1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at http://curl.haxx.se/docs/copyright.html.
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
21 ***************************************************************************/
23 #include "curl_setup.h"
30 /* Some symbols are undefined/unsupported on OS400 versions < V7R1. */
31 #ifndef GSK_SSL_EXTN_SERVERNAME_REQUEST
32 #define GSK_SSL_EXTN_SERVERNAME_REQUEST 230
35 #ifndef GSK_TLSV10_CIPHER_SPECS
36 #define GSK_TLSV10_CIPHER_SPECS 236
39 #ifndef GSK_TLSV11_CIPHER_SPECS
40 #define GSK_TLSV11_CIPHER_SPECS 237
43 #ifndef GSK_TLSV12_CIPHER_SPECS
44 #define GSK_TLSV12_CIPHER_SPECS 238
47 #ifndef GSK_PROTOCOL_TLSV11
48 #define GSK_PROTOCOL_TLSV11 437
51 #ifndef GSK_PROTOCOL_TLSV12
52 #define GSK_PROTOCOL_TLSV12 438
68 #include <curl/curl.h>
73 #include "connect.h" /* for the connect timeout */
77 #include "curl_printf.h"
79 #include "curl_memory.h"
80 /* The last #include file should be: */
84 /* SSL version flags. */
85 #define CURL_GSKPROTO_SSLV2 0
86 #define CURL_GSKPROTO_SSLV2_MASK (1 << CURL_GSKPROTO_SSLV2)
87 #define CURL_GSKPROTO_SSLV3 1
88 #define CURL_GSKPROTO_SSLV3_MASK (1 << CURL_GSKPROTO_SSLV3)
89 #define CURL_GSKPROTO_TLSV10 2
90 #define CURL_GSKPROTO_TLSV10_MASK (1 << CURL_GSKPROTO_TLSV10)
91 #define CURL_GSKPROTO_TLSV11 3
92 #define CURL_GSKPROTO_TLSV11_MASK (1 << CURL_GSKPROTO_TLSV11)
93 #define CURL_GSKPROTO_TLSV12 4
94 #define CURL_GSKPROTO_TLSV12_MASK (1 << CURL_GSKPROTO_TLSV12)
95 #define CURL_GSKPROTO_LAST 5
98 /* Supported ciphers. */
100 const char *name; /* Cipher name. */
101 const char *gsktoken; /* Corresponding token for GSKit String. */
102 unsigned int versions; /* SSL version flags. */
105 static const gskit_cipher ciphertable[] = {
107 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK |
108 CURL_GSKPROTO_TLSV11_MASK | CURL_GSKPROTO_TLSV12_MASK },
110 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK |
111 CURL_GSKPROTO_TLSV11_MASK | CURL_GSKPROTO_TLSV12_MASK },
112 { "exp-rc4-md5", "03",
113 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK },
115 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK |
116 CURL_GSKPROTO_TLSV11_MASK | CURL_GSKPROTO_TLSV12_MASK },
118 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK |
119 CURL_GSKPROTO_TLSV11_MASK | CURL_GSKPROTO_TLSV12_MASK },
120 { "exp-rc2-cbc-md5", "06",
121 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK },
122 { "exp-des-cbc-sha", "09",
123 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK |
124 CURL_GSKPROTO_TLSV11_MASK },
125 { "des-cbc3-sha", "0A",
126 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK |
127 CURL_GSKPROTO_TLSV11_MASK | CURL_GSKPROTO_TLSV12_MASK },
128 { "aes128-sha", "2F",
129 CURL_GSKPROTO_TLSV10_MASK | CURL_GSKPROTO_TLSV11_MASK |
130 CURL_GSKPROTO_TLSV12_MASK },
131 { "aes256-sha", "35",
132 CURL_GSKPROTO_TLSV10_MASK | CURL_GSKPROTO_TLSV11_MASK |
133 CURL_GSKPROTO_TLSV12_MASK },
134 { "null-sha256", "3B", CURL_GSKPROTO_TLSV12_MASK },
135 { "aes128-sha256", "3C", CURL_GSKPROTO_TLSV12_MASK },
136 { "aes256-sha256", "3D", CURL_GSKPROTO_TLSV12_MASK },
137 { "aes128-gcm-sha256",
138 "9C", CURL_GSKPROTO_TLSV12_MASK },
139 { "aes256-gcm-sha384",
140 "9D", CURL_GSKPROTO_TLSV12_MASK },
141 { "rc4-md5", "1", CURL_GSKPROTO_SSLV2_MASK },
142 { "exp-rc4-md5", "2", CURL_GSKPROTO_SSLV2_MASK },
143 { "rc2-md5", "3", CURL_GSKPROTO_SSLV2_MASK },
144 { "exp-rc2-md5", "4", CURL_GSKPROTO_SSLV2_MASK },
145 { "des-cbc-md5", "6", CURL_GSKPROTO_SSLV2_MASK },
146 { "des-cbc3-md5", "7", CURL_GSKPROTO_SSLV2_MASK },
147 { (const char *) NULL, (const char *) NULL, 0 }
151 static bool is_separator(char c)
153 /* Return whether character is a cipher list separator. */
166 static CURLcode gskit_status(struct SessionHandle *data, int rc,
167 const char *procname, CURLcode defcode)
169 /* Process GSKit status and map it to a CURLcode. */
172 case GSK_OS400_ASYNCHRONOUS_SOC_INIT:
174 case GSK_KEYRING_OPEN_ERROR:
175 case GSK_OS400_ERROR_NO_ACCESS:
176 return CURLE_SSL_CACERT_BADFILE;
177 case GSK_INSUFFICIENT_STORAGE:
178 return CURLE_OUT_OF_MEMORY;
179 case GSK_ERROR_BAD_V2_CIPHER:
180 case GSK_ERROR_BAD_V3_CIPHER:
181 case GSK_ERROR_NO_CIPHERS:
182 return CURLE_SSL_CIPHER;
183 case GSK_OS400_ERROR_NOT_TRUSTED_ROOT:
184 case GSK_ERROR_CERT_VALIDATION:
185 return CURLE_PEER_FAILED_VERIFICATION;
186 case GSK_OS400_ERROR_TIMED_OUT:
187 return CURLE_OPERATION_TIMEDOUT;
188 case GSK_WOULD_BLOCK:
190 case GSK_OS400_ERROR_NOT_REGISTERED:
195 return CURLE_OUT_OF_MEMORY;
197 failf(data, "%s I/O error: %s", procname, strerror(errno));
202 failf(data, "%s: %s", procname, gsk_strerror(rc));
209 static CURLcode set_enum(struct SessionHandle *data, gsk_handle h,
210 GSK_ENUM_ID id, GSK_ENUM_VALUE value, bool unsupported_ok)
212 int rc = gsk_attribute_set_enum(h, id, value);
218 failf(data, "gsk_attribute_set_enum() I/O error: %s", strerror(errno));
220 case GSK_ATTRIBUTE_INVALID_ID:
222 return CURLE_UNSUPPORTED_PROTOCOL;
224 failf(data, "gsk_attribute_set_enum(): %s", gsk_strerror(rc));
227 return CURLE_SSL_CONNECT_ERROR;
231 static CURLcode set_buffer(struct SessionHandle *data, gsk_handle h,
232 GSK_BUF_ID id, const char *buffer, bool unsupported_ok)
234 int rc = gsk_attribute_set_buffer(h, id, buffer, 0);
240 failf(data, "gsk_attribute_set_buffer() I/O error: %s", strerror(errno));
242 case GSK_ATTRIBUTE_INVALID_ID:
244 return CURLE_UNSUPPORTED_PROTOCOL;
246 failf(data, "gsk_attribute_set_buffer(): %s", gsk_strerror(rc));
249 return CURLE_SSL_CONNECT_ERROR;
253 static CURLcode set_numeric(struct SessionHandle *data,
254 gsk_handle h, GSK_NUM_ID id, int value)
256 int rc = gsk_attribute_set_numeric_value(h, id, value);
262 failf(data, "gsk_attribute_set_numeric_value() I/O error: %s",
266 failf(data, "gsk_attribute_set_numeric_value(): %s", gsk_strerror(rc));
269 return CURLE_SSL_CONNECT_ERROR;
273 static CURLcode set_callback(struct SessionHandle *data,
274 gsk_handle h, GSK_CALLBACK_ID id, void *info)
276 int rc = gsk_attribute_set_callback(h, id, info);
282 failf(data, "gsk_attribute_set_callback() I/O error: %s", strerror(errno));
285 failf(data, "gsk_attribute_set_callback(): %s", gsk_strerror(rc));
288 return CURLE_SSL_CONNECT_ERROR;
292 static CURLcode set_ciphers(struct SessionHandle *data,
293 gsk_handle h, unsigned int *protoflags)
295 const char *cipherlist = data->set.str[STRING_SSL_CIPHER_LIST];
297 const gskit_cipher *ctp;
305 } ciphers[CURL_GSKPROTO_LAST];
307 /* Compile cipher list into GSKit-compatible cipher lists. */
311 while(is_separator(*cipherlist)) /* Skip initial separators. */
316 /* We allocate GSKit buffers of the same size as the input string: since
317 GSKit tokens are always shorter than their cipher names, allocated buffers
318 will always be large enough to accomodate the result. */
319 l = strlen(cipherlist) + 1;
320 memset((char *) ciphers, 0, sizeof ciphers);
321 for(i = 0; i < CURL_GSKPROTO_LAST; i++) {
322 ciphers[i].buf = malloc(l);
323 if(!ciphers[i].buf) {
325 free(ciphers[i].buf);
326 return CURLE_OUT_OF_MEMORY;
328 ciphers[i].ptr = ciphers[i].buf;
329 *ciphers[i].ptr = '\0';
332 /* Process each cipher in input string. */
336 for(clp = cipherlist; *cipherlist && !is_separator(*cipherlist);)
338 l = cipherlist - clp;
341 /* Search the cipher in our table. */
342 for(ctp = ciphertable; ctp->name; ctp++)
343 if(strnequal(ctp->name, clp, l) && !ctp->name[l])
346 failf(data, "Unknown cipher %.*s", l, clp);
347 result = CURLE_SSL_CIPHER;
350 unsupported |= !(ctp->versions & (CURL_GSKPROTO_SSLV2_MASK |
351 CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK));
352 for(i = 0; i < CURL_GSKPROTO_LAST; i++) {
353 if(ctp->versions & (1 << i)) {
354 strcpy(ciphers[i].ptr, ctp->gsktoken);
355 ciphers[i].ptr += strlen(ctp->gsktoken);
360 /* Advance to next cipher name or end of string. */
361 while(is_separator(*cipherlist))
365 /* Disable protocols with empty cipher lists. */
366 for(i = 0; i < CURL_GSKPROTO_LAST; i++) {
367 if(!(*protoflags & (1 << i)) || !ciphers[i].buf[0]) {
368 *protoflags &= ~(1 << i);
369 ciphers[i].buf[0] = '\0';
373 /* Try to set-up TLSv1.1 and TLSv2.1 ciphers. */
374 if(*protoflags & CURL_GSKPROTO_TLSV11_MASK) {
375 result = set_buffer(data, h, GSK_TLSV11_CIPHER_SPECS,
376 ciphers[CURL_GSKPROTO_TLSV11].buf, TRUE);
377 if(result == CURLE_UNSUPPORTED_PROTOCOL) {
380 failf(data, "TLSv1.1-only ciphers are not yet supported");
381 result = CURLE_SSL_CIPHER;
385 if(!result && (*protoflags & CURL_GSKPROTO_TLSV12_MASK)) {
386 result = set_buffer(data, h, GSK_TLSV12_CIPHER_SPECS,
387 ciphers[CURL_GSKPROTO_TLSV12].buf, TRUE);
388 if(result == CURLE_UNSUPPORTED_PROTOCOL) {
391 failf(data, "TLSv1.2-only ciphers are not yet supported");
392 result = CURLE_SSL_CIPHER;
397 /* Try to set-up TLSv1.0 ciphers. If not successful, concatenate them to
398 the SSLv3 ciphers. OS/400 prior to version 7.1 will understand it. */
399 if(!result && (*protoflags & CURL_GSKPROTO_TLSV10_MASK)) {
400 result = set_buffer(data, h, GSK_TLSV10_CIPHER_SPECS,
401 ciphers[CURL_GSKPROTO_TLSV10].buf, TRUE);
402 if(result == CURLE_UNSUPPORTED_PROTOCOL) {
404 strcpy(ciphers[CURL_GSKPROTO_SSLV3].ptr,
405 ciphers[CURL_GSKPROTO_TLSV10].ptr);
409 /* Set-up other ciphers. */
410 if(!result && (*protoflags & CURL_GSKPROTO_SSLV3_MASK))
411 result = set_buffer(data, h, GSK_V3_CIPHER_SPECS,
412 ciphers[CURL_GSKPROTO_SSLV3].buf, FALSE);
413 if(!result && (*protoflags & CURL_GSKPROTO_SSLV2_MASK))
414 result = set_buffer(data, h, GSK_V2_CIPHER_SPECS,
415 ciphers[CURL_GSKPROTO_SSLV2].buf, FALSE);
418 for(i = 0; i < CURL_GSKPROTO_LAST; i++)
419 free(ciphers[i].buf);
425 int Curl_gskit_init(void)
427 /* No initialisation needed. */
433 void Curl_gskit_cleanup(void)
439 static CURLcode init_environment(struct SessionHandle *data,
440 gsk_handle *envir, const char *appid,
441 const char *file, const char *label,
442 const char *password)
448 /* Creates the GSKit environment. */
450 rc = gsk_environment_open(&h);
454 case GSK_INSUFFICIENT_STORAGE:
455 return CURLE_OUT_OF_MEMORY;
457 failf(data, "gsk_environment_open(): %s", gsk_strerror(rc));
458 return CURLE_SSL_CONNECT_ERROR;
461 result = set_enum(data, h, GSK_SESSION_TYPE, GSK_CLIENT_SESSION, FALSE);
463 result = set_buffer(data, h, GSK_OS400_APPLICATION_ID, appid, FALSE);
465 result = set_buffer(data, h, GSK_KEYRING_FILE, file, FALSE);
467 result = set_buffer(data, h, GSK_KEYRING_LABEL, label, FALSE);
468 if(!result && password)
469 result = set_buffer(data, h, GSK_KEYRING_PW, password, FALSE);
472 /* Locate CAs, Client certificate and key according to our settings.
473 Note: this call may be blocking for some tenths of seconds. */
474 result = gskit_status(data, gsk_environment_init(h),
475 "gsk_environment_init()", CURLE_SSL_CERTPROBLEM);
481 /* Error: rollback. */
482 gsk_environment_close(&h);
487 static void cancel_async_handshake(struct connectdata *conn, int sockindex)
489 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
490 Qso_OverlappedIO_t cstat;
492 if(QsoCancelOperation(conn->sock[sockindex], 0) > 0)
493 QsoWaitForIOCompletion(connssl->iocport, &cstat, (struct timeval *) NULL);
497 static void close_async_handshake(struct ssl_connect_data *connssl)
499 QsoDestroyIOCompletionPort(connssl->iocport);
500 connssl->iocport = -1;
504 static void close_one(struct ssl_connect_data *conn,
505 struct SessionHandle *data)
508 gskit_status(data, gsk_secure_soc_close(&conn->handle),
509 "gsk_secure_soc_close()", 0);
510 conn->handle = (gsk_handle) NULL;
512 if(conn->iocport >= 0)
513 close_async_handshake(conn);
517 static ssize_t gskit_send(struct connectdata *conn, int sockindex,
518 const void *mem, size_t len, CURLcode *curlcode)
520 struct SessionHandle *data = conn->data;
524 cc = gskit_status(data,
525 gsk_secure_soc_write(conn->ssl[sockindex].handle,
526 (char *) mem, (int) len, &written),
527 "gsk_secure_soc_write()", CURLE_SEND_ERROR);
532 return (ssize_t) written; /* number of bytes */
536 static ssize_t gskit_recv(struct connectdata *conn, int num, char *buf,
537 size_t buffersize, CURLcode *curlcode)
539 struct SessionHandle *data = conn->data;
544 buffsize = buffersize > (size_t) INT_MAX? INT_MAX: (int) buffersize;
545 cc = gskit_status(data, gsk_secure_soc_read(conn->ssl[num].handle,
546 buf, buffsize, &nread),
547 "gsk_secure_soc_read()", CURLE_RECV_ERROR);
552 return (ssize_t) nread;
556 static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
558 struct SessionHandle *data = conn->data;
559 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
567 unsigned int protoflags;
569 Qso_OverlappedIO_t commarea;
571 /* Create SSL environment, start (preferably asynchronous) handshake. */
573 connssl->handle = (gsk_handle) NULL;
574 connssl->iocport = -1;
576 /* GSKit supports two ways of specifying an SSL context: either by
577 * application identifier (that should have been defined at the system
578 * level) or by keyring file, password and certificate label.
579 * Local certificate name (CURLOPT_SSLCERT) is used to hold either the
580 * application identifier of the certificate label.
581 * Key password (CURLOPT_KEYPASSWD) holds the keyring password.
582 * It is not possible to have different keyrings for the CAs and the
583 * local certificate. We thus use the CA file (CURLOPT_CAINFO) to identify
585 * If no key password is given and the keyring is the system keyring,
586 * application identifier mode is tried first, as recommended in IBM doc.
589 keyringfile = data->set.str[STRING_SSL_CAFILE];
590 keyringpwd = data->set.str[STRING_KEY_PASSWD];
591 keyringlabel = data->set.str[STRING_CERT];
592 envir = (gsk_handle) NULL;
594 if(keyringlabel && *keyringlabel && !keyringpwd &&
595 !strcmp(keyringfile, CURL_CA_BUNDLE)) {
596 /* Try application identifier mode. */
597 init_environment(data, &envir, keyringlabel, (const char *) NULL,
598 (const char *) NULL, (const char *) NULL);
602 /* Use keyring mode. */
603 result = init_environment(data, &envir, (const char *) NULL,
604 keyringfile, keyringlabel, keyringpwd);
609 /* Create secure session. */
610 result = gskit_status(data, gsk_secure_soc_open(envir, &connssl->handle),
611 "gsk_secure_soc_open()", CURLE_SSL_CONNECT_ERROR);
612 gsk_environment_close(&envir);
616 /* Determine which SSL/TLS version should be enabled. */
617 protoflags = CURL_GSKPROTO_TLSV10_MASK | CURL_GSKPROTO_TLSV11_MASK |
618 CURL_GSKPROTO_TLSV12_MASK;
619 sni = conn->host.name;
620 switch (data->set.ssl.version) {
621 case CURL_SSLVERSION_SSLv2:
622 protoflags = CURL_GSKPROTO_SSLV2_MASK;
625 case CURL_SSLVERSION_SSLv3:
626 protoflags = CURL_GSKPROTO_SSLV3_MASK;
629 case CURL_SSLVERSION_TLSv1:
630 protoflags = CURL_GSKPROTO_TLSV10_MASK |
631 CURL_GSKPROTO_TLSV11_MASK | CURL_GSKPROTO_TLSV12_MASK;
633 case CURL_SSLVERSION_TLSv1_0:
634 protoflags = CURL_GSKPROTO_TLSV10_MASK;
636 case CURL_SSLVERSION_TLSv1_1:
637 protoflags = CURL_GSKPROTO_TLSV11_MASK;
639 case CURL_SSLVERSION_TLSv1_2:
640 protoflags = CURL_GSKPROTO_TLSV12_MASK;
644 /* Process SNI. Ignore if not supported (on OS400 < V7R1). */
646 result = set_buffer(data, connssl->handle,
647 GSK_SSL_EXTN_SERVERNAME_REQUEST, sni, TRUE);
648 if(result == CURLE_UNSUPPORTED_PROTOCOL)
652 /* Set session parameters. */
654 /* Compute the handshake timeout. Since GSKit granularity is 1 second,
655 we round up the required value. */
656 timeout = Curl_timeleft(data, NULL, TRUE);
658 result = CURLE_OPERATION_TIMEDOUT;
660 result = set_numeric(data, connssl->handle, GSK_HANDSHAKE_TIMEOUT,
661 (timeout + 999) / 1000);
664 result = set_numeric(data, connssl->handle, GSK_FD, conn->sock[sockindex]);
666 result = set_ciphers(data, connssl->handle, &protoflags);
668 failf(data, "No SSL protocol/cipher combination enabled");
669 result = CURLE_SSL_CIPHER;
672 result = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV2,
673 (protoflags & CURL_GSKPROTO_SSLV2_MASK)?
674 GSK_PROTOCOL_SSLV2_ON: GSK_PROTOCOL_SSLV2_OFF, FALSE);
676 result = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV3,
677 (protoflags & CURL_GSKPROTO_SSLV3_MASK)?
678 GSK_PROTOCOL_SSLV3_ON: GSK_PROTOCOL_SSLV3_OFF, FALSE);
680 result = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1,
681 (protoflags & CURL_GSKPROTO_TLSV10_MASK)?
682 GSK_PROTOCOL_TLSV1_ON: GSK_PROTOCOL_TLSV1_OFF, FALSE);
684 result = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV11,
685 (protoflags & CURL_GSKPROTO_TLSV11_MASK)?
686 GSK_TRUE: GSK_FALSE, TRUE);
687 if(result == CURLE_UNSUPPORTED_PROTOCOL) {
689 if(protoflags == CURL_GSKPROTO_TLSV11_MASK) {
690 failf(data, "TLS 1.1 not yet supported");
691 result = CURLE_SSL_CIPHER;
696 result = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV12,
697 (protoflags & CURL_GSKPROTO_TLSV12_MASK)?
698 GSK_TRUE: GSK_FALSE, TRUE);
699 if(result == CURLE_UNSUPPORTED_PROTOCOL) {
701 if(protoflags == CURL_GSKPROTO_TLSV12_MASK) {
702 failf(data, "TLS 1.2 not yet supported");
703 result = CURLE_SSL_CIPHER;
708 result = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
709 data->set.ssl.verifypeer? GSK_SERVER_AUTH_FULL:
710 GSK_SERVER_AUTH_PASSTHRU, FALSE);
713 /* Start handshake. Try asynchronous first. */
714 memset(&commarea, 0, sizeof commarea);
715 connssl->iocport = QsoCreateIOCompletionPort();
716 if(connssl->iocport != -1) {
717 result = gskit_status(data,
718 gsk_secure_soc_startInit(connssl->handle,
721 "gsk_secure_soc_startInit()",
722 CURLE_SSL_CONNECT_ERROR);
724 connssl->connecting_state = ssl_connect_2;
728 close_async_handshake(connssl);
730 else if(errno != ENOBUFS)
731 result = gskit_status(data, GSK_ERROR_IO,
732 "QsoCreateIOCompletionPort()", 0);
734 /* No more completion port available. Use synchronous IO. */
735 result = gskit_status(data, gsk_secure_soc_init(connssl->handle),
736 "gsk_secure_soc_init()", CURLE_SSL_CONNECT_ERROR);
738 connssl->connecting_state = ssl_connect_3;
744 /* Error: rollback. */
745 close_one(connssl, data);
750 static CURLcode gskit_connect_step2(struct connectdata *conn, int sockindex,
753 struct SessionHandle *data = conn->data;
754 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
755 Qso_OverlappedIO_t cstat;
760 /* Poll or wait for end of SSL asynchronous handshake. */
763 timeout_ms = nonblocking? 0: Curl_timeleft(data, NULL, TRUE);
766 stmv.tv_sec = timeout_ms / 1000;
767 stmv.tv_usec = (timeout_ms - stmv.tv_sec * 1000) * 1000;
768 switch (QsoWaitForIOCompletion(connssl->iocport, &cstat, &stmv)) {
769 case 1: /* Operation complete. */
771 case -1: /* An error occurred: handshake still in progress. */
775 continue; /* Retry. */
778 failf(data, "QsoWaitForIOCompletion() I/O error: %s", strerror(errno));
779 cancel_async_handshake(conn, sockindex);
780 close_async_handshake(connssl);
781 return CURLE_SSL_CONNECT_ERROR;
784 case 0: /* Handshake in progress, timeout occurred. */
787 cancel_async_handshake(conn, sockindex);
788 close_async_handshake(connssl);
789 return CURLE_OPERATION_TIMEDOUT;
793 result = gskit_status(data, cstat.returnValue, "SSL handshake",
794 CURLE_SSL_CONNECT_ERROR);
796 connssl->connecting_state = ssl_connect_3;
797 close_async_handshake(connssl);
802 static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
804 struct SessionHandle *data = conn->data;
805 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
806 const gsk_cert_data_elem *cdev;
808 const gsk_cert_data_elem *p;
809 const char *cert = (const char *) NULL;
815 /* SSL handshake done: gather certificate info and verify host. */
817 if(gskit_status(data, gsk_attribute_get_cert_info(connssl->handle,
818 GSK_PARTNER_CERT_INFO,
820 "gsk_attribute_get_cert_info()", CURLE_SSL_CONNECT_ERROR) ==
822 infof(data, "Server certificate:\n");
824 for(i = 0; i++ < cdec; p++)
825 switch (p->cert_data_id) {
827 cert = p->cert_data_p;
828 certend = cert + cdev->cert_data_l;
830 case CERT_DN_PRINTABLE:
831 infof(data, "\t subject: %.*s\n", p->cert_data_l, p->cert_data_p);
833 case CERT_ISSUER_DN_PRINTABLE:
834 infof(data, "\t issuer: %.*s\n", p->cert_data_l, p->cert_data_p);
836 case CERT_VALID_FROM:
837 infof(data, "\t start date: %.*s\n", p->cert_data_l, p->cert_data_p);
840 infof(data, "\t expire date: %.*s\n", p->cert_data_l, p->cert_data_p);
846 result = Curl_verifyhost(conn, cert, certend);
850 /* The only place GSKit can get the whole CA chain is a validation
851 callback where no user data pointer is available. Therefore it's not
852 possible to copy this chain into our structures for CAINFO.
853 However the server certificate may be available, thus we can return
855 if(data->set.ssl.certinfo) {
856 result = Curl_ssl_init_certinfo(data, 1);
861 result = Curl_extract_certinfo(conn, 0, cert, certend);
867 /* Check pinned public key. */
868 ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
870 curl_X509certificate x509;
874 return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
875 Curl_parseX509(&x509, cert, certend);
876 p = &x509.subjectPublicKeyInfo;
877 result = Curl_pin_peer_pubkey(ptr, p->header, p->end - p->header);
879 failf(data, "SSL: public key does not match pinned public key!");
884 connssl->connecting_state = ssl_connect_done;
889 static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex,
890 bool nonblocking, bool *done)
892 struct SessionHandle *data = conn->data;
893 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
895 Qso_OverlappedIO_t cstat;
896 CURLcode result = CURLE_OK;
898 *done = connssl->state == ssl_connection_complete;
902 /* Step 1: create session, start handshake. */
903 if(connssl->connecting_state == ssl_connect_1) {
904 /* check allowed time left */
905 timeout_ms = Curl_timeleft(data, NULL, TRUE);
908 /* no need to continue if time already is up */
909 failf(data, "SSL connection timeout");
910 result = CURLE_OPERATION_TIMEDOUT;
913 result = gskit_connect_step1(conn, sockindex);
916 /* Step 2: check if handshake is over. */
917 if(!result && connssl->connecting_state == ssl_connect_2) {
918 /* check allowed time left */
919 timeout_ms = Curl_timeleft(data, NULL, TRUE);
922 /* no need to continue if time already is up */
923 failf(data, "SSL connection timeout");
924 result = CURLE_OPERATION_TIMEDOUT;
927 result = gskit_connect_step2(conn, sockindex, nonblocking);
930 /* Step 3: gather certificate info, verify host. */
931 if(!result && connssl->connecting_state == ssl_connect_3)
932 result = gskit_connect_step3(conn, sockindex);
935 close_one(connssl, data);
936 else if(connssl->connecting_state == ssl_connect_done) {
937 connssl->state = ssl_connection_complete;
938 connssl->connecting_state = ssl_connect_1;
939 conn->recv[sockindex] = gskit_recv;
940 conn->send[sockindex] = gskit_send;
948 CURLcode Curl_gskit_connect_nonblocking(struct connectdata *conn,
954 result = gskit_connect_common(conn, sockindex, TRUE, done);
956 conn->ssl[sockindex].connecting_state = ssl_connect_1;
961 CURLcode Curl_gskit_connect(struct connectdata *conn, int sockindex)
966 conn->ssl[sockindex].connecting_state = ssl_connect_1;
967 result = gskit_connect_common(conn, sockindex, FALSE, &done);
977 void Curl_gskit_close(struct connectdata *conn, int sockindex)
979 struct SessionHandle *data = conn->data;
980 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
983 close_one(connssl, data);
987 int Curl_gskit_shutdown(struct connectdata *conn, int sockindex)
989 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
990 struct SessionHandle *data = conn->data;
999 if(data->set.ftp_ccc != CURLFTPSSL_CCC_ACTIVE)
1002 close_one(connssl, data);
1004 what = Curl_socket_ready(conn->sock[sockindex],
1005 CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
1009 /* anything that gets here is fatally bad */
1010 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
1015 if(!what) { /* timeout */
1016 failf(data, "SSL shutdown timeout");
1020 /* Something to read, let's do it and hope that it is the close
1021 notify alert from the server. No way to gsk_secure_soc_read() now, so
1024 nread = read(conn->sock[sockindex], buf, sizeof(buf));
1027 failf(data, "read: %s", strerror(errno));
1034 what = Curl_socket_ready(conn->sock[sockindex], CURL_SOCKET_BAD, 0);
1041 size_t Curl_gskit_version(char *buffer, size_t size)
1043 strncpy(buffer, "GSKit", size);
1044 return strlen(buffer);
1048 int Curl_gskit_check_cxn(struct connectdata *cxn)
1053 /* The only thing that can be tested here is at the socket level. */
1055 if(!cxn->ssl[FIRSTSOCKET].handle)
1056 return 0; /* connection has been closed */
1059 errlen = sizeof err;
1061 if(getsockopt(cxn->sock[FIRSTSOCKET], SOL_SOCKET, SO_ERROR,
1062 (unsigned char *) &err, &errlen) ||
1063 errlen != sizeof err || err)
1064 return 0; /* connection has been closed */
1066 return -1; /* connection status unknown */
1069 #endif /* USE_GSKIT */
projects / platform / upstream / curl.git / blob