| author | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-23 23:40:17 +0100 | 
|---|---|---|
| committer | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-23 23:40:17 +0100 | 
| commit | 200e151edbbcbb164e7fe2a01a28a0c1c9108972 (patch) | |
| tree | ba51f16352b0fab2911aae8298642a153aec82f6 /lib | |
| parent | 792a93b417c24a206d8995ca8bf51482f20e997e (diff) | |
tls_verify correction: Don't fail cert verification in non-GnuTLS modules
unless "cafile" setting is enabled.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssl_client.h | 2 | ||||
| -rw-r--r-- | lib/ssl_nss.c | 7 | ||||
| -rw-r--r-- | lib/ssl_openssl.c | 7 | 
3 files changed, 6 insertions, 10 deletions
diff --git a/lib/ssl_client.h b/lib/ssl_client.h
index d8822143..206fe9cb 100644
--- a/lib/ssl_client.h
+++ b/lib/ssl_client.h
@@ -36,8 +36,6 @@
 /* Some generic error codes. Especially SSL_AGAIN is important if you
    want to do asynchronous I/O. */
-#define NSS_VERIFY_ERROR -2
-#define OPENSSL_VERIFY_ERROR -1
 #define SSL_OK            0
 #define SSL_NOHANDSHAKE   1
 #define SSL_AGAIN         2
diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c
index 5b573f9b..d50620d5 100644
--- a/lib/ssl_nss.c
+++ b/lib/ssl_nss.c
@@ -139,7 +139,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function
 	conn->fd = fd;
 	conn->func = func;
 	conn->data = data;
-	conn->verify = verify;
+	conn->verify = verify && global.conf->cafile;
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
@@ -159,12 +159,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 {
 	struct scd *conn = data;
-	/* Right now we don't have any verification functionality for nss so we 
-	   fail in case verification has been requested by the user. */
+	/* Right now we don't have any verification functionality for NSS. */
 	if( conn->verify )
 	{
-		conn->func( conn->data, NSS_VERIFY_ERROR, NULL, cond );
+		conn->func( conn->data, 1, NULL, cond );
 		if( source >= 0 ) closesocket( source );
 		g_free( conn );
diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c
index 955c8274..5c38d0e9 100644
--- a/lib/ssl_openssl.c
+++ b/lib/ssl_openssl.c
@@ -90,7 +90,7 @@ void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function
 	conn->func = func;
 	conn->data = data;
 	conn->inpa = -1;
-	conn->verify = verify;
+	conn->verify = verify && global.conf->cafile;
 	/* This function should be called via a (short) timeout instead of
 	   directly from here, because these SSL calls are *supposed* to be
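Review bot: In the ssl_nss.c @@ -139 hunk, `conn->verify = verify && global.conf->cafile;` turns a caller's explicit request for certificate verification into an unverified connection whenever no CA file is configured, and nothing tells the user that the downgrade happened. Since this backend cannot verify certificates at all, the safer shape is to keep the intended behaviour but make the downgrade visible, e.g. emit a one-time warning through whatever logging facility the module uses when `verify` is set and `global.conf->cafile` is not, so an operator who believes TLS is being verified can see that it is not. Note also that the test is only a NULL check on the pointer; if the setting can be present but empty, `verify` stays true and the connection is then refused in ssl_connected, which may or may not be intended. The ssl_openssl.c @@ -90 hunk makes the identical change and has the same issue; ssl_starttls begins and ends outside both hunks.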
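Review bot: In the ssl_nss.c @@ -159 hunk, `conn->func( conn->data, 1, NULL, cond );` replaces the removed NSS_VERIFY_ERROR with a bare literal that happens to equal SSL_NOHANDSHAKE from the ssl_client.h hunk, so a reader of the callback cannot tell whether a failed handshake or a refused-because-unverifiable connection is being reported. Either pass the existing SSL_* name if that is the intended meaning, or add one named error code shared by both backends in ssl_client.h instead of the two file-specific ones the commit deletes. The shortened comment also drops the reason the branch fails; suggest `/* No certificate verification in the NSS backend yet: refuse the connection rather than silently skip a verification the caller asked for. */`. The ssl_openssl.c @@ -118 hunk has the same literal and the same comment change; ssl_connected continues past the end of both hunks.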
@@ -118,12 +118,11 @@ static gboolean ssl_connected( gpointer data, gint source, b_input_condition con
 	struct scd *conn = data;
 	SSL_METHOD *meth;
-	/* Right now we don't have any verification functionality for openssl so we 
-	   fail in case verification has been requested by the user. */
+	/* Right now we don't have any verification functionality for OpenSSL. */
 	if( conn->verify )
 	{
-		conn->func( conn->data, OPENSSL_VERIFY_ERROR, NULL, cond );
+		conn->func( conn->data, 1, NULL, cond );
 		if( source >= 0 ) closesocket( source );
 		g_free( conn );
