summaryrefslogtreecommitdiff
path: root/src/libwaitress/waitress.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libwaitress/waitress.c')
-rw-r--r--src/libwaitress/waitress.c30
1 files changed, 16 insertions, 14 deletions
diff --git a/src/libwaitress/waitress.c b/src/libwaitress/waitress.c
index 8a8315f..efb76a9 100644
--- a/src/libwaitress/waitress.c
+++ b/src/libwaitress/waitress.c
@@ -1,5 +1,5 @@
/*
-Copyright (c) 2009-2011
+Copyright (c) 2009-2012
Lars-Dominik Braun <lars@6xq.net>
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -725,44 +725,45 @@ static int WaitressParseStatusline (const char * const line) {
/* verify server certificate
*/
-static int WaitressTlsVerify (const WaitressHandle_t *waith) {
+static WaitressReturn_t WaitressTlsVerify (const WaitressHandle_t *waith) {
gnutls_session_t session = waith->request.tlsSession;
unsigned int certListSize;
const gnutls_datum_t *certList;
gnutls_x509_crt_t cert;
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
- return GNUTLS_E_CERTIFICATE_ERROR;
+ return WAITRESS_RET_TLS_HANDSHAKE_ERR;
}
if ((certList = gnutls_certificate_get_peers (session,
&certListSize)) == NULL) {
- return GNUTLS_E_CERTIFICATE_ERROR;
+ return WAITRESS_RET_TLS_HANDSHAKE_ERR;
}
if (gnutls_x509_crt_init (&cert) != GNUTLS_E_SUCCESS) {
- return GNUTLS_E_CERTIFICATE_ERROR;
+ return WAITRESS_RET_TLS_HANDSHAKE_ERR;
}
if (gnutls_x509_crt_import (cert, &certList[0],
GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS) {
- return GNUTLS_E_CERTIFICATE_ERROR;
+ return WAITRESS_RET_TLS_HANDSHAKE_ERR;
}
char fingerprint[20];
size_t fingerprintSize = sizeof (fingerprint);
if (gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1, fingerprint,
&fingerprintSize) != 0) {
- return GNUTLS_E_CERTIFICATE_ERROR;
+ return WAITRESS_RET_TLS_HANDSHAKE_ERR;
}
+ assert (waith->tlsFingerprint != NULL);
if (memcmp (fingerprint, waith->tlsFingerprint, sizeof (fingerprint)) != 0) {
- return GNUTLS_E_CERTIFICATE_ERROR;
+ return WAITRESS_RET_TLS_FINGERPRINT_MISMATCH;
}
gnutls_x509_crt_deinit (cert);
- return 0;
+ return WAITRESS_RET_OK;
}
/* Connect to server
@@ -823,11 +824,12 @@ static WaitressReturn_t WaitressConnect (WaitressHandle_t *waith) {
}
if (waith->url.tls) {
+ WaitressReturn_t wRet;
+
/* set up proxy tunnel */
if (WaitressProxyEnabled (waith)) {
char buf[256];
size_t size;
- WaitressReturn_t wRet;
snprintf (buf, sizeof (buf), "CONNECT %s:%s HTTP/"
WAITRESS_HTTP_VERSION "\r\n"
@@ -855,8 +857,8 @@ static WaitressReturn_t WaitressConnect (WaitressHandle_t *waith) {
return WAITRESS_RET_TLS_HANDSHAKE_ERR;
}
- if (WaitressTlsVerify (waith) != 0) {
- return WAITRESS_RET_TLS_HANDSHAKE_ERR;
+ if ((wRet = WaitressTlsVerify (waith)) != WAITRESS_RET_OK) {
+ return wRet;
}
/* now we can talk encrypted */
@@ -1199,8 +1201,8 @@ const char *WaitressErrorToStr (WaitressReturn_t wRet) {
return "TLS handshake failed.";
break;
- case WAITRESS_RET_TLS_TRUSTFILE_ERR:
- return "Loading root certificates failed.";
+ case WAITRESS_RET_TLS_FINGERPRINT_MISMATCH:
+ return "TLS fingerprint mismatch.";
break;
default: