diff options
author | Stefan Eissing <stefan@eissing.org> | 2022-11-22 09:55:41 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2022-11-22 14:25:50 +0100 |
commit | af22c2a546ab862ab577c8d9d3609af0de178974 (patch) | |
tree | f1a0c2d3c57d45da66809894997a50db840ac9e6 /lib/vtls/schannel_verify.c | |
parent | a28a80d59e8f111fa5a23bfb76c8ff148333edb0 (diff) | |
download | curl-af22c2a546ab862ab577c8d9d3609af0de178974.tar.gz |
vtls: localization of state data in filters
- almost all backend calls pass the Curl_cfilter intance instead of
connectdata+sockindex
- ssl_connect_data is remove from struct connectdata and made internal
to vtls
- ssl_connect_data is allocated in the added filter, kept at cf->ctx
- added function to let a ssl filter access its ssl_primary_config and
ssl_config_data this selects the propert subfields in conn and data,
for filters added as plain or proxy
- adjusted all backends to use the changed api
- adjusted all backends to access config data via the exposed
functions, no longer using conn or data directly
cfilter renames for clear purpose:
- methods `Curl_conn_*(data, conn, sockindex)` work on the complete
filter chain at `sockindex` and connection `conn`.
- methods `Curl_cf_*(cf, ...)` work on a specific Curl_cfilter
instance.
- methods `Curl_conn_cf()` work on/with filter instances at a
connection.
- rebased and resolved some naming conflicts
- hostname validation (und session lookup) on SECONDARY use the same
name as on FIRST (again).
new debug macros and removing connectdata from function signatures where not
needed.
adapting schannel for new Curl_read_plain paramter.
Closes #9919
Diffstat (limited to 'lib/vtls/schannel_verify.c')
-rw-r--r-- | lib/vtls/schannel_verify.c | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/lib/vtls/schannel_verify.c b/lib/vtls/schannel_verify.c index 6ee9a78c4..e4992162e 100644 --- a/lib/vtls/schannel_verify.c +++ b/lib/vtls/schannel_verify.c @@ -459,7 +459,7 @@ static DWORD cert_get_name_string(struct Curl_easy *data, static CURLcode verify_host(struct Curl_easy *data, CERT_CONTEXT *pCertContextServer, - const char * const conn_hostname) + const char *conn_hostname) { CURLcode result = CURLE_PEER_FAILED_VERIFICATION; TCHAR *cert_hostname_buff = NULL; @@ -563,17 +563,18 @@ cleanup: return result; } -CURLcode Curl_verify_certificate(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +CURLcode Curl_verify_certificate(struct Curl_cfilter *cf, + struct Curl_easy *data) { + struct ssl_connect_data *connssl = cf->ctx; + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); SECURITY_STATUS sspi_status; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CURLcode result = CURLE_OK; CERT_CONTEXT *pCertContextServer = NULL; const CERT_CHAIN_CONTEXT *pChainContext = NULL; HCERTCHAINENGINE cert_chain_engine = NULL; HCERTSTORE trust_store = NULL; - const char * const conn_hostname = SSL_HOST_NAME(); DEBUGASSERT(BACKEND); @@ -590,7 +591,7 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, } if(result == CURLE_OK && - (SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(ca_info_blob)) && + (conn_config->CAfile || conn_config->ca_info_blob) && BACKEND->use_manual_cred_validation) { /* * Create a chain engine that uses the certificates in the CA file as @@ -617,7 +618,7 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, result = CURLE_SSL_CACERT_BADFILE; } else { - const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob); + const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; if(ca_info_blob) { result = add_certs_data_to_store(trust_store, (const char *)ca_info_blob->data, @@ -627,7 +628,7 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, } else { result = add_certs_file_to_store(trust_store, - SSL_CONN_CONFIG(CAfile), + conn_config->CAfile, data); } } @@ -670,7 +671,7 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, NULL, pCertContextServer->hCertStore, &ChainPara, - (SSL_SET_OPTION(no_revoke) ? 0 : + (ssl_config->no_revoke ? 0 : CERT_CHAIN_REVOCATION_CHECK_CHAIN), NULL, &pChainContext)) { @@ -719,8 +720,8 @@ CURLcode Curl_verify_certificate(struct Curl_easy *data, } if(result == CURLE_OK) { - if(SSL_CONN_CONFIG(verifyhost)) { - result = verify_host(data, pCertContextServer, conn_hostname); + if(conn_config->verifyhost) { + result = verify_host(data, pCertContextServer, connssl->hostname); } } |