1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-24 00:58:48 -05:00

vtls: deduplicate some DISABLE_PROXY ifdefs

... in the code of gtls, nss, and openssl

Closes #5735
This commit is contained in:
Kamil Dudka 2020-07-27 15:44:01 +02:00 committed by Daniel Stenberg
parent ce95c5e013
commit 7920be9473
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
4 changed files with 36 additions and 104 deletions

View File

@ -399,15 +399,8 @@ gtls_connect_step1(struct connectdata *conn,
#endif #endif
const char *prioritylist; const char *prioritylist;
const char *err = NULL; const char *err = NULL;
#ifndef CURL_DISABLE_PROXY const char * const hostname = SSL_HOST_NAME();
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
conn->host.name;
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
const char * const hostname = conn->host.name;
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
if(connssl->state == ssl_connection_complete) if(connssl->state == ssl_connection_complete)
/* to make us tolerant against being called more than once for the /* to make us tolerant against being called more than once for the
@ -839,15 +832,8 @@ gtls_connect_step3(struct connectdata *conn,
unsigned int bits; unsigned int bits;
gnutls_protocol_t version = gnutls_protocol_get_version(session); gnutls_protocol_t version = gnutls_protocol_get_version(session);
#endif #endif
#ifndef CURL_DISABLE_PROXY const char * const hostname = SSL_HOST_NAME();
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
conn->host.name;
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
const char * const hostname = conn->host.name;
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
/* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */ /* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session), ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session),
@ -1128,22 +1114,15 @@ gtls_connect_step3(struct connectdata *conn,
} }
#endif #endif
if(!rc) { if(!rc) {
#ifndef CURL_DISABLE_PROXY
const char * const dispname = SSL_IS_PROXY() ?
conn->http_proxy.host.dispname : conn->host.dispname;
#else
const char * const dispname = conn->host.dispname;
#endif
if(SSL_CONN_CONFIG(verifyhost)) { if(SSL_CONN_CONFIG(verifyhost)) {
failf(data, "SSL: certificate subject name (%s) does not match " failf(data, "SSL: certificate subject name (%s) does not match "
"target host name '%s'", certname, dispname); "target host name '%s'", certname, SSL_HOST_DISPNAME());
gnutls_x509_crt_deinit(x509_cert); gnutls_x509_crt_deinit(x509_cert);
return CURLE_PEER_FAILED_VERIFICATION; return CURLE_PEER_FAILED_VERIFICATION;
} }
else else
infof(data, "\t common name: %s (does not match '%s')\n", infof(data, "\t common name: %s (does not match '%s')\n",
certname, dispname); certname, SSL_HOST_DISPNAME());
} }
else else
infof(data, "\t common name: %s (matched)\n", certname); infof(data, "\t common name: %s (matched)\n", certname);

View File

@ -1027,12 +1027,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
CERTCertificate *cert; CERTCertificate *cert;
/* remember the cert verification result */ /* remember the cert verification result */
#ifndef CURL_DISABLE_PROXY SSL_SET_OPTION_LVALUE(certverifyresult) = err;
if(SSL_IS_PROXY())
data->set.proxy_ssl.certverifyresult = err;
else
#endif
data->set.ssl.certverifyresult = err;
if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost)) if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
/* we are asked not to verify the host name */ /* we are asked not to verify the host name */
@ -1838,12 +1833,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
CURLcode result; CURLcode result;
bool second_layer = FALSE; bool second_layer = FALSE;
SSLVersionRange sslver_supported; SSLVersionRange sslver_supported;
#ifndef CURL_DISABLE_PROXY
const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
#else
const char *hostname = conn->host.name;
#endif
SSLVersionRange sslver = { SSLVersionRange sslver = {
SSL_LIBRARY_VERSION_TLS_1_0, /* min */ SSL_LIBRARY_VERSION_TLS_1_0, /* min */
@ -1948,12 +1937,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
goto error; goto error;
/* not checked yet */ /* not checked yet */
#ifndef CURL_DISABLE_PROXY SSL_SET_OPTION_LVALUE(certverifyresult) = 0;
if(SSL_IS_PROXY())
data->set.proxy_ssl.certverifyresult = 0;
else
#endif
data->set.ssl.certverifyresult = 0;
if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess) if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
goto error; goto error;
@ -2125,11 +2109,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
goto error; goto error;
/* propagate hostname to the TLS layer */ /* propagate hostname to the TLS layer */
if(SSL_SetURL(backend->handle, hostname) != SECSuccess) if(SSL_SetURL(backend->handle, SSL_HOST_NAME()) != SECSuccess)
goto error; goto error;
/* prevent NSS from re-using the session for a different hostname */ /* prevent NSS from re-using the session for a different hostname */
if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess) if(SSL_SetSockPeerID(backend->handle, SSL_HOST_NAME()) != SECSuccess)
goto error; goto error;
return CURLE_OK; return CURLE_OK;
@ -2148,18 +2132,6 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
struct Curl_easy *data = conn->data; struct Curl_easy *data = conn->data;
CURLcode result = CURLE_SSL_CONNECT_ERROR; CURLcode result = CURLE_SSL_CONNECT_ERROR;
PRUint32 timeout; PRUint32 timeout;
#ifndef CURL_DISABLE_PROXY
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
const char * const pinnedpubkey = SSL_IS_PROXY() ?
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
#else
long * const certverifyresult = &data->set.ssl.certverifyresult;
const char * const pinnedpubkey =
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
#endif
/* check timeout situation */ /* check timeout situation */
const timediff_t time_left = Curl_timeleft(data, NULL, TRUE); const timediff_t time_left = Curl_timeleft(data, NULL, TRUE);
@ -2175,9 +2147,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
if(PR_GetError() == PR_WOULD_BLOCK_ERROR) if(PR_GetError() == PR_WOULD_BLOCK_ERROR)
/* blocking direction is updated by nss_update_connecting_state() */ /* blocking direction is updated by nss_update_connecting_state() */
return CURLE_AGAIN; return CURLE_AGAIN;
else if(*certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) else if(SSL_SET_OPTION(certverifyresult) == SSL_ERROR_BAD_CERT_DOMAIN)
result = CURLE_PEER_FAILED_VERIFICATION; result = CURLE_PEER_FAILED_VERIFICATION;
else if(*certverifyresult != 0) else if(SSL_SET_OPTION(certverifyresult) != 0)
result = CURLE_PEER_FAILED_VERIFICATION; result = CURLE_PEER_FAILED_VERIFICATION;
goto error; goto error;
} }
@ -2205,7 +2177,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
} }
} }
result = cmp_peer_pubkey(connssl, pinnedpubkey); result = cmp_peer_pubkey(connssl, SSL_PINNED_PUB_KEY());
if(result) if(result)
/* status already printed */ /* status already printed */
goto error; goto error;

View File

@ -1582,16 +1582,8 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
CURLcode result = CURLE_OK; CURLcode result = CURLE_OK;
bool dNSName = FALSE; /* if a dNSName field exists in the cert */ bool dNSName = FALSE; /* if a dNSName field exists in the cert */
bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */ bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
#ifndef CURL_DISABLE_PROXY const char * const hostname = SSL_HOST_NAME();
const char * const hostname = SSL_IS_PROXY() ? const char * const dispname = SSL_HOST_DISPNAME();
conn->http_proxy.host.name : conn->host.name;
const char * const dispname = SSL_IS_PROXY() ?
conn->http_proxy.host.dispname : conn->host.dispname;
#else
/* disabled proxy support */
const char * const hostname = conn->host.name;
const char * const dispname = conn->host.dispname;
#endif
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
if(conn->bits.ipv6_ip && if(conn->bits.ipv6_ip &&
@ -2470,24 +2462,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
bool sni; bool sni;
#ifndef CURL_DISABLE_PROXY const char * const hostname = SSL_HOST_NAME();
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
#else
const char * const hostname = conn->host.name;
#endif
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
struct in6_addr addr; struct in6_addr addr;
#else #else
struct in_addr addr; struct in_addr addr;
#endif #endif
#endif
#ifndef CURL_DISABLE_PROXY
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif #endif
const long int ssl_version = SSL_CONN_CONFIG(version); const long int ssl_version = SSL_CONN_CONFIG(version);
#ifdef HAVE_OPENSSL_SRP #ifdef HAVE_OPENSSL_SRP
@ -2511,7 +2492,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
if(result) if(result)
return result; return result;
*certverifyresult = !X509_V_OK; SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK;
/* check to see if we've been told to use an explicit SSL/TLS version */ /* check to see if we've been told to use an explicit SSL/TLS version */
@ -3221,12 +3202,6 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
struct Curl_easy *data = conn->data; struct Curl_easy *data = conn->data;
int err; int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex];
#ifndef CURL_DISABLE_PROXY
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
struct ssl_backend_data *backend = connssl->backend; struct ssl_backend_data *backend = connssl->backend;
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|| ssl_connect_2_reading == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state
@ -3291,7 +3266,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
lerr = SSL_get_verify_result(backend->handle); lerr = SSL_get_verify_result(backend->handle);
if(lerr != X509_V_OK) { if(lerr != X509_V_OK) {
*certverifyresult = lerr; SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
msnprintf(error_buffer, sizeof(error_buffer), msnprintf(error_buffer, sizeof(error_buffer),
"SSL certificate problem: %s", "SSL certificate problem: %s",
X509_verify_cert_error_string(lerr)); X509_verify_cert_error_string(lerr));
@ -3313,12 +3288,10 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
* the SO_ERROR is also lost. * the SO_ERROR is also lost.
*/ */
if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) { if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
const char * const hostname = SSL_HOST_NAME();
#ifndef CURL_DISABLE_PROXY #ifndef CURL_DISABLE_PROXY
const char * const hostname = SSL_IS_PROXY() ?
conn->http_proxy.host.name : conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
#else #else
const char * const hostname = conn->host.name;
const long int port = conn->remote_port; const long int port = conn->remote_port;
#endif #endif
char extramsg[80]=""; char extramsg[80]="";
@ -3773,12 +3746,6 @@ static CURLcode servercert(struct connectdata *conn,
char error_buffer[256]=""; char error_buffer[256]="";
char buffer[2048]; char buffer[2048];
const char *ptr; const char *ptr;
#ifndef CURL_DISABLE_PROXY
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
#else
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
BIO *mem = BIO_new(BIO_s_mem()); BIO *mem = BIO_new(BIO_s_mem());
struct ssl_backend_data *backend = connssl->backend; struct ssl_backend_data *backend = connssl->backend;
@ -3899,9 +3866,9 @@ static CURLcode servercert(struct connectdata *conn,
X509_free(issuer); X509_free(issuer);
} }
lerr = *certverifyresult = SSL_get_verify_result(backend->handle); lerr = SSL_get_verify_result(backend->handle);
SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
if(*certverifyresult != X509_V_OK) { if(lerr != X509_V_OK) {
if(SSL_CONN_CONFIG(verifypeer)) { if(SSL_CONN_CONFIG(verifypeer)) {
/* We probably never reach this, because SSL_connect() will fail /* We probably never reach this, because SSL_connect() will fail
and we return earlier if verifypeer is set? */ and we return earlier if verifypeer is set? */

View File

@ -131,12 +131,26 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state) CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
#define SSL_SET_OPTION(var) \ #define SSL_SET_OPTION(var) \
(SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var) (SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var)
#define SSL_SET_OPTION_LVALUE(var) \
(*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var))
#define SSL_CONN_CONFIG(var) \ #define SSL_CONN_CONFIG(var) \
(SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var) (SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var)
#define SSL_HOST_NAME() \
(SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name)
#define SSL_HOST_DISPNAME() \
(SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname)
#define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY() \
? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] \
: data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG])
#else #else
#define SSL_IS_PROXY() FALSE #define SSL_IS_PROXY() FALSE
#define SSL_SET_OPTION(var) data->set.ssl.var #define SSL_SET_OPTION(var) data->set.ssl.var
#define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var
#define SSL_CONN_CONFIG(var) conn->ssl_config.var #define SSL_CONN_CONFIG(var) conn->ssl_config.var
#define SSL_HOST_NAME() conn->host.name
#define SSL_HOST_DISPNAME() conn->host.dispname
#define SSL_PINNED_PUB_KEY() \
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]
#endif #endif
bool Curl_ssl_config_matches(struct ssl_primary_config *data, bool Curl_ssl_config_matches(struct ssl_primary_config *data,