diff options
author | Johannes Schindelin <johannes.schindelin@gmx.de> | 2017-06-21 12:41:18 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-08-28 14:56:58 +0200 |
commit | d65e6cc4fc9f68da4cbf8788c27714622ef9eead (patch) | |
tree | 83999835de729324d3c447d3b3135835885bc84f /lib/vtls/mbedtls.c | |
parent | 20c6cf7e951e70d4c456bd4171b9f25f04f23a87 (diff) | |
download | curl-d65e6cc4fc9f68da4cbf8788c27714622ef9eead.tar.gz |
vtls: prepare the SSL backends for encapsulated private data
At the moment, cURL's SSL backend needs to be configured at build time.
As such, it is totally okay for them to hard-code their backend-specific
data in the ssl_connect_data struct.
In preparation for making the SSL backend a runtime option, let's make
the access of said private data a bit more abstract so that it can be
adjusted later in an easy manner.
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Diffstat (limited to 'lib/vtls/mbedtls.c')
-rw-r--r-- | lib/vtls/mbedtls.c | 134 |
1 files changed, 70 insertions, 64 deletions
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c index 803932c6f..162374e57 100644 --- a/lib/vtls/mbedtls.c +++ b/lib/vtls/mbedtls.c @@ -61,6 +61,8 @@ #include "curl_memory.h" #include "memdebug.h" +#define BACKEND connssl + /* apply threading? */ #if defined(USE_THREADS_POSIX) || defined(USE_THREADS_WIN32) #define THREADING_SUPPORT @@ -214,9 +216,9 @@ set_ssl_version_min_max(struct connectdata *conn, int sockindex) return result; } - mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3, + mbedtls_ssl_conf_min_version(&BACKEND->config, MBEDTLS_SSL_MAJOR_VERSION_3, mbedtls_ver_min); - mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3, + mbedtls_ssl_conf_max_version(&BACKEND->config, MBEDTLS_SSL_MAJOR_VERSION_3, mbedtls_ver_max); return result; @@ -248,9 +250,9 @@ mbed_connect_step1(struct connectdata *conn, #ifdef THREADING_SUPPORT entropy_init_mutex(&ts_entropy); - mbedtls_ctr_drbg_init(&connssl->ctr_drbg); + mbedtls_ctr_drbg_init(&BACKEND->ctr_drbg); - ret = mbedtls_ctr_drbg_seed(&connssl->ctr_drbg, entropy_func_mutex, + ret = mbedtls_ctr_drbg_seed(&BACKEND->ctr_drbg, entropy_func_mutex, &ts_entropy, NULL, 0); if(ret) { #ifdef MBEDTLS_ERROR_C @@ -260,11 +262,11 @@ mbed_connect_step1(struct connectdata *conn, -ret, errorbuf); } #else - mbedtls_entropy_init(&connssl->entropy); - mbedtls_ctr_drbg_init(&connssl->ctr_drbg); + mbedtls_entropy_init(&BACKEND->entropy); + mbedtls_ctr_drbg_init(&BACKEND->ctr_drbg); - ret = mbedtls_ctr_drbg_seed(&connssl->ctr_drbg, mbedtls_entropy_func, - &connssl->entropy, NULL, 0); + ret = mbedtls_ctr_drbg_seed(&BACKEND->ctr_drbg, mbedtls_entropy_func, + &BACKEND->entropy, NULL, 0); if(ret) { #ifdef MBEDTLS_ERROR_C mbedtls_strerror(ret, errorbuf, sizeof(errorbuf)); @@ -275,10 +277,10 @@ mbed_connect_step1(struct connectdata *conn, #endif /* THREADING_SUPPORT */ /* Load the trusted CA */ - mbedtls_x509_crt_init(&connssl->cacert); + mbedtls_x509_crt_init(&BACKEND->cacert); if(ssl_cafile) { - ret = mbedtls_x509_crt_parse_file(&connssl->cacert, ssl_cafile); + ret = mbedtls_x509_crt_parse_file(&BACKEND->cacert, ssl_cafile); if(ret<0) { #ifdef MBEDTLS_ERROR_C @@ -293,7 +295,7 @@ mbed_connect_step1(struct connectdata *conn, } if(ssl_capath) { - ret = mbedtls_x509_crt_parse_path(&connssl->cacert, ssl_capath); + ret = mbedtls_x509_crt_parse_path(&BACKEND->cacert, ssl_capath); if(ret<0) { #ifdef MBEDTLS_ERROR_C @@ -308,10 +310,10 @@ mbed_connect_step1(struct connectdata *conn, } /* Load the client certificate */ - mbedtls_x509_crt_init(&connssl->clicert); + mbedtls_x509_crt_init(&BACKEND->clicert); if(ssl_cert) { - ret = mbedtls_x509_crt_parse_file(&connssl->clicert, ssl_cert); + ret = mbedtls_x509_crt_parse_file(&BACKEND->clicert, ssl_cert); if(ret) { #ifdef MBEDTLS_ERROR_C @@ -325,12 +327,12 @@ mbed_connect_step1(struct connectdata *conn, } /* Load the client private key */ - mbedtls_pk_init(&connssl->pk); + mbedtls_pk_init(&BACKEND->pk); if(SSL_SET_OPTION(key)) { - ret = mbedtls_pk_parse_keyfile(&connssl->pk, SSL_SET_OPTION(key), + ret = mbedtls_pk_parse_keyfile(&BACKEND->pk, SSL_SET_OPTION(key), SSL_SET_OPTION(key_passwd)); - if(ret == 0 && !mbedtls_pk_can_do(&connssl->pk, MBEDTLS_PK_RSA)) + if(ret == 0 && !mbedtls_pk_can_do(&BACKEND->pk, MBEDTLS_PK_RSA)) ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; if(ret) { @@ -345,10 +347,10 @@ mbed_connect_step1(struct connectdata *conn, } /* Load the CRL */ - mbedtls_x509_crl_init(&connssl->crl); + mbedtls_x509_crl_init(&BACKEND->crl); if(ssl_crlfile) { - ret = mbedtls_x509_crl_parse_file(&connssl->crl, ssl_crlfile); + ret = mbedtls_x509_crl_parse_file(&BACKEND->crl, ssl_crlfile); if(ret) { #ifdef MBEDTLS_ERROR_C @@ -363,14 +365,14 @@ mbed_connect_step1(struct connectdata *conn, infof(data, "mbedTLS: Connecting to %s:%d\n", hostname, port); - mbedtls_ssl_config_init(&connssl->config); + mbedtls_ssl_config_init(&BACKEND->config); - mbedtls_ssl_init(&connssl->ssl); - if(mbedtls_ssl_setup(&connssl->ssl, &connssl->config)) { + mbedtls_ssl_init(&BACKEND->ssl); + if(mbedtls_ssl_setup(&BACKEND->ssl, &BACKEND->config)) { failf(data, "mbedTLS: ssl_init failed"); return CURLE_SSL_CONNECT_ERROR; } - ret = mbedtls_ssl_config_defaults(&connssl->config, + ret = mbedtls_ssl_config_defaults(&BACKEND->config, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); @@ -380,20 +382,20 @@ mbed_connect_step1(struct connectdata *conn, } /* new profile with RSA min key len = 1024 ... */ - mbedtls_ssl_conf_cert_profile(&connssl->config, + mbedtls_ssl_conf_cert_profile(&BACKEND->config, &mbedtls_x509_crt_profile_fr); switch(SSL_CONN_CONFIG(version)) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: - mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3, + mbedtls_ssl_conf_min_version(&BACKEND->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1); infof(data, "mbedTLS: Set min SSL version to TLS 1.0\n"); break; case CURL_SSLVERSION_SSLv3: - mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3, + mbedtls_ssl_conf_min_version(&BACKEND->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0); - mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3, + mbedtls_ssl_conf_max_version(&BACKEND->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0); infof(data, "mbedTLS: Set SSL version to SSLv3\n"); break; @@ -412,25 +414,25 @@ mbed_connect_step1(struct connectdata *conn, return CURLE_SSL_CONNECT_ERROR; } - mbedtls_ssl_conf_authmode(&connssl->config, MBEDTLS_SSL_VERIFY_OPTIONAL); + mbedtls_ssl_conf_authmode(&BACKEND->config, MBEDTLS_SSL_VERIFY_OPTIONAL); - mbedtls_ssl_conf_rng(&connssl->config, mbedtls_ctr_drbg_random, - &connssl->ctr_drbg); - mbedtls_ssl_set_bio(&connssl->ssl, &conn->sock[sockindex], + mbedtls_ssl_conf_rng(&BACKEND->config, mbedtls_ctr_drbg_random, + &BACKEND->ctr_drbg); + mbedtls_ssl_set_bio(&BACKEND->ssl, &conn->sock[sockindex], mbedtls_net_send, mbedtls_net_recv, NULL /* rev_timeout() */); - mbedtls_ssl_conf_ciphersuites(&connssl->config, + mbedtls_ssl_conf_ciphersuites(&BACKEND->config, mbedtls_ssl_list_ciphersuites()); #if defined(MBEDTLS_SSL_RENEGOTIATION) - mbedtls_ssl_conf_renegotiation(&connssl->config, + mbedtls_ssl_conf_renegotiation(&BACKEND->config, MBEDTLS_SSL_RENEGOTIATION_ENABLED); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_conf_session_tickets(&connssl->config, + mbedtls_ssl_conf_session_tickets(&BACKEND->config, MBEDTLS_SSL_SESSION_TICKETS_DISABLED); #endif @@ -440,7 +442,7 @@ mbed_connect_step1(struct connectdata *conn, Curl_ssl_sessionid_lock(conn); if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { - ret = mbedtls_ssl_set_session(&connssl->ssl, old_session); + ret = mbedtls_ssl_set_session(&BACKEND->ssl, old_session); if(ret) { Curl_ssl_sessionid_unlock(conn); failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret); @@ -451,15 +453,15 @@ mbed_connect_step1(struct connectdata *conn, Curl_ssl_sessionid_unlock(conn); } - mbedtls_ssl_conf_ca_chain(&connssl->config, - &connssl->cacert, - &connssl->crl); + mbedtls_ssl_conf_ca_chain(&BACKEND->config, + &BACKEND->cacert, + &BACKEND->crl); if(SSL_SET_OPTION(key)) { - mbedtls_ssl_conf_own_cert(&connssl->config, - &connssl->clicert, &connssl->pk); + mbedtls_ssl_conf_own_cert(&BACKEND->config, + &BACKEND->clicert, &BACKEND->pk); } - if(mbedtls_ssl_set_hostname(&connssl->ssl, hostname)) { + if(mbedtls_ssl_set_hostname(&BACKEND->ssl, hostname)) { /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name to set in the SNI extension. So even if curl connects to a host specified as an IP address, this function must be used. */ @@ -469,7 +471,7 @@ mbed_connect_step1(struct connectdata *conn, #ifdef HAS_ALPN if(conn->bits.tls_enable_alpn) { - const char **p = &connssl->protocols[0]; + const char **p = &BACKEND->protocols[0]; #ifdef USE_NGHTTP2 if(data->set.httpversion >= CURL_HTTP_VERSION_2) *p++ = NGHTTP2_PROTO_VERSION_ID; @@ -478,19 +480,19 @@ mbed_connect_step1(struct connectdata *conn, *p = NULL; /* this function doesn't clone the protocols array, which is why we need to keep it around */ - if(mbedtls_ssl_conf_alpn_protocols(&connssl->config, - &connssl->protocols[0])) { + if(mbedtls_ssl_conf_alpn_protocols(&BACKEND->config, + &BACKEND->protocols[0])) { failf(data, "Failed setting ALPN protocols"); return CURLE_SSL_CONNECT_ERROR; } - for(p = &connssl->protocols[0]; *p; ++p) + for(p = &BACKEND->protocols[0]; *p; ++p) infof(data, "ALPN, offering %s\n", *p); } #endif #ifdef MBEDTLS_DEBUG /* In order to make that work in mbedtls MBEDTLS_DEBUG_C must be defined. */ - mbedtls_ssl_conf_dbg(&connssl->config, mbed_debug, data); + mbedtls_ssl_conf_dbg(&BACKEND->config, mbed_debug, data); /* - 0 No debug * - 1 Error * - 2 State change @@ -502,7 +504,7 @@ mbed_connect_step1(struct connectdata *conn, /* give application a chance to interfere with mbedTLS set up. */ if(data->set.ssl.fsslctx) { - ret = (*data->set.ssl.fsslctx)(data, &connssl->config, + ret = (*data->set.ssl.fsslctx)(data, &BACKEND->config, data->set.ssl.fsslctxp); if(ret) { failf(data, "error signaled by ssl ctx callback"); @@ -537,7 +539,7 @@ mbed_connect_step2(struct connectdata *conn, conn->recv[sockindex] = mbed_recv; conn->send[sockindex] = mbed_send; - ret = mbedtls_ssl_handshake(&connssl->ssl); + ret = mbedtls_ssl_handshake(&BACKEND->ssl); if(ret == MBEDTLS_ERR_SSL_WANT_READ) { connssl->connecting_state = ssl_connect_2_reading; @@ -557,10 +559,10 @@ mbed_connect_step2(struct connectdata *conn, } infof(data, "mbedTLS: Handshake complete, cipher is %s\n", - mbedtls_ssl_get_ciphersuite(&conn->ssl[sockindex].ssl) + mbedtls_ssl_get_ciphersuite(&BACKEND->ssl) ); - ret = mbedtls_ssl_get_verify_result(&conn->ssl[sockindex].ssl); + ret = mbedtls_ssl_get_verify_result(&BACKEND->ssl); if(ret && SSL_CONN_CONFIG(verifypeer)) { if(ret & MBEDTLS_X509_BADCERT_EXPIRED) @@ -580,7 +582,7 @@ mbed_connect_step2(struct connectdata *conn, return CURLE_PEER_FAILED_VERIFICATION; } - peercert = mbedtls_ssl_get_peer_cert(&connssl->ssl); + peercert = mbedtls_ssl_get_peer_cert(&BACKEND->ssl); if(peercert && data->set.verbose) { const size_t bufsize = 16384; @@ -650,7 +652,7 @@ mbed_connect_step2(struct connectdata *conn, #ifdef HAS_ALPN if(conn->bits.tls_enable_alpn) { - next_protocol = mbedtls_ssl_get_alpn_protocol(&connssl->ssl); + next_protocol = mbedtls_ssl_get_alpn_protocol(&BACKEND->ssl); if(next_protocol) { infof(data, "ALPN, server accepted to use %s\n", next_protocol); @@ -700,7 +702,7 @@ mbed_connect_step3(struct connectdata *conn, mbedtls_ssl_session_init(our_ssl_sessionid); - ret = mbedtls_ssl_get_session(&connssl->ssl, our_ssl_sessionid); + ret = mbedtls_ssl_get_session(&BACKEND->ssl, our_ssl_sessionid); if(ret) { free(our_ssl_sessionid); failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret); @@ -730,9 +732,10 @@ static ssize_t mbed_send(struct connectdata *conn, int sockindex, const void *mem, size_t len, CURLcode *curlcode) { + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; int ret = -1; - ret = mbedtls_ssl_write(&conn->ssl[sockindex].ssl, + ret = mbedtls_ssl_write(&BACKEND->ssl, (unsigned char *)mem, len); if(ret < 0) { @@ -751,15 +754,16 @@ static void Curl_mbedtls_close_all(struct Curl_easy *data) static void Curl_mbedtls_close(struct connectdata *conn, int sockindex) { - mbedtls_pk_free(&conn->ssl[sockindex].pk); - mbedtls_x509_crt_free(&conn->ssl[sockindex].clicert); - mbedtls_x509_crt_free(&conn->ssl[sockindex].cacert); - mbedtls_x509_crl_free(&conn->ssl[sockindex].crl); - mbedtls_ssl_config_free(&conn->ssl[sockindex].config); - mbedtls_ssl_free(&conn->ssl[sockindex].ssl); - mbedtls_ctr_drbg_free(&conn->ssl[sockindex].ctr_drbg); + struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + mbedtls_pk_free(&BACKEND->pk); + mbedtls_x509_crt_free(&BACKEND->clicert); + mbedtls_x509_crt_free(&BACKEND->cacert); + mbedtls_x509_crl_free(&BACKEND->crl); + mbedtls_ssl_config_free(&BACKEND->config); + mbedtls_ssl_free(&BACKEND->ssl); + mbedtls_ctr_drbg_free(&BACKEND->ctr_drbg); #ifndef THREADING_SUPPORT - mbedtls_entropy_free(&conn->ssl[sockindex].entropy); + mbedtls_entropy_free(&BACKEND->entropy); #endif /* THREADING_SUPPORT */ } @@ -767,11 +771,12 @@ static ssize_t mbed_recv(struct connectdata *conn, int num, char *buf, size_t buffersize, CURLcode *curlcode) { + struct ssl_connect_data *connssl = &conn->ssl[num]; int ret = -1; ssize_t len = -1; memset(buf, 0, buffersize); - ret = mbedtls_ssl_read(&conn->ssl[num].ssl, (unsigned char *)buf, + ret = mbedtls_ssl_read(&BACKEND->ssl, (unsigned char *)buf, buffersize); if(ret <= 0) { @@ -1001,7 +1006,8 @@ static void Curl_mbedtls_cleanup(void) static bool Curl_mbedtls_data_pending(const struct connectdata *conn, int sockindex) { - return mbedtls_ssl_get_bytes_avail(&conn->ssl[sockindex].ssl) != 0; + const struct ssl_connect_data *connssl = &conn->ssl[sockindex]; + return mbedtls_ssl_get_bytes_avail(&BACKEND->ssl) != 0; } static void Curl_mbedtls_sha256sum(const unsigned char *input, @@ -1016,7 +1022,7 @@ static void *Curl_mbedtls_get_internals(struct ssl_connect_data *connssl, CURLINFO info UNUSED_PARAM) { (void)info; - return &connssl->ssl; + return &BACKEND->ssl; } const struct Curl_ssl Curl_ssl_mbedtls = { |