vtls: convert the have_curlssl_* constants to runtime flags

The entire idea of introducing the Curl_ssl struct to describe SSL
backends is to prepare for choosing the SSL backend at runtime.

To that end, convert all the #ifdef have_curlssl_* style conditionals
to use bit flags instead.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

21 files changed, 134 insertions, 121 deletions

diff --git a/lib/url.c b/lib/url.c
index 32623abe5..dd254af54 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -2179,24 +2179,26 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
                                          TRUE : FALSE;
     break;
   case CURLOPT_SSL_CTX_FUNCTION:
-#ifdef have_curlssl_ssl_ctx
     /*
      * Set a SSL_CTX callback
      */
-    data->set.ssl.fsslctx = va_arg(param, curl_ssl_ctx_callback);
-#else
-    result = CURLE_NOT_BUILT_IN;
+#ifdef USE_SSL
+    if(Curl_ssl->have_ssl_ctx)
+      data->set.ssl.fsslctx = va_arg(param, curl_ssl_ctx_callback);
+    else
 #endif
+      result = CURLE_NOT_BUILT_IN;
     break;
   case CURLOPT_SSL_CTX_DATA:
-#ifdef have_curlssl_ssl_ctx
     /*
      * Set a SSL_CTX callback parameter pointer
      */
-    data->set.ssl.fsslctxp = va_arg(param, void *);
-#else
-    result = CURLE_NOT_BUILT_IN;
+#ifdef USE_SSL
+    if(Curl_ssl->have_ssl_ctx)
+      data->set.ssl.fsslctxp = va_arg(param, void *);
+    else
 #endif
+      result = CURLE_NOT_BUILT_IN;
     break;
   case CURLOPT_SSL_FALSESTART:
     /*
@@ -2210,35 +2212,38 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
     data->set.ssl.falsestart = (0 != va_arg(param, long)) ? TRUE : FALSE;
     break;
   case CURLOPT_CERTINFO:
-#ifdef have_curlssl_certinfo
-    data->set.ssl.certinfo = (0 != va_arg(param, long)) ? TRUE : FALSE;
-#else
-    result = CURLE_NOT_BUILT_IN;
+#ifdef USE_SSL
+    if(Curl_ssl->have_certinfo)
+      data->set.ssl.certinfo = (0 != va_arg(param, long)) ? TRUE : FALSE;
+    else
 #endif
+      result = CURLE_NOT_BUILT_IN;
     break;
   case CURLOPT_PINNEDPUBLICKEY:
-#ifdef have_curlssl_pinnedpubkey /* only by supported backends */
     /*
      * Set pinned public key for SSL connection.
      * Specify file name of the public key in DER format.
      */
-    result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
-                       va_arg(param, char *));
-#else
-    result = CURLE_NOT_BUILT_IN;
+#ifdef USE_SSL
+    if(Curl_ssl->have_pinnedpubkey)
+      result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
+                         va_arg(param, char *));
+    else
 #endif
+      result = CURLE_NOT_BUILT_IN;
     break;
   case CURLOPT_PROXY_PINNEDPUBLICKEY:
-#ifdef have_curlssl_pinnedpubkey /* only by supported backends */
     /*
      * Set pinned public key for SSL connection.
      * Specify file name of the public key in DER format.
      */
-    result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY],
-                       va_arg(param, char *));
-#else
-    result = CURLE_NOT_BUILT_IN;
+#ifdef USE_SSL
+    if(Curl_ssl->have_pinnedpubkey)
+      result = setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY],
+                         va_arg(param, char *));
+    else
 #endif
+      result = CURLE_NOT_BUILT_IN;
     break;
   case CURLOPT_CAINFO:
     /*
@@ -2256,30 +2261,32 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
                        va_arg(param, char *));
     break;
   case CURLOPT_CAPATH:
-#ifdef have_curlssl_ca_path /* not supported by all backends */
     /*
      * Set CA path info for SSL connection. Specify directory name of the CA
      * certificates which have been prepared using openssl c_rehash utility.
      */
-    /* This does not work on windows. */
-    result = setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
-                       va_arg(param, char *));
-#else
-    result = CURLE_NOT_BUILT_IN;
+#ifdef USE_SSL
+    if(Curl_ssl->have_ca_path)
+      /* This does not work on windows. */
+      result = setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
+                         va_arg(param, char *));
+    else
 #endif
+      result = CURLE_NOT_BUILT_IN;
     break;
   case CURLOPT_PROXY_CAPATH:
-#ifdef have_curlssl_ca_path /* not supported by all backends */
     /*
      * Set CA path info for SSL connection proxy. Specify directory name of the
      * CA certificates which have been prepared using openssl c_rehash utility.
      */
-    /* This does not work on windows. */
-    result = setstropt(&data->set.str[STRING_SSL_CAPATH_PROXY],
-                       va_arg(param, char *));
-#else
-    result = CURLE_NOT_BUILT_IN;
+#ifdef USE_SSL
+    if(Curl_ssl->have_ca_path)
+      /* This does not work on windows. */
+      result = setstropt(&data->set.str[STRING_SSL_CAPATH_PROXY],
+                         va_arg(param, char *));
+    else
 #endif
+      result = CURLE_NOT_BUILT_IN;
     break;
   case CURLOPT_CRLFILE:
     /*
diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c
index 3446dac44..885cbf532 100644
--- a/lib/vtls/axtls.c
+++ b/lib/vtls/axtls.c
@@ -705,6 +705,11 @@ CURLcode Curl_axtls_random(struct Curl_easy *data,
 const struct Curl_ssl Curl_ssl_axtls = {
   "axtls",                        /* name */
 
+  0, /* have_ca_path */
+  0, /* have_certinfo */
+  0, /* have_pinnedpubkey */
+  0, /* have_ssl_ctx */
+
   Curl_axtls_init,                /* init */
   Curl_axtls_cleanup,             /* cleanup */
   Curl_axtls_version,             /* version */
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 62db13c1b..7f90e913f 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -110,6 +110,18 @@ and that's a problem since options.h hasn't been included yet. */
 #define CYASSL_MAX_ERROR_SZ 80
 #endif
 
+/* KEEP_PEER_CERT is a product of the presence of build time symbol
+   OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is
+   in wolfSSL's settings.h, and the latter two are build time symbols in
+   options.h. */
+#ifndef KEEP_PEER_CERT
+#if defined(HAVE_CYASSL_GET_PEER_CERTIFICATE) || \
+    defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \
+    (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))
+#define KEEP_PEER_CERT
+#endif
+#endif
+
 static Curl_recv cyassl_recv;
 static Curl_send cyassl_send;
 
@@ -954,6 +966,15 @@ static void Curl_cyassl_sha256sum(const unsigned char *tmp, /* input */
 const struct Curl_ssl Curl_ssl_cyassl = {
   "cyassl",                        /* name */
 
+  0, /* have_ca_path */
+  0, /* have_certinfo */
+#ifdef KEEP_PEER_CERT
+  1, /* have_pinnedpubkey */
+#else
+  0, /* have_pinnedpubkey */
+#endif
+  1, /* have_ssl_ctx */
+
   Curl_cyassl_init,                /* init */
   Curl_none_cleanup,               /* cleanup */
   Curl_cyassl_version,             /* version */
diff --git a/lib/vtls/cyassl.h b/lib/vtls/cyassl.h
index abee7cf80..423fdc0bf 100644
--- a/lib/vtls/cyassl.h
+++ b/lib/vtls/cyassl.h
@@ -25,18 +25,6 @@
 
 #ifdef USE_CYASSL
 
-/* KEEP_PEER_CERT is a product of the presence of build time symbol
-   OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is
-   in wolfSSL's settings.h, and the latter two are build time symbols in
-   options.h. */
-#ifndef KEEP_PEER_CERT
-#if defined(HAVE_CYASSL_GET_PEER_CERTIFICATE) || \
-    defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \
-    (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))
-#define KEEP_PEER_CERT
-#endif
-#endif
-
 CURLcode Curl_cyassl_connect(struct connectdata *conn, int sockindex);
 bool Curl_cyassl_data_pending(const struct connectdata* conn, int connindex);
 int Curl_cyassl_shutdown(struct connectdata* conn, int sockindex);
@@ -60,13 +48,5 @@ extern const struct Curl_ssl Curl_ssl_cyassl;
 /* Set the API backend definition to CyaSSL */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_CYASSL
 
-/* this backend supports CURLOPT_SSL_CTX_* */
-#define have_curlssl_ssl_ctx 1
-
-#ifdef KEEP_PEER_CERT
-/* this backend supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-#endif
-
 #endif /* USE_CYASSL */
 #endif /* HEADER_CURL_CYASSL_H */
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 23be96a20..4d755d6b6 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
@@ -118,6 +118,24 @@
 #define ioErr -36
 #define paramErr -50
 
+/* pinned public key support tests */
+
+/* version 1 supports macOS 10.12+ and iOS 10+ */
+#if ((TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000) || \
+    (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED  >= 101200))
+#define DARWIN_SSL_PINNEDPUBKEY_V1 1
+#endif
+
+/* version 2 supports MacOSX 10.7+ */
+#if (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070)
+#define DARWIN_SSL_PINNEDPUBKEY_V2 1
+#endif
+
+#if defined(DARWIN_SSL_PINNEDPUBKEY_V1) || defined(DARWIN_SSL_PINNEDPUBKEY_V2)
+/* this backend supports CURLOPT_PINNEDPUBLICKEY */
+#define DARWIN_SSL_PINNEDPUBKEY 1
+#endif /* DARWIN_SSL_PINNEDPUBKEY */
+
 #ifdef DARWIN_SSL_PINNEDPUBKEY
 /* both new and old APIs return rsa keys missing the spki header (not DER) */
 static const unsigned char rsa4096SpkiHeader[] = {
@@ -2860,6 +2878,15 @@ static ssize_t darwinssl_recv(struct connectdata *conn,
 const struct Curl_ssl Curl_ssl_darwinssl = {
   "darwinssl",                        /* name */
 
+  0, /* have_ca_path */
+  0, /* have_certinfo */
+#ifdef DARWIN_SSL_PINNEDPUBKEY
+  1, /* have_pinnedpubkey */
+#else
+  0, /* have_pinnedpubkey */
+#endif /* DARWIN_SSL_PINNEDPUBKEY */
+  0, /* have_ssl_ctx */
+
   Curl_none_init,                     /* init */
   Curl_none_cleanup,                  /* cleanup */
   Curl_darwinssl_version,             /* version */
diff --git a/lib/vtls/darwinssl.h b/lib/vtls/darwinssl.h
index 37fe8164f..9c4611988 100644
--- a/lib/vtls/darwinssl.h
+++ b/lib/vtls/darwinssl.h
@@ -51,24 +51,5 @@ extern const struct Curl_ssl Curl_ssl_darwinssl;
 /* Set the API backend definition to SecureTransport */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_DARWINSSL
 
-/* pinned public key support tests */
-
-/* version 1 supports macOS 10.12+ and iOS 10+ */
-#if ((TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000) || \
-    (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED  >= 101200))
-#define DARWIN_SSL_PINNEDPUBKEY_V1 1
-#endif
-
-/* version 2 supports MacOSX 10.7+ */
-#if (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070)
-#define DARWIN_SSL_PINNEDPUBKEY_V2 1
-#endif
-
-#if defined(DARWIN_SSL_PINNEDPUBKEY_V1) || defined(DARWIN_SSL_PINNEDPUBKEY_V2)
-/* this backend supports CURLOPT_PINNEDPUBLICKEY */
-#define DARWIN_SSL_PINNEDPUBKEY 1
-#define have_curlssl_pinnedpubkey 1
-#endif /* DARWIN_SSL_PINNEDPUBKEY */
-
 #endif /* USE_DARWINSSL */
 #endif /* HEADER_CURL_DARWINSSL_H */
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index d82f658fd..dc24f044b 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -1337,6 +1337,11 @@ int Curl_gskit_check_cxn(struct connectdata *cxn)
 const struct Curl_ssl Curl_ssl_gskit = {
   "gskit",                        /* name */
 
+  0, /* have_ca_path */
+  1, /* have_certinfo */
+  0, /* have_pinnedpubkey */
+  0, /* have_ssl_ctx */
+
   Curl_gskit_init,                /* init */
   Curl_gskit_cleanup,             /* cleanup */
   Curl_gskit_version,             /* version */
diff --git a/lib/vtls/gskit.h b/lib/vtls/gskit.h
index 42856d329..f2f5eb89a 100644
--- a/lib/vtls/gskit.h
+++ b/lib/vtls/gskit.h
@@ -49,9 +49,6 @@ extern const struct Curl_ssl Curl_ssl_gskit;
 /* Set the API backend definition to GSKit */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_GSKIT
 
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
 #endif /* USE_GSKIT */
 
 #endif /* HEADER_CURL_GSKIT_H */
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 3105a4b13..fbbcdf334 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -1789,6 +1789,11 @@ bool Curl_gtls_cert_status_request(void)
 const struct Curl_ssl Curl_ssl_gnutls = {
   "gnutls",                      /* name */
 
+  1, /* have_ca_path */
+  1, /* have_certinfo */
+  1, /* have_pinnedpubkey */
+  0, /* have_ssl_ctx */
+
   Curl_gtls_init,                /* init */
   Curl_gtls_cleanup,             /* cleanup */
   Curl_gtls_version,             /* version */
diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
index 05bd834f2..d393b889d 100644
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
@@ -57,14 +57,5 @@ extern const struct Curl_ssl Curl_ssl_gnutls;
 /* Set the API backend definition to GnuTLS */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
 
-/* this backend supports the CAPATH option */
-#define have_curlssl_ca_path 1
-
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
-/* this backend supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
 #endif /* USE_GNUTLS */
 #endif /* HEADER_CURL_GTLS_H */
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 0ab471306..c925ea93c 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -1018,6 +1018,11 @@ static void Curl_mbedtls_sha256sum(const unsigned char *input,
 const struct Curl_ssl Curl_ssl_mbedtls = {
   "mbedtls",                        /* name */
 
+  0, /* have_ca_path */
+  0, /* have_certinfo */
+  1, /* have_pinnedpubkey */
+  1, /* have_ssl_ctx */
+
   Curl_mbedtls_init,                /* init */
   Curl_mbedtls_cleanup,             /* cleanup */
   Curl_mbedtls_version,             /* version */
diff --git a/lib/vtls/mbedtls.h b/lib/vtls/mbedtls.h
index 39e64c350..aaf84bd54 100644
--- a/lib/vtls/mbedtls.h
+++ b/lib/vtls/mbedtls.h
@@ -51,12 +51,6 @@ int Curl_mbedtls_shutdown(struct connectdata *conn, int sockindex);
 CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy,
                      size_t length);
 
-/* this backends supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
-/* this backend supports CURLOPT_SSL_CTX_* */
-#define have_curlssl_ssl_ctx 1
-
 extern const struct Curl_ssl Curl_ssl_mbedtls;
 
 #define CURL_SSL_BACKEND CURLSSLBACKEND_MBEDTLS
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 603601b55..ff338940c 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -2327,6 +2327,11 @@ bool Curl_nss_false_start(void)
 const struct Curl_ssl Curl_ssl_nss = {
   "nss",                        /* name */
 
+  1, /* have_ca_path */
+  1, /* have_certinfo */
+  1, /* have_pinnedpubkey */
+  0, /* have_ssl_ctx */
+
   Curl_nss_init,                /* init */
   Curl_nss_cleanup,             /* cleanup */
   Curl_nss_version,             /* version */
diff --git a/lib/vtls/nssg.h b/lib/vtls/nssg.h
index 37c4b5b71..222c6e28e 100644
--- a/lib/vtls/nssg.h
+++ b/lib/vtls/nssg.h
@@ -64,14 +64,5 @@ extern const struct Curl_ssl Curl_ssl_nss;
 /* Set the API backend definition to NSS */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_NSS
 
-/* this backend supports the CAPATH option */
-#define have_curlssl_ca_path 1
-
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
-/* this backends supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
 #endif /* USE_NSS */
 #endif /* HEADER_CURL_NSSG_H */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index eeecd9da6..7376588c3 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3390,6 +3390,11 @@ bool Curl_ossl_cert_status_request(void)
 const struct Curl_ssl Curl_ssl_openssl = {
   "openssl",                     /* name */
 
+  1, /* have_ca_path */
+  1, /* have_certinfo */
+  1, /* have_pinnedpubkey */
+  1, /* have_ssl_ctx */
+
   Curl_ossl_init,                /* init */
   Curl_ossl_cleanup,             /* cleanup */
   Curl_ossl_version,             /* version */
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index 8e14f4549..c17dff284 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -79,18 +79,6 @@ extern const struct Curl_ssl Curl_ssl_openssl;
 /* Set the API backend definition to OpenSSL */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_OPENSSL
 
-/* this backend supports the CAPATH option */
-#define have_curlssl_ca_path 1
-
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
-/* this backend supports CURLOPT_SSL_CTX_* */
-#define have_curlssl_ssl_ctx 1
-
-/* this backend supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
 #define DEFAULT_CIPHER_SELECTION \
   "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
 
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index 5b48945a6..4d8db72d8 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -881,6 +881,11 @@ static void Curl_polarssl_sha256sum(const unsigned char *input,
 const struct Curl_ssl Curl_ssl_polarssl = {
   "polarssl",                        /* name */
 
+  1, /* have_ca_path */
+  0, /* have_certinfo */
+  1, /* have_pinnedpubkey */
+  0, /* have_ssl_ctx */
+
   Curl_polarssl_init,                /* init */
   Curl_polarssl_cleanup,             /* cleanup */
   Curl_polarssl_version,             /* version */
diff --git a/lib/vtls/polarssl.h b/lib/vtls/polarssl.h
index 7109fe5ba..b2560ddb1 100644
--- a/lib/vtls/polarssl.h
+++ b/lib/vtls/polarssl.h
@@ -50,11 +50,5 @@ extern const struct Curl_ssl Curl_ssl_polarssl;
 /* Set the API backend definition to PolarSSL */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_POLARSSL
 
-/* this backend supports the CAPATH option */
-#define have_curlssl_ca_path 1
-
-/* this backends supports CURLOPT_PINNEDPUBLICKEY */
-#define have_curlssl_pinnedpubkey 1
-
 #endif /* USE_POLARSSL */
 #endif /* HEADER_CURL_POLARSSL_H */
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index 6ee707b0d..fe7ec47b8 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -1729,6 +1729,11 @@ static CURLcode verify_certificate(struct connectdata *conn, int sockindex)
 const struct Curl_ssl Curl_ssl_schannel = {
   "schannel",                        /* name */
 
+  0, /* have_ca_path */
+  1, /* have_certinfo */
+  0, /* have_pinnedpubkey */
+  0, /* have_ssl_ctx */
+
   Curl_schannel_init,                /* init */
   Curl_schannel_cleanup,             /* cleanup */
   Curl_schannel_version,             /* version */
diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h
index 1314445c0..aaf253a6b 100644
--- a/lib/vtls/schannel.h
+++ b/lib/vtls/schannel.h
@@ -100,8 +100,5 @@ extern const struct Curl_ssl Curl_ssl_schannel;
 /* Set the API backend definition to Schannel */
 #define CURL_SSL_BACKEND CURLSSLBACKEND_SCHANNEL
 
-/* this backend supports CURLOPT_CERTINFO */
-#define have_curlssl_certinfo 1
-
 #endif /* USE_SCHANNEL */
 #endif /* HEADER_CURL_SCHANNEL_H */
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index d42422d11..8b3ff05ae 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -28,6 +28,11 @@ struct connectdata;
 struct Curl_ssl {
   const char *name;
 
+  unsigned have_ca_path:1;      /* supports CAPATH */
+  unsigned have_certinfo:1;     /* supports CURLOPT_CERTINFO */
+  unsigned have_pinnedpubkey:1; /* supports CURLOPT_PINNEDPUBLICKEY */
+  unsigned have_ssl_ctx:1;      /* supports CURLOPT_SSL_CTX_* */
+
   int (*init)(void);
   void (*cleanup)(void);