authorDaniel Stenberg <daniel@haxx.se>2020-08-27 12:46:43 +0200
committerDaniel Stenberg <daniel@haxx.se>2020-08-28 14:13:05 +0200
commit68a51324740945f1da9758bc1d26bbe4835bd847 (patch)
tree529e597f750ae3918ee5ad7e905e26e76c149f3a /lib
parentc77f6fd1cb19015c5e728235af860f09636fefbd (diff)
downloadcurl-68a51324740945f1da9758bc1d26bbe4835bd847.tar.gz
TLS: fix SRP detection by using the proper #ifdefs
USE_TLS_SRP will be true if *any* selected TLS backend can use SRP.
HAVE_OPENSSL_SRP is defined when OpenSSL can use it.
HAVE_GNUTLS_SRP is defined when GnuTLS can use it.

Clarify in the curl_version_info docs that CURL_VERSION_TLSAUTH_SRP is set if at least one of the supported backends offers SRP.

Reported-by: Stefan Strogin
Fixes #5865
Closes #5870
Diffstat (limited to 'lib')
-rw-r--r--lib/vtls/gtls.c18
-rw-r--r--lib/vtls/openssl.c8
2 files changed, 13 insertions, 13 deletions
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 16b0bd6cb..9f280447c 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -81,7 +81,7 @@ static bool gtls_inited = FALSE;
struct ssl_backend_data {
gnutls_session_t session;
gnutls_certificate_credentials_t cred;
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
gnutls_srp_client_credentials_t srp_client_cred;
#endif
};
@@ -434,7 +434,7 @@ gtls_connect_step1(struct connectdata *conn,
return CURLE_SSL_CONNECT_ERROR;
}
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
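Review bot: With the guard narrowed to `HAVE_GNUTLS_SRP`, a build where `USE_TLS_SRP` is defined only because another backend offers SRP compiles this block out, and nothing in the visible lines rejects a `CURL_TLSAUTH_SRP` request on this backend, so the handshake would presumably continue without SRP. Failing closed is safer: add an `#elif defined(USE_TLS_SRP)` arm containing `if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) return CURLE_NOT_BUILT_IN;`, preceded by a `failf()` that names the backend. This assumes the `authtype` option is compiled in whenever `USE_TLS_SRP` is defined, which is not visible here. The same applies to the SRP setup in ossl_connect_step1 in openssl.c (hunk at -2800). The block's closing `#endif` lies outside this hunk.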
@@ -588,7 +588,7 @@ gtls_connect_step1(struct connectdata *conn,
return CURLE_SSL_CONNECT_ERROR;
}
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
@@ -610,7 +610,7 @@ gtls_connect_step1(struct connectdata *conn,
else {
#endif
rc = gnutls_priority_set_direct(session, prioritylist, &err);
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
}
#endif
@@ -681,7 +681,7 @@ gtls_connect_step1(struct connectdata *conn,
}
}
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
/* put the credentials to the current session */
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
@@ -868,7 +868,7 @@ gtls_connect_step3(struct connectdata *conn,
if(SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost) ||
SSL_SET_OPTION(issuercert)) {
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL
&& !SSL_CONN_CONFIG(verifypeer)
@@ -881,7 +881,7 @@ gtls_connect_step3(struct connectdata *conn,
failf(data, "failed to get server cert");
*certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
return CURLE_PEER_FAILED_VERIFICATION;
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
}
#endif
}
@@ -1448,7 +1448,7 @@ static void close_one(struct ssl_connect_data *connssl)
gnutls_certificate_free_credentials(backend->cred);
backend->cred = NULL;
}
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
if(backend->srp_client_cred) {
gnutls_srp_free_client_credentials(backend->srp_client_cred);
backend->srp_client_cred = NULL;
@@ -1530,7 +1530,7 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
}
gnutls_certificate_free_credentials(backend->cred);
-#ifdef USE_TLS_SRP
+#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL)
gnutls_srp_free_client_credentials(backend->srp_client_cred);
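Review bot: Curl_gtls_shutdown decides whether to free `backend->srp_client_cred` from the configured auth type and username, while close_one (hunk at -1448) tests the pointer itself and resets it to NULL afterwards. If the lines after this hunk do not clear the pointer, a later close_one on the same backend would see a stale non-NULL value and free it a second time. Mirroring close_one avoids that: `if(backend->srp_client_cred) { gnutls_srp_free_client_credentials(backend->srp_client_cred); backend->srp_client_cred = NULL; }`. The function continues outside the hunk, so the reset may already happen there.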
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 25b7dfab8..09f331418 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -2486,7 +2486,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
const long int ssl_version = SSL_CONN_CONFIG(version);
-#ifdef USE_TLS_SRP
+#ifdef HAVE_OPENSSL_SRP
const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
#endif
char * const ssl_cert = SSL_SET_OPTION(cert);
@@ -2531,7 +2531,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
failf(data, OSSL_PACKAGE " was built without SSLv2 support");
return CURLE_NOT_BUILT_IN;
#else
-#ifdef USE_TLS_SRP
+#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP)
return CURLE_SSL_CONNECT_ERROR;
#endif
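Review bot: The SRP-with-SSLv2 rejection returns `CURLE_SSL_CONNECT_ERROR` without any message, unlike the `failf()` call in the `OPENSSL_NO_SSL2` arm just above it, so a caller cannot tell why the connection was refused. Add a line before the return, e.g. `failf(data, "TLS-SRP cannot be used with SSLv2");`, and put braces around the two statements. The SSLv3 hunk at -2544 has the same silent return. ossl_connect_step1 starts and ends outside these hunks.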
@@ -2544,7 +2544,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
failf(data, OSSL_PACKAGE " was built without SSLv3 support");
return CURLE_NOT_BUILT_IN;
#else
-#ifdef USE_TLS_SRP
+#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP)
return CURLE_SSL_CONNECT_ERROR;
#endif
@@ -2800,7 +2800,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
SSL_CTX_set_post_handshake_auth(backend->ctx, 1);
#endif
-#ifdef USE_TLS_SRP
+#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_SET_OPTION(username);