moparisthebest/curl
1
0
Fork 0
mirror of https://github.com/moparisthebest/curl synced 2024-11-10 11:35:07 -05:00
Code Issues Releases Wiki Activity

vtls: reduce conn->data use

Browse Source 
Closes #6474
This commit is contained in:
Patrick Monnerat 2021-01-13 17:01:31 +01:00 committed by Daniel Stenberg
parent 8399d89360
commit bbe3aa9f88
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
24 changed files with 597 additions and 564 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/ftp.c
View File

@ -443,7 +443,7 @@ static CURLcode InitiateTransfer(struct Curl_easy *data)
/* since we only have a plaintext TCP connection here, we must now
* do the TLS stuff */
infof(data, "Doing the SSL/TLS handshake on the data stream\n");
result = Curl_ssl_connect(conn, SECONDARYSOCKET);
result = Curl_ssl_connect(data, conn, SECONDARYSOCKET);
if(result)
return result;
}
@ -2734,7 +2734,7 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
if((ftpcode == 234) || (ftpcode == 334)) {
/* Curl_ssl_connect is BLOCKING */
result = Curl_ssl_connect(conn, FIRSTSOCKET);
result = Curl_ssl_connect(data, conn, FIRSTSOCKET);
if(!result) {
conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
@ -2800,7 +2800,7 @@ static CURLcode ftp_statemachine(struct Curl_easy *data,
case FTP_CCC:
if(ftpcode < 500) {
/* First shut down the SSL layer (note: this call will block) */
result = Curl_ssl_shutdown(conn, FIRSTSOCKET);
result = Curl_ssl_shutdown(data, conn, FIRSTSOCKET);
if(result)
failf(data, "Failed to clear the command channel (CCC)");
@ -3138,7 +3138,7 @@ static CURLcode ftp_connect(struct Curl_easy *data,
if(conn->handler->flags & PROTOPT_SSL) {
/* BLOCKING */
result = Curl_ssl_connect(conn, FIRSTSOCKET);
result = Curl_ssl_connect(data, conn, FIRSTSOCKET);
if(result)
return result;
conn->bits.ftp_use_control_ssl = TRUE;
@ -3284,7 +3284,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status,
if(conn->ssl[SECONDARYSOCKET].use) {
/* The secondary socket is using SSL so we must close down that part
first before we close the socket for real */
Curl_ssl_close(conn, SECONDARYSOCKET);
Curl_ssl_close(data, conn, SECONDARYSOCKET);
/* Note that we keep "use" set to TRUE since that (next) connection is
still requested to use SSL */

2
lib/gopher.c
View File

@ -113,7 +113,7 @@ static CURLcode gopher_connect(struct Curl_easy *data, bool *done)
static CURLcode gopher_connecting(struct Curl_easy *data, bool *done)
{
struct connectdata *conn = data->conn;
CURLcode result = Curl_ssl_connect(conn, FIRSTSOCKET);
CURLcode result = Curl_ssl_connect(data, conn, FIRSTSOCKET);
if(result)
connclose(conn, "Failed TLS connection");
*done = TRUE;

2
lib/http.c
View File

@ -1532,7 +1532,7 @@ static CURLcode https_connecting(struct Curl_easy *data, bool *done)
#endif
/* perform SSL initialization for this socket */
result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, done);
result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET, done);
if(result)
connclose(conn, "Failed HTTPS connection");

2
lib/http_proxy.c
View File

@ -58,7 +58,7 @@ static CURLcode https_proxy_connect(struct connectdata *conn, int sockindex)
if(!conn->bits.proxy_ssl_connected[sockindex]) {
/* perform SSL initialization for this socket */
result =
Curl_ssl_connect_nonblocking(conn, sockindex,
Curl_ssl_connect_nonblocking(conn->data, conn, sockindex,
&conn->bits.proxy_ssl_connected[sockindex]);
if(result)
/* a failed connection is marked for closure to prevent (bad) re-use or

5
lib/imap.c
View File

@ -473,7 +473,7 @@ static CURLcode imap_perform_upgrade_tls(struct Curl_easy *data,
{
/* Start the SSL connection */
struct imap_conn *imapc = &conn->proto.imapc;
CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET,
CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET,
&imapc->ssldone);
if(!result) {
@ -1366,7 +1366,8 @@ static CURLcode imap_multi_statemach(struct Curl_easy *data, bool *done)
struct imap_conn *imapc = &conn->proto.imapc;
if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) {
result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &imapc->ssldone);
result = Curl_ssl_connect_nonblocking(data, conn,
FIRSTSOCKET, &imapc->ssldone);
if(result || !imapc->ssldone)
return result;
}

5
lib/openldap.c
View File

@ -245,7 +245,8 @@ static CURLcode ldap_connect(struct Curl_easy *data, bool *done)
#ifdef USE_SSL
if(conn->handler->flags & PROTOPT_SSL) {
CURLcode result;
result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &li->ssldone);
result = Curl_ssl_connect_nonblocking(data, conn,
FIRSTSOCKET, &li->ssldone);
if(result)
return result;
}
@ -267,7 +268,7 @@ static CURLcode ldap_connecting(struct Curl_easy *data, bool *done)
if(conn->handler->flags & PROTOPT_SSL) {
/* Is the SSL handshake complete yet? */
if(!li->ssldone) {
CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET,
CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET,
&li->ssldone);
if(result || !li->ssldone)
return result;

5
lib/pop3.c
View File

@ -368,7 +368,7 @@ static CURLcode pop3_perform_upgrade_tls(struct Curl_easy *data,
{
/* Start the SSL connection */
struct pop3_conn *pop3c = &conn->proto.pop3c;
CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET,
CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET,
&pop3c->ssldone);
if(!result) {
@ -1029,7 +1029,8 @@ static CURLcode pop3_multi_statemach(struct Curl_easy *data, bool *done)
struct pop3_conn *pop3c = &conn->proto.pop3c;
if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) {
result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &pop3c->ssldone);
result = Curl_ssl_connect_nonblocking(data, conn,
FIRSTSOCKET, &pop3c->ssldone);
if(result || !pop3c->ssldone)
return result;
}

3
lib/smb.c
View File

@ -669,7 +669,8 @@ static CURLcode smb_connection_state(struct Curl_easy *data, bool *done)
#ifdef USE_SSL
if((conn->handler->flags & PROTOPT_SSL)) {
bool ssl_done = FALSE;
result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &ssl_done);
result = Curl_ssl_connect_nonblocking(data, conn,
FIRSTSOCKET, &ssl_done);
if(result && result != CURLE_AGAIN)
return result;
if(!ssl_done)

5
lib/smtp.c
View File

@ -395,7 +395,7 @@ static CURLcode smtp_perform_upgrade_tls(struct Curl_easy *data)
/* Start the SSL connection */
struct connectdata *conn = data->conn;
struct smtp_conn *smtpc = &conn->proto.smtpc;
CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET,
CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET,
&smtpc->ssldone);
if(!result) {
@ -1256,7 +1256,8 @@ static CURLcode smtp_multi_statemach(struct Curl_easy *data, bool *done)
struct smtp_conn *smtpc = &conn->proto.smtpc;
if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) {
result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &smtpc->ssldone);
result = Curl_ssl_connect_nonblocking(data, conn,
FIRSTSOCKET, &smtpc->ssldone);
if(result || !smtpc->ssldone)
return result;
}

4
lib/url.c
View File

@ -723,8 +723,8 @@ static void conn_shutdown(struct Curl_easy *data, struct connectdata *conn)
/* close the SSL stuff before we close any sockets since they will/may
write to the sockets */
Curl_ssl_close(conn, FIRSTSOCKET);
Curl_ssl_close(conn, SECONDARYSOCKET);
Curl_ssl_close(data, conn, FIRSTSOCKET);
Curl_ssl_close(data, conn, SECONDARYSOCKET);
/* close possibly still open sockets */
if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])

65
lib/vtls/bearssl.c
View File

@ -294,9 +294,9 @@ static const br_x509_class x509_vtable = {
x509_get_pkey
};
static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
static CURLcode bearssl_connect_step1(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
@ -374,12 +374,12 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
if(SSL_SET_OPTION(primary.sessionid)) {
void *session;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
infof(data, "BearSSL: re-using session ID\n");
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
if(conn->bits.tls_enable_alpn) {
@ -429,10 +429,10 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
static CURLcode bearssl_run_until(struct connectdata *conn, int sockindex,
static CURLcode bearssl_run_until(struct Curl_easy *data,
struct connectdata *conn, int sockindex,
unsigned target)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
curl_socket_t sockfd = conn->sock[sockindex];
@ -507,14 +507,15 @@ static CURLcode bearssl_run_until(struct connectdata *conn, int sockindex,
}
}
static CURLcode bearssl_connect_step2(struct connectdata *conn, int sockindex)
static CURLcode bearssl_connect_step2(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
CURLcode ret;
ret = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP | BR_SSL_RECVAPP);
ret = bearssl_run_until(data, conn, sockindex,
BR_SSL_SENDAPP | BR_SSL_RECVAPP);
if(ret == CURLE_AGAIN)
return CURLE_OK;
if(ret == CURLE_OK) {
@ -527,9 +528,9 @@ static CURLcode bearssl_connect_step2(struct connectdata *conn, int sockindex)
return ret;
}
static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
static CURLcode bearssl_connect_step3(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
CURLcode ret;
@ -568,12 +569,13 @@ static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
if(!session)
return CURLE_OUT_OF_MEMORY;
br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
Curl_ssl_sessionid_lock(conn);
incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
Curl_ssl_sessionid_lock(data);
incache = !(Curl_ssl_getsessionid(data, conn,
&oldsession, NULL, sockindex));
if(incache)
Curl_ssl_delsessionid(conn, oldsession);
ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_delsessionid(data, oldsession);
ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
Curl_ssl_sessionid_unlock(data);
if(ret) {
free(session);
return CURLE_OUT_OF_MEMORY;
@ -595,7 +597,7 @@ static ssize_t bearssl_send(struct Curl_easy *data, int sockindex,
size_t applen;
for(;;) {
*err = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP);
*err = bearssl_run_until(data, conn, sockindex, BR_SSL_SENDAPP);
if (*err != CURLE_OK)
return -1;
app = br_ssl_engine_sendapp_buf(&backend->ctx.eng, &applen);
@ -627,7 +629,7 @@ static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex,
unsigned char *app;
size_t applen;
*err = bearssl_run_until(conn, sockindex, BR_SSL_RECVAPP);
*err = bearssl_run_until(data, conn, sockindex, BR_SSL_RECVAPP);
if(*err != CURLE_OK)
return -1;
app = br_ssl_engine_recvapp_buf(&backend->ctx.eng, &applen);
@ -641,13 +643,13 @@ static ssize_t bearssl_recv(struct Curl_easy *data, int sockindex,
return applen;
}
static CURLcode bearssl_connect_common(struct connectdata *conn,
static CURLcode bearssl_connect_common(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode ret;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
timediff_t timeout_ms;
@ -660,7 +662,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn,
}
if(ssl_connect_1 == connssl->connecting_state) {
ret = bearssl_connect_step1(conn, sockindex);
ret = bearssl_connect_step1(data, conn, sockindex);
if(ret)
return ret;
}
@ -713,7 +715,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn,
* before step2 has completed while ensuring that a client using select()
* or epoll() will always have a valid fdset to wait on.
*/
ret = bearssl_connect_step2(conn, sockindex);
ret = bearssl_connect_step2(data, conn, sockindex);
if(ret || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
@ -722,7 +724,7 @@ static CURLcode bearssl_connect_common(struct connectdata *conn,
}
if(ssl_connect_3 == connssl->connecting_state) {
ret = bearssl_connect_step3(conn, sockindex);
ret = bearssl_connect_step3(data, conn, sockindex);
if(ret)
return ret;
}
@ -775,12 +777,13 @@ static CURLcode bearssl_random(struct Curl_easy *data UNUSED_PARAM,
return CURLE_OK;
}
static CURLcode bearssl_connect(struct connectdata *conn, int sockindex)
static CURLcode bearssl_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
CURLcode ret;
bool done = FALSE;
ret = bearssl_connect_common(conn, sockindex, FALSE, &done);
ret = bearssl_connect_common(data, conn, sockindex, FALSE, &done);
if(ret)
return ret;
@ -789,10 +792,11 @@ static CURLcode bearssl_connect(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
static CURLcode bearssl_connect_nonblocking(struct connectdata *conn,
static CURLcode bearssl_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
return bearssl_connect_common(conn, sockindex, TRUE, done);
return bearssl_connect_common(data, conn, sockindex, TRUE, done);
}
static void *bearssl_get_internals(struct ssl_connect_data *connssl,
@ -802,7 +806,8 @@ static void *bearssl_get_internals(struct ssl_connect_data *connssl,
return &backend->ctx;
}
static void bearssl_close(struct connectdata *conn, int sockindex)
static void bearssl_close(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
@ -810,7 +815,7 @@ static void bearssl_close(struct connectdata *conn, int sockindex)
if(backend->active) {
br_ssl_engine_close(&backend->ctx.eng);
(void)bearssl_run_until(conn, sockindex, BR_SSL_CLOSED);
(void)bearssl_run_until(data, conn, sockindex, BR_SSL_CLOSED);
}
for(i = 0; i < backend->anchors_len; ++i)
free(backend->anchors[i].dn.data);

61
lib/vtls/gskit.c
View File

@ -610,10 +610,10 @@ static void close_one(struct ssl_connect_data *connssl, struct Curl_easy *data,
}
static ssize_t real_gskit_send(struct Curl_easy *data,
struct connectdata *conn, int sockindex,
const void *mem, size_t len, CURLcode *curlcode)
static ssize_t gskit_send(struct connectdata *conn, int sockindex,
const void *mem, size_t len, CURLcode *curlcode)
{
struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode cc = CURLE_SEND_ERROR;
int written;
@ -634,17 +634,11 @@ static ssize_t real_gskit_send(struct Curl_easy *data,
return (ssize_t) written; /* number of bytes */
}
static ssize_t gskit_send(struct connectdata *conn, int sockindex,
const void *mem, size_t len, CURLcode *curlcode)
{
return real_gskit_send(conn->data, conn, sockindex, mem, len, curlcode);
}
static ssize_t real_gskit_recv(struct Curl_easy *data,
struct connectdata *conn, int num, char *buf,
static ssize_t gskit_recv(struct Curl_easy *data, int num, char *buf,
size_t buffersize, CURLcode *curlcode)
{
struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[num];
int nread;
CURLcode cc = CURLE_RECV_ERROR;
@ -668,12 +662,6 @@ static ssize_t real_gskit_recv(struct Curl_easy *data,
return (ssize_t) nread;
}
static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf,
size_t buffersize, CURLcode *curlcode)
{
return real_gskit_recv(conn->data, conn, num, buf, buffersize, curlcode);
}
static CURLcode
set_ssl_version_min_max(unsigned int *protoflags, struct Curl_easy *data)
{
@ -1137,9 +1125,9 @@ static CURLcode gskit_connect_common(struct Curl_easy *data,
}
static CURLcode real_gskit_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
static CURLcode gskit_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
CURLcode result;
@ -1149,15 +1137,9 @@ static CURLcode real_gskit_connect_nonblocking(struct Curl_easy *data,
return result;
}
static CURLcode gskit_connect_nonblocking(struct connectdata *conn,
int sockindex, bool *done)
{
return real_gskit_connect_nonblocking(conn->data, conn, sockindex, done);
}
static CURLcode real_gskit_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
static CURLcode gskit_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done;
@ -1172,27 +1154,17 @@ static CURLcode real_gskit_connect(struct Curl_easy *data,
return CURLE_OK;
}
static CURLcode gskit_connect(struct connectdata *conn, int sockindex)
{
return real_gskit_connect(conn->data, conn, sockindex);
}
static void real_gskit_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
static void gskit_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
close_one(&conn->ssl[sockindex], data, conn, sockindex);
close_one(&conn->proxy_ssl[sockindex], data, conn, sockindex);
}
static void gskit_close(struct connectdata *conn, int sockindex)
{
real_gskit_close(conn->data, conn, sockindex);
}
static int real_gskit_shutdown(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
static int gskit_shutdown(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
int what;
@ -1247,11 +1219,6 @@ static int real_gskit_shutdown(struct Curl_easy *data,
return rc;
}
static int gskit_shutdown(struct connectdata *conn, int sockindex)
{
return real_gskit_shutdown(conn->data, conn, sockindex);
}
static size_t gskit_version(char *buffer, size_t size)
{

70
lib/vtls/gtls.c
View File

@ -200,12 +200,12 @@ static void unload_file(gnutls_datum_t data)
/* this function does a SSL/TLS (re-)handshake */
static CURLcode handshake(struct connectdata *conn,
static CURLcode handshake(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool duringconnect,
bool nonblocking)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
gnutls_session_t session = backend->session;
@ -314,9 +314,9 @@ static gnutls_x509_crt_fmt_t do_file_type(const char *type)
#define GNUTLS_SRP "+SRP"
static CURLcode
set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
set_ssl_version_min_max(const char **prioritylist, struct Curl_easy *data)
{
struct Curl_easy *data = conn->data;
struct connectdata *conn = data->conn;
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
@ -379,10 +379,10 @@ set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
}
static CURLcode
gtls_connect_step1(struct connectdata *conn,
gtls_connect_step1(struct Curl_easy *data,
struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
unsigned int init_flags;
@ -568,7 +568,7 @@ gtls_connect_step1(struct connectdata *conn,
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
CURLcode result = set_ssl_version_min_max(&prioritylist, conn);
CURLcode result = set_ssl_version_min_max(&prioritylist, data);
if(result != CURLE_OK)
return result;
break;
@ -731,15 +731,16 @@ gtls_connect_step1(struct connectdata *conn,
void *ssl_sessionid;
size_t ssl_idsize;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn,
&ssl_sessionid, &ssl_idsize, sockindex)) {
/* we got a session id, use it! */
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
return CURLE_OK;
@ -807,7 +808,8 @@ static Curl_recv gtls_recv;
static Curl_send gtls_send;
static CURLcode
gtls_connect_step3(struct connectdata *conn,
gtls_connect_step3(struct Curl_easy *data,
struct connectdata *conn,
int sockindex)
{
unsigned int cert_list_size;
@ -820,7 +822,6 @@ gtls_connect_step3(struct connectdata *conn,
size_t size;
time_t certclock;
const char *ptr;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
gnutls_session_t session = backend->session;
@ -1290,19 +1291,19 @@ gtls_connect_step3(struct connectdata *conn,
/* extract session ID to the allocated buffer */
gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
Curl_ssl_sessionid_lock(conn);
incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
Curl_ssl_sessionid_lock(data);
incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
sockindex));
if(incache) {
/* there was one before in the cache, so instead of risking that the
previous one was rejected, we just kill that and store the new */
Curl_ssl_delsessionid(conn, ssl_sessionid);
Curl_ssl_delsessionid(data, ssl_sessionid);
}
/* store this session id */
result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
sockindex);
Curl_ssl_sessionid_unlock(conn);
result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
connect_idsize, sockindex);
Curl_ssl_sessionid_unlock(data);
if(result) {
free(connect_sessionid);
result = CURLE_OUT_OF_MEMORY;
@ -1326,7 +1327,8 @@ gtls_connect_step3(struct connectdata *conn,
'ssl_connect_2_writing' (waiting to be able to write).
*/
static CURLcode
gtls_connect_common(struct connectdata *conn,
gtls_connect_common(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
@ -1336,19 +1338,19 @@ gtls_connect_common(struct connectdata *conn,
/* Initiate the connection, if not already done */
if(ssl_connect_1 == connssl->connecting_state) {
rc = gtls_connect_step1(conn, sockindex);
rc = gtls_connect_step1(data, conn, sockindex);
if(rc)
return rc;
}
rc = handshake(conn, sockindex, TRUE, nonblocking);
rc = handshake(data, conn, sockindex, TRUE, nonblocking);
if(rc)
/* handshake() sets its own error message with failf() */
return rc;
/* Finish connecting once the handshake is done */
if(ssl_connect_1 == connssl->connecting_state) {
rc = gtls_connect_step3(conn, sockindex);
rc = gtls_connect_step3(data, conn, sockindex);
if(rc)
return rc;
}
@ -1358,18 +1360,20 @@ gtls_connect_common(struct connectdata *conn,
return CURLE_OK;
}
static CURLcode gtls_connect_nonblocking(struct connectdata *conn,
static CURLcode gtls_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
return gtls_connect_common(conn, sockindex, TRUE, done);
return gtls_connect_common(data, conn, sockindex, TRUE, done);
}
static CURLcode gtls_connect(struct connectdata *conn, int sockindex)
static CURLcode gtls_connect(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode result;
bool done = FALSE;
result = gtls_connect_common(conn, sockindex, FALSE, &done);
result = gtls_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
@ -1441,8 +1445,10 @@ static void close_one(struct ssl_connect_data *connssl)
#endif
}
static void gtls_close(struct connectdata *conn, int sockindex)
static void gtls_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
(void) data;
close_one(&conn->ssl[sockindex]);
#ifndef CURL_DISABLE_PROXY
close_one(&conn->proxy_ssl[sockindex]);
@ -1453,12 +1459,12 @@ static void gtls_close(struct connectdata *conn, int sockindex)
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
static int gtls_shutdown(struct connectdata *conn, int sockindex)
static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
int retval = 0;
struct Curl_easy *data = conn->data;
#ifndef CURL_DISABLE_FTP
/* This has only been tested on the proftpd server, and the mod_tls code
@ -1547,7 +1553,7 @@ static ssize_t gtls_recv(struct Curl_easy *data, /* connection data */
if(ret == GNUTLS_E_REHANDSHAKE) {
/* BLOCKING call, this is bad but a work-around for now. Fixing this "the
proper way" takes a whole lot of work. */
CURLcode result = handshake(conn, num, FALSE, FALSE);
CURLcode result = handshake(data, conn, num, FALSE, FALSE);
if(result)
/* handshake() writes error message on its own */
*curlcode = result;
@ -1557,7 +1563,7 @@ static ssize_t gtls_recv(struct Curl_easy *data, /* connection data */
}
if(ret < 0) {
failf(conn->data, "GnuTLS recv error (%d): %s",
failf(data, "GnuTLS recv error (%d): %s",
(int)ret, gnutls_strerror((int)ret));
*curlcode = CURLE_RECV_ERROR;
@ -1606,7 +1612,7 @@ static CURLcode gtls_random(struct Curl_easy *data,
return rc?CURLE_FAILED_INIT:CURLE_OK;
#elif defined(USE_GNUTLS)
if(data)
Curl_gtls_seed(data); /* Initiate the seed if not already done */
gtls_seed(data); /* Initiate the seed if not already done */
gcry_randomize(entropy, length, GCRY_STRONG_RANDOM);
#endif
return CURLE_OK;

59
lib/vtls/mbedtls.c
View File

@ -196,9 +196,9 @@ static CURLcode mbedtls_version_from_curl(int *mbedver, long version)
}
static CURLcode
set_ssl_version_min_max(struct connectdata *conn, int sockindex)
set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_1;
@ -241,10 +241,9 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
}
static CURLcode
mbed_connect_step1(struct connectdata *conn,
mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
@ -427,7 +426,7 @@ mbed_connect_step1(struct connectdata *conn,
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
CURLcode result = set_ssl_version_min_max(conn, sockindex);
CURLcode result = set_ssl_version_min_max(data, conn, sockindex);
if(result != CURLE_OK)
return result;
break;
@ -463,17 +462,17 @@ mbed_connect_step1(struct connectdata *conn,
if(SSL_SET_OPTION(primary.sessionid)) {
void *old_session = NULL;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
if(ret) {
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
return CURLE_SSL_CONNECT_ERROR;
}
infof(data, "mbedTLS re-using session\n");
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
mbedtls_ssl_conf_ca_chain(&backend->config,
@ -541,11 +540,10 @@ mbed_connect_step1(struct connectdata *conn,
}
static CURLcode
mbed_connect_step2(struct connectdata *conn,
mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
int ret;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
const mbedtls_x509_crt *peercert;
@ -713,13 +711,12 @@ mbed_connect_step2(struct connectdata *conn,
}
static CURLcode
mbed_connect_step3(struct connectdata *conn,
mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode retcode = CURLE_OK;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
struct Curl_easy *data = conn->data;
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
@ -744,12 +741,13 @@ mbed_connect_step3(struct connectdata *conn,
}
/* If there's already a matching session in the cache, delete it */
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
Curl_ssl_delsessionid(conn, old_ssl_sessionid);
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
Curl_ssl_delsessionid(data, old_ssl_sessionid);
retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
Curl_ssl_sessionid_unlock(conn);
retcode = Curl_ssl_addsessionid(data, conn,
our_ssl_sessionid, 0, sockindex);
Curl_ssl_sessionid_unlock(data);
if(retcode) {
mbedtls_ssl_session_free(our_ssl_sessionid);
free(our_ssl_sessionid);
@ -788,10 +786,13 @@ static void mbedtls_close_all(struct Curl_easy *data)
(void)data;
}
static void mbedtls_close(struct connectdata *conn, int sockindex)
static void mbedtls_close(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
(void) data;
mbedtls_pk_free(&backend->pk);
mbedtls_x509_crt_free(&backend->clicert);
mbedtls_x509_crt_free(&backend->cacert);
@ -899,13 +900,13 @@ static CURLcode mbedtls_random(struct Curl_easy *data,
}
static CURLcode
mbed_connect_common(struct connectdata *conn,
mbed_connect_common(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode retcode;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
timediff_t timeout_ms;
@ -926,7 +927,7 @@ mbed_connect_common(struct connectdata *conn,
failf(data, "SSL connection timeout");
return CURLE_OPERATION_TIMEDOUT;
}
retcode = mbed_connect_step1(conn, sockindex);
retcode = mbed_connect_step1(data, conn, sockindex);
if(retcode)
return retcode;
}
@ -981,7 +982,7 @@ mbed_connect_common(struct connectdata *conn,
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
retcode = mbed_connect_step2(conn, sockindex);
retcode = mbed_connect_step2(data, conn, sockindex);
if(retcode || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
@ -991,7 +992,7 @@ mbed_connect_common(struct connectdata *conn,
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
retcode = mbed_connect_step3(conn, sockindex);
retcode = mbed_connect_step3(data, conn, sockindex);
if(retcode)
return retcode;
}
@ -1011,19 +1012,21 @@ mbed_connect_common(struct connectdata *conn,
return CURLE_OK;
}
static CURLcode mbedtls_connect_nonblocking(struct connectdata *conn,
static CURLcode mbedtls_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
return mbed_connect_common(conn, sockindex, TRUE, done);
return mbed_connect_common(data, conn, sockindex, TRUE, done);
}
static CURLcode mbedtls_connect(struct connectdata *conn, int sockindex)
static CURLcode mbedtls_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
CURLcode retcode;
bool done = FALSE;
retcode = mbed_connect_common(conn, sockindex, FALSE, &done);
retcode = mbed_connect_common(data, conn, sockindex, FALSE, &done);
if(retcode)
return retcode;

104
lib/vtls/mesalink.c
View File

@ -89,10 +89,10 @@ static int do_file_type(const char *type)
* layer and do all necessary magic.
*/
static CURLcode
mesalink_connect_step1(struct connectdata *conn, int sockindex)
mesalink_connect_step1(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
char *ciphers;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct in_addr addr4;
#ifdef ENABLE_IPV6
@ -260,11 +260,11 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
failf(
data,
"SSL: SSL_set_session failed: %s",
@ -274,7 +274,7 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
#endif /* MESALINK_HAVE_SESSION */
@ -288,10 +288,10 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex)
}
static CURLcode
mesalink_connect_step2(struct connectdata *conn, int sockindex)
mesalink_connect_step2(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
int ret = -1;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
conn->recv[sockindex] = mesalink_recv;
@ -348,27 +348,28 @@ mesalink_connect_step3(struct connectdata *conn, int sockindex)
our_ssl_sessionid = SSL_get_session(BACKEND->handle);
Curl_ssl_sessionid_lock(conn);
Curl_ssl_sessionid_lock(data);
incache =
!(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
!(Curl_ssl_getsessionid(data, conn,
&old_ssl_sessionid, NULL, sockindex));
if(incache) {
if(old_ssl_sessionid != our_ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
Curl_ssl_delsessionid(conn, old_ssl_sessionid);
Curl_ssl_delsessionid(data, old_ssl_sessionid);
incache = FALSE;
}
}
if(!incache) {
result = Curl_ssl_addsessionid(
conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
if(result) {
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
failf(data, "failed to store ssl session");
return result;
}
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
#endif /* MESALINK_HAVE_SESSION */
@ -408,10 +409,12 @@ mesalink_send(struct Curl_easy *data, int sockindex, const void *mem,
}
static void
Curl_mesalink_close(struct connectdata *conn, int sockindex)
mesalink_close(struct Curl_easy *data, struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
(void) data;
if(BACKEND->handle) {
(void)SSL_shutdown(BACKEND->handle);
SSL_free(BACKEND->handle);
@ -458,13 +461,13 @@ mesalink_recv(struct Curl_easy *data, int num, char *buf, size_t buffersize,
}
static size_t
Curl_mesalink_version(char *buffer, size_t size)
mesalink_version(char *buffer, size_t size)
{
return msnprintf(buffer, size, "MesaLink/%s", MESALINK_VERSION_STRING);
}
static int
Curl_mesalink_init(void)
mesalink_init(void)
{
return (SSL_library_init() == SSL_SUCCESS);
}
@ -474,11 +477,14 @@ Curl_mesalink_init(void)
* socket open (CCC - Clear Command Channel)
*/
static int
Curl_mesalink_shutdown(struct connectdata *conn, int sockindex)
mesalink_shutdown(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
(void) data;
if(BACKEND->handle) {
SSL_free(BACKEND->handle);
BACKEND->handle = NULL;
@ -487,11 +493,10 @@ Curl_mesalink_shutdown(struct connectdata *conn, int sockindex)
}
static CURLcode
mesalink_connect_common(struct connectdata *conn, int sockindex,
bool nonblocking, bool *done)
mesalink_connect_common(struct Curl_easy *data, struct connectdata *conn,
int sockindex, bool nonblocking, bool *done)
{
CURLcode result;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
timediff_t timeout_ms;
@ -513,7 +518,7 @@ mesalink_connect_common(struct connectdata *conn, int sockindex,
return CURLE_OPERATION_TIMEDOUT;
}
result = mesalink_connect_step1(conn, sockindex);
result = mesalink_connect_step1(data, conn, sockindex);
if(result)
return result;
}
@ -570,7 +575,7 @@ mesalink_connect_common(struct connectdata *conn, int sockindex,
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
result = mesalink_connect_step2(conn, sockindex);
result = mesalink_connect_step2(data, conn, sockindex);
if(result ||
(nonblocking && (ssl_connect_2 == connssl->connecting_state ||
@ -602,19 +607,20 @@ mesalink_connect_common(struct connectdata *conn, int sockindex,
}
static CURLcode
Curl_mesalink_connect_nonblocking(struct connectdata *conn, int sockindex,
bool *done)
mesalink_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
int sockindex, bool *done)
{
return mesalink_connect_common(conn, sockindex, TRUE, done);
return mesalink_connect_common(data, conn, sockindex, TRUE, done);
}
static CURLcode
Curl_mesalink_connect(struct connectdata *conn, int sockindex)
mesalink_connect(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode result;
bool done = FALSE;
result = mesalink_connect_common(conn, sockindex, FALSE, &done);
result = mesalink_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
@ -624,8 +630,8 @@ Curl_mesalink_connect(struct connectdata *conn, int sockindex)
}
static void *
Curl_mesalink_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
mesalink_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
{
(void)info;
return BACKEND->handle;
@ -638,26 +644,26 @@ const struct Curl_ssl Curl_ssl_mesalink = {
sizeof(struct ssl_backend_data),
Curl_mesalink_init, /* init */
Curl_none_cleanup, /* cleanup */
Curl_mesalink_version, /* version */
Curl_none_check_cxn, /* check_cxn */
Curl_mesalink_shutdown, /* shutdown */
Curl_none_data_pending, /* data_pending */
Curl_none_random, /* random */
mesalink_init, /* init */
Curl_none_cleanup, /* cleanup */
mesalink_version, /* version */
Curl_none_check_cxn, /* check_cxn */
mesalink_shutdown, /* shutdown */
Curl_none_data_pending, /* data_pending */
Curl_none_random, /* random */
Curl_none_cert_status_request, /* cert_status_request */
Curl_mesalink_connect, /* connect */
Curl_mesalink_connect_nonblocking, /* connect_nonblocking */
Curl_mesalink_get_internals, /* get_internals */
Curl_mesalink_close, /* close_one */
Curl_none_close_all, /* close_all */
Curl_none_session_free, /* session_free */
Curl_none_set_engine, /* set_engine */
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
Curl_none_false_start, /* false_start */
Curl_none_md5sum, /* md5sum */
NULL /* sha256sum */
mesalink_connect, /* connect */
mesalink_connect_nonblocking, /* connect_nonblocking */
mesalink_get_internals, /* get_internals */
mesalink_close, /* close_one */
Curl_none_close_all, /* close_all */
Curl_none_session_free, /* session_free */
Curl_none_set_engine, /* set_engine */
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
Curl_none_false_start, /* false_start */
Curl_none_md5sum, /* md5sum */
NULL /* sha256sum */
};
#endif

115
lib/vtls/nss.c
View File

@ -443,7 +443,7 @@ static CURLcode insert_wrapped_ptr(struct Curl_llist *list, void *ptr)
/* Call PK11_CreateGenericObject() with the given obj_class and filename. If
* the call succeeds, append the object handle to the list of objects so that
* the object can be destroyed in Curl_nss_close(). */
* the object can be destroyed in nss_close(). */
static CURLcode nss_create_object(struct ssl_connect_data *connssl,
CK_OBJECT_CLASS obj_class,
const char *filename, bool cacert)
@ -508,7 +508,7 @@ static CURLcode nss_create_object(struct ssl_connect_data *connssl,
/* Destroy the NSS object whose handle is given by ptr. This function is
* a callback of Curl_llist_alloc() used by Curl_llist_destroy() to destroy
* NSS objects in Curl_nss_close() */
* NSS objects in nss_close() */
static void nss_destroy_object(void *user, void *ptr)
{
struct ptr_list_wrap *wrap = (struct ptr_list_wrap *) ptr;
@ -665,14 +665,13 @@ fail:
return CURLE_SSL_CRL_BADFILE;
}
static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
char *key_file)
static CURLcode nss_load_key(struct Curl_easy *data, struct connectdata *conn,
int sockindex, char *key_file)
{
PK11SlotInfo *slot, *tmp;
SECStatus status;
CURLcode result;
struct ssl_connect_data *ssl = conn->ssl;
struct Curl_easy *data = conn->data;
(void)sockindex; /* unused */
@ -701,15 +700,15 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
return (SECSuccess == status) ? CURLE_OK : CURLE_SSL_CERTPROBLEM;
}
static int display_error(struct connectdata *conn, PRInt32 err,
static int display_error(struct Curl_easy *data, PRInt32 err,
const char *filename)
{
switch(err) {
case SEC_ERROR_BAD_PASSWORD:
failf(conn->data, "Unable to load client key: Incorrect password");
failf(data, "Unable to load client key: Incorrect password");
return 1;
case SEC_ERROR_UNKNOWN_CERT:
failf(conn->data, "Unable to load certificate %s", filename);
failf(data, "Unable to load certificate %s", filename);
return 1;
default:
break;
@ -717,17 +716,16 @@ static int display_error(struct connectdata *conn, PRInt32 err,
return 0; /* The caller will print a generic error */
}
static CURLcode cert_stuff(struct connectdata *conn, int sockindex,
char *cert_file, char *key_file)
static CURLcode cert_stuff(struct Curl_easy *data, struct connectdata *conn,
int sockindex, char *cert_file, char *key_file)
{
struct Curl_easy *data = conn->data;
CURLcode result;
if(cert_file) {
result = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
if(result) {
const PRErrorCode err = PR_GetError();
if(!display_error(conn, err, cert_file)) {
if(!display_error(data, err, cert_file)) {
const char *err_name = nss_error_to_name(err);
failf(data, "unable to load client cert: %d (%s)", err, err_name);
}
@ -738,13 +736,13 @@ static CURLcode cert_stuff(struct connectdata *conn, int sockindex,
if(key_file || (is_file(cert_file))) {
if(key_file)
result = nss_load_key(conn, sockindex, key_file);
result = nss_load_key(data, conn, sockindex, key_file);
else
/* In case the cert file also has the key */
result = nss_load_key(conn, sockindex, cert_file);
result = nss_load_key(data, conn, sockindex, cert_file);
if(result) {
const PRErrorCode err = PR_GetError();
if(!display_error(conn, err, key_file)) {
if(!display_error(data, err, key_file)) {
const char *err_name = nss_error_to_name(err);
failf(data, "unable to load client key: %d (%s)", err, err_name);
}
@ -771,7 +769,8 @@ static char *nss_get_password(PK11SlotInfo *slot, PRBool retry, void *arg)
static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
PRBool isServer)
{
struct connectdata *conn = (struct connectdata *)arg;
struct Curl_easy *data = (struct Curl_easy *)arg;
struct connectdata *conn = data->conn;
#ifdef SSL_ENABLE_OCSP_STAPLING
if(SSL_CONN_CONFIG(verifystatus)) {
@ -779,12 +778,12 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd);
if(!csa) {
failf(conn->data, "Invalid OCSP response");
failf(data, "Invalid OCSP response");
return SECFailure;
}
if(csa->len == 0) {
failf(conn->data, "No OCSP response received");
failf(data, "No OCSP response received");
return SECFailure;
}
@ -794,14 +793,14 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
);
if(cacheResult != SECSuccess) {
failf(conn->data, "Invalid OCSP response");
failf(data, "Invalid OCSP response");
return cacheResult;
}
}
#endif
if(!SSL_CONN_CONFIG(verifypeer)) {
infof(conn->data, "skipping SSL peer certificate verification\n");
infof(data, "skipping SSL peer certificate verification\n");
return SECSuccess;
}
@ -813,8 +812,8 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
*/
static void HandshakeCallback(PRFileDesc *sock, void *arg)
{
struct connectdata *conn = (struct connectdata*) arg;
struct Curl_easy *data = conn->data;
struct Curl_easy *data = (struct Curl_easy *)arg;
struct connectdata *conn = data->conn;
unsigned int buflenmax = 50;
unsigned char buf[50];
unsigned int buflen;
@ -857,7 +856,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
!memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) {
conn->negnpn = CURL_HTTP_VERSION_1_1;
}
Curl_multiuse_state(conn->data, conn->negnpn == CURL_HTTP_VERSION_2 ?
Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
}
}
@ -866,8 +865,7 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data,
PRBool *canFalseStart)
{
struct connectdata *conn = client_data;
struct Curl_easy *data = conn->data;
struct Curl_easy *data = (struct Curl_easy *)client_data;
SSLChannelInfo channelInfo;
SSLCipherSuiteInfo cipherInfo;
@ -950,10 +948,9 @@ static void display_cert_info(struct Curl_easy *data,
PR_Free(common_name);
}
static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
{
CURLcode result = CURLE_OK;
struct Curl_easy *data = conn->data;
SSLChannelInfo channel;
SSLCipherSuiteInfo suite;
CERTCertificate *cert;
@ -1023,8 +1020,8 @@ static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
{
struct connectdata *conn = (struct connectdata *)arg;
struct Curl_easy *data = conn->data;
struct Curl_easy *data = (struct Curl_easy *)arg;
struct connectdata *conn = data->conn;
PRErrorCode err = PR_GetError();
CERTCertificate *cert;
@ -1549,7 +1546,8 @@ static void close_one(struct ssl_connect_data *connssl)
/*
* This function is called when an SSL connection is closed.
*/
static void nss_close(struct connectdata *conn, int sockindex)
static void nss_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
#ifndef CURL_DISABLE_PROXY
@ -1557,6 +1555,7 @@ static void nss_close(struct connectdata *conn, int sockindex)
#endif
struct ssl_backend_data *backend = connssl->backend;
(void)data;
if(backend->handle
#ifndef CURL_DISABLE_PROXY
|| connssl_proxy->backend->handle
@ -1613,10 +1612,10 @@ static bool is_cc_error(PRInt32 err)
static Curl_recv nss_recv;
static Curl_send nss_send;
static CURLcode nss_load_ca_certificates(struct connectdata *conn,
static CURLcode nss_load_ca_certificates(struct Curl_easy *data,
struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
const char *cafile = SSL_CONN_CONFIG(CAfile);
const char *capath = SSL_CONN_CONFIG(CApath);
bool use_trust_module;
@ -1821,14 +1820,14 @@ static CURLcode nss_set_blocking(struct ssl_connect_data *connssl,
return CURLE_OK;
}
static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
static CURLcode nss_setup_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
PRFileDesc *model = NULL;
PRFileDesc *nspr_io = NULL;
PRFileDesc *nspr_io_stub = NULL;
PRBool ssl_no_cache;
PRBool ssl_cbc_random_iv;
struct Curl_easy *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
@ -1851,11 +1850,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
backend->data = data;
/* list of all NSS objects we need to destroy in Curl_nss_close() */
/* list of all NSS objects we need to destroy in nss_do_close() */
Curl_llist_init(&backend->obj_list, nss_destroy_object);
PR_Lock(nss_initlock);
result = nss_setup(conn->data);
result = nss_setup(data);
if(result) {
PR_Unlock(nss_initlock);
goto error;
@ -1935,20 +1934,20 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
/* bypass the default SSL_AuthCertificate() hook in case we do not want to
* verify peer */
if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, conn) != SECSuccess)
if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, data) != SECSuccess)
goto error;
/* not checked yet */
SSL_SET_OPTION_LVALUE(certverifyresult) = 0;
if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
if(SSL_BadCertHook(model, BadCertHandler, data) != SECSuccess)
goto error;
if(SSL_HandshakeCallback(model, HandshakeCallback, conn) != SECSuccess)
if(SSL_HandshakeCallback(model, HandshakeCallback, data) != SECSuccess)
goto error;
{
const CURLcode rv = nss_load_ca_certificates(conn, sockindex);
const CURLcode rv = nss_load_ca_certificates(data, conn, sockindex);
if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer))
/* not a fatal error because we are not going to verify the peer */
infof(data, "warning: CA certificates failed to load\n");
@ -1974,7 +1973,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
backend->obj_clicert = NULL;
}
else {
CURLcode rv = cert_stuff(conn, sockindex,
CURLcode rv = cert_stuff(data, conn, sockindex,
SSL_SET_OPTION(primary.clientcert),
SSL_SET_OPTION(key));
if(rv) {
@ -2073,7 +2072,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
goto error;
if(SSL_SetCanFalseStartCallback(backend->handle, CanFalseStartCallback,
conn) != SECSuccess)
data) != SECSuccess)
goto error;
}
#endif
@ -2127,11 +2126,11 @@ error:
return nss_fail_connect(connssl, data, result);
}
static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
static CURLcode nss_do_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
struct Curl_easy *data = conn->data;
CURLcode result = CURLE_SSL_CONNECT_ERROR;
PRUint32 timeout;
@ -2156,7 +2155,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
goto error;
}
result = display_conn_info(conn, backend->handle);
result = display_conn_info(data, backend->handle);
if(result)
goto error;
@ -2190,11 +2189,11 @@ error:
return nss_fail_connect(connssl, data, result);
}
static CURLcode nss_connect_common(struct connectdata *conn, int sockindex,
static CURLcode nss_connect_common(struct Curl_easy *data,
struct connectdata *conn, int sockindex,
bool *done)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct Curl_easy *data = conn->data;
const bool blocking = (done == NULL);
CURLcode result;
@ -2205,7 +2204,7 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex,
}
if(connssl->connecting_state == ssl_connect_1) {
result = nss_setup_connect(conn, sockindex);
result = nss_setup_connect(data, conn, sockindex);
if(result)
/* we do not expect CURLE_AGAIN from nss_setup_connect() */
return result;
@ -2218,7 +2217,7 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex,
if(result)
return result;
result = nss_do_connect(conn, sockindex);
result = nss_do_connect(data, conn, sockindex);
switch(result) {
case CURLE_OK:
break;
@ -2251,15 +2250,17 @@ static CURLcode nss_connect_common(struct connectdata *conn, int sockindex,
return CURLE_OK;
}
static CURLcode nss_connect(struct connectdata *conn, int sockindex)
static CURLcode nss_connect(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
return nss_connect_common(conn, sockindex, /* blocking */ NULL);
return nss_connect_common(data, conn, sockindex, /* blocking */ NULL);
}
static CURLcode nss_connect_nonblocking(struct connectdata *conn,
static CURLcode nss_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
return nss_connect_common(conn, sockindex, done);
return nss_connect_common(data, conn, sockindex, done);
}
static ssize_t nss_send(struct Curl_easy *data, /* transfer */
@ -2288,7 +2289,7 @@ static ssize_t nss_send(struct Curl_easy *data, /* transfer */
infof(data, "SSL write: error %d (%s)\n", err, err_name);
/* print a human-readable message describing the error if available */
nss_print_error_message(conn->data, err);
nss_print_error_message(data, err);
*curlcode = (is_cc_error(err))
? CURLE_SSL_CERTPROBLEM
@ -2303,8 +2304,8 @@ static ssize_t nss_send(struct Curl_easy *data, /* transfer */
static ssize_t nss_recv(struct Curl_easy *data, /* transfer */
int sockindex, /* socketindex */
char *buf, /* store read data here */
size_t buffersize, /* max amount to read */
char *buf, /* store read data here */
size_t buffersize, /* max amount to read */
CURLcode *curlcode)
{
struct connectdata *conn = data->conn;
@ -2330,7 +2331,7 @@ static ssize_t nss_recv(struct Curl_easy *data, /* transfer */
infof(data, "SSL read: errno %d (%s)\n", err, err_name);
/* print a human-readable message describing the error if available */
nss_print_error_message(conn->data, err);
nss_print_error_message(data, err);
*curlcode = (is_cc_error(err))
? CURLE_SSL_CERTPROBLEM

133
lib/vtls/openssl.c
View File

@ -362,6 +362,18 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size)
return buf;
}
/* Return an extra data index for the transfer data.
* This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
*/
static int ossl_get_ssl_data_index(void)
{
static int ssl_ex_data_data_index = -1;
if(ssl_ex_data_data_index < 0) {
ssl_ex_data_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
}
return ssl_ex_data_data_index;
}
/* Return an extra data index for the connection data.
* This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
*/
@ -572,8 +584,7 @@ static bool is_pkcs11_uri(const char *string)
#endif
static CURLcode ossl_set_engine(struct Curl_easy *data,
const char *engine);
static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine);
static int
SSL_CTX_use_certificate_bio(SSL_CTX *ctx, BIO *in, int type,
@ -700,7 +711,7 @@ SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO* in,
}
static
int cert_stuff(struct connectdata *conn,
int cert_stuff(struct Curl_easy *data,
SSL_CTX* ctx,
char *cert_file,
BIO *cert_bio,
@ -710,7 +721,6 @@ int cert_stuff(struct connectdata *conn,
const char *key_type,
char *key_passwd)
{
struct Curl_easy *data = conn->data;
char error_buffer[256];
bool check_privkey = TRUE;
@ -1161,7 +1171,8 @@ static int ossl_init(void)
Curl_tls_keylog_open();
/* Initialize the extra data indexes */
if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
ossl_get_ssl_sockindex_index() < 0)
return 0;
return 1;
@ -1258,8 +1269,7 @@ static int ossl_check_cxn(struct connectdata *conn)
/* Selects an OpenSSL crypto engine
*/
static CURLcode ossl_set_engine(struct Curl_easy *data,
const char *engine)
static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
{
#ifdef USE_OPENSSL_ENGINE
ENGINE *e;
@ -1365,8 +1375,10 @@ static void ossl_closeone(struct ssl_connect_data *connssl)
/*
* This function is called when an SSL connection is closed.
*/
static void ossl_close(struct connectdata *conn, int sockindex)
static void ossl_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
(void) data;
ossl_closeone(&conn->ssl[sockindex]);
#ifndef CURL_DISABLE_PROXY
ossl_closeone(&conn->proxy_ssl[sockindex]);
@ -1377,11 +1389,11 @@ static void ossl_close(struct connectdata *conn, int sockindex)
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
static int ossl_shutdown(struct connectdata *conn, int sockindex)
static int ossl_shutdown(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct Curl_easy *data = conn->data;
char buf[256]; /* We will use this for the OpenSSL error buffer, so it has
to be at least 256 bytes long. */
unsigned long sslerror;
@ -1582,12 +1594,12 @@ static bool subj_alt_hostcheck(struct Curl_easy *data,
in the certificate and must exactly match the IP in the URI.
*/
static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
static CURLcode verifyhost(struct Curl_easy *data, struct connectdata *conn,
X509 *server_cert)
{
bool matched = FALSE;
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
size_t addrlen = 0;
struct Curl_easy *data = conn->data;
STACK_OF(GENERAL_NAME) *altnames;
#ifdef ENABLE_IPV6
struct in6_addr addr;
@ -1782,14 +1794,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
static CURLcode verifystatus(struct connectdata *conn,
static CURLcode verifystatus(struct Curl_easy *data,
struct ssl_connect_data *connssl)
{
int i, ocsp_status;
unsigned char *status;
const unsigned char *p;
CURLcode result = CURLE_OK;
struct Curl_easy *data = conn->data;
OCSP_RESPONSE *rsp = NULL;
OCSP_BASICRESP *br = NULL;
X509_STORE *st = NULL;
@ -2359,16 +2370,14 @@ typedef long ctx_option_t;
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */
static CURLcode
set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
struct connectdata *conn, int sockindex)
struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
#if (OPENSSL_VERSION_NUMBER < 0x1000100FL) || !defined(TLS1_3_VERSION)
/* convoluted #if condition just to avoid compiler warnings on unused
variable */
struct Curl_easy *data = conn->data;
#endif
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
(void) data; /* In case it's unused. */
switch(ssl_version) {
case CURL_SSLVERSION_TLSv1_3:
#ifdef TLS1_3_VERSION
@ -2443,17 +2452,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
struct Curl_easy *data;
int sockindex;
curl_socket_t *sockindex_ptr;
int data_idx = ossl_get_ssl_data_index();
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
if(connectdata_idx < 0 || sockindex_idx < 0)
if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
return 0;
conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
if(!conn)
return 0;
data = conn->data;
data = (struct Curl_easy *) SSL_get_ex_data(ssl, data_idx);
/* The sockindex has been stored as a pointer to an array element */
sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
@ -2463,19 +2473,19 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
bool incache;
void *old_ssl_sessionid = NULL;
Curl_ssl_sessionid_lock(conn);
incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
Curl_ssl_sessionid_lock(data);
incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
sockindex));
if(incache) {
if(old_ssl_sessionid != ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
Curl_ssl_delsessionid(conn, old_ssl_sessionid);
Curl_ssl_delsessionid(data, old_ssl_sessionid);
incache = FALSE;
}
}
if(!incache) {
if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
0 /* unknown size */, sockindex)) {
/* the session has been put into the session cache */
res = 1;
@ -2483,17 +2493,17 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
else
failf(data, "failed to store ssl session");
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
return res;
}
static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
static CURLcode ossl_connect_step1(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
CURLcode result = CURLE_OK;
char *ciphers;
struct Curl_easy *data = conn->data;
SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
X509_LOOKUP *lookup = NULL;
curl_socket_t sockfd = conn->sock[sockindex];
@ -2714,7 +2724,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
result = set_ssl_version_min_max(backend->ctx, conn);
#else
result = set_ssl_version_min_max_legacy(&ctx_options, conn, sockindex);
result = set_ssl_version_min_max_legacy(&ctx_options, data, conn,
sockindex);
#endif
if(result != CURLE_OK)
return result;
@ -2782,7 +2793,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
result = CURLE_OUT_OF_MEMORY;
}
if(!result &&
!cert_stuff(conn, backend->ctx,
!cert_stuff(data, backend->ctx,
ssl_cert, ssl_cert_bio, ssl_cert_type,
SSL_SET_OPTION(key), ssl_key_bio,
SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd)))
@ -3187,21 +3198,23 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
/* Check if there's a cached ID we can/should use here! */
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
int data_idx = ossl_get_ssl_data_index();
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
if(connectdata_idx >= 0 && sockindex_idx >= 0) {
if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
/* Store the data needed for the "new session" callback.
* The sockindex is stored as a pointer to an array element. */
SSL_set_ex_data(backend->handle, data_idx, data);
SSL_set_ex_data(backend->handle, connectdata_idx, conn);
SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
}
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
failf(data, "SSL: SSL_set_session failed: %s",
ossl_strerror(ERR_get_error(), error_buffer,
sizeof(error_buffer)));
@ -3210,7 +3223,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
#ifndef CURL_DISABLE_PROXY
@ -3237,9 +3250,9 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
static CURLcode ossl_connect_step2(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct Curl_easy *data = conn->data;
int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
@ -3491,13 +3504,12 @@ typedef size_t numcert_t;
typedef int numcert_t;
#endif
static CURLcode get_cert_chain(struct connectdata *conn,
static CURLcode get_cert_chain(struct Curl_easy *data,
struct ssl_connect_data *connssl)
{
CURLcode result;
STACK_OF(X509) *sk;
int i;
struct Curl_easy *data = conn->data;
numcert_t numcerts;
BIO *mem;
struct ssl_backend_data *backend = connssl->backend;
@ -3772,14 +3784,14 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
* We check certificates to authenticate the server; otherwise we risk
* man-in-the-middle attack.
*/
static CURLcode servercert(struct connectdata *conn,
static CURLcode servercert(struct Curl_easy *data,
struct connectdata *conn,
struct ssl_connect_data *connssl,
bool strict)
{
CURLcode result = CURLE_OK;
int rc;
long lerr;
struct Curl_easy *data = conn->data;
X509 *issuer;
BIO *fp = NULL;
char error_buffer[256]="";
@ -3790,7 +3802,7 @@ static CURLcode servercert(struct connectdata *conn,
if(data->set.ssl.certinfo)
/* we've been asked to gather certificate info! */
(void)get_cert_chain(conn, connssl);
(void)get_cert_chain(data, connssl);
backend->server_cert = SSL_get_peer_certificate(backend->handle);
if(!backend->server_cert) {
@ -3826,7 +3838,7 @@ static CURLcode servercert(struct connectdata *conn,
BIO_free(mem);
if(SSL_CONN_CONFIG(verifyhost)) {
result = verifyhost(conn, backend->server_cert);
result = verifyhost(data, conn, backend->server_cert);
if(result) {
X509_free(backend->server_cert);
backend->server_cert = NULL;
@ -3928,7 +3940,7 @@ static CURLcode servercert(struct connectdata *conn,
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
if(SSL_CONN_CONFIG(verifystatus)) {
result = verifystatus(conn, connssl);
result = verifystatus(data, connssl);
if(result) {
X509_free(backend->server_cert);
backend->server_cert = NULL;
@ -3956,7 +3968,8 @@ static CURLcode servercert(struct connectdata *conn,
return result;
}
static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
static CURLcode ossl_connect_step3(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
CURLcode result = CURLE_OK;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
@ -3970,8 +3983,8 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
* operations.
*/
result = servercert(conn, connssl, (SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost)));
result = servercert(data, conn, connssl, (SSL_CONN_CONFIG(verifypeer) ||
SSL_CONN_CONFIG(verifyhost)));
if(!result)
connssl->connecting_state = ssl_connect_done;
@ -3982,13 +3995,13 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
static Curl_recv ossl_recv;
static Curl_send ossl_send;
static CURLcode ossl_connect_common(struct connectdata *conn,
static CURLcode ossl_connect_common(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode result;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
int what;
@ -4009,7 +4022,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn,
return CURLE_OPERATION_TIMEDOUT;
}
result = ossl_connect_step1(conn, sockindex);
result = ossl_connect_step1(data, conn, sockindex);
if(result)
return result;
}
@ -4061,7 +4074,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn,
* before step2 has completed while ensuring that a client using select()
* or epoll() will always have a valid fdset to wait on.
*/
result = ossl_connect_step2(conn, sockindex);
result = ossl_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
@ -4071,7 +4084,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn,
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
result = ossl_connect_step3(conn, sockindex);
result = ossl_connect_step3(data, conn, sockindex);
if(result)
return result;
}
@ -4091,19 +4104,21 @@ static CURLcode ossl_connect_common(struct connectdata *conn,
return CURLE_OK;
}
static CURLcode ossl_connect_nonblocking(struct connectdata *conn,
static CURLcode ossl_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool *done)
{
return ossl_connect_common(conn, sockindex, TRUE, done);
return ossl_connect_common(data, conn, sockindex, TRUE, done);
}
static CURLcode ossl_connect(struct connectdata *conn, int sockindex)
static CURLcode ossl_connect(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode result;
bool done = FALSE;
result = ossl_connect_common(conn, sockindex, FALSE, &done);
result = ossl_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
@ -4265,7 +4280,7 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */
strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
error_buffer[sizeof(error_buffer) - 1] = '\0';
}
failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d",
failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
error_buffer, sockerr);
*curlcode = CURLE_RECV_ERROR;
return -1;
@ -4287,7 +4302,7 @@ static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */
msnprintf(error_buffer, sizeof(error_buffer),
"Connection closed abruptly");
}
failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d"
failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d"
" (Fatal because this is a curl debug build)",
error_buffer, sockerr);
*curlcode = CURLE_RECV_ERROR;

174
lib/vtls/schannel.c
View File

@ -142,7 +142,8 @@
static Curl_recv schannel_recv;
static Curl_send schannel_send;
static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex,
static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
struct connectdata *conn, int sockindex,
const char *pinnedpubkey);
static void InitSecBuffer(SecBuffer *buffer, unsigned long BufType,
@ -162,9 +163,9 @@ static void InitSecBufferDesc(SecBufferDesc *desc, SecBuffer *BufArr,
}
static CURLcode
set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct connectdata *conn)
set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data,
struct connectdata *conn)
{
struct Curl_easy *data = conn->data;
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
long i = ssl_version;
@ -405,10 +406,10 @@ get_cert_location(TCHAR *path, DWORD *store_name, TCHAR **store_path,
#endif
static CURLcode
schannel_connect_step1(struct connectdata *conn, int sockindex)
schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
ssize_t written = -1;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SecBuffer outbuf;
SecBufferDesc outbuf_desc;
@ -493,8 +494,9 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
/* check for an existing re-usable credential handle */
if(SSL_SET_OPTION(primary.sessionid)) {
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn,
(void **)&old_cred, NULL, sockindex)) {
BACKEND->cred = old_cred;
DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
@ -504,7 +506,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
"schannel: incremented credential handle refcount = %d\n",
BACKEND->cred->refcount));
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
if(!BACKEND->cred) {
@ -563,7 +565,7 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
result = set_ssl_version_min_max(&schannel_cred, conn);
result = set_ssl_version_min_max(&schannel_cred, data, conn);
if(result != CURLE_OK)
return result;
break;
@ -980,11 +982,11 @@ schannel_connect_step1(struct connectdata *conn, int sockindex)
}
static CURLcode
schannel_connect_step2(struct connectdata *conn, int sockindex)
schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
int i;
ssize_t nread = -1, written = -1;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
unsigned char *reallocated_buffer;
SecBuffer outbuf[3];
@ -1252,7 +1254,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
if(pubkey_ptr) {
result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
result = pkp_pin_peer_pubkey(data, conn, sockindex, pubkey_ptr);
if(result) {
failf(data, "SSL: public key does not match pinned public key!");
return result;
@ -1261,7 +1263,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
#ifdef HAS_MANUAL_VERIFY_API
if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
return Curl_verify_certificate(conn, sockindex);
return Curl_verify_certificate(data, conn, sockindex);
}
#endif
@ -1328,10 +1330,10 @@ add_cert_to_certinfo(const CERT_CONTEXT *ccert_context, void *raw_arg)
}
static CURLcode
schannel_connect_step3(struct connectdata *conn, int sockindex)
schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode result = CURLE_OK;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SECURITY_STATUS sspi_status = SEC_E_OK;
CERT_CONTEXT *ccert_context = NULL;
@ -1411,24 +1413,24 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
bool incache;
struct Curl_schannel_cred *old_cred = NULL;
Curl_ssl_sessionid_lock(conn);
incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
Curl_ssl_sessionid_lock(data);
incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
sockindex));
if(incache) {
if(old_cred != BACKEND->cred) {
DEBUGF(infof(data,
"schannel: old credential handle is stale, removing\n"));
/* we're not taking old_cred ownership here, no refcount++ is needed */
Curl_ssl_delsessionid(conn, (void *)old_cred);
Curl_ssl_delsessionid(data, (void *)old_cred);
incache = FALSE;
}
}
if(!incache) {
result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
sizeof(struct Curl_schannel_cred),
sockindex);
if(result) {
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
failf(data, "schannel: failed to store credential handle");
return result;
}
@ -1439,7 +1441,7 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
"schannel: stored credential handle in session cache\n"));
}
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
if(data->set.ssl.certinfo) {
@ -1476,11 +1478,10 @@ schannel_connect_step3(struct connectdata *conn, int sockindex)
}
static CURLcode
schannel_connect_common(struct connectdata *conn, int sockindex,
bool nonblocking, bool *done)
schannel_connect_common(struct Curl_easy *data, struct connectdata *conn,
int sockindex, bool nonblocking, bool *done)
{
CURLcode result;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
timediff_t timeout_ms;
@ -1502,7 +1503,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex,
return CURLE_OPERATION_TIMEDOUT;
}
result = schannel_connect_step1(conn, sockindex);
result = schannel_connect_step1(data, conn, sockindex);
if(result)
return result;
}
@ -1557,7 +1558,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex,
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
result = schannel_connect_step2(conn, sockindex);
result = schannel_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
@ -1567,7 +1568,7 @@ schannel_connect_common(struct connectdata *conn, int sockindex,
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
result = schannel_connect_step3(conn, sockindex);
result = schannel_connect_step3(data, conn, sockindex);
if(result)
return result;
}
@ -1957,7 +1958,7 @@ schannel_recv(struct Curl_easy *data, int sockindex,
infof(data, "schannel: renegotiating SSL/TLS connection\n");
connssl->state = ssl_connection_negotiating;
connssl->connecting_state = ssl_connect_2_writing;
*err = schannel_connect_common(conn, sockindex, FALSE, &done);
*err = schannel_connect_common(data, conn, sockindex, FALSE, &done);
if(*err) {
infof(data, "schannel: renegotiation failed\n");
goto cleanup;
@ -2064,18 +2065,20 @@ schannel_recv(struct Curl_easy *data, int sockindex,
return *err ? -1 : 0;
}
static CURLcode Curl_schannel_connect_nonblocking(struct connectdata *conn,
int sockindex, bool *done)
static CURLcode schannel_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
return schannel_connect_common(conn, sockindex, TRUE, done);
return schannel_connect_common(data, conn, sockindex, TRUE, done);
}
static CURLcode Curl_schannel_connect(struct connectdata *conn, int sockindex)
static CURLcode schannel_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done = FALSE;
result = schannel_connect_common(conn, sockindex, FALSE, &done);
result = schannel_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
@ -2084,8 +2087,8 @@ static CURLcode Curl_schannel_connect(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
static bool Curl_schannel_data_pending(const struct connectdata *conn,
int sockindex)
static bool schannel_data_pending(const struct connectdata *conn,
int sockindex)
{
const struct ssl_connect_data *connssl = &conn->ssl[sockindex];
@ -2096,14 +2099,15 @@ static bool Curl_schannel_data_pending(const struct connectdata *conn,
return FALSE;
}
static void Curl_schannel_close(struct connectdata *conn, int sockindex)
static void schannel_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
if(conn->ssl[sockindex].use)
/* if the SSL/TLS channel hasn't been shut down yet, do that now. */
Curl_ssl_shutdown(conn, sockindex);
Curl_ssl_shutdown(data, conn, sockindex);
}
static void Curl_schannel_session_free(void *ptr)
static void schannel_session_free(void *ptr)
{
/* this is expected to be called under sessionid lock */
struct Curl_schannel_cred *cred = ptr;
@ -2115,12 +2119,12 @@ static void Curl_schannel_session_free(void *ptr)
}
}
static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
static int schannel_shutdown(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
/* See https://msdn.microsoft.com/en-us/library/windows/desktop/aa380138.aspx
* Shutting Down an Schannel Connection
*/
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
#ifndef CURL_DISABLE_PROXY
char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
@ -2203,14 +2207,9 @@ static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
/* free SSPI Schannel API credential handle */
if(BACKEND->cred) {
/*
* When this function is called from Curl_schannel_close() the connection
* might not have an associated transfer so the check for conn->data is
* necessary.
*/
Curl_ssl_sessionid_lock(conn);
Curl_schannel_session_free(BACKEND->cred);
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_lock(data);
schannel_session_free(BACKEND->cred);
Curl_ssl_sessionid_unlock(data);
BACKEND->cred = NULL;
}
@ -2232,25 +2231,25 @@ static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
static int Curl_schannel_init(void)
static int schannel_init(void)
{
return (Curl_sspi_global_init() == CURLE_OK ? 1 : 0);
}
static void Curl_schannel_cleanup(void)
static void schannel_cleanup(void)
{
Curl_sspi_global_cleanup();
}
static size_t Curl_schannel_version(char *buffer, size_t size)
static size_t schannel_version(char *buffer, size_t size)
{
size = msnprintf(buffer, size, "Schannel");
return size;
}
static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM,
unsigned char *entropy, size_t length)
static CURLcode schannel_random(struct Curl_easy *data UNUSED_PARAM,
unsigned char *entropy, size_t length)
{
HCRYPTPROV hCryptProv = 0;
@ -2269,10 +2268,10 @@ static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM,
return CURLE_OK;
}
static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex,
static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
struct connectdata *conn, int sockindex,
const char *pinnedpubkey)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CERT_CONTEXT *pCertContextServer = NULL;
@ -2334,12 +2333,12 @@ static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex,
return result;
}
static void Curl_schannel_checksum(const unsigned char *input,
size_t inputlen,
unsigned char *checksum,
size_t checksumlen,
DWORD provType,
const unsigned int algId)
static void schannel_checksum(const unsigned char *input,
size_t inputlen,
unsigned char *checksum,
size_t checksumlen,
DWORD provType,
const unsigned int algId)
{
HCRYPTPROV hProv = 0;
HCRYPTHASH hHash = 0;
@ -2384,28 +2383,27 @@ static void Curl_schannel_checksum(const unsigned char *input,
CryptReleaseContext(hProv, 0);
}
static CURLcode Curl_schannel_md5sum(unsigned char *input,
size_t inputlen,
unsigned char *md5sum,
size_t md5len)
static CURLcode schannel_md5sum(unsigned char *input,
size_t inputlen,
unsigned char *md5sum,
size_t md5len)
{
Curl_schannel_checksum(input, inputlen, md5sum, md5len,
PROV_RSA_FULL, CALG_MD5);
schannel_checksum(input, inputlen, md5sum, md5len, PROV_RSA_FULL, CALG_MD5);
return CURLE_OK;
}
static CURLcode Curl_schannel_sha256sum(const unsigned char *input,
size_t inputlen,
unsigned char *sha256sum,
size_t sha256len)
static CURLcode schannel_sha256sum(const unsigned char *input,
size_t inputlen,
unsigned char *sha256sum,
size_t sha256len)
{
Curl_schannel_checksum(input, inputlen, sha256sum, sha256len,
PROV_RSA_AES, CALG_SHA_256);
schannel_checksum(input, inputlen, sha256sum, sha256len,
PROV_RSA_AES, CALG_SHA_256);
return CURLE_OK;
}
static void *Curl_schannel_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
static void *schannel_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
{
(void)info;
return &BACKEND->ctxt->ctxt_handle;
@ -2419,26 +2417,26 @@ const struct Curl_ssl Curl_ssl_schannel = {
sizeof(struct ssl_backend_data),
Curl_schannel_init, /* init */
Curl_schannel_cleanup, /* cleanup */
Curl_schannel_version, /* version */
schannel_init, /* init */
schannel_cleanup, /* cleanup */
schannel_version, /* version */
Curl_none_check_cxn, /* check_cxn */
Curl_schannel_shutdown, /* shutdown */
Curl_schannel_data_pending, /* data_pending */
Curl_schannel_random, /* random */
schannel_shutdown, /* shutdown */
schannel_data_pending, /* data_pending */
schannel_random, /* random */
Curl_none_cert_status_request, /* cert_status_request */
Curl_schannel_connect, /* connect */
Curl_schannel_connect_nonblocking, /* connect_nonblocking */
Curl_schannel_get_internals, /* get_internals */
Curl_schannel_close, /* close_one */
schannel_connect, /* connect */
schannel_connect_nonblocking, /* connect_nonblocking */
schannel_get_internals, /* get_internals */
schannel_close, /* close_one */
Curl_none_close_all, /* close_all */
Curl_schannel_session_free, /* session_free */
schannel_session_free, /* session_free */
Curl_none_set_engine, /* set_engine */
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
Curl_none_false_start, /* false_start */
Curl_schannel_md5sum, /* md5sum */
Curl_schannel_sha256sum /* sha256sum */
schannel_md5sum, /* md5sum */
schannel_sha256sum /* sha256sum */
};
#endif /* USE_SCHANNEL */

5
lib/vtls/schannel.h
View File

@ -8,7 +8,7 @@
* \___|\___/|_| \_\_____|
*
* Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
* Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@ -53,7 +53,8 @@
extern const struct Curl_ssl Curl_ssl_schannel;
CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex);
CURLcode Curl_verify_certificate(struct Curl_easy *data,
struct connectdata *conn, int sockindex);
/* structs to expose only in schannel.c and schannel_verify.c */
#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS

11
lib/vtls/schannel_verify.c
View File

@ -79,10 +79,9 @@ static int is_cr_or_lf(char c)
static CURLcode add_certs_to_store(HCERTSTORE trust_store,
const char *ca_file,
struct connectdata *conn)
struct Curl_easy *data)
{
CURLcode result;
struct Curl_easy *data = conn->data;
HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
LARGE_INTEGER file_size;
char *ca_file_buffer = NULL;
@ -527,10 +526,10 @@ cleanup:
return result;
}
CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
CURLcode Curl_verify_certificate(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
SECURITY_STATUS sspi_status;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode result = CURLE_OK;
CERT_CONTEXT *pCertContextServer = NULL;
@ -584,7 +583,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
}
else {
result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile),
conn);
data);
}
}
@ -675,7 +674,7 @@ CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
if(result == CURLE_OK) {
if(SSL_CONN_CONFIG(verifyhost)) {
result = verify_host(conn->data, pCertContextServer, conn_hostname);
result = verify_host(data, pCertContextServer, conn_hostname);
}
}

140
lib/vtls/sectransp.c
View File

@ -1291,9 +1291,9 @@ static CURLcode sectransp_version_from_curl(SSLProtocol *darwinver,
#endif
static CURLcode
set_ssl_version_min_max(struct connectdata *conn, int sockindex)
set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
long ssl_version = SSL_CONN_CONFIG(version);
@ -1387,10 +1387,10 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex)
}
static CURLcode sectransp_connect_step1(struct connectdata *conn,
static CURLcode sectransp_connect_step1(struct Curl_easy *data,
struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
@ -1478,7 +1478,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
CURLcode result = set_ssl_version_min_max(conn, sockindex);
CURLcode result = set_ssl_version_min_max(data, conn, sockindex);
if(result != CURLE_OK)
return result;
break;
@ -1527,7 +1527,7 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
CURLcode result = set_ssl_version_min_max(conn, sockindex);
CURLcode result = set_ssl_version_min_max(data, conn, sockindex);
if(result != CURLE_OK)
return result;
break;
@ -1952,12 +1952,12 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
char *ssl_sessionid;
size_t ssl_sessionid_len;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
&ssl_sessionid_len, sockindex)) {
/* we got a session id, use it! */
err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
if(err != noErr) {
failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err);
return CURLE_SSL_CONNECT_ERROR;
@ -1976,14 +1976,14 @@ static CURLcode sectransp_connect_step1(struct connectdata *conn,
err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
if(err != noErr) {
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err);
return CURLE_SSL_CONNECT_ERROR;
}
result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
sockindex);
Curl_ssl_sessionid_unlock(conn);
result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
ssl_sessionid_len, sockindex);
Curl_ssl_sessionid_unlock(data);
if(result) {
failf(data, "failed to store ssl session");
return result;
@ -2379,9 +2379,9 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
#endif /* SECTRANSP_PINNEDPUBKEY */
static CURLcode
sectransp_connect_step2(struct connectdata *conn, int sockindex)
sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
OSStatus err;
@ -2418,7 +2418,7 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
return result;
}
/* the documentation says we need to call SSLHandshake() again */
return sectransp_connect_step2(conn, sockindex);
return sectransp_connect_step2(data, conn, sockindex);
/* Problem with encrypt / decrypt */
case errSSLPeerDecodeError:
@ -2711,10 +2711,10 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
#ifndef CURL_DISABLE_VERBOSE_STRINGS
/* This should be called during step3 of the connection at the earliest */
static void
show_verbose_server_cert(struct connectdata *conn,
show_verbose_server_cert(struct Curl_easy *data,
struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
CFArrayRef server_certs = NULL;
@ -2817,10 +2817,9 @@ show_verbose_server_cert(struct connectdata *conn,
#endif /* !CURL_DISABLE_VERBOSE_STRINGS */
static CURLcode
sectransp_connect_step3(struct connectdata *conn,
sectransp_connect_step3(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
/* There is no step 3!
@ -2828,7 +2827,7 @@ sectransp_connect_step3(struct connectdata *conn,
* server certificates. */
#ifndef CURL_DISABLE_VERBOSE_STRINGS
if(data->set.verbose)
show_verbose_server_cert(conn, sockindex);
show_verbose_server_cert(data, conn, sockindex);
#endif
connssl->connecting_state = ssl_connect_done;
@ -2839,13 +2838,13 @@ static Curl_recv sectransp_recv;
static Curl_send sectransp_send;
static CURLcode
sectransp_connect_common(struct connectdata *conn,
sectransp_connect_common(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode result;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
int what;
@ -2866,7 +2865,7 @@ sectransp_connect_common(struct connectdata *conn,
return CURLE_OPERATION_TIMEDOUT;
}
result = sectransp_connect_step1(conn, sockindex);
result = sectransp_connect_step1(data, conn, sockindex);
if(result)
return result;
}
@ -2920,7 +2919,7 @@ sectransp_connect_common(struct connectdata *conn,
* before step2 has completed while ensuring that a client using select()
* or epoll() will always have a valid fdset to wait on.
*/
result = sectransp_connect_step2(conn, sockindex);
result = sectransp_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
@ -2931,7 +2930,7 @@ sectransp_connect_common(struct connectdata *conn,
if(ssl_connect_3 == connssl->connecting_state) {
result = sectransp_connect_step3(conn, sockindex);
result = sectransp_connect_step3(data, conn, sockindex);
if(result)
return result;
}
@ -2951,18 +2950,20 @@ sectransp_connect_common(struct connectdata *conn,
return CURLE_OK;
}
static CURLcode Curl_sectransp_connect_nonblocking(struct connectdata *conn,
int sockindex, bool *done)
static CURLcode sectransp_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
return sectransp_connect_common(conn, sockindex, TRUE, done);
return sectransp_connect_common(data, conn, sockindex, TRUE, done);
}
static CURLcode Curl_sectransp_connect(struct connectdata *conn, int sockindex)
static CURLcode sectransp_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done = FALSE;
result = sectransp_connect_common(conn, sockindex, FALSE, &done);
result = sectransp_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
@ -2972,11 +2973,14 @@ static CURLcode Curl_sectransp_connect(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
static void Curl_sectransp_close(struct connectdata *conn, int sockindex)
static void sectransp_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
(void) data;
if(backend->ssl_ctx) {
(void)SSLClose(backend->ssl_ctx);
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
@ -2994,11 +2998,11 @@ static void Curl_sectransp_close(struct connectdata *conn, int sockindex)
backend->ssl_sockfd = 0;
}
static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex)
static int sectransp_shutdown(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
struct Curl_easy *data = conn->data;
ssize_t nread;
int what;
int rc;
@ -3012,7 +3016,7 @@ static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex)
return 0;
#endif
Curl_sectransp_close(conn, sockindex);
sectransp_close(data, conn, sockindex);
rc = 0;
@ -3050,7 +3054,7 @@ static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex)
return rc;
}
static void Curl_sectransp_session_free(void *ptr)
static void sectransp_session_free(void *ptr)
{
/* ST, as of iOS 5 and Mountain Lion, has no public method of deleting a
cached session ID inside the Security framework. There is a private
@ -3061,7 +3065,7 @@ static void Curl_sectransp_session_free(void *ptr)
Curl_safefree(ptr);
}
static size_t Curl_sectransp_version(char *buffer, size_t size)
static size_t sectransp_version(char *buffer, size_t size)
{
return msnprintf(buffer, size, "SecureTransport");
}
@ -3074,7 +3078,7 @@ static size_t Curl_sectransp_version(char *buffer, size_t size)
* 0 means the connection has been closed
* -1 means the connection status is unknown
*/
static int Curl_sectransp_check_cxn(struct connectdata *conn)
static int sectransp_check_cxn(struct connectdata *conn)
{
struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET];
struct ssl_backend_data *backend = connssl->backend;
@ -3090,8 +3094,8 @@ static int Curl_sectransp_check_cxn(struct connectdata *conn)
return 0;
}
static bool Curl_sectransp_data_pending(const struct connectdata *conn,
int connindex)
static bool sectransp_data_pending(const struct connectdata *conn,
int connindex)
{
const struct ssl_connect_data *connssl = &conn->ssl[connindex];
struct ssl_backend_data *backend = connssl->backend;
@ -3108,8 +3112,8 @@ static bool Curl_sectransp_data_pending(const struct connectdata *conn,
return false;
}
static CURLcode Curl_sectransp_random(struct Curl_easy *data UNUSED_PARAM,
unsigned char *entropy, size_t length)
static CURLcode sectransp_random(struct Curl_easy *data UNUSED_PARAM,
unsigned char *entropy, size_t length)
{
/* arc4random_buf() isn't available on cats older than Lion, so let's
do this manually for the benefit of the older cats. */
@ -3128,27 +3132,27 @@ static CURLcode Curl_sectransp_random(struct Curl_easy *data UNUSED_PARAM,
return CURLE_OK;
}
static CURLcode Curl_sectransp_md5sum(unsigned char *tmp, /* input */
size_t tmplen,
unsigned char *md5sum, /* output */
size_t md5len)
static CURLcode sectransp_md5sum(unsigned char *tmp, /* input */
size_t tmplen,
unsigned char *md5sum, /* output */
size_t md5len)
{
(void)md5len;
(void)CC_MD5(tmp, (CC_LONG)tmplen, md5sum);
return CURLE_OK;
}
static CURLcode Curl_sectransp_sha256sum(const unsigned char *tmp, /* input */
size_t tmplen,
unsigned char *sha256sum, /* output */
size_t sha256len)
static CURLcode sectransp_sha256sum(const unsigned char *tmp, /* input */
size_t tmplen,
unsigned char *sha256sum, /* output */
size_t sha256len)
{
assert(sha256len >= CURL_SHA256_DIGEST_LENGTH);
(void)CC_SHA256(tmp, (CC_LONG)tmplen, sha256sum);
return CURLE_OK;
}
static bool Curl_sectransp_false_start(void)
static bool sectransp_false_start(void)
{
#if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7
if(SSLSetSessionOption != NULL)
@ -3198,7 +3202,7 @@ static ssize_t sectransp_send(struct Curl_easy *data,
*curlcode = CURLE_AGAIN;
return -1L;
default:
failf(conn->data, "SSLWrite() returned error %d", err);
failf(data, "SSLWrite() returned error %d", err);
*curlcode = CURLE_SEND_ERROR;
return -1L;
}
@ -3262,7 +3266,7 @@ static ssize_t sectransp_recv(struct Curl_easy *data,
Leopard's headers */
case -9841:
if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), conn->data,
CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), data,
backend->ssl_ctx);
if(result)
return result;
@ -3278,8 +3282,8 @@ static ssize_t sectransp_recv(struct Curl_easy *data,
return (ssize_t)processed;
}
static void *Curl_sectransp_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
static void *sectransp_get_internals(struct ssl_connect_data *connssl,
CURLINFO info UNUSED_PARAM)
{
struct ssl_backend_data *backend = connssl->backend;
(void)info;
@ -3299,24 +3303,24 @@ const struct Curl_ssl Curl_ssl_sectransp = {
Curl_none_init, /* init */
Curl_none_cleanup, /* cleanup */
Curl_sectransp_version, /* version */
Curl_sectransp_check_cxn, /* check_cxn */
Curl_sectransp_shutdown, /* shutdown */
Curl_sectransp_data_pending, /* data_pending */
Curl_sectransp_random, /* random */
sectransp_version, /* version */
sectransp_check_cxn, /* check_cxn */
sectransp_shutdown, /* shutdown */
sectransp_data_pending, /* data_pending */
sectransp_random, /* random */
Curl_none_cert_status_request, /* cert_status_request */
Curl_sectransp_connect, /* connect */
Curl_sectransp_connect_nonblocking, /* connect_nonblocking */
Curl_sectransp_get_internals, /* get_internals */
Curl_sectransp_close, /* close_one */
sectransp_connect, /* connect */
sectransp_connect_nonblocking, /* connect_nonblocking */
sectransp_get_internals, /* get_internals */
sectransp_close, /* close_one */
Curl_none_close_all, /* close_all */
Curl_sectransp_session_free, /* session_free */
sectransp_session_free, /* session_free */
Curl_none_set_engine, /* set_engine */
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
Curl_sectransp_false_start, /* false_start */
Curl_sectransp_md5sum, /* md5sum */
Curl_sectransp_sha256sum /* sha256sum */
sectransp_false_start, /* false_start */
sectransp_md5sum, /* md5sum */
sectransp_sha256sum /* sha256sum */
};
#ifdef __clang__

73
lib/vtls/vtls.c
View File

@ -291,7 +291,8 @@ ssl_connect_init_proxy(struct connectdata *conn, int sockindex)
#endif
CURLcode
Curl_ssl_connect(struct connectdata *conn, int sockindex)
Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode result;
@ -303,26 +304,27 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex)
}
#endif
if(!ssl_prefs_check(conn->data))
if(!ssl_prefs_check(data))
return CURLE_SSL_CONNECT_ERROR;
/* mark this is being ssl-enabled from here on. */
conn->ssl[sockindex].use = TRUE;
conn->ssl[sockindex].state = ssl_connection_negotiating;
result = Curl_ssl->connect_blocking(conn, sockindex);
result = Curl_ssl->connect_blocking(data, conn, sockindex);
if(!result)
Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */
Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
return result;
}
CURLcode
Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex,
bool *done)
Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
int sockindex, bool *done)
{
CURLcode result;
#ifndef CURL_DISABLE_PROXY
if(conn->bits.proxy_ssl_connected[sockindex]) {
result = ssl_connect_init_proxy(conn, sockindex);
@ -330,47 +332,46 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex,
return result;
}
#endif
if(!ssl_prefs_check(conn->data))
if(!ssl_prefs_check(data))
return CURLE_SSL_CONNECT_ERROR;
/* mark this is being ssl requested from here on. */
conn->ssl[sockindex].use = TRUE;
result = Curl_ssl->connect_nonblocking(conn, sockindex, done);
result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
if(!result && *done)
Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */
Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
return result;
}
/*
* Lock shared SSL session data
*/
void Curl_ssl_sessionid_lock(struct connectdata *conn)
void Curl_ssl_sessionid_lock(struct Curl_easy *data)
{
if(SSLSESSION_SHARED(conn->data))
Curl_share_lock(conn->data,
CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
if(SSLSESSION_SHARED(data))
Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
}
/*
* Unlock shared SSL session data
*/
void Curl_ssl_sessionid_unlock(struct connectdata *conn)
void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
{
if(SSLSESSION_SHARED(conn->data))
Curl_share_unlock(conn->data, CURL_LOCK_DATA_SSL_SESSION);
if(SSLSESSION_SHARED(data))
Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
}
/*
* Check if there's a session ID for the given connection in the cache, and if
* there's one suitable, it is provided. Returns TRUE when no entry matched.
*/
bool Curl_ssl_getsessionid(struct connectdata *conn,
bool Curl_ssl_getsessionid(struct Curl_easy *data,
struct connectdata *conn,
void **ssl_sessionid,
size_t *idsize, /* set 0 if unknown */
int sockindex)
{
struct Curl_ssl_session *check;
struct Curl_easy *data = conn->data;
size_t i;
long *general_age;
bool no_match = TRUE;
@ -457,10 +458,9 @@ void Curl_ssl_kill_session(struct Curl_ssl_session *session)
/*
* Delete the given session ID from the cache.
*/
void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
{
size_t i;
struct Curl_easy *data = conn->data;
for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
struct Curl_ssl_session *check = &data->state.session[i];
@ -478,13 +478,13 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
* layer. Curl_XXXX_session_free() will be called to free/kill the session ID
* later on.
*/
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
struct connectdata *conn,
void *ssl_sessionid,
size_t idsize,
int sockindex)
{
size_t i;
struct Curl_easy *data = conn->data; /* the mother of all structs */
struct Curl_ssl_session *store = &data->state.session[0];
long oldest_age = data->state.session[0].age; /* zero if unused */
char *clone_host;
@ -624,16 +624,18 @@ int Curl_ssl_getsock(struct connectdata *conn,
/* USE_OPENSSL || USE_GNUTLS || USE_SCHANNEL || USE_SECTRANSP || USE_NSS */
#endif
void Curl_ssl_close(struct connectdata *conn, int sockindex)
void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
DEBUGASSERT((sockindex <= 1) && (sockindex >= -1));
Curl_ssl->close_one(conn, sockindex);
Curl_ssl->close_one(data, conn, sockindex);
conn->ssl[sockindex].state = ssl_connection_none;
}
CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
if(Curl_ssl->shut_down(conn, sockindex))
if(Curl_ssl->shut_down(data, conn, sockindex))
return CURLE_SSL_SHUTDOWN_FAILED;
conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */
@ -1080,9 +1082,11 @@ int Curl_none_init(void)
void Curl_none_cleanup(void)
{ }
int Curl_none_shutdown(struct connectdata *conn UNUSED_PARAM,
int Curl_none_shutdown(struct Curl_easy *data UNUSED_PARAM,
struct connectdata *conn UNUSED_PARAM,
int sockindex UNUSED_PARAM)
{
(void)data;
(void)conn;
(void)sockindex;
return 0;
@ -1188,19 +1192,21 @@ static int multissl_init(void)
return Curl_ssl->init();
}
static CURLcode multissl_connect(struct connectdata *conn, int sockindex)
static CURLcode multissl_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
if(multissl_setup(NULL))
return CURLE_FAILED_INIT;
return Curl_ssl->connect_blocking(conn, sockindex);
return Curl_ssl->connect_blocking(data, conn, sockindex);
}
static CURLcode multissl_connect_nonblocking(struct connectdata *conn,
static CURLcode multissl_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
if(multissl_setup(NULL))
return CURLE_FAILED_INIT;
return Curl_ssl->connect_nonblocking(conn, sockindex, done);
return Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
}
static void *multissl_get_internals(struct ssl_connect_data *connssl,
@ -1211,11 +1217,12 @@ static void *multissl_get_internals(struct ssl_connect_data *connssl,
return Curl_ssl->get_internals(connssl, info);
}
static void multissl_close(struct connectdata *conn, int sockindex)
static void multissl_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
if(multissl_setup(NULL))
return;
Curl_ssl->close_one(conn, sockindex);
Curl_ssl->close_one(data, conn, sockindex);
}
static const struct Curl_ssl Curl_ssl_multi = {

49
lib/vtls/vtls.h
View File

@ -7,7 +7,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
* Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
* Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@ -47,7 +47,8 @@ struct Curl_ssl {
size_t (*version)(char *buffer, size_t size);
int (*check_cxn)(struct connectdata *cxn);
int (*shut_down)(struct connectdata *conn, int sockindex);
int (*shut_down)(struct Curl_easy *data, struct connectdata *conn,
int sockindex);
bool (*data_pending)(const struct connectdata *conn,
int connindex);
@ -56,11 +57,14 @@ struct Curl_ssl {
size_t length);
bool (*cert_status_request)(void);
CURLcode (*connect_blocking)(struct connectdata *conn, int sockindex);
CURLcode (*connect_nonblocking)(struct connectdata *conn, int sockindex,
CURLcode (*connect_blocking)(struct Curl_easy *data,
struct connectdata *conn, int sockindex);
CURLcode (*connect_nonblocking)(struct Curl_easy *data,
struct connectdata *conn, int sockindex,
bool *done);
void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info);
void (*close_one)(struct connectdata *conn, int sockindex);
void (*close_one)(struct Curl_easy *data, struct connectdata *conn,
int sockindex);
void (*close_all)(struct Curl_easy *data);
void (*session_free)(void *ptr);
@ -82,7 +86,8 @@ extern const struct Curl_ssl *Curl_ssl;
int Curl_none_init(void);
void Curl_none_cleanup(void);
int Curl_none_shutdown(struct connectdata *conn, int sockindex);
int Curl_none_shutdown(struct Curl_easy *data, struct connectdata *conn,
int sockindex);
int Curl_none_check_cxn(struct connectdata *conn);
CURLcode Curl_none_random(struct Curl_easy *data, unsigned char *entropy,
size_t length);
@ -165,15 +170,19 @@ int Curl_ssl_backend(void);
#ifdef USE_SSL
int Curl_ssl_init(void);
void Curl_ssl_cleanup(void);
CURLcode Curl_ssl_connect(struct connectdata *conn, int sockindex);
CURLcode Curl_ssl_connect_nonblocking(struct connectdata *conn,
CURLcode Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
int sockindex);
CURLcode Curl_ssl_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool *done);
/* tell the SSL stuff to close down all open information regarding
connections (and thus session ID caching etc) */
void Curl_ssl_close_all(struct Curl_easy *data);
void Curl_ssl_close(struct connectdata *conn, int sockindex);
CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex);
void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex);
CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
int sockindex);
CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine);
/* Sets engine as default for all SSL operations */
CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data);
@ -205,10 +214,10 @@ CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum,
* The purpose of explicitly locking SSL session cache data is to allow
* individual SSL engines to manage session lifetime in their specific way.
*/
void Curl_ssl_sessionid_lock(struct connectdata *conn);
void Curl_ssl_sessionid_lock(struct Curl_easy *data);
/* Unlock session cache mutex */
void Curl_ssl_sessionid_unlock(struct connectdata *conn);
void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
/* extract a session ID
* Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
@ -216,7 +225,8 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
* is properly taken (e.g. its refcount is incremented
* under sessionid mutex).
*/
bool Curl_ssl_getsessionid(struct connectdata *conn,
bool Curl_ssl_getsessionid(struct Curl_easy *data,
struct connectdata *conn,
void **ssl_sessionid,
size_t *idsize, /* set 0 if unknown */
int sockindex);
@ -225,7 +235,8 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
* Caller must ensure that it has properly shared ownership of this sessionid
* object with cache (e.g. incrementing refcount on success)
*/
CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
struct connectdata *conn,
void *ssl_sessionid,
size_t idsize,
int sockindex);
@ -242,7 +253,7 @@ void Curl_ssl_kill_session(struct Curl_ssl_session *session);
* take sessionid object ownership from sessionid cache
* (e.g. decrement refcount).
*/
void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid);
void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid);
/* get N random bytes into the buffer */
CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer,
@ -267,10 +278,10 @@ bool Curl_ssl_false_start(void);
/* When SSL support is not present, just define away these function calls */
#define Curl_ssl_init() 1
#define Curl_ssl_cleanup() Curl_nop_stmt
#define Curl_ssl_connect(x,y) CURLE_NOT_BUILT_IN
#define Curl_ssl_connect(x,y,z) CURLE_NOT_BUILT_IN
#define Curl_ssl_close_all(x) Curl_nop_stmt
#define Curl_ssl_close(x,y) Curl_nop_stmt
#define Curl_ssl_shutdown(x,y) CURLE_NOT_BUILT_IN
#define Curl_ssl_close(x,y,z) Curl_nop_stmt
#define Curl_ssl_shutdown(x,y,z) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
#define Curl_ssl_engines_list(x) NULL
@ -280,7 +291,7 @@ bool Curl_ssl_false_start(void);
#define Curl_ssl_data_pending(x,y) 0
#define Curl_ssl_check_cxn(x) 0
#define Curl_ssl_free_certinfo(x) Curl_nop_stmt
#define Curl_ssl_connect_nonblocking(x,y,z) CURLE_NOT_BUILT_IN
#define Curl_ssl_connect_nonblocking(x,y,z,w) CURLE_NOT_BUILT_IN
#define Curl_ssl_kill_session(x) Curl_nop_stmt
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
#define Curl_ssl_cert_status_request() FALSE

59
lib/vtls/wolfssl.c
View File

@ -217,11 +217,10 @@ static int do_file_type(const char *type)
* layer and do all necessary magic.
*/
static CURLcode
wolfssl_connect_step1(struct connectdata *conn,
wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
char *ciphers;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
SSL_METHOD* req_method = NULL;
@ -516,12 +515,12 @@ wolfssl_connect_step1(struct connectdata *conn,
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
Curl_ssl_sessionid_lock(conn);
if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
failf(data, "SSL: SSL_set_session failed: %s",
ERR_error_string(SSL_get_error(backend->handle, 0),
error_buffer));
@ -530,7 +529,7 @@ wolfssl_connect_step1(struct connectdata *conn,
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
/* pass the raw socket into the SSL layer */
@ -545,11 +544,10 @@ wolfssl_connect_step1(struct connectdata *conn,
static CURLcode
wolfssl_connect_step2(struct connectdata *conn,
wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
int ret = -1;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
#ifndef CURL_DISABLE_PROXY
@ -761,11 +759,10 @@ wolfssl_connect_step2(struct connectdata *conn,
static CURLcode
wolfssl_connect_step3(struct connectdata *conn,
wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode result = CURLE_OK;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
@ -778,27 +775,27 @@ wolfssl_connect_step3(struct connectdata *conn,
our_ssl_sessionid = SSL_get_session(backend->handle);
Curl_ssl_sessionid_lock(conn);
incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
Curl_ssl_sessionid_lock(data);
incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
sockindex));
if(incache) {
if(old_ssl_sessionid != our_ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
Curl_ssl_delsessionid(conn, old_ssl_sessionid);
Curl_ssl_delsessionid(data, old_ssl_sessionid);
incache = FALSE;
}
}
if(!incache) {
result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
0 /* unknown size */, sockindex);
if(result) {
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
failf(data, "failed to store ssl session");
return result;
}
}
Curl_ssl_sessionid_unlock(conn);
Curl_ssl_sessionid_unlock(data);
}
connssl->connecting_state = ssl_connect_done;
@ -840,11 +837,14 @@ static ssize_t wolfssl_send(struct Curl_easy *data,
return rc;
}
static void wolfssl_close(struct connectdata *conn, int sockindex)
static void wolfssl_close(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
(void) data;
if(backend->handle) {
(void)SSL_shutdown(backend->handle);
SSL_free(backend->handle);
@ -942,12 +942,15 @@ static bool wolfssl_data_pending(const struct connectdata *conn,
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
static int wolfssl_shutdown(struct connectdata *conn, int sockindex)
static int wolfssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
(void) data;
if(backend->handle) {
SSL_free(backend->handle);
backend->handle = NULL;
@ -957,13 +960,13 @@ static int wolfssl_shutdown(struct connectdata *conn, int sockindex)
static CURLcode
wolfssl_connect_common(struct connectdata *conn,
wolfssl_connect_common(struct Curl_easy *data,
struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode result;
struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
int what;
@ -984,7 +987,7 @@ wolfssl_connect_common(struct connectdata *conn,
return CURLE_OPERATION_TIMEDOUT;
}
result = wolfssl_connect_step1(conn, sockindex);
result = wolfssl_connect_step1(data, conn, sockindex);
if(result)
return result;
}
@ -1039,7 +1042,7 @@ wolfssl_connect_common(struct connectdata *conn,
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
result = wolfssl_connect_step2(conn, sockindex);
result = wolfssl_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
@ -1048,7 +1051,7 @@ wolfssl_connect_common(struct connectdata *conn,
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
result = wolfssl_connect_step3(conn, sockindex);
result = wolfssl_connect_step3(data, conn, sockindex);
if(result)
return result;
}
@ -1069,19 +1072,21 @@ wolfssl_connect_common(struct connectdata *conn,
}
static CURLcode wolfssl_connect_nonblocking(struct connectdata *conn,
static CURLcode wolfssl_connect_nonblocking(struct Curl_easy *data,
struct connectdata *conn,
int sockindex, bool *done)
{
return wolfssl_connect_common(conn, sockindex, TRUE, done);
return wolfssl_connect_common(data, conn, sockindex, TRUE, done);
}
static CURLcode wolfssl_connect(struct connectdata *conn, int sockindex)
static CURLcode wolfssl_connect(struct Curl_easy *data,
struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done = FALSE;
result = wolfssl_connect_common(conn, sockindex, FALSE, &done);
result = wolfssl_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;