Changeset a72dc2b

Timestamp:

2011-12-19T17:57:20Z (12 years ago)

Author:

Wilmer van der Gaast <wilmer@…>

Branches:

master

Children:

9f958f7

Parents:

25b05b7

Message:

Add verify argument to ssl_connect() so HTTPS-based stuff is also secure.
(Think of Twitter, but also MSN/Yahoo! authentication.)

Files:

• lib/http_client.c (modified) (4 diffs)
• lib/ssl_bogus.c (modified) (1 diff)
• lib/ssl_client.h (modified) (1 diff)
• lib/ssl_gnutls.c (modified) (2 diffs)
• lib/ssl_nss.c (modified) (1 diff)
• lib/ssl_openssl.c (modified) (1 diff)
• protocols/jabber/jabber.c (modified) (1 diff)
• protocols/skype/skype.c (modified) (1 diff)

lib/http_client.c

@@ -47 +47 @@
         if( ssl )
         {
-                req->ssl = ssl_connect( host, port, http_ssl_connected, req );
+                req->ssl = ssl_connect( host, port, TRUE, http_ssl_connected, req );
                 if( req->ssl == NULL )
                         error = 1;
@@ -163 +163 @@
         
 error:
-        req->status_string = g_strdup( "Error while writing HTTP request" );
+        if( req->status_string == NULL )
+                req->status_string = g_strdup( "Error while writing HTTP request" );
         
         req->func( req );
@@ -176 +177 @@
         
         if( source == NULL )
+        {
+                if( returncode != 0 )
+                {
+                        char *err = ssl_verify_strerror( returncode );
+                        req->status_string = g_strdup_printf(
+                                "Certificate verification problem 0x%x: %s",
+                                returncode, err ? err : "Unknown" );
+                        g_free( err );
+                }
                 return http_connected( data, -1, cond );
+        }
         
         req->fd = ssl_getfd( source );
@@ -440 +451 @@
                 if( new_proto == PROTO_HTTPS )
                 {
-                        req->ssl = ssl_connect( new_host, new_port, http_ssl_connected, req );
+                        req->ssl = ssl_connect( new_host, new_port, TRUE, http_ssl_connected, req );
                         if( req->ssl == NULL )
                                 error = 1;

lib/ssl_bogus.c

@@ -32 +32 @@
 }
 
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
         return( NULL );

lib/ssl_client.h

@@ -64 +64 @@
    ready to be used for SSL traffic. This is all done asynchronously, no
    blocking I/O! (Except for the DNS lookups, for now...) */
-G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data );
+G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data );
 
 /* Start an SSL session on an existing fd. Useful for STARTTLS functionality,

lib/ssl_gnutls.c

@@ -78 +78 @@
 }
 
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );
@@ -86 +86 @@
         conn->data = data;
         conn->inpa = -1;
+        conn->hostname = g_strdup( host );
+        conn->verify = verify && global.conf->cafile;
         
         if( conn->fd < 0 )

lib/ssl_nss.c

@@ -103 +103 @@
 }
 
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );

lib/ssl_openssl.c

@@ -65 +65 @@
 }
 
-void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data )
+void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data )
 {
         struct scd *conn = g_new0( struct scd, 1 );

protocols/jabber/jabber.c

@@ -236 +236 @@
         if( set_getbool( &acc->set, "ssl" ) )
         {
-                jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), jabber_connected_ssl, ic );
+                jd->ssl = ssl_connect( connect_to, set_getint( &acc->set, "port" ), FALSE, jabber_connected_ssl, ic );
                 jd->fd = jd->ssl ? ssl_getfd( jd->ssl ) : -1;
         }

protocols/skype/skype.c

@@ -1185 +1185 @@
         imcb_log(ic, "Connecting");
         sd->ssl = ssl_connect(set_getstr(&acc->set, "server"),
-                set_getint(&acc->set, "port"), skype_connected, ic);
+                set_getint(&acc->set, "port"), FALSE, skype_connected, ic);
         sd->fd = sd->ssl ? ssl_getfd(sd->ssl) : -1;
         sd->username = g_strdup(acc->user);