int
verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
{
int ret = 0;
struct tls_session *session;
SSL *ssl;
struct gc_arena gc = gc_new();
/* get the tls_session pointer */
ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
ASSERT (ssl);
session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);
ASSERT (session);
cert_hash_remember (session, ctx->error_depth,
x509_get_sha1_hash(ctx->current_cert, &gc));
/* did peer present cert which was signed by our root cert? */
if (!preverify_ok)
{
/* get the X509 name */
char *subject = x509_get_subject(ctx->current_cert, &gc);
if (subject)
{
/* Remote site specified a certificate, but it's not correct */
msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
ctx->error_depth,
X509_verify_cert_error_string (ctx->error),
subject);
}
ERR_clear_error();
session->verified = false;
goto cleanup;
}
if (SUCCESS != verify_cert(session, ctx->current_cert, ctx->error_depth))
goto cleanup;
ret = 1;
cleanup:
gc_free(&gc);
return ret;
}
int
verify_callback (void *session_obj, x509_crt *cert, int cert_depth,
int *flags)
{
struct tls_session *session = (struct tls_session *) session_obj;
struct gc_arena gc = gc_new();
ASSERT (cert);
ASSERT (session);
session->verified = false;
/* Remember certificate hash */
cert_hash_remember (session, cert_depth, x509_get_sha1_hash(cert, &gc));
/* did peer present cert which was signed by our root cert? */
if (*flags != 0)
{
char *subject = x509_get_subject(cert, &gc);
if (subject)
msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, %s", cert_depth, *flags, subject);
else
msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, could not extract X509 "
"subject string from certificate", *flags, cert_depth);
/* Leave flags set to non-zero to indicate that the cert is not ok */
}
else if (SUCCESS != verify_cert(session, cert, cert_depth))
{
*flags |= BADCERT_OTHER;
}
gc_free(&gc);
/*
* PolarSSL-1.2.0+ expects 0 on anything except fatal errors.
*/
return 0;
}