authordartraiden <wowemuh@gmail.com>2023-10-11 18:36:33 +0300
committerdartraiden <wowemuh@gmail.com>2023-10-11 18:38:34 +0300
commitb7dfc6fda6f6b461f45a2ce457911bf128160208 (patch)
tree795d58d5d6d83c483022c3e14640f5999d0c0623 /libs/libcurl/src/vtls
parentf40b2ce583f05b0756c4552f2e46535bea2c0c39 (diff)
libcurl: update to 8.4.0
Diffstat (limited to 'libs/libcurl/src/vtls')
-rw-r--r--libs/libcurl/src/vtls/gtls.c8
-rw-r--r--libs/libcurl/src/vtls/mbedtls.c13
-rw-r--r--libs/libcurl/src/vtls/openssl.c100
-rw-r--r--libs/libcurl/src/vtls/schannel.c48
-rw-r--r--libs/libcurl/src/vtls/schannel.h2
-rw-r--r--libs/libcurl/src/vtls/schannel_int.h43
-rw-r--r--libs/libcurl/src/vtls/sectransp.c16
-rw-r--r--libs/libcurl/src/vtls/vtls.c3
-rw-r--r--libs/libcurl/src/vtls/wolfssl.c71
9 files changed, 132 insertions, 172 deletions
diff --git a/libs/libcurl/src/vtls/gtls.c b/libs/libcurl/src/vtls/gtls.c
index c806a08cc4..cc30cb0f55 100644
--- a/libs/libcurl/src/vtls/gtls.c
+++ b/libs/libcurl/src/vtls/gtls.c
@@ -1473,7 +1473,6 @@ static int gtls_shutdown(struct Curl_cfilter *cf,
struct Curl_easy *data)
{
struct ssl_connect_data *connssl = cf->ctx;
- struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
struct gtls_ssl_backend_data *backend =
(struct gtls_ssl_backend_data *)connssl->backend;
int retval = 0;
@@ -1536,8 +1535,11 @@ static int gtls_shutdown(struct Curl_cfilter *cf,
gnutls_certificate_free_credentials(backend->gtls.cred);
#ifdef USE_GNUTLS_SRP
- if(ssl_config->primary.username)
- gnutls_srp_free_client_credentials(backend->gtls.srp_client_cred);
+ {
+ struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
+ if(ssl_config->primary.username)
+ gnutls_srp_free_client_credentials(backend->gtls.srp_client_cred);
+ }
#endif
backend->gtls.cred = NULL;
diff --git a/libs/libcurl/src/vtls/mbedtls.c b/libs/libcurl/src/vtls/mbedtls.c
index 5f9414b881..496cac0ab4 100644
--- a/libs/libcurl/src/vtls/mbedtls.c
+++ b/libs/libcurl/src/vtls/mbedtls.c
@@ -156,7 +156,8 @@ static void mbed_debug(void *context, int level, const char *f_name,
#else
#endif
-static int bio_cf_write(void *bio, const unsigned char *buf, size_t blen)
+static int mbedtls_bio_cf_write(void *bio,
+ const unsigned char *buf, size_t blen)
{
struct Curl_cfilter *cf = bio;
struct Curl_easy *data = CF_DATA_CURRENT(cf);
@@ -165,7 +166,7 @@ static int bio_cf_write(void *bio, const unsigned char *buf, size_t blen)
DEBUGASSERT(data);
nwritten = Curl_conn_cf_send(cf->next, data, (char *)buf, blen, &result);
- CURL_TRC_CF(data, cf, "bio_cf_out_write(len=%zu) -> %zd, err=%d",
+ CURL_TRC_CF(data, cf, "mbedtls_bio_cf_out_write(len=%zu) -> %zd, err=%d",
blen, nwritten, result);
if(nwritten < 0 && CURLE_AGAIN == result) {
nwritten = MBEDTLS_ERR_SSL_WANT_WRITE;
@@ -173,7 +174,7 @@ static int bio_cf_write(void *bio, const unsigned char *buf, size_t blen)
return (int)nwritten;
}
-static int bio_cf_read(void *bio, unsigned char *buf, size_t blen)
+static int mbedtls_bio_cf_read(void *bio, unsigned char *buf, size_t blen)
{
struct Curl_cfilter *cf = bio;
struct Curl_easy *data = CF_DATA_CURRENT(cf);
@@ -186,7 +187,7 @@ static int bio_cf_read(void *bio, unsigned char *buf, size_t blen)
return 0;
nread = Curl_conn_cf_recv(cf->next, data, (char *)buf, blen, &result);
- CURL_TRC_CF(data, cf, "bio_cf_in_read(len=%zu) -> %zd, err=%d",
+ CURL_TRC_CF(data, cf, "mbedtls_bio_cf_in_read(len=%zu) -> %zd, err=%d",
blen, nread, result);
if(nread < 0 && CURLE_AGAIN == result) {
nread = MBEDTLS_ERR_SSL_WANT_READ;
@@ -591,7 +592,9 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random,
&backend->ctr_drbg);
- mbedtls_ssl_set_bio(&backend->ssl, cf, bio_cf_write, bio_cf_read,
+ mbedtls_ssl_set_bio(&backend->ssl, cf,
+ mbedtls_bio_cf_write,
+ mbedtls_bio_cf_read,
NULL /* rev_timeout() */);
mbedtls_ssl_conf_ciphersuites(&backend->config,
diff --git a/libs/libcurl/src/vtls/openssl.c b/libs/libcurl/src/vtls/openssl.c
index 577069f040..b2f201ef13 100644
--- a/libs/libcurl/src/vtls/openssl.c
+++ b/libs/libcurl/src/vtls/openssl.c
@@ -466,7 +466,9 @@ CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl)
X509_get0_signature(&psig, &sigalg, x);
if(sigalg) {
- i2a_ASN1_OBJECT(mem, sigalg->algorithm);
+ const ASN1_OBJECT *sigalgoid = NULL;
+ X509_ALGOR_get0(&sigalgoid, NULL, NULL, sigalg);
+ i2a_ASN1_OBJECT(mem, sigalgoid);
push_certinfo("Signature Algorithm", i);
}
@@ -661,7 +663,7 @@ CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl)
#define BIO_set_shutdown(x,v) ((x)->shutdown=(v))
#endif /* USE_PRE_1_1_API */
-static int bio_cf_create(BIO *bio)
+static int ossl_bio_cf_create(BIO *bio)
{
BIO_set_shutdown(bio, 1);
BIO_set_init(bio, 1);
@@ -672,14 +674,14 @@ static int bio_cf_create(BIO *bio)
return 1;
}
-static int bio_cf_destroy(BIO *bio)
+static int ossl_bio_cf_destroy(BIO *bio)
{
if(!bio)
return 0;
return 1;
}
-static long bio_cf_ctrl(BIO *bio, int cmd, long num, void *ptr)
+static long ossl_bio_cf_ctrl(BIO *bio, int cmd, long num, void *ptr)
{
struct Curl_cfilter *cf = BIO_get_data(bio);
long ret = 1;
@@ -713,7 +715,7 @@ static long bio_cf_ctrl(BIO *bio, int cmd, long num, void *ptr)
return ret;
}
-static int bio_cf_out_write(BIO *bio, const char *buf, int blen)
+static int ossl_bio_cf_out_write(BIO *bio, const char *buf, int blen)
{
struct Curl_cfilter *cf = BIO_get_data(bio);
struct ssl_connect_data *connssl = cf->ctx;
@@ -725,7 +727,7 @@ static int bio_cf_out_write(BIO *bio, const char *buf, int blen)
DEBUGASSERT(data);
nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result);
- CURL_TRC_CF(data, cf, "bio_cf_out_write(len=%d) -> %d, err=%d",
+ CURL_TRC_CF(data, cf, "ossl_bio_cf_out_write(len=%d) -> %d, err=%d",
blen, (int)nwritten, result);
BIO_clear_retry_flags(bio);
backend->io_result = result;
@@ -736,7 +738,7 @@ static int bio_cf_out_write(BIO *bio, const char *buf, int blen)
return (int)nwritten;
}
-static int bio_cf_in_read(BIO *bio, char *buf, int blen)
+static int ossl_bio_cf_in_read(BIO *bio, char *buf, int blen)
{
struct Curl_cfilter *cf = BIO_get_data(bio);
struct ssl_connect_data *connssl = cf->ctx;
@@ -752,7 +754,7 @@ static int bio_cf_in_read(BIO *bio, char *buf, int blen)
return 0;
nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result);
- CURL_TRC_CF(data, cf, "bio_cf_in_read(len=%d) -> %d, err=%d",
+ CURL_TRC_CF(data, cf, "ossl_bio_cf_in_read(len=%d) -> %d, err=%d",
blen, (int)nread, result);
BIO_clear_retry_flags(bio);
backend->io_result = result;
@@ -777,42 +779,42 @@ static int bio_cf_in_read(BIO *bio, char *buf, int blen)
#if USE_PRE_1_1_API
-static BIO_METHOD bio_cf_meth_1_0 = {
+static BIO_METHOD ossl_bio_cf_meth_1_0 = {
BIO_TYPE_MEM,
"OpenSSL CF BIO",
- bio_cf_out_write,
- bio_cf_in_read,
+ ossl_bio_cf_out_write,
+ ossl_bio_cf_in_read,
NULL, /* puts is never called */
NULL, /* gets is never called */
- bio_cf_ctrl,
- bio_cf_create,
- bio_cf_destroy,
+ ossl_bio_cf_ctrl,
+ ossl_bio_cf_create,
+ ossl_bio_cf_destroy,
NULL
};
-static BIO_METHOD *bio_cf_method_create(void)
+static BIO_METHOD *ossl_bio_cf_method_create(void)
{
- return &bio_cf_meth_1_0;
+ return &ossl_bio_cf_meth_1_0;
}
-#define bio_cf_method_free(m) Curl_nop_stmt
+#define ossl_bio_cf_method_free(m) Curl_nop_stmt
#else
-static BIO_METHOD *bio_cf_method_create(void)
+static BIO_METHOD *ossl_bio_cf_method_create(void)
{
BIO_METHOD *m = BIO_meth_new(BIO_TYPE_MEM, "OpenSSL CF BIO");
if(m) {
- BIO_meth_set_write(m, &bio_cf_out_write);
- BIO_meth_set_read(m, &bio_cf_in_read);
- BIO_meth_set_ctrl(m, &bio_cf_ctrl);
- BIO_meth_set_create(m, &bio_cf_create);
- BIO_meth_set_destroy(m, &bio_cf_destroy);
+ BIO_meth_set_write(m, &ossl_bio_cf_out_write);
+ BIO_meth_set_read(m, &ossl_bio_cf_in_read);
+ BIO_meth_set_ctrl(m, &ossl_bio_cf_ctrl);
+ BIO_meth_set_create(m, &ossl_bio_cf_create);
+ BIO_meth_set_destroy(m, &ossl_bio_cf_destroy);
}
return m;
}
-static void bio_cf_method_free(BIO_METHOD *m)
+static void ossl_bio_cf_method_free(BIO_METHOD *m)
{
if(m)
BIO_meth_free(m);
@@ -1551,11 +1553,9 @@ fail:
UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
UI_method_set_reader(ui_method, ssl_ui_reader);
UI_method_set_writer(ui_method, ssl_ui_writer);
- /* the typecast below was added to please mingw32 */
- priv_key = (EVP_PKEY *)
- ENGINE_load_private_key(data->state.engine, key_file,
- ui_method,
- key_passwd);
+ priv_key = ENGINE_load_private_key(data->state.engine, key_file,
+ ui_method,
+ key_passwd);
UI_destroy_method(ui_method);
if(!priv_key) {
failf(data, "failed to load private key from crypto engine");
@@ -1878,15 +1878,45 @@ static void ossl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
if(backend->handle) {
if(cf->next && cf->next->connected) {
- char buf[32];
+ char buf[1024];
+ int nread, err;
+ long sslerr;
+
/* Maybe the server has already sent a close notify alert.
Read it to avoid an RST on the TCP connection. */
(void)SSL_read(backend->handle, buf, (int)sizeof(buf));
-
- (void)SSL_shutdown(backend->handle);
-
ERR_clear_error();
+ if(SSL_shutdown(backend->handle) == 1) {
+ CURL_TRC_CF(data, cf, "SSL shutdown finished");
+ }
+ else {
+ nread = SSL_read(backend->handle, buf, (int)sizeof(buf));
+ err = SSL_get_error(backend->handle, nread);
+ switch(err) {
+ case SSL_ERROR_NONE: /* this is not an error */
+ case SSL_ERROR_ZERO_RETURN: /* no more data */
+ CURL_TRC_CF(data, cf, "SSL shutdown, EOF from server");
+ break;
+ case SSL_ERROR_WANT_READ:
+ /* SSL has send its notify and now wants to read the reply
+ * from the server. We are not really interested in that. */
+ CURL_TRC_CF(data, cf, "SSL shutdown sent");
+ break;
+ case SSL_ERROR_WANT_WRITE:
+ CURL_TRC_CF(data, cf, "SSL shutdown send blocked");
+ break;
+ default:
+ sslerr = ERR_get_error();
+ CURL_TRC_CF(data, cf, "SSL shutdown, error: '%s', errno %d",
+ (sslerr ?
+ ossl_strerror(sslerr, buf, sizeof(buf)) :
+ SSL_ERROR_to_str(err)),
+ SOCKERRNO);
+ break;
+ }
+ }
+ ERR_clear_error();
SSL_set_connect_state(backend->handle);
}
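Review bot: The new `else` branch treats `SSL_shutdown()` returning 0 (our close_notify was sent, the peer's is still pending) and -1 (the shutdown itself failed) the same way, so on -1 the follow-up `SSL_read` is issued against an already-failed connection and `SSL_get_error` then classifies the read rather than the shutdown. Keeping the shutdown result in a local and only reading when it is 0 reports the right error and avoids the extra read; the rewritten lines are below, the `switch` body is unchanged. Reusing `buf` for `ossl_strerror` in the `default:` case is fine since the read contents are discarded, but a short comment on the `char buf[1024]` line saying it doubles as the error-string buffer would save the next reader a double take. `ossl_close` starts and ends outside this hunk.
```c
      char buf[1024]; /* read sink for the peer's close_notify; also the
                         ossl_strerror() buffer in the default case */
      int rc, err;
      long sslerr;

      /* … unchanged: first SSL_read to drain a pending close_notify … */
      ERR_clear_error();
      rc = SSL_shutdown(backend->handle);
      if(rc == 1) {
        CURL_TRC_CF(data, cf, "SSL shutdown finished");
      }
      else {
        /* rc == 0: our close_notify went out, read the peer's reply;
           rc < 0: the shutdown itself failed, classify that instead */
        if(rc == 0)
          rc = SSL_read(backend->handle, buf, (int)sizeof(buf));
        err = SSL_get_error(backend->handle, rc);
        switch(err) {
        /* … unchanged: SSL_ERROR_* cases … */
        }
      }
```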
@@ -1899,7 +1929,7 @@ static void ossl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
backend->x509_store_setup = FALSE;
}
if(backend->bio_method) {
- bio_cf_method_free(backend->bio_method);
+ ossl_bio_cf_method_free(backend->bio_method);
backend->bio_method = NULL;
}
}
@@ -3789,7 +3819,7 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
Curl_ssl_sessionid_unlock(data);
}
- backend->bio_method = bio_cf_method_create();
+ backend->bio_method = ossl_bio_cf_method_create();
if(!backend->bio_method)
return CURLE_OUT_OF_MEMORY;
bio = BIO_new(backend->bio_method);
diff --git a/libs/libcurl/src/vtls/schannel.c b/libs/libcurl/src/vtls/schannel.c
index 843319e4ac..77ab43a9bf 100644
--- a/libs/libcurl/src/vtls/schannel.c
+++ b/libs/libcurl/src/vtls/schannel.c
@@ -68,22 +68,6 @@
# define HAS_ALPN 1
#endif
-#ifndef UNISP_NAME_A
-#define UNISP_NAME_A "Microsoft Unified Security Protocol Provider"
-#endif
-
-#ifndef UNISP_NAME_W
-#define UNISP_NAME_W L"Microsoft Unified Security Protocol Provider"
-#endif
-
-#ifndef UNISP_NAME
-#ifdef UNICODE
-#define UNISP_NAME UNISP_NAME_W
-#else
-#define UNISP_NAME UNISP_NAME_A
-#endif
-#endif
-
#ifndef BCRYPT_CHACHA20_POLY1305_ALGORITHM
#define BCRYPT_CHACHA20_POLY1305_ALGORITHM L"CHACHA20_POLY1305"
#endif
@@ -108,13 +92,6 @@
#define BCRYPT_SHA384_ALGORITHM L"SHA384"
#endif
-/* Workaround broken compilers like MinGW.
- Return the number of elements in a statically sized array.
-*/
-#ifndef ARRAYSIZE
-#define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
-#endif
-
#ifdef HAS_CLIENT_CERT_PATH
#ifdef UNICODE
#define CURL_CERT_STORE_PROV_SYSTEM CERT_STORE_PROV_SYSTEM_W
@@ -123,18 +100,6 @@
#endif
#endif
-#ifndef SP_PROT_SSL2_CLIENT
-#define SP_PROT_SSL2_CLIENT 0x00000008
-#endif
-
-#ifndef SP_PROT_SSL3_CLIENT
-#define SP_PROT_SSL3_CLIENT 0x00000008
-#endif
-
-#ifndef SP_PROT_TLS1_CLIENT
-#define SP_PROT_TLS1_CLIENT 0x00000080
-#endif
-
#ifndef SP_PROT_TLS1_0_CLIENT
#define SP_PROT_TLS1_0_CLIENT SP_PROT_TLS1_CLIENT
#endif
@@ -175,12 +140,6 @@
# define CALG_SHA_256 0x0000800c
#endif
-/* Work around typo in classic MinGW's w32api up to version 5.0,
- see https://osdn.net/projects/mingw/ticket/38391 */
-#if !defined(ALG_CLASS_DHASH) && defined(ALG_CLASS_HASH)
-#define ALG_CLASS_DHASH ALG_CLASS_HASH
-#endif
-
#ifndef PKCS12_NO_PERSIST_KEY
#define PKCS12_NO_PERSIST_KEY 0x00008000
#endif
@@ -769,7 +728,7 @@ schannel_acquire_credential_handle(struct Curl_cfilter *cf,
}
#endif
- /* allocate memory for the re-usable credential handle */
+ /* allocate memory for the reusable credential handle */
backend->cred = (struct Curl_schannel_cred *)
calloc(1, sizeof(struct Curl_schannel_cred));
if(!backend->cred) {
@@ -1169,7 +1128,7 @@ schannel_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
backend->cred = NULL;
- /* check for an existing re-usable credential handle */
+ /* check for an existing reusable credential handle */
if(ssl_config->primary.sessionid) {
Curl_ssl_sessionid_lock(data);
if(!Curl_ssl_getsessionid(cf, data, (void **)&old_cred, NULL)) {
@@ -2752,8 +2711,7 @@ static void schannel_checksum(const unsigned char *input,
if(!CryptCreateHash(hProv, algId, 0, 0, &hHash))
break; /* failed */
- /* workaround for original MinGW, should be (const BYTE*) */
- if(!CryptHashData(hHash, (BYTE*)input, (DWORD)inputlen, 0))
+ if(!CryptHashData(hHash, input, (DWORD)inputlen, 0))
break; /* failed */
/* get hash size */
diff --git a/libs/libcurl/src/vtls/schannel.h b/libs/libcurl/src/vtls/schannel.h
index 4066e9ca1b..438012d434 100644
--- a/libs/libcurl/src/vtls/schannel.h
+++ b/libs/libcurl/src/vtls/schannel.h
@@ -68,7 +68,7 @@
* BoringSSL's <openssl/x509.h>: So just undefine those defines here
* (and only here).
*/
-#if defined(HAVE_BORINGSSL) || defined(OPENSSL_IS_BORINGSSL)
+#if defined(OPENSSL_IS_BORINGSSL)
# undef X509_NAME
# undef X509_CERT_PAIR
# undef X509_EXTENSIONS
diff --git a/libs/libcurl/src/vtls/schannel_int.h b/libs/libcurl/src/vtls/schannel_int.h
index 97fed9e660..17a94d6e85 100644
--- a/libs/libcurl/src/vtls/schannel_int.h
+++ b/libs/libcurl/src/vtls/schannel_int.h
@@ -28,15 +28,9 @@
#ifdef USE_SCHANNEL
-#ifdef __MINGW32__
-#ifdef __MINGW64_VERSION_MAJOR
+#if defined(__MINGW32__) || defined(CERT_CHAIN_REVOCATION_CHECK_CHAIN)
#define HAS_MANUAL_VERIFY_API
#endif
-#else
-#ifdef CERT_CHAIN_REVOCATION_CHECK_CHAIN
-#define HAS_MANUAL_VERIFY_API
-#endif
-#endif
#if defined(CryptStringToBinary) && defined(CRYPT_STRING_HEX) \
&& !defined(DISABLE_SCHANNEL_CLIENT_CERT)
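Review bot: The new condition grants HAS_MANUAL_VERIFY_API to every `__MINGW32__` build, whereas the old one additionally required `__MINGW64_VERSION_MAJOR`; together with the removal of the classic-MinGW `CERT_*` typedefs in the next hunk this appears to assume that only mingw-w64 is a supported MinGW toolchain, but nothing in the header says so. A one-line comment on the `#if` would make that explicit, e.g. `/* mingw-w64 (the only supported MinGW) ships the manual-verify APIs */`. The companion `#ifdef HAS_MANUAL_VERIFY_API` users are outside this hunk.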
@@ -60,41 +54,6 @@
#endif
-#if defined(__MINGW32__) && !defined(__MINGW64_VERSION_MAJOR)
-/* Original mingw is missing CERT structs or they're disabled.
- Refer to w32api-5.0.2-mingw32-dev\include\wincrypt.h. */
-
-/* !checksrc! disable TYPEDEFSTRUCT 4 */
-typedef struct _CERT_OTHER_NAME {
- LPSTR pszObjId;
- CRYPT_OBJID_BLOB Value;
-} CERT_OTHER_NAME, *PCERT_OTHER_NAME;
-
-typedef struct _CERT_ALT_NAME_ENTRY {
- DWORD dwAltNameChoice;
- union {
- PCERT_OTHER_NAME pOtherName;
- LPWSTR pwszRfc822Name;
- LPWSTR pwszDNSName;
- CERT_NAME_BLOB DirectoryName;
- LPWSTR pwszURL;
- CRYPT_DATA_BLOB IPAddress;
- LPSTR pszRegisteredID;
- };
-} CERT_ALT_NAME_ENTRY, *PCERT_ALT_NAME_ENTRY;
-
-typedef struct _CERT_ALT_NAME_INFO {
- DWORD cAltEntry;
- PCERT_ALT_NAME_ENTRY rgAltEntry;
-} CERT_ALT_NAME_INFO, *PCERT_ALT_NAME_INFO;
-
-typedef struct _CRYPT_DECODE_PARA {
- DWORD cbSize;
- PFN_CRYPT_ALLOC pfnAlloc;
- PFN_CRYPT_FREE pfnFree;
-} CRYPT_DECODE_PARA, *PCRYPT_DECODE_PARA;
-#endif
-
#ifndef SCH_CREDENTIALS_VERSION
#define SCH_CREDENTIALS_VERSION 0x00000005
diff --git a/libs/libcurl/src/vtls/sectransp.c b/libs/libcurl/src/vtls/sectransp.c
index 3a3ae009c8..d941119de9 100644
--- a/libs/libcurl/src/vtls/sectransp.c
+++ b/libs/libcurl/src/vtls/sectransp.c
@@ -830,9 +830,9 @@ static const unsigned char ecDsaSecp384r1SpkiHeader[] = {
#endif /* SECTRANSP_PINNEDPUBKEY_V1 */
#endif /* SECTRANSP_PINNEDPUBKEY */
-static OSStatus bio_cf_in_read(SSLConnectionRef connection,
- void *buf,
- size_t *dataLength) /* IN/OUT */
+static OSStatus sectransp_bio_cf_in_read(SSLConnectionRef connection,
+ void *buf,
+ size_t *dataLength) /* IN/OUT */
{
struct Curl_cfilter *cf = (struct Curl_cfilter *)connection;
struct ssl_connect_data *connssl = cf->ctx;
@@ -870,9 +870,9 @@ static OSStatus bio_cf_in_read(SSLConnectionRef connection,
return rtn;
}
-static OSStatus bio_cf_out_write(SSLConnectionRef connection,
- const void *buf,
- size_t *dataLength) /* IN/OUT */
+static OSStatus sectransp_bio_cf_out_write(SSLConnectionRef connection,
+ const void *buf,
+ size_t *dataLength) /* IN/OUT */
{
struct Curl_cfilter *cf = (struct Curl_cfilter *)connection;
struct ssl_connect_data *connssl = cf->ctx;
@@ -2100,7 +2100,9 @@ static CURLcode sectransp_connect_step1(struct Curl_cfilter *cf,
}
}
- err = SSLSetIOFuncs(backend->ssl_ctx, bio_cf_in_read, bio_cf_out_write);
+ err = SSLSetIOFuncs(backend->ssl_ctx,
+ sectransp_bio_cf_in_read,
+ sectransp_bio_cf_out_write);
if(err != noErr) {
failf(data, "SSL: SSLSetIOFuncs() failed: OSStatus %d", err);
return CURLE_SSL_CONNECT_ERROR;
diff --git a/libs/libcurl/src/vtls/vtls.c b/libs/libcurl/src/vtls/vtls.c
index 3e33c16042..6a45ccb6d8 100644
--- a/libs/libcurl/src/vtls/vtls.c
+++ b/libs/libcurl/src/vtls/vtls.c
@@ -1494,7 +1494,8 @@ static void ssl_cf_close(struct Curl_cfilter *cf,
CF_DATA_SAVE(save, cf, data);
cf_close(cf, data);
- cf->next->cft->do_close(cf->next, data);
+ if(cf->next)
+ cf->next->cft->do_close(cf->next, data);
CF_DATA_RESTORE(cf, save);
}
diff --git a/libs/libcurl/src/vtls/wolfssl.c b/libs/libcurl/src/vtls/wolfssl.c
index 231ff35b71..fad1f7a88e 100644
--- a/libs/libcurl/src/vtls/wolfssl.c
+++ b/libs/libcurl/src/vtls/wolfssl.c
@@ -229,7 +229,7 @@ static const struct group_name_map gnm[] = {
#ifdef USE_BIO_CHAIN
-static int bio_cf_create(WOLFSSL_BIO *bio)
+static int wolfssl_bio_cf_create(WOLFSSL_BIO *bio)
{
wolfSSL_BIO_set_shutdown(bio, 1);
wolfSSL_BIO_set_init(bio, 1);
@@ -237,14 +237,14 @@ static int bio_cf_create(WOLFSSL_BIO *bio)
return 1;
}
-static int bio_cf_destroy(WOLFSSL_BIO *bio)
+static int wolfssl_bio_cf_destroy(WOLFSSL_BIO *bio)
{
if(!bio)
return 0;
return 1;
}
-static long bio_cf_ctrl(WOLFSSL_BIO *bio, int cmd, long num, void *ptr)
+static long wolfssl_bio_cf_ctrl(WOLFSSL_BIO *bio, int cmd, long num, void *ptr)
{
struct Curl_cfilter *cf = BIO_get_data(bio);
long ret = 1;
@@ -278,7 +278,8 @@ static long bio_cf_ctrl(WOLFSSL_BIO *bio, int cmd, long num, void *ptr)
return ret;
}
-static int bio_cf_out_write(WOLFSSL_BIO *bio, const char *buf, int blen)
+static int wolfssl_bio_cf_out_write(WOLFSSL_BIO *bio,
+ const char *buf, int blen)
{
struct Curl_cfilter *cf = wolfSSL_BIO_get_data(bio);
struct ssl_connect_data *connssl = cf->ctx;
@@ -299,7 +300,7 @@ static int bio_cf_out_write(WOLFSSL_BIO *bio, const char *buf, int blen)
return (int)nwritten;
}
-static int bio_cf_in_read(WOLFSSL_BIO *bio, char *buf, int blen)
+static int wolfssl_bio_cf_in_read(WOLFSSL_BIO *bio, char *buf, int blen)
{
struct Curl_cfilter *cf = wolfSSL_BIO_get_data(bio);
struct ssl_connect_data *connssl = cf->ctx;
@@ -323,27 +324,27 @@ static int bio_cf_in_read(WOLFSSL_BIO *bio, char *buf, int blen)
return (int)nread;
}
-static WOLFSSL_BIO_METHOD *bio_cf_method = NULL;
+static WOLFSSL_BIO_METHOD *wolfssl_bio_cf_method = NULL;
-static void bio_cf_init_methods(void)
+static void wolfssl_bio_cf_init_methods(void)
{
- bio_cf_method = wolfSSL_BIO_meth_new(BIO_TYPE_MEM, "wolfSSL CF BIO");
- wolfSSL_BIO_meth_set_write(bio_cf_method, &bio_cf_out_write);
- wolfSSL_BIO_meth_set_read(bio_cf_method, &bio_cf_in_read);
- wolfSSL_BIO_meth_set_ctrl(bio_cf_method, &bio_cf_ctrl);
- wolfSSL_BIO_meth_set_create(bio_cf_method, &bio_cf_create);
- wolfSSL_BIO_meth_set_destroy(bio_cf_method, &bio_cf_destroy);
+ wolfssl_bio_cf_method = wolfSSL_BIO_meth_new(BIO_TYPE_MEM, "wolfSSL CF BIO");
+ wolfSSL_BIO_meth_set_write(wolfssl_bio_cf_method, &wolfssl_bio_cf_out_write);
+ wolfSSL_BIO_meth_set_read(wolfssl_bio_cf_method, &wolfssl_bio_cf_in_read);
+ wolfSSL_BIO_meth_set_ctrl(wolfssl_bio_cf_method, &wolfssl_bio_cf_ctrl);
+ wolfSSL_BIO_meth_set_create(wolfssl_bio_cf_method, &wolfssl_bio_cf_create);
+ wolfSSL_BIO_meth_set_destroy(wolfssl_bio_cf_method, &wolfssl_bio_cf_destroy);
}
-static void bio_cf_free_methods(void)
+static void wolfssl_bio_cf_free_methods(void)
{
- wolfSSL_BIO_meth_free(bio_cf_method);
+ wolfSSL_BIO_meth_free(wolfssl_bio_cf_method);
}
#else /* USE_BIO_CHAIN */
-#define bio_cf_init_methods() Curl_nop_stmt
-#define bio_cf_free_methods() Curl_nop_stmt
+#define wolfssl_bio_cf_init_methods() Curl_nop_stmt
+#define wolfssl_bio_cf_free_methods() Curl_nop_stmt
#endif /* !USE_BIO_CHAIN */
@@ -361,6 +362,10 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
const struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
+ const char * const ssl_cafile =
+ /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
+ (ca_info_blob ? NULL : conn_config->CAfile);
+ const char * const ssl_capath = conn_config->CApath;
WOLFSSL_METHOD* req_method = NULL;
#ifdef HAVE_LIBOQS
word16 oqsAlg = 0;
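Review bot: The `/* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */` comment is placed between the `=` and the initializer expression, which splits the declaration across three lines for a one-line value; put it above the declaration instead: `/* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */` followed by `const char * const ssl_cafile = ca_info_blob ? NULL : conn_config->CAfile;`. `wolfssl_connect_step1` begins before this hunk.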
@@ -541,20 +546,21 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
}
#ifndef NO_FILESYSTEM
- /* load trusted cacert */
- if(conn_config->CAfile) {
- if(1 != wolfSSL_CTX_load_verify_locations(backend->ctx,
- conn_config->CAfile,
- conn_config->CApath)) {
+ /* load trusted cacert from file if not blob */
+ if(ssl_cafile || ssl_capath) {
+ int rc =
+ wolfSSL_CTX_load_verify_locations_ex(backend->ctx,
+ ssl_cafile,
+ ssl_capath,
+ WOLFSSL_LOAD_FLAG_IGNORE_ERR);
+ if(SSL_SUCCESS != rc) {
if(conn_config->verifypeer && !imported_ca_info_blob &&
!imported_native_ca) {
/* Fail if we insist on successfully verifying the server. */
failf(data, "error setting certificate verify locations:"
" CAfile: %s CApath: %s",
- conn_config->CAfile?
- conn_config->CAfile: "none",
- conn_config->CApath?
- conn_config->CApath : "none");
+ ssl_cafile ? ssl_cafile : "none",
+ ssl_capath ? ssl_capath : "none");
return CURLE_SSL_CACERT_BADFILE;
}
else {
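Review bot: The new `WOLFSSL_LOAD_FLAG_IGNORE_ERR` argument to `wolfSSL_CTX_load_verify_locations_ex` changes what the `SSL_SUCCESS != rc` check can catch and is not explained in the hunk: if the flag makes wolfSSL skip CApath entries that fail to load, as its name suggests, a directory with no usable certificate can still return success and the `CURLE_SSL_CACERT_BADFILE` branch guarded by `conn_config->verifypeer` will not trip; verification then fails later, at handshake time, with a less specific error. If that OpenSSL-like behaviour is intended, say so where the flag is passed, e.g. extend the comment to `/* load trusted cacert from file if not blob; IGNORE_ERR skips unloadable CApath entries rather than failing the whole call */`. Note also that the `failf` message now prints "none" for CAfile whenever a blob is in use, because `ssl_cafile` is NULL then; that matches what was handed to wolfSSL but differs from the old message. `wolfssl_connect_step1` continues outside this hunk.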
@@ -568,10 +574,8 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
/* Everything is fine. */
infof(data, "successfully set certificate verify locations:");
}
- infof(data, " CAfile: %s",
- conn_config->CAfile ? conn_config->CAfile : "none");
- infof(data, " CApath: %s",
- conn_config->CApath ? conn_config->CApath : "none");
+ infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
+ infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
}
/* Load the client certificate, and private key */
@@ -720,7 +724,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
{
WOLFSSL_BIO *bio;
- bio = BIO_new(bio_cf_method);
+ bio = BIO_new(wolfssl_bio_cf_method);
if(!bio)
return CURLE_OUT_OF_MEMORY;
@@ -1140,14 +1144,14 @@ static int wolfssl_init(void)
Curl_tls_keylog_open();
#endif
ret = (wolfSSL_Init() == SSL_SUCCESS);
- bio_cf_init_methods();
+ wolfssl_bio_cf_init_methods();
return ret;
}
static void wolfssl_cleanup(void)
{
- bio_cf_free_methods();
+ wolfssl_bio_cf_free_methods();
wolfSSL_Cleanup();
#ifdef OPENSSL_EXTRA
Curl_tls_keylog_close();
@@ -1378,6 +1382,7 @@ const struct Curl_ssl Curl_ssl_wolfssl = {
#ifdef USE_BIO_CHAIN
SSLSUPP_HTTPS_PROXY |
#endif
+ SSLSUPP_CA_PATH |
SSLSUPP_CAINFO_BLOB |
SSLSUPP_SSL_CTX,