118 /* As this callback doesn't get auxiliary pointer parameter we |
118 /* As this callback doesn't get auxiliary pointer parameter we |
119 * cannot really use this. However, we can retrieve results later. */ |
119 * cannot really use this. However, we can retrieve results later. */ |
120 return 1; |
120 return 1; |
121 } |
121 } |
122 |
122 |
|
123 /* side effect: fills the ssl->fingerprint buffer */ |
123 static gboolean |
124 static gboolean |
124 ssl_verify_certificate (LmSSL *ssl, const gchar *server) |
125 ssl_verify_certificate (LmSSL *ssl, const gchar *server) |
125 { |
126 { |
126 gboolean retval = TRUE; |
127 gboolean retval = TRUE; |
127 LmSSLBase *base; |
128 LmSSLBase *base; |
128 long verify_res; |
129 long verify_res; |
|
130 int rc; |
|
131 const EVP_MD *digest = EVP_md5(); |
129 unsigned int digest_len; |
132 unsigned int digest_len; |
130 X509 *srv_crt; |
133 X509 *srv_crt; |
131 gchar *cn; |
134 gchar *cn; |
132 X509_NAME *crt_subj; |
135 X509_NAME *crt_subj; |
133 |
136 |
140 SSL_get_cipher_name(ssl->ssl), |
143 SSL_get_cipher_name(ssl->ssl), |
141 SSL_get_cipher_bits(ssl->ssl, NULL)); |
144 SSL_get_cipher_bits(ssl->ssl, NULL)); |
142 |
145 |
143 verify_res = SSL_get_verify_result(ssl->ssl); |
146 verify_res = SSL_get_verify_result(ssl->ssl); |
144 srv_crt = SSL_get_peer_certificate(ssl->ssl); |
147 srv_crt = SSL_get_peer_certificate(ssl->ssl); |
145 if (base->expected_fingerprint != NULL) { |
148 rc = X509_digest(srv_crt, digest, (guchar *) base->fingerprint, |
146 X509_digest(srv_crt, EVP_md5(), (guchar *) base->fingerprint, |
149 &digest_len); |
147 &digest_len); |
150 if ((rc > 0) && (digest_len == EVP_MD_size(digest))) { |
148 if (memcmp(base->expected_fingerprint, base->fingerprint, |
151 if (base->expected_fingerprint != NULL) { |
|
152 if (memcmp(base->expected_fingerprint, base->fingerprint, |
149 digest_len) != 0) { |
153 digest_len) != 0) { |
150 if (base->func(ssl, |
154 if (base->func(ssl, |
151 LM_SSL_STATUS_CERT_FINGERPRINT_MISMATCH, |
155 LM_SSL_STATUS_CERT_FINGERPRINT_MISMATCH, |
152 base->func_data) != LM_SSL_RESPONSE_CONTINUE) { |
156 base->func_data) != LM_SSL_RESPONSE_CONTINUE) { |
153 return FALSE; |
157 return FALSE; |
|
158 } |
154 } |
159 } |
155 } |
160 } |
|
161 } else { |
|
162 if (base->func(ssl, |
|
163 LM_SSL_STATUS_GENERIC_ERROR, |
|
164 base->func_data) != LM_SSL_RESPONSE_CONTINUE) { |
|
165 return FALSE; |
|
166 } |
156 } |
167 } |
157 g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, |
168 g_log (LM_LOG_DOMAIN, LM_LOG_LEVEL_SSL, |
158 "%s: SSL_get_verify_result() = %ld\n", |
169 "%s: SSL_get_verify_result() = %ld\n", |
159 __FILE__, |
170 __FILE__, |
160 verify_res); |
171 verify_res); |