aboutsummaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorEmil Engler <me@emilengler.com>2020-04-23 21:36:35 +0200
committerDaniel Stenberg <daniel@haxx.se>2020-04-30 14:40:54 +0200
commit42d8d9a7e816f14226819cdc2440e11ef004230e (patch)
treed795d50cb88eb04f37588f21f8fbf17b4789db48 /lib
parentc06902713998d68202c5a764de910ba8d0e8f54d (diff)
GnuTLS: Backend support for CURLINFO_SSL_VERIFYRESULT
Closes #5287
Diffstat (limited to 'lib')
-rw-r--r--lib/vtls/gtls.c23
1 files changed, 21 insertions, 2 deletions
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 4ed3ea5cf..85cd4dc22 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -401,6 +401,8 @@ gtls_connect_step1(struct connectdata *conn,
const char *err = NULL;
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
+ long * const certverifyresult = SSL_IS_PROXY() ?
+ &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
if(connssl->state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the
@@ -410,6 +412,9 @@ gtls_connect_step1(struct connectdata *conn,
if(!gtls_inited)
Curl_gtls_init();
+ /* Initalize certverifyresult to OK */
+ *certverifyresult = 0;
+
if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) {
failf(data, "GnuTLS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
@@ -458,8 +463,10 @@ gtls_connect_step1(struct connectdata *conn,
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
SSL_CONN_CONFIG(CAfile), gnutls_strerror(rc));
- if(SSL_CONN_CONFIG(verifypeer))
+ if(SSL_CONN_CONFIG(verifypeer)) {
+ *certverifyresult = rc;
return CURLE_SSL_CACERT_BADFILE;
+ }
}
else
infof(data, "found %d certificates in %s\n", rc,
@@ -474,8 +481,10 @@ gtls_connect_step1(struct connectdata *conn,
if(rc < 0) {
infof(data, "error reading ca cert file %s (%s)\n",
SSL_CONN_CONFIG(CApath), gnutls_strerror(rc));
- if(SSL_CONN_CONFIG(verifypeer))
+ if(SSL_CONN_CONFIG(verifypeer)) {
+ *certverifyresult = rc;
return CURLE_SSL_CACERT_BADFILE;
+ }
}
else
infof(data, "found %d certificates in %s\n",
@@ -821,6 +830,8 @@ gtls_connect_step3(struct connectdata *conn,
#endif
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
+ long * const certverifyresult = SSL_IS_PROXY() ?
+ &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
/* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session),
@@ -852,6 +863,7 @@ gtls_connect_step3(struct connectdata *conn,
else {
#endif
failf(data, "failed to get server cert");
+ *certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
return CURLE_PEER_FAILED_VERIFICATION;
#ifdef USE_TLS_SRP
}
@@ -888,9 +900,12 @@ gtls_connect_step3(struct connectdata *conn,
rc = gnutls_certificate_verify_peers2(session, &verify_status);
if(rc < 0) {
failf(data, "server cert verify failed: %d", rc);
+ *certverifyresult = rc;
return CURLE_SSL_CONNECT_ERROR;
}
+ *certverifyresult = verify_status;
+
/* verify_status is a bitmask of gnutls_certificate_status bits */
if(verify_status & GNUTLS_CERT_INVALID) {
if(SSL_CONN_CONFIG(verifypeer)) {
@@ -1119,6 +1134,7 @@ gtls_connect_step3(struct connectdata *conn,
if(certclock == (time_t)-1) {
if(SSL_CONN_CONFIG(verifypeer)) {
failf(data, "server cert expiration date verify failed");
+ *certverifyresult = GNUTLS_CERT_EXPIRED;
gnutls_x509_crt_deinit(x509_cert);
return CURLE_SSL_CONNECT_ERROR;
}
@@ -1129,6 +1145,7 @@ gtls_connect_step3(struct connectdata *conn,
if(certclock < time(NULL)) {
if(SSL_CONN_CONFIG(verifypeer)) {
failf(data, "server certificate expiration date has passed.");
+ *certverifyresult = GNUTLS_CERT_EXPIRED;
gnutls_x509_crt_deinit(x509_cert);
return CURLE_PEER_FAILED_VERIFICATION;
}
@@ -1144,6 +1161,7 @@ gtls_connect_step3(struct connectdata *conn,
if(certclock == (time_t)-1) {
if(SSL_CONN_CONFIG(verifypeer)) {
failf(data, "server cert activation date verify failed");
+ *certverifyresult = GNUTLS_CERT_NOT_ACTIVATED;
gnutls_x509_crt_deinit(x509_cert);
return CURLE_SSL_CONNECT_ERROR;
}
@@ -1154,6 +1172,7 @@ gtls_connect_step3(struct connectdata *conn,
if(certclock > time(NULL)) {
if(SSL_CONN_CONFIG(verifypeer)) {
failf(data, "server certificate not activated yet.");
+ *certverifyresult = GNUTLS_CERT_NOT_ACTIVATED;
gnutls_x509_crt_deinit(x509_cert);
return CURLE_PEER_FAILED_VERIFICATION;
}