diff options
| author | 2021-06-14 10:08:02 +0100 | |
|---|---|---|
| committer | 2021-06-14 10:08:02 +0100 | |
| commit | 04330da0d2e5d119f5f5ce182f4e22ae17c80d22 (patch) | |
| tree | de4c2e0dbdf77753eaeeb1c19077e24bd5449fc3 /src/modules | |
| parent | Add a link to the list of predefined config variables. (diff) | |
| download | inspircd++-04330da0d2e5d119f5f5ce182f4e22ae17c80d22.tar.gz inspircd++-04330da0d2e5d119f5f5ce182f4e22ae17c80d22.tar.bz2 inspircd++-04330da0d2e5d119f5f5ce182f4e22ae17c80d22.zip | |
Clean up VerifyCertificate in the ssl_gnutls module.
Diffstat (limited to 'src/modules')
| -rw-r--r-- | src/modules/extra/m_ssl_gnutls.cpp | 62 |
1 files changed, 23 insertions, 39 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index 1b9291079..670ff79b1 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -793,26 +793,14 @@ class GnuTLSIOHook : public SSLIOHook void VerifyCertificate() { - unsigned int certstatus; - const gnutls_datum_t* cert_list; - int ret; - unsigned int cert_list_size; - gnutls_x509_crt_t cert; - char str[512]; - unsigned char digest[512]; - size_t digest_size = sizeof(digest); - size_t name_size = sizeof(str); ssl_cert* certinfo = new ssl_cert; this->certificate = certinfo; - /* This verification function uses the trusted CAs in the credentials - * structure. So you must have installed one or more CA certificates. - */ - ret = gnutls_certificate_verify_peers2(this->sess, &certstatus); - + unsigned int certstatus; + int ret = gnutls_certificate_verify_peers2(this->sess, &certstatus); if (ret < 0) { - certinfo->error = std::string(gnutls_strerror(ret)); + certinfo->error = gnutls_strerror(ret); return; } @@ -821,16 +809,13 @@ class GnuTLSIOHook : public SSLIOHook certinfo->revoked = (certstatus & GNUTLS_CERT_REVOKED); certinfo->trusted = !(certstatus & GNUTLS_CERT_SIGNER_NOT_CA); - /* Up to here the process is the same for X.509 certificates and - * OpenPGP keys. From now on X.509 certificates are assumed. This can - * be easily extended to work with openpgp keys as well. - */ if (gnutls_certificate_type_get(this->sess) != GNUTLS_CRT_X509) { certinfo->error = "No X509 keys sent"; return; } + gnutls_x509_crt_t cert; ret = gnutls_x509_crt_init(&cert); if (ret < 0) { @@ -838,18 +823,17 @@ class GnuTLSIOHook : public SSLIOHook return; } - cert_list_size = 0; - cert_list = gnutls_certificate_get_peers(this->sess, &cert_list_size); + char buffer[512]; + size_t buffer_size = sizeof(buffer); + + unsigned int cert_list_size = 0; + const gnutls_datum_t* cert_list = gnutls_certificate_get_peers(this->sess, &cert_list_size); if (cert_list == NULL) { certinfo->error = "No certificate was found"; goto info_done_dealloc; } - /* This is not a real world example, since we only check the first - * certificate in the given chain. - */ - ret = gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER); if (ret < 0) { @@ -857,31 +841,31 @@ class GnuTLSIOHook : public SSLIOHook goto info_done_dealloc; } - if (gnutls_x509_crt_get_dn(cert, str, &name_size) == 0) + if (gnutls_x509_crt_get_dn(cert, buffer, &buffer_size) == 0) { - std::string& dn = certinfo->dn; - dn = str; - // Make sure there are no chars in the string that we consider invalid - if (dn.find_first_of("\r\n") != std::string::npos) - dn.clear(); + // Make sure there are no chars in the string that we consider invalid. + certinfo->dn = buffer; + if (certinfo->dn.find_first_of("\r\n") != std::string::npos) + certinfo->dn.clear(); } - name_size = sizeof(str); - if (gnutls_x509_crt_get_issuer_dn(cert, str, &name_size) == 0) + buffer_size = sizeof(buffer); + if (gnutls_x509_crt_get_issuer_dn(cert, buffer, &buffer_size) == 0) { - std::string& issuer = certinfo->issuer; - issuer = str; - if (issuer.find_first_of("\r\n") != std::string::npos) - issuer.clear(); + // Make sure there are no chars in the string that we consider invalid. + certinfo->issuer = buffer; + if (certinfo->issuer.find_first_of("\r\n") != std::string::npos) + certinfo->issuer.clear(); } - if ((ret = gnutls_x509_crt_get_fingerprint(cert, GetProfile().GetHash(), digest, &digest_size)) < 0) + buffer_size = sizeof(buffer); + if ((ret = gnutls_x509_crt_get_fingerprint(cert, GetProfile().GetHash(), buffer, &buffer_size)) < 0) { certinfo->error = gnutls_strerror(ret); } else { - certinfo->fingerprint = BinToHex(digest, digest_size); + certinfo->fingerprint = BinToHex(buffer, buffer_size); } /* Beware here we do not check for errors. |
