diff options
author | Remko Tronçon <git@el-tramo.be> | 2010-11-07 14:58:23 (GMT) |
---|---|---|
committer | Remko Tronçon <git@el-tramo.be> | 2010-11-07 18:04:57 (GMT) |
commit | e2f2e48f6e01739ccaa763ff7f037306131d4e61 (patch) | |
tree | 92fefe8ff9255356d849d1eadcad45666bde52e5 /Swiften/TLS | |
parent | 832d109bfabc16ef2834790743c1d235b254d781 (diff) | |
download | swift-contrib-e2f2e48f6e01739ccaa763ff7f037306131d4e61.zip swift-contrib-e2f2e48f6e01739ccaa763ff7f037306131d4e61.tar.bz2 |
Added security error handling to Swiften.
Diffstat (limited to 'Swiften/TLS')
-rw-r--r-- | Swiften/TLS/CertificateVerificationError.h | 9 | ||||
-rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.cpp | 65 | ||||
-rw-r--r-- | Swiften/TLS/OpenSSL/OpenSSLContext.h | 2 | ||||
-rw-r--r-- | Swiften/TLS/SConscript | 1 |
4 files changed, 75 insertions, 2 deletions
diff --git a/Swiften/TLS/CertificateVerificationError.h b/Swiften/TLS/CertificateVerificationError.h index 71895ff..76b4aff 100644 --- a/Swiften/TLS/CertificateVerificationError.h +++ b/Swiften/TLS/CertificateVerificationError.h @@ -11,6 +11,15 @@ namespace Swift { public: enum Type { UnknownError, + Expired, + NotYetValid, + SelfSigned, + Rejected, + Untrusted, + InvalidPurpose, + PathLengthExceeded, + InvalidSignature, + InvalidCA, }; CertificateVerificationError(Type type = UnknownError) : type(type) {} diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp index 234c831..c78d5a1 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp @@ -221,13 +221,74 @@ Certificate::ref OpenSSLContext::getPeerCertificate() const { } boost::optional<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const { - long verifyResult = SSL_get_verify_result(handle_); + int verifyResult = SSL_get_verify_result(handle_); if (verifyResult != X509_V_OK) { - return CertificateVerificationError(); + return CertificateVerificationError(getVerificationErrorTypeForResult(verifyResult)); } else { return boost::optional<CertificateVerificationError>(); } } +CertificateVerificationError::Type OpenSSLContext::getVerificationErrorTypeForResult(int result) { + assert(result != 0); + switch (result) { + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + return CertificateVerificationError::NotYetValid; + + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + return CertificateVerificationError::Expired; + + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: + return CertificateVerificationError::SelfSigned; + + case X509_V_ERR_CERT_UNTRUSTED: + return CertificateVerificationError::Untrusted; + + case X509_V_ERR_CERT_REJECTED: + return CertificateVerificationError::Rejected; + + case X509_V_ERR_INVALID_PURPOSE: + return CertificateVerificationError::InvalidPurpose; + + case X509_V_ERR_PATH_LENGTH_EXCEEDED: + return CertificateVerificationError::PathLengthExceeded; + + case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: + case X509_V_ERR_CERT_SIGNATURE_FAILURE: + case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: + return CertificateVerificationError::InvalidSignature; + + case X509_V_ERR_INVALID_CA: + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: + return CertificateVerificationError::InvalidCA; + + case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: + case X509_V_ERR_AKID_SKID_MISMATCH: + case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: + case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: + return CertificateVerificationError::UnknownError; + + // Unused / should not happen + case X509_V_ERR_CERT_REVOKED: + case X509_V_ERR_OUT_OF_MEM: + case X509_V_ERR_UNABLE_TO_GET_CRL: + case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: + case X509_V_ERR_CRL_SIGNATURE_FAILURE: + case X509_V_ERR_CRL_NOT_YET_VALID: + case X509_V_ERR_CRL_HAS_EXPIRED: + case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: + case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: + case X509_V_ERR_CERT_CHAIN_TOO_LONG: + case X509_V_ERR_APPLICATION_VERIFICATION: + default: + return CertificateVerificationError::UnknownError; + } +} + } diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h index a0e73c4..31141a5 100644 --- a/Swiften/TLS/OpenSSL/OpenSSLContext.h +++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h @@ -33,6 +33,8 @@ namespace Swift { private: static void ensureLibraryInitialized(); + static CertificateVerificationError::Type getVerificationErrorTypeForResult(int); + void doConnect(); void sendPendingDataToNetwork(); void sendPendingDataToApplication(); diff --git a/Swiften/TLS/SConscript b/Swiften/TLS/SConscript index 6a67545..b84dbc0 100644 --- a/Swiften/TLS/SConscript +++ b/Swiften/TLS/SConscript @@ -3,6 +3,7 @@ Import("swiften_env") objects = swiften_env.StaticObject([ "TLSContext.cpp", "TLSContextFactory.cpp", + "SecurityError.cpp", ]) if swiften_env.get("HAVE_OPENSSL", 0) : |