vtls: deduplicate some DISABLE_PROXY ifdefs
... in the code of gtls, nss, and openssl. Closes #5735
This commit is contained in:
parent
ce95c5e013
commit
7920be9473
@ -399,15 +399,8 @@ gtls_connect_step1(struct connectdata *conn,
|
|||||||
#endif
|
#endif
|
||||||
const char *prioritylist;
|
const char *prioritylist;
|
||||||
const char *err = NULL;
|
const char *err = NULL;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
const char * const hostname = SSL_HOST_NAME();
|
||||||
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
|
||||||
conn->host.name;
|
|
||||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
|
||||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
|
||||||
#else
|
|
||||||
const char * const hostname = conn->host.name;
|
|
||||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if(connssl->state == ssl_connection_complete)
|
if(connssl->state == ssl_connection_complete)
|
||||||
/* to make us tolerant against being called more than once for the
|
/* to make us tolerant against being called more than once for the
|
||||||
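Review bot: The gtls side keeps a snapshot pointer, `long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);`, while the openssl and nss hunks in this same commit drop that local and assign through `SSL_SET_OPTION_LVALUE(certverifyresult)` at each write site, so the backends now follow two conventions for the same slot; the gtls_connect_step3 hunk below has the same pattern. The writes through this pointer are outside the hunk, so I cannot tell from here whether the snapshot is needed. If it is kept, a one-line comment would stop the next reader from "fixing" it: `/* capture the per-side slot once; every macro use re-evaluates SSL_IS_PROXY() */`.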
@ -839,15 +832,8 @@ gtls_connect_step3(struct connectdata *conn,
|
|||||||
unsigned int bits;
|
unsigned int bits;
|
||||||
gnutls_protocol_t version = gnutls_protocol_get_version(session);
|
gnutls_protocol_t version = gnutls_protocol_get_version(session);
|
||||||
#endif
|
#endif
|
||||||
#ifndef CURL_DISABLE_PROXY
|
const char * const hostname = SSL_HOST_NAME();
|
||||||
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
|
||||||
conn->host.name;
|
|
||||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
|
||||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
|
||||||
#else
|
|
||||||
const char * const hostname = conn->host.name;
|
|
||||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
|
/* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
|
||||||
ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session),
|
ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session),
|
||||||
@ -1128,22 +1114,15 @@ gtls_connect_step3(struct connectdata *conn,
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
if(!rc) {
|
if(!rc) {
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
const char * const dispname = SSL_IS_PROXY() ?
|
|
||||||
conn->http_proxy.host.dispname : conn->host.dispname;
|
|
||||||
#else
|
|
||||||
const char * const dispname = conn->host.dispname;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if(SSL_CONN_CONFIG(verifyhost)) {
|
if(SSL_CONN_CONFIG(verifyhost)) {
|
||||||
failf(data, "SSL: certificate subject name (%s) does not match "
|
failf(data, "SSL: certificate subject name (%s) does not match "
|
||||||
"target host name '%s'", certname, dispname);
|
"target host name '%s'", certname, SSL_HOST_DISPNAME());
|
||||||
gnutls_x509_crt_deinit(x509_cert);
|
gnutls_x509_crt_deinit(x509_cert);
|
||||||
return CURLE_PEER_FAILED_VERIFICATION;
|
return CURLE_PEER_FAILED_VERIFICATION;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
infof(data, "\t common name: %s (does not match '%s')\n",
|
infof(data, "\t common name: %s (does not match '%s')\n",
|
||||||
certname, dispname);
|
certname, SSL_HOST_DISPNAME());
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
infof(data, "\t common name: %s (matched)\n", certname);
|
infof(data, "\t common name: %s (matched)\n", certname);
|
||||||
|
@ -1027,12 +1027,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
|
|||||||
CERTCertificate *cert;
|
CERTCertificate *cert;
|
||||||
|
|
||||||
/* remember the cert verification result */
|
/* remember the cert verification result */
|
||||||
#ifndef CURL_DISABLE_PROXY
|
SSL_SET_OPTION_LVALUE(certverifyresult) = err;
|
||||||
if(SSL_IS_PROXY())
|
|
||||||
data->set.proxy_ssl.certverifyresult = err;
|
|
||||||
else
|
|
||||||
#endif
|
|
||||||
data->set.ssl.certverifyresult = err;
|
|
||||||
|
|
||||||
if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
|
if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
|
||||||
/* we are asked not to verify the host name */
|
/* we are asked not to verify the host name */
|
||||||
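Review bot: `SSL_SET_OPTION_LVALUE(certverifyresult) = err;` stores the verification error in whichever slot SSL_IS_PROXY() selects at callback time, and nss_do_connect (later hunk) reads it back with `SSL_SET_OPTION(certverifyresult)` after the handshake call returns; the error is only seen if SSL_IS_PROXY() evaluates the same way at both points. The old pointer-based code had the same dependency, but there it was visible as two explicit selections, whereas now it is hidden inside the macro expansions. A comment on the assignment would make the pairing explicit: `/* same per-side slot that nss_do_connect() reads back via SSL_SET_OPTION(certverifyresult) */`. BadCertHandler's body starts outside this hunk.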
@ -1838,12 +1833,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|||||||
CURLcode result;
|
CURLcode result;
|
||||||
bool second_layer = FALSE;
|
bool second_layer = FALSE;
|
||||||
SSLVersionRange sslver_supported;
|
SSLVersionRange sslver_supported;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
|
||||||
conn->host.name;
|
|
||||||
#else
|
|
||||||
const char *hostname = conn->host.name;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
SSLVersionRange sslver = {
|
SSLVersionRange sslver = {
|
||||||
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
|
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
|
||||||
@ -1948,12 +1937,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
/* not checked yet */
|
/* not checked yet */
|
||||||
#ifndef CURL_DISABLE_PROXY
|
SSL_SET_OPTION_LVALUE(certverifyresult) = 0;
|
||||||
if(SSL_IS_PROXY())
|
|
||||||
data->set.proxy_ssl.certverifyresult = 0;
|
|
||||||
else
|
|
||||||
#endif
|
|
||||||
data->set.ssl.certverifyresult = 0;
|
|
||||||
|
|
||||||
if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
|
if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
|
||||||
goto error;
|
goto error;
|
||||||
@ -2125,11 +2109,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
/* propagate hostname to the TLS layer */
|
/* propagate hostname to the TLS layer */
|
||||||
if(SSL_SetURL(backend->handle, hostname) != SECSuccess)
|
if(SSL_SetURL(backend->handle, SSL_HOST_NAME()) != SECSuccess)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
/* prevent NSS from re-using the session for a different hostname */
|
/* prevent NSS from re-using the session for a different hostname */
|
||||||
if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess)
|
if(SSL_SetSockPeerID(backend->handle, SSL_HOST_NAME()) != SECSuccess)
|
||||||
goto error;
|
goto error;
|
||||||
|
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
@ -2148,18 +2132,6 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
|||||||
struct Curl_easy *data = conn->data;
|
struct Curl_easy *data = conn->data;
|
||||||
CURLcode result = CURLE_SSL_CONNECT_ERROR;
|
CURLcode result = CURLE_SSL_CONNECT_ERROR;
|
||||||
PRUint32 timeout;
|
PRUint32 timeout;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
|
||||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
|
||||||
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
|
||||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
|
||||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
|
||||||
#else
|
|
||||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
|
||||||
const char * const pinnedpubkey =
|
|
||||||
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
|
||||||
#endif
|
|
||||||
|
|
||||||
|
|
||||||
/* check timeout situation */
|
/* check timeout situation */
|
||||||
const timediff_t time_left = Curl_timeleft(data, NULL, TRUE);
|
const timediff_t time_left = Curl_timeleft(data, NULL, TRUE);
|
||||||
@ -2175,9 +2147,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
|||||||
if(PR_GetError() == PR_WOULD_BLOCK_ERROR)
|
if(PR_GetError() == PR_WOULD_BLOCK_ERROR)
|
||||||
/* blocking direction is updated by nss_update_connecting_state() */
|
/* blocking direction is updated by nss_update_connecting_state() */
|
||||||
return CURLE_AGAIN;
|
return CURLE_AGAIN;
|
||||||
else if(*certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
|
else if(SSL_SET_OPTION(certverifyresult) == SSL_ERROR_BAD_CERT_DOMAIN)
|
||||||
result = CURLE_PEER_FAILED_VERIFICATION;
|
result = CURLE_PEER_FAILED_VERIFICATION;
|
||||||
else if(*certverifyresult != 0)
|
else if(SSL_SET_OPTION(certverifyresult) != 0)
|
||||||
result = CURLE_PEER_FAILED_VERIFICATION;
|
result = CURLE_PEER_FAILED_VERIFICATION;
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
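Review bot: The two new `else if` lines read the slot through the macro twice and both assign `result = CURLE_PEER_FAILED_VERIFICATION;`, and since SSL_ERROR_BAD_CERT_DOMAIN is nonzero the `!= 0` test already covers the first; this looks like a leftover from when the two cases mapped to different codes, though that is a guess. If the distinction is meant to stay, reading the slot once inside the failure branch, before the `PR_GetError()` check, is clearer: `const long verifyresult = SSL_SET_OPTION(certverifyresult);` followed by `else if(verifyresult == SSL_ERROR_BAD_CERT_DOMAIN)` and `else if(verifyresult != 0)`. nss_do_connect's body starts and ends outside this hunk.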
@ -2205,7 +2177,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
result = cmp_peer_pubkey(connssl, pinnedpubkey);
|
result = cmp_peer_pubkey(connssl, SSL_PINNED_PUB_KEY());
|
||||||
if(result)
|
if(result)
|
||||||
/* status already printed */
|
/* status already printed */
|
||||||
goto error;
|
goto error;
|
||||||
|
@ -1582,16 +1582,8 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
|
|||||||
CURLcode result = CURLE_OK;
|
CURLcode result = CURLE_OK;
|
||||||
bool dNSName = FALSE; /* if a dNSName field exists in the cert */
|
bool dNSName = FALSE; /* if a dNSName field exists in the cert */
|
||||||
bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
|
bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
|
||||||
#ifndef CURL_DISABLE_PROXY
|
const char * const hostname = SSL_HOST_NAME();
|
||||||
const char * const hostname = SSL_IS_PROXY() ?
|
const char * const dispname = SSL_HOST_DISPNAME();
|
||||||
conn->http_proxy.host.name : conn->host.name;
|
|
||||||
const char * const dispname = SSL_IS_PROXY() ?
|
|
||||||
conn->http_proxy.host.dispname : conn->host.dispname;
|
|
||||||
#else
|
|
||||||
/* disabled proxy support */
|
|
||||||
const char * const hostname = conn->host.name;
|
|
||||||
const char * const dispname = conn->host.dispname;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
if(conn->bits.ipv6_ip &&
|
if(conn->bits.ipv6_ip &&
|
||||||
@ -2470,24 +2462,13 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
|
|
||||||
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
|
||||||
bool sni;
|
bool sni;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
const char * const hostname = SSL_HOST_NAME();
|
||||||
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
|
||||||
conn->host.name;
|
|
||||||
#else
|
|
||||||
const char * const hostname = conn->host.name;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef ENABLE_IPV6
|
#ifdef ENABLE_IPV6
|
||||||
struct in6_addr addr;
|
struct in6_addr addr;
|
||||||
#else
|
#else
|
||||||
struct in_addr addr;
|
struct in_addr addr;
|
||||||
#endif
|
#endif
|
||||||
#endif
|
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
|
||||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
|
||||||
#else
|
|
||||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
|
||||||
#endif
|
#endif
|
||||||
const long int ssl_version = SSL_CONN_CONFIG(version);
|
const long int ssl_version = SSL_CONN_CONFIG(version);
|
||||||
#ifdef HAVE_OPENSSL_SRP
|
#ifdef HAVE_OPENSSL_SRP
|
||||||
@ -2511,7 +2492,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
|||||||
if(result)
|
if(result)
|
||||||
return result;
|
return result;
|
||||||
|
|
||||||
*certverifyresult = !X509_V_OK;
|
SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK;
|
||||||
|
|
||||||
/* check to see if we've been told to use an explicit SSL/TLS version */
|
/* check to see if we've been told to use an explicit SSL/TLS version */
|
||||||
|
|
||||||
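Review bot: `SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK;` initialises the slot to a nonzero placeholder, whereas the nss_setup_connect hunk in this same commit initialises the same slot to 0 under the comment "not checked yet"; the two backends therefore expose different values for a connection whose verification has not run, and nothing at this line records which meaning is intended. As far as I recall this slot is what CURLINFO_SSL_VERIFYRESULT hands back, which would make the difference visible to applications. A comment here would at least document the choice: `/* nonzero until SSL_get_verify_result() stores the real outcome; reads as "not verified" */`. ossl_connect_step1's body starts and ends outside this hunk.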
@ -3221,12 +3202,6 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
|
|||||||
struct Curl_easy *data = conn->data;
|
struct Curl_easy *data = conn->data;
|
||||||
int err;
|
int err;
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
|
||||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
|
||||||
#else
|
|
||||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
|
||||||
#endif
|
|
||||||
struct ssl_backend_data *backend = connssl->backend;
|
struct ssl_backend_data *backend = connssl->backend;
|
||||||
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|
||||||
|| ssl_connect_2_reading == connssl->connecting_state
|
|| ssl_connect_2_reading == connssl->connecting_state
|
||||||
@ -3291,7 +3266,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
|
|||||||
|
|
||||||
lerr = SSL_get_verify_result(backend->handle);
|
lerr = SSL_get_verify_result(backend->handle);
|
||||||
if(lerr != X509_V_OK) {
|
if(lerr != X509_V_OK) {
|
||||||
*certverifyresult = lerr;
|
SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
|
||||||
msnprintf(error_buffer, sizeof(error_buffer),
|
msnprintf(error_buffer, sizeof(error_buffer),
|
||||||
"SSL certificate problem: %s",
|
"SSL certificate problem: %s",
|
||||||
X509_verify_cert_error_string(lerr));
|
X509_verify_cert_error_string(lerr));
|
||||||
@ -3313,12 +3288,10 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
|
|||||||
* the SO_ERROR is also lost.
|
* the SO_ERROR is also lost.
|
||||||
*/
|
*/
|
||||||
if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
|
if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
|
||||||
|
const char * const hostname = SSL_HOST_NAME();
|
||||||
#ifndef CURL_DISABLE_PROXY
|
#ifndef CURL_DISABLE_PROXY
|
||||||
const char * const hostname = SSL_IS_PROXY() ?
|
|
||||||
conn->http_proxy.host.name : conn->host.name;
|
|
||||||
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
|
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
|
||||||
#else
|
#else
|
||||||
const char * const hostname = conn->host.name;
|
|
||||||
const long int port = conn->remote_port;
|
const long int port = conn->remote_port;
|
||||||
#endif
|
#endif
|
||||||
char extramsg[80]="";
|
char extramsg[80]="";
|
||||||
@ -3773,12 +3746,6 @@ static CURLcode servercert(struct connectdata *conn,
|
|||||||
char error_buffer[256]="";
|
char error_buffer[256]="";
|
||||||
char buffer[2048];
|
char buffer[2048];
|
||||||
const char *ptr;
|
const char *ptr;
|
||||||
#ifndef CURL_DISABLE_PROXY
|
|
||||||
long * const certverifyresult = SSL_IS_PROXY() ?
|
|
||||||
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
|
||||||
#else
|
|
||||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
|
||||||
#endif
|
|
||||||
BIO *mem = BIO_new(BIO_s_mem());
|
BIO *mem = BIO_new(BIO_s_mem());
|
||||||
struct ssl_backend_data *backend = connssl->backend;
|
struct ssl_backend_data *backend = connssl->backend;
|
||||||
|
|
||||||
@ -3899,9 +3866,9 @@ static CURLcode servercert(struct connectdata *conn,
|
|||||||
X509_free(issuer);
|
X509_free(issuer);
|
||||||
}
|
}
|
||||||
|
|
||||||
lerr = *certverifyresult = SSL_get_verify_result(backend->handle);
|
lerr = SSL_get_verify_result(backend->handle);
|
||||||
|
SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
|
||||||
if(*certverifyresult != X509_V_OK) {
|
if(lerr != X509_V_OK) {
|
||||||
if(SSL_CONN_CONFIG(verifypeer)) {
|
if(SSL_CONN_CONFIG(verifypeer)) {
|
||||||
/* We probably never reach this, because SSL_connect() will fail
|
/* We probably never reach this, because SSL_connect() will fail
|
||||||
and we return earlier if verifypeer is set? */
|
and we return earlier if verifypeer is set? */
|
||||||
|
@ -131,12 +131,26 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
|
|||||||
CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
|
CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
|
||||||
#define SSL_SET_OPTION(var) \
|
#define SSL_SET_OPTION(var) \
|
||||||
(SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var)
|
(SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var)
|
||||||
|
#define SSL_SET_OPTION_LVALUE(var) \
|
||||||
|
(*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var))
|
||||||
#define SSL_CONN_CONFIG(var) \
|
#define SSL_CONN_CONFIG(var) \
|
||||||
(SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var)
|
(SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var)
|
||||||
|
#define SSL_HOST_NAME() \
|
||||||
|
(SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name)
|
||||||
|
#define SSL_HOST_DISPNAME() \
|
||||||
|
(SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname)
|
||||||
|
#define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY() \
|
||||||
|
? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] \
|
||||||
|
: data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG])
|
||||||
#else
|
#else
|
||||||
#define SSL_IS_PROXY() FALSE
|
#define SSL_IS_PROXY() FALSE
|
||||||
#define SSL_SET_OPTION(var) data->set.ssl.var
|
#define SSL_SET_OPTION(var) data->set.ssl.var
|
||||||
|
#define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var
|
||||||
#define SSL_CONN_CONFIG(var) conn->ssl_config.var
|
#define SSL_CONN_CONFIG(var) conn->ssl_config.var
|
||||||
|
#define SSL_HOST_NAME() conn->host.name
|
||||||
|
#define SSL_HOST_DISPNAME() conn->host.dispname
|
||||||
|
#define SSL_PINNED_PUB_KEY() \
|
||||||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
bool Curl_ssl_config_matches(struct ssl_primary_config *data,
|
bool Curl_ssl_config_matches(struct ssl_primary_config *data,
|
||||||
|
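Review bot: The new macros are undocumented, and the reason `SSL_SET_OPTION_LVALUE()` exists next to `SSL_SET_OPTION()` is not stated: the conditional in `SSL_SET_OPTION()` yields an rvalue, so the lvalue variant goes through `*(cond ? &a : &b)` to make assignment legal. All of them also silently require locals named `data` and `conn` and re-evaluate `SSL_IS_PROXY()`, which reads connection state, on every use; that matters now that callers write and read the same slot through separate macro expansions. A comment above the group would cover both points: `/* SSL_SET_OPTION() is an rvalue; assign through SSL_SET_OPTION_LVALUE(). All of these expect 'data' and 'conn' in scope and evaluate SSL_IS_PROXY() on every use. */`. The `#ifndef CURL_DISABLE_PROXY` that opens this group is outside the hunk.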