diff options
Diffstat (limited to 'socket.c')
-rw-r--r-- | socket.c | 33 |
1 files changed, 31 insertions, 2 deletions
@@ -217,7 +217,7 @@ int UnixOpen(const char *path) struct sockaddr_un ad; memset(&ad, 0, sizeof(ad)); ad.sun_family = AF_UNIX; - strncpy(ad.sun_path, path, sizeof(ad.sun_path)-1); + strlcpy(ad.sun_path, path, sizeof(ad.sun_path)); sock = socket( AF_UNIX, SOCK_STREAM, 0 ); if (sock < 0) @@ -636,6 +636,12 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict ) subj = X509_get_subject_name(x509_cert); issuer = X509_get_issuer_name(x509_cert); + if (outlevel >= O_DEBUG) { + if (SSLverbose) + report(stdout, GT_("SSL verify callback depth %d: preverify_ok == %d, err = %d, %s\n"), + depth, ok_return, err, X509_verify_cert_error_string(err)); + } + if (outlevel >= O_VERBOSE) { if (depth == 0 && SSLverbose) report(stdout, GT_("Server certificate:\n")); @@ -954,8 +960,10 @@ static int OSSL10X_proto_version_logic(int sock, const char **myproto, int *avoi return 0; } #define OSSL_proto_version_logic(a,b,c) OSSL10X_proto_version_logic((a),(b),(c)) +#undef OSSL110_API #else /* implementation for OpenSSL 1.1.0 */ +#define OSSL110_API 1 static int OSSL110_proto_version_logic(int sock, const char **myproto, int *avoid_ssl_versions) { @@ -1049,11 +1057,16 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck int ssle_connect = 0; long ver; +#ifndef OSSL110_API SSL_load_error_strings(); SSL_library_init(); OpenSSL_add_all_algorithms(); /* see Debian Bug#576430 and manpage */ + ver = SSLeay(); +#else + ver = OpenSSL_version_num(); +#endif - if ((ver = SSLeay()) < OPENSSL_VERSION_NUMBER) { + if (ver < OPENSSL_VERSION_NUMBER) { report(stderr, GT_("Loaded OpenSSL library %#lx older than headers %#lx, refusing to work.\n"), (long)ver, (long)(OPENSSL_VERSION_NUMBER)); return -1; } @@ -1172,6 +1185,22 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck } } + /* OpenSSL >= 1.0.2: set host name for verification */ + /* XXX FIXME: do we need to change the function's signature and pass the akalist to + * permit the other hostnames through SSL? */ + /* https://wiki.openssl.org/index.php/Hostname_validation */ + { + int r; + X509_VERIFY_PARAM *param = SSL_get0_param(_ssl_context[sock]); + + X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS); + if (0 == (r = X509_VERIFY_PARAM_set1_host(param, servercname, strlen(servercname)))) { + report(stderr, GT_("Warning: X509_VERIFY_PARAM_set1_host(%p, \"%s\") failed (code %#x), trying to continue.\n"), + (void *)_ssl_context[sock], servercname, r); + ERR_print_errors_fp(stderr); + } + } + if( mycert || mykey ) { /* Ok... He has a certificate file defined, so lets declare it. If |