Diffstat (limited to 'Utilities/cmcurl/lib/vtls/wolfssl.c')
-rw-r--r--Utilities/cmcurl/lib/vtls/wolfssl.c179
1 files changed, 97 insertions, 82 deletions
diff --git a/Utilities/cmcurl/lib/vtls/wolfssl.c b/Utilities/cmcurl/lib/vtls/wolfssl.c
index 7b2a124e4..e1fa45926 100644
--- a/Utilities/cmcurl/lib/vtls/wolfssl.c
+++ b/Utilities/cmcurl/lib/vtls/wolfssl.c
@@ -5,11 +5,11 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
- * are also available at https://curl.haxx.se/docs/copyright.html.
+ * are also available at https://curl.se/docs/copyright.html.
*
* You may opt to use, copy, modify, merge, publish, distribute and/or sell
* copies of the Software, and permit persons to whom the Software is
@@ -217,11 +217,10 @@ static int do_file_type(const char *type)
* layer and do all necessary magic.
*/
static CURLcode
-wolfssl_connect_step1(struct connectdata *conn,
+wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
char *ciphers;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
SSL_METHOD* req_method = NULL;
@@ -256,7 +255,7 @@ wolfssl_connect_step1(struct connectdata *conn,
use_sni(TRUE);
break;
case CURL_SSLVERSION_TLSv1_0:
-#ifdef WOLFSSL_ALLOW_TLSV10
+#if defined(WOLFSSL_ALLOW_TLSV10) && !defined(NO_OLD_TLS)
req_method = TLSv1_client_method();
use_sni(TRUE);
#else
@@ -265,8 +264,13 @@ wolfssl_connect_step1(struct connectdata *conn,
#endif
break;
case CURL_SSLVERSION_TLSv1_1:
+#ifndef NO_OLD_TLS
req_method = TLSv1_1_client_method();
use_sni(TRUE);
+#else
+ failf(data, "wolfSSL does not support TLS 1.1");
+ return CURLE_NOT_BUILT_IN;
+#endif
break;
case CURL_SSLVERSION_TLSv1_2:
req_method = TLSv1_2_client_method();
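Review bot: The new `NO_OLD_TLS` error text at the `failf` in the `CURL_SSLVERSION_TLSv1_1` case reads as a general library limitation, while the guard it sits under is a build-time configuration of this particular wolfSSL; an operator seeing "wolfSSL does not support TLS 1.1" may not realise a rebuild would fix it. Suggest `failf(data, "wolfSSL was built without TLS 1.1 support");`, and the same wording for the TLS 1.0 `#else` branch in the preceding hunk if its message is phrased the same way (that branch's text is outside this view). The enclosing `switch` and wolfssl_connect_step1 continue outside the hunk.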
@@ -353,8 +357,8 @@ wolfssl_connect_step1(struct connectdata *conn,
SSL_CONN_CONFIG(CApath))) {
if(SSL_CONN_CONFIG(verifypeer)) {
/* Fail if we insist on successfully verifying the server. */
- failf(data, "error setting certificate verify locations:\n"
- " CAfile: %s\n CApath: %s",
+ failf(data, "error setting certificate verify locations:"
+ " CAfile: %s CApath: %s",
SSL_CONN_CONFIG(CAfile)?
SSL_CONN_CONFIG(CAfile): "none",
SSL_CONN_CONFIG(CApath)?
@@ -372,21 +376,19 @@ wolfssl_connect_step1(struct connectdata *conn,
/* Everything is fine. */
infof(data, "successfully set certificate verify locations:\n");
}
- infof(data,
- " CAfile: %s\n"
- " CApath: %s\n",
- SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
- "none",
- SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath):
- "none");
+ infof(data, " CAfile: %s\n",
+ SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile) : "none");
+ infof(data, " CApath: %s\n",
+ SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath) : "none");
}
/* Load the client certificate, and private key */
- if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
+ if(SSL_SET_OPTION(primary.clientcert) && SSL_SET_OPTION(key)) {
int file_type = do_file_type(SSL_SET_OPTION(cert_type));
- if(SSL_CTX_use_certificate_file(backend->ctx, SSL_SET_OPTION(cert),
- file_type) != 1) {
+ if(SSL_CTX_use_certificate_file(backend->ctx,
+ SSL_SET_OPTION(primary.clientcert),
+ file_type) != 1) {
failf(data, "unable to use client certificate (no key or wrong pass"
" phrase?)");
return CURLE_SSL_CONNECT_ERROR;
@@ -502,16 +504,23 @@ wolfssl_connect_step1(struct connectdata *conn,
}
#endif /* OPENSSL_EXTRA */
+#ifdef HAVE_SECURE_RENEGOTIATION
+ if(wolfSSL_UseSecureRenegotiation(backend->handle) != SSL_SUCCESS) {
+ failf(data, "SSL: failed setting secure renegotiation");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+#endif /* HAVE_SECURE_RENEGOTIATION */
+
/* Check if there's a cached ID we can/should use here! */
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "SSL: SSL_set_session failed: %s",
ERR_error_string(SSL_get_error(backend->handle, 0),
error_buffer));
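Review bot: The new `HAVE_SECURE_RENEGOTIATION` block carries no comment saying what is being enabled or why a failure is fatal, which matters because the rest of this function tolerates several optional features. A short note above the call would help: `/* request the RFC 5746 renegotiation_info extension; a failure here comes from the local wolfSSL call, not the peer, so abort the connect rather than proceed without it */`. The failure path returns before the session-id lock below is taken, so no unlock is needed there. wolfssl_connect_step1 continues outside the hunk.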
@@ -520,7 +529,7 @@ wolfssl_connect_step1(struct connectdata *conn,
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
/* pass the raw socket into the SSL layer */
@@ -535,11 +544,10 @@ wolfssl_connect_step1(struct connectdata *conn,
static CURLcode
-wolfssl_connect_step2(struct connectdata *conn,
+wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
int ret = -1;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
#ifndef CURL_DISABLE_PROXY
@@ -610,7 +618,7 @@ wolfssl_connect_step2(struct connectdata *conn,
* as also mismatching CN fields */
else if(DOMAIN_NAME_MISMATCH == detail) {
#if 1
- failf(data, "\tsubject alt name(s) or common name do not match \"%s\"\n",
+ failf(data, "\tsubject alt name(s) or common name do not match \"%s\"",
dispname);
return CURLE_PEER_FAILED_VERIFICATION;
#else
@@ -637,7 +645,7 @@ wolfssl_connect_step2(struct connectdata *conn,
#if LIBWOLFSSL_VERSION_HEX >= 0x02007000 /* 2.7.0 */
else if(ASN_NO_SIGNER_E == detail) {
if(SSL_CONN_CONFIG(verifypeer)) {
- failf(data, "\tCA signer not available for verification\n");
+ failf(data, "\tCA signer not available for verification");
return CURLE_SSL_CACERT_BADFILE;
}
else {
@@ -725,7 +733,7 @@ wolfssl_connect_step2(struct connectdata *conn,
else
infof(data, "ALPN, unrecognized protocol %.*s\n", protocol_len,
protocol);
- Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ?
+ Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
}
else if(rc == SSL_ALPN_NOT_FOUND)
@@ -751,11 +759,10 @@ wolfssl_connect_step2(struct connectdata *conn,
static CURLcode
-wolfssl_connect_step3(struct connectdata *conn,
+wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
@@ -768,27 +775,27 @@ wolfssl_connect_step3(struct connectdata *conn,
our_ssl_sessionid = SSL_get_session(backend->handle);
- Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
sockindex));
if(incache) {
if(old_ssl_sessionid != our_ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
- Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ Curl_ssl_delsessionid(data, old_ssl_sessionid);
incache = FALSE;
}
}
if(!incache) {
- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
+ result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
0 /* unknown size */, sockindex);
if(result) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "failed to store ssl session");
return result;
}
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
connssl->connecting_state = ssl_connect_done;
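Review bot: `our_ssl_sessionid` from `SSL_get_session()` is passed to `Curl_ssl_addsessionid()` without a NULL check, so if wolfSSL can return NULL here (for example a build or handshake without a resumable session — to be confirmed against the wolfSSL version in use) a NULL entry would land in the shared cache and trip the `SSL_set_session` failure path in wolfssl_connect_step1 on the next connection. Wrapping the lock…unlock block in `if(our_ssl_sessionid) {` with an `else infof(data, "no session ID to cache\n");` would keep a missing session from poisoning the cache. The OpenSSL-style lock/unlock pairing in the new code is balanced on both exit paths. wolfssl_connect_step3 begins outside the hunk.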
@@ -797,12 +804,13 @@ wolfssl_connect_step3(struct connectdata *conn,
}
-static ssize_t wolfssl_send(struct connectdata *conn,
- int sockindex,
- const void *mem,
- size_t len,
- CURLcode *curlcode)
+static ssize_t wolfssl_send(struct Curl_easy *data,
+ int sockindex,
+ const void *mem,
+ size_t len,
+ CURLcode *curlcode)
{
+ struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -819,7 +827,7 @@ static ssize_t wolfssl_send(struct connectdata *conn,
*curlcode = CURLE_AGAIN;
return -1;
default:
- failf(conn->data, "SSL write: %s, errno %d",
+ failf(data, "SSL write: %s, errno %d",
ERR_error_string(err, error_buffer),
SOCKERRNO);
*curlcode = CURLE_SEND_ERROR;
@@ -829,11 +837,14 @@ static ssize_t wolfssl_send(struct connectdata *conn,
return rc;
}
-static void Curl_wolfssl_close(struct connectdata *conn, int sockindex)
+static void wolfssl_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
+ (void) data;
+
if(backend->handle) {
(void)SSL_shutdown(backend->handle);
SSL_free(backend->handle);
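Review bot: The new `(void) data;` in wolfssl_close puts a space after the cast while the very next statement, `(void)SSL_shutdown(backend->handle);`, and the rest of the file (`(void)ptr;`, `(void)data;` in wolfssl_random) do not. Use `(void)data;` here; the same spacing appears in the new wolfssl_shutdown hunk further down. The body of wolfssl_close continues outside the hunk.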
@@ -845,12 +856,13 @@ static void Curl_wolfssl_close(struct connectdata *conn, int sockindex)
}
}
-static ssize_t wolfssl_recv(struct connectdata *conn,
+static ssize_t wolfssl_recv(struct Curl_easy *data,
int num,
char *buf,
size_t buffersize,
CURLcode *curlcode)
{
+ struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[num];
struct ssl_backend_data *backend = connssl->backend;
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -869,9 +881,8 @@ static ssize_t wolfssl_recv(struct connectdata *conn,
*curlcode = CURLE_AGAIN;
return -1;
default:
- failf(conn->data, "SSL read: %s, errno %d",
- ERR_error_string(err, error_buffer),
- SOCKERRNO);
+ failf(data, "SSL read: %s, errno %d",
+ ERR_error_string(err, error_buffer), SOCKERRNO);
*curlcode = CURLE_RECV_ERROR;
return -1;
}
@@ -880,14 +891,14 @@ static ssize_t wolfssl_recv(struct connectdata *conn,
}
-static void Curl_wolfssl_session_free(void *ptr)
+static void wolfssl_session_free(void *ptr)
{
(void)ptr;
/* wolfSSL reuses sessions on own, no free */
}
-static size_t Curl_wolfssl_version(char *buffer, size_t size)
+static size_t wolfssl_version(char *buffer, size_t size)
{
#if LIBWOLFSSL_VERSION_HEX >= 0x03006000
return msnprintf(buffer, size, "wolfSSL/%s", wolfSSL_lib_version());
@@ -897,7 +908,7 @@ static size_t Curl_wolfssl_version(char *buffer, size_t size)
}
-static int Curl_wolfssl_init(void)
+static int wolfssl_init(void)
{
#ifdef OPENSSL_EXTRA
Curl_tls_keylog_open();
@@ -906,7 +917,7 @@ static int Curl_wolfssl_init(void)
}
-static void Curl_wolfssl_cleanup(void)
+static void wolfssl_cleanup(void)
{
wolfSSL_Cleanup();
#ifdef OPENSSL_EXTRA
@@ -915,8 +926,8 @@ static void Curl_wolfssl_cleanup(void)
}
-static bool Curl_wolfssl_data_pending(const struct connectdata *conn,
- int connindex)
+static bool wolfssl_data_pending(const struct connectdata *conn,
+ int connindex)
{
const struct ssl_connect_data *connssl = &conn->ssl[connindex];
struct ssl_backend_data *backend = connssl->backend;
@@ -931,12 +942,15 @@ static bool Curl_wolfssl_data_pending(const struct connectdata *conn,
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
-static int Curl_wolfssl_shutdown(struct connectdata *conn, int sockindex)
+static int wolfssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
+ (void) data;
+
if(backend->handle) {
SSL_free(backend->handle);
backend->handle = NULL;
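Review bot: wolfssl_shutdown frees the handle without first calling `SSL_shutdown()`, unlike wolfssl_close above, so no TLS close_notify is sent before the socket is kept open for the clear command channel; the commit only changes the signature, but since it touches this function a comment stating the choice would stop the next reader treating it as an oversight: `/* no SSL_shutdown(): the handle is freed without sending close_notify; the socket stays open for CCC */`. Whether the peer tolerates the missing alert is server-dependent and not visible here. The function continues outside the hunk.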
@@ -946,13 +960,13 @@ static int Curl_wolfssl_shutdown(struct connectdata *conn, int sockindex)
static CURLcode
-wolfssl_connect_common(struct connectdata *conn,
+wolfssl_connect_common(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode result;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
int what;
@@ -973,7 +987,7 @@ wolfssl_connect_common(struct connectdata *conn,
return CURLE_OPERATION_TIMEDOUT;
}
- result = wolfssl_connect_step1(conn, sockindex);
+ result = wolfssl_connect_step1(data, conn, sockindex);
if(result)
return result;
}
@@ -1028,7 +1042,7 @@ wolfssl_connect_common(struct connectdata *conn,
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
- result = wolfssl_connect_step2(conn, sockindex);
+ result = wolfssl_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
@@ -1037,7 +1051,7 @@ wolfssl_connect_common(struct connectdata *conn,
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
- result = wolfssl_connect_step3(conn, sockindex);
+ result = wolfssl_connect_step3(data, conn, sockindex);
if(result)
return result;
}
@@ -1058,19 +1072,21 @@ wolfssl_connect_common(struct connectdata *conn,
}
-static CURLcode Curl_wolfssl_connect_nonblocking(struct connectdata *conn,
- int sockindex, bool *done)
+static CURLcode wolfssl_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
+ int sockindex, bool *done)
{
- return wolfssl_connect_common(conn, sockindex, TRUE, done);
+ return wolfssl_connect_common(data, conn, sockindex, TRUE, done);
}
-static CURLcode Curl_wolfssl_connect(struct connectdata *conn, int sockindex)
+static CURLcode wolfssl_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done = FALSE;
- result = wolfssl_connect_common(conn, sockindex, FALSE, &done);
+ result = wolfssl_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
@@ -1079,8 +1095,8 @@ static CURLcode Curl_wolfssl_connect(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
-static CURLcode Curl_wolfssl_random(struct Curl_easy *data,
- unsigned char *entropy, size_t length)
+static CURLcode wolfssl_random(struct Curl_easy *data,
+ unsigned char *entropy, size_t length)
{
WC_RNG rng;
(void)data;
@@ -1095,10 +1111,10 @@ static CURLcode Curl_wolfssl_random(struct Curl_easy *data,
return CURLE_OK;
}
-static CURLcode Curl_wolfssl_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum /* output */,
- size_t unused)
+static CURLcode wolfssl_sha256sum(const unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *sha256sum /* output */,
+ size_t unused)
{
wc_Sha256 SHA256pw;
(void)unused;
@@ -1108,7 +1124,7 @@ static CURLcode Curl_wolfssl_sha256sum(const unsigned char *tmp, /* input */
return CURLE_OK;
}
-static void *Curl_wolfssl_get_internals(struct ssl_connect_data *connssl,
+static void *wolfssl_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
{
struct ssl_backend_data *backend = connssl->backend;
@@ -1126,26 +1142,25 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
sizeof(struct ssl_backend_data),
- Curl_wolfssl_init, /* init */
- Curl_wolfssl_cleanup, /* cleanup */
- Curl_wolfssl_version, /* version */
+ wolfssl_init, /* init */
+ wolfssl_cleanup, /* cleanup */
+ wolfssl_version, /* version */
Curl_none_check_cxn, /* check_cxn */
- Curl_wolfssl_shutdown, /* shutdown */
- Curl_wolfssl_data_pending, /* data_pending */
- Curl_wolfssl_random, /* random */
+ wolfssl_shutdown, /* shutdown */
+ wolfssl_data_pending, /* data_pending */
+ wolfssl_random, /* random */
Curl_none_cert_status_request, /* cert_status_request */
- Curl_wolfssl_connect, /* connect */
- Curl_wolfssl_connect_nonblocking, /* connect_nonblocking */
- Curl_wolfssl_get_internals, /* get_internals */
- Curl_wolfssl_close, /* close_one */
+ wolfssl_connect, /* connect */
+ wolfssl_connect_nonblocking, /* connect_nonblocking */
+ wolfssl_get_internals, /* get_internals */
+ wolfssl_close, /* close_one */
Curl_none_close_all, /* close_all */
- Curl_wolfssl_session_free, /* session_free */
+ wolfssl_session_free, /* session_free */
Curl_none_set_engine, /* set_engine */
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
Curl_none_false_start, /* false_start */
- Curl_none_md5sum, /* md5sum */
- Curl_wolfssl_sha256sum /* sha256sum */
+ wolfssl_sha256sum /* sha256sum */
};
#endif
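Review bot: Removing the `Curl_none_md5sum` entry from the positional initializer of `Curl_ssl_wolfssl` is only correct if `struct Curl_ssl` dropped its `md5sum` member in the same change (not visible here); otherwise `wolfssl_sha256sum` silently shifts into the `md5sum` slot and the compiler may not complain given the similar signatures. If the project's compiler baseline allows it, designated initializers (`.sha256sum = wolfssl_sha256sum,`) would make the table immune to field reordering; failing that, a `/* keep in sync with struct Curl_ssl in vtls.h */` comment above the initializer records the coupling.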