summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemko Tronçon <git@el-tramo.be>2010-11-07 14:58:23 (GMT)
committerRemko Tronçon <git@el-tramo.be>2010-11-07 18:04:57 (GMT)
commite2f2e48f6e01739ccaa763ff7f037306131d4e61 (patch)
tree92fefe8ff9255356d849d1eadcad45666bde52e5 /Swiften/TLS
parent832d109bfabc16ef2834790743c1d235b254d781 (diff)
downloadswift-contrib-e2f2e48f6e01739ccaa763ff7f037306131d4e61.zip
swift-contrib-e2f2e48f6e01739ccaa763ff7f037306131d4e61.tar.bz2
Added security error handling to Swiften.
Diffstat (limited to 'Swiften/TLS')
-rw-r--r--Swiften/TLS/CertificateVerificationError.h9
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.cpp65
-rw-r--r--Swiften/TLS/OpenSSL/OpenSSLContext.h2
-rw-r--r--Swiften/TLS/SConscript1
4 files changed, 75 insertions, 2 deletions
diff --git a/Swiften/TLS/CertificateVerificationError.h b/Swiften/TLS/CertificateVerificationError.h
index 71895ff..76b4aff 100644
--- a/Swiften/TLS/CertificateVerificationError.h
+++ b/Swiften/TLS/CertificateVerificationError.h
@@ -11,6 +11,15 @@ namespace Swift {
public:
enum Type {
UnknownError,
+ Expired,
+ NotYetValid,
+ SelfSigned,
+ Rejected,
+ Untrusted,
+ InvalidPurpose,
+ PathLengthExceeded,
+ InvalidSignature,
+ InvalidCA,
};
CertificateVerificationError(Type type = UnknownError) : type(type) {}
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 234c831..c78d5a1 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -221,13 +221,74 @@ Certificate::ref OpenSSLContext::getPeerCertificate() const {
}
boost::optional<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const {
- long verifyResult = SSL_get_verify_result(handle_);
+ int verifyResult = SSL_get_verify_result(handle_);
if (verifyResult != X509_V_OK) {
- return CertificateVerificationError();
+ return CertificateVerificationError(getVerificationErrorTypeForResult(verifyResult));
}
else {
return boost::optional<CertificateVerificationError>();
}
}
+CertificateVerificationError::Type OpenSSLContext::getVerificationErrorTypeForResult(int result) {
+ assert(result != 0);
+ switch (result) {
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ return CertificateVerificationError::NotYetValid;
+
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ return CertificateVerificationError::Expired;
+
+ case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+ case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+ return CertificateVerificationError::SelfSigned;
+
+ case X509_V_ERR_CERT_UNTRUSTED:
+ return CertificateVerificationError::Untrusted;
+
+ case X509_V_ERR_CERT_REJECTED:
+ return CertificateVerificationError::Rejected;
+
+ case X509_V_ERR_INVALID_PURPOSE:
+ return CertificateVerificationError::InvalidPurpose;
+
+ case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+ return CertificateVerificationError::PathLengthExceeded;
+
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+ case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+ case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+ return CertificateVerificationError::InvalidSignature;
+
+ case X509_V_ERR_INVALID_CA:
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+ return CertificateVerificationError::InvalidCA;
+
+ case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+ case X509_V_ERR_AKID_SKID_MISMATCH:
+ case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+ case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+ return CertificateVerificationError::UnknownError;
+
+ // Unused / should not happen
+ case X509_V_ERR_CERT_REVOKED:
+ case X509_V_ERR_OUT_OF_MEM:
+ case X509_V_ERR_UNABLE_TO_GET_CRL:
+ case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+ case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+ case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+ case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+ case X509_V_ERR_APPLICATION_VERIFICATION:
+ default:
+ return CertificateVerificationError::UnknownError;
+ }
+}
+
}
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h
index a0e73c4..31141a5 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h
@@ -33,6 +33,8 @@ namespace Swift {
private:
static void ensureLibraryInitialized();
+ static CertificateVerificationError::Type getVerificationErrorTypeForResult(int);
+
void doConnect();
void sendPendingDataToNetwork();
void sendPendingDataToApplication();
diff --git a/Swiften/TLS/SConscript b/Swiften/TLS/SConscript
index 6a67545..b84dbc0 100644
--- a/Swiften/TLS/SConscript
+++ b/Swiften/TLS/SConscript
@@ -3,6 +3,7 @@ Import("swiften_env")
objects = swiften_env.StaticObject([
"TLSContext.cpp",
"TLSContextFactory.cpp",
+ "SecurityError.cpp",
])
if swiften_env.get("HAVE_OPENSSL", 0) :