Remove vpninfo->servercert

Just let main.c handle this in the validate_peer_cert() callback. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Nov 20, 2014 · f237ff1 · f237ff1
1 parent 038ba9e
commit f237ff1
Show file tree

Hide file tree

Showing 8 changed files with 39 additions and 66 deletions.
diff --git a/gnutls.c b/gnutls.c
@@ -1822,20 +1822,6 @@ static int verify_peer(gnutls_session_t session)
 			     _("Could not calculate hash of server's certificate\n"));
 	}
 
-	if (vpninfo->servercert) {
-		err = openconnect_check_peer_cert_hash(vpninfo, vpninfo->servercert);
-		if (err < 0)
-			vpn_progress(vpninfo, PRG_ERR,
-				     _("Could not calculate hash of server's certificate\n"));
-		else if (err) {
-			err = GNUTLS_E_CERTIFICATE_ERROR;
-			vpn_progress(vpninfo, PRG_ERR,
-				     _("Server SSL certificate didn't match: %s\n"),
-				     openconnect_get_peer_cert_hash(vpninfo));
-		}
-		goto done;
-	}
-
 	err = gnutls_certificate_verify_peers2(session, &status);
 	if (err) {
 		vpn_progress(vpninfo, PRG_ERR, _("Error checking server cert status\n"));

diff --git a/java/src/org/infradead/libopenconnect/LibOpenConnect.java b/java/src/org/infradead/libopenconnect/LibOpenConnect.java
@@ -129,7 +129,6 @@ public synchronized native void setMobileInfo(String mobilePlatformVersion,
 	public synchronized native void setCSDWrapper(String wrapper, String TMPDIR, String PATH);
 	public synchronized native void setXMLPost(boolean isEnabled);
 	public synchronized native void setClientCert(String cert, String sslKey);
-	public synchronized native void setServerCertSHA1(String hash);
 	public synchronized native void setReqMTU(int mtu);
 	public synchronized native void setPFS(boolean isEnabled);
 	public synchronized native void setSystemTrust(boolean isEnabled);

diff --git a/jni.c b/jni.c
@@ -1192,14 +1192,6 @@ JNIEXPORT jint JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_setupTun
 	return ret;
 }
 
-JNIEXPORT void JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_setServerCertSHA1(
-	JNIEnv *jenv, jobject jobj, jstring jarg)
-{
-	SET_STRING_START()
-	openconnect_set_server_cert_sha1(ctx->vpninfo, arg);
-	SET_STRING_END();
-}
-
 JNIEXPORT jobject JNICALL Java_org_infradead_libopenconnect_LibOpenConnect_getIPInfo(
 	JNIEnv *jenv, jobject jobj)
 {

diff --git a/library.c b/library.c
@@ -195,7 +195,6 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 	free(vpninfo->proxy_pass);
 	free(vpninfo->vpnc_script);
 	free(vpninfo->cafile);
-	free(vpninfo->servercert);
 	free(vpninfo->ifname);
 	free(vpninfo->dtls_cipher);
 #ifdef OPENCONNECT_GNUTLS
@@ -332,13 +331,6 @@ void openconnect_set_system_trust(struct openconnect_info *vpninfo, unsigned val
 	vpninfo->no_system_trust = !val;
 }
 
-int openconnect_set_server_cert_sha1(struct openconnect_info *vpninfo,
-				     const char *servercert)
-{
-	STRDUP(vpninfo->servercert, servercert);
-	return 0;
-}
-
 const char *openconnect_get_ifname(struct openconnect_info *vpninfo)
 {
 	return vpninfo->ifname;

diff --git a/main.c b/main.c
@@ -87,6 +87,7 @@ static int non_inter;
 static int cookieonly;
 
 static char *token_filename;
+static char *server_cert = NULL;
 
 static char *username;
 static char *password;
@@ -1057,7 +1058,8 @@ int main(int argc, char **argv)
 			openconnect_set_pfs(vpninfo, 1);
 			break;
 		case OPT_SERVERCERT:
-			openconnect_set_server_cert_sha1(vpninfo, dup_config_arg());
+			server_cert = keep_config_arg();
+			openconnect_set_system_trust(vpninfo, 0);
 			break;
 		case OPT_NO_DTLS:
 			use_dtls = 0;
@@ -1548,6 +1550,23 @@ static int validate_peer_cert(void *_vpninfo, const char *reason)
 	const char *fingerprint;
 	struct accepted_cert *this;
 
+	if (server_cert) {
+		int err = openconnect_check_peer_cert_hash(vpninfo, server_cert);
+
+		if (!err)
+			return 0;
+
+		if (err < 0)
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Could not calculate hash of server's certificate\n"));
+		else
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Server SSL certificate didn't match: %s\n"),
+				     openconnect_get_peer_cert_hash(vpninfo));
+
+		return -EINVAL;
+	}
+
 	if (nocertcheck)
 		return 0;
 

diff --git a/openconnect-internal.h b/openconnect-internal.h
@@ -250,7 +250,6 @@ struct openconnect_info {
 	char *cert_password;
 	char *cafile;
 	unsigned no_system_trust;
-	char *servercert;
 	const char *xmlconfig;
 	char xmlsha1[(SHA1_SIZE * 2) + 1];
 	char *authgroup;

diff --git a/openconnect.h b/openconnect.h
@@ -36,6 +36,7 @@
  *  - Remove OPENCONNECT_X509 and openconnect_get_peer_cert().
  *  - Change openconnect_get_cert_der() to openconnect_get_peer_cert_DER() etc.
  *  - Add openconnect_check_peer_cert_hash().
+ *  - Remove openconnect_set_server_cert_sha1().
  *
  * API version 4.1:
  *  - Add openconnect_get_cstp_cipher(), openconnect_get_dtls_cipher(),
@@ -404,7 +405,6 @@ int openconnect_set_mobile_info(struct openconnect_info *vpninfo,
 				const char *mobile_device_uniqueid);
 int openconnect_set_client_cert(struct openconnect_info *, const char *cert,
 				const char *sslkey);
-int openconnect_set_server_cert_sha1(struct openconnect_info *, const char *);
 const char *openconnect_get_ifname(struct openconnect_info *);
 void openconnect_set_reqmtu(struct openconnect_info *, int reqmtu);
 void openconnect_set_dpd(struct openconnect_info *, int min_seconds);

diff --git a/openssl.c b/openssl.c
@@ -1204,40 +1204,26 @@ static int match_cert_hostname(struct openconnect_info *vpninfo, X509 *peer_cert
 static int verify_peer(struct openconnect_info *vpninfo, SSL *https_ssl)
 {
 	int ret;
+	int vfy = SSL_get_verify_result(https_ssl);
+	const char *err_string = NULL;
 
-	if (vpninfo->servercert) {
-		/* If given a cert fingerprint on the command line, that's
-		   all we look for */
-		ret = openconnect_check_peer_cert_hash(vpninfo, vpninfo->servercert);
-		if (ret < 0)
-			vpn_progress(vpninfo, PRG_ERR,
-				     _("Could not calculate hash of server's certificate\n"));
-		else if (ret)
-			vpn_progress(vpninfo, PRG_ERR,
-				     _("Server SSL certificate didn't match: %s\n"),
-				     openconnect_get_peer_cert_hash(vpninfo));
+	if (vfy != X509_V_OK)
+		err_string = X509_verify_cert_error_string(vfy);
+	else if (match_cert_hostname(vpninfo, vpninfo->peer_cert))
+		err_string = _("certificate does not match hostname");
+
+	if (err_string) {
+		vpn_progress(vpninfo, PRG_INFO,
+			     _("Server certificate verify failed: %s\n"),
+			     err_string);
+
+		if (vpninfo->validate_peer_cert)
+			ret = vpninfo->validate_peer_cert(vpninfo->cbdata,
+							  err_string);
+		else
+			ret = -EINVAL;
 	} else {
-		int vfy = SSL_get_verify_result(https_ssl);
-		const char *err_string = NULL;
-
-		if (vfy != X509_V_OK)
-			err_string = X509_verify_cert_error_string(vfy);
-		else if (match_cert_hostname(vpninfo, vpninfo->peer_cert))
-			err_string = _("certificate does not match hostname");
-
-		if (err_string) {
-			vpn_progress(vpninfo, PRG_INFO,
-				     _("Server certificate verify failed: %s\n"),
-				     err_string);
-
-			if (vpninfo->validate_peer_cert)
-				ret = vpninfo->validate_peer_cert(vpninfo->cbdata,
-								  err_string);
-			else
-				ret = -EINVAL;
-		} else {
-			ret = 0;
-		}
+		ret = 0;
 	}
 
 	return ret;