2006-09-06 Mikael Hallendal <micke@imendio.com>
* loudmouth/lm-ssl-openssl.c: (ssl_verify_certificate):
- Implemented.
--- a/ChangeLog Fri Sep 01 14:01:48 2006 +0000
+++ b/ChangeLog Wed Sep 06 14:48:17 2006 +0000
@@ -1,3 +1,8 @@
+2006-09-06 Mikael Hallendal <micke@imendio.com>
+
+ * loudmouth/lm-ssl-openssl.c: (ssl_verify_certificate):
+ - Implemented.
+
2006-09-01 Mikael Hallendal <micke@imendio.com>
* loudmouth/lm-connection.c: (lm_connection_new_with_context),
--- a/loudmouth/lm-ssl-openssl.c Fri Sep 01 14:01:48 2006 +0000
+++ b/loudmouth/lm-ssl-openssl.c Wed Sep 06 14:48:17 2006 +0000
@@ -32,11 +32,11 @@
#include <openssl/ssl.h>
struct _LmSSL {
- LmSSLBase base;
+ LmSSLBase base;
- SSL_CTX *ctx;
+ SSL_CTX *ctx;
- SSL *session;
+ SSL *session;
/* gnutls_certificate_client_credentials gnutls_xcred;*/
};
@@ -48,11 +48,67 @@
static gboolean
ssl_verify_certificate (LmSSL *ssl, const gchar *server)
{
- LmSSLBase *base;
+ LmSSLBase *base;
+ int result;
+ LmSSLStatus status;
base = LM_SSL_BASE (ssl);
- /* FIXME: Implement */
+ result = SSL_get_verify_result (ssl->session);
+
+ /* Result values from 'man verify' */
+ switch (result) {
+ case X509_V_OK:
+ return TRUE;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ status = LM_SSL_STATUS_CERT_EXPIRED;
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ status = LM_SSL_STATUS_CERT_NOT_ACTIVATED;
+ break;
+ case X509_V_ERR_CERT_UNTRUSTED:
+ status = LM_SSL_STATUS_UNTRUSTED_CERT;
+ break;
+ case X509_V_ERR_CERT_REVOKED:
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+ case X509_V_ERR_OUT_OF_MEM:
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ case X509_V_ERR_APPLICATION_VERIFICATION:
+ case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ case X509_V_ERR_INVALID_CA:
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ case X509_V_ERR_INVALID_PURPOSE:
+ case X509_V_ERR_CERT_REJECTED:
+ case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+ case X509_V_ERR_AKID_SKID_MISMATCH:
+ case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+ case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+ /* FIXME: These doesn't map very well to LmSSLStatus right
+ * now. */
+ status = LM_SSL_STATUS_GENERIC_ERROR;
+ break;
+ default:
+ status = LM_SSL_STATUS_GENERIC_ERROR;
+ g_warning ("Unmatched error code '%d' from SSL_get_verify_result", result);
+ break;
+ };
+
+ if (base->func (ssl, status, base->func_data) != LM_SSL_RESPONSE_CONTINUE) {
+ return FALSE;
+ }
return TRUE;
}
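Review bot: The `server` parameter is never read, so any chain that OpenSSL accepts passes this check no matter which host the leaf certificate was issued for; `SSL_get_verify_result()` validates the chain and validity period only, not the subject name, so a valid certificate for an unrelated host is reported to the caller as a verified connection. Before the early return for `X509_V_OK`, fetch the peer certificate and compare its subject CN (and its dNSName subjectAltName entries, which `X509_get_ext_d2i (cert, NID_subject_alt_name, ...)` exposes) against `server`, routing a mismatch through `base->func` like the other failures; a sketch of the CN part is below, and it assumes `server` is non-NULL here, which should be confirmed against the callers. Two smaller points: `SSL_get_verify_result()` returns `long`, so `result` should be declared `long` and printed with `%ld` in the `g_warning`, and the `};` closing the switch carries a stray empty statement.

```c
	switch (result) {
	case X509_V_OK:
		/* Chain verified; the hostname check below decides the final outcome. */
		break;
	/* … unchanged: the X509_V_ERR_* cases mapping result to status … */
	}

	if (result == X509_V_OK) {
		X509 *cert = SSL_get_peer_certificate (ssl->session);
		char  cn[256] = { 0 };

		if (cert == NULL) {
			status = LM_SSL_STATUS_NO_CERT_FOUND;
		} else if (X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
		                                      NID_commonName, cn, sizeof cn) <= 0
		           || g_ascii_strcasecmp (cn, server) != 0) {
			/* TODO: also accept dNSName subjectAltName entries (and wildcard
			 * names) before reporting a mismatch. */
			status = LM_SSL_STATUS_CERT_HOSTNAME_MISMATCH;
		} else {
			X509_free (cert);
			return TRUE;
		}
		X509_free (cert);
	}

	/* … unchanged: base->func callback on status and the return … */
```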