Git-Mirrors/RetroShare
1
0
Fork 0
mirror of https://github.com/RetroShare/RetroShare.git synced 2025-06-07 14:12:43 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

fixed missing error checking in X509 Verify callback

Browse source 
git-svn-id: http://svn.code.sf.net/p/retroshare/code/trunk@7858 b45a01b8-16f6-495d-af2f-9b41ad6348cc
This commit is contained in:
csoler 2015-01-23 08:13:26 +00:00
parent 8600b39384
commit 2e211a6904
1 changed files with 92 additions and 82 deletions
Download patch file Download diff file Expand all files Collapse all files

46
libretroshare/src/pqi/authssl.cc
View file

@ -1102,10 +1102,20 @@ int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
err = X509_STORE_CTX_get_error(ctx); err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx); depth = X509_STORE_CTX_get_error_depth(ctx);
#ifdef AUTHSSL_DEBUG if(err_cert == NULL)
{
std::cerr << "AuthSSLimpl::VerifyX509Callback(): Cannot get certificate. Error!" << std::endl;
return false ;
}
if(err != X509_V_OK)
{
std::cerr << "AuthSSLimpl::VerifyX509Callback(): get certificate returned error code =" << err << ", error depth=" << depth << std::endl;
return false ;
}
#ifdef AUTHSSL_DEBUG
std::cerr << "AuthSSLimpl::VerifyX509Callback(preverify_ok: " << preverify_ok std::cerr << "AuthSSLimpl::VerifyX509Callback(preverify_ok: " << preverify_ok
<< " Err: " << err << " Depth: " << depth << std::endl; << " Err: " << err << " Depth: " << depth << std::endl;
#endif #endif
/* /*
* Retrieve the pointer to the SSL of the connection currently treated * Retrieve the pointer to the SSL of the connection currently treated
@ -1114,16 +1124,16 @@ int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256);
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
std::cerr << "AuthSSLimpl::VerifyX509Callback: depth: " << depth << ":" << buf << std::endl; std::cerr << "AuthSSLimpl::VerifyX509Callback: depth: " << depth << ":" << buf << std::endl;
#endif #endif
if (!preverify_ok) { if (!preverify_ok) {
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
fprintf(stderr, "Verify error:num=%d:%s:depth=%d:%s\n", err, fprintf(stderr, "Verify error:num=%d:%s:depth=%d:%s\n", err,
X509_verify_cert_error_string(err), depth, buf); X509_verify_cert_error_string(err), depth, buf);
#endif #endif
} }
/* /*
@ -1135,21 +1145,21 @@ int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
{ {
X509_NAME_oneline(X509_get_issuer_name(X509_STORE_CTX_get_current_cert(ctx)), buf, 256); X509_NAME_oneline(X509_get_issuer_name(X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
printf("issuer= %s\n", buf); printf("issuer= %s\n", buf);
#endif #endif
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
fprintf(stderr, "Doing REAL PGP Certificates\n"); fprintf(stderr, "Doing REAL PGP Certificates\n");
#endif #endif
uint32_t auth_diagnostic ; uint32_t auth_diagnostic ;
/* do the REAL Authentication */ /* do the REAL Authentication */
if (!AuthX509WithGPG(X509_STORE_CTX_get_current_cert(ctx),auth_diagnostic)) if (!AuthX509WithGPG(X509_STORE_CTX_get_current_cert(ctx),auth_diagnostic))
{ {
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
fprintf(stderr, "AuthSSLimpl::VerifyX509Callback() X509 not authenticated.\n"); fprintf(stderr, "AuthSSLimpl::VerifyX509Callback() X509 not authenticated.\n");
#endif #endif
std::cerr << "(WW) Certificate was rejected because authentication failed. Diagnostic = " << auth_diagnostic << std::endl; std::cerr << "(WW) Certificate was rejected because authentication failed. Diagnostic = " << auth_diagnostic << std::endl;
return false; return false;
} }
@ -1157,23 +1167,23 @@ int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
if (pgpid != AuthGPG::getAuthGPG()->getGPGOwnId() && !AuthGPG::getAuthGPG()->isGPGAccepted(pgpid)) if (pgpid != AuthGPG::getAuthGPG()->getGPGOwnId() && !AuthGPG::getAuthGPG()->isGPGAccepted(pgpid))
{ {
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
fprintf(stderr, "AuthSSLimpl::VerifyX509Callback() pgp key not accepted : \n"); fprintf(stderr, "AuthSSLimpl::VerifyX509Callback() pgp key not accepted : \n");
fprintf(stderr, "issuer pgpid : "); fprintf(stderr, "issuer pgpid : ");
fprintf(stderr, "%s\n",pgpid.c_str()); fprintf(stderr, "%s\n",pgpid.c_str());
fprintf(stderr, "\n AuthGPG::getAuthGPG()->getGPGOwnId() : "); fprintf(stderr, "\n AuthGPG::getAuthGPG()->getGPGOwnId() : ");
fprintf(stderr, "%s\n",AuthGPG::getAuthGPG()->getGPGOwnId().c_str()); fprintf(stderr, "%s\n",AuthGPG::getAuthGPG()->getGPGOwnId().c_str());
fprintf(stderr, "\n"); fprintf(stderr, "\n");
#endif #endif
return false; return false;
} }
preverify_ok = true; preverify_ok = true;
} else { } else {
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
fprintf(stderr, "A normal certificate is probably a security breach attempt. We sould fail it !!!\n"); fprintf(stderr, "A normal certificate is probably a security breach attempt. We sould fail it !!!\n");
#endif #endif
preverify_ok = false; preverify_ok = false;
} }
@ -1185,13 +1195,13 @@ int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
} }
#ifdef AUTHSSL_DEBUG #ifdef AUTHSSL_DEBUG
if (preverify_ok) { if (preverify_ok) {
fprintf(stderr, "AuthSSLimpl::VerifyX509Callback returned true.\n"); fprintf(stderr, "AuthSSLimpl::VerifyX509Callback returned true.\n");
} else { } else {
fprintf(stderr, "AuthSSLimpl::VerifyX509Callback returned false.\n"); fprintf(stderr, "AuthSSLimpl::VerifyX509Callback returned false.\n");
} }
#endif #endif
return preverify_ok; return preverify_ok;
} }