Changeset 78b8401

Timestamp:

2011-12-19T17:22:37Z (12 years ago)

Author:

Wilmer van der Gaast <wilmer@…>

Branches:

master

Children:

af5764e

Parents:

486ddb5

Message:

Move conversion of status codes to status messages into SSL libs.

Files:

• lib/ssl_bogus.c (modified) (1 diff)
• lib/ssl_client.h (modified) (1 diff)
• lib/ssl_gnutls.c (modified) (1 diff)
• lib/ssl_nss.c (modified) (1 diff)
• lib/ssl_openssl.c (modified) (1 diff)
• protocols/jabber/io.c (modified) (1 diff)

lib/ssl_bogus.c

@@ -70 +70 @@
         return 0;
 }
+
+char *ssl_verify_strerror( int code )
+{
+        return NULL;
+}

lib/ssl_client.h

@@ -101 +101 @@
 G_MODULE_EXPORT b_input_condition ssl_getdirection( void *conn );
 
+/* Converts a verification bitfield passed to ssl_input_function into
+   a more useful string. Or NULL if it had no useful bits set. */
+G_MODULE_EXPORT char *ssl_verify_strerror( int code );
+
 G_MODULE_EXPORT size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res);

lib/ssl_gnutls.c

@@ -193 +193 @@
 
         return verifyret;
+}
+
+char *ssl_verify_strerror( int code )
+{
+        GString *ret = g_string_new( "" );
+        
+        if( code & VERIFY_CERT_REVOKED )
+                g_string_append( ret, "certificate has been revoked, " );
+        if( code & VERIFY_CERT_SIGNER_NOT_FOUND )
+                g_string_append( ret, "certificate hasn't got a known issuer, " );
+        if( code & VERIFY_CERT_SIGNER_NOT_CA )
+                g_string_append( ret, "certificate's issuer is not a CA, " );
+        if( code & VERIFY_CERT_INSECURE_ALGORITHM )
+                g_string_append( ret, "certificate uses an insecure algorithm, " );
+        if( code & VERIFY_CERT_NOT_ACTIVATED )
+                g_string_append( ret, "certificate has not been activated, " );
+        if( code & VERIFY_CERT_EXPIRED )
+                g_string_append( ret, "certificate has expired, " );
+        if( code & VERIFY_CERT_WRONG_HOSTNAME )
+                g_string_append( ret, "certificate hostname mismatch, " );
+        
+        if( ret->len == 0 )
+        {
+                g_string_free( ret, TRUE );
+                return NULL;
+        }
+        else
+        {
+                g_string_truncate( ret, ret->len - 2 );
+                return g_string_free( ret, FALSE );
+        }
 }
 

lib/ssl_nss.c

@@ -252 +252 @@
         return B_EV_IO_READ;
 }
+
+char *ssl_verify_strerror( int code )
+{
+        return g_strdup( "SSL certificate verification not supported by BitlBee NSS code." );
+}

lib/ssl_openssl.c

@@ -288 +288 @@
 }
 
+char *ssl_verify_strerror( int code )
+{
+        return g_strdup( "SSL certificate verification not supported by BitlBee OpenSSL code." );
+}
+
 size_t ssl_des3_encrypt(const unsigned char *key, size_t key_len, const unsigned char *input, size_t input_len, const unsigned char *iv, unsigned char **res)
 {

protocols/jabber/io.c

@@ -292 +292 @@
                 jd->ssl = NULL;
                 
-                imcb_error( ic, "Could not connect to server" );
-                if (returncode ==  OPENSSL_VERIFY_ERROR )
-                {
-                        imcb_error( ic, "This BitlBee server is built agains the OpenSSL library." );
-                        imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
+                if( returncode & VERIFY_CERT_INVALID)
+                {
+                        char *err = ssl_verify_strerror( returncode );
+                        imcb_error( ic, "Certificate verification problem 0x%x: %s",
+                                    returncode, err ? err : "Unknown" );
+                        g_free( err );
                         imc_logout( ic, FALSE );
                 }
-                else if (returncode ==  NSS_VERIFY_ERROR )
-                {
-                        imcb_error( ic, "This BitlBee server is built agains the NSS library." );
-                        imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
-                        imc_logout( ic, FALSE );
-                }
-                else if (returncode == VERIFY_CERT_ERROR )
-                {
-                        imcb_error( ic, "An error occured during the certificate verification." );
-                        imc_logout( ic, FALSE );
-                }
-                else if (returncode  & VERIFY_CERT_INVALID)
-                {
-                        imcb_error( ic, "Unable to verify peer's certificate." );
-                        if (returncode & VERIFY_CERT_REVOKED)
-                                imcb_error( ic, "The certificate has been revoked." );
-                        if (returncode & VERIFY_CERT_SIGNER_NOT_FOUND)
-                                imcb_error( ic, "The certificate hasn't got a known issuer." );
-                        if (returncode & VERIFY_CERT_SIGNER_NOT_CA)
-                                imcb_error( ic, "The certificate's issuer is not a CA." );
-                        if (returncode & VERIFY_CERT_INSECURE_ALGORITHM)
-                                imcb_error( ic, "The certificate uses an insecure algorithm." );
-                        if (returncode & VERIFY_CERT_NOT_ACTIVATED)
-                                imcb_error( ic, "The certificate has not been activated." );
-                        if (returncode & VERIFY_CERT_EXPIRED)
-                                imcb_error( ic, "The certificate has expired." );
-                        if (returncode & VERIFY_CERT_WRONG_HOSTNAME)
-                                imcb_error( ic, "The hostname specified in the certificate doesn't match the server name." );
-                        imc_logout( ic, FALSE );
-                }
                 else
-                imc_logout( ic, TRUE );
+                {
+                        imcb_error( ic, "Could not connect to server" );
+                        imc_logout( ic, TRUE );
+                }
+                
                 return FALSE;
         }