Inicio Explorar Ayuda
Registro Iniciar sesión
hebinlong
/
aria2
1
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Explorar el Código

Warn about insecure SSL connections.

Fixed GH-313
Nils Maier hace 11 años
padre
811c0f758d
commit
c5c38bf3a4
Se han modificado 5 ficheros con 87 adiciones y 2 borrados
Dividir vista Mostrar estadísticas de diff
  1. 13 1
      src/AppleTLSSession.cc
  2. 21 0
      src/LibgnutlsTLSSession.cc
  3. 20 0
      src/LibsslTLSSession.cc
  4. 29 1
      src/WinTLSSession.cc
  5. 4 0
      src/message.h

+ 13 - 1
src/AppleTLSSession.cc
Ver fichero 

@@ -43,6 +43,7 @@
 
 #include "LogFactory.h"
 
 #include "a2functional.h"
 
 #include "fmt.h"
 
+#include "message.h"
 
 
 #define ioErr -36
 
 #define paramErr -50
 
@@ -85,7 +86,7 @@ static inline const char* protoToString(SSLProtocol proto)
 
   case kSSLProtocol2:
 
     return "SSLv2 (!)";
 
   case kSSLProtocol3:
 
-    return "SSLv3";
 
+    return "SSLv3 (!)";
 
   case kTLSProtocol1:
 
     return "TLSv1";
 
   case kTLSProtocol11:
 
@@ -731,6 +732,17 @@ int AppleTLSSession::tlsConnect(const std::string& hostname,
 
                   hostname.c_str(),
 
                   protoToString(proto),
 
                   suiteToString(suite).c_str()));
 
+  switch (proto) {
 
+    case kSSLProtocol2:
 
+    case kSSLProtocol3: {
 
+      std::string protoAndSuite = protoToString(proto);
 
+      protoAndSuite += " " + suiteToString(suite);
 
+      A2_LOG_WARN(fmt(MSG_WARN_OLD_TLS_CONNECTION, protoAndSuite.c_str()));
 
+      break;
 
+    }
 
+    default:
 
+      break;
 
+  }
 
 
   return TLS_ERR_OK;
 
 }

+ 21 - 0
src/LibgnutlsTLSSession.cc
Ver fichero 

@@ -39,6 +39,9 @@
 
 #include "TLSContext.h"
 
 #include "util.h"
 
 #include "SocketCore.h"
 
+#include "LogFactory.h"
 
+#include "fmt.h"
 
+#include "message.h"
 
 
 namespace aria2 {
 
 
@@ -297,6 +300,24 @@ int GnuTLSSession::tlsConnect(const std::string& hostname,
 
       return TLS_ERR_ERROR;
 
     }
 
   }
 
+  auto proto = gnutls_protocol_get_version(sslSession_);
 
+  switch(proto) {
 
+    case GNUTLS_SSL3: {
 
+      std::string protoAndSuite = gnutls_protocol_get_name(proto);
 
+      protoAndSuite += " ";
 
+      protoAndSuite += gnutls_cipher_suite_get_name(
 
+          gnutls_kx_get(sslSession_),
 
+          gnutls_cipher_get(sslSession_),
 
+          gnutls_mac_get(sslSession_)
 
+          );
 
+      A2_LOG_WARN(fmt(MSG_WARN_OLD_TLS_CONNECTION, protoAndSuite.c_str()));
 
+      break;
 
+    }
 
+
 
+    default:
 
+      break;
 
+  }
 
+
 
   return TLS_ERR_OK;
 
 }

+ 20 - 0
src/LibsslTLSSession.cc
Ver fichero 

@@ -267,6 +267,26 @@ int OpenSSLTLSSession::tlsConnect(const std::string& hostname,
 
       return TLS_ERR_ERROR;
 
     }
 
   }
 
+
 
+  switch(SSL_version(ssl_)) {
 
+    case SSL3_VERSION:
 
+    case SSL2_VERSION: {
 
+      std::string protoAndSuite = "Unknown";
 
+      auto cipher = SSL_get_current_cipher(ssl_);
 
+      if(cipher) {
 
+        auto buf = make_unique<char[]>(256);
 
+        auto cipherstr = SSL_CIPHER_description(cipher, buf.get(), 256);
 
+        if(cipherstr) {
 
+          protoAndSuite = cipherstr;
 
+        }
 
+      }
 
+      A2_LOG_WARN(fmt(MSG_WARN_OLD_TLS_CONNECTION, protoAndSuite.c_str()));
 
+      break;
 
+    }
 
+    default:
 
+      break;
 
+  }
 
+
 
   return TLS_ERR_OK;
 
 }

+ 29 - 1
src/WinTLSSession.cc
Ver fichero 

@@ -119,6 +119,17 @@ inline static std::string getCipherSuite(CtxtHandle* handle)
 
   return "Unknown";
 
 }
 
 
+inline static uint32_t getProtocolVersion(CtxtHandle* handle)
 
+{
 
+  WinSecPkgContext_CipherInfo info = {SECPKGCONTEXT_CIPHERINFO_V1};
 
+  if (QueryContextAttributes(handle, SECPKG_ATTR_CIPHER_INFO, &info) ==
 
+      SEC_E_OK) {
 
+    return info.dwProtocol;
 
+  }
 
+  // XXX Assume the best?!
 
+  return std::numeric_limits<uint32_t>::max();
 
+}
 
+
 
 } // namespace
 
 
 namespace aria2 {
 
@@ -808,14 +819,31 @@ restart:
 
   }
 
   // Fall through
 
 
-  case st_handshake_done:
 
+  case st_handshake_done: {
 
     // All ready now :D
 
     state_ = st_connected;
 
     A2_LOG_INFO(
 
         fmt("WinTLS: connected with: %s", getCipherSuite(&handle_).c_str()));
 
+    auto proto = getProtocolVersion(&handle_);
 
+    if (proto < 0x301) {
 
+      std::string protoAndSuite;
 
+      switch (proto) {
 
+      case 0x300:
 
+        protoAndSuite = "SSLv3";
 
+        break;
 
+      default:
 
+        protoAndSuite = "Unknown";
 
+        break;
 
+      }
 
+      protoAndSuite += " " + getCipherSuite(&handle_);
 
+      A2_LOG_WARN(fmt(MSG_WARN_OLD_TLS_CONNECTION, protoAndSuite.c_str()));
 
+    }
 
+
 
     return TLS_ERR_OK;
 
   }
 
 
+  }
 
+
 
   A2_LOG_ERROR("WinTLS: Unreachable reached during tlsConnect! This is a bug!");
 
   state_ = st_error;
 
   return TLS_ERR_ERROR;

+ 4 - 0
src/message.h
Ver fichero 

@@ -183,6 +183,10 @@
 
 #define MSG_WARN_NO_CA_CERT                                             \
 
   _("You may encounter the certificate verification error with HTTPS server." \
 
     " See --ca-certificate and --check-certificate option.")
 
+#define MSG_WARN_OLD_TLS_CONNECTION \
 
+  _("aria2c had to connect to the server using an old and vulnerable cipher" \
 
+    " suite. The integrity and confidentiality of the connection might be" \
 
+    " compromised.\nProtocol and cipher suite: %s")
 
 #define MSG_SHOW_FILES _("Printing the contents of file '%s'...")
 
 #define MSG_NOT_TORRENT_METALINK _("This file is neither Torrent nor Metalink" \
 
                                    " file. Skipping.")