summaryrefslogtreecommitdiffstats
path: root/Utilities/cmcurl/lib/vtls/sectransp.c
diff options
context:
space:
mode:
Diffstat (limited to 'Utilities/cmcurl/lib/vtls/sectransp.c')
-rw-r--r--Utilities/cmcurl/lib/vtls/sectransp.c261
1 files changed, 149 insertions, 112 deletions
diff --git a/Utilities/cmcurl/lib/vtls/sectransp.c b/Utilities/cmcurl/lib/vtls/sectransp.c
index 7dd028f..2627aff 100644
--- a/Utilities/cmcurl/lib/vtls/sectransp.c
+++ b/Utilities/cmcurl/lib/vtls/sectransp.c
@@ -138,8 +138,6 @@ struct ssl_backend_data {
size_t ssl_write_buffered_length;
};
-#define BACKEND connssl->backend
-
/* pinned public key support tests */
/* version 1 supports macOS 10.12+ and iOS 10+ */
@@ -201,7 +199,8 @@ static OSStatus SocketRead(SSLConnectionRef connection,
UInt8 *currData = (UInt8 *)data;
/*int sock = *(int *)connection;*/
struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection;
- int sock = BACKEND->ssl_sockfd;
+ struct ssl_backend_data *backend = connssl->backend;
+ int sock = backend->ssl_sockfd;
OSStatus rtn = noErr;
size_t bytesRead;
ssize_t rrtn;
@@ -230,7 +229,7 @@ static OSStatus SocketRead(SSLConnectionRef connection,
break;
case EAGAIN:
rtn = errSSLWouldBlock;
- BACKEND->ssl_direction = false;
+ backend->ssl_direction = false;
break;
default:
rtn = ioErr;
@@ -261,7 +260,8 @@ static OSStatus SocketWrite(SSLConnectionRef connection,
size_t bytesSent = 0;
/*int sock = *(int *)connection;*/
struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection;
- int sock = BACKEND->ssl_sockfd;
+ struct ssl_backend_data *backend = connssl->backend;
+ int sock = backend->ssl_sockfd;
ssize_t length;
size_t dataLen = *dataLength;
const UInt8 *dataPtr = (UInt8 *)data;
@@ -281,7 +281,7 @@ static OSStatus SocketWrite(SSLConnectionRef connection,
theErr = errno;
if(theErr == EAGAIN) {
ortn = errSSLWouldBlock;
- BACKEND->ssl_direction = true;
+ backend->ssl_direction = true;
}
else {
ortn = ioErr;
@@ -1126,12 +1126,12 @@ static OSStatus CopyIdentityWithLabel(char *label,
}
static OSStatus CopyIdentityFromPKCS12File(const char *cPath,
+ const struct curl_blob *blob,
const char *cPassword,
SecIdentityRef *out_cert_and_key)
{
OSStatus status = errSecItemNotFound;
- CFURLRef pkcs_url = CFURLCreateFromFileSystemRepresentation(NULL,
- (const UInt8 *)cPath, strlen(cPath), false);
+ CFURLRef pkcs_url = NULL;
CFStringRef password = cPassword ? CFStringCreateWithCString(NULL,
cPassword, kCFStringEncodingUTF8) : NULL;
CFDataRef pkcs_data = NULL;
@@ -1140,8 +1140,26 @@ static OSStatus CopyIdentityFromPKCS12File(const char *cPath,
/* These constants are documented as having first appeared in 10.6 but they
raise linker errors when used on that cat for some reason. */
#if CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS
- if(CFURLCreateDataAndPropertiesFromResource(NULL, pkcs_url, &pkcs_data,
- NULL, NULL, &status)) {
+ bool resource_imported;
+
+ if(blob) {
+ pkcs_data = CFDataCreate(kCFAllocatorDefault,
+ (const unsigned char *)blob->data, blob->len);
+ status = (pkcs_data != NULL) ? errSecSuccess : errSecAllocate;
+ resource_imported = (pkcs_data != NULL);
+ }
+ else {
+ pkcs_url =
+ CFURLCreateFromFileSystemRepresentation(NULL,
+ (const UInt8 *)cPath,
+ strlen(cPath), false);
+ resource_imported =
+ CFURLCreateDataAndPropertiesFromResource(NULL,
+ pkcs_url, &pkcs_data,
+ NULL, NULL, &status);
+ }
+
+ if(resource_imported) {
CFArrayRef items = NULL;
/* On iOS SecPKCS12Import will never add the client certificate to the
@@ -1219,7 +1237,8 @@ static OSStatus CopyIdentityFromPKCS12File(const char *cPath,
#endif /* CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS */
if(password)
CFRelease(password);
- CFRelease(pkcs_url);
+ if(pkcs_url)
+ CFRelease(pkcs_url);
return status;
}
@@ -1276,6 +1295,7 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct ssl_backend_data *backend = connssl->backend;
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
long max_supported_version_by_os;
@@ -1326,30 +1346,30 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
return result;
}
- (void)SSLSetProtocolVersionMin(BACKEND->ssl_ctx, darwin_ver_min);
- (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, darwin_ver_max);
+ (void)SSLSetProtocolVersionMin(backend->ssl_ctx, darwin_ver_min);
+ (void)SSLSetProtocolVersionMax(backend->ssl_ctx, darwin_ver_max);
return result;
}
else {
#if CURL_SUPPORT_MAC_10_8
long i = ssl_version;
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kSSLProtocolAll,
false);
for(; i <= (ssl_version_max >> 16); i++) {
switch(i) {
case CURL_SSLVERSION_TLSv1_0:
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kTLSProtocol1,
true);
break;
case CURL_SSLVERSION_TLSv1_1:
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kTLSProtocol11,
true);
break;
case CURL_SSLVERSION_TLSv1_2:
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kTLSProtocol12,
true);
break;
@@ -1373,9 +1393,12 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
struct Curl_easy *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct ssl_backend_data *backend = connssl->backend;
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
+ const struct curl_blob *ssl_cablob = NULL;
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
char * const ssl_cert = SSL_SET_OPTION(cert);
+ const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(cert_blob);
const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
conn->host.name;
const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
@@ -1395,10 +1418,10 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
if(SSLCreateContext != NULL) { /* use the newer API if available */
- if(BACKEND->ssl_ctx)
- CFRelease(BACKEND->ssl_ctx);
- BACKEND->ssl_ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
- if(!BACKEND->ssl_ctx) {
+ if(backend->ssl_ctx)
+ CFRelease(backend->ssl_ctx);
+ backend->ssl_ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
+ if(!backend->ssl_ctx) {
failf(data, "SSL: couldn't create a context!");
return CURLE_OUT_OF_MEMORY;
}
@@ -1406,9 +1429,9 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
else {
/* The old ST API does not exist under iOS, so don't compile it: */
#if CURL_SUPPORT_MAC_10_8
- if(BACKEND->ssl_ctx)
- (void)SSLDisposeContext(BACKEND->ssl_ctx);
- err = SSLNewContext(false, &(BACKEND->ssl_ctx));
+ if(backend->ssl_ctx)
+ (void)SSLDisposeContext(backend->ssl_ctx);
+ err = SSLNewContext(false, &(backend->ssl_ctx));
if(err != noErr) {
failf(data, "SSL: couldn't create a context: OSStatus %d", err);
return CURLE_OUT_OF_MEMORY;
@@ -1416,31 +1439,31 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
#endif /* CURL_SUPPORT_MAC_10_8 */
}
#else
- if(BACKEND->ssl_ctx)
- (void)SSLDisposeContext(BACKEND->ssl_ctx);
- err = SSLNewContext(false, &(BACKEND->ssl_ctx));
+ if(backend->ssl_ctx)
+ (void)SSLDisposeContext(backend->ssl_ctx);
+ err = SSLNewContext(false, &(backend->ssl_ctx));
if(err != noErr) {
failf(data, "SSL: couldn't create a context: OSStatus %d", err);
return CURLE_OUT_OF_MEMORY;
}
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
- BACKEND->ssl_write_buffered_length = 0UL; /* reset buffered write length */
+ backend->ssl_write_buffered_length = 0UL; /* reset buffered write length */
/* check to see if we've been told to use an explicit SSL/TLS version */
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
if(SSLSetProtocolVersionMax != NULL) {
switch(conn->ssl_config.version) {
case CURL_SSLVERSION_TLSv1:
- (void)SSLSetProtocolVersionMin(BACKEND->ssl_ctx, kTLSProtocol1);
+ (void)SSLSetProtocolVersionMin(backend->ssl_ctx, kTLSProtocol1);
#if (CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) && HAVE_BUILTIN_AVAILABLE == 1
if(__builtin_available(macOS 10.13, iOS 11.0, *)) {
- (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kTLSProtocol13);
+ (void)SSLSetProtocolVersionMax(backend->ssl_ctx, kTLSProtocol13);
}
else {
- (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kTLSProtocol12);
+ (void)SSLSetProtocolVersionMax(backend->ssl_ctx, kTLSProtocol12);
}
#else
- (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kTLSProtocol12);
+ (void)SSLSetProtocolVersionMax(backend->ssl_ctx, kTLSProtocol12);
#endif /* (CURL_BUILD_MAC_10_13 || CURL_BUILD_IOS_11) &&
HAVE_BUILTIN_AVAILABLE == 1 */
break;
@@ -1456,20 +1479,20 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
break;
}
case CURL_SSLVERSION_SSLv3:
- err = SSLSetProtocolVersionMin(BACKEND->ssl_ctx, kSSLProtocol3);
+ err = SSLSetProtocolVersionMin(backend->ssl_ctx, kSSLProtocol3);
if(err != noErr) {
failf(data, "Your version of the OS does not support SSLv3");
return CURLE_SSL_CONNECT_ERROR;
}
- (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kSSLProtocol3);
+ (void)SSLSetProtocolVersionMax(backend->ssl_ctx, kSSLProtocol3);
break;
case CURL_SSLVERSION_SSLv2:
- err = SSLSetProtocolVersionMin(BACKEND->ssl_ctx, kSSLProtocol2);
+ err = SSLSetProtocolVersionMin(backend->ssl_ctx, kSSLProtocol2);
if(err != noErr) {
failf(data, "Your version of the OS does not support SSLv2");
return CURLE_SSL_CONNECT_ERROR;
}
- (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kSSLProtocol2);
+ (void)SSLSetProtocolVersionMax(backend->ssl_ctx, kSSLProtocol2);
break;
default:
failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
@@ -1478,19 +1501,19 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
}
else {
#if CURL_SUPPORT_MAC_10_8
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kSSLProtocolAll,
false);
switch(conn->ssl_config.version) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kTLSProtocol1,
true);
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kTLSProtocol11,
true);
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kTLSProtocol12,
true);
break;
@@ -1505,7 +1528,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
break;
}
case CURL_SSLVERSION_SSLv3:
- err = SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kSSLProtocol3,
true);
if(err != noErr) {
@@ -1514,7 +1537,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
}
break;
case CURL_SSLVERSION_SSLv2:
- err = SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kSSLProtocol2,
true);
if(err != noErr) {
@@ -1534,12 +1557,12 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
" SSL/TLS version");
return CURLE_SSL_CONNECT_ERROR;
}
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx, kSSLProtocolAll, false);
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx, kSSLProtocolAll, false);
switch(conn->ssl_config.version) {
case CURL_SSLVERSION_DEFAULT:
case CURL_SSLVERSION_TLSv1:
case CURL_SSLVERSION_TLSv1_0:
- (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ (void)SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kTLSProtocol1,
true);
break;
@@ -1553,7 +1576,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
failf(data, "Your version of the OS does not support TLSv1.3");
return CURLE_SSL_CONNECT_ERROR;
case CURL_SSLVERSION_SSLv2:
- err = SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kSSLProtocol2,
true);
if(err != noErr) {
@@ -1562,7 +1585,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
}
break;
case CURL_SSLVERSION_SSLv3:
- err = SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
+ err = SSLSetProtocolVersionEnabled(backend->ssl_ctx,
kSSLProtocol3,
true);
if(err != noErr) {
@@ -1596,7 +1619,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
/* expects length prefixed preference ordered list of protocols in wire
* format
*/
- err = SSLSetALPNProtocols(BACKEND->ssl_ctx, alpnArr);
+ err = SSLSetALPNProtocols(backend->ssl_ctx, alpnArr);
if(err != noErr)
infof(data, "WARNING: failed to set ALPN protocols; OSStatus %d\n",
err);
@@ -1610,15 +1633,16 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
"Transport. The private key must be in the Keychain.\n");
}
- if(ssl_cert) {
+ if(ssl_cert || ssl_cert_blob) {
+ bool is_cert_data = ssl_cert_blob != NULL;
+ bool is_cert_file = (!is_cert_data) && is_file(ssl_cert);
SecIdentityRef cert_and_key = NULL;
- bool is_cert_file = is_file(ssl_cert);
/* User wants to authenticate with a client cert. Look for it:
If we detect that this is a file on disk, then let's load it.
Otherwise, assume that the user wants to use an identity loaded
from the Keychain. */
- if(is_cert_file) {
+ if(is_cert_file || is_cert_data) {
if(!SSL_SET_OPTION(cert_type))
infof(data, "WARNING: SSL: Certificate type not set, assuming "
"PKCS#12 format.\n");
@@ -1627,7 +1651,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
infof(data, "WARNING: SSL: The Security framework only supports "
"loading identities that are in PKCS#12 format.\n");
- err = CopyIdentityFromPKCS12File(ssl_cert,
+ err = CopyIdentityFromPKCS12File(ssl_cert, ssl_cert_blob,
SSL_SET_OPTION(key_passwd), &cert_and_key);
}
else
@@ -1657,7 +1681,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
certs_c[0] = cert_and_key;
certs = CFArrayCreate(NULL, (const void **)certs_c, 1L,
&kCFTypeArrayCallBacks);
- err = SSLSetCertificate(BACKEND->ssl_ctx, certs);
+ err = SSLSetCertificate(backend->ssl_ctx, certs);
if(certs)
CFRelease(certs);
if(err != noErr) {
@@ -1667,27 +1691,30 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
CFRelease(cert_and_key);
}
else {
+ const char *cert_showfilename_error =
+ is_cert_data ? "(memory blob)" : ssl_cert;
+
switch(err) {
case errSecAuthFailed: case -25264: /* errSecPkcs12VerifyFailure */
failf(data, "SSL: Incorrect password for the certificate \"%s\" "
- "and its private key.", ssl_cert);
+ "and its private key.", cert_showfilename_error);
break;
case -26275: /* errSecDecode */ case -25257: /* errSecUnknownFormat */
failf(data, "SSL: Couldn't make sense of the data in the "
"certificate \"%s\" and its private key.",
- ssl_cert);
+ cert_showfilename_error);
break;
case -25260: /* errSecPassphraseRequired */
failf(data, "SSL The certificate \"%s\" requires a password.",
- ssl_cert);
+ cert_showfilename_error);
break;
case errSecItemNotFound:
failf(data, "SSL: Can't find the certificate \"%s\" and its private "
- "key in the Keychain.", ssl_cert);
+ "key in the Keychain.", cert_showfilename_error);
break;
default:
failf(data, "SSL: Can't load the certificate \"%s\" and its private "
- "key: OSStatus %d", ssl_cert, err);
+ "key: OSStatus %d", cert_showfilename_error, err);
break;
}
return CURLE_SSL_CERTPROBLEM;
@@ -1719,8 +1746,9 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
#else
if(SSLSetSessionOption != NULL) {
#endif /* CURL_BUILD_MAC */
- bool break_on_auth = !conn->ssl_config.verifypeer || ssl_cafile;
- err = SSLSetSessionOption(BACKEND->ssl_ctx,
+ bool break_on_auth = !conn->ssl_config.verifypeer ||
+ ssl_cafile || ssl_cablob;
+ err = SSLSetSessionOption(backend->ssl_ctx,
kSSLSessionOptionBreakOnServerAuth,
break_on_auth);
if(err != noErr) {
@@ -1730,7 +1758,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
}
else {
#if CURL_SUPPORT_MAC_10_8
- err = SSLSetEnableCertVerify(BACKEND->ssl_ctx,
+ err = SSLSetEnableCertVerify(backend->ssl_ctx,
conn->ssl_config.verifypeer?true:false);
if(err != noErr) {
failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err);
@@ -1739,7 +1767,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
#endif /* CURL_SUPPORT_MAC_10_8 */
}
#else
- err = SSLSetEnableCertVerify(BACKEND->ssl_ctx,
+ err = SSLSetEnableCertVerify(backend->ssl_ctx,
conn->ssl_config.verifypeer?true:false);
if(err != noErr) {
failf(data, "SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err);
@@ -1747,10 +1775,11 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
}
#endif /* CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS */
- if(ssl_cafile && verifypeer) {
- bool is_cert_file = is_file(ssl_cafile);
+ if((ssl_cafile || ssl_cablob) && verifypeer) {
+ bool is_cert_data = ssl_cablob != NULL;
+ bool is_cert_file = (!is_cert_data) && is_file(ssl_cafile);
- if(!is_cert_file) {
+ if(!(is_cert_file || is_cert_data)) {
failf(data, "SSL: can't load CA certificate file %s", ssl_cafile);
return CURLE_SSL_CACERT_BADFILE;
}
@@ -1760,7 +1789,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
* Both hostname check and SNI require SSLSetPeerDomainName().
* Also: the verifyhost setting influences SNI usage */
if(conn->ssl_config.verifyhost) {
- err = SSLSetPeerDomainName(BACKEND->ssl_ctx, hostname,
+ err = SSLSetPeerDomainName(backend->ssl_ctx, hostname,
strlen(hostname));
if(err != noErr) {
@@ -1786,7 +1815,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
higher priority, but it's probably better that we not connect at all than
to give the user a false sense of security if the server only supports
insecure ciphers. (Note: We don't care about SSLv2-only ciphers.) */
- err = SSLGetNumberSupportedCiphers(BACKEND->ssl_ctx, &all_ciphers_count);
+ err = SSLGetNumberSupportedCiphers(backend->ssl_ctx, &all_ciphers_count);
if(err != noErr) {
failf(data, "SSL: SSLGetNumberSupportedCiphers() failed: OSStatus %d",
err);
@@ -1803,7 +1832,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
failf(data, "SSL: Failed to allocate memory for allowed ciphers");
return CURLE_OUT_OF_MEMORY;
}
- err = SSLGetSupportedCiphers(BACKEND->ssl_ctx, all_ciphers,
+ err = SSLGetSupportedCiphers(backend->ssl_ctx, all_ciphers,
&all_ciphers_count);
if(err != noErr) {
Curl_safefree(all_ciphers);
@@ -1890,7 +1919,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
break;
}
}
- err = SSLSetEnabledCiphers(BACKEND->ssl_ctx, allowed_ciphers,
+ err = SSLSetEnabledCiphers(backend->ssl_ctx, allowed_ciphers,
allowed_ciphers_count);
Curl_safefree(all_ciphers);
Curl_safefree(allowed_ciphers);
@@ -1903,9 +1932,9 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
/* We want to enable 1/n-1 when using a CBC cipher unless the user
specifically doesn't want us doing that: */
if(SSLSetSessionOption != NULL) {
- SSLSetSessionOption(BACKEND->ssl_ctx, kSSLSessionOptionSendOneByteRecord,
+ SSLSetSessionOption(backend->ssl_ctx, kSSLSessionOptionSendOneByteRecord,
!data->set.ssl.enable_beast);
- SSLSetSessionOption(BACKEND->ssl_ctx, kSSLSessionOptionFalseStart,
+ SSLSetSessionOption(backend->ssl_ctx, kSSLSessionOptionFalseStart,
data->set.ssl.falsestart); /* false start support */
}
#endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
@@ -1919,7 +1948,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
&ssl_sessionid_len, sockindex)) {
/* we got a session id, use it! */
- err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+ err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
Curl_ssl_sessionid_unlock(conn);
if(err != noErr) {
failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err);
@@ -1937,7 +1966,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
verifypeer, SSL_CONN_CONFIG(verifyhost), hostname, port);
ssl_sessionid_len = strlen(ssl_sessionid);
- err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
+ err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
if(err != noErr) {
Curl_ssl_sessionid_unlock(conn);
failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err);
@@ -1954,7 +1983,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
}
}
- err = SSLSetIOFuncs(BACKEND->ssl_ctx, SocketRead, SocketWrite);
+ err = SSLSetIOFuncs(backend->ssl_ctx, SocketRead, SocketWrite);
if(err != noErr) {
failf(data, "SSL: SSLSetIOFuncs() failed: OSStatus %d", err);
return CURLE_SSL_CONNECT_ERROR;
@@ -1964,8 +1993,8 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
/* We need to store the FD in a constant memory address, because
* SSLSetConnection() will not copy that address. I've found that
* conn->sock[sockindex] may change on its own. */
- BACKEND->ssl_sockfd = sockfd;
- err = SSLSetConnection(BACKEND->ssl_ctx, connssl);
+ backend->ssl_sockfd = sockfd;
+ err = SSLSetConnection(backend->ssl_ctx, connssl);
if(err != noErr) {
failf(data, "SSL: SSLSetConnection() failed: %d", err);
return CURLE_SSL_CONNECT_ERROR;
@@ -2346,6 +2375,7 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct ssl_backend_data *backend = connssl->backend;
OSStatus err;
SSLCipherSuite cipher;
SSLProtocol protocol = 0;
@@ -2357,12 +2387,12 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
|| ssl_connect_2_writing == connssl->connecting_state);
/* Here goes nothing: */
- err = SSLHandshake(BACKEND->ssl_ctx);
+ err = SSLHandshake(backend->ssl_ctx);
if(err != noErr) {
switch(err) {
case errSSLWouldBlock: /* they're not done with us yet */
- connssl->connecting_state = BACKEND->ssl_direction ?
+ connssl->connecting_state = backend->ssl_direction ?
ssl_connect_2_writing : ssl_connect_2_reading;
return CURLE_OK;
@@ -2371,7 +2401,7 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
case -9841:
if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), data,
- BACKEND->ssl_ctx);
+ backend->ssl_ctx);
if(result)
return result;
}
@@ -2580,7 +2610,7 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
#ifdef SECTRANSP_PINNEDPUBKEY
if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) {
- CURLcode result = pkp_pin_peer_pubkey(data, BACKEND->ssl_ctx,
+ CURLcode result = pkp_pin_peer_pubkey(data, backend->ssl_ctx,
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]);
if(result) {
failf(data, "SSL: public key does not match pinned public key!");
@@ -2590,8 +2620,8 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
#endif /* SECTRANSP_PINNEDPUBKEY */
/* Informational message */
- (void)SSLGetNegotiatedCipher(BACKEND->ssl_ctx, &cipher);
- (void)SSLGetNegotiatedProtocolVersion(BACKEND->ssl_ctx, &protocol);
+ (void)SSLGetNegotiatedCipher(backend->ssl_ctx, &cipher);
+ (void)SSLGetNegotiatedProtocolVersion(backend->ssl_ctx, &protocol);
switch(protocol) {
case kSSLProtocol2:
infof(data, "SSL 2.0 connection using %s\n",
@@ -2631,7 +2661,7 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
if(__builtin_available(macOS 10.13.4, iOS 11, tvOS 11, *)) {
CFArrayRef alpnArr = NULL;
CFStringRef chosenProtocol = NULL;
- err = SSLCopyALPNProtocols(BACKEND->ssl_ctx, &alpnArr);
+ err = SSLCopyALPNProtocols(backend->ssl_ctx, &alpnArr);
if(err == noErr && alpnArr && CFArrayGetCount(alpnArr) >= 1)
chosenProtocol = CFArrayGetValueAtIndex(alpnArr, 0);
@@ -2674,19 +2704,20 @@ show_verbose_server_cert(struct connectdata *conn,
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct ssl_backend_data *backend = connssl->backend;
CFArrayRef server_certs = NULL;
SecCertificateRef server_cert;
OSStatus err;
CFIndex i, count;
SecTrustRef trust = NULL;
- if(!BACKEND->ssl_ctx)
+ if(!backend->ssl_ctx)
return;
#if CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS
#if CURL_BUILD_IOS
#pragma unused(server_certs)
- err = SSLCopyPeerTrust(BACKEND->ssl_ctx, &trust);
+ err = SSLCopyPeerTrust(backend->ssl_ctx, &trust);
/* For some reason, SSLCopyPeerTrust() can return noErr and yet return
a null trust, so be on guard for that: */
if(err == noErr && trust) {
@@ -2712,7 +2743,7 @@ show_verbose_server_cert(struct connectdata *conn,
Lion or later. */
if(SecTrustEvaluateAsync != NULL) {
#pragma unused(server_certs)
- err = SSLCopyPeerTrust(BACKEND->ssl_ctx, &trust);
+ err = SSLCopyPeerTrust(backend->ssl_ctx, &trust);
/* For some reason, SSLCopyPeerTrust() can return noErr and yet return
a null trust, so be on guard for that: */
if(err == noErr && trust) {
@@ -2732,7 +2763,7 @@ show_verbose_server_cert(struct connectdata *conn,
}
else {
#if CURL_SUPPORT_MAC_10_8
- err = SSLCopyPeerCertificates(BACKEND->ssl_ctx, &server_certs);
+ err = SSLCopyPeerCertificates(backend->ssl_ctx, &server_certs);
/* Just in case SSLCopyPeerCertificates() returns null too... */
if(err == noErr && server_certs) {
count = CFArrayGetCount(server_certs);
@@ -2754,7 +2785,7 @@ show_verbose_server_cert(struct connectdata *conn,
#endif /* CURL_BUILD_IOS */
#else
#pragma unused(trust)
- err = SSLCopyPeerCertificates(BACKEND->ssl_ctx, &server_certs);
+ err = SSLCopyPeerCertificates(backend->ssl_ctx, &server_certs);
if(err == noErr) {
count = CFArrayGetCount(server_certs);
for(i = 0L ; i < count ; i++) {
@@ -2805,7 +2836,6 @@ sectransp_connect_common(struct connectdata *conn,
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
- timediff_t timeout_ms;
int what;
/* check if the connection has already been established */
@@ -2816,7 +2846,7 @@ sectransp_connect_common(struct connectdata *conn,
if(ssl_connect_1 == connssl->connecting_state) {
/* Find out how much more time we're allowed */
- timeout_ms = Curl_timeleft(data, NULL, TRUE);
+ const timediff_t timeout_ms = Curl_timeleft(data, NULL, TRUE);
if(timeout_ms < 0) {
/* no need to continue if time already is up */
@@ -2834,7 +2864,7 @@ sectransp_connect_common(struct connectdata *conn,
ssl_connect_2_writing == connssl->connecting_state) {
/* check allowed time left */
- timeout_ms = Curl_timeleft(data, NULL, TRUE);
+ const timediff_t timeout_ms = Curl_timeleft(data, NULL, TRUE);
if(timeout_ms < 0) {
/* no need to continue if time already is up */
@@ -2852,7 +2882,7 @@ sectransp_connect_common(struct connectdata *conn,
connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
- nonblocking?0:(time_t)timeout_ms);
+ nonblocking ? 0 : timeout_ms);
if(what < 0) {
/* fatal error */
failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
@@ -2933,34 +2963,36 @@ static CURLcode Curl_sectransp_connect(struct connectdata *conn, int sockindex)
static void Curl_sectransp_close(struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct ssl_backend_data *backend = connssl->backend;
- if(BACKEND->ssl_ctx) {
- (void)SSLClose(BACKEND->ssl_ctx);
+ if(backend->ssl_ctx) {
+ (void)SSLClose(backend->ssl_ctx);
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
if(SSLCreateContext != NULL)
- CFRelease(BACKEND->ssl_ctx);
+ CFRelease(backend->ssl_ctx);
#if CURL_SUPPORT_MAC_10_8
else
- (void)SSLDisposeContext(BACKEND->ssl_ctx);
+ (void)SSLDisposeContext(backend->ssl_ctx);
#endif /* CURL_SUPPORT_MAC_10_8 */
#else
- (void)SSLDisposeContext(BACKEND->ssl_ctx);
+ (void)SSLDisposeContext(backend->ssl_ctx);
#endif /* CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS */
- BACKEND->ssl_ctx = NULL;
+ backend->ssl_ctx = NULL;
}
- BACKEND->ssl_sockfd = 0;
+ backend->ssl_sockfd = 0;
}
static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct ssl_backend_data *backend = connssl->backend;
struct Curl_easy *data = conn->data;
ssize_t nread;
int what;
int rc;
char buf[120];
- if(!BACKEND->ssl_ctx)
+ if(!backend->ssl_ctx)
return 0;
#ifndef CURL_DISABLE_FTP
@@ -3033,11 +3065,12 @@ static size_t Curl_sectransp_version(char *buffer, size_t size)
static int Curl_sectransp_check_cxn(struct connectdata *conn)
{
struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET];
+ struct ssl_backend_data *backend = connssl->backend;
OSStatus err;
SSLSessionState state;
- if(BACKEND->ssl_ctx) {
- err = SSLGetSessionState(BACKEND->ssl_ctx, &state);
+ if(backend->ssl_ctx) {
+ err = SSLGetSessionState(backend->ssl_ctx, &state);
if(err == noErr)
return state == kSSLConnected || state == kSSLHandshake;
return -1;
@@ -3049,11 +3082,12 @@ static bool Curl_sectransp_data_pending(const struct connectdata *conn,
int connindex)
{
const struct ssl_connect_data *connssl = &conn->ssl[connindex];
+ struct ssl_backend_data *backend = connssl->backend;
OSStatus err;
size_t buffer;
- if(BACKEND->ssl_ctx) { /* SSL is in use */
- err = SSLGetBufferedReadSize(BACKEND->ssl_ctx, &buffer);
+ if(backend->ssl_ctx) { /* SSL is in use */
+ err = SSLGetBufferedReadSize(backend->ssl_ctx, &buffer);
if(err == noErr)
return buffer > 0UL;
return false;
@@ -3119,6 +3153,7 @@ static ssize_t sectransp_send(struct connectdata *conn,
{
/*struct Curl_easy *data = conn->data;*/
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct ssl_backend_data *backend = connssl->backend;
size_t processed = 0UL;
OSStatus err;
@@ -3137,15 +3172,15 @@ static ssize_t sectransp_send(struct connectdata *conn,
over again with no new data until it quits returning errSSLWouldBlock. */
/* Do we have buffered data to write from the last time we were called? */
- if(BACKEND->ssl_write_buffered_length) {
+ if(backend->ssl_write_buffered_length) {
/* Write the buffered data: */
- err = SSLWrite(BACKEND->ssl_ctx, NULL, 0UL, &processed);
+ err = SSLWrite(backend->ssl_ctx, NULL, 0UL, &processed);
switch(err) {
case noErr:
/* processed is always going to be 0 because we didn't write to
the buffer, so return how much was written to the socket */
- processed = BACKEND->ssl_write_buffered_length;
- BACKEND->ssl_write_buffered_length = 0UL;
+ processed = backend->ssl_write_buffered_length;
+ backend->ssl_write_buffered_length = 0UL;
break;
case errSSLWouldBlock: /* argh, try again */
*curlcode = CURLE_AGAIN;
@@ -3158,13 +3193,13 @@ static ssize_t sectransp_send(struct connectdata *conn,
}
else {
/* We've got new data to write: */
- err = SSLWrite(BACKEND->ssl_ctx, mem, len, &processed);
+ err = SSLWrite(backend->ssl_ctx, mem, len, &processed);
if(err != noErr) {
switch(err) {
case errSSLWouldBlock:
/* Data was buffered but not sent, we have to tell the caller
to try sending again, and remember how much was buffered */
- BACKEND->ssl_write_buffered_length = len;
+ backend->ssl_write_buffered_length = len;
*curlcode = CURLE_AGAIN;
return -1L;
default:
@@ -3185,11 +3220,12 @@ static ssize_t sectransp_recv(struct connectdata *conn,
{
/*struct Curl_easy *data = conn->data;*/
struct ssl_connect_data *connssl = &conn->ssl[num];
+ struct ssl_backend_data *backend = connssl->backend;
size_t processed = 0UL;
OSStatus err;
again:
- err = SSLRead(BACKEND->ssl_ctx, buf, buffersize, &processed);
+ err = SSLRead(backend->ssl_ctx, buf, buffersize, &processed);
if(err != noErr) {
switch(err) {
@@ -3215,7 +3251,7 @@ static ssize_t sectransp_recv(struct connectdata *conn,
case -9841:
if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), conn->data,
- BACKEND->ssl_ctx);
+ backend->ssl_ctx);
if(result)
return result;
}
@@ -3233,8 +3269,9 @@ static ssize_t sectransp_recv(struct connectdata *conn,
static void *Curl_sectransp_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
{
+ struct ssl_backend_data *backend = connssl->backend;
(void)info;
- return BACKEND->ssl_ctx;
+ return backend->ssl_ctx;
}
const struct Curl_ssl Curl_ssl_sectransp = {