VirtualBox

source: vbox/trunk/src/libs/curl-8.3.0/lib/vtls/mbedtls.c@ 101127

Last change on this file since 101127 was 101127, checked in by vboxsync, 19 months ago

curl-8.3.0: Applied and adjusted our curl changes to 8.0.1. bugref:10526
  • Property svn:eol-style set to native
File size: 38.8 KB
Line 
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
9 * Copyright (C) Hoi-Ho Chan, <[email protected]>
10 *
11 * This software is licensed as described in the file COPYING, which
12 * you should have received as part of this distribution. The terms
13 * are also available at https://curl.se/docs/copyright.html.
14 *
15 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
16 * copies of the Software, and permit persons to whom the Software is
17 * furnished to do so, under the terms of the COPYING file.
18 *
19 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20 * KIND, either express or implied.
21 *
22 * SPDX-License-Identifier: curl
23 *
24 ***************************************************************************/
25
26/*
27 * Source file for all mbedTLS-specific code for the TLS/SSL layer. No code
28 * but vtls.c should ever call or use these functions.
29 *
30 */
31
32#include "curl_setup.h"
33
34#ifdef USE_MBEDTLS
35
36/* Define this to enable lots of debugging for mbedTLS */
37/* #define MBEDTLS_DEBUG */
38
39#include <mbedtls/version.h>
40#if MBEDTLS_VERSION_NUMBER >= 0x02040000
41#include <mbedtls/net_sockets.h>
42#else
43#include <mbedtls/net.h>
44#endif
45#include <mbedtls/ssl.h>
46#include <mbedtls/x509.h>
47
48#include <mbedtls/error.h>
49#include <mbedtls/entropy.h>
50#include <mbedtls/ctr_drbg.h>
51#include <mbedtls/sha256.h>
52
53#if MBEDTLS_VERSION_MAJOR >= 2
54# ifdef MBEDTLS_DEBUG
55# include <mbedtls/debug.h>
56# endif
57#endif
58
59#include "urldata.h"
60#include "sendf.h"
61#include "inet_pton.h"
62#include "mbedtls.h"
63#include "vtls.h"
64#include "vtls_int.h"
65#include "parsedate.h"
66#include "connect.h" /* for the connect timeout */
67#include "select.h"
68#include "multiif.h"
69#include "mbedtls_threadlock.h"
70
71/* The last 3 #include files should be in this order */
72#include "curl_printf.h"
73#include "curl_memory.h"
74#include "memdebug.h"
75
76/* ALPN for http2 */
77#ifdef USE_HTTP2
78# undef HAS_ALPN
79# ifdef MBEDTLS_SSL_ALPN
80# define HAS_ALPN
81# endif
82#endif
83
84struct mbed_ssl_backend_data {
85 mbedtls_ctr_drbg_context ctr_drbg;
86 mbedtls_entropy_context entropy;
87 mbedtls_ssl_context ssl;
88 mbedtls_x509_crt cacert;
89 mbedtls_x509_crt clicert;
90#ifdef MBEDTLS_X509_CRL_PARSE_C
91 mbedtls_x509_crl crl;
92#endif
93 mbedtls_pk_context pk;
94 mbedtls_ssl_config config;
95#ifdef HAS_ALPN
96 const char *protocols[3];
97#endif
98};
99
100/* apply threading? */
101#if defined(USE_THREADS_POSIX) || defined(USE_THREADS_WIN32)
102#define THREADING_SUPPORT
103#endif
104
105#ifndef MBEDTLS_ERROR_C
106#define mbedtls_strerror(a,b,c) b[0] = 0
107#endif
108
109#if defined(THREADING_SUPPORT)
110static mbedtls_entropy_context ts_entropy;
111
112static int entropy_init_initialized = 0;
113
114/* start of entropy_init_mutex() */
115static void entropy_init_mutex(mbedtls_entropy_context *ctx)
116{
117 /* lock 0 = entropy_init_mutex() */
118 Curl_mbedtlsthreadlock_lock_function(0);
119 if(entropy_init_initialized == 0) {
120 mbedtls_entropy_init(ctx);
121 entropy_init_initialized = 1;
122 }
123 Curl_mbedtlsthreadlock_unlock_function(0);
124}
125/* end of entropy_init_mutex() */
126
127/* start of entropy_func_mutex() */
128static int entropy_func_mutex(void *data, unsigned char *output, size_t len)
129{
130 int ret;
131 /* lock 1 = entropy_func_mutex() */
132 Curl_mbedtlsthreadlock_lock_function(1);
133 ret = mbedtls_entropy_func(data, output, len);
134 Curl_mbedtlsthreadlock_unlock_function(1);
135
136 return ret;
137}
138/* end of entropy_func_mutex() */
139
140#endif /* THREADING_SUPPORT */
141
142#ifdef MBEDTLS_DEBUG
143static void mbed_debug(void *context, int level, const char *f_name,
144 int line_nb, const char *line)
145{
146 struct Curl_easy *data = NULL;
147
148 if(!context)
149 return;
150
151 data = (struct Curl_easy *)context;
152
153 infof(data, "%s", line);
154 (void) level;
155}
156#else
157#endif
158
159static int bio_cf_write(void *bio, const unsigned char *buf, size_t blen)
160{
161 struct Curl_cfilter *cf = bio;
162 struct Curl_easy *data = CF_DATA_CURRENT(cf);
163 ssize_t nwritten;
164 CURLcode result;
165
166 DEBUGASSERT(data);
167 nwritten = Curl_conn_cf_send(cf->next, data, (char *)buf, blen, &result);
168 CURL_TRC_CF(data, cf, "bio_cf_out_write(len=%zu) -> %zd, err=%d",
169 blen, nwritten, result);
170 if(nwritten < 0 && CURLE_AGAIN == result) {
171 nwritten = MBEDTLS_ERR_SSL_WANT_WRITE;
172 }
173 return (int)nwritten;
174}
175
176static int bio_cf_read(void *bio, unsigned char *buf, size_t blen)
177{
178 struct Curl_cfilter *cf = bio;
179 struct Curl_easy *data = CF_DATA_CURRENT(cf);
180 ssize_t nread;
181 CURLcode result;
182
183 DEBUGASSERT(data);
184 /* OpenSSL catches this case, so should we. */
185 if(!buf)
186 return 0;
187
188 nread = Curl_conn_cf_recv(cf->next, data, (char *)buf, blen, &result);
189 CURL_TRC_CF(data, cf, "bio_cf_in_read(len=%zu) -> %zd, err=%d",
190 blen, nread, result);
191 if(nread < 0 && CURLE_AGAIN == result) {
192 nread = MBEDTLS_ERR_SSL_WANT_READ;
193 }
194 return (int)nread;
195}
196
197/*
198 * profile
199 */
200static const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_fr =
201{
202 /* Hashes from SHA-1 and above */
203 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) |
204 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) |
205 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) |
206 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
207 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
208 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
209 0xFFFFFFF, /* Any PK alg */
210 0xFFFFFFF, /* Any curve */
211 1024, /* RSA min key len */
212};
213
214/* See https://tls.mbed.org/discussions/generic/
215 howto-determine-exact-buffer-len-for-mbedtls_pk_write_pubkey_der
216*/
217#define RSA_PUB_DER_MAX_BYTES (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
218#define ECP_PUB_DER_MAX_BYTES (30 + 2 * MBEDTLS_ECP_MAX_BYTES)
219
220#define PUB_DER_MAX_BYTES (RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
221 RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES)
222
223static CURLcode mbedtls_version_from_curl(int *mbedver, long version)
224{
225#if MBEDTLS_VERSION_NUMBER >= 0x03000000
226 switch(version) {
227 case CURL_SSLVERSION_TLSv1_0:
228 case CURL_SSLVERSION_TLSv1_1:
229 case CURL_SSLVERSION_TLSv1_2:
230 *mbedver = MBEDTLS_SSL_MINOR_VERSION_3;
231 return CURLE_OK;
232 case CURL_SSLVERSION_TLSv1_3:
233 break;
234 }
235#else
236 switch(version) {
237 case CURL_SSLVERSION_TLSv1_0:
238 *mbedver = MBEDTLS_SSL_MINOR_VERSION_1;
239 return CURLE_OK;
240 case CURL_SSLVERSION_TLSv1_1:
241 *mbedver = MBEDTLS_SSL_MINOR_VERSION_2;
242 return CURLE_OK;
243 case CURL_SSLVERSION_TLSv1_2:
244 *mbedver = MBEDTLS_SSL_MINOR_VERSION_3;
245 return CURLE_OK;
246 case CURL_SSLVERSION_TLSv1_3:
247 break;
248 }
249#endif
250
251 return CURLE_SSL_CONNECT_ERROR;
252}
253
254static CURLcode
255set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data)
256{
257 struct ssl_connect_data *connssl = cf->ctx;
258 struct mbed_ssl_backend_data *backend =
259 (struct mbed_ssl_backend_data *)connssl->backend;
260 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
261#if MBEDTLS_VERSION_NUMBER >= 0x03000000
262 int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_3;
263 int mbedtls_ver_max = MBEDTLS_SSL_MINOR_VERSION_3;
264#else
265 int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_1;
266 int mbedtls_ver_max = MBEDTLS_SSL_MINOR_VERSION_1;
267#endif
268 long ssl_version = conn_config->version;
269 long ssl_version_max = conn_config->version_max;
270 CURLcode result = CURLE_OK;
271
272 DEBUGASSERT(backend);
273
274 switch(ssl_version) {
275 case CURL_SSLVERSION_DEFAULT:
276 case CURL_SSLVERSION_TLSv1:
277 ssl_version = CURL_SSLVERSION_TLSv1_0;
278 break;
279 }
280
281 switch(ssl_version_max) {
282 case CURL_SSLVERSION_MAX_NONE:
283 case CURL_SSLVERSION_MAX_DEFAULT:
284 ssl_version_max = CURL_SSLVERSION_MAX_TLSv1_2;
285 break;
286 }
287
288 result = mbedtls_version_from_curl(&mbedtls_ver_min, ssl_version);
289 if(result) {
290 failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");
291 return result;
292 }
293 result = mbedtls_version_from_curl(&mbedtls_ver_max, ssl_version_max >> 16);
294 if(result) {
295 failf(data, "unsupported max version passed via CURLOPT_SSLVERSION");
296 return result;
297 }
298
299 mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
300 mbedtls_ver_min);
301 mbedtls_ssl_conf_max_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
302 mbedtls_ver_max);
303
304 return result;
305}
306
307static CURLcode
308mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
309{
310 struct ssl_connect_data *connssl = cf->ctx;
311 struct mbed_ssl_backend_data *backend =
312 (struct mbed_ssl_backend_data *)connssl->backend;
313 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
314 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
315 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
316 const char * const ssl_cafile =
317 /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
318 (ca_info_blob ? NULL : conn_config->CAfile);
319 const bool verifypeer = conn_config->verifypeer;
320 const char * const ssl_capath = conn_config->CApath;
321 char * const ssl_cert = ssl_config->primary.clientcert;
322 const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
323 const char * const ssl_crlfile = ssl_config->primary.CRLfile;
324 const char *hostname = connssl->hostname;
325 int ret = -1;
326 char errorbuf[128];
327
328 DEBUGASSERT(backend);
329
330 if((conn_config->version == CURL_SSLVERSION_SSLv2) ||
331 (conn_config->version == CURL_SSLVERSION_SSLv3)) {
332 failf(data, "Not supported SSL version");
333 return CURLE_NOT_BUILT_IN;
334 }
335
336#ifdef THREADING_SUPPORT
337 entropy_init_mutex(&ts_entropy);
338 mbedtls_ctr_drbg_init(&backend->ctr_drbg);
339
340 ret = mbedtls_ctr_drbg_seed(&backend->ctr_drbg, entropy_func_mutex,
341 &ts_entropy, NULL, 0);
342 if(ret) {
343 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
344 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
345 -ret, errorbuf);
346 return CURLE_FAILED_INIT;
347 }
348#else
349 mbedtls_entropy_init(&backend->entropy);
350 mbedtls_ctr_drbg_init(&backend->ctr_drbg);
351
352 ret = mbedtls_ctr_drbg_seed(&backend->ctr_drbg, mbedtls_entropy_func,
353 &backend->entropy, NULL, 0);
354 if(ret) {
355 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
356 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
357 -ret, errorbuf);
358 return CURLE_FAILED_INIT;
359 }
360#endif /* THREADING_SUPPORT */
361
362 /* Load the trusted CA */
363 mbedtls_x509_crt_init(&backend->cacert);
364
365 if(ca_info_blob && verifypeer) {
366 /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null
367 terminated even when provided the exact length, forcing us to waste
368 extra memory here. */
369 unsigned char *newblob = malloc(ca_info_blob->len + 1);
370 if(!newblob)
371 return CURLE_OUT_OF_MEMORY;
372 memcpy(newblob, ca_info_blob->data, ca_info_blob->len);
373 newblob[ca_info_blob->len] = 0; /* null terminate */
374 ret = mbedtls_x509_crt_parse(&backend->cacert, newblob,
375 ca_info_blob->len + 1);
376 free(newblob);
377 if(ret<0) {
378 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
379 failf(data, "Error importing ca cert blob - mbedTLS: (-0x%04X) %s",
380 -ret, errorbuf);
381 return CURLE_SSL_CERTPROBLEM;
382 }
383 }
384
385 if(ssl_cafile && verifypeer) {
386#ifdef MBEDTLS_FS_IO
387 ret = mbedtls_x509_crt_parse_file(&backend->cacert, ssl_cafile);
388
389 if(ret<0) {
390 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
391 failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s",
392 ssl_cafile, -ret, errorbuf);
393 return CURLE_SSL_CACERT_BADFILE;
394 }
395#else
396 failf(data, "mbedtls: functions that use the filesystem not built in");
397 return CURLE_NOT_BUILT_IN;
398#endif
399 }
400
401 if(ssl_capath) {
402#ifdef MBEDTLS_FS_IO
403 ret = mbedtls_x509_crt_parse_path(&backend->cacert, ssl_capath);
404
405 if(ret<0) {
406 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
407 failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s",
408 ssl_capath, -ret, errorbuf);
409
410 if(verifypeer)
411 return CURLE_SSL_CACERT_BADFILE;
412 }
413#else
414 failf(data, "mbedtls: functions that use the filesystem not built in");
415 return CURLE_NOT_BUILT_IN;
416#endif
417 }
418
419 /* Load the client certificate */
420 mbedtls_x509_crt_init(&backend->clicert);
421
422 if(ssl_cert) {
423#ifdef MBEDTLS_FS_IO
424 ret = mbedtls_x509_crt_parse_file(&backend->clicert, ssl_cert);
425
426 if(ret) {
427 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
428 failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s",
429 ssl_cert, -ret, errorbuf);
430
431 return CURLE_SSL_CERTPROBLEM;
432 }
433#else
434 failf(data, "mbedtls: functions that use the filesystem not built in");
435 return CURLE_NOT_BUILT_IN;
436#endif
437 }
438
439 if(ssl_cert_blob) {
440 /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null
441 terminated even when provided the exact length, forcing us to waste
442 extra memory here. */
443 unsigned char *newblob = malloc(ssl_cert_blob->len + 1);
444 if(!newblob)
445 return CURLE_OUT_OF_MEMORY;
446 memcpy(newblob, ssl_cert_blob->data, ssl_cert_blob->len);
447 newblob[ssl_cert_blob->len] = 0; /* null terminate */
448 ret = mbedtls_x509_crt_parse(&backend->clicert, newblob,
449 ssl_cert_blob->len + 1);
450 free(newblob);
451
452 if(ret) {
453 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
454 failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
455 ssl_config->key, -ret, errorbuf);
456 return CURLE_SSL_CERTPROBLEM;
457 }
458 }
459
460 /* Load the client private key */
461 mbedtls_pk_init(&backend->pk);
462
463 if(ssl_config->key || ssl_config->key_blob) {
464 if(ssl_config->key) {
465#ifdef MBEDTLS_FS_IO
466#if MBEDTLS_VERSION_NUMBER >= 0x03000000
467 ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key,
468 ssl_config->key_passwd,
469 mbedtls_ctr_drbg_random,
470 &backend->ctr_drbg);
471#else
472 ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key,
473 ssl_config->key_passwd);
474#endif
475
476 if(ret) {
477 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
478 failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
479 ssl_config->key, -ret, errorbuf);
480 return CURLE_SSL_CERTPROBLEM;
481 }
482#else
483 failf(data, "mbedtls: functions that use the filesystem not built in");
484 return CURLE_NOT_BUILT_IN;
485#endif
486 }
487 else {
488 const struct curl_blob *ssl_key_blob = ssl_config->key_blob;
489 const unsigned char *key_data =
490 (const unsigned char *)ssl_key_blob->data;
491 const char *passwd = ssl_config->key_passwd;
492#if MBEDTLS_VERSION_NUMBER >= 0x03000000
493 ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
494 (const unsigned char *)passwd,
495 passwd ? strlen(passwd) : 0,
496 mbedtls_ctr_drbg_random,
497 &backend->ctr_drbg);
498#else
499 ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len,
500 (const unsigned char *)passwd,
501 passwd ? strlen(passwd) : 0);
502#endif
503
504 if(ret) {
505 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
506 failf(data, "Error parsing private key - mbedTLS: (-0x%04X) %s",
507 -ret, errorbuf);
508 return CURLE_SSL_CERTPROBLEM;
509 }
510 }
511
512 if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) ||
513 mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY)))
514 ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
515 }
516
517 /* Load the CRL */
518#ifdef MBEDTLS_X509_CRL_PARSE_C
519 mbedtls_x509_crl_init(&backend->crl);
520
521 if(ssl_crlfile) {
522#ifdef MBEDTLS_FS_IO
523 ret = mbedtls_x509_crl_parse_file(&backend->crl, ssl_crlfile);
524
525 if(ret) {
526 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
527 failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s",
528 ssl_crlfile, -ret, errorbuf);
529
530 return CURLE_SSL_CRL_BADFILE;
531 }
532#else
533 failf(data, "mbedtls: functions that use the filesystem not built in");
534 return CURLE_NOT_BUILT_IN;
535#endif
536 }
537#else
538 if(ssl_crlfile) {
539 failf(data, "mbedtls: crl support not built in");
540 return CURLE_NOT_BUILT_IN;
541 }
542#endif
543
544 infof(data, "mbedTLS: Connecting to %s:%d", hostname, connssl->port);
545
546 mbedtls_ssl_config_init(&backend->config);
547 ret = mbedtls_ssl_config_defaults(&backend->config,
548 MBEDTLS_SSL_IS_CLIENT,
549 MBEDTLS_SSL_TRANSPORT_STREAM,
550 MBEDTLS_SSL_PRESET_DEFAULT);
551 if(ret) {
552 failf(data, "mbedTLS: ssl_config failed");
553 return CURLE_SSL_CONNECT_ERROR;
554 }
555
556 mbedtls_ssl_init(&backend->ssl);
557 if(mbedtls_ssl_setup(&backend->ssl, &backend->config)) {
558 failf(data, "mbedTLS: ssl_init failed");
559 return CURLE_SSL_CONNECT_ERROR;
560 }
561
562 /* new profile with RSA min key len = 1024 ... */
563 mbedtls_ssl_conf_cert_profile(&backend->config,
564 &mbedtls_x509_crt_profile_fr);
565
566 switch(conn_config->version) {
567 case CURL_SSLVERSION_DEFAULT:
568 case CURL_SSLVERSION_TLSv1:
569#if MBEDTLS_VERSION_NUMBER < 0x03000000
570 mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3,
571 MBEDTLS_SSL_MINOR_VERSION_1);
572 infof(data, "mbedTLS: Set min SSL version to TLS 1.0");
573 break;
574#endif
575 case CURL_SSLVERSION_TLSv1_0:
576 case CURL_SSLVERSION_TLSv1_1:
577 case CURL_SSLVERSION_TLSv1_2:
578 case CURL_SSLVERSION_TLSv1_3:
579 {
580 CURLcode result = set_ssl_version_min_max(cf, data);
581 if(result != CURLE_OK)
582 return result;
583 break;
584 }
585 default:
586 failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
587 return CURLE_SSL_CONNECT_ERROR;
588 }
589
590 mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL);
591
592 mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
593 &backend->ctr_drbg);
594 mbedtls_ssl_set_bio(&backend->ssl, cf, bio_cf_write, bio_cf_read,
595 NULL /* rev_timeout() */);
596
597 mbedtls_ssl_conf_ciphersuites(&backend->config,
598 mbedtls_ssl_list_ciphersuites());
599
600#if defined(MBEDTLS_SSL_RENEGOTIATION)
601 mbedtls_ssl_conf_renegotiation(&backend->config,
602 MBEDTLS_SSL_RENEGOTIATION_ENABLED);
603#endif
604
605#if defined(MBEDTLS_SSL_SESSION_TICKETS)
606 mbedtls_ssl_conf_session_tickets(&backend->config,
607 MBEDTLS_SSL_SESSION_TICKETS_DISABLED);
608#endif
609
610 /* Check if there's a cached ID we can/should use here! */
611 if(ssl_config->primary.sessionid) {
612 void *old_session = NULL;
613
614 Curl_ssl_sessionid_lock(data);
615 if(!Curl_ssl_getsessionid(cf, data, &old_session, NULL)) {
616 ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
617 if(ret) {
618 Curl_ssl_sessionid_unlock(data);
619 failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
620 return CURLE_SSL_CONNECT_ERROR;
621 }
622 infof(data, "mbedTLS reusing session");
623 }
624 Curl_ssl_sessionid_unlock(data);
625 }
626
627 mbedtls_ssl_conf_ca_chain(&backend->config,
628 &backend->cacert,
629#ifdef MBEDTLS_X509_CRL_PARSE_C
630 &backend->crl);
631#else
632 NULL);
633#endif
634
635 if(ssl_config->key || ssl_config->key_blob) {
636 mbedtls_ssl_conf_own_cert(&backend->config,
637 &backend->clicert, &backend->pk);
638 }
639 {
640 char *snihost = Curl_ssl_snihost(data, hostname, NULL);
641 if(!snihost || mbedtls_ssl_set_hostname(&backend->ssl, snihost)) {
642 /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks and
643 the name to set in the SNI extension. So even if curl connects to a
644 host specified as an IP address, this function must be used. */
645 failf(data, "Failed to set SNI");
646 return CURLE_SSL_CONNECT_ERROR;
647 }
648 }
649
650#ifdef HAS_ALPN
651 if(connssl->alpn) {
652 struct alpn_proto_buf proto;
653 size_t i;
654
655 for(i = 0; i < connssl->alpn->count; ++i) {
656 backend->protocols[i] = connssl->alpn->entries[i];
657 }
658 /* this function doesn't clone the protocols array, which is why we need
659 to keep it around */
660 if(mbedtls_ssl_conf_alpn_protocols(&backend->config,
661 &backend->protocols[0])) {
662 failf(data, "Failed setting ALPN protocols");
663 return CURLE_SSL_CONNECT_ERROR;
664 }
665 Curl_alpn_to_proto_str(&proto, connssl->alpn);
666 infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
667 }
668#endif
669
670#ifdef MBEDTLS_DEBUG
671 /* In order to make that work in mbedtls MBEDTLS_DEBUG_C must be defined. */
672 mbedtls_ssl_conf_dbg(&backend->config, mbed_debug, data);
673 /* - 0 No debug
674 * - 1 Error
675 * - 2 State change
676 * - 3 Informational
677 * - 4 Verbose
678 */
679 mbedtls_debug_set_threshold(4);
680#endif
681
682 /* give application a chance to interfere with mbedTLS set up. */
683 if(data->set.ssl.fsslctx) {
684 ret = (*data->set.ssl.fsslctx)(data, &backend->config,
685 data->set.ssl.fsslctxp);
686 if(ret) {
687 failf(data, "error signaled by ssl ctx callback");
688 return ret;
689 }
690 }
691
692 connssl->connecting_state = ssl_connect_2;
693
694 return CURLE_OK;
695}
696
697static CURLcode
698mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
699{
700 int ret;
701 struct ssl_connect_data *connssl = cf->ctx;
702 struct mbed_ssl_backend_data *backend =
703 (struct mbed_ssl_backend_data *)connssl->backend;
704 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
705 const mbedtls_x509_crt *peercert;
706 const char * const pinnedpubkey = Curl_ssl_cf_is_proxy(cf)?
707 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]:
708 data->set.str[STRING_SSL_PINNEDPUBLICKEY];
709
710 DEBUGASSERT(backend);
711
712 ret = mbedtls_ssl_handshake(&backend->ssl);
713
714 if(ret == MBEDTLS_ERR_SSL_WANT_READ) {
715 connssl->connecting_state = ssl_connect_2_reading;
716 return CURLE_OK;
717 }
718 else if(ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
719 connssl->connecting_state = ssl_connect_2_writing;
720 return CURLE_OK;
721 }
722 else if(ret) {
723 char errorbuf[128];
724 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
725 failf(data, "ssl_handshake returned - mbedTLS: (-0x%04X) %s",
726 -ret, errorbuf);
727 return CURLE_SSL_CONNECT_ERROR;
728 }
729
730 infof(data, "mbedTLS: Handshake complete, cipher is %s",
731 mbedtls_ssl_get_ciphersuite(&backend->ssl));
732
733 ret = mbedtls_ssl_get_verify_result(&backend->ssl);
734
735 if(!conn_config->verifyhost)
736 /* Ignore hostname errors if verifyhost is disabled */
737 ret &= ~MBEDTLS_X509_BADCERT_CN_MISMATCH;
738
739 if(ret && conn_config->verifypeer) {
740 if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
741 failf(data, "Cert verify failed: BADCERT_EXPIRED");
742
743 else if(ret & MBEDTLS_X509_BADCERT_REVOKED)
744 failf(data, "Cert verify failed: BADCERT_REVOKED");
745
746 else if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
747 failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
748
749 else if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
750 failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
751
752 else if(ret & MBEDTLS_X509_BADCERT_FUTURE)
753 failf(data, "Cert verify failed: BADCERT_FUTURE");
754
755 return CURLE_PEER_FAILED_VERIFICATION;
756 }
757
758 peercert = mbedtls_ssl_get_peer_cert(&backend->ssl);
759
760 if(peercert && data->set.verbose) {
761 const size_t bufsize = 16384;
762 char *buffer = malloc(bufsize);
763
764 if(!buffer)
765 return CURLE_OUT_OF_MEMORY;
766
767 if(mbedtls_x509_crt_info(buffer, bufsize, "* ", peercert) > 0)
768 infof(data, "Dumping cert info: %s", buffer);
769 else
770 infof(data, "Unable to dump certificate information");
771
772 free(buffer);
773 }
774
775 if(pinnedpubkey) {
776 int size;
777 CURLcode result;
778 mbedtls_x509_crt *p = NULL;
779 unsigned char *pubkey = NULL;
780
781#if MBEDTLS_VERSION_NUMBER == 0x03000000
782 if(!peercert || !peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p) ||
783 !peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len)) {
784#else
785 if(!peercert || !peercert->raw.p || !peercert->raw.len) {
786#endif
787 failf(data, "Failed due to missing peer certificate");
788 return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
789 }
790
791 p = calloc(1, sizeof(*p));
792
793 if(!p)
794 return CURLE_OUT_OF_MEMORY;
795
796 pubkey = malloc(PUB_DER_MAX_BYTES);
797
798 if(!pubkey) {
799 result = CURLE_OUT_OF_MEMORY;
800 goto pinnedpubkey_error;
801 }
802
803 mbedtls_x509_crt_init(p);
804
805 /* Make a copy of our const peercert because mbedtls_pk_write_pubkey_der
806 needs a non-const key, for now.
807 https://github.com/ARMmbed/mbedtls/issues/396 */
808#if MBEDTLS_VERSION_NUMBER == 0x03000000
809 if(mbedtls_x509_crt_parse_der(p,
810 peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p),
811 peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len))) {
812#else
813 if(mbedtls_x509_crt_parse_der(p, peercert->raw.p, peercert->raw.len)) {
814#endif
815 failf(data, "Failed copying peer certificate");
816 result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
817 goto pinnedpubkey_error;
818 }
819
820#if MBEDTLS_VERSION_NUMBER == 0x03000000
821 size = mbedtls_pk_write_pubkey_der(&p->MBEDTLS_PRIVATE(pk), pubkey,
822 PUB_DER_MAX_BYTES);
823#else
824 size = mbedtls_pk_write_pubkey_der(&p->pk, pubkey, PUB_DER_MAX_BYTES);
825#endif
826
827 if(size <= 0) {
828 failf(data, "Failed copying public key from peer certificate");
829 result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
830 goto pinnedpubkey_error;
831 }
832
833 /* mbedtls_pk_write_pubkey_der writes data at the end of the buffer. */
834 result = Curl_pin_peer_pubkey(data,
835 pinnedpubkey,
836 &pubkey[PUB_DER_MAX_BYTES - size], size);
837pinnedpubkey_error:
838 mbedtls_x509_crt_free(p);
839 free(p);
840 free(pubkey);
841 if(result) {
842 return result;
843 }
844 }
845
846#ifdef HAS_ALPN
847 if(connssl->alpn) {
848 const char *proto = mbedtls_ssl_get_alpn_protocol(&backend->ssl);
849
850 Curl_alpn_set_negotiated(cf, data, (const unsigned char *)proto,
851 proto? strlen(proto) : 0);
852 }
853#endif
854
855 connssl->connecting_state = ssl_connect_3;
856 infof(data, "SSL connected");
857
858 return CURLE_OK;
859}
860
861static CURLcode
862mbed_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
863{
864 CURLcode retcode = CURLE_OK;
865 struct ssl_connect_data *connssl = cf->ctx;
866 struct mbed_ssl_backend_data *backend =
867 (struct mbed_ssl_backend_data *)connssl->backend;
868 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
869
870 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
871 DEBUGASSERT(backend);
872
873 if(ssl_config->primary.sessionid) {
874 int ret;
875 mbedtls_ssl_session *our_ssl_sessionid;
876 void *old_ssl_sessionid = NULL;
877 bool added = FALSE;
878
879 our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
880 if(!our_ssl_sessionid)
881 return CURLE_OUT_OF_MEMORY;
882
883 mbedtls_ssl_session_init(our_ssl_sessionid);
884
885 ret = mbedtls_ssl_get_session(&backend->ssl, our_ssl_sessionid);
886 if(ret) {
887 if(ret != MBEDTLS_ERR_SSL_ALLOC_FAILED)
888 mbedtls_ssl_session_free(our_ssl_sessionid);
889 free(our_ssl_sessionid);
890 failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
891 return CURLE_SSL_CONNECT_ERROR;
892 }
893
894 /* If there's already a matching session in the cache, delete it */
895 Curl_ssl_sessionid_lock(data);
896 if(!Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL))
897 Curl_ssl_delsessionid(data, old_ssl_sessionid);
898
899 retcode = Curl_ssl_addsessionid(cf, data, our_ssl_sessionid,
900 0, &added);
901 Curl_ssl_sessionid_unlock(data);
902 if(!added) {
903 mbedtls_ssl_session_free(our_ssl_sessionid);
904 free(our_ssl_sessionid);
905 }
906 if(retcode) {
907 failf(data, "failed to store ssl session");
908 return retcode;
909 }
910 }
911
912 connssl->connecting_state = ssl_connect_done;
913
914 return CURLE_OK;
915}
916
917static ssize_t mbed_send(struct Curl_cfilter *cf, struct Curl_easy *data,
918 const void *mem, size_t len,
919 CURLcode *curlcode)
920{
921 struct ssl_connect_data *connssl = cf->ctx;
922 struct mbed_ssl_backend_data *backend =
923 (struct mbed_ssl_backend_data *)connssl->backend;
924 int ret = -1;
925
926 (void)data;
927 DEBUGASSERT(backend);
928 ret = mbedtls_ssl_write(&backend->ssl, (unsigned char *)mem, len);
929
930 if(ret < 0) {
931 *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_WRITE) ?
932 CURLE_AGAIN : CURLE_SEND_ERROR;
933 ret = -1;
934 }
935
936 return ret;
937}
938
939static void mbedtls_close_all(struct Curl_easy *data)
940{
941 (void)data;
942}
943
944static void mbedtls_close(struct Curl_cfilter *cf, struct Curl_easy *data)
945{
946 struct ssl_connect_data *connssl = cf->ctx;
947 struct mbed_ssl_backend_data *backend =
948 (struct mbed_ssl_backend_data *)connssl->backend;
949 char buf[32];
950
951 (void)data;
952 DEBUGASSERT(backend);
953
954 /* Maybe the server has already sent a close notify alert.
955 Read it to avoid an RST on the TCP connection. */
956 (void)mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf, sizeof(buf));
957
958 mbedtls_pk_free(&backend->pk);
959 mbedtls_x509_crt_free(&backend->clicert);
960 mbedtls_x509_crt_free(&backend->cacert);
961#ifdef MBEDTLS_X509_CRL_PARSE_C
962 mbedtls_x509_crl_free(&backend->crl);
963#endif
964 mbedtls_ssl_config_free(&backend->config);
965 mbedtls_ssl_free(&backend->ssl);
966 mbedtls_ctr_drbg_free(&backend->ctr_drbg);
967#ifndef THREADING_SUPPORT
968 mbedtls_entropy_free(&backend->entropy);
969#endif /* THREADING_SUPPORT */
970}
971
972static ssize_t mbed_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
973 char *buf, size_t buffersize,
974 CURLcode *curlcode)
975{
976 struct ssl_connect_data *connssl = cf->ctx;
977 struct mbed_ssl_backend_data *backend =
978 (struct mbed_ssl_backend_data *)connssl->backend;
979 int ret = -1;
980 ssize_t len = -1;
981
982 (void)data;
983 DEBUGASSERT(backend);
984
985 ret = mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf,
986 buffersize);
987
988 if(ret <= 0) {
989 if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
990 return 0;
991
992 *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_READ) ?
993 CURLE_AGAIN : CURLE_RECV_ERROR;
994 return -1;
995 }
996
997 len = ret;
998
999 return len;
1000}
1001
1002static void mbedtls_session_free(void *ptr)
1003{
1004 mbedtls_ssl_session_free(ptr);
1005 free(ptr);
1006}
1007
1008static size_t mbedtls_version(char *buffer, size_t size)
1009{
1010#ifdef MBEDTLS_VERSION_C
1011 /* if mbedtls_version_get_number() is available it is better */
1012 unsigned int version = mbedtls_version_get_number();
1013 return msnprintf(buffer, size, "mbedTLS/%u.%u.%u", version>>24,
1014 (version>>16)&0xff, (version>>8)&0xff);
1015#else
1016 return msnprintf(buffer, size, "mbedTLS/%s", MBEDTLS_VERSION_STRING);
1017#endif
1018}
1019
1020static CURLcode mbedtls_random(struct Curl_easy *data,
1021 unsigned char *entropy, size_t length)
1022{
1023#if defined(MBEDTLS_CTR_DRBG_C)
1024 int ret = -1;
1025 char errorbuf[128];
1026 mbedtls_entropy_context ctr_entropy;
1027 mbedtls_ctr_drbg_context ctr_drbg;
1028 mbedtls_entropy_init(&ctr_entropy);
1029 mbedtls_ctr_drbg_init(&ctr_drbg);
1030
1031 ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
1032 &ctr_entropy, NULL, 0);
1033
1034 if(ret) {
1035 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
1036 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
1037 -ret, errorbuf);
1038 }
1039 else {
1040 ret = mbedtls_ctr_drbg_random(&ctr_drbg, entropy, length);
1041
1042 if(ret) {
1043 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
1044 failf(data, "mbedtls_ctr_drbg_random returned (-0x%04X) %s",
1045 -ret, errorbuf);
1046 }
1047 }
1048
1049 mbedtls_ctr_drbg_free(&ctr_drbg);
1050 mbedtls_entropy_free(&ctr_entropy);
1051
1052 return ret == 0 ? CURLE_OK : CURLE_FAILED_INIT;
1053#elif defined(MBEDTLS_HAVEGE_C)
1054 mbedtls_havege_state hs;
1055 mbedtls_havege_init(&hs);
1056 mbedtls_havege_random(&hs, entropy, length);
1057 mbedtls_havege_free(&hs);
1058 return CURLE_OK;
1059#else
1060 return CURLE_NOT_BUILT_IN;
1061#endif
1062}
1063
1064static CURLcode
1065mbed_connect_common(struct Curl_cfilter *cf, struct Curl_easy *data,
1066 bool nonblocking,
1067 bool *done)
1068{
1069 CURLcode retcode;
1070 struct ssl_connect_data *connssl = cf->ctx;
1071 curl_socket_t sockfd = Curl_conn_cf_get_socket(cf, data);
1072 timediff_t timeout_ms;
1073 int what;
1074
1075 /* check if the connection has already been established */
1076 if(ssl_connection_complete == connssl->state) {
1077 *done = TRUE;
1078 return CURLE_OK;
1079 }
1080
1081 if(ssl_connect_1 == connssl->connecting_state) {
1082 /* Find out how much more time we're allowed */
1083 timeout_ms = Curl_timeleft(data, NULL, TRUE);
1084
1085 if(timeout_ms < 0) {
1086 /* no need to continue if time already is up */
1087 failf(data, "SSL connection timeout");
1088 return CURLE_OPERATION_TIMEDOUT;
1089 }
1090 retcode = mbed_connect_step1(cf, data);
1091 if(retcode)
1092 return retcode;
1093 }
1094
1095 while(ssl_connect_2 == connssl->connecting_state ||
1096 ssl_connect_2_reading == connssl->connecting_state ||
1097 ssl_connect_2_writing == connssl->connecting_state) {
1098
1099 /* check allowed time left */
1100 timeout_ms = Curl_timeleft(data, NULL, TRUE);
1101
1102 if(timeout_ms < 0) {
1103 /* no need to continue if time already is up */
1104 failf(data, "SSL connection timeout");
1105 return CURLE_OPERATION_TIMEDOUT;
1106 }
1107
1108 /* if ssl is expecting something, check if it's available. */
1109 if(connssl->connecting_state == ssl_connect_2_reading
1110 || connssl->connecting_state == ssl_connect_2_writing) {
1111
1112 curl_socket_t writefd = ssl_connect_2_writing ==
1113 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
1114 curl_socket_t readfd = ssl_connect_2_reading ==
1115 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
1116
1117 what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
1118 nonblocking ? 0 : timeout_ms);
1119 if(what < 0) {
1120 /* fatal error */
1121 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
1122 return CURLE_SSL_CONNECT_ERROR;
1123 }
1124 else if(0 == what) {
1125 if(nonblocking) {
1126 *done = FALSE;
1127 return CURLE_OK;
1128 }
1129 else {
1130 /* timeout */
1131 failf(data, "SSL connection timeout");
1132 return CURLE_OPERATION_TIMEDOUT;
1133 }
1134 }
1135 /* socket is readable or writable */
1136 }
1137
1138 /* Run transaction, and return to the caller if it failed or if
1139 * this connection is part of a multi handle and this loop would
1140 * execute again. This permits the owner of a multi handle to
1141 * abort a connection attempt before step2 has completed while
1142 * ensuring that a client using select() or epoll() will always
1143 * have a valid fdset to wait on.
1144 */
1145 retcode = mbed_connect_step2(cf, data);
1146 if(retcode || (nonblocking &&
1147 (ssl_connect_2 == connssl->connecting_state ||
1148 ssl_connect_2_reading == connssl->connecting_state ||
1149 ssl_connect_2_writing == connssl->connecting_state)))
1150 return retcode;
1151
1152 } /* repeat step2 until all transactions are done. */
1153
1154 if(ssl_connect_3 == connssl->connecting_state) {
1155 retcode = mbed_connect_step3(cf, data);
1156 if(retcode)
1157 return retcode;
1158 }
1159
1160 if(ssl_connect_done == connssl->connecting_state) {
1161 connssl->state = ssl_connection_complete;
1162 *done = TRUE;
1163 }
1164 else
1165 *done = FALSE;
1166
1167 /* Reset our connect state machine */
1168 connssl->connecting_state = ssl_connect_1;
1169
1170 return CURLE_OK;
1171}
1172
1173static CURLcode mbedtls_connect_nonblocking(struct Curl_cfilter *cf,
1174 struct Curl_easy *data,
1175 bool *done)
1176{
1177 return mbed_connect_common(cf, data, TRUE, done);
1178}
1179
1180
1181static CURLcode mbedtls_connect(struct Curl_cfilter *cf,
1182 struct Curl_easy *data)
1183{
1184 CURLcode retcode;
1185 bool done = FALSE;
1186
1187 retcode = mbed_connect_common(cf, data, FALSE, &done);
1188 if(retcode)
1189 return retcode;
1190
1191 DEBUGASSERT(done);
1192
1193 return CURLE_OK;
1194}
1195
1196/*
1197 * return 0 error initializing SSL
1198 * return 1 SSL initialized successfully
1199 */
1200static int mbedtls_init(void)
1201{
1202 return Curl_mbedtlsthreadlock_thread_setup();
1203}
1204
1205static void mbedtls_cleanup(void)
1206{
1207 (void)Curl_mbedtlsthreadlock_thread_cleanup();
1208}
1209
1210static bool mbedtls_data_pending(struct Curl_cfilter *cf,
1211 const struct Curl_easy *data)
1212{
1213 struct ssl_connect_data *ctx = cf->ctx;
1214 struct mbed_ssl_backend_data *backend;
1215
1216 (void)data;
1217 DEBUGASSERT(ctx && ctx->backend);
1218 backend = (struct mbed_ssl_backend_data *)ctx->backend;
1219 return mbedtls_ssl_get_bytes_avail(&backend->ssl) != 0;
1220}
1221
1222static CURLcode mbedtls_sha256sum(const unsigned char *input,
1223 size_t inputlen,
1224 unsigned char *sha256sum,
1225 size_t sha256len UNUSED_PARAM)
1226{
1227 /* TODO: explain this for different mbedtls 2.x vs 3 version */
1228 (void)sha256len;
1229#if MBEDTLS_VERSION_NUMBER < 0x02070000
1230 mbedtls_sha256(input, inputlen, sha256sum, 0);
1231#else
1232 /* returns 0 on success, otherwise failure */
1233#if MBEDTLS_VERSION_NUMBER >= 0x03000000
1234 if(mbedtls_sha256(input, inputlen, sha256sum, 0) != 0)
1235#else
1236 if(mbedtls_sha256_ret(input, inputlen, sha256sum, 0) != 0)
1237#endif
1238 return CURLE_BAD_FUNCTION_ARGUMENT;
1239#endif
1240 return CURLE_OK;
1241}
1242
1243static void *mbedtls_get_internals(struct ssl_connect_data *connssl,
1244 CURLINFO info UNUSED_PARAM)
1245{
1246 struct mbed_ssl_backend_data *backend =
1247 (struct mbed_ssl_backend_data *)connssl->backend;
1248 (void)info;
1249 DEBUGASSERT(backend);
1250 return &backend->ssl;
1251}
1252
1253const struct Curl_ssl Curl_ssl_mbedtls = {
1254 { CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
1255
1256 SSLSUPP_CA_PATH |
1257 SSLSUPP_CAINFO_BLOB |
1258 SSLSUPP_PINNEDPUBKEY |
1259 SSLSUPP_SSL_CTX |
1260 SSLSUPP_HTTPS_PROXY,
1261
1262 sizeof(struct mbed_ssl_backend_data),
1263
1264 mbedtls_init, /* init */
1265 mbedtls_cleanup, /* cleanup */
1266 mbedtls_version, /* version */
1267 Curl_none_check_cxn, /* check_cxn */
1268 Curl_none_shutdown, /* shutdown */
1269 mbedtls_data_pending, /* data_pending */
1270 mbedtls_random, /* random */
1271 Curl_none_cert_status_request, /* cert_status_request */
1272 mbedtls_connect, /* connect */
1273 mbedtls_connect_nonblocking, /* connect_nonblocking */
1274 Curl_ssl_get_select_socks, /* getsock */
1275 mbedtls_get_internals, /* get_internals */
1276 mbedtls_close, /* close_one */
1277 mbedtls_close_all, /* close_all */
1278 mbedtls_session_free, /* session_free */
1279 Curl_none_set_engine, /* set_engine */
1280 Curl_none_set_engine_default, /* set_engine_default */
1281 Curl_none_engines_list, /* engines_list */
1282 Curl_none_false_start, /* false_start */
1283 mbedtls_sha256sum, /* sha256sum */
1284 NULL, /* associate_connection */
1285 NULL, /* disassociate_connection */
1286 NULL, /* free_multi_ssl_backend_data */
1287 mbed_recv, /* recv decrypted data */
1288 mbed_send, /* send data to encrypt */
1289};
1290
1291#endif /* USE_MBEDTLS */
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette