
vtls: deduplicate client certificates in ssl_config_data

Closes #5629
This commit is contained in:
Gergely Nagy 2020-06-29 20:07:37 +02:00 committed by Daniel Stenberg
parent 7ea2e1d0c5
commit 182ff2d63c
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
11 changed files with 36 additions and 38 deletions


@ -3635,18 +3635,15 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
#endif
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
@ -3661,7 +3658,6 @@ static CURLcode create_conn(struct Curl_easy *data,
#endif
#endif
data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];


@ -245,8 +245,6 @@ struct ssl_config_data {
struct curl_blob *issuercert_blob;
curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
void *fsslctxp; /* parameter for call back */
char *cert; /* client certificate file name */
struct curl_blob *cert_blob;
char *cert_type; /* format for certificate (default: PEM)*/
char *key; /* private key file name */
struct curl_blob *key_blob;


@ -705,7 +705,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
int rc;
const char * const keyringfile = SSL_CONN_CONFIG(CAfile);
const char * const keyringpwd = SSL_SET_OPTION(key_passwd);
const char * const keyringlabel = SSL_SET_OPTION(cert);
const char * const keyringlabel = SSL_SET_OPTION(primary.clientcert);
const long int ssl_version = SSL_CONN_CONFIG(version);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name:


@ -645,7 +645,7 @@ gtls_connect_step1(struct connectdata *conn,
gnutls_alpn_set_protocols(session, protocols, cur, 0);
}
if(SSL_SET_OPTION(cert)) {
if(SSL_SET_OPTION(primary.clientcert)) {
if(SSL_SET_OPTION(key_passwd)) {
const unsigned int supported_key_encryption_algorithms =
GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
@ -654,9 +654,9 @@ gtls_connect_step1(struct connectdata *conn,
GNUTLS_PKCS_USE_PBES2_AES_256;
rc = gnutls_certificate_set_x509_key_file2(
backend->cred,
SSL_SET_OPTION(cert),
SSL_SET_OPTION(primary.clientcert),
SSL_SET_OPTION(key) ?
SSL_SET_OPTION(key) : SSL_SET_OPTION(cert),
SSL_SET_OPTION(key) : SSL_SET_OPTION(primary.clientcert),
do_file_type(SSL_SET_OPTION(cert_type)),
SSL_SET_OPTION(key_passwd),
supported_key_encryption_algorithms);
@ -670,9 +670,9 @@ gtls_connect_step1(struct connectdata *conn,
else {
if(gnutls_certificate_set_x509_key_file(
backend->cred,
SSL_SET_OPTION(cert),
SSL_SET_OPTION(primary.clientcert),
SSL_SET_OPTION(key) ?
SSL_SET_OPTION(key) : SSL_SET_OPTION(cert),
SSL_SET_OPTION(key) : SSL_SET_OPTION(primary.clientcert),
do_file_type(SSL_SET_OPTION(cert_type)) ) !=
GNUTLS_E_SUCCESS) {
failf(data, "error reading X.509 key or certificate file");


@ -244,7 +244,7 @@ mbed_connect_step1(struct connectdata *conn,
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
char * const ssl_cert = SSL_SET_OPTION(cert);
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
#ifndef CURL_DISABLE_PROXY
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :


@ -179,10 +179,11 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath): "none");
}
if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key)) {
int file_type = do_file_type(SSL_SET_OPTION(cert_type));
if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx, SSL_SET_OPTION(cert),
if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx,
SSL_SET_OPTION(primary.clientcert),
file_type) != 1) {
failf(data, "unable to use client certificate (no key or wrong pass"
" phrase?)");


@ -1981,14 +1981,15 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
}
if(SSL_SET_OPTION(cert)) {
char *nickname = dup_nickname(data, SSL_SET_OPTION(cert));
if(SSL_SET_OPTION(primary.clientcert)) {
char *nickname = dup_nickname(data, SSL_SET_OPTION(primary.clientcert));
if(nickname) {
/* we are not going to use libnsspem.so to read the client cert */
backend->obj_clicert = NULL;
}
else {
CURLcode rv = cert_stuff(conn, sockindex, SSL_SET_OPTION(cert),
CURLcode rv = cert_stuff(conn, sockindex,
SSL_SET_OPTION(primary.clientcert),
SSL_SET_OPTION(key));
if(rv) {
/* failf() is already done in cert_stuff() */


@ -2493,8 +2493,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#ifdef HAVE_OPENSSL_SRP
const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
#endif
char * const ssl_cert = SSL_SET_OPTION(cert);
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);


@ -590,7 +590,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
#ifdef HAS_CLIENT_CERT_PATH
/* client certificate */
if(data->set.ssl.cert || data->set.ssl.cert_blob) {
if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
DWORD cert_store_name = 0;
TCHAR *cert_store_path = NULL;
TCHAR *cert_thumbprint_str = NULL;
@ -600,27 +600,28 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
FILE *fInCert = NULL;
void *certdata = NULL;
size_t certsize = 0;
bool blob = data->set.ssl.cert_blob != NULL;
bool blob = data->set.ssl.primary.cert_blob != NULL;
TCHAR *cert_path = NULL;
if(blob) {
certdata = data->set.ssl.cert_blob->data;
certsize = data->set.ssl.cert_blob->len;
certdata = data->set.ssl.primary.cert_blob->data;
certsize = data->set.ssl.primary.cert_blob->len;
}
else {
cert_path = curlx_convert_UTF8_to_tchar(data->set.ssl.cert);
cert_path = curlx_convert_UTF8_to_tchar(
data->set.ssl.primary.clientcert);
if(!cert_path)
return CURLE_OUT_OF_MEMORY;
result = get_cert_location(cert_path, &cert_store_name,
&cert_store_path, &cert_thumbprint_str);
if(result && (data->set.ssl.cert[0]!='\0'))
fInCert = fopen(data->set.ssl.cert, "rb");
if(result && (data->set.ssl.primary.clientcert[0]!='\0'))
fInCert = fopen(data->set.ssl.primary.clientcert, "rb");
if(result && !fInCert) {
failf(data, "schannel: Failed to get certificate location"
" or file for %s",
data->set.ssl.cert);
data->set.ssl.primary.clientcert);
curlx_unicodefree(cert_path);
return result;
}
@ -630,7 +631,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
(!strcasecompare(data->set.ssl.cert_type, "P12"))) {
failf(data, "schannel: certificate format compatibility error "
" for %s",
blob ? "(memory blob)" : data->set.ssl.cert);
blob ? "(memory blob)" : data->set.ssl.primary.clientcert);
curlx_unicodefree(cert_path);
return CURLE_SSL_CERTPROBLEM;
}
@ -645,7 +646,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
size_t pwd_len = 0;
int str_w_len = 0;
const char *cert_showfilename_error = blob ?
"(memory blob)" : data->set.ssl.cert;
"(memory blob)" : data->set.ssl.primary.clientcert;
curlx_unicodefree(cert_path);
if(fInCert) {
long cert_tell = 0;
@ -666,7 +667,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
fclose(fInCert);
if(!continue_reading) {
failf(data, "schannel: Failed to read cert file %s",
data->set.ssl.cert);
data->set.ssl.primary.clientcert);
free(certdata);
return CURLE_SSL_CERTPROBLEM;
}
@ -773,7 +774,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
CertCloseStore(cert_store, 0);
}
#else
if(data->set.ssl.cert) {
if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
failf(data, "schannel: client cert support not built in");
return CURLE_NOT_BUILT_IN;
}
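Review bot: The renamed accesses in schannel_connect_step1 still read `data->set.ssl.primary.clientcert` and `data->set.ssl.primary.cert_blob` directly, while every other backend touched by this commit goes through `SSL_SET_OPTION(primary.clientcert)`, which by curl's usual definition selects `proxy_ssl` for an HTTPS-proxy handshake; url.c in this same commit populates `proxy_ssl.primary.clientcert` from STRING_CERT_PROXY, so on schannel that proxy-specific certificate appears never to be consulted and the origin certificate would be presented to the proxy instead. If that is a deliberate limitation of the schannel backend, a one-line comment above the `#ifdef HAS_CLIENT_CERT_PATH` block saying proxy client certificates are not supported would stop the next reader from "fixing" it; if not, the mechanical change is `if(SSL_SET_OPTION(primary.clientcert) || SSL_SET_OPTION(primary.cert_blob)) {` and the same substitution for each remaining direct access, including `data->set.ssl.cert_type` in the P12 format check. The widened `#else` condition is a good catch: a CURLOPT_SSLCERT_BLOB caller on a build without HAS_CLIENT_CERT_PATH now gets CURLE_NOT_BUILT_IN rather than a silent handshake with no client certificate. schannel_connect_step1 begins and ends outside these hunks.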


@ -1397,8 +1397,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const struct curl_blob *ssl_cablob = NULL;
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
char * const ssl_cert = SSL_SET_OPTION(cert);
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;


@ -379,10 +379,11 @@ wolfssl_connect_step1(struct connectdata *conn,
}
/* Load the client certificate, and private key */
if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key)) {
int file_type = do_file_type(SSL_SET_OPTION(cert_type));
if(SSL_CTX_use_certificate_file(backend->ctx, SSL_SET_OPTION(cert),
if(SSL_CTX_use_certificate_file(backend->ctx,
SSL_SET_OPTION(primary.clientcert),
file_type) != 1) {
failf(data, "unable to use client certificate (no key or wrong pass"
" phrase?)");