X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=src%2Fverify.c;h=f68d1bb771a63526f93fba00623fa30061b69e9e;hb=8f9459308e695a30874a6cdcd53aa26441b87131;hp=34a081493e81b1a41ef044ff69dffb77d2c8ef99;hpb=b7ce41b809a3b3533d398c0da8fd9787c149434c;p=tlsproxy%2Ftlsproxy.git diff --git a/src/verify.c b/src/verify.c index 34a0814..f68d1bb 100644 --- a/src/verify.c +++ b/src/verify.c @@ -26,6 +26,31 @@ #include +/* Compatibility for older GnuTLS versions. Define the constants in a way + * which doesn't affect the status check below. */ +#ifndef GNUTLS_CERT_SIGNER_NOT_CA +# define GNUTLS_CERT_SIGNER_NOT_CA 0 +#endif +#ifndef GNUTLS_CERT_SIGNATURE_FAILURE +# define GNUTLS_CERT_SIGNATURE_FAILURE 0 +#endif +#ifndef GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED +# define GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED 0 +#endif +#ifndef GNUTLS_CERT_UNEXPECTED_OWNER +# define GNUTLS_CERT_UNEXPECTED_OWNER 0 +#endif +#ifndef GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE +# define GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE 0 +#endif +#ifndef GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE +# define GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE 0 +#endif +#ifndef GNUTLS_CERT_MISMATCH +# define GNUTLS_CERT_MISMATCH 0 +#endif + + static int get_certificate_path(const char *format, const char *hostname, char *buffer, size_t size); @@ -55,10 +80,17 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { return -1; } /* Definitely an invalid certificate, abort. */ - if (status & GNUTLS_CERT_EXPIRED - || status & GNUTLS_CERT_REVOKED + if (status & GNUTLS_CERT_REVOKED + || status & GNUTLS_CERT_SIGNER_NOT_CA + || status & GNUTLS_CERT_INSECURE_ALGORITHM || status & GNUTLS_CERT_NOT_ACTIVATED - || status & GNUTLS_CERT_INSECURE_ALGORITHM) { + || status & GNUTLS_CERT_EXPIRED + || status & GNUTLS_CERT_SIGNATURE_FAILURE + || status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED + || status & GNUTLS_CERT_UNEXPECTED_OWNER + || status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE + || status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE + || status & GNUTLS_CERT_MISMATCH) { LOG(WARNING, "verify_tls_connection(): invalid server certificate"); return -1; } @@ -115,7 +147,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { /* Open stored server certificate file. */ if (server_certificate_file(&file, hostname, path, sizeof(path)) != 0) { - LOG(DEBUG, "server certificate:\n%s", server_cert); + LOG(DEBUG1, "server certificate:\n%s", server_cert); return -1; } @@ -129,7 +161,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { LOG(WARNING, "verify_tls_connection(): '%s' too big", path); fclose(file); - LOG(DEBUG, "server certificate:\n%s", server_cert); + LOG(DEBUG1, "server certificate:\n%s", server_cert); return -1; } @@ -140,7 +172,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { path, strerror(errno)); fclose(file); - LOG(DEBUG, "server certificate:\n%s", server_cert); + LOG(DEBUG1, "server certificate:\n%s", server_cert); return -1; } fclose(file); @@ -220,8 +252,8 @@ int server_certificate_file(FILE **file, const char *hostname, *file = fopen(path, "rb"); if (*file == NULL) { if (global_passthrough_unknown) { - LOG(DEBUG, "server_certificate_file(): failed to open '%s': %s", - path, strerror(errno)); + LOG(DEBUG1, "server_certificate_file(): failed to open '%s': %s", + path, strerror(errno)); } else { LOG(WARNING, "server_certificate_file(): failed to open '%s': %s", path, strerror(errno));