From: Tobias Brunner
Date: Fri, 13 Jan 2023 16:11:50 +0000 (+0100)
Subject: curl: Don't ignore unknown SSL/TLS backends
X-Git-Tag: android-2.4.0~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d11868fb383cb65f5b086ea421dba8df16ad9876;p=thirdparty%2Fstrongswan.git

curl: Don't ignore unknown SSL/TLS backends

Only older versions of OpenSSL and GnuTLS need special treatment, so we now accept all other backends (e.g. "(SecureTransport) OpenSSL/1.1.1s" on macOS). Whenever we remove support for the affected versions of the mentioned libraries, we can remove the corresponding *-threading plugin feature and the code here.
---

diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c
index b7ced5ee99..37564c2e4e 100644
--- a/src/libstrongswan/plugins/curl/curl_plugin.c
+++ b/src/libstrongswan/plugins/curl/curl_plugin.c
@@ -60,7 +60,9 @@ static void add_feature(private_curl_plugin_t *this, plugin_feature_t f)
 static void add_feature_with_ssl(private_curl_plugin_t *this, const char *ssl,
 char *proto, plugin_feature_t f)
 {
- /* http://curl.haxx.se/libcurl/c/libcurl-tutorial.html#Multi-threading */
+ /* according to https://curl.se/libcurl/c/threadsafe.html there is only an
+ * issue with thread-safety with older versions of OpenSSL (<= 1.0.2) and
+ * GnuTLS (< 1.6.0), so we just accept all other SSL backends */
 if (strpfx(ssl, "OpenSSL") || strpfx(ssl, "LibreSSL"))
 {
 add_feature(this, f);
@@ -71,15 +73,9 @@ static void add_feature_with_ssl(private_curl_plugin_t *this, const char *ssl,
 add_feature(this, f);
 add_feature(this, PLUGIN_DEPENDS(CUSTOM, "gcrypt-threading"));
 }
- else if (strpfx(ssl, "NSS") ||
- strpfx(ssl, "BoringSSL"))
- {
- add_feature(this, f);
- }
 else
 {
- DBG1(DBG_LIB, "curl SSL backend '%s' not supported, %s disabled",
- ssl, proto);
+ add_feature(this, f);
 }
 }
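Review bot: The new `else` branch in the second hunk registers the feature silently for every backend string that does not start with `OpenSSL`, `LibreSSL` or whatever prefix is tested in the lines between the two hunks (not shown), so a combined version string such as the `(SecureTransport) OpenSSL/1.1.1s` example from the commit message is accepted without any look at the library version behind it. If such a build can carry one of the affected OpenSSL or GnuTLS versions named in the new comment, the threading dependency would be skipped; that is an inference from the prefix tests and worth confirming. At minimum keep a trace of the decision in that branch, e.g. `DBG2(DBG_LIB, "curl SSL backend '%s' accepted without threading dependency for %s", ssl, proto);`, which also keeps `proto` in use, since the removed `DBG1` appears to have been its only reader in the visible lines.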