- Fixed certificate fingerprint validation for outgoing server connects

git-svn-id: svn://svn.ircd-hybrid.org/svnroot/ircd-hybrid/branches/8.1.x@2462 82007160-df01-0410-b94d-b575c5fd34c7

2 files changed, 50 insertions, 27 deletions

diff --git a/src/s_bsd.c b/src/s_bsd.c
index d75e187..20bef26 100644
--- a/src/s_bsd.c
+++ b/src/s_bsd.c
@@ -252,7 +252,27 @@ static void
 ssl_handshake(int fd, struct Client *client_p)
 {
   X509 *cert = NULL;
-  int ret = SSL_accept(client_p->localClient->fd.ssl);
+  int ret = 0;
+
+  if ((ret = SSL_accept(client_p->localClient->fd.ssl)) <= 0)
+  {
+    switch (SSL_get_error(client_p->localClient->fd.ssl, ret))
+    {
+      case SSL_ERROR_WANT_WRITE:
+        comm_setselect(&client_p->localClient->fd, COMM_SELECT_WRITE,
+	               (PF *) ssl_handshake, client_p, 0);
+        return;
+
+      case SSL_ERROR_WANT_READ:
+        comm_setselect(&client_p->localClient->fd, COMM_SELECT_READ,
+	               (PF *) ssl_handshake, client_p, 0);
+        return;
+
+      default:
+        exit_client(client_p, client_p, "Error during SSL handshake");
+	return;
+    }
+  }
 
   if ((cert = SSL_get_peer_certificate(client_p->localClient->fd.ssl)))
   {
@@ -279,26 +299,6 @@ ssl_handshake(int fd, struct Client *client_p)
     X509_free(cert);
   }
 
-  if (ret <= 0)
-  {
-    switch (SSL_get_error(client_p->localClient->fd.ssl, ret))
-    {
-      case SSL_ERROR_WANT_WRITE:
-        comm_setselect(&client_p->localClient->fd, COMM_SELECT_WRITE,
-	               (PF *) ssl_handshake, client_p, 0);
-        return;
-
-      case SSL_ERROR_WANT_READ:
-        comm_setselect(&client_p->localClient->fd, COMM_SELECT_READ,
-	               (PF *) ssl_handshake, client_p, 0);
-        return;
-
-      default:
-        exit_client(client_p, client_p, "Error during SSL handshake");
-	return;
-    }
-  }
-
   start_auth(client_p);
 }
 #endif
diff --git a/src/s_serv.c b/src/s_serv.c
index 3b622a6..7c6fa2e 100644
--- a/src/s_serv.c
+++ b/src/s_serv.c
@@ -1305,14 +1305,12 @@ finish_ssl_server_handshake(struct Client *client_p)
 static void
 ssl_server_handshake(fde_t *fd, struct Client *client_p)
 {
-  int ret;
-  int err;
+  X509 *cert = NULL;
+  int ret = 0;
 
-  ret = SSL_connect(client_p->localClient->fd.ssl);
-
-  if (ret <= 0)
+  if ((ret = SSL_connect(client_p->localClient->fd.ssl)) <= 0)
   {
-    switch ((err = SSL_get_error(client_p->localClient->fd.ssl, ret)))
+    switch (SSL_get_error(client_p->localClient->fd.ssl, ret))
     {
       case SSL_ERROR_WANT_WRITE:
         comm_setselect(&client_p->localClient->fd, COMM_SELECT_WRITE,
@@ -1334,6 +1332,31 @@ ssl_server_handshake(fde_t *fd, struct Client *client_p)
     }
   }
 
+  if ((cert = SSL_get_peer_certificate(client_p->localClient->fd.ssl)))
+  {
+    int res = SSL_get_verify_result(client_p->localClient->fd.ssl);
+    char buf[EVP_MAX_MD_SIZE * 2 + 1] = { '\0' };
+    unsigned char md[EVP_MAX_MD_SIZE] = { '\0' };
+
+    if (res == X509_V_OK || res == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN ||
+        res == X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE ||
+        res == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
+    {
+      unsigned int i = 0, n = 0;
+
+      if (X509_digest(cert, EVP_sha256(), md, &n))
+      {
+        for (; i < n; ++i)
+          snprintf(buf + 2 * i, 3, "%02X", md[i]);
+        client_p->certfp = xstrdup(buf);
+      }
+    }
+    else
+      ilog(LOG_TYPE_IRCD, "Server %s!%s@%s gave bad SSL client certificate: %d",
+           client_p->name, client_p->username, client_p->host, res);
+    X509_free(cert);
+  }
+
   finish_ssl_server_handshake(client_p);
 }