certificate authentication fixes

2025-05-31 16:50:58 +00:00 · 2018-08-24 13:18:27 +01:00 · 2018-08-24 13:18:27 +01:00 · 1e4a2d7587
commit 1e4a2d7587
parent cb0ea3fb6d
2 changed files with 28 additions and 20 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
 2018-08-24  Richard Frith-Macdonald <rfm@gnu.org>
 	* Source/GSTLS.m: Fixup for last modification ... still verify the
 	certificate (so we can find out who issued/owns it) even if we do
 	not have verification turned on ... the verification setting controls
 	whether we reject the connection.  Also fixed off by one bug in
 	getting the issuer and owner distinguished names.
 2018-08-13  Richard Frith-Macdonald <rfm@gnu.org>
 	* Source/GSTLS.m: Change behavior so that when acting as a server we
--- a/Source/GSTLS.m
+++ b/Source/GSTLS.m
@ -1816,30 +1816,30 @@ retrieve_callback(gnutls_session_t session,
      if (globalDebug > 1)
        {
-          if (YES == shouldVerify)
+          NSLog(@"%@ trying verify:\n%@", self, [self sessionInfo]);
            {
              NSLog(@"%@ before verify:\n%@", self, [self sessionInfo]);
        }
          else
            {
              NSLog(@"%@ do not verify:\n%@", self, [self sessionInfo]);
            }
        }
      if (YES == shouldVerify)
        {
      ret = [self verify];
      if (ret < 0)
        {
-              if (globalDebug > 0
+          if (globalDebug > 1 || (YES == shouldVerify && globalDebug > 0)
            || YES == [[opts objectForKey: GSTLSDebug] boolValue])
            {
              NSLog(@"%@ unable to verify SSL connection - %s",
                self, gnutls_strerror(ret));
              NSLog(@"%@ %@", self, [self sessionInfo]);
            }
          if (YES == shouldVerify)
            {
              [self disconnect: NO];
            }
        }
      else
        {
          if (globalDebug > 1)
            {
              NSLog(@"%@ succeeded verify:\n%@", self, [self sessionInfo]);
            }
        }
      return YES;       // Handshake complete
    }
 }
@ -2221,14 +2221,14 @@ retrieve_callback(gnutls_session_t session,
      /* Get certificate owner and issuer
       */
-      dn_size = sizeof(dn);
+      dn_size = sizeof(dn)-1;
      gnutls_x509_crt_get_dn(cert, dn, &dn_size);
-      dn[dn_size - 1] = '\0';
+      dn[dn_size] = '\0';
      ASSIGN(owner, [NSString stringWithUTF8String: dn]);
-      dn_size = sizeof(dn);
+      dn_size = sizeof(dn)-1;
      gnutls_x509_crt_get_issuer_dn(cert, dn, &dn_size);
-      dn[dn_size - 1] = '\0';
+      dn[dn_size] = '\0';
      ASSIGN(issuer, [NSString stringWithUTF8String: dn]);
    }