Diffstat (limited to 'lib/vtls')
-rw-r--r-- | lib/vtls/axtls.c | 5 | ||||
-rw-r--r-- | lib/vtls/cyassl.c | 21 | ||||
-rw-r--r-- | lib/vtls/cyassl.h | 20 | ||||
-rw-r--r-- | lib/vtls/darwinssl.c | 27 | ||||
-rw-r--r-- | lib/vtls/darwinssl.h | 19 | ||||
-rw-r--r-- | lib/vtls/gskit.c | 5 | ||||
-rw-r--r-- | lib/vtls/gskit.h | 3 | ||||
-rw-r--r-- | lib/vtls/gtls.c | 5 | ||||
-rw-r--r-- | lib/vtls/gtls.h | 9 | ||||
-rw-r--r-- | lib/vtls/mbedtls.c | 5 | ||||
-rw-r--r-- | lib/vtls/mbedtls.h | 6 | ||||
-rw-r--r-- | lib/vtls/nss.c | 5 | ||||
-rw-r--r-- | lib/vtls/nssg.h | 9 | ||||
-rw-r--r-- | lib/vtls/openssl.c | 5 | ||||
-rw-r--r-- | lib/vtls/openssl.h | 12 | ||||
-rw-r--r-- | lib/vtls/polarssl.c | 5 | ||||
-rw-r--r-- | lib/vtls/polarssl.h | 6 | ||||
-rw-r--r-- | lib/vtls/schannel.c | 5 | ||||
-rw-r--r-- | lib/vtls/schannel.h | 3 | ||||
-rw-r--r-- | lib/vtls/vtls.h | 5 |
20 files changed, 93 insertions, 87 deletions
diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c
index 3446dac44..885cbf532 100644
--- a/lib/vtls/axtls.c
+++ b/lib/vtls/axtls.c
@@ -705,6 +705,11 @@ CURLcode Curl_axtls_random(struct Curl_easy *data,
 const struct Curl_ssl Curl_ssl_axtls = {
 "axtls", /* name */
+ 0, /* have_ca_path */
+ 0, /* have_certinfo */
+ 0, /* have_pinnedpubkey */
+ 0, /* have_ssl_ctx */
+
 Curl_axtls_init, /* init */
 Curl_axtls_cleanup, /* cleanup */
 Curl_axtls_version, /* version */
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 62db13c1b..7f90e913f 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -110,6 +110,18 @@ and that's a problem since options.h hasn't been included yet. */
 #define CYASSL_MAX_ERROR_SZ 80
 #endif
+/* KEEP_PEER_CERT is a product of the presence of build time symbol
+ OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is
+ in wolfSSL's settings.h, and the latter two are build time symbols in
+ options.h. */
+#ifndef KEEP_PEER_CERT
+#if defined(HAVE_CYASSL_GET_PEER_CERTIFICATE) || \
+ defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \
+ (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))
+#define KEEP_PEER_CERT
+#endif
+#endif
+
 static Curl_recv cyassl_recv;
 static Curl_send cyassl_send;
@@ -954,6 +966,15 @@ static void Curl_cyassl_sha256sum(const unsigned char *tmp, /* input */
 const struct Curl_ssl Curl_ssl_cyassl = {
 "cyassl", /* name */
+ 0, /* have_ca_path */
+ 0, /* have_certinfo */
+#ifdef KEEP_PEER_CERT
+ 1, /* have_pinnedpubkey */
+#else
+ 0, /* have_pinnedpubkey */
+#endif
+ 1, /* have_ssl_ctx */
+
 Curl_cyassl_init, /* init */
 Curl_none_cleanup, /* cleanup */
 Curl_cyassl_version, /* version */
diff --git a/lib/vtls/cyassl.h b/lib/vtls/cyassl.h
index abee7cf80..423fdc0bf 100644
--- a/lib/vtls/cyassl.h
+++ b/lib/vtls/cyassl.h
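Review bot: The four new capability flags are filled in by position, so this `Curl_ssl_axtls` initializer (and likewise `Curl_ssl_cyassl`, `Curl_ssl_darwinssl`, `Curl_ssl_gskit`, `Curl_ssl_gnutls`, `Curl_ssl_mbedtls`, `Curl_ssl_nss`, `Curl_ssl_openssl`, `Curl_ssl_polarssl` and `Curl_ssl_schannel`) now depends on the bit-field order declared in `struct Curl_ssl`; a later reordering or insertion there would silently swap flags rather than fail to compile. The trailing `/* have_... */` comments help a reader but are not checked by the compiler, and since `have_pinnedpubkey` presumably gates whether CURLOPT_PINNEDPUBLICKEY is honoured by the core, a swapped value would misreport a security capability. If the project's C baseline allows C99, designated initializers such as `.have_ca_path = 0, .have_certinfo = 0, .have_pinnedpubkey = 0, .have_ssl_ctx = 0,` would pin each value to its field; otherwise a unit test asserting each backend's four flags against their expected values would catch a misordering. The `struct Curl_ssl` definition itself is in the vtls.h hunk, whose end appears cut off on this page.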
@@ -25,18 +25,6 @@
 #ifdef USE_CYASSL
-/* KEEP_PEER_CERT is a product of the presence of build time symbol
- OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is
- in wolfSSL's settings.h, and the latter two are build time symbols in
- options.h. */
-#ifndef KEEP_PEER_CERT
-#if defined(HAVE_CYASSL_GET_PEER_CERTIFICATE) || \
- defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \
- (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))
-#define KEEP_PEER_CERT
-#endif
-#endif
-
 CURLcode Curl_cyassl_connect(struct connectdata *conn, int sockindex);
 bool Curl_cyassl_data_pending(const struct connectdata* conn, int connindex);
 int Curl_cyassl_shutdown(struct connectdata* conn, int sockindex);
@@ -60,13 +48,5 @@ extern const struct Curl_ssl Curl_ssl_cyassl;
 /* Set the API backend definition to CyaSSL */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_CYASSL
-/* this backend supports CURLOPT_SSL_CTX_* */
-#define have_curlssl_ssl_ctx 1
-
-#ifdef KEEP_PEER_CERT
-/* this backend supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-#endif
-
 #endif /* USE_CYASSL */
 #endif /* HEADER_CURL_CYASSL_H */
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 23be96a20..4d755d6b6 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -118,6 +118,24 @@
 #define ioErr -36
 #define paramErr -50
+/* pinned public key support tests */
+
+/* version 1 supports macOS 10.12+ and iOS 10+ */
+#if ((TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000) || \
+ (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200))
+#define DARWIN_SSL_PINNEDPUBKEY_V1 1
+#endif
+
+/* version 2 supports MacOSX 10.7+ */
+#if (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070)
+#define DARWIN_SSL_PINNEDPUBKEY_V2 1
+#endif
+
+#if defined(DARWIN_SSL_PINNEDPUBKEY_V1) || defined(DARWIN_SSL_PINNEDPUBKEY_V2)
+/* this backend supports CURLOPT_PINNEDPUBLICKEY */
+#define DARWIN_SSL_PINNEDPUBKEY 1
+#endif /* DARWIN_SSL_PINNEDPUBKEY */
+
 #ifdef DARWIN_SSL_PINNEDPUBKEY
 /* both new and old APIs return rsa keys missing the spki header (not DER) */
 static const unsigned char rsa4096SpkiHeader[] = {
@@ -2860,6 +2878,15 @@ static ssize_t darwinssl_recv(struct connectdata *conn,
 const struct Curl_ssl Curl_ssl_darwinssl = {
 "darwinssl", /* name */
+ 0, /* have_ca_path */
+ 0, /* have_certinfo */
+#ifdef DARWIN_SSL_PINNEDPUBKEY
+ 1, /* have_pinnedpubkey */
+#else
+ 0, /* have_pinnedpubkey */
+#endif /* DARWIN_SSL_PINNEDPUBKEY */
+ 0, /* have_ssl_ctx */
+
 Curl_none_init, /* init */
 Curl_none_cleanup, /* cleanup */
 Curl_darwinssl_version, /* version */
diff --git a/lib/vtls/darwinssl.h b/lib/vtls/darwinssl.h
index 37fe8164f..9c4611988 100644
--- a/lib/vtls/darwinssl.h
+++ b/lib/vtls/darwinssl.h
@@ -51,24 +51,5 @@ extern const struct Curl_ssl Curl_ssl_darwinssl;
 /* Set the API backend definition to SecureTransport */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_DARWINSSL
-/* pinned public key support tests */
-
-/* version 1 supports macOS 10.12+ and iOS 10+ */
-#if ((TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000) || \
- (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200))
-#define DARWIN_SSL_PINNEDPUBKEY_V1 1
-#endif
-
-/* version 2 supports MacOSX 10.7+ */
-#if (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070)
-#define DARWIN_SSL_PINNEDPUBKEY_V2 1
-#endif
-
-#if defined(DARWIN_SSL_PINNEDPUBKEY_V1) || defined(DARWIN_SSL_PINNEDPUBKEY_V2)
-/* this backend supports CURLOPT_PINNEDPUBLICKEY */
-#define DARWIN_SSL_PINNEDPUBKEY 1
-#define have_curlssl_pinnedpubkey 1
-#endif /* DARWIN_SSL_PINNEDPUBKEY */
-
 #endif /* USE_DARWINSSL */
 #endif /* HEADER_CURL_DARWINSSL_H */
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index d82f658fd..dc24f044b 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -1337,6 +1337,11 @@ int Curl_gskit_check_cxn(struct connectdata *cxn)
 const struct Curl_ssl Curl_ssl_gskit = {
 "gskit", /* name */
+ 0, /* have_ca_path */
+ 1, /* have_certinfo */
+ 0, /* have_pinnedpubkey */
+ 0, /* have_ssl_ctx */
+
 Curl_gskit_init, /* init */
 Curl_gskit_cleanup, /* cleanup */
 Curl_gskit_version, /* version */
diff --git a/lib/vtls/gskit.h b/lib/vtls/gskit.h
index 42856d329..f2f5eb89a 100644
--- a/lib/vtls/gskit.h
+++ b/lib/vtls/gskit.h
@@ -49,9 +49,6 @@ extern const struct Curl_ssl Curl_ssl_gskit;
 /* Set the API backend definition to GSKit */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_GSKIT
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
 #endif /* USE_GSKIT */
 #endif /* HEADER_CURL_GSKIT_H */
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 3105a4b13..fbbcdf334 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -1789,6 +1789,11 @@ bool Curl_gtls_cert_status_request(void)
 const struct Curl_ssl Curl_ssl_gnutls = {
 "gnutls", /* name */
+ 1, /* have_ca_path */
+ 1, /* have_certinfo */
+ 1, /* have_pinnedpubkey */
+ 0, /* have_ssl_ctx */
+
 Curl_gtls_init, /* init */
 Curl_gtls_cleanup, /* cleanup */
 Curl_gtls_version, /* version */
diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
index 05bd834f2..d393b889d 100644
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
@@ -57,14 +57,5 @@ extern const struct Curl_ssl Curl_ssl_gnutls;
 /* Set the API backend definition to GnuTLS */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
-/* this backend supports the CAPATH option */
-#define have_curlssl_ca_path 1
-
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
-/* this backend supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
 #endif /* USE_GNUTLS */
 #endif /* HEADER_CURL_GTLS_H */
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 0ab471306..c925ea93c 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -1018,6 +1018,11 @@ static void Curl_mbedtls_sha256sum(const unsigned char *input,
 const struct Curl_ssl Curl_ssl_mbedtls = {
 "mbedtls", /* name */
+ 0, /* have_ca_path */
+ 0, /* have_certinfo */
+ 1, /* have_pinnedpubkey */
+ 1, /* have_ssl_ctx */
+
 Curl_mbedtls_init, /* init */
 Curl_mbedtls_cleanup, /* cleanup */
 Curl_mbedtls_version, /* version */
diff --git a/lib/vtls/mbedtls.h b/lib/vtls/mbedtls.h
index 39e64c350..aaf84bd54 100644
--- a/lib/vtls/mbedtls.h
+++ b/lib/vtls/mbedtls.h
@@ -51,12 +51,6 @@ int Curl_mbedtls_shutdown(struct connectdata *conn, int sockindex);
 CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy, size_t length);
-/* this backends supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
-/* this backend supports CURLOPT_SSL_CTX_* */
-#define have_curlssl_ssl_ctx 1
-
 extern const struct Curl_ssl Curl_ssl_mbedtls;
 #define CURL_SSL_BACKEND CURLSSLBACKEND_MBEDTLS
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 603601b55..ff338940c 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -2327,6 +2327,11 @@ bool Curl_nss_false_start(void)
 const struct Curl_ssl Curl_ssl_nss = {
 "nss", /* name */
+ 1, /* have_ca_path */
+ 1, /* have_certinfo */
+ 1, /* have_pinnedpubkey */
+ 0, /* have_ssl_ctx */
+
 Curl_nss_init, /* init */
 Curl_nss_cleanup, /* cleanup */
 Curl_nss_version, /* version */
diff --git a/lib/vtls/nssg.h b/lib/vtls/nssg.h
index 37c4b5b71..222c6e28e 100644
--- a/lib/vtls/nssg.h
+++ b/lib/vtls/nssg.h
@@ -64,14 +64,5 @@ extern const struct Curl_ssl Curl_ssl_nss;
 /* Set the API backend definition to NSS */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_NSS
-/* this backend supports the CAPATH option */
-#define have_curlssl_ca_path 1
-
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
-/* this backends supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
 #endif /* USE_NSS */
 #endif /* HEADER_CURL_NSSG_H */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index eeecd9da6..7376588c3 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3390,6 +3390,11 @@ bool Curl_ossl_cert_status_request(void)
 const struct Curl_ssl Curl_ssl_openssl = {
 "openssl", /* name */
+ 1, /* have_ca_path */
+ 1, /* have_certinfo */
+ 1, /* have_pinnedpubkey */
+ 1, /* have_ssl_ctx */
+
 Curl_ossl_init, /* init */
 Curl_ossl_cleanup, /* cleanup */
 Curl_ossl_version, /* version */
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index 8e14f4549..c17dff284 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -79,18 +79,6 @@ extern const struct Curl_ssl Curl_ssl_openssl;
 /* Set the API backend definition to OpenSSL */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_OPENSSL
-/* this backend supports the CAPATH option */
-#define have_curlssl_ca_path 1
-
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
-/* this backend supports CURLOPT_SSL_CTX_* */
-#define have_curlssl_ssl_ctx 1
-
-/* this backend supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
 #define DEFAULT_CIPHER_SELECTION \
 "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 5b48945a6..4d8db72d8 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -881,6 +881,11 @@ static void Curl_polarssl_sha256sum(const unsigned char *input,
 const struct Curl_ssl Curl_ssl_polarssl = {
 "polarssl", /* name */
+ 1, /* have_ca_path */
+ 0, /* have_certinfo */
+ 1, /* have_pinnedpubkey */
+ 0, /* have_ssl_ctx */
+
 Curl_polarssl_init, /* init */
 Curl_polarssl_cleanup, /* cleanup */
 Curl_polarssl_version, /* version */
diff --git a/lib/vtls/polarssl.h b/lib/vtls/polarssl.h
index 7109fe5ba..b2560ddb1 100644
--- a/lib/vtls/polarssl.h
+++ b/lib/vtls/polarssl.h
@@ -50,11 +50,5 @@ extern const struct Curl_ssl Curl_ssl_polarssl;
 /* Set the API backend definition to PolarSSL */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_POLARSSL
-/* this backend supports the CAPATH option */
-#define have_curlssl_ca_path 1
-
-/* this backends supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
 #endif /* USE_POLARSSL */
 #endif /* HEADER_CURL_POLARSSL_H */
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 6ee707b0d..fe7ec47b8 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -1729,6 +1729,11 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
 const struct Curl_ssl Curl_ssl_schannel = {
 "schannel", /* name */
+ 0, /* have_ca_path */
+ 1, /* have_certinfo */
+ 0, /* have_pinnedpubkey */
+ 0, /* have_ssl_ctx */
+
 Curl_schannel_init, /* init */
 Curl_schannel_cleanup, /* cleanup */
 Curl_schannel_version, /* version */
diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
index 1314445c0..aaf253a6b 100644
--- a/lib/vtls/schannel.h
+++ b/lib/vtls/schannel.h
@@ -100,8 +100,5 @@ extern const struct Curl_ssl Curl_ssl_schannel;
 /* Set the API backend definition to Schannel */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_SCHANNEL
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
 #endif /* USE_SCHANNEL */
 #endif /* HEADER_CURL_SCHANNEL_H */
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index d42422d11..8b3ff05ae 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -28,6 +28,11 @@ struct connectdata;
 struct Curl_ssl {
 const char *name;
+ unsigned have_ca_path:1; /* supports CAPATH */
+ unsigned have_certinfo:1; /* supports CURLOPT_CERTINFO */
+ unsigned have_pinnedpubkey:1; /* supports CURLOPT_PINNEDPUBLICKEY */
+ unsigned have_ssl_ctx:1; /* supports CURLOPT_SSL_CTX_* */
+
 int (*init)(void);
 void (*cleanup)(void); |