| author | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-19 18:22:37 +0100 | 
|---|---|---|
| committer | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-19 18:22:37 +0100 | 
| commit | 78b840187cc1e2d370dd758e6a73c21e510107b5 (patch) | |
| tree | 9f801dfd335e838ee27e475b73f86838b715edcd /lib | |
| parent | 486ddb53b93b6677dc3feeb4afaad2ea93a71a81 (diff) | |
Move conversion of status codes to status messages into SSL libs.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/ssl_bogus.c | 5 | ||||
| -rw-r--r-- | lib/ssl_client.h | 4 | ||||
| -rw-r--r-- | lib/ssl_gnutls.c | 31 | ||||
| -rw-r--r-- | lib/ssl_nss.c | 5 | ||||
| -rw-r--r-- | lib/ssl_openssl.c | 5 | 
5 files changed, 50 insertions, 0 deletions
|
diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c
index e2466c19..8dba05f4 100644
--- a/lib/ssl_bogus.c
+++ b/lib/ssl_bogus.c
@@ -69,3 +69,8 @@ int ssl_pending( void *conn )
 {
 	return 0;
 }
+
+char *ssl_verify_strerror( int code )
+{
+	return NULL;
+}
diff --git a/lib/ssl_client.h b/lib/ssl_client.h
index 03355297..9ce878a1 100644
--- a/lib/ssl_client.h
+++ b/lib/ssl_client.h
@@ -100,4 +100,8 @@ G_MODULE_EXPORT int ssl_getfd( void *conn );
    the same action as the handler that just received the SSL_AGAIN.) */
 G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn );
+/* Converts a verification bitfield passed to ssl_input_function into
+   a more useful string. Or NULL if it had no useful bits set. */
+G_MODULE_EXPORT char *ssl_verify_strerror( int code );
+
 G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res);
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index 41f71f63..3ecc6eee 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
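Review bot: The new comment on `ssl_verify_strerror` in lib/ssl_client.h does not say who owns the returned string. The GnuTLS implementation in this commit hands back the buffer from `g_string_free( ret, FALSE )` and the NSS and OpenSSL ones return `g_strdup()` results, so every non-NULL result is heap-allocated and a caller that does not free it leaks on each reported verification failure. I would extend the comment to: `/* Converts a verification bitfield passed to ssl_input_function into a newly allocated string describing the problem (caller must g_free() it), or returns NULL if it had no useful bits set. */`.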
@@ -194,6 +194,37 @@ static int verify_certificate_callback( gnutls_session_t session )
 	return verifyret;
 }
+char *ssl_verify_strerror( int code )
+{
+	GString *ret = g_string_new( "" );
+	
+	if( code & VERIFY_CERT_REVOKED )
+		g_string_append( ret, "certificate has been revoked, " );
+	if( code & VERIFY_CERT_SIGNER_NOT_FOUND )
+		g_string_append( ret, "certificate hasn't got a known issuer, " );
+	if( code & VERIFY_CERT_SIGNER_NOT_CA )
+		g_string_append( ret, "certificate's issuer is not a CA, " );
+	if( code & VERIFY_CERT_INSECURE_ALGORITHM )
+		g_string_append( ret, "certificate uses an insecure algorithm, " );
+	if( code & VERIFY_CERT_NOT_ACTIVATED )
+		g_string_append( ret, "certificate has not been activated, " );
+	if( code & VERIFY_CERT_EXPIRED )
+		g_string_append( ret, "certificate has expired, " );
+	if( code & VERIFY_CERT_WRONG_HOSTNAME )
+		g_string_append( ret, "certificate hostname mismatch, " );
+	
+	if( ret->len == 0 )
+	{
+		g_string_free( ret, TRUE );
+		return NULL;
+	}
+	else
+	{
+		g_string_truncate( ret, ret->len - 2 );
+		return g_string_free( ret, FALSE );
+	}
+}
+
 static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
 {
 	struct scd *conn = data;
diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c
index 4dfa063d..3f26960c 100644
--- a/lib/ssl_nss.c
+++ b/lib/ssl_nss.c
@@ -251,3 +251,8 @@ b_input_condition ssl_getdirection( void *conn )
 	/* Just in case someone calls us, let's return the most likely case: */
 	return B_EV_IO_READ;
 }
+
+char *ssl_verify_strerror( int code )
+{
+	return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );
+}
diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c
index 7c7f725e..d43c7ab2 100644
--- a/lib/ssl_openssl.c
+++ b/lib/ssl_openssl.c
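Review bot: `ssl_verify_strerror` in lib/ssl_gnutls.c returns NULL for any `code` that has none of the seven tested `VERIFY_CERT_*` bits set, including a nonzero code that carries some other bit, so a NULL result does not mean that verification succeeded. A caller that decides whether to keep a connection from the string rather than from the code would accept a certificate it should reject; whether any caller does that is not visible in this hunk. I would put a comment above the function: `/* NULL only means there is no text for this code; test the code itself to decide whether the certificate was accepted. */`.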
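Review bot: The NSS version of `ssl_verify_strerror` ignores `code` and always returns a message, which contradicts the contract stated in lib/ssl_client.h ("NULL if it had no useful bits set") and the behaviour of the GnuTLS and bogus backends; the OpenSSL hunk in lib/ssl_openssl.c has the same shape. With `code == 0` a caller would receive an error string for a connection that reported no verification problem. If a zero code can reach this function, both bodies should start with `if( code == 0 ) return NULL;`; otherwise a comment should state that the string is returned unconditionally because these backends do not verify certificates.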
@@ -287,6 +287,11 @@ b_input_condition ssl_getdirection( void *conn )
 	return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ );
 }
+char *ssl_verify_strerror( int code )
+{
+	return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." );
+}
+
 size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res)
 {
 	int output_length = 0;
|
