From d33a389bf256821f22cf80a9d630c18cef42870d Mon Sep 17 00:00:00 2001 From: Lars-Dominik Braun Date: Sat, 1 Dec 2012 13:25:09 +0100 Subject: waitress: Add TLS fingerprint mismatch error code --- src/libwaitress/waitress.c | 30 ++++++++++++++++-------------- src/libwaitress/waitress.h | 5 ++--- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/src/libwaitress/waitress.c b/src/libwaitress/waitress.c index 8a8315f..efb76a9 100644 --- a/src/libwaitress/waitress.c +++ b/src/libwaitress/waitress.c @@ -1,5 +1,5 @@ /* -Copyright (c) 2009-2011 +Copyright (c) 2009-2012 Lars-Dominik Braun Permission is hereby granted, free of charge, to any person obtaining a copy @@ -725,44 +725,45 @@ static int WaitressParseStatusline (const char * const line) { /* verify server certificate */ -static int WaitressTlsVerify (const WaitressHandle_t *waith) { +static WaitressReturn_t WaitressTlsVerify (const WaitressHandle_t *waith) { gnutls_session_t session = waith->request.tlsSession; unsigned int certListSize; const gnutls_datum_t *certList; gnutls_x509_crt_t cert; if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { - return GNUTLS_E_CERTIFICATE_ERROR; + return WAITRESS_RET_TLS_HANDSHAKE_ERR; } if ((certList = gnutls_certificate_get_peers (session, &certListSize)) == NULL) { - return GNUTLS_E_CERTIFICATE_ERROR; + return WAITRESS_RET_TLS_HANDSHAKE_ERR; } if (gnutls_x509_crt_init (&cert) != GNUTLS_E_SUCCESS) { - return GNUTLS_E_CERTIFICATE_ERROR; + return WAITRESS_RET_TLS_HANDSHAKE_ERR; } if (gnutls_x509_crt_import (cert, &certList[0], GNUTLS_X509_FMT_DER) != GNUTLS_E_SUCCESS) { - return GNUTLS_E_CERTIFICATE_ERROR; + return WAITRESS_RET_TLS_HANDSHAKE_ERR; } char fingerprint[20]; size_t fingerprintSize = sizeof (fingerprint); if (gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1, fingerprint, &fingerprintSize) != 0) { - return GNUTLS_E_CERTIFICATE_ERROR; + return WAITRESS_RET_TLS_HANDSHAKE_ERR; } + assert (waith->tlsFingerprint != NULL); if (memcmp (fingerprint, waith->tlsFingerprint, sizeof (fingerprint)) != 0) { - return GNUTLS_E_CERTIFICATE_ERROR; + return WAITRESS_RET_TLS_FINGERPRINT_MISMATCH; } gnutls_x509_crt_deinit (cert); - return 0; + return WAITRESS_RET_OK; } /* Connect to server @@ -823,11 +824,12 @@ static WaitressReturn_t WaitressConnect (WaitressHandle_t *waith) { } if (waith->url.tls) { + WaitressReturn_t wRet; + /* set up proxy tunnel */ if (WaitressProxyEnabled (waith)) { char buf[256]; size_t size; - WaitressReturn_t wRet; snprintf (buf, sizeof (buf), "CONNECT %s:%s HTTP/" WAITRESS_HTTP_VERSION "\r\n" @@ -855,8 +857,8 @@ static WaitressReturn_t WaitressConnect (WaitressHandle_t *waith) { return WAITRESS_RET_TLS_HANDSHAKE_ERR; } - if (WaitressTlsVerify (waith) != 0) { - return WAITRESS_RET_TLS_HANDSHAKE_ERR; + if ((wRet = WaitressTlsVerify (waith)) != WAITRESS_RET_OK) { + return wRet; } /* now we can talk encrypted */ @@ -1199,8 +1201,8 @@ const char *WaitressErrorToStr (WaitressReturn_t wRet) { return "TLS handshake failed."; break; - case WAITRESS_RET_TLS_TRUSTFILE_ERR: - return "Loading root certificates failed."; + case WAITRESS_RET_TLS_FINGERPRINT_MISMATCH: + return "TLS fingerprint mismatch."; break; default: diff --git a/src/libwaitress/waitress.h b/src/libwaitress/waitress.h index da516bb..6a0a66f 100644 --- a/src/libwaitress/waitress.h +++ b/src/libwaitress/waitress.h @@ -1,5 +1,5 @@ /* -Copyright (c) 2009-2011 +Copyright (c) 2009-2012 Lars-Dominik Braun Permission is hereby granted, free of charge, to any person obtaining a copy @@ -74,11 +74,10 @@ typedef enum { WAITRESS_RET_READ_ERR, WAITRESS_RET_CONNECTION_CLOSED, WAITRESS_RET_DECODING_ERR, - WAITRESS_RET_TLS_DISABLED, WAITRESS_RET_TLS_WRITE_ERR, WAITRESS_RET_TLS_READ_ERR, WAITRESS_RET_TLS_HANDSHAKE_ERR, - WAITRESS_RET_TLS_TRUSTFILE_ERR, + WAITRESS_RET_TLS_FINGERPRINT_MISMATCH, } WaitressReturn_t; /* reusable handle -- cgit v1.2.3