From: Lutz Jänicke <jaenicke@openssl.org>
Date: Tue, 19 Mar 2002 16:47:09 +0000 (+0000)
Subject: Map new X509 verification errors to alert codes (Tom Wu <tom@arcot.com>).
X-Git-Tag: OpenSSL_0_9_6d-beta1~26
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=6bcba344b5f61c661f5f089e425ed6e326d4eecf;p=oweals%2Fopenssl.git

Map new X509 verification errors to alert codes (Tom Wu <tom@arcot.com>).
---

diff --git a/CHANGES b/CHANGES
index 7ff5bdf306..4b145f07f4 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.6c and 0.9.6d  [XX xxx XXXX]
 
+  *) Map new X509 verification errors to alerts. Discovered and submitted by
+     Tom Wu <tom@arcot.com>.
+     [Lutz Jaenicke]
+
   *) Fix ssl3_pending() (ssl/s3_lib.c) to prevent SSL_pending() from
      returning non-zero before the data has been completely received
      when using non-blocking I/O.
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index 3f09b8bc17..49b159d290 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -528,6 +528,8 @@ int ssl_verify_alarm_type(long type)
 	case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD:
 	case X509_V_ERR_CERT_NOT_YET_VALID:
 	case X509_V_ERR_CRL_NOT_YET_VALID:
+	case X509_V_ERR_CERT_UNTRUSTED:
+	case X509_V_ERR_CERT_REJECTED:
 		al=SSL_AD_BAD_CERTIFICATE;
 		break;
 	case X509_V_ERR_CERT_SIGNATURE_FAILURE:
@@ -549,11 +551,16 @@ int ssl_verify_alarm_type(long type)
 	case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
 	case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
 	case X509_V_ERR_CERT_CHAIN_TOO_LONG:
+	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
+	case X509_V_ERR_INVALID_CA:
 		al=SSL_AD_UNKNOWN_CA;
 		break;
 	case X509_V_ERR_APPLICATION_VERIFICATION:
 		al=SSL_AD_HANDSHAKE_FAILURE;
 		break;
+	case X509_V_ERR_INVALID_PURPOSE:
+		al=SSL_AD_UNSUPPORTED_CERTIFICATE;
+		break;
 	default:
 		al=SSL_AD_CERTIFICATE_UNKNOWN;
 		break;