conn: add xmpp_conn_tls_cafile()

This function adds an external CAfile in PEM format as trusted
certificates.
This commit is contained in:
Dmitry Podgorny
2020-10-07 20:05:57 +03:00
parent c07ac0a68d
commit 85da4145aa
5 changed files with 47 additions and 3 deletions

View File

@@ -49,6 +49,7 @@ int main(int argc, char **argv)
xmpp_conn_t *conn;
xmpp_log_t *log;
char *jid, *pass, *host = NULL;
const char *cafile = NULL;
long flags = 0;
int tcp_keepalive = 0;
int i;
@@ -67,12 +68,15 @@ int main(int argc, char **argv)
flags |= XMPP_CONN_FLAG_LEGACY_AUTH;
else if (strcmp(argv[i], "--tcp-keepalive") == 0)
tcp_keepalive = 1;
else if (strncmp(argv[i], "--cafile=", strlen("--cafile=")) == 0)
cafile = argv[i] + strlen("--cafile=");
else
break;
}
if ((argc - i) < 2 || (argc - i) > 3) {
fprintf(stderr, "Usage: basic [options] <jid> <pass> [<host>]\n\n"
"Options:\n"
" --cafile=<PATH> CAfile for cert verification.\n"
" --disable-tls Disable TLS.\n"
" --mandatory-tls Deny plaintext connection.\n"
" --trust-tls Trust TLS certificate.\n"
@@ -111,6 +115,10 @@ int main(int argc, char **argv)
if (tcp_keepalive)
xmpp_conn_set_keepalive(conn, KA_TIMEOUT, KA_INTERVAL);
/* add external CAfile if needed */
if (cafile)
xmpp_conn_tls_cafile(conn, cafile);
/* setup authentication information */
xmpp_conn_set_jid(conn, jid);
xmpp_conn_set_pass(conn, pass);

View File

@@ -171,6 +171,7 @@ struct _xmpp_conn_t {
int ka_interval; /* TCP keepalive interval */
tls_t *tls;
char *tls_cafile;
int tls_support;
int tls_disabled;
int tls_mandatory;

View File

@@ -137,6 +137,7 @@ xmpp_conn_t *xmpp_conn_new(xmpp_ctx_t *const ctx)
conn->bound_jid = NULL;
conn->is_raw = 0;
conn->tls_cafile = NULL;
conn->tls_support = 0;
conn->tls_disabled = 0;
conn->tls_mandatory = 0;
@@ -338,6 +339,8 @@ int xmpp_conn_release(xmpp_conn_t *const conn)
xmpp_free(ctx, conn->pass);
if (conn->lang)
xmpp_free(ctx, conn->lang);
if (conn->tls_cafile)
xmpp_free(ctx, conn->tls_cafile);
xmpp_free(ctx, conn);
released = 1;
}
@@ -686,6 +689,28 @@ int xmpp_conn_tls_start(xmpp_conn_t *const conn)
return conn_tls_start(conn);
}
/** Set external CAfile which will be used for TLS cert verification.
*
* @return XMPP_EOK (0) on success a number less than 0 on failure
*
* @ingroup Connections
*/
int xmpp_conn_tls_cafile(xmpp_conn_t *const conn, const char *cafile)
{
FILE *f;
f = fopen(cafile, "r");
if (f == NULL) {
xmpp_debug(conn->ctx, "conn", "CAfile '%s' is not readable. errno=%d",
cafile, errno);
return XMPP_EINVOP;
}
fclose(f);
conn->tls_cafile = xmpp_strdup(conn->ctx, cafile);
return conn->tls_cafile == NULL ? XMPP_EMEM : XMPP_EOK;
}
/** Cleanly disconnect the connection.
* This function is only called by the stream parser when </stream:stream>
* is received, and it not intended to be called by code outside of Strophe.
@@ -915,6 +940,10 @@ int conn_tls_start(xmpp_conn_t *const conn)
}
if (conn->tls != NULL) {
if (conn->tls_cafile != NULL) {
(void)tls_set_credentials(conn->tls, conn->tls_cafile);
}
if (tls_start(conn->tls)) {
conn->secured = 1;
} else {

View File

@@ -318,9 +318,14 @@ void tls_free(tls_t *tls)
int tls_set_credentials(tls_t *tls, const char *cafilename)
{
UNUSED(tls);
UNUSED(cafilename);
return -1;
int ret;
ret = SSL_CTX_load_verify_locations(tls->ssl_ctx, cafilename, NULL);
if (ret != 1) {
xmpp_error(tls->ctx, "tls", "Failed to process CAfile: %s", cafilename);
_tls_log_error(tls->ctx);
}
return ret;
}
int tls_start(tls_t *tls)

View File

@@ -271,6 +271,7 @@ int xmpp_conn_open_stream(xmpp_conn_t *const conn,
char **attributes,
size_t attributes_len);
int xmpp_conn_tls_start(xmpp_conn_t *const conn);
int xmpp_conn_tls_cafile(xmpp_conn_t *const conn, const char *cafile);
void xmpp_disconnect(xmpp_conn_t *const conn);