# HG changeset patch # User hallski # Date 1157554097 0 # Node ID 10bcf8e0e4430f7f1ec1db61c8b00a42fb8c4da7 # Parent ac1affcd5d22c5118f4c2c8bc3f5174a54bc8fe3 2006-09-06 Mikael Hallendal * loudmouth/lm-ssl-openssl.c: (ssl_verify_certificate): - Implemented. diff -r ac1affcd5d22 -r 10bcf8e0e443 ChangeLog --- a/ChangeLog Fri Sep 01 14:01:48 2006 +0000 +++ b/ChangeLog Wed Sep 06 14:48:17 2006 +0000 @@ -1,3 +1,8 @@ +2006-09-06 Mikael Hallendal + + * loudmouth/lm-ssl-openssl.c: (ssl_verify_certificate): + - Implemented. + 2006-09-01 Mikael Hallendal * loudmouth/lm-connection.c: (lm_connection_new_with_context), diff -r ac1affcd5d22 -r 10bcf8e0e443 loudmouth/lm-ssl-openssl.c --- a/loudmouth/lm-ssl-openssl.c Fri Sep 01 14:01:48 2006 +0000 +++ b/loudmouth/lm-ssl-openssl.c Wed Sep 06 14:48:17 2006 +0000 @@ -32,11 +32,11 @@ #include struct _LmSSL { - LmSSLBase base; + LmSSLBase base; - SSL_CTX *ctx; + SSL_CTX *ctx; - SSL *session; + SSL *session; /* gnutls_certificate_client_credentials gnutls_xcred;*/ }; 
@@ -48,11 +48,67 @@ static gboolean ssl_verify_certificate (LmSSL *ssl, const gchar *server) { - LmSSLBase *base; + LmSSLBase *base; + int result; + LmSSLStatus status; base = LM_SSL_BASE (ssl); - /* FIXME: Implement */ + result = SSL_get_verify_result (ssl->session); + + /* Result values from 'man verify' */ + switch (result) { + case X509_V_OK: + return TRUE; + case X509_V_ERR_CERT_HAS_EXPIRED: + status = LM_SSL_STATUS_CERT_EXPIRED; + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + status = LM_SSL_STATUS_CERT_NOT_ACTIVATED; + break; + case X509_V_ERR_CERT_UNTRUSTED: + status = LM_SSL_STATUS_UNTRUSTED_CERT; + break; + case X509_V_ERR_CERT_REVOKED: + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + case X509_V_ERR_UNABLE_TO_GET_CRL: + case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: + case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: + case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: + case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: + case X509_V_ERR_OUT_OF_MEM: + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + case X509_V_ERR_APPLICATION_VERIFICATION: + case X509_V_ERR_CERT_CHAIN_TOO_LONG: + case X509_V_ERR_CERT_SIGNATURE_FAILURE: + case X509_V_ERR_CRL_SIGNATURE_FAILURE: + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: + case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: + case X509_V_ERR_INVALID_CA: + case X509_V_ERR_PATH_LENGTH_EXCEEDED: + case X509_V_ERR_INVALID_PURPOSE: + case X509_V_ERR_CERT_REJECTED: + case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: + case X509_V_ERR_AKID_SKID_MISMATCH: + case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: + case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: + /* FIXME: These doesn't map very well to LmSSLStatus right + * now. 
*/ + status = LM_SSL_STATUS_GENERIC_ERROR; + break; + default: + status = LM_SSL_STATUS_GENERIC_ERROR; + g_warning ("Unmatched error code '%d' from SSL_get_verify_result", result); + break; + }; + + if (base->func (ssl, status, base->func_data) != LM_SSL_RESPONSE_CONTINUE) { + return FALSE; + } return TRUE; }
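Review bot: in the `@@ -32,11 +32,11 @@` hunk of loudmouth/lm-ssl-openssl.c the only change is the reindentation of the `base`, `ctx` and `session` members of `struct _LmSSL`, yet the commit message and the ChangeLog entry describe only the ssl_verify_certificate implementation; whitespace churn bundled into a functional change makes blame and review of the verification logic harder, so either split the reindent into its own commit or mention it in the ChangeLog entry.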
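Review bot: in the `@@ -48,11 +48,67 @@` hunk the `server` parameter of ssl_verify_certificate is never used, and `SSL_get_verify_result` only reports the outcome of chain validation (trust path, signatures, validity dates); it does not compare the presented certificate's subject to `server`, so the `case X509_V_OK: return TRUE;` path accepts a certificate that is validly issued for a different host without ever consulting `base->func`. Add an explicit match of the peer certificate against `server` before returning TRUE and route a mismatch through the callback. Two related points on the same early return: `SSL_get_verify_result` also yields `X509_V_OK` when the peer presented no certificate at all, so confirm a peer certificate exists (e.g. via `SSL_get_peer_certificate`) before treating the result as success; and `X509_V_ERR_CERT_REVOKED` is folded into the long list that maps to `LM_SSL_STATUS_GENERIC_ERROR` alongside `X509_V_ERR_OUT_OF_MEM` and decoding failures, which leaves the callback unable to distinguish a revoked certificate from a transient error, so it deserves its own status value rather than the FIXME. Minor style: the `};` after the switch leaves a stray empty statement, and the comment should read "These don't map".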