aboutsummaryrefslogtreecommitdiffstats
path: root/libempathy
diff options
context:
space:
mode:
authorCosimo Cecchi <cosimoc@gnome.org>2010-08-13 00:46:08 +0800
committerCosimo Cecchi <cosimoc@gnome.org>2010-08-13 22:22:24 +0800
commitdd4b301661b2516731027eebbf3147692292d749 (patch)
tree41cda825d968173afc7f1776783abbde347a3cea /libempathy
parent7472633dcbe1e50a28224960a02b8cf8f83bf422 (diff)
downloadgsoc2013-empathy-dd4b301661b2516731027eebbf3147692292d749.tar
gsoc2013-empathy-dd4b301661b2516731027eebbf3147692292d749.tar.gz
gsoc2013-empathy-dd4b301661b2516731027eebbf3147692292d749.tar.bz2
gsoc2013-empathy-dd4b301661b2516731027eebbf3147692292d749.tar.lz
gsoc2013-empathy-dd4b301661b2516731027eebbf3147692292d749.tar.xz
gsoc2013-empathy-dd4b301661b2516731027eebbf3147692292d749.tar.zst
gsoc2013-empathy-dd4b301661b2516731027eebbf3147692292d749.zip
Correctly treat the last certificate in the chain
I.e. emit SelfSigned if we don't have any trusted CAs in our cache.
Diffstat (limited to 'libempathy')
-rw-r--r--libempathy/empathy-tls-verifier.c43
1 files changed, 33 insertions, 10 deletions
diff --git a/libempathy/empathy-tls-verifier.c b/libempathy/empathy-tls-verifier.c
index 1ed9ede0c..f279efbfe 100644
--- a/libempathy/empathy-tls-verifier.c
+++ b/libempathy/empathy-tls-verifier.c
@@ -139,11 +139,34 @@ verify_last_certificate (EmpathyTLSVerifier *self,
gnutls_x509_crt_t *trusted_ca_list;
EmpathyTLSVerifierPriv *priv = GET_PRIV (self);
- trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
- res = gnutls_x509_crt_verify (cert, trusted_ca_list,
- priv->trusted_ca_list->len, 0, &verify_output);
+ if (priv->trusted_ca_list->len > 0)
+ {
+ trusted_ca_list = ptr_array_to_x509_crt_list (priv->trusted_ca_list);
+ res = gnutls_x509_crt_verify (cert, trusted_ca_list,
+ priv->trusted_ca_list->len, 0, &verify_output);
+
+ DEBUG ("Checking last certificate %p against trusted CAs, output %u",
+ cert, verify_output);
- g_free (trusted_ca_list);
+ g_free (trusted_ca_list);
+ }
+ else
+ {
+ /* check it against itself to see if it's structurally valid */
+ res = gnutls_x509_crt_verify (cert, &cert, 1, 0, &verify_output);
+
+ DEBUG ("Checking last certificate %p against itself, output %u", cert,
+ verify_output);
+
+ /* if it's valid, return the SelfSigned error, so that we can add it
+ * later to our trusted CAs whitelist.
+ */
+ if (res == GNUTLS_E_SUCCESS)
+ {
+ *reason = EMP_TLS_CERTIFICATE_REJECT_REASON_SELF_SIGNED;
+ return FALSE;
+ }
+ }
return verification_output_to_reason (res, verify_output, reason);
}
@@ -233,13 +256,13 @@ real_start_verification (EmpathyTLSVerifier *self)
}
}
- if (priv->trusted_ca_list->len > 0)
- {
- res = verify_last_certificate (self,
- g_ptr_array_index (priv->cert_chain, num_certs - 1),
- &reason);
- }
+ res = verify_last_certificate (self,
+ g_ptr_array_index (priv->cert_chain, num_certs - 1),
+ &reason);
+ DEBUG ("Last verification gave result %d with reason %u", res, reason);
+
+ out:
if (!res)
{
abort_verification (self, reason);