25 Commits

Author SHA1 Message Date
Frediano Ziglio
8e8476d932 ssl_verify: Fix build for newer LibreSSL
LibreSSL 2.7 defines ASN1_STRING_get0_data, like OpenSSL 1.1.
This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229044.
Original patch from Piotr Kubaj.

Reported-by: Jack L. <xxjack12xx@gmail.com>
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
2018-06-26 18:30:58 +01:00
Frediano Ziglio
3f04e2649d Revert "ssl_verify: Fix build for newer LibreSSL"
This reverts commit 638c77f3e6.
Commit had a misleading comment.
2018-06-26 18:30:58 +01:00
Frediano Ziglio
638c77f3e6 ssl_verify: Fix build for newer LibreSSL
LibreSSL 2.7 does not define ASN1_STRING_get0_data, like OpenSSL 1.1.
This fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=229044.
Original patch from Piotr Kubaj.

Reported-by: Jack L. <xxjack12xx@gmail.com>
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
2018-06-26 17:58:44 +01:00
Paweł Pękala
122be3d1f7 Fix build with LibreSSL
Some FreeBSD configurations can use LibreSSL instead of OpenSSL.
The two libraries are really similar but need some minimal adjustment.

Signed-off-by: Paweł Pękala <pawelbsd@gmail.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
2018-01-23 10:23:43 +00:00
Sebastian Andrzej Siewior
ab7cae45bc ssl: Use ASN1_STRING_get0_data instead of ASN1_STRING_data
The latter is deprecated, so might be removed at some point in the
future. This also adds a compatibility wrapper for OpenSSL < 1.1.0.

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
2017-02-16 16:40:52 +01:00
Christophe Fergeau
47122befcd ssl-verify: Don't leak GInetAddress
GInetAddress is a GObject, so we must unref anything we create with
g_inet_address_new_*
2015-11-27 17:50:02 +01:00
Christophe Fergeau
9057e0aef3 ssl-verify: Handle NULL return from g_inet_address_new_from_string()
It will return NULL if the string we pass it cannot be parsed.
2015-11-27 17:50:02 +01:00
Lukas Venhoda
9749e7ed14 ssl-verify: Changed IPv4 hostname to IPv6
Change inet_aton function to glib functions.

inet_aton only supported IPv4 addresses, and wasn't available on Windows
machines. GInetAddress functions support IPv6 natively, and require less
boilerplate code than IPv6 getaddrinfo().
2015-10-23 11:07:58 +02:00
Lukas Venhoda
fb6904f528 ssl-verify: Only check addr length when using IP addr
Only check for address length when connecting through IP address.
It is not used when connecting through DNS hostname.
2015-10-23 11:07:45 +02:00
Christophe Fergeau
6175014ed7 ssl: Don't use uninitialized variable in verify_subject()
If verify_subject() is called with a SpiceOpenSSLVerify struct containing a
non-NULL 'in_subject' member, it would try to use the local 'in_entries'
variable without having initialized it first. This could happen if
verify_subject() was called multiple times with the same SpiceOpenSSLVerify
context, which probably isn't occurring the way we are using it.

However, since verify_subject() is the only method which needs in_subject,
we don't need to have it stored in SpiceOpenSSLVerify, and we can
recreate it as needed locally in that method, which avoids that issue.
2014-01-07 13:55:58 +01:00
Christophe Fergeau
fa640286f4 ssl: Don't try hostname check if cert subject check fails
Currently, SSL verification of the peer certificate checks if
the certificate's subject CN or one of its subjectAltName match
the hostname. If this succeeds, then the verification succeeds.
Otherwise openssl_verify() checks the cert subject if this was set,
which means it checks the certificate's subject (not just its CN) matches
exactly the cert subject string that is set in SpiceSession.

Given that the cert subject is something the user specifies in addition
to the hostname, the cert subject check should have priority over the
hostname check, that is, when we have a cert subject set, the
success/failure of the cert subject cert should determine the
success/failure of openssl_verify(), and the hostname check
should only be carried out when no cert subject was set.

This fixes rhbz#871034
2013-10-11 10:21:54 +02:00
Christophe Fergeau
9b3e972cdc ssl: Log an error when peer certificate verification failed
We currently log an error when openssl_verify() is called with
preverify_ok set to 0 for all certificates in the certificate chain
except for the peer certificate (when 'depth' is 0).
This commit logs an error in the latter case as well.
2013-10-11 10:21:54 +02:00
Christophe Fergeau
b34169feb6 ssl: Improve error message in cert chain verification
It contains the same information as before, but should be more readable.
2013-10-11 10:21:54 +02:00
Marc-André Lureau
8543d04cd2 ssl-verify: use more explicit error message
When the server certificate is not being signed by the provided CA,
the SSL debug message is currently for example:

ssl_verify.c:428:openssl_verify: openssl verify:num=19:self signed
certificate in certificate chain:depth=1:/C=IL/L=Raanana/O=Red
Hat/CN=my CA

Add a more explicit debug message too, as requested in bug:

https://bugzilla.redhat.com/show_bug.cgi?id=846666
2012-10-18 21:20:54 +02:00
Marc-André Lureau
f8f6231ecd Fix a gcc warning
warning: suggest explicit braces to avoid ambiguous 'else'
2012-06-30 02:54:53 +02:00
Christophe Fergeau
bf5511033d ssl: more verbose output when SSL verification fails
This should make SSL connection failures easier to diagnose.
2012-06-25 14:59:59 +02:00
Marc-André Lureau
5f44094940 ssl-verify: add a bit of run-time checks
Even if they are not public functions, those conditions can be reached
in an invalid state.
2012-05-17 14:38:28 +02:00
Aric Stewart
6af29a97ac move variable declaration to head of code block
Signed-off-by: Aric Stewart <aric@codeweavers.com>
2012-04-18 17:53:05 +03:00
Marc-André Lureau
e3f6941895 Bypass certificate verification failure if PUBKEY check only
During switch-host migration, only PUBKEY verification is required.
Couldn't it just load the certificate again for the new session?
Perhaps, but that's the way the code used to work until I introduced
a regression in spice commit d46f9d3f4e006d3bca9b99fac25169b17e7ac803.
2012-03-30 14:10:00 +02:00
Marc-André Lureau
a0339261d4 ssl-verify: improve logging report in case of errors
Use the log.h system, and report a bit more information in the debug level
2012-03-30 14:10:00 +02:00
Daniel P. Berrange
fbb6b9984a Add missing includes & make some functions static
A number of functions were used without prior declaration. In
some cases this was due to missing include files. In other cases
the functions should have just been static.

Ideally this would allow -Wmissing-declarations to be enabled, but
the files generated by spice_codegen.py will still trip up on this.
2012-03-20 15:30:24 +01:00
Daniel P. Berrange
3bc7d096b6 Avoid warnings about empty conditional statement bodies
Add extra {} braces around if/else statements which only
call SPICE_DEBUG to avoid:

../common/ssl_verify.c: In function 'verify_pubkey':
../common/ssl_verify.c:87:50: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
../common/ssl_verify.c: In function 'verify_hostname':
../common/ssl_verify.c:254:53: warning: suggest braces around empty body in an 'if' statement [-Wempty-body]
../common/ssl_verify.c: In function 'verify_subject':
../common/ssl_verify.c:381:41: warning: suggest braces around empty body in an 'else' statement [-Wempty-body]
2012-03-20 15:30:23 +01:00
Christophe Fergeau
c968e76f96 ssl_verify: include <string.h>
ssl_verify.c is using memcmp which comes from string.h, this was
breaking compilation with -Werror -Wall on Mac OS X
2012-03-20 15:30:23 +01:00
Arnon Gilboa
4cb26e06f7 common: fix ssl_verify windows build errors
2012-03-20 15:25:53 +01:00
Marc-André Lureau
5de42c768d common: add ssl_verify.c common code
Code adapted from RedPeer::ssl_verify_callback() and used by
spice-gtk.

Since v1:
 - fixed Makefile.am
 - added config.h include
 - autoconf alloca added in patch series
 - moved int escape inside for loop
 - added a failed case when missing assignment
 - replaced strlen () by -1
 - skip spaces after comma
 - c++ guards

I didn't use bool, because OpenSSL uses int, and it is more future
proof for error reporting.
2012-03-20 15:25:53 +01:00