Diffstat (limited to 'ssl_verify_openssl.c')
-rw-r--r-- | ssl_verify_openssl.c | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index a654e3d..06e1143 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -31,3 +31,44 @@
 #include "ssl_verify_backend.h"
 #include "ssl_openssl.h"
 #include <openssl/x509v3.h>
+
+int
+verify_callback (int preverify_ok, X509_STORE_CTX * ctx)
+{
+ struct tls_session *session;
+ SSL *ssl;
+
+ /* get the tls_session pointer */
+ ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+ ASSERT (ssl);
+ session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);
+ ASSERT (session);
+
+ cert_hash_remember (session, ctx->error_depth, ctx->current_cert->sha1_hash);
+
+ /* did peer present cert which was signed by our root cert? */
+ if (!preverify_ok)
+ {
+ /* get the X509 name */
+ char *subject = X509_NAME_oneline (
+ X509_get_subject_name (ctx->current_cert), NULL, 0);
+
+ if (subject)
+ {
+ /* Remote site specified a certificate, but it's not correct */
+ msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
+ ctx->error_depth,
+ X509_verify_cert_error_string (ctx->error),
+ subject);
+ free (subject);
+ }
+
+ ERR_clear_error();
+
+ session->verified = false;
+
+ return 1;
+ }
+
+ return verify_cert(session, ctx->current_cert, ctx->error_depth);
+}
|
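Review bot: verify_callback reads OpenSSL's structures directly (`ctx->error_depth`, `ctx->current_cert`, `ctx->error` and `ctx->current_cert->sha1_hash`), which ties the file to a non-opaque X509_STORE_CTX/X509 layout and, for `sha1_hash`, to a cached field that as far as I recall is only filled once the certificate's extensions have been cached; the accessors `X509_STORE_CTX_get_error_depth`, `X509_STORE_CTX_get_current_cert`, `X509_STORE_CTX_get_error` plus a fresh `X509_digest` remove both dependencies. Returning 1 on `!preverify_ok` deliberately lets the handshake continue with `session->verified` cleared, so that flag is the only thing between a rejected chain and a usable tunnel; a comment at that `return 1;` such as `/* keep handshaking so deeper certs are logged too; the caller must reject the session while !session->verified */` would make the contract explicit. The sketch below leaves the logging branch as it is and only swaps the field reads for accessor calls, failing the handshake outright if the digest cannot be computed.
```c
  /* … unchanged: ex_data lookup and ASSERTs … */

  int depth = X509_STORE_CTX_get_error_depth (ctx);
  X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
  unsigned char sha1[EVP_MAX_MD_SIZE];
  unsigned int sha1_len = 0;

  /* compute the fingerprint ourselves instead of reading the X509's cached field */
  if (!X509_digest (cert, EVP_sha1(), sha1, &sha1_len) || sha1_len != SHA_DIGEST_LENGTH)
    return 0;
  cert_hash_remember (session, depth, sha1);

  /* … unchanged: !preverify_ok branch, with depth, cert and X509_STORE_CTX_get_error (ctx) in place of the ctx-> fields … */

  return verify_cert (session, cert, depth);
```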