Commit 49765cd7 authored by Daniel Stenberg's avatar Daniel Stenberg

darwinssl: adopted to the HTTPS proxy changes

It builds and runs all test cases. No adaptations for actual HTTPS proxy
support have been made.
parent 8b435265
+153 −151
@@ -1233,33 +1233,34 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
  }
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */

  if(data->set.str[STRING_KEY]) {
  if(data->set.str[STRING_KEY_ORIG]) {
    infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure "
          "Transport. The private key must be in the Keychain.\n");
  }

  if(data->set.str[STRING_CERT]) {
  if(data->set.str[STRING_CERT_ORIG]) {
    SecIdentityRef cert_and_key = NULL;
    bool is_cert_file = is_file(data->set.str[STRING_CERT]);
    bool is_cert_file = is_file(data->set.str[STRING_CERT_ORIG]);

    /* User wants to authenticate with a client cert. Look for it:
       If we detect that this is a file on disk, then let's load it.
       Otherwise, assume that the user wants to use an identity loaded
       from the Keychain. */
    if(is_cert_file) {
      if(!data->set.str[STRING_CERT_TYPE])
      if(!data->set.ssl.cert_type)
        infof(data, "WARNING: SSL: Certificate type not set, assuming "
              "PKCS#12 format.\n");
      else if(strncmp(data->set.str[STRING_CERT_TYPE], "P12",
        strlen(data->set.str[STRING_CERT_TYPE])) != 0)
      else if(strncmp(data->set.ssl.cert_type, "P12",
                      strlen(data->set.ssl.cert_type)))
        infof(data, "WARNING: SSL: The Security framework only supports "
              "loading identities that are in PKCS#12 format.\n");

      err = CopyIdentityFromPKCS12File(data->set.str[STRING_CERT],
        data->set.str[STRING_KEY_PASSWD], &cert_and_key);
      err = CopyIdentityFromPKCS12File(data->set.str[STRING_CERT_ORIG],
                                       data->set.ssl.key_passwd,
                                       &cert_and_key);
    }
    else
      err = CopyIdentityWithLabel(data->set.str[STRING_CERT], &cert_and_key);
      err = CopyIdentityWithLabel(data->set.str[STRING_CERT_ORIG],
                                  &cert_and_key);

    if(err == noErr) {
      SecCertificateRef cert = NULL;
@@ -1300,24 +1301,24 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
      switch(err) {
      case errSecAuthFailed: case -25264: /* errSecPkcs12VerifyFailure */
        failf(data, "SSL: Incorrect password for the certificate \"%s\" "
                      "and its private key.", data->set.str[STRING_CERT]);
              "and its private key.", data->set.str[STRING_CERT_ORIG]);
        break;
      case -26275: /* errSecDecode */ case -25257: /* errSecUnknownFormat */
        failf(data, "SSL: Couldn't make sense of the data in the "
              "certificate \"%s\" and its private key.",
                      data->set.str[STRING_CERT]);
              data->set.str[STRING_CERT_ORIG]);
        break;
      case -25260: /* errSecPassphraseRequired */
        failf(data, "SSL The certificate \"%s\" requires a password.",
                      data->set.str[STRING_CERT]);
              data->set.str[STRING_CERT_ORIG]);
        break;
      case errSecItemNotFound:
        failf(data, "SSL: Can't find the certificate \"%s\" and its private "
                      "key in the Keychain.", data->set.str[STRING_CERT]);
              "key in the Keychain.", data->set.str[STRING_CERT_ORIG]);
        break;
      default:
        failf(data, "SSL: Can't load the certificate \"%s\" and its private "
                      "key: OSStatus %d", data->set.str[STRING_CERT], err);
              "key: OSStatus %d", data->set.str[STRING_CERT_ORIG], err);
        break;
      }
      return CURLE_SSL_CERTPROBLEM;
@@ -1350,7 +1351,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
  if(SSLSetSessionOption != NULL) {
#endif /* CURL_BUILD_MAC */
    bool break_on_auth = !conn->ssl_config.verifypeer ||
      data->set.str[STRING_SSL_CAFILE];
      data->set.str[STRING_SSL_CAFILE_ORIG];
    err = SSLSetSessionOption(connssl->ssl_ctx,
                              kSSLSessionOptionBreakOnServerAuth,
                              break_on_auth);
@@ -1378,15 +1379,15 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
  }
#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */

  if(data->set.str[STRING_SSL_CAFILE]) {
    bool is_cert_file = is_file(data->set.str[STRING_SSL_CAFILE]);
  if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
    bool is_cert_file = is_file(data->set.str[STRING_SSL_CAFILE_ORIG]);

    if(!is_cert_file) {
      failf(data, "SSL: can't load CA certificate file %s",
            data->set.str[STRING_SSL_CAFILE]);
            data->set.str[STRING_SSL_CAFILE_ORIG]);
      return CURLE_SSL_CACERT_BADFILE;
    }
    if(!data->set.ssl.verifypeer) {
    if(!data->set.ssl.primary.verifypeer) {
      failf(data, "SSL: CA certificate set, but certificate verification "
            "is disabled");
      return CURLE_SSL_CONNECT_ERROR;
@@ -1557,8 +1558,9 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
    else {
      CURLcode result;
      ssl_sessionid =
        aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE],
                data->set.ssl.verifypeer, data->set.ssl.verifyhost,
        aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE_ORIG],
                data->set.ssl.primary.verifypeer,
                data->set.ssl.primary.verifyhost,
                conn->host.name, conn->remote_port);
      ssl_sessionid_len = strlen(ssl_sessionid);

@@ -1914,8 +1916,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)
      /* The below is errSSLServerAuthCompleted; it's not defined in
        Leopard's headers */
      case -9841:
        if(data->set.str[STRING_SSL_CAFILE]) {
          int res = verify_cert(data->set.str[STRING_SSL_CAFILE], data,
        if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
          int res = verify_cert(data->set.str[STRING_SSL_CAFILE_ORIG], data,
                                connssl->ssl_ctx);
          if(res != CURLE_OK)
            return res;