summaryrefslogtreecommitdiff
path: root/vchat-ssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'vchat-ssl.c')
-rwxr-xr-xvchat-ssl.c36
1 files changed, 22 insertions, 14 deletions
diff --git a/vchat-ssl.c b/vchat-ssl.c
index d4a6029..999d6b8 100755
--- a/vchat-ssl.c
+++ b/vchat-ssl.c
@@ -32,7 +32,7 @@
32#include "vchat.h" 32#include "vchat.h"
33#include "vchat-ssl.h" 33#include "vchat-ssl.h"
34 34
35char *vchat_ssl_version = "$Id$"; 35const char *vchat_ssl_version = "$Id$";
36 36
37#define VC_CTX_ERR_EXIT(se, cx) do { \ 37#define VC_CTX_ERR_EXIT(se, cx) do { \
38 snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \ 38 snprintf(tmpstr, TMPSTRSIZE, "CREATE CTX: %s", \
@@ -72,12 +72,14 @@ SSL_CTX * vc_create_sslctx( vc_x509store_t *vc_store )
72 store = NULL; 72 store = NULL;
73 /* Disable some insecure protocols explicitly */ 73 /* Disable some insecure protocols explicitly */
74 SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); 74 SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
75 if( OPENSSL_VERSION_NUMBER < 0x10000000L ) 75 if (getstroption(CF_CIPHERSUITE))
76 SSL_CTX_set_cipher_list(ctx, getstroption(CF_CIPHERSUITE));
77 else if( OPENSSL_VERSION_NUMBER < 0x10000000L )
76 SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA"); 78 SSL_CTX_set_cipher_list(ctx, "DHE-RSA-AES256-SHA");
77 else 79 else
78 SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384"); 80 SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384");
79 81
80 SSL_CTX_set_verify_depth (ctx, 2); 82 SSL_CTX_set_verify_depth (ctx, getintoption(CF_VERIFYSSL));
81 83
82 if( !(verify_callback = vc_store->callback) ) 84 if( !(verify_callback = vc_store->callback) )
83 verify_callback = vc_verify_callback; 85 verify_callback = vc_verify_callback;
@@ -139,6 +141,7 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
139 BIO_push( ssl_conn, *conn ); 141 BIO_push( ssl_conn, *conn );
140 *conn = ssl_conn; 142 *conn = ssl_conn;
141 fflush(stdout); 143 fflush(stdout);
144
142 if( BIO_do_handshake( *conn ) > 0 ) { 145 if( BIO_do_handshake( *conn ) > 0 ) {
143 /* Show information about cipher used */ 146 /* Show information about cipher used */
144 const SSL *sslp = NULL; 147 const SSL *sslp = NULL;
@@ -156,11 +159,14 @@ int vc_connect_ssl( BIO **conn, vc_x509store_t *vc_store )
156 snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!"); 159 snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] Cipher not known / SSL object can't be queried!");
157 writecf(FS_ERR, tmpstr); 160 writecf(FS_ERR, tmpstr);
158 } 161 }
159 return 0; 162
163 /* Accept being connected, _if_ verification passed */
164 if (sslp && SSL_get_verify_result(sslp) == X509_V_OK)
165 return 0;
160 } 166 }
161 } 167 }
162 168
163 snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s", ERR_error_string (ERR_get_error (), NULL)); 169 snprintf(tmpstr, TMPSTRSIZE, "[SSL CONNECT ERROR] %s", ERR_error_string (ERR_get_error (), NULL));
164 writecf(FS_ERR, tmpstr); 170 writecf(FS_ERR, tmpstr);
165 171
166 return 1; 172 return 1;
@@ -230,17 +236,11 @@ X509_STORE *vc_x509store_create(vc_x509store_t *vc_store)
230int vc_verify_callback(int ok, X509_STORE_CTX *store) 236int vc_verify_callback(int ok, X509_STORE_CTX *store)
231{ 237{
232 if(!ok) { 238 if(!ok) {
233 /* XXX handle action/abort */ 239 snprintf(tmpstr, TMPSTRSIZE, "[SSL VERIFY ERROR] %s",
234 if(!(ok=getintoption(CF_IGNSSL)))
235 snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s",
236 X509_verify_cert_error_string(store->error)); 240 X509_verify_cert_error_string(store->error));
237 else
238 snprintf(tmpstr, TMPSTRSIZE, "[SSL ERROR] %s (ignored)",
239 X509_verify_cert_error_string(store->error));
240
241 writecf(FS_ERR, tmpstr); 241 writecf(FS_ERR, tmpstr);
242 } 242 }
243 return(ok); 243 return ok;
244} 244}
245 245
246void vc_x509store_setflags(vc_x509store_t *store, int flags) 246void vc_x509store_setflags(vc_x509store_t *store, int flags)
@@ -326,6 +326,14 @@ void vc_cleanup_x509store(vc_x509store_t *s)
326 free(s->use_keyfile); 326 free(s->use_keyfile);
327 free(s->use_key); 327 free(s->use_key);
328 sk_X509_free(s->certs); 328 sk_X509_free(s->certs);
329 sk_X509_free(s->crls); 329 sk_X509_CRL_free(s->crls);
330 sk_X509_free(s->use_certs); 330 sk_X509_free(s->use_certs);
331} 331}
332
333const char *vchat_ssl_version_external = "OpenSSL implementation; version unknown";
334void vchat_ssl_get_version_external()
335{
336 char tmpstr[TMPSTRSIZE];
337 snprintf(tmpstr, TMPSTRSIZE, "%s with %s", SSLeay_version(SSLEAY_VERSION), SSLeay_version(SSLEAY_CFLAGS));
338 vchat_ssl_version_external = strdup(tmpstr);
339}