mirror of
https://github.com/curl/curl.git
synced 2024-12-15 06:40:09 +08:00
TLS: fix SRP detection by using the proper #ifdefs
USE_TLS_SRP will be true if *any* selected TLS backend can use SRP HAVE_OPENSSL_SRP is defined when OpenSSL can use it HAVE_GNUTLS_SRP is defined when GnuTLS can use it Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is set if at least one of the supported backends offers SRP. Reported-by: Stefan Strogin Fixes #5865 Closes #5870
This commit is contained in:
parent
c77f6fd1cb
commit
68a5132474
@ -192,7 +192,8 @@ makes libcurl use Windows-provided functions for Kerberos, NTLM, SPNEGO and
|
||||
Digest authentication. It also allows libcurl to use the current user
|
||||
credentials without the app having to pass them on. (Added in 7.13.2)
|
||||
.IP CURL_VERSION_TLSAUTH_SRP
|
||||
libcurl was built with support for TLS-SRP. (Added in 7.21.4)
|
||||
libcurl was built with support for TLS-SRP (in one or more of the built-in TLS
|
||||
backends). (Added in 7.21.4)
|
||||
.IP CURL_VERSION_UNIX_SOCKETS
|
||||
libcurl was built with support for Unix domain sockets.
|
||||
(Added in 7.40.0)
|
||||
|
@ -81,7 +81,7 @@ static bool gtls_inited = FALSE;
|
||||
struct ssl_backend_data {
|
||||
gnutls_session_t session;
|
||||
gnutls_certificate_credentials_t cred;
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
gnutls_srp_client_credentials_t srp_client_cred;
|
||||
#endif
|
||||
};
|
||||
@ -434,7 +434,7 @@ gtls_connect_step1(struct connectdata *conn,
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||
infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));
|
||||
|
||||
@ -588,7 +588,7 @@ gtls_connect_step1(struct connectdata *conn,
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
}
|
||||
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
/* Only add SRP to the cipher list if SRP is requested. Otherwise
|
||||
* GnuTLS will disable TLS 1.3 support. */
|
||||
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||
@ -610,7 +610,7 @@ gtls_connect_step1(struct connectdata *conn,
|
||||
else {
|
||||
#endif
|
||||
rc = gnutls_priority_set_direct(session, prioritylist, &err);
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -681,7 +681,7 @@ gtls_connect_step1(struct connectdata *conn,
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
/* put the credentials to the current session */
|
||||
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
|
||||
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
|
||||
@ -868,7 +868,7 @@ gtls_connect_step3(struct connectdata *conn,
|
||||
if(SSL_CONN_CONFIG(verifypeer) ||
|
||||
SSL_CONN_CONFIG(verifyhost) ||
|
||||
SSL_SET_OPTION(issuercert)) {
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||
&& SSL_SET_OPTION(username) != NULL
|
||||
&& !SSL_CONN_CONFIG(verifypeer)
|
||||
@ -881,7 +881,7 @@ gtls_connect_step3(struct connectdata *conn,
|
||||
failf(data, "failed to get server cert");
|
||||
*certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
|
||||
return CURLE_PEER_FAILED_VERIFICATION;
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
}
|
||||
#endif
|
||||
}
|
||||
@ -1448,7 +1448,7 @@ static void close_one(struct ssl_connect_data *connssl)
|
||||
gnutls_certificate_free_credentials(backend->cred);
|
||||
backend->cred = NULL;
|
||||
}
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
if(backend->srp_client_cred) {
|
||||
gnutls_srp_free_client_credentials(backend->srp_client_cred);
|
||||
backend->srp_client_cred = NULL;
|
||||
@ -1530,7 +1530,7 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
|
||||
}
|
||||
gnutls_certificate_free_credentials(backend->cred);
|
||||
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_GNUTLS_SRP
|
||||
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
|
||||
&& SSL_SET_OPTION(username) != NULL)
|
||||
gnutls_srp_free_client_credentials(backend->srp_client_cred);
|
||||
|
@ -2486,7 +2486,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
long * const certverifyresult = &data->set.ssl.certverifyresult;
|
||||
#endif
|
||||
const long int ssl_version = SSL_CONN_CONFIG(version);
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_OPENSSL_SRP
|
||||
const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
|
||||
#endif
|
||||
char * const ssl_cert = SSL_SET_OPTION(cert);
|
||||
@ -2531,7 +2531,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
failf(data, OSSL_PACKAGE " was built without SSLv2 support");
|
||||
return CURLE_NOT_BUILT_IN;
|
||||
#else
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_OPENSSL_SRP
|
||||
if(ssl_authtype == CURL_TLSAUTH_SRP)
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
#endif
|
||||
@ -2544,7 +2544,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
failf(data, OSSL_PACKAGE " was built without SSLv3 support");
|
||||
return CURLE_NOT_BUILT_IN;
|
||||
#else
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_OPENSSL_SRP
|
||||
if(ssl_authtype == CURL_TLSAUTH_SRP)
|
||||
return CURLE_SSL_CONNECT_ERROR;
|
||||
#endif
|
||||
@ -2800,7 +2800,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
|
||||
SSL_CTX_set_post_handshake_auth(backend->ctx, 1);
|
||||
#endif
|
||||
|
||||
#ifdef USE_TLS_SRP
|
||||
#ifdef HAVE_OPENSSL_SRP
|
||||
if(ssl_authtype == CURL_TLSAUTH_SRP) {
|
||||
char * const ssl_username = SSL_SET_OPTION(username);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user