X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fverify.c;h=855c5d21c4bcf470fb9d036523a984e7c4a3a6aa;hb=f012f75b2ed64fe9955b1dc2013c06e054bafd7f;hp=ab4499213c3f137f65e17623ed514563fc272066;hpb=f3ca90e517a9ae54e831e5a5b91fcc2afb9df5bf;p=tlsproxy%2Ftlsproxy.git

diff --git a/src/verify.c b/src/verify.c
index ab44992..855c5d2 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -26,6 +26,31 @@
 #include <gnutls/x509.h>
 
 
+/* Compatibility for older GnuTLS versions. Define the constants in a way
+ * which doesn't affect the status check below. */
+#ifndef GNUTLS_CERT_SIGNER_NOT_CA
+# define GNUTLS_CERT_SIGNER_NOT_CA 0
+#endif
+#ifndef GNUTLS_CERT_SIGNATURE_FAILURE
+# define GNUTLS_CERT_SIGNATURE_FAILURE 0
+#endif
+#ifndef GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED
+# define GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED 0
+#endif
+#ifndef GNUTLS_CERT_UNEXPECTED_OWNER
+# define GNUTLS_CERT_UNEXPECTED_OWNER 0
+#endif
+#ifndef GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE
+# define GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE 0
+#endif
+#ifndef GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
+# define GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE 0
+#endif
+#ifndef GNUTLS_CERT_MISMATCH
+# define GNUTLS_CERT_MISMATCH 0
+#endif
+
+
 static int get_certificate_path(const char *format,
         const char *hostname, char *buffer, size_t size);
 
@@ -54,11 +79,19 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
             gnutls_strerror(result));
         return -1;
     }
-    /* Definitely an invalid certificate, abort. */
-    if (status & GNUTLS_CERT_EXPIRED
-            || status & GNUTLS_CERT_REVOKED
+    /* Definitely an invalid certificate, abort. We don't perform any CA
+     * verification so don't check for GNUTLS_CERT_INVALID. */
+    if (status & GNUTLS_CERT_REVOKED
+            || status & GNUTLS_CERT_SIGNER_NOT_CA
+            || status & GNUTLS_CERT_INSECURE_ALGORITHM
             || status & GNUTLS_CERT_NOT_ACTIVATED
-            || status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+            || status & GNUTLS_CERT_EXPIRED
+            || status & GNUTLS_CERT_SIGNATURE_FAILURE
+            || status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED
+            || status & GNUTLS_CERT_UNEXPECTED_OWNER
+            || status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE
+            || status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
+            || status & GNUTLS_CERT_MISMATCH) {
         LOG(WARNING, "verify_tls_connection(): invalid server certificate");
         return -1;
     }
@@ -204,13 +237,13 @@ static int get_certificate_path(const char *format,
 }
 
 int proxy_certificate_path(const char *hostname, char *path, size_t size) {
-    return get_certificate_path(PROXY_SERVER_CERT_FORMAT,
+    return get_certificate_path(PROXY_SERVER_CERT_FILE_FORMAT,
                                 hostname, path, size);
 }
 
 int server_certificate_file(FILE **file, const char *hostname,
                             char *path, size_t size) {
-    if (get_certificate_path(STORED_SERVER_CERT_FORMAT,
+    if (get_certificate_path(STORED_SERVER_CERT_FILE_FORMAT,
                              hostname, path, size) != 0) {
         LOG_PERROR(ERROR, "server_certificate_file(): failed to get path");
         return -1;