diff options
| author | Curl Upstream <curl-library@lists.haxx.se> | 2022-12-21 07:00:59 (GMT) |
|---|---|---|
| committer | Brad King <brad.king@kitware.com> | 2023-01-27 20:58:30 (GMT) |
| commit | dac458ddbf2b48168779821654a7e69cbd828c14 (patch) | |
| tree | 8191fa2b92ceb3469c8ac5878b4ded3112f5f16c /lib/vtls/bearssl.c | |
| parent | ec122fff08ab9a8e56fb90126ecedb99c759011b (diff) | |
| download | CMake-dac458ddbf2b48168779821654a7e69cbd828c14.zip CMake-dac458ddbf2b48168779821654a7e69cbd828c14.tar.gz CMake-dac458ddbf2b48168779821654a7e69cbd828c14.tar.bz2 | |
curl 2022-12-21 (c12fb3dd)
Code extracted from:
https://github.com/curl/curl.git
at commit c12fb3ddaf48e709a7a4deaa55ec485e4df163ee (curl-7_87_0).
Diffstat (limited to 'lib/vtls/bearssl.c')
| -rw-r--r-- | lib/vtls/bearssl.c | 186 |
1 files changed, 89 insertions, 97 deletions
diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c index 1221ce8..d9c0ce0 100644 --- a/lib/vtls/bearssl.c +++ b/lib/vtls/bearssl.c @@ -32,13 +32,17 @@ #include "sendf.h" #include "inet_pton.h" #include "vtls.h" +#include "vtls_int.h" #include "connect.h" #include "select.h" #include "multiif.h" #include "curl_printf.h" -#include "curl_memory.h" #include "strcase.h" +/* The last #include files should be: */ +#include "curl_memory.h" +#include "memdebug.h" + struct x509_context { const br_x509_class *vtable; br_x509_minimal_context minimal; @@ -566,18 +570,20 @@ static CURLcode bearssl_set_selected_ciphers(struct Curl_easy *data, return CURLE_OK; } -static CURLcode bearssl_connect_step1(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step1(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob); + struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); + const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; const char * const ssl_cafile = /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */ - (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile)); - const char *hostname = SSL_HOST_NAME(); - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const bool verifyhost = SSL_CONN_CONFIG(verifyhost); + (ca_info_blob ? NULL : conn_config->CAfile); + const char *hostname = connssl->hostname; + const bool verifypeer = conn_config->verifypeer; + const bool verifyhost = conn_config->verifyhost; CURLcode ret; unsigned version_min, version_max; #ifdef ENABLE_IPV6 @@ -588,7 +594,7 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, DEBUGASSERT(backend); - switch(SSL_CONN_CONFIG(version)) { + switch(conn_config->version) { case CURL_SSLVERSION_SSLv2: failf(data, "BearSSL does not support SSLv2"); return CURLE_SSL_CONNECT_ERROR; @@ -659,11 +665,11 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, br_ssl_engine_set_buffer(&backend->ctx.eng, backend->buf, sizeof(backend->buf), 1); - if(SSL_CONN_CONFIG(cipher_list)) { + if(conn_config->cipher_list) { /* Override the ciphers as specified. For the default cipher list see the BearSSL source code of br_ssl_client_init_full() */ ret = bearssl_set_selected_ciphers(data, &backend->ctx.eng, - SSL_CONN_CONFIG(cipher_list)); + conn_config->cipher_list); if(ret) return ret; } @@ -674,19 +680,18 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, backend->x509.verifyhost = verifyhost; br_ssl_engine_set_x509(&backend->ctx.eng, &backend->x509.vtable); - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { void *session; Curl_ssl_sessionid_lock(data); - if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE, - &session, NULL, sockindex)) { + if(!Curl_ssl_getsessionid(cf, data, &session, NULL)) { br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); infof(data, "BearSSL: re-using session ID"); } Curl_ssl_sessionid_unlock(data); } - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { int cur = 0; /* NOTE: when adding more protocols here, increase the size of the @@ -696,7 +701,7 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, #ifdef USE_HTTP2 if(data->state.httpwant >= CURL_HTTP_VERSION_2 #ifndef CURL_DISABLE_PROXY - && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy) + && (!Curl_ssl_cf_is_proxy(cf) || !cf->conn->bits.tunnel_proxy) #endif ) { backend->protocols[cur++] = ALPN_H2; @@ -753,17 +758,17 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data, return CURLE_OK; } -static CURLcode bearssl_run_until(struct Curl_easy *data, - struct connectdata *conn, int sockindex, +static CURLcode bearssl_run_until(struct Curl_cfilter *cf, + struct Curl_easy *data, unsigned target) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; - curl_socket_t sockfd = conn->sock[sockindex]; unsigned state; unsigned char *buf; size_t len; ssize_t ret; + CURLcode result; int err; DEBUGASSERT(backend); @@ -802,48 +807,37 @@ static CURLcode bearssl_run_until(struct Curl_easy *data, return CURLE_OK; if(state & BR_SSL_SENDREC) { buf = br_ssl_engine_sendrec_buf(&backend->ctx.eng, &len); - ret = swrite(sockfd, buf, len); - if(ret == -1) { - if(SOCKERRNO == EAGAIN || SOCKERRNO == EWOULDBLOCK) { - if(connssl->state != ssl_connection_complete) - connssl->connecting_state = ssl_connect_2_writing; - return CURLE_AGAIN; - } - return CURLE_WRITE_ERROR; + ret = Curl_conn_cf_send(cf->next, data, (char *)buf, len, &result); + if(ret <= 0) { + return result; } br_ssl_engine_sendrec_ack(&backend->ctx.eng, ret); } else if(state & BR_SSL_RECVREC) { buf = br_ssl_engine_recvrec_buf(&backend->ctx.eng, &len); - ret = sread(sockfd, buf, len); + ret = Curl_conn_cf_recv(cf->next, data, (char *)buf, len, &result); if(ret == 0) { failf(data, "SSL: EOF without close notify"); return CURLE_READ_ERROR; } - if(ret == -1) { - if(SOCKERRNO == EAGAIN || SOCKERRNO == EWOULDBLOCK) { - if(connssl->state != ssl_connection_complete) - connssl->connecting_state = ssl_connect_2_reading; - return CURLE_AGAIN; - } - return CURLE_READ_ERROR; + if(ret <= 0) { + return result; } br_ssl_engine_recvrec_ack(&backend->ctx.eng, ret); } } } -static CURLcode bearssl_connect_step2(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step2(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; CURLcode ret; DEBUGASSERT(backend); - ret = bearssl_run_until(data, conn, sockindex, - BR_SSL_SENDAPP | BR_SSL_RECVAPP); + ret = bearssl_run_until(cf, data, BR_SSL_SENDAPP | BR_SSL_RECVAPP); if(ret == CURLE_AGAIN) return CURLE_OK; if(ret == CURLE_OK) { @@ -856,17 +850,18 @@ static CURLcode bearssl_connect_step2(struct Curl_easy *data, return ret; } -static CURLcode bearssl_connect_step3(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step3(struct Curl_cfilter *cf, + struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; + struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data); CURLcode ret; DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); DEBUGASSERT(backend); - if(conn->bits.tls_enable_alpn) { + if(cf->conn->bits.tls_enable_alpn) { const char *protocol; protocol = br_ssl_engine_get_selected_protocol(&backend->ctx.eng); @@ -875,21 +870,21 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, #ifdef USE_HTTP2 if(!strcmp(protocol, ALPN_H2)) - conn->alpn = CURL_HTTP_VERSION_2; + cf->conn->alpn = CURL_HTTP_VERSION_2; else #endif if(!strcmp(protocol, ALPN_HTTP_1_1)) - conn->alpn = CURL_HTTP_VERSION_1_1; + cf->conn->alpn = CURL_HTTP_VERSION_1_1; else infof(data, "ALPN, unrecognized protocol %s", protocol); - Curl_multiuse_state(data, conn->alpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else infof(data, VTLS_INFOF_NO_ALPN); } - if(SSL_SET_OPTION(primary.sessionid)) { + if(ssl_config->primary.sessionid) { bool incache; bool added = FALSE; void *oldsession; @@ -900,14 +895,10 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, return CURLE_OUT_OF_MEMORY; br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); Curl_ssl_sessionid_lock(data); - incache = !(Curl_ssl_getsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - &oldsession, NULL, sockindex)); + incache = !(Curl_ssl_getsessionid(cf, data, &oldsession, NULL)); if(incache) Curl_ssl_delsessionid(data, oldsession); - ret = Curl_ssl_addsessionid(data, conn, - SSL_IS_PROXY() ? TRUE : FALSE, - session, 0, sockindex, &added); + ret = Curl_ssl_addsessionid(cf, data, session, 0, &added); Curl_ssl_sessionid_unlock(data); if(!added) free(session); @@ -921,11 +912,10 @@ static CURLcode bearssl_connect_step3(struct Curl_easy *data, return CURLE_OK; } -static ssize_t bearssl_send(struct Curl_easy *data, int sockindex, +static ssize_t bearssl_send(struct Curl_cfilter *cf, struct Curl_easy *data, const void *buf, size_t len, CURLcode *err) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; unsigned char *app; size_t applen; @@ -933,7 +923,7 @@ static ssize_t bearssl_send(struct Curl_easy *data, int sockindex, DEBUGASSERT(backend); for(;;) { - *err = bearssl_run_until(data, conn, sockindex, BR_SSL_SENDAPP); + *err = bearssl_run_until(cf, data, BR_SSL_SENDAPP); if (*err != CURLE_OK) return -1; app = br_ssl_engine_sendapp_buf(&backend->ctx.eng, &applen); @@ -956,18 +946,17 @@ static ssize_t bearssl_send(struct Curl_easy *data, int sockindex, } } -static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex, +static ssize_t bearssl_recv(struct Curl_cfilter *cf, struct Curl_easy *data, char *buf, size_t len, CURLcode *err) { - struct connectdata *conn = data->conn; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; unsigned char *app; size_t applen; DEBUGASSERT(backend); - *err = bearssl_run_until(data, conn, sockindex, BR_SSL_RECVAPP); + *err = bearssl_run_until(cf, data, BR_SSL_RECVAPP); if(*err != CURLE_OK) return -1; app = br_ssl_engine_recvapp_buf(&backend->ctx.eng, &applen); @@ -981,15 +970,14 @@ static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex, return applen; } -static CURLcode bearssl_connect_common(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, +static CURLcode bearssl_connect_common(struct Curl_cfilter *cf, + struct Curl_easy *data, bool nonblocking, bool *done) { CURLcode ret; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - curl_socket_t sockfd = conn->sock[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; + curl_socket_t sockfd = cf->conn->sock[cf->sockindex]; timediff_t timeout_ms; int what; @@ -1000,7 +988,7 @@ static CURLcode bearssl_connect_common(struct Curl_easy *data, } if(ssl_connect_1 == connssl->connecting_state) { - ret = bearssl_connect_step1(data, conn, sockindex); + ret = bearssl_connect_step1(cf, data); if(ret) return ret; } @@ -1053,7 +1041,7 @@ static CURLcode bearssl_connect_common(struct Curl_easy *data, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - ret = bearssl_connect_step2(data, conn, sockindex); + ret = bearssl_connect_step2(cf, data); if(ret || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1062,15 +1050,13 @@ static CURLcode bearssl_connect_common(struct Curl_easy *data, } if(ssl_connect_3 == connssl->connecting_state) { - ret = bearssl_connect_step3(data, conn, sockindex); + ret = bearssl_connect_step3(cf, data); if(ret) return ret; } if(ssl_connect_done == connssl->connecting_state) { connssl->state = ssl_connection_complete; - conn->recv[sockindex] = bearssl_recv; - conn->send[sockindex] = bearssl_send; *done = TRUE; } else @@ -1087,13 +1073,14 @@ static size_t bearssl_version(char *buffer, size_t size) return msnprintf(buffer, size, "BearSSL"); } -static bool bearssl_data_pending(const struct connectdata *conn, - int connindex) +static bool bearssl_data_pending(struct Curl_cfilter *cf, + const struct Curl_easy *data) { - const struct ssl_connect_data *connssl = &conn->ssl[connindex]; - struct ssl_backend_data *backend = connssl->backend; - DEBUGASSERT(backend); - return br_ssl_engine_current_state(&backend->ctx.eng) & BR_SSL_RECVAPP; + struct ssl_connect_data *ctx = cf->ctx; + + (void)data; + DEBUGASSERT(ctx && ctx->backend); + return br_ssl_engine_current_state(&ctx->backend->ctx.eng) & BR_SSL_RECVAPP; } static CURLcode bearssl_random(struct Curl_easy *data UNUSED_PARAM, @@ -1116,13 +1103,13 @@ static CURLcode bearssl_random(struct Curl_easy *data UNUSED_PARAM, return CURLE_OK; } -static CURLcode bearssl_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect(struct Curl_cfilter *cf, + struct Curl_easy *data) { CURLcode ret; bool done = FALSE; - ret = bearssl_connect_common(data, conn, sockindex, FALSE, &done); + ret = bearssl_connect_common(cf, data, FALSE, &done); if(ret) return ret; @@ -1131,11 +1118,11 @@ static CURLcode bearssl_connect(struct Curl_easy *data, return CURLE_OK; } -static CURLcode bearssl_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode bearssl_connect_nonblocking(struct Curl_cfilter *cf, + struct Curl_easy *data, + bool *done) { - return bearssl_connect_common(data, conn, sockindex, TRUE, done); + return bearssl_connect_common(cf, data, TRUE, done); } static void *bearssl_get_internals(struct ssl_connect_data *connssl, @@ -1146,22 +1133,24 @@ static void *bearssl_get_internals(struct ssl_connect_data *connssl, return &backend->ctx; } -static void bearssl_close(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static void bearssl_close(struct Curl_cfilter *cf, struct Curl_easy *data) { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + struct ssl_connect_data *connssl = cf->ctx; struct ssl_backend_data *backend = connssl->backend; size_t i; DEBUGASSERT(backend); if(backend->active) { + backend->active = FALSE; br_ssl_engine_close(&backend->ctx.eng); - (void)bearssl_run_until(data, conn, sockindex, BR_SSL_CLOSED); + (void)bearssl_run_until(cf, data, BR_SSL_CLOSED); + } + if(backend->anchors) { + for(i = 0; i < backend->anchors_len; ++i) + free(backend->anchors[i].dn.data); + Curl_safefree(backend->anchors); } - for(i = 0; i < backend->anchors_len; ++i) - free(backend->anchors[i].dn.data); - free(backend->anchors); } static void bearssl_session_free(void *ptr) @@ -1184,7 +1173,7 @@ static CURLcode bearssl_sha256sum(const unsigned char *input, const struct Curl_ssl Curl_ssl_bearssl = { { CURLSSLBACKEND_BEARSSL, "bearssl" }, /* info */ - SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX, + SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX | SSLSUPP_HTTPS_PROXY, sizeof(struct ssl_backend_data), Curl_none_init, /* init */ @@ -1197,7 +1186,7 @@ const struct Curl_ssl Curl_ssl_bearssl = { Curl_none_cert_status_request, /* cert_status_request */ bearssl_connect, /* connect */ bearssl_connect_nonblocking, /* connect_nonblocking */ - Curl_ssl_getsock, /* getsock */ + Curl_ssl_get_select_socks, /* getsock */ bearssl_get_internals, /* get_internals */ bearssl_close, /* close_one */ Curl_none_close_all, /* close_all */ @@ -1208,7 +1197,10 @@ const struct Curl_ssl Curl_ssl_bearssl = { Curl_none_false_start, /* false_start */ bearssl_sha256sum, /* sha256sum */ NULL, /* associate_connection */ - NULL /* disassociate_connection */ + NULL, /* disassociate_connection */ + NULL, /* free_multi_ssl_backend_data */ + bearssl_recv, /* recv decrypted data */ + bearssl_send, /* send data to encrypt */ }; #endif /* USE_BEARSSL */ |