verify.c: Perform additional checks on server certificate.

[tlsproxy/tlsproxy.git] / src / verify.c

diff --git a/src/verify.c b/src/verify.c
index 34a081493e81b1a41ef044ff69dffb77d2c8ef99..f68d1bb771a63526f93fba00623fa30061b69e9e 100644 (file)
--- a/src/verify.c
+++ b/src/verify.c
@@ -26,6 +26,31 @@
 #include <gnutls/x509.h>
 
 
+/* Compatibility for older GnuTLS versions. Define the constants in a way
+ * which doesn't affect the status check below. */
+#ifndef GNUTLS_CERT_SIGNER_NOT_CA
+# define GNUTLS_CERT_SIGNER_NOT_CA 0
+#endif
+#ifndef GNUTLS_CERT_SIGNATURE_FAILURE
+# define GNUTLS_CERT_SIGNATURE_FAILURE 0
+#endif
+#ifndef GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED
+# define GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED 0
+#endif
+#ifndef GNUTLS_CERT_UNEXPECTED_OWNER
+# define GNUTLS_CERT_UNEXPECTED_OWNER 0
+#endif
+#ifndef GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE
+# define GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE 0
+#endif
+#ifndef GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
+# define GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE 0
+#endif
+#ifndef GNUTLS_CERT_MISMATCH
+# define GNUTLS_CERT_MISMATCH 0
+#endif
+
+
 static int get_certificate_path(const char *format,
         const char *hostname, char *buffer, size_t size);
 
@@ -55,10 +80,17 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
         return -1;
     }
     /* Definitely an invalid certificate, abort. */
-    if (status & GNUTLS_CERT_EXPIRED
-            || status & GNUTLS_CERT_REVOKED
+    if (status & GNUTLS_CERT_REVOKED
+            || status & GNUTLS_CERT_SIGNER_NOT_CA
+            || status & GNUTLS_CERT_INSECURE_ALGORITHM
             || status & GNUTLS_CERT_NOT_ACTIVATED
-            || status & GNUTLS_CERT_INSECURE_ALGORITHM) {
+            || status & GNUTLS_CERT_EXPIRED
+            || status & GNUTLS_CERT_SIGNATURE_FAILURE
+            || status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED
+            || status & GNUTLS_CERT_UNEXPECTED_OWNER
+            || status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE
+            || status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
+            || status & GNUTLS_CERT_MISMATCH) {
         LOG(WARNING, "verify_tls_connection(): invalid server certificate");
         return -1;
     }
@@ -115,7 +147,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
 
     /* Open stored server certificate file. */
     if (server_certificate_file(&file, hostname, path, sizeof(path)) != 0) {
-        LOG(DEBUG, "server certificate:\n%s", server_cert);
+        LOG(DEBUG1, "server certificate:\n%s", server_cert);
         return -1;
     }
 
@@ -129,7 +161,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
             LOG(WARNING, "verify_tls_connection(): '%s' too big", path);
             fclose(file);
 
-            LOG(DEBUG, "server certificate:\n%s", server_cert);
+            LOG(DEBUG1, "server certificate:\n%s", server_cert);
             return -1;
         }
 
@@ -140,7 +172,7 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
                      path, strerror(errno));
         fclose(file);
 
-        LOG(DEBUG, "server certificate:\n%s", server_cert);
+        LOG(DEBUG1, "server certificate:\n%s", server_cert);
         return -1;
     }
     fclose(file);
@@ -220,8 +252,8 @@ int server_certificate_file(FILE **file, const char *hostname,
     *file = fopen(path, "rb");
     if (*file == NULL) {
         if (global_passthrough_unknown) {
-            LOG(DEBUG, "server_certificate_file(): failed to open '%s': %s",
-                       path, strerror(errno));
+            LOG(DEBUG1, "server_certificate_file(): failed to open '%s': %s",
+                        path, strerror(errno));
         } else {
             LOG(WARNING, "server_certificate_file(): failed to open '%s': %s",
                          path, strerror(errno));