
[gnurl] 137/411: vtls: deduplicate client certificates in ssl_config_dat


From: gnunet
Subject: [gnurl] 137/411: vtls: deduplicate client certificates in ssl_config_data
Date: Wed, 13 Jan 2021 01:19:12 +0100

This is an automated email from the git hooks/post-receive script.

nikita pushed a commit to branch master
in repository gnurl.

commit 182ff2d63c9a25c14ee1e7dc9e6d63e9079df677
Author: Gergely Nagy <ngg@tresorit.com>
AuthorDate: Mon Jun 29 20:07:37 2020 +0200

    vtls: deduplicate client certificates in ssl_config_data
    
    Closes #5629
---
 lib/url.c            |  4 ----
 lib/urldata.h        |  2 --
 lib/vtls/gskit.c     |  2 +-
 lib/vtls/gtls.c      | 10 +++++-----
 lib/vtls/mbedtls.c   |  2 +-
 lib/vtls/mesalink.c  |  7 ++++---
 lib/vtls/nss.c       |  7 ++++---
 lib/vtls/openssl.c   |  4 ++--
 lib/vtls/schannel.c  | 25 +++++++++++++------------
 lib/vtls/sectransp.c |  4 ++--
 lib/vtls/wolfssl.c   |  7 ++++---
 11 files changed, 36 insertions(+), 38 deletions(-)

diff --git a/lib/url.c b/lib/url.c
index af2a1c06d..bc224ece7 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3635,18 +3635,15 @@ static CURLcode create_conn(struct Curl_easy *data,
   data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
   data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
-  data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
   data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
-  data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
 #endif
   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
   data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
-  data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
   data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
@@ -3661,7 +3658,6 @@ static CURLcode create_conn(struct Curl_easy *data,
 #endif
 #endif
 
-  data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
   data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
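Review bot: The removed `data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];` has no visible counterpart assigning `data->set.ssl.primary.cert_blob` in either url.c hunk, whereas the proxy side's `data->set.proxy_ssl.primary.cert_blob` assignment is visible at the top of the first hunk; presumably the non-proxy assignment sits just outside this hunk, but it is worth confirming, since openssl.c, sectransp.c and schannel.c now read `primary.cert_blob` and would silently see a NULL blob otherwise. Because `primary` appears to be the part of the TLS configuration shared with connection matching, moving the blob there also means the reuse comparison should account for it (a connection authenticated with one client certificate must not be reused for a different one) — confirm in the config-matching code, which is outside this diff. create_conn starts and ends outside both hunks.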
 
diff --git a/lib/urldata.h b/lib/urldata.h
index 40f9b26df..81cb5fe57 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -245,8 +245,6 @@ struct ssl_config_data {
   struct curl_blob *issuercert_blob;
   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
   void *fsslctxp;        /* parameter for call back */
-  char *cert; /* client certificate file name */
-  struct curl_blob *cert_blob;
   char *cert_type; /* format for certificate (default: PEM)*/
   char *key; /* private key file name */
   struct curl_blob *key_blob;
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index 0538e4a46..dc79f487c 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -705,7 +705,7 @@ static CURLcode gskit_connect_step1(struct connectdata 
*conn, int sockindex)
   int rc;
   const char * const keyringfile = SSL_CONN_CONFIG(CAfile);
   const char * const keyringpwd = SSL_SET_OPTION(key_passwd);
-  const char * const keyringlabel = SSL_SET_OPTION(cert);
+  const char * const keyringlabel = SSL_SET_OPTION(primary.clientcert);
   const long int ssl_version = SSL_CONN_CONFIG(version);
   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
   const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name:
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 978c61abf..b09003303 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -645,7 +645,7 @@ gtls_connect_step1(struct connectdata *conn,
     gnutls_alpn_set_protocols(session, protocols, cur, 0);
   }
 
-  if(SSL_SET_OPTION(cert)) {
+  if(SSL_SET_OPTION(primary.clientcert)) {
     if(SSL_SET_OPTION(key_passwd)) {
       const unsigned int supported_key_encryption_algorithms =
         GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
@@ -654,9 +654,9 @@ gtls_connect_step1(struct connectdata *conn,
         GNUTLS_PKCS_USE_PBES2_AES_256;
       rc = gnutls_certificate_set_x509_key_file2(
            backend->cred,
-           SSL_SET_OPTION(cert),
+           SSL_SET_OPTION(primary.clientcert),
            SSL_SET_OPTION(key) ?
-           SSL_SET_OPTION(key) : SSL_SET_OPTION(cert),
+           SSL_SET_OPTION(key) : SSL_SET_OPTION(primary.clientcert),
            do_file_type(SSL_SET_OPTION(cert_type)),
            SSL_SET_OPTION(key_passwd),
            supported_key_encryption_algorithms);
@@ -670,9 +670,9 @@ gtls_connect_step1(struct connectdata *conn,
     else {
       if(gnutls_certificate_set_x509_key_file(
            backend->cred,
-           SSL_SET_OPTION(cert),
+           SSL_SET_OPTION(primary.clientcert),
            SSL_SET_OPTION(key) ?
-           SSL_SET_OPTION(key) : SSL_SET_OPTION(cert),
+           SSL_SET_OPTION(key) : SSL_SET_OPTION(primary.clientcert),
            do_file_type(SSL_SET_OPTION(cert_type)) ) !=
          GNUTLS_E_SUCCESS) {
         failf(data, "error reading X.509 key or certificate file");
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 545f824c6..71d2b2d07 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -244,7 +244,7 @@ mbed_connect_step1(struct connectdata *conn,
   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
-  char * const ssl_cert = SSL_SET_OPTION(cert);
+  char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
   const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
 #ifndef CURL_DISABLE_PROXY
   const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c
index 17c64735e..7346a75f9 100644
--- a/lib/vtls/mesalink.c
+++ b/lib/vtls/mesalink.c
@@ -179,11 +179,12 @@ mesalink_connect_step1(struct connectdata *conn, int 
sockindex)
           SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath): "none");
   }
 
-  if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
+  if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key)) {
     int file_type = do_file_type(SSL_SET_OPTION(cert_type));
 
-    if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx, SSL_SET_OPTION(cert),
-                                     file_type) != 1) {
+    if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx,
+                                          SSL_SET_OPTION(primary.clientcert),
+                                          file_type) != 1) {
       failf(data, "unable to use client certificate (no key or wrong pass"
             " phrase?)");
       return CURLE_SSL_CONNECT_ERROR;
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 25098814a..2aed10d1b 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1981,14 +1981,15 @@ static CURLcode nss_setup_connect(struct connectdata 
*conn, int sockindex)
     infof(data, "  CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
   }
 
-  if(SSL_SET_OPTION(cert)) {
-    char *nickname = dup_nickname(data, SSL_SET_OPTION(cert));
+  if(SSL_SET_OPTION(primary.clientcert)) {
+    char *nickname = dup_nickname(data, SSL_SET_OPTION(primary.clientcert));
     if(nickname) {
       /* we are not going to use libnsspem.so to read the client cert */
       backend->obj_clicert = NULL;
     }
     else {
-      CURLcode rv = cert_stuff(conn, sockindex, SSL_SET_OPTION(cert),
+      CURLcode rv = cert_stuff(conn, sockindex,
+                               SSL_SET_OPTION(primary.clientcert),
                                SSL_SET_OPTION(key));
       if(rv) {
         /* failf() is already done in cert_stuff() */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 0a5a37384..1b3ed665d 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2493,8 +2493,8 @@ static CURLcode ossl_connect_step1(struct connectdata 
*conn, int sockindex)
 #ifdef HAVE_OPENSSL_SRP
   const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
 #endif
-  char * const ssl_cert = SSL_SET_OPTION(cert);
-  const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
+  char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+  const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
   const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
   const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 91a83a8e9..1fe9b7b8d 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -590,7 +590,7 @@ schannel_connect_step1(struct connectdata *conn, int 
sockindex)
 
 #ifdef HAS_CLIENT_CERT_PATH
     /* client certificate */
-    if(data->set.ssl.cert || data->set.ssl.cert_blob) {
+    if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
       DWORD cert_store_name = 0;
       TCHAR *cert_store_path = NULL;
       TCHAR *cert_thumbprint_str = NULL;
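Review bot: The new condition reads `data->set.ssl.primary.clientcert` and `data->set.ssl.primary.cert_blob` directly, while every other backend in this commit goes through `SSL_SET_OPTION(primary.clientcert)`; the same direct access is repeated in the later schannel.c hunks (the `blob` flag, the `fopen` path, the `failf` messages and the `#else` branch). This is pre-existing style rather than something the rename introduces, but it means the `proxy_ssl.primary.*` copies that url.c fills in are never consulted by this backend, so a client certificate configured for the proxy is presumably ignored here — confirm whether Schannel is expected to honour proxy TLS options at all. If it is, `SSL_SET_OPTION(primary.clientcert)` and `SSL_SET_OPTION(primary.cert_blob)` would be the consistent replacements. schannel_connect_step1 starts and ends outside this hunk.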
@@ -600,27 +600,28 @@ schannel_connect_step1(struct connectdata *conn, int 
sockindex)
       FILE *fInCert = NULL;
       void *certdata = NULL;
       size_t certsize = 0;
-      bool blob = data->set.ssl.cert_blob != NULL;
+      bool blob = data->set.ssl.primary.cert_blob != NULL;
       TCHAR *cert_path = NULL;
       if(blob) {
-        certdata = data->set.ssl.cert_blob->data;
-        certsize = data->set.ssl.cert_blob->len;
+        certdata = data->set.ssl.primary.cert_blob->data;
+        certsize = data->set.ssl.primary.cert_blob->len;
       }
       else {
-        cert_path = curlx_convert_UTF8_to_tchar(data->set.ssl.cert);
+        cert_path = curlx_convert_UTF8_to_tchar(
+          data->set.ssl.primary.clientcert);
         if(!cert_path)
           return CURLE_OUT_OF_MEMORY;
 
         result = get_cert_location(cert_path, &cert_store_name,
           &cert_store_path, &cert_thumbprint_str);
 
-        if(result && (data->set.ssl.cert[0]!='\0'))
-          fInCert = fopen(data->set.ssl.cert, "rb");
+        if(result && (data->set.ssl.primary.clientcert[0]!='\0'))
+          fInCert = fopen(data->set.ssl.primary.clientcert, "rb");
 
         if(result && !fInCert) {
           failf(data, "schannel: Failed to get certificate location"
                 " or file for %s",
-                data->set.ssl.cert);
+                data->set.ssl.primary.clientcert);
           curlx_unicodefree(cert_path);
           return result;
         }
@@ -630,7 +631,7 @@ schannel_connect_step1(struct connectdata *conn, int 
sockindex)
           (!strcasecompare(data->set.ssl.cert_type, "P12"))) {
         failf(data, "schannel: certificate format compatibility error "
                 " for %s",
-                blob ? "(memory blob)" : data->set.ssl.cert);
+                blob ? "(memory blob)" : data->set.ssl.primary.clientcert);
         curlx_unicodefree(cert_path);
         return CURLE_SSL_CERTPROBLEM;
       }
@@ -645,7 +646,7 @@ schannel_connect_step1(struct connectdata *conn, int 
sockindex)
         size_t pwd_len = 0;
         int str_w_len = 0;
         const char *cert_showfilename_error = blob ?
-          "(memory blob)" : data->set.ssl.cert;
+          "(memory blob)" : data->set.ssl.primary.clientcert;
         curlx_unicodefree(cert_path);
         if(fInCert) {
           long cert_tell = 0;
@@ -666,7 +667,7 @@ schannel_connect_step1(struct connectdata *conn, int 
sockindex)
           fclose(fInCert);
           if(!continue_reading) {
             failf(data, "schannel: Failed to read cert file %s",
-                data->set.ssl.cert);
+                data->set.ssl.primary.clientcert);
             free(certdata);
             return CURLE_SSL_CERTPROBLEM;
           }
@@ -773,7 +774,7 @@ schannel_connect_step1(struct connectdata *conn, int 
sockindex)
       CertCloseStore(cert_store, 0);
     }
 #else
-    if(data->set.ssl.cert) {
+    if(data->set.ssl.primary.clientcert || data->set.ssl.primary.cert_blob) {
       failf(data, "schannel: client cert support not built in");
       return CURLE_NOT_BUILT_IN;
     }
diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
index 2627aff16..1e2e93aec 100644
--- a/lib/vtls/sectransp.c
+++ b/lib/vtls/sectransp.c
@@ -1397,8 +1397,8 @@ static CURLcode sectransp_connect_step1(struct 
connectdata *conn,
   const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
   const struct curl_blob *ssl_cablob = NULL;
   const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
-  char * const ssl_cert = SSL_SET_OPTION(cert);
-  const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
+  char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
+  const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
   const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
     conn->host.name;
   const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index 1428032b6..a299b99d1 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -379,11 +379,12 @@ wolfssl_connect_step1(struct connectdata *conn,
   }
 
   /* Load the client certificate, and private key */
-  if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
+  if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key)) {
     int file_type = do_file_type(SSL_SET_OPTION(cert_type));
 
-    if(SSL_CTX_use_certificate_file(backend->ctx, SSL_SET_OPTION(cert),
-                                     file_type) != 1) {
+    if(SSL_CTX_use_certificate_file(backend->ctx,
+                                    SSL_SET_OPTION(primary.clientcert),
+                                    file_type) != 1) {
       failf(data, "unable to use client certificate (no key or wrong pass"
             " phrase?)");
       return CURLE_SSL_CONNECT_ERROR;

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


