Unverified Commit 937899a3 authored by Johannes Schindelin's avatar Johannes Schindelin Committed by Daniel Stenberg

vtls: convert the have_curlssl_* constants to runtime flags



The entire idea of introducing the Curl_ssl struct to describe SSL
backends is to prepare for choosing the SSL backend at runtime.

To that end, convert all the #ifdef have_curlssl_* style conditionals
to use bit flags instead.

Signed-off-by: default avatarJohannes Schindelin <johannes.schindelin@gmx.de>
parent 0a083a66
+41 −34
@@ -2179,24 +2179,26 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
                                         TRUE : FALSE;
    break;
  case CURLOPT_SSL_CTX_FUNCTION:
#ifdef have_curlssl_ssl_ctx
    /*
     * Set a SSL_CTX callback
     */
#ifdef USE_SSL
    if(Curl_ssl->have_ssl_ctx)
      data->set.ssl.fsslctx = va_arg(param, curl_ssl_ctx_callback);
#else
    result = CURLE_NOT_BUILT_IN;
    else
#endif
      result = CURLE_NOT_BUILT_IN;
    break;
  case CURLOPT_SSL_CTX_DATA:
#ifdef have_curlssl_ssl_ctx
    /*
     * Set a SSL_CTX callback parameter pointer
     */
#ifdef USE_SSL
    if(Curl_ssl->have_ssl_ctx)
      data->set.ssl.fsslctxp = va_arg(param, void *);
#else
    result = CURLE_NOT_BUILT_IN;
    else
#endif
      result = CURLE_NOT_BUILT_IN;
    break;
  case CURLOPT_SSL_FALSESTART:
    /*
@@ -2210,35 +2212,38 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
    data->set.ssl.falsestart = (0 != va_arg(param, long)) ? TRUE : FALSE;
    break;
  case CURLOPT_CERTINFO:
#ifdef have_curlssl_certinfo
#ifdef USE_SSL
    if(Curl_ssl->have_certinfo)
      data->set.ssl.certinfo = (0 != va_arg(param, long)) ? TRUE : FALSE;
#else
    result = CURLE_NOT_BUILT_IN;
    else
#endif
      result = CURLE_NOT_BUILT_IN;
    break;
  case CURLOPT_PINNEDPUBLICKEY:
#ifdef have_curlssl_pinnedpubkey /* only by supported backends */
    /*
     * Set pinned public key for SSL connection.
     * Specify file name of the public key in DER format.
     */
#ifdef USE_SSL
    if(Curl_ssl->have_pinnedpubkey)
      result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
                         va_arg(param, char *));
#else
    result = CURLE_NOT_BUILT_IN;
    else
#endif
      result = CURLE_NOT_BUILT_IN;
    break;
  case CURLOPT_PROXY_PINNEDPUBLICKEY:
#ifdef have_curlssl_pinnedpubkey /* only by supported backends */
    /*
     * Set pinned public key for SSL connection.
     * Specify file name of the public key in DER format.
     */
#ifdef USE_SSL
    if(Curl_ssl->have_pinnedpubkey)
      result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY],
                         va_arg(param, char *));
#else
    result = CURLE_NOT_BUILT_IN;
    else
#endif
      result = CURLE_NOT_BUILT_IN;
    break;
  case CURLOPT_CAINFO:
    /*
@@ -2256,30 +2261,32 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
                       va_arg(param, char *));
    break;
  case CURLOPT_CAPATH:
#ifdef have_curlssl_ca_path /* not supported by all backends */
    /*
     * Set CA path info for SSL connection. Specify directory name of the CA
     * certificates which have been prepared using openssl c_rehash utility.
     */
#ifdef USE_SSL
    if(Curl_ssl->have_ca_path)
      /* This does not work on windows. */
      result = setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
                         va_arg(param, char *));
#else
    result = CURLE_NOT_BUILT_IN;
    else
#endif
      result = CURLE_NOT_BUILT_IN;
    break;
  case CURLOPT_PROXY_CAPATH:
#ifdef have_curlssl_ca_path /* not supported by all backends */
    /*
     * Set CA path info for SSL connection proxy. Specify directory name of the
     * CA certificates which have been prepared using openssl c_rehash utility.
     */
#ifdef USE_SSL
    if(Curl_ssl->have_ca_path)
      /* This does not work on windows. */
      result = setstropt(&data->set.str[STRING_SSL_CAPATH_PROXY],
                         va_arg(param, char *));
#else
    result = CURLE_NOT_BUILT_IN;
    else
#endif
      result = CURLE_NOT_BUILT_IN;
    break;
  case CURLOPT_CRLFILE:
    /*
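Review bot: In every converted case of this section the new `else` is left dangling across a preprocessor boundary — `if(Curl_ssl->have_ssl_ctx)` … `else` … `#endif` … `result = CURLE_NOT_BUILT_IN;` — so the single statement under the `if` and the `else` belong to different preprocessor branches, and adding a second statement to either arm later would silently change which statement the `else` attaches to. The same shape appears at CURLOPT_SSL_CTX_DATA, CURLOPT_CERTINFO, both PINNEDPUBLICKEY cases and both CAPATH cases. Closing the supported path with its own `break` inside braces removes the cross-`#endif` `else` and keeps the unsupported path as the plain fall-through; one case is shown below and the others follow the same pattern. Curl_setopt itself starts and ends outside this hunk, so `result` and `param` are assumed to be the function-level variables the surrounding cases use.
```c
  case CURLOPT_SSL_CTX_FUNCTION:
    /*
     * Set a SSL_CTX callback
     */
#ifdef USE_SSL
    if(Curl_ssl->have_ssl_ctx) {
      data->set.ssl.fsslctx = va_arg(param, curl_ssl_ctx_callback);
      break;
    }
#endif
    result = CURLE_NOT_BUILT_IN;
    break;
  /* … CURLOPT_SSL_CTX_DATA, CERTINFO, PINNEDPUBLICKEY and CAPATH cases restructured the same way … */
```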
+5 −0
@@ -705,6 +705,11 @@ CURLcode Curl_axtls_random(struct Curl_easy *data,
const struct Curl_ssl Curl_ssl_axtls = {
  "axtls",                        /* name */

  0, /* have_ca_path */
  0, /* have_certinfo */
  0, /* have_pinnedpubkey */
  0, /* have_ssl_ctx */

  Curl_axtls_init,                /* init */
  Curl_axtls_cleanup,             /* cleanup */
  Curl_axtls_version,             /* version */
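Review bot: The four capability flags added at `0, /* have_ca_path */` through `0, /* have_ssl_ctx */` are positional initializers that differ only by their trailing comment, so transposing two of them compiles silently; a swapped `have_pinnedpubkey` would make CURLOPT_PINNEDPUBLICKEY be accepted by a backend that does not enforce pinning, or refused by one that does. The same table shape is added in `Curl_ssl_cyassl` and `Curl_ssl_darwinssl` in this commit. If the project's C baseline permits C99 designated initializers, `.have_pinnedpubkey = 0,` ties each value to its field name; otherwise a comment on the `struct Curl_ssl` definition (outside this view) stating that the flag order is load-bearing for these backend tables would at least warn the next editor.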
+21 −0
@@ -110,6 +110,18 @@ and that's a problem since options.h hasn't been included yet. */
#define CYASSL_MAX_ERROR_SZ 80
#endif

/* KEEP_PEER_CERT is a product of the presence of build time symbol
   OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is
   in wolfSSL's settings.h, and the latter two are build time symbols in
   options.h. */
#ifndef KEEP_PEER_CERT
#if defined(HAVE_CYASSL_GET_PEER_CERTIFICATE) || \
    defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \
    (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))
#define KEEP_PEER_CERT
#endif
#endif

static Curl_recv cyassl_recv;
static Curl_send cyassl_send;

@@ -954,6 +966,15 @@ static void Curl_cyassl_sha256sum(const unsigned char *tmp, /* input */
const struct Curl_ssl Curl_ssl_cyassl = {
  "cyassl",                        /* name */

  0, /* have_ca_path */
  0, /* have_certinfo */
#ifdef KEEP_PEER_CERT
  1, /* have_pinnedpubkey */
#else
  0, /* have_pinnedpubkey */
#endif
  1, /* have_ssl_ctx */

  Curl_cyassl_init,                /* init */
  Curl_none_cleanup,               /* cleanup */
  Curl_cyassl_version,             /* version */
+0 −20
@@ -25,18 +25,6 @@

#ifdef USE_CYASSL

/* KEEP_PEER_CERT is a product of the presence of build time symbol
   OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is
   in wolfSSL's settings.h, and the latter two are build time symbols in
   options.h. */
#ifndef KEEP_PEER_CERT
#if defined(HAVE_CYASSL_GET_PEER_CERTIFICATE) || \
    defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \
    (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))
#define KEEP_PEER_CERT
#endif
#endif

CURLcode Curl_cyassl_connect(struct connectdata *conn, int sockindex);
bool Curl_cyassl_data_pending(const struct connectdata* conn, int connindex);
int Curl_cyassl_shutdown(struct connectdata* conn, int sockindex);
@@ -60,13 +48,5 @@ extern const struct Curl_ssl Curl_ssl_cyassl;
/* Set the API backend definition to CyaSSL */
#define CURL_SSL_BACKEND CURLSSLBACKEND_CYASSL

/* this backend supports CURLOPT_SSL_CTX_* */
#define have_curlssl_ssl_ctx 1

#ifdef KEEP_PEER_CERT
/* this backend supports CURLOPT_PINNEDPUBLICKEY */
#define have_curlssl_pinnedpubkey 1
#endif

#endif /* USE_CYASSL */
#endif /* HEADER_CURL_CYASSL_H */
+27 −0
@@ -118,6 +118,24 @@
#define ioErr -36
#define paramErr -50

/* pinned public key support tests */

/* version 1 supports macOS 10.12+ and iOS 10+ */
#if ((TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000) || \
    (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED  >= 101200))
#define DARWIN_SSL_PINNEDPUBKEY_V1 1
#endif

/* version 2 supports MacOSX 10.7+ */
#if (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070)
#define DARWIN_SSL_PINNEDPUBKEY_V2 1
#endif

#if defined(DARWIN_SSL_PINNEDPUBKEY_V1) || defined(DARWIN_SSL_PINNEDPUBKEY_V2)
/* this backend supports CURLOPT_PINNEDPUBLICKEY */
#define DARWIN_SSL_PINNEDPUBKEY 1
#endif /* DARWIN_SSL_PINNEDPUBKEY */

#ifdef DARWIN_SSL_PINNEDPUBKEY
/* both new and old APIs return rsa keys missing the spki header (not DER) */
static const unsigned char rsa4096SpkiHeader[] = {
@@ -2860,6 +2878,15 @@ static ssize_t darwinssl_recv(struct connectdata *conn,
const struct Curl_ssl Curl_ssl_darwinssl = {
  "darwinssl",                        /* name */

  0, /* have_ca_path */
  0, /* have_certinfo */
#ifdef DARWIN_SSL_PINNEDPUBKEY
  1, /* have_pinnedpubkey */
#else
  0, /* have_pinnedpubkey */
#endif /* DARWIN_SSL_PINNEDPUBKEY */
  0, /* have_ssl_ctx */

  Curl_none_init,                     /* init */
  Curl_none_cleanup,                  /* cleanup */
  Curl_darwinssl_version,             /* version */
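Review bot: The relocated version tests at `#if ((TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000) || …` use the macros as bare identifiers, and an identifier that is not defined evaluates to 0 inside `#if`; if the header that defines them is not included before this point in darwinssl.c (the includes are outside this hunk, so this is inferred), `DARWIN_SSL_PINNEDPUBKEY` is silently left undefined and the table below reports `0, /* have_pinnedpubkey */`, disabling pinning without any build error. A guard such as `#if !defined(TARGET_OS_IPHONE)` followed by `#error "TargetConditionals.h must be included before the pinned-key version tests"` would turn that silent downgrade into a build failure. The second hunk's positional flag initializers share the ordering concern already raised on the axtls table.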