diff options
Diffstat (limited to 'plugins/FTPFileYM/curl/lib/gskit.c')
| -rw-r--r-- | plugins/FTPFileYM/curl/lib/gskit.c | 906 |
1 files changed, 0 insertions, 906 deletions
diff --git a/plugins/FTPFileYM/curl/lib/gskit.c b/plugins/FTPFileYM/curl/lib/gskit.c deleted file mode 100644 index 5cda85b9b8..0000000000 --- a/plugins/FTPFileYM/curl/lib/gskit.c +++ /dev/null @@ -1,906 +0,0 @@ -/*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * - * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms - * are also available at http://curl.haxx.se/docs/copyright.html. - * - * You may opt to use, copy, modify, merge, publish, distribute and/or sell - * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the COPYING file. - * - * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY - * KIND, either express or implied. - * - ***************************************************************************/ - -#include "curl_setup.h" - -#ifdef USE_GSKIT - -#include <gskssl.h> -#include <qsoasync.h> - -/* Some symbols are undefined/unsupported on OS400 versions < V7R1. */ -#ifndef GSK_SSL_EXTN_SERVERNAME_REQUEST -#define GSK_SSL_EXTN_SERVERNAME_REQUEST 230 -#endif - -#ifdef HAVE_LIMITS_H -# include <limits.h> -#endif - -#include <curl/curl.h> -#include "urldata.h" -#include "sendf.h" -#include "gskit.h" -#include "sslgen.h" -#include "connect.h" /* for the connect timeout */ -#include "select.h" -#include "strequal.h" -#include "x509asn1.h" - -#define _MPRINTF_REPLACE /* use our functions only */ -#include <curl/mprintf.h> - -#include "curl_memory.h" -/* The last #include file should be: */ -#include "memdebug.h" - - -/* Supported ciphers. */ -typedef struct { - const char * name; /* Cipher name. */ - const char * gsktoken; /* Corresponding token for GSKit String. */ - int sslver; /* SSL version. */ -} gskit_cipher; - -static const gskit_cipher ciphertable[] = { - { "null-md5", "01", CURL_SSLVERSION_SSLv3 }, - { "null-sha", "02", CURL_SSLVERSION_SSLv3 }, - { "exp-rc4-md5", "03", CURL_SSLVERSION_SSLv3 }, - { "rc4-md5", "04", CURL_SSLVERSION_SSLv3 }, - { "rc4-sha", "05", CURL_SSLVERSION_SSLv3 }, - { "exp-rc2-cbc-md5", "06", CURL_SSLVERSION_SSLv3 }, - { "exp-des-cbc-sha", "09", CURL_SSLVERSION_SSLv3 }, - { "des-cbc3-sha", "0A", CURL_SSLVERSION_SSLv3 }, - { "aes128-sha", "2F", CURL_SSLVERSION_TLSv1 }, - { "aes256-sha", "35", CURL_SSLVERSION_TLSv1 }, - { "rc4-md5", "1", CURL_SSLVERSION_SSLv2 }, - { "exp-rc4-md5", "2", CURL_SSLVERSION_SSLv2 }, - { "rc2-md5", "3", CURL_SSLVERSION_SSLv2 }, - { "exp-rc2-md5", "4", CURL_SSLVERSION_SSLv2 }, - { "des-cbc-md5", "6", CURL_SSLVERSION_SSLv2 }, - { "des-cbc3-md5", "7", CURL_SSLVERSION_SSLv2 }, - { (const char *) NULL, (const char *) NULL, 0 } -}; - - -static bool is_separator(char c) -{ - /* Return whether character is a cipher list separator. */ - switch (c) { - case ' ': - case '\t': - case ':': - case ',': - case ';': - return true; - } - return false; -} - - -static CURLcode gskit_status(struct SessionHandle * data, int rc, - const char * procname, CURLcode defcode) -{ - CURLcode cc; - - /* Process GSKit status and map it to a CURLcode. */ - switch (rc) { - case GSK_OK: - case GSK_OS400_ASYNCHRONOUS_SOC_INIT: - return CURLE_OK; - case GSK_KEYRING_OPEN_ERROR: - case GSK_OS400_ERROR_NO_ACCESS: - return CURLE_SSL_CACERT_BADFILE; - case GSK_INSUFFICIENT_STORAGE: - return CURLE_OUT_OF_MEMORY; - case GSK_ERROR_BAD_V2_CIPHER: - case GSK_ERROR_BAD_V3_CIPHER: - case GSK_ERROR_NO_CIPHERS: - return CURLE_SSL_CIPHER; - case GSK_OS400_ERROR_NOT_TRUSTED_ROOT: - case GSK_ERROR_CERT_VALIDATION: - return CURLE_PEER_FAILED_VERIFICATION; - case GSK_OS400_ERROR_TIMED_OUT: - return CURLE_OPERATION_TIMEDOUT; - case GSK_WOULD_BLOCK: - return CURLE_AGAIN; - case GSK_OS400_ERROR_NOT_REGISTERED: - break; - case GSK_ERROR_IO: - switch (errno) { - case ENOMEM: - return CURLE_OUT_OF_MEMORY; - default: - failf(data, "%s I/O error: %s", procname, strerror(errno)); - break; - } - break; - default: - failf(data, "%s: %s", procname, gsk_strerror(rc)); - break; - } - return defcode; -} - - -static CURLcode set_enum(struct SessionHandle * data, - gsk_handle h, GSK_ENUM_ID id, GSK_ENUM_VALUE value) -{ - int rc = gsk_attribute_set_enum(h, id, value); - - switch (rc) { - case GSK_OK: - return CURLE_OK; - case GSK_ERROR_IO: - failf(data, "gsk_attribute_set_enum() I/O error: %s", strerror(errno)); - break; - default: - failf(data, "gsk_attribute_set_enum(): %s", gsk_strerror(rc)); - break; - } - return CURLE_SSL_CONNECT_ERROR; -} - - -static CURLcode set_buffer(struct SessionHandle * data, - gsk_handle h, GSK_BUF_ID id, const char * buffer) -{ - int rc = gsk_attribute_set_buffer(h, id, buffer, 0); - - switch (rc) { - case GSK_OK: - return CURLE_OK; - case GSK_ERROR_IO: - failf(data, "gsk_attribute_set_buffer() I/O error: %s", strerror(errno)); - break; - default: - failf(data, "gsk_attribute_set_buffer(): %s", gsk_strerror(rc)); - break; - } - return CURLE_SSL_CONNECT_ERROR; -} - - -static CURLcode set_numeric(struct SessionHandle * data, - gsk_handle h, GSK_NUM_ID id, int value) -{ - int rc = gsk_attribute_set_numeric_value(h, id, value); - - switch (rc) { - case GSK_OK: - return CURLE_OK; - case GSK_ERROR_IO: - failf(data, "gsk_attribute_set_numeric_value() I/O error: %s", - strerror(errno)); - break; - default: - failf(data, "gsk_attribute_set_numeric_value(): %s", gsk_strerror(rc)); - break; - } - return CURLE_SSL_CONNECT_ERROR; -} - - -static CURLcode set_callback(struct SessionHandle * data, - gsk_handle h, GSK_CALLBACK_ID id, void * info) -{ - int rc = gsk_attribute_set_callback(h, id, info); - - switch (rc) { - case GSK_OK: - return CURLE_OK; - case GSK_ERROR_IO: - failf(data, "gsk_attribute_set_callback() I/O error: %s", strerror(errno)); - break; - default: - failf(data, "gsk_attribute_set_callback(): %s", gsk_strerror(rc)); - break; - } - return CURLE_SSL_CONNECT_ERROR; -} - - -static CURLcode set_ciphers(struct SessionHandle * data, gsk_handle h) -{ - const char * cipherlist = data->set.str[STRING_SSL_CIPHER_LIST]; - char * sslv2ciphers; - char * sslv3ciphers; - const char * clp; - const gskit_cipher * ctp; - char * v2p; - char * v3p; - int i; - CURLcode cc; - - /* Compile cipher list into GSKit-compatible cipher lists. */ - - if(!cipherlist) - return CURLE_OK; - while(is_separator(*cipherlist)) /* Skip initial separators. */ - cipherlist++; - if(!*cipherlist) - return CURLE_OK; - - /* We allocate GSKit buffers of the same size as the input string: since - GSKit tokens are always shorter than their cipher names, allocated buffers - will always be large enough to accomodate the result. */ - i = strlen(cipherlist) + 1; - v2p = malloc(i); - if(!v2p) - return CURLE_OUT_OF_MEMORY; - v3p = malloc(i); - if(!v3p) { - free(v2p); - return CURLE_OUT_OF_MEMORY; - } - sslv2ciphers = v2p; - sslv3ciphers = v3p; - - /* Process each cipher in input string. */ - for(;;) { - for(clp = cipherlist; *cipherlist && !is_separator(*cipherlist);) - cipherlist++; - i = cipherlist - clp; - if(!i) - break; - /* Search the cipher in our table. */ - for(ctp = ciphertable; ctp->name; ctp++) - if(strnequal(ctp->name, clp, i) && !ctp->name[i]) - break; - if(!ctp->name) - failf(data, "Unknown cipher %.*s: ignored", i, clp); - else { - switch (ctp->sslver) { - case CURL_SSLVERSION_SSLv2: - strcpy(v2p, ctp->gsktoken); - v2p += strlen(v2p); - break; - default: - /* GSKit wants TLSv1 ciphers with SSLv3 ciphers. */ - strcpy(v3p, ctp->gsktoken); - v3p += strlen(v3p); - break; - } - } - - /* Advance to next cipher name or end of string. */ - while(is_separator(*cipherlist)) - cipherlist++; - } - *v2p = '\0'; - *v3p = '\0'; - cc = set_buffer(data, h, GSK_V2_CIPHER_SPECS, sslv2ciphers); - if(cc == CURLE_OK) - cc = set_buffer(data, h, GSK_V3_CIPHER_SPECS, sslv3ciphers); - free(sslv2ciphers); - free(sslv3ciphers); - return cc; -} - - -int Curl_gskit_init(void) -{ - /* No initialisation needed. */ - - return 1; -} - - -void Curl_gskit_cleanup(void) -{ - /* Nothing to do. */ -} - - -static CURLcode init_environment(struct SessionHandle * data, - gsk_handle * envir, const char * appid, - const char * file, const char * label, - const char * password) -{ - int rc; - CURLcode c; - gsk_handle h; - - /* Creates the GSKit environment. */ - - rc = gsk_environment_open(&h); - switch (rc) { - case GSK_OK: - break; - case GSK_INSUFFICIENT_STORAGE: - return CURLE_OUT_OF_MEMORY; - default: - failf(data, "gsk_environment_open(): %s", gsk_strerror(rc)); - return CURLE_SSL_CONNECT_ERROR; - } - - c = set_enum(data, h, GSK_SESSION_TYPE, GSK_CLIENT_SESSION); - if(c == CURLE_OK && appid) - c = set_buffer(data, h, GSK_OS400_APPLICATION_ID, appid); - if(c == CURLE_OK && file) - c = set_buffer(data, h, GSK_KEYRING_FILE, file); - if(c == CURLE_OK && label) - c = set_buffer(data, h, GSK_KEYRING_LABEL, label); - if(c == CURLE_OK && password) - c = set_buffer(data, h, GSK_KEYRING_PW, password); - - if(c == CURLE_OK) { - /* Locate CAs, Client certificate and key according to our settings. - Note: this call may be blocking for some tenths of seconds. */ - c = gskit_status(data, gsk_environment_init(h), - "gsk_environment_init()", CURLE_SSL_CERTPROBLEM); - if(c == CURLE_OK) { - *envir = h; - return c; - } - } - /* Error: rollback. */ - gsk_environment_close(&h); - return c; -} - - -static void cancel_async_handshake(struct connectdata * conn, int sockindex) -{ - struct ssl_connect_data * connssl = &conn->ssl[sockindex]; - Qso_OverlappedIO_t cstat; - - if(QsoCancelOperation(conn->sock[sockindex], 0) > 0) - QsoWaitForIOCompletion(connssl->iocport, &cstat, (struct timeval *) NULL); -} - - -static void close_async_handshake(struct ssl_connect_data * connssl) -{ - QsoDestroyIOCompletionPort(connssl->iocport); - connssl->iocport = -1; -} - - -static void close_one(struct ssl_connect_data * conn, - struct SessionHandle * data) -{ - if(conn->handle) { - gskit_status(data, gsk_secure_soc_close(&conn->handle), - "gsk_secure_soc_close()", 0); - conn->handle = (gsk_handle) NULL; - } - if(conn->iocport >= 0) - close_async_handshake(conn); -} - - -static ssize_t gskit_send(struct connectdata * conn, int sockindex, - const void * mem, size_t len, CURLcode * curlcode) -{ - struct SessionHandle * data = conn->data; - CURLcode cc; - int written; - - cc = gskit_status(data, - gsk_secure_soc_write(conn->ssl[sockindex].handle, - (char *) mem, (int) len, &written), - "gsk_secure_soc_write()", CURLE_SEND_ERROR); - if(cc != CURLE_OK) { - *curlcode = cc; - written = -1; - } - return (ssize_t) written; /* number of bytes */ -} - - -static ssize_t gskit_recv(struct connectdata * conn, int num, char * buf, - size_t buffersize, CURLcode * curlcode) -{ - struct SessionHandle * data = conn->data; - int buffsize; - int nread; - CURLcode cc; - - buffsize = buffersize > (size_t) INT_MAX? INT_MAX: (int) buffersize; - cc = gskit_status(data, gsk_secure_soc_read(conn->ssl[num].handle, - buf, buffsize, &nread), - "gsk_secure_soc_read()", CURLE_RECV_ERROR); - if(cc != CURLE_OK) { - *curlcode = cc; - nread = -1; - } - return (ssize_t) nread; -} - - -static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex) -{ - struct SessionHandle * data = conn->data; - struct ssl_connect_data * connssl = &conn->ssl[sockindex]; - gsk_handle envir; - CURLcode cc; - int rc; - char * keyringfile; - char * keyringpwd; - char * keyringlabel; - char * v2ciphers; - char * v3ciphers; - char * sni; - bool sslv2enable, sslv3enable, tlsv1enable; - long timeout; - Qso_OverlappedIO_t commarea; - - /* Create SSL environment, start (preferably asynchronous) handshake. */ - - connssl->handle = (gsk_handle) NULL; - connssl->iocport = -1; - - /* GSKit supports two ways of specifying an SSL context: either by - * application identifier (that should have been defined at the system - * level) or by keyring file, password and certificate label. - * Local certificate name (CURLOPT_SSLCERT) is used to hold either the - * application identifier of the certificate label. - * Key password (CURLOPT_KEYPASSWD) holds the keyring password. - * It is not possible to have different keyrings for the CAs and the - * local certificate. We thus use the CA file (CURLOPT_CAINFO) to identify - * the keyring file. - * If no key password is given and the keyring is the system keyring, - * application identifier mode is tried first, as recommended in IBM doc. - */ - - keyringfile = data->set.str[STRING_SSL_CAFILE]; - keyringpwd = data->set.str[STRING_KEY_PASSWD]; - keyringlabel = data->set.str[STRING_CERT]; - envir = (gsk_handle) NULL; - - if(keyringlabel && *keyringlabel && !keyringpwd && - !strcmp(keyringfile, CURL_CA_BUNDLE)) { - /* Try application identifier mode. */ - init_environment(data, &envir, keyringlabel, (const char *) NULL, - (const char *) NULL, (const char *) NULL); - } - - if(!envir) { - /* Use keyring mode. */ - cc = init_environment(data, &envir, (const char *) NULL, - keyringfile, keyringlabel, keyringpwd); - if(cc != CURLE_OK) - return cc; - } - - /* Create secure session. */ - cc = gskit_status(data, gsk_secure_soc_open(envir, &connssl->handle), - "gsk_secure_soc_open()", CURLE_SSL_CONNECT_ERROR); - gsk_environment_close(&envir); - if(cc != CURLE_OK) - return cc; - - /* Determine which SSL/TLS version should be enabled. */ - sslv2enable = sslv3enable = tlsv1enable = false; - sni = conn->host.name; - switch (data->set.ssl.version) { - case CURL_SSLVERSION_SSLv2: - sslv2enable = true; - sni = (char *) NULL; - break; - case CURL_SSLVERSION_SSLv3: - sslv3enable = true; - sni = (char *) NULL; - break; - case CURL_SSLVERSION_TLSv1: - tlsv1enable = true; - break; - default: /* CURL_SSLVERSION_DEFAULT. */ - sslv3enable = true; - tlsv1enable = true; - break; - } - - /* Process SNI. Ignore if not supported (on OS400 < V7R1). */ - if(sni) { - rc = gsk_attribute_set_buffer(connssl->handle, - GSK_SSL_EXTN_SERVERNAME_REQUEST, sni, 0); - switch (rc) { - case GSK_OK: - case GSK_ATTRIBUTE_INVALID_ID: - break; - case GSK_ERROR_IO: - failf(data, "gsk_attribute_set_buffer() I/O error: %s", strerror(errno)); - cc = CURLE_SSL_CONNECT_ERROR; - break; - default: - failf(data, "gsk_attribute_set_buffer(): %s", gsk_strerror(rc)); - cc = CURLE_SSL_CONNECT_ERROR; - break; - } - } - - /* Set session parameters. */ - if(cc == CURLE_OK) { - /* Compute the handshake timeout. Since GSKit granularity is 1 second, - we round up the required value. */ - timeout = Curl_timeleft(data, NULL, TRUE); - if(timeout < 0) - cc = CURLE_OPERATION_TIMEDOUT; - else - cc = set_numeric(data, connssl->handle, GSK_HANDSHAKE_TIMEOUT, - (timeout + 999) / 1000); - } - if(cc == CURLE_OK) - cc = set_numeric(data, connssl->handle, GSK_FD, conn->sock[sockindex]); - if(cc == CURLE_OK) - cc = set_ciphers(data, connssl->handle); - if(cc == CURLE_OK) - cc = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV2, - sslv2enable? GSK_PROTOCOL_SSLV2_ON: - GSK_PROTOCOL_SSLV2_OFF); - if(cc == CURLE_OK) - cc = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV3, - sslv3enable? GSK_PROTOCOL_SSLV3_ON: - GSK_PROTOCOL_SSLV3_OFF); - if(cc == CURLE_OK) - cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1, - sslv3enable? GSK_PROTOCOL_TLSV1_ON: - GSK_PROTOCOL_TLSV1_OFF); - if(cc == CURLE_OK) - cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE, - data->set.ssl.verifypeer? GSK_SERVER_AUTH_FULL: - GSK_SERVER_AUTH_PASSTHRU); - - if(cc == CURLE_OK) { - /* Start handshake. Try asynchronous first. */ - memset(&commarea, 0, sizeof commarea); - connssl->iocport = QsoCreateIOCompletionPort(); - if(connssl->iocport != -1) { - cc = gskit_status(data, gsk_secure_soc_startInit(connssl->handle, - connssl->iocport, &commarea), - "gsk_secure_soc_startInit()", CURLE_SSL_CONNECT_ERROR); - if(cc == CURLE_OK) { - connssl->connecting_state = ssl_connect_2; - return CURLE_OK; - } - else - close_async_handshake(connssl); - } - else if(errno != ENOBUFS) - cc = gskit_status(data, GSK_ERROR_IO, "QsoCreateIOCompletionPort()", 0); - else { - /* No more completion port available. Use synchronous IO. */ - cc = gskit_status(data, gsk_secure_soc_init(connssl->handle), - "gsk_secure_soc_init()", CURLE_SSL_CONNECT_ERROR); - if(cc == CURLE_OK) { - connssl->connecting_state = ssl_connect_3; - return CURLE_OK; - } - } - } - - /* Error: rollback. */ - close_one(connssl, data); - return cc; -} - - -static CURLcode gskit_connect_step2(struct connectdata * conn, int sockindex, - bool nonblocking) -{ - struct SessionHandle * data = conn->data; - struct ssl_connect_data * connssl = &conn->ssl[sockindex]; - Qso_OverlappedIO_t cstat; - long timeout_ms; - struct timeval stmv; - CURLcode cc; - - /* Poll or wait for end of SSL asynchronous handshake. */ - - for(;;) { - timeout_ms = nonblocking? 0: Curl_timeleft(data, NULL, TRUE); - if(timeout_ms < 0) - timeout_ms = 0; - stmv.tv_sec = timeout_ms / 1000; - stmv.tv_usec = (timeout_ms - stmv.tv_sec * 1000) * 1000; - switch (QsoWaitForIOCompletion(connssl->iocport, &cstat, &stmv)) { - case 1: /* Operation complete. */ - break; - case -1: /* An error occurred: handshake still in progress. */ - if(errno == EINTR) { - if(nonblocking) - return CURLE_OK; - continue; /* Retry. */ - } - if(errno != ETIME) { - failf(data, "QsoWaitForIOCompletion() I/O error: %s", strerror(errno)); - cancel_async_handshake(conn, sockindex); - close_async_handshake(connssl); - return CURLE_SSL_CONNECT_ERROR; - } - /* FALL INTO... */ - case 0: /* Handshake in progress, timeout occurred. */ - if(nonblocking) - return CURLE_OK; - cancel_async_handshake(conn, sockindex); - close_async_handshake(connssl); - return CURLE_OPERATION_TIMEDOUT; - } - break; - } - cc = gskit_status(data, cstat.returnValue, "SSL handshake", - CURLE_SSL_CONNECT_ERROR); - if(cc == CURLE_OK) - connssl->connecting_state = ssl_connect_3; - close_async_handshake(connssl); - return cc; -} - - -static CURLcode gskit_connect_step3(struct connectdata * conn, int sockindex) -{ - struct SessionHandle * data = conn->data; - struct ssl_connect_data * connssl = &conn->ssl[sockindex]; - const gsk_cert_data_elem * cdev; - int cdec; - const gsk_cert_data_elem * p; - const char * cert = (const char *) NULL; - const char * certend; - int i; - CURLcode cc; - - /* SSL handshake done: gather certificate info and verify host. */ - - if(gskit_status(data, gsk_attribute_get_cert_info(connssl->handle, - GSK_PARTNER_CERT_INFO, - &cdev, &cdec), - "gsk_attribute_get_cert_info()", CURLE_SSL_CONNECT_ERROR) == - CURLE_OK) { - infof(data, "Server certificate:\n"); - p = cdev; - for(i = 0; i++ < cdec; p++) - switch (p->cert_data_id) { - case CERT_BODY_DER: - cert = p->cert_data_p; - certend = cert + cdev->cert_data_l; - break; - case CERT_DN_PRINTABLE: - infof(data, "\t subject: %.*s\n", p->cert_data_l, p->cert_data_p); - break; - case CERT_ISSUER_DN_PRINTABLE: - infof(data, "\t issuer: %.*s\n", p->cert_data_l, p->cert_data_p); - break; - case CERT_VALID_FROM: - infof(data, "\t start date: %.*s\n", p->cert_data_l, p->cert_data_p); - break; - case CERT_VALID_TO: - infof(data, "\t expire date: %.*s\n", p->cert_data_l, p->cert_data_p); - break; - } - } - - /* Verify host. */ - cc = Curl_verifyhost(conn, cert, certend); - if(cc != CURLE_OK) - return cc; - - /* The only place GSKit can get the whole CA chain is a validation - callback where no user data pointer is available. Therefore it's not - possible to copy this chain into our structures for CAINFO. - However the server certificate may be available, thus we can return - info about it. */ - if(data->set.ssl.certinfo) { - if(Curl_ssl_init_certinfo(data, 1)) - return CURLE_OUT_OF_MEMORY; - if(cert) { - cc = Curl_extract_certinfo(conn, 0, cert, certend); - if(cc != CURLE_OK) - return cc; - } - } - - connssl->connecting_state = ssl_connect_done; - return CURLE_OK; -} - - -static CURLcode gskit_connect_common(struct connectdata * conn, int sockindex, - bool nonblocking, bool * done) -{ - struct SessionHandle * data = conn->data; - struct ssl_connect_data * connssl = &conn->ssl[sockindex]; - long timeout_ms; - Qso_OverlappedIO_t cstat; - CURLcode cc = CURLE_OK; - - *done = connssl->state == ssl_connection_complete; - if(*done) - return CURLE_OK; - - /* Step 1: create session, start handshake. */ - if(connssl->connecting_state == ssl_connect_1) { - /* check allowed time left */ - timeout_ms = Curl_timeleft(data, NULL, TRUE); - - if(timeout_ms < 0) { - /* no need to continue if time already is up */ - failf(data, "SSL connection timeout"); - cc = CURLE_OPERATION_TIMEDOUT; - } - else - cc = gskit_connect_step1(conn, sockindex); - } - - /* Step 2: check if handshake is over. */ - if(cc == CURLE_OK && connssl->connecting_state == ssl_connect_2) { - /* check allowed time left */ - timeout_ms = Curl_timeleft(data, NULL, TRUE); - - if(timeout_ms < 0) { - /* no need to continue if time already is up */ - failf(data, "SSL connection timeout"); - cc = CURLE_OPERATION_TIMEDOUT; - } - else - cc = gskit_connect_step2(conn, sockindex, nonblocking); - } - - /* Step 3: gather certificate info, verify host. */ - if(cc == CURLE_OK && connssl->connecting_state == ssl_connect_3) - cc = gskit_connect_step3(conn, sockindex); - - if(cc != CURLE_OK) - close_one(connssl, data); - else if(connssl->connecting_state == ssl_connect_done) { - connssl->state = ssl_connection_complete; - connssl->connecting_state = ssl_connect_1; - conn->recv[sockindex] = gskit_recv; - conn->send[sockindex] = gskit_send; - *done = TRUE; - } - - return cc; -} - - -CURLcode Curl_gskit_connect_nonblocking(struct connectdata * conn, - int sockindex, - bool * done) -{ - CURLcode cc; - - cc = gskit_connect_common(conn, sockindex, TRUE, done); - if(*done || cc != CURLE_OK) - conn->ssl[sockindex].connecting_state = ssl_connect_1; - return cc; -} - - -CURLcode Curl_gskit_connect(struct connectdata * conn, int sockindex) -{ - CURLcode retcode; - bool done; - - conn->ssl[sockindex].connecting_state = ssl_connect_1; - retcode = gskit_connect_common(conn, sockindex, FALSE, &done); - if(retcode) - return retcode; - - DEBUGASSERT(done); - - return CURLE_OK; -} - - -void Curl_gskit_close(struct connectdata * conn, int sockindex) -{ - struct SessionHandle * data = conn->data; - struct ssl_connect_data * connssl = &conn->ssl[sockindex]; - - if(connssl->use) - close_one(connssl, data); -} - - -int Curl_gskit_close_all(struct SessionHandle * data) -{ - /* Unimplemented. */ - (void) data; - return 0; -} - - -int Curl_gskit_shutdown(struct connectdata * conn, int sockindex) -{ - struct ssl_connect_data * connssl = &conn->ssl[sockindex]; - struct SessionHandle * data = conn->data; - ssize_t nread; - int what; - int rc; - char buf[120]; - - if(!connssl->handle) - return 0; - - if(data->set.ftp_ccc != CURLFTPSSL_CCC_ACTIVE) - return 0; - - close_one(connssl, data); - rc = 0; - what = Curl_socket_ready(conn->sock[sockindex], - CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT); - - for(;;) { - if(what < 0) { - /* anything that gets here is fatally bad */ - failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO); - rc = -1; - break; - } - - if(!what) { /* timeout */ - failf(data, "SSL shutdown timeout"); - break; - } - - /* Something to read, let's do it and hope that it is the close - notify alert from the server. No way to gsk_secure_soc_read() now, so - use read(). */ - - nread = read(conn->sock[sockindex], buf, sizeof(buf)); - - if(nread < 0) { - failf(data, "read: %s", strerror(errno)); - rc = -1; - } - - if(nread <= 0) - break; - - what = Curl_socket_ready(conn->sock[sockindex], CURL_SOCKET_BAD, 0); - } - - return rc; -} - - -size_t Curl_gskit_version(char * buffer, size_t size) -{ - strncpy(buffer, "GSKit", size); - return strlen(buffer); -} - - -int Curl_gskit_check_cxn(struct connectdata * cxn) -{ - int err; - int errlen; - - /* The only thing that can be tested here is at the socket level. */ - - if(!cxn->ssl[FIRSTSOCKET].handle) - return 0; /* connection has been closed */ - - err = 0; - errlen = sizeof err; - - if(getsockopt(cxn->sock[FIRSTSOCKET], SOL_SOCKET, SO_ERROR, - (unsigned char *) &err, &errlen) || - errlen != sizeof err || err) - return 0; /* connection has been closed */ - - return -1; /* connection status unknown */ -} - -#endif /* USE_GSKIT */ |