From: Stefan Eissing Date: Tue, 14 Oct 2025 10:13:24 +0000 (+0200) Subject: apple sectrust: add to features X-Git-Tag: rc-8_17_0-2~70 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c37ed9a11e57c2f416ab29c5fda8d6bd813acd89;p=thirdparty%2Fcurl.git apple sectrust: add to features It should be visible in the feature list that libcurl is build with Apple SecTrust enabled. Closes #19057 --- diff --git a/CMakeLists.txt b/CMakeLists.txt index b48b045284..bb2dc54f1d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -767,6 +767,9 @@ endif() if(APPLE) option(USE_APPLE_SECTRUST "Use Apple OS-native certificate verification" OFF) if(USE_APPLE_SECTRUST) + if(NOT CURL_USE_OPENSSL AND NOT CURL_USE_GNUTLS) + message(FATAL_ERROR "Apple SecTrust is only supported with Openssl/GnuTLS") + endif() find_library(COREFOUNDATION_FRAMEWORK NAMES "Security") mark_as_advanced(COREFOUNDATION_FRAMEWORK) if(NOT COREFOUNDATION_FRAMEWORK) @@ -2173,6 +2176,7 @@ curl_add_if("HTTPSRR" _ssl_enabled AND USE_HTTPSRR) curl_add_if("PSL" USE_LIBPSL) curl_add_if("CAcert" CURL_CA_EMBED_SET) curl_add_if("SSLS-EXPORT" _ssl_enabled AND USE_SSLS_EXPORT) +curl_add_if("AppleSecTrust" USE_APPLE_SECTRUST AND _ssl_enabled AND (USE_OPENSSL OR USE_GNUTLS)) if(_items) if(CMAKE_VERSION VERSION_GREATER_EQUAL 3.13) list(SORT _items CASE INSENSITIVE) diff --git a/configure.ac b/configure.ac index 0880552cfb..3b4ebf9649 100644 --- a/configure.ac +++ b/configure.ac @@ -5304,6 +5304,10 @@ if test "x$OPENSSL_ENABLED" = "x1" -o -n "$SSL_ENABLED"; then fi fi +if test "x$APPLE_SECTRUST_ENABLED" = "x1"; then + SUPPORT_FEATURES="$SUPPORT_FEATURES AppleSecTrust" +fi + if test "x$want_httpsrr" != "xno"; then SUPPORT_FEATURES="$SUPPORT_FEATURES HTTPSRR" fi diff --git a/docs/libcurl/curl_version_info.md b/docs/libcurl/curl_version_info.md index a9c97b39c5..3620f60ca6 100644 --- a/docs/libcurl/curl_version_info.md +++ b/docs/libcurl/curl_version_info.md 
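Review bot: The new guard in the first CMakeLists.txt hunk tests `CURL_USE_OPENSSL` and `CURL_USE_GNUTLS`, while the feature line added in the second hunk tests `USE_OPENSSL OR USE_GNUTLS`. The relationship between the two sets of variables is not visible in these hunks. If they can diverge, a configuration could pass the guard yet not list `AppleSecTrust`, or the reverse, so the reported feature set would stop matching how certificates are actually verified. Using the same variables in both places would remove the doubt, for example `if(NOT USE_OPENSSL AND NOT USE_GNUTLS)` if those are already set at that point. The error text spells the backend "Openssl" where the autotools message in this commit uses "OpenSSL"; the enclosing `if(APPLE)` block continues outside the hunk.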
@@ -159,6 +159,13 @@ entry. HTTP Alt-Svc parsing and the associated options (Added in 7.64.1) +## `AppleSecTrust` + +*features* mask bit: non-existent + +libcurl was built with support for Apple's SecTrust service to verify +server certificates (Added in 8.17.0). + ## `AsynchDNS` *features* mask bit: CURL_VERSION_ASYNCHDNS diff --git a/lib/version.c b/lib/version.c index 3798fed6e1..7c9ac12fb9 100644 --- a/lib/version.c +++ b/lib/version.c @@ -523,6 +523,9 @@ static const struct feat features_table[] = { #ifdef USE_LIBPSL FEATURE("PSL", NULL, CURL_VERSION_PSL), #endif +#ifdef USE_APPLE_SECTRUST + FEATURE("AppleSecTrust", NULL, 0), +#endif #ifdef USE_SPNEGO FEATURE("SPNEGO", NULL, CURL_VERSION_SPNEGO), #endif diff --git a/lib/vtls/apple.c b/lib/vtls/apple.c index c96ebe037b..87d5208d73 100644 --- a/lib/vtls/apple.c +++ b/lib/vtls/apple.c @@ -46,16 +46,16 @@ #include "vtls.h" #include "apple.h" -#if defined(USE_SSL) && defined(USE_APPLE_SECTRUST) +#ifdef USE_APPLE_SECTRUST #include -#endif /* USE_SSL && USE_APPLE_SECTRUST */ +#endif /* The last #include files should be: */ #include "../curl_memory.h" #include "../memdebug.h" -#if defined(USE_SSL) && defined(USE_APPLE_SECTRUST) +#ifdef USE_APPLE_SECTRUST #define SSL_SYSTEM_VERIFIER #if (defined(MAC_OS_X_VERSION_MAX_ALLOWED) \ @@ -294,4 +294,4 @@ out: return result; } -#endif /* USE_SSL && USE_APPLE_SECTRUST */ +#endif /* USE_APPLE_SECTRUST */ diff --git a/lib/vtls/apple.h b/lib/vtls/apple.h index c965a449f1..3d84f87822 100644 --- a/lib/vtls/apple.h +++ b/lib/vtls/apple.h @@ -26,7 +26,7 @@ #include "../curl_setup.h" -#if defined(USE_SSL) && defined(USE_APPLE_SECTRUST) +#ifdef USE_APPLE_SECTRUST struct Curl_cfilter; struct Curl_easy; struct ssl_peer; @@ -50,6 +50,6 @@ CURLcode Curl_vtls_apple_verify(struct Curl_cfilter *cf, void *cb_user_data, const unsigned char *ocsp_buf, size_t ocsp_len); -#endif /* USE_SSL && USE_APPLE_SECTRUST */ +#endif /* USE_APPLE_SECTRUST */ #endif /* HEADER_CURL_VTLS_APPLE_H */ 
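Review bot: The `FEATURE("AppleSecTrust", NULL, 0)` entry in lib/version.c is guarded only by `USE_APPLE_SECTRUST`, while the CMake feature line in this same commit also requires `_ssl_enabled AND (USE_OPENSSL OR USE_GNUTLS)`. The runtime feature list can therefore claim native certificate verification in a build where no supported TLS backend is compiled in. The apple.c and apple.h hunks drop `USE_SSL` from their guards in the same way, which leaves the CMake and autotools checks as the only enforcement; a build that defines the macro by hand bypasses both. A compile-time guard would close that gap, e.g. `#if defined(USE_APPLE_SECTRUST) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)` followed by `#error "Apple SecTrust requires OpenSSL or GnuTLS"`. The entry also sits between `PSL` and `SPNEGO` while the documentation hunk lists it before `AsynchDNS`; if `features_table` is meant to stay alphabetical it belongs near the top, though the table runs beyond the hunk so that cannot be confirmed from here.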
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index b715dab035..7ee9699dbf 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -80,7 +80,7 @@ #ifdef USE_APPLE_SECTRUST #include -#endif /* USE_APPLE_SECTRUST */ +#endif /* The last #include files should be: */ #include "../curl_memory.h" diff --git a/m4/curl-apple-sectrust.m4 b/m4/curl-apple-sectrust.m4 index 792f719d38..7ed2aa1e5b 100644 --- a/m4/curl-apple-sectrust.m4 +++ b/m4/curl-apple-sectrust.m4 @@ -41,7 +41,10 @@ if test "x$OPT_APPLE_SECTRUST" = xyes; then ],[ build_for_apple="no" ]) - if test "x$build_for_apple" != "xno"; then + if test "x$build_for_apple" == "xno"; then + AC_MSG_ERROR([Apple SecTrust can only be enabled for Apple OS targets]) + fi + if test "x$OPENSSL_ENABLED" == "x1" -o "x$GNUTLS_ENABLED" == "x1"; then AC_MSG_RESULT(yes) AC_DEFINE(USE_APPLE_SECTRUST, 1, [enable Apple OS certificate validation]) APPLE_SECTRUST_ENABLED=1 @@ -49,7 +52,7 @@ if test "x$OPT_APPLE_SECTRUST" = xyes; then LDFLAGS="$LDFLAGS $APPLE_SECTRUST_LDFLAGS" LDFLAGSPC="$LDFLAGSPC $APPLE_SECTRUST_LDFLAGS" else - AC_MSG_RESULT(no) + AC_MSG_ERROR([Apple SecTrust is only supported for OpenSSL/GnuTLS builds]) fi else AC_MSG_RESULT(no)
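Review bot: Both new conditions in m4/curl-apple-sectrust.m4 use `==` inside `test`, which POSIX does not define; the unchanged `if test "x$OPT_APPLE_SECTRUST" = xyes` in the hunk header uses `=`. Under a `/bin/sh` whose `test` rejects `==`, each comparison returns an error status, so the non-Apple target check is silently skipped. The script then falls into the `else` branch and reports "only supported for OpenSSL/GnuTLS builds" even when one of those backends is enabled. Write them as `if test "x$build_for_apple" = "xno"; then` and `if test "x$OPENSSL_ENABLED" = "x1" || test "x$GNUTLS_ENABLED" = "x1"; then`, which also avoids the obsolescent `-o`. The second test further assumes `OPENSSL_ENABLED` and `GNUTLS_ENABLED` are already set when this macro runs, which these hunks do not show.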