Hook up a certificate verify callback so that we can set user friendly

error messages, instead of libssl error strings. This gives us messages like: certificate verification failed: certificate has expired Instead of: 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed This also lets us always enable peer verification since the no verification case is now handled via the callback. Tested by tedu@ ok beck@
author: jsing <> 2016-12-26 16:20:58 +0000
committer: jsing <> 2016-12-26 16:20:58 +0000
commit: e42acf6ea18cc05e621978c53dbbb294bdb059c7 (patch)
tree: fbec04954e27c01c99531c149058fcede14efd69 /src
parent: 14b2889eb360f84951861c14bd3a80c2fd701017 (diff)
download: openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.tar.gz
openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.tar.bz2
openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.zip
2 files changed, 31 insertions, 8 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 51717a79cb..6937afe3b8 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.52 2016/11/05 14:50:05 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.53 2016/12/26 16:20:58 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -365,12 +365,37 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
        return (-1);
 }
+static int
+tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
+{
+        struct tls *ctx = arg;
+        int x509_err;
+        if (ctx->config->verify_cert == 0)
+                return (1);
+        if ((X509_verify_cert(x509_ctx)) < 0) {
+                tls_set_errorx(ctx, "X509 verify cert failed");
+                return (0);
+        }
+        x509_err = X509_STORE_CTX_get_error(x509_ctx);
+        if (x509_err == X509_V_OK)
+                return (1);
+        tls_set_errorx(ctx, "certificate verification failed: %s",
+            X509_verify_cert_error_string(x509_err));
+        return (0);
+}
 int
 tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
 {
        size_t ca_len = ctx->config->ca_len;
        char *ca_mem = ctx->config->ca_mem;
        char *ca_free = NULL;
+        int rv = -1;
        SSL_CTX_set_verify(ssl_ctx, verify, NULL);
@@ -399,14 +424,14 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
        if (ctx->config->verify_depth >= 0)
                SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
-        free(ca_free);
+        SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
-        return (0);
+        rv = 0;
 err:
        free(ca_free);
-        return (-1);
+        return (rv);
 }
 void
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 84f4e91740..18e1667eed 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.37 2016/11/02 15:18:42 beck Exp $ */
+/* $OpenBSD: tls_client.c,v 1.38 2016/12/26 16:20:58 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -195,9 +195,7 @@ tls_connect_common(struct tls *ctx, const char *servername)
                }
        }
-        if (ctx->config->verify_cert &&
+        if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
-            (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
-             SSL_VERIFY_PEER) == -1))
                goto err;
        if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) != 1) {
author	jsing <>	2016-12-26 16:20:58 +0000
committer	jsing <>	2016-12-26 16:20:58 +0000
commit	e42acf6ea18cc05e621978c53dbbb294bdb059c7 (patch)
tree	fbec04954e27c01c99531c149058fcede14efd69 /src
parent	14b2889eb360f84951861c14bd3a80c2fd701017 (diff)
download	openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.tar.gz openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.tar.bz2 openbsd-e42acf6ea18cc05e621978c53dbbb294bdb059c7.zip