version 1.136, 2015/09/12 08:38:33 |
version 1.137, 2015/09/12 21:01:14 |
|
|
int tls_cachanged; /* Using non-default CA file */ |
int tls_cachanged; /* Using non-default CA file */ |
int TLSopt; /* TLS options */ |
int TLSopt; /* TLS options */ |
char *tls_expectname; /* required name in peer cert */ |
char *tls_expectname; /* required name in peer cert */ |
char *tls_peerhash; /* hash of peer cert */ |
|
char *tls_expecthash; /* required hash of peer cert */ |
char *tls_expecthash; /* required hash of peer cert */ |
|
|
int timeout = -1; |
int timeout = -1; |
|
|
if (s) |
if (s) |
close(s); |
close(s); |
|
|
free(tls_peerhash); |
|
tls_config_free(tls_cfg); |
tls_config_free(tls_cfg); |
|
|
exit(ret); |
exit(ret); |
|
|
errx(1, "tls handshake failed (%s)", |
errx(1, "tls handshake failed (%s)", |
tls_error(tls_ctx)); |
tls_error(tls_ctx)); |
} while (i == TLS_WANT_POLLIN || i == TLS_WANT_POLLOUT); |
} while (i == TLS_WANT_POLLIN || i == TLS_WANT_POLLOUT); |
if (tls_peer_cert_hash(tls_ctx, &tls_peerhash) == -1) |
|
errx(1, "hash of peer certificate failed"); |
|
if (vflag) |
if (vflag) |
report_tls(tls_ctx, host, tls_expectname); |
report_tls(tls_ctx, host, tls_expectname); |
if (tls_expecthash && tls_peerhash && |
if (tls_expecthash && tls_peer_cert_hash(tls_ctx) && |
strcmp(tls_expecthash, tls_peerhash) != 0) |
strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) |
errx(1, "peer certificate is not %s", tls_expecthash); |
errx(1, "peer certificate is not %s", tls_expecthash); |
} |
} |
struct tls * |
struct tls * |
|
|
if (tls_cctx) { |
if (tls_cctx) { |
int gotcert = tls_peer_cert_provided(tls_cctx); |
int gotcert = tls_peer_cert_provided(tls_cctx); |
|
|
if (gotcert && tls_peer_cert_hash(tls_cctx, &tls_peerhash) == -1) |
|
warn("hash of peer certificate failed"); |
|
if (vflag && gotcert) |
if (vflag && gotcert) |
report_tls(tls_cctx, host, tls_expectname); |
report_tls(tls_cctx, host, tls_expectname); |
if ((TLSopt & TLS_CCERT) && !gotcert) |
if ((TLSopt & TLS_CCERT) && !gotcert) |
warnx("No client certificate provided"); |
warnx("No client certificate provided"); |
else if (gotcert && tls_peerhash && tls_expecthash && |
else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash && |
strcmp(tls_expecthash, tls_peerhash) != 0) |
strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0) |
warnx("peer certificate is not %s", tls_expecthash); |
warnx("peer certificate is not %s", tls_expecthash); |
else if (gotcert && tls_expectname && |
else if (gotcert && tls_expectname && |
(!tls_peer_cert_contains_name(tls_cctx, tls_expectname))) |
(!tls_peer_cert_contains_name(tls_cctx, tls_expectname))) |
|
|
report_tls(struct tls * tls_ctx, char * host, char *tls_expectname) |
report_tls(struct tls * tls_ctx, char * host, char *tls_expectname) |
{ |
{ |
char *subject = NULL, *issuer = NULL; |
char *subject = NULL, *issuer = NULL; |
if (tls_peer_cert_subject(tls_ctx, &subject) == -1) |
|
errx(1, "unable to get certificate subject"); |
|
if (tls_peer_cert_issuer(tls_ctx, &issuer) == -1) |
|
errx(1, "unable to get certificate issuer"); |
|
fprintf(stderr, "TLS handshake completed with %s\n", host); |
fprintf(stderr, "TLS handshake completed with %s\n", host); |
fprintf(stderr, "Peer name %s\n", |
fprintf(stderr, "Peer name %s\n", |
tls_expectname ? tls_expectname : host); |
tls_expectname ? tls_expectname : host); |
if (subject) |
if (tls_peer_cert_subject(tls_ctx)) |
fprintf(stderr, "Subject: %s\n", subject); |
fprintf(stderr, "Subject: %s\n", |
if (issuer) |
tls_peer_cert_subject(tls_ctx)); |
fprintf(stderr, "Issuer: %s\n", issuer); |
if (tls_peer_cert_issuer(tls_ctx)) |
if (tls_peerhash) |
fprintf(stderr, "Issuer: %s\n", |
fprintf(stderr, "Cert Hash: %s\n", tls_peerhash); |
tls_peer_cert_issuer(tls_ctx)); |
|
if (tls_peer_cert_hash(tls_ctx)) |
|
fprintf(stderr, "Cert Hash: %s\n", |
|
tls_peer_cert_hash(tls_ctx)); |
free(subject); |
free(subject); |
free(issuer); |
free(issuer); |
} |
} |
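Review bot: In the `if (tls_cctx)` branch the replacement hash check calls `tls_peer_cert_hash(tls_ctx)` while every other call in that branch (`tls_peer_cert_provided`, `report_tls`, `tls_peer_cert_contains_name`) passes `tls_cctx`, and the removed code compared a hash that had been taken from `tls_cctx`; this looks like the wrong context, and if `tls_ctx` carries no peer certificate the expected-hash comparison is silently skipped instead of producing the "peer certificate is not" warning. Both the condition and the `strcmp` should read `else if (gotcert && tls_peer_cert_hash(tls_cctx) && tls_expecthash &&` / `strcmp(tls_expecthash, tls_peer_cert_hash(tls_cctx)) != 0)`. Separately, in `report_tls` the `subject`/`issuer` locals are never assigned once the subject and issuer are fetched directly from `tls_peer_cert_subject`/`tls_peer_cert_issuer`, so `char *subject = NULL, *issuer = NULL;` and the two trailing `free()` calls are dead and can be dropped. The function enclosing the accept-side branch starts before and ends after this hunk.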