diff --git a/examples/basic.c b/examples/basic.c index fb9299d..e610d0b 100644 --- a/examples/basic.c +++ b/examples/basic.c @@ -49,6 +49,7 @@ int main(int argc, char **argv) xmpp_conn_t *conn; xmpp_log_t *log; char *jid, *pass, *host = NULL; + const char *cafile = NULL; long flags = 0; int tcp_keepalive = 0; int i; @@ -67,12 +68,15 @@ int main(int argc, char **argv) flags |= XMPP_CONN_FLAG_LEGACY_AUTH; else if (strcmp(argv[i], "--tcp-keepalive") == 0) tcp_keepalive = 1; + else if (strncmp(argv[i], "--cafile=", strlen("--cafile=")) == 0) + cafile = argv[i] + strlen("--cafile="); else break; } if ((argc - i) < 2 || (argc - i) > 3) { fprintf(stderr, "Usage: basic [options] []\n\n" "Options:\n" + " --cafile= CAfile for cert verification.\n" " --disable-tls Disable TLS.\n" " --mandatory-tls Deny plaintext connection.\n" " --trust-tls Trust TLS certificate.\n" @@ -111,6 +115,10 @@ int main(int argc, char **argv) if (tcp_keepalive) xmpp_conn_set_keepalive(conn, KA_TIMEOUT, KA_INTERVAL); + /* add external CAfile if needed */ + if (cafile) + xmpp_conn_tls_cafile(conn, cafile); + /* setup authentication information */ xmpp_conn_set_jid(conn, jid); xmpp_conn_set_pass(conn, pass); diff --git a/src/common.h b/src/common.h index ddc30fd..7ad9161 100644 --- a/src/common.h +++ b/src/common.h @@ -171,6 +171,7 @@ struct _xmpp_conn_t { int ka_interval; /* TCP keepalive interval */ tls_t *tls; + char *tls_cafile; int tls_support; int tls_disabled; int tls_mandatory; diff --git a/src/conn.c b/src/conn.c index e6b4411..f8579b7 100644 --- a/src/conn.c +++ b/src/conn.c @@ -137,6 +137,7 @@ xmpp_conn_t *xmpp_conn_new(xmpp_ctx_t *const ctx) conn->bound_jid = NULL; conn->is_raw = 0; + conn->tls_cafile = NULL; conn->tls_support = 0; conn->tls_disabled = 0; conn->tls_mandatory = 0; @@ -338,6 +339,8 @@ int xmpp_conn_release(xmpp_conn_t *const conn) xmpp_free(ctx, conn->pass); if (conn->lang) xmpp_free(ctx, conn->lang); + if (conn->tls_cafile) + xmpp_free(ctx, conn->tls_cafile); xmpp_free(ctx, conn); released = 1; } @@ -686,6 +689,28 @@ int xmpp_conn_tls_start(xmpp_conn_t *const conn) return conn_tls_start(conn); } +/** Set external CAfile which will be used for TLS cert verification. + * + * @return XMPP_EOK (0) on success a number less than 0 on failure + * + * @ingroup Connections + */ +int xmpp_conn_tls_cafile(xmpp_conn_t *const conn, const char *cafile) +{ + FILE *f; + + f = fopen(cafile, "r"); + if (f == NULL) { + xmpp_debug(conn->ctx, "conn", "CAfile '%s' is not readable. errno=%d", + cafile, errno); + return XMPP_EINVOP; + } + fclose(f); + conn->tls_cafile = xmpp_strdup(conn->ctx, cafile); + + return conn->tls_cafile == NULL ? XMPP_EMEM : XMPP_EOK; +} + /** Cleanly disconnect the connection. * This function is only called by the stream parser when * is received, and it not intended to be called by code outside of Strophe. @@ -915,6 +940,10 @@ int conn_tls_start(xmpp_conn_t *const conn) } if (conn->tls != NULL) { + if (conn->tls_cafile != NULL) { + (void)tls_set_credentials(conn->tls, conn->tls_cafile); + } + if (tls_start(conn->tls)) { conn->secured = 1; } else { diff --git a/src/tls_openssl.c b/src/tls_openssl.c index e517a2b..912070d 100644 --- a/src/tls_openssl.c +++ b/src/tls_openssl.c @@ -318,9 +318,14 @@ void tls_free(tls_t *tls) int tls_set_credentials(tls_t *tls, const char *cafilename) { - UNUSED(tls); - UNUSED(cafilename); - return -1; + int ret; + + ret = SSL_CTX_load_verify_locations(tls->ssl_ctx, cafilename, NULL); + if (ret != 1) { + xmpp_error(tls->ctx, "tls", "Failed to process CAfile: %s", cafilename); + _tls_log_error(tls->ctx); + } + return ret; } int tls_start(tls_t *tls) diff --git a/strophe.h b/strophe.h index daa244a..ef1bcb5 100644 --- a/strophe.h +++ b/strophe.h @@ -271,6 +271,7 @@ int xmpp_conn_open_stream(xmpp_conn_t *const conn, char **attributes, size_t attributes_len); int xmpp_conn_tls_start(xmpp_conn_t *const conn); +int xmpp_conn_tls_cafile(xmpp_conn_t *const conn, const char *cafile); void xmpp_disconnect(xmpp_conn_t *const conn);