[gnurl] 210/411: vtls: deduplicate some DISABLE_PROXY ifdefs


From: gnunet
Subject: [gnurl] 210/411: vtls: deduplicate some DISABLE_PROXY ifdefs
Date: Wed, 13 Jan 2021 01:20:25 +0100

This is an automated email from the git hooks/post-receive script.

nikita pushed a commit to branch master
in repository gnurl.

commit 7920be94738e0d84f7aa30c3605d29ec4274c714
Author: Kamil Dudka <kdudka@redhat.com>
AuthorDate: Mon Jul 27 15:44:01 2020 +0200

    vtls: deduplicate some DISABLE_PROXY ifdefs
    
    ... in the code of gtls, nss, and openssl
    
    Closes #5735
---
 lib/vtls/gtls.c    | 33 ++++++---------------------------
 lib/vtls/nss.c     | 42 +++++++-----------------------------------
 lib/vtls/openssl.c | 51 +++++++++------------------------------------------
 lib/vtls/vtls.h    | 14 ++++++++++++++
 4 files changed, 36 insertions(+), 104 deletions(-)

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index b09003303..ec3f8599b 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -399,15 +399,8 @@ gtls_connect_step1(struct connectdata *conn,
 #endif
   const char *prioritylist;
   const char *err = NULL;
-#ifndef CURL_DISABLE_PROXY
-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
-    conn->host.name;
-  long * const certverifyresult = SSL_IS_PROXY() ?
-    &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
-#else
-  const char * const hostname = conn->host.name;
-  long * const certverifyresult = &data->set.ssl.certverifyresult;
-#endif
+  const char * const hostname = SSL_HOST_NAME();
+  long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
 
   if(connssl->state == ssl_connection_complete)
     /* to make us tolerant against being called more than once for the
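Review bot: `long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);` keeps a pointer captured at function entry, whereas the nss.c and openssl.c hunks of this same commit drop that local and assign through `SSL_SET_OPTION_LVALUE(certverifyresult)` at each write; gtls_connect_step3 in the next hunk does the same as here. Taking the address of the macro's `*(cond ? &a : &b)` expansion is valid C, but writing `SSL_SET_OPTION_LVALUE(certverifyresult) = ...;` at the use sites would match the other backends and would stop pinning the proxy/origin choice at entry, a choice that SSL_IS_PROXY() appears to take from a connection `.state` field per the vtls.h hunk. If that state cannot change while a gtls step function runs, the two forms are equivalent, so this is a consistency point rather than a correctness one. gtls_connect_step1 begins before this hunk.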
@@ -839,15 +832,8 @@ gtls_connect_step3(struct connectdata *conn,
   unsigned int bits;
   gnutls_protocol_t version = gnutls_protocol_get_version(session);
 #endif
-#ifndef CURL_DISABLE_PROXY
-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
-    conn->host.name;
-  long * const certverifyresult = SSL_IS_PROXY() ?
-    &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
-#else
-  const char * const hostname = conn->host.name;
-  long * const certverifyresult = &data->set.ssl.certverifyresult;
-#endif
+  const char * const hostname = SSL_HOST_NAME();
+  long * const certverifyresult = &SSL_SET_OPTION_LVALUE(certverifyresult);
 
   /* the name of the cipher suite used, e.g. ECDHE_RSA_AES_256_GCM_SHA384. */
   ptr = gnutls_cipher_suite_get_name(gnutls_kx_get(session),
@@ -1128,22 +1114,15 @@ gtls_connect_step3(struct connectdata *conn,
   }
 #endif
   if(!rc) {
-#ifndef CURL_DISABLE_PROXY
-    const char * const dispname = SSL_IS_PROXY() ?
-      conn->http_proxy.host.dispname : conn->host.dispname;
-#else
-    const char * const dispname = conn->host.dispname;
-#endif
-
     if(SSL_CONN_CONFIG(verifyhost)) {
       failf(data, "SSL: certificate subject name (%s) does not match "
-            "target host name '%s'", certname, dispname);
+            "target host name '%s'", certname, SSL_HOST_DISPNAME());
       gnutls_x509_crt_deinit(x509_cert);
       return CURLE_PEER_FAILED_VERIFICATION;
     }
     else
       infof(data, "\t common name: %s (does not match '%s')\n",
-            certname, dispname);
+            certname, SSL_HOST_DISPNAME());
   }
   else
     infof(data, "\t common name: %s (matched)\n", certname);
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 2aed10d1b..d0988549d 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1027,12 +1027,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc 
*sock)
   CERTCertificate *cert;
 
   /* remember the cert verification result */
-#ifndef CURL_DISABLE_PROXY
-  if(SSL_IS_PROXY())
-    data->set.proxy_ssl.certverifyresult = err;
-  else
-#endif
-    data->set.ssl.certverifyresult = err;
+  SSL_SET_OPTION_LVALUE(certverifyresult) = err;
 
   if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
     /* we are asked not to verify the host name */
@@ -1838,12 +1833,6 @@ static CURLcode nss_setup_connect(struct connectdata 
*conn, int sockindex)
   CURLcode result;
   bool second_layer = FALSE;
   SSLVersionRange sslver_supported;
-#ifndef CURL_DISABLE_PROXY
-  const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
-    conn->host.name;
-#else
-  const char *hostname = conn->host.name;
-#endif
 
   SSLVersionRange sslver = {
     SSL_LIBRARY_VERSION_TLS_1_0,  /* min */
@@ -1948,12 +1937,7 @@ static CURLcode nss_setup_connect(struct connectdata 
*conn, int sockindex)
     goto error;
 
   /* not checked yet */
-#ifndef CURL_DISABLE_PROXY
-  if(SSL_IS_PROXY())
-    data->set.proxy_ssl.certverifyresult = 0;
-  else
-#endif
-    data->set.ssl.certverifyresult = 0;
+  SSL_SET_OPTION_LVALUE(certverifyresult) = 0;
 
   if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
     goto error;
@@ -2125,11 +2109,11 @@ static CURLcode nss_setup_connect(struct connectdata 
*conn, int sockindex)
     goto error;
 
   /* propagate hostname to the TLS layer */
-  if(SSL_SetURL(backend->handle, hostname) != SECSuccess)
+  if(SSL_SetURL(backend->handle, SSL_HOST_NAME()) != SECSuccess)
     goto error;
 
   /* prevent NSS from re-using the session for a different hostname */
-  if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess)
+  if(SSL_SetSockPeerID(backend->handle, SSL_HOST_NAME()) != SECSuccess)
     goto error;
 
   return CURLE_OK;
@@ -2148,18 +2132,6 @@ static CURLcode nss_do_connect(struct connectdata *conn, 
int sockindex)
   struct Curl_easy *data = conn->data;
   CURLcode result = CURLE_SSL_CONNECT_ERROR;
   PRUint32 timeout;
-#ifndef CURL_DISABLE_PROXY
-  long * const certverifyresult = SSL_IS_PROXY() ?
-    &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
-  const char * const pinnedpubkey = SSL_IS_PROXY() ?
-              data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-              data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-#else
-  long * const certverifyresult = &data->set.ssl.certverifyresult;
-  const char * const pinnedpubkey =
-              data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-#endif
-
 
   /* check timeout situation */
   const timediff_t time_left = Curl_timeleft(data, NULL, TRUE);
@@ -2175,9 +2147,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, 
int sockindex)
     if(PR_GetError() == PR_WOULD_BLOCK_ERROR)
       /* blocking direction is updated by nss_update_connecting_state() */
       return CURLE_AGAIN;
-    else if(*certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
+    else if(SSL_SET_OPTION(certverifyresult) == SSL_ERROR_BAD_CERT_DOMAIN)
       result = CURLE_PEER_FAILED_VERIFICATION;
-    else if(*certverifyresult != 0)
+    else if(SSL_SET_OPTION(certverifyresult) != 0)
       result = CURLE_PEER_FAILED_VERIFICATION;
     goto error;
   }
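Review bot: the two `SSL_SET_OPTION(certverifyresult)` reads now select the proxy or origin slot at the moment they run, after SSL_ForceHandshake() has returned, whereas the removed local pinned the slot at function entry. BadCertHandler (earlier hunk in this file) stores `err` through `SSL_SET_OPTION_LVALUE(certverifyresult)` during that same handshake, so the write and the read use the same selector and agree as long as SSL_IS_PROXY() does not change in between; a one-line comment making that assumption explicit, e.g. `/* read back the slot BadCertHandler stored into during SSL_ForceHandshake() */`, would help the next reader. nss_do_connect begins and ends outside this hunk.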
@@ -2205,7 +2177,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, 
int sockindex)
     }
   }
 
-  result = cmp_peer_pubkey(connssl, pinnedpubkey);
+  result = cmp_peer_pubkey(connssl, SSL_PINNED_PUB_KEY());
   if(result)
     /* status already printed */
     goto error;
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 1b3ed665d..ffc0d6666 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1582,16 +1582,8 @@ static CURLcode verifyhost(struct connectdata *conn, 
X509 *server_cert)
   CURLcode result = CURLE_OK;
   bool dNSName = FALSE; /* if a dNSName field exists in the cert */
   bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
-#ifndef CURL_DISABLE_PROXY
-  const char * const hostname = SSL_IS_PROXY() ?
-    conn->http_proxy.host.name : conn->host.name;
-  const char * const dispname = SSL_IS_PROXY() ?
-    conn->http_proxy.host.dispname : conn->host.dispname;
-#else
-  /* disabled proxy support */
-  const char * const hostname = conn->host.name;
-  const char * const dispname = conn->host.dispname;
-#endif
+  const char * const hostname = SSL_HOST_NAME();
+  const char * const dispname = SSL_HOST_DISPNAME();
 
 #ifdef ENABLE_IPV6
   if(conn->bits.ipv6_ip &&
@@ -2470,24 +2462,13 @@ static CURLcode ossl_connect_step1(struct connectdata 
*conn, int sockindex)
 
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
   bool sni;
-#ifndef CURL_DISABLE_PROXY
-  const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
-    conn->host.name;
-#else
-  const char * const hostname = conn->host.name;
-#endif
+  const char * const hostname = SSL_HOST_NAME();
 
 #ifdef ENABLE_IPV6
   struct in6_addr addr;
 #else
   struct in_addr addr;
 #endif
-#endif
-#ifndef CURL_DISABLE_PROXY
-  long * const certverifyresult = SSL_IS_PROXY() ?
-    &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
-#else
-  long * const certverifyresult = &data->set.ssl.certverifyresult;
 #endif
   const long int ssl_version = SSL_CONN_CONFIG(version);
 #ifdef HAVE_OPENSSL_SRP
@@ -2511,7 +2492,7 @@ static CURLcode ossl_connect_step1(struct connectdata 
*conn, int sockindex)
   if(result)
     return result;
 
-  *certverifyresult = !X509_V_OK;
+  SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK;
 
   /* check to see if we've been told to use an explicit SSL/TLS version */
 
@@ -3221,12 +3202,6 @@ static CURLcode ossl_connect_step2(struct connectdata 
*conn, int sockindex)
   struct Curl_easy *data = conn->data;
   int err;
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
-#ifndef CURL_DISABLE_PROXY
-  long * const certverifyresult = SSL_IS_PROXY() ?
-    &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
-#else
-  long * const certverifyresult = &data->set.ssl.certverifyresult;
-#endif
   struct ssl_backend_data *backend = connssl->backend;
   DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
               || ssl_connect_2_reading == connssl->connecting_state
@@ -3291,7 +3266,7 @@ static CURLcode ossl_connect_step2(struct connectdata 
*conn, int sockindex)
 
         lerr = SSL_get_verify_result(backend->handle);
         if(lerr != X509_V_OK) {
-          *certverifyresult = lerr;
+          SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
           msnprintf(error_buffer, sizeof(error_buffer),
                     "SSL certificate problem: %s",
                     X509_verify_cert_error_string(lerr));
@@ -3313,12 +3288,10 @@ static CURLcode ossl_connect_step2(struct connectdata 
*conn, int sockindex)
        * the SO_ERROR is also lost.
        */
       if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
+        const char * const hostname = SSL_HOST_NAME();
 #ifndef CURL_DISABLE_PROXY
-        const char * const hostname = SSL_IS_PROXY() ?
-          conn->http_proxy.host.name : conn->host.name;
         const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 #else
-        const char * const hostname = conn->host.name;
         const long int port = conn->remote_port;
 #endif
         char extramsg[80]="";
@@ -3773,12 +3746,6 @@ static CURLcode servercert(struct connectdata *conn,
   char error_buffer[256]="";
   char buffer[2048];
   const char *ptr;
-#ifndef CURL_DISABLE_PROXY
-  long * const certverifyresult = SSL_IS_PROXY() ?
-    &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
-#else
-  long * const certverifyresult = &data->set.ssl.certverifyresult;
-#endif
   BIO *mem = BIO_new(BIO_s_mem());
   struct ssl_backend_data *backend = connssl->backend;
 
@@ -3899,9 +3866,9 @@ static CURLcode servercert(struct connectdata *conn,
       X509_free(issuer);
     }
 
-    lerr = *certverifyresult = SSL_get_verify_result(backend->handle);
-
-    if(*certverifyresult != X509_V_OK) {
+    lerr = SSL_get_verify_result(backend->handle);
+    SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
+    if(lerr != X509_V_OK) {
       if(SSL_CONN_CONFIG(verifypeer)) {
         /* We probably never reach this, because SSL_connect() will fail
            and we return earlier if verifypeer is set? */
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index 1a0bb1865..b86bdbc1d 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -131,12 +131,26 @@ CURLcode Curl_none_md5sum(unsigned char *input, size_t 
inputlen,
                    CURL_SOCKET_BAD ? FIRSTSOCKET : SECONDARYSOCKET].state)
 #define SSL_SET_OPTION(var)                                             \
   (SSL_IS_PROXY() ? data->set.proxy_ssl.var : data->set.ssl.var)
+#define SSL_SET_OPTION_LVALUE(var)                                      \
+  (*(SSL_IS_PROXY() ? &data->set.proxy_ssl.var : &data->set.ssl.var))
 #define SSL_CONN_CONFIG(var)                                            \
   (SSL_IS_PROXY() ? conn->proxy_ssl_config.var : conn->ssl_config.var)
+#define SSL_HOST_NAME()                                                 \
+  (SSL_IS_PROXY() ? conn->http_proxy.host.name : conn->host.name)
+#define SSL_HOST_DISPNAME()                                             \
+  (SSL_IS_PROXY() ? conn->http_proxy.host.dispname : conn->host.dispname)
+#define SSL_PINNED_PUB_KEY() (SSL_IS_PROXY()                            \
+  ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]                     \
+  : data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG])
 #else
 #define SSL_IS_PROXY() FALSE
 #define SSL_SET_OPTION(var) data->set.ssl.var
+#define SSL_SET_OPTION_LVALUE(var) data->set.ssl.var
 #define SSL_CONN_CONFIG(var) conn->ssl_config.var
+#define SSL_HOST_NAME() conn->host.name
+#define SSL_HOST_DISPNAME() conn->host.dispname
+#define SSL_PINNED_PUB_KEY()                                            \
+  data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]
 #endif
 
 bool Curl_ssl_config_matches(struct ssl_primary_config *data,
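Review bot: the four added macros reach for the caller's `conn` local, and SSL_SET_OPTION_LVALUE and SSL_PINNED_PUB_KEY also for `data`, without any comment stating that contract, so a backend function missing one of those names fails with an undeclared-identifier error at the macro use rather than at the definition. A short comment above the group would document it, e.g. `/* Expect 'conn' (and 'data' where a data->set field is read) in scope. SSL_IS_PROXY() is re-evaluated on every use, so the proxy/origin selection is not cached across uses. */`; the `#ifndef CURL_DISABLE_PROXY` that opens this branch sits above the hunk. Separately, SSL_PINNED_PUB_KEY begins its body on the `#define` line while its siblings start on the continuation line; moving the `(SSL_IS_PROXY()` down to the next line would keep the group uniform.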
