From e7506fcdc92fa243a65a2f1efe9f3c5af2fac6b8 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Felix=20D=C3=B6rre?= Date: Tue, 23 Dec 2014 16:20:26 +0100 Subject: [PATCH] add: Enable (peer)-verification See associated commit in Gigi and certificate generation there for notes on the "keys" directory --- src/recordHandler.cpp | 43 +++++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/src/recordHandler.cpp b/src/recordHandler.cpp index 7c633d7..9942872 100644 --- a/src/recordHandler.cpp +++ b/src/recordHandler.cpp @@ -28,34 +28,41 @@ int gencb( int a, int b, BN_GENCB* g ) { return 1; } -int vfy( int prevfy, X509_STORE_CTX* ct ) { - ( void ) ct; - return prevfy; +static int verify_callback( int preverify_ok, X509_STORE_CTX* ctx ) { + if( !preverify_ok ) { + std::cout << "Verification failed: " << preverify_ok << " because " << X509_STORE_CTX_get_error( ctx ) << std::endl; + } + + return preverify_ok; } static std::shared_ptr dh_param; std::shared_ptr generateSSLContext( bool server ) { - std::shared_ptr ctx = std::shared_ptr( SSL_CTX_new( TLSv1_2_method() ), SSL_CTX_free ); + std::shared_ptr ctx = std::shared_ptr( + SSL_CTX_new( TLSv1_2_method() ), + []( SSL_CTX * p ) { + SSL_CTX_free( p ); + } ); if( !SSL_CTX_set_cipher_list( ctx.get(), "HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:-RSA+AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128" ) ) { throw "Cannot set cipher list. Your source is broken."; } - SSL_CTX_set_verify( ctx.get(), SSL_VERIFY_NONE, vfy ); - SSL_CTX_use_certificate_file( ctx.get(), "testdata/server.crt", SSL_FILETYPE_PEM ); - SSL_CTX_use_PrivateKey_file( ctx.get(), "testdata/server.key", SSL_FILETYPE_PEM ); - std::shared_ptr cert_names( - SSL_load_client_CA_file( "testdata/server.crt" ), - []( STACK_OF( X509_NAME ) *st ) { - sk_X509_NAME_free( st ); - } ); - - if( cert_names ) { - SSL_CTX_set_client_CA_list( ctx.get(), cert_names.get() ); - } + SSL_CTX_set_verify( ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback ); + SSL_CTX_use_certificate_file( ctx.get(), server ? "keys/signer_server.crt" : "keys/signer_client.crt", SSL_FILETYPE_PEM ); + SSL_CTX_use_PrivateKey_file( ctx.get(), server ? "keys/signer_server.key" : "keys/signer_client.key", SSL_FILETYPE_PEM ); + SSL_CTX_load_verify_locations( ctx.get(), "keys/env.crt", 0 ); if( server ) { + STACK_OF( X509_NAME ) *names = SSL_load_client_CA_file( "keys/env.crt" ); + + if( names ) { + SSL_CTX_set_client_CA_list( ctx.get(), names ); + } else { + // error + } + if( !dh_param ) { FILE* paramfile = fopen( "dh_param.pem", "r" ); @@ -233,9 +240,6 @@ DefaultRecordHandler::DefaultRecordHandler( std::shared_ptr signer, std: ctx = generateSSLContext( true ); - SSL_CTX_use_certificate_file( ctx.get(), "testdata/server.crt", SSL_FILETYPE_PEM ); - SSL_CTX_use_PrivateKey_file( ctx.get(), "testdata/server.key", SSL_FILETYPE_PEM ); - this->bio = bio; } @@ -331,7 +335,6 @@ int handlermain( int argc, const char* argv[] ) { auto res = sign->sign( cert ); std::cout << "log: " << res->log << std::endl; std::cout << "cert things: " << res->certificate << std::endl; - return 0; } -- 2.39.2