1 Commits

Author SHA1 Message Date
Dmitry Podgorny
85da4145aa conn: add xmpp_conn_tls_cafile()
This function adds an external CAfile in PEM format as trusted
certificates.
2020-10-07 20:05:57 +03:00
5 changed files with 47 additions and 3 deletions

View File

@@ -49,6 +49,7 @@ int main(int argc, char **argv)
xmpp_conn_t *conn; xmpp_conn_t *conn;
xmpp_log_t *log; xmpp_log_t *log;
char *jid, *pass, *host = NULL; char *jid, *pass, *host = NULL;
const char *cafile = NULL;
long flags = 0; long flags = 0;
int tcp_keepalive = 0; int tcp_keepalive = 0;
int i; int i;
@@ -67,12 +68,15 @@ int main(int argc, char **argv)
flags |= XMPP_CONN_FLAG_LEGACY_AUTH; flags |= XMPP_CONN_FLAG_LEGACY_AUTH;
else if (strcmp(argv[i], "--tcp-keepalive") == 0) else if (strcmp(argv[i], "--tcp-keepalive") == 0)
tcp_keepalive = 1; tcp_keepalive = 1;
else if (strncmp(argv[i], "--cafile=", strlen("--cafile=")) == 0)
cafile = argv[i] + strlen("--cafile=");
else else
break; break;
} }
if ((argc - i) < 2 || (argc - i) > 3) { if ((argc - i) < 2 || (argc - i) > 3) {
fprintf(stderr, "Usage: basic [options] <jid> <pass> [<host>]\n\n" fprintf(stderr, "Usage: basic [options] <jid> <pass> [<host>]\n\n"
"Options:\n" "Options:\n"
" --cafile=<PATH> CAfile for cert verification.\n"
" --disable-tls Disable TLS.\n" " --disable-tls Disable TLS.\n"
" --mandatory-tls Deny plaintext connection.\n" " --mandatory-tls Deny plaintext connection.\n"
" --trust-tls Trust TLS certificate.\n" " --trust-tls Trust TLS certificate.\n"
@@ -111,6 +115,10 @@ int main(int argc, char **argv)
if (tcp_keepalive) if (tcp_keepalive)
xmpp_conn_set_keepalive(conn, KA_TIMEOUT, KA_INTERVAL); xmpp_conn_set_keepalive(conn, KA_TIMEOUT, KA_INTERVAL);
/* add external CAfile if needed */
if (cafile)
xmpp_conn_tls_cafile(conn, cafile);
/* setup authentication information */ /* setup authentication information */
xmpp_conn_set_jid(conn, jid); xmpp_conn_set_jid(conn, jid);
xmpp_conn_set_pass(conn, pass); xmpp_conn_set_pass(conn, pass);

View File

@@ -171,6 +171,7 @@ struct _xmpp_conn_t {
int ka_interval; /* TCP keepalive interval */ int ka_interval; /* TCP keepalive interval */
tls_t *tls; tls_t *tls;
char *tls_cafile;
int tls_support; int tls_support;
int tls_disabled; int tls_disabled;
int tls_mandatory; int tls_mandatory;

View File

@@ -137,6 +137,7 @@ xmpp_conn_t *xmpp_conn_new(xmpp_ctx_t *const ctx)
conn->bound_jid = NULL; conn->bound_jid = NULL;
conn->is_raw = 0; conn->is_raw = 0;
conn->tls_cafile = NULL;
conn->tls_support = 0; conn->tls_support = 0;
conn->tls_disabled = 0; conn->tls_disabled = 0;
conn->tls_mandatory = 0; conn->tls_mandatory = 0;
@@ -338,6 +339,8 @@ int xmpp_conn_release(xmpp_conn_t *const conn)
xmpp_free(ctx, conn->pass); xmpp_free(ctx, conn->pass);
if (conn->lang) if (conn->lang)
xmpp_free(ctx, conn->lang); xmpp_free(ctx, conn->lang);
if (conn->tls_cafile)
xmpp_free(ctx, conn->tls_cafile);
xmpp_free(ctx, conn); xmpp_free(ctx, conn);
released = 1; released = 1;
} }
@@ -686,6 +689,28 @@ int xmpp_conn_tls_start(xmpp_conn_t *const conn)
return conn_tls_start(conn); return conn_tls_start(conn);
} }
/** Set external CAfile which will be used for TLS cert verification.
*
* @return XMPP_EOK (0) on success a number less than 0 on failure
*
* @ingroup Connections
*/
int xmpp_conn_tls_cafile(xmpp_conn_t *const conn, const char *cafile)
{
FILE *f;
f = fopen(cafile, "r");
if (f == NULL) {
xmpp_debug(conn->ctx, "conn", "CAfile '%s' is not readable. errno=%d",
cafile, errno);
return XMPP_EINVOP;
}
fclose(f);
conn->tls_cafile = xmpp_strdup(conn->ctx, cafile);
return conn->tls_cafile == NULL ? XMPP_EMEM : XMPP_EOK;
}
/** Cleanly disconnect the connection. /** Cleanly disconnect the connection.
* This function is only called by the stream parser when </stream:stream> * This function is only called by the stream parser when </stream:stream>
* is received, and it not intended to be called by code outside of Strophe. * is received, and it not intended to be called by code outside of Strophe.
@@ -915,6 +940,10 @@ int conn_tls_start(xmpp_conn_t *const conn)
} }
if (conn->tls != NULL) { if (conn->tls != NULL) {
if (conn->tls_cafile != NULL) {
(void)tls_set_credentials(conn->tls, conn->tls_cafile);
}
if (tls_start(conn->tls)) { if (tls_start(conn->tls)) {
conn->secured = 1; conn->secured = 1;
} else { } else {

View File

@@ -318,9 +318,14 @@ void tls_free(tls_t *tls)
int tls_set_credentials(tls_t *tls, const char *cafilename) int tls_set_credentials(tls_t *tls, const char *cafilename)
{ {
UNUSED(tls); int ret;
UNUSED(cafilename);
return -1; ret = SSL_CTX_load_verify_locations(tls->ssl_ctx, cafilename, NULL);
if (ret != 1) {
xmpp_error(tls->ctx, "tls", "Failed to process CAfile: %s", cafilename);
_tls_log_error(tls->ctx);
}
return ret;
} }
int tls_start(tls_t *tls) int tls_start(tls_t *tls)

View File

@@ -271,6 +271,7 @@ int xmpp_conn_open_stream(xmpp_conn_t *const conn,
char **attributes, char **attributes,
size_t attributes_len); size_t attributes_len);
int xmpp_conn_tls_start(xmpp_conn_t *const conn); int xmpp_conn_tls_start(xmpp_conn_t *const conn);
int xmpp_conn_tls_cafile(xmpp_conn_t *const conn, const char *cafile);
void xmpp_disconnect(xmpp_conn_t *const conn); void xmpp_disconnect(xmpp_conn_t *const conn);