From c6da05a5ec0c5250df077e42647c498f8ae38e8d Mon Sep 17 00:00:00 2001 From: Okhin Vasilij Date: Mon, 21 Nov 2016 17:01:25 +0700 Subject: [PATCH] HTTPS-proxy: fixed mbedtls and polishing --- .../opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3 | 4 +- docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 | 4 +- .../opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3 | 2 +- docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3 | 2 +- .../opts/CURLOPT_PROXY_SSL_VERIFYHOST.3 | 2 +- .../opts/CURLOPT_PROXY_SSL_VERIFYPEER.3 | 2 +- .../opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3 | 2 +- .../libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3 | 2 +- .../opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3 | 2 +- docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3 | 2 +- docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3 | 2 +- docs/libcurl/symbols-in-versions | 40 +++++----- lib/curl_sasl.c | 14 +++- lib/http_proxy.c | 2 + lib/multi.c | 2 + lib/url.c | 6 +- lib/vtls/darwinssl.c | 77 ++++++++++--------- lib/vtls/gskit.c | 2 +- lib/vtls/gtls.c | 4 +- lib/vtls/mbedtls.c | 62 +++++++-------- lib/vtls/openssl.c | 8 +- lib/vtls/schannel.c | 35 ++++++--- 30 files changed, 159 insertions(+), 135 deletions(-) diff --git a/docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3 b/docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3 index 8f09df5c4..34892f54f 100644 --- a/docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3 +++ b/docs/libcurl/opts/CURLINFO_PROXY_SSL_VERIFYRESULT.3 
@@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLINFO_PROXY_SSL_VERIFYRESULT 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_getinfo options" +.TH CURLINFO_PROXY_SSL_VERIFYRESULT 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_getinfo options" .SH NAME CURLINFO_PROXY_SSL_VERIFYRESULT \- get the result of the proxy certification verification .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3 b/docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3 index 31fc562e8..d240b37fd 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_CAINFO.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_CAINFO 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_CAINFO 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_CAINFO \- path to proxy Certificate Authority (CA) bundle .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3 b/docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3 index 7c984538a..d1dfb06a0 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_CAPATH.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_CAPATH 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_CAPATH 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_CAPATH \- specify directory holding proxy CA certificates .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3 b/docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3 index 956cc5691..1d0dc6397 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_CRLFILE.3 
@@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_CRLFILE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_CRLFILE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_CRLFILE \- specify a proxy Certificate Revocation List file .SH SYNOPSIS @@ -52,8 +52,6 @@ NULL All TLS-based protocols .SH EXAMPLE TODO -.SH AVAILABILITY -Added in 7.51.1 .SH RETURN VALUE Returns CURLE_OK if the option is supported, CURLE_UNKNOWN_OPTION if not, or CURLE_OUT_OF_MEMORY if there was insufficient heap space. diff --git a/docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3 b/docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3 index 5f328020e..1abd329d3 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_KEYPASSWD.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_KEYPASSWD 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_KEYPASSWD 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_KEYPASSWD \- set passphrase to proxy private key .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3 index 8ce38592d..d69f6e632 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLCERT.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSLCERT 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSLCERT 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSLCERT \- set SSL proxy client certificate .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3 index 297cc0c30..326330c61 100644 
--- a/docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLCERTTYPE.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSLCERTTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSLCERTTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSLCERTTYPE \- specify type of the proxy client SSL certificate .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3 index 6301ae8f4..e5c7369ae 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLKEY.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSLKEY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSLKEY 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSLKEY \- specify private keyfile for TLS and SSL proxy client cert .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3 index 8c81b49f0..97454f925 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLKEYTYPE.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSLKEYTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSLKEYTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSLKEYTYPE \- set type of the proxy private key file .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 index ef65b169c..0e91be932 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSLVERSION.3 
@@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSLVERSION 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSLVERSION 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSLVERSION \- set proxy preferred TLS/SSL version .SH SYNOPSIS @@ -50,7 +50,7 @@ TLSv1.1 (Added in 7.34.0) .IP CURL_SSLVERSION_TLSv1_2 TLSv1.2 (Added in 7.34.0) .IP CURL_SSLVERSION_TLSv1_3 -TLSv1.3 (Added in 7.51.1) +TLSv1.3 (Added in 7.52.0) .RE .SH DEFAULT CURL_SSLVERSION_DEFAULT diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3 index a7cbc6af7..f872952ad 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_CIPHER_LIST.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSL_CIPHER_LIST 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSL_CIPHER_LIST 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSL_CIPHER_LIST \- specify ciphers to use for proxy TLS .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3 index 6b4cbaeb4..45402dfab 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_OPTIONS.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSL_OPTIONS 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSL_OPTIONS 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSL_OPTIONS \- set proxy SSL behavior options .SH SYNOPSIS 
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3 index 9a0d69ab6..e72027a8b 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYHOST.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSL_VERIFYHOST 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSL_VERIFYHOST 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSL_VERIFYHOST \- verify the proxy certificate's name against host .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3 b/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3 index 294c77b37..0eb902bb1 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_SSL_VERIFYPEER.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_SSL_VERIFYPEER 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_SSL_VERIFYPEER 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_SSL_VERIFYPEER \- verify the proxy peer's SSL certificate .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3 index ed2544bd1..1d824fed0 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_PASSWORD.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_TLSAUTH_PASSWORD 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_TLSAUTH_PASSWORD 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_TLSAUTH_PASSWORD \- password to use for proxy TLS authentication .SH SYNOPSIS 
diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3 index f30256ab7..228a42e46 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_TYPE.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_TLSAUTH_TYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_TLSAUTH_TYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_TLSAUTH_TYPE \- set proxy TLS authentication methods .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3 b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3 index 53c8378a4..e8d4e4d1e 100644 --- a/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3 +++ b/docs/libcurl/opts/CURLOPT_PROXY_TLSAUTH_USERNAME.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_PROXY_TLSAUTH_USERNAME 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_PROXY_TLSAUTH_USERNAME 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_PROXY_TLSAUTH_USERNAME \- user name to use for proxy TLS authentication .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3 b/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3 index bddb40a18..aad3d40a5 100644 --- a/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3 +++ b/docs/libcurl/opts/CURLOPT_SOCKS_PROXY.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_SOCKS_PROXY 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_SOCKS_PROXY \- set socks proxy to use .SH SYNOPSIS diff --git a/docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3 b/docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3 index 789bfb877..210024067 100644 
--- a/docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3 +++ b/docs/libcurl/opts/CURLOPT_SOCKS_PROXYTYPE.3 @@ -20,7 +20,7 @@ .\" * .\" ************************************************************************** .\" -.TH CURLOPT_SOCKS_PROXYTYPE 3 "16 Nov 2016" "libcurl 7.51.1" "curl_easy_setopt options" +.TH CURLOPT_SOCKS_PROXYTYPE 3 "16 Nov 2016" "libcurl 7.52.0" "curl_easy_setopt options" .SH NAME CURLOPT_SOCKS_PROXYTYPE \- socks proxy protocol type .SH SYNOPSIS diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index fb3330f14..1d58d51c1 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -240,7 +240,7 @@ CURLINFO_PRIMARY_IP 7.19.0 CURLINFO_PRIMARY_PORT 7.21.0 CURLINFO_PRIVATE 7.10.3 CURLINFO_PROXYAUTH_AVAIL 7.10.8 -CURLINFO_PROXY_SSL_VERIFYRESULT 7.51.1 +CURLINFO_PROXY_SSL_VERIFYRESULT 7.52.0 CURLINFO_REDIRECT_COUNT 7.9.7 CURLINFO_REDIRECT_TIME 7.9.7 CURLINFO_REDIRECT_URL 7.18.2 
@@ -469,23 +469,23 @@ CURLOPT_PROXYPORT 7.1 CURLOPT_PROXYTYPE 7.10 CURLOPT_PROXYUSERNAME 7.19.1 CURLOPT_PROXYUSERPWD 7.1 -CURLOPT_PROXY_CAINFO 7.51.1 -CURLOPT_PROXY_CAPATH 7.51.1 -CURLOPT_PROXY_CRLFILE 7.51.1 -CURLOPT_PROXY_KEYPASSWD 7.51.1 +CURLOPT_PROXY_CAINFO 7.52.0 +CURLOPT_PROXY_CAPATH 7.52.0 +CURLOPT_PROXY_CRLFILE 7.52.0 +CURLOPT_PROXY_KEYPASSWD 7.52.0 CURLOPT_PROXY_SERVICE_NAME 7.43.0 -CURLOPT_PROXY_SSLCERT 7.51.1 -CURLOPT_PROXY_SSLCERTTYPE 7.51.1 -CURLOPT_PROXY_SSLKEY 7.51.1 -CURLOPT_PROXY_SSLKEYTYPE 7.51.1 -CURLOPT_PROXY_SSLVERSION 7.51.1 -CURLOPT_PROXY_SSL_CIPHER_LIST 7.51.1 -CURLOPT_PROXY_SSL_OPTIONS 7.51.1 -CURLOPT_PROXY_SSL_VERIFYHOST 7.51.1 -CURLOPT_PROXY_SSL_VERIFYPEER 7.51.1 -CURLOPT_PROXY_TLSAUTH_PASSWORD 7.51.1 -CURLOPT_PROXY_TLSAUTH_TYPE 7.51.1 -CURLOPT_PROXY_TLSAUTH_USERNAME 7.51.1 +CURLOPT_PROXY_SSLCERT 7.52.0 +CURLOPT_PROXY_SSLCERTTYPE 7.52.0 +CURLOPT_PROXY_SSLKEY 7.52.0 +CURLOPT_PROXY_SSLKEYTYPE 7.52.0 +CURLOPT_PROXY_SSLVERSION 7.52.0 +CURLOPT_PROXY_SSL_CIPHER_LIST 7.52.0 +CURLOPT_PROXY_SSL_OPTIONS 7.52.0 +CURLOPT_PROXY_SSL_VERIFYHOST 7.52.0 +CURLOPT_PROXY_SSL_VERIFYPEER 7.52.0 +CURLOPT_PROXY_TLSAUTH_PASSWORD 7.52.0 +CURLOPT_PROXY_TLSAUTH_TYPE 7.52.0 +CURLOPT_PROXY_TLSAUTH_USERNAME 7.52.0 CURLOPT_PROXY_TRANSFER_MODE 7.18.0 CURLOPT_PUT 7.1 CURLOPT_QUOTE 7.1 @@ -515,8 +515,8 @@ CURLOPT_SOCKOPTDATA 7.16.0 CURLOPT_SOCKOPTFUNCTION 7.16.0 CURLOPT_SOCKS5_GSSAPI_NEC 7.19.4 CURLOPT_SOCKS5_GSSAPI_SERVICE 7.19.4 7.49.0 -CURLOPT_SOCKS_PROXY 7.51.1 -CURLOPT_SOCKS_PROXYTYPE 7.51.1 +CURLOPT_SOCKS_PROXY 7.52.0 +CURLOPT_SOCKS_PROXYTYPE 7.52.0 CURLOPT_SOURCE_HOST 7.12.1 - 7.15.5 CURLOPT_SOURCE_PATH 7.12.1 - 7.15.5 CURLOPT_SOURCE_PORT 7.12.1 - 7.15.5 @@ -630,7 +630,7 @@ CURLPROTO_TELNET 7.19.4 CURLPROTO_TFTP 7.19.4 CURLPROXY_HTTP 7.10 CURLPROXY_HTTP_1_0 7.19.4 -CURLPROXY_HTTPS 7.51.1 +CURLPROXY_HTTPS 7.52.0 CURLPROXY_SOCKS4 7.10 CURLPROXY_SOCKS4A 7.18.0 CURLPROXY_SOCKS5 7.10 diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c index 6b8696216..19efbf583 100644 
--- a/lib/curl_sasl.c +++ b/lib/curl_sasl.c @@ -262,6 +262,9 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn, size_t len = 0; saslstate state1 = SASL_STOP; saslstate state2 = SASL_FINAL; + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; #if defined(USE_KERBEROS5) const char* service = data->set.str[STRING_SERVICE_NAME] ? data->set.str[STRING_SERVICE_NAME] : @@ -341,8 +344,8 @@ CURLcode Curl_sasl_start(struct SASL *sasl, struct connectdata *conn, if(force_ir || data->set.sasl_ir) result = Curl_auth_create_oauth_bearer_message(data, conn->user, - conn->host.name, - conn->port, + hostname, + port, conn->oauth_bearer, &resp, &len); } @@ -408,6 +411,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn, struct Curl_easy *data = conn->data; saslstate newstate = SASL_FINAL; char *resp = NULL; + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; #if !defined(CURL_DISABLE_CRYPTO_AUTH) char *serverdata; char *chlg = NULL; @@ -542,8 +548,8 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct connectdata *conn, /* Create the authorisation message */ if(sasl->authused == SASL_MECH_OAUTHBEARER) { result = Curl_auth_create_oauth_bearer_message(data, conn->user, - conn->host.name, - conn->port, + hostname, + port, conn->oauth_bearer, &resp, &len); diff --git a/lib/http_proxy.c b/lib/http_proxy.c index cd4cac06d..bbe2e8eb1 100644 --- a/lib/http_proxy.c +++ b/lib/http_proxy.c @@ -63,6 +63,8 @@ static CURLcode https_proxy_connect(struct connectdata *conn, int sockindex) } return result; #else + (void) conn; + (void) sockindex; return CURLE_NOT_BUILT_IN; #endif } diff --git a/lib/multi.c b/lib/multi.c index 07a903da5..950b600cb 100644 --- a/lib/multi.c +++ b/lib/multi.c 
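Review bot: The `hostname`/`port` pair added at the top of Curl_sasl_start feeds Curl_auth_create_oauth_bearer_message, whose host and port fields name the server the client is authenticating to, so picking `conn->http_proxy.host.name` when `SSL_IS_PROXY()` holds would bind the bearer token to the proxy's identity rather than the origin's; as far as I can see SASL is only ever spoken to the origin server, so the proxy branch is at best dead code and at worst sends a token to the wrong audience. The non-proxy branch also quietly changes the port from `conn->port` (what both removed lines passed) to `conn->remote_port`, which affects every existing OAUTHBEARER user and is not mentioned in the commit message. If `remote_port` is the intended correction, use it unconditionally and say so: `const char * const hostname = conn->host.name;` / `const long int port = conn->remote_port;`. The same two declarations are repeated in the `@@ -408,6` hunk of Curl_sasl_continue and should change together; both function bodies extend outside the hunks.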
@@ -813,8 +813,10 @@ static int waitconnect_getsock(struct connectdata *conn, if(!numsocks) return GETSOCK_BLANK; +#ifdef USE_SSL if(CONNECT_FIRSTSOCKET_PROXY_SSL()) return Curl_ssl_getsock(conn, sock, numsocks); +#endif for(i=0; i<2; i++) { if(conn->tempsock[i] != CURL_SOCKET_BAD) { diff --git a/lib/url.c b/lib/url.c index 15ba92cae..ad5921353 100644 --- a/lib/url.c +++ b/lib/url.c @@ -3786,10 +3786,6 @@ ConnectionExists(struct Curl_easy *data, CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex) { CURLcode result = CURLE_OK; - /* if(!conn->bits.proxy || sockindex) */ - /* this magic only works for the primary socket as the secondary is used - for FTP only and it has FTP specific magic in ftp.c */ - /* return CURLE_OK; */ if(conn->bits.socksproxy) { #ifndef CURL_DISABLE_PROXY @@ -3823,6 +3819,8 @@ CURLcode Curl_connected_proxy(struct connectdata *conn, int sockindex) result = CURLE_COULDNT_CONNECT; } /* switch proxytype */ conn->bits.socksproxy_connecting = FALSE; +#else + (void)sockindex; #endif /* CURL_DISABLE_PROXY */ } diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c index e4b4a6b48..705bff912 100644 --- a/lib/vtls/darwinssl.c +++ b/lib/vtls/darwinssl.c @@ -1038,6 +1038,12 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, struct Curl_easy *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + char * const ssl_cert = SSL_SET_OPTION(cert); + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; #ifdef ENABLE_IPV6 struct in6_addr addr; #else 
@@ -1233,34 +1239,33 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } #endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */ - if(data->set.str[STRING_KEY_ORIG]) { + if(SSL_SET_OPTION(key)) { infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure " "Transport. The private key must be in the Keychain.\n"); } - if(data->set.str[STRING_CERT_ORIG]) { + if(ssl_cert) { SecIdentityRef cert_and_key = NULL; - bool is_cert_file = is_file(data->set.str[STRING_CERT_ORIG]); + bool is_cert_file = is_file(ssl_cert); /* User wants to authenticate with a client cert. Look for it: If we detect that this is a file on disk, then let's load it. Otherwise, assume that the user wants to use an identity loaded from the Keychain. */ if(is_cert_file) { - if(!data->set.ssl.cert_type) + if(!SSL_SET_OPTION(cert_type)) infof(data, "WARNING: SSL: Certificate type not set, assuming " - "PKCS#12 format.\n"); - else if(strncmp(data->set.ssl.cert_type, "P12", - strlen(data->set.ssl.cert_type))) + "PKCS#12 format.\n"); + else if(strncmp(SSL_SET_OPTION(cert_type), "P12", + strlen(SSL_SET_OPTION(cert_type))) != 0) infof(data, "WARNING: SSL: The Security framework only supports " - "loading identities that are in PKCS#12 format.\n"); - err = CopyIdentityFromPKCS12File(data->set.str[STRING_CERT_ORIG], - data->set.ssl.key_passwd, - &cert_and_key); + "loading identities that are in PKCS#12 format.\n"); + + err = CopyIdentityFromPKCS12File(ssl_cert, + SSL_SET_OPTION(key_passwd), &cert_and_key); } else - err = CopyIdentityWithLabel(data->set.str[STRING_CERT_ORIG], - &cert_and_key); + err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); if(err == noErr) { SecCertificateRef cert = NULL; 
@@ -1301,24 +1306,24 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, switch(err) { case errSecAuthFailed: case -25264: /* errSecPkcs12VerifyFailure */ failf(data, "SSL: Incorrect password for the certificate \"%s\" " - "and its private key.", data->set.str[STRING_CERT_ORIG]); + "and its private key.", ssl_cert); break; case -26275: /* errSecDecode */ case -25257: /* errSecUnknownFormat */ failf(data, "SSL: Couldn't make sense of the data in the " - "certificate \"%s\" and its private key.", - data->set.str[STRING_CERT_ORIG]); + "certificate \"%s\" and its private key.", + ssl_cert); break; case -25260: /* errSecPassphraseRequired */ failf(data, "SSL The certificate \"%s\" requires a password.", - data->set.str[STRING_CERT_ORIG]); + ssl_cert); break; case errSecItemNotFound: failf(data, "SSL: Can't find the certificate \"%s\" and its private " - "key in the Keychain.", data->set.str[STRING_CERT_ORIG]); + "key in the Keychain.", ssl_cert); break; default: failf(data, "SSL: Can't load the certificate \"%s\" and its private " - "key: OSStatus %d", data->set.str[STRING_CERT_ORIG], err); + "key: OSStatus %d", ssl_cert, err); break; } return CURLE_SSL_CERTPROBLEM; @@ -1350,8 +1355,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, #else if(SSLSetSessionOption != NULL) { #endif /* CURL_BUILD_MAC */ - bool break_on_auth = !conn->ssl_config.verifypeer || - data->set.str[STRING_SSL_CAFILE_ORIG]; + bool break_on_auth = !conn->ssl_config.verifypeer || ssl_cafile; err = SSLSetSessionOption(connssl->ssl_ctx, kSSLSessionOptionBreakOnServerAuth, break_on_auth); 
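Review bot: `bool break_on_auth = !conn->ssl_config.verifypeer || ssl_cafile;` in the `@@ -1350,8` hunk mixes the origin connection's verifypeer flag with the proxy-aware `ssl_cafile`, even though this function already has the matching local `verifypeer` (`SSL_CONN_CONFIG(verifypeer)`) from the `@@ -1038,6` hunk; on the proxy leg the origin's CURLOPT_SSL_VERIFYPEER would decide whether the handshake breaks for CA-file verification while CURLOPT_PROXY_SSL_VERIFYPEER is ignored here. Use `bool break_on_auth = !verifypeer || ssl_cafile;`. The `@@ -1398,17` hunk on the next line has the same mix: `if(conn->ssl_config.verifyhost)` guards SSLSetPeerDomainName() with the proxy-aware `hostname`, so it should read `if(SSL_CONN_CONFIG(verifyhost))` so that CURLOPT_PROXY_SSL_VERIFYHOST governs peer-name checking and SNI on the proxy connection. Both points assume `SSL_CONN_CONFIG()` resolves to the proxy config when `SSL_IS_PROXY()` is true, as its use for `CAfile` and `verifypeer` elsewhere in this commit implies; darwinssl_connect_step1 starts and ends outside these hunks.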
@@ -1379,15 +1383,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */ - if(data->set.str[STRING_SSL_CAFILE_ORIG]) { - bool is_cert_file = is_file(data->set.str[STRING_SSL_CAFILE_ORIG]); + if(ssl_cafile) { + bool is_cert_file = is_file(ssl_cafile); if(!is_cert_file) { - failf(data, "SSL: can't load CA certificate file %s", - data->set.str[STRING_SSL_CAFILE_ORIG]); + failf(data, "SSL: can't load CA certificate file %s", ssl_cafile); return CURLE_SSL_CACERT_BADFILE; } - if(!data->set.ssl.primary.verifypeer) { + if(!verifypeer) { failf(data, "SSL: CA certificate set, but certificate verification " "is disabled"); return CURLE_SSL_CONNECT_ERROR; @@ -1398,17 +1401,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, * Both hostname check and SNI require SSLSetPeerDomainName(). * Also: the verifyhost setting influences SNI usage */ if(conn->ssl_config.verifyhost) { - err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name, - strlen(conn->host.name)); + err = SSLSetPeerDomainName(connssl->ssl_ctx, hostname, + strlen(hostname)); if(err != noErr) { infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n", err); } - if((Curl_inet_pton(AF_INET, conn->host.name, &addr)) + if((Curl_inet_pton(AF_INET, hostname, &addr)) #ifdef ENABLE_IPV6 - || (Curl_inet_pton(AF_INET6, conn->host.name, &addr)) + || (Curl_inet_pton(AF_INET6, hostname, &addr)) #endif ) { infof(data, "WARNING: using IP address, SNI is being disabled by " 
@@ -1558,10 +1561,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, else { CURLcode result; ssl_sessionid = - aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE_ORIG], - data->set.ssl.primary.verifypeer, - data->set.ssl.primary.verifyhost, - conn->host.name, conn->remote_port); + aprintf("%s:%d:%d:%s:%hu", ssl_cafile, + verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port); ssl_sessionid_len = strlen(ssl_sessionid); err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len); @@ -1898,6 +1899,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) OSStatus err; SSLCipherSuite cipher; SSLProtocol protocol = 0; + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; DEBUGASSERT(ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state @@ -1916,8 +1919,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) /* The below is errSSLServerAuthCompleted; it's not defined in Leopard's headers */ case -9841: - if(data->set.str[STRING_SSL_CAFILE_ORIG]) { - int res = verify_cert(data->set.str[STRING_SSL_CAFILE_ORIG], data, + if(SSL_CONN_CONFIG(CAfile)) { + int res = verify_cert(SSL_CONN_CONFIG(CAfile), data, connssl->ssl_ctx); if(res != CURLE_OK) return res; @@ -1986,7 +1989,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) return CURLE_SSL_CONNECT_ERROR; default: failf(data, "Unknown SSL protocol error in connection to %s:%d", - conn->host.name, err); + hostname, err); return CURLE_SSL_CONNECT_ERROR; } } diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index a91d09cb7..6cac9573c 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c 
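Review bot: The rebuilt `aprintf("%s:%d:%d:%s:%hu", ssl_cafile, verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port)` passes `port`, declared `const long int` in the `@@ -1038,6` hunk, to a `%hu` conversion; the removed lines already paired `conn->remote_port` with `%hu`, and the new type widens the mismatch rather than fixing it. Use a specifier that matches the declaration, `"%s:%d:%d:%s:%ld"`, or declare the port local as the type the format expects. The same long-vs-`%d` mismatch is introduced in lib/vtls/mbedtls.c's `@@ -279,23` hunk, `infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port);`, where `port` is declared `const long int` in that file's `@@ -163,13` hunk.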
@@ -833,7 +833,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) } /* Determine which SSL/TLS version should be enabled. */ - sni = conn->host.name; + sni = hostname; switch (ssl_version) { case CURL_SSLVERSION_SSLv2: protoflags = CURL_GSKPROTO_SSLV2_MASK; diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 4ef06ee5d..4c9d9fada 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -502,8 +502,8 @@ gtls_connect_step1(struct connectdata *conn, #ifdef CURL_CA_FALLBACK /* use system ca certificate store as fallback */ - if(data->set.ssl.verifypeer && - !(data->set.ssl.CAfile || data->set.ssl.CApath)) { + if(SSL_CONN_CONFIG(verifypeer) && + !(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath))) { gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred); } #endif diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 8fa126a75..c84e597a3 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -163,13 +163,21 @@ mbed_connect_step1(struct connectdata *conn, { struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(cert); + const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; int ret = -1; char errorbuf[128]; errorbuf[0]=0; /* mbedTLS only supports SSLv3 and TLSv1 */ - if(data->set.ssl.primary.version == CURL_SSLVERSION_SSLv2) { + if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) { failf(data, "mbedTLS does not support SSLv2"); return CURLE_SSL_CONNECT_ERROR; } 
@@ -205,34 +213,32 @@ mbed_connect_step1(struct connectdata *conn, /* Load the trusted CA */ mbedtls_x509_crt_init(&connssl->cacert); - if(data->set.str[STRING_SSL_CAFILE_ORIG]) { - ret = mbedtls_x509_crt_parse_file(&connssl->cacert, - data->set.str[STRING_SSL_CAFILE_ORIG]); + if(ssl_cafile) { + ret = mbedtls_x509_crt_parse_file(&connssl->cacert, ssl_cafile); if(ret<0) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_SSL_CAFILE_ORIG], -ret, errorbuf); + ssl_cafile, -ret, errorbuf); - if(data->set.ssl.primary.verifypeer) + if(verifypeer) return CURLE_SSL_CACERT_BADFILE; } } - if(data->set.str[STRING_SSL_CAPATH_ORIG]) { - ret = mbedtls_x509_crt_parse_path(&connssl->cacert, - data->set.str[STRING_SSL_CAPATH_ORIG]); + if(ssl_capath) { + ret = mbedtls_x509_crt_parse_path(&connssl->cacert, ssl_capath); if(ret<0) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_SSL_CAPATH_ORIG], -ret, errorbuf); + ssl_capath, -ret, errorbuf); - if(data->set.ssl.primary.verifypeer) + if(verifypeer) return CURLE_SSL_CACERT_BADFILE; } } @@ -240,16 +246,15 @@ mbed_connect_step1(struct connectdata *conn, /* Load the client certificate */ mbedtls_x509_crt_init(&connssl->clicert); - if(data->set.str[STRING_CERT_ORIG]) { - ret = mbedtls_x509_crt_parse_file(&connssl->clicert, - data->set.str[STRING_CERT_ORIG]); + if(ssl_cert) { + ret = mbedtls_x509_crt_parse_file(&connssl->clicert, ssl_cert); if(ret) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_CERT_ORIG], -ret, errorbuf); + ssl_cert, -ret, errorbuf); return CURLE_SSL_CERTPROBLEM; } 
@@ -258,10 +263,9 @@ mbed_connect_step1(struct connectdata *conn, /* Load the client private key */ mbedtls_pk_init(&connssl->pk); - if(data->set.str[STRING_KEY_ORIG]) { - ret = mbedtls_pk_parse_keyfile(&connssl->pk, - data->set.str[STRING_KEY_ORIG], - data->set.str[STRING_KEY_ORIG]); + if(SSL_SET_OPTION(key)) { + ret = mbedtls_pk_parse_keyfile(&connssl->pk, SSL_SET_OPTION(key), + SSL_SET_OPTION(key_passwd)); if(ret == 0 && !mbedtls_pk_can_do(&connssl->pk, MBEDTLS_PK_RSA)) ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; @@ -270,7 +274,7 @@ mbed_connect_step1(struct connectdata *conn, mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_KEY_ORIG], -ret, errorbuf); + SSL_SET_OPTION(key), -ret, errorbuf); return CURLE_SSL_CERTPROBLEM; } @@ -279,23 +283,21 @@ mbed_connect_step1(struct connectdata *conn, /* Load the CRL */ mbedtls_x509_crl_init(&connssl->crl); - if(data->set.str[STRING_SSL_CRLFILE_ORIG]) { - ret = mbedtls_x509_crl_parse_file(&connssl->crl, - data->set.str[STRING_SSL_CRLFILE_ORIG]); + if(ssl_crlfile) { + ret = mbedtls_x509_crl_parse_file(&connssl->crl, ssl_crlfile); if(ret) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_SSL_CRLFILE_ORIG], -ret, errorbuf); + ssl_crlfile, -ret, errorbuf); return CURLE_SSL_CRL_BADFILE; } } - infof(data, "mbedTLS: Connecting to %s:%d\n", - conn->host.name, conn->remote_port); + infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port); mbedtls_ssl_config_init(&connssl->config); 
@@ -317,7 +319,7 @@ mbed_connect_step1(struct connectdata *conn,
mbedtls_ssl_conf_cert_profile(&connssl->config, &mbedtls_x509_crt_profile_fr);
- switch(data->set.ssl.primary.version) {
+ switch(SSL_CONN_CONFIG(version)) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
@@ -393,11 +395,11 @@ mbed_connect_step1(struct connectdata *conn,
&connssl->cacert, &connssl->crl);
- if(data->set.str[STRING_KEY_ORIG]) {
+ if(SSL_SET_OPTION(key)) {
mbedtls_ssl_conf_own_cert(&connssl->config, &connssl->clicert, &connssl->pk);
}
- if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
+ if(mbedtls_ssl_set_hostname(&connssl->ssl, hostname)) {
/* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name to set in the SNI extension. So even if curl connects to a host specified as an IP address, this function must be used. */
@@ -487,7 +489,7 @@ mbed_connect_step2(struct connectdata *conn,
ret = mbedtls_ssl_get_verify_result(&conn->ssl[sockindex].ssl);
- if(ret && data->set.ssl.primary.verifypeer) {
+ if(ret && SSL_CONN_CONFIG(verifypeer)) {
if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
failf(data, "Cert verify failed: BADCERT_EXPIRED");
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index b8bc6c117..465d1bef6 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2074,7 +2074,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
ssl_capath ? ssl_capath : "none");
}
#ifdef CURL_CA_FALLBACK
- else if(data->set.ssl.verifypeer) {
+ else if(verifypeer) {
/* verfying the peer without any CA certificates won't work so use openssl's built in default as fallback */
SSL_CTX_set_default_verify_paths(connssl->ctx);
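Review bot: The failure branch opened by the new `if(ret && SSL_CONN_CONFIG(verifypeer)) {` in mbed_connect_step2 reports the mbedTLS verify flags only through `failf()`; unlike the OpenSSL hunk in this same commit, nothing here stores them into `data->set.proxy_ssl.certverifyresult` or `data->set.ssl.certverifyresult`, so unless that happens elsewhere in this backend, CURLINFO_PROXY_SSL_VERIFYRESULT (which this commit documents) and CURLINFO_SSL_VERIFYRESULT stay at their default for mbedTLS. Assigning `ret` to the proxy-aware slot right after the `mbedtls_ssl_get_verify_result()` call, before the per-flag checks, would close that gap. mbed_connect_step2 begins and ends outside the hunk.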
@@ -2108,7 +2108,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest */
#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
- if(data->set.ssl.verifypeer) {
+ if(verifypeer) {
X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx), X509_V_FLAG_TRUSTED_FIRST);
}
@@ -2204,6 +2204,8 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
struct Curl_easy *data = conn->data;
int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ long * const certverifyresult = SSL_IS_PROXY() ?
+ &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || ssl_connect_2_writing == connssl->connecting_state);
@@ -2253,7 +2255,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
lerr = SSL_get_verify_result(connssl->handle);
if(lerr != X509_V_OK) {
- data->set.ssl.certverifyresult = lerr;
+ *certverifyresult = lerr;
snprintf(error_buffer, sizeof(error_buffer), "SSL certificate problem: %s", X509_verify_cert_error_string(lerr));
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 7b20c2656..25d44382c 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -123,9 +123,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
#endif
TCHAR *host_name;
CURLcode result;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n",
- conn->host.name, conn->remote_port);
+ hostname, conn->remote_port);
#ifdef HAS_ALPN
/* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above.
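Review bot: `*certverifyresult = lerr;` in the ossl_connect_step2 hunk is written only on the failure path, so with two slots now in play a successful proxy handshake leaves `data->set.proxy_ssl.certverifyresult` holding whatever it held before, and any other writer of `data->set.ssl.certverifyresult` in this file (the step-3 server certificate check, which I cannot see here) needs the same `SSL_IS_PROXY()` selection or a proxy verification outcome is reported under the server's CURLINFO_SSL_VERIFYRESULT. A comment on the new declaration, `/* verify-result slot for the connection being set up: proxy or origin server */`, would make the intent explicit. ossl_connect_step2 begins and ends outside these hunks.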
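Review bot: The new `hostname` local in schannel_connect_step1 is paired with `conn->remote_port` in the `infof()` two lines below it, so for a proxy TLS connection the message names the proxy host but the origin server's port; the mbedTLS hunk in this same commit logs `hostname, port` instead, and the proxy's port (presumably `conn->http_proxy.port`, not visible in this hunk) should be selected the same way the hostname is. The identical pairing recurs in the step-2, step-3 and Curl_schannel_shutdown hunks that follow, so one proxy-aware `port` local per function would fix all four. schannel_connect_step1 continues past the hunk.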
@@ -259,9 +261,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
/* Warn if SNI is disabled due to use of an IP address */
- if(Curl_inet_pton(AF_INET, conn->host.name, &addr)
+ if(Curl_inet_pton(AF_INET, hostname, &addr)
#ifdef ENABLE_IPV6
- || Curl_inet_pton(AF_INET6, conn->host.name, &addr6)
+ || Curl_inet_pton(AF_INET6, hostname, &addr6)
#endif
) {
infof(data, "schannel: using IP address, SNI is not supported by OS.\n");
@@ -339,7 +341,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
memset(connssl->ctxt, 0, sizeof(struct curl_schannel_ctxt));
- host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+ host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@@ -412,11 +414,13 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
TCHAR *host_name;
CURLcode result;
bool doread;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE;
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 2/3)\n",
- conn->host.name, conn->remote_port);
+ hostname, conn->remote_port);
if(!connssl->cred || !connssl->ctxt)
return CURLE_SSL_CONNECT_ERROR;
@@ -512,7 +516,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
memcpy(inbuf[0].pvBuffer, connssl->encdata_buffer, connssl->encdata_offset);
- host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+ host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@@ -644,6 +648,8 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SECURITY_STATUS sspi_status = SEC_E_OK;
CERT_CONTEXT *ccert_context = NULL;
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
#ifdef HAS_ALPN
SecPkgContext_ApplicationProtocol alpn_result;
#endif
@@ -651,7 +657,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
infof(data, "schannel: SSL/TLS connection with %s port %hu (step 3/3)\n",
- conn->host.name, conn->remote_port);
+ hostname, conn->remote_port);
if(!connssl->cred)
return CURLE_SSL_CONNECT_ERROR;
@@ -1384,9 +1390,11 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
*/
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
infof(data, "schannel: shutting down SSL/TLS connection with %s port %hu\n",
- conn->host.name, conn->remote_port);
+ hostname, conn->remote_port);
if(connssl->cred && connssl->ctxt) {
SecBufferDesc BuffDesc;
@@ -1408,7 +1416,7 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
failf(data, "schannel: ApplyControlToken failure: %s", Curl_sspi_strerror(conn, sspi_status));
- host_name = Curl_convert_UTF8_to_tchar(conn->host.name);
+ host_name = Curl_convert_UTF8_to_tchar(hostname);
if(!host_name)
return CURLE_OUT_OF_MEMORY;
@@ -1533,6 +1541,9 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
CURLcode result = CURLE_OK;
CERT_CONTEXT *pCertContextServer = NULL;
const CERT_CHAIN_CONTEXT *pChainContext = NULL;
+ const char * const conn_hostname = SSL_IS_PROXY() ?
+ conn->http_proxy.host.name :
+ conn->host.name;
status = s_pSecFn->QueryContextAttributes(&connssl->ctxt->ctxt_handle, SECPKG_ATTR_REMOTE_CERT_CONTEXT,
@@ -1597,7 +1608,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
DWORD len;
cert_hostname.const_tchar_ptr = cert_hostname_buff;
- hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn->host.name);
+ hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn_hostname);
/* TODO: Fix this for certificates with multiple alternative names. Right now we're only asking for the first preferred alternative name.
@@ -1615,7 +1626,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
128);
if(len > 0 && *cert_hostname.tchar_ptr == '*') {
/* this is a wildcard cert. try matching the last len - 1 chars */
- int hostname_len = strlen(conn->host.name);
+ int hostname_len = strlen(conn_hostname);
cert_hostname.tchar_ptr++;
if(_tcsicmp(cert_hostname.const_tchar_ptr, hostname.const_tchar_ptr + hostname_len - len + 2) != 0)
@@ -1630,7 +1641,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
_cert_hostname = Curl_convert_tchar_to_UTF8(cert_hostname.tchar_ptr);
failf(data, "schannel: CertGetNameString() certificate hostname "
"(%s) did not match connection (%s)",
- _cert_hostname, conn->host.name);
+ _cert_hostname, conn_hostname);
Curl_unicodefree(_cert_hostname);
}
Curl_unicodefree(hostname.tchar_ptr);
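Review bot: The offset `hostname.const_tchar_ptr + hostname_len - len + 2` on the line after the new `int hostname_len = strlen(conn_hostname);` is computed without checking that the connection hostname is at least as long as the wildcard suffix; when it is shorter the pointer lands before the start of the converted hostname and `_tcsicmp()` reads out of bounds, and this now applies to the proxy hostname as well. Guard it before the compare, e.g. `if(hostname_len + 2 < (int)len) { /* too short to match the wildcard suffix */ result = CURLE_PEER_FAILED_VERIFICATION; }`, or better route the comparison through Curl_cert_hostcheck() so wildcard scope rules are applied consistently across backends. Separately, `hostname_len` counts bytes of the UTF-8 `conn_hostname` while the arithmetic indexes TCHAR units of the converted string, which diverge for non-ASCII names on Unicode builds, and `strlen()` returns `size_t` but is narrowed to `int` here. verify_certificate begins and ends outside these hunks.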