From 2dd5d86c44231e570a62277f92e08d1fb741841f Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Wed, 21 Oct 2015 09:58:28 +0200
Subject: Always load default verify locations too when using cert validation. Also quit when initial connect fails in SSL mode.

---
 openssl.c | 21 +++++++++++++--------
 server.c | 10 +++++++++-
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/openssl.c b/openssl.c
index a1684cd..1dd5ba9 100644
--- a/openssl.c
+++ b/openssl.c
@@ -40,7 +40,7 @@ SSL_CTX* ssl_newServerCtx(char *certfile, char *keyfile)
 	SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM);
 	SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM);
 	if (!SSL_CTX_check_private_key(ctx)) ssl_printErrors("Could not load cert/private key");
-	SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+	SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); // SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
 	return ctx;
 }
 
@@ -51,10 +51,15 @@ SSL_CTX* ssl_newClientCtx(const char *cabundle)
 	SSL_CTX *ctx = SSL_CTX_new(m);
 	if (ctx == NULL) ssl_printErrors("newClientCtx: ctx is NULL");
 	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-	SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
+	SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); // | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
 	if (cabundle != NULL && cabundle[0] != '\0') {
-		SSL_CTX_load_verify_locations(ctx, cabundle, NULL);
-		//SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
+		if (SSL_CTX_load_verify_locations(ctx, cabundle, NULL) == 0) {
+			ssl_printErrors("Loading trusted certs failed");
+			exit(1);
+		}
+		SSL_CTX_set_default_verify_paths(ctx);
+		printf("Loaded ca-bundle '%s'\n", cabundle);
+		//SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); <- do this manually after SSL_connect
 	}
 	return ctx;
 }
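Review bot: `SSL_CTX_set_default_verify_paths(ctx)` in the new cabundle branch of ssl_newClientCtx widens the trust store from the supplied bundle to every CA in the system's default locations, and its return value is ignored while the preceding `SSL_CTX_load_verify_locations` failure is fatal. If the bundle is meant to be the sole trust anchor for a private CA, the default paths undo that; if system CAs are intended, a comment saying so plus a check such as `if (SSL_CTX_set_default_verify_paths(ctx) == 0) ssl_printErrors("Loading default verify paths failed");` would make intent and failure mode explicit. The `exit(1)` ends the process for all configured servers on one unreadable bundle, which matches the commit's stated intent but deserves a comment at the call site so a later reader does not "fix" it into a soft failure. The `Loaded ca-bundle '%s'` log line could also mention that the default paths were added, since that is what the operator will need when a verification error is later attributed to the bundle.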
@@ -122,7 +127,7 @@ BOOL ssl_checkCertificateHash(epoll_server_t *server)
 	// Get server cert
 	X509 *cert = SSL_get_peer_certificate(server->ssl);
 	if (cert == NULL) {
-		printf("Warning: Server %s has no certificate!\n", server->serverData->addr);
+		printf("Error: Server %s has no certificate!\n", server->serverData->addr);
 		return FALSE;
 	}
 	// Do we have a cabundle set?
@@ -130,13 +135,13 @@ BOOL ssl_checkCertificateHash(epoll_server_t *server)
 	BOOL hostOk = spc_verify_cert_hostname(cert, server->serverData->addr);
 	X509_free(cert);
 	if (!hostOk) {
-		printf("Warning: Server certificate's host name doesn't match '%s'\n", server->serverData->addr);
+		printf("Error: Server certificate's host name doesn't match '%s'\n", server->serverData->addr);
 		return FALSE;
 	}
 	long res = SSL_get_verify_result(server->ssl);
 	if(X509_V_OK != res) {
-		printf("Warning: Server %s's certificate cannot be verified with given cabundle %s\n",
-			server->serverData->addr, server->serverData->cabundle);
+		printf("Error: Server %s's certificate cannot be verified with given cabundle %s (result: %ld)\n",
+			server->serverData->addr, server->serverData->cabundle, res);
 		return FALSE;
 	}
 	return TRUE;
diff --git a/server.c b/server.c
index c4f8eb9..3d02eb4 100644
--- a/server.c
+++ b/server.c
@@ -20,6 +20,7 @@
 #define MAX_SERVERS 10
 static server_t *servers = NULL;
 static int serverCount = 0;
+static BOOL connectionInitDone = FALSE;
 
 static void server_init();
 static server_t *server_create(const char *server);
@@ -88,6 +89,7 @@ void server_setCaBundle(const char *server, const char *file)
 {
 	server_t *entry = server_create(server);
 	if (entry == NULL) return;
+	if (file == NULL || *file == '\0') return;
 	int fh = open(file, O_RDONLY);
 	if (fh == -1) {
 		printf("Error: cabundle '%s' not readable.\n", file);
@@ -171,6 +173,7 @@ BOOL server_initServers()
 		if (!server_ensureConnected(&servers[i])) return FALSE;
 	}
+	connectionInitDone = TRUE;
 	return TRUE;
 }
 
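Review bot: The new error text in ssl_checkCertificateHash still attributes the failure to the "given cabundle", but after this commit ssl_newClientCtx also trusts the default verify paths, so the message understates what was tried, and the bare `(result: %ld)` is opaque to an operator. `X509_verify_cert_error_string(res)` supplies the textual reason: `printf("Error: Server %s's certificate cannot be verified (%s, result %ld)\n", server->serverData->addr, X509_verify_cert_error_string(res), res);`. Whether `server->serverData->cabundle` can be NULL at this point (a `%s` given a null pointer is undefined behaviour) depends on the check under the "Do we have a cabundle set?" comment, which lies between the two openssl.c hunks and is not visible here. ssl_checkCertificateHash begins before the first hunk, and its early part is outside this view.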
@@ -496,7 +499,9 @@ static BOOL server_ensureConnected(server_t *server)
 		printf("[Server] Creating socket for shared connection failed.\n");
 		return FALSE;
 	}
-	helper_nonblock(sock);
+	if (connectionInitDone) {
+		helper_nonblock(sock);
+	}
 	con->fd = sock;
 	con->callback = &server_callback;
 	if (ePoll_add(EPOLLIN | EPOLLOUT | EPOLLET, (epoll_item_t*)con) == -1) {
@@ -512,6 +517,9 @@ static BOOL server_ensureConnected(server_t *server)
 		con->fd = -1;
 		return FALSE;
 	}
+	if (!connectionInitDone) {
+		helper_nonblock(sock);
+	}
 	// Now bind - TODO: SASL (DIGEST-MD5?)
 	const size_t bodyLen = fmt_ldapbindrequest(NULL, 3, server->bind, server->password);
 	const size_t headerLen = fmt_ldapmessage(NULL, MSGID_BIND, BindRequest, bodyLen);
-- 
cgit v1.2.3-55-g7522
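Review bot: While `connectionInitDone` is still FALSE the socket stays blocking until the second gated `helper_nonblock(sock)` after the connect, so a server whose packets are silently dropped stalls startup for the kernel's full connect timeout instead of failing fast the way a refused connection does; the connect itself presumably sits between the two hunks and is not visible here. That trade-off is deliberate per the commit message but is not recorded in the code; a comment on the first gated block such as `// Stay blocking during startup so a connect failure is reported synchronously; no application-level timeout applies` would keep a later reader from removing the gating. Because the flag is a process-wide static read on every call, a reconnect attempted before server_initServers completes would also block, which may or may not be reachable from callers outside this hunk. The remainder of server_ensureConnected, including its start and end, lies outside both hunks.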