| author | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-19 15:50:58 +0100 | 
|---|---|---|
| committer | Wilmer van der Gaast <wilmer@gaast.net> | 2011-12-19 15:50:58 +0100 | 
| commit | 486ddb53b93b6677dc3feeb4afaad2ea93a71a81 (patch) | |
| tree | c321822f1f4bce521851293d1ff5ed07ec403e2c /protocols | |
| parent | 5a48afdf1a4dafcda8eecf42fc7cabb12ee48b40 (diff) | |
Initial merge of tls_verify patch from AopicieR.
Diffstat (limited to 'protocols')
| -rw-r--r-- | protocols/jabber/io.c | 53 | ||||
| -rw-r--r-- | protocols/jabber/jabber.c | 3 | ||||
| -rw-r--r-- | protocols/jabber/jabber.h | 2 | ||||
| -rw-r--r-- | protocols/skype/skype.c | 2 | 
4 files changed, 55 insertions, 5 deletions
| diff --git a/protocols/jabber/io.c b/protocols/jabber/io.c index a28eea90..9e55e3f9 100644 --- a/protocols/jabber/io.c +++ b/protocols/jabber/io.c @@ -275,7 +275,7 @@ gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition c  	return jabber_start_stream( ic );  } -gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond ) +gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond )  {  	struct im_connection *ic = data;  	struct jabber_data *jd; 
@@ -292,6 +292,43 @@ gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition co  		jd->ssl = NULL;  		imcb_error( ic, "Could not connect to server" ); +		if (returncode ==  OPENSSL_VERIFY_ERROR ) +		{ +			imcb_error( ic, "This BitlBee server is built agains the OpenSSL library." ); +			imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." ); +			imc_logout( ic, FALSE ); +		} +		else if (returncode ==  NSS_VERIFY_ERROR ) +		{ +			imcb_error( ic, "This BitlBee server is built agains the NSS library." ); +			imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." ); +			imc_logout( ic, FALSE ); +		} +		else if (returncode == VERIFY_CERT_ERROR ) +		{ +			imcb_error( ic, "An error occured during the certificate verification." ); +			imc_logout( ic, FALSE ); +		} +		else if (returncode  & VERIFY_CERT_INVALID) +		{ +			imcb_error( ic, "Unable to verify peer's certificate." ); +			if (returncode & VERIFY_CERT_REVOKED) +				imcb_error( ic, "The certificate has been revoked." ); +			if (returncode & VERIFY_CERT_SIGNER_NOT_FOUND) +				imcb_error( ic, "The certificate hasn't got a known issuer." ); +			if (returncode & VERIFY_CERT_SIGNER_NOT_CA) +				imcb_error( ic, "The certificate's issuer is not a CA." ); +			if (returncode & VERIFY_CERT_INSECURE_ALGORITHM) +				imcb_error( ic, "The certificate uses an insecure algorithm." ); +			if (returncode & VERIFY_CERT_NOT_ACTIVATED) +				imcb_error( ic, "The certificate has not been activated." ); +			if (returncode & VERIFY_CERT_EXPIRED) +				imcb_error( ic, "The certificate has expired." ); +			if (returncode & VERIFY_CERT_WRONG_HOSTNAME) +				imcb_error( ic, "The hostname specified in the certificate doesn't match the server name." ); +			imc_logout( ic, FALSE ); +		} +		else  		imc_logout( ic, TRUE );  		return FALSE;  	} 
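Review bot: The `else` that closes the new chain leaves `imc_logout( ic, TRUE );` unbraced on the following line, while the four verification branches each repeat `imc_logout( ic, FALSE );`, so the reconnect decision is spread over five places and any statement later added after that `else` would run on every path. I would have the branches only report and set a flag, then call `imc_logout()` once (fence below); that also lets "Could not connect to server", which is currently printed first for every rejected certificate, move to the plain-failure branch so the messages say what actually happened. Two of the new user-facing strings are misspelled: `"...built agains the OpenSSL library."` and `"...built agains the NSS library."` should read "against", and `"An error occured during..."` should read "occurred". The tests also assume the ssl layer sets VERIFY_CERT_INVALID whenever any VERIFY_CERT_* detail flag is set; if a flag such as VERIFY_CERT_WRONG_HOSTNAME can come back on its own it would fall through to the reconnect path, which is worth checking against the ssl layer's definitions, not part of this diff. jabber_connected_ssl and the failure `if` it sits in begin before this hunk.
```c
		gboolean retry = TRUE;   /* declared at the top of the failure block */

		jd->ssl = NULL;
		if( returncode == OPENSSL_VERIFY_ERROR )
		{
			imcb_error( ic, "This BitlBee server is built against the OpenSSL library." );
			imcb_error( ic, "Unfortunately certificate verification is only supported when built against GnuTLS for now." );
			retry = FALSE;
		}
		/* … unchanged: NSS_VERIFY_ERROR, VERIFY_CERT_ERROR and VERIFY_CERT_INVALID branches, with `retry = FALSE;` in place of each imc_logout( ic, FALSE ) … */
		else
		{
			imcb_error( ic, "Could not connect to server" );
		}
		imc_logout( ic, retry );
		return FALSE;
```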
@@ -396,7 +433,7 @@ static xt_status jabber_pkt_proceed_tls( struct xt_node *node, gpointer data )  {  	struct im_connection *ic = data;  	struct jabber_data *jd = ic->proto_data; -	char *xmlns; +	char *xmlns, *tlsname;  	xmlns = xt_find_attr( node, "xmlns" ); @@ -422,7 +459,17 @@ static xt_status jabber_pkt_proceed_tls( struct xt_node *node, gpointer data )  	imcb_log( ic, "Converting stream to TLS" );  	jd->flags |= JFLAG_STARTTLS_DONE; -	jd->ssl = ssl_starttls( jd->fd, jabber_connected_ssl, ic ); + +	/* If the user specified a server for the account, use this server as the  +	 * hostname in the certificate verification. Else we use the domain from  +	 * the username. */ +	if( ic->acc->server && *ic->acc->server ) +		tlsname = ic->acc->server; +	else +		tlsname = jd->server; +	 +	jd->ssl = ssl_starttls( jd->fd, tlsname, set_getbool( &ic->acc->set, "tls_verify" ), +	                        jabber_connected_ssl, ic );  	return XT_HANDLED;  } diff --git a/protocols/jabber/jabber.c b/protocols/jabber/jabber.c index 7d9547ab..dd2f0866 100644 --- a/protocols/jabber/jabber.c +++ b/protocols/jabber/jabber.c @@ -81,6 +81,9 @@ static void jabber_init( account_t *acc )  	s = set_add( &acc->set, "tls", "try", set_eval_tls, acc );  	s->flags |= ACC_SET_OFFLINE_ONLY; +	s = set_add( &acc->set, "tls_verify", "true", set_eval_bool, acc ); +	s->flags |= ACC_SET_OFFLINE_ONLY; +	  	s = set_add( &acc->set, "sasl", "true", set_eval_bool, acc );  	s->flags |= ACC_SET_OFFLINE_ONLY | SET_HIDDEN_DEFAULT; diff --git a/protocols/jabber/jabber.h b/protocols/jabber/jabber.h index adf9a291..5996c301 100644 --- a/protocols/jabber/jabber.h +++ b/protocols/jabber/jabber.h 
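Review bot: The hostname passed to `ssl_starttls()` is the account's `server` setting when one is set and `jd->server` otherwise, which is the right choice for SRV-resolved XMPP domains, but this selection and the `set_getbool( &ic->acc->set, "tls_verify" )` lookup only cover the STARTTLS path. The first hunk changes the callback signature that the ssl layer's direct-connect entry point would also use, yet no call of that entry point appears in this diff; if it has not been given the same hostname and `tls_verify` arguments, accounts that connect over old-style SSL would stay unverified while the setting reads true, so that call site should be checked. `tlsname` is never written through and could be declared `const char *tlsname` if `ssl_starttls()` accepts it. jabber_pkt_proceed_tls begins before this hunk.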
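Review bot: `tls_verify` defaults to "true", but the `tls` setting two lines above it keeps its default of "try", so the new certificate check only runs when the server actually offers STARTTLS; an on-path attacker who strips the starttls feature from the stream features gets a plaintext session without ever presenting a certificate. That dependency should be spelled out where the setting is registered, e.g. `/* tls_verify only protects the session when tls is "true"; with the default "try", a stripped STARTTLS offer falls back to plaintext and no certificate is checked. */`. Whether the "try" path reports the missing STARTTLS offer to the user is decided in set_eval_tls and the feature handler, neither of which is in this hunk.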
@@ -306,7 +306,7 @@ extern const struct jabber_away_state jabber_away_state_list[];  int jabber_write_packet( struct im_connection *ic, struct xt_node *node );  int jabber_write( struct im_connection *ic, char *buf, int len );  gboolean jabber_connected_plain( gpointer data, gint source, b_input_condition cond ); -gboolean jabber_connected_ssl( gpointer data, void *source, b_input_condition cond ); +gboolean jabber_connected_ssl( gpointer data, int returncode, void *source, b_input_condition cond );  gboolean jabber_start_stream( struct im_connection *ic );  void jabber_end_stream( struct im_connection *ic ); diff --git a/protocols/skype/skype.c b/protocols/skype/skype.c index 5b1a6c30..10f355a6 100644 --- a/protocols/skype/skype.c +++ b/protocols/skype/skype.c @@ -1156,7 +1156,7 @@ gboolean skype_start_stream(struct im_connection *ic)  	return st;  } -gboolean skype_connected(gpointer data, void *source, b_input_condition cond) +gboolean skype_connected(gpointer data, int returncode, void *source, b_input_condition cond)  {  	struct im_connection *ic = data;  	struct skype_data *sd = ic->proto_data; | 
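Review bot: The prototype gains `int returncode` with no documentation of its values, and this header is where the other protocol callbacks will look for them. I would add above the declaration a comment such as `/* returncode: verification result from the ssl layer — OPENSSL_VERIFY_ERROR / NSS_VERIFY_ERROR when the build cannot verify, VERIFY_CERT_ERROR, or a bitmask containing VERIFY_CERT_INVALID plus VERIFY_CERT_* detail flags; presumably 0 when nothing failed. */`, with the zero case confirmed against the ssl layer's header since it is not visible in this diff.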
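Review bot: `skype_connected` now receives `returncode`, but the two visible body lines do not consult it and the rest of the function is outside this hunk; if it still only tests `source` for NULL, a certificate rejected by the ssl layer is reported and retried as a generic connection failure instead of the hard logout the jabber callback performs for VERIFY_CERT_INVALID. The failure branch should mirror that behaviour, e.g. `if( returncode != 0 ) { imcb_error( ic, "Unable to verify peer's certificate." ); imc_logout( ic, FALSE ); return FALSE; }` where `source == NULL` is handled, assuming 0 means no verification error. The connect call that would hand this protocol's hostname and `tls_verify` flag to the ssl layer is not part of the diff either, so whether Skype connections are verified at all cannot be judged from here.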
