Merge branch 'tls-connection'

1 files changed, 737 insertions, 0 deletions

diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c
new file mode 100644
index 000000000..000c9a35b
--- /dev/null
+++ b/libempathy/empathy-tls-verifier.c
@@ -0,0 +1,737 @@
+/*
+ * empathy-tls-verifier.c - Source for EmpathyTLSVerifier
+ * Copyright (C) 2010 Collabora Ltd.
+ * @author Cosimo Cecchi <cosimo.cecchi@collabora.co.uk>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+ *
+ * Some snippets are taken from GnuTLS 2.8.6, which is distributed under the
+ * same GNU Lesser General Public License 2.1 (or later) version. See
+ * get_certified_hostname ().
+ */
+
+#include <config.h>
+
+#include <gnutls/gnutls.h>
+#include <gnutls/x509.h>
+
+#include <telepathy-glib/util.h>
+
+#include "empathy-tls-verifier.h"
+
+#define DEBUG_FLAG EMPATHY_DEBUG_TLS
+#include "empathy-debug.h"
+#include "empathy-utils.h"
+
+G_DEFINE_TYPE (EmpathyTLSVerifier, empathy_tls_verifier,
+    G_TYPE_OBJECT)
+
+#define GET_PRIV(obj) EMPATHY_GET_PRIV (obj, EmpathyTLSVerifier);
+
+enum {
+  PROP_TLS_CERTIFICATE = 1,
+  PROP_HOSTNAME,
+
+  LAST_PROPERTY,
+};
+
+static const gchar* system_ca_paths[] = {
+  "/etc/ssl/certs/ca-certificates.crt",
+  NULL,
+};
+
+typedef struct {
+  GPtrArray *cert_chain;
+
+  GPtrArray *trusted_ca_list;
+  GPtrArray *trusted_crl_list;
+
+  EmpathyTLSCertificate *certificate;
+  gchar *hostname;
+
+  GSimpleAsyncResult *verify_result;
+  GHashTable *details;
+
+  gboolean dispose_run;
+} EmpathyTLSVerifierPriv;
+
+static gnutls_x509_crt_t *
+ptr_array_to_x509_crt_list (GPtrArray *chain)
+{
+  gnutls_x509_crt_t *retval;
+  gint idx;
+
+  retval = g_malloc0 (sizeof (gnutls_x509_crt_t) * chain->len);
+
+  for (idx = 0; idx < (gint) chain->len; idx++)
+    retval[idx] = g_ptr_array_index (chain, idx);
+
+  return retval;
+}
+
+static gboolean
+verification_output_to_reason (gint res,
+    guint verify_output,
+    EmpTLSCertificateRejectReason *reason)
+{
+  gboolean retval = TRUE;
+
+  g_assert (reason != NULL);
+
+  if (res != GNUTLS_E_SUCCESS)
+    {
+      retval = FALSE;
+
+      /* the certificate is not structurally valid */
+      switch (res)
+        {
+        case GNUTLS_E_INSUFFICIENT_CREDENTIALS:
+          *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
+          break;
+        case GNUTLS_E_CONSTRAINT_ERROR:
+          *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_LIMIT_EXCEEDED;
+          break;
+        default:
+          *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+          break;
+        }
+
+      goto out;
+    }
+
+  /* the certificate is structurally valid, check for other errors. */
+  if (verify_output & GNUTLS_CERT_INVALID)
+    {
+      retval = FALSE;
+
+      if (verify_output & GNUTLS_CERT_SIGNER_NOT_FOUND)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
+      else if (verify_output & GNUTLS_CERT_SIGNER_NOT_CA)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNTRUSTED;
+      else if (verify_output & GNUTLS_CERT_INSECURE_ALGORITHM)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_INSECURE;
+      else if (verify_output & GNUTLS_CERT_NOT_ACTIVATED)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_NOT_ACTIVATED;
+      else if (verify_output & GNUTLS_CERT_EXPIRED)
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_EXPIRED;
+      else
+        *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+
+      goto out;
+    }
+
+ out:
+  return retval;
+}
+
+static gboolean
+verify_last_certificate (EmpathyTLSVerifier *self,
+    gnutls_x509_crt_t cert,
+    EmpTLSCertificateRejectReason *reason)
+{
+  guint verify_output;
+  gint res;
+  gnutls_x509_crt_t *trusted_ca_list;
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  if (priv->trusted_ca_list->len > 0)
+    {
+      trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
+      res = gnutls_x509_crt_verify (cert, trusted_ca_list,
+          priv->trusted_ca_list->len, 0, &verify_output);
+
+      DEBUG ("Checking last certificate %p against trusted CAs, output %u",
+          cert, verify_output);
+
+      g_free (trusted_ca_list);
+    }
+  else
+    {
+      /* check it against itself to see if it's structurally valid */
+      res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output);
+
+      DEBUG ("Checking last certificate %p against itself, output %u", cert,
+          verify_output);
+
+      /* if it's valid, return the SelfSigned error, so that we can add it
+       * later to our trusted CAs whitelist.
+       */
+      if (res == GNUTLS_E_SUCCESS)
+        {
+          *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
+          return FALSE;
+        }
+    }
+
+  return verification_output_to_reason (res, verify_output, reason);
+}
+
+static gboolean
+verify_certificate (EmpathyTLSVerifier *self,
+    gnutls_x509_crt_t cert,
+    gnutls_x509_crt_t issuer,
+    EmpTLSCertificateRejectReason *reason)
+{
+  guint verify_output;
+  gint res;
+
+  res = gnutls_x509_crt_verify (cert, &issuer, 1, 0, &verify_output);
+
+  DEBUG ("Verifying %p against %p, output %u", cert, issuer, verify_output);
+
+  return verification_output_to_reason (res, verify_output, reason);
+}
+
+static void
+complete_verification (EmpathyTLSVerifier *self)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  DEBUG ("Verification successful, completing...");
+
+  g_simple_async_result_complete_in_idle (priv->verify_result);
+
+  tp_clear_object (&priv->verify_result);
+}
+
+static void
+abort_verification (EmpathyTLSVerifier *self,
+    EmpTLSCertificateRejectReason reason)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  DEBUG ("Verification error %u, aborting...", reason);
+
+  g_simple_async_result_set_error (priv->verify_result,
+      G_IO_ERROR, reason, "TLS verification failed with reason %u",
+      reason);
+  g_simple_async_result_complete_in_idle (priv->verify_result);
+
+  tp_clear_object (&priv->verify_result);
+}
+
+static gchar *
+get_certified_hostname (gnutls_x509_crt_t cert)
+{
+  gchar dns_name[256];
+  gsize dns_name_size;
+  gint idx;
+  gint res = 0;
+
+  /* this snippet is taken from GnuTLS.
+   * see gnutls/lib/x509/rfc2818_hostname.c
+   */
+  for (idx = 0; res >= 0; idx++)
+    {
+      dns_name_size = sizeof (dns_name);
+      res = gnutls_x509_crt_get_subject_alt_name (cert, idx,
+          dns_name, &dns_name_size, NULL);
+
+      if (res == GNUTLS_SAN_DNSNAME || res == GNUTLS_SAN_IPADDRESS)
+        return g_strndup (dns_name, dns_name_size);
+    }
+
+  dns_name_size = sizeof (dns_name);
+  res = gnutls_x509_crt_get_dn_by_oid (cert, GNUTLS_OID_X520_COMMON_NAME,
+      0, 0, dns_name, &dns_name_size);
+
+  if (res >= 0)
+    return g_strndup (dns_name, dns_name_size);
+
+  return NULL;
+}
+
+static void
+real_start_verification (EmpathyTLSVerifier *self)
+{
+  gnutls_x509_crt_t first_cert, last_cert;
+  gint idx;
+  gboolean res = FALSE;
+  gint num_certs;
+  EmpTLSCertificateRejectReason reason =
+    EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  DEBUG ("Starting verification");
+
+  /* check if the certificate matches the hostname first. */
+  first_cert = g_ptr_array_index (priv->cert_chain, 0);
+  if (gnutls_x509_crt_check_hostname (first_cert, priv->hostname) == 0)
+    {
+      gchar *certified_hostname;
+
+      reason = EMP_TLS_CERTIFICATE_REJECT_REASON_HOSTNAME_MISMATCH;
+      certified_hostname = get_certified_hostname (first_cert);
+      tp_asv_set_string (priv->details,
+          "expected-hostname", priv->hostname);
+      tp_asv_set_string (priv->details,
+          "certificate-hostname", certified_hostname);
+
+      DEBUG ("Hostname mismatch: got %s but expected %s",
+          certified_hostname, priv->hostname);
+
+      g_free (certified_hostname);
+      goto out;
+    }
+
+  DEBUG ("Hostname matched");
+
+  num_certs = priv->cert_chain->len;
+
+  if (priv->trusted_ca_list->len > 0)
+    {
+      /* if the last certificate is self-signed, and we have a list of
+       * trusted CAs, ignore it, as we want to check the chain against our
+       * trusted CAs list first.
+       */
+      last_cert = g_ptr_array_index (priv->cert_chain, num_certs - 1);
+
+      if (gnutls_x509_crt_check_issuer (last_cert, last_cert) > 0)
+        num_certs--;
+    }
+
+  for (idx = 1; idx < num_certs; idx++)
+    {
+      res = verify_certificate (self,
+          g_ptr_array_index (priv->cert_chain, idx -1),
+          g_ptr_array_index (priv->cert_chain, idx),
+          &reason);
+
+      DEBUG ("Certificate verification %d gave result %d with reason %u", idx,
+          res, reason);
+
+      if (!res)
+        {
+          abort_verification (self, reason);
+          return;
+        }
+    }
+
+  res = verify_last_certificate (self,
+      g_ptr_array_index (priv->cert_chain, num_certs - 1),
+      &reason);
+
+  DEBUG ("Last verification gave result %d with reason %u", res, reason);
+
+ out:
+  if (!res)
+    {
+      abort_verification (self, reason);
+      return;
+    }
+
+  complete_verification (self);
+}
+
+static gboolean
+start_verification (gpointer user_data)
+{
+  EmpathyTLSVerifier *self = user_data;
+
+  real_start_verification (self);
+
+  return FALSE;
+}
+
+static void
+build_gnutls_cert_list (EmpathyTLSVerifier *self)
+{
+  guint num_certs;
+  guint idx;
+  GPtrArray *certificate_data = NULL;
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  g_object_get (priv->certificate,
+      "cert-data", &certificate_data,
+      NULL);
+  num_certs = certificate_data->len;
+
+  priv->cert_chain = g_ptr_array_new_with_free_func (
+      (GDestroyNotify) gnutls_x509_crt_deinit);
+
+  for (idx = 0; idx < num_certs; idx++)
+    {
+      gnutls_x509_crt_t cert;
+      GArray *one_cert;
+      gnutls_datum_t datum = { NULL, 0 };
+
+      one_cert = g_ptr_array_index (certificate_data, idx);
+      datum.data = (guchar *) one_cert->data;
+      datum.size = one_cert->len;
+
+      gnutls_x509_crt_init (&cert);
+      gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_DER);
+
+      g_ptr_array_add (priv->cert_chain, cert);
+    }
+}
+
+static gint
+get_number_and_type_of_certificates (gnutls_datum_t *datum,
+    gnutls_x509_crt_fmt_t *format)
+{
+  gnutls_x509_crt_t fake;
+  guint retval = 1;
+  gint res;
+
+  res = gnutls_x509_crt_list_import (&fake, &retval, datum,
+      GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+
+  if (res == GNUTLS_E_SHORT_MEMORY_BUFFER || res > 0)
+    {
+      DEBUG ("Found PEM, with %u certificates", retval);
+      *format = GNUTLS_X509_FMT_PEM;
+      return retval;
+    }
+
+  /* try DER */
+  res = gnutls_x509_crt_list_import (&fake, &retval, datum,
+      GNUTLS_X509_FMT_DER, 0);
+
+  if (res > 0)
+    {
+      *format = GNUTLS_X509_FMT_DER;
+      return retval;
+    }
+
+  return res;
+}
+
+static gboolean
+build_gnutls_ca_and_crl_lists (GIOSchedulerJob *job,
+    GCancellable *cancellable,
+    gpointer user_data)
+{
+  gint idx;
+  gchar *user_certs_dir;
+  GDir *dir;
+  GError *error = NULL;
+  EmpathyTLSVerifier *self = user_data;
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  priv->trusted_ca_list = g_ptr_array_new_with_free_func
+    ((GDestroyNotify) gnutls_x509_crt_deinit);
+
+  for (idx = 0; idx < (gint) G_N_ELEMENTS (system_ca_paths) - 1; idx++)
+    {
+      const gchar *path;
+      gchar *contents = NULL;
+      gsize length = 0;
+      gint res, n_certs;
+      gnutls_x509_crt_t *cert_list;
+      gnutls_datum_t datum = { NULL, 0 };
+      gnutls_x509_crt_fmt_t format = 0;
+
+      path = system_ca_paths[idx];
+      g_file_get_contents (path, &contents, &length, &error);
+
+      if (error != NULL)
+        {
+          DEBUG ("Unable to read system CAs from path %s: %s", path,
+              error->message);
+          g_clear_error (&error);
+          continue;
+        }
+
+      datum.data = (guchar *) contents;
+      datum.size = length;
+      n_certs = get_number_and_type_of_certificates (&datum, &format);
+
+      if (n_certs < 0)
+        {
+          DEBUG ("Unable to parse the system CAs from path %s: GnuTLS "
+              "returned error %d", path, n_certs);
+
+          g_free (contents);
+          continue;
+        }
+
+      cert_list = g_malloc0 (sizeof (gnutls_x509_crt_t) * n_certs);
+      res = gnutls_x509_crt_list_import (cert_list, (guint *) &n_certs, &datum,
+          format, 0);
+
+      if (res < 0)
+        {
+          DEBUG ("Unable to import system CAs from path %s; "
+              "GnuTLS returned error %d", path, res);
+
+          g_free (contents);
+          continue;
+        }
+
+      DEBUG ("Successfully imported %d system CA certificates from path %s",
+          n_certs, path);
+
+      /* append the newly created cert structutes into the global GPtrArray */
+      for (idx = 0; idx < n_certs; idx++)
+        g_ptr_array_add (priv->trusted_ca_list, cert_list[idx]);
+
+      g_free (contents);
+      g_free (cert_list);
+    }
+
+  /* user certs */
+  user_certs_dir = g_build_filename (g_get_user_config_dir (),
+      "telepathy", "certs", NULL);
+  dir = g_dir_open (user_certs_dir, 0, &error);
+
+  if (error != NULL)
+    {
+      DEBUG ("Can't open the user certs dir at %s: %s", user_certs_dir,
+          error->message);
+
+      g_error_free (error);
+    }
+  else
+    {
+      const gchar *cert_name;
+
+      while ((cert_name = g_dir_read_name (dir)) != NULL)
+        {
+          gchar *contents = NULL, *cert_path = NULL;
+          gsize length = 0;
+          gint res;
+          gnutls_datum_t datum = { NULL, 0 };
+          gnutls_x509_crt_t cert;
+
+          cert_path = g_build_filename (user_certs_dir, cert_name, NULL);
+
+          g_file_get_contents (cert_path, &contents, &length, &error);
+
+          if (error != NULL)
+            {
+              DEBUG ("Can't open the certificate file at path %s: %s",
+                  cert_path, error->message);
+
+              g_clear_error (&error);
+              g_free (cert_path);
+              continue;
+            }
+
+          datum.data = (guchar *) contents;
+          datum.size = length;
+
+          gnutls_x509_crt_init (&cert);
+          res = gnutls_x509_crt_import (cert, &datum, GNUTLS_X509_FMT_PEM);
+
+          if (res != GNUTLS_E_SUCCESS)
+            {
+              DEBUG ("Can't import the certificate at path %s: "
+                  "GnuTLS returned %d", cert_path, res);
+            }
+          else
+            {
+              g_ptr_array_add (priv->trusted_ca_list, cert);
+            }
+
+          g_free (contents);
+          g_free (cert_path);
+        }
+
+      g_dir_close (dir);
+    }
+
+  g_free (user_certs_dir);
+
+  /* TODO: do the CRL too */
+
+  g_io_scheduler_job_send_to_mainloop_async (job,
+      start_verification, self, NULL);
+
+  return FALSE;
+}
+
+static void
+empathy_tls_verifier_get_property (GObject *object,
+    guint property_id,
+    GValue *value,
+    GParamSpec *pspec)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+  switch (property_id)
+    {
+    case PROP_TLS_CERTIFICATE:
+      g_value_set_object (value, priv->certificate);
+      break;
+    case PROP_HOSTNAME:
+      g_value_set_string (value, priv->hostname);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+      break;
+    }
+}
+
+static void
+empathy_tls_verifier_set_property (GObject *object,
+    guint property_id,
+    const GValue *value,
+    GParamSpec *pspec)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+  switch (property_id)
+    {
+    case PROP_TLS_CERTIFICATE:
+      priv->certificate = g_value_dup_object (value);
+      break;
+    case PROP_HOSTNAME:
+      priv->hostname = g_value_dup_string (value);
+      break;
+    default:
+      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, property_id, pspec);
+      break;
+    }
+}
+
+static void
+empathy_tls_verifier_dispose (GObject *object)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+  if (priv->dispose_run)
+    return;
+
+  priv->dispose_run = TRUE;
+
+  tp_clear_object (&priv->certificate);
+
+  G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->dispose (object);
+}
+
+static void
+empathy_tls_verifier_finalize (GObject *object)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (object);
+
+  DEBUG ("%p", object);
+
+  tp_clear_pointer (&priv->trusted_ca_list, g_ptr_array_unref);
+  tp_clear_pointer (&priv->cert_chain, g_ptr_array_unref);
+  tp_clear_boxed (G_TYPE_HASH_TABLE, &priv->details);
+  g_free (priv->hostname);
+
+  G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->finalize (object);
+}
+
+static void
+empathy_tls_verifier_constructed (GObject *object)
+{
+  EmpathyTLSVerifier *self = EMPATHY_TLS_VERIFIER (object);
+
+  build_gnutls_cert_list (self);
+
+  if (G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed != NULL)
+    G_OBJECT_CLASS (empathy_tls_verifier_parent_class)->constructed (object);
+}
+
+static void
+empathy_tls_verifier_init (EmpathyTLSVerifier *self)
+{
+  EmpathyTLSVerifierPriv *priv;
+
+  priv = self->priv = G_TYPE_INSTANCE_GET_PRIVATE (self,
+      EMPATHY_TYPE_TLS_VERIFIER, EmpathyTLSVerifierPriv);
+  priv->details = tp_asv_new (NULL, NULL);
+}
+
+static void
+empathy_tls_verifier_class_init (EmpathyTLSVerifierClass *klass)
+{
+  GParamSpec *pspec;
+  GObjectClass *oclass = G_OBJECT_CLASS (klass);
+
+  g_type_class_add_private (klass, sizeof (EmpathyTLSVerifierPriv));
+
+  oclass->set_property = empathy_tls_verifier_set_property;
+  oclass->get_property = empathy_tls_verifier_get_property;
+  oclass->finalize = empathy_tls_verifier_finalize;
+  oclass->dispose = empathy_tls_verifier_dispose;
+  oclass->constructed = empathy_tls_verifier_constructed;
+
+  pspec = g_param_spec_object ("certificate", "The EmpathyTLSCertificate",
+      "The EmpathyTLSCertificate to be verified.",
+      EMPATHY_TYPE_TLS_CERTIFICATE,
+      G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_TLS_CERTIFICATE, pspec);
+
+  pspec = g_param_spec_string ("hostname", "The hostname",
+      "The hostname which should be certified by the certificate.",
+      NULL,
+      G_PARAM_CONSTRUCT_ONLY | G_PARAM_READWRITE | G_PARAM_STATIC_STRINGS);
+  g_object_class_install_property (oclass, PROP_HOSTNAME, pspec);
+}
+
+EmpathyTLSVerifier *
+empathy_tls_verifier_new (EmpathyTLSCertificate *certificate,
+    const gchar *hostname)
+{
+  g_assert (EMPATHY_IS_TLS_CERTIFICATE (certificate));
+  g_assert (hostname != NULL);
+
+  return g_object_new (EMPATHY_TYPE_TLS_VERIFIER,
+      "certificate", certificate,
+      "hostname", hostname,
+      NULL);
+}
+
+void
+empathy_tls_verifier_verify_async (EmpathyTLSVerifier *self,
+    GAsyncReadyCallback callback,
+    gpointer user_data)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  g_return_if_fail (priv->verify_result == NULL);
+
+  priv->verify_result = g_simple_async_result_new (G_OBJECT (self),
+      callback, user_data, NULL);
+
+  g_io_scheduler_push_job (build_gnutls_ca_and_crl_lists,
+      self, NULL, G_PRIORITY_DEFAULT, NULL);
+}
+
+gboolean
+empathy_tls_verifier_verify_finish (EmpathyTLSVerifier *self,
+    GAsyncResult *res,
+    EmpTLSCertificateRejectReason *reason,
+    GHashTable **details,
+    GError **error)
+{
+  EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
+
+  if (g_simple_async_result_propagate_error (G_SIMPLE_ASYNC_RESULT (res),
+          error))
+    {
+      if (reason != NULL)
+        *reason = (*error)->code;
+
+      if (details != NULL)
+        {
+          *details = tp_asv_new (NULL, NULL);
+          tp_g_hash_table_update (*details, priv->details,
+              (GBoxedCopyFunc) g_strdup,
+              (GBoxedCopyFunc) tp_g_value_slice_dup);
+        }
+
+      return FALSE;
+    }
+
+  if (reason != NULL)
+    *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_UNKNOWN;
+
+  return TRUE;
+}