waitress: Add TLS fingerprint mismatch error code

2 files changed, 18 insertions, 17 deletions

diff --git a/src/libwaitress/waitress.c b/src/libwaitress/waitress.c
index 8a8315f..efb76a9 100644
--- a/src/libwaitress/waitress.c
+++ b/src/libwaitress/waitress.c
@@ -1,5 +1,5 @@
 /*
-Copyright (c) 2009-2011
+Copyright (c) 2009-2012
 	Lars-Dominik Braun <lars@6xq.net>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -725,44 +725,45 @@ static int WaitressParseStatusline (const char * const line) {
 
 /*	verify server certificate
  */
-static int WaitressTlsVerify (const WaitressHandle_t *waith) {
+static WaitressReturn_t WaitressTlsVerify (const WaitressHandle_t *waith) {
 	gnutls_session_t session = waith->request.tlsSession;
 	unsigned int certListSize;
 	const gnutls_datum_t *certList;
 	gnutls_x509_crt_t cert;
 
 	if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
-		return GNUTLS_E_CERTIFICATE_ERROR;
+		return WAITRESS_RET_TLS_HANDSHAKE_ERR;
 	}
 
 	if ((certList = gnutls_certificate_get_peers (session,
 			&certListSize)) == NULL) {
-		return GNUTLS_E_CERTIFICATE_ERROR;
+		return WAITRESS_RET_TLS_HANDSHAKE_ERR;
 	}
 
 	if (gnutls_x509_crt_init (&cert) != GNUTLS_E_SUCCESS) {
-		return GNUTLS_E_CERTIFICATE_ERROR;
+		return WAITRESS_RET_TLS_HANDSHAKE_ERR;
 	}
 
 	if (gnutls_x509_crt_import (cert, &certList[0],
 			GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS) {
-		return GNUTLS_E_CERTIFICATE_ERROR;
+		return WAITRESS_RET_TLS_HANDSHAKE_ERR;
 	}
 
 	char fingerprint[20];
 	size_t fingerprintSize = sizeof (fingerprint);
 	if (gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1, fingerprint,
 			&fingerprintSize) != 0) {
-		return GNUTLS_E_CERTIFICATE_ERROR;
+		return WAITRESS_RET_TLS_HANDSHAKE_ERR;
 	}
 
+	assert (waith->tlsFingerprint != NULL);
 	if (memcmp (fingerprint, waith->tlsFingerprint, sizeof (fingerprint)) != 0) {
-		return GNUTLS_E_CERTIFICATE_ERROR;
+		return WAITRESS_RET_TLS_FINGERPRINT_MISMATCH;
 	}
 
 	gnutls_x509_crt_deinit (cert);
 
-	return 0;
+	return WAITRESS_RET_OK;
 }
 
 /*	Connect to server
@@ -823,11 +824,12 @@ static WaitressReturn_t WaitressConnect (WaitressHandle_t *waith) {
 	}
 
 	if (waith->url.tls) {
+		WaitressReturn_t wRet;
+
 		/* set up proxy tunnel */
 		if (WaitressProxyEnabled (waith)) {
 			char buf[256];
 			size_t size;
-			WaitressReturn_t wRet;
 
 			snprintf (buf, sizeof (buf), "CONNECT %s:%s HTTP/"
 					WAITRESS_HTTP_VERSION "\r\n"
@@ -855,8 +857,8 @@ static WaitressReturn_t WaitressConnect (WaitressHandle_t *waith) {
 			return WAITRESS_RET_TLS_HANDSHAKE_ERR;
 		}
 
-		if (WaitressTlsVerify (waith) != 0) {
-			return WAITRESS_RET_TLS_HANDSHAKE_ERR;
+		if ((wRet = WaitressTlsVerify (waith)) != WAITRESS_RET_OK) {
+			return wRet;
 		}
 
 		/* now we can talk encrypted */
@@ -1199,8 +1201,8 @@ const char *WaitressErrorToStr (WaitressReturn_t wRet) {
 			return "TLS handshake failed.";
 			break;
 
-		case WAITRESS_RET_TLS_TRUSTFILE_ERR:
-			return "Loading root certificates failed.";
+		case WAITRESS_RET_TLS_FINGERPRINT_MISMATCH:
+			return "TLS fingerprint mismatch.";
 			break;
 
 		default:
diff --git a/src/libwaitress/waitress.h b/src/libwaitress/waitress.h
index da516bb..6a0a66f 100644
--- a/src/libwaitress/waitress.h
+++ b/src/libwaitress/waitress.h
@@ -1,5 +1,5 @@
 /*
-Copyright (c) 2009-2011
+Copyright (c) 2009-2012
 	Lars-Dominik Braun <lars@6xq.net>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -74,11 +74,10 @@ typedef enum {
 	WAITRESS_RET_READ_ERR,
 	WAITRESS_RET_CONNECTION_CLOSED,
 	WAITRESS_RET_DECODING_ERR,
-	WAITRESS_RET_TLS_DISABLED,
 	WAITRESS_RET_TLS_WRITE_ERR,
 	WAITRESS_RET_TLS_READ_ERR,
 	WAITRESS_RET_TLS_HANDSHAKE_ERR,
-	WAITRESS_RET_TLS_TRUSTFILE_ERR,
+	WAITRESS_RET_TLS_FINGERPRINT_MISMATCH,
 } WaitressReturn_t;
 
 /*	reusable handle