loudmouth: comparison loudmouth/lm-ssl-openssl.c

equal deleted inserted replaced

-:ac1affcd5d22
+:10bcf8e0e443
 #ifdef HAVE_OPENSSL
 #include <openssl/ssl.h>
 struct _LmSSL {
-	LmSSLBase base;
+	LmSSLBase  base;
-	SSL_CTX *ctx;
+	SSL_CTX   *ctx;
-	SSL     *session;
+	SSL       *session;
 /*	gnutls_certificate_client_credentials gnutls_xcred;*/
 };
 static gboolean       ssl_verify_certificate    (LmSSL       *ssl,
 						 const gchar *server);
 						 gint         error);
 static gboolean
 ssl_verify_certificate (LmSSL *ssl, const gchar *server)
 {
-	LmSSLBase *base;
+	LmSSLBase   *base;
+	int          result;
+	LmSSLStatus  status;
 	base = LM_SSL_BASE (ssl);
-	/* FIXME: Implement */
+	result = SSL_get_verify_result (ssl->session);
+	/* Result values from 'man verify' */
+	switch (result) {
+	case X509_V_OK:
+		return TRUE;
+	case X509_V_ERR_CERT_HAS_EXPIRED:
+		status = LM_SSL_STATUS_CERT_EXPIRED;
+		break;
+	case X509_V_ERR_CERT_NOT_YET_VALID:
+		status = LM_SSL_STATUS_CERT_NOT_ACTIVATED;
+		break;
+	case X509_V_ERR_CERT_UNTRUSTED:
+		status = LM_SSL_STATUS_UNTRUSTED_CERT;
+		break;
+	case X509_V_ERR_CERT_REVOKED:
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+	case X509_V_ERR_UNABLE_TO_GET_CRL:
+	case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+	case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+	case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+	case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+	case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+	case X509_V_ERR_OUT_OF_MEM:
+	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+	case X509_V_ERR_APPLICATION_VERIFICATION:
+	case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+	case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+	case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+	case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+	case X509_V_ERR_INVALID_CA:
+	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+	case X509_V_ERR_INVALID_PURPOSE:
+	case X509_V_ERR_CERT_REJECTED:
+	case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+	case X509_V_ERR_AKID_SKID_MISMATCH:
+	case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+	case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+		/* FIXME: These doesn't map very well to LmSSLStatus right
+		 *        now. */
+		status = LM_SSL_STATUS_GENERIC_ERROR;
+		break;
+	default:
+		status = LM_SSL_STATUS_GENERIC_ERROR;
+		g_warning ("Unmatched error code '%d' from SSL_get_verify_result", result);
+		break;
+	};
+	if (base->func (ssl, status, base->func_data) != LM_SSL_RESPONSE_CONTINUE) {
+		return FALSE;
+	}
 	return TRUE;
 }
 static GIOStatus

changeset 169	10bcf8e0e443
parent 140	103227122f45
child 209	1fd5e3004816
child 263	23192c7973c0