Diffstat (limited to 'socket.c')
-rw-r--r--socket.c33
1 files changed, 31 insertions, 2 deletions
diff --git a/socket.c b/socket.c
index f836115f..399ba189 100644
--- a/socket.c
+++ b/socket.c
@@ -217,7 +217,7 @@ int UnixOpen(const char *path)
struct sockaddr_un ad;
memset(&ad, 0, sizeof(ad));
ad.sun_family = AF_UNIX;
- strncpy(ad.sun_path, path, sizeof(ad.sun_path)-1);
+ strlcpy(ad.sun_path, path, sizeof(ad.sun_path));
sock = socket( AF_UNIX, SOCK_STREAM, 0 );
if (sock < 0)
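Review bot: The strlcpy return value is discarded, so a path longer than sizeof(ad.sun_path) (typically 108 bytes) is silently truncated and the socket is connected to a different, shorter path than the caller asked for; fail instead: `if (strlcpy(ad.sun_path, path, sizeof(ad.sun_path)) >= sizeof(ad.sun_path)) { errno = ENAMETOOLONG; return -1; }`. strlcpy is not provided by older glibc, so presumably a compat definition exists elsewhere in the tree — worth confirming, since nothing in this hunk brings one in. UnixOpen's body continues outside the hunk.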
@@ -636,6 +636,12 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
subj = X509_get_subject_name(x509_cert);
issuer = X509_get_issuer_name(x509_cert);
+ if (outlevel >= O_DEBUG) {
+ if (SSLverbose)
+ report(stdout, GT_("SSL verify callback depth %d: preverify_ok == %d, err = %d, %s\n"),
+ depth, ok_return, err, X509_verify_cert_error_string(err));
+ }
+
if (outlevel >= O_VERBOSE) {
if (depth == 0 && SSLverbose)
report(stdout, GT_("Server certificate:\n"));
@@ -954,8 +960,10 @@ static int OSSL10X_proto_version_logic(int sock, const char **myproto, int *avoi
return 0;
}
#define OSSL_proto_version_logic(a,b,c) OSSL10X_proto_version_logic((a),(b),(c))
+#undef OSSL110_API
#else
/* implementation for OpenSSL 1.1.0 */
+#define OSSL110_API 1
static int OSSL110_proto_version_logic(int sock, const char **myproto,
int *avoid_ssl_versions)
{
@@ -1049,11 +1057,16 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
int ssle_connect = 0;
long ver;
+#ifndef OSSL110_API
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms(); /* see Debian Bug#576430 and manpage */
+ ver = SSLeay();
+#else
+ ver = OpenSSL_version_num();
+#endif
- if ((ver = SSLeay()) < OPENSSL_VERSION_NUMBER) {
+ if (ver < OPENSSL_VERSION_NUMBER) {
report(stderr, GT_("Loaded OpenSSL library %#lx older than headers %#lx, refusing to work.\n"), (long)ver, (long)(OPENSSL_VERSION_NUMBER));
return -1;
}
@@ -1172,6 +1185,22 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
}
}
+ /* OpenSSL >= 1.0.2: set host name for verification */
+ /* XXX FIXME: do we need to change the function's signature and pass the akalist to
+ * permit the other hostnames through SSL? */
+ /* https://wiki.openssl.org/index.php/Hostname_validation */
+ {
+ int r;
+ X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_context[sock]);
+
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
+ if (0 == (r = X509_VERIFY_PARAM_set1_host(param, servercname, strlen(servercname)))) {
+ report(stderr, GT_("Warning: X509_VERIFY_PARAM_set1_host(%p, \"%s\") failed (code %#x), trying to continue.\n"),
+ (void *)_ssl_context[sock], servercname, r);
+ ERR_print_errors_fp(stderr);
+ }
+ }
+
if( mycert || mykey ) {
/* Ok... He has a certificate file defined, so lets declare it. If
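Review bot: The failure path of X509_VERIFY_PARAM_set1_host only warns and continues, which silently downgrades the session to one with no host-name check against the certificate; when the caller requested certificate checking that should be fatal, e.g. after `ERR_print_errors_fp(stderr);` add `if (certck) return -1;`. The `code %#x` in the warning prints r, which is always 0 on that path and so conveys nothing — drop it or print `ERR_peek_last_error()` instead. servercname is passed to strlen() with no NULL check; its origin is outside this hunk, so if it can be NULL or empty it needs a guard (an empty name leaves nothing to match). SSLOpen's body continues outside the hunk.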