From 182ff2d63c9a25c14ee1e7dc9e6d63e9079df677 Mon Sep 17 00:00:00 2001
From: Gergely Nagy
Date: Mon, 29 Jun 2020 20:07:37 +0200
Subject: [PATCH] vtls: deduplicate client certificates in ssl_config_data
Closes #5629
---
 lib/url.c | 4 ----
 lib/urldata.h | 2 --
 lib/vtls/gskit.c | 2 +-
 lib/vtls/gtls.c | 10 +++++-----
 lib/vtls/mbedtls.c | 2 +-
 lib/vtls/mesalink.c | 7 ++++---
 lib/vtls/nss.c | 7 ++++---
 lib/vtls/openssl.c | 4 ++--
 lib/vtls/schannel.c | 25 +++++++++++++------------
 lib/vtls/sectransp.c | 4 ++--
 lib/vtls/wolfssl.c | 7 ++++---
 11 files changed, 36 insertions(+), 38 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index af2a1c06d..bc224ece7 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3635,18 +3635,15 @@ static CURLcode create_conn(struct Curl_easy *data,
 data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
 data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
 data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
- data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
 data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
 data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
 data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
 data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
 data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
- data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
 data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
 #endif
 data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
 data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
- data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
 data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
 data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
 data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
@@ -3661,7 +3658,6 @@ static CURLcode create_conn(struct Curl_easy *data,
 #endif
 #endif
- data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
 data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
 data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
diff --git a/lib/urldata.h b/lib/urldata.h
index 40f9b26df..81cb5fe57 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -245,8 +245,6 @@ struct ssl_config_data {
 struct curl_blob *issuercert_blob;
 curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
 void *fsslctxp; /* parameter for call back */
- char *cert; /* client certificate file name */
- struct curl_blob *cert_blob;
 char *cert_type; /* format for certificate (default: PEM)*/
 char *key; /* private key file name */
 struct curl_blob *key_blob;
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 0538e4a46..dc79f487c 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -705,7 +705,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
 int rc;
 const char * const keyringfile = SSL_CONN_CONFIG(CAfile);
 const char * const keyringpwd = SSL_SET_OPTION(key_passwd);
- const char * const keyringlabel = SSL_SET_OPTION(cert);
+ const char * const keyringlabel = SSL_SET_OPTION(primary.clientcert);
 const long int ssl_version = SSL_CONN_CONFIG(version);
 const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
 const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name:
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 978c61abf..b09003303 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -645,7 +645,7 @@ gtls_connect_step1(struct connectdata *conn,
 gnutls_alpn_set_protocols(session, protocols, cur, 0);
 }
- if(SSL_SET_OPTION(cert)) {
+ if(SSL_SET_OPTION(primary.clientcert)) {
 if(SSL_SET_OPTION(key_passwd)) {
 const unsigned int supported_key_encryption_algorithms =
 GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
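Review bot: With `cert` and `cert_blob` dropped from struct ssl_config_data, `primary.clientcert` and `primary.cert_blob` are now the only copies of the client-certificate settings, and `primary` is, going by its name and its use in the url.c hunk, the sub-config that connection reuse compares (Curl_ssl_config_matches is not in this diff). Nothing here shows that the in-memory blob is compared there the way the file path already is; if it is not, two transfers carrying different CURLOPT_SSLCERT_BLOB values could share a connection that was authenticated with the first one's certificate, so please confirm the blob is part of the match or add it alongside clientcert. A one-line comment next to the `struct ssl_primary_config primary` member (outside this hunk), e.g. `/* client cert + cert_blob live here so connection reuse can match on them */`, would also stop a later cleanup from moving them back out. The struct ssl_config_data definition continues outside this hunk.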
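Review bot: The new condition `if(SSL_SET_OPTION(primary.clientcert))` still tests only the file path, so a client certificate supplied as `primary.cert_blob` (the field the openssl.c, sectransp.c and schannel.c hunks read) never enters this branch in the GnuTLS backend and the handshake is attempted without a client certificate instead of failing. That is pre-existing, but now that both fields sit in the same struct it is cheap to mirror the schannel `#else` branch of this same patch and fail loudly, e.g. after the outer if: `else if(SSL_SET_OPTION(primary.cert_blob)) { failf(data, "gnutls: client certificate blobs are not supported"); return CURLE_NOT_BUILT_IN; }`; if blob options are instead rejected earlier in setopt for this backend (not visible here), a comment saying so on this line would do. The mbedtls.c, nss.c, mesalink.c and wolfssl.c hunks have the same gap. gtls_connect_step1 starts and ends outside this hunk.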
@@ -654,9 +654,9 @@ gtls_connect_step1(struct connectdata *conn,
 GNUTLS_PKCS_USE_PBES2_AES_256;
 rc = gnutls_certificate_set_x509_key_file2(
 backend->cred,
- SSL_SET_OPTION(cert),
+ SSL_SET_OPTION(primary.clientcert),
 SSL_SET_OPTION(key) ?
- SSL_SET_OPTION(key) : SSL_SET_OPTION(cert),
+ SSL_SET_OPTION(key) : SSL_SET_OPTION(primary.clientcert),
 do_file_type(SSL_SET_OPTION(cert_type)),
 SSL_SET_OPTION(key_passwd),
 supported_key_encryption_algorithms);
@@ -670,9 +670,9 @@ gtls_connect_step1(struct connectdata *conn,
 else {
 if(gnutls_certificate_set_x509_key_file(
 backend->cred,
- SSL_SET_OPTION(cert),
+ SSL_SET_OPTION(primary.clientcert),
 SSL_SET_OPTION(key) ?
- SSL_SET_OPTION(key) : SSL_SET_OPTION(cert),
+ SSL_SET_OPTION(key) : SSL_SET_OPTION(primary.clientcert),
 do_file_type(SSL_SET_OPTION(cert_type)) ) != GNUTLS_E_SUCCESS) {
 failf(data, "error reading X.509 key or certificate file");
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 545f824c6..71d2b2d07 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -244,7 +244,7 @@ mbed_connect_step1(struct connectdata *conn,
 const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
 const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
 const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
- char * const ssl_cert = SSL_SET_OPTION(cert);
+ char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
 const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
 #ifndef CURL_DISABLE_PROXY
 const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
index 17c64735e..7346a75f9 100644
--- a/lib/vtls/mesalink.c
+++ b/lib/vtls/mesalink.c
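Review bot: `SSL_SET_OPTION(primary.clientcert)` is now spelled out three times in this gnutls_certificate_set_x509_key_file2 call, and three more times in the @@ -670 hunk below, once each as the fallback key file, while the mbedtls.c and openssl.c hunks of this same patch hoist the value into a local at the top of the function. Doing the same here, `const char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);` next to the existing locals (which are outside this hunk), shortens both calls and makes the rule visible at a glance: `SSL_SET_OPTION(key) ? SSL_SET_OPTION(key) : ssl_cert`. That fallback deserves a why-comment on the `SSL_SET_OPTION(key) ?` line too, e.g. `/* no separate key file: the cert file is handed to GnuTLS as the key file as well */`. gtls_connect_step1 starts and ends outside this hunk.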
@@ -179,11 +179,12 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
 SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath): "none");
 }
- if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
+ if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key)) {
 int file_type = do_file_type(SSL_SET_OPTION(cert_type));
- if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx, SSL_SET_OPTION(cert),
- file_type) != 1) {
+ if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx,
+ SSL_SET_OPTION(primary.clientcert),
+ file_type) != 1) {
 failf(data, "unable to use client certificate (no key or wrong pass"
 " phrase?)");
 return CURLE_SSL_CONNECT_ERROR;
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 25098814a..2aed10d1b 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1981,14 +1981,15 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
 infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
 }
- if(SSL_SET_OPTION(cert)) {
- char *nickname = dup_nickname(data, SSL_SET_OPTION(cert));
+ if(SSL_SET_OPTION(primary.clientcert)) {
+ char *nickname = dup_nickname(data, SSL_SET_OPTION(primary.clientcert));
 if(nickname) {
 /* we are not going to use libnsspem.so to read the client cert */
 backend->obj_clicert = NULL;
 }
 else {
- CURLcode rv = cert_stuff(conn, sockindex, SSL_SET_OPTION(cert),
+ CURLcode rv = cert_stuff(conn, sockindex,
+ SSL_SET_OPTION(primary.clientcert),
 SSL_SET_OPTION(key));
 if(rv) {
 /* failf() is already done in cert_stuff() */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 0a5a37384..1b3ed665d 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
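Review bot: The rewritten guard `if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key))` silently skips certificate loading when a client certificate is configured but no key is, whereas the gtls.c hunks of this patch fall back to the certificate file for the key; the result is a transfer that proceeds without the client authentication the caller asked for rather than an error. This is pre-existing, but since the line is being touched it is worth either adopting the same fallback or failing explicitly, e.g. `else if(SSL_SET_OPTION(primary.clientcert)) { failf(data, "client certificate set without a private key"); return CURLE_SSL_CERTPROBLEM; }`, unless that combination is already rejected in setopt (not visible here). The wolfssl.c hunk at the end of this patch has the identical guard. mesalink_connect_step1 starts and ends outside this hunk.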
@@ -2493,8 +2493,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
 #ifdef HAVE_OPENSSL_SRP
 const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
 #endif
- char * const ssl_cert = SSL_SET_OPTION(cert);
- const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
+ char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+ const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
 const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
 const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
 const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 91a83a8e9..1fe9b7b8d 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -590,7 +590,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 #ifdef HAS_CLIENT_CERT_PATH
 /* client certificate */
- if(data->set.ssl.cert || data->set.ssl.cert_blob) {
+ if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
 DWORD cert_store_name = 0;
 TCHAR *cert_store_path = NULL;
 TCHAR *cert_thumbprint_str = NULL;
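Review bot: The new schannel condition `if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob)` reads the origin-server option set directly, while every other backend in this patch goes through `SSL_SET_OPTION()`, which, judging by its use beside `SSL_IS_PROXY()` in the gskit.c and sectransp.c hunks, selects between the proxy and origin settings. If schannel_connect_step1 can ever run for an HTTPS proxy, the proxy's own client certificate is ignored and the origin certificate is presented to the proxy instead; if the backend simply has no HTTPS-proxy support, that should be stated so the asymmetry does not look accidental. Either switch to `SSL_SET_OPTION(primary.clientcert)` / `SSL_SET_OPTION(primary.cert_blob)` for consistency, or add `/* schannel reads data->set.ssl directly: no HTTPS-proxy support, so SSL_IS_PROXY() is never true here */` above the if, whichever is true. The rest of this branch is in the following hunks and the function starts outside this one.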
@@ -600,27 +600,28 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 FILE *fInCert = NULL;
 void *certdata = NULL;
 size_t certsize = 0;
- bool blob = data->set.ssl.cert_blob != NULL;
+ bool blob = data->set.ssl.primary.cert_blob != NULL;
 TCHAR *cert_path = NULL;
 if(blob) {
- certdata = data->set.ssl.cert_blob->data;
- certsize = data->set.ssl.cert_blob->len;
+ certdata = data->set.ssl.primary.cert_blob->data;
+ certsize = data->set.ssl.primary.cert_blob->len;
 }
 else {
- cert_path = curlx_convert_UTF8_to_tchar(data->set.ssl.cert);
+ cert_path = curlx_convert_UTF8_to_tchar(
+ data->set.ssl.primary.clientcert);
 if(!cert_path)
 return CURLE_OUT_OF_MEMORY;
 result = get_cert_location(cert_path, &cert_store_name, &cert_store_path, &cert_thumbprint_str);
- if(result && (data->set.ssl.cert[0]!='\0'))
- fInCert = fopen(data->set.ssl.cert, "rb");
+ if(result && (data->set.ssl.primary.clientcert[0]!='\0'))
+ fInCert = fopen(data->set.ssl.primary.clientcert, "rb");
 if(result && !fInCert) {
 failf(data, "schannel: Failed to get certificate location"
 " or file for %s",
- data->set.ssl.cert);
+ data->set.ssl.primary.clientcert);
 curlx_unicodefree(cert_path);
 return result;
 }
@@ -630,7 +631,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 (!strcasecompare(data->set.ssl.cert_type, "P12"))) {
 failf(data, "schannel: certificate format compatibility error "
 " for %s",
- blob ? "(memory blob)" : data->set.ssl.cert);
+ blob ? "(memory blob)" : data->set.ssl.primary.clientcert);
 curlx_unicodefree(cert_path);
 return CURLE_SSL_CERTPROBLEM;
 }
@@ -645,7 +646,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 size_t pwd_len = 0;
 int str_w_len = 0;
 const char *cert_showfilename_error = blob ?
- "(memory blob)" : data->set.ssl.cert;
+ "(memory blob)" : data->set.ssl.primary.clientcert;
 curlx_unicodefree(cert_path);
 if(fInCert) {
 long cert_tell = 0;
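Review bot: The early `return CURLE_SSL_CERTPROBLEM;` in the @@ -630 hunk frees `cert_path` but does not close `fInCert`, which the @@ -600 hunk above may have opened with `fInCert = fopen(data->set.ssl.primary.clientcert, "rb")` when get_cert_location failed; the @@ -645 hunk still tests `if(fInCert)` afterwards, so the handle is live at that return and leaks on every "not P12" rejection of a file-based certificate (the @@ -666 hunk's `fclose(fInCert)` is only reached on the success path). Unless the part of the condition above the hunk excludes the file case, add `if(fInCert) fclose(fInCert);` before that return, e.g. right after `curlx_unicodefree(cert_path);`. This is pre-existing rather than introduced here, but the line carrying the error message is already being rewritten. schannel_connect_step1 starts and ends outside these hunks.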
@@ -666,7 +667,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 fclose(fInCert);
 if(!continue_reading) {
 failf(data, "schannel: Failed to read cert file %s",
- data->set.ssl.cert);
+ data->set.ssl.primary.clientcert);
 free(certdata);
 return CURLE_SSL_CERTPROBLEM;
 }
@@ -773,7 +774,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
 CertCloseStore(cert_store, 0);
 }
 #else
- if(data->set.ssl.cert) {
+ if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
 failf(data, "schannel: client cert support not built in");
 return CURLE_NOT_BUILT_IN;
 }
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 2627aff16..1e2e93aec 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -1397,8 +1397,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
 const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
 const struct curl_blob *ssl_cablob = NULL;
 const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
- char * const ssl_cert = SSL_SET_OPTION(cert);
- const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
+ char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+ const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
 const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
 conn->host.name;
 const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 1428032b6..a299b99d1 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -379,11 +379,12 @@ wolfssl_connect_step1(struct connectdata *conn,
 }
 /* Load the client certificate, and private key */
- if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
+ if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key)) {
 int file_type = do_file_type(SSL_SET_OPTION(cert_type));
- if(SSL_CTX_use_certificate_file(backend->ctx, SSL_SET_OPTION(cert),
- file_type) != 1) {
+ if(SSL_CTX_use_certificate_file(backend->ctx,
+ SSL_SET_OPTION(primary.clientcert),
+ file_type) != 1) {
 failf(data, "unable to use client certificate (no key or wrong pass"
 " phrase?)");
 return CURLE_SSL_CONNECT_ERROR;