author | Okhin Vasilij <OkhinVI@gmail.com> | 2016-11-21 17:01:25 +0700 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-11-24 23:41:45 +0100 |
commit | c6da05a5ec0c5250df077e42647c498f8ae38e8d (patch) | |
tree | 9e14b903397afb8f2bc8d0385aa51ef90e8cb84f /lib/vtls | |
parent | 49765cd75cdd40ceecb125ac893051be90977018 (diff) |
HTTPS-proxy: fixed mbedtls and polishing
Diffstat (limited to 'lib/vtls')
-rw-r--r-- | lib/vtls/darwinssl.c | 77 | ||||
-rw-r--r-- | lib/vtls/gskit.c | 2 | ||||
-rw-r--r-- | lib/vtls/gtls.c | 4 | ||||
-rw-r--r-- | lib/vtls/mbedtls.c | 62 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 8 | ||||
-rw-r--r-- | lib/vtls/schannel.c | 35 |
6 files changed, 103 insertions, 85 deletions
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index e4b4a6b48..705bff912 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -1038,6 +1038,12 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn,
 struct Curl_easy *data = conn->data;
 curl_socket_t sockfd = conn->sock[sockindex];
 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+ const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
+ char * const ssl_cert = SSL_SET_OPTION(cert);
+ const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
+ conn->host.name;
+ const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
 #ifdef ENABLE_IPV6
 struct in6_addr addr;
 #else
@@ -1233,34 +1239,33 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } #endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */ - if(data->set.str[STRING_KEY_ORIG]) { + if(SSL_SET_OPTION(key)) { infof(data, "WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure " "Transport. The private key must be in the Keychain.\n"); } - if(data->set.str[STRING_CERT_ORIG]) { + if(ssl_cert) { SecIdentityRef cert_and_key = NULL; - bool is_cert_file = is_file(data->set.str[STRING_CERT_ORIG]); + bool is_cert_file = is_file(ssl_cert); /* User wants to authenticate with a client cert. Look for it: If we detect that this is a file on disk, then let's load it. Otherwise, assume that the user wants to use an identity loaded from the Keychain. */ if(is_cert_file) { - if(!data->set.ssl.cert_type) + if(!SSL_SET_OPTION(cert_type)) infof(data, "WARNING: SSL: Certificate type not set, assuming " - "PKCS#12 format.\n"); - else if(strncmp(data->set.ssl.cert_type, "P12", - strlen(data->set.ssl.cert_type))) + "PKCS#12 format.\n"); + else if(strncmp(SSL_SET_OPTION(cert_type), "P12", + strlen(SSL_SET_OPTION(cert_type))) != 0) infof(data, "WARNING: SSL: The Security framework only supports " - "loading identities that are in PKCS#12 format.\n"); - err = CopyIdentityFromPKCS12File(data->set.str[STRING_CERT_ORIG], - data->set.ssl.key_passwd, - &cert_and_key); + "loading identities that are in PKCS#12 format.\n"); + + err = CopyIdentityFromPKCS12File(ssl_cert, + SSL_SET_OPTION(key_passwd), &cert_and_key); } else - err = CopyIdentityWithLabel(data->set.str[STRING_CERT_ORIG], - &cert_and_key); + err = CopyIdentityWithLabel(ssl_cert, &cert_and_key); if(err == noErr) { SecCertificateRef cert = NULL; 
@@ -1301,24 +1306,24 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, switch(err) { case errSecAuthFailed: case -25264: /* errSecPkcs12VerifyFailure */ failf(data, "SSL: Incorrect password for the certificate \"%s\" " - "and its private key.", data->set.str[STRING_CERT_ORIG]); + "and its private key.", ssl_cert); break; case -26275: /* errSecDecode */ case -25257: /* errSecUnknownFormat */ failf(data, "SSL: Couldn't make sense of the data in the " - "certificate \"%s\" and its private key.", - data->set.str[STRING_CERT_ORIG]); + "certificate \"%s\" and its private key.", + ssl_cert); break; case -25260: /* errSecPassphraseRequired */ failf(data, "SSL The certificate \"%s\" requires a password.", - data->set.str[STRING_CERT_ORIG]); + ssl_cert); break; case errSecItemNotFound: failf(data, "SSL: Can't find the certificate \"%s\" and its private " - "key in the Keychain.", data->set.str[STRING_CERT_ORIG]); + "key in the Keychain.", ssl_cert); break; default: failf(data, "SSL: Can't load the certificate \"%s\" and its private " - "key: OSStatus %d", data->set.str[STRING_CERT_ORIG], err); + "key: OSStatus %d", ssl_cert, err); break; } return CURLE_SSL_CERTPROBLEM; @@ -1350,8 +1355,7 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, #else if(SSLSetSessionOption != NULL) { #endif /* CURL_BUILD_MAC */ - bool break_on_auth = !conn->ssl_config.verifypeer || - data->set.str[STRING_SSL_CAFILE_ORIG]; + bool break_on_auth = !conn->ssl_config.verifypeer || ssl_cafile; err = SSLSetSessionOption(connssl->ssl_ctx, kSSLSessionOptionBreakOnServerAuth, break_on_auth); 
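Review bot: `bool break_on_auth = !conn->ssl_config.verifypeer || ssl_cafile;` still reads the non-proxy `conn->ssl_config.verifypeer` while `ssl_cafile` now comes from `SSL_CONN_CONFIG(CAfile)`, so on an HTTPS-proxy connection the two halves of the expression are taken from different configurations (assuming `SSL_CONN_CONFIG` selects the proxy config when `SSL_IS_PROXY()` holds, as the commit's own use of it suggests). The first hunk already declares a matching `verifypeer` local, so the line can simply become `bool break_on_auth = !verifypeer || ssl_cafile;`. The same mix remains in the next hunk at `if(conn->ssl_config.verifyhost)`, which should likely read `SSL_CONN_CONFIG(verifyhost)` as the session-id hunk further down already does; otherwise the proxy handshake would decide host-name verification from the origin server's setting. darwinssl_connect_step1 starts and ends outside this hunk.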
@@ -1379,15 +1383,14 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, } #endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */ - if(data->set.str[STRING_SSL_CAFILE_ORIG]) { - bool is_cert_file = is_file(data->set.str[STRING_SSL_CAFILE_ORIG]); + if(ssl_cafile) { + bool is_cert_file = is_file(ssl_cafile); if(!is_cert_file) { - failf(data, "SSL: can't load CA certificate file %s", - data->set.str[STRING_SSL_CAFILE_ORIG]); + failf(data, "SSL: can't load CA certificate file %s", ssl_cafile); return CURLE_SSL_CACERT_BADFILE; } - if(!data->set.ssl.primary.verifypeer) { + if(!verifypeer) { failf(data, "SSL: CA certificate set, but certificate verification " "is disabled"); return CURLE_SSL_CONNECT_ERROR; @@ -1398,17 +1401,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, * Both hostname check and SNI require SSLSetPeerDomainName(). * Also: the verifyhost setting influences SNI usage */ if(conn->ssl_config.verifyhost) { - err = SSLSetPeerDomainName(connssl->ssl_ctx, conn->host.name, - strlen(conn->host.name)); + err = SSLSetPeerDomainName(connssl->ssl_ctx, hostname, + strlen(hostname)); if(err != noErr) { infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n", err); } - if((Curl_inet_pton(AF_INET, conn->host.name, &addr)) + if((Curl_inet_pton(AF_INET, hostname, &addr)) #ifdef ENABLE_IPV6 - || (Curl_inet_pton(AF_INET6, conn->host.name, &addr)) + || (Curl_inet_pton(AF_INET6, hostname, &addr)) #endif ) { infof(data, "WARNING: using IP address, SNI is being disabled by " 
@@ -1558,10 +1561,8 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, else { CURLcode result; ssl_sessionid = - aprintf("%s:%d:%d:%s:%hu", data->set.str[STRING_SSL_CAFILE_ORIG], - data->set.ssl.primary.verifypeer, - data->set.ssl.primary.verifyhost, - conn->host.name, conn->remote_port); + aprintf("%s:%d:%d:%s:%hu", ssl_cafile, + verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port); ssl_sessionid_len = strlen(ssl_sessionid); err = SSLSetPeerID(connssl->ssl_ctx, ssl_sessionid, ssl_sessionid_len); @@ -1898,6 +1899,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) OSStatus err; SSLCipherSuite cipher; SSLProtocol protocol = 0; + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; DEBUGASSERT(ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state @@ -1916,8 +1919,8 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) /* The below is errSSLServerAuthCompleted; it's not defined in Leopard's headers */ case -9841: - if(data->set.str[STRING_SSL_CAFILE_ORIG]) { - int res = verify_cert(data->set.str[STRING_SSL_CAFILE_ORIG], data, + if(SSL_CONN_CONFIG(CAfile)) { + int res = verify_cert(SSL_CONN_CONFIG(CAfile), data, connssl->ssl_ctx); if(res != CURLE_OK) return res; @@ -1986,7 +1989,7 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex) return CURLE_SSL_CONNECT_ERROR; default: failf(data, "Unknown SSL protocol error in connection to %s:%d", - conn->host.name, err); + hostname, err); return CURLE_SSL_CONNECT_ERROR; } } diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index a91d09cb7..6cac9573c 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c 
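Review bot: The rewritten `aprintf` passes `port` to the `%hu` conversion, but `port` is declared `const long int` in the first hunk of this file, which is a format/argument type mismatch that `-Wformat` flags and that is undefined behaviour in C (the old `conn->remote_port` appears to be an `int`, which default argument promotion covers). Either format it as a long — `aprintf("%s:%d:%d:%s:%ld", ssl_cafile, verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port);` — or cast it to the type the conversion expects. The same mismatch is introduced in mbedtls.c, where mbed_connect_step1 also declares `port` as `long int` and then prints it with `%d` in `infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port);`; `%ld` would be correct there too. darwinssl_connect_step1 starts and ends outside this hunk.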
@@ -833,7 +833,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) } /* Determine which SSL/TLS version should be enabled. */ - sni = conn->host.name; + sni = hostname; switch (ssl_version) { case CURL_SSLVERSION_SSLv2: protoflags = CURL_GSKPROTO_SSLV2_MASK; diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 4ef06ee5d..4c9d9fada 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -502,8 +502,8 @@ gtls_connect_step1(struct connectdata *conn, #ifdef CURL_CA_FALLBACK /* use system ca certificate store as fallback */ - if(data->set.ssl.verifypeer && - !(data->set.ssl.CAfile || data->set.ssl.CApath)) { + if(SSL_CONN_CONFIG(verifypeer) && + !(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath))) { gnutls_certificate_set_x509_system_trust(conn->ssl[sockindex].cred); } #endif diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 8fa126a75..c84e597a3 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -163,13 +163,21 @@ mbed_connect_step1(struct connectdata *conn, { struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); + const bool verifypeer = SSL_CONN_CONFIG(verifypeer); + const char * const ssl_capath = SSL_CONN_CONFIG(CApath); + char * const ssl_cert = SSL_SET_OPTION(cert); + const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile); + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; int ret = -1; char errorbuf[128]; errorbuf[0]=0; /* mbedTLS only supports SSLv3 and TLSv1 */ - if(data->set.ssl.primary.version == CURL_SSLVERSION_SSLv2) { + if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) { failf(data, "mbedTLS does not support SSLv2"); return CURLE_SSL_CONNECT_ERROR; } 
@@ -205,34 +213,32 @@ mbed_connect_step1(struct connectdata *conn, /* Load the trusted CA */ mbedtls_x509_crt_init(&connssl->cacert); - if(data->set.str[STRING_SSL_CAFILE_ORIG]) { - ret = mbedtls_x509_crt_parse_file(&connssl->cacert, - data->set.str[STRING_SSL_CAFILE_ORIG]); + if(ssl_cafile) { + ret = mbedtls_x509_crt_parse_file(&connssl->cacert, ssl_cafile); if(ret<0) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_SSL_CAFILE_ORIG], -ret, errorbuf); + ssl_cafile, -ret, errorbuf); - if(data->set.ssl.primary.verifypeer) + if(verifypeer) return CURLE_SSL_CACERT_BADFILE; } } - if(data->set.str[STRING_SSL_CAPATH_ORIG]) { - ret = mbedtls_x509_crt_parse_path(&connssl->cacert, - data->set.str[STRING_SSL_CAPATH_ORIG]); + if(ssl_capath) { + ret = mbedtls_x509_crt_parse_path(&connssl->cacert, ssl_capath); if(ret<0) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_SSL_CAPATH_ORIG], -ret, errorbuf); + ssl_capath, -ret, errorbuf); - if(data->set.ssl.primary.verifypeer) + if(verifypeer) return CURLE_SSL_CACERT_BADFILE; } } @@ -240,16 +246,15 @@ mbed_connect_step1(struct connectdata *conn, /* Load the client certificate */ mbedtls_x509_crt_init(&connssl->clicert); - if(data->set.str[STRING_CERT_ORIG]) { - ret = mbedtls_x509_crt_parse_file(&connssl->clicert, - data->set.str[STRING_CERT_ORIG]); + if(ssl_cert) { + ret = mbedtls_x509_crt_parse_file(&connssl->clicert, ssl_cert); if(ret) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_CERT_ORIG], -ret, errorbuf); + ssl_cert, -ret, errorbuf); return CURLE_SSL_CERTPROBLEM; } 
@@ -258,10 +263,9 @@ mbed_connect_step1(struct connectdata *conn, /* Load the client private key */ mbedtls_pk_init(&connssl->pk); - if(data->set.str[STRING_KEY_ORIG]) { - ret = mbedtls_pk_parse_keyfile(&connssl->pk, - data->set.str[STRING_KEY_ORIG], - data->set.str[STRING_KEY_ORIG]); + if(SSL_SET_OPTION(key)) { + ret = mbedtls_pk_parse_keyfile(&connssl->pk, SSL_SET_OPTION(key), + SSL_SET_OPTION(key_passwd)); if(ret == 0 && !mbedtls_pk_can_do(&connssl->pk, MBEDTLS_PK_RSA)) ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; @@ -270,7 +274,7 @@ mbed_connect_step1(struct connectdata *conn, mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_KEY_ORIG], -ret, errorbuf); + SSL_SET_OPTION(key), -ret, errorbuf); return CURLE_SSL_CERTPROBLEM; } @@ -279,23 +283,21 @@ mbed_connect_step1(struct connectdata *conn, /* Load the CRL */ mbedtls_x509_crl_init(&connssl->crl); - if(data->set.str[STRING_SSL_CRLFILE_ORIG]) { - ret = mbedtls_x509_crl_parse_file(&connssl->crl, - data->set.str[STRING_SSL_CRLFILE_ORIG]); + if(ssl_crlfile) { + ret = mbedtls_x509_crl_parse_file(&connssl->crl, ssl_crlfile); if(ret) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s", - data->set.str[STRING_SSL_CRLFILE_ORIG], -ret, errorbuf); + ssl_crlfile, -ret, errorbuf); return CURLE_SSL_CRL_BADFILE; } } - infof(data, "mbedTLS: Connecting to %s:%d\n", - conn->host.name, conn->remote_port); + infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port); mbedtls_ssl_config_init(&connssl->config); 
@@ -317,7 +319,7 @@ mbed_connect_step1(struct connectdata *conn, mbedtls_ssl_conf_cert_profile(&connssl->config, &mbedtls_x509_crt_profile_fr); - switch(data->set.ssl.primary.version) { + switch(SSL_CONN_CONFIG(version)) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3, @@ -393,11 +395,11 @@ mbed_connect_step1(struct connectdata *conn, &connssl->cacert, &connssl->crl); - if(data->set.str[STRING_KEY_ORIG]) { + if(SSL_SET_OPTION(key)) { mbedtls_ssl_conf_own_cert(&connssl->config, &connssl->clicert, &connssl->pk); } - if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) { + if(mbedtls_ssl_set_hostname(&connssl->ssl, hostname)) { /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name to set in the SNI extension. So even if curl connects to a host specified as an IP address, this function must be used. */ @@ -487,7 +489,7 @@ mbed_connect_step2(struct connectdata *conn, ret = mbedtls_ssl_get_verify_result(&conn->ssl[sockindex].ssl); - if(ret && data->set.ssl.primary.verifypeer) { + if(ret && SSL_CONN_CONFIG(verifypeer)) { if(ret & MBEDTLS_X509_BADCERT_EXPIRED) failf(data, "Cert verify failed: BADCERT_EXPIRED"); diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index b8bc6c117..465d1bef6 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -2074,7 +2074,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) ssl_capath ? ssl_capath : "none"); } #ifdef CURL_CA_FALLBACK - else if(data->set.ssl.verifypeer) { + else if(verifypeer) { /* verfying the peer without any CA certificates won't work so use openssl's built in default as fallback */ SSL_CTX_set_default_verify_paths(connssl->ctx); 
@@ -2108,7 +2108,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest */ #if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS) - if(data->set.ssl.verifypeer) { + if(verifypeer) { X509_STORE_set_flags(SSL_CTX_get_cert_store(connssl->ctx), X509_V_FLAG_TRUSTED_FIRST); } @@ -2204,6 +2204,8 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) struct Curl_easy *data = conn->data; int err; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + long * const certverifyresult = SSL_IS_PROXY() ? + &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult; DEBUGASSERT(ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || ssl_connect_2_writing == connssl->connecting_state); @@ -2253,7 +2255,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) lerr = SSL_get_verify_result(connssl->handle); if(lerr != X509_V_OK) { - data->set.ssl.certverifyresult = lerr; + *certverifyresult = lerr; snprintf(error_buffer, sizeof(error_buffer), "SSL certificate problem: %s", X509_verify_cert_error_string(lerr)); diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index 7b20c2656..25d44382c 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -123,9 +123,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) #endif TCHAR *host_name; CURLcode result; + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n", - conn->host.name, conn->remote_port); + hostname, conn->remote_port); #ifdef HAS_ALPN /* ALPN is only supported on Windows 8.1 / Server 2012 R2 and above. 
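Review bot: `infof(data, "schannel: SSL/TLS connection with %s port %hu (step 1/3)\n", hostname, conn->remote_port);` now logs the proxy host name on a proxy connection but still pairs it with `conn->remote_port`, whereas darwinssl.c and mbedtls.c in this same commit derive the port as `SSL_IS_PROXY() ? conn->port : conn->remote_port`. As written, the log line would name the proxy together with the origin server's port, which misleads anyone debugging a proxy handshake. Consider a local next to `hostname`, `const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;`, printed with `%ld`. The same pattern repeats in the step 2, step 3 and Curl_schannel_shutdown hunks that follow. schannel_connect_step1 continues outside this hunk.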
@@ -259,9 +261,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) } /* Warn if SNI is disabled due to use of an IP address */ - if(Curl_inet_pton(AF_INET, conn->host.name, &addr) + if(Curl_inet_pton(AF_INET, hostname, &addr) #ifdef ENABLE_IPV6 - || Curl_inet_pton(AF_INET6, conn->host.name, &addr6) + || Curl_inet_pton(AF_INET6, hostname, &addr6) #endif ) { infof(data, "schannel: using IP address, SNI is not supported by OS.\n"); @@ -339,7 +341,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) } memset(connssl->ctxt, 0, sizeof(struct curl_schannel_ctxt)); - host_name = Curl_convert_UTF8_to_tchar(conn->host.name); + host_name = Curl_convert_UTF8_to_tchar(hostname); if(!host_name) return CURLE_OUT_OF_MEMORY; @@ -412,11 +414,13 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) TCHAR *host_name; CURLcode result; bool doread; + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; doread = (connssl->connecting_state != ssl_connect_2_writing) ? TRUE : FALSE; infof(data, "schannel: SSL/TLS connection with %s port %hu (step 2/3)\n", - conn->host.name, conn->remote_port); + hostname, conn->remote_port); if(!connssl->cred || !connssl->ctxt) return CURLE_SSL_CONNECT_ERROR; @@ -512,7 +516,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) memcpy(inbuf[0].pvBuffer, connssl->encdata_buffer, connssl->encdata_offset); - host_name = Curl_convert_UTF8_to_tchar(conn->host.name); + host_name = Curl_convert_UTF8_to_tchar(hostname); if(!host_name) return CURLE_OUT_OF_MEMORY; @@ -644,6 +648,8 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SECURITY_STATUS sspi_status = SEC_E_OK; CERT_CONTEXT *ccert_context = NULL; + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; #ifdef HAS_ALPN SecPkgContext_ApplicationProtocol alpn_result; #endif 
@@ -651,7 +657,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); infof(data, "schannel: SSL/TLS connection with %s port %hu (step 3/3)\n", - conn->host.name, conn->remote_port); + hostname, conn->remote_port); if(!connssl->cred) return CURLE_SSL_CONNECT_ERROR; @@ -1384,9 +1390,11 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) */ struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; infof(data, "schannel: shutting down SSL/TLS connection with %s port %hu\n", - conn->host.name, conn->remote_port); + hostname, conn->remote_port); if(connssl->cred && connssl->ctxt) { SecBufferDesc BuffDesc; @@ -1408,7 +1416,7 @@ int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) failf(data, "schannel: ApplyControlToken failure: %s", Curl_sspi_strerror(conn, sspi_status)); - host_name = Curl_convert_UTF8_to_tchar(conn->host.name); + host_name = Curl_convert_UTF8_to_tchar(hostname); if(!host_name) return CURLE_OUT_OF_MEMORY; @@ -1533,6 +1541,9 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex) CURLcode result = CURLE_OK; CERT_CONTEXT *pCertContextServer = NULL; const CERT_CHAIN_CONTEXT *pChainContext = NULL; + const char * const conn_hostname = SSL_IS_PROXY() ? + conn->http_proxy.host.name : + conn->host.name; status = s_pSecFn->QueryContextAttributes(&connssl->ctxt->ctxt_handle, SECPKG_ATTR_REMOTE_CERT_CONTEXT, 
@@ -1597,7 +1608,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex) DWORD len; cert_hostname.const_tchar_ptr = cert_hostname_buff; - hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn->host.name); + hostname.tchar_ptr = Curl_convert_UTF8_to_tchar(conn_hostname); /* TODO: Fix this for certificates with multiple alternative names. Right now we're only asking for the first preferred alternative name. @@ -1615,7 +1626,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex) 128); if(len > 0 && *cert_hostname.tchar_ptr == '*') { /* this is a wildcard cert. try matching the last len - 1 chars */ - int hostname_len = strlen(conn->host.name); + int hostname_len = strlen(conn_hostname); cert_hostname.tchar_ptr++; if(_tcsicmp(cert_hostname.const_tchar_ptr, hostname.const_tchar_ptr + hostname_len - len + 2) != 0) @@ -1630,7 +1641,7 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex) _cert_hostname = Curl_convert_tchar_to_UTF8(cert_hostname.tchar_ptr); failf(data, "schannel: CertGetNameString() certificate hostname " "(%s) did not match connection (%s)", - _cert_hostname, conn->host.name); + _cert_hostname, conn_hostname); Curl_unicodefree(_cert_hostname); } Curl_unicodefree(hostname.tchar_ptr); |
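Review bot: `int hostname_len = strlen(conn_hostname);` narrows a `size_t` into an `int`, and the wildcard comparison two lines below, `hostname.const_tchar_ptr + hostname_len - len + 2`, has no guard for a connection host name shorter than the certificate's wildcard suffix; with `len` declared as a `DWORD`, the mixed arithmetic is done unsigned and the resulting pointer can land outside the host-name buffer that `_tcsicmp` then reads. This predates the commit (the hunk only renames the variable), but the rename is a good moment to make it `size_t hostname_len = strlen(conn_hostname);` and to treat the certificate as a name mismatch before the comparison whenever `hostname_len + 2 < len`. I am inferring what `len` counts from the `+ 2` adjustment rather than from anything visible in the hunk, so check that bound against CertGetNameString's contract. verify_certificate starts and ends outside this hunk.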