From: Daniel Stenberg Date: Mon, 4 Nov 2024 07:35:43 +0000 (+0100) Subject: wolfssl: no more use of the OpenSSL API X-Git-Tag: curl-8_11_0~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=41330077989a987879103c3b15a12fd66260b213;p=thirdparty%2Fcurl.git wolfssl: no more use of the OpenSSL API Allows curl to build with a wolfSSL built without its OpenSSL API. It should allow curl to (soon?) build with *both* wolfSSL and OpenSSL This change makes curl use its own sha256 implementaion when built with wolfSSL: room for improvement. Closes #15480 --- diff --git a/lib/sha256.c b/lib/sha256.c index ce60d85e51..c5bb921bb3 100644 --- a/lib/sha256.c +++ b/lib/sha256.c @@ -34,9 +34,6 @@ #ifdef USE_WOLFSSL #include -#ifndef NO_SHA256 -#define USE_OPENSSL_SHA256 -#endif #endif #if defined(USE_OPENSSL) diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index bc383ec5cb..1769a1367a 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c @@ -163,7 +163,7 @@ wolfssl_tls13_secret_callback(SSL *ssl, int id, const unsigned char *secret, #endif /* defined(HAVE_SECRET_CALLBACK) && defined(WOLFSSL_TLS13) */ static void -wolfssl_log_tls12_secret(SSL *ssl) +wolfssl_log_tls12_secret(WOLFSSL *ssl) { unsigned char *ms, *sr, *cr; unsigned int msLen, srLen, crLen, i, x = 0; @@ -187,7 +187,7 @@ wolfssl_log_tls12_secret(SSL *ssl) #endif if(wolfSSL_get_keys(ssl, &ms, &msLen, &sr, &srLen, &cr, &crLen) != - SSL_SUCCESS) { + WOLFSSL_SUCCESS) { return; } @@ -208,11 +208,11 @@ wolfssl_log_tls12_secret(SSL *ssl) static int wolfssl_do_file_type(const char *type) { if(!type || !type[0]) - return SSL_FILETYPE_PEM; + return WOLFSSL_FILETYPE_PEM; if(strcasecompare(type, "PEM")) - return SSL_FILETYPE_PEM; + return WOLFSSL_FILETYPE_PEM; if(strcasecompare(type, "DER")) - return SSL_FILETYPE_ASN1; + return WOLFSSL_FILETYPE_ASN1; return -1; } @@ -477,7 +477,7 @@ CURLcode wssl_setup_session(struct Curl_cfilter *cf, static CURLcode populate_x509_store(struct Curl_cfilter *cf, struct Curl_easy *data, - X509_STORE *store, + WOLFSSL_X509_STORE *store, struct wolfssl_ctx *wssl) { struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); @@ -507,7 +507,8 @@ static CURLcode populate_x509_store(struct Curl_cfilter *cf, if(ca_info_blob) { if(wolfSSL_CTX_load_verify_buffer(wssl->ctx, ca_info_blob->data, (long)ca_info_blob->len, - SSL_FILETYPE_PEM) != SSL_SUCCESS) { + WOLFSSL_FILETYPE_PEM) != + WOLFSSL_SUCCESS) { if(imported_native_ca) { infof(data, "error importing CA certificate blob, continuing anyway"); } @@ -536,7 +537,7 @@ static CURLcode populate_x509_store(struct Curl_cfilter *cf, ssl_cafile, ssl_capath, WOLFSSL_LOAD_FLAG_IGNORE_ERR); - if(SSL_SUCCESS != rc) { + if(WOLFSSL_SUCCESS != rc) { if(conn_config->verifypeer) { /* Fail if we insist on successfully verifying the server. */ failf(data, "error setting certificate verify locations:" @@ -614,8 +615,8 @@ cached_x509_store_different(struct Curl_cfilter *cf, return strcmp(mb->CAfile, conn_config->CAfile); } -static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf, - const struct Curl_easy *data) +static WOLFSSL_X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf, + const struct Curl_easy *data) { struct Curl_multi *multi = data->multi; struct wssl_x509_share *share; @@ -636,7 +637,7 @@ static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf, static void set_cached_x509_store(struct Curl_cfilter *cf, const struct Curl_easy *data, - X509_STORE *store) + WOLFSSL_X509_STORE *store) { struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf); struct Curl_multi *multi = data->multi; @@ -668,13 +669,13 @@ static void set_cached_x509_store(struct Curl_cfilter *cf, if(conn_config->CAfile) { CAfile = strdup(conn_config->CAfile); if(!CAfile) { - X509_STORE_free(store); + wolfSSL_X509_STORE_free(store); return; } } if(share->store) { - X509_STORE_free(share->store); + wolfSSL_X509_STORE_free(share->store); free(share->CAfile); } @@ -714,7 +715,7 @@ CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf, else if(cache_criteria_met) { /* wolfSSL's initial store in CTX is not shareable by default. * Make a new one, suitable for adding to the cache. See #14278 */ - X509_STORE *store = wolfSSL_X509_STORE_new(); + WOLFSSL_X509_STORE *store = wolfSSL_X509_STORE_new(); if(!store) { failf(data, "SSL: could not create a X509 store"); return CURLE_OUT_OF_MEMORY; @@ -728,7 +729,7 @@ CURLcode Curl_wssl_setup_x509_store(struct Curl_cfilter *cf, } else { /* We never share the CTX's store, use it. */ - X509_STORE *store = wolfSSL_CTX_get_cert_store(wssl->ctx); + WOLFSSL_X509_STORE *store = wolfSSL_CTX_get_cert_store(wssl->ctx); result = populate_x509_store(cf, data, store, wssl); } @@ -939,7 +940,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) if(result) return result; - if(!SSL_CTX_set_cipher_list(backend->ctx, Curl_dyn_ptr(&c))) { + if(!wolfSSL_CTX_set_cipher_list(backend->ctx, Curl_dyn_ptr(&c))) { failf(data, "failed setting cipher list: %s", Curl_dyn_ptr(&c)); Curl_dyn_free(&c); return CURLE_SSL_CIPHER; @@ -963,7 +964,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) if(pqkem == 0) #endif { - if(!SSL_CTX_set1_curves_list(backend->ctx, curves)) { + if(!wolfSSL_CTX_set1_curves_list(backend->ctx, curves)) { failf(data, "failed setting curves list: '%s'", curves); return CURLE_SSL_CIPHER; } @@ -1064,8 +1065,8 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) * anyway. In the latter case the result of the verification is checked with * SSL_get_verify_result() below. */ wolfSSL_CTX_set_verify(backend->ctx, - conn_config->verifypeer ? SSL_VERIFY_PEER : - SSL_VERIFY_NONE, NULL); + conn_config->verifypeer ? WOLFSSL_VERIFY_PEER : + WOLFSSL_VERIFY_NONE, NULL); #ifdef HAVE_SNI if(connssl->peer.sni) { @@ -1132,7 +1133,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) if(result || wolfSSL_UseALPN(backend->handle, (char *)proto.data, (unsigned int)proto.len, - WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) != SSL_SUCCESS) { + WOLFSSL_ALPN_CONTINUE_ON_MISMATCH) != WOLFSSL_SUCCESS) { failf(data, "SSL: failed setting ALPN protocols"); return CURLE_SSL_CONNECT_ERROR; } @@ -1310,7 +1311,7 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) if(conn_config->verifyhost) { char *snihost = connssl->peer.sni ? connssl->peer.sni : connssl->peer.hostname; - if(wolfSSL_check_domain_name(backend->handle, snihost) == SSL_FAILURE) + if(wolfSSL_check_domain_name(backend->handle, snihost) == WOLFSSL_FAILURE) return CURLE_SSL_CONNECT_ERROR; } @@ -1339,7 +1340,7 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) * Note that OpenSSL SSL_want_read() is always true here. If wolfSSL ever * changes, the worst case is that no key is logged on error. */ - if(ret == SSL_SUCCESS || + if(ret == WOLFSSL_SUCCESS || (!wolfSSL_want_read(backend->handle) && !wolfSSL_want_write(backend->handle))) { wolfssl_log_tls12_secret(backend->handle); @@ -1353,11 +1354,11 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) if(ret != 1) { int detail = wolfSSL_get_error(backend->handle, ret); - if(SSL_ERROR_WANT_READ == detail) { + if(WOLFSSL_ERROR_WANT_READ == detail) { connssl->io_need = CURL_SSL_IO_NEED_RECV; return CURLE_OK; } - else if(SSL_ERROR_WANT_WRITE == detail) { + else if(WOLFSSL_ERROR_WANT_WRITE == detail) { connssl->io_need = CURL_SSL_IO_NEED_SEND; return CURLE_OK; } @@ -1449,7 +1450,7 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) if(pinnedpubkey) { #ifdef KEEP_PEER_CERT - X509 *x509; + WOLFSSL_X509 *x509; const char *x509_der; int x509_der_len; struct Curl_X509certificate x509_parsed; @@ -1501,11 +1502,11 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) rc = wolfSSL_ALPN_GetProtocol(backend->handle, &protocol, &protocol_len); - if(rc == SSL_SUCCESS) { + if(rc == WOLFSSL_SUCCESS) { Curl_alpn_set_negotiated(cf, data, connssl, (const unsigned char *)protocol, protocol_len); } - else if(rc == SSL_ALPN_NOT_FOUND) + else if(rc == WOLFSSL_ALPN_NOT_FOUND) Curl_alpn_set_negotiated(cf, data, connssl, NULL, 0); else { failf(data, "ALPN, failure getting protocol, error %d", rc); @@ -1547,8 +1548,8 @@ static ssize_t wolfssl_send(struct Curl_cfilter *cf, int err = wolfSSL_get_error(backend->handle, rc); switch(err) { - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: + case WOLFSSL_ERROR_WANT_READ: + case WOLFSSL_ERROR_WANT_WRITE: /* there is data pending, re-invoke SSL_write() */ CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> AGAIN", len); *curlcode = CURLE_AGAIN; @@ -1597,14 +1598,14 @@ static CURLcode wolfssl_shutdown(struct Curl_cfilter *cf, wctx->shutting_down = TRUE; connssl->io_need = CURL_SSL_IO_NEED_NONE; *done = FALSE; - if(!(wolfSSL_get_shutdown(wctx->handle) & SSL_SENT_SHUTDOWN)) { + if(!(wolfSSL_get_shutdown(wctx->handle) & WOLFSSL_SENT_SHUTDOWN)) { /* We have not started the shutdown from our side yet. Check * if the server already sent us one. */ - ERR_clear_error(); + wolfSSL_ERR_clear_error(); nread = wolfSSL_read(wctx->handle, buf, (int)sizeof(buf)); err = wolfSSL_get_error(wctx->handle, nread); CURL_TRC_CF(data, cf, "wolfSSL_read, nread=%d, err=%d", nread, err); - if(!nread && err == SSL_ERROR_ZERO_RETURN) { + if(!nread && err == WOLFSSL_ERROR_ZERO_RETURN) { bool input_pending; /* Yes, it did. */ if(!send_shutdown) { @@ -1627,13 +1628,13 @@ static CURLcode wolfssl_shutdown(struct Curl_cfilter *cf, /* SSL should now have started the shutdown from our side. Since it * was not complete, we are lacking the close notify from the server. */ if(send_shutdown) { - ERR_clear_error(); + wolfSSL_ERR_clear_error(); if(wolfSSL_shutdown(wctx->handle) == 1) { CURL_TRC_CF(data, cf, "SSL shutdown finished"); *done = TRUE; goto out; } - if(SSL_ERROR_WANT_WRITE == wolfSSL_get_error(wctx->handle, nread)) { + if(WOLFSSL_ERROR_WANT_WRITE == wolfSSL_get_error(wctx->handle, nread)) { CURL_TRC_CF(data, cf, "SSL shutdown still wants to send"); connssl->io_need = CURL_SSL_IO_NEED_SEND; goto out; @@ -1643,25 +1644,25 @@ static CURLcode wolfssl_shutdown(struct Curl_cfilter *cf, } for(i = 0; i < 10; ++i) { - ERR_clear_error(); + wolfSSL_ERR_clear_error(); nread = wolfSSL_read(wctx->handle, buf, (int)sizeof(buf)); if(nread <= 0) break; } err = wolfSSL_get_error(wctx->handle, nread); switch(err) { - case SSL_ERROR_ZERO_RETURN: /* no more data */ + case WOLFSSL_ERROR_ZERO_RETURN: /* no more data */ CURL_TRC_CF(data, cf, "SSL shutdown received"); *done = TRUE; break; - case SSL_ERROR_NONE: /* just did not get anything */ - case SSL_ERROR_WANT_READ: + case WOLFSSL_ERROR_NONE: /* just did not get anything */ + case WOLFSSL_ERROR_WANT_READ: /* SSL has send its notify and now wants to read the reply * from the server. We are not really interested in that. */ CURL_TRC_CF(data, cf, "SSL shutdown sent, want receive"); connssl->io_need = CURL_SSL_IO_NEED_RECV; break; - case SSL_ERROR_WANT_WRITE: + case WOLFSSL_ERROR_WANT_WRITE: CURL_TRC_CF(data, cf, "SSL shutdown send blocked"); connssl->io_need = CURL_SSL_IO_NEED_SEND; break; @@ -1722,13 +1723,13 @@ static ssize_t wolfssl_recv(struct Curl_cfilter *cf, int err = wolfSSL_get_error(backend->handle, nread); switch(err) { - case SSL_ERROR_ZERO_RETURN: /* no more data */ + case WOLFSSL_ERROR_ZERO_RETURN: /* no more data */ CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> CLOSED", blen); *curlcode = CURLE_OK; return 0; - case SSL_ERROR_NONE: - case SSL_ERROR_WANT_READ: - case SSL_ERROR_WANT_WRITE: + case WOLFSSL_ERROR_NONE: + case WOLFSSL_ERROR_WANT_READ: + case WOLFSSL_ERROR_WANT_WRITE: /* there is data pending, re-invoke wolfSSL_read() */ CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> AGAIN", blen); *curlcode = CURLE_AGAIN; @@ -1772,7 +1773,7 @@ static int wolfssl_init(void) #ifdef OPENSSL_EXTRA Curl_tls_keylog_open(); #endif - ret = (wolfSSL_Init() == SSL_SUCCESS); + ret = (wolfSSL_Init() == WOLFSSL_SUCCESS); wolfssl_bio_cf_init_methods(); return ret; }