generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

openssl: fixup the proxy/primary access macros

Browse Source 
IS_PROXY_SSL() no longer depend on connect state

IS_PROXY_SSL renamed to SSL_IS_PROXY

SSL_OPTION renamed to SSL_SET_OPTION

SSL_OPTION_PRIM renamed to SSL_CONN_CONFIG
This commit is contained in:
Daniel Stenberg 2015-07-01 00:06:53 +02:00
parent 316054e8cd
commit 211b265ffd
1 changed files with 40 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
lib/vtls/openssl.c
View File

@ -149,13 +149,10 @@
*/
#define RAND_LOAD_LENGTH 1024
#define IS_PROXY_SSL() (CURLPROXY_HTTPS == conn->http_proxy.proxytype && \
ssl_connection_complete != conn->proxy_ssl[sockindex].state)
#define SSL_OPTION(var) (IS_PROXY_SSL() ? data->set.proxy_ssl.var : \
data->set.ssl.var)
#define SSL_OPTION_PRIM(var) (IS_PROXY_SSL() ? \
#define SSL_IS_PROXY() (CURLPROXY_HTTPS == conn->http_proxy.proxytype)
#define SSL_SET_OPTION(var) (SSL_IS_PROXY() ? data->set.proxy_ssl.var : \
data->set.ssl.var)
#define SSL_CONN_CONFIG(var) (SSL_IS_PROXY() ? \
conn->proxy_ssl_config.var : conn->ssl_config.var)
static int passwd_callback(char *buf, int num, int encrypting,
@ -1110,9 +1107,9 @@ static CURLcode verifyhost(struct connectdata *conn,
struct in_addr addr;
#endif
CURLcode result = CURLE_OK;
const char * const hostname = IS_PROXY_SSL() ? conn->http_proxy.host.name :
conn->host.name;
const char * const dispname = IS_PROXY_SSL() ?
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const char * const dispname = SSL_IS_PROXY() ?
conn->http_proxy.host.dispname : conn->host.dispname;
#ifdef ENABLE_IPV6
@ -1706,20 +1703,20 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
struct in_addr addr;
#endif
#endif
long * const certverifyresult = IS_PROXY_SSL() ?
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
const long int ssl_version = SSL_OPTION_PRIM(version);
const long int ssl_version = SSL_CONN_CONFIG(version);
#ifdef USE_TLS_SRP
const enum CURL_TLSAUTH ssl_authtype = SSL_OPTION(authtype);
const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
#endif
char * const ssl_cert = SSL_OPTION(cert);
const char * const ssl_cert_type = SSL_OPTION(cert_type);
const char * const ssl_cafile = SSL_OPTION_PRIM(CAfile);
const char * const ssl_capath = SSL_OPTION_PRIM(CApath);
const bool verifypeer = SSL_OPTION_PRIM(verifypeer);
const char * const ssl_crlfile = SSL_OPTION(CRLfile);
const char * const hostname = IS_PROXY_SSL() ? conn->http_proxy.host.name :
conn->host.name;
char * const ssl_cert = SSL_SET_OPTION(cert);
const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
@ -1737,8 +1734,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1_1:
case CURL_SSLVERSION_TLSv1_2:
/* it will be handled later with the context options */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
req_method = TLS_client_method();
#else
req_method = SSLv23_client_method();
@ -1849,7 +1846,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
/* unless the user explicitly ask to allow the protocol vulnerability we
use the work-around */
if(!SSL_OPTION(enable_beast))
if(!SSL_SET_OPTION(enable_beast))
ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
@ -1952,14 +1949,14 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
if(ssl_cert || ssl_cert_type) {
if(!cert_stuff(conn, connssl->ctx, ssl_cert, ssl_cert_type,
SSL_OPTION(key), SSL_OPTION(key_type),
SSL_OPTION(key_passwd))) {
SSL_SET_OPTION(key), SSL_SET_OPTION(key_type),
SSL_SET_OPTION(key_passwd))) {
/* failf() is already done in cert_stuff() */
return CURLE_SSL_CERTPROBLEM;
}
}
ciphers = SSL_OPTION_PRIM(cipher_list);
ciphers = SSL_CONN_CONFIG(cipher_list);
if(!ciphers)
ciphers = (char *)DEFAULT_CIPHER_SELECTION;
if(!SSL_CTX_set_cipher_list(connssl->ctx, ciphers)) {
@ -1970,7 +1967,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#ifdef USE_TLS_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_OPTION(username);
char * const ssl_username = SSL_SET_OPTION(username);
infof(data, "Using TLS-SRP username: %s\n", ssl_username);
@ -1978,11 +1975,11 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
failf(data, "Unable to set SRP user name");
return CURLE_BAD_FUNCTION_ARGUMENT;
}
if(!SSL_CTX_set_srp_password(connssl->ctx, SSL_OPTION(password))) {
if(!SSL_CTX_set_srp_password(connssl->ctx, SSL_SET_OPTION(password))) {
failf(data, "failed setting SRP password");
return CURLE_BAD_FUNCTION_ARGUMENT;
}
if(!SSL_OPTION_PRIM(cipher_list)) {
if(!SSL_CONN_CONFIG(cipher_list)) {
infof(data, "Setting cipher list SRP\n");
if(!SSL_CTX_set_cipher_list(connssl->ctx, "SRP")) {
@ -2084,7 +2081,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL)
if(SSL_OPTION_PRIM(verifystatus))
if(SSL_CONN_CONFIG(verifystatus))
SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
#endif
@ -2140,8 +2137,8 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
|| ssl_connect_2_reading == connssl->connecting_state
|| ssl_connect_2_writing == connssl->connecting_state);
|| ssl_connect_2_reading == connssl->connecting_state
|| ssl_connect_2_writing == connssl->connecting_state);
ERR_clear_error();
@ -2216,9 +2213,9 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
* the SO_ERROR is also lost.
*/
if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
const char * const hostname = IS_PROXY_SSL() ?
const char * const hostname = SSL_IS_PROXY() ?
conn->http_proxy.host.name : conn->host.name;
const long int port = IS_PROXY_SSL() ? conn->port : conn->remote_port;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
failf(data, "Unknown SSL protocol error in connection to %s:%ld ",
hostname, port);
return result;
@ -2668,7 +2665,7 @@ static CURLcode servercert(struct connectdata *conn,
FILE *fp;
char *buffer = data->state.buffer;
const char *ptr;
long * const certverifyresult = IS_PROXY_SSL() ?
long * const certverifyresult = SSL_IS_PROXY() ?
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
if(data->set.ssl.certinfo)
@ -2682,7 +2679,7 @@ static CURLcode servercert(struct connectdata *conn,
return CURLE_PEER_FAILED_VERIFICATION;
}
infof(data, "%s certificate:\n", IS_PROXY_SSL() ? "Proxy" : "Server");
infof(data, "%s certificate:\n", SSL_IS_PROXY() ? "Proxy" : "Server");
rc = x509_name_oneline(X509_get_subject_name(connssl->server_cert),
buffer, BUFSIZE);
@ -2696,7 +2693,7 @@ static CURLcode servercert(struct connectdata *conn,
asn1_output(certdate, buffer, BUFSIZE);
infof(data, "\t expire date: %s\n", buffer);
if(SSL_OPTION_PRIM(verifyhost)) {
if(SSL_CONN_CONFIG(verifyhost)) {
result = verifyhost(conn, connssl->server_cert, sockindex);
if(result) {
X509_free(connssl->server_cert);
@ -2761,7 +2758,7 @@ static CURLcode servercert(struct connectdata *conn,
lerr = *certverifyresult = SSL_get_verify_result(connssl->handle);
if(*certverifyresult != X509_V_OK) {
if(SSL_OPTION_PRIM(verifypeer)) {
if(SSL_CONN_CONFIG(verifypeer)) {
/* We probably never reach this, because SSL_connect() will fail
and we return earlier if verifypeer is set? */
if(strict)
@ -2780,7 +2777,7 @@ static CURLcode servercert(struct connectdata *conn,
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL)
if(SSL_OPTION_PRIM(verifystatus)) {
if(SSL_CONN_CONFIG(verifystatus)) {
result = verifystatus(conn, connssl);
if(result) {
X509_free(connssl->server_cert);
@ -2858,8 +2855,9 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
* operations.
*/
result = servercert(conn, connssl, (SSL_OPTION_PRIM(verifypeer) ||
SSL_OPTION_PRIM(verifyhost)), sockindex);
result = servercert(conn, connssl,
(SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost)), sockindex);
if(!result)
connssl->connecting_state = ssl_connect_done;