From becfe2ec783a40254761606a09069cf258d424ef Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 30 Dec 2022 15:04:57 +0100
Subject: [PATCH] urldata: cease storing TLS auth type

The only TLS auth type libcurl ever supported is SRP and that is the default type. Since nobody ever sets any other type, there is no point in wasting space to store the set type and code to check the type. If TLS auth is used, SRP is now implied.

Closes #10181
---
 lib/setopt.c | 27 ++++-----------------------
 lib/url.c | 3 ---
 lib/urldata.h | 1 -
 lib/vtls/gtls.c | 19 +++++++------------
 lib/vtls/openssl.c | 6 +-----
 lib/vtls/vtls.c | 4 ----
 6 files changed, 12 insertions(+), 48 deletions(-)

diff --git a/lib/setopt.c b/lib/setopt.c
index 59114927b0..ecee4c50ad 100644
--- a/lib/setopt.c
+++ b/lib/setopt.c
@@ -2843,52 +2843,33 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
case CURLOPT_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME] &&
- !data->set.ssl.primary.authtype)
- data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_USERNAME:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_PROXY],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
- !data->set.proxy_ssl.primary.authtype)
- data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default to
- SRP */
break;
#endif
case CURLOPT_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME] &&
- !data->set.ssl.primary.authtype)
- data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_PASSWORD:
result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_PROXY],
va_arg(param, char *));
- if(data->set.str[STRING_TLSAUTH_USERNAME_PROXY] &&
- !data->set.proxy_ssl.primary.authtype)
- data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP; /* default */
break;
#endif
case CURLOPT_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
- if(!argptr ||
- strncasecompare(argptr, "SRP", strlen("SRP")))
- data->set.ssl.primary.authtype = CURL_TLSAUTH_SRP;
- else
- data->set.ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ if(argptr && !strncasecompare(argptr, "SRP", strlen("SRP")))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
break;
#ifndef CURL_DISABLE_PROXY
case CURLOPT_PROXY_TLSAUTH_TYPE:
argptr = va_arg(param, char *);
- if(!argptr ||
- strncasecompare(argptr, "SRP", strlen("SRP")))
- data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_SRP;
- else
- data->set.proxy_ssl.primary.authtype = CURL_TLSAUTH_NONE;
+ if(argptr ||
!strncasecompare(argptr, "SRP", strlen("SRP")))
+ return CURLE_BAD_FUNCTION_ARGUMENT;
break;
#endif
#endif
diff --git a/lib/url.c b/lib/url.c
index 9a858eff05..c91a968247 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -563,9 +563,6 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
#endif
set->ssl.primary.verifypeer = TRUE;
set->ssl.primary.verifyhost = TRUE;
-#ifdef USE_TLS_SRP
- set->ssl.primary.authtype = CURL_TLSAUTH_NONE;
-#endif
#ifdef USE_SSH
/* defaults to any auth type */
set->ssh_auth_types = CURLSSH_AUTH_DEFAULT;
diff --git a/lib/urldata.h b/lib/urldata.h
index a70729c7e2..a8af5dba34 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -283,7 +283,6 @@ struct ssl_primary_config {
#ifdef USE_TLS_SRP
char *username; /* TLS username (for, e.g., SRP) */
char *password; /* TLS password (for, e.g., SRP) */
- enum CURL_TLSAUTH authtype; /* TLS authentication type (default SRP) */
#endif
char *curves; /* list of curves to use */
unsigned char ssl_options; /* the CURLOPT_SSL_OPTIONS bitmask */
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 3857cc303a..44577a1068 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -434,12 +434,10 @@ CURLcode gtls_client_init(struct Curl_easy *data,
}
#ifdef USE_GNUTLS_SRP
- if((config->authtype == CURL_TLSAUTH_SRP) &&
- Curl_auth_allowed_to_host(data)) {
+ if(config->username && Curl_auth_allowed_to_host(data)) {
infof(data, "Using TLS-SRP username: %s", config->username);
- rc = gnutls_srp_allocate_client_credentials(
- >ls->srp_client_cred);
+ rc = gnutls_srp_allocate_client_credentials(>ls->srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
gnutls_strerror(rc));
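Review bot: The CURLOPT_PROXY_TLSAUTH_TYPE branch rejects every non-NULL type string, including "SRP", because its new condition uses `argptr ||` where the CURLOPT_TLSAUTH_TYPE branch just above uses `argptr &&`; and when argptr is NULL the `||` does not short-circuit, so strncasecompare() is called with a NULL first argument, which is only safe if that helper tolerates NULL. The removed code treated a NULL argptr as "use the default", so NULL is an expected input here. The condition should read `if(argptr && !strncasecompare(argptr, "SRP", strlen("SRP")))` so both branches behave the same, and a test passing NULL and "SRP" to the proxy option would have caught the inversion. Curl_vsetopt starts before and continues after the hunk.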
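Review bot: The rule that a set username implies TLS-SRP now exists only in the commit message; the `if(config->username && Curl_auth_allowed_to_host(data))` check in this hunk, and the matching username checks in the later gtls.c and openssl.c hunks, read as if the username were optional extra data rather than the switch that enables SRP. A one-line comment above this first check, `/* SRP is the only TLS auth type: a set username means SRP is requested */`, keeps that contract visible where it is enforced. gtls_client_init starts before and continues after the hunk.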
@@ -581,7 +579,7 @@ CURLcode gtls_client_init(struct Curl_easy *data,
#ifdef USE_GNUTLS_SRP
/* Only add SRP to the cipher list if SRP is requested. Otherwise
* GnuTLS will disable TLS 1.3 support. */
- if(config->authtype == CURL_TLSAUTH_SRP) {
+ if(config->username) {
size_t len = strlen(prioritylist);
char *prioritysrp = malloc(len + sizeof(GNUTLS_SRP) + 1);
@@ -646,7 +644,7 @@ CURLcode gtls_client_init(struct Curl_easy *data,
#ifdef USE_GNUTLS_SRP
/* put the credentials to the current session */
- if(config->authtype == CURL_TLSAUTH_SRP) {
+ if(config->username) {
rc = gnutls_credentials_set(gtls->session, GNUTLS_CRD_SRP,
gtls->srp_client_cred);
if(rc != GNUTLS_E_SUCCESS) {
@@ -865,10 +863,8 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
config->verifyhost ||
config->issuercert) {
#ifdef USE_GNUTLS_SRP
- if(ssl_config->primary.authtype == CURL_TLSAUTH_SRP
- && ssl_config->primary.username
- && !config->verifypeer
- && gnutls_cipher_get(session)) {
+ if(ssl_config->primary.username && !config->verifypeer &&
+ gnutls_cipher_get(session)) {
/* no peer cert, but auth is ok if we have SRP user and cipher and no
peer verify */
}
@@ -1561,8 +1557,7 @@ static int gtls_shutdown(struct Curl_cfilter *cf,
gnutls_certificate_free_credentials(backend->gtls.cred);
#ifdef USE_GNUTLS_SRP
- if(ssl_config->primary.authtype == CURL_TLSAUTH_SRP
- && ssl_config->primary.username != NULL)
+ if(ssl_config->primary.username)
gnutls_srp_free_client_credentials(backend->gtls.srp_client_cred);
#endif
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index f5dd14d53f..3889b6f3b9 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3469,9 +3469,6 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
#endif
#endif
const long int ssl_version = conn_config->version;
-#ifdef USE_OPENSSL_SRP
- const enum CURL_TLSAUTH ssl_authtype = ssl_config->primary.authtype;
-#endif
char * const ssl_cert = ssl_config->primary.clientcert;
const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
const char * const ssl_cert_type = ssl_config->cert_type;
@@ -3732,8 +3729,7 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
#endif
#ifdef USE_OPENSSL_SRP
- if((ssl_authtype == CURL_TLSAUTH_SRP) &&
- Curl_auth_allowed_to_host(data)) {
+ if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) {
char * const ssl_username = ssl_config->primary.username;
char * const ssl_password = ssl_config->primary.password;
infof(data, "Using TLS-SRP username: %s", ssl_username);
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index d3526785f2..8b1cbd2eae 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -150,7 +150,6 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
#ifdef USE_TLS_SRP
!Curl_timestrcmp(data->username, needle->username) &&
!Curl_timestrcmp(data->password, needle->password) &&
- (data->authtype == needle->authtype) &&
#endif
strcasecompare(data->cipher_list, needle->cipher_list) &&
strcasecompare(data->cipher_list13, needle->cipher_list13) &&
@@ -173,9 +172,6 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
dest->verifystatus = source->verifystatus;
dest->sessionid = source->sessionid;
dest->ssl_options = source->ssl_options;
-#ifdef USE_TLS_SRP
- dest->authtype = source->authtype;
-#endif
CLONE_BLOB(cert_blob);
CLONE_BLOB(ca_info_blob);
--
2.47.3