1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-10 05:43:12 +02:00

Make new functions more generic and use it from crash reporter so

people with older OpenSSL libraries (and LibreSSL) benefit from
the hostname validation code there as well.
This commit is contained in:
Bram Matthys
2017-09-01 17:28:49 +02:00
parent aa829bce12
commit 199a7e162d
4 changed files with 29 additions and 15 deletions
+2 -2
View File
@@ -791,5 +791,5 @@ extern SSLOptions *FindSSLOptionsForUser(aClient *acptr);
extern int IsWebsocket(aClient *acptr);
extern PlaintextPolicy plaintextpolicy_strtoval(char *s);
extern char *plaintextpolicy_valtostr(PlaintextPolicy policy);
extern int verify_certificate(aClient *acptr, char *hostname, char **errstr);
extern char *certificate_name(aClient *acptr);
extern int verify_certificate(SSL *ssl, char *hostname, char **errstr);
extern char *certificate_name(SSL *ssl);
+17 -1
View File
@@ -489,8 +489,10 @@ int crashreport_send(char *fname)
int n;
FILE *fd;
SSL_CTX *ctx_client;
SSL *ssl = NULL;
BIO *socket = NULL;
int xfr = 0;
char *errstr;
filesize = getfilesize(fname);
if (filesize < 0)
@@ -534,7 +536,21 @@ int crashreport_send(char *fname)
printf("ERROR: Could not connect to %s (SSL handshake failed)\n", CRASH_REPORT_HOST);
return 0;
}
BIO_get_ssl(socket, &ssl);
if (!ssl)
{
printf("ERROR: Could not get SSL connection from BIO\n");
return 0;
}
if (!verify_certificate(ssl, REPORT_HOST, &errstr))
{
printf("Certificate problem with crash.unrealircd.org: %s\n", errstr);
printf("Fatal error. See above.\n");
return 0;
}
snprintf(buf, sizeof(buf), "POST /crash.php HTTP/1.1\r\n"
"User-Agent: UnrealIRCd %s\r\n"
"Host: %s\r\n"
+1 -2
View File
@@ -335,7 +335,6 @@ skip_host_check:
if (!IsSSL(cptr))
{
/* Rare, but better we handle it here or the (other) error will be confusing */
sendto_one(cptr,
"ERROR :Link '%s' denied (Not using SSL/TLS) %s",
servername, inpath);
@@ -344,7 +343,7 @@ skip_host_check:
return exit_client(cptr, sptr, &me,
"Link denied (Not using SSL/TLS)");
}
if (!verify_certificate(cptr, link->servername, &errstr))
if (!verify_certificate(cptr->local->ssl, link->servername, &errstr))
{
sendto_one(cptr,
"ERROR :Link '%s' denied (Certificate verification failed) %s",
+9 -10
View File
@@ -869,9 +869,8 @@ SSLOptions *FindSSLOptionsForUser(aClient *acptr)
return sslopt;
}
/** Verify certificate of client 'acptr' and make sure the certificate
* is valid for 'hostname'. */
int verify_certificate(aClient *acptr, char *hostname, char **errstr)
/** Verify certificate and make sure the certificate is valid for 'hostname'. */
int verify_certificate(SSL *ssl, char *hostname, char **errstr)
{
static char buf[512];
X509 *cert;
@@ -882,7 +881,7 @@ int verify_certificate(aClient *acptr, char *hostname, char **errstr)
if (*errstr)
*errstr = NULL; /* default */
if (!IsSecure(acptr))
if (!ssl)
{
strlcpy(buf, "Not using SSL/TLS", sizeof(buf));
if (errstr)
@@ -890,7 +889,7 @@ int verify_certificate(aClient *acptr, char *hostname, char **errstr)
return 0; /* Cannot verify a non-SSL connection */
}
if (SSL_get_verify_result(acptr->local->ssl) != X509_V_OK)
if (SSL_get_verify_result(ssl) != X509_V_OK)
{
strlcpy(buf, "Certificate is not issued by a trusted Certificate Authority", sizeof(buf));
if (errstr)
@@ -899,7 +898,7 @@ int verify_certificate(aClient *acptr, char *hostname, char **errstr)
}
/* Now verify if the name of the certificate matches hostname */
cert = SSL_get_peer_certificate(acptr->local->ssl);
cert = SSL_get_peer_certificate(ssl);
if (!cert)
{
@@ -927,22 +926,22 @@ int verify_certificate(aClient *acptr, char *hostname, char **errstr)
/* Certificate is verified but is issued for a different hostname */
snprintf(buf, sizeof(buf), "Certificate '%s' is not valid for hostname '%s'",
certificate_name(acptr), hostname);
certificate_name(ssl), hostname);
*errstr = buf;
return 0;
}
/** Grab the certificate name */
char *certificate_name(aClient *acptr)
char *certificate_name(SSL *ssl)
{
static char buf[384];
X509 *cert;
X509_NAME *n;
if (!IsSecure(acptr))
if (!ssl)
return NULL;
cert = SSL_get_peer_certificate(acptr->local->ssl);
cert = SSL_get_peer_certificate(ssl);
if (!cert)
return NULL;