author | Joel Sing <jsing@cvs.openbsd.org> | 2016-12-26 16:20:59 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2016-12-26 16:20:59 +0000 |
commit | 54c956a9b672817a45557f58faa937dd00959253 (patch) | |
tree | e30d38baad322d808566c5a275eb15a63eafcc55 /lib | |
parent | 3736d518c3c2354ad155cb900c6fa49a11bc8ec9 (diff) |
Hook up a certificate verify callback so that we can set user friendly
error messages, instead of libssl error strings. This gives us messages
like:
certificate verification failed: certificate has expired
Instead of:
14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
This also lets us always enable peer verification, since the no-verification
case is now handled via the callback.
Tested by tedu@
ok beck@
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libtls/tls.c | 33 | ||||
-rw-r--r-- | lib/libtls/tls_client.c | 6 |
2 files changed, 31 insertions, 8 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index 51717a79cb9..6937afe3b80 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.52 2016/11/05 14:50:05 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.53 2016/12/26 16:20:58 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -365,12 +365,37 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
 	return (-1);
 }
 
+static int
+tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
+{
+	struct tls *ctx = arg;
+	int x509_err;
+
+	if (ctx->config->verify_cert == 0)
+		return (1);
+
+	if ((X509_verify_cert(x509_ctx)) < 0) {
+		tls_set_errorx(ctx, "X509 verify cert failed");
+		return (0);
+	}
+
+	x509_err = X509_STORE_CTX_get_error(x509_ctx);
+	if (x509_err == X509_V_OK)
+		return (1);
+
+	tls_set_errorx(ctx, "certificate verification failed: %s",
+	    X509_verify_cert_error_string(x509_err));
+
+	return (0);
+}
+
 int
 tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 {
 	size_t ca_len = ctx->config->ca_len;
 	char *ca_mem = ctx->config->ca_mem;
 	char *ca_free = NULL;
+	int rv = -1;
 
 	SSL_CTX_set_verify(ssl_ctx, verify, NULL);
 
@@ -399,14 +424,14 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 	if (ctx->config->verify_depth >= 0)
 		SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
 
-	free(ca_free);
+	SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
 
-	return (0);
+	rv = 0;
 
 err:
 	free(ca_free);
 
-	return (-1);
+	return (rv);
 }
 
 void
diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c
index 84f4e91740c..18e1667eed9 100644
--- a/lib/libtls/tls_client.c
+++ b/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.37 2016/11/02 15:18:42 beck Exp $ */
+/* $OpenBSD: tls_client.c,v 1.38 2016/12/26 16:20:58 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
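Review bot: tls_ssl_cert_verify_cb in the second tls.c hunk carries no comment stating its contract, which matters because it replaces libssl's built-in chain verification for every connection and its early `return (1)` when verify_cert == 0 is precisely what makes SSL_VERIFY_PEER safe to enable unconditionally. A header comment such as `/* Certificate verify callback: returns 1 to accept the peer chain, 0 to reject it. With verify_cert == 0 the chain is accepted without X509_verify_cert() being run, so no verify error is recorded in that case. */` would make the bypass explicit to the next reader. The test `if ((X509_verify_cert(x509_ctx)) < 0) {` has a redundant pair of parentheses; `if (X509_verify_cert(x509_ctx) < 0) {` matches the surrounding style. The `ctx` handed to SSL_CTX_set_cert_verify_callback in the third hunk must outlive the SSL_CTX it is registered on; that appears to hold since the SSL_CTX is owned by the same struct tls (ctx->ssl_ctx in tls_client.c), but a one-line comment at the registration would record that assumption.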
@@ -195,9 +195,7 @@ tls_connect_common(struct tls *ctx, const char *servername)
 		}
 	}
 
-	if (ctx->config->verify_cert &&
-	    (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
-	    SSL_VERIFY_PEER) == -1))
+	if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
 		goto err;
 
 	if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) {
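Review bot: tls_configure_ssl_verify is now called unconditionally in tls_connect_common, so its ca_mem/ca_free handling (outside this hunk) presumably runs even when verify_cert == 0; if that path can fail for a configuration that never needed CA material, such a connection now aborts where it previously proceeded. If that trade-off is intended, a comment above the call such as `/* Always configured: tls_ssl_cert_verify_cb honours config->verify_cert. */` would tell the reader why the verify_cert check was dropped here rather than look like an accidental loss of the fast path. tls_connect_common begins before this hunk.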