authorDaniel Stenberg <daniel@haxx.se>2007-10-03 08:07:50 +0000
committerDaniel Stenberg <daniel@haxx.se>2007-10-03 08:07:50 +0000
commitce81cd21d3865270867d68935c9700dbaf5b5fcc (patch)
tree5744d2d3f3e4873b9597b550b71ac3640147746e
parent51c6a5d43b09835289a469165aa7a2bfb79dbdc6 (diff)
I renamed the CURLE_SSL_PEER_CERTIFICATE error code to
CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made this return code get used by the previous SSH MD5 fingerprint check in case it fails.
-rw-r--r--CHANGES5
-rw-r--r--docs/curl.12
-rw-r--r--docs/libcurl/libcurl-errors.34
-rw-r--r--include/curl/curl.h7
-rw-r--r--lib/gtls.c8
-rw-r--r--lib/qssl.c2
-rw-r--r--lib/ssh.c2
-rw-r--r--lib/ssluse.c8
-rw-r--r--lib/strerror.c4
9 files changed, 26 insertions, 16 deletions
diff --git a/CHANGES b/CHANGES
index bcfe39805..67c69c28d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,11 @@
Changelog
Daniel S (3 October 2007)
+- I renamed the CURLE_SSL_PEER_CERTIFICATE error code to
+ CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made
+ this return code get used by the previous SSH MD5 fingerprint check in case
+ it fails.
+
- Based on a patch brought by Johnny Luong, libcurl now offers
CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and the curl tool --hostpubmd5. They both
make the SCP or SFTP connection verify the remote host's md5 checksum of the
diff --git a/docs/curl.1 b/docs/curl.1
index 26d70b8d2..61af057ac 100644
--- a/docs/curl.1
+++ b/docs/curl.1
@@ -1512,7 +1512,7 @@ Unknown TELNET option specified.
.IP 49
Malformed telnet option.
.IP 51
-The remote peer's SSL certificate wasn't ok
+The peer's SSL certificate or SSH MD5 fingerprint was not ok
.IP 52
The server didn't reply anything, which here is considered an error.
.IP 53
diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3
index 1d8f4e88b..a686793f7 100644
--- a/docs/libcurl/libcurl-errors.3
+++ b/docs/libcurl/libcurl-errors.3
@@ -148,8 +148,8 @@ An option set with CURLOPT_TELNETOPTIONS was not recognized/known. Refer to
the appropriate documentation.
.IP "CURLE_TELNET_OPTION_SYNTAX (49)"
A telnet option string was Illegally formatted.
-.IP "CURLE_SSL_PEER_CERTIFICATE (51)"
-The remote server's SSL certificate was deemed not OK.
+.IP "CURLE_PEER_FAILED_VERIFICATION (51)"
+The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK.
.IP "CURLE_GOT_NOTHING (52)"
Nothing was returned from the server, and under the circumstances, getting
nothing is considered an error.
diff --git a/include/curl/curl.h b/include/curl/curl.h
index 88d495fc9..52acc564a 100644
--- a/include/curl/curl.h
+++ b/include/curl/curl.h
@@ -367,7 +367,8 @@ typedef enum {
CURLE_UNKNOWN_TELNET_OPTION, /* 48 - User specified an unknown option */
CURLE_TELNET_OPTION_SYNTAX , /* 49 - Malformed telnet option */
CURLE_OBSOLETE50, /* 50 - NOT USED */
- CURLE_SSL_PEER_CERTIFICATE, /* 51 - peer's certificate wasn't ok */
+ CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint
+ wasn't verified fine */
CURLE_GOT_NOTHING, /* 52 - when this is a specific error */
CURLE_SSL_ENGINE_NOTFOUND, /* 53 - SSL crypto engine not found */
CURLE_SSL_ENGINE_SETFAILED, /* 54 - can not set SSL crypto engine as
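Review bot: The new enum comment on the CURLE_PEER_FAILED_VERIFICATION line reads awkwardly ("wasn't verified fine") for what is the public, documented meaning of error 51; since this header is the reference for libcurl users, a plainer wording would be `/* 51 - peer's certificate or fingerprint could not be verified */`. The replacement keeps the entry in the same enum slot (one member replaced by one member), so the numeric value 51 and the ABI for existing binaries appear unchanged, which is worth stating in the comment or in the compatibility block further down (the hunk at `@@ -416,9 +417,13 @@`). That second hunk carries two identical "These are scheduled to disappear by 2009" lines under separate 7.17.1 and 7.17.0 banners; one banner with a single removal note would read more clearly. The enclosing typedef enum starts and ends outside this hunk.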
@@ -416,9 +417,13 @@ typedef enum {
the obsolete stuff removed! */
/* Backwards compatibility with older names */
+
+/* The following were added in 7.17.1 */
/* These are scheduled to disappear by 2009 */
+#define CURLE_SSL_PEER_CERTIFICATE CURLE_PEER_FAILED_VERIFICATION
/* The following were added in 7.17.0 */
+/* These are scheduled to disappear by 2009 */
#define CURLE_OBSOLETE CURLE_OBSOLETE50 /* noone should be using this! */
#define CURLE_BAD_PASSWORD_ENTERED CURLE_OBSOLETE46
#define CURLE_BAD_CALLING_ORDER CURLE_OBSOLETE44
diff --git a/lib/gtls.c b/lib/gtls.c
index 8d126d005..2aeb093d0 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c
@@ -352,7 +352,7 @@ Curl_gtls_connect(struct connectdata *conn,
if(!chainp) {
if(data->set.ssl.verifyhost) {
failf(data, "failed to get server cert");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
infof(data, "\t common name: WARNING couldn't obtain\n");
}
@@ -413,7 +413,7 @@ Curl_gtls_connect(struct connectdata *conn,
failf(data, "SSL: certificate subject name (%s) does not match "
"target host name '%s'", certbuf, conn->host.dispname);
gnutls_x509_crt_deinit(x509_cert);
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t common name: %s (does not match '%s')\n",
@@ -433,7 +433,7 @@ Curl_gtls_connect(struct connectdata *conn,
if(clock < time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate expiration date has passed.");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t server certificate expiration date FAILED\n");
@@ -451,7 +451,7 @@ Curl_gtls_connect(struct connectdata *conn,
if(clock > time(NULL)) {
if (data->set.ssl.verifypeer) {
failf(data, "server certificate not activated yet.");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t server certificate activation date FAILED\n");
diff --git a/lib/qssl.c b/lib/qssl.c
index bbff445f0..8dd8fc330 100644
--- a/lib/qssl.c
+++ b/lib/qssl.c
@@ -220,7 +220,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
case SSL_ERROR_BAD_CERTIFICATE:
case SSL_ERROR_BAD_CERT_SIG:
case SSL_ERROR_NOT_TRUSTED_ROOT:
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
case SSL_ERROR_BAD_CIPHER_SUITE:
case SSL_ERROR_NO_CIPHERS:
diff --git a/lib/ssh.c b/lib/ssh.c
index 4a9d03732..9dce09630 100644
--- a/lib/ssh.c
+++ b/lib/ssh.c
@@ -371,7 +371,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn)
"Remote %s is not equal to %s",
buf, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]);
state(conn, SSH_SESSION_FREE);
- sshc->actualCode = CURLE_FAILED_INIT;
+ sshc->actualCode = CURLE_PEER_FAILED_VERIFICATION;
break;
}
}
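Review bot: The assignment `sshc->actualCode = CURLE_PEER_FAILED_VERIFICATION;` has no comment explaining why a fingerprint mismatch is reported as a verification failure rather than the CURLE_FAILED_INIT it replaced, and readers of this state machine will otherwise have to find the commit message; a one-line comment such as `/* host key MD5 mismatch: report as peer verification failure (51), not an init error */` would keep that rationale with the code. Callers that previously matched on CURLE_FAILED_INIT for this condition will see a different code after this change, which is presumably intended but is not stated at the call site. The enclosing ssh_statemach_act function, including the comparison that leads into this failf, starts and ends outside the hunk, so the condition itself could not be reviewed here.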
diff --git a/lib/ssluse.c b/lib/ssluse.c
index 55f6c8453..2ce701d06 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -1121,13 +1121,13 @@ static CURLcode verifyhost(struct connectdata *conn,
if (!peer_CN) {
failf(data,
"SSL: unable to obtain common name from peer certificate");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) {
if(data->set.ssl.verifyhost > 1) {
failf(data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", peer_CN, conn->host.dispname);
- res = CURLE_SSL_PEER_CERTIFICATE;
+ res = CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t common name: %s (does not match '%s')\n",
@@ -1624,7 +1624,7 @@ Curl_ossl_connect_step3(struct connectdata *conn,
connssl->server_cert = SSL_get_peer_certificate(connssl->handle);
if(!connssl->server_cert) {
failf(data, "SSL: couldn't get peer certificate!");
- return CURLE_SSL_PEER_CERTIFICATE;
+ return CURLE_PEER_FAILED_VERIFICATION;
}
infof (data, "Server certificate:\n");
@@ -1675,7 +1675,7 @@ Curl_ossl_connect_step3(struct connectdata *conn,
and we return earlyer if verifypeer is set? */
failf(data, "SSL certificate verify result: %s (%ld)",
X509_verify_cert_error_string(lerr), lerr);
- retcode = CURLE_SSL_PEER_CERTIFICATE;
+ retcode = CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "SSL certificate verify result: %s (%ld),"
diff --git a/lib/strerror.c b/lib/strerror.c
index 658a8cba1..94c0f8820 100644
--- a/lib/strerror.c
+++ b/lib/strerror.c
@@ -174,8 +174,8 @@ curl_easy_strerror(CURLcode error)
case CURLE_TELNET_OPTION_SYNTAX :
return "Malformed telnet option";
- case CURLE_SSL_PEER_CERTIFICATE:
- return "SSL peer certificate was not OK";
+ case CURLE_PEER_FAILED_VERIFICATION:
+ return "SSL peer certificate or SSH md5 fingerprint was not OK";
case CURLE_GOT_NOTHING:
return "Server returned nothing (no headers, no data)";