Diffstat (limited to 'lib/ssluse.c')
-rw-r--r-- | lib/ssluse.c | 111 |
1 files changed, 58 insertions, 53 deletions
diff --git a/lib/ssluse.c b/lib/ssluse.c index 1b53f2589..cd138bb6e 100644 --- a/lib/ssluse.c +++ b/lib/ssluse.c @@ -378,22 +378,22 @@ int cert_stuff(struct connectdata *conn, params.cert = NULL; /* Does the engine supports LOAD_CERT_CTRL ? */ - if (!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME, - 0, (void *)cmd_name, NULL)) { + if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME, + 0, (void *)cmd_name, NULL)) { failf(data, "ssl engine does not support loading certificates"); return 0; } /* Load the certificate from the engine */ - if (!ENGINE_ctrl_cmd(data->state.engine, cmd_name, - 0, ¶ms, NULL, 1)) { + if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name, + 0, ¶ms, NULL, 1)) { failf(data, "ssl engine cannot load client cert with id" " '%s' [%s]", cert_file, ERR_error_string(ERR_get_error(), NULL)); return 0; } - if (!params.cert) { + if(!params.cert) { failf(data, "ssl engine didn't initialized the certificate " "properly."); return 0; @@ -467,7 +467,7 @@ int cert_stuff(struct connectdata *conn, return 0; } - if (!SSL_CTX_check_private_key (ctx)) { + if(!SSL_CTX_check_private_key (ctx)) { failf(data, "private key from PKCS12 file '%s' " "does not match certificate in same file", cert_file); EVP_PKEY_free(pri); @@ -475,15 +475,15 @@ int cert_stuff(struct connectdata *conn, return 0; } /* Set Certificate Verification chain */ - if (ca && sk_X509_num(ca)) { - for (i = 0; i < sk_X509_num(ca); i++) { - if (!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) { + if(ca && sk_X509_num(ca)) { + for(i = 0; i < sk_X509_num(ca); i++) { + if(!SSL_CTX_add_extra_chain_cert(ctx,sk_X509_value(ca, i))) { failf(data, "cannot add certificate to certificate chain"); EVP_PKEY_free(pri); X509_free(x509); return 0; } - if (!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) { + if(!SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i))) { failf(data, "cannot add certificate to client CA list"); EVP_PKEY_free(pri); X509_free(x509); 
@@ -788,10 +788,12 @@ CURLcode Curl_ossl_set_engine_default(struct SessionHandle *data) #ifdef HAVE_OPENSSL_ENGINE_H if(data->state.engine) { if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) { - infof(data,"set default crypto engine '%s'\n", ENGINE_get_id(data->state.engine)); + infof(data,"set default crypto engine '%s'\n", + ENGINE_get_id(data->state.engine)); } else { - failf(data, "set default crypto engine '%s' failed", ENGINE_get_id(data->state.engine)); + failf(data, "set default crypto engine '%s' failed", + ENGINE_get_id(data->state.engine)); return CURLE_SSL_ENGINE_SETFAILED; } } @@ -810,7 +812,7 @@ struct curl_slist *Curl_ossl_engines_list(struct SessionHandle *data) struct curl_slist *beg = NULL; ENGINE *e; - for (e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) { + for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) { list = curl_slist_append(list, ENGINE_get_id(e)); if(list == NULL) { curl_slist_free_all(beg); @@ -998,7 +1000,7 @@ static int asn1_output(const ASN1_UTCTIME *tm, return 1; if(asn1_string[i-1] == 'Z') gmt=TRUE; - for (i=0; i<10; i++) + for(i=0; i<10; i++) if((asn1_string[i] > '9') || (asn1_string[i] < '0')) return 2; @@ -1145,7 +1147,7 @@ static CURLcode verifyhost(struct connectdata *conn, numalts = sk_GENERAL_NAME_num(altnames); /* loop through all alternatives while none has matched */ - for (i=0; (i<numalts) && (matched != 1); i++) { + for(i=0; (i<numalts) && (matched != 1); i++) { /* get a handle to alternative name number i */ const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i); @@ -1439,10 +1441,11 @@ ossl_connect_step1(struct connectdata *conn, default: case CURL_SSLVERSION_DEFAULT: #ifdef USE_TLS_SRP - if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) { + if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { infof(data, "Set version TLSv1 for SRP authorisation\n"); req_method = TLSv1_client_method() ; - } else + } + else #endif /* we try to figure out version */ req_method = SSLv23_client_method(); 
@@ -1458,7 +1461,7 @@ ossl_connect_step1(struct connectdata *conn, return CURLE_NOT_BUILT_IN; #else #ifdef USE_TLS_SRP - if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) + if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) return CURLE_SSL_CONNECT_ERROR; #endif req_method = SSLv2_client_method(); @@ -1467,7 +1470,7 @@ ossl_connect_step1(struct connectdata *conn, #endif case CURL_SSLVERSION_SSLv3: #ifdef USE_TLS_SRP - if (data->set.ssl.authtype == CURL_TLSAUTH_SRP) + if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) return CURLE_SSL_CONNECT_ERROR; #endif req_method = SSLv3_client_method(); @@ -1568,11 +1571,11 @@ ossl_connect_step1(struct connectdata *conn, if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { infof(data, "Using TLS-SRP username: %s\n", data->set.ssl.username); - if (!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) { + if(!SSL_CTX_set_srp_username(connssl->ctx, data->set.ssl.username)) { failf(data, "Unable to set SRP user name"); return CURLE_BAD_FUNCTION_ARGUMENT; } - if (!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) { + if(!SSL_CTX_set_srp_password(connssl->ctx,data->set.ssl.password)) { failf(data, "failed setting SRP password"); return CURLE_BAD_FUNCTION_ARGUMENT; } @@ -1622,13 +1625,13 @@ ossl_connect_step1(struct connectdata *conn, "none"); } - if (data->set.str[STRING_SSL_CRLFILE]) { + if(data->set.str[STRING_SSL_CRLFILE]) { /* tell SSL where to find CRL file that is used to check certificate * revocation */ lookup=X509_STORE_add_lookup(connssl->ctx->cert_store,X509_LOOKUP_file()); - if ( !lookup || - (!X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE], - X509_FILETYPE_PEM)) ) { + if(!lookup || + (!X509_load_crl_file(lookup,data->set.str[STRING_SSL_CRLFILE], + X509_FILETYPE_PEM)) ) { failf(data,"error loading CRL file: %s\n", data->set.str[STRING_SSL_CRLFILE]); return CURLE_SSL_CRL_BADFILE; 
@@ -1675,12 +1678,12 @@ ossl_connect_step1(struct connectdata *conn, connssl->server_cert = 0x0; #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - if ((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) && + if((0 == Curl_inet_pton(AF_INET, conn->host.name, &addr)) && #ifdef ENABLE_IPV6 - (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) && + (0 == Curl_inet_pton(AF_INET6, conn->host.name, &addr)) && #endif - sni && - !SSL_set_tlsext_host_name(connssl->handle, conn->host.name)) + sni && + !SSL_set_tlsext_host_name(connssl->handle, conn->host.name)) infof(data, "WARNING: failed to configure server name indication (SNI) " "TLS extension\n"); #endif @@ -1699,9 +1702,9 @@ ossl_connect_step1(struct connectdata *conn, /* pass the raw socket into the SSL layers */ if(!SSL_set_fd(connssl->handle, (int)sockfd)) { - failf(data, "SSL: SSL_set_fd failed: %s", - ERR_error_string(ERR_get_error(),NULL)); - return CURLE_SSL_CONNECT_ERROR; + failf(data, "SSL: SSL_set_fd failed: %s", + ERR_error_string(ERR_get_error(),NULL)); + return CURLE_SSL_CONNECT_ERROR; } connssl->connecting_state = ssl_connect_2; @@ -1903,15 +1906,15 @@ static void pubkey_show(struct SessionHandle *data, #define print_pubkey_BN(_type, _name, _num) \ do { \ - if (pubkey->pkey._type->_name != NULL) { \ - int len = BN_num_bytes(pubkey->pkey._type->_name); \ - if(len < CERTBUFFERSIZE) { \ + if(pubkey->pkey._type->_name != NULL) { \ + int len = BN_num_bytes(pubkey->pkey._type->_name); \ + if(len < CERTBUFFERSIZE) { \ BN_bn2bin(pubkey->pkey._type->_name, (unsigned char*)bufp); \ - bufp[len] = 0; \ + bufp[len] = 0; \ pubkey_show(data, _num, #_type, #_name, (unsigned char*)bufp, len); \ } \ } \ -} while (0) +} while(0) static int X509V3_ext(struct SessionHandle *data, int certnum, 
@@ -1924,7 +1927,7 @@ static int X509V3_ext(struct SessionHandle *data, /* no extensions, bail out */ return 1; - for (i=0; i<sk_X509_EXTENSION_num(exts); i++) { + for(i=0; i<sk_X509_EXTENSION_num(exts); i++) { ASN1_OBJECT *obj; X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); BUF_MEM *biomem; @@ -1960,7 +1963,8 @@ static int X509V3_ext(struct SessionHandle *data, while((biomem->data[j] == ' ') && (j<(size_t)biomem->length)) j++; if(j<(size_t)biomem->length) - ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep, biomem->data[j]); + ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep, + biomem->data[j]); } infof(data, " %s\n", buf); @@ -1980,7 +1984,7 @@ static void X509_signature(struct SessionHandle *data, char buf[1024]; char *ptr = buf; int i; - for (i=0; i<sig->length; i++) + for(i=0; i<sig->length; i++) ptr+=snprintf(ptr, sizeof(buf)-(ptr-buf), "%02x:", sig->data[i]); infof(data, " Signature: %s\n", buf); @@ -2058,7 +2062,7 @@ static CURLcode get_cert_chain(struct connectdata *conn, } infof(data, "--- Certificate chain\n"); - for (i=0; i<numcerts; i++) { + for(i=0; i<numcerts; i++) { long value; ASN1_INTEGER *num; ASN1_TIME *certdate; @@ -2089,7 +2093,7 @@ static CURLcode get_cert_chain(struct connectdata *conn, push_certinfo(data, i, "Version", bufp); /* hex */ num=X509_get_serialNumber(x); - if (num->length <= 4) { + if(num->length <= 4) { value = ASN1_INTEGER_get(num); infof(data," Serial Number: %ld (0x%lx)\n", value, value); snprintf(bufp, CERTBUFFERSIZE, "%lx", value); @@ -2102,7 +2106,7 @@ static CURLcode get_cert_chain(struct connectdata *conn, if(num->type == V_ASN1_NEG_INTEGER) *ptr++='-'; - for (j=0; (j<num->length) && (left>=4); j++) { + for(j=0; (j<num->length) && (left>=4); j++) { /* TODO: length restrictions */ snprintf(ptr, 3, "%02x%c",num->data[j], ((j+1 == num->length)?'\n':':')); 
@@ -2272,9 +2276,10 @@ static CURLcode servercert(struct connectdata *conn, deallocating the certificate. */ /* e.g. match issuer name with provided issuer certificate */ - if (data->set.str[STRING_SSL_ISSUERCERT]) { - if (! (fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"))) { - if (strict) + if(data->set.str[STRING_SSL_ISSUERCERT]) { + fp=fopen(data->set.str[STRING_SSL_ISSUERCERT],"r"); + if(!fp) { + if(strict) failf(data, "SSL: Unable to open issuer cert (%s)\n", data->set.str[STRING_SSL_ISSUERCERT]); X509_free(connssl->server_cert); @@ -2282,8 +2287,8 @@ static CURLcode servercert(struct connectdata *conn, return CURLE_SSL_ISSUER_ERROR; } issuer = PEM_read_X509(fp,NULL,ZERO_NULL,NULL); - if (!issuer) { - if (strict) + if(!issuer) { + if(strict) failf(data, "SSL: Unable to read issuer cert (%s)\n", data->set.str[STRING_SSL_ISSUERCERT]); X509_free(connssl->server_cert); @@ -2292,8 +2297,8 @@ static CURLcode servercert(struct connectdata *conn, return CURLE_SSL_ISSUER_ERROR; } fclose(fp); - if (X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) { - if (strict) + if(X509_check_issued(issuer,connssl->server_cert) != X509_V_OK) { + if(strict) failf(data, "SSL: Certificate issuer check failed (%s)\n", data->set.str[STRING_SSL_ISSUERCERT]); X509_free(connssl->server_cert); @@ -2368,14 +2373,14 @@ ossl_connect_step3(struct connectdata *conn, #endif incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL)); - if (incache) { - if (old_ssl_sessionid != our_ssl_sessionid) { + if(incache) { + if(old_ssl_sessionid != our_ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); Curl_ssl_delsessionid(conn, old_ssl_sessionid); incache = FALSE; } } - if (!incache) { + if(!incache) { retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0 /* unknown size */); if(retcode) { |
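Review bot: The issuer-cert error strings in this hunk and the two that follow (`"SSL: Unable to open issuer cert (%s)\n"`, `"SSL: Unable to read issuer cert (%s)\n"`, `"SSL: Certificate issuer check failed (%s)\n"`) keep a trailing `\n`, whereas most failf messages elsewhere in this diff, e.g. `"SSL: SSL_set_fd failed: %s"` in the @1699 hunk and `"Unable to set SRP user name"` in the @1568 hunk, do not, so assuming failf records a single error line the newline should be dropped: `failf(data, "SSL: Unable to open issuer cert (%s)",`. Separately, the restructured `if(!fp)` path has no stream to release, but the `if(!issuer)` path in the @2282 hunk ends outside the visible lines (new-side 2295–2296), so whether `fclose(fp)` precedes its `return CURLE_SSL_ISSUER_ERROR` cannot be confirmed here and is worth checking, since the `fclose(fp)` visible in the @2292 hunk is only reached when PEM_read_X509 succeeds. servercert() starts and ends outside these hunks.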