vtls: deduplicate some DISABLE_PROXY ifdefs

... in the code of gtls, nss, and openssl

Closes #5735
Kamil Dudka 2020-07-27 15:44:01 +02:00 committed by Daniel Stenberg
parent ce95c5e013
commit 7920be9473
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
4 changed files with 36 additions and 104 deletions


@ -399,15 +399,8 @@ gtls_connect_step1(struct connectdata *conn,
#endif
const char *prioritylist;
const char *err = NULL;
#ifndef CURL_DISABLE_PROXY
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
const char * const hostname = conn->host.name;
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
const char * const hostname = SSL_HOST_NAME();
long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
if(connssl->state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the
@ -839,15 +832,8 @@ gtls_connect_step3(struct connectdata *conn,
unsigned int bits;
gnutls_protocol_t version = gnutls_protocol_get_version(session);
#endif
#ifndef CURL_DISABLE_PROXY
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
const char * const hostname = conn->host.name;
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
const char * const hostname = SSL_HOST_NAME();
long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
/* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session),
@ -1128,22 +1114,15 @@ gtls_connect_step3(struct connectdata *conn,
}
#endif
if(!rc) {
#ifndef CURL_DISABLE_PROXY
const char * const dispname = SSL_IS_PROXY() ?
conn->http_proxy.host.dispname : conn->host.dispname;
#else
const char * const dispname = conn->host.dispname;
#endif
if(SSL_CONN_CONFIG(verifyhost)) {
failf(data, "SSL: certificate subject name (%s) does not match "
"target host name '%s'", certname, dispname);
"target host name '%s'", certname, SSL_HOST_DISPNAME());
gnutls_x509_crt_deinit(x509_cert);
return CURLE_PEER_FAILED_VERIFICATION;
}
else
infof(data, "\t common name: %s (does not match '%s')\n",
certname, dispname);
certname, SSL_HOST_DISPNAME());
}
else
infof(data, "\t common name: %s (matched)\n", certname);
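Review bot: In the gtls_connect_step3 hunk the local `dispname` is dropped and `SSL_HOST_DISPNAME()` is expanded twice, once in the failf() call and once in the infof() call, so `SSL_IS_PROXY()` is re-evaluated at each site where the removed ifdef computed the name once. Keeping a single local at the top of the `if(!rc)` block, `const char * const dispname = SSL_HOST_DISPNAME();`, still removes the ifdef while preserving the one-evaluation shape and keeping both messages fed from the same value. The same applies to the two `hostname`/`certverifyresult` hunks earlier in this file only if those names are read more than once, which the hunks do not show. gtls_connect_step3 starts and ends outside the hunk.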


@ -1027,12 +1027,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
CERTCertificate *cert;
/* remember the cert verification result */
#ifndef CURL_DISABLE_PROXY
if(SSL_IS_PROXY())
data->set.proxy_ssl.certverifyresult = err;
else
#endif
data->set.ssl.certverifyresult = err;
SSL_SET_OPTION_LVALUE(certverifyresult) = err;
if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
/* we are asked not to verify the host name */
@ -1838,12 +1833,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
CURLcode result;
bool second_layer = FALSE;
SSLVersionRange sslver_supported;
#ifndef CURL_DISABLE_PROXY
const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
#else
const char *hostname = conn->host.name;
#endif
SSLVersionRange sslver = {
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
@ -1948,12 +1937,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
goto error;
/* not checked yet */
#ifndef CURL_DISABLE_PROXY
if(SSL_IS_PROXY())
data->set.proxy_ssl.certverifyresult = 0;
else
#endif
data->set.ssl.certverifyresult = 0;
SSL_SET_OPTION_LVALUE(certverifyresult) = 0;
if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
goto error;
@ -2125,11 +2109,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
goto error;
/* propagate hostname to the TLS layer */
if(SSL_SetURL(backend->handle, hostname) != SECSuccess)
if(SSL_SetURL(backend->handle, SSL_HOST_NAME()) != SECSuccess)
goto error;
/* prevent NSS from re-using the session for a different hostname */
if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess)
if(SSL_SetSockPeerID(backend->handle, SSL_HOST_NAME()) != SECSuccess)
goto error;
return CURLE_OK;
@ -2148,18 +2132,6 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
struct Curl_easy *data = conn->data;
CURLcode result = CURLE_SSL_CONNECT_ERROR;
PRUint32 timeout;
#ifndef CURL_DISABLE_PROXY
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
const char * const pinnedpubkey = SSL_IS_PROXY() ?
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
#else
long * const certverifyresult = &data->set.ssl.certverifyresult;
const char * const pinnedpubkey =
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
#endif
/* check timeout situation */
const timediff_t time_left = Curl_timeleft(data, NULL, TRUE);
@ -2175,9 +2147,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
if(PR_GetError() == PR_WOULD_BLOCK_ERROR)
/* blocking direction is updated by nss_update_connecting_state() */
return CURLE_AGAIN;
else if(*certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
else if(SSL_SET_OPTION(certverifyresult) == SSL_ERROR_BAD_CERT_DOMAIN)
result = CURLE_PEER_FAILED_VERIFICATION;
else if(*certverifyresult != 0)
else if(SSL_SET_OPTION(certverifyresult) != 0)
result = CURLE_PEER_FAILED_VERIFICATION;
goto error;
}
@ -2205,7 +2177,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
}
}
result = cmp_peer_pubkey(connssl, pinnedpubkey);
result = cmp_peer_pubkey(connssl, SSL_PINNED_PUB_KEY());
if(result)
/* status already printed */
goto error;
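Review bot: In the nss_do_connect error path, `SSL_SET_OPTION(certverifyresult)` is expanded in both `else if` conditions that replace the former `*certverifyresult` reads, so `SSL_IS_PROXY()` now runs for each comparison where the old code resolved the pointer once. A local declared at the top of that block, `const long verifyresult = SSL_SET_OPTION(certverifyresult);`, compared in both branches keeps the single-read form and makes it obvious both branches inspect the same value. The same double expansion appears for `SSL_HOST_NAME()` at the SSL_SetURL() and SSL_SetSockPeerID() calls in nss_setup_connect. nss_do_connect starts and ends outside the hunk.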


@ -1582,16 +1582,8 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
CURLcode result = CURLE_OK;
bool dNSName = FALSE; /* if a dNSName field exists in the cert */
bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
#ifndef CURL_DISABLE_PROXY
const char * const hostname = SSL_IS_PROXY() ?
conn->http_proxy.host.name : conn->host.name;
const char * const dispname = SSL_IS_PROXY() ?
conn->http_proxy.host.dispname : conn->host.dispname;
#else
/* disabled proxy support */
const char * const hostname = conn->host.name;
const char * const dispname = conn->host.dispname;
#endif
const char * const hostname = SSL_HOST_NAME();
const char * const dispname = SSL_HOST_DISPNAME();
#ifdef ENABLE_IPV6
if(conn->bits.ipv6_ip &&
@ -2470,24 +2462,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
bool sni;
#ifndef CURL_DISABLE_PROXY
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
#else
const char * const hostname = conn->host.name;
#endif
const char * const hostname = SSL_HOST_NAME();
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
struct in_addr addr;
#endif
#endif
#ifndef CURL_DISABLE_PROXY
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
const long int ssl_version = SSL_CONN_CONFIG(version);
#ifdef HAVE_OPENSSL_SRP
@ -2511,7 +2492,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
if(result)
return result;
*certverifyresult = !X509_V_OK;
SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK;
/* check to see if we've been told to use an explicit SSL/TLS version */
@ -3221,12 +3202,6 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
struct Curl_easy *data = conn->data;
int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
#ifndef CURL_DISABLE_PROXY
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
struct ssl_backend_data *backend = connssl->backend;
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|| ssl_connect_2_reading == connssl->connecting_state
@ -3291,7 +3266,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
lerr = SSL_get_verify_result(backend->handle);
if(lerr != X509_V_OK) {
*certverifyresult = lerr;
SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
msnprintf(error_buffer, sizeof(error_buffer),
"SSL certificate problem: %s",
X509_verify_cert_error_string(lerr));
@ -3313,12 +3288,10 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
* the SO_ERROR is also lost.
*/
if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
const char * const hostname = SSL_HOST_NAME();
#ifndef CURL_DISABLE_PROXY
const char * const hostname = SSL_IS_PROXY() ?
conn->http_proxy.host.name : conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#else
const char * const hostname = conn->host.name;
const long int port = conn->remote_port;
#endif
char extramsg[80]="";
@ -3773,12 +3746,6 @@ static CURLcode servercert(struct connectdata *conn,
char error_buffer[256]="";
char buffer[2048];
const char *ptr;
#ifndef CURL_DISABLE_PROXY
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
BIO *mem = BIO_new(BIO_s_mem());
struct ssl_backend_data *backend = connssl->backend;
@ -3899,9 +3866,9 @@ static CURLcode servercert(struct connectdata *conn,
X509_free(issuer);
}
lerr = *certverifyresult = SSL_get_verify_result(backend->handle);
if(*certverifyresult != X509_V_OK) {
lerr = SSL_get_verify_result(backend->handle);
SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
if(lerr != X509_V_OK) {
if(SSL_CONN_CONFIG(verifypeer)) {
/* We probably never reach this, because SSL_connect() will fail
and we return earlier if verifypeer is set? */
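Review bot: In the ossl_connect_step2 error-reporting hunk the `#ifndef CURL_DISABLE_PROXY` block survives only to select `port` (`conn->port` versus `conn->remote_port`) now that `hostname` has been hoisted above it with `SSL_HOST_NAME()`. A companion selector in vtls.h next to SSL_HOST_NAME(), for example a proposed `SSL_HOST_PORT()` expanding to `(SSL_IS_PROXY() ? conn->port : conn->remote_port)` in the proxy build and `conn->remote_port` otherwise, would let this last ifdef in the function go the way of the others in the commit. Until then a one-line comment above the remaining ifdef, `/* only the port still depends on proxy vs. origin here */`, would explain why hostname and port are chosen differently. ossl_connect_step2 starts and ends outside the hunk.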


@ -131,12 +131,26 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
#define SSL_SET_OPTION(var) \
(SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var)
#define SSL_SET_OPTION_LVALUE(var) \
(*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var))
#define SSL_CONN_CONFIG(var) \
(SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var)
#define SSL_HOST_NAME() \
(SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name)
#define SSL_HOST_DISPNAME() \
(SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname)
#define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY() \
? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] \
: data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG])
#else
#define SSL_IS_PROXY() FALSE
#define SSL_SET_OPTION(var) data->set.ssl.var
#define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var
#define SSL_CONN_CONFIG(var) conn->ssl_config.var
#define SSL_HOST_NAME() conn->host.name
#define SSL_HOST_DISPNAME() conn->host.dispname
#define SSL_PINNED_PUB_KEY() \
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]
#endif
bool Curl_ssl_config_matches(struct ssl_primary_config *data,
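Review bot: The new selector macros SSL_SET_OPTION_LVALUE, SSL_HOST_NAME, SSL_HOST_DISPNAME and SSL_PINNED_PUB_KEY expand to expressions over the unbound identifiers `data` and `conn`, and in the proxy build they also evaluate SSL_IS_PROXY() on every expansion, but nothing in the header states that contract, so a caller whose handle or connection is named differently gets a confusing compile error rather than a hint. A short comment above the SSL_IS_PROXY() definitions saying that these macros may only be used in scopes declaring `struct Curl_easy *data` and `struct connectdata *conn` under exactly those names, and that each expansion re-evaluates SSL_IS_PROXY(), would document it. The disabled-proxy expansions such as `conn->host.name` and `data->set.ssl.var` are not parenthesized, which matches the existing SSL_SET_OPTION but differs from the proxy branch; wrapping them keeps the two branches symmetric.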