1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 2010, Hoi-Ho Chan, <hoiho.chan@gmail.com>
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at http://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
24 * Source file for all PolarSSL-specific code for the TLS/SSL layer. No code
25 * but sslgen.c should ever call or use these functions.
35 #ifdef HAVE_SYS_SOCKET_H
36 #include <sys/socket.h>
39 #include <polarssl/net.h>
40 #include <polarssl/ssl.h>
41 #include <polarssl/havege.h>
42 #include <polarssl/certs.h>
43 #include <polarssl/x509.h>
47 #include "inet_pton.h"
50 #include "parsedate.h"
51 #include "connect.h" /* for the connect timeout */
55 #define _MPRINTF_REPLACE /* use our functions only */
56 #include <curl/mprintf.h>
57 #include "curl_memory.h"
58 /* The last #include file should be: */
61 /* Define this to enable lots of debugging for PolarSSL */
65 static void polarssl_debug(void *context, int level, char *line)
67 struct SessionHandle *data = NULL;
72 data = (struct SessionHandle *)context;
74 infof(data, "%s", line);
79 static Curl_recv polarssl_recv;
80 static Curl_send polarssl_send;
83 * This function loads all the client/CA certificates and CRLs. Setup the TLS
84 * layer and do all necessary magic.
87 Curl_polarssl_connect(struct connectdata *conn,
90 struct SessionHandle *data = conn->data;
91 bool sni = TRUE; /* default is SNI enabled */
98 void *old_session = NULL;
99 size_t old_session_size = 0;
102 if(conn->ssl[sockindex].state == ssl_connection_complete)
105 /* PolarSSL only supports SSLv3 and TLSv1 */
106 if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
107 failf(data, "PolarSSL does not support SSLv2");
108 return CURLE_SSL_CONNECT_ERROR;
109 } else if(data->set.ssl.version == CURL_SSLVERSION_SSLv3) {
110 sni = FALSE; /* SSLv3 has no SNI */
113 havege_init(&conn->ssl[sockindex].hs);
115 /* Load the trusted CA */
116 memset(&conn->ssl[sockindex].cacert, 0, sizeof(x509_cert));
118 if(data->set.str[STRING_SSL_CAFILE]) {
119 ret = x509parse_crtfile(&conn->ssl[sockindex].cacert,
120 data->set.str[STRING_SSL_CAFILE]);
123 failf(data, "Error reading ca cert file %s: -0x%04X",
124 data->set.str[STRING_SSL_CAFILE], -ret);
126 if(data->set.ssl.verifypeer)
127 return CURLE_SSL_CACERT_BADFILE;
131 /* Load the client certificate */
132 memset(&conn->ssl[sockindex].clicert, 0, sizeof(x509_cert));
134 if(data->set.str[STRING_CERT]) {
135 ret = x509parse_crtfile(&conn->ssl[sockindex].clicert,
136 data->set.str[STRING_CERT]);
139 failf(data, "Error reading client cert file %s: -0x%04X",
140 data->set.str[STRING_CERT], -ret);
141 return CURLE_SSL_CERTPROBLEM;
145 /* Load the client private key */
146 if(data->set.str[STRING_KEY]) {
147 ret = x509parse_keyfile(&conn->ssl[sockindex].rsa,
148 data->set.str[STRING_KEY],
149 data->set.str[STRING_KEY_PASSWD]);
152 failf(data, "Error reading private key %s: -0x%04X",
153 data->set.str[STRING_KEY], -ret);
154 return CURLE_SSL_CERTPROBLEM;
159 memset(&conn->ssl[sockindex].crl, 0, sizeof(x509_crl));
161 if(data->set.str[STRING_SSL_CRLFILE]) {
162 ret = x509parse_crlfile(&conn->ssl[sockindex].crl,
163 data->set.str[STRING_SSL_CRLFILE]);
166 failf(data, "Error reading CRL file %s: -0x%04X",
167 data->set.str[STRING_SSL_CRLFILE], -ret);
168 return CURLE_SSL_CRL_BADFILE;
172 infof(data, "PolarSSL: Connected to %s:%d\n",
173 conn->host.name, conn->remote_port);
175 havege_init(&conn->ssl[sockindex].hs);
177 if(ssl_init(&conn->ssl[sockindex].ssl)) {
178 failf(data, "PolarSSL: ssl_init failed");
179 return CURLE_SSL_CONNECT_ERROR;
182 ssl_set_endpoint(&conn->ssl[sockindex].ssl, SSL_IS_CLIENT);
183 ssl_set_authmode(&conn->ssl[sockindex].ssl, SSL_VERIFY_OPTIONAL);
185 ssl_set_rng(&conn->ssl[sockindex].ssl, havege_rand,
186 &conn->ssl[sockindex].hs);
187 ssl_set_bio(&conn->ssl[sockindex].ssl,
188 net_recv, &conn->sock[sockindex],
189 net_send, &conn->sock[sockindex]);
191 ssl_set_ciphers(&conn->ssl[sockindex].ssl, ssl_default_ciphers);
193 if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
194 memcpy(&conn->ssl[sockindex].ssn, old_session, old_session_size);
195 infof(data, "PolarSSL re-using session\n");
198 ssl_set_session(&conn->ssl[sockindex].ssl, 1, 600,
199 &conn->ssl[sockindex].ssn);
201 ssl_set_ca_chain(&conn->ssl[sockindex].ssl,
202 &conn->ssl[sockindex].cacert,
203 &conn->ssl[sockindex].crl,
206 ssl_set_own_cert(&conn->ssl[sockindex].ssl,
207 &conn->ssl[sockindex].clicert, &conn->ssl[sockindex].rsa);
209 if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
211 !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
213 sni && ssl_set_hostname(&conn->ssl[sockindex].ssl, conn->host.name)) {
214 infof(data, "WARNING: failed to configure "
215 "server name indication (SNI) TLS extension\n");
218 infof(data, "PolarSSL: performing SSL/TLS handshake...\n");
220 #ifdef POLARSSL_DEBUG
221 ssl_set_dbg(&conn->ssl[sockindex].ssl, polarssl_debug, data);
225 if (!(ret = ssl_handshake(&conn->ssl[sockindex].ssl))) {
227 } else if(ret != POLARSSL_ERR_NET_TRY_AGAIN) {
228 failf(data, "ssl_handshake returned -0x%04X", -ret);
229 return CURLE_SSL_CONNECT_ERROR;
231 /* wait for data from server... */
232 long timeout_ms = Curl_timeleft(conn, NULL, TRUE);
235 failf(data, "SSL connection timeout");
236 return CURLE_OPERATION_TIMEDOUT;
239 switch(Curl_socket_ready(conn->sock[sockindex],
240 CURL_SOCKET_BAD, timeout_ms)) {
242 failf(data, "SSL handshake timeout");
243 return CURLE_OPERATION_TIMEDOUT;
245 case CURL_CSELECT_IN:
249 return CURLE_SSL_CONNECT_ERROR;
255 infof(data, "PolarSSL: Handshake complete, cipher is %s\n",
256 ssl_get_cipher(&conn->ssl[sockindex].ssl));
258 ret = ssl_get_verify_result(&conn->ssl[sockindex].ssl);
260 if(ret && data->set.ssl.verifypeer) {
261 if(ret & BADCERT_EXPIRED)
262 failf(data, "Cert verify failed: BADCERT_EXPIRED\n");
264 if(ret & BADCERT_REVOKED)
265 failf(data, "Cert verify failed: BADCERT_REVOKED");
267 if(ret & BADCERT_CN_MISMATCH)
268 failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
270 if(ret & BADCERT_NOT_TRUSTED)
271 failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
273 return CURLE_SSL_CACERT;
276 if(conn->ssl[sockindex].ssl.peer_cert) {
277 /* If the session was resumed, there will be no peer certs */
278 memset(buffer, 0, sizeof(buffer));
280 if(x509parse_cert_info(buffer, sizeof(buffer), (char *)"* ",
281 conn->ssl[sockindex].ssl.peer_cert) != -1)
282 infof(data, "Dumping cert info:\n%s\n", buffer);
285 conn->ssl[sockindex].state = ssl_connection_complete;
286 conn->recv[sockindex] = polarssl_recv;
287 conn->send[sockindex] = polarssl_send;
289 /* Save the current session data for possible re-use */
291 void *new_session = malloc(sizeof(conn->ssl[sockindex].ssn));
294 memcpy(new_session, &conn->ssl[sockindex].ssn,
295 sizeof(conn->ssl[sockindex].ssn));
298 Curl_ssl_delsessionid(conn, old_session);
300 return Curl_ssl_addsessionid(conn, new_session,
301 sizeof(conn->ssl[sockindex].ssn));
308 static ssize_t polarssl_send(struct connectdata *conn,
316 ret = ssl_write(&conn->ssl[sockindex].ssl,
317 (unsigned char *)mem, len);
320 *curlcode = (ret == POLARSSL_ERR_NET_TRY_AGAIN) ?
321 CURLE_AGAIN : CURLE_SEND_ERROR;
328 void Curl_polarssl_close_all(struct SessionHandle *data)
333 void Curl_polarssl_close(struct connectdata *conn, int sockindex)
335 rsa_free(&conn->ssl[sockindex].rsa);
336 x509_free(&conn->ssl[sockindex].clicert);
337 x509_free(&conn->ssl[sockindex].cacert);
338 x509_crl_free(&conn->ssl[sockindex].crl);
339 ssl_free(&conn->ssl[sockindex].ssl);
342 static ssize_t polarssl_recv(struct connectdata *conn,
351 memset(buf, 0, buffersize);
352 ret = ssl_read(&conn->ssl[num].ssl, (unsigned char *)buf, buffersize);
355 *curlcode = (ret == POLARSSL_ERR_NET_TRY_AGAIN) ?
356 CURLE_AGAIN : CURLE_RECV_ERROR;
365 void Curl_polarssl_session_free(void *ptr)
370 size_t Curl_polarssl_version(char *buffer, size_t size)
372 return snprintf(buffer, size, "PolarSSL");