From bbe3aa9f881fa27fe828e3c9a36d6831f254a3ee Mon Sep 17 00:00:00 2001 From: Patrick Monnerat Date: Wed, 13 Jan 2021 17:01:31 +0100 Subject: [PATCH] vtls: reduce conn->data use Closes #6474 --- lib/ftp.c | 10 +-- lib/gopher.c | 2 +- lib/http.c | 2 +- lib/http_proxy.c | 2 +- lib/imap.c | 5 +- lib/openldap.c | 5 +- lib/pop3.c | 5 +- lib/smb.c | 3 +- lib/smtp.c | 5 +- lib/url.c | 4 +- lib/vtls/bearssl.c | 65 +++++++------- lib/vtls/gskit.c | 61 +++---------- lib/vtls/gtls.c | 70 ++++++++------- lib/vtls/mbedtls.c | 59 +++++++------ lib/vtls/mesalink.c | 104 +++++++++++----------- lib/vtls/nss.c | 115 ++++++++++++------------ lib/vtls/openssl.c | 133 +++++++++++++++------------- lib/vtls/schannel.c | 174 ++++++++++++++++++------------------- lib/vtls/schannel.h | 5 +- lib/vtls/schannel_verify.c | 11 ++- lib/vtls/sectransp.c | 140 ++++++++++++++--------------- lib/vtls/vtls.c | 73 +++++++++------- lib/vtls/vtls.h | 49 +++++++---- lib/vtls/wolfssl.c | 59 +++++++------ 24 files changed, 597 insertions(+), 564 deletions(-) diff --git a/lib/ftp.c b/lib/ftp.c index bb44bcdb2..9e9830e26 100644 --- a/lib/ftp.c +++ b/lib/ftp.c @@ -443,7 +443,7 @@ static CURLcode InitiateTransfer(struct Curl_easy *data) /* since we only have a plaintext TCP connection here, we must now * do the TLS stuff */ infof(data, "Doing the SSL/TLS handshake on the data stream\n"); - result = Curl_ssl_connect(conn, SECONDARYSOCKET); + result = Curl_ssl_connect(data, conn, SECONDARYSOCKET); if(result) return result; } @@ -2734,7 +2734,7 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, if((ftpcode == 234) || (ftpcode == 334)) { /* Curl_ssl_connect is BLOCKING */ - result = Curl_ssl_connect(conn, FIRSTSOCKET); + result = Curl_ssl_connect(data, conn, FIRSTSOCKET); if(!result) { conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */ conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */ @@ -2800,7 +2800,7 @@ static CURLcode ftp_statemachine(struct Curl_easy *data, case FTP_CCC: if(ftpcode < 500) { /* First shut down the SSL layer (note: this call will block) */ - result = Curl_ssl_shutdown(conn, FIRSTSOCKET); + result = Curl_ssl_shutdown(data, conn, FIRSTSOCKET); if(result) failf(data, "Failed to clear the command channel (CCC)"); @@ -3138,7 +3138,7 @@ static CURLcode ftp_connect(struct Curl_easy *data, if(conn->handler->flags & PROTOPT_SSL) { /* BLOCKING */ - result = Curl_ssl_connect(conn, FIRSTSOCKET); + result = Curl_ssl_connect(data, conn, FIRSTSOCKET); if(result) return result; conn->bits.ftp_use_control_ssl = TRUE; @@ -3284,7 +3284,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status, if(conn->ssl[SECONDARYSOCKET].use) { /* The secondary socket is using SSL so we must close down that part first before we close the socket for real */ - Curl_ssl_close(conn, SECONDARYSOCKET); + Curl_ssl_close(data, conn, SECONDARYSOCKET); /* Note that we keep "use" set to TRUE since that (next) connection is still requested to use SSL */ diff --git a/lib/gopher.c b/lib/gopher.c index e5c7d2752..a39cc7e6b 100644 --- a/lib/gopher.c +++ b/lib/gopher.c @@ -113,7 +113,7 @@ static CURLcode gopher_connect(struct Curl_easy *data, bool *done) static CURLcode gopher_connecting(struct Curl_easy *data, bool *done) { struct connectdata *conn = data->conn; - CURLcode result = Curl_ssl_connect(conn, FIRSTSOCKET); + CURLcode result = Curl_ssl_connect(data, conn, FIRSTSOCKET); if(result) connclose(conn, "Failed TLS connection"); *done = TRUE; diff --git a/lib/http.c b/lib/http.c index 0d1d0d568..89e5da975 100644 --- a/lib/http.c +++ b/lib/http.c @@ -1532,7 +1532,7 @@ static CURLcode https_connecting(struct Curl_easy *data, bool *done) #endif /* perform SSL initialization for this socket */ - result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, done); + result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET, done); if(result) connclose(conn, "Failed HTTPS connection"); diff --git a/lib/http_proxy.c b/lib/http_proxy.c index 8163c9694..3e38ab0cd 100644 --- a/lib/http_proxy.c +++ b/lib/http_proxy.c @@ -58,7 +58,7 @@ static CURLcode https_proxy_connect(struct connectdata *conn, int sockindex) if(!conn->bits.proxy_ssl_connected[sockindex]) { /* perform SSL initialization for this socket */ result = - Curl_ssl_connect_nonblocking(conn, sockindex, + Curl_ssl_connect_nonblocking(conn->data, conn, sockindex, &conn->bits.proxy_ssl_connected[sockindex]); if(result) /* a failed connection is marked for closure to prevent (bad) re-use or diff --git a/lib/imap.c b/lib/imap.c index 04ee4ef55..bab531239 100644 --- a/lib/imap.c +++ b/lib/imap.c @@ -473,7 +473,7 @@ static CURLcode imap_perform_upgrade_tls(struct Curl_easy *data, { /* Start the SSL connection */ struct imap_conn *imapc = &conn->proto.imapc; - CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, + CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET, &imapc->ssldone); if(!result) { @@ -1366,7 +1366,8 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done) struct imap_conn *imapc = &conn->proto.imapc; if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) { - result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &imapc->ssldone); + result = Curl_ssl_connect_nonblocking(data, conn, + FIRSTSOCKET, &imapc->ssldone); if(result || !imapc->ssldone) return result; } diff --git a/lib/openldap.c b/lib/openldap.c index e387605fe..bb6f785b5 100644 --- a/lib/openldap.c +++ b/lib/openldap.c @@ -245,7 +245,8 @@ static CURLcode ldap_connect(struct Curl_easy *data, bool *done) #ifdef USE_SSL if(conn->handler->flags & PROTOPT_SSL) { CURLcode result; - result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &li->ssldone); + result = Curl_ssl_connect_nonblocking(data, conn, + FIRSTSOCKET, &li->ssldone); if(result) return result; } @@ -267,7 +268,7 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done) if(conn->handler->flags & PROTOPT_SSL) { /* Is the SSL handshake complete yet? */ if(!li->ssldone) { - CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, + CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET, &li->ssldone); if(result || !li->ssldone) return result; diff --git a/lib/pop3.c b/lib/pop3.c index af3bca5b0..551d0da9c 100644 --- a/lib/pop3.c +++ b/lib/pop3.c @@ -368,7 +368,7 @@ static CURLcode pop3_perform_upgrade_tls(struct Curl_easy *data, { /* Start the SSL connection */ struct pop3_conn *pop3c = &conn->proto.pop3c; - CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, + CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET, &pop3c->ssldone); if(!result) { @@ -1029,7 +1029,8 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done) struct pop3_conn *pop3c = &conn->proto.pop3c; if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) { - result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &pop3c->ssldone); + result = Curl_ssl_connect_nonblocking(data, conn, + FIRSTSOCKET, &pop3c->ssldone); if(result || !pop3c->ssldone) return result; } diff --git a/lib/smb.c b/lib/smb.c index 69279c8d1..6af9b3ac2 100644 --- a/lib/smb.c +++ b/lib/smb.c @@ -669,7 +669,8 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done) #ifdef USE_SSL if((conn->handler->flags & PROTOPT_SSL)) { bool ssl_done = FALSE; - result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &ssl_done); + result = Curl_ssl_connect_nonblocking(data, conn, + FIRSTSOCKET, &ssl_done); if(result && result != CURLE_AGAIN) return result; if(!ssl_done) diff --git a/lib/smtp.c b/lib/smtp.c index 84d4d5744..d408a6dbe 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -395,7 +395,7 @@ static CURLcode smtp_perform_upgrade_tls(struct Curl_easy *data) /* Start the SSL connection */ struct connectdata *conn = data->conn; struct smtp_conn *smtpc = &conn->proto.smtpc; - CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, + CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET, &smtpc->ssldone); if(!result) { @@ -1256,7 +1256,8 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done) struct smtp_conn *smtpc = &conn->proto.smtpc; if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) { - result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &smtpc->ssldone); + result = Curl_ssl_connect_nonblocking(data, conn, + FIRSTSOCKET, &smtpc->ssldone); if(result || !smtpc->ssldone) return result; } diff --git a/lib/url.c b/lib/url.c index 7512bb4d9..f8a7876b4 100644 --- a/lib/url.c +++ b/lib/url.c @@ -723,8 +723,8 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn) /* close the SSL stuff before we close any sockets since they will/may write to the sockets */ - Curl_ssl_close(conn, FIRSTSOCKET); - Curl_ssl_close(conn, SECONDARYSOCKET); + Curl_ssl_close(data, conn, FIRSTSOCKET); + Curl_ssl_close(data, conn, SECONDARYSOCKET); /* close possibly still open sockets */ if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET]) diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c index 6eb61943a..8dd262ed0 100644 --- a/lib/vtls/bearssl.c +++ b/lib/vtls/bearssl.c @@ -294,9 +294,9 @@ static const br_x509_class x509_vtable = { x509_get_pkey }; -static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); @@ -374,12 +374,12 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) if(SSL_SET_OPTION(primary.sessionid)) { void *session; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) { br_ssl_engine_set_session_parameters(&backend->ctx.eng, session); infof(data, "BearSSL: re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } if(conn->bits.tls_enable_alpn) { @@ -429,10 +429,10 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex) return CURLE_OK; } -static CURLcode bearssl_run_until(struct connectdata *conn, int sockindex, +static CURLcode bearssl_run_until(struct Curl_easy *data, + struct connectdata *conn, int sockindex, unsigned target) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; curl_socket_t sockfd = conn->sock[sockindex]; @@ -507,14 +507,15 @@ static CURLcode bearssl_run_until(struct connectdata *conn, int sockindex, } } -static CURLcode bearssl_connect_step2(struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step2(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; CURLcode ret; - ret = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP | BR_SSL_RECVAPP); + ret = bearssl_run_until(data, conn, sockindex, + BR_SSL_SENDAPP | BR_SSL_RECVAPP); if(ret == CURLE_AGAIN) return CURLE_OK; if(ret == CURLE_OK) { @@ -527,9 +528,9 @@ static CURLcode bearssl_connect_step2(struct connectdata *conn, int sockindex) return ret; } -static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect_step3(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; CURLcode ret; @@ -568,12 +569,13 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex) if(!session) return CURLE_OUT_OF_MEMORY; br_ssl_engine_get_session_parameters(&backend->ctx.eng, session); - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex)); + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, + &oldsession, NULL, sockindex)); if(incache) - Curl_ssl_delsessionid(conn, oldsession); - ret = Curl_ssl_addsessionid(conn, session, 0, sockindex); - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_delsessionid(data, oldsession); + ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex); + Curl_ssl_sessionid_unlock(data); if(ret) { free(session); return CURLE_OUT_OF_MEMORY; @@ -595,7 +597,7 @@ static ssize_t bearssl_send(struct Curl_easy *data, int sockindex, size_t applen; for(;;) { - *err = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP); + *err = bearssl_run_until(data, conn, sockindex, BR_SSL_SENDAPP); if (*err != CURLE_OK) return -1; app = br_ssl_engine_sendapp_buf(&backend->ctx.eng, &applen); @@ -627,7 +629,7 @@ static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex, unsigned char *app; size_t applen; - *err = bearssl_run_until(conn, sockindex, BR_SSL_RECVAPP); + *err = bearssl_run_until(data, conn, sockindex, BR_SSL_RECVAPP); if(*err != CURLE_OK) return -1; app = br_ssl_engine_recvapp_buf(&backend->ctx.eng, &applen); @@ -641,13 +643,13 @@ static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex, return applen; } -static CURLcode bearssl_connect_common(struct connectdata *conn, +static CURLcode bearssl_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode ret; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; timediff_t timeout_ms; @@ -660,7 +662,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn, } if(ssl_connect_1 == connssl->connecting_state) { - ret = bearssl_connect_step1(conn, sockindex); + ret = bearssl_connect_step1(data, conn, sockindex); if(ret) return ret; } @@ -713,7 +715,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - ret = bearssl_connect_step2(conn, sockindex); + ret = bearssl_connect_step2(data, conn, sockindex); if(ret || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -722,7 +724,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn, } if(ssl_connect_3 == connssl->connecting_state) { - ret = bearssl_connect_step3(conn, sockindex); + ret = bearssl_connect_step3(data, conn, sockindex); if(ret) return ret; } @@ -775,12 +777,13 @@ static CURLcode bearssl_random(struct Curl_easy *data UNUSED_PARAM, return CURLE_OK; } -static CURLcode bearssl_connect(struct connectdata *conn, int sockindex) +static CURLcode bearssl_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode ret; bool done = FALSE; - ret = bearssl_connect_common(conn, sockindex, FALSE, &done); + ret = bearssl_connect_common(data, conn, sockindex, FALSE, &done); if(ret) return ret; @@ -789,10 +792,11 @@ static CURLcode bearssl_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static CURLcode bearssl_connect_nonblocking(struct connectdata *conn, +static CURLcode bearssl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { - return bearssl_connect_common(conn, sockindex, TRUE, done); + return bearssl_connect_common(data, conn, sockindex, TRUE, done); } static void *bearssl_get_internals(struct ssl_connect_data *connssl, @@ -802,7 +806,8 @@ static void *bearssl_get_internals(struct ssl_connect_data *connssl, return &backend->ctx; } -static void bearssl_close(struct connectdata *conn, int sockindex) +static void bearssl_close(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -810,7 +815,7 @@ static void bearssl_close(struct connectdata *conn, int sockindex) if(backend->active) { br_ssl_engine_close(&backend->ctx.eng); - (void)bearssl_run_until(conn, sockindex, BR_SSL_CLOSED); + (void)bearssl_run_until(data, conn, sockindex, BR_SSL_CLOSED); } for(i = 0; i < backend->anchors_len; ++i) free(backend->anchors[i].dn.data); diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c index 26a1e8215..0095a2071 100644 --- a/lib/vtls/gskit.c +++ b/lib/vtls/gskit.c @@ -610,10 +610,10 @@ static void close_one(struct ssl_connect_data *connssl, struct Curl_easy *data, } -static ssize_t real_gskit_send(struct Curl_easy *data, - struct connectdata *conn, int sockindex, - const void *mem, size_t len, CURLcode *curlcode) +static ssize_t gskit_send(struct connectdata *conn, int sockindex, + const void *mem, size_t len, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CURLcode cc = CURLE_SEND_ERROR; int written; @@ -634,17 +634,11 @@ static ssize_t real_gskit_send(struct Curl_easy *data, return (ssize_t) written; /* number of bytes */ } -static ssize_t gskit_send(struct connectdata *conn, int sockindex, - const void *mem, size_t len, CURLcode *curlcode) -{ - return real_gskit_send(conn->data, conn, sockindex, mem, len, curlcode); -} - -static ssize_t real_gskit_recv(struct Curl_easy *data, - struct connectdata *conn, int num, char *buf, +static ssize_t gskit_recv(struct Curl_easy *data, int num, char *buf, size_t buffersize, CURLcode *curlcode) { + struct connectdata *conn = data->conn; struct ssl_connect_data *connssl = &conn->ssl[num]; int nread; CURLcode cc = CURLE_RECV_ERROR; @@ -668,12 +662,6 @@ static ssize_t real_gskit_recv(struct Curl_easy *data, return (ssize_t) nread; } -static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf, - size_t buffersize, CURLcode *curlcode) -{ - return real_gskit_recv(conn->data, conn, num, buf, buffersize, curlcode); -} - static CURLcode set_ssl_version_min_max(unsigned int *protoflags, struct Curl_easy *data) { @@ -1137,9 +1125,9 @@ static CURLcode gskit_connect_common(struct Curl_easy *data, } -static CURLcode real_gskit_connect_nonblocking(struct Curl_easy *data, - struct connectdata *conn, - int sockindex, bool *done) +static CURLcode gskit_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { CURLcode result; @@ -1149,15 +1137,9 @@ static CURLcode real_gskit_connect_nonblocking(struct Curl_easy *data, return result; } -static CURLcode gskit_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) -{ - return real_gskit_connect_nonblocking(conn->data, conn, sockindex, done); -} - -static CURLcode real_gskit_connect(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static CURLcode gskit_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result; bool done; @@ -1172,27 +1154,17 @@ static CURLcode real_gskit_connect(struct Curl_easy *data, return CURLE_OK; } -static CURLcode gskit_connect(struct connectdata *conn, int sockindex) -{ - return real_gskit_connect(conn->data, conn, sockindex); -} - -static void real_gskit_close(struct Curl_easy *data, struct connectdata *conn, - int sockindex) +static void gskit_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { close_one(&conn->ssl[sockindex], data, conn, sockindex); close_one(&conn->proxy_ssl[sockindex], data, conn, sockindex); } -static void gskit_close(struct connectdata *conn, int sockindex) -{ - real_gskit_close(conn->data, conn, sockindex); -} - -static int real_gskit_shutdown(struct Curl_easy *data, - struct connectdata *conn, int sockindex) +static int gskit_shutdown(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; int what; @@ -1247,11 +1219,6 @@ static int real_gskit_shutdown(struct Curl_easy *data, return rc; } -static int gskit_shutdown(struct connectdata *conn, int sockindex) -{ - return real_gskit_shutdown(conn->data, conn, sockindex); -} - static size_t gskit_version(char *buffer, size_t size) { diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c index 4e2700fa1..27c8a0536 100644 --- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -200,12 +200,12 @@ static void unload_file(gnutls_datum_t data) /* this function does a SSL/TLS (re-)handshake */ -static CURLcode handshake(struct connectdata *conn, +static CURLcode handshake(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool duringconnect, bool nonblocking) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; gnutls_session_t session = backend->session; @@ -314,9 +314,9 @@ static gnutls_x509_crt_fmt_t do_file_type(const char *type) #define GNUTLS_SRP "+SRP" static CURLcode -set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn) +set_ssl_version_min_max(const char **prioritylist, struct Curl_easy *data) { - struct Curl_easy *data = conn->data; + struct connectdata *conn = data->conn; long ssl_version = SSL_CONN_CONFIG(version); long ssl_version_max = SSL_CONN_CONFIG(version_max); @@ -379,10 +379,10 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn) } static CURLcode -gtls_connect_step1(struct connectdata *conn, +gtls_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; unsigned int init_flags; @@ -568,7 +568,7 @@ gtls_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(&prioritylist, conn); + CURLcode result = set_ssl_version_min_max(&prioritylist, data); if(result != CURLE_OK) return result; break; @@ -731,15 +731,16 @@ gtls_connect_step1(struct connectdata *conn, void *ssl_sessionid; size_t ssl_idsize; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, + &ssl_sessionid, &ssl_idsize, sockindex)) { /* we got a session id, use it! */ gnutls_session_set_data(session, ssl_sessionid, ssl_idsize); /* Informational message */ infof(data, "SSL re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } return CURLE_OK; @@ -807,7 +808,8 @@ static Curl_recv gtls_recv; static Curl_send gtls_send; static CURLcode -gtls_connect_step3(struct connectdata *conn, +gtls_connect_step3(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { unsigned int cert_list_size; @@ -820,7 +822,6 @@ gtls_connect_step3(struct connectdata *conn, size_t size; time_t certclock; const char *ptr; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; gnutls_session_t session = backend->session; @@ -1290,19 +1291,19 @@ gtls_connect_step3(struct connectdata *conn, /* extract session ID to the allocated buffer */ gnutls_session_get_data(session, connect_sessionid, &connect_idsize); - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)); if(incache) { /* there was one before in the cache, so instead of risking that the previous one was rejected, we just kill that and store the new */ - Curl_ssl_delsessionid(conn, ssl_sessionid); + Curl_ssl_delsessionid(data, ssl_sessionid); } /* store this session id */ - result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize, - sockindex); - Curl_ssl_sessionid_unlock(conn); + result = Curl_ssl_addsessionid(data, conn, connect_sessionid, + connect_idsize, sockindex); + Curl_ssl_sessionid_unlock(data); if(result) { free(connect_sessionid); result = CURLE_OUT_OF_MEMORY; @@ -1326,7 +1327,8 @@ gtls_connect_step3(struct connectdata *conn, 'ssl_connect_2_writing' (waiting to be able to write). */ static CURLcode -gtls_connect_common(struct connectdata *conn, +gtls_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) @@ -1336,19 +1338,19 @@ gtls_connect_common(struct connectdata *conn, /* Initiate the connection, if not already done */ if(ssl_connect_1 == connssl->connecting_state) { - rc = gtls_connect_step1(conn, sockindex); + rc = gtls_connect_step1(data, conn, sockindex); if(rc) return rc; } - rc = handshake(conn, sockindex, TRUE, nonblocking); + rc = handshake(data, conn, sockindex, TRUE, nonblocking); if(rc) /* handshake() sets its own error message with failf() */ return rc; /* Finish connecting once the handshake is done */ if(ssl_connect_1 == connssl->connecting_state) { - rc = gtls_connect_step3(conn, sockindex); + rc = gtls_connect_step3(data, conn, sockindex); if(rc) return rc; } @@ -1358,18 +1360,20 @@ gtls_connect_common(struct connectdata *conn, return CURLE_OK; } -static CURLcode gtls_connect_nonblocking(struct connectdata *conn, +static CURLcode gtls_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { - return gtls_connect_common(conn, sockindex, TRUE, done); + return gtls_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode gtls_connect(struct connectdata *conn, int sockindex) +static CURLcode gtls_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result; bool done = FALSE; - result = gtls_connect_common(conn, sockindex, FALSE, &done); + result = gtls_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -1441,8 +1445,10 @@ static void close_one(struct ssl_connect_data *connssl) #endif } -static void gtls_close(struct connectdata *conn, int sockindex) +static void gtls_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { + (void) data; close_one(&conn->ssl[sockindex]); #ifndef CURL_DISABLE_PROXY close_one(&conn->proxy_ssl[sockindex]); @@ -1453,12 +1459,12 @@ static void gtls_close(struct connectdata *conn, int sockindex) * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int gtls_shutdown(struct connectdata *conn, int sockindex) +static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; int retval = 0; - struct Curl_easy *data = conn->data; #ifndef CURL_DISABLE_FTP /* This has only been tested on the proftpd server, and the mod_tls code @@ -1547,7 +1553,7 @@ static ssize_t gtls_recv(struct Curl_easy *data, /* connection data */ if(ret == GNUTLS_E_REHANDSHAKE) { /* BLOCKING call, this is bad but a work-around for now. Fixing this "the proper way" takes a whole lot of work. */ - CURLcode result = handshake(conn, num, FALSE, FALSE); + CURLcode result = handshake(data, conn, num, FALSE, FALSE); if(result) /* handshake() writes error message on its own */ *curlcode = result; @@ -1557,7 +1563,7 @@ static ssize_t gtls_recv(struct Curl_easy *data, /* connection data */ } if(ret < 0) { - failf(conn->data, "GnuTLS recv error (%d): %s", + failf(data, "GnuTLS recv error (%d): %s", (int)ret, gnutls_strerror((int)ret)); *curlcode = CURLE_RECV_ERROR; @@ -1606,7 +1612,7 @@ static CURLcode gtls_random(struct Curl_easy *data, return rc?CURLE_FAILED_INIT:CURLE_OK; #elif defined(USE_GNUTLS) if(data) - Curl_gtls_seed(data); /* Initiate the seed if not already done */ + gtls_seed(data); /* Initiate the seed if not already done */ gcry_randomize(entropy, length, GCRY_STRONG_RANDOM); #endif return CURLE_OK; diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index f8baa1c34..4ebd8af7d 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -196,9 +196,9 @@ static CURLcode mbedtls_version_from_curl(int *mbedver, long version) } static CURLcode -set_ssl_version_min_max(struct connectdata *conn, int sockindex) +set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_1; @@ -241,10 +241,9 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) } static CURLcode -mbed_connect_step1(struct connectdata *conn, +mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile); @@ -427,7 +426,7 @@ mbed_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(conn, sockindex); + CURLcode result = set_ssl_version_min_max(data, conn, sockindex); if(result != CURLE_OK) return result; break; @@ -463,17 +462,17 @@ mbed_connect_step1(struct connectdata *conn, if(SSL_SET_OPTION(primary.sessionid)) { void *old_session = NULL; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) { ret = mbedtls_ssl_set_session(&backend->ssl, old_session); if(ret) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret); return CURLE_SSL_CONNECT_ERROR; } infof(data, "mbedTLS re-using session\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } mbedtls_ssl_conf_ca_chain(&backend->config, @@ -541,11 +540,10 @@ mbed_connect_step1(struct connectdata *conn, } static CURLcode -mbed_connect_step2(struct connectdata *conn, +mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn, int sockindex) { int ret; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; const mbedtls_x509_crt *peercert; @@ -713,13 +711,12 @@ mbed_connect_step2(struct connectdata *conn, } static CURLcode -mbed_connect_step3(struct connectdata *conn, +mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn, int sockindex) { CURLcode retcode = CURLE_OK; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; - struct Curl_easy *data = conn->data; DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); @@ -744,12 +741,13 @@ mbed_connect_step3(struct connectdata *conn, } /* If there's already a matching session in the cache, delete it */ - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)) + Curl_ssl_delsessionid(data, old_ssl_sessionid); - retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); - Curl_ssl_sessionid_unlock(conn); + retcode = Curl_ssl_addsessionid(data, conn, + our_ssl_sessionid, 0, sockindex); + Curl_ssl_sessionid_unlock(data); if(retcode) { mbedtls_ssl_session_free(our_ssl_sessionid); free(our_ssl_sessionid); @@ -788,10 +786,13 @@ static void mbedtls_close_all(struct Curl_easy *data) (void)data; } -static void mbedtls_close(struct connectdata *conn, int sockindex) +static void mbedtls_close(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; + + (void) data; mbedtls_pk_free(&backend->pk); mbedtls_x509_crt_free(&backend->clicert); mbedtls_x509_crt_free(&backend->cacert); @@ -899,13 +900,13 @@ static CURLcode mbedtls_random(struct Curl_easy *data, } static CURLcode -mbed_connect_common(struct connectdata *conn, +mbed_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode retcode; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; timediff_t timeout_ms; @@ -926,7 +927,7 @@ mbed_connect_common(struct connectdata *conn, failf(data, "SSL connection timeout"); return CURLE_OPERATION_TIMEDOUT; } - retcode = mbed_connect_step1(conn, sockindex); + retcode = mbed_connect_step1(data, conn, sockindex); if(retcode) return retcode; } @@ -981,7 +982,7 @@ mbed_connect_common(struct connectdata *conn, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - retcode = mbed_connect_step2(conn, sockindex); + retcode = mbed_connect_step2(data, conn, sockindex); if(retcode || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -991,7 +992,7 @@ mbed_connect_common(struct connectdata *conn, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - retcode = mbed_connect_step3(conn, sockindex); + retcode = mbed_connect_step3(data, conn, sockindex); if(retcode) return retcode; } @@ -1011,19 +1012,21 @@ mbed_connect_common(struct connectdata *conn, return CURLE_OK; } -static CURLcode mbedtls_connect_nonblocking(struct connectdata *conn, +static CURLcode mbedtls_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { - return mbed_connect_common(conn, sockindex, TRUE, done); + return mbed_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode mbedtls_connect(struct connectdata *conn, int sockindex) +static CURLcode mbedtls_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode retcode; bool done = FALSE; - retcode = mbed_connect_common(conn, sockindex, FALSE, &done); + retcode = mbed_connect_common(data, conn, sockindex, FALSE, &done); if(retcode) return retcode; diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c index 93e3381cf..af1d55e10 100644 --- a/lib/vtls/mesalink.c +++ b/lib/vtls/mesalink.c @@ -89,10 +89,10 @@ static int do_file_type(const char *type) * layer and do all necessary magic. */ static CURLcode -mesalink_connect_step1(struct connectdata *conn, int sockindex) +mesalink_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { char *ciphers; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct in_addr addr4; #ifdef ENABLE_IPV6 @@ -260,11 +260,11 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) if(SSL_SET_OPTION(primary.sessionid)) { void *ssl_sessionid = NULL; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf( data, "SSL: SSL_set_session failed: %s", @@ -274,7 +274,7 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) /* Informational message */ infof(data, "SSL re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } #endif /* MESALINK_HAVE_SESSION */ @@ -288,10 +288,10 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) } static CURLcode -mesalink_connect_step2(struct connectdata *conn, int sockindex) +mesalink_connect_step2(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { int ret = -1; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; conn->recv[sockindex] = mesalink_recv; @@ -348,27 +348,28 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex) our_ssl_sessionid = SSL_get_session(BACKEND->handle); - Curl_ssl_sessionid_lock(conn); + Curl_ssl_sessionid_lock(data); incache = - !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)); + !(Curl_ssl_getsessionid(data, conn, + &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + Curl_ssl_delsessionid(data, old_ssl_sessionid); incache = FALSE; } } if(!incache) { result = Curl_ssl_addsessionid( - conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); + data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); if(result) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "failed to store ssl session"); return result; } } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } #endif /* MESALINK_HAVE_SESSION */ @@ -408,10 +409,12 @@ mesalink_send(struct Curl_easy *data, int sockindex, const void *mem, } static void -Curl_mesalink_close(struct connectdata *conn, int sockindex) +mesalink_close(struct Curl_easy *data, struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + (void) data; + if(BACKEND->handle) { (void)SSL_shutdown(BACKEND->handle); SSL_free(BACKEND->handle); @@ -458,13 +461,13 @@ mesalink_recv(struct Curl_easy *data, int num, char *buf, size_t buffersize, } static size_t -Curl_mesalink_version(char *buffer, size_t size) +mesalink_version(char *buffer, size_t size) { return msnprintf(buffer, size, "MesaLink/%s", MESALINK_VERSION_STRING); } static int -Curl_mesalink_init(void) +mesalink_init(void) { return (SSL_library_init() == SSL_SUCCESS); } @@ -474,11 +477,14 @@ Curl_mesalink_init(void) * socket open (CCC - Clear Command Channel) */ static int -Curl_mesalink_shutdown(struct connectdata *conn, int sockindex) +mesalink_shutdown(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { int retval = 0; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + (void) data; + if(BACKEND->handle) { SSL_free(BACKEND->handle); BACKEND->handle = NULL; @@ -487,11 +493,10 @@ Curl_mesalink_shutdown(struct connectdata *conn, int sockindex) } static CURLcode -mesalink_connect_common(struct connectdata *conn, int sockindex, - bool nonblocking, bool *done) +mesalink_connect_common(struct Curl_easy *data, struct connectdata *conn, + int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; timediff_t timeout_ms; @@ -513,7 +518,7 @@ mesalink_connect_common(struct connectdata *conn, int sockindex, return CURLE_OPERATION_TIMEDOUT; } - result = mesalink_connect_step1(conn, sockindex); + result = mesalink_connect_step1(data, conn, sockindex); if(result) return result; } @@ -570,7 +575,7 @@ mesalink_connect_common(struct connectdata *conn, int sockindex, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - result = mesalink_connect_step2(conn, sockindex); + result = mesalink_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || @@ -602,19 +607,20 @@ mesalink_connect_common(struct connectdata *conn, int sockindex, } static CURLcode -Curl_mesalink_connect_nonblocking(struct connectdata *conn, int sockindex, - bool *done) +mesalink_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, + int sockindex, bool *done) { - return mesalink_connect_common(conn, sockindex, TRUE, done); + return mesalink_connect_common(data, conn, sockindex, TRUE, done); } static CURLcode -Curl_mesalink_connect(struct connectdata *conn, int sockindex) +mesalink_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result; bool done = FALSE; - result = mesalink_connect_common(conn, sockindex, FALSE, &done); + result = mesalink_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -624,8 +630,8 @@ Curl_mesalink_connect(struct connectdata *conn, int sockindex) } static void * -Curl_mesalink_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +mesalink_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { (void)info; return BACKEND->handle; @@ -638,26 +644,26 @@ const struct Curl_ssl Curl_ssl_mesalink = { sizeof(struct ssl_backend_data), - Curl_mesalink_init, /* init */ - Curl_none_cleanup, /* cleanup */ - Curl_mesalink_version, /* version */ - Curl_none_check_cxn, /* check_cxn */ - Curl_mesalink_shutdown, /* shutdown */ - Curl_none_data_pending, /* data_pending */ - Curl_none_random, /* random */ + mesalink_init, /* init */ + Curl_none_cleanup, /* cleanup */ + mesalink_version, /* version */ + Curl_none_check_cxn, /* check_cxn */ + mesalink_shutdown, /* shutdown */ + Curl_none_data_pending, /* data_pending */ + Curl_none_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_mesalink_connect, /* connect */ - Curl_mesalink_connect_nonblocking, /* connect_nonblocking */ - Curl_mesalink_get_internals, /* get_internals */ - Curl_mesalink_close, /* close_one */ - Curl_none_close_all, /* close_all */ - Curl_none_session_free, /* session_free */ - Curl_none_set_engine, /* set_engine */ - Curl_none_set_engine_default, /* set_engine_default */ - Curl_none_engines_list, /* engines_list */ - Curl_none_false_start, /* false_start */ - Curl_none_md5sum, /* md5sum */ - NULL /* sha256sum */ + mesalink_connect, /* connect */ + mesalink_connect_nonblocking, /* connect_nonblocking */ + mesalink_get_internals, /* get_internals */ + mesalink_close, /* close_one */ + Curl_none_close_all, /* close_all */ + Curl_none_session_free, /* session_free */ + Curl_none_set_engine, /* set_engine */ + Curl_none_set_engine_default, /* set_engine_default */ + Curl_none_engines_list, /* engines_list */ + Curl_none_false_start, /* false_start */ + Curl_none_md5sum, /* md5sum */ + NULL /* sha256sum */ }; #endif diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 5d043931f..d1357a97f 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -443,7 +443,7 @@ static CURLcode insert_wrapped_ptr(struct Curl_llist *list, void *ptr) /* Call PK11_CreateGenericObject() with the given obj_class and filename. If * the call succeeds, append the object handle to the list of objects so that - * the object can be destroyed in Curl_nss_close(). */ + * the object can be destroyed in nss_close(). */ static CURLcode nss_create_object(struct ssl_connect_data *connssl, CK_OBJECT_CLASS obj_class, const char *filename, bool cacert) @@ -508,7 +508,7 @@ static CURLcode nss_create_object(struct ssl_connect_data *connssl, /* Destroy the NSS object whose handle is given by ptr. This function is * a callback of Curl_llist_alloc() used by Curl_llist_destroy() to destroy - * NSS objects in Curl_nss_close() */ + * NSS objects in nss_close() */ static void nss_destroy_object(void *user, void *ptr) { struct ptr_list_wrap *wrap = (struct ptr_list_wrap *) ptr; @@ -665,14 +665,13 @@ fail: return CURLE_SSL_CRL_BADFILE; } -static CURLcode nss_load_key(struct connectdata *conn, int sockindex, - char *key_file) +static CURLcode nss_load_key(struct Curl_easy *data, struct connectdata *conn, + int sockindex, char *key_file) { PK11SlotInfo *slot, *tmp; SECStatus status; CURLcode result; struct ssl_connect_data *ssl = conn->ssl; - struct Curl_easy *data = conn->data; (void)sockindex; /* unused */ @@ -701,15 +700,15 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex, return (SECSuccess == status) ? CURLE_OK : CURLE_SSL_CERTPROBLEM; } -static int display_error(struct connectdata *conn, PRInt32 err, +static int display_error(struct Curl_easy *data, PRInt32 err, const char *filename) { switch(err) { case SEC_ERROR_BAD_PASSWORD: - failf(conn->data, "Unable to load client key: Incorrect password"); + failf(data, "Unable to load client key: Incorrect password"); return 1; case SEC_ERROR_UNKNOWN_CERT: - failf(conn->data, "Unable to load certificate %s", filename); + failf(data, "Unable to load certificate %s", filename); return 1; default: break; @@ -717,17 +716,16 @@ static int display_error(struct connectdata *conn, PRInt32 err, return 0; /* The caller will print a generic error */ } -static CURLcode cert_stuff(struct connectdata *conn, int sockindex, - char *cert_file, char *key_file) +static CURLcode cert_stuff(struct Curl_easy *data, struct connectdata *conn, + int sockindex, char *cert_file, char *key_file) { - struct Curl_easy *data = conn->data; CURLcode result; if(cert_file) { result = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE); if(result) { const PRErrorCode err = PR_GetError(); - if(!display_error(conn, err, cert_file)) { + if(!display_error(data, err, cert_file)) { const char *err_name = nss_error_to_name(err); failf(data, "unable to load client cert: %d (%s)", err, err_name); } @@ -738,13 +736,13 @@ static CURLcode cert_stuff(struct connectdata *conn, int sockindex, if(key_file || (is_file(cert_file))) { if(key_file) - result = nss_load_key(conn, sockindex, key_file); + result = nss_load_key(data, conn, sockindex, key_file); else /* In case the cert file also has the key */ - result = nss_load_key(conn, sockindex, cert_file); + result = nss_load_key(data, conn, sockindex, cert_file); if(result) { const PRErrorCode err = PR_GetError(); - if(!display_error(conn, err, key_file)) { + if(!display_error(data, err, key_file)) { const char *err_name = nss_error_to_name(err); failf(data, "unable to load client key: %d (%s)", err, err_name); } @@ -771,7 +769,8 @@ static char *nss_get_password(PK11SlotInfo *slot, PRBool retry, void *arg) static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, PRBool isServer) { - struct connectdata *conn = (struct connectdata *)arg; + struct Curl_easy *data = (struct Curl_easy *)arg; + struct connectdata *conn = data->conn; #ifdef SSL_ENABLE_OCSP_STAPLING if(SSL_CONN_CONFIG(verifystatus)) { @@ -779,12 +778,12 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd); if(!csa) { - failf(conn->data, "Invalid OCSP response"); + failf(data, "Invalid OCSP response"); return SECFailure; } if(csa->len == 0) { - failf(conn->data, "No OCSP response received"); + failf(data, "No OCSP response received"); return SECFailure; } @@ -794,14 +793,14 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, ); if(cacheResult != SECSuccess) { - failf(conn->data, "Invalid OCSP response"); + failf(data, "Invalid OCSP response"); return cacheResult; } } #endif if(!SSL_CONN_CONFIG(verifypeer)) { - infof(conn->data, "skipping SSL peer certificate verification\n"); + infof(data, "skipping SSL peer certificate verification\n"); return SECSuccess; } @@ -813,8 +812,8 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig, */ static void HandshakeCallback(PRFileDesc *sock, void *arg) { - struct connectdata *conn = (struct connectdata*) arg; - struct Curl_easy *data = conn->data; + struct Curl_easy *data = (struct Curl_easy *)arg; + struct connectdata *conn = data->conn; unsigned int buflenmax = 50; unsigned char buf[50]; unsigned int buflen; @@ -857,7 +856,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) !memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) { conn->negnpn = CURL_HTTP_VERSION_1_1; } - Curl_multiuse_state(conn->data, conn->negnpn == CURL_HTTP_VERSION_2 ? + Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ? BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE); } } @@ -866,8 +865,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg) static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data, PRBool *canFalseStart) { - struct connectdata *conn = client_data; - struct Curl_easy *data = conn->data; + struct Curl_easy *data = (struct Curl_easy *)client_data; SSLChannelInfo channelInfo; SSLCipherSuiteInfo cipherInfo; @@ -950,10 +948,9 @@ static void display_cert_info(struct Curl_easy *data, PR_Free(common_name); } -static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) +static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock) { CURLcode result = CURLE_OK; - struct Curl_easy *data = conn->data; SSLChannelInfo channel; SSLCipherSuiteInfo suite; CERTCertificate *cert; @@ -1023,8 +1020,8 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock) static SECStatus BadCertHandler(void *arg, PRFileDesc *sock) { - struct connectdata *conn = (struct connectdata *)arg; - struct Curl_easy *data = conn->data; + struct Curl_easy *data = (struct Curl_easy *)arg; + struct connectdata *conn = data->conn; PRErrorCode err = PR_GetError(); CERTCertificate *cert; @@ -1549,7 +1546,8 @@ static void close_one(struct ssl_connect_data *connssl) /* * This function is called when an SSL connection is closed. */ -static void nss_close(struct connectdata *conn, int sockindex) +static void nss_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; #ifndef CURL_DISABLE_PROXY @@ -1557,6 +1555,7 @@ static void nss_close(struct connectdata *conn, int sockindex) #endif struct ssl_backend_data *backend = connssl->backend; + (void)data; if(backend->handle #ifndef CURL_DISABLE_PROXY || connssl_proxy->backend->handle @@ -1613,10 +1612,10 @@ static bool is_cc_error(PRInt32 err) static Curl_recv nss_recv; static Curl_send nss_send; -static CURLcode nss_load_ca_certificates(struct connectdata *conn, +static CURLcode nss_load_ca_certificates(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; const char *cafile = SSL_CONN_CONFIG(CAfile); const char *capath = SSL_CONN_CONFIG(CApath); bool use_trust_module; @@ -1821,14 +1820,14 @@ static CURLcode nss_set_blocking(struct ssl_connect_data *connssl, return CURLE_OK; } -static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) +static CURLcode nss_setup_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { PRFileDesc *model = NULL; PRFileDesc *nspr_io = NULL; PRFileDesc *nspr_io_stub = NULL; PRBool ssl_no_cache; PRBool ssl_cbc_random_iv; - struct Curl_easy *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -1851,11 +1850,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) backend->data = data; - /* list of all NSS objects we need to destroy in Curl_nss_close() */ + /* list of all NSS objects we need to destroy in nss_do_close() */ Curl_llist_init(&backend->obj_list, nss_destroy_object); PR_Lock(nss_initlock); - result = nss_setup(conn->data); + result = nss_setup(data); if(result) { PR_Unlock(nss_initlock); goto error; @@ -1935,20 +1934,20 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) /* bypass the default SSL_AuthCertificate() hook in case we do not want to * verify peer */ - if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, conn) != SECSuccess) + if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, data) != SECSuccess) goto error; /* not checked yet */ SSL_SET_OPTION_LVALUE(certverifyresult) = 0; - if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess) + if(SSL_BadCertHook(model, BadCertHandler, data) != SECSuccess) goto error; - if(SSL_HandshakeCallback(model, HandshakeCallback, conn) != SECSuccess) + if(SSL_HandshakeCallback(model, HandshakeCallback, data) != SECSuccess) goto error; { - const CURLcode rv = nss_load_ca_certificates(conn, sockindex); + const CURLcode rv = nss_load_ca_certificates(data, conn, sockindex); if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer)) /* not a fatal error because we are not going to verify the peer */ infof(data, "warning: CA certificates failed to load\n"); @@ -1974,7 +1973,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) backend->obj_clicert = NULL; } else { - CURLcode rv = cert_stuff(conn, sockindex, + CURLcode rv = cert_stuff(data, conn, sockindex, SSL_SET_OPTION(primary.clientcert), SSL_SET_OPTION(key)); if(rv) { @@ -2073,7 +2072,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) goto error; if(SSL_SetCanFalseStartCallback(backend->handle, CanFalseStartCallback, - conn) != SECSuccess) + data) != SECSuccess) goto error; } #endif @@ -2127,11 +2126,11 @@ error: return nss_fail_connect(connssl, data, result); } -static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) +static CURLcode nss_do_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; - struct Curl_easy *data = conn->data; CURLcode result = CURLE_SSL_CONNECT_ERROR; PRUint32 timeout; @@ -2156,7 +2155,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) goto error; } - result = display_conn_info(conn, backend->handle); + result = display_conn_info(data, backend->handle); if(result) goto error; @@ -2190,11 +2189,11 @@ error: return nss_fail_connect(connssl, data, result); } -static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, +static CURLcode nss_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct Curl_easy *data = conn->data; const bool blocking = (done == NULL); CURLcode result; @@ -2205,7 +2204,7 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, } if(connssl->connecting_state == ssl_connect_1) { - result = nss_setup_connect(conn, sockindex); + result = nss_setup_connect(data, conn, sockindex); if(result) /* we do not expect CURLE_AGAIN from nss_setup_connect() */ return result; @@ -2218,7 +2217,7 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, if(result) return result; - result = nss_do_connect(conn, sockindex); + result = nss_do_connect(data, conn, sockindex); switch(result) { case CURLE_OK: break; @@ -2251,15 +2250,17 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, return CURLE_OK; } -static CURLcode nss_connect(struct connectdata *conn, int sockindex) +static CURLcode nss_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - return nss_connect_common(conn, sockindex, /* blocking */ NULL); + return nss_connect_common(data, conn, sockindex, /* blocking */ NULL); } -static CURLcode nss_connect_nonblocking(struct connectdata *conn, +static CURLcode nss_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { - return nss_connect_common(conn, sockindex, done); + return nss_connect_common(data, conn, sockindex, done); } static ssize_t nss_send(struct Curl_easy *data, /* transfer */ @@ -2288,7 +2289,7 @@ static ssize_t nss_send(struct Curl_easy *data, /* transfer */ infof(data, "SSL write: error %d (%s)\n", err, err_name); /* print a human-readable message describing the error if available */ - nss_print_error_message(conn->data, err); + nss_print_error_message(data, err); *curlcode = (is_cc_error(err)) ? CURLE_SSL_CERTPROBLEM @@ -2303,8 +2304,8 @@ static ssize_t nss_send(struct Curl_easy *data, /* transfer */ static ssize_t nss_recv(struct Curl_easy *data, /* transfer */ int sockindex, /* socketindex */ - char *buf, /* store read data here */ - size_t buffersize, /* max amount to read */ + char *buf, /* store read data here */ + size_t buffersize, /* max amount to read */ CURLcode *curlcode) { struct connectdata *conn = data->conn; @@ -2330,7 +2331,7 @@ static ssize_t nss_recv(struct Curl_easy *data, /* transfer */ infof(data, "SSL read: errno %d (%s)\n", err, err_name); /* print a human-readable message describing the error if available */ - nss_print_error_message(conn->data, err); + nss_print_error_message(data, err); *curlcode = (is_cc_error(err)) ? CURLE_SSL_CERTPROBLEM diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 319d27deb..f99b663aa 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -362,6 +362,18 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size) return buf; } +/* Return an extra data index for the transfer data. + * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). + */ +static int ossl_get_ssl_data_index(void) +{ + static int ssl_ex_data_data_index = -1; + if(ssl_ex_data_data_index < 0) { + ssl_ex_data_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + } + return ssl_ex_data_data_index; +} + /* Return an extra data index for the connection data. * This index can be used with SSL_get_ex_data() and SSL_set_ex_data(). */ @@ -572,8 +584,7 @@ static bool is_pkcs11_uri(const char *string) #endif -static CURLcode ossl_set_engine(struct Curl_easy *data, - const char *engine); +static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine); static int SSL_CTX_use_certificate_bio(SSL_CTX *ctx, BIO *in, int type, @@ -700,7 +711,7 @@ SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO* in, } static -int cert_stuff(struct connectdata *conn, +int cert_stuff(struct Curl_easy *data, SSL_CTX* ctx, char *cert_file, BIO *cert_bio, @@ -710,7 +721,6 @@ int cert_stuff(struct connectdata *conn, const char *key_type, char *key_passwd) { - struct Curl_easy *data = conn->data; char error_buffer[256]; bool check_privkey = TRUE; @@ -1161,7 +1171,8 @@ static int ossl_init(void) Curl_tls_keylog_open(); /* Initialize the extra data indexes */ - if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0) + if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 || + ossl_get_ssl_sockindex_index() < 0) return 0; return 1; @@ -1258,8 +1269,7 @@ static int ossl_check_cxn(struct connectdata *conn) /* Selects an OpenSSL crypto engine */ -static CURLcode ossl_set_engine(struct Curl_easy *data, - const char *engine) +static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine) { #ifdef USE_OPENSSL_ENGINE ENGINE *e; @@ -1365,8 +1375,10 @@ static void ossl_closeone(struct ssl_connect_data *connssl) /* * This function is called when an SSL connection is closed. */ -static void ossl_close(struct connectdata *conn, int sockindex) +static void ossl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { + (void) data; ossl_closeone(&conn->ssl[sockindex]); #ifndef CURL_DISABLE_PROXY ossl_closeone(&conn->proxy_ssl[sockindex]); @@ -1377,11 +1389,11 @@ static void ossl_close(struct connectdata *conn, int sockindex) * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int ossl_shutdown(struct connectdata *conn, int sockindex) +static int ossl_shutdown(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { int retval = 0; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct Curl_easy *data = conn->data; char buf[256]; /* We will use this for the OpenSSL error buffer, so it has to be at least 256 bytes long. */ unsigned long sslerror; @@ -1582,12 +1594,12 @@ static bool subj_alt_hostcheck(struct Curl_easy *data, in the certificate and must exactly match the IP in the URI. */ -static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) +static CURLcode verifyhost(struct Curl_easy *data, struct connectdata *conn, + X509 *server_cert) { bool matched = FALSE; int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */ size_t addrlen = 0; - struct Curl_easy *data = conn->data; STACK_OF(GENERAL_NAME) *altnames; #ifdef ENABLE_IPV6 struct in6_addr addr; @@ -1782,14 +1794,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert) #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) -static CURLcode verifystatus(struct connectdata *conn, +static CURLcode verifystatus(struct Curl_easy *data, struct ssl_connect_data *connssl) { int i, ocsp_status; unsigned char *status; const unsigned char *p; CURLcode result = CURLE_OK; - struct Curl_easy *data = conn->data; OCSP_RESPONSE *rsp = NULL; OCSP_BASICRESP *br = NULL; X509_STORE *st = NULL; @@ -2359,16 +2370,14 @@ typedef long ctx_option_t; #if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */ static CURLcode set_ssl_version_min_max_legacy(ctx_option_t *ctx_options, - struct connectdata *conn, int sockindex) + struct Curl_easy *data, + struct connectdata *conn, int sockindex) { -#if (OPENSSL_VERSION_NUMBER < 0x1000100FL) || !defined(TLS1_3_VERSION) - /* convoluted #if condition just to avoid compiler warnings on unused - variable */ - struct Curl_easy *data = conn->data; -#endif long ssl_version = SSL_CONN_CONFIG(version); long ssl_version_max = SSL_CONN_CONFIG(version_max); + (void) data; /* In case it's unused. */ + switch(ssl_version) { case CURL_SSLVERSION_TLSv1_3: #ifdef TLS1_3_VERSION @@ -2443,17 +2452,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) struct Curl_easy *data; int sockindex; curl_socket_t *sockindex_ptr; + int data_idx = ossl_get_ssl_data_index(); int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); - if(connectdata_idx < 0 || sockindex_idx < 0) + if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0) return 0; conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx); if(!conn) return 0; - data = conn->data; + data = (struct Curl_easy *) SSL_get_ex_data(ssl, data_idx); /* The sockindex has been stored as a pointer to an array element */ sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx); @@ -2463,19 +2473,19 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) bool incache; void *old_ssl_sessionid = NULL; - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + Curl_ssl_delsessionid(data, old_ssl_sessionid); incache = FALSE; } } if(!incache) { - if(!Curl_ssl_addsessionid(conn, ssl_sessionid, + if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid, 0 /* unknown size */, sockindex)) { /* the session has been put into the session cache */ res = 1; @@ -2483,17 +2493,17 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid) else failf(data, "failed to store ssl session"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } return res; } -static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) +static CURLcode ossl_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result = CURLE_OK; char *ciphers; - struct Curl_easy *data = conn->data; SSL_METHOD_QUAL SSL_METHOD *req_method = NULL; X509_LOOKUP *lookup = NULL; curl_socket_t sockfd = conn->sock[sockindex]; @@ -2714,7 +2724,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */ result = set_ssl_version_min_max(backend->ctx, conn); #else - result = set_ssl_version_min_max_legacy(&ctx_options, conn, sockindex); + result = set_ssl_version_min_max_legacy(&ctx_options, data, conn, + sockindex); #endif if(result != CURLE_OK) return result; @@ -2782,7 +2793,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) result = CURLE_OUT_OF_MEMORY; } if(!result && - !cert_stuff(conn, backend->ctx, + !cert_stuff(data, backend->ctx, ssl_cert, ssl_cert_bio, ssl_cert_type, SSL_SET_OPTION(key), ssl_key_bio, SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd))) @@ -3187,21 +3198,23 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) /* Check if there's a cached ID we can/should use here! */ if(SSL_SET_OPTION(primary.sessionid)) { void *ssl_sessionid = NULL; + int data_idx = ossl_get_ssl_data_index(); int connectdata_idx = ossl_get_ssl_conn_index(); int sockindex_idx = ossl_get_ssl_sockindex_index(); - if(connectdata_idx >= 0 && sockindex_idx >= 0) { + if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) { /* Store the data needed for the "new session" callback. * The sockindex is stored as a pointer to an array element. */ + SSL_set_ex_data(backend->handle, data_idx, data); SSL_set_ex_data(backend->handle, connectdata_idx, conn); SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex); } - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "SSL: SSL_set_session failed: %s", ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer))); @@ -3210,7 +3223,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) /* Informational message */ infof(data, "SSL re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } #ifndef CURL_DISABLE_PROXY @@ -3237,9 +3250,9 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex) return CURLE_OK; } -static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex) +static CURLcode ossl_connect_step2(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; int err; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -3491,13 +3504,12 @@ typedef size_t numcert_t; typedef int numcert_t; #endif -static CURLcode get_cert_chain(struct connectdata *conn, +static CURLcode get_cert_chain(struct Curl_easy *data, struct ssl_connect_data *connssl) { CURLcode result; STACK_OF(X509) *sk; int i; - struct Curl_easy *data = conn->data; numcert_t numcerts; BIO *mem; struct ssl_backend_data *backend = connssl->backend; @@ -3772,14 +3784,14 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert, * We check certificates to authenticate the server; otherwise we risk * man-in-the-middle attack. */ -static CURLcode servercert(struct connectdata *conn, +static CURLcode servercert(struct Curl_easy *data, + struct connectdata *conn, struct ssl_connect_data *connssl, bool strict) { CURLcode result = CURLE_OK; int rc; long lerr; - struct Curl_easy *data = conn->data; X509 *issuer; BIO *fp = NULL; char error_buffer[256]=""; @@ -3790,7 +3802,7 @@ static CURLcode servercert(struct connectdata *conn, if(data->set.ssl.certinfo) /* we've been asked to gather certificate info! */ - (void)get_cert_chain(conn, connssl); + (void)get_cert_chain(data, connssl); backend->server_cert = SSL_get_peer_certificate(backend->handle); if(!backend->server_cert) { @@ -3826,7 +3838,7 @@ static CURLcode servercert(struct connectdata *conn, BIO_free(mem); if(SSL_CONN_CONFIG(verifyhost)) { - result = verifyhost(conn, backend->server_cert); + result = verifyhost(data, conn, backend->server_cert); if(result) { X509_free(backend->server_cert); backend->server_cert = NULL; @@ -3928,7 +3940,7 @@ static CURLcode servercert(struct connectdata *conn, #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ !defined(OPENSSL_NO_OCSP) if(SSL_CONN_CONFIG(verifystatus)) { - result = verifystatus(conn, connssl); + result = verifystatus(data, connssl); if(result) { X509_free(backend->server_cert); backend->server_cert = NULL; @@ -3956,7 +3968,8 @@ static CURLcode servercert(struct connectdata *conn, return result; } -static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) +static CURLcode ossl_connect_step3(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result = CURLE_OK; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; @@ -3970,8 +3983,8 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) * operations. */ - result = servercert(conn, connssl, (SSL_CONN_CONFIG(verifypeer) || - SSL_CONN_CONFIG(verifyhost))); + result = servercert(data, conn, connssl, (SSL_CONN_CONFIG(verifypeer) || + SSL_CONN_CONFIG(verifyhost))); if(!result) connssl->connecting_state = ssl_connect_done; @@ -3982,13 +3995,13 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex) static Curl_recv ossl_recv; static Curl_send ossl_send; -static CURLcode ossl_connect_common(struct connectdata *conn, +static CURLcode ossl_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; int what; @@ -4009,7 +4022,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn, return CURLE_OPERATION_TIMEDOUT; } - result = ossl_connect_step1(conn, sockindex); + result = ossl_connect_step1(data, conn, sockindex); if(result) return result; } @@ -4061,7 +4074,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - result = ossl_connect_step2(conn, sockindex); + result = ossl_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -4071,7 +4084,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = ossl_connect_step3(conn, sockindex); + result = ossl_connect_step3(data, conn, sockindex); if(result) return result; } @@ -4091,19 +4104,21 @@ static CURLcode ossl_connect_common(struct connectdata *conn, return CURLE_OK; } -static CURLcode ossl_connect_nonblocking(struct connectdata *conn, +static CURLcode ossl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { - return ossl_connect_common(conn, sockindex, TRUE, done); + return ossl_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode ossl_connect(struct connectdata *conn, int sockindex) +static CURLcode ossl_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result; bool done = FALSE; - result = ossl_connect_common(conn, sockindex, FALSE, &done); + result = ossl_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -4265,7 +4280,7 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer)); error_buffer[sizeof(error_buffer) - 1] = '\0'; } - failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d", + failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d", error_buffer, sockerr); *curlcode = CURLE_RECV_ERROR; return -1; @@ -4287,7 +4302,7 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */ msnprintf(error_buffer, sizeof(error_buffer), "Connection closed abruptly"); } - failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d" + failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d" " (Fatal because this is a curl debug build)", error_buffer, sockerr); *curlcode = CURLE_RECV_ERROR; diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c index 4f647bd5d..5a35eb21e 100644 --- a/lib/vtls/schannel.c +++ b/lib/vtls/schannel.c @@ -142,7 +142,8 @@ static Curl_recv schannel_recv; static Curl_send schannel_send; -static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, +static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, + struct connectdata *conn, int sockindex, const char *pinnedpubkey); static void InitSecBuffer(SecBuffer *buffer, unsigned long BufType, @@ -162,9 +163,9 @@ static void InitSecBufferDesc(SecBufferDesc *desc, SecBuffer *BufArr, } static CURLcode -set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct connectdata *conn) +set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data, + struct connectdata *conn) { - struct Curl_easy *data = conn->data; long ssl_version = SSL_CONN_CONFIG(version); long ssl_version_max = SSL_CONN_CONFIG(version_max); long i = ssl_version; @@ -405,10 +406,10 @@ get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path, #endif static CURLcode -schannel_connect_step1(struct connectdata *conn, int sockindex) +schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { ssize_t written = -1; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SecBuffer outbuf; SecBufferDesc outbuf_desc; @@ -493,8 +494,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) /* check for an existing re-usable credential handle */ if(SSL_SET_OPTION(primary.sessionid)) { - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, + (void **)&old_cred, NULL, sockindex)) { BACKEND->cred = old_cred; DEBUGF(infof(data, "schannel: re-using existing credential handle\n")); @@ -504,7 +506,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) "schannel: incremented credential handle refcount = %d\n", BACKEND->cred->refcount)); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } if(!BACKEND->cred) { @@ -563,7 +565,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - result = set_ssl_version_min_max(&schannel_cred, conn); + result = set_ssl_version_min_max(&schannel_cred, data, conn); if(result != CURLE_OK) return result; break; @@ -980,11 +982,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) } static CURLcode -schannel_connect_step2(struct connectdata *conn, int sockindex) +schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { int i; ssize_t nread = -1, written = -1; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; unsigned char *reallocated_buffer; SecBuffer outbuf[3]; @@ -1252,7 +1254,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; if(pubkey_ptr) { - result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr); + result = pkp_pin_peer_pubkey(data, conn, sockindex, pubkey_ptr); if(result) { failf(data, "SSL: public key does not match pinned public key!"); return result; @@ -1261,7 +1263,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex) #ifdef HAS_MANUAL_VERIFY_API if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) { - return Curl_verify_certificate(conn, sockindex); + return Curl_verify_certificate(data, conn, sockindex); } #endif @@ -1328,10 +1330,10 @@ add_cert_to_certinfo(const CERT_CONTEXT *ccert_context, void *raw_arg) } static CURLcode -schannel_connect_step3(struct connectdata *conn, int sockindex) +schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result = CURLE_OK; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; SECURITY_STATUS sspi_status = SEC_E_OK; CERT_CONTEXT *ccert_context = NULL; @@ -1411,24 +1413,24 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) bool incache; struct Curl_schannel_cred *old_cred = NULL; - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL, sockindex)); if(incache) { if(old_cred != BACKEND->cred) { DEBUGF(infof(data, "schannel: old credential handle is stale, removing\n")); /* we're not taking old_cred ownership here, no refcount++ is needed */ - Curl_ssl_delsessionid(conn, (void *)old_cred); + Curl_ssl_delsessionid(data, (void *)old_cred); incache = FALSE; } } if(!incache) { - result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred, + result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred, sizeof(struct Curl_schannel_cred), sockindex); if(result) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "schannel: failed to store credential handle"); return result; } @@ -1439,7 +1441,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) "schannel: stored credential handle in session cache\n")); } } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } if(data->set.ssl.certinfo) { @@ -1476,11 +1478,10 @@ schannel_connect_step3(struct connectdata *conn, int sockindex) } static CURLcode -schannel_connect_common(struct connectdata *conn, int sockindex, - bool nonblocking, bool *done) +schannel_connect_common(struct Curl_easy *data, struct connectdata *conn, + int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; timediff_t timeout_ms; @@ -1502,7 +1503,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex, return CURLE_OPERATION_TIMEDOUT; } - result = schannel_connect_step1(conn, sockindex); + result = schannel_connect_step1(data, conn, sockindex); if(result) return result; } @@ -1557,7 +1558,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - result = schannel_connect_step2(conn, sockindex); + result = schannel_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1567,7 +1568,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = schannel_connect_step3(conn, sockindex); + result = schannel_connect_step3(data, conn, sockindex); if(result) return result; } @@ -1957,7 +1958,7 @@ schannel_recv(struct Curl_easy *data, int sockindex, infof(data, "schannel: renegotiating SSL/TLS connection\n"); connssl->state = ssl_connection_negotiating; connssl->connecting_state = ssl_connect_2_writing; - *err = schannel_connect_common(conn, sockindex, FALSE, &done); + *err = schannel_connect_common(data, conn, sockindex, FALSE, &done); if(*err) { infof(data, "schannel: renegotiation failed\n"); goto cleanup; @@ -2064,18 +2065,20 @@ schannel_recv(struct Curl_easy *data, int sockindex, return *err ? -1 : 0; } -static CURLcode Curl_schannel_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode schannel_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return schannel_connect_common(conn, sockindex, TRUE, done); + return schannel_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode Curl_schannel_connect(struct connectdata *conn, int sockindex) +static CURLcode schannel_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result; bool done = FALSE; - result = schannel_connect_common(conn, sockindex, FALSE, &done); + result = schannel_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -2084,8 +2087,8 @@ static CURLcode Curl_schannel_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static bool Curl_schannel_data_pending(const struct connectdata *conn, - int sockindex) +static bool schannel_data_pending(const struct connectdata *conn, + int sockindex) { const struct ssl_connect_data *connssl = &conn->ssl[sockindex]; @@ -2096,14 +2099,15 @@ static bool Curl_schannel_data_pending(const struct connectdata *conn, return FALSE; } -static void Curl_schannel_close(struct connectdata *conn, int sockindex) +static void schannel_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { if(conn->ssl[sockindex].use) /* if the SSL/TLS channel hasn't been shut down yet, do that now. */ - Curl_ssl_shutdown(conn, sockindex); + Curl_ssl_shutdown(data, conn, sockindex); } -static void Curl_schannel_session_free(void *ptr) +static void schannel_session_free(void *ptr) { /* this is expected to be called under sessionid lock */ struct Curl_schannel_cred *cred = ptr; @@ -2115,12 +2119,12 @@ static void Curl_schannel_session_free(void *ptr) } } -static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) +static int schannel_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { /* See https://msdn.microsoft.com/en-us/library/windows/desktop/aa380138.aspx * Shutting Down an Schannel Connection */ - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; #ifndef CURL_DISABLE_PROXY char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : @@ -2203,14 +2207,9 @@ static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) /* free SSPI Schannel API credential handle */ if(BACKEND->cred) { - /* - * When this function is called from Curl_schannel_close() the connection - * might not have an associated transfer so the check for conn->data is - * necessary. - */ - Curl_ssl_sessionid_lock(conn); - Curl_schannel_session_free(BACKEND->cred); - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_lock(data); + schannel_session_free(BACKEND->cred); + Curl_ssl_sessionid_unlock(data); BACKEND->cred = NULL; } @@ -2232,25 +2231,25 @@ static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex) return CURLE_OK; } -static int Curl_schannel_init(void) +static int schannel_init(void) { return (Curl_sspi_global_init() == CURLE_OK ? 1 : 0); } -static void Curl_schannel_cleanup(void) +static void schannel_cleanup(void) { Curl_sspi_global_cleanup(); } -static size_t Curl_schannel_version(char *buffer, size_t size) +static size_t schannel_version(char *buffer, size_t size) { size = msnprintf(buffer, size, "Schannel"); return size; } -static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM, - unsigned char *entropy, size_t length) +static CURLcode schannel_random(struct Curl_easy *data UNUSED_PARAM, + unsigned char *entropy, size_t length) { HCRYPTPROV hCryptProv = 0; @@ -2269,10 +2268,10 @@ static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM, return CURLE_OK; } -static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, +static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, + struct connectdata *conn, int sockindex, const char *pinnedpubkey) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CERT_CONTEXT *pCertContextServer = NULL; @@ -2334,12 +2333,12 @@ static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex, return result; } -static void Curl_schannel_checksum(const unsigned char *input, - size_t inputlen, - unsigned char *checksum, - size_t checksumlen, - DWORD provType, - const unsigned int algId) +static void schannel_checksum(const unsigned char *input, + size_t inputlen, + unsigned char *checksum, + size_t checksumlen, + DWORD provType, + const unsigned int algId) { HCRYPTPROV hProv = 0; HCRYPTHASH hHash = 0; @@ -2384,28 +2383,27 @@ static void Curl_schannel_checksum(const unsigned char *input, CryptReleaseContext(hProv, 0); } -static CURLcode Curl_schannel_md5sum(unsigned char *input, - size_t inputlen, - unsigned char *md5sum, - size_t md5len) +static CURLcode schannel_md5sum(unsigned char *input, + size_t inputlen, + unsigned char *md5sum, + size_t md5len) { - Curl_schannel_checksum(input, inputlen, md5sum, md5len, - PROV_RSA_FULL, CALG_MD5); + schannel_checksum(input, inputlen, md5sum, md5len, PROV_RSA_FULL, CALG_MD5); return CURLE_OK; } -static CURLcode Curl_schannel_sha256sum(const unsigned char *input, - size_t inputlen, - unsigned char *sha256sum, - size_t sha256len) +static CURLcode schannel_sha256sum(const unsigned char *input, + size_t inputlen, + unsigned char *sha256sum, + size_t sha256len) { - Curl_schannel_checksum(input, inputlen, sha256sum, sha256len, - PROV_RSA_AES, CALG_SHA_256); + schannel_checksum(input, inputlen, sha256sum, sha256len, + PROV_RSA_AES, CALG_SHA_256); return CURLE_OK; } -static void *Curl_schannel_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +static void *schannel_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { (void)info; return &BACKEND->ctxt->ctxt_handle; @@ -2419,26 +2417,26 @@ const struct Curl_ssl Curl_ssl_schannel = { sizeof(struct ssl_backend_data), - Curl_schannel_init, /* init */ - Curl_schannel_cleanup, /* cleanup */ - Curl_schannel_version, /* version */ + schannel_init, /* init */ + schannel_cleanup, /* cleanup */ + schannel_version, /* version */ Curl_none_check_cxn, /* check_cxn */ - Curl_schannel_shutdown, /* shutdown */ - Curl_schannel_data_pending, /* data_pending */ - Curl_schannel_random, /* random */ + schannel_shutdown, /* shutdown */ + schannel_data_pending, /* data_pending */ + schannel_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_schannel_connect, /* connect */ - Curl_schannel_connect_nonblocking, /* connect_nonblocking */ - Curl_schannel_get_internals, /* get_internals */ - Curl_schannel_close, /* close_one */ + schannel_connect, /* connect */ + schannel_connect_nonblocking, /* connect_nonblocking */ + schannel_get_internals, /* get_internals */ + schannel_close, /* close_one */ Curl_none_close_all, /* close_all */ - Curl_schannel_session_free, /* session_free */ + schannel_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ Curl_none_false_start, /* false_start */ - Curl_schannel_md5sum, /* md5sum */ - Curl_schannel_sha256sum /* sha256sum */ + schannel_md5sum, /* md5sum */ + schannel_sha256sum /* sha256sum */ }; #endif /* USE_SCHANNEL */ diff --git a/lib/vtls/schannel.h b/lib/vtls/schannel.h index 085b3f455..2952caa1a 100644 --- a/lib/vtls/schannel.h +++ b/lib/vtls/schannel.h @@ -8,7 +8,7 @@ * \___|\___/|_| \_\_____| * * Copyright (C) 2012, Marc Hoersken, , et al. - * Copyright (C) 2012 - 2020, Daniel Stenberg, , et al. + * Copyright (C) 2012 - 2021, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -53,7 +53,8 @@ extern const struct Curl_ssl Curl_ssl_schannel; -CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex); +CURLcode Curl_verify_certificate(struct Curl_easy *data, + struct connectdata *conn, int sockindex); /* structs to expose only in schannel.c and schannel_verify.c */ #ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS diff --git a/lib/vtls/schannel_verify.c b/lib/vtls/schannel_verify.c index 4b18fc0bf..2ef39cc0f 100644 --- a/lib/vtls/schannel_verify.c +++ b/lib/vtls/schannel_verify.c @@ -79,10 +79,9 @@ static int is_cr_or_lf(char c) static CURLcode add_certs_to_store(HCERTSTORE trust_store, const char *ca_file, - struct connectdata *conn) + struct Curl_easy *data) { CURLcode result; - struct Curl_easy *data = conn->data; HANDLE ca_file_handle = INVALID_HANDLE_VALUE; LARGE_INTEGER file_size; char *ca_file_buffer = NULL; @@ -527,10 +526,10 @@ cleanup: return result; } -CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) +CURLcode Curl_verify_certificate(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { SECURITY_STATUS sspi_status; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; CURLcode result = CURLE_OK; CERT_CONTEXT *pCertContextServer = NULL; @@ -584,7 +583,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) } else { result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile), - conn); + data); } } @@ -675,7 +674,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex) if(result == CURLE_OK) { if(SSL_CONN_CONFIG(verifyhost)) { - result = verify_host(conn->data, pCertContextServer, conn_hostname); + result = verify_host(data, pCertContextServer, conn_hostname); } } diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c index aae614946..dfe3d28f4 100644 --- a/lib/vtls/sectransp.c +++ b/lib/vtls/sectransp.c @@ -1291,9 +1291,9 @@ static CURLcode sectransp_version_from_curl(SSLProtocol *darwinver, #endif static CURLcode -set_ssl_version_min_max(struct connectdata *conn, int sockindex) +set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; long ssl_version = SSL_CONN_CONFIG(version); @@ -1387,10 +1387,10 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) } -static CURLcode sectransp_connect_step1(struct connectdata *conn, +static CURLcode sectransp_connect_step1(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -1478,7 +1478,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(conn, sockindex); + CURLcode result = set_ssl_version_min_max(data, conn, sockindex); if(result != CURLE_OK) return result; break; @@ -1527,7 +1527,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_3: { - CURLcode result = set_ssl_version_min_max(conn, sockindex); + CURLcode result = set_ssl_version_min_max(data, conn, sockindex); if(result != CURLE_OK) return result; break; @@ -1952,12 +1952,12 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, char *ssl_sessionid; size_t ssl_sessionid_len; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid, + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid, &ssl_sessionid_len, sockindex)) { /* we got a session id, use it! */ err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); if(err != noErr) { failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR; @@ -1976,14 +1976,14 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn, err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len); if(err != noErr) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err); return CURLE_SSL_CONNECT_ERROR; } - result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len, - sockindex); - Curl_ssl_sessionid_unlock(conn); + result = Curl_ssl_addsessionid(data, conn, ssl_sessionid, + ssl_sessionid_len, sockindex); + Curl_ssl_sessionid_unlock(data); if(result) { failf(data, "failed to store ssl session"); return result; @@ -2379,9 +2379,9 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, #endif /* SECTRANSP_PINNEDPUBKEY */ static CURLcode -sectransp_connect_step2(struct connectdata *conn, int sockindex) +sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; OSStatus err; @@ -2418,7 +2418,7 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex) return result; } /* the documentation says we need to call SSLHandshake() again */ - return sectransp_connect_step2(conn, sockindex); + return sectransp_connect_step2(data, conn, sockindex); /* Problem with encrypt / decrypt */ case errSSLPeerDecodeError: @@ -2711,10 +2711,10 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex) #ifndef CURL_DISABLE_VERBOSE_STRINGS /* This should be called during step3 of the connection at the earliest */ static void -show_verbose_server_cert(struct connectdata *conn, +show_verbose_server_cert(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; CFArrayRef server_certs = NULL; @@ -2817,10 +2817,9 @@ show_verbose_server_cert(struct connectdata *conn, #endif /* !CURL_DISABLE_VERBOSE_STRINGS */ static CURLcode -sectransp_connect_step3(struct connectdata *conn, +sectransp_connect_step3(struct Curl_easy *data, struct connectdata *conn, int sockindex) { - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; /* There is no step 3! @@ -2828,7 +2827,7 @@ sectransp_connect_step3(struct connectdata *conn, * server certificates. */ #ifndef CURL_DISABLE_VERBOSE_STRINGS if(data->set.verbose) - show_verbose_server_cert(conn, sockindex); + show_verbose_server_cert(data, conn, sockindex); #endif connssl->connecting_state = ssl_connect_done; @@ -2839,13 +2838,13 @@ static Curl_recv sectransp_recv; static Curl_send sectransp_send; static CURLcode -sectransp_connect_common(struct connectdata *conn, +sectransp_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; int what; @@ -2866,7 +2865,7 @@ sectransp_connect_common(struct connectdata *conn, return CURLE_OPERATION_TIMEDOUT; } - result = sectransp_connect_step1(conn, sockindex); + result = sectransp_connect_step1(data, conn, sockindex); if(result) return result; } @@ -2920,7 +2919,7 @@ sectransp_connect_common(struct connectdata *conn, * before step2 has completed while ensuring that a client using select() * or epoll() will always have a valid fdset to wait on. */ - result = sectransp_connect_step2(conn, sockindex); + result = sectransp_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -2931,7 +2930,7 @@ sectransp_connect_common(struct connectdata *conn, if(ssl_connect_3 == connssl->connecting_state) { - result = sectransp_connect_step3(conn, sockindex); + result = sectransp_connect_step3(data, conn, sockindex); if(result) return result; } @@ -2951,18 +2950,20 @@ sectransp_connect_common(struct connectdata *conn, return CURLE_OK; } -static CURLcode Curl_sectransp_connect_nonblocking(struct connectdata *conn, - int sockindex, bool *done) +static CURLcode sectransp_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, + int sockindex, bool *done) { - return sectransp_connect_common(conn, sockindex, TRUE, done); + return sectransp_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode Curl_sectransp_connect(struct connectdata *conn, int sockindex) +static CURLcode sectransp_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result; bool done = FALSE; - result = sectransp_connect_common(conn, sockindex, FALSE, &done); + result = sectransp_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result; @@ -2972,11 +2973,14 @@ static CURLcode Curl_sectransp_connect(struct connectdata *conn, int sockindex) return CURLE_OK; } -static void Curl_sectransp_close(struct connectdata *conn, int sockindex) +static void sectransp_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; + (void) data; + if(backend->ssl_ctx) { (void)SSLClose(backend->ssl_ctx); #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS @@ -2994,11 +2998,11 @@ static void Curl_sectransp_close(struct connectdata *conn, int sockindex) backend->ssl_sockfd = 0; } -static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex) +static int sectransp_shutdown(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; - struct Curl_easy *data = conn->data; ssize_t nread; int what; int rc; @@ -3012,7 +3016,7 @@ static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex) return 0; #endif - Curl_sectransp_close(conn, sockindex); + sectransp_close(data, conn, sockindex); rc = 0; @@ -3050,7 +3054,7 @@ static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex) return rc; } -static void Curl_sectransp_session_free(void *ptr) +static void sectransp_session_free(void *ptr) { /* ST, as of iOS 5 and Mountain Lion, has no public method of deleting a cached session ID inside the Security framework. There is a private @@ -3061,7 +3065,7 @@ static void Curl_sectransp_session_free(void *ptr) Curl_safefree(ptr); } -static size_t Curl_sectransp_version(char *buffer, size_t size) +static size_t sectransp_version(char *buffer, size_t size) { return msnprintf(buffer, size, "SecureTransport"); } @@ -3074,7 +3078,7 @@ static size_t Curl_sectransp_version(char *buffer, size_t size) * 0 means the connection has been closed * -1 means the connection status is unknown */ -static int Curl_sectransp_check_cxn(struct connectdata *conn) +static int sectransp_check_cxn(struct connectdata *conn) { struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET]; struct ssl_backend_data *backend = connssl->backend; @@ -3090,8 +3094,8 @@ static int Curl_sectransp_check_cxn(struct connectdata *conn) return 0; } -static bool Curl_sectransp_data_pending(const struct connectdata *conn, - int connindex) +static bool sectransp_data_pending(const struct connectdata *conn, + int connindex) { const struct ssl_connect_data *connssl = &conn->ssl[connindex]; struct ssl_backend_data *backend = connssl->backend; @@ -3108,8 +3112,8 @@ static bool Curl_sectransp_data_pending(const struct connectdata *conn, return false; } -static CURLcode Curl_sectransp_random(struct Curl_easy *data UNUSED_PARAM, - unsigned char *entropy, size_t length) +static CURLcode sectransp_random(struct Curl_easy *data UNUSED_PARAM, + unsigned char *entropy, size_t length) { /* arc4random_buf() isn't available on cats older than Lion, so let's do this manually for the benefit of the older cats. */ @@ -3128,27 +3132,27 @@ static CURLcode Curl_sectransp_random(struct Curl_easy *data UNUSED_PARAM, return CURLE_OK; } -static CURLcode Curl_sectransp_md5sum(unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *md5sum, /* output */ - size_t md5len) +static CURLcode sectransp_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum, /* output */ + size_t md5len) { (void)md5len; (void)CC_MD5(tmp, (CC_LONG)tmplen, md5sum); return CURLE_OK; } -static CURLcode Curl_sectransp_sha256sum(const unsigned char *tmp, /* input */ - size_t tmplen, - unsigned char *sha256sum, /* output */ - size_t sha256len) +static CURLcode sectransp_sha256sum(const unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *sha256sum, /* output */ + size_t sha256len) { assert(sha256len >= CURL_SHA256_DIGEST_LENGTH); (void)CC_SHA256(tmp, (CC_LONG)tmplen, sha256sum); return CURLE_OK; } -static bool Curl_sectransp_false_start(void) +static bool sectransp_false_start(void) { #if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 if(SSLSetSessionOption != NULL) @@ -3198,7 +3202,7 @@ static ssize_t sectransp_send(struct Curl_easy *data, *curlcode = CURLE_AGAIN; return -1L; default: - failf(conn->data, "SSLWrite() returned error %d", err); + failf(data, "SSLWrite() returned error %d", err); *curlcode = CURLE_SEND_ERROR; return -1L; } @@ -3262,7 +3266,7 @@ static ssize_t sectransp_recv(struct Curl_easy *data, Leopard's headers */ case -9841: if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) { - CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), conn->data, + CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), data, backend->ssl_ctx); if(result) return result; @@ -3278,8 +3282,8 @@ static ssize_t sectransp_recv(struct Curl_easy *data, return (ssize_t)processed; } -static void *Curl_sectransp_get_internals(struct ssl_connect_data *connssl, - CURLINFO info UNUSED_PARAM) +static void *sectransp_get_internals(struct ssl_connect_data *connssl, + CURLINFO info UNUSED_PARAM) { struct ssl_backend_data *backend = connssl->backend; (void)info; @@ -3299,24 +3303,24 @@ const struct Curl_ssl Curl_ssl_sectransp = { Curl_none_init, /* init */ Curl_none_cleanup, /* cleanup */ - Curl_sectransp_version, /* version */ - Curl_sectransp_check_cxn, /* check_cxn */ - Curl_sectransp_shutdown, /* shutdown */ - Curl_sectransp_data_pending, /* data_pending */ - Curl_sectransp_random, /* random */ + sectransp_version, /* version */ + sectransp_check_cxn, /* check_cxn */ + sectransp_shutdown, /* shutdown */ + sectransp_data_pending, /* data_pending */ + sectransp_random, /* random */ Curl_none_cert_status_request, /* cert_status_request */ - Curl_sectransp_connect, /* connect */ - Curl_sectransp_connect_nonblocking, /* connect_nonblocking */ - Curl_sectransp_get_internals, /* get_internals */ - Curl_sectransp_close, /* close_one */ + sectransp_connect, /* connect */ + sectransp_connect_nonblocking, /* connect_nonblocking */ + sectransp_get_internals, /* get_internals */ + sectransp_close, /* close_one */ Curl_none_close_all, /* close_all */ - Curl_sectransp_session_free, /* session_free */ + sectransp_session_free, /* session_free */ Curl_none_set_engine, /* set_engine */ Curl_none_set_engine_default, /* set_engine_default */ Curl_none_engines_list, /* engines_list */ - Curl_sectransp_false_start, /* false_start */ - Curl_sectransp_md5sum, /* md5sum */ - Curl_sectransp_sha256sum /* sha256sum */ + sectransp_false_start, /* false_start */ + sectransp_md5sum, /* md5sum */ + sectransp_sha256sum /* sha256sum */ }; #ifdef __clang__ diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c index 3b37748cf..e32773b0c 100644 --- a/lib/vtls/vtls.c +++ b/lib/vtls/vtls.c @@ -291,7 +291,8 @@ ssl_connect_init_proxy(struct connectdata *conn, int sockindex) #endif CURLcode -Curl_ssl_connect(struct connectdata *conn, int sockindex) +Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { CURLcode result; @@ -303,26 +304,27 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex) } #endif - if(!ssl_prefs_check(conn->data)) + if(!ssl_prefs_check(data)) return CURLE_SSL_CONNECT_ERROR; /* mark this is being ssl-enabled from here on. */ conn->ssl[sockindex].use = TRUE; conn->ssl[sockindex].state = ssl_connection_negotiating; - result = Curl_ssl->connect_blocking(conn, sockindex); + result = Curl_ssl->connect_blocking(data, conn, sockindex); if(!result) - Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ + Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ return result; } CURLcode -Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, - bool *done) +Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn, + int sockindex, bool *done) { CURLcode result; + #ifndef CURL_DISABLE_PROXY if(conn->bits.proxy_ssl_connected[sockindex]) { result = ssl_connect_init_proxy(conn, sockindex); @@ -330,47 +332,46 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, return result; } #endif - if(!ssl_prefs_check(conn->data)) + if(!ssl_prefs_check(data)) return CURLE_SSL_CONNECT_ERROR; /* mark this is being ssl requested from here on. */ conn->ssl[sockindex].use = TRUE; - result = Curl_ssl->connect_nonblocking(conn, sockindex, done); + result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done); if(!result && *done) - Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ + Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */ return result; } /* * Lock shared SSL session data */ -void Curl_ssl_sessionid_lock(struct connectdata *conn) +void Curl_ssl_sessionid_lock(struct Curl_easy *data) { - if(SSLSESSION_SHARED(conn->data)) - Curl_share_lock(conn->data, - CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); + if(SSLSESSION_SHARED(data)) + Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); } /* * Unlock shared SSL session data */ -void Curl_ssl_sessionid_unlock(struct connectdata *conn) +void Curl_ssl_sessionid_unlock(struct Curl_easy *data) { - if(SSLSESSION_SHARED(conn->data)) - Curl_share_unlock(conn->data, CURL_LOCK_DATA_SSL_SESSION); + if(SSLSESSION_SHARED(data)) + Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); } /* * Check if there's a session ID for the given connection in the cache, and if * there's one suitable, it is provided. Returns TRUE when no entry matched. */ -bool Curl_ssl_getsessionid(struct connectdata *conn, +bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex) { struct Curl_ssl_session *check; - struct Curl_easy *data = conn->data; size_t i; long *general_age; bool no_match = TRUE; @@ -457,10 +458,9 @@ void Curl_ssl_kill_session(struct Curl_ssl_session *session) /* * Delete the given session ID from the cache. */ -void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) +void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid) { size_t i; - struct Curl_easy *data = conn->data; for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) { struct Curl_ssl_session *check = &data->state.session[i]; @@ -478,13 +478,13 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) * layer. Curl_XXXX_session_free() will be called to free/kill the session ID * later on. */ -CURLcode Curl_ssl_addsessionid(struct connectdata *conn, +CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, void *ssl_sessionid, size_t idsize, int sockindex) { size_t i; - struct Curl_easy *data = conn->data; /* the mother of all structs */ struct Curl_ssl_session *store = &data->state.session[0]; long oldest_age = data->state.session[0].age; /* zero if unused */ char *clone_host; @@ -624,16 +624,18 @@ int Curl_ssl_getsock(struct connectdata *conn, /* USE_OPENSSL || USE_GNUTLS || USE_SCHANNEL || USE_SECTRANSP || USE_NSS */ #endif -void Curl_ssl_close(struct connectdata *conn, int sockindex) +void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { DEBUGASSERT((sockindex <= 1) && (sockindex >= -1)); - Curl_ssl->close_one(conn, sockindex); + Curl_ssl->close_one(data, conn, sockindex); conn->ssl[sockindex].state = ssl_connection_none; } -CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) +CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { - if(Curl_ssl->shut_down(conn, sockindex)) + if(Curl_ssl->shut_down(data, conn, sockindex)) return CURLE_SSL_SHUTDOWN_FAILED; conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */ @@ -1080,9 +1082,11 @@ int Curl_none_init(void) void Curl_none_cleanup(void) { } -int Curl_none_shutdown(struct connectdata *conn UNUSED_PARAM, +int Curl_none_shutdown(struct Curl_easy *data UNUSED_PARAM, + struct connectdata *conn UNUSED_PARAM, int sockindex UNUSED_PARAM) { + (void)data; (void)conn; (void)sockindex; return 0; @@ -1188,19 +1192,21 @@ static int multissl_init(void) return Curl_ssl->init(); } -static CURLcode multissl_connect(struct connectdata *conn, int sockindex) +static CURLcode multissl_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { if(multissl_setup(NULL)) return CURLE_FAILED_INIT; - return Curl_ssl->connect_blocking(conn, sockindex); + return Curl_ssl->connect_blocking(data, conn, sockindex); } -static CURLcode multissl_connect_nonblocking(struct connectdata *conn, +static CURLcode multissl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { if(multissl_setup(NULL)) return CURLE_FAILED_INIT; - return Curl_ssl->connect_nonblocking(conn, sockindex, done); + return Curl_ssl->connect_nonblocking(data, conn, sockindex, done); } static void *multissl_get_internals(struct ssl_connect_data *connssl, @@ -1211,11 +1217,12 @@ static void *multissl_get_internals(struct ssl_connect_data *connssl, return Curl_ssl->get_internals(connssl, info); } -static void multissl_close(struct connectdata *conn, int sockindex) +static void multissl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { if(multissl_setup(NULL)) return; - Curl_ssl->close_one(conn, sockindex); + Curl_ssl->close_one(data, conn, sockindex); } static const struct Curl_ssl Curl_ssl_multi = { diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h index f4cab9988..8c4bcce35 100644 --- a/lib/vtls/vtls.h +++ b/lib/vtls/vtls.h @@ -7,7 +7,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2021, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -47,7 +47,8 @@ struct Curl_ssl { size_t (*version)(char *buffer, size_t size); int (*check_cxn)(struct connectdata *cxn); - int (*shut_down)(struct connectdata *conn, int sockindex); + int (*shut_down)(struct Curl_easy *data, struct connectdata *conn, + int sockindex); bool (*data_pending)(const struct connectdata *conn, int connindex); @@ -56,11 +57,14 @@ struct Curl_ssl { size_t length); bool (*cert_status_request)(void); - CURLcode (*connect_blocking)(struct connectdata *conn, int sockindex); - CURLcode (*connect_nonblocking)(struct connectdata *conn, int sockindex, + CURLcode (*connect_blocking)(struct Curl_easy *data, + struct connectdata *conn, int sockindex); + CURLcode (*connect_nonblocking)(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done); void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info); - void (*close_one)(struct connectdata *conn, int sockindex); + void (*close_one)(struct Curl_easy *data, struct connectdata *conn, + int sockindex); void (*close_all)(struct Curl_easy *data); void (*session_free)(void *ptr); @@ -82,7 +86,8 @@ extern const struct Curl_ssl *Curl_ssl; int Curl_none_init(void); void Curl_none_cleanup(void); -int Curl_none_shutdown(struct connectdata *conn, int sockindex); +int Curl_none_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex); int Curl_none_check_cxn(struct connectdata *conn); CURLcode Curl_none_random(struct Curl_easy *data, unsigned char *entropy, size_t length); @@ -165,15 +170,19 @@ int Curl_ssl_backend(void); #ifdef USE_SSL int Curl_ssl_init(void); void Curl_ssl_cleanup(void); -CURLcode Curl_ssl_connect(struct connectdata *conn, int sockindex); -CURLcode Curl_ssl_connect_nonblocking(struct connectdata *conn, +CURLcode Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn, + int sockindex); +CURLcode Curl_ssl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done); /* tell the SSL stuff to close down all open information regarding connections (and thus session ID caching etc) */ void Curl_ssl_close_all(struct Curl_easy *data); -void Curl_ssl_close(struct connectdata *conn, int sockindex); -CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex); +void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex); +CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex); CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine); /* Sets engine as default for all SSL operations */ CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data); @@ -205,10 +214,10 @@ CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum, * The purpose of explicitly locking SSL session cache data is to allow * individual SSL engines to manage session lifetime in their specific way. */ -void Curl_ssl_sessionid_lock(struct connectdata *conn); +void Curl_ssl_sessionid_lock(struct Curl_easy *data); /* Unlock session cache mutex */ -void Curl_ssl_sessionid_unlock(struct connectdata *conn); +void Curl_ssl_sessionid_unlock(struct Curl_easy *data); /* extract a session ID * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). @@ -216,7 +225,8 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn); * is properly taken (e.g. its refcount is incremented * under sessionid mutex). */ -bool Curl_ssl_getsessionid(struct connectdata *conn, +bool Curl_ssl_getsessionid(struct Curl_easy *data, + struct connectdata *conn, void **ssl_sessionid, size_t *idsize, /* set 0 if unknown */ int sockindex); @@ -225,7 +235,8 @@ bool Curl_ssl_getsessionid(struct connectdata *conn, * Caller must ensure that it has properly shared ownership of this sessionid * object with cache (e.g. incrementing refcount on success) */ -CURLcode Curl_ssl_addsessionid(struct connectdata *conn, +CURLcode Curl_ssl_addsessionid(struct Curl_easy *data, + struct connectdata *conn, void *ssl_sessionid, size_t idsize, int sockindex); @@ -242,7 +253,7 @@ void Curl_ssl_kill_session(struct Curl_ssl_session *session); * take sessionid object ownership from sessionid cache * (e.g. decrement refcount). */ -void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid); +void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid); /* get N random bytes into the buffer */ CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer, @@ -267,10 +278,10 @@ bool Curl_ssl_false_start(void); /* When SSL support is not present, just define away these function calls */ #define Curl_ssl_init() 1 #define Curl_ssl_cleanup() Curl_nop_stmt -#define Curl_ssl_connect(x,y) CURLE_NOT_BUILT_IN +#define Curl_ssl_connect(x,y,z) CURLE_NOT_BUILT_IN #define Curl_ssl_close_all(x) Curl_nop_stmt -#define Curl_ssl_close(x,y) Curl_nop_stmt -#define Curl_ssl_shutdown(x,y) CURLE_NOT_BUILT_IN +#define Curl_ssl_close(x,y,z) Curl_nop_stmt +#define Curl_ssl_shutdown(x,y,z) CURLE_NOT_BUILT_IN #define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN #define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN #define Curl_ssl_engines_list(x) NULL @@ -280,7 +291,7 @@ bool Curl_ssl_false_start(void); #define Curl_ssl_data_pending(x,y) 0 #define Curl_ssl_check_cxn(x) 0 #define Curl_ssl_free_certinfo(x) Curl_nop_stmt -#define Curl_ssl_connect_nonblocking(x,y,z) CURLE_NOT_BUILT_IN +#define Curl_ssl_connect_nonblocking(x,y,z,w) CURLE_NOT_BUILT_IN #define Curl_ssl_kill_session(x) Curl_nop_stmt #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN) #define Curl_ssl_cert_status_request() FALSE diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index be3c2c510..4d2b05af5 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c @@ -217,11 +217,10 @@ static int do_file_type(const char *type) * layer and do all necessary magic. */ static CURLcode -wolfssl_connect_step1(struct connectdata *conn, +wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn, int sockindex) { char *ciphers; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; SSL_METHOD* req_method = NULL; @@ -516,12 +515,12 @@ wolfssl_connect_step1(struct connectdata *conn, if(SSL_SET_OPTION(primary.sessionid)) { void *ssl_sessionid = NULL; - Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) { + Curl_ssl_sessionid_lock(data); + if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) { /* we got a session id, use it! */ if(!SSL_set_session(backend->handle, ssl_sessionid)) { char error_buffer[WOLFSSL_MAX_ERROR_SZ]; - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "SSL: SSL_set_session failed: %s", ERR_error_string(SSL_get_error(backend->handle, 0), error_buffer)); @@ -530,7 +529,7 @@ wolfssl_connect_step1(struct connectdata *conn, /* Informational message */ infof(data, "SSL re-using session ID\n"); } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } /* pass the raw socket into the SSL layer */ @@ -545,11 +544,10 @@ wolfssl_connect_step1(struct connectdata *conn, static CURLcode -wolfssl_connect_step2(struct connectdata *conn, +wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn, int sockindex) { int ret = -1; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; #ifndef CURL_DISABLE_PROXY @@ -761,11 +759,10 @@ wolfssl_connect_step2(struct connectdata *conn, static CURLcode -wolfssl_connect_step3(struct connectdata *conn, +wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn, int sockindex) { CURLcode result = CURLE_OK; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; @@ -778,27 +775,27 @@ wolfssl_connect_step3(struct connectdata *conn, our_ssl_sessionid = SSL_get_session(backend->handle); - Curl_ssl_sessionid_lock(conn); - incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, + Curl_ssl_sessionid_lock(data); + incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex)); if(incache) { if(old_ssl_sessionid != our_ssl_sessionid) { infof(data, "old SSL session ID is stale, removing\n"); - Curl_ssl_delsessionid(conn, old_ssl_sessionid); + Curl_ssl_delsessionid(data, old_ssl_sessionid); incache = FALSE; } } if(!incache) { - result = Curl_ssl_addsessionid(conn, our_ssl_sessionid, + result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex); if(result) { - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); failf(data, "failed to store ssl session"); return result; } } - Curl_ssl_sessionid_unlock(conn); + Curl_ssl_sessionid_unlock(data); } connssl->connecting_state = ssl_connect_done; @@ -840,11 +837,14 @@ static ssize_t wolfssl_send(struct Curl_easy *data, return rc; } -static void wolfssl_close(struct connectdata *conn, int sockindex) +static void wolfssl_close(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; + (void) data; + if(backend->handle) { (void)SSL_shutdown(backend->handle); SSL_free(backend->handle); @@ -942,12 +942,15 @@ static bool wolfssl_data_pending(const struct connectdata *conn, * This function is called to shut down the SSL layer but keep the * socket open (CCC - Clear Command Channel) */ -static int wolfssl_shutdown(struct connectdata *conn, int sockindex) +static int wolfssl_shutdown(struct Curl_easy *data, struct connectdata *conn, + int sockindex) { int retval = 0; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; struct ssl_backend_data *backend = connssl->backend; + (void) data; + if(backend->handle) { SSL_free(backend->handle); backend->handle = NULL; @@ -957,13 +960,13 @@ static int wolfssl_shutdown(struct connectdata *conn, int sockindex) static CURLcode -wolfssl_connect_common(struct connectdata *conn, +wolfssl_connect_common(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool nonblocking, bool *done) { CURLcode result; - struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; curl_socket_t sockfd = conn->sock[sockindex]; int what; @@ -984,7 +987,7 @@ wolfssl_connect_common(struct connectdata *conn, return CURLE_OPERATION_TIMEDOUT; } - result = wolfssl_connect_step1(conn, sockindex); + result = wolfssl_connect_step1(data, conn, sockindex); if(result) return result; } @@ -1039,7 +1042,7 @@ wolfssl_connect_common(struct connectdata *conn, * ensuring that a client using select() or epoll() will always * have a valid fdset to wait on. */ - result = wolfssl_connect_step2(conn, sockindex); + result = wolfssl_connect_step2(data, conn, sockindex); if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state || ssl_connect_2_reading == connssl->connecting_state || @@ -1048,7 +1051,7 @@ wolfssl_connect_common(struct connectdata *conn, } /* repeat step2 until all transactions are done. */ if(ssl_connect_3 == connssl->connecting_state) { - result = wolfssl_connect_step3(conn, sockindex); + result = wolfssl_connect_step3(data, conn, sockindex); if(result) return result; } @@ -1069,19 +1072,21 @@ wolfssl_connect_common(struct connectdata *conn, } -static CURLcode wolfssl_connect_nonblocking(struct connectdata *conn, +static CURLcode wolfssl_connect_nonblocking(struct Curl_easy *data, + struct connectdata *conn, int sockindex, bool *done) { - return wolfssl_connect_common(conn, sockindex, TRUE, done); + return wolfssl_connect_common(data, conn, sockindex, TRUE, done); } -static CURLcode wolfssl_connect(struct connectdata *conn, int sockindex) +static CURLcode wolfssl_connect(struct Curl_easy *data, + struct connectdata *conn, int sockindex) { CURLcode result; bool done = FALSE; - result = wolfssl_connect_common(conn, sockindex, FALSE, &done); + result = wolfssl_connect_common(data, conn, sockindex, FALSE, &done); if(result) return result;