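/* Verifies an SSL server certificate.
 *
 * sess:  the session whose server the certificate must identify; also
 *        receives the error string on failure and carries the optional
 *        ssl_verify_fn/ssl_verify_ud callback.
 * sock:  the GnuTLS session that holds the peer's certificate chain.
 * chain: the neon view of that chain; chain->subject is the leaf cert.
 *
 * Returns NE_OK when the certificate is acceptable, NE_ERROR otherwise.
 * Two classes of problems are distinguished:
 *  - "soft" failures (NE_SSL_IDMISMATCH, expiry flags, whatever
 *    map_verify_failures() produces) are collected into `failures` and
 *    offered to the user's verify callback, which may accept them;
 *  - "hard" failures (no commonName, GnuTLS itself could not verify,
 *    verification bits that have no NE_SSL_* equivalent) set the session
 *    error and return NE_ERROR without consulting the callback. */
static int check_certificate(ne_session *sess, gnutls_session sock,
                             ne_ssl_certificate *chain)
{
    int ret, failures = 0;
    ne_uri server;
    /* Initialised: gnutls_certificate_verify_peers2() only stores into it on
     * success, and the debug trace below prints it on the failure path too. */
    unsigned int status = 0;

    memset(&server, 0, sizeof server);
    ne_fill_server_uri(sess, &server);
    /* check_identity(): < 0 means the subject has no commonName to compare,
     * > 0 means it does not match the server, 0 means it matches. */
    ret = check_identity(&server, chain->subject, NULL);
    ne_uri_free(&server);

    if (ret < 0) {
        ne_set_error(sess, _("Server certificate was missing commonName "
                             "attribute in subject name"));
        return NE_ERROR;
    } else if (ret > 0) {
        failures |= NE_SSL_IDMISMATCH;
    }

    failures |= check_chain_expiry(chain);

    ret = gnutls_certificate_verify_peers2(sock, &status);
    NE_DEBUG(NE_DBG_SSL, "ssl: Verify peers returned %d, status=%u\n", ret, status);
    if (ret != GNUTLS_E_SUCCESS) {
        /* GnuTLS could not run the verification at all: this is not a
         * judgement on the certificate, so the callback is not consulted. */
        ne_set_error(sess, _("Could not verify server certificate: %s"),
                     gnutls_strerror(ret));
        return NE_ERROR;
    }

    /* Translate the GnuTLS status bits into NE_SSL_* failure flags.  It is
     * given a pointer, presumably so it can strip the bits it understood;
     * the test below relies on only unhandled bits remaining — confirm. */
    failures |= map_verify_failures(&status);
    NE_DEBUG(NE_DBG_SSL, "ssl: Verification failures = %d (status = %u).\n",
             failures, status);

    if (status && status != GNUTLS_CERT_INVALID) {
        /* A verification condition with no NE_SSL_* equivalent cannot be
         * offered to the callback, so it is a hard failure. */
        char *errstr = verify_error_string(status);
        ne_set_error(sess, _("Certificate verification error: %s"), errstr);
        ne_free(errstr);
        return NE_ERROR;
    }

    if (failures == 0) {
        ret = NE_OK;
    } else {
        /* Record the failure set; the application's callback may still
         * accept the certificate by returning 0. */
        ne__ssl_set_verify_err(sess, failures);
        ret = NE_ERROR;
        if (sess->ssl_verify_fn
            && sess->ssl_verify_fn(sess->ssl_verify_ud, failures, chain) == 0) {
            ret = NE_OK;
        }
    }

    return ret;
}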
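/* Verifies an SSL server certificate.
 *
 * sess:  the session whose server hostname the certificate must match;
 *        also receives the error string on failure and carries the
 *        optional ssl_verify_fn/ssl_verify_ud callback.
 * sock:  the GnuTLS session that holds the peer's certificate chain.
 * chain: the neon view of that chain; chain->subject is the leaf cert.
 *
 * Returns NE_OK when the certificate is acceptable, NE_ERROR otherwise.
 * Validity-period, identity and trust problems are collected into
 * `failures` and offered to the user's verify callback, which may accept
 * them by returning 0.  A subject with no commonName, or a GnuTLS error
 * while verifying, is a hard failure: the session error is set and the
 * callback is not consulted. */
static int check_certificate(ne_session *sess, gnutls_session sock,
                             ne_ssl_certificate *chain)
{
    time_t before, after, now = time(NULL);
    int ret, failures = 0;

    before = gnutls_x509_crt_get_activation_time(chain->subject);
    after = gnutls_x509_crt_get_expiration_time(chain->subject);
    /* NOTE(review): GnuTLS reports (time_t)-1 when it cannot read either
     * date; a failed expiration lookup then registers as EXPIRED while a
     * failed activation lookup passes silently — confirm whether both
     * should be treated as failures. */
    if (now < before) {
        failures |= NE_SSL_NOTYETVALID;
    } else if (now > after) {
        failures |= NE_SSL_EXPIRED;
    }

    /* check_identity(): < 0 means the subject has no commonName to compare,
     * > 0 means it does not match the hostname, 0 means it matches. */
    ret = check_identity(sess->server.hostname, chain->subject, NULL);
    if (ret < 0) {
        ne_set_error(sess, _("Server certificate was missing commonName "
                             "attribute in subject name"));
        return NE_ERROR;
    } else if (ret > 0) {
        failures |= NE_SSL_IDMISMATCH;
    }

    /* gnutls_certificate_verify_peers() returns a negative error code when
     * verification could not be carried out, otherwise a (possibly zero)
     * bitmask of verification status flags.  An error is not a judgement
     * on the certificate, so it must not be folded into NE_SSL_UNTRUSTED
     * where an application callback could wave it through. */
    ret = gnutls_certificate_verify_peers(sock);
    if (ret < 0) {
        ne_set_error(sess, _("Could not verify server certificate: %s"),
                     gnutls_strerror(ret));
        return NE_ERROR;
    } else if (ret) {
        failures |= NE_SSL_UNTRUSTED;
    }

    NE_DEBUG(NE_DBG_SSL, "Failures = %d\n", failures);

    if (failures == 0) {
        ret = NE_OK;
    } else {
        /* Record the failure set; the application's callback may still
         * accept the certificate by returning 0. */
        ne__ssl_set_verify_err(sess, failures);
        ret = NE_ERROR;
        if (sess->ssl_verify_fn
            && sess->ssl_verify_fn(sess->ssl_verify_ud, failures, chain) == 0) {
            ret = NE_OK;
        }
    }

    return ret;
}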