) { | 198 | !strcasecmp(nval->value, host) ) { |
| 257 | ok = 1; | 199 | ok = 1; |
| 258 | break; | 200 | break; |
| 259 | } | 201 | } |
| 260 | } | 202 | } |
| 261 | } | 203 | } |
| 262 | } | 204 | } |
| 263 | } | 205 | } |
| 264 | 206 | ||
| 265 | if( !ok && (subj = X509_get_subject_name(cert)) && | 207 | if( !ok && (subj = X509_get_subject_name(cert)) && |
| 266 | X509_NAME_get_text_by_NID(subj, NID_commonName, | 208 | X509_NAME_get_text_by_NID(subj, NID_commonName, |
| 267 | name, sizeof(name)) > 0 ) { | 209 | name, sizeof(name)) > 0 ) { |
| 268 | name[sizeof(name)-1] = '\0'; | 210 | name[sizeof(name)-1] = '\0'; |
| 269 | if(!strcasecmp(name, host)) | 211 | if(!strcasecmp(name, host)) |
| @@ -331,7 +273,7 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store) | |||
| 331 | X509_STORE_set_flags( store, | 273 | X509_STORE_set_flags( store, |
| 332 | X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL ); | 274 | X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL ); |
| 333 | } | 275 | } |
| 334 | 276 | ||
| 335 | if( !(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())) ) | 277 | if( !(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir())) ) |
| 336 | VC_STORE_ERR_EXIT(store); | 278 | VC_STORE_ERR_EXIT(store); |
| 337 | 279 | ||