From 03a999261937c9d389ad96759ff56efbbb1eb605 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Wed, 12 Aug 2020 07:29:30 +0200
Subject: serv, cli: ensure that invalid flag is always set

According to the documentation, the GNUTLS_CERT_INVALID flag must
always be set in case of verification failure, together with the flag
indicating the actual error cause.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 src/common.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/common.c b/src/common.c
index 753481741b..2dc54d09bf 100644
--- a/src/common.c
+++ b/src/common.c
@@ -282,8 +282,11 @@ int cert_verify(gnutls_session_t session, const char *hostname, const char *purp
 
 	gnutls_free(out.data);
 
-	if (status)
+	if (status) {
+		if (!(status & GNUTLS_CERT_INVALID))
+			abort();
 		return 0;
+	}
 
 	return 1;
 }
-- 
cgit v1.2.1