diff options
Diffstat (limited to 'Utilities/cmcurl/lib/vtls/polarssl.c')
-rw-r--r-- | Utilities/cmcurl/lib/vtls/polarssl.c | 198 |
1 files changed, 131 insertions, 67 deletions
diff --git a/Utilities/cmcurl/lib/vtls/polarssl.c b/Utilities/cmcurl/lib/vtls/polarssl.c index 669091c..fc0644f 100644 --- a/Utilities/cmcurl/lib/vtls/polarssl.c +++ b/Utilities/cmcurl/lib/vtls/polarssl.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2012 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 2012 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al. * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com> * * This software is licensed as described in the file COPYING, which @@ -30,7 +30,6 @@ #include "curl_setup.h" #ifdef USE_POLARSSL - #include <polarssl/net.h> #include <polarssl/ssl.h> #include <polarssl/certs.h> @@ -70,6 +69,19 @@ #define PUB_DER_MAX_BYTES (RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \ RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES) +struct ssl_backend_data { + ctr_drbg_context ctr_drbg; + entropy_context entropy; + ssl_context ssl; + int server_fd; + x509_crt cacert; + x509_crt clicert; + x509_crl crl; + rsa_context rsa; +}; + +#define BACKEND connssl->backend + /* apply threading? */ #if defined(USE_THREADS_POSIX) || defined(USE_THREADS_WIN32) #define THREADING_SUPPORT @@ -197,8 +209,8 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) return result; } - ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3, ssl_min_ver); - ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3, ssl_max_ver); + ssl_set_min_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3, ssl_min_ver); + ssl_set_max_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3, ssl_max_ver); return result; } @@ -215,7 +227,7 @@ polarssl_connect_step1(struct connectdata *conn, const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; int ret = -1; char errorbuf[128]; - errorbuf[0]=0; + errorbuf[0] = 0; /* PolarSSL only supports SSLv3 and TLSv1 */ if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) { @@ -226,16 +238,16 @@ polarssl_connect_step1(struct connectdata *conn, #ifdef THREADING_SUPPORT entropy_init_mutex(&entropy); - if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func_mutex, &entropy, + if((ret = ctr_drbg_init(&BACKEND->ctr_drbg, entropy_func_mutex, &entropy, NULL, 0)) != 0) { error_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n", -ret, errorbuf); } #else - entropy_init(&connssl->entropy); + entropy_init(&BACKEND->entropy); - if((ret = ctr_drbg_init(&connssl->ctr_drbg, entropy_func, &connssl->entropy, + if((ret = ctr_drbg_init(&BACKEND->ctr_drbg, entropy_func, &BACKEND->entropy, NULL, 0)) != 0) { error_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Failed - PolarSSL: ctr_drbg_init returned (-0x%04X) %s\n", @@ -244,10 +256,10 @@ polarssl_connect_step1(struct connectdata *conn, #endif /* THREADING_SUPPORT */ /* Load the trusted CA */ - memset(&connssl->cacert, 0, sizeof(x509_crt)); + memset(&BACKEND->cacert, 0, sizeof(x509_crt)); if(SSL_CONN_CONFIG(CAfile)) { - ret = x509_crt_parse_file(&connssl->cacert, + ret = x509_crt_parse_file(&BACKEND->cacert, SSL_CONN_CONFIG(CAfile)); if(ret<0) { @@ -261,7 +273,7 @@ polarssl_connect_step1(struct connectdata *conn, } if(capath) { - ret = x509_crt_parse_path(&connssl->cacert, capath); + ret = x509_crt_parse_path(&BACKEND->cacert, capath); if(ret<0) { error_strerror(ret, errorbuf, sizeof(errorbuf)); @@ -274,10 +286,10 @@ polarssl_connect_step1(struct connectdata *conn, } /* Load the client certificate */ - memset(&connssl->clicert, 0, sizeof(x509_crt)); + memset(&BACKEND->clicert, 0, sizeof(x509_crt)); if(SSL_SET_OPTION(cert)) { - ret = x509_crt_parse_file(&connssl->clicert, + ret = x509_crt_parse_file(&BACKEND->clicert, SSL_SET_OPTION(cert)); if(ret) { @@ -298,9 +310,9 @@ polarssl_connect_step1(struct connectdata *conn, if(ret == 0 && !pk_can_do(&pk, POLARSSL_PK_RSA)) ret = POLARSSL_ERR_PK_TYPE_MISMATCH; if(ret == 0) - rsa_copy(&connssl->rsa, pk_rsa(pk)); + rsa_copy(&BACKEND->rsa, pk_rsa(pk)); else - rsa_free(&connssl->rsa); + rsa_free(&BACKEND->rsa); pk_free(&pk); if(ret) { @@ -313,10 +325,10 @@ polarssl_connect_step1(struct connectdata *conn, } /* Load the CRL */ - memset(&connssl->crl, 0, sizeof(x509_crl)); + memset(&BACKEND->crl, 0, sizeof(x509_crl)); if(SSL_SET_OPTION(CRLfile)) { - ret = x509_crl_parse_file(&connssl->crl, + ret = x509_crl_parse_file(&BACKEND->crl, SSL_SET_OPTION(CRLfile)); if(ret) { @@ -330,7 +342,7 @@ polarssl_connect_step1(struct connectdata *conn, infof(data, "PolarSSL: Connecting to %s:%d\n", hostname, port); - if(ssl_init(&connssl->ssl)) { + if(ssl_init(&BACKEND->ssl)) { failf(data, "PolarSSL: ssl_init failed"); return CURLE_SSL_CONNECT_ERROR; } @@ -338,13 +350,13 @@ polarssl_connect_step1(struct connectdata *conn, switch(SSL_CONN_CONFIG(version)) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: - ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3, + ssl_set_min_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1); break; case CURL_SSLVERSION_SSLv3: - ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3, + ssl_set_min_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0); - ssl_set_max_version(&connssl->ssl, SSL_MAJOR_VERSION_3, + ssl_set_max_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0); infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3\n"); break; @@ -363,16 +375,16 @@ polarssl_connect_step1(struct connectdata *conn, return CURLE_SSL_CONNECT_ERROR; } - ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT); - ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL); + ssl_set_endpoint(&BACKEND->ssl, SSL_IS_CLIENT); + ssl_set_authmode(&BACKEND->ssl, SSL_VERIFY_OPTIONAL); - ssl_set_rng(&connssl->ssl, ctr_drbg_random, - &connssl->ctr_drbg); - ssl_set_bio(&connssl->ssl, + ssl_set_rng(&BACKEND->ssl, ctr_drbg_random, + &BACKEND->ctr_drbg); + ssl_set_bio(&BACKEND->ssl, net_recv, &conn->sock[sockindex], net_send, &conn->sock[sockindex]); - ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); + ssl_set_ciphersuites(&BACKEND->ssl, ssl_list_ciphersuites()); /* Check if there's a cached ID we can/should use here! */ if(SSL_SET_OPTION(primary.sessionid)) { @@ -380,7 +392,7 @@ polarssl_connect_step1(struct connectdata *conn, Curl_ssl_sessionid_lock(conn); if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { - ret = ssl_set_session(&connssl->ssl, old_session); + ret = ssl_set_session(&BACKEND->ssl, old_session); if(ret) { Curl_ssl_sessionid_unlock(conn); failf(data, "ssl_set_session returned -0x%x", -ret); @@ -391,15 +403,15 @@ polarssl_connect_step1(struct connectdata *conn, Curl_ssl_sessionid_unlock(conn); } - ssl_set_ca_chain(&connssl->ssl, - &connssl->cacert, - &connssl->crl, + ssl_set_ca_chain(&BACKEND->ssl, + &BACKEND->cacert, + &BACKEND->crl, hostname); - ssl_set_own_cert_rsa(&connssl->ssl, - &connssl->clicert, &connssl->rsa); + ssl_set_own_cert_rsa(&BACKEND->ssl, + &BACKEND->clicert, &BACKEND->rsa); - if(ssl_set_hostname(&connssl->ssl, hostname)) { + if(ssl_set_hostname(&BACKEND->ssl, hostname)) { /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name to set in the SNI extension. So even if curl connects to a host specified as an IP address, this function must be used. */ @@ -424,12 +436,12 @@ polarssl_connect_step1(struct connectdata *conn, protocols[cur] = NULL; - ssl_set_alpn_protocols(&connssl->ssl, protocols); + ssl_set_alpn_protocols(&BACKEND->ssl, protocols); } #endif #ifdef POLARSSL_DEBUG - ssl_set_dbg(&connssl->ssl, polarssl_debug, data); + ssl_set_dbg(&BACKEND->ssl, polarssl_debug, data); #endif connssl->connecting_state = ssl_connect_2; @@ -456,7 +468,7 @@ polarssl_connect_step2(struct connectdata *conn, conn->recv[sockindex] = polarssl_recv; conn->send[sockindex] = polarssl_send; - ret = ssl_handshake(&connssl->ssl); + ret = ssl_handshake(&BACKEND->ssl); switch(ret) { case 0: @@ -478,9 +490,9 @@ polarssl_connect_step2(struct connectdata *conn, } infof(data, "PolarSSL: Handshake complete, cipher is %s\n", - ssl_get_ciphersuite(&conn->ssl[sockindex].ssl) ); + ssl_get_ciphersuite(&BACKEND->ssl) ); - ret = ssl_get_verify_result(&conn->ssl[sockindex].ssl); + ret = ssl_get_verify_result(&BACKEND->ssl); if(ret && SSL_CONN_CONFIG(verifypeer)) { if(ret & BADCERT_EXPIRED) @@ -500,12 +512,12 @@ polarssl_connect_step2(struct connectdata *conn, return CURLE_PEER_FAILED_VERIFICATION; } - if(ssl_get_peer_cert(&(connssl->ssl))) { + if(ssl_get_peer_cert(&(BACKEND->ssl))) { /* If the session was resumed, there will be no peer certs */ memset(buffer, 0, sizeof(buffer)); if(x509_crt_info(buffer, sizeof(buffer), (char *)"* ", - ssl_get_peer_cert(&(connssl->ssl))) != -1) + ssl_get_peer_cert(&(BACKEND->ssl))) != -1) infof(data, "Dumping cert info:\n%s\n", buffer); } @@ -517,7 +529,7 @@ polarssl_connect_step2(struct connectdata *conn, unsigned char pubkey[PUB_DER_MAX_BYTES]; const x509_crt *peercert; - peercert = ssl_get_peer_cert(&connssl->ssl); + peercert = ssl_get_peer_cert(&BACKEND->ssl); if(!peercert || !peercert->raw.p || !peercert->raw.len) { failf(data, "Failed due to missing peer certificate"); @@ -566,7 +578,7 @@ polarssl_connect_step2(struct connectdata *conn, #ifdef HAS_ALPN if(conn->bits.tls_enable_alpn) { - const char *next_protocol = ssl_get_alpn_protocol(&connssl->ssl); + const char *next_protocol = ssl_get_alpn_protocol(&BACKEND->ssl); if(next_protocol != NULL) { infof(data, "ALPN, server accepted to use %s\n", next_protocol); @@ -614,7 +626,7 @@ polarssl_connect_step3(struct connectdata *conn, memset(our_ssl_sessionid, 0, sizeof(ssl_session)); - ret = ssl_get_session(&connssl->ssl, our_ssl_sessionid); + ret = ssl_get_session(&BACKEND->ssl, our_ssl_sessionid); if(ret) { failf(data, "ssl_get_session returned -0x%x", -ret); return CURLE_SSL_CONNECT_ERROR; @@ -645,9 +657,10 @@ static ssize_t polarssl_send(struct connectdata *conn, size_t len, CURLcode *curlcode) { + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; int ret = -1; - ret = ssl_write(&conn->ssl[sockindex].ssl, + ret = ssl_write(&BACKEND->ssl, (unsigned char *)mem, len); if(ret < 0) { @@ -659,13 +672,14 @@ static ssize_t polarssl_send(struct connectdata *conn, return ret; } -void Curl_polarssl_close(struct connectdata *conn, int sockindex) +static void Curl_polarssl_close(struct connectdata *conn, int sockindex) { - rsa_free(&conn->ssl[sockindex].rsa); - x509_crt_free(&conn->ssl[sockindex].clicert); - x509_crt_free(&conn->ssl[sockindex].cacert); - x509_crl_free(&conn->ssl[sockindex].crl); - ssl_free(&conn->ssl[sockindex].ssl); + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + rsa_free(&BACKEND->rsa); + x509_crt_free(&BACKEND->clicert); + x509_crt_free(&BACKEND->cacert); + x509_crl_free(&BACKEND->crl); + ssl_free(&BACKEND->ssl); } static ssize_t polarssl_recv(struct connectdata *conn, @@ -674,11 +688,12 @@ static ssize_t polarssl_recv(struct connectdata *conn, size_t buffersize, CURLcode *curlcode) { + struct ssl_connect_data *connssl = &conn->ssl[num]; int ret = -1; ssize_t len = -1; memset(buf, 0, buffersize); - ret = ssl_read(&conn->ssl[num].ssl, (unsigned char *)buf, buffersize); + ret = ssl_read(&BACKEND->ssl, (unsigned char *)buf, buffersize); if(ret <= 0) { if(ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY) @@ -694,7 +709,7 @@ static ssize_t polarssl_recv(struct connectdata *conn, return len; } -void Curl_polarssl_session_free(void *ptr) +static void Curl_polarssl_session_free(void *ptr) { ssl_session_free(ptr); free(ptr); @@ -703,7 +718,7 @@ void Curl_polarssl_session_free(void *ptr) /* 1.3.10 was the first rebranded version. All new releases (in 1.3 branch and higher) will be mbed TLS branded.. */ -size_t Curl_polarssl_version(char *buffer, size_t size) +static size_t Curl_polarssl_version(char *buffer, size_t size) { unsigned int version = version_get_number(); return snprintf(buffer, size, "%s/%d.%d.%d", @@ -762,9 +777,9 @@ polarssl_connect_common(struct connectdata *conn, if(connssl->connecting_state == ssl_connect_2_reading || connssl->connecting_state == ssl_connect_2_writing) { - curl_socket_t writefd = ssl_connect_2_writing== + curl_socket_t writefd = ssl_connect_2_writing == connssl->connecting_state?sockfd:CURL_SOCKET_BAD; - curl_socket_t readfd = ssl_connect_2_reading== + curl_socket_t readfd = ssl_connect_2_reading == connssl->connecting_state?sockfd:CURL_SOCKET_BAD; what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd, @@ -825,18 +840,14 @@ polarssl_connect_common(struct connectdata *conn, return CURLE_OK; } -CURLcode -Curl_polarssl_connect_nonblocking(struct connectdata *conn, - int sockindex, - bool *done) +static CURLcode Curl_polarssl_connect_nonblocking(struct connectdata *conn, + int sockindex, bool *done) { return polarssl_connect_common(conn, sockindex, TRUE, done); } -CURLcode -Curl_polarssl_connect(struct connectdata *conn, - int sockindex) +static CURLcode Curl_polarssl_connect(struct connectdata *conn, int sockindex) { CURLcode result; bool done = FALSE; @@ -854,20 +865,73 @@ Curl_polarssl_connect(struct connectdata *conn, * return 0 error initializing SSL * return 1 SSL initialized successfully */ -int Curl_polarssl_init(void) +static int Curl_polarssl_init(void) { return Curl_polarsslthreadlock_thread_setup(); } -void Curl_polarssl_cleanup(void) +static void Curl_polarssl_cleanup(void) { (void)Curl_polarsslthreadlock_thread_cleanup(); } +static bool Curl_polarssl_data_pending(const struct connectdata *conn, + int sockindex) +{ + const struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + return ssl_get_bytes_avail(&BACKEND->ssl) != 0; +} + +static void Curl_polarssl_sha256sum(const unsigned char *input, + size_t inputlen, + unsigned char *sha256sum, + size_t sha256len UNUSED_PARAM) +{ + (void)sha256len; + sha256(input, inputlen, sha256sum, 0); +} -int Curl_polarssl_data_pending(const struct connectdata *conn, int sockindex) +static void *Curl_polarssl_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { - return ssl_get_bytes_avail(&conn->ssl[sockindex].ssl) != 0; + (void)info; + return &BACKEND->ssl; } +const struct Curl_ssl Curl_ssl_polarssl = { + { CURLSSLBACKEND_POLARSSL, "polarssl" }, /* info */ + + 1, /* have_ca_path */ + 0, /* have_certinfo */ + 1, /* have_pinnedpubkey */ + 0, /* have_ssl_ctx */ + 0, /* support_https_proxy */ + + sizeof(struct ssl_backend_data), + + Curl_polarssl_init, /* init */ + Curl_polarssl_cleanup, /* cleanup */ + Curl_polarssl_version, /* version */ + Curl_none_check_cxn, /* check_cxn */ + Curl_none_shutdown, /* shutdown */ + Curl_polarssl_data_pending, /* data_pending */ + /* This might cause libcurl to use a weeker random! + * TODO: use Polarssl's CTR-DRBG or HMAC-DRBG + */ + Curl_none_random, /* random */ + Curl_none_cert_status_request, /* cert_status_request */ + Curl_polarssl_connect, /* connect */ + Curl_polarssl_connect_nonblocking, /* connect_nonblocking */ + Curl_polarssl_get_internals, /* get_internals */ + Curl_polarssl_close, /* close */ + Curl_none_close_all, /* close_all */ + Curl_polarssl_session_free, /* session_free */ + Curl_none_set_engine, /* set_engine */ + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ + Curl_none_md5sum, /* md5sum */ + Curl_polarssl_sha256sum /* sha256sum */ +}; + #endif /* USE_POLARSSL */ |