struct sockaddr_in addr; // cette variable devient globale /* ... */ // fonction callback à ajouter int verify_callback (int ok, X509_STORE_CTX *store) { int depth = X509_STORE_CTX_get_error_depth(store); X509 *cert = X509_STORE_CTX_get_current_cert(store); int err = X509_STORE_CTX_get_error(store); if(depth > 0) return ok; // just check server certif IP (at depth 0), else preverify "ok" is enough... printf("+++++ check peer certificate +++++\n"); printf(" * preverify ok = %d\n", ok); printf(" * chain depth = %d\n", depth); printf(" * error code %i (%s)\n", err, X509_verify_cert_error_string(err)); char data[256]; X509_NAME_oneline(X509_get_issuer_name(cert), data, 256); printf(" * issuer = %s\n", data); X509_NAME_oneline(X509_get_subject_name(cert), data, 256); printf(" * subject = %s\n", data); char * certifip = data+4; // printf(" * certificate IP = %s\n", certifip); char * serverip = inet_ntoa(addr.sin_addr); // printf(" * server IP = %s\n", serverip); if (ok) { if(strcmp(certifip,serverip) == 0) { printf("SUCCESS: certificate IP (%s) matches server IP (%s)!\n", certifip, serverip); return 1; // continue verification } else { printf("FAILURE: certificate IP (%s) does not match server IP (%s)!\n", certifip, serverip); return 0; // stop verification } } return 0; // stop verification } int main(int count, char *strings[]) { SSL_CTX *ctx; int server; SSL *ssl; char buf[1024]; int bytes; char *hostname, *portnum; if(count != 3) { printf("usage: %s \n", strings[0]); exit(0); } SSL_library_init(); hostname=strings[1]; portnum=strings[2]; ctx = InitCTX(); // code à ajouter pour vérifier le certificat du serveur... SSL_CTX_load_verify_locations (ctx, "ca-cert.pem",0); SSL_CTX_set_verify (ctx, SSL_VERIFY_PEER, verify_callback); server = OpenConnection(hostname, atoi(portnum)); ssl = SSL_new(ctx); /* ... */ }