authorSimon Rettberg2015-10-15 17:54:41 +0200
committerSimon Rettberg2015-10-15 17:54:41 +0200
commit46a9f1c87cb36c82fc99b084cda2ae5a7bb91284 (patch)
treeee19a16d7dfbfc2766c5e1b4ceccb5758e0cb568 /server.c
parentOnly relay whitelisted fields to client on anonymous bind connections (diff)
Support certificate verification by ca-bundle and hostname
Diffstat (limited to 'server.c')
-rw-r--r--server.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/server.c b/server.c
index a3e0893..c4f8eb9 100644
--- a/server.c
+++ b/server.c
@@ -11,6 +11,7 @@
#include <unistd.h>
#include <errno.h>
#include <socket.h>
+#include <fcntl.h>
#define AD_PORT 3268
#define AD_PORT_SSL 636
@@ -83,6 +84,20 @@ void server_setBase(const char *server, const char *base)
entry->base[entry->baseLen] = '\0';
}
+void server_setCaBundle(const char *server, const char *file)
+{
+ server_t *entry = server_create(server);
+ if (entry == NULL) return;
+ int fh = open(file, O_RDONLY);
+ if (fh == -1) {
+ printf("Error: cabundle '%s' not readable.\n", file);
+ exit(1);
+ }
+ close(fh);
+ if (snprintf(entry->cabundle, MAXPATH, "%s", file) >= MAXPATH) printf("Warning: CaBundle for %s is too long.\n", server);
+ ssl_init();
+}
+
void server_setHomeTemplate(const char *server, const char *hometemplate)
{
server_t *entry = server_create(server);
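Review bot: In server_setCaBundle an over-long path only prints a warning and then keeps the truncated value in entry->cabundle, so the server is left configured with a CA bundle path that names the wrong file or none at all; an unreadable file on the lines just above is treated as fatal, and truncation should be too: `if (snprintf(entry->cabundle, MAXPATH, "%s", file) >= MAXPATH) { printf("Error: CaBundle for %s is too long.\n", server); exit(1); }`. The open()/close() probe only proves the bundle is readable at configuration time; whether it actually parses as a CA bundle is decided later when ssl_newClientCtx() loads it (the server_initServers hunk below), so that call needs its own failure check. Presumably MAXPATH is the size of entry->cabundle — worth confirming against the struct, since the snprintf bound is taken from the macro rather than sizeof the field. server_setHomeTemplate's body continues outside the hunk.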
@@ -142,7 +157,6 @@ void server_setFingerprint(const char *server, const char *fingerprint)
}
printf("%02x for %s\n", (int)entry->fingerprint[FINGERPRINTLEN-1], server);
ssl_init();
- entry->sslContext = ssl_newClientCtx();
}
BOOL server_initServers()
@@ -150,6 +164,9 @@ BOOL server_initServers()
int i;
printf("%d servers configured.\n", serverCount);
for (i = 0; i < serverCount; ++i) {
+ if (servers[i].cabundle[0] != '\0' || memcmp(servers[i].fingerprint, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 20) != 0) {
+ servers[i].sslContext = ssl_newClientCtx(servers[i].cabundle);
+ }
printf("%s:\n Bind: %s\n Base: %s\n", servers[i].addr, servers[i].bind, servers[i].base);
if (!server_ensureConnected(&servers[i]))
return FALSE;
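Review bot: The "fingerprint not configured" test in server_initServers hard-codes a 20-byte string literal and the length 20, while the rest of the file sizes the fingerprint with FINGERPRINTLEN (see the `FINGERPRINTLEN-1` index in the server_setFingerprint hunk); if the macro and the literal ever disagree the memcmp either misses part of the fingerprint or reads past it, so compare against a FINGERPRINTLEN-sized zero array instead. The return value of ssl_newClientCtx() is also stored without a check; if it can return NULL (for example when the configured CA bundle fails to load — I cannot see its implementation), the server proceeds with no TLS context although verification was explicitly requested, which presumably should abort initialisation like the other failures in this function do. The rewrite below keeps the existing behaviour for servers with neither a bundle nor a fingerprint. server_initServers continues past the end of the hunk.
```c
/* file scope, near the other server_t helpers: an all-zero fingerprint means "not configured" */
static const unsigned char zeroFingerprint[FINGERPRINTLEN] = {0};

/* … unchanged: server_initServers up to the loop … */
	for (i = 0; i < serverCount; ++i) {
		if (servers[i].cabundle[0] != '\0' || memcmp(servers[i].fingerprint, zeroFingerprint, FINGERPRINTLEN) != 0) {
			servers[i].sslContext = ssl_newClientCtx(servers[i].cabundle);
			if (servers[i].sslContext == NULL) {
				printf("Error: could not create TLS context for %s.\n", servers[i].addr);
				return FALSE;
			}
		}
		/* … unchanged: status printf and server_ensureConnected … */
```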