From 7920be94738e0d84f7aa30c3605d29ec4274c714 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Mon, 27 Jul 2020 15:44:01 +0200 Subject: [PATCH] vtls: deduplicate some DISABLE_PROXY ifdefs ... in the code of gtls, nss, and openssl Closes #5735 --- lib/vtls/gtls.c | 33 ++++++------------------------ lib/vtls/nss.c | 42 +++++++------------------------------- lib/vtls/openssl.c | 51 ++++++++-------------------------------------- lib/vtls/vtls.h | 14 +++++++++++++ 4 files changed, 36 insertions(+), 104 deletions(-) diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index b09003303..ec3f8599b 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -399,15 +399,8 @@ gtls_connect_step1(struct connectdata *conn, #endif const char *prioritylist; const char *err = NULL; -#ifndef CURL_DISABLE_PROXY - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : - conn->host.name; - long * const certverifyresult = SSL_IS_PROXY() ? - &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; -#else - const char * const hostname = conn->host.name; - long * const certverifyresult = &data->set.ssl.certverifyresult; -#endif + const char * const hostname = SSL_HOST_NAME(); + long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult); if(connssl->state == ssl_connection_complete) /* to make us tolerant against being called more than once for the @@ -839,15 +832,8 @@ gtls_connect_step3(struct connectdata *conn, unsigned int bits; gnutls_protocol_t version = gnutls_protocol_get_version(session); #endif -#ifndef CURL_DISABLE_PROXY - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : - conn->host.name; - long * const certverifyresult = SSL_IS_PROXY() ? - &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; -#else - const char * const hostname = conn->host.name; - long * const certverifyresult = &data->set.ssl.certverifyresult; -#endif + const char * const hostname = SSL_HOST_NAME(); + long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult); /* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */ ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session), @@ -1128,22 +1114,15 @@ gtls_connect_step3(struct connectdata *conn, } #endif if(!rc) { -#ifndef CURL_DISABLE_PROXY - const char * const dispname = SSL_IS_PROXY() ? - conn->http_proxy.host.dispname : conn->host.dispname; -#else - const char * const dispname = conn->host.dispname; -#endif - if(SSL_CONN_CONFIG(verifyhost)) { failf(data, "SSL: certificate subject name (%s) does not match " - "target host name '%s'", certname, dispname); + "target host name '%s'", certname, SSL_HOST_DISPNAME()); gnutls_x509_crt_deinit(x509_cert); return CURLE_PEER_FAILED_VERIFICATION; } else infof(data, "\t common name: %s (does not match '%s')\n", - certname, dispname); + certname, SSL_HOST_DISPNAME()); } else infof(data, "\t common name: %s (matched)\n", certname); diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 2aed10d1b..d0988549d 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1027,12 +1027,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) CERTCertificate *cert; /* remember the cert verification result */ -#ifndef CURL_DISABLE_PROXY - if(SSL_IS_PROXY()) - data->set.proxy_ssl.certverifyresult = err; - else -#endif - data->set.ssl.certverifyresult = err; + SSL_SET_OPTION_LVALUE(certverifyresult) = err; if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost)) /* we are asked not to verify the host name */ @@ -1838,12 +1833,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) CURLcode result; bool second_layer = FALSE; SSLVersionRange sslver_supported; -#ifndef CURL_DISABLE_PROXY - const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : - conn->host.name; -#else - const char *hostname = conn->host.name; -#endif SSLVersionRange sslver = { SSL_LIBRARY_VERSION_TLS_1_0, /* min */ @@ -1948,12 +1937,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) goto error; /* not checked yet */ -#ifndef CURL_DISABLE_PROXY - if(SSL_IS_PROXY()) - data->set.proxy_ssl.certverifyresult = 0; - else -#endif - data->set.ssl.certverifyresult = 0; + SSL_SET_OPTION_LVALUE(certverifyresult) = 0; if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess) goto error; @@ -2125,11 +2109,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) goto error; /* propagate hostname to the TLS layer */ - if(SSL_SetURL(backend->handle, hostname) != SECSuccess) + if(SSL_SetURL(backend->handle, SSL_HOST_NAME()) != SECSuccess) goto error; /* prevent NSS from re-using the session for a different hostname */ - if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess) + if(SSL_SetSockPeerID(backend->handle, SSL_HOST_NAME()) != SECSuccess) goto error; return CURLE_OK; @@ -2148,18 +2132,6 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) struct Curl_easy *data = conn->data; CURLcode result = CURLE_SSL_CONNECT_ERROR; PRUint32 timeout; -#ifndef CURL_DISABLE_PROXY - long * const certverifyresult = SSL_IS_PROXY() ? - &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; - const char * const pinnedpubkey = SSL_IS_PROXY() ? - data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : - data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; -#else - long * const certverifyresult = &data->set.ssl.certverifyresult; - const char * const pinnedpubkey = - data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; -#endif - /* check timeout situation */ const timediff_t time_left = Curl_timeleft(data, NULL, TRUE); @@ -2175,9 +2147,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) if(PR_GetError() == PR_WOULD_BLOCK_ERROR) /* blocking direction is updated by nss_update_connecting_state() */ return CURLE_AGAIN; - else if(*certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) + else if(SSL_SET_OPTION(certverifyresult) == SSL_ERROR_BAD_CERT_DOMAIN) result = CURLE_PEER_FAILED_VERIFICATION; - else if(*certverifyresult != 0) + else if(SSL_SET_OPTION(certverifyresult) != 0) result = CURLE_PEER_FAILED_VERIFICATION; goto error; } @@ -2205,7 +2177,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) } } - result = cmp_peer_pubkey(connssl, pinnedpubkey); + result = cmp_peer_pubkey(connssl, SSL_PINNED_PUB_KEY()); if(result) /* status already printed */ goto error; diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 1b3ed665d..ffc0d6666 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -1582,16 +1582,8 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) CURLcode result = CURLE_OK; bool dNSName = FALSE; /* if a dNSName field exists in the cert */ bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */ -#ifndef CURL_DISABLE_PROXY - const char * const hostname = SSL_IS_PROXY() ? - conn->http_proxy.host.name : conn->host.name; - const char * const dispname = SSL_IS_PROXY() ? - conn->http_proxy.host.dispname : conn->host.dispname; -#else - /* disabled proxy support */ - const char * const hostname = conn->host.name; - const char * const dispname = conn->host.dispname; -#endif + const char * const hostname = SSL_HOST_NAME(); + const char * const dispname = SSL_HOST_DISPNAME(); #ifdef ENABLE_IPV6 if(conn->bits.ipv6_ip && @@ -2470,24 +2462,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME bool sni; -#ifndef CURL_DISABLE_PROXY - const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : - conn->host.name; -#else - const char * const hostname = conn->host.name; -#endif + const char * const hostname = SSL_HOST_NAME(); #ifdef ENABLE_IPV6 struct in6_addr addr; #else struct in_addr addr; #endif -#endif -#ifndef CURL_DISABLE_PROXY - long * const certverifyresult = SSL_IS_PROXY() ? - &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; -#else - long * const certverifyresult = &data->set.ssl.certverifyresult; #endif const long int ssl_version = SSL_CONN_CONFIG(version); #ifdef HAVE_OPENSSL_SRP @@ -2511,7 +2492,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) if(result) return result; - *certverifyresult = !X509_V_OK; + SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK; /* check to see if we've been told to use an explicit SSL/TLS version */ @@ -3221,12 +3202,6 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) struct Curl_easy *data = conn->data; int err; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; -#ifndef CURL_DISABLE_PROXY - long * const certverifyresult = SSL_IS_PROXY() ? - &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; -#else - long * const certverifyresult = &data->set.ssl.certverifyresult; -#endif struct ssl_backend_data *backend = connssl->backend; DEBUGASSERT(ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state @@ -3291,7 +3266,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) lerr = SSL_get_verify_result(backend->handle); if(lerr != X509_V_OK) { - *certverifyresult = lerr; + SSL_SET_OPTION_LVALUE(certverifyresult) = lerr; msnprintf(error_buffer, sizeof(error_buffer), "SSL certificate problem: %s", X509_verify_cert_error_string(lerr)); @@ -3313,12 +3288,10 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) * the SO_ERROR is also lost. */ if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) { + const char * const hostname = SSL_HOST_NAME(); #ifndef CURL_DISABLE_PROXY - const char * const hostname = SSL_IS_PROXY() ? - conn->http_proxy.host.name : conn->host.name; const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; #else - const char * const hostname = conn->host.name; const long int port = conn->remote_port; #endif char extramsg[80]=""; @@ -3773,12 +3746,6 @@ static CURLcode servercert(struct connectdata *conn, char error_buffer[256]=""; char buffer[2048]; const char *ptr; -#ifndef CURL_DISABLE_PROXY - long * const certverifyresult = SSL_IS_PROXY() ? - &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; -#else - long * const certverifyresult = &data->set.ssl.certverifyresult; -#endif BIO *mem = BIO_new(BIO_s_mem()); struct ssl_backend_data *backend = connssl->backend; @@ -3899,9 +3866,9 @@ static CURLcode servercert(struct connectdata *conn, X509_free(issuer); } - lerr = *certverifyresult = SSL_get_verify_result(backend->handle); - - if(*certverifyresult != X509_V_OK) { + lerr = SSL_get_verify_result(backend->handle); + SSL_SET_OPTION_LVALUE(certverifyresult) = lerr; + if(lerr != X509_V_OK) { if(SSL_CONN_CONFIG(verifypeer)) { /* We probably never reach this, because SSL_connect() will fail and we return earlier if verifypeer is set? */ diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index 1a0bb1865..b86bdbc1d 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -131,12 +131,26 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen, CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state) #define SSL_SET_OPTION(var) \ (SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var) +#define SSL_SET_OPTION_LVALUE(var) \ + (*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var)) #define SSL_CONN_CONFIG(var) \ (SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var) +#define SSL_HOST_NAME() \ + (SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name) +#define SSL_HOST_DISPNAME() \ + (SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname) +#define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY() \ + ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] \ + : data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) #else #define SSL_IS_PROXY() FALSE #define SSL_SET_OPTION(var) data->set.ssl.var +#define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var #define SSL_CONN_CONFIG(var) conn->ssl_config.var +#define SSL_HOST_NAME() conn->host.name +#define SSL_HOST_DISPNAME() conn->host.dispname +#define SSL_PINNED_PUB_KEY() \ + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG] #endif bool Curl_ssl_config_matches(struct ssl_primary_config *data,