X-Git-Url: https://ruderich.org/simon/gitweb/?p=tlsproxy%2Ftlsproxy.git;a=blobdiff_plain;f=src%2Fverify.c;h=f68d1bb771a63526f93fba00623fa30061b69e9e;hp=b6f1ff845aab14bb7a55c8d7106d8e09f63c1804;hb=8f9459308e695a30874a6cdcd53aa26441b87131;hpb=2e96ede8aa7a32d840fa62fd8c4520960b69348d diff --git a/src/verify.c b/src/verify.c index b6f1ff8..f68d1bb 100644 --- a/src/verify.c +++ b/src/verify.c @@ -26,6 +26,31 @@ #include +/* Compatibility for older GnuTLS versions. Define the constants in a way + * which doesn't affect the status check below. */ +#ifndef GNUTLS_CERT_SIGNER_NOT_CA +# define GNUTLS_CERT_SIGNER_NOT_CA 0 +#endif +#ifndef GNUTLS_CERT_SIGNATURE_FAILURE +# define GNUTLS_CERT_SIGNATURE_FAILURE 0 +#endif +#ifndef GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED +# define GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED 0 +#endif +#ifndef GNUTLS_CERT_UNEXPECTED_OWNER +# define GNUTLS_CERT_UNEXPECTED_OWNER 0 +#endif +#ifndef GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE +# define GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE 0 +#endif +#ifndef GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE +# define GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE 0 +#endif +#ifndef GNUTLS_CERT_MISMATCH +# define GNUTLS_CERT_MISMATCH 0 +#endif + + static int get_certificate_path(const char *format, const char *hostname, char *buffer, size_t size); @@ -56,10 +81,16 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) { } /* Definitely an invalid certificate, abort. */ if (status & GNUTLS_CERT_REVOKED + || status & GNUTLS_CERT_SIGNER_NOT_CA || status & GNUTLS_CERT_INSECURE_ALGORITHM || status & GNUTLS_CERT_NOT_ACTIVATED || status & GNUTLS_CERT_EXPIRED - ) { + || status & GNUTLS_CERT_SIGNATURE_FAILURE + || status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED + || status & GNUTLS_CERT_UNEXPECTED_OWNER + || status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE + || status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE + || status & GNUTLS_CERT_MISMATCH) { LOG(WARNING, "verify_tls_connection(): invalid server certificate"); return -1; }