properly authenticate web seeds and trackers over SSL

include/libtorrent/ssl_stream.hpp

@@ -65,6 +65,10 @@ public:
 	void set_host_name(std::string name)
 	{ SSL_set_tlsext_host_name(m_sock.native_handle(), name.c_str()); }
 
+	template <class T>
+	void set_verify_callback(T const& fun, error_code& ec)
+	{ m_sock.set_verify_callback(fun, ec); }
+
 	SSL* native_handle() { return m_sock.native_handle(); }
 
 	typedef boost::function<void(error_code const&)> handler_type;

src/http_connection.cpp

@@ -42,6 +42,10 @@ POSSIBILITY OF SUCH DAMAGE.
 #include "libtorrent/debug.hpp"
 #endif
 
+#ifdef TORRENT_USE_OPENSSL
+#include <boost/asio/ssl/rfc2818_verification.hpp>
+#endif
+
 #include <boost/bind.hpp>
 #include <string>
 #include <algorithm>
@@ -336,6 +340,29 @@ void http_connection::start(std::string const& hostname, std::string const& port
 			}
 		}
 
+#ifdef TORRENT_USE_OPENSSL
+		// for SSL connections, make sure to authenticate the hostname
+		// of the certificate
+#define CASE(t) case socket_type_int_impl<ssl_stream<t> >::value: \
+		m_sock.get<ssl_stream<t> >()->set_verify_callback(asio::ssl::rfc2818_verification(hostname), ec); \
+		break;
+
+		switch(m_sock.type())
+		{
+			CASE(stream_socket)
+			CASE(socks5_stream)
+			CASE(http_stream)
+			CASE(utp_stream)
+		}
+
+		if (ec)
+		{
+			m_resolver.get_io_service().post(boost::bind(&http_connection::callback
+				, me, ec, (char*)0, 0));
+			return;
+		}
+#endif
+
 #if TORRENT_USE_I2P
 		if (is_i2p)
 		{

src/torrent.cpp

@@ -85,7 +85,8 @@ POSSIBILITY OF SUCH DAMAGE.
 #ifdef TORRENT_USE_OPENSSL
 #include "libtorrent/ssl_stream.hpp"
 #include <boost/asio/ssl/context.hpp>
-//#include <boost/asio/ssl/verify_context.hpp>
+#include <boost/asio/ssl/rfc2818_verification.hpp>
+#include <boost/asio/ssl/verify_context.hpp>
 #endif
 
 #if defined TORRENT_VERBOSE_LOGGING || defined TORRENT_LOGGING || defined TORRENT_ERROR_LOGGING
@@ -4554,15 +4555,25 @@ namespace libtorrent
 		TORRENT_ASSERT(ret);
 
 		proxy_settings const& ps = m_ses.proxy();
-		if ((ps.type == proxy_settings::http
+		if (s->get<http_stream>())
-			|| ps.type == proxy_settings::http_pw)
-			&& !ssl)
 		{
 			// the web seed connection will talk immediately to
 			// the proxy, without requiring CONNECT support
 			s->get<http_stream>()->set_no_connect(true);
 		}
 
+		using boost::tuples::ignore;
+		std::string hostname;
+		error_code ec;
+		boost::tie(ignore, ignore, hostname, ignore, ignore)
+			= parse_url_components(web->url, ec);
+		if (ec)
+		{
+			if (m_ses.m_alerts.should_post<url_seed_alert>())
+				m_ses.m_alerts.post_alert(url_seed_alert(get_handle(), web->url, ec));
+			return;
+		}
+
 		if (ps.proxy_hostnames
 			&& (ps.type == proxy_settings::socks5
 				|| ps.type == proxy_settings::socks5_pw))
@@ -4576,14 +4587,31 @@ namespace libtorrent
 				s->get<socks5_stream>();
 			TORRENT_ASSERT(str);
 
-			using boost::tuples::ignore;
-			std::string hostname;
-			error_code ec;
-			boost::tie(ignore, ignore, hostname, ignore, ignore)
-				= parse_url_components(web->url, ec);
 			str->set_dst_name(hostname);
 		}
 
+#ifdef TORRENT_USE_OPENSSL
+		// for SSL connections, make sure to authenticate the hostname
+		// of the certificate
+#define CASE(t) case socket_type_int_impl<ssl_stream<t> >::value: \
+		s->get<ssl_stream<t> >()->set_verify_callback(asio::ssl::rfc2818_verification(hostname), ec); \
+		break;
+
+		switch(s->type())
+		{
+			CASE(stream_socket)
+			CASE(socks5_stream)
+			CASE(http_stream)
+			CASE(utp_stream)
+		}
+		if (ec)
+		{
+			if (m_ses.m_alerts.should_post<url_seed_alert>())
+				m_ses.m_alerts.post_alert(url_seed_alert(get_handle(), web->url, ec));
+			return;
+		}
+#endif
+
 		boost::intrusive_ptr<peer_connection> c;
 		if (web->type == web_seed_entry::url_seed)
 		{