/* since we only have a plaintext TCP connection here, we must now
* do the TLS stuff */
infof(data, "Doing the SSL/TLS handshake on the data stream\n");
- result = Curl_ssl_connect(conn, SECONDARYSOCKET);
+ result = Curl_ssl_connect(data, conn, SECONDARYSOCKET);
if(result)
return result;
}
if((ftpcode == 234) || (ftpcode == 334)) {
/* Curl_ssl_connect is BLOCKING */
- result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ result = Curl_ssl_connect(data, conn, FIRSTSOCKET);
if(!result) {
conn->bits.ftp_use_data_ssl = FALSE; /* clear-text data */
conn->bits.ftp_use_control_ssl = TRUE; /* SSL on control */
case FTP_CCC:
if(ftpcode < 500) {
/* First shut down the SSL layer (note: this call will block) */
- result = Curl_ssl_shutdown(conn, FIRSTSOCKET);
+ result = Curl_ssl_shutdown(data, conn, FIRSTSOCKET);
if(result)
failf(data, "Failed to clear the command channel (CCC)");
if(conn->handler->flags & PROTOPT_SSL) {
/* BLOCKING */
- result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ result = Curl_ssl_connect(data, conn, FIRSTSOCKET);
if(result)
return result;
conn->bits.ftp_use_control_ssl = TRUE;
if(conn->ssl[SECONDARYSOCKET].use) {
/* The secondary socket is using SSL so we must close down that part
first before we close the socket for real */
- Curl_ssl_close(conn, SECONDARYSOCKET);
+ Curl_ssl_close(data, conn, SECONDARYSOCKET);
/* Note that we keep "use" set to TRUE since that (next) connection is
still requested to use SSL */
static CURLcode gopher_connecting(struct Curl_easy *data, bool *done)
{
struct connectdata *conn = data->conn;
- CURLcode result = Curl_ssl_connect(conn, FIRSTSOCKET);
+ CURLcode result = Curl_ssl_connect(data, conn, FIRSTSOCKET);
if(result)
connclose(conn, "Failed TLS connection");
*done = TRUE;
#endif
/* perform SSL initialization for this socket */
- result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, done);
+ result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET, done);
if(result)
connclose(conn, "Failed HTTPS connection");
if(!conn->bits.proxy_ssl_connected[sockindex]) {
/* perform SSL initialization for this socket */
result =
- Curl_ssl_connect_nonblocking(conn, sockindex,
+ Curl_ssl_connect_nonblocking(conn->data, conn, sockindex,
&conn->bits.proxy_ssl_connected[sockindex]);
if(result)
/* a failed connection is marked for closure to prevent (bad) re-use or
{
/* Start the SSL connection */
struct imap_conn *imapc = &conn->proto.imapc;
- CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET,
+ CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET,
&imapc->ssldone);
if(!result) {
struct imap_conn *imapc = &conn->proto.imapc;
if((conn->handler->flags & PROTOPT_SSL) && !imapc->ssldone) {
- result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &imapc->ssldone);
+ result = Curl_ssl_connect_nonblocking(data, conn,
+ FIRSTSOCKET, &imapc->ssldone);
if(result || !imapc->ssldone)
return result;
}
#ifdef USE_SSL
if(conn->handler->flags & PROTOPT_SSL) {
CURLcode result;
- result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &li->ssldone);
+ result = Curl_ssl_connect_nonblocking(data, conn,
+ FIRSTSOCKET, &li->ssldone);
if(result)
return result;
}
if(conn->handler->flags & PROTOPT_SSL) {
/* Is the SSL handshake complete yet? */
if(!li->ssldone) {
- CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET,
+ CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET,
&li->ssldone);
if(result || !li->ssldone)
return result;
{
/* Start the SSL connection */
struct pop3_conn *pop3c = &conn->proto.pop3c;
- CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET,
+ CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET,
&pop3c->ssldone);
if(!result) {
struct pop3_conn *pop3c = &conn->proto.pop3c;
if((conn->handler->flags & PROTOPT_SSL) && !pop3c->ssldone) {
- result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &pop3c->ssldone);
+ result = Curl_ssl_connect_nonblocking(data, conn,
+ FIRSTSOCKET, &pop3c->ssldone);
if(result || !pop3c->ssldone)
return result;
}
#ifdef USE_SSL
if((conn->handler->flags & PROTOPT_SSL)) {
bool ssl_done = FALSE;
- result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &ssl_done);
+ result = Curl_ssl_connect_nonblocking(data, conn,
+ FIRSTSOCKET, &ssl_done);
if(result && result != CURLE_AGAIN)
return result;
if(!ssl_done)
/* Start the SSL connection */
struct connectdata *conn = data->conn;
struct smtp_conn *smtpc = &conn->proto.smtpc;
- CURLcode result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET,
+ CURLcode result = Curl_ssl_connect_nonblocking(data, conn, FIRSTSOCKET,
&smtpc->ssldone);
if(!result) {
struct smtp_conn *smtpc = &conn->proto.smtpc;
if((conn->handler->flags & PROTOPT_SSL) && !smtpc->ssldone) {
- result = Curl_ssl_connect_nonblocking(conn, FIRSTSOCKET, &smtpc->ssldone);
+ result = Curl_ssl_connect_nonblocking(data, conn,
+ FIRSTSOCKET, &smtpc->ssldone);
if(result || !smtpc->ssldone)
return result;
}
/* close the SSL stuff before we close any sockets since they will/may
write to the sockets */
- Curl_ssl_close(conn, FIRSTSOCKET);
- Curl_ssl_close(conn, SECONDARYSOCKET);
+ Curl_ssl_close(data, conn, FIRSTSOCKET);
+ Curl_ssl_close(data, conn, SECONDARYSOCKET);
/* close possibly still open sockets */
if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
x509_get_pkey
};
-static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
+static CURLcode bearssl_connect_step1(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
if(SSL_SET_OPTION(primary.sessionid)) {
void *session;
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &session, NULL, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, &session, NULL, sockindex)) {
br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
infof(data, "BearSSL: re-using session ID\n");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
if(conn->bits.tls_enable_alpn) {
return CURLE_OK;
}
-static CURLcode bearssl_run_until(struct connectdata *conn, int sockindex,
+static CURLcode bearssl_run_until(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex,
unsigned target)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
curl_socket_t sockfd = conn->sock[sockindex];
}
}
-static CURLcode bearssl_connect_step2(struct connectdata *conn, int sockindex)
+static CURLcode bearssl_connect_step2(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
CURLcode ret;
- ret = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP | BR_SSL_RECVAPP);
+ ret = bearssl_run_until(data, conn, sockindex,
+ BR_SSL_SENDAPP | BR_SSL_RECVAPP);
if(ret == CURLE_AGAIN)
return CURLE_OK;
if(ret == CURLE_OK) {
return ret;
}
-static CURLcode bearssl_connect_step3(struct connectdata *conn, int sockindex)
+static CURLcode bearssl_connect_step3(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
CURLcode ret;
if(!session)
return CURLE_OUT_OF_MEMORY;
br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
- Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &oldsession, NULL, sockindex));
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(data, conn,
+ &oldsession, NULL, sockindex));
if(incache)
- Curl_ssl_delsessionid(conn, oldsession);
- ret = Curl_ssl_addsessionid(conn, session, 0, sockindex);
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_delsessionid(data, oldsession);
+ ret = Curl_ssl_addsessionid(data, conn, session, 0, sockindex);
+ Curl_ssl_sessionid_unlock(data);
if(ret) {
free(session);
return CURLE_OUT_OF_MEMORY;
size_t applen;
for(;;) {
- *err = bearssl_run_until(conn, sockindex, BR_SSL_SENDAPP);
+ *err = bearssl_run_until(data, conn, sockindex, BR_SSL_SENDAPP);
if (*err != CURLE_OK)
return -1;
app = br_ssl_engine_sendapp_buf(&backend->ctx.eng, &applen);
unsigned char *app;
size_t applen;
- *err = bearssl_run_until(conn, sockindex, BR_SSL_RECVAPP);
+ *err = bearssl_run_until(data, conn, sockindex, BR_SSL_RECVAPP);
if(*err != CURLE_OK)
return -1;
app = br_ssl_engine_recvapp_buf(&backend->ctx.eng, &applen);
return applen;
}
-static CURLcode bearssl_connect_common(struct connectdata *conn,
+static CURLcode bearssl_connect_common(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode ret;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
timediff_t timeout_ms;
}
if(ssl_connect_1 == connssl->connecting_state) {
- ret = bearssl_connect_step1(conn, sockindex);
+ ret = bearssl_connect_step1(data, conn, sockindex);
if(ret)
return ret;
}
* before step2 has completed while ensuring that a client using select()
* or epoll() will always have a valid fdset to wait on.
*/
- ret = bearssl_connect_step2(conn, sockindex);
+ ret = bearssl_connect_step2(data, conn, sockindex);
if(ret || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
}
if(ssl_connect_3 == connssl->connecting_state) {
- ret = bearssl_connect_step3(conn, sockindex);
+ ret = bearssl_connect_step3(data, conn, sockindex);
if(ret)
return ret;
}
return CURLE_OK;
}
-static CURLcode bearssl_connect(struct connectdata *conn, int sockindex)
+static CURLcode bearssl_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode ret;
bool done = FALSE;
- ret = bearssl_connect_common(conn, sockindex, FALSE, &done);
+ ret = bearssl_connect_common(data, conn, sockindex, FALSE, &done);
if(ret)
return ret;
return CURLE_OK;
}
-static CURLcode bearssl_connect_nonblocking(struct connectdata *conn,
+static CURLcode bearssl_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex, bool *done)
{
- return bearssl_connect_common(conn, sockindex, TRUE, done);
+ return bearssl_connect_common(data, conn, sockindex, TRUE, done);
}
static void *bearssl_get_internals(struct ssl_connect_data *connssl,
return &backend->ctx;
}
-static void bearssl_close(struct connectdata *conn, int sockindex)
+static void bearssl_close(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
if(backend->active) {
br_ssl_engine_close(&backend->ctx.eng);
- (void)bearssl_run_until(conn, sockindex, BR_SSL_CLOSED);
+ (void)bearssl_run_until(data, conn, sockindex, BR_SSL_CLOSED);
}
for(i = 0; i < backend->anchors_len; ++i)
free(backend->anchors[i].dn.data);
}
-static ssize_t real_gskit_send(struct Curl_easy *data,
- struct connectdata *conn, int sockindex,
- const void *mem, size_t len, CURLcode *curlcode)
+static ssize_t gskit_send(struct connectdata *conn, int sockindex,
+ const void *mem, size_t len, CURLcode *curlcode)
{
+ struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode cc = CURLE_SEND_ERROR;
int written;
return (ssize_t) written; /* number of bytes */
}
-static ssize_t gskit_send(struct connectdata *conn, int sockindex,
- const void *mem, size_t len, CURLcode *curlcode)
-{
- return real_gskit_send(conn->data, conn, sockindex, mem, len, curlcode);
-}
-
-static ssize_t real_gskit_recv(struct Curl_easy *data,
- struct connectdata *conn, int num, char *buf,
+static ssize_t gskit_recv(struct Curl_easy *data, int num, char *buf,
size_t buffersize, CURLcode *curlcode)
{
+ struct connectdata *conn = data->conn;
struct ssl_connect_data *connssl = &conn->ssl[num];
int nread;
CURLcode cc = CURLE_RECV_ERROR;
return (ssize_t) nread;
}
-static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf,
- size_t buffersize, CURLcode *curlcode)
-{
- return real_gskit_recv(conn->data, conn, num, buf, buffersize, curlcode);
-}
-
static CURLcode
set_ssl_version_min_max(unsigned int *protoflags, struct Curl_easy *data)
{
}
-static CURLcode real_gskit_connect_nonblocking(struct Curl_easy *data,
- struct connectdata *conn,
- int sockindex, bool *done)
+static CURLcode gskit_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
+ int sockindex, bool *done)
{
CURLcode result;
return result;
}
-static CURLcode gskit_connect_nonblocking(struct connectdata *conn,
- int sockindex, bool *done)
-{
- return real_gskit_connect_nonblocking(conn->data, conn, sockindex, done);
-}
-
-static CURLcode real_gskit_connect(struct Curl_easy *data,
- struct connectdata *conn, int sockindex)
+static CURLcode gskit_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done;
return CURLE_OK;
}
-static CURLcode gskit_connect(struct connectdata *conn, int sockindex)
-{
- return real_gskit_connect(conn->data, conn, sockindex);
-}
-
-static void real_gskit_close(struct Curl_easy *data, struct connectdata *conn,
- int sockindex)
+static void gskit_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
close_one(&conn->ssl[sockindex], data, conn, sockindex);
close_one(&conn->proxy_ssl[sockindex], data, conn, sockindex);
}
-static void gskit_close(struct connectdata *conn, int sockindex)
-{
- real_gskit_close(conn->data, conn, sockindex);
-}
-
-static int real_gskit_shutdown(struct Curl_easy *data,
- struct connectdata *conn, int sockindex)
+static int gskit_shutdown(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
int what;
return rc;
}
-static int gskit_shutdown(struct connectdata *conn, int sockindex)
-{
- return real_gskit_shutdown(conn->data, conn, sockindex);
-}
-
static size_t gskit_version(char *buffer, size_t size)
{
/* this function does a SSL/TLS (re-)handshake */
-static CURLcode handshake(struct connectdata *conn,
+static CURLcode handshake(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool duringconnect,
bool nonblocking)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
gnutls_session_t session = backend->session;
#define GNUTLS_SRP "+SRP"
static CURLcode
-set_ssl_version_min_max(const char **prioritylist, struct connectdata *conn)
+set_ssl_version_min_max(const char **prioritylist, struct Curl_easy *data)
{
- struct Curl_easy *data = conn->data;
+ struct connectdata *conn = data->conn;
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
}
static CURLcode
-gtls_connect_step1(struct connectdata *conn,
+gtls_connect_step1(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
unsigned int init_flags;
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
- CURLcode result = set_ssl_version_min_max(&prioritylist, conn);
+ CURLcode result = set_ssl_version_min_max(&prioritylist, data);
if(result != CURLE_OK)
return result;
break;
void *ssl_sessionid;
size_t ssl_idsize;
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, &ssl_idsize, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn,
+ &ssl_sessionid, &ssl_idsize, sockindex)) {
/* we got a session id, use it! */
gnutls_session_set_data(session, ssl_sessionid, ssl_idsize);
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
return CURLE_OK;
static Curl_send gtls_send;
static CURLcode
-gtls_connect_step3(struct connectdata *conn,
+gtls_connect_step3(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex)
{
unsigned int cert_list_size;
size_t size;
time_t certclock;
const char *ptr;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
gnutls_session_t session = backend->session;
/* extract session ID to the allocated buffer */
gnutls_session_get_data(session, connect_sessionid, &connect_idsize);
- Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL,
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL,
sockindex));
if(incache) {
/* there was one before in the cache, so instead of risking that the
previous one was rejected, we just kill that and store the new */
- Curl_ssl_delsessionid(conn, ssl_sessionid);
+ Curl_ssl_delsessionid(data, ssl_sessionid);
}
/* store this session id */
- result = Curl_ssl_addsessionid(conn, connect_sessionid, connect_idsize,
- sockindex);
- Curl_ssl_sessionid_unlock(conn);
+ result = Curl_ssl_addsessionid(data, conn, connect_sessionid,
+ connect_idsize, sockindex);
+ Curl_ssl_sessionid_unlock(data);
if(result) {
free(connect_sessionid);
result = CURLE_OUT_OF_MEMORY;
'ssl_connect_2_writing' (waiting to be able to write).
*/
static CURLcode
-gtls_connect_common(struct connectdata *conn,
+gtls_connect_common(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
/* Initiate the connection, if not already done */
if(ssl_connect_1 == connssl->connecting_state) {
- rc = gtls_connect_step1(conn, sockindex);
+ rc = gtls_connect_step1(data, conn, sockindex);
if(rc)
return rc;
}
- rc = handshake(conn, sockindex, TRUE, nonblocking);
+ rc = handshake(data, conn, sockindex, TRUE, nonblocking);
if(rc)
/* handshake() sets its own error message with failf() */
return rc;
/* Finish connecting once the handshake is done */
if(ssl_connect_1 == connssl->connecting_state) {
- rc = gtls_connect_step3(conn, sockindex);
+ rc = gtls_connect_step3(data, conn, sockindex);
if(rc)
return rc;
}
return CURLE_OK;
}
-static CURLcode gtls_connect_nonblocking(struct connectdata *conn,
+static CURLcode gtls_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex, bool *done)
{
- return gtls_connect_common(conn, sockindex, TRUE, done);
+ return gtls_connect_common(data, conn, sockindex, TRUE, done);
}
-static CURLcode gtls_connect(struct connectdata *conn, int sockindex)
+static CURLcode gtls_connect(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
CURLcode result;
bool done = FALSE;
- result = gtls_connect_common(conn, sockindex, FALSE, &done);
+ result = gtls_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
#endif
}
-static void gtls_close(struct connectdata *conn, int sockindex)
+static void gtls_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
+ (void) data;
close_one(&conn->ssl[sockindex]);
#ifndef CURL_DISABLE_PROXY
close_one(&conn->proxy_ssl[sockindex]);
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
-static int gtls_shutdown(struct connectdata *conn, int sockindex)
+static int gtls_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
int retval = 0;
- struct Curl_easy *data = conn->data;
#ifndef CURL_DISABLE_FTP
/* This has only been tested on the proftpd server, and the mod_tls code
if(ret == GNUTLS_E_REHANDSHAKE) {
/* BLOCKING call, this is bad but a work-around for now. Fixing this "the
proper way" takes a whole lot of work. */
- CURLcode result = handshake(conn, num, FALSE, FALSE);
+ CURLcode result = handshake(data, conn, num, FALSE, FALSE);
if(result)
/* handshake() writes error message on its own */
*curlcode = result;
}
if(ret < 0) {
- failf(conn->data, "GnuTLS recv error (%d): %s",
+ failf(data, "GnuTLS recv error (%d): %s",
(int)ret, gnutls_strerror((int)ret));
*curlcode = CURLE_RECV_ERROR;
return rc?CURLE_FAILED_INIT:CURLE_OK;
#elif defined(USE_GNUTLS)
if(data)
- Curl_gtls_seed(data); /* Initiate the seed if not already done */
+ gtls_seed(data); /* Initiate the seed if not already done */
gcry_randomize(entropy, length, GCRY_STRONG_RANDOM);
#endif
return CURLE_OK;
}
static CURLcode
-set_ssl_version_min_max(struct connectdata *conn, int sockindex)
+set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
int mbedtls_ver_min = MBEDTLS_SSL_MINOR_VERSION_1;
}
static CURLcode
-mbed_connect_step1(struct connectdata *conn,
+mbed_connect_step1(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
- CURLcode result = set_ssl_version_min_max(conn, sockindex);
+ CURLcode result = set_ssl_version_min_max(data, conn, sockindex);
if(result != CURLE_OK)
return result;
break;
if(SSL_SET_OPTION(primary.sessionid)) {
void *old_session = NULL;
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, &old_session, NULL, sockindex)) {
ret = mbedtls_ssl_set_session(&backend->ssl, old_session);
if(ret) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
return CURLE_SSL_CONNECT_ERROR;
}
infof(data, "mbedTLS re-using session\n");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
mbedtls_ssl_conf_ca_chain(&backend->config,
}
static CURLcode
-mbed_connect_step2(struct connectdata *conn,
+mbed_connect_step2(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
int ret;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
const mbedtls_x509_crt *peercert;
}
static CURLcode
-mbed_connect_step3(struct connectdata *conn,
+mbed_connect_step3(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode retcode = CURLE_OK;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
- struct Curl_easy *data = conn->data;
DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
}
/* If there's already a matching session in the cache, delete it */
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex))
- Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL, sockindex))
+ Curl_ssl_delsessionid(data, old_ssl_sessionid);
- retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex);
- Curl_ssl_sessionid_unlock(conn);
+ retcode = Curl_ssl_addsessionid(data, conn,
+ our_ssl_sessionid, 0, sockindex);
+ Curl_ssl_sessionid_unlock(data);
if(retcode) {
mbedtls_ssl_session_free(our_ssl_sessionid);
free(our_ssl_sessionid);
(void)data;
}
-static void mbedtls_close(struct connectdata *conn, int sockindex)
+static void mbedtls_close(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
+
+ (void) data;
mbedtls_pk_free(&backend->pk);
mbedtls_x509_crt_free(&backend->clicert);
mbedtls_x509_crt_free(&backend->cacert);
}
static CURLcode
-mbed_connect_common(struct connectdata *conn,
+mbed_connect_common(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode retcode;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
timediff_t timeout_ms;
failf(data, "SSL connection timeout");
return CURLE_OPERATION_TIMEDOUT;
}
- retcode = mbed_connect_step1(conn, sockindex);
+ retcode = mbed_connect_step1(data, conn, sockindex);
if(retcode)
return retcode;
}
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
- retcode = mbed_connect_step2(conn, sockindex);
+ retcode = mbed_connect_step2(data, conn, sockindex);
if(retcode || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
- retcode = mbed_connect_step3(conn, sockindex);
+ retcode = mbed_connect_step3(data, conn, sockindex);
if(retcode)
return retcode;
}
return CURLE_OK;
}
-static CURLcode mbedtls_connect_nonblocking(struct connectdata *conn,
+static CURLcode mbedtls_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex, bool *done)
{
- return mbed_connect_common(conn, sockindex, TRUE, done);
+ return mbed_connect_common(data, conn, sockindex, TRUE, done);
}
-static CURLcode mbedtls_connect(struct connectdata *conn, int sockindex)
+static CURLcode mbedtls_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode retcode;
bool done = FALSE;
- retcode = mbed_connect_common(conn, sockindex, FALSE, &done);
+ retcode = mbed_connect_common(data, conn, sockindex, FALSE, &done);
if(retcode)
return retcode;
* layer and do all necessary magic.
*/
static CURLcode
-mesalink_connect_step1(struct connectdata *conn, int sockindex)
+mesalink_connect_step1(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
char *ciphers;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct in_addr addr4;
#ifdef ENABLE_IPV6
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(
data,
"SSL: SSL_set_session failed: %s",
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
#endif /* MESALINK_HAVE_SESSION */
}
static CURLcode
-mesalink_connect_step2(struct connectdata *conn, int sockindex)
+mesalink_connect_step2(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
int ret = -1;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
conn->recv[sockindex] = mesalink_recv;
our_ssl_sessionid = SSL_get_session(BACKEND->handle);
- Curl_ssl_sessionid_lock(conn);
+ Curl_ssl_sessionid_lock(data);
incache =
- !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex));
+ !(Curl_ssl_getsessionid(data, conn,
+ &old_ssl_sessionid, NULL, sockindex));
if(incache) {
if(old_ssl_sessionid != our_ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
- Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ Curl_ssl_delsessionid(data, old_ssl_sessionid);
incache = FALSE;
}
}
if(!incache) {
result = Curl_ssl_addsessionid(
- conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
+ data, conn, our_ssl_sessionid, 0 /* unknown size */, sockindex);
if(result) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "failed to store ssl session");
return result;
}
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
#endif /* MESALINK_HAVE_SESSION */
}
static void
-Curl_mesalink_close(struct connectdata *conn, int sockindex)
+mesalink_close(struct Curl_easy *data, struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ (void) data;
+
if(BACKEND->handle) {
(void)SSL_shutdown(BACKEND->handle);
SSL_free(BACKEND->handle);
}
static size_t
-Curl_mesalink_version(char *buffer, size_t size)
+mesalink_version(char *buffer, size_t size)
{
return msnprintf(buffer, size, "MesaLink/%s", MESALINK_VERSION_STRING);
}
static int
-Curl_mesalink_init(void)
+mesalink_init(void)
{
return (SSL_library_init() == SSL_SUCCESS);
}
* socket open (CCC - Clear Command Channel)
*/
static int
-Curl_mesalink_shutdown(struct connectdata *conn, int sockindex)
+mesalink_shutdown(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ (void) data;
+
if(BACKEND->handle) {
SSL_free(BACKEND->handle);
BACKEND->handle = NULL;
}
static CURLcode
-mesalink_connect_common(struct connectdata *conn, int sockindex,
- bool nonblocking, bool *done)
+mesalink_connect_common(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex, bool nonblocking, bool *done)
{
CURLcode result;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
timediff_t timeout_ms;
return CURLE_OPERATION_TIMEDOUT;
}
- result = mesalink_connect_step1(conn, sockindex);
+ result = mesalink_connect_step1(data, conn, sockindex);
if(result)
return result;
}
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
- result = mesalink_connect_step2(conn, sockindex);
+ result = mesalink_connect_step2(data, conn, sockindex);
if(result ||
(nonblocking && (ssl_connect_2 == connssl->connecting_state ||
}
static CURLcode
-Curl_mesalink_connect_nonblocking(struct connectdata *conn, int sockindex,
- bool *done)
+mesalink_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex, bool *done)
{
- return mesalink_connect_common(conn, sockindex, TRUE, done);
+ return mesalink_connect_common(data, conn, sockindex, TRUE, done);
}
static CURLcode
-Curl_mesalink_connect(struct connectdata *conn, int sockindex)
+mesalink_connect(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
CURLcode result;
bool done = FALSE;
- result = mesalink_connect_common(conn, sockindex, FALSE, &done);
+ result = mesalink_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
}
static void *
-Curl_mesalink_get_internals(struct ssl_connect_data *connssl,
- CURLINFO info UNUSED_PARAM)
+mesalink_get_internals(struct ssl_connect_data *connssl,
+ CURLINFO info UNUSED_PARAM)
{
(void)info;
return BACKEND->handle;
sizeof(struct ssl_backend_data),
- Curl_mesalink_init, /* init */
- Curl_none_cleanup, /* cleanup */
- Curl_mesalink_version, /* version */
- Curl_none_check_cxn, /* check_cxn */
- Curl_mesalink_shutdown, /* shutdown */
- Curl_none_data_pending, /* data_pending */
- Curl_none_random, /* random */
+ mesalink_init, /* init */
+ Curl_none_cleanup, /* cleanup */
+ mesalink_version, /* version */
+ Curl_none_check_cxn, /* check_cxn */
+ mesalink_shutdown, /* shutdown */
+ Curl_none_data_pending, /* data_pending */
+ Curl_none_random, /* random */
Curl_none_cert_status_request, /* cert_status_request */
- Curl_mesalink_connect, /* connect */
- Curl_mesalink_connect_nonblocking, /* connect_nonblocking */
- Curl_mesalink_get_internals, /* get_internals */
- Curl_mesalink_close, /* close_one */
- Curl_none_close_all, /* close_all */
- Curl_none_session_free, /* session_free */
- Curl_none_set_engine, /* set_engine */
- Curl_none_set_engine_default, /* set_engine_default */
- Curl_none_engines_list, /* engines_list */
- Curl_none_false_start, /* false_start */
- Curl_none_md5sum, /* md5sum */
- NULL /* sha256sum */
+ mesalink_connect, /* connect */
+ mesalink_connect_nonblocking, /* connect_nonblocking */
+ mesalink_get_internals, /* get_internals */
+ mesalink_close, /* close_one */
+ Curl_none_close_all, /* close_all */
+ Curl_none_session_free, /* session_free */
+ Curl_none_set_engine, /* set_engine */
+ Curl_none_set_engine_default, /* set_engine_default */
+ Curl_none_engines_list, /* engines_list */
+ Curl_none_false_start, /* false_start */
+ Curl_none_md5sum, /* md5sum */
+ NULL /* sha256sum */
};
#endif
/* Call PK11_CreateGenericObject() with the given obj_class and filename. If
* the call succeeds, append the object handle to the list of objects so that
- * the object can be destroyed in Curl_nss_close(). */
+ * the object can be destroyed in nss_close(). */
static CURLcode nss_create_object(struct ssl_connect_data *connssl,
CK_OBJECT_CLASS obj_class,
const char *filename, bool cacert)
/* Destroy the NSS object whose handle is given by ptr. This function is
* a callback of Curl_llist_alloc() used by Curl_llist_destroy() to destroy
- * NSS objects in Curl_nss_close() */
+ * NSS objects in nss_close() */
static void nss_destroy_object(void *user, void *ptr)
{
struct ptr_list_wrap *wrap = (struct ptr_list_wrap *) ptr;
return CURLE_SSL_CRL_BADFILE;
}
-static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
- char *key_file)
+static CURLcode nss_load_key(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex, char *key_file)
{
PK11SlotInfo *slot, *tmp;
SECStatus status;
CURLcode result;
struct ssl_connect_data *ssl = conn->ssl;
- struct Curl_easy *data = conn->data;
(void)sockindex; /* unused */
return (SECSuccess == status) ? CURLE_OK : CURLE_SSL_CERTPROBLEM;
}
-static int display_error(struct connectdata *conn, PRInt32 err,
+static int display_error(struct Curl_easy *data, PRInt32 err,
const char *filename)
{
switch(err) {
case SEC_ERROR_BAD_PASSWORD:
- failf(conn->data, "Unable to load client key: Incorrect password");
+ failf(data, "Unable to load client key: Incorrect password");
return 1;
case SEC_ERROR_UNKNOWN_CERT:
- failf(conn->data, "Unable to load certificate %s", filename);
+ failf(data, "Unable to load certificate %s", filename);
return 1;
default:
break;
return 0; /* The caller will print a generic error */
}
-static CURLcode cert_stuff(struct connectdata *conn, int sockindex,
- char *cert_file, char *key_file)
+static CURLcode cert_stuff(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex, char *cert_file, char *key_file)
{
- struct Curl_easy *data = conn->data;
CURLcode result;
if(cert_file) {
result = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
if(result) {
const PRErrorCode err = PR_GetError();
- if(!display_error(conn, err, cert_file)) {
+ if(!display_error(data, err, cert_file)) {
const char *err_name = nss_error_to_name(err);
failf(data, "unable to load client cert: %d (%s)", err, err_name);
}
if(key_file || (is_file(cert_file))) {
if(key_file)
- result = nss_load_key(conn, sockindex, key_file);
+ result = nss_load_key(data, conn, sockindex, key_file);
else
/* In case the cert file also has the key */
- result = nss_load_key(conn, sockindex, cert_file);
+ result = nss_load_key(data, conn, sockindex, cert_file);
if(result) {
const PRErrorCode err = PR_GetError();
- if(!display_error(conn, err, key_file)) {
+ if(!display_error(data, err, key_file)) {
const char *err_name = nss_error_to_name(err);
failf(data, "unable to load client key: %d (%s)", err, err_name);
}
static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
PRBool isServer)
{
- struct connectdata *conn = (struct connectdata *)arg;
+ struct Curl_easy *data = (struct Curl_easy *)arg;
+ struct connectdata *conn = data->conn;
#ifdef SSL_ENABLE_OCSP_STAPLING
if(SSL_CONN_CONFIG(verifystatus)) {
const SECItemArray *csa = SSL_PeerStapledOCSPResponses(fd);
if(!csa) {
- failf(conn->data, "Invalid OCSP response");
+ failf(data, "Invalid OCSP response");
return SECFailure;
}
if(csa->len == 0) {
- failf(conn->data, "No OCSP response received");
+ failf(data, "No OCSP response received");
return SECFailure;
}
);
if(cacheResult != SECSuccess) {
- failf(conn->data, "Invalid OCSP response");
+ failf(data, "Invalid OCSP response");
return cacheResult;
}
}
#endif
if(!SSL_CONN_CONFIG(verifypeer)) {
- infof(conn->data, "skipping SSL peer certificate verification\n");
+ infof(data, "skipping SSL peer certificate verification\n");
return SECSuccess;
}
*/
static void HandshakeCallback(PRFileDesc *sock, void *arg)
{
- struct connectdata *conn = (struct connectdata*) arg;
- struct Curl_easy *data = conn->data;
+ struct Curl_easy *data = (struct Curl_easy *)arg;
+ struct connectdata *conn = data->conn;
unsigned int buflenmax = 50;
unsigned char buf[50];
unsigned int buflen;
!memcmp(ALPN_HTTP_1_1, buf, ALPN_HTTP_1_1_LENGTH)) {
conn->negnpn = CURL_HTTP_VERSION_1_1;
}
- Curl_multiuse_state(conn->data, conn->negnpn == CURL_HTTP_VERSION_2 ?
+ Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
}
}
static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data,
PRBool *canFalseStart)
{
- struct connectdata *conn = client_data;
- struct Curl_easy *data = conn->data;
+ struct Curl_easy *data = (struct Curl_easy *)client_data;
SSLChannelInfo channelInfo;
SSLCipherSuiteInfo cipherInfo;
PR_Free(common_name);
}
-static CURLcode display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
{
CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
SSLChannelInfo channel;
SSLCipherSuiteInfo suite;
CERTCertificate *cert;
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
{
- struct connectdata *conn = (struct connectdata *)arg;
- struct Curl_easy *data = conn->data;
+ struct Curl_easy *data = (struct Curl_easy *)arg;
+ struct connectdata *conn = data->conn;
PRErrorCode err = PR_GetError();
CERTCertificate *cert;
/*
* This function is called when an SSL connection is closed.
*/
-static void nss_close(struct connectdata *conn, int sockindex)
+static void nss_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
#ifndef CURL_DISABLE_PROXY
#endif
struct ssl_backend_data *backend = connssl->backend;
+ (void)data;
if(backend->handle
#ifndef CURL_DISABLE_PROXY
|| connssl_proxy->backend->handle
static Curl_recv nss_recv;
static Curl_send nss_send;
-static CURLcode nss_load_ca_certificates(struct connectdata *conn,
+static CURLcode nss_load_ca_certificates(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex)
{
- struct Curl_easy *data = conn->data;
const char *cafile = SSL_CONN_CONFIG(CAfile);
const char *capath = SSL_CONN_CONFIG(CApath);
bool use_trust_module;
return CURLE_OK;
}
-static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+static CURLcode nss_setup_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
PRFileDesc *model = NULL;
PRFileDesc *nspr_io = NULL;
PRFileDesc *nspr_io_stub = NULL;
PRBool ssl_no_cache;
PRBool ssl_cbc_random_iv;
- struct Curl_easy *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
backend->data = data;
- /* list of all NSS objects we need to destroy in Curl_nss_close() */
+ /* list of all NSS objects we need to destroy in nss_do_close() */
Curl_llist_init(&backend->obj_list, nss_destroy_object);
PR_Lock(nss_initlock);
- result = nss_setup(conn->data);
+ result = nss_setup(data);
if(result) {
PR_Unlock(nss_initlock);
goto error;
/* bypass the default SSL_AuthCertificate() hook in case we do not want to
* verify peer */
- if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, conn) != SECSuccess)
+ if(SSL_AuthCertificateHook(model, nss_auth_cert_hook, data) != SECSuccess)
goto error;
/* not checked yet */
SSL_SET_OPTION_LVALUE(certverifyresult) = 0;
- if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
+ if(SSL_BadCertHook(model, BadCertHandler, data) != SECSuccess)
goto error;
- if(SSL_HandshakeCallback(model, HandshakeCallback, conn) != SECSuccess)
+ if(SSL_HandshakeCallback(model, HandshakeCallback, data) != SECSuccess)
goto error;
{
- const CURLcode rv = nss_load_ca_certificates(conn, sockindex);
+ const CURLcode rv = nss_load_ca_certificates(data, conn, sockindex);
if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer))
/* not a fatal error because we are not going to verify the peer */
infof(data, "warning: CA certificates failed to load\n");
backend->obj_clicert = NULL;
}
else {
- CURLcode rv = cert_stuff(conn, sockindex,
+ CURLcode rv = cert_stuff(data, conn, sockindex,
SSL_SET_OPTION(primary.clientcert),
SSL_SET_OPTION(key));
if(rv) {
goto error;
if(SSL_SetCanFalseStartCallback(backend->handle, CanFalseStartCallback,
- conn) != SECSuccess)
+ data) != SECSuccess)
goto error;
}
#endif
return nss_fail_connect(connssl, data, result);
}
-static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+static CURLcode nss_do_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
- struct Curl_easy *data = conn->data;
CURLcode result = CURLE_SSL_CONNECT_ERROR;
PRUint32 timeout;
goto error;
}
- result = display_conn_info(conn, backend->handle);
+ result = display_conn_info(data, backend->handle);
if(result)
goto error;
return nss_fail_connect(connssl, data, result);
}
-static CURLcode nss_connect_common(struct connectdata *conn, int sockindex,
+static CURLcode nss_connect_common(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex,
bool *done)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
- struct Curl_easy *data = conn->data;
const bool blocking = (done == NULL);
CURLcode result;
}
if(connssl->connecting_state == ssl_connect_1) {
- result = nss_setup_connect(conn, sockindex);
+ result = nss_setup_connect(data, conn, sockindex);
if(result)
/* we do not expect CURLE_AGAIN from nss_setup_connect() */
return result;
if(result)
return result;
- result = nss_do_connect(conn, sockindex);
+ result = nss_do_connect(data, conn, sockindex);
switch(result) {
case CURLE_OK:
break;
return CURLE_OK;
}
-static CURLcode nss_connect(struct connectdata *conn, int sockindex)
+static CURLcode nss_connect(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
- return nss_connect_common(conn, sockindex, /* blocking */ NULL);
+ return nss_connect_common(data, conn, sockindex, /* blocking */ NULL);
}
-static CURLcode nss_connect_nonblocking(struct connectdata *conn,
+static CURLcode nss_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex, bool *done)
{
- return nss_connect_common(conn, sockindex, done);
+ return nss_connect_common(data, conn, sockindex, done);
}
static ssize_t nss_send(struct Curl_easy *data, /* transfer */
infof(data, "SSL write: error %d (%s)\n", err, err_name);
/* print a human-readable message describing the error if available */
- nss_print_error_message(conn->data, err);
+ nss_print_error_message(data, err);
*curlcode = (is_cc_error(err))
? CURLE_SSL_CERTPROBLEM
static ssize_t nss_recv(struct Curl_easy *data, /* transfer */
int sockindex, /* socketindex */
- char *buf, /* store read data here */
- size_t buffersize, /* max amount to read */
+ char *buf, /* store read data here */
+ size_t buffersize, /* max amount to read */
CURLcode *curlcode)
{
struct connectdata *conn = data->conn;
infof(data, "SSL read: errno %d (%s)\n", err, err_name);
/* print a human-readable message describing the error if available */
- nss_print_error_message(conn->data, err);
+ nss_print_error_message(data, err);
*curlcode = (is_cc_error(err))
? CURLE_SSL_CERTPROBLEM
return buf;
}
+/* Return an extra data index for the transfer data.
+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
+ */
+static int ossl_get_ssl_data_index(void)
+{
+ static int ssl_ex_data_data_index = -1;
+ if(ssl_ex_data_data_index < 0) {
+ ssl_ex_data_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+ }
+ return ssl_ex_data_data_index;
+}
+
/* Return an extra data index for the connection data.
* This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
*/
#endif
-static CURLcode ossl_set_engine(struct Curl_easy *data,
- const char *engine);
+static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine);
static int
SSL_CTX_use_certificate_bio(SSL_CTX *ctx, BIO *in, int type,
}
static
-int cert_stuff(struct connectdata *conn,
+int cert_stuff(struct Curl_easy *data,
SSL_CTX* ctx,
char *cert_file,
BIO *cert_bio,
const char *key_type,
char *key_passwd)
{
- struct Curl_easy *data = conn->data;
char error_buffer[256];
bool check_privkey = TRUE;
Curl_tls_keylog_open();
/* Initialize the extra data indexes */
- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
+ if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
+ ossl_get_ssl_sockindex_index() < 0)
return 0;
return 1;
/* Selects an OpenSSL crypto engine
*/
-static CURLcode ossl_set_engine(struct Curl_easy *data,
- const char *engine)
+static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
{
#ifdef USE_OPENSSL_ENGINE
ENGINE *e;
/*
* This function is called when an SSL connection is closed.
*/
-static void ossl_close(struct connectdata *conn, int sockindex)
+static void ossl_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
+ (void) data;
ossl_closeone(&conn->ssl[sockindex]);
#ifndef CURL_DISABLE_PROXY
ossl_closeone(&conn->proxy_ssl[sockindex]);
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
-static int ossl_shutdown(struct connectdata *conn, int sockindex)
+static int ossl_shutdown(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
- struct Curl_easy *data = conn->data;
char buf[256]; /* We will use this for the OpenSSL error buffer, so it has
to be at least 256 bytes long. */
unsigned long sslerror;
in the certificate and must exactly match the IP in the URI.
*/
-static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
+static CURLcode verifyhost(struct Curl_easy *data, struct connectdata *conn,
+ X509 *server_cert)
{
bool matched = FALSE;
int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
size_t addrlen = 0;
- struct Curl_easy *data = conn->data;
STACK_OF(GENERAL_NAME) *altnames;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
-static CURLcode verifystatus(struct connectdata *conn,
+static CURLcode verifystatus(struct Curl_easy *data,
struct ssl_connect_data *connssl)
{
int i, ocsp_status;
unsigned char *status;
const unsigned char *p;
CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
OCSP_RESPONSE *rsp = NULL;
OCSP_BASICRESP *br = NULL;
X509_STORE *st = NULL;
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */
static CURLcode
set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
- struct connectdata *conn, int sockindex)
+ struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
-#if (OPENSSL_VERSION_NUMBER < 0x1000100FL) || !defined(TLS1_3_VERSION)
- /* convoluted #if condition just to avoid compiler warnings on unused
- variable */
- struct Curl_easy *data = conn->data;
-#endif
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
+ (void) data; /* In case it's unused. */
+
switch(ssl_version) {
case CURL_SSLVERSION_TLSv1_3:
#ifdef TLS1_3_VERSION
struct Curl_easy *data;
int sockindex;
curl_socket_t *sockindex_ptr;
+ int data_idx = ossl_get_ssl_data_index();
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
- if(connectdata_idx < 0 || sockindex_idx < 0)
+ if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0)
return 0;
conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
if(!conn)
return 0;
- data = conn->data;
+ data = (struct Curl_easy *) SSL_get_ex_data(ssl, data_idx);
/* The sockindex has been stored as a pointer to an array element */
sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
bool incache;
void *old_ssl_sessionid = NULL;
- Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
sockindex));
if(incache) {
if(old_ssl_sessionid != ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
- Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ Curl_ssl_delsessionid(data, old_ssl_sessionid);
incache = FALSE;
}
}
if(!incache) {
- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
+ if(!Curl_ssl_addsessionid(data, conn, ssl_sessionid,
0 /* unknown size */, sockindex)) {
/* the session has been put into the session cache */
res = 1;
else
failf(data, "failed to store ssl session");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
return res;
}
-static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
+static CURLcode ossl_connect_step1(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result = CURLE_OK;
char *ciphers;
- struct Curl_easy *data = conn->data;
SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
X509_LOOKUP *lookup = NULL;
curl_socket_t sockfd = conn->sock[sockindex];
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
result = set_ssl_version_min_max(backend->ctx, conn);
#else
- result = set_ssl_version_min_max_legacy(&ctx_options, conn, sockindex);
+ result = set_ssl_version_min_max_legacy(&ctx_options, data, conn,
+ sockindex);
#endif
if(result != CURLE_OK)
return result;
result = CURLE_OUT_OF_MEMORY;
}
if(!result &&
- !cert_stuff(conn, backend->ctx,
+ !cert_stuff(data, backend->ctx,
ssl_cert, ssl_cert_bio, ssl_cert_type,
SSL_SET_OPTION(key), ssl_key_bio,
SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd)))
/* Check if there's a cached ID we can/should use here! */
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
+ int data_idx = ossl_get_ssl_data_index();
int connectdata_idx = ossl_get_ssl_conn_index();
int sockindex_idx = ossl_get_ssl_sockindex_index();
- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
+ if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0) {
/* Store the data needed for the "new session" callback.
* The sockindex is stored as a pointer to an array element. */
+ SSL_set_ex_data(backend->handle, data_idx, data);
SSL_set_ex_data(backend->handle, connectdata_idx, conn);
SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
}
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "SSL: SSL_set_session failed: %s",
ossl_strerror(ERR_get_error(), error_buffer,
sizeof(error_buffer)));
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
#ifndef CURL_DISABLE_PROXY
return CURLE_OK;
}
-static CURLcode ossl_connect_step2(struct connectdata *conn, int sockindex)
+static CURLcode ossl_connect_step2(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
- struct Curl_easy *data = conn->data;
int err;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
typedef int numcert_t;
#endif
-static CURLcode get_cert_chain(struct connectdata *conn,
+static CURLcode get_cert_chain(struct Curl_easy *data,
struct ssl_connect_data *connssl)
{
CURLcode result;
STACK_OF(X509) *sk;
int i;
- struct Curl_easy *data = conn->data;
numcert_t numcerts;
BIO *mem;
struct ssl_backend_data *backend = connssl->backend;
* We check certificates to authenticate the server; otherwise we risk
* man-in-the-middle attack.
*/
-static CURLcode servercert(struct connectdata *conn,
+static CURLcode servercert(struct Curl_easy *data,
+ struct connectdata *conn,
struct ssl_connect_data *connssl,
bool strict)
{
CURLcode result = CURLE_OK;
int rc;
long lerr;
- struct Curl_easy *data = conn->data;
X509 *issuer;
BIO *fp = NULL;
char error_buffer[256]="";
if(data->set.ssl.certinfo)
/* we've been asked to gather certificate info! */
- (void)get_cert_chain(conn, connssl);
+ (void)get_cert_chain(data, connssl);
backend->server_cert = SSL_get_peer_certificate(backend->handle);
if(!backend->server_cert) {
BIO_free(mem);
if(SSL_CONN_CONFIG(verifyhost)) {
- result = verifyhost(conn, backend->server_cert);
+ result = verifyhost(data, conn, backend->server_cert);
if(result) {
X509_free(backend->server_cert);
backend->server_cert = NULL;
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_NO_OCSP)
if(SSL_CONN_CONFIG(verifystatus)) {
- result = verifystatus(conn, connssl);
+ result = verifystatus(data, connssl);
if(result) {
X509_free(backend->server_cert);
backend->server_cert = NULL;
return result;
}
-static CURLcode ossl_connect_step3(struct connectdata *conn, int sockindex)
+static CURLcode ossl_connect_step3(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result = CURLE_OK;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
* operations.
*/
- result = servercert(conn, connssl, (SSL_CONN_CONFIG(verifypeer) ||
- SSL_CONN_CONFIG(verifyhost)));
+ result = servercert(data, conn, connssl, (SSL_CONN_CONFIG(verifypeer) ||
+ SSL_CONN_CONFIG(verifyhost)));
if(!result)
connssl->connecting_state = ssl_connect_done;
static Curl_recv ossl_recv;
static Curl_send ossl_send;
-static CURLcode ossl_connect_common(struct connectdata *conn,
+static CURLcode ossl_connect_common(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode result;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
int what;
return CURLE_OPERATION_TIMEDOUT;
}
- result = ossl_connect_step1(conn, sockindex);
+ result = ossl_connect_step1(data, conn, sockindex);
if(result)
return result;
}
* before step2 has completed while ensuring that a client using select()
* or epoll() will always have a valid fdset to wait on.
*/
- result = ossl_connect_step2(conn, sockindex);
+ result = ossl_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
- result = ossl_connect_step3(conn, sockindex);
+ result = ossl_connect_step3(data, conn, sockindex);
if(result)
return result;
}
return CURLE_OK;
}
-static CURLcode ossl_connect_nonblocking(struct connectdata *conn,
+static CURLcode ossl_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool *done)
{
- return ossl_connect_common(conn, sockindex, TRUE, done);
+ return ossl_connect_common(data, conn, sockindex, TRUE, done);
}
-static CURLcode ossl_connect(struct connectdata *conn, int sockindex)
+static CURLcode ossl_connect(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
CURLcode result;
bool done = FALSE;
- result = ossl_connect_common(conn, sockindex, FALSE, &done);
+ result = ossl_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
error_buffer[sizeof(error_buffer) - 1] = '\0';
}
- failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d",
+ failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
error_buffer, sockerr);
*curlcode = CURLE_RECV_ERROR;
return -1;
msnprintf(error_buffer, sizeof(error_buffer),
"Connection closed abruptly");
}
- failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d"
+ failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d"
" (Fatal because this is a curl debug build)",
error_buffer, sockerr);
*curlcode = CURLE_RECV_ERROR;
static Curl_recv schannel_recv;
static Curl_send schannel_send;
-static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex,
+static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex,
const char *pinnedpubkey);
static void InitSecBuffer(SecBuffer *buffer, unsigned long BufType,
}
static CURLcode
-set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct connectdata *conn)
+set_ssl_version_min_max(SCHANNEL_CRED *schannel_cred, struct Curl_easy *data,
+ struct connectdata *conn)
{
- struct Curl_easy *data = conn->data;
long ssl_version = SSL_CONN_CONFIG(version);
long ssl_version_max = SSL_CONN_CONFIG(version_max);
long i = ssl_version;
#endif
static CURLcode
-schannel_connect_step1(struct connectdata *conn, int sockindex)
+schannel_connect_step1(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
ssize_t written = -1;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SecBuffer outbuf;
SecBufferDesc outbuf_desc;
/* check for an existing re-usable credential handle */
if(SSL_SET_OPTION(primary.sessionid)) {
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn,
+ (void **)&old_cred, NULL, sockindex)) {
BACKEND->cred = old_cred;
DEBUGF(infof(data, "schannel: re-using existing credential handle\n"));
"schannel: incremented credential handle refcount = %d\n",
BACKEND->cred->refcount));
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
if(!BACKEND->cred) {
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
- result = set_ssl_version_min_max(&schannel_cred, conn);
+ result = set_ssl_version_min_max(&schannel_cred, data, conn);
if(result != CURLE_OK)
return result;
break;
}
static CURLcode
-schannel_connect_step2(struct connectdata *conn, int sockindex)
+schannel_connect_step2(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
int i;
ssize_t nread = -1, written = -1;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
unsigned char *reallocated_buffer;
SecBuffer outbuf[3];
data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
if(pubkey_ptr) {
- result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
+ result = pkp_pin_peer_pubkey(data, conn, sockindex, pubkey_ptr);
if(result) {
failf(data, "SSL: public key does not match pinned public key!");
return result;
#ifdef HAS_MANUAL_VERIFY_API
if(conn->ssl_config.verifypeer && BACKEND->use_manual_cred_validation) {
- return Curl_verify_certificate(conn, sockindex);
+ return Curl_verify_certificate(data, conn, sockindex);
}
#endif
}
static CURLcode
-schannel_connect_step3(struct connectdata *conn, int sockindex)
+schannel_connect_step3(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
SECURITY_STATUS sspi_status = SEC_E_OK;
CERT_CONTEXT *ccert_context = NULL;
bool incache;
struct Curl_schannel_cred *old_cred = NULL;
- Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL,
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(data, conn, (void **)&old_cred, NULL,
sockindex));
if(incache) {
if(old_cred != BACKEND->cred) {
DEBUGF(infof(data,
"schannel: old credential handle is stale, removing\n"));
/* we're not taking old_cred ownership here, no refcount++ is needed */
- Curl_ssl_delsessionid(conn, (void *)old_cred);
+ Curl_ssl_delsessionid(data, (void *)old_cred);
incache = FALSE;
}
}
if(!incache) {
- result = Curl_ssl_addsessionid(conn, (void *)BACKEND->cred,
+ result = Curl_ssl_addsessionid(data, conn, (void *)BACKEND->cred,
sizeof(struct Curl_schannel_cred),
sockindex);
if(result) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "schannel: failed to store credential handle");
return result;
}
"schannel: stored credential handle in session cache\n"));
}
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
if(data->set.ssl.certinfo) {
}
static CURLcode
-schannel_connect_common(struct connectdata *conn, int sockindex,
- bool nonblocking, bool *done)
+schannel_connect_common(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex, bool nonblocking, bool *done)
{
CURLcode result;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
timediff_t timeout_ms;
return CURLE_OPERATION_TIMEDOUT;
}
- result = schannel_connect_step1(conn, sockindex);
+ result = schannel_connect_step1(data, conn, sockindex);
if(result)
return result;
}
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
- result = schannel_connect_step2(conn, sockindex);
+ result = schannel_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
- result = schannel_connect_step3(conn, sockindex);
+ result = schannel_connect_step3(data, conn, sockindex);
if(result)
return result;
}
infof(data, "schannel: renegotiating SSL/TLS connection\n");
connssl->state = ssl_connection_negotiating;
connssl->connecting_state = ssl_connect_2_writing;
- *err = schannel_connect_common(conn, sockindex, FALSE, &done);
+ *err = schannel_connect_common(data, conn, sockindex, FALSE, &done);
if(*err) {
infof(data, "schannel: renegotiation failed\n");
goto cleanup;
return *err ? -1 : 0;
}
-static CURLcode Curl_schannel_connect_nonblocking(struct connectdata *conn,
- int sockindex, bool *done)
+static CURLcode schannel_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
+ int sockindex, bool *done)
{
- return schannel_connect_common(conn, sockindex, TRUE, done);
+ return schannel_connect_common(data, conn, sockindex, TRUE, done);
}
-static CURLcode Curl_schannel_connect(struct connectdata *conn, int sockindex)
+static CURLcode schannel_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done = FALSE;
- result = schannel_connect_common(conn, sockindex, FALSE, &done);
+ result = schannel_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
return CURLE_OK;
}
-static bool Curl_schannel_data_pending(const struct connectdata *conn,
- int sockindex)
+static bool schannel_data_pending(const struct connectdata *conn,
+ int sockindex)
{
const struct ssl_connect_data *connssl = &conn->ssl[sockindex];
return FALSE;
}
-static void Curl_schannel_close(struct connectdata *conn, int sockindex)
+static void schannel_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
if(conn->ssl[sockindex].use)
/* if the SSL/TLS channel hasn't been shut down yet, do that now. */
- Curl_ssl_shutdown(conn, sockindex);
+ Curl_ssl_shutdown(data, conn, sockindex);
}
-static void Curl_schannel_session_free(void *ptr)
+static void schannel_session_free(void *ptr)
{
/* this is expected to be called under sessionid lock */
struct Curl_schannel_cred *cred = ptr;
}
}
-static int Curl_schannel_shutdown(struct connectdata *conn, int sockindex)
+static int schannel_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
/* See https://msdn.microsoft.com/en-us/library/windows/desktop/aa380138.aspx
* Shutting Down an Schannel Connection
*/
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
#ifndef CURL_DISABLE_PROXY
char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
/* free SSPI Schannel API credential handle */
if(BACKEND->cred) {
- /*
- * When this function is called from Curl_schannel_close() the connection
- * might not have an associated transfer so the check for conn->data is
- * necessary.
- */
- Curl_ssl_sessionid_lock(conn);
- Curl_schannel_session_free(BACKEND->cred);
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_lock(data);
+ schannel_session_free(BACKEND->cred);
+ Curl_ssl_sessionid_unlock(data);
BACKEND->cred = NULL;
}
return CURLE_OK;
}
-static int Curl_schannel_init(void)
+static int schannel_init(void)
{
return (Curl_sspi_global_init() == CURLE_OK ? 1 : 0);
}
-static void Curl_schannel_cleanup(void)
+static void schannel_cleanup(void)
{
Curl_sspi_global_cleanup();
}
-static size_t Curl_schannel_version(char *buffer, size_t size)
+static size_t schannel_version(char *buffer, size_t size)
{
size = msnprintf(buffer, size, "Schannel");
return size;
}
-static CURLcode Curl_schannel_random(struct Curl_easy *data UNUSED_PARAM,
- unsigned char *entropy, size_t length)
+static CURLcode schannel_random(struct Curl_easy *data UNUSED_PARAM,
+ unsigned char *entropy, size_t length)
{
HCRYPTPROV hCryptProv = 0;
return CURLE_OK;
}
-static CURLcode pkp_pin_peer_pubkey(struct connectdata *conn, int sockindex,
+static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex,
const char *pinnedpubkey)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CERT_CONTEXT *pCertContextServer = NULL;
return result;
}
-static void Curl_schannel_checksum(const unsigned char *input,
- size_t inputlen,
- unsigned char *checksum,
- size_t checksumlen,
- DWORD provType,
- const unsigned int algId)
+static void schannel_checksum(const unsigned char *input,
+ size_t inputlen,
+ unsigned char *checksum,
+ size_t checksumlen,
+ DWORD provType,
+ const unsigned int algId)
{
HCRYPTPROV hProv = 0;
HCRYPTHASH hHash = 0;
CryptReleaseContext(hProv, 0);
}
-static CURLcode Curl_schannel_md5sum(unsigned char *input,
- size_t inputlen,
- unsigned char *md5sum,
- size_t md5len)
+static CURLcode schannel_md5sum(unsigned char *input,
+ size_t inputlen,
+ unsigned char *md5sum,
+ size_t md5len)
{
- Curl_schannel_checksum(input, inputlen, md5sum, md5len,
- PROV_RSA_FULL, CALG_MD5);
+ schannel_checksum(input, inputlen, md5sum, md5len, PROV_RSA_FULL, CALG_MD5);
return CURLE_OK;
}
-static CURLcode Curl_schannel_sha256sum(const unsigned char *input,
- size_t inputlen,
- unsigned char *sha256sum,
- size_t sha256len)
+static CURLcode schannel_sha256sum(const unsigned char *input,
+ size_t inputlen,
+ unsigned char *sha256sum,
+ size_t sha256len)
{
- Curl_schannel_checksum(input, inputlen, sha256sum, sha256len,
- PROV_RSA_AES, CALG_SHA_256);
+ schannel_checksum(input, inputlen, sha256sum, sha256len,
+ PROV_RSA_AES, CALG_SHA_256);
return CURLE_OK;
}
-static void *Curl_schannel_get_internals(struct ssl_connect_data *connssl,
- CURLINFO info UNUSED_PARAM)
+static void *schannel_get_internals(struct ssl_connect_data *connssl,
+ CURLINFO info UNUSED_PARAM)
{
(void)info;
return &BACKEND->ctxt->ctxt_handle;
sizeof(struct ssl_backend_data),
- Curl_schannel_init, /* init */
- Curl_schannel_cleanup, /* cleanup */
- Curl_schannel_version, /* version */
+ schannel_init, /* init */
+ schannel_cleanup, /* cleanup */
+ schannel_version, /* version */
Curl_none_check_cxn, /* check_cxn */
- Curl_schannel_shutdown, /* shutdown */
- Curl_schannel_data_pending, /* data_pending */
- Curl_schannel_random, /* random */
+ schannel_shutdown, /* shutdown */
+ schannel_data_pending, /* data_pending */
+ schannel_random, /* random */
Curl_none_cert_status_request, /* cert_status_request */
- Curl_schannel_connect, /* connect */
- Curl_schannel_connect_nonblocking, /* connect_nonblocking */
- Curl_schannel_get_internals, /* get_internals */
- Curl_schannel_close, /* close_one */
+ schannel_connect, /* connect */
+ schannel_connect_nonblocking, /* connect_nonblocking */
+ schannel_get_internals, /* get_internals */
+ schannel_close, /* close_one */
Curl_none_close_all, /* close_all */
- Curl_schannel_session_free, /* session_free */
+ schannel_session_free, /* session_free */
Curl_none_set_engine, /* set_engine */
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
Curl_none_false_start, /* false_start */
- Curl_schannel_md5sum, /* md5sum */
- Curl_schannel_sha256sum /* sha256sum */
+ schannel_md5sum, /* md5sum */
+ schannel_sha256sum /* sha256sum */
};
#endif /* USE_SCHANNEL */
* \___|\___/|_| \_\_____|
*
* Copyright (C) 2012, Marc Hoersken, <info@marc-hoersken.de>, et al.
- * Copyright (C) 2012 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 2012 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
extern const struct Curl_ssl Curl_ssl_schannel;
-CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex);
+CURLcode Curl_verify_certificate(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex);
/* structs to expose only in schannel.c and schannel_verify.c */
#ifdef EXPOSE_SCHANNEL_INTERNAL_STRUCTS
static CURLcode add_certs_to_store(HCERTSTORE trust_store,
const char *ca_file,
- struct connectdata *conn)
+ struct Curl_easy *data)
{
CURLcode result;
- struct Curl_easy *data = conn->data;
HANDLE ca_file_handle = INVALID_HANDLE_VALUE;
LARGE_INTEGER file_size;
char *ca_file_buffer = NULL;
return result;
}
-CURLcode Curl_verify_certificate(struct connectdata *conn, int sockindex)
+CURLcode Curl_verify_certificate(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
SECURITY_STATUS sspi_status;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode result = CURLE_OK;
CERT_CONTEXT *pCertContextServer = NULL;
}
else {
result = add_certs_to_store(trust_store, SSL_CONN_CONFIG(CAfile),
- conn);
+ data);
}
}
if(result == CURLE_OK) {
if(SSL_CONN_CONFIG(verifyhost)) {
- result = verify_host(conn->data, pCertContextServer, conn_hostname);
+ result = verify_host(data, pCertContextServer, conn_hostname);
}
}
#endif
static CURLcode
-set_ssl_version_min_max(struct connectdata *conn, int sockindex)
+set_ssl_version_min_max(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
long ssl_version = SSL_CONN_CONFIG(version);
}
-static CURLcode sectransp_connect_step1(struct connectdata *conn,
+static CURLcode sectransp_connect_step1(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex)
{
- struct Curl_easy *data = conn->data;
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
- CURLcode result = set_ssl_version_min_max(conn, sockindex);
+ CURLcode result = set_ssl_version_min_max(data, conn, sockindex);
if(result != CURLE_OK)
return result;
break;
case CURL_SSLVERSION_TLSv1_2:
case CURL_SSLVERSION_TLSv1_3:
{
- CURLcode result = set_ssl_version_min_max(conn, sockindex);
+ CURLcode result = set_ssl_version_min_max(data, conn, sockindex);
if(result != CURLE_OK)
return result;
break;
char *ssl_sessionid;
size_t ssl_sessionid_len;
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, (void **)&ssl_sessionid,
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, (void **)&ssl_sessionid,
&ssl_sessionid_len, sockindex)) {
/* we got a session id, use it! */
err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
if(err != noErr) {
failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err);
return CURLE_SSL_CONNECT_ERROR;
err = SSLSetPeerID(backend->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
if(err != noErr) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "SSL: SSLSetPeerID() failed: OSStatus %d", err);
return CURLE_SSL_CONNECT_ERROR;
}
- result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
- sockindex);
- Curl_ssl_sessionid_unlock(conn);
+ result = Curl_ssl_addsessionid(data, conn, ssl_sessionid,
+ ssl_sessionid_len, sockindex);
+ Curl_ssl_sessionid_unlock(data);
if(result) {
failf(data, "failed to store ssl session");
return result;
#endif /* SECTRANSP_PINNEDPUBKEY */
static CURLcode
-sectransp_connect_step2(struct connectdata *conn, int sockindex)
+sectransp_connect_step2(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
OSStatus err;
return result;
}
/* the documentation says we need to call SSLHandshake() again */
- return sectransp_connect_step2(conn, sockindex);
+ return sectransp_connect_step2(data, conn, sockindex);
/* Problem with encrypt / decrypt */
case errSSLPeerDecodeError:
#ifndef CURL_DISABLE_VERBOSE_STRINGS
/* This should be called during step3 of the connection at the earliest */
static void
-show_verbose_server_cert(struct connectdata *conn,
+show_verbose_server_cert(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
CFArrayRef server_certs = NULL;
#endif /* !CURL_DISABLE_VERBOSE_STRINGS */
static CURLcode
-sectransp_connect_step3(struct connectdata *conn,
+sectransp_connect_step3(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
/* There is no step 3!
* server certificates. */
#ifndef CURL_DISABLE_VERBOSE_STRINGS
if(data->set.verbose)
- show_verbose_server_cert(conn, sockindex);
+ show_verbose_server_cert(data, conn, sockindex);
#endif
connssl->connecting_state = ssl_connect_done;
static Curl_send sectransp_send;
static CURLcode
-sectransp_connect_common(struct connectdata *conn,
+sectransp_connect_common(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode result;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
int what;
return CURLE_OPERATION_TIMEDOUT;
}
- result = sectransp_connect_step1(conn, sockindex);
+ result = sectransp_connect_step1(data, conn, sockindex);
if(result)
return result;
}
* before step2 has completed while ensuring that a client using select()
* or epoll() will always have a valid fdset to wait on.
*/
- result = sectransp_connect_step2(conn, sockindex);
+ result = sectransp_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
if(ssl_connect_3 == connssl->connecting_state) {
- result = sectransp_connect_step3(conn, sockindex);
+ result = sectransp_connect_step3(data, conn, sockindex);
if(result)
return result;
}
return CURLE_OK;
}
-static CURLcode Curl_sectransp_connect_nonblocking(struct connectdata *conn,
- int sockindex, bool *done)
+static CURLcode sectransp_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
+ int sockindex, bool *done)
{
- return sectransp_connect_common(conn, sockindex, TRUE, done);
+ return sectransp_connect_common(data, conn, sockindex, TRUE, done);
}
-static CURLcode Curl_sectransp_connect(struct connectdata *conn, int sockindex)
+static CURLcode sectransp_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done = FALSE;
- result = sectransp_connect_common(conn, sockindex, FALSE, &done);
+ result = sectransp_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
return CURLE_OK;
}
-static void Curl_sectransp_close(struct connectdata *conn, int sockindex)
+static void sectransp_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
+ (void) data;
+
if(backend->ssl_ctx) {
(void)SSLClose(backend->ssl_ctx);
#if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS
backend->ssl_sockfd = 0;
}
-static int Curl_sectransp_shutdown(struct connectdata *conn, int sockindex)
+static int sectransp_shutdown(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
- struct Curl_easy *data = conn->data;
ssize_t nread;
int what;
int rc;
return 0;
#endif
- Curl_sectransp_close(conn, sockindex);
+ sectransp_close(data, conn, sockindex);
rc = 0;
return rc;
}
-static void Curl_sectransp_session_free(void *ptr)
+static void sectransp_session_free(void *ptr)
{
/* ST, as of iOS 5 and Mountain Lion, has no public method of deleting a
cached session ID inside the Security framework. There is a private
Curl_safefree(ptr);
}
-static size_t Curl_sectransp_version(char *buffer, size_t size)
+static size_t sectransp_version(char *buffer, size_t size)
{
return msnprintf(buffer, size, "SecureTransport");
}
* 0 means the connection has been closed
* -1 means the connection status is unknown
*/
-static int Curl_sectransp_check_cxn(struct connectdata *conn)
+static int sectransp_check_cxn(struct connectdata *conn)
{
struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET];
struct ssl_backend_data *backend = connssl->backend;
return 0;
}
-static bool Curl_sectransp_data_pending(const struct connectdata *conn,
- int connindex)
+static bool sectransp_data_pending(const struct connectdata *conn,
+ int connindex)
{
const struct ssl_connect_data *connssl = &conn->ssl[connindex];
struct ssl_backend_data *backend = connssl->backend;
return false;
}
-static CURLcode Curl_sectransp_random(struct Curl_easy *data UNUSED_PARAM,
- unsigned char *entropy, size_t length)
+static CURLcode sectransp_random(struct Curl_easy *data UNUSED_PARAM,
+ unsigned char *entropy, size_t length)
{
/* arc4random_buf() isn't available on cats older than Lion, so let's
do this manually for the benefit of the older cats. */
return CURLE_OK;
}
-static CURLcode Curl_sectransp_md5sum(unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *md5sum, /* output */
- size_t md5len)
+static CURLcode sectransp_md5sum(unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *md5sum, /* output */
+ size_t md5len)
{
(void)md5len;
(void)CC_MD5(tmp, (CC_LONG)tmplen, md5sum);
return CURLE_OK;
}
-static CURLcode Curl_sectransp_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum, /* output */
- size_t sha256len)
+static CURLcode sectransp_sha256sum(const unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *sha256sum, /* output */
+ size_t sha256len)
{
assert(sha256len >= CURL_SHA256_DIGEST_LENGTH);
(void)CC_SHA256(tmp, (CC_LONG)tmplen, sha256sum);
return CURLE_OK;
}
-static bool Curl_sectransp_false_start(void)
+static bool sectransp_false_start(void)
{
#if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7
if(SSLSetSessionOption != NULL)
*curlcode = CURLE_AGAIN;
return -1L;
default:
- failf(conn->data, "SSLWrite() returned error %d", err);
+ failf(data, "SSLWrite() returned error %d", err);
*curlcode = CURLE_SEND_ERROR;
return -1L;
}
Leopard's headers */
case -9841:
if(SSL_CONN_CONFIG(CAfile) && SSL_CONN_CONFIG(verifypeer)) {
- CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), conn->data,
+ CURLcode result = verify_cert(SSL_CONN_CONFIG(CAfile), data,
backend->ssl_ctx);
if(result)
return result;
return (ssize_t)processed;
}
-static void *Curl_sectransp_get_internals(struct ssl_connect_data *connssl,
- CURLINFO info UNUSED_PARAM)
+static void *sectransp_get_internals(struct ssl_connect_data *connssl,
+ CURLINFO info UNUSED_PARAM)
{
struct ssl_backend_data *backend = connssl->backend;
(void)info;
Curl_none_init, /* init */
Curl_none_cleanup, /* cleanup */
- Curl_sectransp_version, /* version */
- Curl_sectransp_check_cxn, /* check_cxn */
- Curl_sectransp_shutdown, /* shutdown */
- Curl_sectransp_data_pending, /* data_pending */
- Curl_sectransp_random, /* random */
+ sectransp_version, /* version */
+ sectransp_check_cxn, /* check_cxn */
+ sectransp_shutdown, /* shutdown */
+ sectransp_data_pending, /* data_pending */
+ sectransp_random, /* random */
Curl_none_cert_status_request, /* cert_status_request */
- Curl_sectransp_connect, /* connect */
- Curl_sectransp_connect_nonblocking, /* connect_nonblocking */
- Curl_sectransp_get_internals, /* get_internals */
- Curl_sectransp_close, /* close_one */
+ sectransp_connect, /* connect */
+ sectransp_connect_nonblocking, /* connect_nonblocking */
+ sectransp_get_internals, /* get_internals */
+ sectransp_close, /* close_one */
Curl_none_close_all, /* close_all */
- Curl_sectransp_session_free, /* session_free */
+ sectransp_session_free, /* session_free */
Curl_none_set_engine, /* set_engine */
Curl_none_set_engine_default, /* set_engine_default */
Curl_none_engines_list, /* engines_list */
- Curl_sectransp_false_start, /* false_start */
- Curl_sectransp_md5sum, /* md5sum */
- Curl_sectransp_sha256sum /* sha256sum */
+ sectransp_false_start, /* false_start */
+ sectransp_md5sum, /* md5sum */
+ sectransp_sha256sum /* sha256sum */
};
#ifdef __clang__
#endif
CURLcode
-Curl_ssl_connect(struct connectdata *conn, int sockindex)
+Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
CURLcode result;
}
#endif
- if(!ssl_prefs_check(conn->data))
+ if(!ssl_prefs_check(data))
return CURLE_SSL_CONNECT_ERROR;
/* mark this is being ssl-enabled from here on. */
conn->ssl[sockindex].use = TRUE;
conn->ssl[sockindex].state = ssl_connection_negotiating;
- result = Curl_ssl->connect_blocking(conn, sockindex);
+ result = Curl_ssl->connect_blocking(data, conn, sockindex);
if(!result)
- Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */
+ Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
return result;
}
CURLcode
-Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex,
- bool *done)
+Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex, bool *done)
{
CURLcode result;
+
#ifndef CURL_DISABLE_PROXY
if(conn->bits.proxy_ssl_connected[sockindex]) {
result = ssl_connect_init_proxy(conn, sockindex);
return result;
}
#endif
- if(!ssl_prefs_check(conn->data))
+ if(!ssl_prefs_check(data))
return CURLE_SSL_CONNECT_ERROR;
/* mark this is being ssl requested from here on. */
conn->ssl[sockindex].use = TRUE;
- result = Curl_ssl->connect_nonblocking(conn, sockindex, done);
+ result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
if(!result && *done)
- Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */
+ Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
return result;
}
/*
* Lock shared SSL session data
*/
-void Curl_ssl_sessionid_lock(struct connectdata *conn)
+void Curl_ssl_sessionid_lock(struct Curl_easy *data)
{
- if(SSLSESSION_SHARED(conn->data))
- Curl_share_lock(conn->data,
- CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
+ if(SSLSESSION_SHARED(data))
+ Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
}
/*
* Unlock shared SSL session data
*/
-void Curl_ssl_sessionid_unlock(struct connectdata *conn)
+void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
{
- if(SSLSESSION_SHARED(conn->data))
- Curl_share_unlock(conn->data, CURL_LOCK_DATA_SSL_SESSION);
+ if(SSLSESSION_SHARED(data))
+ Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
}
/*
* Check if there's a session ID for the given connection in the cache, and if
* there's one suitable, it is provided. Returns TRUE when no entry matched.
*/
-bool Curl_ssl_getsessionid(struct connectdata *conn,
+bool Curl_ssl_getsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
void **ssl_sessionid,
size_t *idsize, /* set 0 if unknown */
int sockindex)
{
struct Curl_ssl_session *check;
- struct Curl_easy *data = conn->data;
size_t i;
long *general_age;
bool no_match = TRUE;
/*
* Delete the given session ID from the cache.
*/
-void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
+void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
{
size_t i;
- struct Curl_easy *data = conn->data;
for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
struct Curl_ssl_session *check = &data->state.session[i];
* layer. Curl_XXXX_session_free() will be called to free/kill the session ID
* later on.
*/
-CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
void *ssl_sessionid,
size_t idsize,
int sockindex)
{
size_t i;
- struct Curl_easy *data = conn->data; /* the mother of all structs */
struct Curl_ssl_session *store = &data->state.session[0];
long oldest_age = data->state.session[0].age; /* zero if unused */
char *clone_host;
/* USE_OPENSSL || USE_GNUTLS || USE_SCHANNEL || USE_SECTRANSP || USE_NSS */
#endif
-void Curl_ssl_close(struct connectdata *conn, int sockindex)
+void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
DEBUGASSERT((sockindex <= 1) && (sockindex >= -1));
- Curl_ssl->close_one(conn, sockindex);
+ Curl_ssl->close_one(data, conn, sockindex);
conn->ssl[sockindex].state = ssl_connection_none;
}
-CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
+CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
- if(Curl_ssl->shut_down(conn, sockindex))
+ if(Curl_ssl->shut_down(data, conn, sockindex))
return CURLE_SSL_SHUTDOWN_FAILED;
conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */
void Curl_none_cleanup(void)
{ }
-int Curl_none_shutdown(struct connectdata *conn UNUSED_PARAM,
+int Curl_none_shutdown(struct Curl_easy *data UNUSED_PARAM,
+ struct connectdata *conn UNUSED_PARAM,
int sockindex UNUSED_PARAM)
{
+ (void)data;
(void)conn;
(void)sockindex;
return 0;
return Curl_ssl->init();
}
-static CURLcode multissl_connect(struct connectdata *conn, int sockindex)
+static CURLcode multissl_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
if(multissl_setup(NULL))
return CURLE_FAILED_INIT;
- return Curl_ssl->connect_blocking(conn, sockindex);
+ return Curl_ssl->connect_blocking(data, conn, sockindex);
}
-static CURLcode multissl_connect_nonblocking(struct connectdata *conn,
+static CURLcode multissl_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex, bool *done)
{
if(multissl_setup(NULL))
return CURLE_FAILED_INIT;
- return Curl_ssl->connect_nonblocking(conn, sockindex, done);
+ return Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
}
static void *multissl_get_internals(struct ssl_connect_data *connssl,
return Curl_ssl->get_internals(connssl, info);
}
-static void multissl_close(struct connectdata *conn, int sockindex)
+static void multissl_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
if(multissl_setup(NULL))
return;
- Curl_ssl->close_one(conn, sockindex);
+ Curl_ssl->close_one(data, conn, sockindex);
}
static const struct Curl_ssl Curl_ssl_multi = {
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
size_t (*version)(char *buffer, size_t size);
int (*check_cxn)(struct connectdata *cxn);
- int (*shut_down)(struct connectdata *conn, int sockindex);
+ int (*shut_down)(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex);
bool (*data_pending)(const struct connectdata *conn,
int connindex);
size_t length);
bool (*cert_status_request)(void);
- CURLcode (*connect_blocking)(struct connectdata *conn, int sockindex);
- CURLcode (*connect_nonblocking)(struct connectdata *conn, int sockindex,
+ CURLcode (*connect_blocking)(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex);
+ CURLcode (*connect_nonblocking)(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex,
bool *done);
void *(*get_internals)(struct ssl_connect_data *connssl, CURLINFO info);
- void (*close_one)(struct connectdata *conn, int sockindex);
+ void (*close_one)(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex);
void (*close_all)(struct Curl_easy *data);
void (*session_free)(void *ptr);
int Curl_none_init(void);
void Curl_none_cleanup(void);
-int Curl_none_shutdown(struct connectdata *conn, int sockindex);
+int Curl_none_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex);
int Curl_none_check_cxn(struct connectdata *conn);
CURLcode Curl_none_random(struct Curl_easy *data, unsigned char *entropy,
size_t length);
#ifdef USE_SSL
int Curl_ssl_init(void);
void Curl_ssl_cleanup(void);
-CURLcode Curl_ssl_connect(struct connectdata *conn, int sockindex);
-CURLcode Curl_ssl_connect_nonblocking(struct connectdata *conn,
+CURLcode Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex);
+CURLcode Curl_ssl_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool *done);
/* tell the SSL stuff to close down all open information regarding
connections (and thus session ID caching etc) */
void Curl_ssl_close_all(struct Curl_easy *data);
-void Curl_ssl_close(struct connectdata *conn, int sockindex);
-CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex);
+void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex);
+CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex);
CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine);
/* Sets engine as default for all SSL operations */
CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data);
* The purpose of explicitly locking SSL session cache data is to allow
* individual SSL engines to manage session lifetime in their specific way.
*/
-void Curl_ssl_sessionid_lock(struct connectdata *conn);
+void Curl_ssl_sessionid_lock(struct Curl_easy *data);
/* Unlock session cache mutex */
-void Curl_ssl_sessionid_unlock(struct connectdata *conn);
+void Curl_ssl_sessionid_unlock(struct Curl_easy *data);
/* extract a session ID
* Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
* is properly taken (e.g. its refcount is incremented
* under sessionid mutex).
*/
-bool Curl_ssl_getsessionid(struct connectdata *conn,
+bool Curl_ssl_getsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
void **ssl_sessionid,
size_t *idsize, /* set 0 if unknown */
int sockindex);
* Caller must ensure that it has properly shared ownership of this sessionid
* object with cache (e.g. incrementing refcount on success)
*/
-CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
+CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
+ struct connectdata *conn,
void *ssl_sessionid,
size_t idsize,
int sockindex);
* take sessionid object ownership from sessionid cache
* (e.g. decrement refcount).
*/
-void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid);
+void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid);
/* get N random bytes into the buffer */
CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer,
/* When SSL support is not present, just define away these function calls */
#define Curl_ssl_init() 1
#define Curl_ssl_cleanup() Curl_nop_stmt
-#define Curl_ssl_connect(x,y) CURLE_NOT_BUILT_IN
+#define Curl_ssl_connect(x,y,z) CURLE_NOT_BUILT_IN
#define Curl_ssl_close_all(x) Curl_nop_stmt
-#define Curl_ssl_close(x,y) Curl_nop_stmt
-#define Curl_ssl_shutdown(x,y) CURLE_NOT_BUILT_IN
+#define Curl_ssl_close(x,y,z) Curl_nop_stmt
+#define Curl_ssl_shutdown(x,y,z) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
#define Curl_ssl_engines_list(x) NULL
#define Curl_ssl_data_pending(x,y) 0
#define Curl_ssl_check_cxn(x) 0
#define Curl_ssl_free_certinfo(x) Curl_nop_stmt
-#define Curl_ssl_connect_nonblocking(x,y,z) CURLE_NOT_BUILT_IN
+#define Curl_ssl_connect_nonblocking(x,y,z,w) CURLE_NOT_BUILT_IN
#define Curl_ssl_kill_session(x) Curl_nop_stmt
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
#define Curl_ssl_cert_status_request() FALSE
* layer and do all necessary magic.
*/
static CURLcode
-wolfssl_connect_step1(struct connectdata *conn,
+wolfssl_connect_step1(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
char *ciphers;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
SSL_METHOD* req_method = NULL;
if(SSL_SET_OPTION(primary.sessionid)) {
void *ssl_sessionid = NULL;
- Curl_ssl_sessionid_lock(conn);
- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
+ Curl_ssl_sessionid_lock(data);
+ if(!Curl_ssl_getsessionid(data, conn, &ssl_sessionid, NULL, sockindex)) {
/* we got a session id, use it! */
if(!SSL_set_session(backend->handle, ssl_sessionid)) {
char error_buffer[WOLFSSL_MAX_ERROR_SZ];
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "SSL: SSL_set_session failed: %s",
ERR_error_string(SSL_get_error(backend->handle, 0),
error_buffer));
/* Informational message */
infof(data, "SSL re-using session ID\n");
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
/* pass the raw socket into the SSL layer */
static CURLcode
-wolfssl_connect_step2(struct connectdata *conn,
+wolfssl_connect_step2(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
int ret = -1;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
#ifndef CURL_DISABLE_PROXY
static CURLcode
-wolfssl_connect_step3(struct connectdata *conn,
+wolfssl_connect_step3(struct Curl_easy *data, struct connectdata *conn,
int sockindex)
{
CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
our_ssl_sessionid = SSL_get_session(backend->handle);
- Curl_ssl_sessionid_lock(conn);
- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
+ Curl_ssl_sessionid_lock(data);
+ incache = !(Curl_ssl_getsessionid(data, conn, &old_ssl_sessionid, NULL,
sockindex));
if(incache) {
if(old_ssl_sessionid != our_ssl_sessionid) {
infof(data, "old SSL session ID is stale, removing\n");
- Curl_ssl_delsessionid(conn, old_ssl_sessionid);
+ Curl_ssl_delsessionid(data, old_ssl_sessionid);
incache = FALSE;
}
}
if(!incache) {
- result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
+ result = Curl_ssl_addsessionid(data, conn, our_ssl_sessionid,
0 /* unknown size */, sockindex);
if(result) {
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
failf(data, "failed to store ssl session");
return result;
}
}
- Curl_ssl_sessionid_unlock(conn);
+ Curl_ssl_sessionid_unlock(data);
}
connssl->connecting_state = ssl_connect_done;
return rc;
}
-static void wolfssl_close(struct connectdata *conn, int sockindex)
+static void wolfssl_close(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
+ (void) data;
+
if(backend->handle) {
(void)SSL_shutdown(backend->handle);
SSL_free(backend->handle);
* This function is called to shut down the SSL layer but keep the
* socket open (CCC - Clear Command Channel)
*/
-static int wolfssl_shutdown(struct connectdata *conn, int sockindex)
+static int wolfssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
+ int sockindex)
{
int retval = 0;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct ssl_backend_data *backend = connssl->backend;
+ (void) data;
+
if(backend->handle) {
SSL_free(backend->handle);
backend->handle = NULL;
static CURLcode
-wolfssl_connect_common(struct connectdata *conn,
+wolfssl_connect_common(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex,
bool nonblocking,
bool *done)
{
CURLcode result;
- struct Curl_easy *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
curl_socket_t sockfd = conn->sock[sockindex];
int what;
return CURLE_OPERATION_TIMEDOUT;
}
- result = wolfssl_connect_step1(conn, sockindex);
+ result = wolfssl_connect_step1(data, conn, sockindex);
if(result)
return result;
}
* ensuring that a client using select() or epoll() will always
* have a valid fdset to wait on.
*/
- result = wolfssl_connect_step2(conn, sockindex);
+ result = wolfssl_connect_step2(data, conn, sockindex);
if(result || (nonblocking &&
(ssl_connect_2 == connssl->connecting_state ||
ssl_connect_2_reading == connssl->connecting_state ||
} /* repeat step2 until all transactions are done. */
if(ssl_connect_3 == connssl->connecting_state) {
- result = wolfssl_connect_step3(conn, sockindex);
+ result = wolfssl_connect_step3(data, conn, sockindex);
if(result)
return result;
}
}
-static CURLcode wolfssl_connect_nonblocking(struct connectdata *conn,
+static CURLcode wolfssl_connect_nonblocking(struct Curl_easy *data,
+ struct connectdata *conn,
int sockindex, bool *done)
{
- return wolfssl_connect_common(conn, sockindex, TRUE, done);
+ return wolfssl_connect_common(data, conn, sockindex, TRUE, done);
}
-static CURLcode wolfssl_connect(struct connectdata *conn, int sockindex)
+static CURLcode wolfssl_connect(struct Curl_easy *data,
+ struct connectdata *conn, int sockindex)
{
CURLcode result;
bool done = FALSE;
- result = wolfssl_connect_common(conn, sockindex, FALSE, &done);
+ result = wolfssl_connect_common(data, conn, sockindex, FALSE, &done);
if(result)
return result;
projects / thirdparty / curl.git / commitdiff
