From: Daniel Stenberg Date: Wed, 3 Oct 2007 08:07:50 +0000 (+0000) Subject: I renamed the CURLE_SSL_PEER_CERTIFICATE error code to X-Git-Tag: curl-7_17_1~127 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ce81cd21d3865270867d68935c9700dbaf5b5fcc;p=curl I renamed the CURLE_SSL_PEER_CERTIFICATE error code to CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made this return code get used by the previous SSH MD5 fingerprint check in case it fails. --- diff --git a/CHANGES b/CHANGES index bcfe39805..67c69c28d 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,11 @@ Changelog Daniel S (3 October 2007) +- I renamed the CURLE_SSL_PEER_CERTIFICATE error code to + CURLE_PEER_FAILED_VERIFICATION (standard CURL_NO_OLDIES style), and made + this return code get used by the previous SSH MD5 fingerprint check in case + it fails. + - Based on a patch brought by Johnny Luong, libcurl now offers CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 and the curl tool --hostpubmd5. They both make the SCP or SFTP connection verify the remote host's md5 checksum of the diff --git a/docs/curl.1 b/docs/curl.1 index 26d70b8d2..61af057ac 100644 --- a/docs/curl.1 +++ b/docs/curl.1 @@ -1512,7 +1512,7 @@ Unknown TELNET option specified. .IP 49 Malformed telnet option. .IP 51 -The remote peer's SSL certificate wasn't ok +The peer's SSL certificate or SSH MD5 fingerprint was not ok .IP 52 The server didn't reply anything, which here is considered an error. .IP 53 diff --git a/docs/libcurl/libcurl-errors.3 b/docs/libcurl/libcurl-errors.3 index 1d8f4e88b..a686793f7 100644 --- a/docs/libcurl/libcurl-errors.3 +++ b/docs/libcurl/libcurl-errors.3 
@@ -148,8 +148,8 @@ An option set with CURLOPT_TELNETOPTIONS was not recognized/known. Refer to the appropriate documentation. .IP "CURLE_TELNET_OPTION_SYNTAX (49)" A telnet option string was Illegally formatted. -.IP "CURLE_SSL_PEER_CERTIFICATE (51)" -The remote server's SSL certificate was deemed not OK. +.IP "CURLE_PEER_FAILED_VERIFICATION (51)" +The remote server's SSL certificate or SSH md5 fingerprint was deemed not OK. .IP "CURLE_GOT_NOTHING (52)" Nothing was returned from the server, and under the circumstances, getting nothing is considered an error. diff --git a/include/curl/curl.h b/include/curl/curl.h index 88d495fc9..52acc564a 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -367,7 +367,8 @@ typedef enum { CURLE_UNKNOWN_TELNET_OPTION, /* 48 - User specified an unknown option */ CURLE_TELNET_OPTION_SYNTAX , /* 49 - Malformed telnet option */ CURLE_OBSOLETE50, /* 50 - NOT USED */ - CURLE_SSL_PEER_CERTIFICATE, /* 51 - peer's certificate wasn't ok */ + CURLE_PEER_FAILED_VERIFICATION, /* 51 - peer's certificate or fingerprint + wasn't verified fine */ CURLE_GOT_NOTHING, /* 52 - when this is a specific error */ CURLE_SSL_ENGINE_NOTFOUND, /* 53 - SSL crypto engine not found */ CURLE_SSL_ENGINE_SETFAILED, /* 54 - can not set SSL crypto engine as @@ -416,9 +417,13 @@ typedef enum { the obsolete stuff removed! */ /* Backwards compatibility with older names */ + +/* The following were added in 7.17.1 */ /* These are scheduled to disappear by 2009 */ +#define CURLE_SSL_PEER_CERTIFICATE CURLE_PEER_FAILED_VERIFICATION /* The following were added in 7.17.0 */ +/* These are scheduled to disappear by 2009 */ #define CURLE_OBSOLETE CURLE_OBSOLETE50 /* noone should be using this! */ #define CURLE_BAD_PASSWORD_ENTERED CURLE_OBSOLETE46 #define CURLE_BAD_CALLING_ORDER CURLE_OBSOLETE44 diff --git a/lib/gtls.c b/lib/gtls.c index 8d126d005..2aeb093d0 100644 --- a/lib/gtls.c +++ b/lib/gtls.c 
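Review bot: The new `#define CURLE_SSL_PEER_CERTIFICATE CURLE_PEER_FAILED_VERIFICATION` in the second curl.h hunk turns the old name into a macro for the same enumerator rather than a distinct code, which is right for source compatibility but deserves a comment: a caller that keeps a `case CURLE_SSL_PEER_CERTIFICATE:` next to a new `case CURLE_PEER_FAILED_VERIFICATION:` now gets a duplicate-case compile error, and if this block sits under the CURL_NO_OLDIES guard that the surrounding comment refers to, the old name disappears entirely for such builds. A one-line note such as `/* alias of CURLE_PEER_FAILED_VERIFICATION (same value, 51), kept for source compatibility only */` would stop a reader from treating the two as separate error codes. In the first hunk the enum comment `51 - peer's certificate or fingerprint wasn't verified fine` is vague about which checks it covers; `/* 51 - peer's TLS certificate or SSH host-key MD5 fingerprint failed verification */` matches what gtls.c, ssluse.c, qssl.c and ssh.c now return. The numeric value 51 is unchanged, so the ABI is preserved and only sources built without the compatibility names need the new spelling.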
@@ -352,7 +352,7 @@ Curl_gtls_connect(struct connectdata *conn, if(!chainp) { if(data->set.ssl.verifyhost) { failf(data, "failed to get server cert"); - return CURLE_SSL_PEER_CERTIFICATE; + return CURLE_PEER_FAILED_VERIFICATION; } infof(data, "\t common name: WARNING couldn't obtain\n"); } @@ -413,7 +413,7 @@ Curl_gtls_connect(struct connectdata *conn, failf(data, "SSL: certificate subject name (%s) does not match " "target host name '%s'", certbuf, conn->host.dispname); gnutls_x509_crt_deinit(x509_cert); - return CURLE_SSL_PEER_CERTIFICATE; + return CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\t common name: %s (does not match '%s')\n", @@ -433,7 +433,7 @@ Curl_gtls_connect(struct connectdata *conn, if(clock < time(NULL)) { if (data->set.ssl.verifypeer) { failf(data, "server certificate expiration date has passed."); - return CURLE_SSL_PEER_CERTIFICATE; + return CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\t server certificate expiration date FAILED\n"); @@ -451,7 +451,7 @@ Curl_gtls_connect(struct connectdata *conn, if(clock > time(NULL)) { if (data->set.ssl.verifypeer) { failf(data, "server certificate not activated yet."); - return CURLE_SSL_PEER_CERTIFICATE; + return CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\t server certificate activation date FAILED\n"); diff --git a/lib/qssl.c b/lib/qssl.c index bbff445f0..8dd8fc330 100644 --- a/lib/qssl.c +++ b/lib/qssl.c @@ -220,7 +220,7 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex) case SSL_ERROR_BAD_CERTIFICATE: case SSL_ERROR_BAD_CERT_SIG: case SSL_ERROR_NOT_TRUSTED_ROOT: - return CURLE_SSL_PEER_CERTIFICATE; + return CURLE_PEER_FAILED_VERIFICATION; case SSL_ERROR_BAD_CIPHER_SUITE: case SSL_ERROR_NO_CIPHERS: diff --git a/lib/ssh.c b/lib/ssh.c index 4a9d03732..9dce09630 100644 --- a/lib/ssh.c +++ b/lib/ssh.c 
@@ -371,7 +371,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn) "Remote %s is not equal to %s", buf, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]); state(conn, SSH_SESSION_FREE); - sshc->actualCode = CURLE_FAILED_INIT; + sshc->actualCode = CURLE_PEER_FAILED_VERIFICATION; break; } } diff --git a/lib/ssluse.c b/lib/ssluse.c index 55f6c8453..2ce701d06 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -1121,13 +1121,13 @@ static CURLcode verifyhost(struct connectdata *conn, if (!peer_CN) { failf(data, "SSL: unable to obtain common name from peer certificate"); - return CURLE_SSL_PEER_CERTIFICATE; + return CURLE_PEER_FAILED_VERIFICATION; } else if(!cert_hostcheck((const char *)peer_CN, conn->host.name)) { if(data->set.ssl.verifyhost > 1) { failf(data, "SSL: certificate subject name '%s' does not match " "target host name '%s'", peer_CN, conn->host.dispname); - res = CURLE_SSL_PEER_CERTIFICATE; + res = CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\t common name: %s (does not match '%s')\n", @@ -1624,7 +1624,7 @@ Curl_ossl_connect_step3(struct connectdata *conn, connssl->server_cert = SSL_get_peer_certificate(connssl->handle); if(!connssl->server_cert) { failf(data, "SSL: couldn't get peer certificate!"); - return CURLE_SSL_PEER_CERTIFICATE; + return CURLE_PEER_FAILED_VERIFICATION; } infof (data, "Server certificate:\n"); @@ -1675,7 +1675,7 @@ Curl_ossl_connect_step3(struct connectdata *conn, and we return earlyer if verifypeer is set? */ failf(data, "SSL certificate verify result: %s (%ld)", X509_verify_cert_error_string(lerr), lerr); - retcode = CURLE_SSL_PEER_CERTIFICATE; + retcode = CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "SSL certificate verify result: %s (%ld)," diff --git a/lib/strerror.c b/lib/strerror.c index 658a8cba1..94c0f8820 100644 --- a/lib/strerror.c +++ b/lib/strerror.c 
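Review bot: The mismatch branch now reports CURLE_PEER_FAILED_VERIFICATION, but nothing in this diff updates the documentation of CURLOPT_SSH_HOST_PUBLIC_KEY_MD5 to say that a fingerprint mismatch aborts the connection with that code; the option's entry in curl_easy_setopt.3 should state it, e.g. `If the MD5 fingerprint of the remote host key does not match this string, the connection fails with CURLE_PEER_FAILED_VERIFICATION.`, so callers know which code to test for. The failf on the lines above already prints both the observed and the expected fingerprint, which is the right diagnostic for an operator investigating a host-key change, so the message itself needs no change. ssh_statemach_act begins and ends outside this hunk, so it is not visible here how the case where libssh2 yields no MD5 hash is handled; it is worth confirming that a missing hash takes the same failure path rather than bypassing the comparison.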
@@ -174,8 +174,8 @@ curl_easy_strerror(CURLcode error) case CURLE_TELNET_OPTION_SYNTAX : return "Malformed telnet option"; - case CURLE_SSL_PEER_CERTIFICATE: - return "SSL peer certificate was not OK"; + case CURLE_PEER_FAILED_VERIFICATION: + return "SSL peer certificate or SSH md5 fingerprint was not OK"; case CURLE_GOT_NOTHING: return "Server returned nothing (no headers, no data)";