xref: /third_party/curl/lib/vtls/mbedtls.c

140 static int entropy_func_mutex(void *data, unsigned char *output, size_t len)
145   ret = mbedtls_entropy_func(data, output, len);
158   struct Curl_easy *data = NULL;
163   data = (struct Curl_easy *)context;
165   infof(data, "%s", line);
174   struct Curl_easy *data = CF_DATA_CURRENT(cf);
178   DEBUGASSERT(data);
179   if(!data)
182   nwritten = Curl_conn_cf_send(cf->next, data, (char *)buf, blen, &result);
183   CURL_TRC_CF(data, cf, "mbedtls_bio_cf_out_write(len=%zu) -> %zd, err=%d",
194   struct Curl_easy *data = CF_DATA_CURRENT(cf);
198   DEBUGASSERT(data);
199   if(!data)
205   nread = Curl_conn_cf_recv(cf->next, data, (char *)buf, blen, &result);
206   CURL_TRC_CF(data, cf, "mbedtls_bio_cf_in_read(len=%zu) -> %zd, err=%d",
272 set_ssl_version_min_max(struct Curl_cfilter *cf, struct Curl_easy *data)
307     failf(data, "unsupported min version passed via CURLOPT_SSLVERSION");
312     failf(data, "unsupported max version passed via CURLOPT_SSLVERSION");
325 mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
332   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
349     failf(data, "Not supported SSL version");
361     failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
373     failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
383     /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null
386     unsigned char *newblob = Curl_memdup0(ca_info_blob->data,
395       failf(data, "Error importing ca cert blob - mbedTLS: (-0x%04X) %s",
407       failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s",
412     failf(data, "mbedtls: functions that use the filesystem not built in");
423       failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s",
430     failf(data, "mbedtls: functions that use the filesystem not built in");
444       failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s",
450     failf(data, "mbedtls: functions that use the filesystem not built in");
456     /* Unfortunately, mbedtls_x509_crt_parse() requires the data to be null
459     unsigned char *newblob = Curl_memdup0(ssl_cert_blob->data,
469       failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
493         failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
498       failf(data, "mbedtls: functions that use the filesystem not built in");
505         (const unsigned char *)ssl_key_blob->data;
521         failf(data, "Error parsing private key - mbedTLS: (-0x%04X) %s",
542       failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s",
548     failf(data, "mbedtls: functions that use the filesystem not built in");
554     failf(data, "mbedtls: crl support not built in");
559   infof(data, "mbedTLS: Connecting to %s:%d", hostname, connssl->port);
567     failf(data, "mbedTLS: ssl_config failed");
573     failf(data, "mbedTLS: ssl_init failed");
587     infof(data, "mbedTLS: Set min SSL version to TLS 1.0");
595       CURLcode result = set_ssl_version_min_max(cf, data);
601     failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
631     Curl_ssl_sessionid_lock(data);
632     if(!Curl_ssl_getsessionid(cf, data, &old_session, NULL)) {
635         Curl_ssl_sessionid_unlock(data);
636         failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
639       infof(data, "mbedTLS reusing session");
641     Curl_ssl_sessionid_unlock(data);
662     failf(data, "Failed to set SNI");
678       failf(data, "Failed setting ALPN protocols");
682     infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
688   mbedtls_ssl_conf_dbg(&backend->config, mbed_debug, data);
699   if(data->set.ssl.fsslctx) {
700     ret = (*data->set.ssl.fsslctx)(data, &backend->config,
701                                    data->set.ssl.fsslctxp);
703       failf(data, "error signaled by ssl ctx callback");
714 mbed_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data)
723     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]:
724     data->set.str[STRING_SSL_PINNEDPUBLICKEY];
741     failf(data, "ssl_handshake returned - mbedTLS: (-0x%04X) %s",
746   infof(data, "mbedTLS: Handshake complete, cipher is %s",
757       failf(data, "Cert verify failed: BADCERT_EXPIRED");
760       failf(data, "Cert verify failed: BADCERT_REVOKED");
763       failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
766       failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
769       failf(data, "Cert verify failed: BADCERT_FUTURE");
776   if(peercert && data->set.verbose) {
784       infof(data, "Dumping cert info: %s", buffer);
786       infof(data, "Unable to dump certificate information");
803       failf(data, "Failed due to missing peer certificate");
831       failf(data, "Failed copying peer certificate");
844       failf(data, "Failed copying public key from peer certificate");
849     /* mbedtls_pk_write_pubkey_der writes data at the end of the buffer. */
850     result = Curl_pin_peer_pubkey(data,
866     Curl_alpn_set_negotiated(cf, data, (const unsigned char *)proto,
872   infof(data, "SSL connected");
878 mbed_connect_step3(struct Curl_cfilter *cf, struct Curl_easy *data)
884   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
906       failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
911     Curl_ssl_sessionid_lock(data);
912     if(!Curl_ssl_getsessionid(cf, data, &old_ssl_sessionid, NULL))
913       Curl_ssl_delsessionid(data, old_ssl_sessionid);
915     retcode = Curl_ssl_addsessionid(cf, data, our_ssl_sessionid,
917     Curl_ssl_sessionid_unlock(data);
923       failf(data, "failed to store ssl session");
933 static ssize_t mbed_send(struct Curl_cfilter *cf, struct Curl_easy *data,
942   (void)data;
955 static void mbedtls_close_all(struct Curl_easy *data)
957   (void)data;
960 static void mbedtls_close(struct Curl_cfilter *cf, struct Curl_easy *data)
967   (void)data;
988 static ssize_t mbed_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
998   (void)data;
1036 static CURLcode mbedtls_random(struct Curl_easy *data,
1052     failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
1060       failf(data, "mbedtls_ctr_drbg_random returned (-0x%04X) %s",
1081 mbed_connect_common(struct Curl_cfilter *cf, struct Curl_easy *data,
1087   curl_socket_t sockfd = Curl_conn_cf_get_socket(cf, data);
1099     timeout_ms = Curl_timeleft(data, NULL, TRUE);
1103       failf(data, "SSL connection timeout");
1106     retcode = mbed_connect_step1(cf, data);
1116     timeout_ms = Curl_timeleft(data, NULL, TRUE);
1120       failf(data, "SSL connection timeout");
1137         failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
1147           failf(data, "SSL connection timeout");
1161     retcode = mbed_connect_step2(cf, data);
1171     retcode = mbed_connect_step3(cf, data);
1190                                             struct Curl_easy *data,
1193   return mbed_connect_common(cf, data, TRUE, done);
1198                                 struct Curl_easy *data)
1203   retcode = mbed_connect_common(cf, data, FALSE, &done);
1230                                  const struct Curl_easy *data)
1235   (void)data;
1306   mbed_recv,                        /* recv decrypted data */
1307   mbed_send,                        /* send data to encrypt */

Indexes created Thu Nov 07 10:32:03 CST 2024