From 89f897c3fdb4c1342b3e9b9f6cb33cd0f869e2aa Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Sat, 24 Sep 2011 03:09:44 -0400 Subject: [PATCH] Pull Andreas Metzler's fix for gnutls_certificate_verify_peers (bug 1095) --- doc/doc-txt/ChangeLog | 2 ++ src/src/tls-gnu.c | 8 ++++---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c1362b1bd..e58136040 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -114,6 +114,8 @@ PP/09 Handle IPv6 addresses with SPF. PP/10 GnuTLS: support TLS 1.2 & 1.1. Bugzilla 1156. + Use gnutls_certificate_verify_peers2() [patch from Andreas Metzler]. + Bugzilla 1095. Exim version 4.76 diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 4de9d4f68..6b80637e9 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -235,10 +235,10 @@ Returns: TRUE/FALSE static BOOL verify_certificate(gnutls_session session, const char **error) { -int verify; +int rc; uschar *dn_string = US""; const gnutls_datum *cert; -unsigned int cert_size = 0; +unsigned int verify, cert_size = 0; *error = NULL; @@ -262,7 +262,7 @@ if (cert != NULL) dn_string = string_copy_malloc(buff); } - verify = gnutls_certificate_verify_peers(session); + rc = gnutls_certificate_verify_peers2(session, &verify); } else { @@ -274,7 +274,7 @@ else /* Handle the result of verification. INVALID seems to be set as well as REVOKED, but leave the test for both. */ -if ((verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0) +if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0) { tls_certificate_verified = FALSE; if (*error == NULL) *error = ((verify & GNUTLS_CERT_REVOKED) != 0)? -- 2.30.2