diff options
| author | Vincent Sanders <vince@kyllikki.org> | 2019-09-30 23:57:49 +0100 |
|---|---|---|
| committer | Vincent Sanders <vince@kyllikki.org> | 2019-09-30 23:57:49 +0100 |
| commit | 0a3786fed26a7532e2256b4a36eff8ec2bde8803 (patch) | |
| tree | 2bd45a08a6ccb307efa9c009ace0503ce7f232be /content/fetchers | |
| parent | 1dd9f4f2e44b17d38c5b109b573e3eb17c13420b (diff) | |
| download | netsurf-0a3786fed26a7532e2256b4a36eff8ec2bde8803.tar.gz netsurf-0a3786fed26a7532e2256b4a36eff8ec2bde8803.tar.bz2 | |
Allow the curl fetcher to be built without openssl.
The curl fetcher can operate without openssl library being
available, additionaly curl itself may be compiled with a
different TLS library.
In either case this will simply cause the "unknown" error to be
reported for all TLS failiures and page information to lack any
certificate information.
Diffstat (limited to 'content/fetchers')
| -rw-r--r-- | content/fetchers/curl.c | 91 |
1 files changed, 61 insertions, 30 deletions
diff --git a/content/fetchers/curl.c b/content/fetchers/curl.c index 50c5d6473..8e1ebad63 100644 --- a/content/fetchers/curl.c +++ b/content/fetchers/curl.c @@ -38,8 +38,6 @@ #include <strings.h> #include <time.h> #include <sys/stat.h> -#include <openssl/ssl.h> -#include <openssl/x509v3.h> #include <libwapcaplet/libwapcaplet.h> #include <nsutils/time.h> @@ -62,10 +60,14 @@ #include "content/fetchers/curl.h" #include "content/urldb.h" -/** maximum number of progress notifications per second */ +/** + * maximum number of progress notifications per second + */ #define UPDATES_PER_SECOND 2 -/* the ciphersuites we are willing to use */ +/** + * The ciphersuites the browser is prepared to use + */ #define CIPHER_LIST \ /* disable everything */ \ "-ALL:" \ @@ -80,6 +82,46 @@ /* Remove any PFS suites using weak DSA key exchange */ \ "-DSS" +/* Open SSL compatability for certificate handling */ +#ifdef WITH_OPENSSL + +#include <openssl/ssl.h> +#include <openssl/x509v3.h> + +/* OpenSSL 1.0.x to 1.1.0 certificate reference counting changed + * LibreSSL declares its OpenSSL version as 2.1 but only supports the old way + */ +#if (defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x1010000fL)) +static int ns_X509_up_ref(X509 *cert) +{ + cert->references++; + return 1; +} + +static void ns_X509_free(X509 *cert) +{ + cert->references--; + if (cert->references == 0) { + X509_free(cert); + } +} +#else +#define ns_X509_up_ref X509_up_ref +#define ns_X509_free X509_free +#endif + +#else /* WITH_OPENSSL */ + +typedef char X509; + +static void ns_X509_free(X509 *cert) +{ + free(cert); +} + +#endif /* WITH_OPENSSL */ + + /** SSL certificate info */ struct cert_info { X509 *cert; /**< Pointer to certificate */ @@ -107,7 +149,7 @@ struct curl_fetch_info { struct curl_httppost *post_multipart; /**< Multipart post data, or 0. */ uint64_t last_progress_update; /**< Time of last progress update */ int cert_depth; /**< deepest certificate in use */ - struct cert_info cert_data[MAX_SSL_CERTS]; /**< HTTPS certificate data */ + struct cert_info cert_data[MAX_SSL_CERTS]; /**< HTTPS certificate data */ }; /** curl handle cache entry */ @@ -144,28 +186,6 @@ static char fetch_proxy_userpwd[100]; static bool inside_curl = false; -/* OpenSSL 1.0.x to 1.1.0 certificate reference counting changed - * LibreSSL declares its OpenSSL version as 2.1 but only supports the old way - */ -#if (defined(LIBRESSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x1010000fL)) -static int ns_X509_up_ref(X509 *cert) -{ - cert->references++; - return 1; -} - -static void ns_X509_free(X509 *cert) -{ - cert->references--; - if (cert->references == 0) { - X509_free(cert); - } -} -#else -#define ns_X509_up_ref X509_up_ref -#define ns_X509_free X509_free -#endif - /** * Initialise a cURL fetcher. */ @@ -375,7 +395,7 @@ fetch_curl_setup(struct fetch *parent_fetch, } fetch->last_progress_update = 0; - /* TLS defaults */ + /* Clear certificate chain data */ memset(fetch->cert_data, 0, sizeof(fetch->cert_data)); fetch->cert_depth = -1; @@ -443,6 +463,8 @@ failed: } +#ifdef WITH_OPENSSL + /** * Report the certificate information in the fetch to the users */ @@ -768,6 +790,9 @@ fetch_curl_sslctxfun(CURL *curl_handle, void *_sslctx, void *parm) } +#endif /* WITH_OPENSSL */ + + /** * Set options specific for a fetch. * @@ -866,10 +891,12 @@ static CURLcode fetch_curl_set_options(struct curl_fetch_info *f) /* do verification */ SETOPT(CURLOPT_SSL_VERIFYPEER, 1L); SETOPT(CURLOPT_SSL_VERIFYHOST, 2L); +#ifdef WITH_OPENSSL if (curl_with_openssl) { SETOPT(CURLOPT_SSL_CTX_FUNCTION, fetch_curl_sslctxfun); SETOPT(CURLOPT_SSL_CTX_DATA, f); } +#endif } return CURLE_OK; @@ -1634,7 +1661,6 @@ nserror fetch_curl_register(void) SETOPT(CURLOPT_LOW_SPEED_TIME, 180L); SETOPT(CURLOPT_NOSIGNAL, 1L); SETOPT(CURLOPT_CONNECTTIMEOUT, nsoption_uint(curl_fetch_timeout)); - SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST); if (nsoption_charp(ca_bundle) && strcmp(nsoption_charp(ca_bundle), "")) { @@ -1648,11 +1674,16 @@ nserror fetch_curl_register(void) } /* Detect whether the SSL CTX function API works */ - curl_with_openssl = true; code = curl_easy_setopt(fetch_blank_curl, CURLOPT_SSL_CTX_FUNCTION, NULL); if (code != CURLE_OK) { curl_with_openssl = false; + } else { + /* only set the cipher list with openssl otherwise the + * fetch fails with "Unknown cipher in list" + */ + SETOPT(CURLOPT_SSL_CIPHER_LIST, CIPHER_LIST); + curl_with_openssl = true; } NSLOG(netsurf, INFO, "cURL %slinked against openssl", |