Diffstat (limited to 'Utilities/cmcurl/lib/vtls/sectransp.c')
-rw-r--r-- | Utilities/cmcurl/lib/vtls/sectransp.c | 55 |
1 files changed, 42 insertions, 13 deletions
diff --git a/Utilities/cmcurl/lib/vtls/sectransp.c b/Utilities/cmcurl/lib/vtls/sectransp.c
index f7a20b2..8ee8fe9 100644
--- a/Utilities/cmcurl/lib/vtls/sectransp.c
+++ b/Utilities/cmcurl/lib/vtls/sectransp.c
@@ -5,7 +5,7 @@
 * | (__| |_| | _ <| |___
 * \___|\___/|_| \_\_____|
 *
- * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
 * Copyright (C) 2012 - 2017, Nick Zitzmann, <nickzman@gmail.com>.
 *
 * This software is licensed as described in the file COPYING, which
@@ -603,7 +603,7 @@ const static struct st_cipher ciphertable[] = {
 CIPHER_WEAK_RC_ENCRYPTION),
 CIPHER_DEF(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC003 */
 "ECDH-ECDSA-DES-CBC3-SHA",
- CIPHER_STRONG_ENOUGH),
+ CIPHER_WEAK_3DES_ENCRYPTION),
 CIPHER_DEF(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC004 */
 "ECDH-ECDSA-AES128-SHA",
 CIPHER_STRONG_ENOUGH),
@@ -837,12 +837,14 @@ static OSStatus SocketRead(SSLConnectionRef connection,
 /*int sock = *(int *)connection;*/
 struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection;
 struct ssl_backend_data *backend = connssl->backend;
- int sock = backend->ssl_sockfd;
+ int sock;
 OSStatus rtn = noErr;
 size_t bytesRead;
 ssize_t rrtn;
 int theErr;
 
+ DEBUGASSERT(backend);
+ sock = backend->ssl_sockfd;
 *dataLength = 0;
 
 for(;;) {
@@ -898,13 +900,15 @@ static OSStatus SocketWrite(SSLConnectionRef connection,
 /*int sock = *(int *)connection;*/
 struct ssl_connect_data *connssl = (struct ssl_connect_data *)connection;
 struct ssl_backend_data *backend = connssl->backend;
- int sock = backend->ssl_sockfd;
+ int sock;
 ssize_t length;
 size_t dataLen = *dataLength;
 const UInt8 *dataPtr = (UInt8 *)data;
 OSStatus ortn;
 int theErr;
 
+ DEBUGASSERT(backend);
+ sock = backend->ssl_sockfd;
 *dataLength = 0;
 
 do {
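Review bot: Reclassifying TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xC003) as CIPHER_WEAK_3DES_ENCRYPTION is the right call given the 64-bit block size, but its sibling ECDH/ECDHE 3DES suites (0xC008, 0xC00D and 0xC012 in the IANA registry) are not in this hunk, so it is worth confirming that every *_3DES_EDE_CBC_* entry in ciphertable now carries the same classification rather than CIPHER_STRONG_ENOUGH. The ciphertable definition continues outside the hunk. A one-line comment at the entry, `/* every 3DES suite is classified CIPHER_WEAK_3DES_ENCRYPTION; keep them consistent */`, would make the rule explicit for the next edit to the table.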
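Review bot: The new DEBUGASSERT(backend) in SocketRead only fires in debug builds (assuming curl's usual definition, under which it compiles to nothing otherwise), so in release builds the dereference on the moved `sock = backend->ssl_sockfd;` line is exactly as unguarded as before; the assertion documents the precondition rather than enforcing it, which matches how the rest of the file treats backend. A short comment on the assert, `/* backend must be set up by the time the SSLConnectionRef callbacks run */`, would make that precondition visible to readers of the callback. The same observation applies to the SocketWrite hunk below and to the DEBUGASSERT(backend) additions in set_ssl_version_min_max, sectransp_connect_step1, sectransp_connect_step2, collect_server_cert, sectransp_close, sectransp_shutdown, sectransp_check_cxn, sectransp_data_pending, sectransp_send, sectransp_recv and sectransp_get_internals. SocketRead and SocketWrite both start before and end after their hunks.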
@@ -934,9 +938,9 @@ static OSStatus SocketWrite(SSLConnectionRef connection,
 #ifndef CURL_DISABLE_VERBOSE_STRINGS
 CF_INLINE const char *TLSCipherNameForNumber(SSLCipherSuite cipher)
 {
- /* The first ciphers in the ciphertable are continuos. Here we do small
+ /* The first ciphers in the ciphertable are continuous. Here we do small
 optimization and instead of loop directly get SSL name by cipher number.
- */
+ */
 if(cipher <= SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA) {
 return ciphertable[cipher].name;
 }
@@ -1376,6 +1380,8 @@ set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn,
 long ssl_version_max = SSL_CONN_CONFIG(version_max);
 long max_supported_version_by_os;
 
+ DEBUGASSERT(backend);
+
 /* macOS 10.5-10.7 supported TLS 1.0 only.
 macOS 10.8 and later, and iOS 5 and later, added TLS 1.1 and 1.2.
 macOS 10.13 and later, and iOS 11 and later, added TLS 1.3. */
@@ -1684,6 +1690,8 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
 #if CURL_BUILD_MAC
 int darwinver_maj = 0, darwinver_min = 0;
 
+ DEBUGASSERT(backend);
+
 GetDarwinVersionNumber(&darwinver_maj, &darwinver_min);
 #endif /* CURL_BUILD_MAC */
 
@@ -1693,7 +1701,7 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
 CFRelease(backend->ssl_ctx);
 backend->ssl_ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
 if(!backend->ssl_ctx) {
- failf(data, "SSL: couldn't create a context!");
+ failf(data, "SSL: couldn't create a context");
 return CURLE_OUT_OF_MEMORY;
 }
 }
@@ -1843,12 +1851,12 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
 #endif
 ) {
 CFArrayAppendValue(alpnArr, CFSTR(ALPN_H2));
- infof(data, "ALPN, offering %s", ALPN_H2);
+ infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2);
 }
 #endif
 
 CFArrayAppendValue(alpnArr, CFSTR(ALPN_HTTP_1_1));
- infof(data, "ALPN, offering %s", ALPN_HTTP_1_1);
+ infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1);
 
 /* expects length prefixed preference ordered list of protocols in wire
 * format
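Review bot: The direct `ciphertable[cipher]` index under the corrected comment in TLSCipherNameForNumber is only valid while the table's leading entries sit in numeric order from 0 up to SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA; the comment now states that, but nothing checks it, so a reordering or insertion in the table would silently return the wrong name. A DEBUGASSERT comparing the selected entry's cipher-number field against `cipher` before `return ciphertable[cipher].name;` would catch that in test builds at no release cost. The function continues outside the hunk; the comment implies the remaining entries are found by a loop, which is not visible here.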
@@ -2028,8 +2036,13 @@ static CURLcode sectransp_connect_step1(struct Curl_easy *data,
 * Both hostname check and SNI require SSLSetPeerDomainName().
 * Also: the verifyhost setting influences SNI usage */
 if(conn->ssl_config.verifyhost) {
- err = SSLSetPeerDomainName(backend->ssl_ctx, hostname,
- strlen(hostname));
+ size_t snilen;
+ char *snihost = Curl_ssl_snihost(data, hostname, &snilen);
+ if(!snihost) {
+ failf(data, "Failed to set SNI");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ err = SSLSetPeerDomainName(backend->ssl_ctx, snihost, snilen);
 if(err != noErr) {
 infof(data, "WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d",
@@ -2542,6 +2555,7 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
 DEBUGASSERT(ssl_connect_2 == connssl->connecting_state ||
 ssl_connect_2_reading == connssl->connecting_state ||
 ssl_connect_2_writing == connssl->connecting_state);
+ DEBUGASSERT(backend);
 
 /* Here goes nothing: */
 err = SSLHandshake(backend->ssl_ctx);
@@ -2774,7 +2788,7 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
 pkp_pin_peer_pubkey(data, backend->ssl_ctx,
 data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
 if(result) {
- failf(data, "SSL: public key does not match pinned public key!");
+ failf(data, "SSL: public key does not match pinned public key");
 return result;
 }
 }
@@ -2839,7 +2853,7 @@ sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
 conn->negnpn = CURL_HTTP_VERSION_1_1;
 }
 else
- infof(data, "ALPN, server did not agree to a protocol");
+ infof(data, VTLS_INFOF_NO_ALPN);
 
 Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
 BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
@@ -2918,6 +2932,8 @@ collect_server_cert(struct Curl_easy *data,
 CFIndex i, count;
 SecTrustRef trust = NULL;
 
+ DEBUGASSERT(backend);
+
 if(!show_verbose_server_cert && !data->set.ssl.certinfo)
 return CURLE_OK;
 
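Review bot: The new SNI branch hard-fails with CURLE_SSL_CONNECT_ERROR when Curl_ssl_snihost() returns NULL, yet the `if(err != noErr)` immediately after the new SSLSetPeerDomainName() call still only logs a WARNING when that call itself fails (the rest of the branch is outside the hunk), so with verifyhost enabled the handshake can apparently continue without the peer name installed — the very call the comment above says both the hostname check and SNI depend on. Unless a later step re-verifies the host name (not visible on this page), that branch should fail the same way as the new code: `failf(data, "SSL: SSLSetPeerDomainName() failed: OSStatus %d", (int)err); return CURLE_SSL_CONNECT_ERROR;`. The message `Failed to set SNI` also hides why the name was rejected; a comment on the NULL check, `/* Curl_ssl_snihost() declines names it cannot convert to an SNI name; see vtls.c */`, would point a reader to the actual rule, which is not on this page. sectransp_connect_step1 starts and ends outside the hunk.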
@@ -3162,6 +3178,8 @@ static void sectransp_close(struct Curl_easy *data, struct connectdata *conn,
 
 (void) data;
 
+ DEBUGASSERT(backend);
+
 if(backend->ssl_ctx) {
 (void)SSLClose(backend->ssl_ctx);
 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
@@ -3190,6 +3208,8 @@ static int sectransp_shutdown(struct Curl_easy *data,
 char buf[120];
 int loop = 10; /* avoid getting stuck */
 
+ DEBUGASSERT(backend);
+
 if(!backend->ssl_ctx)
 return 0;
 
@@ -3269,6 +3289,8 @@ static int sectransp_check_cxn(struct connectdata *conn)
 OSStatus err;
 SSLSessionState state;
 
+ DEBUGASSERT(backend);
+
 if(backend->ssl_ctx) {
 err = SSLGetSessionState(backend->ssl_ctx, &state);
 if(err == noErr)
@@ -3286,6 +3308,8 @@ static bool sectransp_data_pending(const struct connectdata *conn,
 OSStatus err;
 size_t buffer;
 
+ DEBUGASSERT(backend);
+
 if(backend->ssl_ctx) { /* SSL is in use */
 err = SSLGetBufferedReadSize(backend->ssl_ctx, &buffer);
 if(err == noErr)
@@ -3347,6 +3371,8 @@ static ssize_t sectransp_send(struct Curl_easy *data,
 size_t processed = 0UL;
 OSStatus err;
 
+ DEBUGASSERT(backend);
+
 /* The SSLWrite() function works a little differently than expected. The
 fourth argument (processed) is currently documented in Apple's
 documentation as: "On return, the length, in bytes, of the data actually
@@ -3414,6 +3440,8 @@ static ssize_t sectransp_recv(struct Curl_easy *data,
 size_t processed = 0UL;
 OSStatus err;
 
+ DEBUGASSERT(backend);
+
 again:
 err = SSLRead(backend->ssl_ctx, buf, buffersize, &processed);
 
@@ -3463,6 +3491,7 @@ static void *sectransp_get_internals(struct ssl_connect_data *connssl,
 {
 struct ssl_backend_data *backend = connssl->backend;
 (void)info;
+ DEBUGASSERT(backend);
 return backend->ssl_ctx;
 }
 
|