From 74ba80e293eb2521d28916b24c3be59b3baf688a Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Thu, 18 Feb 2021 10:13:56 +0100

Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names

It doesn't provide any useful info but only makes the names longer.

Closes #6624

Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/setopt.c         | 32 ++++++++++++++++----------------

 lib/url.c            | 32 ++++++++++++++++----------------

 lib/urldata.h        | 28 ++++++++++++++--------------

 lib/vtls/cyassl.c    |  2 +-

 lib/vtls/darwinssl.c |  4 ++--

 lib/vtls/gskit.c     |  2 +-

 lib/vtls/gtls.c      |  2 +-

 lib/vtls/mbedtls.c   |  2 +-

 lib/vtls/nss.c       |  2 +-

 lib/vtls/openssl.c   |  2 +-

 lib/vtls/polarssl.c  |  2 +-

 lib/vtls/schannel.c  |  2 +-

 12 files changed, 56 insertions(+), 56 deletions(-)

diff --git a/lib/setopt.c b/lib/setopt.c

index 4f04962..b07ccfe 100644

--- a/lib/setopt.c

+++ b/lib/setopt.c

@@ -133,7 +133,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

     break;

   case CURLOPT_SSL_CIPHER_LIST:

     /* set a list of cipher we want to use in the SSL connection */

-    result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],

                             va_arg(param, char *));

     break;

   case CURLOPT_PROXY_SSL_CIPHER_LIST:

@@ -145,7 +145,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

   case CURLOPT_TLS13_CIPHERS:

     if(Curl_ssl_tls13_ciphersuites()) {

       /* set preferred list of TLS 1.3 cipher suites */

-      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],

+      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST],

                               va_arg(param, char *));

     }

     else

@@ -1532,7 +1532,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

     /*

      * String that holds file name of the SSL certificate to use

      */

-    result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_CERT],

                             va_arg(param, char *));

     break;

   case CURLOPT_PROXY_SSLCERT:

@@ -1546,7 +1546,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

     /*

      * String that holds file type of the SSL certificate to use

      */

-    result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE],

                             va_arg(param, char *));

     break;

   case CURLOPT_PROXY_SSLCERTTYPE:

@@ -1560,7 +1560,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

     /*

      * String that holds file name of the SSL key to use

      */

-    result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_KEY],

                             va_arg(param, char *));

     break;

   case CURLOPT_PROXY_SSLKEY:

@@ -1574,7 +1574,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

     /*

      * String that holds file type of the SSL key to use

      */

-    result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE],

                             va_arg(param, char *));

     break;

   case CURLOPT_PROXY_SSLKEYTYPE:

@@ -1588,7 +1588,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

     /*

      * String that holds the SSL or SSH private key password.

      */

-    result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD],

                             va_arg(param, char *));

     break;

   case CURLOPT_PROXY_KEYPASSWD:

@@ -1815,7 +1815,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

      */

 #ifdef USE_SSL

     if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY)

-      result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],

+      result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],

                               va_arg(param, char *));

     else

 #endif

@@ -1838,7 +1838,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

     /*

      * Set CA info for SSL connection. Specify file name of the CA certificate

      */

-    result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE],

                             va_arg(param, char *));

     break;

   case CURLOPT_PROXY_CAINFO:

@@ -1857,7 +1857,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

 #ifdef USE_SSL

     if(Curl_ssl->supports & SSLSUPP_CA_PATH)

       /* This does not work on windows. */

-      result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],

+      result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH],

                               va_arg(param, char *));

     else

 #endif

@@ -1882,7 +1882,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

      * Set CRL file info for SSL connection. Specify file name of the CRL

      * to check certificates revocation

      */

-    result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE],

                             va_arg(param, char *));

     break;

   case CURLOPT_PROXY_CRLFILE:

@@ -1898,7 +1898,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

      * Set Issuer certificate file

      * to check certificates issuer

      */

-    result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT],

                             va_arg(param, char *));

     break;

   case CURLOPT_TELNETOPTIONS:

@@ -2449,9 +2449,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

     break;

 #ifdef USE_TLS_SRP

   case CURLOPT_TLSAUTH_USERNAME:

-    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],

                             va_arg(param, char *));

-    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)

+    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)

       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */

     break;

   case CURLOPT_PROXY_TLSAUTH_USERNAME:

@@ -2462,9 +2462,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,

       data->set.proxy_ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */

     break;

   case CURLOPT_TLSAUTH_PASSWORD:

-    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],

+    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],

                             va_arg(param, char *));

-    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)

+    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)

       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */

     break;

   case CURLOPT_PROXY_TLSAUTH_PASSWORD:

diff --git a/lib/url.c b/lib/url.c

index bb9d107..a6bc012 100644

--- a/lib/url.c

+++ b/lib/url.c

@@ -496,7 +496,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)

    */

   if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {

 #if defined(CURL_CA_BUNDLE)

-    result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);

+    result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE);

     if(result)

       return result;

@@ -506,7 +506,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)

       return result;

 #endif

 #if defined(CURL_CA_PATH)

-    result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH);

+    result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH);

     if(result)

       return result;

@@ -4333,9 +4333,9 @@ static CURLcode create_conn(struct Curl_easy *data,

      that will be freed as part of the Curl_easy struct, but all cloned

      copies will be separately allocated.

   */

-  data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];

+  data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];

   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];

-  data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];

+  data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];

   data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];

   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];

   data->set.proxy_ssl.primary.random_file =

@@ -4343,34 +4343,34 @@ static CURLcode create_conn(struct Curl_easy *data,

   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];

   data->set.proxy_ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];

   data->set.ssl.primary.cipher_list =

-    data->set.str[STRING_SSL_CIPHER_LIST_ORIG];

+    data->set.str[STRING_SSL_CIPHER_LIST];

   data->set.proxy_ssl.primary.cipher_list =

     data->set.str[STRING_SSL_CIPHER_LIST_PROXY];

   data->set.ssl.primary.cipher_list13 =

-    data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];

+    data->set.str[STRING_SSL_CIPHER13_LIST];

   data->set.proxy_ssl.primary.cipher_list13 =

     data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];

-  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];

+  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];

   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];

-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];

+  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];

   data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];

-  data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];

+  data->set.ssl.cert = data->set.str[STRING_CERT];

   data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];

-  data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];

+  data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];

   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];

-  data->set.ssl.key = data->set.str[STRING_KEY_ORIG];

+  data->set.ssl.key = data->set.str[STRING_KEY];

   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];

-  data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];

+  data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];

   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];

-  data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG];

+  data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];

   data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];

-  data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];

+  data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];

   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];

 #ifdef USE_TLS_SRP

-  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];

+  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];

   data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];

-  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];

+  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];

   data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];

 #endif

diff --git a/lib/urldata.h b/lib/urldata.h

index c70290a..1f8f364 100644

--- a/lib/urldata.h

+++ b/lib/urldata.h

@@ -1366,9 +1366,9 @@ struct DynamicStatic {

 struct Curl_multi;    /* declared and used only in multi.c */

 enum dupstring {

-  STRING_CERT_ORIG,       /* client certificate file name */

+  STRING_CERT,            /* client certificate file name */

   STRING_CERT_PROXY,      /* client certificate file name */

-  STRING_CERT_TYPE_ORIG,  /* format for certificate (default: PEM)*/

+  STRING_CERT_TYPE,       /* format for certificate (default: PEM)*/

   STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/

   STRING_COOKIE,          /* HTTP cookie string to send */

   STRING_COOKIEJAR,       /* dump all cookies to this file */

@@ -1379,11 +1379,11 @@ enum dupstring {

   STRING_FTP_ACCOUNT,     /* ftp account data */

   STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */

   STRING_FTPPORT,         /* port to send with the FTP PORT command */

-  STRING_KEY_ORIG,        /* private key file name */

+  STRING_KEY,             /* private key file name */

   STRING_KEY_PROXY,       /* private key file name */

-  STRING_KEY_PASSWD_ORIG, /* plain text private key password */

+  STRING_KEY_PASSWD,      /* plain text private key password */

   STRING_KEY_PASSWD_PROXY, /* plain text private key password */

-  STRING_KEY_TYPE_ORIG,   /* format for private key (default: PEM) */

+  STRING_KEY_TYPE,        /* format for private key (default: PEM) */

   STRING_KEY_TYPE_PROXY,  /* format for private key (default: PEM) */

   STRING_KRB_LEVEL,       /* krb security level */

   STRING_NETRC_FILE,      /* if not NULL, use this instead of trying to find

@@ -1393,22 +1393,22 @@ enum dupstring {

   STRING_SET_RANGE,       /* range, if used */

   STRING_SET_REFERER,     /* custom string for the HTTP referer field */

   STRING_SET_URL,         /* what original URL to work on */

-  STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */

+  STRING_SSL_CAPATH,      /* CA directory name (doesn't work on windows) */

   STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */

-  STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */

+  STRING_SSL_CAFILE,      /* certificate file to verify peer against */

   STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */

-  STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */

+  STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */

   STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */

-  STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */

+  STRING_SSL_CIPHER_LIST, /* list of ciphers to use */

   STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */

-  STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */

+  STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */

   STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */

   STRING_SSL_EGDSOCKET,   /* path to file containing the EGD daemon socket */

   STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */

   STRING_USERAGENT,       /* User-Agent string */

-  STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */

+  STRING_SSL_CRLFILE,     /* crl file to check certificate */

   STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */

-  STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */

+  STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */

   STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */

   STRING_SSL_ENGINE,      /* name of ssl engine */

   STRING_USERNAME,        /* <username>, if used */

@@ -1433,9 +1433,9 @@ enum dupstring {

   STRING_MAIL_AUTH,

 #ifdef USE_TLS_SRP

-  STRING_TLSAUTH_USERNAME_ORIG,  /* TLS auth <username> */

+  STRING_TLSAUTH_USERNAME,  /* TLS auth <username> */

   STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth <username> */

-  STRING_TLSAUTH_PASSWORD_ORIG,  /* TLS auth <password> */

+  STRING_TLSAUTH_PASSWORD,  /* TLS auth <password> */

   STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth <password> */

 #endif

   STRING_BEARER,                /* <bearer>, if used */

diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c

index e10398a..ffd116d 100644

--- a/lib/vtls/cyassl.c

+++ b/lib/vtls/cyassl.c

@@ -474,7 +474,7 @@ cyassl_connect_step2(struct connectdata *conn,

     conn->http_proxy.host.dispname : conn->host.dispname;

   const char * const pinnedpubkey = SSL_IS_PROXY() ?

                         data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :

-                        data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];

+                        data->set.str[STRING_SSL_PINNEDPUBLICKEY];

   conn->recv[sockindex] = cyassl_recv;

   conn->send[sockindex] = cyassl_send;

diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c

index 1aea0dc..572e8bf 100644

--- a/lib/vtls/darwinssl.c

+++ b/lib/vtls/darwinssl.c

@@ -2449,9 +2449,9 @@ darwinssl_connect_step2(struct connectdata *conn, int sockindex)

     connssl->connecting_state = ssl_connect_3;

 #ifdef DARWIN_SSL_PINNEDPUBKEY

-    if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) {

+    if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {

       CURLcode result = pkp_pin_peer_pubkey(data, BACKEND->ssl_ctx,

-                            data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]);

+                            data->set.str[STRING_SSL_PINNEDPUBLICKEY]);

       if(result) {

         failf(data, "SSL: public key does not match pinned public key!");

         return result;

diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c

index a0b4960..b4c7b8a 100644

--- a/lib/vtls/gskit.c

+++ b/lib/vtls/gskit.c

@@ -1136,7 +1136,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)

   /* Check pinned public key. */

   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :

-                         data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];

+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];

   if(!result && ptr) {

     curl_X509certificate x509;

     curl_asn1Element *p;

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c

index 207b0fd..c5eb948 100644

--- a/lib/vtls/gtls.c

+++ b/lib/vtls/gtls.c

@@ -1329,7 +1329,7 @@ gtls_connect_step3(struct connectdata *conn,

   }

   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :

-        data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];

+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];

   if(ptr) {

     result = pkp_pin_peer_pubkey(data, x509_cert, ptr);

     if(result != CURLE_OK) {

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c

index d7759dc..48010ae 100644

--- a/lib/vtls/mbedtls.c

+++ b/lib/vtls/mbedtls.c

@@ -540,7 +540,7 @@ mbed_connect_step2(struct connectdata *conn,

   const mbedtls_x509_crt *peercert;

   const char * const pinnedpubkey = SSL_IS_PROXY() ?

         data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :

-        data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];

+        data->set.str[STRING_SSL_PINNEDPUBLICKEY];

 #ifdef HAS_ALPN

   const char *next_protocol;

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c

index 89f8183..366bf9e 100644

--- a/lib/vtls/nss.c

+++ b/lib/vtls/nss.c

@@ -2067,7 +2067,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)

     &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;

   const char * const pinnedpubkey = SSL_IS_PROXY() ?

               data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :

-              data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];

+              data->set.str[STRING_SSL_PINNEDPUBLICKEY];

   /* check timeout situation */

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c

index 35cd652..8c97c1d 100644

--- a/lib/vtls/openssl.c

+++ b/lib/vtls/openssl.c

@@ -3388,7 +3388,7 @@ static CURLcode servercert(struct connectdata *conn,

     result = CURLE_OK;

   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :

-                         data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];

+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];

   if(!result && ptr) {

     result = pkp_pin_peer_pubkey(data, BACKEND->server_cert, ptr);

     if(result)

diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c

index 604cb4c..f284ad1 100644

--- a/lib/vtls/polarssl.c

+++ b/lib/vtls/polarssl.c

@@ -459,7 +459,7 @@ polarssl_connect_step2(struct connectdata *conn,

   char buffer[1024];

   const char * const pinnedpubkey = SSL_IS_PROXY() ?

             data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :

-            data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];

+            data->set.str[STRING_SSL_PINNEDPUBLICKEY];

   char errorbuf[128];

diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c

index 8f6c301..95c060b 100644

--- a/lib/vtls/schannel.c

+++ b/lib/vtls/schannel.c

@@ -1060,7 +1060,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)

   pubkey_ptr = SSL_IS_PROXY() ?

     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :

-    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];

+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];

   if(pubkey_ptr) {

     result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);

     if(result) {

-- 

2.31.1

From 040fa4f60f9b809972d51184dfa4980ba44d8b6b Mon Sep 17 00:00:00 2001

From: Daniel Stenberg <daniel@haxx.se>

Date: Sat, 19 Jun 2021 00:42:28 +0200

Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and

 case sensitivity

CVE-2021-22924

Reported-by: Harry Sintonen

Bug: https://curl.se/docs/CVE-2021-22924.html

Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/url.c          |  5 +++--

 lib/urldata.h      |  2 +-

 lib/vtls/gtls.c    | 10 +++++-----

 lib/vtls/nss.c     |  4 ++--

 lib/vtls/openssl.c | 12 ++++++------

 lib/vtls/vtls.c    | 21 ++++++++++++++++-----

 6 files changed, 33 insertions(+), 21 deletions(-)

diff --git a/lib/url.c b/lib/url.c

index a6bc012..4803653 100644

--- a/lib/url.c

+++ b/lib/url.c

@@ -4337,6 +4337,9 @@ static CURLcode create_conn(struct Curl_easy *data,

   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];

   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];

   data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];

+  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];

+  data->set.proxy_ssl.primary.issuercert =

+    data->set.str[STRING_SSL_ISSUERCERT_PROXY];

   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];

   data->set.proxy_ssl.primary.random_file =

     data->set.str[STRING_SSL_RANDOM_FILE];

@@ -4353,8 +4356,6 @@ static CURLcode create_conn(struct Curl_easy *data,

   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];

   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];

-  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];

-  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];

   data->set.ssl.cert = data->set.str[STRING_CERT];

   data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];

   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];

diff --git a/lib/urldata.h b/lib/urldata.h

index 1f8f364..72a36fb 100644

--- a/lib/urldata.h

+++ b/lib/urldata.h

@@ -223,6 +223,7 @@ struct ssl_primary_config {

   bool sessionid;        /* cache session IDs or not */

   char *CApath;          /* certificate dir (doesn't work on windows) */

   char *CAfile;          /* certificate to verify peer against */

+  char *issuercert;      /* optional issuer certificate filename */

   char *clientcert;

   char *random_file;     /* path to file containing "random" data */

   char *egdsocket;       /* path to file containing the EGD daemon socket */

@@ -238,7 +239,6 @@ struct ssl_config_data {

   bool no_partialchain;  /* don't accept partial certificate chains */

   long certverifyresult; /* result from the certificate verification */

   char *CRLfile;   /* CRL to check certificate revocation */

-  char *issuercert;/* optional issuer certificate filename */

   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */

   void *fsslctxp;        /* parameter for call back */

   bool certinfo;         /* gather lots of certificate info */

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c

index c5eb948..0cb59c8 100644

--- a/lib/vtls/gtls.c

+++ b/lib/vtls/gtls.c

@@ -1002,7 +1002,7 @@ gtls_connect_step3(struct connectdata *conn,

   if(!chainp) {

     if(SSL_CONN_CONFIG(verifypeer) ||

        SSL_CONN_CONFIG(verifyhost) ||

-       SSL_SET_OPTION(issuercert)) {

+       SSL_CONN_CONFIG(issuercert)) {

 #ifdef USE_TLS_SRP

       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP

          && SSL_SET_OPTION(username) != NULL

@@ -1184,21 +1184,21 @@ gtls_connect_step3(struct connectdata *conn,

        gnutls_x509_crt_t format */

     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);

-  if(SSL_SET_OPTION(issuercert)) {

+  if(SSL_CONN_CONFIG(issuercert)) {

     gnutls_x509_crt_init(&x509_issuer);

-    issuerp = load_file(SSL_SET_OPTION(issuercert));

+    issuerp = load_file(SSL_CONN_CONFIG(issuercert));

     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);

     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);

     gnutls_x509_crt_deinit(x509_issuer);

     unload_file(issuerp);

     if(rc <= 0) {

       failf(data, "server certificate issuer check failed (IssuerCert: %s)",

-            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");

+            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");

       gnutls_x509_crt_deinit(x509_cert);

       return CURLE_SSL_ISSUER_ERROR;

     }

     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",

-          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");

+          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");

   }

   size = sizeof(certbuf);

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c

index 366bf9e..2d9581d 100644

--- a/lib/vtls/nss.c

+++ b/lib/vtls/nss.c

@@ -2095,9 +2095,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)

   if(result)

     goto error;

-  if(SSL_SET_OPTION(issuercert)) {

+  if(SSL_CONN_CONFIG(issuercert)) {

     SECStatus ret = SECFailure;

-    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));

+    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));

     if(nickname) {

       /* we support only nicknames in case of issuercert for now */

       ret = check_issuer_cert(BACKEND->handle, nickname);

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c

index 8c97c1d..28eaa6d 100644

--- a/lib/vtls/openssl.c

+++ b/lib/vtls/openssl.c

@@ -3311,11 +3311,11 @@ static CURLcode servercert(struct connectdata *conn,

        deallocating the certificate. */

     /* e.g. match issuer name with provided issuer certificate */

-    if(SSL_SET_OPTION(issuercert)) {

-      if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {

+    if(SSL_CONN_CONFIG(issuercert)) {

+      if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {

         if(strict)

           failf(data, "SSL: Unable to open issuer cert (%s)",

-                SSL_SET_OPTION(issuercert));

+                SSL_CONN_CONFIG(issuercert));

         BIO_free(fp);

         X509_free(BACKEND->server_cert);

         BACKEND->server_cert = NULL;

@@ -3326,7 +3326,7 @@ static CURLcode servercert(struct connectdata *conn,

       if(!issuer) {

         if(strict)

           failf(data, "SSL: Unable to read issuer cert (%s)",

-                SSL_SET_OPTION(issuercert));

+                SSL_CONN_CONFIG(issuercert));

         BIO_free(fp);

         X509_free(issuer);

         X509_free(BACKEND->server_cert);

@@ -3337,7 +3337,7 @@ static CURLcode servercert(struct connectdata *conn,

       if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {

         if(strict)

           failf(data, "SSL: Certificate issuer check failed (%s)",

-                SSL_SET_OPTION(issuercert));

+                SSL_CONN_CONFIG(issuercert));

         BIO_free(fp);

         X509_free(issuer);

         X509_free(BACKEND->server_cert);

@@ -3346,7 +3346,7 @@ static CURLcode servercert(struct connectdata *conn,

       }

       infof(data, " SSL certificate issuer check ok (%s)\n",

-            SSL_SET_OPTION(issuercert));

+            SSL_CONN_CONFIG(issuercert));

       X509_free(issuer);

     }

diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c

index b61c640..18672a5 100644

--- a/lib/vtls/vtls.c

+++ b/lib/vtls/vtls.c

@@ -82,6 +82,15 @@

   else                                       \

     dest->var = NULL;

+static bool safecmp(char *a, char *b)

+{

+  if(a && b)

+    return !strcmp(a, b);

+  else if(!a && !b)

+    return TRUE; /* match */

+  return FALSE; /* no match */

+}

+

 bool

 Curl_ssl_config_matches(struct ssl_primary_config* data,

                         struct ssl_primary_config* needle)

@@ -91,11 +100,11 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,

      (data->verifypeer == needle->verifypeer) &&

      (data->verifyhost == needle->verifyhost) &&

      (data->verifystatus == needle->verifystatus) &&

-     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&

-     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&

-     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&

-     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&

-     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&

+     safecmp(data->CApath, needle->CApath) &&

+     safecmp(data->CAfile, needle->CAfile) &&

+     safecmp(data->clientcert, needle->clientcert) &&

+     safecmp(data->random_file, needle->random_file) &&

+     safecmp(data->egdsocket, needle->egdsocket) &&

      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&

      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))

     return TRUE;

@@ -116,6 +125,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,

   CLONE_STRING(CApath);

   CLONE_STRING(CAfile);

+  CLONE_STRING(issuercert);

   CLONE_STRING(clientcert);

   CLONE_STRING(random_file);

   CLONE_STRING(egdsocket);

@@ -129,6 +139,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)

 {

   Curl_safefree(sslc->CApath);

   Curl_safefree(sslc->CAfile);

+  Curl_safefree(sslc->issuercert);

   Curl_safefree(sslc->clientcert);

   Curl_safefree(sslc->random_file);

   Curl_safefree(sslc->egdsocket);

-- 

2.31.1