From 1e4a2d7587fc7623cdfa41504c40a7650fe60642 Mon Sep 17 00:00:00 2001
From: Richard Frith-Macdonald
Date: Fri, 24 Aug 2018 13:18:27 +0100
Subject: [PATCH] certificate authentication fixes

---
 ChangeLog | 8 ++++++++
 Source/GSTLS.m | 40 ++++++++++++++++++++--------------------
 2 files changed, 28 insertions(+), 20 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index fb9506e69..cc46504ea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2018-08-24 Richard Frith-Macdonald
+
+ * Source/GSTLS.m: Fixup for last modification ... still verify the
+ certificate (so we can find out who issued/owns it) even if we do
+ not have verification turned on ... the verification setting controls
+ whether we reject the connection. Also fixed off by one bug in
+ getting the issuer and owner distinguished names.
+
 2018-08-13 Richard Frith-Macdonald
 * Source/GSTLS.m: Change behavior so that when acting as a server we
diff --git a/Source/GSTLS.m b/Source/GSTLS.m
index a1fe8be2c..b89bb2fa2 100644
--- a/Source/GSTLS.m
+++ b/Source/GSTLS.m
@@ -1816,28 +1816,28 @@ retrieve_callback(gnutls_session_t session,
 if (globalDebug > 1)
 {
+ NSLog(@"%@ trying verify:\n%@", self, [self sessionInfo]);
+ }
+ ret = [self verify];
+ if (ret < 0)
+ {
+ if (globalDebug > 1 || (YES == shouldVerify && globalDebug > 0)
+ || YES == [[opts objectForKey: GSTLSDebug] boolValue])
+ {
+ NSLog(@"%@ unable to verify SSL connection - %s",
+ self, gnutls_strerror(ret));
+ NSLog(@"%@ %@", self, [self sessionInfo]);
+ }
 if (YES == shouldVerify)
 {
- NSLog(@"%@ before verify:\n%@", self, [self sessionInfo]);
- }
- else
- {
- NSLog(@"%@ do not verify:\n%@", self, [self sessionInfo]);
+ [self disconnect: NO];
 }
 }
- if (YES == shouldVerify)
+ else
 {
- ret = [self verify];
- if (ret < 0)
+ if (globalDebug > 1)
 {
- if (globalDebug > 0
- || YES == [[opts objectForKey: GSTLSDebug] boolValue])
- {
- NSLog(@"%@ unable to verify SSL connection - %s",
- self, gnutls_strerror(ret));
- NSLog(@"%@ %@", self, [self sessionInfo]);
- }
- [self disconnect: NO];
+ NSLog(@"%@ succeeded verify:\n%@", self, [self sessionInfo]);
 }
 }
 return YES; // Handshake complete
@@ -2221,14 +2221,14 @@ retrieve_callback(gnutls_session_t session,
 /* Get certificate owner and issuer */
- dn_size = sizeof(dn);
+ dn_size = sizeof(dn)-1;
 gnutls_x509_crt_get_dn(cert, dn, &dn_size);
- dn[dn_size - 1] = '\0';
+ dn[dn_size] = '\0';
 ASSIGN(owner, [NSString stringWithUTF8String: dn]);
- dn_size = sizeof(dn);
+ dn_size = sizeof(dn)-1;
 gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
- dn[dn_size - 1] = '\0';
+ dn[dn_size] = '\0';
 ASSIGN(issuer, [NSString stringWithUTF8String: dn]);
 }
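Review bot: The result of `[self verify]` is discarded when shouldVerify is NO: the `if (ret < 0)` branch only logs (and only at the debug levels listed) and the method still reaches `return YES; // Handshake complete`, so a session whose peer certificate failed verification looks the same to the caller as one that passed. Since the ChangeLog says the point of always verifying is to learn who owns and issued the certificate, whoever reads those values needs to know whether the chain was actually validated; consider keeping the outcome, e.g. a BOOL instance variable (a new name such as `verified`) set from `ret >= 0` just after `ret = [self verify];`, and exposing it next to owner/issuer. A comment above that line, `/* Always verify so owner/issuer are populated; a failure only ends the session when shouldVerify is set. */`, would make the intent explicit. Note also that after `[self disconnect: NO]` the method still falls through to the same `return YES`, which pre-dates this commit but is easy to misread. The enclosing handshake method starts before this hunk.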
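Review bot: The return value of `gnutls_x509_crt_get_dn` and `gnutls_x509_crt_get_issuer_dn` is still ignored, so the off-by-one fix does not cover the failure path: when the DN does not fit, gnutls returns GNUTLS_E_SHORT_MEMORY_BUFFER and updates `dn_size` to the size it needed, and `dn[dn_size] = '\0'` then writes past the end of `dn`. Because the DN comes from the peer's certificate, this is an out-of-bounds write reachable by a remote party, and the previous `dn[dn_size - 1]` form had the same problem. Only terminate and assign when the call succeeds and `dn_size` is below `sizeof(dn)`; otherwise clear `owner`/`issuer` so callers see no value rather than a stale or truncated one. `stringWithUTF8String:` also returns nil for bytes that are not valid UTF-8, so `owner` can end up nil for a well-formed certificate; worth a comment if that is intended. The enclosing method starts and ends outside the hunk.
```objc
/* Get certificate owner and issuer */
dn_size = sizeof(dn) - 1;
if (gnutls_x509_crt_get_dn(cert, dn, &dn_size) == 0 && dn_size < sizeof(dn))
  {
    dn[dn_size] = '\0';
    ASSIGN(owner, [NSString stringWithUTF8String: dn]);
  }
else
  {
    /* DN unreadable or longer than dn: gnutls may have set dn_size to the
     * size it wanted, so it must not be used as an index. */
    ASSIGN(owner, nil);
  }
dn_size = sizeof(dn) - 1;
if (gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size) == 0 && dn_size < sizeof(dn))
  {
    dn[dn_size] = '\0';
    ASSIGN(issuer, [NSString stringWithUTF8String: dn]);
  }
else
  {
    ASSIGN(issuer, nil);
  }
/* … unchanged: rest of the enclosing block … */
```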