
Use one SSL_CTX per connection, use default trusted CAs if nothing specified.

This makes -ssl_verify usable without
-ssl_cafile/-ssl_capath, using OpenSSL's default trusted CAs.


git-svn-id: file:///var/www/svn.irssi.org/SVN/irssi/trunk@5107 dbcabf3a-b0e7-0310-adc4-f8d773084564
Jilles Tjoelker 2010-01-31 00:13:05 +00:00 committed by jilles
parent 2a439eee54
commit 532e3f5d19


@ -43,14 +43,13 @@ typedef struct
const char *hostname; const char *hostname;
} GIOSSLChannel; } GIOSSLChannel;
static SSL_CTX *ssl_ctx = NULL; static int ssl_inited = FALSE;
static void irssi_ssl_free(GIOChannel *handle) static void irssi_ssl_free(GIOChannel *handle)
{ {
GIOSSLChannel *chan = (GIOSSLChannel *)handle; GIOSSLChannel *chan = (GIOSSLChannel *)handle;
g_io_channel_unref(chan->giochan); g_io_channel_unref(chan->giochan);
SSL_free(chan->ssl); SSL_free(chan->ssl);
if (chan->ctx != ssl_ctx)
SSL_CTX_free(chan->ctx); SSL_CTX_free(chan->ctx);
g_free(chan); g_free(chan);
} }
@ -375,13 +374,7 @@ static gboolean irssi_ssl_init(void)
{ {
SSL_library_init(); SSL_library_init();
SSL_load_error_strings(); SSL_load_error_strings();
ssl_inited = TRUE;
ssl_ctx = SSL_CTX_new(SSLv23_client_method());
if(!ssl_ctx)
{
g_error("Initialization of the SSL library failed");
return FALSE;
}
return TRUE; return TRUE;
@ -397,18 +390,20 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, const char *hostn
g_return_val_if_fail(handle != NULL, NULL); g_return_val_if_fail(handle != NULL, NULL);
if(!ssl_ctx && !irssi_ssl_init()) if(!ssl_inited && !irssi_ssl_init())
return NULL; return NULL;
if(!(fd = g_io_channel_unix_get_fd(handle))) if(!(fd = g_io_channel_unix_get_fd(handle)))
return NULL; return NULL;
if (mycert && *mycert) { ctx = SSL_CTX_new(SSLv23_client_method());
char *scert = NULL, *spkey = NULL; if (ctx == NULL) {
if ((ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
g_error("Could not allocate memory for SSL context"); g_error("Could not allocate memory for SSL context");
return NULL; return NULL;
} }
if (mycert && *mycert) {
char *scert = NULL, *spkey = NULL;
scert = convert_home(mycert); scert = convert_home(mycert);
if (mypkey && *mypkey) if (mypkey && *mypkey)
spkey = convert_home(mypkey); spkey = convert_home(mypkey);
@ -425,10 +420,6 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, const char *hostn
if ((cafile && *cafile) || (capath && *capath)) { if ((cafile && *cafile) || (capath && *capath)) {
char *scafile = NULL; char *scafile = NULL;
char *scapath = NULL; char *scapath = NULL;
if (! ctx && (ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
g_error("Could not allocate memory for SSL context");
return NULL;
}
if (cafile && *cafile) if (cafile && *cafile)
scafile = convert_home(cafile); scafile = convert_home(cafile);
if (capath && *capath) if (capath && *capath)
@ -443,14 +434,15 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, const char *hostn
g_free(scafile); g_free(scafile);
g_free(scapath); g_free(scapath);
verify = TRUE; verify = TRUE;
} else {
if (!SSL_CTX_set_default_verify_paths(ctx))
g_warning("Could not load default certificates");
} }
if (ctx == NULL)
ctx = ssl_ctx;
if(!(ssl = SSL_new(ctx))) if(!(ssl = SSL_new(ctx)))
{ {
g_warning("Failed to allocate SSL structure"); g_warning("Failed to allocate SSL structure");
SSL_CTX_free(ctx);
return NULL; return NULL;
} }
@ -458,7 +450,6 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, const char *hostn
{ {
g_warning("Failed to associate socket to SSL stream"); g_warning("Failed to associate socket to SSL stream");
SSL_free(ssl); SSL_free(ssl);
if (ctx != ssl_ctx)
SSL_CTX_free(ctx); SSL_CTX_free(ctx);
return NULL; return NULL;
} }
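Review bot: In the new else branch around `SSL_CTX_set_default_verify_paths(ctx)` a failure to load OpenSSL's default trust store only emits a warning and the connection goes ahead with a context that has no trust anchors at all, so a user who asked for verification gets an obscure verify failure later instead of a clear error at the point the cause is known. Consider treating it as fatal there, `} else if (!SSL_CTX_set_default_verify_paths(ctx)) { g_warning("Could not load default certificates"); SSL_CTX_free(ctx); return NULL; }`. Whether verification was actually requested is decided outside these hunks, so the abort may need to be conditional on that flag rather than unconditional. Now that each connection owns its SSL_CTX, every early `return NULL` inside the certificate- and CA-loading code between the hunks must release ctx the same way the SSL_new and SSL_set_fd failure paths now do; those paths are not visible here and should be checked. irssi_ssl_get_iochannel begins and ends outside the hunks.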