vlc | branch: master | Rémi Denis-Courmont <[email protected]> | Mon Feb 18 22:24:59 2013 +0200| [7cc2c800a026e661b7dd63054959e79008cfc8e4] | committer: Rémi Denis-Courmont
gnutls: fix strict certificate checks and simplify
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=7cc2c800a026e661b7dd63054959e79008cfc8e4
---
 modules/misc/gnutls.c | 45 +++++++++++++-------------------------------
 1 file changed, 13 insertions(+), 32 deletions(-)
diff --git a/modules/misc/gnutls.c b/modules/misc/gnutls.c
index 3a0bd34..e401935 100644
--- a/modules/misc/gnutls.c
+++ b/modules/misc/gnutls.c
@@ -345,25 +345,17 @@ static int gnutls_CertSearch (vlc_tls_t *obj, const char *host,
 static struct
 {
-    int flag;
-    const char msg[43];
-    bool strict;
+    unsigned flag;
+    const char msg[29];
 } cert_errs[] =
 {
-    { GNUTLS_CERT_INVALID,
-      "Certificate could not be verified", false },
-    { GNUTLS_CERT_REVOKED,
-      "Certificate was revoked", true },
-    { GNUTLS_CERT_SIGNER_NOT_FOUND,
-      "Certificate's signer was not found", false },
-    { GNUTLS_CERT_SIGNER_NOT_CA,
-      "Certificate's signer is not a CA", true },
-    { GNUTLS_CERT_INSECURE_ALGORITHM,
-      "Insecure certificate signature algorithm", true },
-    { GNUTLS_CERT_NOT_ACTIVATED,
-      "Certificate is not yet activated", true },
-    { GNUTLS_CERT_EXPIRED,
-      "Certificate has expired", true },
+    { GNUTLS_CERT_INVALID, "Certificate not verified" },
+    { GNUTLS_CERT_REVOKED, "Certificate revoked" },
+    { GNUTLS_CERT_SIGNER_NOT_FOUND, "Signer not found" },
+    { GNUTLS_CERT_SIGNER_NOT_CA, "Signer not a CA" },
+    { GNUTLS_CERT_INSECURE_ALGORITHM, "Signature algorithm insecure" },
+    { GNUTLS_CERT_NOT_ACTIVATED, "Certificate not activated" },
+    { GNUTLS_CERT_EXPIRED, "Certificate expired" },
 };
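Review bot: The new `const char msg[29];` member is sized exactly to the longest entry ("Signature algorithm insecure" is 28 characters plus the terminator), so a future message of 29 characters would still compile in C but be stored without its NUL, and the `" * %s"` print in gnutls_HandshakeAndValidate would read past the entry. Either a `const char *msg;` member or a comment on the field, e.g. `/* longest message + NUL; a 29-char literal compiles but is unterminated */`, would keep the table safe to extend. The old `msg[43]` had the same hazard, but tightening the size makes it easier to hit.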
@@ -386,25 +378,14 @@ static int gnutls_HandshakeAndValidate (vlc_tls_t *session, const char *host,
                  gnutls_strerror (val));
         return -1;
     }
-
     if (status)
     {
-        msg_Err (session, "Certificate verification failure:");
+        msg_Err (session, "Certificate verification failure (0x%04X)", status);
         for (size_t i = 0; i < sizeof (cert_errs) / sizeof (cert_errs[0]); i++)
             if (status & cert_errs[i].flag)
-            {
                 msg_Err (session, " * %s", cert_errs[i].msg);
-                status &= ~cert_errs[i].flag;
-                if (cert_errs[i].strict)
-                    val = -1;
-            }
-
-        if (status)
-        {
-            msg_Err (session, " * Unknown verification error 0x%04X", status);
-            val = -1;
-        }
-        status = -1;
+        if (status & ~(GNUTLS_CERT_INVALID|GNUTLS_CERT_SIGNER_NOT_FOUND))
+            return -1;
     }
     /* certificate (host)name verification */
@@ -447,7 +428,7 @@ static int gnutls_HandshakeAndValidate (vlc_tls_t *session, const char *host,
     }
 error:
     gnutls_x509_crt_deinit (cert);
-    return val ? -1 : 0;
+    return val;
 }
 static int
_______________________________________________
vlc-commits mailing list
[email protected]
http://mailman.videolan.org/listinfo/vlc-commits
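Review bot: The new line `if (status & ~(GNUTLS_CERT_INVALID|GNUTLS_CERT_SIGNER_NOT_FOUND))` now carries the whole trust policy — an unverifiable chain with no known signer continues, every other flag is fatal — yet it has no comment, whereas the per-entry `strict` field it replaces at least made the intent readable next to each flag. A one-line comment above it, such as `/* Unknown signer is not fatal here: presumably deferred to the known-certificate lookup (gnutls_CertSearch) later on; any other flag is. */`, would stop a future maintainer from "fixing" the mask in either direction; the deferral itself is inferred from the first hunk's function name, not visible here. Note also that the added `return -1;` leaves the function before the `/* certificate (host)name verification */` section, so the log no longer lists a name mismatch alongside chain errors, and it bypasses the `error:` cleanup; the existing `return -1;` in the context above suggests nothing needs releasing at this point, but the function continues outside the hunk so that cannot be confirmed here.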
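Review bot: `return val;` drops the `val ? -1 : 0` normalisation the `error:` path previously applied, so whatever `val` holds there now reaches the caller unchanged. With the `val = -1` assignments removed in the preceding hunk, `val` appears to be set only by GnuTLS calls, whose failure codes are negative but not necessarily -1; if any caller compares the result against -1 instead of testing for non-zero, that contract changed without notice. The assignments to `val` lie outside this hunk, so this is worth confirming against the callers, or keeping `return val ? -1 : 0;` if -1/0 is the documented convention for this function.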
