From 8f9459308e695a30874a6cdcd53aa26441b87131 Mon Sep 17 00:00:00 2001
From: Simon Ruderich <simon@ruderich.org>
Date: Thu, 8 Aug 2013 21:32:41 +0200
Subject: [PATCH] verify.c: Perform additional checks on server certificate.

---
 src/verify.c | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/src/verify.c b/src/verify.c
index b6f1ff8..f68d1bb 100644
--- a/src/verify.c
+++ b/src/verify.c
@@ -26,6 +26,31 @@
 #include <gnutls/x509.h>
 
 
+/* Compatibility for older GnuTLS versions. Define the constants in a way
+ * which doesn't affect the status check below. */
+#ifndef GNUTLS_CERT_SIGNER_NOT_CA
+# define GNUTLS_CERT_SIGNER_NOT_CA 0
+#endif
+#ifndef GNUTLS_CERT_SIGNATURE_FAILURE
+# define GNUTLS_CERT_SIGNATURE_FAILURE 0
+#endif
+#ifndef GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED
+# define GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED 0
+#endif
+#ifndef GNUTLS_CERT_UNEXPECTED_OWNER
+# define GNUTLS_CERT_UNEXPECTED_OWNER 0
+#endif
+#ifndef GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE
+# define GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE 0
+#endif
+#ifndef GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
+# define GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE 0
+#endif
+#ifndef GNUTLS_CERT_MISMATCH
+# define GNUTLS_CERT_MISMATCH 0
+#endif
+
+
 static int get_certificate_path(const char *format,
         const char *hostname, char *buffer, size_t size);
 
@@ -56,10 +81,16 @@ int verify_tls_connection(gnutls_session_t session, const char *hostname) {
     }
     /* Definitely an invalid certificate, abort. */
     if (status & GNUTLS_CERT_REVOKED
+            || status & GNUTLS_CERT_SIGNER_NOT_CA
             || status & GNUTLS_CERT_INSECURE_ALGORITHM
             || status & GNUTLS_CERT_NOT_ACTIVATED
             || status & GNUTLS_CERT_EXPIRED
-            ) {
+            || status & GNUTLS_CERT_SIGNATURE_FAILURE
+            || status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED
+            || status & GNUTLS_CERT_UNEXPECTED_OWNER
+            || status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE
+            || status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE
+            || status & GNUTLS_CERT_MISMATCH) {
         LOG(WARNING, "verify_tls_connection(): invalid server certificate");
         return -1;
     }
-- 
2.43.2