-rw-r--r--lib/ssl_bogus.c5
-rw-r--r--lib/ssl_client.h4
-rw-r--r--lib/ssl_gnutls.c31
-rw-r--r--lib/ssl_nss.c5
-rw-r--r--lib/ssl_openssl.c5
-rw-r--r--protocols/jabber/io.c43
6 files changed, 59 insertions, 34 deletions
diff --git a/lib/ssl_bogus.c b/lib/ssl_bogus.c
index e2466c19..8dba05f4 100644
--- a/lib/ssl_bogus.c
+++ b/lib/ssl_bogus.c
@@ -69,3 +69,8 @@ int ssl_pending( void *conn )
{
return 0;
}
+
+char *ssl_verify_strerror( int code )
+{
+ return NULL;
+}
diff --git a/lib/ssl_client.h b/lib/ssl_client.h
index 03355297..9ce878a1 100644
--- a/lib/ssl_client.h
+++ b/lib/ssl_client.h
@@ -100,4 +100,8 @@ G_MODULE_EXPORT int ssl_getfd( void *conn );
the same action as the handler that just received the SSL_AGAIN.) */
G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn );
+/* Converts a verification bitfield passed to ssl_input_function into
+ a more useful string. Or NULL if it had no useful bits set. */
+G_MODULE_EXPORT char *ssl_verify_strerror( int code );
+
G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res);
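Review bot: The new comment on ssl_verify_strerror does not state who owns the returned buffer, and the io.c caller in this same commit g_free()s it, so the contract should be written down: `/* Converts a verification bitfield passed to ssl_input_function into a more useful string, or NULL if it had no useful bits set. The string is g_malloc()ed and must be g_free()d by the caller. */`. The "NULL if no useful bits" clause is also only true of the GnuTLS implementation; the NSS and OpenSSL variants added here return a fixed non-NULL string regardless of `code`, so either the comment should say "may return NULL" or those stubs should follow the documented contract. Callers that only test the result for NULL to decide whether verification failed would otherwise behave differently per backend.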
diff --git a/lib/ssl_gnutls.c b/lib/ssl_gnutls.c
index 41f71f63..3ecc6eee 100644
--- a/lib/ssl_gnutls.c
+++ b/lib/ssl_gnutls.c
@@ -194,6 +194,37 @@ static int verify_certificate_callback( gnutls_session_t session )
return verifyret;
}
+char *ssl_verify_strerror( int code )
+{
+ GString *ret = g_string_new( "" );
+
+ if( code & VERIFY_CERT_REVOKED )
+ g_string_append( ret, "certificate has been revoked, " );
+ if( code & VERIFY_CERT_SIGNER_NOT_FOUND )
+ g_string_append( ret, "certificate hasn't got a known issuer, " );
+ if( code & VERIFY_CERT_SIGNER_NOT_CA )
+ g_string_append( ret, "certificate's issuer is not a CA, " );
+ if( code & VERIFY_CERT_INSECURE_ALGORITHM )
+ g_string_append( ret, "certificate uses an insecure algorithm, " );
+ if( code & VERIFY_CERT_NOT_ACTIVATED )
+ g_string_append( ret, "certificate has not been activated, " );
+ if( code & VERIFY_CERT_EXPIRED )
+ g_string_append( ret, "certificate has expired, " );
+ if( code & VERIFY_CERT_WRONG_HOSTNAME )
+ g_string_append( ret, "certificate hostname mismatch, " );
+
+ if( ret->len == 0 )
+ {
+ g_string_free( ret, TRUE );
+ return NULL;
+ }
+ else
+ {
+ g_string_truncate( ret, ret->len - 2 );
+ return g_string_free( ret, FALSE );
+ }
+}
+
static gboolean ssl_connected( gpointer data, gint source, b_input_condition cond )
{
struct scd *conn = data;
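Review bot: The seven near-identical `if( code & VERIFY_CERT_* ) g_string_append( ... ", " )` lines plus the trailing `g_string_truncate( ret, ret->len - 2 )` are a style concern: the separator handling is coupled to every message ending in exactly ", ", and adding a new bit means copying the whole pattern. A bit/text table with a join loop keeps the same output and makes the separator logic explicit. Separately, VERIFY_CERT_INVALID itself maps to no text, so if verify_certificate_callback (whose body ends at the top of this hunk and is otherwise out of view) ever sets only that bit for a GnuTLS status not covered here, the user gets "Unknown" from the caller; that is acceptable given the hex code is printed too, but worth a comment at the table.
```c
/* One entry per VERIFY_CERT_* bit that has a human-readable explanation;
   VERIFY_CERT_INVALID on its own deliberately yields NULL. */
static const struct { int bit; const char *text; } verify_msgs[] = {
	{ VERIFY_CERT_REVOKED,            "certificate has been revoked" },
	{ VERIFY_CERT_SIGNER_NOT_FOUND,   "certificate hasn't got a known issuer" },
	{ VERIFY_CERT_SIGNER_NOT_CA,      "certificate's issuer is not a CA" },
	{ VERIFY_CERT_INSECURE_ALGORITHM, "certificate uses an insecure algorithm" },
	{ VERIFY_CERT_NOT_ACTIVATED,      "certificate has not been activated" },
	{ VERIFY_CERT_EXPIRED,            "certificate has expired" },
	{ VERIFY_CERT_WRONG_HOSTNAME,     "certificate hostname mismatch" },
};

char *ssl_verify_strerror( int code )
{
	GString *ret = g_string_new( "" );
	int i;

	for( i = 0; i < G_N_ELEMENTS( verify_msgs ); i ++ )
		if( code & verify_msgs[i].bit )
		{
			if( ret->len > 0 )
				g_string_append( ret, ", " );
			g_string_append( ret, verify_msgs[i].text );
		}

	if( ret->len == 0 )
	{
		g_string_free( ret, TRUE );
		return NULL;
	}
	return g_string_free( ret, FALSE );
}
```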
diff --git a/lib/ssl_nss.c b/lib/ssl_nss.c
index 4dfa063d..3f26960c 100644
--- a/lib/ssl_nss.c
+++ b/lib/ssl_nss.c
@@ -251,3 +251,8 @@ b_input_condition ssl_getdirection( void *conn )
/* Just in case someone calls us, let's return the most likely case: */
return B_EV_IO_READ;
}
+
+char *ssl_verify_strerror( int code )
+{
+ return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );
+}
diff --git a/lib/ssl_openssl.c b/lib/ssl_openssl.c
index 7c7f725e..d43c7ab2 100644
--- a/lib/ssl_openssl.c
+++ b/lib/ssl_openssl.c
@@ -287,6 +287,11 @@ b_input_condition ssl_getdirection( void *conn )
return( ((struct scd*)conn)->lasterr == SSL_ERROR_WANT_WRITE ? B_EV_IO_WRITE : B_EV_IO_READ );
}
+char *ssl_verify_strerror( int code )
+{
+ return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." );
+}
+
size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res)
{
int output_length = 0;
diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c
index 9e55e3f9..5ff8052c 100644
--- a/protocols/jabber/io.c
+++ b/protocols/jabber/io.c
@@ -291,45 +291,20 @@ gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_in
already, set it to NULL here to prevent a double cleanup: */
jd->ssl = NULL;
- imcb_error( ic, "Could not connect to server" );
- if (returncode == OPENSSL_VERIFY_ERROR )
- {
- imcb_error( ic, "This BitlBee server is built agains the OpenSSL library." );
- imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
- imc_logout( ic, FALSE );
- }
- else if (returncode == NSS_VERIFY_ERROR )
- {
- imcb_error( ic, "This BitlBee server is built agains the NSS library." );
- imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
- imc_logout( ic, FALSE );
- }
- else if (returncode == VERIFY_CERT_ERROR )
+ if( returncode & VERIFY_CERT_INVALID)
{
- imcb_error( ic, "An error occured during the certificate verification." );
+ char *err = ssl_verify_strerror( returncode );
+ imcb_error( ic, "Certificate verification problem 0x%x: %s",
+ returncode, err ? err : "Unknown" );
+ g_free( err );
imc_logout( ic, FALSE );
}
- else if (returncode & VERIFY_CERT_INVALID)
+ else
{
- imcb_error( ic, "Unable to verify peer's certificate." );
- if (returncode & VERIFY_CERT_REVOKED)
- imcb_error( ic, "The certificate has been revoked." );
- if (returncode & VERIFY_CERT_SIGNER_NOT_FOUND)
- imcb_error( ic, "The certificate hasn't got a known issuer." );
- if (returncode & VERIFY_CERT_SIGNER_NOT_CA)
- imcb_error( ic, "The certificate's issuer is not a CA." );
- if (returncode & VERIFY_CERT_INSECURE_ALGORITHM)
- imcb_error( ic, "The certificate uses an insecure algorithm." );
- if (returncode & VERIFY_CERT_NOT_ACTIVATED)
- imcb_error( ic, "The certificate has not been activated." );
- if (returncode & VERIFY_CERT_EXPIRED)
- imcb_error( ic, "The certificate has expired." );
- if (returncode & VERIFY_CERT_WRONG_HOSTNAME)
- imcb_error( ic, "The hostname specified in the certificate doesn't match the server name." );
- imc_logout( ic, FALSE );
+ imcb_error( ic, "Could not connect to server" );
+ imc_logout( ic, TRUE );
}
- else
- imc_logout( ic, TRUE );
+
return FALSE;
}
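Review bot: The rewritten error path only recognises a verification failure via `returncode & VERIFY_CERT_INVALID`, while the removed code also matched `returncode == OPENSSL_VERIFY_ERROR` and `returncode == NSS_VERIFY_ERROR`; those constants are not touched by this commit (ssl_client.h only gains the declaration), so unless they already include the VERIFY_CERT_INVALID bit, a verification failure from the NSS or OpenSSL backends now falls into the generic branch, reports only "Could not connect to server", and calls `imc_logout( ic, TRUE )`, which permits auto-reconnect on what is a certificate problem. The new ssl_nss.c/ssl_openssl.c stubs would then never be reached. Either confirm those constants carry VERIFY_CERT_INVALID or widen the test: `if( returncode & VERIFY_CERT_INVALID || returncode == OPENSSL_VERIFY_ERROR || returncode == NSS_VERIFY_ERROR )`. Minor: `0x%x` with a signed `int` argument is a format/type mismatch; cast with `(unsigned) returncode`. jabber_connected_ssl begins above this hunk.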