[gnurl] 47/411: TLS: fix SRP detection by using the proper #ifdefs
From: |
gnunet |
Subject: |
[gnurl] 47/411: TLS: fix SRP detection by using the proper #ifdefs |
Date: |
Wed, 13 Jan 2021 01:17:42 +0100 |
This is an automated email from the git hooks/post-receive script.
nikita pushed a commit to branch master
in repository gnurl.
commit 68a51324740945f1da9758bc1d26bbe4835bd847
Author: Daniel Stenberg <daniel@haxx.se>
AuthorDate: Thu Aug 27 12:46:43 2020 +0200
TLS: fix SRP detection by using the proper #ifdefs
USE_TLS_SRP will be true if *any* selected TLS backend can use SRP
HAVE_OPENSSL_SRP is defined when OpenSSL can use it
HAVE_GNUTLS_SRP is defined when GnuTLS can use it
Clarify in the curl_version_info docs that CURL_VERSION_TLSAUTH_SRP is
set if at least one of the supported backends offers SRP.
Reported-by: Stefan Strogin
Fixes #5865
Closes #5870
---
docs/libcurl/curl_version_info.3 | 3 ++-
lib/vtls/gtls.c | 18 +++++++++---------
lib/vtls/openssl.c | 8 ++++----
3 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3
index 9be46f7bd..5c5f16a3d 100644
--- a/docs/libcurl/curl_version_info.3
+++ b/docs/libcurl/curl_version_info.3
@@ -192,7 +192,8 @@ makes libcurl use Windows-provided functions for Kerberos,
NTLM, SPNEGO and
Digest authentication. It also allows libcurl to use the current user
credentials without the app having to pass them on. (Added in 7.13.2)
.IP CURL_VERSION_TLSAUTH_SRP
-libcurl was built with support for TLS-SRP. (Added in 7.21.4)
+libcurl was built with support for TLS-SRP (in one or more of the built-in TLS
+backends). (Added in 7.21.4)
.IP CURL_VERSION_UNIX_SOCKETS
libcurl was built with support for Unix domain sockets.
(Added in 7.40.0)
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 16b0bd6cb..9f280447c 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -81,7 +81,7 @@ static bool gtls_inited = FALSE;
struct ssl_backend_data {
gnutls_session_t session;
gnutls_certificate_credentials_t cred;
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
gnutls_srp_client_credentials_t srp_client_cred;
#endif
};
@@ -434,7 +434,7 @@ gtls_connect_step1(struct connectdata *conn,
return CURLE_SSL_CONNECT_ERROR;
}
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
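Review bot: After this rename, a GnuTLS build that has USE_TLS_SRP defined (per the commit message, set when any backend supports SRP) but not HAVE_GNUTLS_SRP compiles this whole block out, so a transfer that asked for CURL_TLSAUTH_SRP would proceed as an ordinary certificate-authenticated handshake with no error, unless something outside this diff rejects the request earlier. An explicit `#else` arm here, e.g. `if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) { failf(data, "TLS-SRP not supported by this GnuTLS build"); return CURLE_NOT_BUILT_IN; }`, would turn that silent fallback into a reported failure. The same consideration applies to the ossl_connect_step1 hunk in lib/vtls/openssl.c below, where the SRP block is now guarded by HAVE_OPENSSL_SRP. The diffstat lists no configure or CMake change, so whether HAVE_GNUTLS_SRP is actually defined by the build cannot be verified from this diff; gtls_connect_step1 starts and ends outside this hunk.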
@@ -588,7 +588,7 @@ gtls_connect_step1(struct connectdata *conn,
return CURLE_SSL_CONNECT_ERROR;
}
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
@@ -610,7 +610,7 @@ gtls_connect_step1(struct connectdata *conn,
else {
#endif
rc = gnutls_priority_set_direct(session, prioritylist, &err);
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
}
#endif
@@ -681,7 +681,7 @@ gtls_connect_step1(struct connectdata *conn,
}
}
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
/* put the credentials to the current session */
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
@@ -868,7 +868,7 @@ gtls_connect_step3(struct connectdata *conn,
if(SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost) ||
SSL_SET_OPTION(issuercert)) {
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL
&& !SSL_CONN_CONFIG(verifypeer)
@@ -881,7 +881,7 @@ gtls_connect_step3(struct connectdata *conn,
failf(data, "failed to get server cert");
*certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
return CURLE_PEER_FAILED_VERIFICATION;
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
}
#endif
}
@@ -1448,7 +1448,7 @@ static void close_one(struct ssl_connect_data *connssl)
gnutls_certificate_free_credentials(backend->cred);
backend->cred = NULL;
}
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
if(backend->srp_client_cred) {
gnutls_srp_free_client_credentials(backend->srp_client_cred);
backend->srp_client_cred = NULL;
@@ -1530,7 +1530,7 @@ static int Curl_gtls_shutdown(struct connectdata *conn,
int sockindex)
}
gnutls_certificate_free_credentials(backend->cred);
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL)
gnutls_srp_free_client_credentials(backend->srp_client_cred);
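Review bot: The free of backend->srp_client_cred in Curl_gtls_shutdown is keyed on the option values rather than on the pointer and leaves the pointer set, whereas close_one in the hunk above guards with `if(backend->srp_client_cred)` and resets it to NULL after freeing. If both paths can run for the same connection, or SRP was requested but the credential was never allocated, this is a double free or a free of a never-set pointer; the call order cannot be confirmed from this diff. Mirroring close_one here, i.e. guarding on the pointer and adding `backend->srp_client_cred = NULL;` after the free, removes the dependence on that ordering. Curl_gtls_shutdown continues outside the hunk.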
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 25b7dfab8..09f331418 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2486,7 +2486,7 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
const long int ssl_version = SSL_CONN_CONFIG(version);
-#ifdef USE_TLS_SRP
+#ifdef HAVE_OPENSSL_SRP
const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
#endif
char * const ssl_cert = SSL_SET_OPTION(cert);
@@ -2531,7 +2531,7 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
failf(data, OSSL_PACKAGE " was built without SSLv2 support");
return CURLE_NOT_BUILT_IN;
#else
-#ifdef USE_TLS_SRP
+#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP)
return CURLE_SSL_CONNECT_ERROR;
#endif
@@ -2544,7 +2544,7 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
failf(data, OSSL_PACKAGE " was built without SSLv3 support");
return CURLE_NOT_BUILT_IN;
#else
-#ifdef USE_TLS_SRP
+#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP)
return CURLE_SSL_CONNECT_ERROR;
#endif
@@ -2800,7 +2800,7 @@ static CURLcode ossl_connect_step1(struct connectdata
*conn, int sockindex)
SSL_CTX_set_post_handshake_auth(backend->ctx, 1);
#endif
-#ifdef USE_TLS_SRP
+#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_SET_OPTION(username);
--