Skip to content

Commit

Permalink
TLS: fix SRP detection by using the proper #ifdefs
Browse files Browse the repository at this point in the history
USE_TLS_SRP will be true if *any* selected TLS backend can use SRP

HAVE_OPENSSL_SRP is defined when OpenSSL can use it

HAVE_GNUTLS_SRP is defined when GnuTLS can use it

Clarify in the curl_verison_info docs that CURL_VERSION_TLSAUTH_SRP is
set if at least one of the supported backends offers SRP.

Reported-by: Stefan Strogin
Fixes curl#5865
Closes curl#5870
  • Loading branch information
bagder committed Aug 28, 2020
1 parent c77f6fd commit 68a5132
Show file tree
Hide file tree
Showing 3 changed files with 15 additions and 14 deletions.
3 changes: 2 additions & 1 deletion docs/libcurl/curl_version_info.3
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,8 @@ makes libcurl use Windows-provided functions for Kerberos, NTLM, SPNEGO and
Digest authentication. It also allows libcurl to use the current user
credentials without the app having to pass them on. (Added in 7.13.2)
.IP CURL_VERSION_TLSAUTH_SRP
libcurl was built with support for TLS-SRP. (Added in 7.21.4)
libcurl was built with support for TLS-SRP (in one or more of the built-in TLS
backends). (Added in 7.21.4)
.IP CURL_VERSION_UNIX_SOCKETS
libcurl was built with support for Unix domain sockets.
(Added in 7.40.0)
Expand Down
18 changes: 9 additions & 9 deletions lib/vtls/gtls.c
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ static bool gtls_inited = FALSE;
struct ssl_backend_data {
gnutls_session_t session;
gnutls_certificate_credentials_t cred;
#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
gnutls_srp_client_credentials_t srp_client_cred;
#endif
};
Expand Down Expand Up @@ -434,7 +434,7 @@ gtls_connect_step1(struct connectdata *conn,
return CURLE_SSL_CONNECT_ERROR;
}

#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
infof(data, "Using TLS-SRP username: %s\n", SSL_SET_OPTION(username));

Expand Down Expand Up @@ -588,7 +588,7 @@ gtls_connect_step1(struct connectdata *conn,
return CURLE_SSL_CONNECT_ERROR;
}

#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
Expand All @@ -610,7 +610,7 @@ gtls_connect_step1(struct connectdata *conn,
else {
#endif
rc = gnutls_priority_set_direct(session, prioritylist, &err);
#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
}
#endif

Expand Down Expand Up @@ -681,7 +681,7 @@ gtls_connect_step1(struct connectdata *conn,
}
}

#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
/* put the credentials to the current session */
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP) {
rc = gnutls_credentials_set(session, GNUTLS_CRD_SRP,
Expand Down Expand Up @@ -868,7 +868,7 @@ gtls_connect_step3(struct connectdata *conn,
if(SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost) ||
SSL_SET_OPTION(issuercert)) {
#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL
&& !SSL_CONN_CONFIG(verifypeer)
Expand All @@ -881,7 +881,7 @@ gtls_connect_step3(struct connectdata *conn,
failf(data, "failed to get server cert");
*certverifyresult = GNUTLS_E_NO_CERTIFICATE_FOUND;
return CURLE_PEER_FAILED_VERIFICATION;
#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
}
#endif
}
Expand Down Expand Up @@ -1448,7 +1448,7 @@ static void close_one(struct ssl_connect_data *connssl)
gnutls_certificate_free_credentials(backend->cred);
backend->cred = NULL;
}
#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
if(backend->srp_client_cred) {
gnutls_srp_free_client_credentials(backend->srp_client_cred);
backend->srp_client_cred = NULL;
Expand Down Expand Up @@ -1530,7 +1530,7 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex)
}
gnutls_certificate_free_credentials(backend->cred);

#ifdef USE_TLS_SRP
#ifdef HAVE_GNUTLS_SRP
if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
&& SSL_SET_OPTION(username) != NULL)
gnutls_srp_free_client_credentials(backend->srp_client_cred);
Expand Down
8 changes: 4 additions & 4 deletions lib/vtls/openssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -2486,7 +2486,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
long * const certverifyresult = &data->set.ssl.certverifyresult;
#endif
const long int ssl_version = SSL_CONN_CONFIG(version);
#ifdef USE_TLS_SRP
#ifdef HAVE_OPENSSL_SRP
const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
#endif
char * const ssl_cert = SSL_SET_OPTION(cert);
Expand Down Expand Up @@ -2531,7 +2531,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
failf(data, OSSL_PACKAGE " was built without SSLv2 support");
return CURLE_NOT_BUILT_IN;
#else
#ifdef USE_TLS_SRP
#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP)
return CURLE_SSL_CONNECT_ERROR;
#endif
Expand All @@ -2544,7 +2544,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
failf(data, OSSL_PACKAGE " was built without SSLv3 support");
return CURLE_NOT_BUILT_IN;
#else
#ifdef USE_TLS_SRP
#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP)
return CURLE_SSL_CONNECT_ERROR;
#endif
Expand Down Expand Up @@ -2800,7 +2800,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
SSL_CTX_set_post_handshake_auth(backend->ctx, 1);
#endif

#ifdef USE_TLS_SRP
#ifdef HAVE_OPENSSL_SRP
if(ssl_authtype == CURL_TLSAUTH_SRP) {
char * const ssl_username = SSL_SET_OPTION(username);

Expand Down

0 comments on commit 68a5132

Please sign in to comment.