diff options
Diffstat (limited to 'src/libwaitress/waitress.c')
-rw-r--r-- | src/libwaitress/waitress.c | 40 |
1 files changed, 11 insertions, 29 deletions
diff --git a/src/libwaitress/waitress.c b/src/libwaitress/waitress.c index 8bb519a..7082ffd 100644 --- a/src/libwaitress/waitress.c +++ b/src/libwaitress/waitress.c @@ -53,21 +53,11 @@ typedef struct { size_t pos; } WaitressFetchBufCbBuffer_t; -WaitressReturn_t WaitressInit (WaitressHandle_t *waith, const char *caPath) { +void WaitressInit (WaitressHandle_t *waith) { assert (waith != NULL); memset (waith, 0, sizeof (*waith)); waith->timeout = 30000; - if (caPath != NULL) { - gnutls_certificate_allocate_credentials (&waith->tlsCred); - if (gnutls_certificate_set_x509_trust_file (waith->tlsCred, caPath, - GNUTLS_X509_FMT_PEM) <= 0) { - return WAITRESS_RET_TLS_TRUSTFILE_ERR; - } - waith->tlsInitialized = true; - } - - return WAITRESS_RET_OK; } void WaitressFree (WaitressHandle_t *waith) { @@ -75,9 +65,6 @@ void WaitressFree (WaitressHandle_t *waith) { free (waith->url.url); free (waith->proxy.url); - if (waith->tlsInitialized) { - gnutls_certificate_free_credentials (waith->tlsCred); - } memset (waith, 0, sizeof (*waith)); } @@ -709,22 +696,10 @@ static int WaitressTlsVerify (gnutls_session_t session) { waith = gnutls_session_get_ptr (session); assert (waith != NULL); - if (gnutls_certificate_verify_peers2 (session, &status) != GNUTLS_E_SUCCESS) { - return GNUTLS_E_CERTIFICATE_ERROR; - } - - /* don't accept invalid certs */ - if (status & (GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND | - GNUTLS_CERT_REVOKED | GNUTLS_CERT_EXPIRED | - GNUTLS_CERT_NOT_ACTIVATED)) { - return GNUTLS_E_CERTIFICATE_ERROR; - } - if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) { return GNUTLS_E_CERTIFICATE_ERROR; } - /* check hostname */ if ((certList = gnutls_certificate_get_peers (session, &certListSize)) == NULL) { return GNUTLS_E_CERTIFICATE_ERROR; @@ -739,7 +714,14 @@ static int WaitressTlsVerify (gnutls_session_t session) { return GNUTLS_E_CERTIFICATE_ERROR; } - if (gnutls_x509_crt_check_hostname (cert, waith->url.host) == 0) { + char fingerprint[20]; + size_t fingerprintSize = sizeof (fingerprint); + if (gnutls_x509_crt_get_fingerprint (cert, GNUTLS_DIG_SHA1, fingerprint, + &fingerprintSize) != 0) { + return GNUTLS_E_CERTIFICATE_ERROR; + } + + if (memcmp (fingerprint, waith->tlsFingerprint, sizeof (fingerprint)) != 0) { return GNUTLS_E_CERTIFICATE_ERROR; } @@ -1036,8 +1018,6 @@ WaitressReturn_t WaitressFetchCall (WaitressHandle_t *waith) { waith->request.write = WaitressOrdinaryWrite; if (waith->url.tls) { - assert (waith->tlsInitialized); - waith->request.read = WaitressGnutlsRead; waith->request.write = WaitressGnutlsWrite; gnutls_init (&waith->request.tlsSession, GNUTLS_CLIENT); @@ -1046,6 +1026,7 @@ WaitressReturn_t WaitressFetchCall (WaitressHandle_t *waith) { "PERFORMANCE", &err) != GNUTLS_E_SUCCESS) { return WAITRESS_RET_ERR; } + gnutls_certificate_allocate_credentials (&waith->tlsCred); if (gnutls_credentials_set (waith->request.tlsSession, GNUTLS_CRD_CERTIFICATE, waith->tlsCred) != GNUTLS_E_SUCCESS) { @@ -1083,6 +1064,7 @@ WaitressReturn_t WaitressFetchCall (WaitressHandle_t *waith) { if (waith->url.tls) { gnutls_bye (waith->request.tlsSession, GNUTLS_SHUT_RDWR); gnutls_deinit (waith->request.tlsSession); + gnutls_certificate_free_credentials (waith->tlsCred); } close (waith->request.sockfd); |