authordartraiden <wowemuh@gmail.com>2021-02-07 18:49:47 +0300
committerdartraiden <wowemuh@gmail.com>2021-02-07 18:49:47 +0300
commit2f0eaffffe7e5d3ac074797f880480494dbcc6f3 (patch)
tree161fa6a6df8387d618530a684de9f61f58640596 /libs/libcurl/src/vtls/openssl.c
parent061f5621d3f64835c376a7781af86a5e5ee1145c (diff)
libcurl: update to 7.75.0
Diffstat (limited to 'libs/libcurl/src/vtls/openssl.c')
-rw-r--r--libs/libcurl/src/vtls/openssl.c313
1 files changed, 160 insertions, 153 deletions
diff --git a/libs/libcurl/src/vtls/openssl.c b/libs/libcurl/src/vtls/openssl.c
index e9c535f8f4..784d9f70e0 100644
--- a/libs/libcurl/src/vtls/openssl.c
+++ b/libs/libcurl/src/vtls/openssl.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -362,6 +362,18 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size)
return buf;
}
+/* Return an extra data index for the transfer data.
+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
+ */
+static int ossl_get_ssl_data_index(void)
+{
+ static int ssl_ex_data_data_index = -1;
+ if(ssl_ex_data_data_index < 0) {
+ ssl_ex_data_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ }
+ return ssl_ex_data_data_index;
+}
+
/* Return an extra data index for the connection data.
* This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
*/
@@ -410,7 +422,7 @@ static bool rand_enough(void)
return (0 != RAND_status()) ? TRUE : FALSE;
}
-static CURLcode Curl_ossl_seed(struct Curl_easy *data)
+static CURLcode ossl_seed(struct Curl_easy *data)
{
/* we have the "SSL is seeded" boolean static to prevent multiple
time-consuming seedings in vain */
@@ -572,8 +584,7 @@ static bool is_pkcs11_uri(const char *string)
#endif
-static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
- const char *engine);
+static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine);
static int
SSL_CTX_use_certificate_bio(SSL_CTX *ctx, BIO *in, int type,
@@ -700,7 +711,7 @@ SSL_CTX_use_certificate_chain_bio(SSL_CTX *ctx, BIO* in,
}
static
-int cert_stuff(struct connectdata *conn,
+int cert_stuff(struct Curl_easy *data,
SSL_CTX* ctx,
char *cert_file,
BIO *cert_bio,
@@ -710,7 +721,6 @@ int cert_stuff(struct connectdata *conn,
const char *key_type,
char *key_passwd)
{
- struct Curl_easy *data = conn->data;
char error_buffer[256];
bool check_privkey = TRUE;
@@ -773,7 +783,7 @@ int cert_stuff(struct connectdata *conn,
* cert_file is a PKCS#11 URI */
if(!data->state.engine) {
if(is_pkcs11_uri(cert_file)) {
- if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
+ if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
return 0;
}
}
@@ -972,7 +982,7 @@ int cert_stuff(struct connectdata *conn,
* key_file is a PKCS#11 URI */
if(!data->state.engine) {
if(is_pkcs11_uri(key_file)) {
- if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
+ if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
return 0;
}
}
@@ -1113,7 +1123,7 @@ static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
* @retval 0 error initializing SSL
* @retval 1 SSL initialized successfully
*/
-static int Curl_ossl_init(void)
+static int ossl_init(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!defined(LIBRESSL_VERSION_NUMBER)
@@ -1161,14 +1171,15 @@ static int Curl_ossl_init(void)
Curl_tls_keylog_open();
/* Initialize the extra data indexes */
- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
+ if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
+ ossl_get_ssl_sockindex_index() < 0)
return 0;
return 1;
}
/* Global cleanup */
-static void Curl_ossl_cleanup(void)
+static void ossl_cleanup(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!defined(LIBRESSL_VERSION_NUMBER)
@@ -1212,7 +1223,7 @@ static void Curl_ossl_cleanup(void)
* 0 means the connection has been closed
* -1 means the connection status is unknown
*/
-static int Curl_ossl_check_cxn(struct connectdata *conn)
+static int ossl_check_cxn(struct connectdata *conn)
{
/* SSL_peek takes data out of the raw recv buffer without peeking so we use
recv MSG_PEEK instead. Bug #795 */
@@ -1258,8 +1269,7 @@ static int Curl_ossl_check_cxn(struct connectdata *conn)
/* Selects an OpenSSL crypto engine
*/
-static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
- const char *engine)
+static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
{
#ifdef USE_OPENSSL_ENGINE
ENGINE *e;
@@ -1289,7 +1299,7 @@ static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
char buf[256];
ENGINE_free(e);
- failf(data, "Failed to initialise SSL Engine '%s':\n%s",
+ failf(data, "Failed to initialise SSL Engine '%s': %s",
engine, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
return CURLE_SSL_ENGINE_INITFAILED;
}
@@ -1304,7 +1314,7 @@ static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
/* Sets engine as default for all SSL operations
*/
-static CURLcode Curl_ossl_set_engine_default(struct Curl_easy *data)
+static CURLcode ossl_set_engine_default(struct Curl_easy *data)
{
#ifdef USE_OPENSSL_ENGINE
if(data->state.engine) {
@@ -1326,7 +1336,7 @@ static CURLcode Curl_ossl_set_engine_default(struct Curl_easy *data)
/* Return list of OpenSSL crypto engine names.
*/
-static struct curl_slist *Curl_ossl_engines_list(struct Curl_easy *data)
+static struct curl_slist *ossl_engines_list(struct Curl_easy *data)
{
struct curl_slist *list = NULL;
#ifdef USE_OPENSSL_ENGINE
@@ -1346,7 +1356,7 @@ static struct curl_slist *Curl_ossl_engines_list(struct Curl_easy *data)
return list;
}
-static void ossl_close(struct ssl_connect_data *connssl)
+static void ossl_closeone(struct ssl_connect_data *connssl)
{
struct ssl_backend_data *backend = connssl->backend;
if(backend->handle) {
@@ -1365,11 +1375,13 @@ static void ossl_close(struct ssl_connect_data *connssl)
/*
* This function is called when an SSL connection is closed.
*/
-static void Curl_ossl_close(struct connectdata *conn, int sockindex)
+static void ossl_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
- ossl_close(&conn->ssl[sockindex]);
+ (void) data;
+ ossl_closeone(&conn->ssl[sockindex]);
#ifndef CURL_DISABLE_PROXY
- ossl_close(&conn->proxy_ssl[sockindex]);
+ ossl_closeone(&conn->proxy_ssl[sockindex]);
#endif
}
@@ -1377,11 +1389,11 @@ static void Curl_ossl_close(struct connectdata *conn, int sockindex)
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
-static int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
+static int ossl_shutdown(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
- struct Curl_easy *data = conn->data;
char buf[256]; /* We will use this for the OpenSSL error buffer, so it has
to be at least 256 bytes long. */
unsigned long sslerror;
@@ -1433,7 +1445,7 @@ static int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
default:
/* openssl/ssl.h says "look at error stack/return value/errno" */
sslerror = ERR_get_error();
- failf(conn->data, OSSL_PACKAGE " SSL_read on shutdown: %s, errno %d",
+ failf(data, OSSL_PACKAGE " SSL_read on shutdown: %s, errno %d",
(sslerror ?
ossl_strerror(sslerror, buf, sizeof(buf)) :
SSL_ERROR_to_str(err)),
@@ -1478,7 +1490,7 @@ static int Curl_ossl_shutdown(struct connectdata *conn, int sockindex)
return retval;
}
-static void Curl_ossl_session_free(void *ptr)
+static void ossl_session_free(void *ptr)
{
/* free the ID */
SSL_SESSION_free(ptr);
@@ -1488,7 +1500,7 @@ static void Curl_ossl_session_free(void *ptr)
* This function is called when the 'data' struct is going away. Close
* down everything and free all resources!
*/
-static void Curl_ossl_close_all(struct Curl_easy *data)
+static void ossl_close_all(struct Curl_easy *data)
{
#ifdef USE_OPENSSL_ENGINE
if(data->state.engine) {
@@ -1582,12 +1594,12 @@ static bool subj_alt_hostcheck(struct Curl_easy *data,
in the certificate and must exactly match the IP in the URI.
*/
-static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
+static CURLcode verifyhost(struct Curl_easy *data, struct connectdata *conn,
+ X509 *server_cert)
{
bool matched = FALSE;
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
size_t addrlen = 0;
- struct Curl_easy *data = conn->data;
STACK_OF(GENERAL_NAME) *altnames;
#ifdef ENABLE_IPV6
struct in6_addr addr;
@@ -1782,14 +1794,13 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
-static CURLcode verifystatus(struct connectdata *conn,
+static CURLcode verifystatus(struct Curl_easy *data,
struct ssl_connect_data *connssl)
{
int i, ocsp_status;
unsigned char *status;
const unsigned char *p;
CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
OCSP_RESPONSE *rsp = NULL;
OCSP_BASICRESP *br = NULL;
X509_STORE *st = NULL;
@@ -1871,7 +1882,7 @@ static CURLcode verifystatus(struct connectdata *conn,
/* Compute the certificate's ID */
cert = SSL_get_peer_certificate(backend->handle);
if(!cert) {
- failf(data, "Error getting peer certficate");
+ failf(data, "Error getting peer certificate");
result = CURLE_SSL_INVALIDCERTSTATUS;
goto end;
}
@@ -2206,15 +2217,15 @@ select_next_proto_cb(SSL *ssl,
const unsigned char *in, unsigned int inlen,
void *arg)
{
- struct connectdata *conn = (struct connectdata*) arg;
-
+ struct Curl_easy *data = (struct Curl_easy *)arg;
+ struct connectdata *conn = data->conn;
(void)ssl;
#ifdef USE_NGHTTP2
- if(conn->data->set.httpversion >= CURL_HTTP_VERSION_2 &&
+ if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
!select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_VERSION_ID,
NGHTTP2_PROTO_VERSION_ID_LEN)) {
- infof(conn->data, "NPN, negotiated HTTP2 (%s)\n",
+ infof(data, "NPN, negotiated HTTP2 (%s)\n",
NGHTTP2_PROTO_VERSION_ID);
conn->negnpn = CURL_HTTP_VERSION_2;
return SSL_TLSEXT_ERR_OK;
@@ -2223,12 +2234,12 @@ select_next_proto_cb(SSL *ssl,
if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1,
ALPN_HTTP_1_1_LENGTH)) {
- infof(conn->data, "NPN, negotiated HTTP1.1\n");
+ infof(data, "NPN, negotiated HTTP1.1\n");
conn->negnpn = CURL_HTTP_VERSION_1_1;
return SSL_TLSEXT_ERR_OK;
}
- infof(conn->data, "NPN, no overlap, use HTTP1.1\n");
+ infof(data, "NPN, no overlap, use HTTP1.1\n");
*out = (unsigned char *)ALPN_HTTP_1_1;
*outlen = ALPN_HTTP_1_1_LENGTH;
conn->negnpn = CURL_HTTP_VERSION_1_1;
@@ -2359,16 +2370,14 @@ typedef long ctx_option_t;
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */
static CURLcode
set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
- struct connectdata *conn, int sockindex)
+ struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
-#if (OPENSSL_VERSION_NUMBER < 0x1000100FL) || !defined(TLS1_3_VERSION)
- /* convoluted #if condition just to avoid compiler warnings on unused
- variable */
- struct Curl_easy *data = conn->data;
-#endif
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
+ (void) data; /* In case it's unused. */
+
switch(ssl_version) {
case CURL_SSLVERSION_TLSv1_3:
#ifdef TLS1_3_VERSION
@@ -2443,17 +2452,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
struct Curl_easy *data;
int sockindex;
curl_socket_t *sockindex_ptr;
+ int data_idx = ossl_get_ssl_data_index();
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
- if(connectdata_idx < 0 || sockindex_idx < 0)
+ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
return 0;
conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
if(!conn)
return 0;
- data = conn->data;
+ data = (struct Curl_easy *) SSL_get_ex_data(ssl, data_idx);
/* The sockindex has been stored as a pointer to an array element */
sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
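Review bot: The pointer fetched at `data = (struct Curl_easy *) SSL_get_ex_data(ssl, data_idx);` is not null-checked the way `conn` is two lines above, yet it is dereferenced right after through Curl_ssl_sessionid_lock(data) and infof(); add `if(!data) return 0;` after it. The deeper concern is that this is the easy handle that was current when ossl_connect_step1() stored it, while the SSL object belongs to the connection, which can outlive that handle and be reused by a different one; if the new-session callback fires later than the original handshake (post-handshake session tickets would do this, as far as I can tell), it operates on a freed Curl_easy. Since `conn` is already recovered from ex_data here, the transfer pointer should be refreshed in the SSL object each time a transfer is attached to the connection, not only once in step1. ossl_new_session_cb's body begins before this hunk.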
@@ -2463,19 +2473,19 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
bool incache;
void *old_ssl_sessionid = NULL;
- Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
sockindex));
if(incache) {
if(old_ssl_sessionid != ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
- Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ Curl_ssl_delsessionid(data, old_ssl_sessionid);
incache = FALSE;
}
}
if(!incache) {
- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
+ if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
0 /* unknown size */, sockindex)) {
/* the session has been put into the session cache */
res = 1;
@@ -2483,17 +2493,17 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
else
failf(data, "failed to store ssl session");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
return res;
}
-static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result = CURLE_OK;
char *ciphers;
- struct Curl_easy *data = conn->data;
SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
X509_LOOKUP *lookup = NULL;
curl_socket_t sockfd = conn->sock[sockindex];
@@ -2528,7 +2538,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
/* Make funny stuff to get random input */
- result = Curl_ossl_seed(data);
+ result = ossl_seed(data);
if(result)
return result;
@@ -2714,7 +2724,8 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
result = set_ssl_version_min_max(backend->ctx, conn);
#else
- result = set_ssl_version_min_max_legacy(&ctx_options, conn, sockindex);
+ result = set_ssl_version_min_max_legacy(&ctx_options, data, conn,
+ sockindex);
#endif
if(result != CURLE_OK)
return result;
@@ -2729,7 +2740,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#ifdef HAS_NPN
if(conn->bits.tls_enable_npn)
- SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, conn);
+ SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data);
#endif
#ifdef HAS_ALPN
@@ -2782,7 +2793,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
result = CURLE_OUT_OF_MEMORY;
}
if(!result &&
- !cert_stuff(conn, backend->ctx,
+ !cert_stuff(data, backend->ctx,
ssl_cert, ssl_cert_bio, ssl_cert_type,
SSL_SET_OPTION(key), ssl_key_bio,
SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd)))
@@ -3178,30 +3189,43 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
#ifdef ENABLE_IPV6
(0 == Curl_inet_pton(AF_INET6, hostname, &addr)) &&
#endif
- sni &&
- !SSL_set_tlsext_host_name(backend->handle, hostname))
- infof(data, "WARNING: failed to configure server name indication (SNI) "
- "TLS extension\n");
+ sni) {
+ size_t nlen = strlen(hostname);
+ if((long)nlen >= data->set.buffer_size)
+ /* this is seriously messed up */
+ return CURLE_SSL_CONNECT_ERROR;
+
+ /* RFC 6066 section 3 says the SNI field is case insensitive, but browsers
+ send the data lowercase and subsequently there are now numerous servers
+ out there that don't work unless the name is lowercased */
+ Curl_strntolower(data->state.buffer, hostname, nlen);
+ data->state.buffer[nlen] = 0;
+ if(!SSL_set_tlsext_host_name(backend->handle, data->state.buffer))
+ infof(data, "WARNING: failed to configure server name indication (SNI) "
+ "TLS extension\n");
+ }
#endif
/* Check if there's a cached ID we can/should use here! */
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
+ int data_idx = ossl_get_ssl_data_index();
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
+ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
/* Store the data needed for the "new session" callback.
* The sockindex is stored as a pointer to an array element. */
+ SSL_set_ex_data(backend->handle, data_idx, data);
SSL_set_ex_data(backend->handle, connectdata_idx, conn);
SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
}
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "SSL: SSL_set_session failed: %s",
ossl_strerror(ERR_get_error(), error_buffer,
sizeof(error_buffer)));
@@ -3210,7 +3234,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
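Review bot: The `if((long)nlen >= data->set.buffer_size)` guard returns CURLE_SSL_CONNECT_ERROR without a failf(), so the user only sees a generic connect failure, and the `/* this is seriously messed up */` comment does not say why the condition is unreachable for sane input. Replace the comment with `/* cannot lowercase in place: name is longer than the transfer buffer (no valid SNI name is) */` and add `failf(data, "SNI hostname too long");` before the return. The in-place lowercasing also silently relies on data->state.buffer, otherwise the transfer's receive buffer, being idle at this point of the connect and holding at least buffer_size bytes so that `data->state.buffer[nlen] = 0` stays in bounds; a one-line comment stating both assumptions would save the next reader from re-deriving them. ossl_connect_step1 starts and ends outside this hunk.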
#ifndef CURL_DISABLE_PROXY
@@ -3237,9 +3261,9 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
-static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
+static CURLcode ossl_connect_step2(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
- struct Curl_easy *data = conn->data;
int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
@@ -3385,7 +3409,7 @@ static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
else
infof(data, "ALPN, server did not agree to a protocol\n");
- Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ?
+ Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
}
#endif
@@ -3491,13 +3515,12 @@ typedef size_t numcert_t;
typedef int numcert_t;
#endif
-static CURLcode get_cert_chain(struct connectdata *conn,
+static CURLcode get_cert_chain(struct Curl_easy *data,
struct ssl_connect_data *connssl)
{
CURLcode result;
STACK_OF(X509) *sk;
int i;
- struct Curl_easy *data = conn->data;
numcert_t numcerts;
BIO *mem;
struct ssl_backend_data *backend = connssl->backend;
@@ -3772,14 +3795,14 @@ static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
* We check certificates to authenticate the server; otherwise we risk
* man-in-the-middle attack.
*/
-static CURLcode servercert(struct connectdata *conn,
+static CURLcode servercert(struct Curl_easy *data,
+ struct connectdata *conn,
struct ssl_connect_data *connssl,
bool strict)
{
CURLcode result = CURLE_OK;
int rc;
long lerr;
- struct Curl_easy *data = conn->data;
X509 *issuer;
BIO *fp = NULL;
char error_buffer[256]="";
@@ -3790,7 +3813,7 @@ static CURLcode servercert(struct connectdata *conn,
if(data->set.ssl.certinfo)
/* we've been asked to gather certificate info! */
- (void)get_cert_chain(conn, connssl);
+ (void)get_cert_chain(data, connssl);
backend->server_cert = SSL_get_peer_certificate(backend->handle);
if(!backend->server_cert) {
@@ -3826,7 +3849,7 @@ static CURLcode servercert(struct connectdata *conn,
BIO_free(mem);
if(SSL_CONN_CONFIG(verifyhost)) {
- result = verifyhost(conn, backend->server_cert);
+ result = verifyhost(data, conn, backend->server_cert);
if(result) {
X509_free(backend->server_cert);
backend->server_cert = NULL;
@@ -3928,7 +3951,7 @@ static CURLcode servercert(struct connectdata *conn,
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
if(SSL_CONN_CONFIG(verifystatus)) {
- result = verifystatus(conn, connssl);
+ result = verifystatus(data, connssl);
if(result) {
X509_free(backend->server_cert);
backend->server_cert = NULL;
@@ -3956,7 +3979,8 @@ static CURLcode servercert(struct connectdata *conn,
return result;
}
-static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
+static CURLcode ossl_connect_step3(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result = CURLE_OK;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
@@ -3970,8 +3994,8 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
* operations.
*/
- result = servercert(conn, connssl, (SSL_CONN_CONFIG(verifypeer) ||
- SSL_CONN_CONFIG(verifyhost)));
+ result = servercert(data, conn, connssl, (SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost)));
if(!result)
connssl->connecting_state = ssl_connect_done;
@@ -3982,13 +4006,13 @@ static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
static Curl_recv ossl_recv;
static Curl_send ossl_send;
-static CURLcode ossl_connect_common(struct connectdata *conn,
+static CURLcode ossl_connect_common(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode result;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
int what;
@@ -4009,7 +4033,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn,
return CURLE_OPERATION_TIMEDOUT;
}
- result = ossl_connect_step1(conn, sockindex);
+ result = ossl_connect_step1(data, conn, sockindex);
if(result)
return result;
}
@@ -4061,7 +4085,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn,
* before step2 has completed while ensuring that a client using select()
* or epoll() will always have a valid fdset to wait on.
*/
- result = ossl_connect_step2(conn, sockindex);
+ result = ossl_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
@@ -4071,7 +4095,7 @@ static CURLcode ossl_connect_common(struct connectdata *conn,
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
- result = ossl_connect_step3(conn, sockindex);
+ result = ossl_connect_step3(data, conn, sockindex);
if(result)
return result;
}
@@ -4091,19 +4115,21 @@ static CURLcode ossl_connect_common(struct connectdata *conn,
return CURLE_OK;
}
-static CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn,
- int sockindex,
- bool *done)
+static CURLcode ossl_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
+ int sockindex,
+ bool *done)
{
- return ossl_connect_common(conn, sockindex, TRUE, done);
+ return ossl_connect_common(data, conn, sockindex, TRUE, done);
}
-static CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex)
+static CURLcode ossl_connect(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
CURLcode result;
bool done = FALSE;
- result = ossl_connect_common(conn, sockindex, FALSE, &done);
+ result = ossl_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
@@ -4112,8 +4138,8 @@ static CURLcode Curl_ossl_connect(struct connectdata *conn, int sockindex)
return CURLE_OK;
}
-static bool Curl_ossl_data_pending(const struct connectdata *conn,
- int connindex)
+static bool ossl_data_pending(const struct connectdata *conn,
+ int connindex)
{
const struct ssl_connect_data *connssl = &conn->ssl[connindex];
if(connssl->backend->handle && SSL_pending(connssl->backend->handle))
@@ -4128,9 +4154,9 @@ static bool Curl_ossl_data_pending(const struct connectdata *conn,
return FALSE;
}
-static size_t Curl_ossl_version(char *buffer, size_t size);
+static size_t ossl_version(char *buffer, size_t size);
-static ssize_t ossl_send(struct connectdata *conn,
+static ssize_t ossl_send(struct Curl_easy *data,
int sockindex,
const void *mem,
size_t len,
@@ -4143,6 +4169,7 @@ static ssize_t ossl_send(struct connectdata *conn,
unsigned long sslerror;
int memlen;
int rc;
+ struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
@@ -4174,7 +4201,7 @@ static ssize_t ossl_send(struct connectdata *conn,
strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
error_buffer[sizeof(error_buffer) - 1] = '\0';
}
- failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d",
+ failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
error_buffer, sockerr);
*curlcode = CURLE_SEND_ERROR;
return -1;
@@ -4191,18 +4218,17 @@ static ssize_t ossl_send(struct connectdata *conn,
#endif
) {
char ver[120];
- Curl_ossl_version(ver, 120);
- failf(conn->data, "Error: %s does not support double SSL tunneling.",
- ver);
+ ossl_version(ver, 120);
+ failf(data, "Error: %s does not support double SSL tunneling.", ver);
}
else
- failf(conn->data, "SSL_write() error: %s",
+ failf(data, "SSL_write() error: %s",
ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)));
*curlcode = CURLE_SEND_ERROR;
return -1;
}
/* a true error */
- failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d",
+ failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
SSL_ERROR_to_str(err), SOCKERRNO);
*curlcode = CURLE_SEND_ERROR;
return -1;
@@ -4211,7 +4237,7 @@ static ssize_t ossl_send(struct connectdata *conn,
return (ssize_t)rc; /* number of bytes */
}
-static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
+static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */
int num, /* socketindex */
char *buf, /* store read data here */
size_t buffersize, /* max amount to read */
@@ -4221,6 +4247,7 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
unsigned long sslerror;
ssize_t nread;
int buffsize;
+ struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[num];
struct ssl_backend_data *backend = connssl->backend;
@@ -4264,7 +4291,7 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
error_buffer[sizeof(error_buffer) - 1] = '\0';
}
- failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d",
+ failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
error_buffer, sockerr);
*curlcode = CURLE_RECV_ERROR;
return -1;
@@ -4286,7 +4313,7 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
msnprintf(error_buffer, sizeof(error_buffer),
"Connection closed abruptly");
}
- failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d"
+ failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d"
" (Fatal because this is a curl debug build)",
error_buffer, sockerr);
*curlcode = CURLE_RECV_ERROR;
@@ -4298,7 +4325,7 @@ static ssize_t ossl_recv(struct connectdata *conn, /* connection data */
return nread;
}
-static size_t Curl_ossl_version(char *buffer, size_t size)
+static size_t ossl_version(char *buffer, size_t size)
{
#ifdef LIBRESSL_VERSION_NUMBER
#if LIBRESSL_VERSION_NUMBER < 0x2070100fL
@@ -4369,12 +4396,12 @@ static size_t Curl_ossl_version(char *buffer, size_t size)
}
/* can be called with data == NULL */
-static CURLcode Curl_ossl_random(struct Curl_easy *data,
- unsigned char *entropy, size_t length)
+static CURLcode ossl_random(struct Curl_easy *data,
+ unsigned char *entropy, size_t length)
{
int rc;
if(data) {
- if(Curl_ossl_seed(data)) /* Initiate the seed if not already done */
+ if(ossl_seed(data)) /* Initiate the seed if not already done */
return CURLE_FAILED_INIT; /* couldn't seed for some reason */
}
else {
@@ -4386,30 +4413,11 @@ static CURLcode Curl_ossl_random(struct Curl_easy *data,
return (rc == 1 ? CURLE_OK : CURLE_FAILED_INIT);
}
-static CURLcode Curl_ossl_md5sum(unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *md5sum /* output */,
- size_t unused)
-{
- EVP_MD_CTX *mdctx;
- unsigned int len = 0;
- (void) unused;
-
- mdctx = EVP_MD_CTX_create();
- if(!mdctx)
- return CURLE_OUT_OF_MEMORY;
- EVP_DigestInit(mdctx, EVP_md5());
- EVP_DigestUpdate(mdctx, tmp, tmplen);
- EVP_DigestFinal_ex(mdctx, md5sum, &len);
- EVP_MD_CTX_destroy(mdctx);
- return CURLE_OK;
-}
-
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
-static CURLcode Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum /* output */,
- size_t unused)
+static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *sha256sum /* output */,
+ size_t unused)
{
EVP_MD_CTX *mdctx;
unsigned int len = 0;
@@ -4426,7 +4434,7 @@ static CURLcode Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
}
#endif
-static bool Curl_ossl_cert_status_request(void)
+static bool ossl_cert_status_request(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
@@ -4436,8 +4444,8 @@ static bool Curl_ossl_cert_status_request(void)
#endif
}
-static void *Curl_ossl_get_internals(struct ssl_connect_data *connssl,
- CURLINFO info)
+static void *ossl_get_internals(struct ssl_connect_data *connssl,
+ CURLINFO info)
{
/* Legacy: CURLINFO_TLS_SESSION must return an SSL_CTX pointer. */
struct ssl_backend_data *backend = connssl->backend;
@@ -4459,29 +4467,28 @@ const struct Curl_ssl Curl_ssl_openssl = {
sizeof(struct ssl_backend_data),
- Curl_ossl_init, /* init */
- Curl_ossl_cleanup, /* cleanup */
- Curl_ossl_version, /* version */
- Curl_ossl_check_cxn, /* check_cxn */
- Curl_ossl_shutdown, /* shutdown */
- Curl_ossl_data_pending, /* data_pending */
- Curl_ossl_random, /* random */
- Curl_ossl_cert_status_request, /* cert_status_request */
- Curl_ossl_connect, /* connect */
- Curl_ossl_connect_nonblocking, /* connect_nonblocking */
- Curl_ossl_get_internals, /* get_internals */
- Curl_ossl_close, /* close_one */
- Curl_ossl_close_all, /* close_all */
- Curl_ossl_session_free, /* session_free */
- Curl_ossl_set_engine, /* set_engine */
- Curl_ossl_set_engine_default, /* set_engine_default */
- Curl_ossl_engines_list, /* engines_list */
- Curl_none_false_start, /* false_start */
- Curl_ossl_md5sum, /* md5sum */
+ ossl_init, /* init */
+ ossl_cleanup, /* cleanup */
+ ossl_version, /* version */
+ ossl_check_cxn, /* check_cxn */
+ ossl_shutdown, /* shutdown */
+ ossl_data_pending, /* data_pending */
+ ossl_random, /* random */
+ ossl_cert_status_request, /* cert_status_request */
+ ossl_connect, /* connect */
+ ossl_connect_nonblocking, /* connect_nonblocking */
+ ossl_get_internals, /* get_internals */
+ ossl_close, /* close_one */
+ ossl_close_all, /* close_all */
+ ossl_session_free, /* session_free */
+ ossl_set_engine, /* set_engine */
+ ossl_set_engine_default, /* set_engine_default */
+ ossl_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
- Curl_ossl_sha256sum /* sha256sum */
+ ossl_sha256sum /* sha256sum */
#else
- NULL /* sha256sum */
+ NULL /* sha256sum */
#endif
};