summaryrefslogtreecommitdiff
path: root/vchat-tls.c
diff options
context:
space:
mode:
authorDirk Engling <erdgeist@erdgeist.org>2022-05-20 03:09:24 +0200
committerDirk Engling <erdgeist@erdgeist.org>2022-05-20 03:09:24 +0200
commit8c821b3f20b99ca1f05dd28aba92c897a7c9a10e (patch)
tree87425d8427632275eccaa31cd7313870cbfb3286 /vchat-tls.c
parent133a4bbe527dc8067238e426a43fc90e44972e7d (diff)
Check for more errors and dump the cert info to the user
Diffstat (limited to 'vchat-tls.c')
-rwxr-xr-xvchat-tls.c28
1 files changed, 22 insertions, 6 deletions
diff --git a/vchat-tls.c b/vchat-tls.c
index dbfd927..ad66334 100755
--- a/vchat-tls.c
+++ b/vchat-tls.c
@@ -462,16 +462,20 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
462 mbedtls_x509_crt_init(&s->_cacert); 462 mbedtls_x509_crt_init(&s->_cacert);
463 mbedtls_x509_crt_init(&s->_cert); 463 mbedtls_x509_crt_init(&s->_cert);
464 mbedtls_pk_init(&s->_key); 464 mbedtls_pk_init(&s->_key);
465 465 mbedtls_ssl_init(ssl);
466 mbedtls_ssl_config_init(conf); 466 mbedtls_ssl_config_init(conf);
467 mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); 467
468 if (mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT)) {
469 writecf(FS_ERR, "Out of memory");
470 return -1;
471 }
472
468 /* TODO: Always verify peer */ 473 /* TODO: Always verify peer */
469 mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE); 474 mbedtls_ssl_conf_authmode(conf, getintoption(CF_IGNSSL) ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_REQUIRED);
470 mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &s->_ctr_drbg); 475 mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &s->_ctr_drbg);
471 476
472 /* mbedtls_ssl_conf_ciphersuites( */ 477 /* mbedtls_ssl_conf_ciphersuites( */
473 478
474 /* Read in all certs */
475 if (vc_store->cafile) { 479 if (vc_store->cafile) {
476 mbedtls_x509_crt_parse_file(&s->_cacert, vc_store->cafile); 480 mbedtls_x509_crt_parse_file(&s->_cacert, vc_store->cafile);
477 mbedtls_ssl_conf_ca_chain(conf, &s->_cacert, NULL); 481 mbedtls_ssl_conf_ca_chain(conf, &s->_cacert, NULL);
@@ -505,11 +509,13 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
505 fprintf(stderr, "KEYPAIR MISSMATCH\n"); 509 fprintf(stderr, "KEYPAIR MISSMATCH\n");
506 } 510 }
507#endif 511#endif
508 mbedtls_ssl_conf_own_cert(conf, &s->_cert, &s->_key); 512 if ((ret = mbedtls_ssl_conf_own_cert(conf, &s->_cert, &s->_key)) != 0) {
513 vc_tls_report_error(ret, "Setting key and cert to tls session fails, mbedtls reports: ");
514 return -1;
515 }
509 516
510 /* Config constructed, pass to ssl */ 517 /* Config constructed, pass to ssl */
511 /* Init ssl and config structs and configure ssl ctx */ 518 /* Init ssl and config structs and configure ssl ctx */
512 mbedtls_ssl_init(ssl);
513 mbedtls_ssl_setup(ssl, conf); 519 mbedtls_ssl_setup(ssl, conf);
514 /* TODO: mbedtls_ssl_set_hostname(&ssl, SERVER_NAME) */ 520 /* TODO: mbedtls_ssl_set_hostname(&ssl, SERVER_NAME) */
515 521
@@ -522,6 +528,16 @@ int vc_tls_connect( int serverfd, vc_x509store_t *vc_store )
522 } 528 }
523 } 529 }
524 530
531 snprintf(tmpstr, TMPSTRSIZE, "[SSL CIPHER ] %s", mbedtls_ssl_get_ciphersuite(ssl));
532 writecf(FS_SERV, tmpstr);
533
534 const mbedtls_x509_crt* peer_cert = mbedtls_ssl_get_peer_cert(ssl);
535 mbedtls_x509_crt_info(tmpstr, sizeof(tmpstr), "[SSL PEER INFO ] ", peer_cert);
536 char *token = strtok(tmpstr, "\n");
537 do {
538 writecf(FS_SERV, token);
539 } while ((token = strtok(NULL, "\n")));
540
525 mbedtls_ssl_get_verify_result(ssl); 541 mbedtls_ssl_get_verify_result(ssl);
526 542
527 return 0; 543 return 0;