Added security error handling to Swiften.

author: Remko Tronçon <git@el-tramo.be> 2010-11-07 14:58:23 (GMT)
committer: Remko Tronçon <git@el-tramo.be> 2010-11-07 18:04:57 (GMT)
commit: e2f2e48f6e01739ccaa763ff7f037306131d4e61 (patch)
tree: 92fefe8ff9255356d849d1eadcad45666bde52e5 /Swiften/TLS
parent: 832d109bfabc16ef2834790743c1d235b254d781 (diff)
download: swift-e2f2e48f6e01739ccaa763ff7f037306131d4e61.zip
swift-e2f2e48f6e01739ccaa763ff7f037306131d4e61.tar.bz2
4 files changed, 75 insertions, 2 deletions
diff --git a/Swiften/TLS/CertificateVerificationError.h b/Swiften/TLS/CertificateVerificationError.h
index 71895ff..76b4aff 100644
--- a/Swiften/TLS/CertificateVerificationError.h
+++ b/Swiften/TLS/CertificateVerificationError.h
@@ -11,6 +11,15 @@ namespace Swift {
 		public:
 			enum Type {
 				UnknownError,
+				Expired,
+				NotYetValid,
+				SelfSigned,
+				Rejected,
+				Untrusted,
+				InvalidPurpose,
+				PathLengthExceeded,
+				InvalidSignature,
+				InvalidCA,
 			};
 
 			CertificateVerificationError(Type type = UnknownError) : type(type) {}
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 234c831..c78d5a1 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -221,13 +221,74 @@ Certificate::ref OpenSSLContext::getPeerCertificate() const {
 }
 
 boost::optional<CertificateVerificationError> OpenSSLContext::getPeerCertificateVerificationError() const {
-	long verifyResult = SSL_get_verify_result(handle_);
+	int verifyResult = SSL_get_verify_result(handle_);
 	if (verifyResult != X509_V_OK) {
-		return CertificateVerificationError();
+		return CertificateVerificationError(getVerificationErrorTypeForResult(verifyResult));
 	}
 	else {
 		return boost::optional<CertificateVerificationError>();
 	}
 }
 
+CertificateVerificationError::Type OpenSSLContext::getVerificationErrorTypeForResult(int result) {
+	assert(result != 0);
+	switch (result) {
+		case X509_V_ERR_CERT_NOT_YET_VALID:
+		case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+			return CertificateVerificationError::NotYetValid;
+
+		case X509_V_ERR_CERT_HAS_EXPIRED:
+		case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+			return CertificateVerificationError::Expired;
+
+		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+			return CertificateVerificationError::SelfSigned;
+
+		case X509_V_ERR_CERT_UNTRUSTED:
+			return CertificateVerificationError::Untrusted;
+
+		case X509_V_ERR_CERT_REJECTED:
+			return CertificateVerificationError::Rejected;
+
+		case X509_V_ERR_INVALID_PURPOSE:
+			return CertificateVerificationError::InvalidPurpose;
+
+		case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+			return CertificateVerificationError::PathLengthExceeded;
+
+		case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
+		case X509_V_ERR_CERT_SIGNATURE_FAILURE:
+		case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+			return CertificateVerificationError::InvalidSignature;
+
+		case X509_V_ERR_INVALID_CA:
+		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+		case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
+		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+			return CertificateVerificationError::InvalidCA;
+
+		case X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
+		case X509_V_ERR_AKID_SKID_MISMATCH:
+		case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH:
+		case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
+			return CertificateVerificationError::UnknownError;
+
+		// Unused / should not happen
+		case X509_V_ERR_CERT_REVOKED:
+		case X509_V_ERR_OUT_OF_MEM:
+		case X509_V_ERR_UNABLE_TO_GET_CRL:
+		case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE:
+		case X509_V_ERR_CRL_SIGNATURE_FAILURE:
+		case X509_V_ERR_CRL_NOT_YET_VALID:
+		case X509_V_ERR_CRL_HAS_EXPIRED:
+		case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD:
+		case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
+		case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+		case X509_V_ERR_APPLICATION_VERIFICATION:
+		default:
+			return CertificateVerificationError::UnknownError;
+	}
+}
+
 }
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h
index a0e73c4..31141a5 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h
@@ -33,6 +33,8 @@ namespace Swift {
 		private:
 			static void ensureLibraryInitialized();	
 
+			static CertificateVerificationError::Type getVerificationErrorTypeForResult(int);
+
 			void doConnect();
 			void sendPendingDataToNetwork();
 			void sendPendingDataToApplication();
diff --git a/Swiften/TLS/SConscript b/Swiften/TLS/SConscript
index 6a67545..b84dbc0 100644
--- a/Swiften/TLS/SConscript
+++ b/Swiften/TLS/SConscript
@@ -3,6 +3,7 @@ Import("swiften_env")
 objects = swiften_env.StaticObject([
 			"TLSContext.cpp",
 			"TLSContextFactory.cpp",
+			"SecurityError.cpp",
 		])
 		
 if swiften_env.get("HAVE_OPENSSL", 0) :
author	Remko Tronçon <git@el-tramo.be>	2010-11-07 14:58:23 (GMT)
committer	Remko Tronçon <git@el-tramo.be>	2010-11-07 18:04:57 (GMT)
commit	e2f2e48f6e01739ccaa763ff7f037306131d4e61 (patch)
tree	92fefe8ff9255356d849d1eadcad45666bde52e5 /Swiften/TLS
parent	832d109bfabc16ef2834790743c1d235b254d781 (diff)
download	swift-e2f2e48f6e01739ccaa763ff7f037306131d4e61.zip swift-e2f2e48f6e01739ccaa763ff7f037306131d4e61.tar.bz2