Skip to content
Permalink
Browse files

doh: inherit some SSL options from user's easy handle

- Inherit SSL options for the doh handle but not SSL client certs,
  SSL ALPN/NPN, SSL engine, SSL version, SSL issuer cert,
  SSL pinned public key, SSL ciphers, SSL id cache setting,
  SSL kerberos or SSL gss-api settings.

- Fix inheritance of verbose setting.

- Inherit NOSIGNAL.

There is no way for the user to set options for the doh (DNS-over-HTTPS)
handles and instead we inherit some options from the user's easy handle.

My thinking for the SSL options not inherited is they are most likely
not intended by the user for the DOH transfer. I did inherit insecure
because I think that should still be in control of the user.

Prior to this change doh did not work for me because CAINFO was not
inherited. Also verbose was set always which AFAICT was a bug (#3660).

Fixes #3660
Closes #3661
  • Loading branch information...
jay committed Mar 9, 2019
1 parent ff7e5a2 commit 9e6af114ea9e5fbc6d997a5409ff451c9086b29f
Showing with 68 additions and 3 deletions.
  1. +68 −3 lib/doh.c
@@ -173,8 +173,12 @@ static int Curl_doh_done(struct Curl_easy *doh, CURLcode result)
return 0;
}

#define ERROR_CHECK_SETOPT(x,y) result = curl_easy_setopt(doh, x, y); \
if(result) goto error
#define ERROR_CHECK_SETOPT(x,y) \
do { \
result = curl_easy_setopt(doh, x, y); \
if(result) \
goto error; \
} WHILE_FALSE

static CURLcode dohprobe(struct Curl_easy *data,
struct dnsprobe *p, DNStype dnstype,
@@ -242,7 +246,68 @@ static CURLcode dohprobe(struct Curl_easy *data,
ERROR_CHECK_SETOPT(CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
#endif
ERROR_CHECK_SETOPT(CURLOPT_TIMEOUT_MS, (long)timeout_ms);
ERROR_CHECK_SETOPT(CURLOPT_VERBOSE, 1L);
if(data->set.verbose)
ERROR_CHECK_SETOPT(CURLOPT_VERBOSE, 1L);
if(data->set.no_signal)
ERROR_CHECK_SETOPT(CURLOPT_NOSIGNAL, 1L);

/* Inherit *some* SSL options from the user's transfer. This is a
best-guess as to which options are needed for compatibility. #3661 */
if(data->set.ssl.falsestart)
ERROR_CHECK_SETOPT(CURLOPT_SSL_FALSESTART, 1L);
if(data->set.ssl.primary.verifyhost)
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYHOST, 2L);
if(data->set.proxy_ssl.primary.verifyhost)
ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYHOST, 2L);
if(data->set.ssl.primary.verifypeer)
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);
if(data->set.proxy_ssl.primary.verifypeer)
ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_VERIFYPEER, 1L);
if(data->set.ssl.primary.verifystatus)
ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L);
if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
ERROR_CHECK_SETOPT(CURLOPT_CAINFO,
data->set.str[STRING_SSL_CAFILE_ORIG]);
}
if(data->set.str[STRING_SSL_CAFILE_PROXY]) {
ERROR_CHECK_SETOPT(CURLOPT_PROXY_CAINFO,
data->set.str[STRING_SSL_CAFILE_PROXY]);
}
if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
ERROR_CHECK_SETOPT(CURLOPT_CAPATH,
data->set.str[STRING_SSL_CAPATH_ORIG]);
}
if(data->set.str[STRING_SSL_CAPATH_PROXY]) {
ERROR_CHECK_SETOPT(CURLOPT_PROXY_CAPATH,
data->set.str[STRING_SSL_CAPATH_PROXY]);
}
if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
ERROR_CHECK_SETOPT(CURLOPT_CRLFILE,
data->set.str[STRING_SSL_CRLFILE_ORIG]);
}
if(data->set.str[STRING_SSL_CRLFILE_PROXY]) {
ERROR_CHECK_SETOPT(CURLOPT_PROXY_CRLFILE,
data->set.str[STRING_SSL_CRLFILE_PROXY]);
}
if(data->set.ssl.certinfo)
ERROR_CHECK_SETOPT(CURLOPT_CERTINFO, 1L);
if(data->set.str[STRING_SSL_RANDOM_FILE]) {
ERROR_CHECK_SETOPT(CURLOPT_RANDOM_FILE,
data->set.str[STRING_SSL_RANDOM_FILE]);
}
if(data->set.str[STRING_SSL_EGDSOCKET]) {
ERROR_CHECK_SETOPT(CURLOPT_EGDSOCKET,
data->set.str[STRING_SSL_EGDSOCKET]);
}
if(data->set.ssl.no_revoke)
ERROR_CHECK_SETOPT(CURLOPT_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
if(data->set.proxy_ssl.no_revoke)
ERROR_CHECK_SETOPT(CURLOPT_PROXY_SSL_OPTIONS, CURLSSLOPT_NO_REVOKE);
if(data->set.ssl.fsslctx)
ERROR_CHECK_SETOPT(CURLOPT_SSL_CTX_FUNCTION, data->set.ssl.fsslctx);
if(data->set.ssl.fsslctxp)
ERROR_CHECK_SETOPT(CURLOPT_SSL_CTX_DATA, data->set.ssl.fsslctxp);

doh->set.fmultidone = Curl_doh_done;
doh->set.dohfor = data; /* identify for which transfer this is done */
p->easy = doh;

0 comments on commit 9e6af11

Please sign in to comment.
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.