1: /***************************************************************************
2: * _ _ ____ _
3: * Project ___| | | | _ \| |
4: * / __| | | | |_) | |
5: * | (__| |_| | _ <| |___
6: * \___|\___/|_| \_\_____|
7: *
8: * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
9: *
10: * This software is licensed as described in the file COPYING, which
11: * you should have received as part of this distribution. The terms
12: * are also available at https://curl.haxx.se/docs/copyright.html.
13: *
14: * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15: * copies of the Software, and permit persons to whom the Software is
16: * furnished to do so, under the terms of the COPYING file.
17: *
18: * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19: * KIND, either express or implied.
20: *
21: ***************************************************************************/
22:
23: /*
24: * Source file for all wolfSSL specific code for the TLS/SSL layer. No code
25: * but vtls.c should ever call or use these functions.
26: *
27: */
28:
29: #include "curl_setup.h"
30:
31: #ifdef USE_WOLFSSL
32:
33: #define WOLFSSL_OPTIONS_IGNORE_SYS
34: #include <wolfssl/version.h>
35: #include <wolfssl/options.h>
36:
37: /* To determine what functions are available we rely on one or both of:
38: - the user's options.h generated by wolfSSL
39: - the symbols detected by curl's configure
40: Since they are markedly different from one another, and one or the other may
41: not be available, we do some checking below to bring things in sync. */
42:
43: /* HAVE_ALPN is wolfSSL's build time symbol for enabling ALPN in options.h. */
44: #ifndef HAVE_ALPN
45: #ifdef HAVE_WOLFSSL_USEALPN
46: #define HAVE_ALPN
47: #endif
48: #endif
49:
50: /* WOLFSSL_ALLOW_SSLV3 is wolfSSL's build time symbol for enabling SSLv3 in
51: options.h, but is only seen in >= 3.6.6 since that's when they started
52: disabling SSLv3 by default. */
53: #ifndef WOLFSSL_ALLOW_SSLV3
54: #if (LIBWOLFSSL_VERSION_HEX < 0x03006006) || \
55: defined(HAVE_WOLFSSLV3_CLIENT_METHOD)
56: #define WOLFSSL_ALLOW_SSLV3
57: #endif
58: #endif
59:
60: #include <limits.h>
61:
62: #include "urldata.h"
63: #include "sendf.h"
64: #include "inet_pton.h"
65: #include "vtls.h"
66: #include "parsedate.h"
67: #include "connect.h" /* for the connect timeout */
68: #include "select.h"
69: #include "strcase.h"
70: #include "x509asn1.h"
71: #include "curl_printf.h"
72: #include "multiif.h"
73:
74: #include <wolfssl/openssl/ssl.h>
75: #include <wolfssl/ssl.h>
76: #include <wolfssl/error-ssl.h>
77: #include "wolfssl.h"
78:
79: /* The last #include files should be: */
80: #include "curl_memory.h"
81: #include "memdebug.h"
82:
83: /* KEEP_PEER_CERT is a product of the presence of build time symbol
84: OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is
85: in wolfSSL's settings.h, and the latter two are build time symbols in
86: options.h. */
87: #ifndef KEEP_PEER_CERT
88: #if defined(HAVE_WOLFSSL_GET_PEER_CERTIFICATE) || \
89: (defined(OPENSSL_EXTRA) && !defined(NO_CERTS))
90: #define KEEP_PEER_CERT
91: #endif
92: #endif
93:
94: struct ssl_backend_data {
95: SSL_CTX* ctx;
96: SSL* handle;
97: };
98:
99: static Curl_recv wolfssl_recv;
100: static Curl_send wolfssl_send;
101:
102: static int do_file_type(const char *type)
103: {
104: if(!type || !type[0])
105: return SSL_FILETYPE_PEM;
106: if(strcasecompare(type, "PEM"))
107: return SSL_FILETYPE_PEM;
108: if(strcasecompare(type, "DER"))
109: return SSL_FILETYPE_ASN1;
110: return -1;
111: }
112:
113: /*
114: * This function loads all the client/CA certificates and CRLs. Setup the TLS
115: * layer and do all necessary magic.
116: */
117: static CURLcode
118: wolfssl_connect_step1(struct connectdata *conn,
119: int sockindex)
120: {
121: char *ciphers;
122: struct Curl_easy *data = conn->data;
123: struct ssl_connect_data* connssl = &conn->ssl[sockindex];
124: struct ssl_backend_data *backend = connssl->backend;
125: SSL_METHOD* req_method = NULL;
126: curl_socket_t sockfd = conn->sock[sockindex];
127: #ifdef HAVE_SNI
128: bool sni = FALSE;
129: #define use_sni(x) sni = (x)
130: #else
131: #define use_sni(x) Curl_nop_stmt
132: #endif
133:
134: if(connssl->state == ssl_connection_complete)
135: return CURLE_OK;
136:
137: if(SSL_CONN_CONFIG(version_max) != CURL_SSLVERSION_MAX_NONE) {
138: failf(data, "wolfSSL does not support to set maximum SSL/TLS version");
139: return CURLE_SSL_CONNECT_ERROR;
140: }
141:
142: /* check to see if we've been told to use an explicit SSL/TLS version */
143: switch(SSL_CONN_CONFIG(version)) {
144: case CURL_SSLVERSION_DEFAULT:
145: case CURL_SSLVERSION_TLSv1:
146: #if LIBWOLFSSL_VERSION_HEX >= 0x03003000 /* >= 3.3.0 */
147: /* minimum protocol version is set later after the CTX object is created */
148: req_method = SSLv23_client_method();
149: #else
150: infof(data, "wolfSSL <3.3.0 cannot be configured to use TLS 1.0-1.2, "
151: "TLS 1.0 is used exclusively\n");
152: req_method = TLSv1_client_method();
153: #endif
154: use_sni(TRUE);
155: break;
156: case CURL_SSLVERSION_TLSv1_0:
157: #ifdef WOLFSSL_ALLOW_TLSV10
158: req_method = TLSv1_client_method();
159: use_sni(TRUE);
160: #else
161: failf(data, "wolfSSL does not support TLS 1.0");
162: return CURLE_NOT_BUILT_IN;
163: #endif
164: break;
165: case CURL_SSLVERSION_TLSv1_1:
166: req_method = TLSv1_1_client_method();
167: use_sni(TRUE);
168: break;
169: case CURL_SSLVERSION_TLSv1_2:
170: req_method = TLSv1_2_client_method();
171: use_sni(TRUE);
172: break;
173: case CURL_SSLVERSION_TLSv1_3:
174: #ifdef WOLFSSL_TLS13
175: req_method = wolfTLSv1_3_client_method();
176: use_sni(TRUE);
177: break;
178: #else
179: failf(data, "wolfSSL: TLS 1.3 is not yet supported");
180: return CURLE_SSL_CONNECT_ERROR;
181: #endif
182: case CURL_SSLVERSION_SSLv3:
183: #ifdef WOLFSSL_ALLOW_SSLV3
184: req_method = SSLv3_client_method();
185: use_sni(FALSE);
186: #else
187: failf(data, "wolfSSL does not support SSLv3");
188: return CURLE_NOT_BUILT_IN;
189: #endif
190: break;
191: case CURL_SSLVERSION_SSLv2:
192: failf(data, "wolfSSL does not support SSLv2");
193: return CURLE_SSL_CONNECT_ERROR;
194: default:
195: failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
196: return CURLE_SSL_CONNECT_ERROR;
197: }
198:
199: if(!req_method) {
200: failf(data, "SSL: couldn't create a method!");
201: return CURLE_OUT_OF_MEMORY;
202: }
203:
204: if(backend->ctx)
205: SSL_CTX_free(backend->ctx);
206: backend->ctx = SSL_CTX_new(req_method);
207:
208: if(!backend->ctx) {
209: failf(data, "SSL: couldn't create a context!");
210: return CURLE_OUT_OF_MEMORY;
211: }
212:
213: switch(SSL_CONN_CONFIG(version)) {
214: case CURL_SSLVERSION_DEFAULT:
215: case CURL_SSLVERSION_TLSv1:
216: #if LIBWOLFSSL_VERSION_HEX > 0x03004006 /* > 3.4.6 */
217: /* Versions 3.3.0 to 3.4.6 we know the minimum protocol version is
218: * whatever minimum version of TLS was built in and at least TLS 1.0. For
219: * later library versions that could change (eg TLS 1.0 built in but
220: * defaults to TLS 1.1) so we have this short circuit evaluation to find
221: * the minimum supported TLS version.
222: */
223: if((wolfSSL_CTX_SetMinVersion(backend->ctx, WOLFSSL_TLSV1) != 1) &&
224: (wolfSSL_CTX_SetMinVersion(backend->ctx, WOLFSSL_TLSV1_1) != 1) &&
225: (wolfSSL_CTX_SetMinVersion(backend->ctx, WOLFSSL_TLSV1_2) != 1)
226: #ifdef WOLFSSL_TLS13
227: && (wolfSSL_CTX_SetMinVersion(backend->ctx, WOLFSSL_TLSV1_3) != 1)
228: #endif
229: ) {
230: failf(data, "SSL: couldn't set the minimum protocol version");
231: return CURLE_SSL_CONNECT_ERROR;
232: }
233: #endif
234: break;
235: }
236:
237: ciphers = SSL_CONN_CONFIG(cipher_list);
238: if(ciphers) {
239: if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) {
240: failf(data, "failed setting cipher list: %s", ciphers);
241: return CURLE_SSL_CIPHER;
242: }
243: infof(data, "Cipher selection: %s\n", ciphers);
244: }
245:
246: #ifndef NO_FILESYSTEM
247: /* load trusted cacert */
248: if(SSL_CONN_CONFIG(CAfile)) {
249: if(1 != SSL_CTX_load_verify_locations(backend->ctx,
250: SSL_CONN_CONFIG(CAfile),
251: SSL_CONN_CONFIG(CApath))) {
252: if(SSL_CONN_CONFIG(verifypeer)) {
253: /* Fail if we insist on successfully verifying the server. */
254: failf(data, "error setting certificate verify locations:\n"
255: " CAfile: %s\n CApath: %s",
256: SSL_CONN_CONFIG(CAfile)?
257: SSL_CONN_CONFIG(CAfile): "none",
258: SSL_CONN_CONFIG(CApath)?
259: SSL_CONN_CONFIG(CApath) : "none");
260: return CURLE_SSL_CACERT_BADFILE;
261: }
262: else {
263: /* Just continue with a warning if no strict certificate
264: verification is required. */
265: infof(data, "error setting certificate verify locations,"
266: " continuing anyway:\n");
267: }
268: }
269: else {
270: /* Everything is fine. */
271: infof(data, "successfully set certificate verify locations:\n");
272: }
273: infof(data,
274: " CAfile: %s\n"
275: " CApath: %s\n",
276: SSL_CONN_CONFIG(CAfile) ? SSL_CONN_CONFIG(CAfile):
277: "none",
278: SSL_CONN_CONFIG(CApath) ? SSL_CONN_CONFIG(CApath):
279: "none");
280: }
281:
282: /* Load the client certificate, and private key */
283: if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) {
284: int file_type = do_file_type(SSL_SET_OPTION(cert_type));
285:
286: if(SSL_CTX_use_certificate_file(backend->ctx, SSL_SET_OPTION(cert),
287: file_type) != 1) {
288: failf(data, "unable to use client certificate (no key or wrong pass"
289: " phrase?)");
290: return CURLE_SSL_CONNECT_ERROR;
291: }
292:
293: file_type = do_file_type(SSL_SET_OPTION(key_type));
294: if(SSL_CTX_use_PrivateKey_file(backend->ctx, SSL_SET_OPTION(key),
295: file_type) != 1) {
296: failf(data, "unable to set private key");
297: return CURLE_SSL_CONNECT_ERROR;
298: }
299: }
300: #endif /* !NO_FILESYSTEM */
301:
302: /* SSL always tries to verify the peer, this only says whether it should
303: * fail to connect if the verification fails, or if it should continue
304: * anyway. In the latter case the result of the verification is checked with
305: * SSL_get_verify_result() below. */
306: SSL_CTX_set_verify(backend->ctx,
307: SSL_CONN_CONFIG(verifypeer)?SSL_VERIFY_PEER:
308: SSL_VERIFY_NONE,
309: NULL);
310:
311: #ifdef HAVE_SNI
312: if(sni) {
313: struct in_addr addr4;
314: #ifdef ENABLE_IPV6
315: struct in6_addr addr6;
316: #endif
317: const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
318: conn->host.name;
319: size_t hostname_len = strlen(hostname);
320: if((hostname_len < USHRT_MAX) &&
321: (0 == Curl_inet_pton(AF_INET, hostname, &addr4)) &&
322: #ifdef ENABLE_IPV6
323: (0 == Curl_inet_pton(AF_INET6, hostname, &addr6)) &&
324: #endif
325: (wolfSSL_CTX_UseSNI(backend->ctx, WOLFSSL_SNI_HOST_NAME, hostname,
326: (unsigned short)hostname_len) != 1)) {
327: infof(data, "WARNING: failed to configure server name indication (SNI) "
328: "TLS extension\n");
329: }
330: }
331: #endif
332:
333: /* give application a chance to interfere with SSL set up. */
334: if(data->set.ssl.fsslctx) {
335: CURLcode result = (*data->set.ssl.fsslctx)(data, backend->ctx,
336: data->set.ssl.fsslctxp);
337: if(result) {
338: failf(data, "error signaled by ssl ctx callback");
339: return result;
340: }
341: }
342: #ifdef NO_FILESYSTEM
343: else if(SSL_CONN_CONFIG(verifypeer)) {
344: failf(data, "SSL: Certificates can't be loaded because wolfSSL was built"
345: " with \"no filesystem\". Either disable peer verification"
346: " (insecure) or if you are building an application with libcurl you"
347: " can load certificates via CURLOPT_SSL_CTX_FUNCTION.");
348: return CURLE_SSL_CONNECT_ERROR;
349: }
350: #endif
351:
352: /* Let's make an SSL structure */
353: if(backend->handle)
354: SSL_free(backend->handle);
355: backend->handle = SSL_new(backend->ctx);
356: if(!backend->handle) {
357: failf(data, "SSL: couldn't create a context (handle)!");
358: return CURLE_OUT_OF_MEMORY;
359: }
360:
361: #ifdef HAVE_ALPN
362: if(conn->bits.tls_enable_alpn) {
363: char protocols[128];
364: *protocols = '\0';
365:
366: /* wolfSSL's ALPN protocol name list format is a comma separated string of
367: protocols in descending order of preference, eg: "h2,http/1.1" */
368:
369: #ifdef USE_NGHTTP2
370: if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
371: strcpy(protocols + strlen(protocols), NGHTTP2_PROTO_VERSION_ID ",");
372: infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
373: }
374: #endif
375:
376: strcpy(protocols + strlen(protocols), ALPN_HTTP_1_1);
377: infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
378:
379: if(wolfSSL_UseALPN(backend->handle, protocols,
380: (unsigned)strlen(protocols),
381: WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) != SSL_SUCCESS) {
382: failf(data, "SSL: failed setting ALPN protocols");
383: return CURLE_SSL_CONNECT_ERROR;
384: }
385: }
386: #endif /* HAVE_ALPN */
387:
388: /* Check if there's a cached ID we can/should use here! */
389: if(SSL_SET_OPTION(primary.sessionid)) {
390: void *ssl_sessionid = NULL;
391:
392: Curl_ssl_sessionid_lock(conn);
393: if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
394: /* we got a session id, use it! */
395: if(!SSL_set_session(backend->handle, ssl_sessionid)) {
396: char error_buffer[WOLFSSL_MAX_ERROR_SZ];
397: Curl_ssl_sessionid_unlock(conn);
398: failf(data, "SSL: SSL_set_session failed: %s",
399: ERR_error_string(SSL_get_error(backend->handle, 0),
400: error_buffer));
401: return CURLE_SSL_CONNECT_ERROR;
402: }
403: /* Informational message */
404: infof(data, "SSL re-using session ID\n");
405: }
406: Curl_ssl_sessionid_unlock(conn);
407: }
408:
409: /* pass the raw socket into the SSL layer */
410: if(!SSL_set_fd(backend->handle, (int)sockfd)) {
411: failf(data, "SSL: SSL_set_fd failed");
412: return CURLE_SSL_CONNECT_ERROR;
413: }
414:
415: connssl->connecting_state = ssl_connect_2;
416: return CURLE_OK;
417: }
418:
419:
420: static CURLcode
421: wolfssl_connect_step2(struct connectdata *conn,
422: int sockindex)
423: {
424: int ret = -1;
425: struct Curl_easy *data = conn->data;
426: struct ssl_connect_data* connssl = &conn->ssl[sockindex];
427: struct ssl_backend_data *backend = connssl->backend;
428: const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
429: conn->host.name;
430: const char * const dispname = SSL_IS_PROXY() ?
431: conn->http_proxy.host.dispname : conn->host.dispname;
432: const char * const pinnedpubkey = SSL_IS_PROXY() ?
433: data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
434: data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
435:
436: conn->recv[sockindex] = wolfssl_recv;
437: conn->send[sockindex] = wolfssl_send;
438:
439: /* Enable RFC2818 checks */
440: if(SSL_CONN_CONFIG(verifyhost)) {
441: ret = wolfSSL_check_domain_name(backend->handle, hostname);
442: if(ret == SSL_FAILURE)
443: return CURLE_OUT_OF_MEMORY;
444: }
445:
446: ret = SSL_connect(backend->handle);
447: if(ret != 1) {
448: char error_buffer[WOLFSSL_MAX_ERROR_SZ];
449: int detail = SSL_get_error(backend->handle, ret);
450:
451: if(SSL_ERROR_WANT_READ == detail) {
452: connssl->connecting_state = ssl_connect_2_reading;
453: return CURLE_OK;
454: }
455: else if(SSL_ERROR_WANT_WRITE == detail) {
456: connssl->connecting_state = ssl_connect_2_writing;
457: return CURLE_OK;
458: }
459: /* There is no easy way to override only the CN matching.
460: * This will enable the override of both mismatching SubjectAltNames
461: * as also mismatching CN fields */
462: else if(DOMAIN_NAME_MISMATCH == detail) {
463: #if 1
464: failf(data, "\tsubject alt name(s) or common name do not match \"%s\"\n",
465: dispname);
466: return CURLE_PEER_FAILED_VERIFICATION;
467: #else
468: /* When the wolfssl_check_domain_name() is used and you desire to
469: * continue on a DOMAIN_NAME_MISMATCH, i.e. 'conn->ssl_config.verifyhost
470: * == 0', CyaSSL version 2.4.0 will fail with an INCOMPLETE_DATA
471: * error. The only way to do this is currently to switch the
472: * Wolfssl_check_domain_name() in and out based on the
473: * 'conn->ssl_config.verifyhost' value. */
474: if(SSL_CONN_CONFIG(verifyhost)) {
475: failf(data,
476: "\tsubject alt name(s) or common name do not match \"%s\"\n",
477: dispname);
478: return CURLE_PEER_FAILED_VERIFICATION;
479: }
480: else {
481: infof(data,
482: "\tsubject alt name(s) and/or common name do not match \"%s\"\n",
483: dispname);
484: return CURLE_OK;
485: }
486: #endif
487: }
488: #if LIBWOLFSSL_VERSION_HEX >= 0x02007000 /* 2.7.0 */
489: else if(ASN_NO_SIGNER_E == detail) {
490: if(SSL_CONN_CONFIG(verifypeer)) {
491: failf(data, "\tCA signer not available for verification\n");
492: return CURLE_SSL_CACERT_BADFILE;
493: }
494: else {
495: /* Just continue with a warning if no strict certificate
496: verification is required. */
497: infof(data, "CA signer not available for verification, "
498: "continuing anyway\n");
499: }
500: }
501: #endif
502: else {
503: failf(data, "SSL_connect failed with error %d: %s", detail,
504: ERR_error_string(detail, error_buffer));
505: return CURLE_SSL_CONNECT_ERROR;
506: }
507: }
508:
509: if(pinnedpubkey) {
510: #ifdef KEEP_PEER_CERT
511: X509 *x509;
512: const char *x509_der;
513: int x509_der_len;
514: curl_X509certificate x509_parsed;
515: curl_asn1Element *pubkey;
516: CURLcode result;
517:
518: x509 = SSL_get_peer_certificate(backend->handle);
519: if(!x509) {
520: failf(data, "SSL: failed retrieving server certificate");
521: return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
522: }
523:
524: x509_der = (const char *)wolfSSL_X509_get_der(x509, &x509_der_len);
525: if(!x509_der) {
526: failf(data, "SSL: failed retrieving ASN.1 server certificate");
527: return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
528: }
529:
530: memset(&x509_parsed, 0, sizeof(x509_parsed));
531: if(Curl_parseX509(&x509_parsed, x509_der, x509_der + x509_der_len))
532: return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
533:
534: pubkey = &x509_parsed.subjectPublicKeyInfo;
535: if(!pubkey->header || pubkey->end <= pubkey->header) {
536: failf(data, "SSL: failed retrieving public key from server certificate");
537: return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
538: }
539:
540: result = Curl_pin_peer_pubkey(data,
541: pinnedpubkey,
542: (const unsigned char *)pubkey->header,
543: (size_t)(pubkey->end - pubkey->header));
544: if(result) {
545: failf(data, "SSL: public key does not match pinned public key!");
546: return result;
547: }
548: #else
549: failf(data, "Library lacks pinning support built-in");
550: return CURLE_NOT_BUILT_IN;
551: #endif
552: }
553:
554: #ifdef HAVE_ALPN
555: if(conn->bits.tls_enable_alpn) {
556: int rc;
557: char *protocol = NULL;
558: unsigned short protocol_len = 0;
559:
560: rc = wolfSSL_ALPN_GetProtocol(backend->handle, &protocol, &protocol_len);
561:
562: if(rc == SSL_SUCCESS) {
563: infof(data, "ALPN, server accepted to use %.*s\n", protocol_len,
564: protocol);
565:
566: if(protocol_len == ALPN_HTTP_1_1_LENGTH &&
567: !memcmp(protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH))
568: conn->negnpn = CURL_HTTP_VERSION_1_1;
569: #ifdef USE_NGHTTP2
570: else if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
571: protocol_len == NGHTTP2_PROTO_VERSION_ID_LEN &&
572: !memcmp(protocol, NGHTTP2_PROTO_VERSION_ID,
573: NGHTTP2_PROTO_VERSION_ID_LEN))
574: conn->negnpn = CURL_HTTP_VERSION_2;
575: #endif
576: else
577: infof(data, "ALPN, unrecognized protocol %.*s\n", protocol_len,
578: protocol);
579: Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ?
580: BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
581: }
582: else if(rc == SSL_ALPN_NOT_FOUND)
583: infof(data, "ALPN, server did not agree to a protocol\n");
584: else {
585: failf(data, "ALPN, failure getting protocol, error %d", rc);
586: return CURLE_SSL_CONNECT_ERROR;
587: }
588: }
589: #endif /* HAVE_ALPN */
590:
591: connssl->connecting_state = ssl_connect_3;
592: #if (LIBWOLFSSL_VERSION_HEX >= 0x03009010)
593: infof(data, "SSL connection using %s / %s\n",
594: wolfSSL_get_version(backend->handle),
595: wolfSSL_get_cipher_name(backend->handle));
596: #else
597: infof(data, "SSL connected\n");
598: #endif
599:
600: return CURLE_OK;
601: }
602:
603:
604: static CURLcode
605: wolfssl_connect_step3(struct connectdata *conn,
606: int sockindex)
607: {
608: CURLcode result = CURLE_OK;
609: struct Curl_easy *data = conn->data;
610: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
611: struct ssl_backend_data *backend = connssl->backend;
612:
613: DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
614:
615: if(SSL_SET_OPTION(primary.sessionid)) {
616: bool incache;
617: SSL_SESSION *our_ssl_sessionid;
618: void *old_ssl_sessionid = NULL;
619:
620: our_ssl_sessionid = SSL_get_session(backend->handle);
621:
622: Curl_ssl_sessionid_lock(conn);
623: incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
624: sockindex));
625: if(incache) {
626: if(old_ssl_sessionid != our_ssl_sessionid) {
627: infof(data, "old SSL session ID is stale, removing\n");
628: Curl_ssl_delsessionid(conn, old_ssl_sessionid);
629: incache = FALSE;
630: }
631: }
632:
633: if(!incache) {
634: result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
635: 0 /* unknown size */, sockindex);
636: if(result) {
637: Curl_ssl_sessionid_unlock(conn);
638: failf(data, "failed to store ssl session");
639: return result;
640: }
641: }
642: Curl_ssl_sessionid_unlock(conn);
643: }
644:
645: connssl->connecting_state = ssl_connect_done;
646:
647: return result;
648: }
649:
650:
651: static ssize_t wolfssl_send(struct connectdata *conn,
652: int sockindex,
653: const void *mem,
654: size_t len,
655: CURLcode *curlcode)
656: {
657: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
658: struct ssl_backend_data *backend = connssl->backend;
659: char error_buffer[WOLFSSL_MAX_ERROR_SZ];
660: int memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
661: int rc = SSL_write(backend->handle, mem, memlen);
662:
663: if(rc < 0) {
664: int err = SSL_get_error(backend->handle, rc);
665:
666: switch(err) {
667: case SSL_ERROR_WANT_READ:
668: case SSL_ERROR_WANT_WRITE:
669: /* there's data pending, re-invoke SSL_write() */
670: *curlcode = CURLE_AGAIN;
671: return -1;
672: default:
673: failf(conn->data, "SSL write: %s, errno %d",
674: ERR_error_string(err, error_buffer),
675: SOCKERRNO);
676: *curlcode = CURLE_SEND_ERROR;
677: return -1;
678: }
679: }
680: return rc;
681: }
682:
683: static void Curl_wolfssl_close(struct connectdata *conn, int sockindex)
684: {
685: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
686: struct ssl_backend_data *backend = connssl->backend;
687:
688: if(backend->handle) {
689: (void)SSL_shutdown(backend->handle);
690: SSL_free(backend->handle);
691: backend->handle = NULL;
692: }
693: if(backend->ctx) {
694: SSL_CTX_free(backend->ctx);
695: backend->ctx = NULL;
696: }
697: }
698:
699: static ssize_t wolfssl_recv(struct connectdata *conn,
700: int num,
701: char *buf,
702: size_t buffersize,
703: CURLcode *curlcode)
704: {
705: struct ssl_connect_data *connssl = &conn->ssl[num];
706: struct ssl_backend_data *backend = connssl->backend;
707: char error_buffer[WOLFSSL_MAX_ERROR_SZ];
708: int buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
709: int nread = SSL_read(backend->handle, buf, buffsize);
710:
711: if(nread < 0) {
712: int err = SSL_get_error(backend->handle, nread);
713:
714: switch(err) {
715: case SSL_ERROR_ZERO_RETURN: /* no more data */
716: break;
717: case SSL_ERROR_WANT_READ:
718: case SSL_ERROR_WANT_WRITE:
719: /* there's data pending, re-invoke SSL_read() */
720: *curlcode = CURLE_AGAIN;
721: return -1;
722: default:
723: failf(conn->data, "SSL read: %s, errno %d",
724: ERR_error_string(err, error_buffer),
725: SOCKERRNO);
726: *curlcode = CURLE_RECV_ERROR;
727: return -1;
728: }
729: }
730: return nread;
731: }
732:
733:
734: static void Curl_wolfssl_session_free(void *ptr)
735: {
736: (void)ptr;
737: /* wolfSSL reuses sessions on own, no free */
738: }
739:
740:
741: static size_t Curl_wolfssl_version(char *buffer, size_t size)
742: {
743: #if LIBWOLFSSL_VERSION_HEX >= 0x03006000
744: return msnprintf(buffer, size, "wolfSSL/%s", wolfSSL_lib_version());
745: #elif defined(WOLFSSL_VERSION)
746: return msnprintf(buffer, size, "wolfSSL/%s", WOLFSSL_VERSION);
747: #endif
748: }
749:
750:
751: static int Curl_wolfssl_init(void)
752: {
753: return (wolfSSL_Init() == SSL_SUCCESS);
754: }
755:
756:
757: static void Curl_wolfssl_cleanup(void)
758: {
759: wolfSSL_Cleanup();
760: }
761:
762:
763: static bool Curl_wolfssl_data_pending(const struct connectdata* conn,
764: int connindex)
765: {
766: const struct ssl_connect_data *connssl = &conn->ssl[connindex];
767: struct ssl_backend_data *backend = connssl->backend;
768: if(backend->handle) /* SSL is in use */
769: return (0 != SSL_pending(backend->handle)) ? TRUE : FALSE;
770: else
771: return FALSE;
772: }
773:
774:
775: /*
776: * This function is called to shut down the SSL layer but keep the
777: * socket open (CCC - Clear Command Channel)
778: */
779: static int Curl_wolfssl_shutdown(struct connectdata *conn, int sockindex)
780: {
781: int retval = 0;
782: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
783: struct ssl_backend_data *backend = connssl->backend;
784:
785: if(backend->handle) {
786: SSL_free(backend->handle);
787: backend->handle = NULL;
788: }
789: return retval;
790: }
791:
792:
793: static CURLcode
794: wolfssl_connect_common(struct connectdata *conn,
795: int sockindex,
796: bool nonblocking,
797: bool *done)
798: {
799: CURLcode result;
800: struct Curl_easy *data = conn->data;
801: struct ssl_connect_data *connssl = &conn->ssl[sockindex];
802: curl_socket_t sockfd = conn->sock[sockindex];
803: time_t timeout_ms;
804: int what;
805:
806: /* check if the connection has already been established */
807: if(ssl_connection_complete == connssl->state) {
808: *done = TRUE;
809: return CURLE_OK;
810: }
811:
812: if(ssl_connect_1 == connssl->connecting_state) {
813: /* Find out how much more time we're allowed */
814: timeout_ms = Curl_timeleft(data, NULL, TRUE);
815:
816: if(timeout_ms < 0) {
817: /* no need to continue if time already is up */
818: failf(data, "SSL connection timeout");
819: return CURLE_OPERATION_TIMEDOUT;
820: }
821:
822: result = wolfssl_connect_step1(conn, sockindex);
823: if(result)
824: return result;
825: }
826:
827: while(ssl_connect_2 == connssl->connecting_state ||
828: ssl_connect_2_reading == connssl->connecting_state ||
829: ssl_connect_2_writing == connssl->connecting_state) {
830:
831: /* check allowed time left */
832: timeout_ms = Curl_timeleft(data, NULL, TRUE);
833:
834: if(timeout_ms < 0) {
835: /* no need to continue if time already is up */
836: failf(data, "SSL connection timeout");
837: return CURLE_OPERATION_TIMEDOUT;
838: }
839:
840: /* if ssl is expecting something, check if it's available. */
841: if(connssl->connecting_state == ssl_connect_2_reading
842: || connssl->connecting_state == ssl_connect_2_writing) {
843:
844: curl_socket_t writefd = ssl_connect_2_writing ==
845: connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
846: curl_socket_t readfd = ssl_connect_2_reading ==
847: connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
848:
849: what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
850: nonblocking?0:timeout_ms);
851: if(what < 0) {
852: /* fatal error */
853: failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
854: return CURLE_SSL_CONNECT_ERROR;
855: }
856: else if(0 == what) {
857: if(nonblocking) {
858: *done = FALSE;
859: return CURLE_OK;
860: }
861: else {
862: /* timeout */
863: failf(data, "SSL connection timeout");
864: return CURLE_OPERATION_TIMEDOUT;
865: }
866: }
867: /* socket is readable or writable */
868: }
869:
870: /* Run transaction, and return to the caller if it failed or if
871: * this connection is part of a multi handle and this loop would
872: * execute again. This permits the owner of a multi handle to
873: * abort a connection attempt before step2 has completed while
874: * ensuring that a client using select() or epoll() will always
875: * have a valid fdset to wait on.
876: */
877: result = wolfssl_connect_step2(conn, sockindex);
878: if(result || (nonblocking &&
879: (ssl_connect_2 == connssl->connecting_state ||
880: ssl_connect_2_reading == connssl->connecting_state ||
881: ssl_connect_2_writing == connssl->connecting_state)))
882: return result;
883: } /* repeat step2 until all transactions are done. */
884:
885: if(ssl_connect_3 == connssl->connecting_state) {
886: result = wolfssl_connect_step3(conn, sockindex);
887: if(result)
888: return result;
889: }
890:
891: if(ssl_connect_done == connssl->connecting_state) {
892: connssl->state = ssl_connection_complete;
893: conn->recv[sockindex] = wolfssl_recv;
894: conn->send[sockindex] = wolfssl_send;
895: *done = TRUE;
896: }
897: else
898: *done = FALSE;
899:
900: /* Reset our connect state machine */
901: connssl->connecting_state = ssl_connect_1;
902:
903: return CURLE_OK;
904: }
905:
906:
907: static CURLcode Curl_wolfssl_connect_nonblocking(struct connectdata *conn,
908: int sockindex, bool *done)
909: {
910: return wolfssl_connect_common(conn, sockindex, TRUE, done);
911: }
912:
913:
914: static CURLcode Curl_wolfssl_connect(struct connectdata *conn, int sockindex)
915: {
916: CURLcode result;
917: bool done = FALSE;
918:
919: result = wolfssl_connect_common(conn, sockindex, FALSE, &done);
920: if(result)
921: return result;
922:
923: DEBUGASSERT(done);
924:
925: return CURLE_OK;
926: }
927:
928: static CURLcode Curl_wolfssl_random(struct Curl_easy *data,
929: unsigned char *entropy, size_t length)
930: {
931: WC_RNG rng;
932: (void)data;
933: if(wc_InitRng(&rng))
934: return CURLE_FAILED_INIT;
935: if(length > UINT_MAX)
936: return CURLE_FAILED_INIT;
937: if(wc_RNG_GenerateBlock(&rng, entropy, (unsigned)length))
938: return CURLE_FAILED_INIT;
939: if(wc_FreeRng(&rng))
940: return CURLE_FAILED_INIT;
941: return CURLE_OK;
942: }
943:
944: static CURLcode Curl_wolfssl_sha256sum(const unsigned char *tmp, /* input */
945: size_t tmplen,
946: unsigned char *sha256sum /* output */,
947: size_t unused)
948: {
949: wc_Sha256 SHA256pw;
950: (void)unused;
951: wc_InitSha256(&SHA256pw);
952: wc_Sha256Update(&SHA256pw, tmp, (word32)tmplen);
953: wc_Sha256Final(&SHA256pw, sha256sum);
954: return CURLE_OK;
955: }
956:
957: static void *Curl_wolfssl_get_internals(struct ssl_connect_data *connssl,
958: CURLINFO info UNUSED_PARAM)
959: {
960: struct ssl_backend_data *backend = connssl->backend;
961: (void)info;
962: return backend->handle;
963: }
964:
965: const struct Curl_ssl Curl_ssl_wolfssl = {
966: { CURLSSLBACKEND_WOLFSSL, "WolfSSL" }, /* info */
967:
968: #ifdef KEEP_PEER_CERT
969: SSLSUPP_PINNEDPUBKEY |
970: #endif
971: SSLSUPP_SSL_CTX,
972:
973: sizeof(struct ssl_backend_data),
974:
975: Curl_wolfssl_init, /* init */
976: Curl_wolfssl_cleanup, /* cleanup */
977: Curl_wolfssl_version, /* version */
978: Curl_none_check_cxn, /* check_cxn */
979: Curl_wolfssl_shutdown, /* shutdown */
980: Curl_wolfssl_data_pending, /* data_pending */
981: Curl_wolfssl_random, /* random */
982: Curl_none_cert_status_request, /* cert_status_request */
983: Curl_wolfssl_connect, /* connect */
984: Curl_wolfssl_connect_nonblocking, /* connect_nonblocking */
985: Curl_wolfssl_get_internals, /* get_internals */
986: Curl_wolfssl_close, /* close_one */
987: Curl_none_close_all, /* close_all */
988: Curl_wolfssl_session_free, /* session_free */
989: Curl_none_set_engine, /* set_engine */
990: Curl_none_set_engine_default, /* set_engine_default */
991: Curl_none_engines_list, /* engines_list */
992: Curl_none_false_start, /* false_start */
993: Curl_none_md5sum, /* md5sum */
994: Curl_wolfssl_sha256sum /* sha256sum */
995: };
996:
997: #endif
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to wolfssl.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / curl / lib / vtls