Fix GnuTLS tls_verify_peers() checking.
* Change the function to pass the certstatus parameter by reference, and indicate success/failure of the function via the return value. It was previously returning the certstatus, but was also returning 0 or the *unset* certstatus on error too. Since a 0 certstatus means "success", this meant a gnutls_certificate_verify_peers2() failure would be regarded as a valid cert. * The gnutls_certificate_type_get() inside tls_verify_peers() checks the *client* certificate type. Since it was only called if gnutls_certificate_verify_peers2() failed, I assume was either a mistake, or perhaps an attempt to give a special error message if the client cert was OpenPGP. In either case, the error message was not very informative, so just remove the call and special error message. * Fix GNUTLS_E_NO_CERTIFICATE_FOUND check to be against verify_ret instead of certstat. * Fix gnutls_strerror() call to use verify_ret instead of certstat. * gnutls_certificate_verify_peers2() already calls and checks gnutls_auth_get_type(), so remove call at the beginning of tls_check_certificate(). * gnutls_certificate_verify_peers2() also verifies the certificate type for the *server* is GNUTLS_CRT_X509. Add a comment about that.
Showing with 61 additions and 41 deletions