160 lines
5.6 KiB
Diff
160 lines
5.6 KiB
Diff
|
From d040da28f57d0b3fcd6f63809a8c85a600f87a62 Mon Sep 17 00:00:00 2001
|
||
|
Message-Id: <d040da28f57d0b3fcd6f63809a8c85a600f87a62.1594274337.git.baruch@tkos.co.il>
|
||
|
From: Baruch Siach <baruch@tkos.co.il>
|
||
|
Date: Thu, 9 Jul 2020 08:14:49 +0300
|
||
|
Subject: [PATCH] nss: fix build with disabled proxy support
|
||
|
|
||
|
Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
|
||
|
defined.
|
||
|
|
||
|
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
||
|
---
|
||
|
Upstream status: https://github.com/curl/curl/pull/5667
|
||
|
|
||
|
lib/vtls/nss.c | 44 +++++++++++++++++++++++++++++++++++---------
|
||
|
1 file changed, 35 insertions(+), 9 deletions(-)
|
||
|
|
||
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
||
|
index fca292613815..0f0d1ee6c80f 100644
|
||
|
--- a/lib/vtls/nss.c
|
||
|
+++ b/lib/vtls/nss.c
|
||
|
@@ -1027,9 +1027,11 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
|
||
|
CERTCertificate *cert;
|
||
|
|
||
|
/* remember the cert verification result */
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
if(SSL_IS_PROXY())
|
||
|
data->set.proxy_ssl.certverifyresult = err;
|
||
|
else
|
||
|
+#endif
|
||
|
data->set.ssl.certverifyresult = err;
|
||
|
|
||
|
if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
|
||
|
@@ -1553,24 +1555,32 @@ static void nss_close(struct ssl_connect_data *connssl)
|
||
|
static void Curl_nss_close(struct connectdata *conn, int sockindex)
|
||
|
{
|
||
|
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
struct ssl_connect_data *connssl_proxy = &conn->proxy_ssl[sockindex];
|
||
|
+#endif
|
||
|
struct ssl_backend_data *backend = connssl->backend;
|
||
|
|
||
|
- if(backend->handle || connssl_proxy->backend->handle) {
|
||
|
+ if(backend->handle
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
+ || connssl_proxy->backend->handle
|
||
|
+#endif
|
||
|
+ ) {
|
||
|
/* NSS closes the socket we previously handed to it, so we must mark it
|
||
|
as closed to avoid double close */
|
||
|
fake_sclose(conn->sock[sockindex]);
|
||
|
conn->sock[sockindex] = CURL_SOCKET_BAD;
|
||
|
}
|
||
|
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
if(backend->handle)
|
||
|
/* nss_close(connssl) will transitively close also
|
||
|
connssl_proxy->backend->handle if both are used. Clear it to avoid
|
||
|
a double close leading to crash. */
|
||
|
connssl_proxy->backend->handle = NULL;
|
||
|
|
||
|
- nss_close(connssl);
|
||
|
nss_close(connssl_proxy);
|
||
|
+#endif
|
||
|
+ nss_close(connssl);
|
||
|
}
|
||
|
|
||
|
/* return true if NSS can provide error code (and possibly msg) for the
|
||
|
@@ -1828,6 +1838,12 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
||
|
CURLcode result;
|
||
|
bool second_layer = FALSE;
|
||
|
SSLVersionRange sslver_supported;
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
+ const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
||
|
+ conn->host.name;
|
||
|
+#else
|
||
|
+ const char *hostname = conn->host.name;
|
||
|
+#endif
|
||
|
|
||
|
SSLVersionRange sslver = {
|
||
|
SSL_LIBRARY_VERSION_TLS_1_0, /* min */
|
||
|
@@ -1932,9 +1948,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
||
|
goto error;
|
||
|
|
||
|
/* not checked yet */
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
if(SSL_IS_PROXY())
|
||
|
data->set.proxy_ssl.certverifyresult = 0;
|
||
|
else
|
||
|
+#endif
|
||
|
data->set.ssl.certverifyresult = 0;
|
||
|
|
||
|
if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
|
||
|
@@ -1991,12 +2009,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
||
|
goto error;
|
||
|
}
|
||
|
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
if(conn->proxy_ssl[sockindex].use) {
|
||
|
DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state);
|
||
|
DEBUGASSERT(conn->proxy_ssl[sockindex].backend->handle != NULL);
|
||
|
nspr_io = conn->proxy_ssl[sockindex].backend->handle;
|
||
|
second_layer = TRUE;
|
||
|
}
|
||
|
+#endif
|
||
|
else {
|
||
|
/* wrap OS file descriptor by NSPR's file descriptor abstraction */
|
||
|
nspr_io = PR_ImportTCPSocket(sockfd);
|
||
|
@@ -2077,8 +2097,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
||
|
unsigned char protocols[128];
|
||
|
|
||
|
#ifdef USE_NGHTTP2
|
||
|
- if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
|
||
|
- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
|
||
|
+ if(data->set.httpversion >= CURL_HTTP_VERSION_2
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
+ && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
|
||
|
+#endif
|
||
|
+ ) {
|
||
|
protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
|
||
|
memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
|
||
|
NGHTTP2_PROTO_VERSION_ID_LEN);
|
||
|
@@ -2101,14 +2124,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
||
|
goto error;
|
||
|
|
||
|
/* propagate hostname to the TLS layer */
|
||
|
- if(SSL_SetURL(backend->handle, SSL_IS_PROXY() ? conn->http_proxy.host.name :
|
||
|
- conn->host.name) != SECSuccess)
|
||
|
+ if(SSL_SetURL(backend->handle, hostname) != SECSuccess)
|
||
|
goto error;
|
||
|
|
||
|
/* prevent NSS from re-using the session for a different hostname */
|
||
|
- if(SSL_SetSockPeerID(backend->handle, SSL_IS_PROXY() ?
|
||
|
- conn->http_proxy.host.name : conn->host.name)
|
||
|
- != SECSuccess)
|
||
|
+ if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess)
|
||
|
goto error;
|
||
|
|
||
|
return CURLE_OK;
|
||
|
@@ -2127,11 +2147,17 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
|
||
|
struct Curl_easy *data = conn->data;
|
||
|
CURLcode result = CURLE_SSL_CONNECT_ERROR;
|
||
|
PRUint32 timeout;
|
||
|
+#ifndef CURL_DISABLE_PROXY
|
||
|
long * const certverifyresult = SSL_IS_PROXY() ?
|
||
|
&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
|
||
|
const char * const pinnedpubkey = SSL_IS_PROXY() ?
|
||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
|
||
|
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||
|
+#else
|
||
|
+ long * const certverifyresult = &data->set.ssl.certverifyresult;
|
||
|
+ const char * const pinnedpubkey =
|
||
|
+ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
|
||
|
+#endif
|
||
|
|
||
|
|
||
|
/* check timeout situation */
|
||
|
--
|
||
|
2.27.0
|
||
|
|