2006-09-06 Mikael Hallendal <micke@imendio.com>
authorhallski <hallski>
Wed, 6 Sep 2006 14:48:17 +0000 (14:48 +0000)
committerhallski <hallski>
Wed, 6 Sep 2006 14:48:17 +0000 (14:48 +0000)
* loudmouth/lm-ssl-openssl.c: (ssl_verify_certificate):
- Implemented.

ChangeLog
loudmouth/lm-ssl-openssl.c

index 059ff3001baa12ebc75da5ebb0ca0e40bea7d9b7..09242608a2eb202e27ce5233942bff012d565f53 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2006-09-06  Mikael Hallendal  <micke@imendio.com>
+
+       * loudmouth/lm-ssl-openssl.c: (ssl_verify_certificate):
+       - Implemented.
+
 2006-09-01  Mikael Hallendal  <micke@imendio.com>
 
        * loudmouth/lm-connection.c: (lm_connection_new_with_context),
index 36b38d627e664d3e912aca0e5ca1f774d56e1fd3..1909725638a686cd6e4700934bda4bcecc687869 100644 (file)
 #include <openssl/ssl.h>
 
 struct _LmSSL {
-       LmSSLBase base;
+       LmSSLBase  base;
 
-       SSL_CTX *ctx;
+       SSL_CTX   *ctx;
 
-       SSL     *session;
+       SSL       *session;
 /*     gnutls_certificate_client_credentials gnutls_xcred;*/
 };
 
@@ -48,11 +48,67 @@ static GIOStatus      ssl_io_status_from_return (LmSSL       *ssl,
 static gboolean
 ssl_verify_certificate (LmSSL *ssl, const gchar *server)
 {
-       LmSSLBase *base;
+       LmSSLBase   *base;
+       int          result;
+       LmSSLStatus  status;
 
        base = LM_SSL_BASE (ssl);
 
-       /* FIXME: Implement */
+       result = SSL_get_verify_result (ssl->session);
+
+       /* Result values from 'man verify' */
+       switch (result) {
+       case X509_V_OK:
+               return TRUE;
+       case X509_V_ERR_CERT_HAS_EXPIRED:
+               status = LM_SSL_STATUS_CERT_EXPIRED;
+               break;
+       case X509_V_ERR_CERT_NOT_YET_VALID:
+               status = LM_SSL_STATUS_CERT_NOT_ACTIVATED;
+               break;
+       case X509_V_ERR_CERT_UNTRUSTED:
+               status = LM_SSL_STATUS_UNTRUSTED_CERT;
+               break;
+       case X509_V_ERR_CERT_REVOKED:
+       case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+       case X509_V_ERR_UNABLE_TO_GET_CRL:
+       case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+       case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+       case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+       case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+       case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+       case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+       case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+       case X509_V_ERR_OUT_OF_MEM:
+       case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+       case X509_V_ERR_APPLICATION_VERIFICATION:
+       case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+       case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+       case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+       case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+       case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+       case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+       case X509_V_ERR_INVALID_CA:
+       case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+       case X509_V_ERR_INVALID_PURPOSE:
+       case X509_V_ERR_CERT_REJECTED:
+       case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+       case X509_V_ERR_AKID_SKID_MISMATCH:
+       case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+       case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+               /* FIXME: These doesn't map very well to LmSSLStatus right 
+                *        now. */
+               status = LM_SSL_STATUS_GENERIC_ERROR;
+               break;
+       default:
+               status = LM_SSL_STATUS_GENERIC_ERROR;
+               g_warning ("Unmatched error code '%d' from SSL_get_verify_result", result);
+               break;
+       };
+
+       if (base->func (ssl, status, base->func_data) != LM_SSL_RESPONSE_CONTINUE) {
+               return FALSE;
+       }
 
        return TRUE;
 }
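Review bot: The `server` argument is never used, so the `case X509_V_OK: return TRUE;` branch accepts any certificate that chains to a trusted CA no matter which host it names, and SSL_get_verify_result() also reports X509_V_OK when the peer presented no certificate at all, so a server that completes the handshake without one is accepted as well. Before trusting X509_V_OK the function should fetch the peer certificate with SSL_get_peer_certificate(), treat a NULL result as a failure routed through `base->func`, and compare `server` against the subject commonName (via X509_NAME_get_text_by_NID; a subjectAltName dNSName check would be stronger still), reporting a mismatch through the same callback path the other statuses use. The status names in the sketch below assume LmSSLStatus has no-certificate and hostname-mismatch values alongside the ones this hunk already uses; substitute whatever lm-ssl.h actually defines. `result` should also be `long`, matching SSL_get_verify_result()'s return type, with `%ld` in the g_warning, and the peer certificate must be X509_free()d on every path since SSL_get_peer_certificate() takes a reference.
```c
static gboolean
ssl_verify_certificate (LmSSL *ssl, const gchar *server)
{
	LmSSLBase   *base;
	X509        *cert;
	char         cn[256];
	long         result;
	LmSSLStatus  status;

	base = LM_SSL_BASE (ssl);

	/* X509_V_OK is also returned when the peer sent no certificate at all */
	cert = SSL_get_peer_certificate (ssl->session);
	if (cert == NULL) {
		return base->func (ssl, LM_SSL_STATUS_NO_CERT_FOUND, base->func_data) == LM_SSL_RESPONSE_CONTINUE;
	}

	result = SSL_get_verify_result (ssl->session);

	switch (result) {
	case X509_V_OK:
		/* Chain is trusted; now bind it to the host we intended to reach. */
		if (X509_NAME_get_text_by_NID (X509_get_subject_name (cert), NID_commonName, cn, sizeof cn) <= 0 ||
		    g_ascii_strcasecmp (cn, server) != 0) {
			status = LM_SSL_STATUS_CERT_HOSTNAME_MISMATCH;
			break;
		}
		X509_free (cert);
		return TRUE;
	/* … unchanged: X509_V_ERR_* to LmSSLStatus mappings … */
	default:
		status = LM_SSL_STATUS_GENERIC_ERROR;
		g_warning ("Unmatched error code '%ld' from SSL_get_verify_result", result);
		break;
	}

	X509_free (cert);
	/* … unchanged: base->func callback and return … */
```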