diff options
| author | Yiming Jing <jingyiming@baidu.com> | 2019-08-01 15:20:30 -0700 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2019-08-06 10:19:17 +0200 |
| commit | 9b5f2ad329c4401c16de2e6d24a54b9d0f5478d7 (patch) | |
| tree | 5563eb43d099ef0de6317d0895bf4973fe214246 | |
| parent | 02346abc32a3995299fa9c2f35b9f0a1d091b045 (diff) | |
| download | curl-9b5f2ad329c4401c16de2e6d24a54b9d0f5478d7.tar.gz | |
mesalink: implement client authentication
Closes #4184
| -rw-r--r-- | lib/vtls/mesalink.c | 62 |
1 files changed, 49 insertions, 13 deletions
diff --git a/lib/vtls/mesalink.c b/lib/vtls/mesalink.c index 7ca4f0eac..9507888bd 100644 --- a/lib/vtls/mesalink.c +++ b/lib/vtls/mesalink.c @@ -73,6 +73,17 @@ struct ssl_backend_data static Curl_recv mesalink_recv; static Curl_send mesalink_send; +static int do_file_type(const char *type) +{ + if(!type || !type[0]) + return SSL_FILETYPE_PEM; + if(strcasecompare(type, "PEM")) + return SSL_FILETYPE_PEM; + if(strcasecompare(type, "DER")) + return SSL_FILETYPE_ASN1; + return -1; +} + /* * This function loads all the client/CA certificates and CRLs. Setup the TLS * layer and do all necessary magic. @@ -83,9 +94,6 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) char *ciphers; struct Curl_easy *data = conn->data; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - const bool verifypeer = SSL_CONN_CONFIG(verifypeer); - const char *const ssl_cafile = SSL_CONN_CONFIG(CAfile); - const char *const ssl_capath = SSL_CONN_CONFIG(CApath); struct in_addr addr4; #ifdef ENABLE_IPV6 struct in6_addr addr6; @@ -142,21 +150,25 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) } SSL_CTX_set_verify( - BACKEND->ctx, verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL); + BACKEND->ctx, SSL_CONN_CONFIG(verifypeer) ? + SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL); - if(ssl_cafile || ssl_capath) { - if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) { - if(verifypeer) { + if(SSL_CONN_CONFIG(CAfile) || SSL_CONN_CONFIG(CApath)) { + if(!SSL_CTX_load_verify_locations(BACKEND->ctx, SSL_CONN_CONFIG(CAfile), + SSL_CONN_CONFIG(CApath))) { + if(SSL_CONN_CONFIG(verifypeer)) { failf(data, "error setting certificate verify locations:\n" " CAfile: %s\n CApath: %s", - ssl_cafile ? ssl_cafile : "none", - ssl_capath ? ssl_capath : "none"); + SSL_CONN_CONFIG(CAfile) ? + SSL_CONN_CONFIG(CAfile) : "none", + SSL_CONN_CONFIG(CApath) ? + SSL_CONN_CONFIG(CApath) : "none"); return CURLE_SSL_CACERT_BADFILE; } infof(data, - "error setting certificate verify locations," - " continuing anyway:\n"); + "error setting certificate verify locations," + " continuing anyway:\n"); } else { infof(data, "successfully set certificate verify locations:\n"); @@ -164,8 +176,32 @@ mesalink_connect_step1(struct connectdata *conn, int sockindex) infof(data, " CAfile: %s\n" " CApath: %s\n", - ssl_cafile ? ssl_cafile : "none", - ssl_capath ? ssl_capath : "none"); + SSL_CONN_CONFIG(CAfile)? + SSL_CONN_CONFIG(CAfile): "none", + SSL_CONN_CONFIG(CApath)? + SSL_CONN_CONFIG(CApath): "none"); + } + + if(SSL_SET_OPTION(cert) && SSL_SET_OPTION(key)) { + int file_type = do_file_type(SSL_SET_OPTION(cert_type)); + + if(SSL_CTX_use_certificate_chain_file(BACKEND->ctx, SSL_SET_OPTION(cert), + file_type) != 1) { + failf(data, "unable to use client certificate (no key or wrong pass" + " phrase?)"); + return CURLE_SSL_CONNECT_ERROR; + } + + file_type = do_file_type(SSL_SET_OPTION(key_type)); + if(SSL_CTX_use_PrivateKey_file(BACKEND->ctx, SSL_SET_OPTION(key), + file_type) != 1) { + failf(data, "unable to set private key"); + return CURLE_SSL_CONNECT_ERROR; + } + infof(data, + "client cert: %s\n", + SSL_CONN_CONFIG(clientcert)? + SSL_CONN_CONFIG(clientcert): "none"); } ciphers = SSL_CONN_CONFIG(cipher_list); |