doh: inherit some SSL options from user's easy handle
- Inherit SSL options for the doh handle but not SSL client certs, SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert, SSL pinned public key, SSL ciphers, SSL id cache setting, SSL kerberos or SSL gss-api settings. - Fix inheritance of verbose setting. - Inherit NOSIGNAL. There is no way for the user to set options for the doh (DNS-over-HTTPS) handles and instead we inherit some options from the user's easy handle. My thinking for the SSL options not inherited is they are most likely not intended by the user for the DOH transfer. I did inherit insecure because I think that should still be in control of the user. Prior to this change doh did not work for me because CAINFO was not inherited. Also verbose was set always which AFAICT was a bug (#3660). Fixes https://github.com/curl/curl/issues/3660 Closes https://github.com/curl/curl/pull/3661
This commit is contained in:
parent
ff7e5a29c7
commit
9e6af114ea
71
lib/doh.c
71
lib/doh.c
@ -173,8 +173,12 @@ static int Curl_doh_done(struct Curl_easy *doh, CURLcode result)
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define ERROR_CHECK_SETOPT(x,y) result = curl_easy_setopt(doh, x, y); \
|
||||
if(result) goto error
|
||||
#define ERROR_CHECK_SETOPT(x,y) \
|
||||
do { \
|
||||
result = curl_easy_setopt(doh, x, y); \
|
||||
if(result) \
|
||||
goto error; \
|
||||
} WHILE_FALSE
|
||||
|
||||
static CURLcode dohprobe(struct Curl_easy *data,
|
||||
struct dnsprobe *p, DNStype dnstype,
|
||||
@ -242,7 +246,68 @@ static CURLcode dohprobe(struct Curl_easy *data,
|
||||
ERROR_CHECK_SETOPT(CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
|
||||
#endif
|
||||
ERROR_CHECK_SETOPT(CURLOPT_TIMEOUT_MS, (long)timeout_ms);
|
||||
ERROR_CHECK_SETOPT(CURLOPT_VERBOSE, 1L);
|
||||
if(data->set.verbose)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_VERBOSE, 1L);
|
||||
if(data->set.no_signal)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_NOSIGNAL, 1L);
|
||||
|
||||
/* Inherit *some* SSL options from the user's transfer. This is a
|
||||
best-guess as to which options are needed for compatibility. #3661 */
|
||||
if(data->set.ssl.falsestart)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_FALSESTART, 1L);
|
||||
if(data->set.ssl.primary.verifyhost)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYHOST, 2L);
|
||||
if(data->set.proxy_ssl.primary.verifyhost)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYHOST, 2L);
|
||||
if(data->set.ssl.primary.verifypeer)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);
|
||||
if(data->set.proxy_ssl.primary.verifypeer)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYPEER, 1L);
|
||||
if(data->set.ssl.primary.verifystatus)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L);
|
||||
if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_CAINFO,
|
||||
data->set.str[STRING_SSL_CAFILE_ORIG]);
|
||||
}
|
||||
if(data->set.str[STRING_SSL_CAFILE_PROXY]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_PROXY_CAINFO,
|
||||
data->set.str[STRING_SSL_CAFILE_PROXY]);
|
||||
}
|
||||
if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_CAPATH,
|
||||
data->set.str[STRING_SSL_CAPATH_ORIG]);
|
||||
}
|
||||
if(data->set.str[STRING_SSL_CAPATH_PROXY]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_PROXY_CAPATH,
|
||||
data->set.str[STRING_SSL_CAPATH_PROXY]);
|
||||
}
|
||||
if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_CRLFILE,
|
||||
data->set.str[STRING_SSL_CRLFILE_ORIG]);
|
||||
}
|
||||
if(data->set.str[STRING_SSL_CRLFILE_PROXY]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_PROXY_CRLFILE,
|
||||
data->set.str[STRING_SSL_CRLFILE_PROXY]);
|
||||
}
|
||||
if(data->set.ssl.certinfo)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_CERTINFO, 1L);
|
||||
if(data->set.str[STRING_SSL_RANDOM_FILE]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_RANDOM_FILE,
|
||||
data->set.str[STRING_SSL_RANDOM_FILE]);
|
||||
}
|
||||
if(data->set.str[STRING_SSL_EGDSOCKET]) {
|
||||
ERROR_CHECK_SETOPT(CURLOPT_EGDSOCKET,
|
||||
data->set.str[STRING_SSL_EGDSOCKET]);
|
||||
}
|
||||
if(data->set.ssl.no_revoke)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
|
||||
if(data->set.proxy_ssl.no_revoke)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
|
||||
if(data->set.ssl.fsslctx)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_CTX_FUNCTION, data->set.ssl.fsslctx);
|
||||
if(data->set.ssl.fsslctxp)
|
||||
ERROR_CHECK_SETOPT(CURLOPT_SSL_CTX_DATA, data->set.ssl.fsslctxp);
|
||||
|
||||
doh->set.fmultidone = Curl_doh_done;
|
||||
doh->set.dohfor = data; /* identify for which transfer this is done */
|
||||
p->easy = doh;
|
||||
|
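Review bot: The verifypeer/verifyhost lines only propagate the enabling direction: `if(data->set.ssl.primary.verifypeer) ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);` does nothing when the user turned verification off, so if the doh handle starts from library defaults (presumably verification on, not visible in the hunk) the description's claim that "insecure" is inherited does not hold and a `-k` transfer against a self-signed DoH server would still fail. Either pass the value through unconditionally, `ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, (long)data->set.ssl.primary.verifypeer);` (and `verifyhost ? 2L : 0L` for VERIFYHOST, likewise the proxy variants), or keep DoH verification pinned on and state it in the comment, e.g. `/* verification is never relaxed for the DoH handle, even if the user disabled it for the main transfer */`. Pinned-on is the safer default, but it should be a documented decision rather than a side effect of the conditional. Note also that inheriting CURLOPT_SSL_CTX_FUNCTION/CTX_DATA invokes the user's callback on a handle it did not create; a callback that pins the target server's certificate may reject the DoH server for the same reason pinned-public-key was deliberately excluded, which deserves a sentence in the "Inherit *some* SSL options" comment. dohprobe continues past the end of the hunk.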