diff options
| author | Curl Upstream <curl-library@cool.haxx.se> | 2021-02-03 07:02:36 (GMT) |
|---|---|---|
| committer | Brad King <brad.king@kitware.com> | 2021-02-03 16:49:32 (GMT) |
| commit | 076b3219f58ca16afa52fe095019a05537ade0f3 (patch) | |
| tree | f9ea493f94ce5afb8792e1ab4a040cea7eba4aed /lib/vtls | |
| parent | 5aacc593a961fe9ee1427c03d18fba8947a9e33d (diff) | |
| download | CMake-076b3219f58ca16afa52fe095019a05537ade0f3.zip CMake-076b3219f58ca16afa52fe095019a05537ade0f3.tar.gz CMake-076b3219f58ca16afa52fe095019a05537ade0f3.tar.bz2 | |
curl 2021-02-03 (2f33be81)
Code extracted from:
https://github.com/curl/curl.git
at commit 2f33be817cbce6ad7a36f27dd7ada9219f13584c (curl-7_75_0).
Diffstat (limited to 'lib/vtls')
| -rw-r--r-- | lib/vtls/bearssl.c | 138 | ||||
| -rw-r--r-- | lib/vtls/gskit.c | 112 | ||||
| -rw-r--r-- | lib/vtls/gtls.c | 181 | ||||
| -rw-r--r-- | lib/vtls/mbedtls.c | 138 | ||||
| -rw-r--r-- | lib/vtls/mesalink.c | 115 | ||||
| -rw-r--r-- | lib/vtls/nss.c | 238 | ||||
| -rw-r--r-- | lib/vtls/openssl.c | 313 | ||||
| -rw-r--r-- | lib/vtls/schannel.c | 234 | ||||
| -rw-r--r-- | lib/vtls/schannel.h | 5 | ||||
| -rw-r--r-- | lib/vtls/schannel_verify.c | 21 | ||||
| -rw-r--r-- | lib/vtls/sectransp.c | 157 | ||||
| -rw-r--r-- | lib/vtls/vtls.c | 185 | ||||
| -rw-r--r-- | lib/vtls/vtls.h | 58 | ||||
| -rw-r--r-- | lib/vtls/wolfssl.c | 155 |
14 files changed, 1001 insertions, 1049 deletions
diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c index b0c3dc2..29b08c0 100644 --- a/lib/vtls/bearssl.c +++ b/lib/vtls/bearssl.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2019 - 2020, Michael Forney, <mforney@mforney.org> + * Copyright (C) 2019 - 2021, Michael Forney, <mforney@mforney.org> * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -294,9 +294,9 @@ static const br_x509_class x509_vtable = { x509_get_pkey }; -static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); @@ -349,8 +349,8 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) ret = load_cafile(ssl_cafile, &backend->anchors, &backend->anchors_len); if(ret != CURLE_OK) { if(verifypeer) { - failf(data, "error setting certificate verify locations:\n" - " CAfile: %s\n", ssl_cafile); + failf(data, "error setting certificate verify locations." + " CAfile: %s", ssl_cafile); return ret; } infof(data, "error setting certificate verify locations," @@ -374,12 +374,12 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) if(SSL_SET_OPTION(primary.sessionid)) { void *session; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) { br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); infof(data, "BearSSL: re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } if(conn->bits.tls_enable_alpn) { @@ -429,10 +429,10 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) return CURLE_OK; } -static CURLcode bearssl_run_until(struct connectdata *conn, int sockindex, +static CURLcode bearssl_run_until(struct Curl_easy *data, + struct connectdata *conn, int sockindex, unsigned target) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; curl_socket_t sockfd = conn->sock[sockindex]; @@ -507,14 +507,15 @@ static CURLcode bearssl_run_until(struct connectdata *conn, int sockindex, } } -static CURLcode bearssl_connect_step2(struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step2(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; CURLcode ret; - ret = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP | BR_SSL_RECVAPP); + ret = bearssl_run_until(data, conn, sockindex, + BR_SSL_SENDAPP | BR_SSL_RECVAPP); if(ret == CURLE_AGAIN) return CURLE_OK; if(ret == CURLE_OK) { @@ -527,9 +528,9 @@ static CURLcode bearssl_connect_step2(struct connectdata *conn, int sockindex) return ret; } -static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step3(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; CURLcode ret; @@ -552,7 +553,7 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) conn->negnpn = CURL_HTTP_VERSION_1_1; else infof(data, "ALPN, unrecognized protocol %s\n", protocol); - Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else @@ -568,12 +569,13 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) if(!session) return CURLE_OUT_OF_MEMORY; br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, + &oldsession, NULL, sockindex)); if(incache) - Curl_ssl_delsessionid(conn, oldsession); - ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_delsessionid(data, oldsession); + ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex); + Curl_ssl_sessionid_unlock(data); if(ret) { free(session); return CURLE_OUT_OF_MEMORY; @@ -585,17 +587,17 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) return CURLE_OK; } -static ssize_t bearssl_send(struct connectdata *conn, int sockindex, +static ssize_t bearssl_send(struct Curl_easy *data, int sockindex, const void *buf, size_t len, CURLcode *err) { - struct Curl_easy *data = conn->data; + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; unsigned char *app; size_t applen; for(;;) { - *err = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP); + *err = bearssl_run_until(data, conn, sockindex, BR_SSL_SENDAPP); if (*err != CURLE_OK) return -1; app = br_ssl_engine_sendapp_buf(&backend->ctx.eng, &applen); @@ -618,15 +620,16 @@ static ssize_t bearssl_send(struct connectdata *conn, int sockindex, } } -static ssize_t bearssl_recv(struct connectdata *conn, int sockindex, +static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex, char *buf, size_t len, CURLcode *err) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; unsigned char *app; size_t applen; - *err = bearssl_run_until(conn, sockindex, BR_SSL_RECVAPP); + *err = bearssl_run_until(data, conn, sockindex, BR_SSL_RECVAPP); if(*err != CURLE_OK) return -1; app = br_ssl_engine_recvapp_buf(&backend->ctx.eng, &applen); @@ -640,13 +643,13 @@ static ssize_t bearssl_recv(struct connectdata *conn, int sockindex, return applen; } -static CURLcode bearssl_connect_common(struct connectdata *conn, +static CURLcode bearssl_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode ret; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; timediff_t timeout_ms; @@ -659,7 +662,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn, } if(ssl_connect_1 == connssl->connecting_state) { - ret = bearssl_connect_step1(conn, sockindex); + ret = bearssl_connect_step1(data, conn, sockindex); if(ret) return ret; } @@ -712,7 +715,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - ret = bearssl_connect_step2(conn, sockindex); + ret = bearssl_connect_step2(data, conn, sockindex); if(ret || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -721,7 +724,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn, } if(ssl_connect_3 == connssl->connecting_state) { - ret = bearssl_connect_step3(conn, sockindex); + ret = bearssl_connect_step3(data, conn, sockindex); if(ret) return ret; } @@ -741,21 +744,21 @@ static CURLcode bearssl_connect_common(struct connectdata *conn, return CURLE_OK; } -static size_t Curl_bearssl_version(char *buffer, size_t size) +static size_t bearssl_version(char *buffer, size_t size) { return msnprintf(buffer, size, "BearSSL"); } -static bool Curl_bearssl_data_pending(const struct connectdata *conn, - int connindex) +static bool bearssl_data_pending(const struct connectdata *conn, + int connindex) { const struct ssl_connect_data *connssl = &conn->ssl[connindex]; struct ssl_backend_data *backend = connssl->backend; return br_ssl_engine_current_state(&backend->ctx.eng) & BR_SSL_RECVAPP; } -static CURLcode Curl_bearssl_random(struct Curl_easy *data UNUSED_PARAM, - unsigned char *entropy, size_t length) +static CURLcode bearssl_random(struct Curl_easy *data UNUSED_PARAM, + unsigned char *entropy, size_t length) { static br_hmac_drbg_context ctx; static bool seeded = FALSE; @@ -774,12 +777,13 @@ static CURLcode Curl_bearssl_random(struct Curl_easy *data UNUSED_PARAM, return CURLE_OK; } -static CURLcode Curl_bearssl_connect(struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode ret; bool done = FALSE; - ret = bearssl_connect_common(conn, sockindex, FALSE, &done); + ret = bearssl_connect_common(data, conn, sockindex, FALSE, &done); if(ret) return ret; @@ -788,20 +792,22 @@ static CURLcode Curl_bearssl_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static CURLcode Curl_bearssl_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode bearssl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return bearssl_connect_common(conn, sockindex, TRUE, done); + return bearssl_connect_common(data, conn, sockindex, TRUE, done); } -static void *Curl_bearssl_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +static void *bearssl_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { struct ssl_backend_data *backend = connssl->backend; return &backend->ctx; } -static void Curl_bearssl_close(struct connectdata *conn, int sockindex) +static void bearssl_close(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -809,35 +815,22 @@ static void Curl_bearssl_close(struct connectdata *conn, int sockindex) if(backend->active) { br_ssl_engine_close(&backend->ctx.eng); - (void)bearssl_run_until(conn, sockindex, BR_SSL_CLOSED); + (void)bearssl_run_until(data, conn, sockindex, BR_SSL_CLOSED); } for(i = 0; i < backend->anchors_len; ++i) free(backend->anchors[i].dn.data); free(backend->anchors); } -static void Curl_bearssl_session_free(void *ptr) +static void bearssl_session_free(void *ptr) { free(ptr); } -static CURLcode Curl_bearssl_md5sum(unsigned char *input, - size_t inputlen, - unsigned char *md5sum, - size_t md5len UNUSED_PARAM) -{ - br_md5_context ctx; - - br_md5_init(&ctx); - br_md5_update(&ctx, input, inputlen); - br_md5_out(&ctx, md5sum); - return CURLE_OK; -} - -static CURLcode Curl_bearssl_sha256sum(const unsigned char *input, - size_t inputlen, - unsigned char *sha256sum, - size_t sha256len UNUSED_PARAM) +static CURLcode bearssl_sha256sum(const unsigned char *input, + size_t inputlen, + unsigned char *sha256sum, + size_t sha256len UNUSED_PARAM) { br_sha256_context ctx; @@ -854,24 +847,23 @@ const struct Curl_ssl Curl_ssl_bearssl = { Curl_none_init, Curl_none_cleanup, - Curl_bearssl_version, + bearssl_version, Curl_none_check_cxn, Curl_none_shutdown, - Curl_bearssl_data_pending, - Curl_bearssl_random, + bearssl_data_pending, + bearssl_random, Curl_none_cert_status_request, - Curl_bearssl_connect, - Curl_bearssl_connect_nonblocking, - Curl_bearssl_get_internals, - Curl_bearssl_close, + bearssl_connect, + bearssl_connect_nonblocking, + bearssl_get_internals, + bearssl_close, Curl_none_close_all, - Curl_bearssl_session_free, + bearssl_session_free, Curl_none_set_engine, Curl_none_set_engine_default, Curl_none_engines_list, Curl_none_false_start, - Curl_bearssl_md5sum, - Curl_bearssl_sha256sum + bearssl_sha256sum }; #endif /* USE_BEARSSL */ diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index 17584c7..9b5f649 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -301,10 +301,9 @@ static CURLcode set_callback(struct Curl_easy *data, } -static CURLcode set_ciphers(struct connectdata *conn, +static CURLcode set_ciphers(struct Curl_easy *data, gsk_handle h, unsigned int *protoflags) { - struct Curl_easy *data = conn->data; const char *cipherlist = SSL_CONN_CONFIG(cipher_list); const char *clp; const struct gskit_cipher *ctp; @@ -435,7 +434,7 @@ static CURLcode set_ciphers(struct connectdata *conn, } -static int Curl_gskit_init(void) +static int gskit_init(void) { /* No initialisation needed. */ @@ -443,7 +442,7 @@ static int Curl_gskit_init(void) } -static void Curl_gskit_cleanup(void) +static void gskit_cleanup(void) { /* Nothing to do. */ } @@ -587,11 +586,11 @@ static int pipe_ssloverssl(struct connectdata *conn, int sockindex, } -static void close_one(struct ssl_connect_data *connssl, +static void close_one(struct ssl_connect_data *connssl, struct Curl_easy *data, struct connectdata *conn, int sockindex) { if(BACKEND->handle) { - gskit_status(conn->data, gsk_secure_soc_close(&BACKEND->handle), + gskit_status(data, gsk_secure_soc_close(&BACKEND->handle), "gsk_secure_soc_close()", 0); /* Last chance to drain output. */ while(pipe_ssloverssl(conn, sockindex, SOS_WRITE) > 0) @@ -612,10 +611,10 @@ static void close_one(struct ssl_connect_data *connssl, static ssize_t gskit_send(struct connectdata *conn, int sockindex, - const void *mem, size_t len, CURLcode *curlcode) + const void *mem, size_t len, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct Curl_easy *data = conn->data; CURLcode cc = CURLE_SEND_ERROR; int written; @@ -636,11 +635,11 @@ static ssize_t gskit_send(struct connectdata *conn, int sockindex, } -static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf, - size_t buffersize, CURLcode *curlcode) +static ssize_t gskit_recv(struct Curl_easy *data, int num, char *buf, + size_t buffersize, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[num]; - struct Curl_easy *data = conn->data; int nread; CURLcode cc = CURLE_RECV_ERROR; @@ -664,9 +663,8 @@ static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf, } static CURLcode -set_ssl_version_min_max(unsigned int *protoflags, struct connectdata *conn) +set_ssl_version_min_max(unsigned int *protoflags, struct Curl_easy *data) { - struct Curl_easy *data = conn->data; long ssl_version = SSL_CONN_CONFIG(version); long ssl_version_max = SSL_CONN_CONFIG(version_max); long i = ssl_version; @@ -696,9 +694,9 @@ set_ssl_version_min_max(unsigned int *protoflags, struct connectdata *conn) return CURLE_OK; } -static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) +static CURLcode gskit_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; gsk_handle envir; CURLcode result; @@ -798,7 +796,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) case CURL_SSLVERSION_TLSv1_1: case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: - result = set_ssl_version_min_max(&protoflags, conn); + result = set_ssl_version_min_max(&protoflags, data); if(result != CURLE_OK) return result; break; @@ -832,7 +830,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) result = set_numeric(data, BACKEND->handle, GSK_FD, BACKEND->localfd >= 0? BACKEND->localfd: conn->sock[sockindex]); if(!result) - result = set_ciphers(conn, BACKEND->handle, &protoflags); + result = set_ciphers(data, BACKEND->handle, &protoflags); if(!protoflags) { failf(data, "No SSL protocol/cipher combination enabled"); result = CURLE_SSL_CIPHER; @@ -915,15 +913,15 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex) } /* Error: rollback. */ - close_one(connssl, conn, sockindex); + close_one(connssl, data, conn, sockindex); return result; } -static CURLcode gskit_connect_step2(struct connectdata *conn, int sockindex, +static CURLcode gskit_connect_step2(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; Qso_OverlappedIO_t cstat; struct timeval stmv; @@ -971,9 +969,9 @@ static CURLcode gskit_connect_step2(struct connectdata *conn, int sockindex, } -static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) +static CURLcode gskit_connect_step3(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; const gsk_cert_data_elem *cdev; int cdec; @@ -1016,7 +1014,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) } /* Verify host. */ - result = Curl_verifyhost(conn, cert, certend); + result = Curl_verifyhost(data, conn, cert, certend); if(result) return result; @@ -1031,7 +1029,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) return result; if(cert) { - result = Curl_extract_certinfo(conn, 0, cert, certend); + result = Curl_extract_certinfo(data, 0, cert, certend); if(result) return result; } @@ -1059,10 +1057,10 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex) } -static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex, +static CURLcode gskit_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; timediff_t timeout_ms; CURLcode result = CURLE_OK; @@ -1082,7 +1080,7 @@ static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex, result = CURLE_OPERATION_TIMEDOUT; } else - result = gskit_connect_step1(conn, sockindex); + result = gskit_connect_step1(data, conn, sockindex); } /* Handle handshake pipelining. */ @@ -1101,7 +1099,7 @@ static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex, result = CURLE_OPERATION_TIMEDOUT; } else - result = gskit_connect_step2(conn, sockindex, nonblocking); + result = gskit_connect_step2(data, conn, sockindex, nonblocking); } /* Handle handshake pipelining. */ @@ -1111,10 +1109,10 @@ static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex, /* Step 3: gather certificate info, verify host. */ if(!result && connssl->connecting_state == ssl_connect_3) - result = gskit_connect_step3(conn, sockindex); + result = gskit_connect_step3(data, conn, sockindex); if(result) - close_one(connssl, conn, sockindex); + close_one(connssl, data, conn, sockindex); else if(connssl->connecting_state == ssl_connect_done) { connssl->state = ssl_connection_complete; connssl->connecting_state = ssl_connect_1; @@ -1127,25 +1125,27 @@ static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex, } -static CURLcode Curl_gskit_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode gskit_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { CURLcode result; - result = gskit_connect_common(conn, sockindex, TRUE, done); + result = gskit_connect_common(data, conn, sockindex, TRUE, done); if(*done || result) conn->ssl[sockindex].connecting_state = ssl_connect_1; return result; } -static CURLcode Curl_gskit_connect(struct connectdata *conn, int sockindex) +static CURLcode gskit_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result; bool done; conn->ssl[sockindex].connecting_state = ssl_connect_1; - result = gskit_connect_common(conn, sockindex, FALSE, &done); + result = gskit_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -1155,17 +1155,18 @@ static CURLcode Curl_gskit_connect(struct connectdata *conn, int sockindex) } -static void Curl_gskit_close(struct connectdata *conn, int sockindex) +static void gskit_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - close_one(&conn->ssl[sockindex], conn, sockindex); - close_one(&conn->proxy_ssl[sockindex], conn, sockindex); + close_one(&conn->ssl[sockindex], data, conn, sockindex); + close_one(&conn->proxy_ssl[sockindex], data, conn, sockindex); } -static int Curl_gskit_shutdown(struct connectdata *conn, int sockindex) +static int gskit_shutdown(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct Curl_easy *data = conn->data; int what; int rc; char buf[120]; @@ -1178,7 +1179,7 @@ static int Curl_gskit_shutdown(struct connectdata *conn, int sockindex) return 0; #endif - close_one(connssl, conn, sockindex); + close_one(connssl, data, conn, sockindex); rc = 0; what = SOCKET_READABLE(conn->sock[sockindex], SSL_SHUTDOWN_TIMEOUT); @@ -1219,13 +1220,13 @@ static int Curl_gskit_shutdown(struct connectdata *conn, int sockindex) } -static size_t Curl_gskit_version(char *buffer, size_t size) +static size_t gskit_version(char *buffer, size_t size) { return msnprintf(buffer, size, "GSKit"); } -static int Curl_gskit_check_cxn(struct connectdata *cxn) +static int gskit_check_cxn(struct connectdata *cxn) { struct ssl_connect_data *connssl = &cxn->ssl[FIRSTSOCKET]; int err; @@ -1247,8 +1248,8 @@ static int Curl_gskit_check_cxn(struct connectdata *cxn) return -1; /* connection status unknown */ } -static void *Curl_gskit_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +static void *gskit_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { (void)info; return BACKEND->handle; @@ -1262,18 +1263,18 @@ const struct Curl_ssl Curl_ssl_gskit = { sizeof(struct ssl_backend_data), - Curl_gskit_init, /* init */ - Curl_gskit_cleanup, /* cleanup */ - Curl_gskit_version, /* version */ - Curl_gskit_check_cxn, /* check_cxn */ - Curl_gskit_shutdown, /* shutdown */ + gskit_init, /* init */ + gskit_cleanup, /* cleanup */ + gskit_version, /* version */ + gskit_check_cxn, /* check_cxn */ + gskit_shutdown, /* shutdown */ Curl_none_data_pending, /* data_pending */ Curl_none_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_gskit_connect, /* connect */ - Curl_gskit_connect_nonblocking, /* connect_nonblocking */ - Curl_gskit_get_internals, /* get_internals */ - Curl_gskit_close, /* close_one */ + gskit_connect, /* connect */ + gskit_connect_nonblocking, /* connect_nonblocking */ + gskit_get_internals, /* get_internals */ + gskit_close, /* close_one */ Curl_none_close_all, /* close_all */ /* No session handling for GSKit */ Curl_none_session_free, /* session_free */ @@ -1281,7 +1282,6 @@ const struct Curl_ssl Curl_ssl_gskit = { Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ Curl_none_false_start, /* false_start */ - Curl_none_md5sum, /* md5sum */ NULL /* sha256sum */ }; diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index e848c3f..3ddee19 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -86,38 +86,38 @@ struct ssl_backend_data { #endif }; -static ssize_t Curl_gtls_push(void *s, const void *buf, size_t len) +static ssize_t gtls_push(void *s, const void *buf, size_t len) { curl_socket_t sock = *(curl_socket_t *)s; ssize_t ret = swrite(sock, buf, len); return ret; } -static ssize_t Curl_gtls_pull(void *s, void *buf, size_t len) +static ssize_t gtls_pull(void *s, void *buf, size_t len) { curl_socket_t sock = *(curl_socket_t *)s; ssize_t ret = sread(sock, buf, len); return ret; } -static ssize_t Curl_gtls_push_ssl(void *s, const void *buf, size_t len) +static ssize_t gtls_push_ssl(void *s, const void *buf, size_t len) { return gnutls_record_send((gnutls_session_t) s, buf, len); } -static ssize_t Curl_gtls_pull_ssl(void *s, void *buf, size_t len) +static ssize_t gtls_pull_ssl(void *s, void *buf, size_t len) { return gnutls_record_recv((gnutls_session_t) s, buf, len); } -/* Curl_gtls_init() +/* gtls_init() * * Global GnuTLS init, called from Curl_ssl_init(). This calls functions that * are not thread-safe and thus this function itself is not thread-safe and * must only be called from within curl_global_init() to keep the thread * situation under control! */ -static int Curl_gtls_init(void) +static int gtls_init(void) { int ret = 1; if(!gtls_inited) { @@ -131,7 +131,7 @@ static int Curl_gtls_init(void) return ret; } -static void Curl_gtls_cleanup(void) +static void gtls_cleanup(void) { if(gtls_inited) { gnutls_global_deinit(); @@ -200,12 +200,12 @@ static void unload_file(gnutls_datum_t data) /* this function does a SSL/TLS (re-)handshake */ -static CURLcode handshake(struct connectdata *conn, +static CURLcode handshake(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool duringconnect, bool nonblocking) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; gnutls_session_t session = backend->session; @@ -314,9 +314,9 @@ static gnutls_x509_crt_fmt_t do_file_type(const char *type) #define GNUTLS_SRP "+SRP" static CURLcode -set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn) +set_ssl_version_min_max(const char **prioritylist, struct Curl_easy *data) { - struct Curl_easy *data = conn->data; + struct connectdata *conn = data->conn; long ssl_version = SSL_CONN_CONFIG(version); long ssl_version_max = SSL_CONN_CONFIG(version_max); @@ -379,10 +379,10 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn) } static CURLcode -gtls_connect_step1(struct connectdata *conn, +gtls_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; unsigned int init_flags; @@ -408,7 +408,7 @@ gtls_connect_step1(struct connectdata *conn, return CURLE_OK; if(!gtls_inited) - Curl_gtls_init(); + gtls_init(); /* Initialize certverifyresult to OK */ *certverifyresult = 0; @@ -568,7 +568,7 @@ gtls_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(&prioritylist, conn); + CURLcode result = set_ssl_version_min_max(&prioritylist, data); if(result != CURLE_OK) return result; break; @@ -698,16 +698,16 @@ gtls_connect_step1(struct connectdata *conn, #ifndef CURL_DISABLE_PROXY if(conn->proxy_ssl[sockindex].use) { transport_ptr = conn->proxy_ssl[sockindex].backend->session; - gnutls_transport_push = Curl_gtls_push_ssl; - gnutls_transport_pull = Curl_gtls_pull_ssl; + gnutls_transport_push = gtls_push_ssl; + gnutls_transport_pull = gtls_pull_ssl; } else #endif { /* file descriptor for the socket */ transport_ptr = &conn->sock[sockindex]; - gnutls_transport_push = Curl_gtls_push; - gnutls_transport_pull = Curl_gtls_pull; + gnutls_transport_push = gtls_push; + gnutls_transport_pull = gtls_pull; } /* set the connection handle */ @@ -731,15 +731,16 @@ gtls_connect_step1(struct connectdata *conn, void *ssl_sessionid; size_t ssl_idsize; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, + &ssl_sessionid, &ssl_idsize, sockindex)) { /* we got a session id, use it! */ gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); /* Informational message */ infof(data, "SSL re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } return CURLE_OK; @@ -807,7 +808,8 @@ static Curl_recv gtls_recv; static Curl_send gtls_send; static CURLcode -gtls_connect_step3(struct connectdata *conn, +gtls_connect_step3(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { unsigned int cert_list_size; @@ -820,7 +822,6 @@ gtls_connect_step3(struct connectdata *conn, size_t size; time_t certclock; const char *ptr; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; gnutls_session_t session = backend->session; @@ -885,7 +886,7 @@ gtls_connect_step3(struct connectdata *conn, const char *beg = (const char *) chainp[i].data; const char *end = beg + chainp[i].size; - result = Curl_extract_certinfo(conn, i, beg, end); + result = Curl_extract_certinfo(data, i, beg, end); if(result) return result; } @@ -1263,7 +1264,7 @@ gtls_connect_step3(struct connectdata *conn, else infof(data, "ALPN, server did not agree to a protocol\n"); - Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } @@ -1290,19 +1291,19 @@ gtls_connect_step3(struct connectdata *conn, /* extract session ID to the allocated buffer */ gnutls_session_get_data(session, connect_sessionid, &connect_idsize); - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)); if(incache) { /* there was one before in the cache, so instead of risking that the previous one was rejected, we just kill that and store the new */ - Curl_ssl_delsessionid(conn, ssl_sessionid); + Curl_ssl_delsessionid(data, ssl_sessionid); } /* store this session id */ - result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize, - sockindex); - Curl_ssl_sessionid_unlock(conn); + result = Curl_ssl_addsessionid(data, conn, connect_sessionid, + connect_idsize, sockindex); + Curl_ssl_sessionid_unlock(data); if(result) { free(connect_sessionid); result = CURLE_OUT_OF_MEMORY; @@ -1326,7 +1327,8 @@ gtls_connect_step3(struct connectdata *conn, 'ssl_connect_2_writing' (waiting to be able to write). */ static CURLcode -gtls_connect_common(struct connectdata *conn, +gtls_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) @@ -1336,19 +1338,19 @@ gtls_connect_common(struct connectdata *conn, /* Initiate the connection, if not already done */ if(ssl_connect_1 == connssl->connecting_state) { - rc = gtls_connect_step1(conn, sockindex); + rc = gtls_connect_step1(data, conn, sockindex); if(rc) return rc; } - rc = handshake(conn, sockindex, TRUE, nonblocking); + rc = handshake(data, conn, sockindex, TRUE, nonblocking); if(rc) /* handshake() sets its own error message with failf() */ return rc; /* Finish connecting once the handshake is done */ if(ssl_connect_1 == connssl->connecting_state) { - rc = gtls_connect_step3(conn, sockindex); + rc = gtls_connect_step3(data, conn, sockindex); if(rc) return rc; } @@ -1358,18 +1360,20 @@ gtls_connect_common(struct connectdata *conn, return CURLE_OK; } -static CURLcode Curl_gtls_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode gtls_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return gtls_connect_common(conn, sockindex, TRUE, done); + return gtls_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode Curl_gtls_connect(struct connectdata *conn, int sockindex) +static CURLcode gtls_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result; bool done = FALSE; - result = gtls_connect_common(conn, sockindex, FALSE, &done); + result = gtls_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -1378,8 +1382,8 @@ static CURLcode Curl_gtls_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static bool Curl_gtls_data_pending(const struct connectdata *conn, - int connindex) +static bool gtls_data_pending(const struct connectdata *conn, + int connindex) { const struct ssl_connect_data *connssl = &conn->ssl[connindex]; bool res = FALSE; @@ -1399,12 +1403,13 @@ static bool Curl_gtls_data_pending(const struct connectdata *conn, return res; } -static ssize_t gtls_send(struct connectdata *conn, +static ssize_t gtls_send(struct Curl_easy *data, int sockindex, const void *mem, size_t len, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; ssize_t rc = gnutls_record_send(backend->session, mem, len); @@ -1440,8 +1445,10 @@ static void close_one(struct ssl_connect_data *connssl) #endif } -static void Curl_gtls_close(struct connectdata *conn, int sockindex) +static void gtls_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { + (void) data; close_one(&conn->ssl[sockindex]); #ifndef CURL_DISABLE_PROXY close_one(&conn->proxy_ssl[sockindex]); @@ -1452,12 +1459,12 @@ static void Curl_gtls_close(struct connectdata *conn, int sockindex) * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) +static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; int retval = 0; - struct Curl_easy *data = conn->data; #ifndef CURL_DISABLE_FTP /* This has only been tested on the proftpd server, and the mod_tls code @@ -1526,12 +1533,13 @@ static int Curl_gtls_shutdown(struct connectdata *conn, int sockindex) return retval; } -static ssize_t gtls_recv(struct connectdata *conn, /* connection data */ +static ssize_t gtls_recv(struct Curl_easy *data, /* connection data */ int num, /* socketindex */ char *buf, /* store read data here */ size_t buffersize, /* max amount to read */ CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[num]; struct ssl_backend_data *backend = connssl->backend; ssize_t ret; @@ -1545,7 +1553,7 @@ static ssize_t gtls_recv(struct connectdata *conn, /* connection data */ if(ret == GNUTLS_E_REHANDSHAKE) { /* BLOCKING call, this is bad but a work-around for now. Fixing this "the proper way" takes a whole lot of work. */ - CURLcode result = handshake(conn, num, FALSE, FALSE); + CURLcode result = handshake(data, conn, num, FALSE, FALSE); if(result) /* handshake() writes error message on its own */ *curlcode = result; @@ -1555,7 +1563,7 @@ static ssize_t gtls_recv(struct connectdata *conn, /* connection data */ } if(ret < 0) { - failf(conn->data, "GnuTLS recv error (%d): %s", + failf(data, "GnuTLS recv error (%d): %s", (int)ret, gnutls_strerror((int)ret)); *curlcode = CURLE_RECV_ERROR; @@ -1565,18 +1573,18 @@ static ssize_t gtls_recv(struct connectdata *conn, /* connection data */ return ret; } -static void Curl_gtls_session_free(void *ptr) +static void gtls_session_free(void *ptr) { free(ptr); } -static size_t Curl_gtls_version(char *buffer, size_t size) +static size_t gtls_version(char *buffer, size_t size) { return msnprintf(buffer, size, "GnuTLS/%s", gnutls_check_version(NULL)); } #ifndef USE_GNUTLS_NETTLE -static int Curl_gtls_seed(struct Curl_easy *data) +static int gtls_seed(struct Curl_easy *data) { /* we have the "SSL is seeded" boolean static to prevent multiple time-consuming seedings in vain */ @@ -1594,8 +1602,8 @@ static int Curl_gtls_seed(struct Curl_easy *data) #endif /* data might be NULL! */ -static CURLcode Curl_gtls_random(struct Curl_easy *data, - unsigned char *entropy, size_t length) +static CURLcode gtls_random(struct Curl_easy *data, + unsigned char *entropy, size_t length) { #if defined(USE_GNUTLS_NETTLE) int rc; @@ -1604,36 +1612,16 @@ static CURLcode Curl_gtls_random(struct Curl_easy *data, return rc?CURLE_FAILED_INIT:CURLE_OK; #elif defined(USE_GNUTLS) if(data) - Curl_gtls_seed(data); /* Initiate the seed if not already done */ + gtls_seed(data); /* Initiate the seed if not already done */ gcry_randomize(entropy, length, GCRY_STRONG_RANDOM); #endif return CURLE_OK; } -static CURLcode Curl_gtls_md5sum(unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *md5sum, /* output */ - size_t md5len) -{ -#if defined(USE_GNUTLS_NETTLE) - struct md5_ctx MD5pw; - md5_init(&MD5pw); - md5_update(&MD5pw, (unsigned int)tmplen, tmp); - md5_digest(&MD5pw, (unsigned int)md5len, md5sum); -#elif defined(USE_GNUTLS) - gcry_md_hd_t MD5pw; - gcry_md_open(&MD5pw, GCRY_MD_MD5, 0); - gcry_md_write(MD5pw, tmp, tmplen); - memcpy(md5sum, gcry_md_read(MD5pw, 0), md5len); - gcry_md_close(MD5pw); -#endif - return CURLE_OK; -} - -static CURLcode Curl_gtls_sha256sum(const unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *sha256sum, /* output */ - size_t sha256len) +static CURLcode gtls_sha256sum(const unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *sha256sum, /* output */ + size_t sha256len) { #if defined(USE_GNUTLS_NETTLE) struct sha256_ctx SHA256pw; @@ -1650,12 +1638,12 @@ static CURLcode Curl_gtls_sha256sum(const unsigned char *tmp, /* input */ return CURLE_OK; } -static bool Curl_gtls_cert_status_request(void) +static bool gtls_cert_status_request(void) { return TRUE; } -static void *Curl_gtls_get_internals(struct ssl_connect_data *connssl, +static void *gtls_get_internals(struct ssl_connect_data *connssl, CURLINFO info UNUSED_PARAM) { struct ssl_backend_data *backend = connssl->backend; @@ -1673,26 +1661,25 @@ const struct Curl_ssl Curl_ssl_gnutls = { sizeof(struct ssl_backend_data), - Curl_gtls_init, /* init */ - Curl_gtls_cleanup, /* cleanup */ - Curl_gtls_version, /* version */ + gtls_init, /* init */ + gtls_cleanup, /* cleanup */ + gtls_version, /* version */ Curl_none_check_cxn, /* check_cxn */ - Curl_gtls_shutdown, /* shutdown */ - Curl_gtls_data_pending, /* data_pending */ - Curl_gtls_random, /* random */ - Curl_gtls_cert_status_request, /* cert_status_request */ - Curl_gtls_connect, /* connect */ - Curl_gtls_connect_nonblocking, /* connect_nonblocking */ - Curl_gtls_get_internals, /* get_internals */ - Curl_gtls_close, /* close_one */ + gtls_shutdown, /* shutdown */ + gtls_data_pending, /* data_pending */ + gtls_random, /* random */ + gtls_cert_status_request, /* cert_status_request */ + gtls_connect, /* connect */ + gtls_connect_nonblocking, /* connect_nonblocking */ + gtls_get_internals, /* get_internals */ + gtls_close, /* close_one */ Curl_none_close_all, /* close_all */ - Curl_gtls_session_free, /* session_free */ + gtls_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ Curl_none_false_start, /* false_start */ - Curl_gtls_md5sum, /* md5sum */ - Curl_gtls_sha256sum /* sha256sum */ + gtls_sha256sum /* sha256sum */ }; #endif /* USE_GNUTLS */ diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 191315d..fc3a948 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -5,8 +5,8 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * + * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com> - * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -196,9 +196,9 @@ static CURLcode mbedtls_version_from_curl(int *mbedver, long version) } static CURLcode -set_ssl_version_min_max(struct connectdata *conn, int sockindex) +set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_1; @@ -241,10 +241,9 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) } static CURLcode -mbed_connect_step1(struct connectdata *conn, +mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); @@ -280,7 +279,7 @@ mbed_connect_step1(struct connectdata *conn, #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ - failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s\n", + failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s", -ret, errorbuf); } #else @@ -293,7 +292,7 @@ mbed_connect_step1(struct connectdata *conn, #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ - failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s\n", + failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s", -ret, errorbuf); } #endif /* THREADING_SUPPORT */ @@ -427,7 +426,7 @@ mbed_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(conn, sockindex); + CURLcode result = set_ssl_version_min_max(data, conn, sockindex); if(result != CURLE_OK) return result; break; @@ -463,17 +462,17 @@ mbed_connect_step1(struct connectdata *conn, if(SSL_SET_OPTION(primary.sessionid)) { void *old_session = NULL; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) { ret = mbedtls_ssl_set_session(&backend->ssl, old_session); if(ret) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret); return CURLE_SSL_CONNECT_ERROR; } infof(data, "mbedTLS re-using session\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } mbedtls_ssl_conf_ca_chain(&backend->config, @@ -541,11 +540,10 @@ mbed_connect_step1(struct connectdata *conn, } static CURLcode -mbed_connect_step2(struct connectdata *conn, +mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, int sockindex) { int ret; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; const mbedtls_x509_crt *peercert; @@ -701,7 +699,7 @@ mbed_connect_step2(struct connectdata *conn, else { infof(data, "ALPN, server did not agree to a protocol\n"); } - Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -713,13 +711,12 @@ mbed_connect_step2(struct connectdata *conn, } static CURLcode -mbed_connect_step3(struct connectdata *conn, +mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, int sockindex) { CURLcode retcode = CURLE_OK; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; - struct Curl_easy *data = conn->data; DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); @@ -744,12 +741,13 @@ mbed_connect_step3(struct connectdata *conn, } /* If there's already a matching session in the cache, delete it */ - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)) + Curl_ssl_delsessionid(data, old_ssl_sessionid); - retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); - Curl_ssl_sessionid_unlock(conn); + retcode = Curl_ssl_addsessionid(data, conn, + our_ssl_sessionid, 0, sockindex); + Curl_ssl_sessionid_unlock(data); if(retcode) { mbedtls_ssl_session_free(our_ssl_sessionid); free(our_ssl_sessionid); @@ -763,16 +761,16 @@ mbed_connect_step3(struct connectdata *conn, return CURLE_OK; } -static ssize_t mbed_send(struct connectdata *conn, int sockindex, +static ssize_t mbed_send(struct Curl_easy *data, int sockindex, const void *mem, size_t len, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; int ret = -1; - ret = mbedtls_ssl_write(&backend->ssl, - (unsigned char *)mem, len); + ret = mbedtls_ssl_write(&backend->ssl, (unsigned char *)mem, len); if(ret < 0) { *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_WRITE) ? @@ -783,15 +781,18 @@ static ssize_t mbed_send(struct connectdata *conn, int sockindex, return ret; } -static void Curl_mbedtls_close_all(struct Curl_easy *data) +static void mbedtls_close_all(struct Curl_easy *data) { (void)data; } -static void Curl_mbedtls_close(struct connectdata *conn, int sockindex) +static void mbedtls_close(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; + + (void) data; mbedtls_pk_free(&backend->pk); mbedtls_x509_crt_free(&backend->clicert); mbedtls_x509_crt_free(&backend->cacert); @@ -804,16 +805,16 @@ static void Curl_mbedtls_close(struct connectdata *conn, int sockindex) #endif /* THREADING_SUPPORT */ } -static ssize_t mbed_recv(struct connectdata *conn, int num, +static ssize_t mbed_recv(struct Curl_easy *data, int num, char *buf, size_t buffersize, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[num]; struct ssl_backend_data *backend = connssl->backend; int ret = -1; ssize_t len = -1; - memset(buf, 0, buffersize); ret = mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf, buffersize); @@ -831,13 +832,13 @@ static ssize_t mbed_recv(struct connectdata *conn, int num, return len; } -static void Curl_mbedtls_session_free(void *ptr) +static void mbedtls_session_free(void *ptr) { mbedtls_ssl_session_free(ptr); free(ptr); } -static size_t Curl_mbedtls_version(char *buffer, size_t size) +static size_t mbedtls_version(char *buffer, size_t size) { #ifdef MBEDTLS_VERSION_C /* if mbedtls_version_get_number() is available it is better */ @@ -849,8 +850,8 @@ static size_t Curl_mbedtls_version(char *buffer, size_t size) #endif } -static CURLcode Curl_mbedtls_random(struct Curl_easy *data, - unsigned char *entropy, size_t length) +static CURLcode mbedtls_random(struct Curl_easy *data, + unsigned char *entropy, size_t length) { #if defined(MBEDTLS_CTR_DRBG_C) int ret = -1; @@ -868,7 +869,7 @@ static CURLcode Curl_mbedtls_random(struct Curl_easy *data, #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ - failf(data, "Failed - mbedTLS: ctr_drbg_seed returned (-0x%04X) %s\n", + failf(data, "Failed - mbedTLS: ctr_drbg_seed returned (-0x%04X) %s", -ret, errorbuf); } else { @@ -878,7 +879,7 @@ static CURLcode Curl_mbedtls_random(struct Curl_easy *data, #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); #endif /* MBEDTLS_ERROR_C */ - failf(data, "mbedTLS: ctr_drbg_init returned (-0x%04X) %s\n", + failf(data, "mbedTLS: ctr_drbg_init returned (-0x%04X) %s", -ret, errorbuf); } } @@ -899,13 +900,13 @@ static CURLcode Curl_mbedtls_random(struct Curl_easy *data, } static CURLcode -mbed_connect_common(struct connectdata *conn, +mbed_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode retcode; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; timediff_t timeout_ms; @@ -926,7 +927,7 @@ mbed_connect_common(struct connectdata *conn, failf(data, "SSL connection timeout"); return CURLE_OPERATION_TIMEDOUT; } - retcode = mbed_connect_step1(conn, sockindex); + retcode = mbed_connect_step1(data, conn, sockindex); if(retcode) return retcode; } @@ -981,7 +982,7 @@ mbed_connect_common(struct connectdata *conn, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - retcode = mbed_connect_step2(conn, sockindex); + retcode = mbed_connect_step2(data, conn, sockindex); if(retcode || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -991,7 +992,7 @@ mbed_connect_common(struct connectdata *conn, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - retcode = mbed_connect_step3(conn, sockindex); + retcode = mbed_connect_step3(data, conn, sockindex); if(retcode) return retcode; } @@ -1011,19 +1012,21 @@ mbed_connect_common(struct connectdata *conn, return CURLE_OK; } -static CURLcode Curl_mbedtls_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode mbedtls_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return mbed_connect_common(conn, sockindex, TRUE, done); + return mbed_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode Curl_mbedtls_connect(struct connectdata *conn, int sockindex) +static CURLcode mbedtls_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode retcode; bool done = FALSE; - retcode = mbed_connect_common(conn, sockindex, FALSE, &done); + retcode = mbed_connect_common(data, conn, sockindex, FALSE, &done); if(retcode) return retcode; @@ -1036,28 +1039,28 @@ static CURLcode Curl_mbedtls_connect(struct connectdata *conn, int sockindex) * return 0 error initializing SSL * return 1 SSL initialized successfully */ -static int Curl_mbedtls_init(void) +static int mbedtls_init(void) { return Curl_mbedtlsthreadlock_thread_setup(); } -static void Curl_mbedtls_cleanup(void) +static void mbedtls_cleanup(void) { (void)Curl_mbedtlsthreadlock_thread_cleanup(); } -static bool Curl_mbedtls_data_pending(const struct connectdata *conn, - int sockindex) +static bool mbedtls_data_pending(const struct connectdata *conn, + int sockindex) { const struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; return mbedtls_ssl_get_bytes_avail(&backend->ssl) != 0; } -static CURLcode Curl_mbedtls_sha256sum(const unsigned char *input, - size_t inputlen, - unsigned char *sha256sum, - size_t sha256len UNUSED_PARAM) +static CURLcode mbedtls_sha256sum(const unsigned char *input, + size_t inputlen, + unsigned char *sha256sum, + size_t sha256len UNUSED_PARAM) { (void)sha256len; #if MBEDTLS_VERSION_NUMBER < 0x02070000 @@ -1070,8 +1073,8 @@ static CURLcode Curl_mbedtls_sha256sum(const unsigned char *input, return CURLE_OK; } -static void *Curl_mbedtls_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +static void *mbedtls_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { struct ssl_backend_data *backend = connssl->backend; (void)info; @@ -1087,26 +1090,25 @@ const struct Curl_ssl Curl_ssl_mbedtls = { sizeof(struct ssl_backend_data), - Curl_mbedtls_init, /* init */ - Curl_mbedtls_cleanup, /* cleanup */ - Curl_mbedtls_version, /* version */ + mbedtls_init, /* init */ + mbedtls_cleanup, /* cleanup */ + mbedtls_version, /* version */ Curl_none_check_cxn, /* check_cxn */ Curl_none_shutdown, /* shutdown */ - Curl_mbedtls_data_pending, /* data_pending */ - Curl_mbedtls_random, /* random */ + mbedtls_data_pending, /* data_pending */ + mbedtls_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_mbedtls_connect, /* connect */ - Curl_mbedtls_connect_nonblocking, /* connect_nonblocking */ - Curl_mbedtls_get_internals, /* get_internals */ - Curl_mbedtls_close, /* close_one */ - Curl_mbedtls_close_all, /* close_all */ - Curl_mbedtls_session_free, /* session_free */ + mbedtls_connect, /* connect */ + mbedtls_connect_nonblocking, /* connect_nonblocking */ + mbedtls_get_internals, /* get_internals */ + mbedtls_close, /* close_one */ + mbedtls_close_all, /* close_all */ + mbedtls_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ Curl_none_false_start, /* false_start */ - Curl_none_md5sum, /* md5sum */ - Curl_mbedtls_sha256sum /* sha256sum */ + mbedtls_sha256sum /* sha256sum */ }; #endif /* USE_MBEDTLS */ diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c index 309786c..b6d1005 100644 --- a/lib/vtls/mesalink.c +++ b/lib/vtls/mesalink.c @@ -6,7 +6,7 @@ * \___|\___/|_| \_\_____| * * Copyright (C) 2017 - 2018, Yiming Jing, <jingyiming@baidu.com> - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -89,10 +89,10 @@ static int do_file_type(const char *type) * layer and do all necessary magic. */ static CURLcode -mesalink_connect_step1(struct connectdata *conn, int sockindex) +mesalink_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { char *ciphers; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct in_addr addr4; #ifdef ENABLE_IPV6 @@ -260,11 +260,11 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) if(SSL_SET_OPTION(primary.sessionid)) { void *ssl_sessionid = NULL; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf( data, "SSL: SSL_set_session failed: %s", @@ -274,7 +274,7 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) /* Informational message */ infof(data, "SSL re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } #endif /* MESALINK_HAVE_SESSION */ @@ -288,10 +288,10 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) } static CURLcode -mesalink_connect_step2(struct connectdata *conn, int sockindex) +mesalink_connect_step2(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { int ret = -1; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; conn->recv[sockindex] = mesalink_recv; @@ -348,27 +348,28 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) our_ssl_sessionid = SSL_get_session(BACKEND->handle); - Curl_ssl_sessionid_lock(conn); + Curl_ssl_sessionid_lock(data); incache = - !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); + !(Curl_ssl_getsessionid(data, conn, + &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + Curl_ssl_delsessionid(data, old_ssl_sessionid); incache = FALSE; } } if(!incache) { result = Curl_ssl_addsessionid( - conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); + data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); if(result) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "failed to store ssl session"); return result; } } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } #endif /* MESALINK_HAVE_SESSION */ @@ -378,9 +379,10 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) } static ssize_t -mesalink_send(struct connectdata *conn, int sockindex, const void *mem, +mesalink_send(struct Curl_easy *data, int sockindex, const void *mem, size_t len, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; char error_buffer[MESALINK_MAX_ERROR_SZ]; int memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len; @@ -395,7 +397,7 @@ mesalink_send(struct connectdata *conn, int sockindex, const void *mem, *curlcode = CURLE_AGAIN; return -1; default: - failf(conn->data, + failf(data, "SSL write: %s, errno %d", ERR_error_string_n(err, error_buffer, sizeof(error_buffer)), SOCKERRNO); @@ -407,10 +409,12 @@ mesalink_send(struct connectdata *conn, int sockindex, const void *mem, } static void -Curl_mesalink_close(struct connectdata *conn, int sockindex) +mesalink_close(struct Curl_easy *data, struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + (void) data; + if(BACKEND->handle) { (void)SSL_shutdown(BACKEND->handle); SSL_free(BACKEND->handle); @@ -423,9 +427,10 @@ Curl_mesalink_close(struct connectdata *conn, int sockindex) } static ssize_t -mesalink_recv(struct connectdata *conn, int num, char *buf, size_t buffersize, +mesalink_recv(struct Curl_easy *data, int num, char *buf, size_t buffersize, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[num]; char error_buffer[MESALINK_MAX_ERROR_SZ]; int buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize; @@ -444,7 +449,7 @@ mesalink_recv(struct connectdata *conn, int num, char *buf, size_t buffersize, *curlcode = CURLE_AGAIN; return -1; default: - failf(conn->data, + failf(data, "SSL read: %s, errno %d", ERR_error_string_n(err, error_buffer, sizeof(error_buffer)), SOCKERRNO); @@ -456,13 +461,13 @@ mesalink_recv(struct connectdata *conn, int num, char *buf, size_t buffersize, } static size_t -Curl_mesalink_version(char *buffer, size_t size) +mesalink_version(char *buffer, size_t size) { return msnprintf(buffer, size, "MesaLink/%s", MESALINK_VERSION_STRING); } static int -Curl_mesalink_init(void) +mesalink_init(void) { return (SSL_library_init() == SSL_SUCCESS); } @@ -472,11 +477,14 @@ Curl_mesalink_init(void) * socket open (CCC - Clear Command Channel) */ static int -Curl_mesalink_shutdown(struct connectdata *conn, int sockindex) +mesalink_shutdown(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { int retval = 0; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + (void) data; + if(BACKEND->handle) { SSL_free(BACKEND->handle); BACKEND->handle = NULL; @@ -485,11 +493,10 @@ Curl_mesalink_shutdown(struct connectdata *conn, int sockindex) } static CURLcode -mesalink_connect_common(struct connectdata *conn, int sockindex, - bool nonblocking, bool *done) +mesalink_connect_common(struct Curl_easy *data, struct connectdata *conn, + int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; timediff_t timeout_ms; @@ -511,7 +518,7 @@ mesalink_connect_common(struct connectdata *conn, int sockindex, return CURLE_OPERATION_TIMEDOUT; } - result = mesalink_connect_step1(conn, sockindex); + result = mesalink_connect_step1(data, conn, sockindex); if(result) return result; } @@ -568,7 +575,7 @@ mesalink_connect_common(struct connectdata *conn, int sockindex, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - result = mesalink_connect_step2(conn, sockindex); + result = mesalink_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || @@ -600,19 +607,20 @@ mesalink_connect_common(struct connectdata *conn, int sockindex, } static CURLcode -Curl_mesalink_connect_nonblocking(struct connectdata *conn, int sockindex, - bool *done) +mesalink_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, + int sockindex, bool *done) { - return mesalink_connect_common(conn, sockindex, TRUE, done); + return mesalink_connect_common(data, conn, sockindex, TRUE, done); } static CURLcode -Curl_mesalink_connect(struct connectdata *conn, int sockindex) +mesalink_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result; bool done = FALSE; - result = mesalink_connect_common(conn, sockindex, FALSE, &done); + result = mesalink_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -622,8 +630,8 @@ Curl_mesalink_connect(struct connectdata *conn, int sockindex) } static void * -Curl_mesalink_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +mesalink_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { (void)info; return BACKEND->handle; @@ -636,26 +644,25 @@ const struct Curl_ssl Curl_ssl_mesalink = { sizeof(struct ssl_backend_data), - Curl_mesalink_init, /* init */ - Curl_none_cleanup, /* cleanup */ - Curl_mesalink_version, /* version */ - Curl_none_check_cxn, /* check_cxn */ - Curl_mesalink_shutdown, /* shutdown */ - Curl_none_data_pending, /* data_pending */ - Curl_none_random, /* random */ + mesalink_init, /* init */ + Curl_none_cleanup, /* cleanup */ + mesalink_version, /* version */ + Curl_none_check_cxn, /* check_cxn */ + mesalink_shutdown, /* shutdown */ + Curl_none_data_pending, /* data_pending */ + Curl_none_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_mesalink_connect, /* connect */ - Curl_mesalink_connect_nonblocking, /* connect_nonblocking */ - Curl_mesalink_get_internals, /* get_internals */ - Curl_mesalink_close, /* close_one */ - Curl_none_close_all, /* close_all */ - Curl_none_session_free, /* session_free */ - Curl_none_set_engine, /* set_engine */ - Curl_none_set_engine_default, /* set_engine_default */ - Curl_none_engines_list, /* engines_list */ - Curl_none_false_start, /* false_start */ - Curl_none_md5sum, /* md5sum */ - NULL /* sha256sum */ + mesalink_connect, /* connect */ + mesalink_connect_nonblocking, /* connect_nonblocking */ + mesalink_get_internals, /* get_internals */ + mesalink_close, /* close_one */ + Curl_none_close_all, /* close_all */ + Curl_none_session_free, /* session_free */ + Curl_none_set_engine, /* set_engine */ + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ + NULL /* sha256sum */ }; #endif diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 59649cc..e5ab71c 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -443,7 +443,7 @@ static CURLcode insert_wrapped_ptr(struct Curl_llist *list, void *ptr) /* Call PK11_CreateGenericObject() with the given obj_class and filename. If * the call succeeds, append the object handle to the list of objects so that - * the object can be destroyed in Curl_nss_close(). */ + * the object can be destroyed in nss_close(). */ static CURLcode nss_create_object(struct ssl_connect_data *connssl, CK_OBJECT_CLASS obj_class, const char *filename, bool cacert) @@ -508,7 +508,7 @@ static CURLcode nss_create_object(struct ssl_connect_data *connssl, /* Destroy the NSS object whose handle is given by ptr. This function is * a callback of Curl_llist_alloc() used by Curl_llist_destroy() to destroy - * NSS objects in Curl_nss_close() */ + * NSS objects in nss_close() */ static void nss_destroy_object(void *user, void *ptr) { struct ptr_list_wrap *wrap = (struct ptr_list_wrap *) ptr; @@ -587,7 +587,7 @@ static CURLcode nss_cache_crl(SECItem *crl_der) return CURLE_SSL_CRL_BADFILE; } - /* store the CRL item so that we can free it in Curl_nss_cleanup() */ + /* store the CRL item so that we can free it in nss_cleanup() */ if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) { if(SECSuccess == CERT_UncacheCRL(db, crl_der)) SECITEM_FreeItem(crl_der, PR_TRUE); @@ -665,14 +665,13 @@ fail: return CURLE_SSL_CRL_BADFILE; } -static CURLcode nss_load_key(struct connectdata *conn, int sockindex, - char *key_file) +static CURLcode nss_load_key(struct Curl_easy *data, struct connectdata *conn, + int sockindex, char *key_file) { PK11SlotInfo *slot, *tmp; SECStatus status; CURLcode result; struct ssl_connect_data *ssl = conn->ssl; - struct Curl_easy *data = conn->data; (void)sockindex; /* unused */ @@ -701,15 +700,15 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex, return (SECSuccess == status) ? CURLE_OK : CURLE_SSL_CERTPROBLEM; } -static int display_error(struct connectdata *conn, PRInt32 err, +static int display_error(struct Curl_easy *data, PRInt32 err, const char *filename) { switch(err) { case SEC_ERROR_BAD_PASSWORD: - failf(conn->data, "Unable to load client key: Incorrect password"); + failf(data, "Unable to load client key: Incorrect password"); return 1; case SEC_ERROR_UNKNOWN_CERT: - failf(conn->data, "Unable to load certificate %s", filename); + failf(data, "Unable to load certificate %s", filename); return 1; default: break; @@ -717,17 +716,16 @@ static int display_error(struct connectdata *conn, PRInt32 err, return 0; /* The caller will print a generic error */ } -static CURLcode cert_stuff(struct connectdata *conn, int sockindex, - char *cert_file, char *key_file) +static CURLcode cert_stuff(struct Curl_easy *data, struct connectdata *conn, + int sockindex, char *cert_file, char *key_file) { - struct Curl_easy *data = conn->data; CURLcode result; if(cert_file) { result = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE); if(result) { const PRErrorCode err = PR_GetError(); - if(!display_error(conn, err, cert_file)) { + if(!display_error(data, err, cert_file)) { const char *err_name = nss_error_to_name(err); failf(data, "unable to load client cert: %d (%s)", err, err_name); } @@ -738,13 +736,13 @@ static CURLcode cert_stuff(struct connectdata *conn, int sockindex, if(key_file || (is_file(cert_file))) { if(key_file) - result = nss_load_key(conn, sockindex, key_file); + result = nss_load_key(data, conn, sockindex, key_file); else /* In case the cert file also has the key */ - result = nss_load_key(conn, sockindex, cert_file); + result = nss_load_key(data, conn, sockindex, cert_file); if(result) { const PRErrorCode err = PR_GetError(); - if(!display_error(conn, err, key_file)) { + if(!display_error(data, err, key_file)) { const char *err_name = nss_error_to_name(err); failf(data, "unable to load client key: %d (%s)", err, err_name); } @@ -771,7 +769,8 @@ static char *nss_get_password(PK11SlotInfo *slot, PRBool retry, void *arg) static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, PRBool isServer) { - struct connectdata *conn = (struct connectdata *)arg; + struct Curl_easy *data = (struct Curl_easy *)arg; + struct connectdata *conn = data->conn; #ifdef SSL_ENABLE_OCSP_STAPLING if(SSL_CONN_CONFIG(verifystatus)) { @@ -779,12 +778,12 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd); if(!csa) { - failf(conn->data, "Invalid OCSP response"); + failf(data, "Invalid OCSP response"); return SECFailure; } if(csa->len == 0) { - failf(conn->data, "No OCSP response received"); + failf(data, "No OCSP response received"); return SECFailure; } @@ -794,14 +793,14 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, ); if(cacheResult != SECSuccess) { - failf(conn->data, "Invalid OCSP response"); + failf(data, "Invalid OCSP response"); return cacheResult; } } #endif if(!SSL_CONN_CONFIG(verifypeer)) { - infof(conn->data, "skipping SSL peer certificate verification\n"); + infof(data, "skipping SSL peer certificate verification\n"); return SECSuccess; } @@ -813,7 +812,8 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, */ static void HandshakeCallback(PRFileDesc *sock, void *arg) { - struct connectdata *conn = (struct connectdata*) arg; + struct Curl_easy *data = (struct Curl_easy *)arg; + struct connectdata *conn = data->conn; unsigned int buflenmax = 50; unsigned char buf[50]; unsigned int buflen; @@ -833,15 +833,15 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) #endif case SSL_NEXT_PROTO_NO_SUPPORT: case SSL_NEXT_PROTO_NO_OVERLAP: - infof(conn->data, "ALPN/NPN, server did not agree to a protocol\n"); + infof(data, "ALPN/NPN, server did not agree to a protocol\n"); return; #ifdef SSL_ENABLE_ALPN case SSL_NEXT_PROTO_SELECTED: - infof(conn->data, "ALPN, server accepted to use %.*s\n", buflen, buf); + infof(data, "ALPN, server accepted to use %.*s\n", buflen, buf); break; #endif case SSL_NEXT_PROTO_NEGOTIATED: - infof(conn->data, "NPN, server accepted to use %.*s\n", buflen, buf); + infof(data, "NPN, server accepted to use %.*s\n", buflen, buf); break; } @@ -856,7 +856,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) { conn->negnpn = CURL_HTTP_VERSION_1_1; } - Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } } @@ -865,8 +865,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data, PRBool *canFalseStart) { - struct connectdata *conn = client_data; - struct Curl_easy *data = conn->data; + struct Curl_easy *data = (struct Curl_easy *)client_data; SSLChannelInfo channelInfo; SSLCipherSuiteInfo cipherInfo; @@ -949,7 +948,7 @@ static void display_cert_info(struct Curl_easy *data, PR_Free(common_name); } -static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) +static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) { CURLcode result = CURLE_OK; SSLChannelInfo channel; @@ -965,16 +964,16 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) channel.cipherSuite) { if(SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite)) == SECSuccess) { - infof(conn->data, "SSL connection using %s\n", suite.cipherSuiteName); + infof(data, "SSL connection using %s\n", suite.cipherSuiteName); } } cert = SSL_PeerCertificate(sock); if(cert) { - infof(conn->data, "Server certificate:\n"); + infof(data, "Server certificate:\n"); - if(!conn->data->set.ssl.certinfo) { - display_cert_info(conn->data, cert); + if(!data->set.ssl.certinfo) { + display_cert_info(data, cert); CERT_DestroyCertificate(cert); } else { @@ -995,10 +994,10 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) } } - result = Curl_ssl_init_certinfo(conn->data, i); + result = Curl_ssl_init_certinfo(data, i); if(!result) { for(i = 0; cert; cert = cert2) { - result = Curl_extract_certinfo(conn, i++, (char *)cert->derCert.data, + result = Curl_extract_certinfo(data, i++, (char *)cert->derCert.data, (char *)cert->derCert.data + cert->derCert.len); if(result) @@ -1021,8 +1020,8 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) { - struct connectdata *conn = (struct connectdata *)arg; - struct Curl_easy *data = conn->data; + struct Curl_easy *data = (struct Curl_easy *)arg; + struct connectdata *conn = data->conn; PRErrorCode err = PR_GetError(); CERTCertificate *cert; @@ -1335,7 +1334,7 @@ static CURLcode nss_init_core(struct Curl_easy *data, const char *cert_dir) infof(data, "Initializing NSS with certpath: %s\n", certpath); nss_context = NSS_InitContext(certpath, "", "", "", &initparams, - NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); + NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); free(certpath); if(nss_context != NULL) @@ -1360,7 +1359,7 @@ static CURLcode nss_init_core(struct Curl_easy *data, const char *cert_dir) } /* data might be NULL */ -static CURLcode nss_init(struct Curl_easy *data) +static CURLcode nss_setup(struct Curl_easy *data) { char *cert_dir; struct_stat st; @@ -1369,7 +1368,7 @@ static CURLcode nss_init(struct Curl_easy *data) if(initialized) return CURLE_OK; - /* list of all CRL items we need to destroy in Curl_nss_cleanup() */ + /* list of all CRL items we need to destroy in nss_cleanup() */ Curl_llist_init(&nss_crl_list, nss_destroy_crl_item); /* First we check if $SSL_DIR points to a valid dir */ @@ -1423,7 +1422,7 @@ static CURLcode nss_init(struct Curl_easy *data) * @retval 0 error initializing SSL * @retval 1 SSL initialized successfully */ -static int Curl_nss_init(void) +static int nss_init(void) { /* curl_global_init() is not thread-safe so this test is ok */ if(nss_initlock == NULL) { @@ -1451,14 +1450,14 @@ CURLcode Curl_nss_force_init(struct Curl_easy *data) } PR_Lock(nss_initlock); - result = nss_init(data); + result = nss_setup(data); PR_Unlock(nss_initlock); return result; } /* Global cleanup */ -static void Curl_nss_cleanup(void) +static void nss_cleanup(void) { /* This function isn't required to be threadsafe and this is only done * as a safety feature. @@ -1498,7 +1497,7 @@ static void Curl_nss_cleanup(void) * 0 means the connection has been closed * -1 means the connection status is unknown */ -static int Curl_nss_check_cxn(struct connectdata *conn) +static int nss_check_cxn(struct connectdata *conn) { struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET]; struct ssl_backend_data *backend = connssl->backend; @@ -1517,7 +1516,7 @@ static int Curl_nss_check_cxn(struct connectdata *conn) return -1; /* connection status unknown */ } -static void nss_close(struct ssl_connect_data *connssl) +static void close_one(struct ssl_connect_data *connssl) { /* before the cleanup, check whether we are using a client certificate */ struct ssl_backend_data *backend = connssl->backend; @@ -1547,7 +1546,8 @@ static void nss_close(struct ssl_connect_data *connssl) /* * This function is called when an SSL connection is closed. */ -static void Curl_nss_close(struct connectdata *conn, int sockindex) +static void nss_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; #ifndef CURL_DISABLE_PROXY @@ -1555,6 +1555,7 @@ static void Curl_nss_close(struct connectdata *conn, int sockindex) #endif struct ssl_backend_data *backend = connssl->backend; + (void)data; if(backend->handle #ifndef CURL_DISABLE_PROXY || connssl_proxy->backend->handle @@ -1573,9 +1574,9 @@ static void Curl_nss_close(struct connectdata *conn, int sockindex) a double close leading to crash. */ connssl_proxy->backend->handle = NULL; - nss_close(connssl_proxy); + close_one(connssl_proxy); #endif - nss_close(connssl); + close_one(connssl); } /* return true if NSS can provide error code (and possibly msg) for the @@ -1611,10 +1612,10 @@ static bool is_cc_error(PRInt32 err) static Curl_recv nss_recv; static Curl_send nss_send; -static CURLcode nss_load_ca_certificates(struct connectdata *conn, +static CURLcode nss_load_ca_certificates(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; const char *cafile = SSL_CONN_CONFIG(CAfile); const char *capath = SSL_CONN_CONFIG(CApath); bool use_trust_module; @@ -1819,14 +1820,14 @@ static CURLcode nss_set_blocking(struct ssl_connect_data *connssl, return CURLE_OK; } -static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) +static CURLcode nss_setup_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { PRFileDesc *model = NULL; PRFileDesc *nspr_io = NULL; PRFileDesc *nspr_io_stub = NULL; PRBool ssl_no_cache; PRBool ssl_cbc_random_iv; - struct Curl_easy *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -1849,11 +1850,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) backend->data = data; - /* list of all NSS objects we need to destroy in Curl_nss_close() */ + /* list of all NSS objects we need to destroy in nss_do_close() */ Curl_llist_init(&backend->obj_list, nss_destroy_object); PR_Lock(nss_initlock); - result = nss_init(conn->data); + result = nss_setup(data); if(result) { PR_Unlock(nss_initlock); goto error; @@ -1933,20 +1934,20 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) /* bypass the default SSL_AuthCertificate() hook in case we do not want to * verify peer */ - if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, conn) != SECSuccess) + if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, data) != SECSuccess) goto error; /* not checked yet */ SSL_SET_OPTION_LVALUE(certverifyresult) = 0; - if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess) + if(SSL_BadCertHook(model, BadCertHandler, data) != SECSuccess) goto error; - if(SSL_HandshakeCallback(model, HandshakeCallback, conn) != SECSuccess) + if(SSL_HandshakeCallback(model, HandshakeCallback, data) != SECSuccess) goto error; { - const CURLcode rv = nss_load_ca_certificates(conn, sockindex); + const CURLcode rv = nss_load_ca_certificates(data, conn, sockindex); if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer)) /* not a fatal error because we are not going to verify the peer */ infof(data, "warning: CA certificates failed to load\n"); @@ -1972,7 +1973,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) backend->obj_clicert = NULL; } else { - CURLcode rv = cert_stuff(conn, sockindex, + CURLcode rv = cert_stuff(data, conn, sockindex, SSL_SET_OPTION(primary.clientcert), SSL_SET_OPTION(key)); if(rv) { @@ -2071,7 +2072,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) goto error; if(SSL_SetCanFalseStartCallback(backend->handle, CanFalseStartCallback, - conn) != SECSuccess) + data) != SECSuccess) goto error; } #endif @@ -2125,11 +2126,11 @@ error: return nss_fail_connect(connssl, data, result); } -static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) +static CURLcode nss_do_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; - struct Curl_easy *data = conn->data; CURLcode result = CURLE_SSL_CONNECT_ERROR; PRUint32 timeout; @@ -2154,7 +2155,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) goto error; } - result = display_conn_info(conn, backend->handle); + result = display_conn_info(data, backend->handle); if(result) goto error; @@ -2188,11 +2189,11 @@ error: return nss_fail_connect(connssl, data, result); } -static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, +static CURLcode nss_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct Curl_easy *data = conn->data; const bool blocking = (done == NULL); CURLcode result; @@ -2203,7 +2204,7 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, } if(connssl->connecting_state == ssl_connect_1) { - result = nss_setup_connect(conn, sockindex); + result = nss_setup_connect(data, conn, sockindex); if(result) /* we do not expect CURLE_AGAIN from nss_setup_connect() */ return result; @@ -2216,7 +2217,7 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, if(result) return result; - result = nss_do_connect(conn, sockindex); + result = nss_do_connect(data, conn, sockindex); switch(result) { case CURLE_OK: break; @@ -2249,30 +2250,33 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, return CURLE_OK; } -static CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) +static CURLcode nss_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - return nss_connect_common(conn, sockindex, /* blocking */ NULL); + return nss_connect_common(data, conn, sockindex, /* blocking */ NULL); } -static CURLcode Curl_nss_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode nss_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return nss_connect_common(conn, sockindex, done); + return nss_connect_common(data, conn, sockindex, done); } -static ssize_t nss_send(struct connectdata *conn, /* connection data */ +static ssize_t nss_send(struct Curl_easy *data, /* transfer */ int sockindex, /* socketindex */ const void *mem, /* send this data */ size_t len, /* amount to write */ CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; ssize_t rc; /* The SelectClientCert() hook uses this for infof() and failf() but the handle stored in nss_setup_connect() could have already been freed. */ - backend->data = conn->data; + backend->data = data; rc = PR_Send(backend->handle, mem, (int)len, 0, PR_INTERVAL_NO_WAIT); if(rc < 0) { @@ -2282,10 +2286,10 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */ else { /* print the error number and error string */ const char *err_name = nss_error_to_name(err); - infof(conn->data, "SSL write: error %d (%s)\n", err, err_name); + infof(data, "SSL write: error %d (%s)\n", err, err_name); /* print a human-readable message describing the error if available */ - nss_print_error_message(conn->data, err); + nss_print_error_message(data, err); *curlcode = (is_cc_error(err)) ? CURLE_SSL_CERTPROBLEM @@ -2298,19 +2302,20 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */ return rc; /* number of bytes */ } -static ssize_t nss_recv(struct connectdata *conn, /* connection data */ +static ssize_t nss_recv(struct Curl_easy *data, /* transfer */ int sockindex, /* socketindex */ - char *buf, /* store read data here */ - size_t buffersize, /* max amount to read */ + char *buf, /* store read data here */ + size_t buffersize, /* max amount to read */ CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; ssize_t nread; /* The SelectClientCert() hook uses this for infof() and failf() but the handle stored in nss_setup_connect() could have already been freed. */ - backend->data = conn->data; + backend->data = data; nread = PR_Recv(backend->handle, buf, (int)buffersize, 0, PR_INTERVAL_NO_WAIT); @@ -2323,10 +2328,10 @@ static ssize_t nss_recv(struct connectdata *conn, /* connection data */ else { /* print the error number and error string */ const char *err_name = nss_error_to_name(err); - infof(conn->data, "SSL read: errno %d (%s)\n", err, err_name); + infof(data, "SSL read: errno %d (%s)\n", err, err_name); /* print a human-readable message describing the error if available */ - nss_print_error_message(conn->data, err); + nss_print_error_message(data, err); *curlcode = (is_cc_error(err)) ? CURLE_SSL_CERTPROBLEM @@ -2339,9 +2344,9 @@ static ssize_t nss_recv(struct connectdata *conn, /* connection data */ return nread; } -static size_t Curl_nss_version(char *buffer, size_t size) +static size_t nss_version(char *buffer, size_t size) { - return msnprintf(buffer, size, "NSS/%s", NSS_VERSION); + return msnprintf(buffer, size, "NSS/%s", NSS_GetVersion()); } /* data might be NULL */ @@ -2352,9 +2357,9 @@ static int Curl_nss_seed(struct Curl_easy *data) } /* data might be NULL */ -static CURLcode Curl_nss_random(struct Curl_easy *data, - unsigned char *entropy, - size_t length) +static CURLcode nss_random(struct Curl_easy *data, + unsigned char *entropy, + size_t length) { Curl_nss_seed(data); /* Initiate the seed if not already done */ @@ -2365,28 +2370,10 @@ static CURLcode Curl_nss_random(struct Curl_easy *data, return CURLE_OK; } -static CURLcode Curl_nss_md5sum(unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *md5sum, /* output */ - size_t md5len) -{ - PK11Context *MD5pw = PK11_CreateDigestContext(SEC_OID_MD5); - unsigned int MD5out; - - if(!MD5pw) - return CURLE_NOT_BUILT_IN; - - PK11_DigestOp(MD5pw, tmp, curlx_uztoui(tmplen)); - PK11_DigestFinal(MD5pw, md5sum, &MD5out, curlx_uztoui(md5len)); - PK11_DestroyContext(MD5pw, PR_TRUE); - - return CURLE_OK; -} - -static CURLcode Curl_nss_sha256sum(const unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *sha256sum, /* output */ - size_t sha256len) +static CURLcode nss_sha256sum(const unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *sha256sum, /* output */ + size_t sha256len) { PK11Context *SHA256pw = PK11_CreateDigestContext(SEC_OID_SHA256); unsigned int SHA256out; @@ -2401,7 +2388,7 @@ static CURLcode Curl_nss_sha256sum(const unsigned char *tmp, /* input */ return CURLE_OK; } -static bool Curl_nss_cert_status_request(void) +static bool nss_cert_status_request(void) { #ifdef SSL_ENABLE_OCSP_STAPLING return TRUE; @@ -2410,7 +2397,7 @@ static bool Curl_nss_cert_status_request(void) #endif } -static bool Curl_nss_false_start(void) +static bool nss_false_start(void) { #if NSSVERNUM >= 0x030f04 /* 3.15.4 */ return TRUE; @@ -2419,7 +2406,7 @@ static bool Curl_nss_false_start(void) #endif } -static void *Curl_nss_get_internals(struct ssl_connect_data *connssl, +static void *nss_get_internals(struct ssl_connect_data *connssl, CURLINFO info UNUSED_PARAM) { struct ssl_backend_data *backend = connssl->backend; @@ -2437,28 +2424,27 @@ const struct Curl_ssl Curl_ssl_nss = { sizeof(struct ssl_backend_data), - Curl_nss_init, /* init */ - Curl_nss_cleanup, /* cleanup */ - Curl_nss_version, /* version */ - Curl_nss_check_cxn, /* check_cxn */ + nss_init, /* init */ + nss_cleanup, /* cleanup */ + nss_version, /* version */ + nss_check_cxn, /* check_cxn */ /* NSS has no shutdown function provided and thus always fail */ Curl_none_shutdown, /* shutdown */ Curl_none_data_pending, /* data_pending */ - Curl_nss_random, /* random */ - Curl_nss_cert_status_request, /* cert_status_request */ - Curl_nss_connect, /* connect */ - Curl_nss_connect_nonblocking, /* connect_nonblocking */ - Curl_nss_get_internals, /* get_internals */ - Curl_nss_close, /* close_one */ + nss_random, /* random */ + nss_cert_status_request, /* cert_status_request */ + nss_connect, /* connect */ + nss_connect_nonblocking, /* connect_nonblocking */ + nss_get_internals, /* get_internals */ + nss_close, /* close_one */ Curl_none_close_all, /* close_all */ /* NSS has its own session ID cache */ Curl_none_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ - Curl_nss_false_start, /* false_start */ - Curl_nss_md5sum, /* md5sum */ - Curl_nss_sha256sum /* sha256sum */ + nss_false_start, /* false_start */ + nss_sha256sum /* sha256sum */ }; #endif /* USE_NSS */ diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index e9c535f..784d9f7 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -362,6 +362,18 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size) return buf; } +/* Return an extra data index for the transfer data. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). + */ +static int ossl_get_ssl_data_index(void) +{ + static int ssl_ex_data_data_index = -1; + if(ssl_ex_data_data_index < 0) { + ssl_ex_data_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return ssl_ex_data_data_index; +} + /* Return an extra data index for the connection data. * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). */ @@ -410,7 +422,7 @@ static bool rand_enough(void) return (0 != RAND_status()) ? TRUE : FALSE; } -static CURLcode Curl_ossl_seed(struct Curl_easy *data) +static CURLcode ossl_seed(struct Curl_easy *data) { /* we have the "SSL is seeded" boolean static to prevent multiple time-consuming seedings in vain */ @@ -572,8 +584,7 @@ static bool is_pkcs11_uri(const char *string) #endif -static CURLcode Curl_ossl_set_engine(struct Curl_easy *data, - const char *engine); +static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine); static int SSL_CTX_use_certificate_bio(SSL_CTX *ctx, BIO *in, int type, @@ -700,7 +711,7 @@ SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO* in, } static -int cert_stuff(struct connectdata *conn, +int cert_stuff(struct Curl_easy *data, SSL_CTX* ctx, char *cert_file, BIO *cert_bio, @@ -710,7 +721,6 @@ int cert_stuff(struct connectdata *conn, const char *key_type, char *key_passwd) { - struct Curl_easy *data = conn->data; char error_buffer[256]; bool check_privkey = TRUE; @@ -773,7 +783,7 @@ int cert_stuff(struct connectdata *conn, * cert_file is a PKCS#11 URI */ if(!data->state.engine) { if(is_pkcs11_uri(cert_file)) { - if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { + if(ossl_set_engine(data, "pkcs11") != CURLE_OK) { return 0; } } @@ -972,7 +982,7 @@ int cert_stuff(struct connectdata *conn, * key_file is a PKCS#11 URI */ if(!data->state.engine) { if(is_pkcs11_uri(key_file)) { - if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) { + if(ossl_set_engine(data, "pkcs11") != CURLE_OK) { return 0; } } @@ -1113,7 +1123,7 @@ static int x509_name_oneline(X509_NAME *a, char *buf, size_t size) * @retval 0 error initializing SSL * @retval 1 SSL initialized successfully */ -static int Curl_ossl_init(void) +static int ossl_init(void) { #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) @@ -1161,14 +1171,15 @@ static int Curl_ossl_init(void) Curl_tls_keylog_open(); /* Initialize the extra data indexes */ - if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) + if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 || + ossl_get_ssl_sockindex_index() < 0) return 0; return 1; } /* Global cleanup */ -static void Curl_ossl_cleanup(void) +static void ossl_cleanup(void) { #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !defined(LIBRESSL_VERSION_NUMBER) @@ -1212,7 +1223,7 @@ static void Curl_ossl_cleanup(void) * 0 means the connection has been closed * -1 means the connection status is unknown */ -static int Curl_ossl_check_cxn(struct connectdata *conn) +static int ossl_check_cxn(struct connectdata *conn) { /* SSL_peek takes data out of the raw recv buffer without peeking so we use recv MSG_PEEK instead. Bug #795 */ @@ -1258,8 +1269,7 @@ static int Curl_ossl_check_cxn(struct connectdata *conn) /* Selects an OpenSSL crypto engine */ -static CURLcode Curl_ossl_set_engine(struct Curl_easy *data, - const char *engine) +static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine) { #ifdef USE_OPENSSL_ENGINE ENGINE *e; @@ -1289,7 +1299,7 @@ static CURLcode Curl_ossl_set_engine(struct Curl_easy *data, char buf[256]; ENGINE_free(e); - failf(data, "Failed to initialise SSL Engine '%s':\n%s", + failf(data, "Failed to initialise SSL Engine '%s': %s", engine, ossl_strerror(ERR_get_error(), buf, sizeof(buf))); return CURLE_SSL_ENGINE_INITFAILED; } @@ -1304,7 +1314,7 @@ static CURLcode Curl_ossl_set_engine(struct Curl_easy *data, /* Sets engine as default for all SSL operations */ -static CURLcode Curl_ossl_set_engine_default(struct Curl_easy *data) +static CURLcode ossl_set_engine_default(struct Curl_easy *data) { #ifdef USE_OPENSSL_ENGINE if(data->state.engine) { @@ -1326,7 +1336,7 @@ static CURLcode Curl_ossl_set_engine_default(struct Curl_easy *data) /* Return list of OpenSSL crypto engine names. */ -static struct curl_slist *Curl_ossl_engines_list(struct Curl_easy *data) +static struct curl_slist *ossl_engines_list(struct Curl_easy *data) { struct curl_slist *list = NULL; #ifdef USE_OPENSSL_ENGINE @@ -1346,7 +1356,7 @@ static struct curl_slist *Curl_ossl_engines_list(struct Curl_easy *data) return list; } -static void ossl_close(struct ssl_connect_data *connssl) +static void ossl_closeone(struct ssl_connect_data *connssl) { struct ssl_backend_data *backend = connssl->backend; if(backend->handle) { @@ -1365,11 +1375,13 @@ static void ossl_close(struct ssl_connect_data *connssl) /* * This function is called when an SSL connection is closed. */ -static void Curl_ossl_close(struct connectdata *conn, int sockindex) +static void ossl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - ossl_close(&conn->ssl[sockindex]); + (void) data; + ossl_closeone(&conn->ssl[sockindex]); #ifndef CURL_DISABLE_PROXY - ossl_close(&conn->proxy_ssl[sockindex]); + ossl_closeone(&conn->proxy_ssl[sockindex]); #endif } @@ -1377,11 +1389,11 @@ static void Curl_ossl_close(struct connectdata *conn, int sockindex) * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int Curl_ossl_shutdown(struct connectdata *conn, int sockindex) +static int ossl_shutdown(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { int retval = 0; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct Curl_easy *data = conn->data; char buf[256]; /* We will use this for the OpenSSL error buffer, so it has to be at least 256 bytes long. */ unsigned long sslerror; @@ -1433,7 +1445,7 @@ static int Curl_ossl_shutdown(struct connectdata *conn, int sockindex) default: /* openssl/ssl.h says "look at error stack/return value/errno" */ sslerror = ERR_get_error(); - failf(conn->data, OSSL_PACKAGE " SSL_read on shutdown: %s, errno %d", + failf(data, OSSL_PACKAGE " SSL_read on shutdown: %s, errno %d", (sslerror ? ossl_strerror(sslerror, buf, sizeof(buf)) : SSL_ERROR_to_str(err)), @@ -1478,7 +1490,7 @@ static int Curl_ossl_shutdown(struct connectdata *conn, int sockindex) return retval; } -static void Curl_ossl_session_free(void *ptr) +static void ossl_session_free(void *ptr) { /* free the ID */ SSL_SESSION_free(ptr); @@ -1488,7 +1500,7 @@ static void Curl_ossl_session_free(void *ptr) * This function is called when the 'data' struct is going away. Close * down everything and free all resources! */ -static void Curl_ossl_close_all(struct Curl_easy *data) +static void ossl_close_all(struct Curl_easy *data) { #ifdef USE_OPENSSL_ENGINE if(data->state.engine) { @@ -1582,12 +1594,12 @@ static bool subj_alt_hostcheck(struct Curl_easy *data, in the certificate and must exactly match the IP in the URI. */ -static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) +static CURLcode verifyhost(struct Curl_easy *data, struct connectdata *conn, + X509 *server_cert) { bool matched = FALSE; int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */ size_t addrlen = 0; - struct Curl_easy *data = conn->data; STACK_OF(GENERAL_NAME) *altnames; #ifdef ENABLE_IPV6 struct in6_addr addr; @@ -1782,14 +1794,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) -static CURLcode verifystatus(struct connectdata *conn, +static CURLcode verifystatus(struct Curl_easy *data, struct ssl_connect_data *connssl) { int i, ocsp_status; unsigned char *status; const unsigned char *p; CURLcode result = CURLE_OK; - struct Curl_easy *data = conn->data; OCSP_RESPONSE *rsp = NULL; OCSP_BASICRESP *br = NULL; X509_STORE *st = NULL; @@ -1871,7 +1882,7 @@ static CURLcode verifystatus(struct connectdata *conn, /* Compute the certificate's ID */ cert = SSL_get_peer_certificate(backend->handle); if(!cert) { - failf(data, "Error getting peer certficate"); + failf(data, "Error getting peer certificate"); result = CURLE_SSL_INVALIDCERTSTATUS; goto end; } @@ -2206,15 +2217,15 @@ select_next_proto_cb(SSL *ssl, const unsigned char *in, unsigned int inlen, void *arg) { - struct connectdata *conn = (struct connectdata*) arg; - + struct Curl_easy *data = (struct Curl_easy *)arg; + struct connectdata *conn = data->conn; (void)ssl; #ifdef USE_NGHTTP2 - if(conn->data->set.httpversion >= CURL_HTTP_VERSION_2 && + if(data->set.httpversion >= CURL_HTTP_VERSION_2 && !select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_VERSION_ID, NGHTTP2_PROTO_VERSION_ID_LEN)) { - infof(conn->data, "NPN, negotiated HTTP2 (%s)\n", + infof(data, "NPN, negotiated HTTP2 (%s)\n", NGHTTP2_PROTO_VERSION_ID); conn->negnpn = CURL_HTTP_VERSION_2; return SSL_TLSEXT_ERR_OK; @@ -2223,12 +2234,12 @@ select_next_proto_cb(SSL *ssl, if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) { - infof(conn->data, "NPN, negotiated HTTP1.1\n"); + infof(data, "NPN, negotiated HTTP1.1\n"); conn->negnpn = CURL_HTTP_VERSION_1_1; return SSL_TLSEXT_ERR_OK; } - infof(conn->data, "NPN, no overlap, use HTTP1.1\n"); + infof(data, "NPN, no overlap, use HTTP1.1\n"); *out = (unsigned char *)ALPN_HTTP_1_1; *outlen = ALPN_HTTP_1_1_LENGTH; conn->negnpn = CURL_HTTP_VERSION_1_1; @@ -2359,16 +2370,14 @@ typedef long ctx_option_t; #if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */ static CURLcode set_ssl_version_min_max_legacy(ctx_option_t *ctx_options, - struct connectdata *conn, int sockindex) + struct Curl_easy *data, + struct connectdata *conn, int sockindex) { -#if (OPENSSL_VERSION_NUMBER < 0x1000100FL) || !defined(TLS1_3_VERSION) - /* convoluted #if condition just to avoid compiler warnings on unused - variable */ - struct Curl_easy *data = conn->data; -#endif long ssl_version = SSL_CONN_CONFIG(version); long ssl_version_max = SSL_CONN_CONFIG(version_max); + (void) data; /* In case it's unused. */ + switch(ssl_version) { case CURL_SSLVERSION_TLSv1_3: #ifdef TLS1_3_VERSION @@ -2443,17 +2452,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) struct Curl_easy *data; int sockindex; curl_socket_t *sockindex_ptr; + int data_idx = ossl_get_ssl_data_index(); int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); - if(connectdata_idx < 0 || sockindex_idx < 0) + if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0) return 0; conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); if(!conn) return 0; - data = conn->data; + data = (struct Curl_easy *) SSL_get_ex_data(ssl, data_idx); /* The sockindex has been stored as a pointer to an array element */ sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); @@ -2463,19 +2473,19 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) bool incache; void *old_ssl_sessionid = NULL; - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + Curl_ssl_delsessionid(data, old_ssl_sessionid); incache = FALSE; } } if(!incache) { - if(!Curl_ssl_addsessionid(conn, ssl_sessionid, + if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid, 0 /* unknown size */, sockindex)) { /* the session has been put into the session cache */ res = 1; @@ -2483,17 +2493,17 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) else failf(data, "failed to store ssl session"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } return res; } -static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) +static CURLcode ossl_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result = CURLE_OK; char *ciphers; - struct Curl_easy *data = conn->data; SSL_METHOD_QUAL SSL_METHOD *req_method = NULL; X509_LOOKUP *lookup = NULL; curl_socket_t sockfd = conn->sock[sockindex]; @@ -2528,7 +2538,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); /* Make funny stuff to get random input */ - result = Curl_ossl_seed(data); + result = ossl_seed(data); if(result) return result; @@ -2714,7 +2724,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */ result = set_ssl_version_min_max(backend->ctx, conn); #else - result = set_ssl_version_min_max_legacy(&ctx_options, conn, sockindex); + result = set_ssl_version_min_max_legacy(&ctx_options, data, conn, + sockindex); #endif if(result != CURLE_OK) return result; @@ -2729,7 +2740,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) #ifdef HAS_NPN if(conn->bits.tls_enable_npn) - SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, conn); + SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data); #endif #ifdef HAS_ALPN @@ -2782,7 +2793,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) result = CURLE_OUT_OF_MEMORY; } if(!result && - !cert_stuff(conn, backend->ctx, + !cert_stuff(data, backend->ctx, ssl_cert, ssl_cert_bio, ssl_cert_type, SSL_SET_OPTION(key), ssl_key_bio, SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd))) @@ -3178,30 +3189,43 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) #ifdef ENABLE_IPV6 (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) && #endif - sni && - !SSL_set_tlsext_host_name(backend->handle, hostname)) - infof(data, "WARNING: failed to configure server name indication (SNI) " - "TLS extension\n"); + sni) { + size_t nlen = strlen(hostname); + if((long)nlen >= data->set.buffer_size) + /* this is seriously messed up */ + return CURLE_SSL_CONNECT_ERROR; + + /* RFC 6066 section 3 says the SNI field is case insensitive, but browsers + send the data lowercase and subsequently there are now numerous servers + out there that don't work unless the name is lowercased */ + Curl_strntolower(data->state.buffer, hostname, nlen); + data->state.buffer[nlen] = 0; + if(!SSL_set_tlsext_host_name(backend->handle, data->state.buffer)) + infof(data, "WARNING: failed to configure server name indication (SNI) " + "TLS extension\n"); + } #endif /* Check if there's a cached ID we can/should use here! */ if(SSL_SET_OPTION(primary.sessionid)) { void *ssl_sessionid = NULL; + int data_idx = ossl_get_ssl_data_index(); int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); - if(connectdata_idx >= 0 && sockindex_idx >= 0) { + if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) { /* Store the data needed for the "new session" callback. * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(backend->handle, data_idx, data); SSL_set_ex_data(backend->handle, connectdata_idx, conn); SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); } - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "SSL: SSL_set_session failed: %s", ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer))); @@ -3210,7 +3234,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) /* Informational message */ infof(data, "SSL re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } #ifndef CURL_DISABLE_PROXY @@ -3237,9 +3261,9 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) return CURLE_OK; } -static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) +static CURLcode ossl_connect_step2(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; int err; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -3385,7 +3409,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) else infof(data, "ALPN, server did not agree to a protocol\n"); - Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -3491,13 +3515,12 @@ typedef size_t numcert_t; typedef int numcert_t; #endif -static CURLcode get_cert_chain(struct connectdata *conn, +static CURLcode get_cert_chain(struct Curl_easy *data, struct ssl_connect_data *connssl) { CURLcode result; STACK_OF(X509) *sk; int i; - struct Curl_easy *data = conn->data; numcert_t numcerts; BIO *mem; struct ssl_backend_data *backend = connssl->backend; @@ -3772,14 +3795,14 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert, * We check certificates to authenticate the server; otherwise we risk * man-in-the-middle attack. */ -static CURLcode servercert(struct connectdata *conn, +static CURLcode servercert(struct Curl_easy *data, + struct connectdata *conn, struct ssl_connect_data *connssl, bool strict) { CURLcode result = CURLE_OK; int rc; long lerr; - struct Curl_easy *data = conn->data; X509 *issuer; BIO *fp = NULL; char error_buffer[256]=""; @@ -3790,7 +3813,7 @@ static CURLcode servercert(struct connectdata *conn, if(data->set.ssl.certinfo) /* we've been asked to gather certificate info! */ - (void)get_cert_chain(conn, connssl); + (void)get_cert_chain(data, connssl); backend->server_cert = SSL_get_peer_certificate(backend->handle); if(!backend->server_cert) { @@ -3826,7 +3849,7 @@ static CURLcode servercert(struct connectdata *conn, BIO_free(mem); if(SSL_CONN_CONFIG(verifyhost)) { - result = verifyhost(conn, backend->server_cert); + result = verifyhost(data, conn, backend->server_cert); if(result) { X509_free(backend->server_cert); backend->server_cert = NULL; @@ -3928,7 +3951,7 @@ static CURLcode servercert(struct connectdata *conn, #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) if(SSL_CONN_CONFIG(verifystatus)) { - result = verifystatus(conn, connssl); + result = verifystatus(data, connssl); if(result) { X509_free(backend->server_cert); backend->server_cert = NULL; @@ -3956,7 +3979,8 @@ static CURLcode servercert(struct connectdata *conn, return result; } -static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) +static CURLcode ossl_connect_step3(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result = CURLE_OK; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; @@ -3970,8 +3994,8 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) * operations. */ - result = servercert(conn, connssl, (SSL_CONN_CONFIG(verifypeer) || - SSL_CONN_CONFIG(verifyhost))); + result = servercert(data, conn, connssl, (SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost))); if(!result) connssl->connecting_state = ssl_connect_done; @@ -3982,13 +4006,13 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) static Curl_recv ossl_recv; static Curl_send ossl_send; -static CURLcode ossl_connect_common(struct connectdata *conn, +static CURLcode ossl_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; int what; @@ -4009,7 +4033,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn, return CURLE_OPERATION_TIMEDOUT; } - result = ossl_connect_step1(conn, sockindex); + result = ossl_connect_step1(data, conn, sockindex); if(result) return result; } @@ -4061,7 +4085,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - result = ossl_connect_step2(conn, sockindex); + result = ossl_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -4071,7 +4095,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = ossl_connect_step3(conn, sockindex); + result = ossl_connect_step3(data, conn, sockindex); if(result) return result; } @@ -4091,19 +4115,21 @@ static CURLcode ossl_connect_common(struct connectdata *conn, return CURLE_OK; } -static CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn, - int sockindex, - bool *done) +static CURLcode ossl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, + bool *done) { - return ossl_connect_common(conn, sockindex, TRUE, done); + return ossl_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex) +static CURLcode ossl_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result; bool done = FALSE; - result = ossl_connect_common(conn, sockindex, FALSE, &done); + result = ossl_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -4112,8 +4138,8 @@ static CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static bool Curl_ossl_data_pending(const struct connectdata *conn, - int connindex) +static bool ossl_data_pending(const struct connectdata *conn, + int connindex) { const struct ssl_connect_data *connssl = &conn->ssl[connindex]; if(connssl->backend->handle && SSL_pending(connssl->backend->handle)) @@ -4128,9 +4154,9 @@ static bool Curl_ossl_data_pending(const struct connectdata *conn, return FALSE; } -static size_t Curl_ossl_version(char *buffer, size_t size); +static size_t ossl_version(char *buffer, size_t size); -static ssize_t ossl_send(struct connectdata *conn, +static ssize_t ossl_send(struct Curl_easy *data, int sockindex, const void *mem, size_t len, @@ -4143,6 +4169,7 @@ static ssize_t ossl_send(struct connectdata *conn, unsigned long sslerror; int memlen; int rc; + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -4174,7 +4201,7 @@ static ssize_t ossl_send(struct connectdata *conn, strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer)); error_buffer[sizeof(error_buffer) - 1] = '\0'; } - failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d", + failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d", error_buffer, sockerr); *curlcode = CURLE_SEND_ERROR; return -1; @@ -4191,18 +4218,17 @@ static ssize_t ossl_send(struct connectdata *conn, #endif ) { char ver[120]; - Curl_ossl_version(ver, 120); - failf(conn->data, "Error: %s does not support double SSL tunneling.", - ver); + ossl_version(ver, 120); + failf(data, "Error: %s does not support double SSL tunneling.", ver); } else - failf(conn->data, "SSL_write() error: %s", + failf(data, "SSL_write() error: %s", ossl_strerror(sslerror, error_buffer, sizeof(error_buffer))); *curlcode = CURLE_SEND_ERROR; return -1; } /* a true error */ - failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d", + failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d", SSL_ERROR_to_str(err), SOCKERRNO); *curlcode = CURLE_SEND_ERROR; return -1; @@ -4211,7 +4237,7 @@ static ssize_t ossl_send(struct connectdata *conn, return (ssize_t)rc; /* number of bytes */ } -static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ +static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ int num, /* socketindex */ char *buf, /* store read data here */ size_t buffersize, /* max amount to read */ @@ -4221,6 +4247,7 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ unsigned long sslerror; ssize_t nread; int buffsize; + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[num]; struct ssl_backend_data *backend = connssl->backend; @@ -4264,7 +4291,7 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer)); error_buffer[sizeof(error_buffer) - 1] = '\0'; } - failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d", + failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d", error_buffer, sockerr); *curlcode = CURLE_RECV_ERROR; return -1; @@ -4286,7 +4313,7 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ msnprintf(error_buffer, sizeof(error_buffer), "Connection closed abruptly"); } - failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d" + failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d" " (Fatal because this is a curl debug build)", error_buffer, sockerr); *curlcode = CURLE_RECV_ERROR; @@ -4298,7 +4325,7 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */ return nread; } -static size_t Curl_ossl_version(char *buffer, size_t size) +static size_t ossl_version(char *buffer, size_t size) { #ifdef LIBRESSL_VERSION_NUMBER #if LIBRESSL_VERSION_NUMBER < 0x2070100fL @@ -4369,12 +4396,12 @@ static size_t Curl_ossl_version(char *buffer, size_t size) } /* can be called with data == NULL */ -static CURLcode Curl_ossl_random(struct Curl_easy *data, - unsigned char *entropy, size_t length) +static CURLcode ossl_random(struct Curl_easy *data, + unsigned char *entropy, size_t length) { int rc; if(data) { - if(Curl_ossl_seed(data)) /* Initiate the seed if not already done */ + if(ossl_seed(data)) /* Initiate the seed if not already done */ return CURLE_FAILED_INIT; /* couldn't seed for some reason */ } else { @@ -4386,30 +4413,11 @@ static CURLcode Curl_ossl_random(struct Curl_easy *data, return (rc == 1 ? CURLE_OK : CURLE_FAILED_INIT); } -static CURLcode Curl_ossl_md5sum(unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *md5sum /* output */, - size_t unused) -{ - EVP_MD_CTX *mdctx; - unsigned int len = 0; - (void) unused; - - mdctx = EVP_MD_CTX_create(); - if(!mdctx) - return CURLE_OUT_OF_MEMORY; - EVP_DigestInit(mdctx, EVP_md5()); - EVP_DigestUpdate(mdctx, tmp, tmplen); - EVP_DigestFinal_ex(mdctx, md5sum, &len); - EVP_MD_CTX_destroy(mdctx); - return CURLE_OK; -} - #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) -static CURLcode Curl_ossl_sha256sum(const unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *sha256sum /* output */, - size_t unused) +static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *sha256sum /* output */, + size_t unused) { EVP_MD_CTX *mdctx; unsigned int len = 0; @@ -4426,7 +4434,7 @@ static CURLcode Curl_ossl_sha256sum(const unsigned char *tmp, /* input */ } #endif -static bool Curl_ossl_cert_status_request(void) +static bool ossl_cert_status_request(void) { #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) @@ -4436,8 +4444,8 @@ static bool Curl_ossl_cert_status_request(void) #endif } -static void *Curl_ossl_get_internals(struct ssl_connect_data *connssl, - CURLINFO info) +static void *ossl_get_internals(struct ssl_connect_data *connssl, + CURLINFO info) { /* Legacy: CURLINFO_TLS_SESSION must return an SSL_CTX pointer. */ struct ssl_backend_data *backend = connssl->backend; @@ -4459,29 +4467,28 @@ const struct Curl_ssl Curl_ssl_openssl = { sizeof(struct ssl_backend_data), - Curl_ossl_init, /* init */ - Curl_ossl_cleanup, /* cleanup */ - Curl_ossl_version, /* version */ - Curl_ossl_check_cxn, /* check_cxn */ - Curl_ossl_shutdown, /* shutdown */ - Curl_ossl_data_pending, /* data_pending */ - Curl_ossl_random, /* random */ - Curl_ossl_cert_status_request, /* cert_status_request */ - Curl_ossl_connect, /* connect */ - Curl_ossl_connect_nonblocking, /* connect_nonblocking */ - Curl_ossl_get_internals, /* get_internals */ - Curl_ossl_close, /* close_one */ - Curl_ossl_close_all, /* close_all */ - Curl_ossl_session_free, /* session_free */ - Curl_ossl_set_engine, /* set_engine */ - Curl_ossl_set_engine_default, /* set_engine_default */ - Curl_ossl_engines_list, /* engines_list */ - Curl_none_false_start, /* false_start */ - Curl_ossl_md5sum, /* md5sum */ + ossl_init, /* init */ + ossl_cleanup, /* cleanup */ + ossl_version, /* version */ + ossl_check_cxn, /* check_cxn */ + ossl_shutdown, /* shutdown */ + ossl_data_pending, /* data_pending */ + ossl_random, /* random */ + ossl_cert_status_request, /* cert_status_request */ + ossl_connect, /* connect */ + ossl_connect_nonblocking, /* connect_nonblocking */ + ossl_get_internals, /* get_internals */ + ossl_close, /* close_one */ + ossl_close_all, /* close_all */ + ossl_session_free, /* session_free */ + ossl_set_engine, /* set_engine */ + ossl_set_engine_default, /* set_engine_default */ + ossl_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) - Curl_ossl_sha256sum /* sha256sum */ + ossl_sha256sum /* sha256sum */ #else - NULL /* sha256sum */ + NULL /* sha256sum */ #endif }; diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index d7bc389..0668f98 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -5,9 +5,9 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * + * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de> * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com> - * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -142,7 +142,8 @@ static Curl_recv schannel_recv; static Curl_send schannel_send; -static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, +static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, + struct connectdata *conn, int sockindex, const char *pinnedpubkey); static void InitSecBuffer(SecBuffer *buffer, unsigned long BufType, @@ -162,9 +163,9 @@ static void InitSecBufferDesc(SecBufferDesc *desc, SecBuffer *BufArr, } static CURLcode -set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct connectdata *conn) +set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data, + struct connectdata *conn) { - struct Curl_easy *data = conn->data; long ssl_version = SSL_CONN_CONFIG(version); long ssl_version_max = SSL_CONN_CONFIG(version_max); long i = ssl_version; @@ -405,10 +406,10 @@ get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path, #endif static CURLcode -schannel_connect_step1(struct connectdata *conn, int sockindex) +schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { ssize_t written = -1; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SecBuffer outbuf; SecBufferDesc outbuf_desc; @@ -493,8 +494,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) /* check for an existing re-usable credential handle */ if(SSL_SET_OPTION(primary.sessionid)) { - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, + (void **)&old_cred, NULL, sockindex)) { BACKEND->cred = old_cred; DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); @@ -504,7 +506,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) "schannel: incremented credential handle refcount = %d\n", BACKEND->cred->refcount)); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } if(!BACKEND->cred) { @@ -563,7 +565,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - result = set_ssl_version_min_max(&schannel_cred, conn); + result = set_ssl_version_min_max(&schannel_cred, data, conn); if(result != CURLE_OK) return result; break; @@ -956,7 +958,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) "sending %lu bytes...\n", outbuf.cbBuffer)); /* send initial handshake data which is now stored in output buffer */ - result = Curl_write_plain(conn, conn->sock[sockindex], outbuf.pvBuffer, + result = Curl_write_plain(data, conn->sock[sockindex], outbuf.pvBuffer, outbuf.cbBuffer, &written); s_pSecFn->FreeContextBuffer(outbuf.pvBuffer); if((result != CURLE_OK) || (outbuf.cbBuffer != (size_t) written)) { @@ -980,11 +982,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) } static CURLcode -schannel_connect_step2(struct connectdata *conn, int sockindex) +schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { int i; ssize_t nread = -1, written = -1; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; unsigned char *reallocated_buffer; SecBuffer outbuf[3]; @@ -1153,7 +1155,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) "sending %lu bytes...\n", outbuf[i].cbBuffer)); /* send handshake token to server */ - result = Curl_write_plain(conn, conn->sock[sockindex], + result = Curl_write_plain(data, conn->sock[sockindex], outbuf[i].pvBuffer, outbuf[i].cbBuffer, &written); if((result != CURLE_OK) || @@ -1252,7 +1254,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; if(pubkey_ptr) { - result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr); + result = pkp_pin_peer_pubkey(data, conn, sockindex, pubkey_ptr); if(result) { failf(data, "SSL: public key does not match pinned public key!"); return result; @@ -1261,7 +1263,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) #ifdef HAS_MANUAL_VERIFY_API if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) { - return Curl_verify_certificate(conn, sockindex); + return Curl_verify_certificate(data, conn, sockindex); } #endif @@ -1305,7 +1307,7 @@ cert_counter_callback(const CERT_CONTEXT *ccert_context, void *certs_count) struct Adder_args { - struct connectdata *conn; + struct Curl_easy *data; CURLcode result; int idx; int certs_count; @@ -1320,17 +1322,18 @@ add_cert_to_certinfo(const CERT_CONTEXT *ccert_context, void *raw_arg) const char *beg = (const char *) ccert_context->pbCertEncoded; const char *end = beg + ccert_context->cbCertEncoded; int insert_index = (args->certs_count - 1) - args->idx; - args->result = Curl_extract_certinfo(args->conn, insert_index, beg, end); + args->result = Curl_extract_certinfo(args->data, insert_index, + beg, end); args->idx++; } return args->result == CURLE_OK; } static CURLcode -schannel_connect_step3(struct connectdata *conn, int sockindex) +schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result = CURLE_OK; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SECURITY_STATUS sspi_status = SEC_E_OK; CERT_CONTEXT *ccert_context = NULL; @@ -1400,7 +1403,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) } else infof(data, "ALPN, server did not agree to a protocol\n"); - Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } #endif @@ -1410,24 +1413,24 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) bool incache; struct Curl_schannel_cred *old_cred = NULL; - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL, sockindex)); if(incache) { if(old_cred != BACKEND->cred) { DEBUGF(infof(data, "schannel: old credential handle is stale, removing\n")); /* we're not taking old_cred ownership here, no refcount++ is needed */ - Curl_ssl_delsessionid(conn, (void *)old_cred); + Curl_ssl_delsessionid(data, (void *)old_cred); incache = FALSE; } } if(!incache) { - result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, + result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred, sizeof(struct Curl_schannel_cred), sockindex); if(result) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "schannel: failed to store credential handle"); return result; } @@ -1438,7 +1441,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) "schannel: stored credential handle in session cache\n")); } } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } if(data->set.ssl.certinfo) { @@ -1458,7 +1461,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) result = Curl_ssl_init_certinfo(data, certs_count); if(!result) { struct Adder_args args; - args.conn = conn; + args.data = data; args.idx = 0; args.certs_count = certs_count; traverse_cert_store(ccert_context, add_cert_to_certinfo, &args); @@ -1475,11 +1478,10 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) } static CURLcode -schannel_connect_common(struct connectdata *conn, int sockindex, - bool nonblocking, bool *done) +schannel_connect_common(struct Curl_easy *data, struct connectdata *conn, + int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; timediff_t timeout_ms; @@ -1501,7 +1503,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex, return CURLE_OPERATION_TIMEDOUT; } - result = schannel_connect_step1(conn, sockindex); + result = schannel_connect_step1(data, conn, sockindex); if(result) return result; } @@ -1556,7 +1558,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - result = schannel_connect_step2(conn, sockindex); + result = schannel_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1566,7 +1568,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = schannel_connect_step3(conn, sockindex); + result = schannel_connect_step3(data, conn, sockindex); if(result) return result; } @@ -1597,12 +1599,13 @@ schannel_connect_common(struct connectdata *conn, int sockindex, } static ssize_t -schannel_send(struct connectdata *conn, int sockindex, +schannel_send(struct Curl_easy *data, int sockindex, const void *buf, size_t len, CURLcode *err) { ssize_t written = -1; size_t data_len = 0; - unsigned char *data = NULL; + unsigned char *ptr = NULL; + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SecBuffer outbuf[4]; SecBufferDesc outbuf_desc; @@ -1629,19 +1632,19 @@ schannel_send(struct connectdata *conn, int sockindex, /* calculate the complete message length and allocate a buffer for it */ data_len = BACKEND->stream_sizes.cbHeader + len + BACKEND->stream_sizes.cbTrailer; - data = (unsigned char *) malloc(data_len); - if(data == NULL) { + ptr = (unsigned char *) malloc(data_len); + if(!ptr) { *err = CURLE_OUT_OF_MEMORY; return -1; } /* setup output buffers (header, data, trailer, empty) */ InitSecBuffer(&outbuf[0], SECBUFFER_STREAM_HEADER, - data, BACKEND->stream_sizes.cbHeader); + ptr, BACKEND->stream_sizes.cbHeader); InitSecBuffer(&outbuf[1], SECBUFFER_DATA, - data + BACKEND->stream_sizes.cbHeader, curlx_uztoul(len)); + ptr + BACKEND->stream_sizes.cbHeader, curlx_uztoul(len)); InitSecBuffer(&outbuf[2], SECBUFFER_STREAM_TRAILER, - data + BACKEND->stream_sizes.cbHeader + len, + ptr + BACKEND->stream_sizes.cbHeader + len, BACKEND->stream_sizes.cbTrailer); InitSecBuffer(&outbuf[3], SECBUFFER_EMPTY, NULL, 0); InitSecBufferDesc(&outbuf_desc, outbuf, 4); @@ -1680,10 +1683,10 @@ schannel_send(struct connectdata *conn, int sockindex, while(len > (size_t)written) { ssize_t this_write = 0; int what; - timediff_t timeout_ms = Curl_timeleft(conn->data, NULL, FALSE); + timediff_t timeout_ms = Curl_timeleft(data, NULL, FALSE); if(timeout_ms < 0) { /* we already got the timeout */ - failf(conn->data, "schannel: timed out sending data " + failf(data, "schannel: timed out sending data " "(bytes sent: %zd)", written); *err = CURLE_OPERATION_TIMEDOUT; written = -1; @@ -1694,13 +1697,13 @@ schannel_send(struct connectdata *conn, int sockindex, what = SOCKET_WRITABLE(conn->sock[sockindex], timeout_ms); if(what < 0) { /* fatal error */ - failf(conn->data, "select/poll on SSL socket, errno: %d", SOCKERRNO); + failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO); *err = CURLE_SEND_ERROR; written = -1; break; } else if(0 == what) { - failf(conn->data, "schannel: timed out sending data " + failf(data, "schannel: timed out sending data " "(bytes sent: %zd)", written); *err = CURLE_OPERATION_TIMEDOUT; written = -1; @@ -1708,7 +1711,7 @@ schannel_send(struct connectdata *conn, int sockindex, } /* socket is writable */ - result = Curl_write_plain(conn, conn->sock[sockindex], data + written, + result = Curl_write_plain(data, conn->sock[sockindex], ptr + written, len - written, &this_write); if(result == CURLE_AGAIN) continue; @@ -1728,7 +1731,7 @@ schannel_send(struct connectdata *conn, int sockindex, *err = CURLE_SEND_ERROR; } - Curl_safefree(data); + Curl_safefree(ptr); if(len == (size_t)written) /* Encrypted message including header, data and trailer entirely sent. @@ -1739,12 +1742,12 @@ schannel_send(struct connectdata *conn, int sockindex, } static ssize_t -schannel_recv(struct connectdata *conn, int sockindex, +schannel_recv(struct Curl_easy *data, int sockindex, char *buf, size_t len, CURLcode *err) { size_t size = 0; ssize_t nread = -1; - struct Curl_easy *data = conn->data; + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; unsigned char *reallocated_buffer; size_t reallocated_length; @@ -1783,14 +1786,12 @@ schannel_recv(struct connectdata *conn, int sockindex, infof(data, "schannel: server indicated shutdown in a prior call\n"); goto cleanup; } - else if(!len) { - /* It's debatable what to return when !len. Regardless we can't return - immediately because there may be data to decrypt (in the case we want to - decrypt all encrypted cached data) so handle !len later in cleanup. - */ - ; /* do nothing */ - } - else if(!BACKEND->recv_connection_closed) { + + /* It's debatable what to return when !len. Regardless we can't return + immediately because there may be data to decrypt (in the case we want to + decrypt all encrypted cached data) so handle !len later in cleanup. + */ + else if(len && !BACKEND->recv_connection_closed) { /* increase enc buffer in order to fit the requested amount of data */ size = BACKEND->encdata_length - BACKEND->encdata_offset; if(size < CURL_SCHANNEL_BUFFER_FREE_SIZE || @@ -1957,7 +1958,7 @@ schannel_recv(struct connectdata *conn, int sockindex, infof(data, "schannel: renegotiating SSL/TLS connection\n"); connssl->state = ssl_connection_negotiating; connssl->connecting_state = ssl_connect_2_writing; - *err = schannel_connect_common(conn, sockindex, FALSE, &done); + *err = schannel_connect_common(data, conn, sockindex, FALSE, &done); if(*err) { infof(data, "schannel: renegotiation failed\n"); goto cleanup; @@ -2064,18 +2065,20 @@ schannel_recv(struct connectdata *conn, int sockindex, return *err ? -1 : 0; } -static CURLcode Curl_schannel_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode schannel_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return schannel_connect_common(conn, sockindex, TRUE, done); + return schannel_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode Curl_schannel_connect(struct connectdata *conn, int sockindex) +static CURLcode schannel_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result; bool done = FALSE; - result = schannel_connect_common(conn, sockindex, FALSE, &done); + result = schannel_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -2084,8 +2087,8 @@ static CURLcode Curl_schannel_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static bool Curl_schannel_data_pending(const struct connectdata *conn, - int sockindex) +static bool schannel_data_pending(const struct connectdata *conn, + int sockindex) { const struct ssl_connect_data *connssl = &conn->ssl[sockindex]; @@ -2096,14 +2099,15 @@ static bool Curl_schannel_data_pending(const struct connectdata *conn, return FALSE; } -static void Curl_schannel_close(struct connectdata *conn, int sockindex) +static void schannel_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { if(conn->ssl[sockindex].use) /* if the SSL/TLS channel hasn't been shut down yet, do that now. */ - Curl_ssl_shutdown(conn, sockindex); + Curl_ssl_shutdown(data, conn, sockindex); } -static void Curl_schannel_session_free(void *ptr) +static void schannel_session_free(void *ptr) { /* this is expected to be called under sessionid lock */ struct Curl_schannel_cred *cred = ptr; @@ -2115,12 +2119,12 @@ static void Curl_schannel_session_free(void *ptr) } } -static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) +static int schannel_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { /* See https://msdn.microsoft.com/en-us/library/windows/desktop/aa380138.aspx * Shutting Down an Schannel Connection */ - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; #ifndef CURL_DISABLE_PROXY char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : @@ -2183,7 +2187,7 @@ static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) if((sspi_status == SEC_E_OK) || (sspi_status == SEC_I_CONTEXT_EXPIRED)) { /* send close message which is in output buffer */ ssize_t written; - result = Curl_write_plain(conn, conn->sock[sockindex], outbuf.pvBuffer, + result = Curl_write_plain(data, conn->sock[sockindex], outbuf.pvBuffer, outbuf.cbBuffer, &written); s_pSecFn->FreeContextBuffer(outbuf.pvBuffer); @@ -2203,14 +2207,9 @@ static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) /* free SSPI Schannel API credential handle */ if(BACKEND->cred) { - /* - * When this function is called from Curl_schannel_close() the connection - * might not have an associated transfer so the check for conn->data is - * necessary. - */ - Curl_ssl_sessionid_lock(conn); - Curl_schannel_session_free(BACKEND->cred); - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_lock(data); + schannel_session_free(BACKEND->cred); + Curl_ssl_sessionid_unlock(data); BACKEND->cred = NULL; } @@ -2232,25 +2231,25 @@ static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) return CURLE_OK; } -static int Curl_schannel_init(void) +static int schannel_init(void) { return (Curl_sspi_global_init() == CURLE_OK ? 1 : 0); } -static void Curl_schannel_cleanup(void) +static void schannel_cleanup(void) { Curl_sspi_global_cleanup(); } -static size_t Curl_schannel_version(char *buffer, size_t size) +static size_t schannel_version(char *buffer, size_t size) { size = msnprintf(buffer, size, "Schannel"); return size; } -static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM, - unsigned char *entropy, size_t length) +static CURLcode schannel_random(struct Curl_easy *data UNUSED_PARAM, + unsigned char *entropy, size_t length) { HCRYPTPROV hCryptProv = 0; @@ -2269,10 +2268,10 @@ static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM, return CURLE_OK; } -static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, +static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, + struct connectdata *conn, int sockindex, const char *pinnedpubkey) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CERT_CONTEXT *pCertContextServer = NULL; @@ -2334,12 +2333,12 @@ static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, return result; } -static void Curl_schannel_checksum(const unsigned char *input, - size_t inputlen, - unsigned char *checksum, - size_t checksumlen, - DWORD provType, - const unsigned int algId) +static void schannel_checksum(const unsigned char *input, + size_t inputlen, + unsigned char *checksum, + size_t checksumlen, + DWORD provType, + const unsigned int algId) { HCRYPTPROV hProv = 0; HCRYPTHASH hHash = 0; @@ -2384,28 +2383,18 @@ static void Curl_schannel_checksum(const unsigned char *input, CryptReleaseContext(hProv, 0); } -static CURLcode Curl_schannel_md5sum(unsigned char *input, - size_t inputlen, - unsigned char *md5sum, - size_t md5len) -{ - Curl_schannel_checksum(input, inputlen, md5sum, md5len, - PROV_RSA_FULL, CALG_MD5); - return CURLE_OK; -} - -static CURLcode Curl_schannel_sha256sum(const unsigned char *input, - size_t inputlen, - unsigned char *sha256sum, - size_t sha256len) +static CURLcode schannel_sha256sum(const unsigned char *input, + size_t inputlen, + unsigned char *sha256sum, + size_t sha256len) { - Curl_schannel_checksum(input, inputlen, sha256sum, sha256len, - PROV_RSA_AES, CALG_SHA_256); + schannel_checksum(input, inputlen, sha256sum, sha256len, + PROV_RSA_AES, CALG_SHA_256); return CURLE_OK; } -static void *Curl_schannel_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +static void *schannel_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { (void)info; return &BACKEND->ctxt->ctxt_handle; @@ -2419,26 +2408,25 @@ const struct Curl_ssl Curl_ssl_schannel = { sizeof(struct ssl_backend_data), - Curl_schannel_init, /* init */ - Curl_schannel_cleanup, /* cleanup */ - Curl_schannel_version, /* version */ + schannel_init, /* init */ + schannel_cleanup, /* cleanup */ + schannel_version, /* version */ Curl_none_check_cxn, /* check_cxn */ - Curl_schannel_shutdown, /* shutdown */ - Curl_schannel_data_pending, /* data_pending */ - Curl_schannel_random, /* random */ + schannel_shutdown, /* shutdown */ + schannel_data_pending, /* data_pending */ + schannel_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_schannel_connect, /* connect */ - Curl_schannel_connect_nonblocking, /* connect_nonblocking */ - Curl_schannel_get_internals, /* get_internals */ - Curl_schannel_close, /* close_one */ + schannel_connect, /* connect */ + schannel_connect_nonblocking, /* connect_nonblocking */ + schannel_get_internals, /* get_internals */ + schannel_close, /* close_one */ Curl_none_close_all, /* close_all */ - Curl_schannel_session_free, /* session_free */ + schannel_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ Curl_none_false_start, /* false_start */ - Curl_schannel_md5sum, /* md5sum */ - Curl_schannel_sha256sum /* sha256sum */ + schannel_sha256sum /* sha256sum */ }; #endif /* USE_SCHANNEL */ diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h index 085b3f4..2952caa 100644 --- a/lib/vtls/schannel.h +++ b/lib/vtls/schannel.h @@ -8,7 +8,7 @@ * \___|\___/|_| \_\_____| * * Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al. - * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -53,7 +53,8 @@ extern const struct Curl_ssl Curl_ssl_schannel; -CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex); +CURLcode Curl_verify_certificate(struct Curl_easy *data, + struct connectdata *conn, int sockindex); /* structs to expose only in schannel.c and schannel_verify.c */ #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS diff --git a/lib/vtls/schannel_verify.c b/lib/vtls/schannel_verify.c index 31b3b2f..2ef39cc 100644 --- a/lib/vtls/schannel_verify.c +++ b/lib/vtls/schannel_verify.c @@ -7,7 +7,7 @@ * * Copyright (C) 2012 - 2016, Marc Hoersken, <info@marc-hoersken.de> * Copyright (C) 2012, Mark Salisbury, <mark.salisbury@hp.com> - * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -79,10 +79,9 @@ static int is_cr_or_lf(char c) static CURLcode add_certs_to_store(HCERTSTORE trust_store, const char *ca_file, - struct connectdata *conn) + struct Curl_easy *data) { CURLcode result; - struct Curl_easy *data = conn->data; HANDLE ca_file_handle = INVALID_HANDLE_VALUE; LARGE_INTEGER file_size; char *ca_file_buffer = NULL; @@ -477,7 +476,7 @@ static CURLcode verify_host(struct Curl_easy *data, * (or some equivalent) encoding */ cert_hostname = curlx_convert_tchar_to_UTF8( - &cert_hostname_buff[cert_hostname_buff_index]); + &cert_hostname_buff[cert_hostname_buff_index]); if(!cert_hostname) { result = CURLE_OUT_OF_MEMORY; } @@ -500,8 +499,8 @@ static CURLcode verify_host(struct Curl_easy *data, "against certificate name (%s)\n", conn_hostname, cert_hostname); - cert_hostname_len = _tcslen( - &cert_hostname_buff[cert_hostname_buff_index]); + cert_hostname_len = + _tcslen(&cert_hostname_buff[cert_hostname_buff_index]); /* Move on to next cert name */ cert_hostname_buff_index += cert_hostname_len + 1; @@ -522,15 +521,15 @@ static CURLcode verify_host(struct Curl_easy *data, failf(data, "schannel: server certificate name verification failed"); cleanup: - curlx_unicodefree(cert_hostname_buff); + Curl_safefree(cert_hostname_buff); return result; } -CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) +CURLcode Curl_verify_certificate(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { SECURITY_STATUS sspi_status; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CURLcode result = CURLE_OK; CERT_CONTEXT *pCertContextServer = NULL; @@ -584,7 +583,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) } else { result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile), - conn); + data); } } @@ -675,7 +674,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) if(result == CURLE_OK) { if(SSL_CONN_CONFIG(verifyhost)) { - result = verify_host(conn->data, pCertContextServer, conn_hostname); + result = verify_host(data, pCertContextServer, conn_hostname); } } diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c index 8ef60cb..9a8f7de 100644 --- a/lib/vtls/sectransp.c +++ b/lib/vtls/sectransp.c @@ -5,8 +5,8 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * + * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 2012 - 2017, Nick Zitzmann, <nickzman@gmail.com>. - * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -1291,9 +1291,9 @@ static CURLcode sectransp_version_from_curl(SSLProtocol *darwinver, #endif static CURLcode -set_ssl_version_min_max(struct connectdata *conn, int sockindex) +set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; long ssl_version = SSL_CONN_CONFIG(version); @@ -1387,10 +1387,10 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) } -static CURLcode sectransp_connect_step1(struct connectdata *conn, +static CURLcode sectransp_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -1478,7 +1478,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(conn, sockindex); + CURLcode result = set_ssl_version_min_max(data, conn, sockindex); if(result != CURLE_OK) return result; break; @@ -1527,7 +1527,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(conn, sockindex); + CURLcode result = set_ssl_version_min_max(data, conn, sockindex); if(result != CURLE_OK) return result; break; @@ -1952,12 +1952,12 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, char *ssl_sessionid; size_t ssl_sessionid_len; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid, &ssl_sessionid_len, sockindex)) { /* we got a session id, use it! */ err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); if(err != noErr) { failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR; @@ -1976,14 +1976,14 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); if(err != noErr) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR; } - result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, - sockindex); - Curl_ssl_sessionid_unlock(conn); + result = Curl_ssl_addsessionid(data, conn, ssl_sessionid, + ssl_sessionid_len, sockindex); + Curl_ssl_sessionid_unlock(data); if(result) { failf(data, "failed to store ssl session"); return result; @@ -2379,9 +2379,9 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, #endif /* SECTRANSP_PINNEDPUBKEY */ static CURLcode -sectransp_connect_step2(struct connectdata *conn, int sockindex) +sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; OSStatus err; @@ -2418,7 +2418,7 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex) return result; } /* the documentation says we need to call SSLHandshake() again */ - return sectransp_connect_step2(conn, sockindex); + return sectransp_connect_step2(data, conn, sockindex); /* Problem with encrypt / decrypt */ case errSSLPeerDecodeError: @@ -2693,7 +2693,7 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex) else infof(data, "ALPN, server did not agree to a protocol\n"); - Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); /* chosenProtocol is a reference to the string within alpnArr @@ -2711,10 +2711,10 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex) #ifndef CURL_DISABLE_VERBOSE_STRINGS /* This should be called during step3 of the connection at the earliest */ static void -show_verbose_server_cert(struct connectdata *conn, +show_verbose_server_cert(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; CFArrayRef server_certs = NULL; @@ -2817,10 +2817,9 @@ show_verbose_server_cert(struct connectdata *conn, #endif /* !CURL_DISABLE_VERBOSE_STRINGS */ static CURLcode -sectransp_connect_step3(struct connectdata *conn, +sectransp_connect_step3(struct Curl_easy *data, struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; /* There is no step 3! @@ -2828,7 +2827,7 @@ sectransp_connect_step3(struct connectdata *conn, * server certificates. */ #ifndef CURL_DISABLE_VERBOSE_STRINGS if(data->set.verbose) - show_verbose_server_cert(conn, sockindex); + show_verbose_server_cert(data, conn, sockindex); #endif connssl->connecting_state = ssl_connect_done; @@ -2839,13 +2838,13 @@ static Curl_recv sectransp_recv; static Curl_send sectransp_send; static CURLcode -sectransp_connect_common(struct connectdata *conn, +sectransp_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; int what; @@ -2866,7 +2865,7 @@ sectransp_connect_common(struct connectdata *conn, return CURLE_OPERATION_TIMEDOUT; } - result = sectransp_connect_step1(conn, sockindex); + result = sectransp_connect_step1(data, conn, sockindex); if(result) return result; } @@ -2920,7 +2919,7 @@ sectransp_connect_common(struct connectdata *conn, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - result = sectransp_connect_step2(conn, sockindex); + result = sectransp_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -2931,7 +2930,7 @@ sectransp_connect_common(struct connectdata *conn, if(ssl_connect_3 == connssl->connecting_state) { - result = sectransp_connect_step3(conn, sockindex); + result = sectransp_connect_step3(data, conn, sockindex); if(result) return result; } @@ -2951,18 +2950,20 @@ sectransp_connect_common(struct connectdata *conn, return CURLE_OK; } -static CURLcode Curl_sectransp_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode sectransp_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return sectransp_connect_common(conn, sockindex, TRUE, done); + return sectransp_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode Curl_sectransp_connect(struct connectdata *conn, int sockindex) +static CURLcode sectransp_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result; bool done = FALSE; - result = sectransp_connect_common(conn, sockindex, FALSE, &done); + result = sectransp_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -2972,11 +2973,14 @@ static CURLcode Curl_sectransp_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static void Curl_sectransp_close(struct connectdata *conn, int sockindex) +static void sectransp_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; + (void) data; + if(backend->ssl_ctx) { (void)SSLClose(backend->ssl_ctx); #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS @@ -2994,11 +2998,11 @@ static void Curl_sectransp_close(struct connectdata *conn, int sockindex) backend->ssl_sockfd = 0; } -static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex) +static int sectransp_shutdown(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; - struct Curl_easy *data = conn->data; ssize_t nread; int what; int rc; @@ -3012,7 +3016,7 @@ static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex) return 0; #endif - Curl_sectransp_close(conn, sockindex); + sectransp_close(data, conn, sockindex); rc = 0; @@ -3050,7 +3054,7 @@ static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex) return rc; } -static void Curl_sectransp_session_free(void *ptr) +static void sectransp_session_free(void *ptr) { /* ST, as of iOS 5 and Mountain Lion, has no public method of deleting a cached session ID inside the Security framework. There is a private @@ -3061,7 +3065,7 @@ static void Curl_sectransp_session_free(void *ptr) Curl_safefree(ptr); } -static size_t Curl_sectransp_version(char *buffer, size_t size) +static size_t sectransp_version(char *buffer, size_t size) { return msnprintf(buffer, size, "SecureTransport"); } @@ -3074,7 +3078,7 @@ static size_t Curl_sectransp_version(char *buffer, size_t size) * 0 means the connection has been closed * -1 means the connection status is unknown */ -static int Curl_sectransp_check_cxn(struct connectdata *conn) +static int sectransp_check_cxn(struct connectdata *conn) { struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET]; struct ssl_backend_data *backend = connssl->backend; @@ -3090,8 +3094,8 @@ static int Curl_sectransp_check_cxn(struct connectdata *conn) return 0; } -static bool Curl_sectransp_data_pending(const struct connectdata *conn, - int connindex) +static bool sectransp_data_pending(const struct connectdata *conn, + int connindex) { const struct ssl_connect_data *connssl = &conn->ssl[connindex]; struct ssl_backend_data *backend = connssl->backend; @@ -3108,8 +3112,8 @@ static bool Curl_sectransp_data_pending(const struct connectdata *conn, return false; } -static CURLcode Curl_sectransp_random(struct Curl_easy *data UNUSED_PARAM, - unsigned char *entropy, size_t length) +static CURLcode sectransp_random(struct Curl_easy *data UNUSED_PARAM, + unsigned char *entropy, size_t length) { /* arc4random_buf() isn't available on cats older than Lion, so let's do this manually for the benefit of the older cats. */ @@ -3128,27 +3132,17 @@ static CURLcode Curl_sectransp_random(struct Curl_easy *data UNUSED_PARAM, return CURLE_OK; } -static CURLcode Curl_sectransp_md5sum(unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *md5sum, /* output */ - size_t md5len) -{ - (void)md5len; - (void)CC_MD5(tmp, (CC_LONG)tmplen, md5sum); - return CURLE_OK; -} - -static CURLcode Curl_sectransp_sha256sum(const unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *sha256sum, /* output */ - size_t sha256len) +static CURLcode sectransp_sha256sum(const unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *sha256sum, /* output */ + size_t sha256len) { assert(sha256len >= CURL_SHA256_DIGEST_LENGTH); (void)CC_SHA256(tmp, (CC_LONG)tmplen, sha256sum); return CURLE_OK; } -static bool Curl_sectransp_false_start(void) +static bool sectransp_false_start(void) { #if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 if(SSLSetSessionOption != NULL) @@ -3157,13 +3151,13 @@ static bool Curl_sectransp_false_start(void) return FALSE; } -static ssize_t sectransp_send(struct connectdata *conn, +static ssize_t sectransp_send(struct Curl_easy *data, int sockindex, const void *mem, size_t len, CURLcode *curlcode) { - /*struct Curl_easy *data = conn->data;*/ + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; size_t processed = 0UL; @@ -3198,7 +3192,7 @@ static ssize_t sectransp_send(struct connectdata *conn, *curlcode = CURLE_AGAIN; return -1L; default: - failf(conn->data, "SSLWrite() returned error %d", err); + failf(data, "SSLWrite() returned error %d", err); *curlcode = CURLE_SEND_ERROR; return -1L; } @@ -3215,7 +3209,7 @@ static ssize_t sectransp_send(struct connectdata *conn, *curlcode = CURLE_AGAIN; return -1L; default: - failf(conn->data, "SSLWrite() returned error %d", err); + failf(data, "SSLWrite() returned error %d", err); *curlcode = CURLE_SEND_ERROR; return -1L; } @@ -3224,13 +3218,13 @@ static ssize_t sectransp_send(struct connectdata *conn, return (ssize_t)processed; } -static ssize_t sectransp_recv(struct connectdata *conn, +static ssize_t sectransp_recv(struct Curl_easy *data, int num, char *buf, size_t buffersize, CURLcode *curlcode) { - /*struct Curl_easy *data = conn->data;*/ + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[num]; struct ssl_backend_data *backend = connssl->backend; size_t processed = 0UL; @@ -3262,14 +3256,14 @@ static ssize_t sectransp_recv(struct connectdata *conn, Leopard's headers */ case -9841: if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) { - CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), conn->data, + CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), data, backend->ssl_ctx); if(result) return result; } goto again; default: - failf(conn->data, "SSLRead() return error %d", err); + failf(data, "SSLRead() return error %d", err); *curlcode = CURLE_RECV_ERROR; return -1L; break; @@ -3278,8 +3272,8 @@ static ssize_t sectransp_recv(struct connectdata *conn, return (ssize_t)processed; } -static void *Curl_sectransp_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +static void *sectransp_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { struct ssl_backend_data *backend = connssl->backend; (void)info; @@ -3299,24 +3293,23 @@ const struct Curl_ssl Curl_ssl_sectransp = { Curl_none_init, /* init */ Curl_none_cleanup, /* cleanup */ - Curl_sectransp_version, /* version */ - Curl_sectransp_check_cxn, /* check_cxn */ - Curl_sectransp_shutdown, /* shutdown */ - Curl_sectransp_data_pending, /* data_pending */ - Curl_sectransp_random, /* random */ + sectransp_version, /* version */ + sectransp_check_cxn, /* check_cxn */ + sectransp_shutdown, /* shutdown */ + sectransp_data_pending, /* data_pending */ + sectransp_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_sectransp_connect, /* connect */ - Curl_sectransp_connect_nonblocking, /* connect_nonblocking */ - Curl_sectransp_get_internals, /* get_internals */ - Curl_sectransp_close, /* close_one */ + sectransp_connect, /* connect */ + sectransp_connect_nonblocking, /* connect_nonblocking */ + sectransp_get_internals, /* get_internals */ + sectransp_close, /* close_one */ Curl_none_close_all, /* close_all */ - Curl_sectransp_session_free, /* session_free */ + sectransp_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ - Curl_sectransp_false_start, /* false_start */ - Curl_sectransp_md5sum, /* md5sum */ - Curl_sectransp_sha256sum /* sha256sum */ + sectransp_false_start, /* false_start */ + sectransp_sha256sum /* sha256sum */ }; #ifdef __clang__ diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index 3bd51fd..b8ab749 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -75,17 +75,21 @@ (1<<CURL_LOCK_DATA_SSL_SESSION))) #define CLONE_STRING(var) \ - if(source->var) { \ - dest->var = strdup(source->var); \ - if(!dest->var) \ - return FALSE; \ - } \ - else \ - dest->var = NULL; - -#define CLONE_BLOB(var) \ - if(blobdup(&dest->var, source->var)) \ - return FALSE; + do { \ + if(source->var) { \ + dest->var = strdup(source->var); \ + if(!dest->var) \ + return FALSE; \ + } \ + else \ + dest->var = NULL; \ + } while(0) + +#define CLONE_BLOB(var) \ + do { \ + if(blobdup(&dest->var, source->var)) \ + return FALSE; \ + } while(0) static CURLcode blobdup(struct curl_blob **dest, struct curl_blob *src) @@ -185,13 +189,13 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc) } #ifdef USE_SSL -static int multissl_init(const struct Curl_ssl *backend); +static int multissl_setup(const struct Curl_ssl *backend); #endif int Curl_ssl_backend(void) { #ifdef USE_SSL - multissl_init(NULL); + multissl_setup(NULL); return Curl_ssl->info.id; #else return (int)CURLSSLBACKEND_NONE; @@ -287,7 +291,8 @@ ssl_connect_init_proxy(struct connectdata *conn, int sockindex) #endif CURLcode -Curl_ssl_connect(struct connectdata *conn, int sockindex) +Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result; @@ -299,26 +304,27 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex) } #endif - if(!ssl_prefs_check(conn->data)) + if(!ssl_prefs_check(data)) return CURLE_SSL_CONNECT_ERROR; /* mark this is being ssl-enabled from here on. */ conn->ssl[sockindex].use = TRUE; conn->ssl[sockindex].state = ssl_connection_negotiating; - result = Curl_ssl->connect_blocking(conn, sockindex); + result = Curl_ssl->connect_blocking(data, conn, sockindex); if(!result) - Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ + Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ return result; } CURLcode -Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, - bool *done) +Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, + int sockindex, bool *done) { CURLcode result; + #ifndef CURL_DISABLE_PROXY if(conn->bits.proxy_ssl_connected[sockindex]) { result = ssl_connect_init_proxy(conn, sockindex); @@ -326,47 +332,46 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, return result; } #endif - if(!ssl_prefs_check(conn->data)) + if(!ssl_prefs_check(data)) return CURLE_SSL_CONNECT_ERROR; /* mark this is being ssl requested from here on. */ conn->ssl[sockindex].use = TRUE; - result = Curl_ssl->connect_nonblocking(conn, sockindex, done); + result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done); if(!result && *done) - Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ + Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ return result; } /* * Lock shared SSL session data */ -void Curl_ssl_sessionid_lock(struct connectdata *conn) +void Curl_ssl_sessionid_lock(struct Curl_easy *data) { - if(SSLSESSION_SHARED(conn->data)) - Curl_share_lock(conn->data, - CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); + if(SSLSESSION_SHARED(data)) + Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); } /* * Unlock shared SSL session data */ -void Curl_ssl_sessionid_unlock(struct connectdata *conn) +void Curl_ssl_sessionid_unlock(struct Curl_easy *data) { - if(SSLSESSION_SHARED(conn->data)) - Curl_share_unlock(conn->data, CURL_LOCK_DATA_SSL_SESSION); + if(SSLSESSION_SHARED(data)) + Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); } /* * Check if there's a session ID for the given connection in the cache, and if * there's one suitable, it is provided. Returns TRUE when no entry matched. */ -bool Curl_ssl_getsessionid(struct connectdata *conn, +bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex) { struct Curl_ssl_session *check; - struct Curl_easy *data = conn->data; size_t i; long *general_age; bool no_match = TRUE; @@ -453,10 +458,9 @@ void Curl_ssl_kill_session(struct Curl_ssl_session *session) /* * Delete the given session ID from the cache. */ -void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) +void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid) { size_t i; - struct Curl_easy *data = conn->data; for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) { struct Curl_ssl_session *check = &data->state.session[i]; @@ -474,13 +478,13 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) * layer. Curl_XXXX_session_free() will be called to free/kill the session ID * later on. */ -CURLcode Curl_ssl_addsessionid(struct connectdata *conn, +CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, void *ssl_sessionid, size_t idsize, int sockindex) { size_t i; - struct Curl_easy *data = conn->data; /* the mother of all structs */ struct Curl_ssl_session *store = &data->state.session[0]; long oldest_age = data->state.session[0].age; /* zero if unused */ char *clone_host; @@ -620,16 +624,18 @@ int Curl_ssl_getsock(struct connectdata *conn, /* USE_OPENSSL || USE_GNUTLS || USE_SCHANNEL || USE_SECTRANSP || USE_NSS */ #endif -void Curl_ssl_close(struct connectdata *conn, int sockindex) +void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { DEBUGASSERT((sockindex <= 1) && (sockindex >= -1)); - Curl_ssl->close_one(conn, sockindex); + Curl_ssl->close_one(data, conn, sockindex); conn->ssl[sockindex].state = ssl_connection_none; } -CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) +CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - if(Curl_ssl->shut_down(conn, sockindex)) + if(Curl_ssl->shut_down(data, conn, sockindex)) return CURLE_SSL_SHUTDOWN_FAILED; conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */ @@ -684,12 +690,12 @@ CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount) return CURLE_OK; } -static size_t Curl_multissl_version(char *buffer, size_t size); +static size_t multissl_version(char *buffer, size_t size); size_t Curl_ssl_version(char *buffer, size_t size) { #ifdef CURL_WITH_MULTI_SSL - return Curl_multissl_version(buffer, size); + return multissl_version(buffer, size); #else return Curl_ssl->version(buffer, size); #endif @@ -1030,16 +1036,6 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, return result; } -#ifndef CURL_DISABLE_CRYPTO_AUTH -CURLcode Curl_ssl_md5sum(unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *md5sum, /* output */ - size_t md5len) -{ - return Curl_ssl->md5sum(tmp, tmplen, md5sum, md5len); -} -#endif - /* * Check whether the SSL backend supports the status_request extension. */ @@ -1076,9 +1072,11 @@ int Curl_none_init(void) void Curl_none_cleanup(void) { } -int Curl_none_shutdown(struct connectdata *conn UNUSED_PARAM, +int Curl_none_shutdown(struct Curl_easy *data UNUSED_PARAM, + struct connectdata *conn UNUSED_PARAM, int sockindex UNUSED_PARAM) { + (void)data; (void)conn; (void)sockindex; return 0; @@ -1148,70 +1146,44 @@ bool Curl_none_false_start(void) return FALSE; } -#ifndef CURL_DISABLE_CRYPTO_AUTH -CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen, - unsigned char *md5sum, size_t md5len UNUSED_PARAM) +static int multissl_init(void) { - struct MD5_context *MD5pw; - - (void)md5len; - - MD5pw = Curl_MD5_init(Curl_DIGEST_MD5); - if(!MD5pw) - return CURLE_OUT_OF_MEMORY; - Curl_MD5_update(MD5pw, input, curlx_uztoui(inputlen)); - Curl_MD5_final(MD5pw, md5sum); - return CURLE_OK; -} -#else -CURLcode Curl_none_md5sum(unsigned char *input UNUSED_PARAM, - size_t inputlen UNUSED_PARAM, - unsigned char *md5sum UNUSED_PARAM, - size_t md5len UNUSED_PARAM) -{ - (void)input; - (void)inputlen; - (void)md5sum; - (void)md5len; - return CURLE_NOT_BUILT_IN; -} -#endif - -static int Curl_multissl_init(void) -{ - if(multissl_init(NULL)) + if(multissl_setup(NULL)) return 1; return Curl_ssl->init(); } -static CURLcode Curl_multissl_connect(struct connectdata *conn, int sockindex) +static CURLcode multissl_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - if(multissl_init(NULL)) + if(multissl_setup(NULL)) return CURLE_FAILED_INIT; - return Curl_ssl->connect_blocking(conn, sockindex); + return Curl_ssl->connect_blocking(data, conn, sockindex); } -static CURLcode Curl_multissl_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode multissl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - if(multissl_init(NULL)) + if(multissl_setup(NULL)) return CURLE_FAILED_INIT; - return Curl_ssl->connect_nonblocking(conn, sockindex, done); + return Curl_ssl->connect_nonblocking(data, conn, sockindex, done); } -static void *Curl_multissl_get_internals(struct ssl_connect_data *connssl, - CURLINFO info) +static void *multissl_get_internals(struct ssl_connect_data *connssl, + CURLINFO info) { - if(multissl_init(NULL)) + if(multissl_setup(NULL)) return NULL; return Curl_ssl->get_internals(connssl, info); } -static void Curl_multissl_close(struct connectdata *conn, int sockindex) +static void multissl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - if(multissl_init(NULL)) + if(multissl_setup(NULL)) return; - Curl_ssl->close_one(conn, sockindex); + Curl_ssl->close_one(data, conn, sockindex); } static const struct Curl_ssl Curl_ssl_multi = { @@ -1219,25 +1191,24 @@ static const struct Curl_ssl Curl_ssl_multi = { 0, /* supports nothing */ (size_t)-1, /* something insanely large to be on the safe side */ - Curl_multissl_init, /* init */ + multissl_init, /* init */ Curl_none_cleanup, /* cleanup */ - Curl_multissl_version, /* version */ + multissl_version, /* version */ Curl_none_check_cxn, /* check_cxn */ Curl_none_shutdown, /* shutdown */ Curl_none_data_pending, /* data_pending */ Curl_none_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_multissl_connect, /* connect */ - Curl_multissl_connect_nonblocking, /* connect_nonblocking */ - Curl_multissl_get_internals, /* get_internals */ - Curl_multissl_close, /* close_one */ + multissl_connect, /* connect */ + multissl_connect_nonblocking, /* connect_nonblocking */ + multissl_get_internals, /* get_internals */ + multissl_close, /* close_one */ Curl_none_close_all, /* close_all */ Curl_none_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ Curl_none_false_start, /* false_start */ - Curl_none_md5sum, /* md5sum */ NULL /* sha256sum */ }; @@ -1302,7 +1273,7 @@ static const struct Curl_ssl *available_backends[] = { NULL }; -static size_t Curl_multissl_version(char *buffer, size_t size) +static size_t multissl_version(char *buffer, size_t size) { static const struct Curl_ssl *selected; static char backends[200]; @@ -1346,7 +1317,7 @@ static size_t Curl_multissl_version(char *buffer, size_t size) return backends_len; } -static int multissl_init(const struct Curl_ssl *backend) +static int multissl_setup(const struct Curl_ssl *backend) { const char *env; char *env_tmp; @@ -1405,7 +1376,7 @@ CURLsslset curl_global_sslset(curl_sslbackend id, const char *name, for(i = 0; available_backends[i]; i++) { if(available_backends[i]->info.id == id || (name && strcasecompare(available_backends[i]->info.name, name))) { - multissl_init(available_backends[i]); + multissl_setup(available_backends[i]); return CURLSSLSET_OK; } } diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index f4cab99..9666682 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -47,7 +47,8 @@ struct Curl_ssl { size_t (*version)(char *buffer, size_t size); int (*check_cxn)(struct connectdata *cxn); - int (*shut_down)(struct connectdata *conn, int sockindex); + int (*shut_down)(struct Curl_easy *data, struct connectdata *conn, + int sockindex); bool (*data_pending)(const struct connectdata *conn, int connindex); @@ -56,11 +57,14 @@ struct Curl_ssl { size_t length); bool (*cert_status_request)(void); - CURLcode (*connect_blocking)(struct connectdata *conn, int sockindex); - CURLcode (*connect_nonblocking)(struct connectdata *conn, int sockindex, + CURLcode (*connect_blocking)(struct Curl_easy *data, + struct connectdata *conn, int sockindex); + CURLcode (*connect_nonblocking)(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done); void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info); - void (*close_one)(struct connectdata *conn, int sockindex); + void (*close_one)(struct Curl_easy *data, struct connectdata *conn, + int sockindex); void (*close_all)(struct Curl_easy *data); void (*session_free)(void *ptr); @@ -69,9 +73,6 @@ struct Curl_ssl { struct curl_slist *(*engines_list)(struct Curl_easy *data); bool (*false_start)(void); - - CURLcode (*md5sum)(unsigned char *input, size_t inputlen, - unsigned char *md5sum, size_t md5sumlen); CURLcode (*sha256sum)(const unsigned char *input, size_t inputlen, unsigned char *sha256sum, size_t sha256sumlen); }; @@ -82,7 +83,8 @@ extern const struct Curl_ssl *Curl_ssl; int Curl_none_init(void); void Curl_none_cleanup(void); -int Curl_none_shutdown(struct connectdata *conn, int sockindex); +int Curl_none_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex); int Curl_none_check_cxn(struct connectdata *conn); CURLcode Curl_none_random(struct Curl_easy *data, unsigned char *entropy, size_t length); @@ -95,8 +97,6 @@ CURLcode Curl_none_set_engine_default(struct Curl_easy *data); struct curl_slist *Curl_none_engines_list(struct Curl_easy *data); bool Curl_none_false_start(void); bool Curl_ssl_tls13_ciphersuites(void); -CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen, - unsigned char *md5sum, size_t md5len); #include "openssl.h" /* OpenSSL versions */ #include "gtls.h" /* GnuTLS versions */ @@ -165,15 +165,19 @@ int Curl_ssl_backend(void); #ifdef USE_SSL int Curl_ssl_init(void); void Curl_ssl_cleanup(void); -CURLcode Curl_ssl_connect(struct connectdata *conn, int sockindex); -CURLcode Curl_ssl_connect_nonblocking(struct connectdata *conn, +CURLcode Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex); +CURLcode Curl_ssl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done); /* tell the SSL stuff to close down all open information regarding connections (and thus session ID caching etc) */ void Curl_ssl_close_all(struct Curl_easy *data); -void Curl_ssl_close(struct connectdata *conn, int sockindex); -CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex); +void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex); +CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex); CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine); /* Sets engine as default for all SSL operations */ CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data); @@ -205,10 +209,10 @@ CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum, * The purpose of explicitly locking SSL session cache data is to allow * individual SSL engines to manage session lifetime in their specific way. */ -void Curl_ssl_sessionid_lock(struct connectdata *conn); +void Curl_ssl_sessionid_lock(struct Curl_easy *data); /* Unlock session cache mutex */ -void Curl_ssl_sessionid_unlock(struct connectdata *conn); +void Curl_ssl_sessionid_unlock(struct Curl_easy *data); /* extract a session ID * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). @@ -216,7 +220,8 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); * is properly taken (e.g. its refcount is incremented * under sessionid mutex). */ -bool Curl_ssl_getsessionid(struct connectdata *conn, +bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex); @@ -225,7 +230,8 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, * Caller must ensure that it has properly shared ownership of this sessionid * object with cache (e.g. incrementing refcount on success) */ -CURLcode Curl_ssl_addsessionid(struct connectdata *conn, +CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, void *ssl_sessionid, size_t idsize, int sockindex); @@ -242,15 +248,11 @@ void Curl_ssl_kill_session(struct Curl_ssl_session *session); * take sessionid object ownership from sessionid cache * (e.g. decrement refcount). */ -void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid); +void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid); /* get N random bytes into the buffer */ CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer, size_t length); -CURLcode Curl_ssl_md5sum(unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *md5sum, /* output */ - size_t md5len); /* Check pinned public key. */ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, const char *pinnedpubkey, @@ -267,10 +269,10 @@ bool Curl_ssl_false_start(void); /* When SSL support is not present, just define away these function calls */ #define Curl_ssl_init() 1 #define Curl_ssl_cleanup() Curl_nop_stmt -#define Curl_ssl_connect(x,y) CURLE_NOT_BUILT_IN +#define Curl_ssl_connect(x,y,z) CURLE_NOT_BUILT_IN #define Curl_ssl_close_all(x) Curl_nop_stmt -#define Curl_ssl_close(x,y) Curl_nop_stmt -#define Curl_ssl_shutdown(x,y) CURLE_NOT_BUILT_IN +#define Curl_ssl_close(x,y,z) Curl_nop_stmt +#define Curl_ssl_shutdown(x,y,z) CURLE_NOT_BUILT_IN #define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN #define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN #define Curl_ssl_engines_list(x) NULL @@ -280,7 +282,7 @@ bool Curl_ssl_false_start(void); #define Curl_ssl_data_pending(x,y) 0 #define Curl_ssl_check_cxn(x) 0 #define Curl_ssl_free_certinfo(x) Curl_nop_stmt -#define Curl_ssl_connect_nonblocking(x,y,z) CURLE_NOT_BUILT_IN +#define Curl_ssl_connect_nonblocking(x,y,z,w) CURLE_NOT_BUILT_IN #define Curl_ssl_kill_session(x) Curl_nop_stmt #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN) #define Curl_ssl_cert_status_request() FALSE diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index 44ee2d9..e1fa459 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -217,11 +217,10 @@ static int do_file_type(const char *type) * layer and do all necessary magic. */ static CURLcode -wolfssl_connect_step1(struct connectdata *conn, +wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, int sockindex) { char *ciphers; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; SSL_METHOD* req_method = NULL; @@ -256,7 +255,7 @@ wolfssl_connect_step1(struct connectdata *conn, use_sni(TRUE); break; case CURL_SSLVERSION_TLSv1_0: -#ifdef WOLFSSL_ALLOW_TLSV10 +#if defined(WOLFSSL_ALLOW_TLSV10) && !defined(NO_OLD_TLS) req_method = TLSv1_client_method(); use_sni(TRUE); #else @@ -265,8 +264,13 @@ wolfssl_connect_step1(struct connectdata *conn, #endif break; case CURL_SSLVERSION_TLSv1_1: +#ifndef NO_OLD_TLS req_method = TLSv1_1_client_method(); use_sni(TRUE); +#else + failf(data, "wolfSSL does not support TLS 1.1"); + return CURLE_NOT_BUILT_IN; +#endif break; case CURL_SSLVERSION_TLSv1_2: req_method = TLSv1_2_client_method(); @@ -500,16 +504,23 @@ wolfssl_connect_step1(struct connectdata *conn, } #endif /* OPENSSL_EXTRA */ +#ifdef HAVE_SECURE_RENEGOTIATION + if(wolfSSL_UseSecureRenegotiation(backend->handle) != SSL_SUCCESS) { + failf(data, "SSL: failed setting secure renegotiation"); + return CURLE_SSL_CONNECT_ERROR; + } +#endif /* HAVE_SECURE_RENEGOTIATION */ + /* Check if there's a cached ID we can/should use here! */ if(SSL_SET_OPTION(primary.sessionid)) { void *ssl_sessionid = NULL; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { char error_buffer[WOLFSSL_MAX_ERROR_SZ]; - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "SSL: SSL_set_session failed: %s", ERR_error_string(SSL_get_error(backend->handle, 0), error_buffer)); @@ -518,7 +529,7 @@ wolfssl_connect_step1(struct connectdata *conn, /* Informational message */ infof(data, "SSL re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } /* pass the raw socket into the SSL layer */ @@ -533,11 +544,10 @@ wolfssl_connect_step1(struct connectdata *conn, static CURLcode -wolfssl_connect_step2(struct connectdata *conn, +wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, int sockindex) { int ret = -1; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; #ifndef CURL_DISABLE_PROXY @@ -608,7 +618,7 @@ wolfssl_connect_step2(struct connectdata *conn, * as also mismatching CN fields */ else if(DOMAIN_NAME_MISMATCH == detail) { #if 1 - failf(data, "\tsubject alt name(s) or common name do not match \"%s\"\n", + failf(data, "\tsubject alt name(s) or common name do not match \"%s\"", dispname); return CURLE_PEER_FAILED_VERIFICATION; #else @@ -635,7 +645,7 @@ wolfssl_connect_step2(struct connectdata *conn, #if LIBWOLFSSL_VERSION_HEX >= 0x02007000 /* 2.7.0 */ else if(ASN_NO_SIGNER_E == detail) { if(SSL_CONN_CONFIG(verifypeer)) { - failf(data, "\tCA signer not available for verification\n"); + failf(data, "\tCA signer not available for verification"); return CURLE_SSL_CACERT_BADFILE; } else { @@ -723,7 +733,7 @@ wolfssl_connect_step2(struct connectdata *conn, else infof(data, "ALPN, unrecognized protocol %.*s\n", protocol_len, protocol); - Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } else if(rc == SSL_ALPN_NOT_FOUND) @@ -749,11 +759,10 @@ wolfssl_connect_step2(struct connectdata *conn, static CURLcode -wolfssl_connect_step3(struct connectdata *conn, +wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, int sockindex) { CURLcode result = CURLE_OK; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -766,27 +775,27 @@ wolfssl_connect_step3(struct connectdata *conn, our_ssl_sessionid = SSL_get_session(backend->handle); - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + Curl_ssl_delsessionid(data, old_ssl_sessionid); incache = FALSE; } } if(!incache) { - result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, + result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); if(result) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "failed to store ssl session"); return result; } } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } connssl->connecting_state = ssl_connect_done; @@ -795,12 +804,13 @@ wolfssl_connect_step3(struct connectdata *conn, } -static ssize_t wolfssl_send(struct connectdata *conn, - int sockindex, - const void *mem, - size_t len, - CURLcode *curlcode) +static ssize_t wolfssl_send(struct Curl_easy *data, + int sockindex, + const void *mem, + size_t len, + CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; char error_buffer[WOLFSSL_MAX_ERROR_SZ]; @@ -817,7 +827,7 @@ static ssize_t wolfssl_send(struct connectdata *conn, *curlcode = CURLE_AGAIN; return -1; default: - failf(conn->data, "SSL write: %s, errno %d", + failf(data, "SSL write: %s, errno %d", ERR_error_string(err, error_buffer), SOCKERRNO); *curlcode = CURLE_SEND_ERROR; @@ -827,11 +837,14 @@ static ssize_t wolfssl_send(struct connectdata *conn, return rc; } -static void Curl_wolfssl_close(struct connectdata *conn, int sockindex) +static void wolfssl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; + (void) data; + if(backend->handle) { (void)SSL_shutdown(backend->handle); SSL_free(backend->handle); @@ -843,12 +856,13 @@ static void Curl_wolfssl_close(struct connectdata *conn, int sockindex) } } -static ssize_t wolfssl_recv(struct connectdata *conn, +static ssize_t wolfssl_recv(struct Curl_easy *data, int num, char *buf, size_t buffersize, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[num]; struct ssl_backend_data *backend = connssl->backend; char error_buffer[WOLFSSL_MAX_ERROR_SZ]; @@ -867,9 +881,8 @@ static ssize_t wolfssl_recv(struct connectdata *conn, *curlcode = CURLE_AGAIN; return -1; default: - failf(conn->data, "SSL read: %s, errno %d", - ERR_error_string(err, error_buffer), - SOCKERRNO); + failf(data, "SSL read: %s, errno %d", + ERR_error_string(err, error_buffer), SOCKERRNO); *curlcode = CURLE_RECV_ERROR; return -1; } @@ -878,14 +891,14 @@ static ssize_t wolfssl_recv(struct connectdata *conn, } -static void Curl_wolfssl_session_free(void *ptr) +static void wolfssl_session_free(void *ptr) { (void)ptr; /* wolfSSL reuses sessions on own, no free */ } -static size_t Curl_wolfssl_version(char *buffer, size_t size) +static size_t wolfssl_version(char *buffer, size_t size) { #if LIBWOLFSSL_VERSION_HEX >= 0x03006000 return msnprintf(buffer, size, "wolfSSL/%s", wolfSSL_lib_version()); @@ -895,7 +908,7 @@ static size_t Curl_wolfssl_version(char *buffer, size_t size) } -static int Curl_wolfssl_init(void) +static int wolfssl_init(void) { #ifdef OPENSSL_EXTRA Curl_tls_keylog_open(); @@ -904,7 +917,7 @@ static int Curl_wolfssl_init(void) } -static void Curl_wolfssl_cleanup(void) +static void wolfssl_cleanup(void) { wolfSSL_Cleanup(); #ifdef OPENSSL_EXTRA @@ -913,8 +926,8 @@ static void Curl_wolfssl_cleanup(void) } -static bool Curl_wolfssl_data_pending(const struct connectdata *conn, - int connindex) +static bool wolfssl_data_pending(const struct connectdata *conn, + int connindex) { const struct ssl_connect_data *connssl = &conn->ssl[connindex]; struct ssl_backend_data *backend = connssl->backend; @@ -929,12 +942,15 @@ static bool Curl_wolfssl_data_pending(const struct connectdata *conn, * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int Curl_wolfssl_shutdown(struct connectdata *conn, int sockindex) +static int wolfssl_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { int retval = 0; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; + (void) data; + if(backend->handle) { SSL_free(backend->handle); backend->handle = NULL; @@ -944,13 +960,13 @@ static int Curl_wolfssl_shutdown(struct connectdata *conn, int sockindex) static CURLcode -wolfssl_connect_common(struct connectdata *conn, +wolfssl_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; int what; @@ -971,7 +987,7 @@ wolfssl_connect_common(struct connectdata *conn, return CURLE_OPERATION_TIMEDOUT; } - result = wolfssl_connect_step1(conn, sockindex); + result = wolfssl_connect_step1(data, conn, sockindex); if(result) return result; } @@ -1026,7 +1042,7 @@ wolfssl_connect_common(struct connectdata *conn, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - result = wolfssl_connect_step2(conn, sockindex); + result = wolfssl_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1035,7 +1051,7 @@ wolfssl_connect_common(struct connectdata *conn, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = wolfssl_connect_step3(conn, sockindex); + result = wolfssl_connect_step3(data, conn, sockindex); if(result) return result; } @@ -1056,19 +1072,21 @@ wolfssl_connect_common(struct connectdata *conn, } -static CURLcode Curl_wolfssl_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode wolfssl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return wolfssl_connect_common(conn, sockindex, TRUE, done); + return wolfssl_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode Curl_wolfssl_connect(struct connectdata *conn, int sockindex) +static CURLcode wolfssl_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result; bool done = FALSE; - result = wolfssl_connect_common(conn, sockindex, FALSE, &done); + result = wolfssl_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -1077,8 +1095,8 @@ static CURLcode Curl_wolfssl_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static CURLcode Curl_wolfssl_random(struct Curl_easy *data, - unsigned char *entropy, size_t length) +static CURLcode wolfssl_random(struct Curl_easy *data, + unsigned char *entropy, size_t length) { WC_RNG rng; (void)data; @@ -1093,10 +1111,10 @@ static CURLcode Curl_wolfssl_random(struct Curl_easy *data, return CURLE_OK; } -static CURLcode Curl_wolfssl_sha256sum(const unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *sha256sum /* output */, - size_t unused) +static CURLcode wolfssl_sha256sum(const unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *sha256sum /* output */, + size_t unused) { wc_Sha256 SHA256pw; (void)unused; @@ -1106,7 +1124,7 @@ static CURLcode Curl_wolfssl_sha256sum(const unsigned char *tmp, /* input */ return CURLE_OK; } -static void *Curl_wolfssl_get_internals(struct ssl_connect_data *connssl, +static void *wolfssl_get_internals(struct ssl_connect_data *connssl, CURLINFO info UNUSED_PARAM) { struct ssl_backend_data *backend = connssl->backend; @@ -1124,26 +1142,25 @@ const struct Curl_ssl Curl_ssl_wolfssl = { sizeof(struct ssl_backend_data), - Curl_wolfssl_init, /* init */ - Curl_wolfssl_cleanup, /* cleanup */ - Curl_wolfssl_version, /* version */ + wolfssl_init, /* init */ + wolfssl_cleanup, /* cleanup */ + wolfssl_version, /* version */ Curl_none_check_cxn, /* check_cxn */ - Curl_wolfssl_shutdown, /* shutdown */ - Curl_wolfssl_data_pending, /* data_pending */ - Curl_wolfssl_random, /* random */ + wolfssl_shutdown, /* shutdown */ + wolfssl_data_pending, /* data_pending */ + wolfssl_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_wolfssl_connect, /* connect */ - Curl_wolfssl_connect_nonblocking, /* connect_nonblocking */ - Curl_wolfssl_get_internals, /* get_internals */ - Curl_wolfssl_close, /* close_one */ + wolfssl_connect, /* connect */ + wolfssl_connect_nonblocking, /* connect_nonblocking */ + wolfssl_get_internals, /* get_internals */ + wolfssl_close, /* close_one */ Curl_none_close_all, /* close_all */ - Curl_wolfssl_session_free, /* session_free */ + wolfssl_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ Curl_none_false_start, /* false_start */ - Curl_none_md5sum, /* md5sum */ - Curl_wolfssl_sha256sum /* sha256sum */ + wolfssl_sha256sum /* sha256sum */ }; #endif |