| author | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-19 18:57:20 +0100 | 
|---|---|---|
| committer | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-19 18:57:20 +0100 | 
| commit | a72dc2bb447e754295f8efc6f44fc6572f0f8511 (patch) | |
| tree | 3cd1c6bdc1630cd571740b74b3f1e51dd976fa40 | |
| parent | 25b05b75be1acdd4c96a301839be525809f35a47 (diff) | |
Add verify argument to ssl_connect() so HTTPS-based stuff is also secure.
(Think of Twitter, but also MSN/Yahoo! authentication.)
| -rw-r--r-- | lib/http_client.c | 17 | ||||
| -rw-r--r-- | lib/ssl_bogus.c | 2 | ||||
| -rw-r--r-- | lib/ssl_client.h | 2 | ||||
| -rw-r--r-- | lib/ssl_gnutls.c | 4 | ||||
| -rw-r--r-- | lib/ssl_nss.c | 2 | ||||
| -rw-r--r-- | lib/ssl_openssl.c | 2 | ||||
| -rw-r--r-- | protocols/jabber/jabber.c | 2 | ||||
| -rw-r--r-- | protocols/skype/skype.c | 2 | 
8 files changed, 23 insertions, 10 deletions
diff --git a/lib/http_client.c b/lib/http_client.c
index 02e5ebbe..514daf80 100644
--- a/lib/http_client.c
+++ b/lib/http_client.c
@@ -46,7 +46,7 @@ struct http_request *http_dorequest( char *host, int port, int ssl, char *reques
 	if( ssl )
 	{
-		req->ssl = ssl_connect( host, port, http_ssl_connected, req );
+		req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req );
 		if( req->ssl == NULL )
 			error = 1;
 	}
@@ -162,7 +162,8 @@ static gboolean http_connected( gpointer data, int source, b_input_condition con
 	return FALSE;
 error:
-	req->status_string = g_strdup( "Error while writing HTTP request" );
+	if( req->status_string == NULL )
+		req->status_string = g_strdup( "Error while writing HTTP request" );
 	req->func( req );
 	http_free( req );
@@ -175,7 +176,17 @@ static gboolean http_ssl_connected( gpointer data, int returncode, void *source,
 	struct http_request *req = data;
 	if( source == NULL )
+	{
+		if( returncode != 0 )
+		{
+			char *err = ssl_verify_strerror( returncode );
+			req->status_string = g_strdup_printf(
+				"Certificate verification problem 0x%x: %s",
+				returncode, err ? err : "Unknown" );
+			g_free( err );
+		}
 		return http_connected( data, -1, cond );
+	}
 	req->fd = ssl_getfd( source );
@@ -439,7 +450,7 @@ got_reply:
 		if( new_proto == PROTO_HTTPS )
 		{
-			req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req );
+			req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req );
 			if( req->ssl == NULL )
 				error = 1;
 		}
diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c
index 8dba05f4..e134201d 100644
--- a/lib/ssl_bogus.c
+++ b/lib/ssl_bogus.c
@@ -31,7 +31,7 @@ void ssl_init( void )
 {
 }
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
 	return( NULL );
 }
diff --git a/lib/ssl_client.h b/lib/ssl_client.h
index 9ce878a1..d8822143 100644
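Review bot: In the new `returncode != 0` branch of http_ssl_connected, `0x%x` is paired with `returncode`, which the hunk header declares as `int`; `%x` expects an unsigned argument, so pass `(unsigned) returncode` to keep format and argument types matched. When `source == NULL` but `returncode == 0`, `status_string` stays NULL and the error label in the previous hunk reports "Error while writing HTTP request" for what is actually a failed connection, which will mislead anyone diagnosing a TLS problem; a connection-failure message for that case would help. The call also relies on `ssl_verify_strerror` returning a freshly allocated string (it is `g_free`d) — a one-line ownership comment at the call would make that explicit. http_ssl_connected continues outside the hunk.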
--- a/lib/ssl_client.h
+++ b/lib/ssl_client.h
@@ -63,7 +63,7 @@ G_MODULE_EXPORT void ssl_init( void );
 /* Connect to host:port, call the given function when the connection is
    ready to be used for SSL traffic. This is all done asynchronously, no
    blocking I/O! (Except for the DNS lookups, for now...) */
-G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data );
+G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data );
 /* Start an SSL session on an existing fd. Useful for STARTTLS functionality,
    for example in Jabber. */
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index 3ecc6eee..b4bc72d5 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -77,7 +77,7 @@ void ssl_init( void )
 	atexit( gnutls_global_deinit );
 }
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
@@ -85,6 +85,8 @@ void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
+	conn->hostname = g_strdup( host );
+	conn->verify = verify && global.conf->cafile;
 	if( conn->fd < 0 )
 	{
diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c
index 3f26960c..5b573f9b 100644
--- a/lib/ssl_nss.c
+++ b/lib/ssl_nss.c
@@ -102,7 +102,7 @@ void ssl_init( void )
 	initialized = TRUE;
 }
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c
index d43c7ab2..955c8274 100644
--- a/lib/ssl_openssl.c
+++ b/lib/ssl_openssl.c
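Review bot: The comment above `ssl_connect` in ssl_client.h is not updated for the new `verify` parameter, which is the security-relevant part of this change, so a caller reading the header cannot tell what TRUE buys them. I'd extend it with: `verify: if TRUE, the server certificate is checked and a failure is reported to func with source == NULL and a non-zero returncode (see ssl_verify_strerror); FALSE accepts any certificate.` Judging from the other hunks in this commit, only the GnuTLS backend stores the flag and even there it is conditional on a CA file being configured, so the comment should also say that enforcement is backend-dependent rather than guaranteed.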
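Review bot: `conn->verify = verify && global.conf->cafile;` silently turns a caller's request for verification into an unverified connection whenever no CA file is configured, and nothing in this hunk informs the caller or the user that this happened. Since http_client.c now passes TRUE precisely for connections that carry credentials, I'd rather fail closed when `verify` is TRUE and `global.conf->cafile` is NULL (callers already treat a NULL return as failure), or at least log once that verification was disabled for lack of a cafile; at the bare minimum put a comment on the line saying the downgrade is deliberate. The new `conn->hostname = g_strdup( host )` also needs a matching `g_free` wherever `struct scd` is released; that code is outside the hunk, so please confirm it was added. ssl_connect continues outside the hunk.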
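Review bot: In ssl_nss.c the new `verify` parameter is accepted but never stored or read — the diffstat shows only the signature line changed — and the ssl_openssl.c hunk on the next line is the same, so a caller passing TRUE gets no certificate checking at all with either backend while the header now suggests otherwise. Until those backends implement it, I'd make the gap visible: `(void) verify; /* TODO: certificate verification not implemented for this backend */` at the top of the function, and ideally a one-time log line when TRUE is requested so users know which build they are running. The body of ssl_connect continues outside the hunk.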
@@ -64,7 +64,7 @@ void ssl_init( void )
 	// SSLeay_add_ssl_algorithms();
 }
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
 	struct scd *conn = g_new0( struct scd, 1 );
diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c
index dd2f0866..372d73a9 100644
--- a/protocols/jabber/jabber.c
+++ b/protocols/jabber/jabber.c
@@ -235,7 +235,7 @@ static void jabber_login( account_t *acc )
 	   non-standard ports... */
 	if( set_getbool( &acc->set, "ssl" ) )
 	{
-		jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), jabber_connected_ssl, ic );
+		jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), FALSE, jabber_connected_ssl, ic );
 		jd->fd = jd->ssl ? ssl_getfd( jd->ssl ) : -1;
 	}
 	else
diff --git a/protocols/skype/skype.c b/protocols/skype/skype.c
index 10f355a6..760aeb3d 100644
--- a/protocols/skype/skype.c
+++ b/protocols/skype/skype.c
@@ -1184,7 +1184,7 @@ static void skype_login(account_t *acc)
 	imcb_log(ic, "Connecting");
 	sd->ssl = ssl_connect(set_getstr(&acc->set, "server"),
-		set_getint(&acc->set, "port"), skype_connected, ic);
+		set_getint(&acc->set, "port"), FALSE, skype_connected, ic);
 	sd->fd = sd->ssl ? ssl_getfd(sd->ssl) : -1;
 	sd->username = g_strdup(acc->user);
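Review bot: The bare `FALSE` in the jabber_login `ssl_connect` call does not say why Jabber connections opt out of the certificate checking that http_client.c now requests, so a later reader may take it for an oversight. I'd state the reason on the line, e.g. `/* FALSE: certificate verification not enabled for Jabber yet, see ssl_client.h */`, or better, drive it from a per-account setting so users who have configured a CA file can turn it on. The same applies to the skype.c hunk below, which passes FALSE in the same way.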
