
bug 1115: Check status after gnutls_certificate_verify_peers2

The deprecated gnutls_certificate_verify_peers function returns -1
if it fails, or a set of gnutls_certificate_status_t bits; each bit
indicates some kind of problem, so the result is zero if the
certificate is OK.

The newer gnutls_certificate_verify_peers2 function returns -1 if it
fails, or 0 if it succeeds; and writes the status bits via a pointer.
When using that function, ELinks must check the status separately.
Do that.

Also, if GnuTLS is not being used, do not declare a status variable,
because leaving it unused would break the debug build:

/home/Kalle/src/elinks-0.13/src/network/ssl/socket.c: In function ‘ssl_want_read’:
/home/Kalle/src/elinks-0.13/src/network/ssl/socket.c:87: error: unused variable ‘status’
/home/Kalle/src/elinks-0.13/src/network/ssl/socket.c: In function ‘ssl_connect’:
/home/Kalle/src/elinks-0.13/src/network/ssl/socket.c:121: error: unused variable ‘status’
Kalle Olavi Niemitalo 2011-05-01 02:18:46 +03:00 committed by Kalle Olavi Niemitalo
parent b228fe82ab
commit 2d8fd9cecf


@ -84,7 +84,9 @@ ssl_set_no_tls(struct socket *socket)
static void static void
ssl_want_read(struct socket *socket) ssl_want_read(struct socket *socket)
{ {
#ifdef CONFIG_GNUTLS
unsigned int status; unsigned int status;
#endif
if (socket->no_tls) if (socket->no_tls)
ssl_set_no_tls(socket); ssl_set_no_tls(socket);
@ -93,7 +95,8 @@ ssl_want_read(struct socket *socket)
case SSL_ERROR_NONE: case SSL_ERROR_NONE:
#ifdef CONFIG_GNUTLS #ifdef CONFIG_GNUTLS
if (get_opt_bool("connection.ssl.cert_verify", NULL) if (get_opt_bool("connection.ssl.cert_verify", NULL)
&& gnutls_certificate_verify_peers2(*((ssl_t *) socket->ssl), &status)) { && (gnutls_certificate_verify_peers2(*((ssl_t *) socket->ssl), &status)
|| status)) {
socket->ops->retry(socket, connection_state(S_SSL_ERROR)); socket->ops->retry(socket, connection_state(S_SSL_ERROR));
return; return;
} }
@ -118,7 +121,9 @@ int
ssl_connect(struct socket *socket) ssl_connect(struct socket *socket)
{ {
int ret; int ret;
#ifdef CONFIG_GNUTLS
unsigned int status; unsigned int status;
#endif
if (init_ssl_connection(socket) == S_SSL_ERROR) { if (init_ssl_connection(socket) == S_SSL_ERROR) {
socket->ops->done(socket, connection_state(S_SSL_ERROR)); socket->ops->done(socket, connection_state(S_SSL_ERROR));
@ -196,7 +201,8 @@ ssl_connect(struct socket *socket)
if (!get_opt_bool("connection.ssl.cert_verify", NULL)) if (!get_opt_bool("connection.ssl.cert_verify", NULL))
break; break;
if (!gnutls_certificate_verify_peers2(*((ssl_t *) socket->ssl), &status)) if (!gnutls_certificate_verify_peers2(*((ssl_t *) socket->ssl), &status)
&& !status)
#endif #endif
break; break;
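Review bot: The verification condition is now written twice with opposite polarity, `&& (gnutls_certificate_verify_peers2(...) || status)` in ssl_want_read and `if (!gnutls_certificate_verify_peers2(...) && !status)` in ssl_connect, so any later correction has to be applied in both places and the `#ifdef CONFIG_GNUTLS`-guarded `status` declarations in the first and third hunks exist only to feed these two expressions. A small `static int` helper under the same `#ifdef` that owns the `status` local and returns nonzero when either the call fails or any status bit is set would let both call sites read `ssl_peer_verify_failed(socket)` and drop the two declarations; initialising `status` to 0 inside it also removes the reliance on `||` short-circuiting to avoid reading an unset value. Note that gnutls_certificate_verify_peers2 checks only the chain against the trust list, so unless the hostname is matched elsewhere in this file (outside the hunks shown) a valid certificate issued for any name passes this test. The bodies of ssl_want_read and ssl_connect extend beyond the hunks shown.
```c
#ifdef CONFIG_GNUTLS
/* Nonzero when the peer's certificate chain did not verify: either the
 * verify call itself failed, or it reported any gnutls_certificate_status_t
 * bit (every bit denotes a problem, so zero means the chain is OK). */
static int
ssl_peer_verify_failed(struct socket *socket)
{
	unsigned int status = 0;

	return gnutls_certificate_verify_peers2(*((ssl_t *) socket->ssl), &status)
	       || status;
}
#endif

/* … unchanged: ssl_want_read up to the SSL_ERROR_NONE case … */
	if (get_opt_bool("connection.ssl.cert_verify", NULL)
	    && ssl_peer_verify_failed(socket)) {
/* … unchanged: retry and return … */

/* … unchanged: ssl_connect up to the cert_verify option test … */
	if (!ssl_peer_verify_failed(socket))
/* … unchanged: #endif and break … */
```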