From 8b42df3eb1dee2297dc7056d59f1b646cf9aa2a0 Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Tue, 10 Sep 2024 03:23:33 +0200 Subject: [PATCH] src: tidy-up conditions for CA bundle search - delete redundant Schannel check. - move `feature_ssl` check one level up from `FindWin32CACert()`. - check `feature_ssl` early to skip a bunch of CA bundle search logic for no-ssl configurations. Reviewed-by: Jay Satiro Closes #14841 --- src/tool_doswin.c | 49 ++++++++++++++++++++-------------------------- src/tool_doswin.h | 1 - src/tool_operate.c | 6 +++--- 3 files changed, 24 insertions(+), 32 deletions(-) diff --git a/src/tool_doswin.c b/src/tool_doswin.c index 1bb3e948e7..fd9325476d 100644 --- a/src/tool_doswin.c +++ b/src/tool_doswin.c @@ -600,7 +600,12 @@ char **__crt0_glob_function(char *arg) #ifdef _WIN32 -/* +/* Search and set the CA cert file for Windows. + * + * Do not call this function if Schannel is the selected SSL backend. We allow + * setting CA location for Schannel only when explicitly specified by the user + * via CURLOPT_CAINFO / --cacert. + * * Function to find CACert bundle on a Win32 platform using SearchPath. * (SearchPath is already declared via inclusions done in setup header file) * (Use the ASCII version instead of the Unicode one!) 
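Review bot: The new header comment documents the Schannel precondition but not the other precondition this commit moves to the caller: FindWin32CACert() no longer tests `feature_ssl`, so on a non-UWP build a caller that skips that check would still run the SearchPath lookup and overwrite config->cacert. Suggest adding one line after the Schannel paragraph: ` * The caller must also verify feature_ssl first; this function no longer does.` The older "Function to find CACert bundle ..." sentence now reads as a second opening line; it could be folded into the new first sentence.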
@@ -614,42 +619,30 @@ char **__crt0_glob_function(char *arg) * For WinXP and later search order actually depends on registry value: * HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeProcessSearchMode */ - CURLcode FindWin32CACert(struct OperationConfig *config, - curl_sslbackend backend, const TCHAR *bundle_file) { CURLcode result = CURLE_OK; #ifdef CURL_WINDOWS_UWP (void)config; - (void)backend; (void)bundle_file; #else - /* Search and set cert file only if libcurl supports SSL. - * - * If Schannel is the selected SSL backend then these locations are - * ignored. We allow setting CA location for schannel only when explicitly - * specified by the user via CURLOPT_CAINFO / --cacert. - */ - if(feature_ssl && backend != CURLSSLBACKEND_SCHANNEL) { - - DWORD res_len; - TCHAR buf[PATH_MAX]; - TCHAR *ptr = NULL; - - buf[0] = TEXT('\0'); - - res_len = SearchPath(NULL, bundle_file, NULL, PATH_MAX, buf, &ptr); - if(res_len > 0) { - char *mstr = curlx_convert_tchar_to_UTF8(buf); - Curl_safefree(config->cacert); - if(mstr) - config->cacert = strdup(mstr); - curlx_unicodefree(mstr); - if(!config->cacert) - result = CURLE_OUT_OF_MEMORY; - } + DWORD res_len; + TCHAR buf[PATH_MAX]; + TCHAR *ptr = NULL; + + buf[0] = TEXT('\0'); + + res_len = SearchPath(NULL, bundle_file, NULL, PATH_MAX, buf, &ptr); + if(res_len > 0) { + char *mstr = curlx_convert_tchar_to_UTF8(buf); + Curl_safefree(config->cacert); + if(mstr) + config->cacert = strdup(mstr); + curlx_unicodefree(mstr); + if(!config->cacert) + result = CURLE_OUT_OF_MEMORY; } #endif diff --git a/src/tool_doswin.h b/src/tool_doswin.h index e07d89d959..f16fc33ac8 100644 --- a/src/tool_doswin.h +++ b/src/tool_doswin.h @@ -60,7 +60,6 @@ char **__crt0_glob_function(char *arg); #ifdef _WIN32 CURLcode FindWin32CACert(struct OperationConfig *config, - curl_sslbackend backend, const TCHAR *bundle_file); struct curl_slist *GetLoadedModulePaths(void); CURLcode win32_init(void); 
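Review bot: The re-indented `if(res_len > 0)` still treats a too-small buffer as success: when the found path does not fit, SearchPath returns the required length, which is larger than the PATH_MAX passed as nBufferLength, and buf is then not guaranteed to hold a complete path, so a truncated or empty string can be converted and stored as config->cacert. Tighten it to `if(res_len > 0 && res_len < PATH_MAX) {` so only a path fully written into buf is accepted. The defect predates this commit, but the lines are rewritten on the new side here, which is the moment to fix it. FindWin32CACert()'s body continues past the hunk; the final return is outside it.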
diff --git a/src/tool_operate.c b/src/tool_operate.c index 86cd483a84..c8ea8ed458 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c @@ -3014,7 +3014,8 @@ static CURLcode transfer_per_config(struct GlobalConfig *global, * too. Just for the sake of it. */ capath_from_env = false; - if(!config->cacert && + if(feature_ssl && + !config->cacert && !config->capath && (!config->insecure_ok || (config->doh_url && !config->doh_insecure_ok))) { CURL *curltls = curl_easy_init(); @@ -3079,8 +3080,7 @@ static CURLcode transfer_per_config(struct GlobalConfig *global, #ifdef _WIN32 if(!env) - result = FindWin32CACert(config, tls_backend_info->backend, - TEXT("curl-ca-bundle.crt")); + result = FindWin32CACert(config, TEXT("curl-ca-bundle.crt")); #endif } curl_easy_cleanup(curltls); -- 2.47.3
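Review bot: With the Schannel test removed from the callee, the second hunk's call `result = FindWin32CACert(config, TEXT("curl-ca-bundle.crt"));` is correct only if the enclosing condition, which begins outside this hunk, already excludes CURLSSLBACKEND_SCHANNEL; the new callee comment asks callers to guarantee that, but nothing at the call site records it. Suggest a comment above the `if(!env)` line: `/* Schannel is excluded by the enclosing backend check; FindWin32CACert() no longer tests it */`. The first hunk's `feature_ssl &&` guard is placed first in the condition, so the `curl_easy_init()` and the rest of the search are skipped for no-SSL builds, which matches the commit description; transfer_per_config() extends well beyond both hunks.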