From 486ddb53b93b6677dc3feeb4afaad2ea93a71a81 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 15:50:58 +0100 Subject: Initial merge of tls_verify patch from AopicieR. --- lib/ssl_client.h | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) (limited to 'lib/ssl_client.h') diff --git a/lib/ssl_client.h b/lib/ssl_client.h index 091335c5..03355297 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -36,14 +36,25 @@ /* Some generic error codes. Especially SSL_AGAIN is important if you want to do asynchronous I/O. */ +#define NSS_VERIFY_ERROR -2 +#define OPENSSL_VERIFY_ERROR -1 #define SSL_OK 0 #define SSL_NOHANDSHAKE 1 #define SSL_AGAIN 2 +#define VERIFY_CERT_ERROR 2 +#define VERIFY_CERT_INVALID 4 +#define VERIFY_CERT_REVOKED 8 +#define VERIFY_CERT_SIGNER_NOT_FOUND 16 +#define VERIFY_CERT_SIGNER_NOT_CA 32 +#define VERIFY_CERT_INSECURE_ALGORITHM 64 +#define VERIFY_CERT_NOT_ACTIVATED 128 +#define VERIFY_CERT_EXPIRED 256 +#define VERIFY_CERT_WRONG_HOSTNAME 512 extern int ssl_errno; /* This is what your callback function should look like. */ -typedef gboolean (*ssl_input_function)(gpointer, void*, b_input_condition); +typedef gboolean (*ssl_input_function)(gpointer, int, void*, b_input_condition); /* Perform any global initialization the SSL library might need. */ @@ -56,7 +67,7 @@ G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, for example in Jabber. */ -G_MODULE_EXPORT void *ssl_starttls( int fd, ssl_input_function func, gpointer data ); +G_MODULE_EXPORT void *ssl_starttls( int fd, char *hostname, gboolean verify, ssl_input_function func, gpointer data ); /* Obviously you need special read/write functions to read data. */ G_MODULE_EXPORT int ssl_read( void *conn, char *buf, int len ); -- cgit v1.2.3 From 78b840187cc1e2d370dd758e6a73c21e510107b5 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:22:37 +0100 Subject: Move conversion of status codes to status messages into SSL libs. --- lib/ssl_client.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lib/ssl_client.h') diff --git a/lib/ssl_client.h b/lib/ssl_client.h index 03355297..9ce878a1 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -100,4 +100,8 @@ G_MODULE_EXPORT int ssl_getfd( void *conn ); the same action as the handler that just received the SSL_AGAIN.) */ G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn ); +/* Converts a verification bitfield passed to ssl_input_function into + a more useful string. Or NULL if it had no useful bits set. */ +G_MODULE_EXPORT char *ssl_verify_strerror( int code ); + G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res); -- cgit v1.2.3 From a72dc2bb447e754295f8efc6f44fc6572f0f8511 Mon Sep 17 00:00:00 2001 From: Wilmer van der Gaast Date: Mon, 19 Dec 2011 18:57:20 +0100 Subject: Add verify argument to ssl_connect() so HTTPS-based stuff is also secure. (Think of Twitter, but also MSN/Yahoo! authentication.) --- lib/ssl_client.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/ssl_client.h') diff --git a/lib/ssl_client.h b/lib/ssl_client.h index 9ce878a1..d8822143 100644 --- a/lib/ssl_client.h +++ b/lib/ssl_client.h @@ -63,7 +63,7 @@ G_MODULE_EXPORT void ssl_init( void ); /* Connect to host:port, call the given function when the connection is ready to be used for SSL traffic. This is all done asynchronously, no blocking I/O! (Except for the DNS lookups, for now...) */ -G_MODULE_EXPORT void *ssl_connect( char *host, int port, ssl_input_function func, gpointer data ); +G_MODULE_EXPORT void *ssl_connect( char *host, int port, gboolean verify, ssl_input_function func, gpointer data ); /* Start an SSL session on an existing fd. Useful for STARTTLS functionality, for example in Jabber. */ -- cgit v1.2.3