| 251 |
|
static void |
| 252 |
|
ssl_handshake(int fd, struct Client *client_p) |
| 253 |
|
{ |
| 254 |
+ |
X509 *cert = NULL; |
| 255 |
|
int ret = SSL_accept(client_p->localClient->fd.ssl); |
| 256 |
|
|
| 257 |
+ |
if ((cert = SSL_get_peer_certificate(client_p->localClient->fd.ssl))) |
| 258 |
+ |
{ |
| 259 |
+ |
int res = SSL_get_verify_result(client_p->localClient->fd.ssl); |
| 260 |
+ |
char buf[EVP_MAX_MD_SIZE * 2 + 1] = { '\0' }; |
| 261 |
+ |
unsigned char md[EVP_MAX_MD_SIZE] = { '\0' }; |
| 262 |
+ |
|
| 263 |
+ |
if (res == X509_V_OK || res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || |
| 264 |
+ |
res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE || |
| 265 |
+ |
res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) |
| 266 |
+ |
{ |
| 267 |
+ |
unsigned int i = 0, n = 0; |
| 268 |
+ |
|
| 269 |
+ |
if (X509_digest(cert, EVP_sha256(), md, &n)) |
| 270 |
+ |
{ |
| 271 |
+ |
for (; i < n; ++i) |
| 272 |
+ |
snprintf(buf + 2 * i, 3, "%02X", md[i]); |
| 273 |
+ |
client_p->certfp = xstrdup(buf); |
| 274 |
+ |
} |
| 275 |
+ |
} |
| 276 |
+ |
else |
| 277 |
+ |
ilog(LOG_TYPE_IRCD, "Client %s!%s@%s gave bad SSL client certificate: %d", |
| 278 |
+ |
client_p->name, client_p->username, client_p->host, res); |
| 279 |
+ |
X509_free(cert); |
| 280 |
+ |
} |
| 281 |
+ |
|
| 282 |
|
if (ret <= 0) |
| 283 |
+ |
{ |
| 284 |
|
switch (SSL_get_error(client_p->localClient->fd.ssl, ret)) |
| 285 |
|
{ |
| 286 |
|
case SSL_ERROR_WANT_WRITE: |
| 297 |
|
exit_client(client_p, client_p, "Error during SSL handshake"); |
| 298 |
|
return; |
| 299 |
|
} |
| 300 |
+ |
} |
| 301 |
|
|
| 302 |
|
start_auth(client_p); |
| 303 |
|
} |
| 365 |
|
return; |
| 366 |
|
} |
| 367 |
|
|
| 368 |
+ |
AddFlag(new_client, FLAGS_SSL); |
| 369 |
|
SSL_set_fd(new_client->localClient->fd.ssl, fd); |
| 370 |
|
ssl_handshake(0, new_client); |
| 371 |
|
} |
