From 78ff4e0de3c53b026bb23a92c5c7abe3d285038e Mon Sep 17 00:00:00 2001 From: Han Han Date: Mon, 19 Nov 2018 17:48:59 -0800 Subject: [PATCH] ssl: replace all internal uses of CURLE_SSL_CACERT Closes #3291 --- lib/vtls/darwinssl.c | 24 ++++++++++++------------ lib/vtls/gtls.c | 2 +- lib/vtls/mbedtls.c | 2 +- lib/vtls/nss.c | 2 +- lib/vtls/openssl.c | 2 +- lib/vtls/polarssl.c | 2 +- packages/OS400/curl.inc.in | 2 +- src/tool_operate.c | 4 ++-- 8 files changed, 20 insertions(+), 20 deletions(-) diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c index e8116b8a1..bae221a3d 100644 --- a/lib/vtls/darwinssl.c +++ b/lib/vtls/darwinssl.c @@ -950,7 +950,7 @@ static CURLcode CopyCertSubject(struct Curl_easy *data, if(!c) { failf(data, "SSL: invalid CA certificate subject"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; } /* If the subject is already available as UTF-8 encoded (ie 'direct') then @@ -970,7 +970,7 @@ static CURLcode CopyCertSubject(struct Curl_easy *data, if(!CFStringGetCString(c, cbuf, cbuf_size, kCFStringEncodingUTF8)) { failf(data, "SSL: invalid CA certificate subject"); - result = CURLE_SSL_CACERT; + result = CURLE_PEER_FAILED_VERIFICATION; } else /* pass back the buffer */ @@ -1649,7 +1649,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } CFRelease(cert); - if(result == CURLE_SSL_CACERT) + if(result == CURLE_PEER_FAILED_VERIFICATION) return CURLE_SSL_CERTPROBLEM; if(result) return result; 
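Review bot: In the darwinssl_connect_step1 hunk, `if(result == CURLE_PEER_FAILED_VERIFICATION) return CURLE_SSL_CERTPROBLEM;` treats a public verification result as a private signal from an earlier call, and nothing at that site says which call. Judging by the two CopyCertSubject hunks above it, the value presumably comes from the "SSL: invalid CA certificate subject" failure paths. A comment such as `/* CopyCertSubject() could not read the subject: report it as a certificate problem */` would record that intent. Both functions start and end outside these hunks, so the call that sets `result` is not visible here and should be confirmed before the comment is added.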
@@ -2429,37 +2429,37 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) /* These are all certificate problems with the server: */ case errSSLXCertChainInvalid: failf(data, "SSL certificate problem: Invalid certificate chain"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; case errSSLUnknownRootCert: failf(data, "SSL certificate problem: Untrusted root certificate"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; case errSSLNoRootCert: failf(data, "SSL certificate problem: No root certificate"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; case errSSLCertNotYetValid: failf(data, "SSL certificate problem: The certificate chain had a " "certificate that is not yet valid"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; case errSSLCertExpired: case errSSLPeerCertExpired: failf(data, "SSL certificate problem: Certificate chain had an " "expired certificate"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; case errSSLBadCert: case errSSLPeerBadCert: failf(data, "SSL certificate problem: Couldn't understand the server " "certificate format"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; case errSSLPeerUnsupportedCert: failf(data, "SSL certificate problem: An unsupported certificate " "format was encountered"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; case errSSLPeerCertRevoked: failf(data, "SSL certificate problem: The certificate was revoked"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; case errSSLPeerCertUnknown: failf(data, "SSL certificate problem: The certificate is unknown"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; /* These are all certificate problems with the client: */ case errSecAuthFailed: diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 37662a748..84331a425 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c 
@@ -1110,7 +1110,7 @@ gtls_connect_step3(struct connectdata *conn, "CRLfile: %s", SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile): "none", SSL_SET_OPTION(CRLfile)?SSL_SET_OPTION(CRLfile):"none"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\t server certificate verification FAILED\n"); diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index c5ed8872e..6adafff8b 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -580,7 +580,7 @@ mbed_connect_step2(struct connectdata *conn, if(ret & MBEDTLS_X509_BADCERT_REVOKED) { failf(data, "Cert verify failed: BADCERT_REVOKED"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; } if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 427ab91aa..3da66249c 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -2081,7 +2081,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) else if(*certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) result = CURLE_PEER_FAILED_VERIFICATION; else if(*certverifyresult != 0) - result = CURLE_SSL_CACERT; + result = CURLE_PEER_FAILED_VERIFICATION; goto error; } diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 0e0fc0acb..2f67595f2 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2719,7 +2719,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) if((lib == ERR_LIB_SSL) && (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) { - result = CURLE_SSL_CACERT; + result = CURLE_PEER_FAILED_VERIFICATION; lerr = SSL_get_verify_result(BACKEND->handle); if(lerr != X509_V_OK) { diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c index 27af0ccf3..cb038ecbb 100644 --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c 
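Review bot: In the nss_do_connect hunk the last two branches now assign the same value, so the `SSL_ERROR_BAD_CERT_DOMAIN` test no longer selects anything. They can be folded into the single branch `else if(*certverifyresult != 0) result = CURLE_PEER_FAILED_VERIFICATION;`. If the separate name-mismatch branch is kept on purpose, a short comment should say it is retained for readability only. The head of the if/else chain lies outside the hunk, so the earlier branches are not visible here.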
@@ -497,7 +497,7 @@ polarssl_connect_step2(struct connectdata *conn, if(ret & BADCERT_REVOKED) { failf(data, "Cert verify failed: BADCERT_REVOKED"); - return CURLE_SSL_CACERT; + return CURLE_PEER_FAILED_VERIFICATION; } if(ret & BADCERT_CN_MISMATCH) diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in index e916cf7ab..b13358704 100644 --- a/packages/OS400/curl.inc.in +++ b/packages/OS400/curl.inc.in @@ -586,7 +586,7 @@ d CURLE_HTTP2_STREAM... d c 92 * - d CURLE_SSL_CACERT... + d CURLE_PEER_FAILED_VERIFICATION... d c 60 * /if not defined(CURL_NO_OLDIES) diff --git a/src/tool_operate.c b/src/tool_operate.c index 46ca316f9..e53a9d867 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -97,7 +97,7 @@ CURLcode curl_easy_perform_ev(CURL *easy); static bool is_fatal_error(CURLcode code) { switch(code) { - /* TODO: Should CURLE_SSL_CACERT be included as critical error ? */ + /* TODO: Should CURLE_PEER_FAILED_VERIFICATION be a critical error? */ case CURLE_FAILED_INIT: case CURLE_OUT_OF_MEMORY: case CURLE_UNKNOWN_OPTION: @@ -1805,7 +1805,7 @@ static CURLcode operate_do(struct GlobalConfig *global, else if(result && global->showerror) { fprintf(global->errors, "curl: (%d) %s\n", result, (errorbuffer[0]) ? errorbuffer : curl_easy_strerror(result)); - if(result == CURLE_SSL_CACERT) + if(result == CURLE_PEER_FAILED_VERIFICATION) fputs(CURL_CA_CERT_ERRORMSG, global->errors); }
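Review bot: In the operate_do hunk the `CURL_CA_CERT_ERRORMSG` hint is keyed on `CURLE_PEER_FAILED_VERIFICATION`, which the backend hunks in this patch also return for revoked certificates (mbedtls, polarssl), expired certificates (darwinssl) and `SSL_ERROR_BAD_CERT_DOMAIN` in nss. The message text is not visible here, but if it is written for a CA-bundle problem it is advice a user should not act on when the real cause is revocation or a name mismatch. The OS400 hunk suggests both names carry the value 60, so this may not be new behaviour. A comment such as `/* printed for every peer verification failure, not only CA bundle problems */` would still make the scope explicit. operate_do continues outside the hunk.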