VirtualBox

source: vbox/trunk/src/libs/curl-7.87.0/lib/vtls/mbedtls.c@ 98929

Last change on this file since 98929 was 98326, checked in by vboxsync, 2 years ago

curl-7.87.0: Applied and adjusted our curl changes to 7.83.1. bugref:10356
  • Property svn:eol-style set to native
File size: 39.1 KB
Line 
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 2012 - 2022, Daniel Stenberg, <[email protected]>, et al.
9 * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <[email protected]>
10 *
11 * This software is licensed as described in the file COPYING, which
12 * you should have received as part of this distribution. The terms
13 * are also available at https://curl.se/docs/copyright.html.
14 *
15 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
16 * copies of the Software, and permit persons to whom the Software is
17 * furnished to do so, under the terms of the COPYING file.
18 *
19 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20 * KIND, either express or implied.
21 *
22 * SPDX-License-Identifier: curl
23 *
24 ***************************************************************************/
25
26/*
27 * Source file for all mbedTLS-specific code for the TLS/SSL layer. No code
28 * but vtls.c should ever call or use these functions.
29 *
30 */
31
32#include "curl_setup.h"
33
34#ifdef USE_MBEDTLS
35
36/* Define this to enable lots of debugging for mbedTLS */
37/* #define MBEDTLS_DEBUG */
38
39#include <mbedtls/version.h>
40#if MBEDTLS_VERSION_NUMBER >= 0x02040000
41#include <mbedtls/net_sockets.h>
42#else
43#include <mbedtls/net.h>
44#endif
45#include <mbedtls/ssl.h>
46#include <mbedtls/x509.h>
47
48#include <mbedtls/error.h>
49#include <mbedtls/entropy.h>
50#include <mbedtls/ctr_drbg.h>
51#include <mbedtls/sha256.h>
52
53#if MBEDTLS_VERSION_MAJOR >= 2
54# ifdef MBEDTLS_DEBUG
55# include <mbedtls/debug.h>
56# endif
57#endif
58
59#include "urldata.h"
60#include "sendf.h"
61#include "inet_pton.h"
62#include "mbedtls.h"
63#include "vtls.h"
64#include "vtls_int.h"
65#include "parsedate.h"
66#include "connect.h" /* for the connect timeout */
67#include "select.h"
68#include "multiif.h"
69#include "mbedtls_threadlock.h"
70
71/* The last 3 #include files should be in this order */
72#include "curl_printf.h"
73#include "curl_memory.h"
74#include "memdebug.h"
75
76/* ALPN for http2 */
77#ifdef USE_HTTP2
78# undef HAS_ALPN
79# ifdef MBEDTLS_SSL_ALPN
80# define HAS_ALPN
81# endif
82#endif
83
84struct ssl_backend_data {
85 mbedtls_ctr_drbg_context ctr_drbg;
86 mbedtls_entropy_context entropy;
87 mbedtls_ssl_context ssl;
88 mbedtls_x509_crt cacert;
89 mbedtls_x509_crt clicert;
90#ifdef MBEDTLS_X509_CRL_PARSE_C
91 mbedtls_x509_crl crl;
92#endif
93 mbedtls_pk_context pk;
94 mbedtls_ssl_config config;
95#ifdef HAS_ALPN
96 const char *protocols[3];
97#endif
98};
99
100/* apply threading? */
101#if defined(USE_THREADS_POSIX) || defined(USE_THREADS_WIN32)
102#define THREADING_SUPPORT
103#endif
104
105#ifndef MBEDTLS_ERROR_C
106#define mbedtls_strerror(a,b,c) b[0] = 0
107#endif
108
109#if defined(THREADING_SUPPORT)
110static mbedtls_entropy_context ts_entropy;
111
112static int entropy_init_initialized = 0;
113
114/* start of entropy_init_mutex() */
115static void entropy_init_mutex(mbedtls_entropy_context *ctx)
116{
117 /* lock 0 = entropy_init_mutex() */
118 Curl_mbedtlsthreadlock_lock_function(0);
119 if(entropy_init_initialized == 0) {
120 mbedtls_entropy_init(ctx);
121 entropy_init_initialized = 1;
122 }
123 Curl_mbedtlsthreadlock_unlock_function(0);
124}
125/* end of entropy_init_mutex() */
126
127/* start of entropy_func_mutex() */
128static int entropy_func_mutex(void *data, unsigned char *output, size_t len)
129{
130 int ret;
131 /* lock 1 = entropy_func_mutex() */
132 Curl_mbedtlsthreadlock_lock_function(1);
133 ret = mbedtls_entropy_func(data, output, len);
134 Curl_mbedtlsthreadlock_unlock_function(1);
135
136 return ret;
137}
138/* end of entropy_func_mutex() */
139
140#endif /* THREADING_SUPPORT */
141
142#ifdef MBEDTLS_DEBUG
143static void mbed_debug(void *context, int level, const char *f_name,
144 int line_nb, const char *line)
145{
146 struct Curl_easy *data = NULL;
147
148 if(!context)
149 return;
150
151 data = (struct Curl_easy *)context;
152
153 infof(data, "%s", line);
154 (void) level;
155}
156#else
157#endif
158
159static int bio_cf_write(void *bio, const unsigned char *buf, size_t blen)
160{
161 struct Curl_cfilter *cf = bio;
162 struct ssl_connect_data *connssl = cf->ctx;
163 struct Curl_easy *data = connssl->call_data;
164 ssize_t nwritten;
165 CURLcode result;
166
167 DEBUGASSERT(data);
168 nwritten = Curl_conn_cf_send(cf->next, data, (char *)buf, blen, &result);
169 /* DEBUGF(infof(data, CFMSG(cf, "bio_cf_out_write(len=%d) -> %d, err=%d"),
170 blen, (int)nwritten, result)); */
171 if(nwritten < 0 && CURLE_AGAIN == result) {
172 nwritten = MBEDTLS_ERR_SSL_WANT_WRITE;
173 }
174 return (int)nwritten;
175}
176
177static int bio_cf_read(void *bio, unsigned char *buf, size_t blen)
178{
179 struct Curl_cfilter *cf = bio;
180 struct ssl_connect_data *connssl = cf->ctx;
181 struct Curl_easy *data = connssl->call_data;
182 ssize_t nread;
183 CURLcode result;
184
185 DEBUGASSERT(data);
186 /* OpenSSL catches this case, so should we. */
187 if(!buf)
188 return 0;
189
190 nread = Curl_conn_cf_recv(cf->next, data, (char *)buf, blen, &result);
191 /* DEBUGF(infof(data, CFMSG(cf, "bio_cf_in_read(len=%d) -> %d, err=%d"),
192 blen, (int)nread, result)); */
193 if(nread < 0 && CURLE_AGAIN == result) {
194 nread = MBEDTLS_ERR_SSL_WANT_READ;
195 }
196 return (int)nread;
197}
198
199/*
200 * profile
201 */
202static const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_fr =
203{
204 /* Hashes from SHA-1 and above */
205 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) |
206 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) |
207 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) |
208 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
209 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
210 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
211 0xFFFFFFF, /* Any PK alg */
212 0xFFFFFFF, /* Any curve */
213 1024, /* RSA min key len */
214};
215
216/* See https://tls.mbed.org/discussions/generic/
217 howto-determine-exact-buffer-len-for-mbedtls_pk_write_pubkey_der
218*/
219#define RSA_PUB_DER_MAX_BYTES (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
220#define ECP_PUB_DER_MAX_BYTES (30 + 2 * MBEDTLS_ECP_MAX_BYTES)
221
222#define PUB_DER_MAX_BYTES (RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
223 RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES)
224
225static CURLcode mbedtls_version_from_curl(int *mbedver, long version)
226{
227#if MBEDTLS_VERSION_NUMBER >= 0x03000000
228 switch(version) {
229 case CURL_SSLVERSION_TLSv1_0:
230 case CURL_SSLVERSION_TLSv1_1:
231 case CURL_SSLVERSION_TLSv1_2:
232 *mbedver = MBEDTLS_SSL_MINOR_VERSION_3;
233 return CURLE_OK;
234 case CURL_SSLVERSION_TLSv1_3:
235 break;
236 }
237#else
238 switch(version) {
239 case CURL_SSLVERSION_TLSv1_0:
240 *mbedver = MBEDTLS_SSL_MINOR_VERSION_1;
241 return CURLE_OK;
242 case CURL_SSLVERSION_TLSv1_1:
243 *mbedver = MBEDTLS_SSL_MINOR_VERSION_2;
244 return CURLE_OK;
245 case CURL_SSLVERSION_TLSv1_2:
246 *mbedver = MBEDTLS_SSL_MINOR_VERSION_3;
247 return CURLE_OK;
248 case CURL_SSLVERSION_TLSv1_3:
249 break;
250 }
251#endif
252
253 return CURLE_SSL_CONNECT_ERROR;
254}
255
256static CURLcode
257set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data)
258{
259 struct ssl_connect_data *connssl = cf->ctx;
260 struct ssl_backend_data *backend = connssl->backend;
261 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
262#if MBEDTLS_VERSION_NUMBER >= 0x03000000
263 int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_3;
264 int mbedtls_ver_max = MBEDTLS_SSL_MINOR_VERSION_3;
265#else
266 int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_1;
267 int mbedtls_ver_max = MBEDTLS_SSL_MINOR_VERSION_1;
268#endif
269 long ssl_version = conn_config->version;
270 long ssl_version_max = conn_config->version_max;
271 CURLcode result = CURLE_OK;
272
273 DEBUGASSERT(backend);
274
275 switch(ssl_version) {
276 case CURL_SSLVERSION_DEFAULT:
277 case CURL_SSLVERSION_TLSv1:
278 ssl_version = CURL_SSLVERSION_TLSv1_0;
279 break;
280 }
281
282 switch(ssl_version_max) {
283 case CURL_SSLVERSION_MAX_NONE:
284 case CURL_SSLVERSION_MAX_DEFAULT:
285 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
286 break;
287 }
288
289 result = mbedtls_version_from_curl(&mbedtls_ver_min, ssl_version);
290 if(result) {
291 failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");
292 return result;
293 }
294 result = mbedtls_version_from_curl(&mbedtls_ver_max, ssl_version_max >> 16);
295 if(result) {
296 failf(data, "unsupported max version passed via CURLOPT_SSLVERSION");
297 return result;
298 }
299
300 mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
301 mbedtls_ver_min);
302 mbedtls_ssl_conf_max_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
303 mbedtls_ver_max);
304
305 return result;
306}
307
308static CURLcode
309mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
310{
311 struct ssl_connect_data *connssl = cf->ctx;
312 struct ssl_backend_data *backend = connssl->backend;
313 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
314 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
315 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
316 const char * const ssl_cafile =
317 /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
318 (ca_info_blob ? NULL : conn_config->CAfile);
319 const bool verifypeer = conn_config->verifypeer;
320 const char * const ssl_capath = conn_config->CApath;
321 char * const ssl_cert = ssl_config->primary.clientcert;
322 const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
323 const char * const ssl_crlfile = ssl_config->primary.CRLfile;
324 const char *hostname = connssl->hostname;
325 int ret = -1;
326 char errorbuf[128];
327
328 DEBUGASSERT(backend);
329
330 if((conn_config->version == CURL_SSLVERSION_SSLv2) ||
331 (conn_config->version == CURL_SSLVERSION_SSLv3)) {
332 failf(data, "Not supported SSL version");
333 return CURLE_NOT_BUILT_IN;
334 }
335
336#ifdef THREADING_SUPPORT
337 entropy_init_mutex(&ts_entropy);
338 mbedtls_ctr_drbg_init(&backend->ctr_drbg);
339
340 ret = mbedtls_ctr_drbg_seed(&backend->ctr_drbg, entropy_func_mutex,
341 &ts_entropy, NULL, 0);
342 if(ret) {
343 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
344 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
345 -ret, errorbuf);
346 return CURLE_FAILED_INIT;
347 }
348#else
349 mbedtls_entropy_init(&backend->entropy);
350 mbedtls_ctr_drbg_init(&backend->ctr_drbg);
351
352 ret = mbedtls_ctr_drbg_seed(&backend->ctr_drbg, mbedtls_entropy_func,
353 &backend->entropy, NULL, 0);
354 if(ret) {
355 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
356 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
357 -ret, errorbuf);
358 return CURLE_FAILED_INIT;
359 }
360#endif /* THREADING_SUPPORT */
361
362 /* Load the trusted CA */
363 mbedtls_x509_crt_init(&backend->cacert);
364
365 if(ca_info_blob && verifypeer) {
366 /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null
367 terminated even when provided the exact length, forcing us to waste
368 extra memory here. */
369 unsigned char *newblob = malloc(ca_info_blob->len + 1);
370 if(!newblob)
371 return CURLE_OUT_OF_MEMORY;
372 memcpy(newblob, ca_info_blob->data, ca_info_blob->len);
373 newblob[ca_info_blob->len] = 0; /* null terminate */
374 ret = mbedtls_x509_crt_parse(&backend->cacert, newblob,
375 ca_info_blob->len + 1);
376 free(newblob);
377 if(ret<0) {
378 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
379 failf(data, "Error importing ca cert blob - mbedTLS: (-0x%04X) %s",
380 -ret, errorbuf);
381 return CURLE_SSL_CERTPROBLEM;
382 }
383 }
384
385 if(ssl_cafile && verifypeer) {
386#ifdef MBEDTLS_FS_IO
387 ret = mbedtls_x509_crt_parse_file(&backend->cacert, ssl_cafile);
388
389 if(ret<0) {
390 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
391 failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s",
392 ssl_cafile, -ret, errorbuf);
393 return CURLE_SSL_CACERT_BADFILE;
394 }
395#else
396 failf(data, "mbedtls: functions that use the filesystem not built in");
397 return CURLE_NOT_BUILT_IN;
398#endif
399 }
400
401 if(ssl_capath) {
402#ifdef MBEDTLS_FS_IO
403 ret = mbedtls_x509_crt_parse_path(&backend->cacert, ssl_capath);
404
405 if(ret<0) {
406 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
407 failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s",
408 ssl_capath, -ret, errorbuf);
409
410 if(verifypeer)
411 return CURLE_SSL_CACERT_BADFILE;
412 }
413#else
414 failf(data, "mbedtls: functions that use the filesystem not built in");
415 return CURLE_NOT_BUILT_IN;
416#endif
417 }
418
419 /* Load the client certificate */
420 mbedtls_x509_crt_init(&backend->clicert);
421
422 if(ssl_cert) {
423#ifdef MBEDTLS_FS_IO
424 ret = mbedtls_x509_crt_parse_file(&backend->clicert, ssl_cert);
425
426 if(ret) {
427 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
428 failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s",
429 ssl_cert, -ret, errorbuf);
430
431 return CURLE_SSL_CERTPROBLEM;
432 }
433#else
434 failf(data, "mbedtls: functions that use the filesystem not built in");
435 return CURLE_NOT_BUILT_IN;
436#endif
437 }
438
439 if(ssl_cert_blob) {
440 /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null
441 terminated even when provided the exact length, forcing us to waste
442 extra memory here. */
443 unsigned char *newblob = malloc(ssl_cert_blob->len + 1);
444 if(!newblob)
445 return CURLE_OUT_OF_MEMORY;
446 memcpy(newblob, ssl_cert_blob->data, ssl_cert_blob->len);
447 newblob[ssl_cert_blob->len] = 0; /* null terminate */
448 ret = mbedtls_x509_crt_parse(&backend->clicert, newblob,
449 ssl_cert_blob->len + 1);
450 free(newblob);
451
452 if(ret) {
453 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
454 failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
455 ssl_config->key, -ret, errorbuf);
456 return CURLE_SSL_CERTPROBLEM;
457 }
458 }
459
460 /* Load the client private key */
461 mbedtls_pk_init(&backend->pk);
462
463 if(ssl_config->key || ssl_config->key_blob) {
464 if(ssl_config->key) {
465#ifdef MBEDTLS_FS_IO
466#if MBEDTLS_VERSION_NUMBER >= 0x03000000
467 ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key,
468 ssl_config->key_passwd,
469 mbedtls_ctr_drbg_random,
470 &backend->ctr_drbg);
471#else
472 ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key,
473 ssl_config->key_passwd);
474#endif
475
476 if(ret) {
477 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
478 failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
479 ssl_config->key, -ret, errorbuf);
480 return CURLE_SSL_CERTPROBLEM;
481 }
482#else
483 failf(data, "mbedtls: functions that use the filesystem not built in");
484 return CURLE_NOT_BUILT_IN;
485#endif
486 }
487 else {
488 const struct curl_blob *ssl_key_blob = ssl_config->key_blob;
489 const unsigned char *key_data =
490 (const unsigned char *)ssl_key_blob->data;
491 const char *passwd = ssl_config->key_passwd;
492#if MBEDTLS_VERSION_NUMBER >= 0x03000000
493 ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
494 (const unsigned char *)passwd,
495 passwd ? strlen(passwd) : 0,
496 mbedtls_ctr_drbg_random,
497 &backend->ctr_drbg);
498#else
499 ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
500 (const unsigned char *)passwd,
501 passwd ? strlen(passwd) : 0);
502#endif
503
504 if(ret) {
505 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
506 failf(data, "Error parsing private key - mbedTLS: (-0x%04X) %s",
507 -ret, errorbuf);
508 return CURLE_SSL_CERTPROBLEM;
509 }
510 }
511
512 if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) ||
513 mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY)))
514 ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
515 }
516
517 /* Load the CRL */
518#ifdef MBEDTLS_X509_CRL_PARSE_C
519 mbedtls_x509_crl_init(&backend->crl);
520
521 if(ssl_crlfile) {
522#ifdef MBEDTLS_FS_IO
523 ret = mbedtls_x509_crl_parse_file(&backend->crl, ssl_crlfile);
524
525 if(ret) {
526 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
527 failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s",
528 ssl_crlfile, -ret, errorbuf);
529
530 return CURLE_SSL_CRL_BADFILE;
531 }
532#else
533 failf(data, "mbedtls: functions that use the filesystem not built in");
534 return CURLE_NOT_BUILT_IN;
535#endif
536 }
537#else
538 if(ssl_crlfile) {
539 failf(data, "mbedtls: crl support not built in");
540 return CURLE_NOT_BUILT_IN;
541 }
542#endif
543
544 infof(data, "mbedTLS: Connecting to %s:%d", hostname, connssl->port);
545
546 mbedtls_ssl_config_init(&backend->config);
547 ret = mbedtls_ssl_config_defaults(&backend->config,
548 MBEDTLS_SSL_IS_CLIENT,
549 MBEDTLS_SSL_TRANSPORT_STREAM,
550 MBEDTLS_SSL_PRESET_DEFAULT);
551 if(ret) {
552 failf(data, "mbedTLS: ssl_config failed");
553 return CURLE_SSL_CONNECT_ERROR;
554 }
555
556 mbedtls_ssl_init(&backend->ssl);
557 if(mbedtls_ssl_setup(&backend->ssl, &backend->config)) {
558 failf(data, "mbedTLS: ssl_init failed");
559 return CURLE_SSL_CONNECT_ERROR;
560 }
561
562 /* new profile with RSA min key len = 1024 ... */
563 mbedtls_ssl_conf_cert_profile(&backend->config,
564 &mbedtls_x509_crt_profile_fr);
565
566 switch(conn_config->version) {
567 case CURL_SSLVERSION_DEFAULT:
568 case CURL_SSLVERSION_TLSv1:
569#if MBEDTLS_VERSION_NUMBER < 0x03000000
570 mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
571 MBEDTLS_SSL_MINOR_VERSION_1);
572 infof(data, "mbedTLS: Set min SSL version to TLS 1.0");
573 break;
574#endif
575 case CURL_SSLVERSION_TLSv1_0:
576 case CURL_SSLVERSION_TLSv1_1:
577 case CURL_SSLVERSION_TLSv1_2:
578 case CURL_SSLVERSION_TLSv1_3:
579 {
580 CURLcode result = set_ssl_version_min_max(cf, data);
581 if(result != CURLE_OK)
582 return result;
583 break;
584 }
585 default:
586 failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
587 return CURLE_SSL_CONNECT_ERROR;
588 }
589
590 mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL);
591
592 mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
593 &backend->ctr_drbg);
594 mbedtls_ssl_set_bio(&backend->ssl, cf, bio_cf_write, bio_cf_read,
595 NULL /* rev_timeout() */);
596
597 mbedtls_ssl_conf_ciphersuites(&backend->config,
598 mbedtls_ssl_list_ciphersuites());
599
600#if defined(MBEDTLS_SSL_RENEGOTIATION)
601 mbedtls_ssl_conf_renegotiation(&backend->config,
602 MBEDTLS_SSL_RENEGOTIATION_ENABLED);
603#endif
604
605#if defined(MBEDTLS_SSL_SESSION_TICKETS)
606 mbedtls_ssl_conf_session_tickets(&backend->config,
607 MBEDTLS_SSL_SESSION_TICKETS_DISABLED);
608#endif
609
610 /* Check if there's a cached ID we can/should use here! */
611 if(ssl_config->primary.sessionid) {
612 void *old_session = NULL;
613
614 Curl_ssl_sessionid_lock(data);
615 if(!Curl_ssl_getsessionid(cf, data, &old_session, NULL)) {
616 ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
617 if(ret) {
618 Curl_ssl_sessionid_unlock(data);
619 failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
620 return CURLE_SSL_CONNECT_ERROR;
621 }
622 infof(data, "mbedTLS re-using session");
623 }
624 Curl_ssl_sessionid_unlock(data);
625 }
626
627 mbedtls_ssl_conf_ca_chain(&backend->config,
628 &backend->cacert,
629#ifdef MBEDTLS_X509_CRL_PARSE_C
630 &backend->crl);
631#else
632 NULL);
633#endif
634
635 if(ssl_config->key || ssl_config->key_blob) {
636 mbedtls_ssl_conf_own_cert(&backend->config,
637 &backend->clicert, &backend->pk);
638 }
639 {
640 char *snihost = Curl_ssl_snihost(data, hostname, NULL);
641 if(!snihost || mbedtls_ssl_set_hostname(&backend->ssl, snihost)) {
642 /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
643 the name to set in the SNI extension. So even if curl connects to a
644 host specified as an IP address, this function must be used. */
645 failf(data, "Failed to set SNI");
646 return CURLE_SSL_CONNECT_ERROR;
647 }
648 }
649
650#ifdef HAS_ALPN
651 if(cf->conn->bits.tls_enable_alpn) {
652 const char **p = &backend->protocols[0];
653#ifdef USE_HTTP2
654 if(data->state.httpwant >= CURL_HTTP_VERSION_2)
655 *p++ = ALPN_H2;
656#endif
657 *p++ = ALPN_HTTP_1_1;
658 *p = NULL;
659 /* this function doesn't clone the protocols array, which is why we need
660 to keep it around */
661 if(mbedtls_ssl_conf_alpn_protocols(&backend->config,
662 &backend->protocols[0])) {
663 failf(data, "Failed setting ALPN protocols");
664 return CURLE_SSL_CONNECT_ERROR;
665 }
666 for(p = &backend->protocols[0]; *p; ++p)
667 infof(data, VTLS_INFOF_ALPN_OFFER_1STR, *p);
668 }
669#endif
670
671#ifdef MBEDTLS_DEBUG
672 /* In order to make that work in mbedtls MBEDTLS_DEBUG_C must be defined. */
673 mbedtls_ssl_conf_dbg(&backend->config, mbed_debug, data);
674 /* - 0 No debug
675 * - 1 Error
676 * - 2 State change
677 * - 3 Informational
678 * - 4 Verbose
679 */
680 mbedtls_debug_set_threshold(4);
681#endif
682
683 /* give application a chance to interfere with mbedTLS set up. */
684 if(data->set.ssl.fsslctx) {
685 ret = (*data->set.ssl.fsslctx)(data, &backend->config,
686 data->set.ssl.fsslctxp);
687 if(ret) {
688 failf(data, "error signaled by ssl ctx callback");
689 return ret;
690 }
691 }
692
693 connssl->connecting_state = ssl_connect_2;
694
695 return CURLE_OK;
696}
697
698static CURLcode
699mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
700{
701 int ret;
702 struct ssl_connect_data *connssl = cf->ctx;
703 struct ssl_backend_data *backend = connssl->backend;
704 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
705 const mbedtls_x509_crt *peercert;
706 const char * const pinnedpubkey = Curl_ssl_cf_is_proxy(cf)?
707 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]:
708 data->set.str[STRING_SSL_PINNEDPUBLICKEY];
709
710 DEBUGASSERT(backend);
711
712 ret = mbedtls_ssl_handshake(&backend->ssl);
713
714 if(ret == MBEDTLS_ERR_SSL_WANT_READ) {
715 connssl->connecting_state = ssl_connect_2_reading;
716 return CURLE_OK;
717 }
718 else if(ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
719 connssl->connecting_state = ssl_connect_2_writing;
720 return CURLE_OK;
721 }
722 else if(ret) {
723 char errorbuf[128];
724 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
725 failf(data, "ssl_handshake returned - mbedTLS: (-0x%04X) %s",
726 -ret, errorbuf);
727 return CURLE_SSL_CONNECT_ERROR;
728 }
729
730 infof(data, "mbedTLS: Handshake complete, cipher is %s",
731 mbedtls_ssl_get_ciphersuite(&backend->ssl));
732
733 ret = mbedtls_ssl_get_verify_result(&backend->ssl);
734
735 if(!conn_config->verifyhost)
736 /* Ignore hostname errors if verifyhost is disabled */
737 ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;
738
739 if(ret && conn_config->verifypeer) {
740 if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
741 failf(data, "Cert verify failed: BADCERT_EXPIRED");
742
743 else if(ret & MBEDTLS_X509_BADCERT_REVOKED)
744 failf(data, "Cert verify failed: BADCERT_REVOKED");
745
746 else if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
747 failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
748
749 else if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
750 failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
751
752 else if(ret & MBEDTLS_X509_BADCERT_FUTURE)
753 failf(data, "Cert verify failed: BADCERT_FUTURE");
754
755 return CURLE_PEER_FAILED_VERIFICATION;
756 }
757
758 peercert = mbedtls_ssl_get_peer_cert(&backend->ssl);
759
760 if(peercert && data->set.verbose) {
761 const size_t bufsize = 16384;
762 char *buffer = malloc(bufsize);
763
764 if(!buffer)
765 return CURLE_OUT_OF_MEMORY;
766
767 if(mbedtls_x509_crt_info(buffer, bufsize, "* ", peercert) > 0)
768 infof(data, "Dumping cert info: %s", buffer);
769 else
770 infof(data, "Unable to dump certificate information");
771
772 free(buffer);
773 }
774
775 if(pinnedpubkey) {
776 int size;
777 CURLcode result;
778 mbedtls_x509_crt *p = NULL;
779 unsigned char *pubkey = NULL;
780
781#if MBEDTLS_VERSION_NUMBER == 0x03000000
782 if(!peercert || !peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p) ||
783 !peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len)) {
784#else
785 if(!peercert || !peercert->raw.p || !peercert->raw.len) {
786#endif
787 failf(data, "Failed due to missing peer certificate");
788 return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
789 }
790
791 p = calloc(1, sizeof(*p));
792
793 if(!p)
794 return CURLE_OUT_OF_MEMORY;
795
796 pubkey = malloc(PUB_DER_MAX_BYTES);
797
798 if(!pubkey) {
799 result = CURLE_OUT_OF_MEMORY;
800 goto pinnedpubkey_error;
801 }
802
803 mbedtls_x509_crt_init(p);
804
805 /* Make a copy of our const peercert because mbedtls_pk_write_pubkey_der
806 needs a non-const key, for now.
807 https://github.com/ARMmbed/mbedtls/issues/396 */
808#if MBEDTLS_VERSION_NUMBER == 0x03000000
809 if(mbedtls_x509_crt_parse_der(p,
810 peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p),
811 peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len))) {
812#else
813 if(mbedtls_x509_crt_parse_der(p, peercert->raw.p, peercert->raw.len)) {
814#endif
815 failf(data, "Failed copying peer certificate");
816 result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
817 goto pinnedpubkey_error;
818 }
819
820#if MBEDTLS_VERSION_NUMBER == 0x03000000
821 size = mbedtls_pk_write_pubkey_der(&p->MBEDTLS_PRIVATE(pk), pubkey,
822 PUB_DER_MAX_BYTES);
823#else
824 size = mbedtls_pk_write_pubkey_der(&p->pk, pubkey, PUB_DER_MAX_BYTES);
825#endif
826
827 if(size <= 0) {
828 failf(data, "Failed copying public key from peer certificate");
829 result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
830 goto pinnedpubkey_error;
831 }
832
833 /* mbedtls_pk_write_pubkey_der writes data at the end of the buffer. */
834 result = Curl_pin_peer_pubkey(data,
835 pinnedpubkey,
836 &pubkey[PUB_DER_MAX_BYTES - size], size);
837 pinnedpubkey_error:
838 mbedtls_x509_crt_free(p);
839 free(p);
840 free(pubkey);
841 if(result) {
842 return result;
843 }
844 }
845
846#ifdef HAS_ALPN
847 if(cf->conn->bits.tls_enable_alpn) {
848 const char *next_protocol = mbedtls_ssl_get_alpn_protocol(&backend->ssl);
849
850 if(next_protocol) {
851 infof(data, VTLS_INFOF_ALPN_ACCEPTED_1STR, next_protocol);
852#ifdef USE_HTTP2
853 if(!strncmp(next_protocol, ALPN_H2, ALPN_H2_LENGTH) &&
854 !next_protocol[ALPN_H2_LENGTH]) {
855 cf->conn->alpn = CURL_HTTP_VERSION_2;
856 }
857 else
858#endif
859 if(!strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH) &&
860 !next_protocol[ALPN_HTTP_1_1_LENGTH]) {
861 cf->conn->alpn = CURL_HTTP_VERSION_1_1;
862 }
863 }
864 else {
865 infof(data, VTLS_INFOF_NO_ALPN);
866 }
867 Curl_multiuse_state(data, cf->conn->alpn == CURL_HTTP_VERSION_2 ?
868 BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
869 }
870#endif
871
872 connssl->connecting_state = ssl_connect_3;
873 infof(data, "SSL connected");
874
875 return CURLE_OK;
876}
877
878static CURLcode
879mbed_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
880{
881 CURLcode retcode = CURLE_OK;
882 struct ssl_connect_data *connssl = cf->ctx;
883 struct ssl_backend_data *backend = connssl->backend;
884 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
885
886 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
887 DEBUGASSERT(backend);
888
889 if(ssl_config->primary.sessionid) {
890 int ret;
891 mbedtls_ssl_session *our_ssl_sessionid;
892 void *old_ssl_sessionid = NULL;
893 bool added = FALSE;
894
895 our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
896 if(!our_ssl_sessionid)
897 return CURLE_OUT_OF_MEMORY;
898
899 mbedtls_ssl_session_init(our_ssl_sessionid);
900
901 ret = mbedtls_ssl_get_session(&backend->ssl, our_ssl_sessionid);
902 if(ret) {
903 if(ret != MBEDTLS_ERR_SSL_ALLOC_FAILED)
904 mbedtls_ssl_session_free(our_ssl_sessionid);
905 free(our_ssl_sessionid);
906 failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
907 return CURLE_SSL_CONNECT_ERROR;
908 }
909
910 /* If there's already a matching session in the cache, delete it */
911 Curl_ssl_sessionid_lock(data);
912 if(!Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL))
913 Curl_ssl_delsessionid(data, old_ssl_sessionid);
914
915 retcode = Curl_ssl_addsessionid(cf, data, our_ssl_sessionid,
916 0, &added);
917 Curl_ssl_sessionid_unlock(data);
918 if(!added) {
919 mbedtls_ssl_session_free(our_ssl_sessionid);
920 free(our_ssl_sessionid);
921 }
922 if(retcode) {
923 failf(data, "failed to store ssl session");
924 return retcode;
925 }
926 }
927
928 connssl->connecting_state = ssl_connect_done;
929
930 return CURLE_OK;
931}
932
933static ssize_t mbed_send(struct Curl_cfilter *cf, struct Curl_easy *data,
934 const void *mem, size_t len,
935 CURLcode *curlcode)
936{
937 struct ssl_connect_data *connssl = cf->ctx;
938 struct ssl_backend_data *backend = connssl->backend;
939 int ret = -1;
940
941 (void)data;
942 DEBUGASSERT(backend);
943 ret = mbedtls_ssl_write(&backend->ssl, (unsigned char *)mem, len);
944
945 if(ret < 0) {
946 *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_WRITE) ?
947 CURLE_AGAIN : CURLE_SEND_ERROR;
948 ret = -1;
949 }
950
951 return ret;
952}
953
954static void mbedtls_close_all(struct Curl_easy *data)
955{
956 (void)data;
957}
958
959static void mbedtls_close(struct Curl_cfilter *cf, struct Curl_easy *data)
960{
961 struct ssl_connect_data *connssl = cf->ctx;
962 struct ssl_backend_data *backend = connssl->backend;
963 char buf[32];
964
965 (void)data;
966 DEBUGASSERT(backend);
967
968 /* Maybe the server has already sent a close notify alert.
969 Read it to avoid an RST on the TCP connection. */
970 (void)mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf, sizeof(buf));
971
972 mbedtls_pk_free(&backend->pk);
973 mbedtls_x509_crt_free(&backend->clicert);
974 mbedtls_x509_crt_free(&backend->cacert);
975#ifdef MBEDTLS_X509_CRL_PARSE_C
976 mbedtls_x509_crl_free(&backend->crl);
977#endif
978 mbedtls_ssl_config_free(&backend->config);
979 mbedtls_ssl_free(&backend->ssl);
980 mbedtls_ctr_drbg_free(&backend->ctr_drbg);
981#ifndef THREADING_SUPPORT
982 mbedtls_entropy_free(&backend->entropy);
983#endif /* THREADING_SUPPORT */
984}
985
986static ssize_t mbed_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
987 char *buf, size_t buffersize,
988 CURLcode *curlcode)
989{
990 struct ssl_connect_data *connssl = cf->ctx;
991 struct ssl_backend_data *backend = connssl->backend;
992 int ret = -1;
993 ssize_t len = -1;
994
995 (void)data;
996 DEBUGASSERT(backend);
997
998 ret = mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf,
999 buffersize);
1000
1001 if(ret <= 0) {
1002 if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
1003 return 0;
1004
1005 *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_READ) ?
1006 CURLE_AGAIN : CURLE_RECV_ERROR;
1007 return -1;
1008 }
1009
1010 len = ret;
1011
1012 return len;
1013}
1014
1015static void mbedtls_session_free(void *ptr)
1016{
1017 mbedtls_ssl_session_free(ptr);
1018 free(ptr);
1019}
1020
1021static size_t mbedtls_version(char *buffer, size_t size)
1022{
1023#ifdef MBEDTLS_VERSION_C
1024 /* if mbedtls_version_get_number() is available it is better */
1025 unsigned int version = mbedtls_version_get_number();
1026 return msnprintf(buffer, size, "mbedTLS/%u.%u.%u", version>>24,
1027 (version>>16)&0xff, (version>>8)&0xff);
1028#else
1029 return msnprintf(buffer, size, "mbedTLS/%s", MBEDTLS_VERSION_STRING);
1030#endif
1031}
1032
1033static CURLcode mbedtls_random(struct Curl_easy *data,
1034 unsigned char *entropy, size_t length)
1035{
1036#if defined(MBEDTLS_CTR_DRBG_C)
1037 int ret = -1;
1038 char errorbuf[128];
1039 mbedtls_entropy_context ctr_entropy;
1040 mbedtls_ctr_drbg_context ctr_drbg;
1041 mbedtls_entropy_init(&ctr_entropy);
1042 mbedtls_ctr_drbg_init(&ctr_drbg);
1043
1044 ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
1045 &ctr_entropy, NULL, 0);
1046
1047 if(ret) {
1048 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
1049 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
1050 -ret, errorbuf);
1051 }
1052 else {
1053 ret = mbedtls_ctr_drbg_random(&ctr_drbg, entropy, length);
1054
1055 if(ret) {
1056 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
1057 failf(data, "mbedtls_ctr_drbg_random returned (-0x%04X) %s",
1058 -ret, errorbuf);
1059 }
1060 }
1061
1062 mbedtls_ctr_drbg_free(&ctr_drbg);
1063 mbedtls_entropy_free(&ctr_entropy);
1064
1065 return ret == 0 ? CURLE_OK : CURLE_FAILED_INIT;
1066#elif defined(MBEDTLS_HAVEGE_C)
1067 mbedtls_havege_state hs;
1068 mbedtls_havege_init(&hs);
1069 mbedtls_havege_random(&hs, entropy, length);
1070 mbedtls_havege_free(&hs);
1071 return CURLE_OK;
1072#else
1073 return CURLE_NOT_BUILT_IN;
1074#endif
1075}
1076
1077static CURLcode
1078mbed_connect_common(struct Curl_cfilter *cf, struct Curl_easy *data,
1079 bool nonblocking,
1080 bool *done)
1081{
1082 CURLcode retcode;
1083 struct ssl_connect_data *connssl = cf->ctx;
1084 curl_socket_t sockfd = cf->conn->sock[cf->sockindex];
1085 timediff_t timeout_ms;
1086 int what;
1087
1088 /* check if the connection has already been established */
1089 if(ssl_connection_complete == connssl->state) {
1090 *done = TRUE;
1091 return CURLE_OK;
1092 }
1093
1094 if(ssl_connect_1 == connssl->connecting_state) {
1095 /* Find out how much more time we're allowed */
1096 timeout_ms = Curl_timeleft(data, NULL, TRUE);
1097
1098 if(timeout_ms < 0) {
1099 /* no need to continue if time already is up */
1100 failf(data, "SSL connection timeout");
1101 return CURLE_OPERATION_TIMEDOUT;
1102 }
1103 retcode = mbed_connect_step1(cf, data);
1104 if(retcode)
1105 return retcode;
1106 }
1107
1108 while(ssl_connect_2 == connssl->connecting_state ||
1109 ssl_connect_2_reading == connssl->connecting_state ||
1110 ssl_connect_2_writing == connssl->connecting_state) {
1111
1112 /* check allowed time left */
1113 timeout_ms = Curl_timeleft(data, NULL, TRUE);
1114
1115 if(timeout_ms < 0) {
1116 /* no need to continue if time already is up */
1117 failf(data, "SSL connection timeout");
1118 return CURLE_OPERATION_TIMEDOUT;
1119 }
1120
1121 /* if ssl is expecting something, check if it's available. */
1122 if(connssl->connecting_state == ssl_connect_2_reading
1123 || connssl->connecting_state == ssl_connect_2_writing) {
1124
1125 curl_socket_t writefd = ssl_connect_2_writing ==
1126 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
1127 curl_socket_t readfd = ssl_connect_2_reading ==
1128 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
1129
1130 what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
1131 nonblocking ? 0 : timeout_ms);
1132 if(what < 0) {
1133 /* fatal error */
1134 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
1135 return CURLE_SSL_CONNECT_ERROR;
1136 }
1137 else if(0 == what) {
1138 if(nonblocking) {
1139 *done = FALSE;
1140 return CURLE_OK;
1141 }
1142 else {
1143 /* timeout */
1144 failf(data, "SSL connection timeout");
1145 return CURLE_OPERATION_TIMEDOUT;
1146 }
1147 }
1148 /* socket is readable or writable */
1149 }
1150
1151 /* Run transaction, and return to the caller if it failed or if
1152 * this connection is part of a multi handle and this loop would
1153 * execute again. This permits the owner of a multi handle to
1154 * abort a connection attempt before step2 has completed while
1155 * ensuring that a client using select() or epoll() will always
1156 * have a valid fdset to wait on.
1157 */
1158 retcode = mbed_connect_step2(cf, data);
1159 if(retcode || (nonblocking &&
1160 (ssl_connect_2 == connssl->connecting_state ||
1161 ssl_connect_2_reading == connssl->connecting_state ||
1162 ssl_connect_2_writing == connssl->connecting_state)))
1163 return retcode;
1164
1165 } /* repeat step2 until all transactions are done. */
1166
1167 if(ssl_connect_3 == connssl->connecting_state) {
1168 retcode = mbed_connect_step3(cf, data);
1169 if(retcode)
1170 return retcode;
1171 }
1172
1173 if(ssl_connect_done == connssl->connecting_state) {
1174 connssl->state = ssl_connection_complete;
1175 *done = TRUE;
1176 }
1177 else
1178 *done = FALSE;
1179
1180 /* Reset our connect state machine */
1181 connssl->connecting_state = ssl_connect_1;
1182
1183 return CURLE_OK;
1184}
1185
1186static CURLcode mbedtls_connect_nonblocking(struct Curl_cfilter *cf,
1187 struct Curl_easy *data,
1188 bool *done)
1189{
1190 return mbed_connect_common(cf, data, TRUE, done);
1191}
1192
1193
1194static CURLcode mbedtls_connect(struct Curl_cfilter *cf,
1195 struct Curl_easy *data)
1196{
1197 CURLcode retcode;
1198 bool done = FALSE;
1199
1200 retcode = mbed_connect_common(cf, data, FALSE, &done);
1201 if(retcode)
1202 return retcode;
1203
1204 DEBUGASSERT(done);
1205
1206 return CURLE_OK;
1207}
1208
1209/*
1210 * return 0 error initializing SSL
1211 * return 1 SSL initialized successfully
1212 */
1213static int mbedtls_init(void)
1214{
1215 return Curl_mbedtlsthreadlock_thread_setup();
1216}
1217
1218static void mbedtls_cleanup(void)
1219{
1220 (void)Curl_mbedtlsthreadlock_thread_cleanup();
1221}
1222
1223static bool mbedtls_data_pending(struct Curl_cfilter *cf,
1224 const struct Curl_easy *data)
1225{
1226 struct ssl_connect_data *ctx = cf->ctx;
1227
1228 (void)data;
1229 DEBUGASSERT(ctx && ctx->backend);
1230 return mbedtls_ssl_get_bytes_avail(&ctx->backend->ssl) != 0;
1231}
1232
1233static CURLcode mbedtls_sha256sum(const unsigned char *input,
1234 size_t inputlen,
1235 unsigned char *sha256sum,
1236 size_t sha256len UNUSED_PARAM)
1237{
1238 /* TODO: explain this for different mbedtls 2.x vs 3 version */
1239 (void)sha256len;
1240#if MBEDTLS_VERSION_NUMBER < 0x02070000
1241 mbedtls_sha256(input, inputlen, sha256sum, 0);
1242#else
1243 /* returns 0 on success, otherwise failure */
1244#if MBEDTLS_VERSION_NUMBER >= 0x03000000
1245 if(mbedtls_sha256(input, inputlen, sha256sum, 0) != 0)
1246#else
1247 if(mbedtls_sha256_ret(input, inputlen, sha256sum, 0) != 0)
1248#endif
1249 return CURLE_BAD_FUNCTION_ARGUMENT;
1250#endif
1251 return CURLE_OK;
1252}
1253
1254static void *mbedtls_get_internals(struct ssl_connect_data *connssl,
1255 CURLINFO info UNUSED_PARAM)
1256{
1257 struct ssl_backend_data *backend = connssl->backend;
1258 (void)info;
1259 DEBUGASSERT(backend);
1260 return &backend->ssl;
1261}
1262
1263const struct Curl_ssl Curl_ssl_mbedtls = {
1264 { CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
1265
1266 SSLSUPP_CA_PATH |
1267 SSLSUPP_CAINFO_BLOB |
1268 SSLSUPP_PINNEDPUBKEY |
1269 SSLSUPP_SSL_CTX |
1270 SSLSUPP_HTTPS_PROXY,
1271
1272 sizeof(struct ssl_backend_data),
1273
1274 mbedtls_init, /* init */
1275 mbedtls_cleanup, /* cleanup */
1276 mbedtls_version, /* version */
1277 Curl_none_check_cxn, /* check_cxn */
1278 Curl_none_shutdown, /* shutdown */
1279 mbedtls_data_pending, /* data_pending */
1280 mbedtls_random, /* random */
1281 Curl_none_cert_status_request, /* cert_status_request */
1282 mbedtls_connect, /* connect */
1283 mbedtls_connect_nonblocking, /* connect_nonblocking */
1284 Curl_ssl_get_select_socks, /* getsock */
1285 mbedtls_get_internals, /* get_internals */
1286 mbedtls_close, /* close_one */
1287 mbedtls_close_all, /* close_all */
1288 mbedtls_session_free, /* session_free */
1289 Curl_none_set_engine, /* set_engine */
1290 Curl_none_set_engine_default, /* set_engine_default */
1291 Curl_none_engines_list, /* engines_list */
1292 Curl_none_false_start, /* false_start */
1293 mbedtls_sha256sum, /* sha256sum */
1294 NULL, /* associate_connection */
1295 NULL, /* disassociate_connection */
1296 NULL, /* free_multi_ssl_backend_data */
1297 mbed_recv, /* recv decrypted data */
1298 mbed_send, /* send data to encrypt */
1299};
1300
1301#endif /* USE_MBEDTLS */
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette