From 697dd19d887c58930c76de68268d58f2251904d6 Mon Sep 17 00:00:00 2001
From: LemonBoy <thatlemon@gmail.com>
Date: Sun, 22 Jan 2017 21:49:37 +0100
Subject: Check whether the client certificate is expired.

Right now we only warn the user, the connection keeps going.
Fixes #211
---
 src/core/network-openssl.c | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

(limited to 'src/core')

diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 1eb85341..001e2d9d 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -420,16 +420,38 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_
 
 	if (mycert && *mycert) {
 		char *scert = NULL, *spkey = NULL;
+		FILE *fp;
 		scert = convert_home(mycert);
 		if (mypkey && *mypkey)
 			spkey = convert_home(mypkey);
-		ERR_clear_error();
-		if (! SSL_CTX_use_certificate_file(ctx, scert, SSL_FILETYPE_PEM))
-			g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
-		else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
-			g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
-		else if (! SSL_CTX_check_private_key(ctx))
-			g_warning("Private key does not match the certificate");
+
+		if ((fp = fopen(scert, "r"))) {
+			X509 *cert;
+			/* Let's parse the certificate by hand instead of using
+			 * SSL_CTX_use_certificate_file so that we can validate
+			 * some parts of it. */
+			cert = PEM_read_X509(fp, NULL, get_pem_password_callback, (void *)mypass);
+			if (cert != NULL) {
+				/* Only the expiration date is checked right now */
+				if (X509_cmp_current_time(X509_get_notAfter(cert))  <= 0 ||
+				    X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
+					g_warning("The client certificate is expired");
+
+				ERR_clear_error();
+				if (! SSL_CTX_use_certificate(ctx, cert))
+					g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
+				else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
+					g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
+				else if (! SSL_CTX_check_private_key(ctx))
+					g_warning("Private key does not match the certificate");
+
+				X509_free(cert);
+			} else
+				g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
+
+			fclose(fp);
+		} else
+			g_warning("Could not find client certificate '%s'", scert);
 		g_free(scert);
 		g_free(spkey);
 	}
-- 
cgit v1.2.3