1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-17 23:15:08 -05:00

mesalink: implement client authentication

Closes #4184
This commit is contained in:
Yiming Jing 2019-08-01 15:20:30 -07:00 committed by Daniel Stenberg
parent 02346abc32
commit 9b5f2ad329
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2

View File

@ -73,6 +73,17 @@ struct ssl_backend_data
static Curl_recv mesalink_recv; static Curl_recv mesalink_recv;
static Curl_send mesalink_send; static Curl_send mesalink_send;
static int do_file_type(const char *type)
{
if(!type || !type[0])
return SSL_FILETYPE_PEM;
if(strcasecompare(type, "PEM"))
return SSL_FILETYPE_PEM;
if(strcasecompare(type, "DER"))
return SSL_FILETYPE_ASN1;
return -1;
}
/* /*
* This function loads all the client/CA certificates and CRLs. Setup the TLS * This function loads all the client/CA certificates and CRLs. Setup the TLS
* layer and do all necessary magic. * layer and do all necessary magic.
@ -83,9 +94,6 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
char *ciphers; char *ciphers;
struct Curl_easy *data = conn->data; struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex];
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char *const ssl_cafile = SSL_CONN_CONFIG(CAfile);
const char *const ssl_capath = SSL_CONN_CONFIG(CApath);
struct in_addr addr4; struct in_addr addr4;
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
struct in6_addr addr6; struct in6_addr addr6;
@ -142,16 +150,20 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
} }
SSL_CTX_set_verify( SSL_CTX_set_verify(
BACKEND->ctx, verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL); BACKEND->ctx, SSL_CONN_CONFIG(verifypeer) ?
SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
if(ssl_cafile || ssl_capath) { if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath)) {
if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) { if(!SSL_CTX_load_verify_locations(BACKEND->ctx, SSL_CONN_CONFIG(CAfile),
if(verifypeer) { SSL_CONN_CONFIG(CApath))) {
if(SSL_CONN_CONFIG(verifypeer)) {
failf(data, failf(data,
"error setting certificate verify locations:\n" "error setting certificate verify locations:\n"
" CAfile: %s\n CApath: %s", " CAfile: %s\n CApath: %s",
ssl_cafile ? ssl_cafile : "none", SSL_CONN_CONFIG(CAfile) ?
ssl_capath ? ssl_capath : "none"); SSL_CONN_CONFIG(CAfile) : "none",
SSL_CONN_CONFIG(CApath) ?
SSL_CONN_CONFIG(CApath) : "none");
return CURLE_SSL_CACERT_BADFILE; return CURLE_SSL_CACERT_BADFILE;
} }
infof(data, infof(data,
@ -164,8 +176,32 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
infof(data, infof(data,
" CAfile: %s\n" " CAfile: %s\n"
" CApath: %s\n", " CApath: %s\n",
ssl_cafile ? ssl_cafile : "none", SSL_CONN_CONFIG(CAfile)?
ssl_capath ? ssl_capath : "none"); SSL_CONN_CONFIG(CAfile): "none",
SSL_CONN_CONFIG(CApath)?
SSL_CONN_CONFIG(CApath): "none");
}
if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
int file_type = do_file_type(SSL_SET_OPTION(cert_type));
if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx, SSL_SET_OPTION(cert),
file_type) != 1) {
failf(data, "unable to use client certificate (no key or wrong pass"
" phrase?)");
return CURLE_SSL_CONNECT_ERROR;
}
file_type = do_file_type(SSL_SET_OPTION(key_type));
if(SSL_CTX_use_PrivateKey_file(BACKEND->ctx, SSL_SET_OPTION(key),
file_type) != 1) {
failf(data, "unable to set private key");
return CURLE_SSL_CONNECT_ERROR;
}
infof(data,
"client cert: %s\n",
SSL_CONN_CONFIG(clientcert)?
SSL_CONN_CONFIG(clientcert): "none");
} }
ciphers = SSL_CONN_CONFIG(cipher_list); ciphers = SSL_CONN_CONFIG(cipher_list);