authorWilmer van der Gaast <wilmer@gaast.net>2011-12-19 15:50:58 +0100
committerWilmer van der Gaast <wilmer@gaast.net>2011-12-19 15:50:58 +0100
commit486ddb53b93b6677dc3feeb4afaad2ea93a71a81 (patch)
treec321822f1f4bce521851293d1ff5ed07ec403e2c /lib/ssl_nss.c
parent5a48afdf1a4dafcda8eecf42fc7cabb12ee48b40 (diff)
Initial merge of tls_verify patch from AopicieR.
Diffstat (limited to 'lib/ssl_nss.c')
-rw-r--r--lib/ssl_nss.c20
1 files changed, 17 insertions, 3 deletions
diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c
index ec524ca6..4dfa063d 100644
--- a/lib/ssl_nss.c
+++ b/lib/ssl_nss.c
@@ -51,6 +51,7 @@ struct scd
int fd;
PRFileDesc *prfd;
gboolean established;
+ gboolean verify;
};
static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond );
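Review bot: The new `verify` member of `struct scd` carries no comment, and its meaning in this backend is not the obvious one — the later hunk in this file shows that a set flag makes the NSS connection fail rather than verify anything. A one-line note next to the field would save the next reader a trip: `gboolean verify; /* Caller asked for certificate verification; NSS backend has none yet, so the connect is refused. */`. The rest of the struct is outside the hunk.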
@@ -131,13 +132,14 @@ static gboolean ssl_starttls_real( gpointer data, gint source, b_input_condition
return ssl_connected( conn, conn->fd, B_EV_IO_WRITE );
}
-void *ssl_starttls( int fd, ssl_input_function func, gpointer data )
+void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data )
{
struct scd *conn = g_new0( struct scd, 1 );
conn->fd = fd;
conn->func = func;
conn->data = data;
+ conn->verify = verify;
/* This function should be called via a (short) timeout instead of
directly from here, because these SSL calls are *supposed* to be
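Review bot: The new `hostname` parameter of `ssl_starttls` is neither stored nor read in the visible body — only `verify` is copied into `conn` — so the value callers pass is silently discarded, and nothing in `struct scd` keeps it for a later certificate/hostname check. If the signature is being kept in step with the other SSL backends, say so on the parameter, `/* hostname unused: NSS backend does not verify certificates yet */`, and make it `const char *hostname` since the function never writes through it; otherwise stash it in `struct scd` now so a future verification step has the name to match against. ssl_starttls's body continues past the end of the hunk.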
@@ -157,6 +159,18 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
{
struct scd *conn = data;
+ /* Right now we don't have any verification functionality for nss so we
+ fail in case verification has been requested by the user. */
+
+ if( conn->verify )
+ {
+ conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond );
+ if( source >= 0 ) closesocket( source );
+ g_free( conn );
+
+ return FALSE;
+ }
+
if( source == -1 )
goto ssl_connected_failure;
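Review bot: The `conn->verify` guard runs before the `source == -1` test, so when verification was requested and the underlying connection itself failed, the caller receives `NSS_VERIFY_ERROR` instead of the ordinary connection-failure report that the `ssl_connected_failure` path would have produced. Placing the guard after the `source == -1` check (or adding `&& source != -1` to it) keeps the status that reaches the user truthful about why the connection was dropped. Refusing the connection outright when verification is requested but unsupported is the right fail-closed choice here, and the comment above the block explains it. ssl_connected continues outside the hunk, so whether `conn->prfd` is already allocated at this point — and would need a `PR_Close` as on the failure path — cannot be confirmed from the visible lines.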
@@ -176,12 +190,12 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
conn->established = TRUE;
- conn->func( conn->data, conn, cond );
+ conn->func( conn->data, 0, conn, cond );
return FALSE;
ssl_connected_failure:
- conn->func( conn->data, NULL, cond );
+ conn->func( conn->data, 0, NULL, cond );
PR_Close( conn -> prfd );
if( source >= 0 ) closesocket( source );