vtls: deduplicate some DISABLE_PROXY ifdefs
... in the code of gtls, nss, and openssl Closes #5735
This commit is contained in:
parent
ce95c5e013
commit
7920be9473
@ -399,15 +399,8 @@ gtls_connect_step1(struct connectdata *conn,
|
||||
#endif
|
||||
const char *prioritylist;
|
||||
const char *err = NULL;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
||||
conn->host.name;
|
||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||
#else
|
||||
const char * const hostname = conn->host.name;
|
||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
||||
#endif
|
||||
const char * const hostname = SSL_HOST_NAME();
|
||||
long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
|
||||
|
||||
if(connssl->state == ssl_connection_complete)
|
||||
/* to make us tolerant against being called more than once for the
|
||||
@ -839,15 +832,8 @@ gtls_connect_step3(struct connectdata *conn,
|
||||
unsigned int bits;
|
||||
gnutls_protocol_t version = gnutls_protocol_get_version(session);
|
||||
#endif
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
||||
conn->host.name;
|
||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||
#else
|
||||
const char * const hostname = conn->host.name;
|
||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
||||
#endif
|
||||
const char * const hostname = SSL_HOST_NAME();
|
||||
long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
|
||||
|
||||
/* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
|
||||
ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session),
|
||||
@ -1128,22 +1114,15 @@ gtls_connect_step3(struct connectdata *conn,
|
||||
}
|
||||
#endif
|
||||
if(!rc) {
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
const char * const dispname = SSL_IS_PROXY() ?
|
||||
conn->http_proxy.host.dispname : conn->host.dispname;
|
||||
#else
|
||||
const char * const dispname = conn->host.dispname;
|
||||
#endif
|
||||
|
||||
if(SSL_CONN_CONFIG(verifyhost)) {
|
||||
failf(data, "SSL: certificate subject name (%s) does not match "
|
||||
"target host name '%s'", certname, dispname);
|
||||
"target host name '%s'", certname, SSL_HOST_DISPNAME());
|
||||
gnutls_x509_crt_deinit(x509_cert);
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
}
|
||||
else
|
||||
infof(data, "\t common name: %s (does not match '%s')\n",
|
||||
certname, dispname);
|
||||
certname, SSL_HOST_DISPNAME());
|
||||
}
|
||||
else
|
||||
infof(data, "\t common name: %s (matched)\n", certname);
|
||||
|
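Review bot: The captured-pointer form `long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);` at L53 and L106 takes the address back through the macro's `*( … )` dereference, which is valid but reads oddly next to the direct-use form the nss and openssl hunks adopt. A one-line comment would make the intent explicit: `/* resolve the proxy/host slot once so later writes in this function hit the same slot */`. In gtls_connect_step3 the removed `dispname` local is replaced by two `SSL_HOST_DISPNAME()` evaluations (L158, L179) inside the same branch, which is harmless but re-runs the proxy test per call. gtls_connect_step1 and gtls_connect_step3 both start and end outside these hunks.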
@ -1027,12 +1027,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
|
||||
CERTCertificate *cert;
|
||||
|
||||
/* remember the cert verification result */
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
if(SSL_IS_PROXY())
|
||||
data->set.proxy_ssl.certverifyresult = err;
|
||||
else
|
||||
#endif
|
||||
data->set.ssl.certverifyresult = err;
|
||||
SSL_SET_OPTION_LVALUE(certverifyresult) = err;
|
||||
|
||||
if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
|
||||
/* we are asked not to verify the host name */
|
||||
@ -1838,12 +1833,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
||||
CURLcode result;
|
||||
bool second_layer = FALSE;
|
||||
SSLVersionRange sslver_supported;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
||||
conn->host.name;
|
||||
#else
|
||||
const char *hostname = conn->host.name;
|
||||
#endif
|
||||
|
||||
SSLVersionRange sslver = {
|
||||
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
|
||||
@ -1948,12 +1937,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
||||
goto error;
|
||||
|
||||
/* not checked yet */
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
if(SSL_IS_PROXY())
|
||||
data->set.proxy_ssl.certverifyresult = 0;
|
||||
else
|
||||
#endif
|
||||
data->set.ssl.certverifyresult = 0;
|
||||
SSL_SET_OPTION_LVALUE(certverifyresult) = 0;
|
||||
|
||||
if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
|
||||
goto error;
|
||||
@ -2125,11 +2109,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
||||
goto error;
|
||||
|
||||
/* propagate hostname to the TLS layer */
|
||||
if(SSL_SetURL(backend->handle, hostname) != SECSuccess)
|
||||
if(SSL_SetURL(backend->handle, SSL_HOST_NAME()) != SECSuccess)
|
||||
goto error;
|
||||
|
||||
/* prevent NSS from re-using the session for a different hostname */
|
||||
if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess)
|
||||
if(SSL_SetSockPeerID(backend->handle, SSL_HOST_NAME()) != SECSuccess)
|
||||
goto error;
|
||||
|
||||
return CURLE_OK;
|
||||
@ -2148,18 +2132,6 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||||
struct Curl_easy *data = conn->data;
|
||||
CURLcode result = CURLE_SSL_CONNECT_ERROR;
|
||||
PRUint32 timeout;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
#else
|
||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
||||
const char * const pinnedpubkey =
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||||
#endif
|
||||
|
||||
|
||||
/* check timeout situation */
|
||||
const timediff_t time_left = Curl_timeleft(data, NULL, TRUE);
|
||||
@ -2175,9 +2147,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||||
if(PR_GetError() == PR_WOULD_BLOCK_ERROR)
|
||||
/* blocking direction is updated by nss_update_connecting_state() */
|
||||
return CURLE_AGAIN;
|
||||
else if(*certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
|
||||
else if(SSL_SET_OPTION(certverifyresult) == SSL_ERROR_BAD_CERT_DOMAIN)
|
||||
result = CURLE_PEER_FAILED_VERIFICATION;
|
||||
else if(*certverifyresult != 0)
|
||||
else if(SSL_SET_OPTION(certverifyresult) != 0)
|
||||
result = CURLE_PEER_FAILED_VERIFICATION;
|
||||
goto error;
|
||||
}
|
||||
@ -2205,7 +2177,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||||
}
|
||||
}
|
||||
|
||||
result = cmp_peer_pubkey(connssl, pinnedpubkey);
|
||||
result = cmp_peer_pubkey(connssl, SSL_PINNED_PUB_KEY());
|
||||
if(result)
|
||||
/* status already printed */
|
||||
goto error;
|
||||
|
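Review bot: nss_do_connect no longer captures `certverifyresult` once at entry (removed at L364-L367) but re-evaluates `SSL_SET_OPTION(certverifyresult)` at each read (L419, L428), and the same shift from a captured pointer to evaluation-at-use appears in the openssl hunks at L613, L676 and L790. SSL_IS_PROXY() is derived from a connection's ssl state (see the tail of its definition at L809), so if that state can change between function entry and the use sites, a read or write could go to a different proxy/host slot than before; the visible uses all sit before any state update I can see, so this looks benign, but it is worth confirming. Suggest a short comment at the macro uses such as `/* SSL_IS_PROXY() is re-evaluated here; the proxy/host selection must not change mid-handshake */`, or keeping the captured-pointer form the gtls hunks use. nss_setup_connect and nss_do_connect begin and end outside the hunks.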
@ -1582,16 +1582,8 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
|
||||
CURLcode result = CURLE_OK;
|
||||
bool dNSName = FALSE; /* if a dNSName field exists in the cert */
|
||||
bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
const char * const hostname = SSL_IS_PROXY() ?
|
||||
conn->http_proxy.host.name : conn->host.name;
|
||||
const char * const dispname = SSL_IS_PROXY() ?
|
||||
conn->http_proxy.host.dispname : conn->host.dispname;
|
||||
#else
|
||||
/* disabled proxy support */
|
||||
const char * const hostname = conn->host.name;
|
||||
const char * const dispname = conn->host.dispname;
|
||||
#endif
|
||||
const char * const hostname = SSL_HOST_NAME();
|
||||
const char * const dispname = SSL_HOST_DISPNAME();
|
||||
|
||||
#ifdef ENABLE_IPV6
|
||||
if(conn->bits.ipv6_ip &&
|
||||
@ -2470,24 +2462,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
|
||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||
bool sni;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
||||
conn->host.name;
|
||||
#else
|
||||
const char * const hostname = conn->host.name;
|
||||
#endif
|
||||
const char * const hostname = SSL_HOST_NAME();
|
||||
|
||||
#ifdef ENABLE_IPV6
|
||||
struct in6_addr addr;
|
||||
#else
|
||||
struct in_addr addr;
|
||||
#endif
|
||||
#endif
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||
#else
|
||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
||||
#endif
|
||||
const long int ssl_version = SSL_CONN_CONFIG(version);
|
||||
#ifdef HAVE_OPENSSL_SRP
|
||||
@ -2511,7 +2492,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
if(result)
|
||||
return result;
|
||||
|
||||
*certverifyresult = !X509_V_OK;
|
||||
SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK;
|
||||
|
||||
/* check to see if we've been told to use an explicit SSL/TLS version */
|
||||
|
||||
@ -3221,12 +3202,6 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
|
||||
struct Curl_easy *data = conn->data;
|
||||
int err;
|
||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||
#else
|
||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
||||
#endif
|
||||
struct ssl_backend_data *backend = connssl->backend;
|
||||
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|
||||
|| ssl_connect_2_reading == connssl->connecting_state
|
||||
@ -3291,7 +3266,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
|
||||
|
||||
lerr = SSL_get_verify_result(backend->handle);
|
||||
if(lerr != X509_V_OK) {
|
||||
*certverifyresult = lerr;
|
||||
SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
|
||||
msnprintf(error_buffer, sizeof(error_buffer),
|
||||
"SSL certificate problem: %s",
|
||||
X509_verify_cert_error_string(lerr));
|
||||
@ -3313,12 +3288,10 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
|
||||
* the SO_ERROR is also lost.
|
||||
*/
|
||||
if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
|
||||
const char * const hostname = SSL_HOST_NAME();
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
const char * const hostname = SSL_IS_PROXY() ?
|
||||
conn->http_proxy.host.name : conn->host.name;
|
||||
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
|
||||
#else
|
||||
const char * const hostname = conn->host.name;
|
||||
const long int port = conn->remote_port;
|
||||
#endif
|
||||
char extramsg[80]="";
|
||||
@ -3773,12 +3746,6 @@ static CURLcode servercert(struct connectdata *conn,
|
||||
char error_buffer[256]="";
|
||||
char buffer[2048];
|
||||
const char *ptr;
|
||||
#ifndef CURL_DISABLE_PROXY
|
||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||||
#else
|
||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
||||
#endif
|
||||
BIO *mem = BIO_new(BIO_s_mem());
|
||||
struct ssl_backend_data *backend = connssl->backend;
|
||||
|
||||
@ -3899,9 +3866,9 @@ static CURLcode servercert(struct connectdata *conn,
|
||||
X509_free(issuer);
|
||||
}
|
||||
|
||||
lerr = *certverifyresult = SSL_get_verify_result(backend->handle);
|
||||
|
||||
if(*certverifyresult != X509_V_OK) {
|
||||
lerr = SSL_get_verify_result(backend->handle);
|
||||
SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
|
||||
if(lerr != X509_V_OK) {
|
||||
if(SSL_CONN_CONFIG(verifypeer)) {
|
||||
/* We probably never reach this, because SSL_connect() will fail
|
||||
and we return earlier if verifypeer is set? */
|
||||
|
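Review bot: In the ossl_connect_step2 hunk at L688-L729 the `hostname` local moves to `SSL_HOST_NAME()` (L700) while `port` keeps its `#ifndef CURL_DISABLE_PROXY` / `#else` pair (L712, L721) in the same block, so the function ends up with both styles side by side. If a matching macro for the port is not wanted in vtls.h, a comment such as `/* port has no vtls.h helper; keep the explicit proxy ifdef */` would stop the next reader from treating it as an oversight. In servercert (L787-L793) the stored and compared values are now the separate `lerr` and the option slot; they are assigned from the same call, so the behaviour is unchanged, but a reader may want `lerr` documented as the authoritative copy. ossl_connect_step2 and servercert begin and end outside the hunks.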
@ -131,12 +131,26 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
|
||||
CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
|
||||
#define SSL_SET_OPTION(var) \
|
||||
(SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var)
|
||||
#define SSL_SET_OPTION_LVALUE(var) \
|
||||
(*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var))
|
||||
#define SSL_CONN_CONFIG(var) \
|
||||
(SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var)
|
||||
#define SSL_HOST_NAME() \
|
||||
(SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name)
|
||||
#define SSL_HOST_DISPNAME() \
|
||||
(SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname)
|
||||
#define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY() \
|
||||
? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] \
|
||||
: data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG])
|
||||
#else
|
||||
#define SSL_IS_PROXY() FALSE
|
||||
#define SSL_SET_OPTION(var) data->set.ssl.var
|
||||
#define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var
|
||||
#define SSL_CONN_CONFIG(var) conn->ssl_config.var
|
||||
#define SSL_HOST_NAME() conn->host.name
|
||||
#define SSL_HOST_DISPNAME() conn->host.dispname
|
||||
#define SSL_PINNED_PUB_KEY() \
|
||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]
|
||||
#endif
|
||||
|
||||
bool Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||
|
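Review bot: The new macros `SSL_SET_OPTION_LVALUE`, `SSL_HOST_NAME`, `SSL_HOST_DISPNAME` and `SSL_PINNED_PUB_KEY` (L818-L848, L860-L875) expand to expressions over locals named `data` and `conn` that must exist at every expansion site, and the proxy-enabled variants evaluate `SSL_IS_PROXY()` on each use; neither fact is stated in the header. A comment above the block along the lines of `/* require a struct Curl_easy *data and struct connectdata *conn in scope; the proxy test is re-evaluated on every use */` would help. It is also worth a line explaining why `SSL_SET_OPTION_LVALUE` exists beside `SSL_SET_OPTION`: the `?:` form in `SSL_SET_OPTION` is not assignable, so the LVALUE variant selects the address and dereferences it. The `SSL_IS_PROXY()` definition whose tail appears at L809 starts outside the hunk.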