1 /***************************************************************************
3 * Project ___| | | | _ \| |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
8 * Copyright (C) 2010 - 2011, Hoi-Ho Chan, <hoiho.chan@gmail.com>
9 * Copyright (C) 2012 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
11 * This software is licensed as described in the file COPYING, which
12 * you should have received as part of this distribution. The terms
13 * are also available at https://curl.haxx.se/docs/copyright.html.
15 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
16 * copies of the Software, and permit persons to whom the Software is
17 * furnished to do so, under the terms of the COPYING file.
19 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20 * KIND, either express or implied.
22 ***************************************************************************/
25 * Source file for all mbedTLS-specific code for the TLS/SSL layer. No code
26 * but vtls.c should ever call or use these functions.
30 #include "curl_setup.h"
34 #include <mbedtls/net.h>
35 #include <mbedtls/ssl.h>
36 #include <mbedtls/certs.h>
37 #include <mbedtls/x509.h>
38 #include <mbedtls/version.h>
40 #include <mbedtls/error.h>
41 #include <mbedtls/entropy.h>
42 #include <mbedtls/ctr_drbg.h>
43 #include <mbedtls/sha256.h>
47 #include "inet_pton.h"
50 #include "parsedate.h"
51 #include "connect.h" /* for the connect timeout */
54 #include "polarssl_threadlock.h"
56 /* The last 3 #include files should be in this order */
57 #include "curl_printf.h"
58 #include "curl_memory.h"
61 /* apply threading? */
62 #if defined(USE_THREADS_POSIX) || defined(USE_THREADS_WIN32)
63 #define THREADING_SUPPORT
66 #if defined(THREADING_SUPPORT)
67 static mbedtls_entropy_context entropy;
69 static int entropy_init_initialized = 0;
71 /* start of entropy_init_mutex() */
72 static void entropy_init_mutex(mbedtls_entropy_context *ctx)
74 /* lock 0 = entropy_init_mutex() */
75 Curl_polarsslthreadlock_lock_function(0);
76 if(entropy_init_initialized == 0) {
77 mbedtls_entropy_init(ctx);
78 entropy_init_initialized = 1;
80 Curl_polarsslthreadlock_unlock_function(0);
82 /* end of entropy_init_mutex() */
84 /* start of entropy_func_mutex() */
85 static int entropy_func_mutex(void *data, unsigned char *output, size_t len)
88 /* lock 1 = entropy_func_mutex() */
89 Curl_polarsslthreadlock_lock_function(1);
90 ret = mbedtls_entropy_func(data, output, len);
91 Curl_polarsslthreadlock_unlock_function(1);
95 /* end of entropy_func_mutex() */
97 #endif /* THREADING_SUPPORT */
99 /* Define this to enable lots of debugging for mbedTLS */
103 static void mbed_debug(void *context, int level, const char *f_name,
104 int line_nb, const char *line)
106 struct Curl_easy *data = NULL;
111 data = (struct Curl_easy *)context;
113 infof(data, "%s", line);
119 /* ALPN for http2? */
122 # ifdef MBEDTLS_SSL_ALPN
131 const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_fr =
133 /* Hashes from SHA-1 and above */
134 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1) |
135 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_RIPEMD160) |
136 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA224) |
137 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA256) |
138 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA384) |
139 MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA512),
140 0xFFFFFFF, /* Any PK alg */
141 0xFFFFFFF, /* Any curve */
142 1024, /* RSA min key len */
145 /* See https://tls.mbed.org/discussions/generic/
146 howto-determine-exact-buffer-len-for-mbedtls_pk_write_pubkey_der
148 #define RSA_PUB_DER_MAX_BYTES (38 + 2 * MBEDTLS_MPI_MAX_SIZE)
149 #define ECP_PUB_DER_MAX_BYTES (30 + 2 * MBEDTLS_ECP_MAX_BYTES)
151 #define PUB_DER_MAX_BYTES (RSA_PUB_DER_MAX_BYTES > ECP_PUB_DER_MAX_BYTES ? \
152 RSA_PUB_DER_MAX_BYTES : ECP_PUB_DER_MAX_BYTES)
154 static Curl_recv mbed_recv;
155 static Curl_send mbed_send;
158 mbed_connect_step1(struct connectdata *conn,
161 struct Curl_easy *data = conn->data;
162 struct ssl_connect_data* connssl = &conn->ssl[sockindex];
168 /* mbedTLS only supports SSLv3 and TLSv1 */
169 if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) {
170 failf(data, "mbedTLS does not support SSLv2");
171 return CURLE_SSL_CONNECT_ERROR;
174 #ifdef THREADING_SUPPORT
175 entropy_init_mutex(&entropy);
176 mbedtls_ctr_drbg_init(&connssl->ctr_drbg);
178 ret = mbedtls_ctr_drbg_seed(&connssl->ctr_drbg, entropy_func_mutex,
181 #ifdef MBEDTLS_ERROR_C
182 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
183 #endif /* MBEDTLS_ERROR_C */
184 failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s\n",
188 mbedtls_entropy_init(&connssl->entropy);
189 mbedtls_ctr_drbg_init(&connssl->ctr_drbg);
191 ret = mbedtls_ctr_drbg_seed(&connssl->ctr_drbg, mbedtls_entropy_func,
192 &connssl->entropy, NULL, 0);
194 #ifdef MBEDTLS_ERROR_C
195 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
196 #endif /* MBEDTLS_ERROR_C */
197 failf(data, "Failed - mbedTLS: ctr_drbg_init returned (-0x%04X) %s\n",
200 #endif /* THREADING_SUPPORT */
202 /* Load the trusted CA */
203 mbedtls_x509_crt_init(&connssl->cacert);
205 if(data->set.str[STRING_SSL_CAFILE]) {
206 ret = mbedtls_x509_crt_parse_file(&connssl->cacert,
207 data->set.str[STRING_SSL_CAFILE]);
210 #ifdef MBEDTLS_ERROR_C
211 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
212 #endif /* MBEDTLS_ERROR_C */
213 failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s",
214 data->set.str[STRING_SSL_CAFILE], -ret, errorbuf);
216 if(data->set.ssl.verifypeer)
217 return CURLE_SSL_CACERT_BADFILE;
221 if(data->set.str[STRING_SSL_CAPATH]) {
222 ret = mbedtls_x509_crt_parse_path(&connssl->cacert,
223 data->set.str[STRING_SSL_CAPATH]);
226 #ifdef MBEDTLS_ERROR_C
227 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
228 #endif /* MBEDTLS_ERROR_C */
229 failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s",
230 data->set.str[STRING_SSL_CAPATH], -ret, errorbuf);
232 if(data->set.ssl.verifypeer)
233 return CURLE_SSL_CACERT_BADFILE;
237 /* Load the client certificate */
238 mbedtls_x509_crt_init(&connssl->clicert);
240 if(data->set.str[STRING_CERT]) {
241 ret = mbedtls_x509_crt_parse_file(&connssl->clicert,
242 data->set.str[STRING_CERT]);
245 #ifdef MBEDTLS_ERROR_C
246 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
247 #endif /* MBEDTLS_ERROR_C */
248 failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s",
249 data->set.str[STRING_CERT], -ret, errorbuf);
251 return CURLE_SSL_CERTPROBLEM;
255 /* Load the client private key */
256 mbedtls_pk_init(&connssl->pk);
258 if(data->set.str[STRING_KEY]) {
259 ret = mbedtls_pk_parse_keyfile(&connssl->pk, data->set.str[STRING_KEY],
260 data->set.str[STRING_KEY_PASSWD]);
261 if(ret == 0 && !mbedtls_pk_can_do(&connssl->pk, MBEDTLS_PK_RSA))
262 ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
265 #ifdef MBEDTLS_ERROR_C
266 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
267 #endif /* MBEDTLS_ERROR_C */
268 failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s",
269 data->set.str[STRING_KEY], -ret, errorbuf);
271 return CURLE_SSL_CERTPROBLEM;
276 mbedtls_x509_crl_init(&connssl->crl);
278 if(data->set.str[STRING_SSL_CRLFILE]) {
279 ret = mbedtls_x509_crl_parse_file(&connssl->crl,
280 data->set.str[STRING_SSL_CRLFILE]);
283 #ifdef MBEDTLS_ERROR_C
284 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
285 #endif /* MBEDTLS_ERROR_C */
286 failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s",
287 data->set.str[STRING_SSL_CRLFILE], -ret, errorbuf);
289 return CURLE_SSL_CRL_BADFILE;
293 infof(data, "mbedTLS: Connecting to %s:%d\n",
294 conn->host.name, conn->remote_port);
296 mbedtls_ssl_config_init(&connssl->config);
298 mbedtls_ssl_init(&connssl->ssl);
299 if(mbedtls_ssl_setup(&connssl->ssl, &connssl->config)) {
300 failf(data, "mbedTLS: ssl_init failed");
301 return CURLE_SSL_CONNECT_ERROR;
303 ret = mbedtls_ssl_config_defaults(&connssl->config,
304 MBEDTLS_SSL_IS_CLIENT,
305 MBEDTLS_SSL_TRANSPORT_STREAM,
306 MBEDTLS_SSL_PRESET_DEFAULT);
308 failf(data, "mbedTLS: ssl_config failed");
309 return CURLE_SSL_CONNECT_ERROR;
312 /* new profile with RSA min key len = 1024 ... */
313 mbedtls_ssl_conf_cert_profile(&connssl->config,
314 &mbedtls_x509_crt_profile_fr);
316 switch(data->set.ssl.version) {
317 case CURL_SSLVERSION_DEFAULT:
318 case CURL_SSLVERSION_TLSv1:
319 mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
320 MBEDTLS_SSL_MINOR_VERSION_1);
321 infof(data, "mbedTLS: Set min SSL version to TLS 1.0\n");
323 case CURL_SSLVERSION_SSLv3:
324 mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
325 MBEDTLS_SSL_MINOR_VERSION_0);
326 mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
327 MBEDTLS_SSL_MINOR_VERSION_0);
328 infof(data, "mbedTLS: Set SSL version to SSLv3\n");
330 case CURL_SSLVERSION_TLSv1_0:
331 mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
332 MBEDTLS_SSL_MINOR_VERSION_1);
333 mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
334 MBEDTLS_SSL_MINOR_VERSION_1);
335 infof(data, "mbedTLS: Set SSL version to TLS 1.0\n");
337 case CURL_SSLVERSION_TLSv1_1:
338 mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
339 MBEDTLS_SSL_MINOR_VERSION_2);
340 mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
341 MBEDTLS_SSL_MINOR_VERSION_2);
342 infof(data, "mbedTLS: Set SSL version to TLS 1.1\n");
344 case CURL_SSLVERSION_TLSv1_2:
345 mbedtls_ssl_conf_min_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
346 MBEDTLS_SSL_MINOR_VERSION_3);
347 mbedtls_ssl_conf_max_version(&connssl->config, MBEDTLS_SSL_MAJOR_VERSION_3,
348 MBEDTLS_SSL_MINOR_VERSION_3);
349 infof(data, "mbedTLS: Set SSL version to TLS 1.2\n");
352 failf(data, "mbedTLS: Unsupported SSL protocol version");
353 return CURLE_SSL_CONNECT_ERROR;
356 mbedtls_ssl_conf_authmode(&connssl->config, MBEDTLS_SSL_VERIFY_OPTIONAL);
358 mbedtls_ssl_conf_rng(&connssl->config, mbedtls_ctr_drbg_random,
360 mbedtls_ssl_set_bio(&connssl->ssl, &conn->sock[sockindex],
363 NULL /* rev_timeout() */);
365 mbedtls_ssl_conf_ciphersuites(&connssl->config,
366 mbedtls_ssl_list_ciphersuites());
368 /* Check if there's a cached ID we can/should use here! */
369 if(conn->ssl_config.sessionid) {
370 void *old_session = NULL;
372 Curl_ssl_sessionid_lock(conn);
373 if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) {
374 ret = mbedtls_ssl_set_session(&connssl->ssl, old_session);
376 Curl_ssl_sessionid_unlock(conn);
377 failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret);
378 return CURLE_SSL_CONNECT_ERROR;
380 infof(data, "mbedTLS re-using session\n");
382 Curl_ssl_sessionid_unlock(conn);
385 mbedtls_ssl_conf_ca_chain(&connssl->config,
389 if(data->set.str[STRING_KEY]) {
390 mbedtls_ssl_conf_own_cert(&connssl->config,
391 &connssl->clicert, &connssl->pk);
393 if(mbedtls_ssl_set_hostname(&connssl->ssl, conn->host.name)) {
394 /* mbedtls_ssl_set_hostname() sets the name to use in CN/SAN checks *and*
395 the name to set in the SNI extension. So even if curl connects to a
396 host specified as an IP address, this function must be used. */
397 failf(data, "couldn't set hostname in mbedTLS");
398 return CURLE_SSL_CONNECT_ERROR;
402 if(conn->bits.tls_enable_alpn) {
403 const char **p = &connssl->protocols[0];
405 if(data->set.httpversion >= CURL_HTTP_VERSION_2)
406 *p++ = NGHTTP2_PROTO_VERSION_ID;
408 *p++ = ALPN_HTTP_1_1;
410 /* this function doesn't clone the protocols array, which is why we need
412 if(mbedtls_ssl_conf_alpn_protocols(&connssl->config,
413 &connssl->protocols[0])) {
414 failf(data, "Failed setting ALPN protocols");
415 return CURLE_SSL_CONNECT_ERROR;
417 for(p = &connssl->protocols[0]; *p; ++p)
418 infof(data, "ALPN, offering %s\n", *p);
423 /* In order to make that work in mbedtls MBEDTLS_DEBUG_C must be defined. */
424 mbedtls_ssl_conf_dbg(&connssl->config, mbed_debug, data);
431 mbedtls_debug_set_threshold(4);
434 connssl->connecting_state = ssl_connect_2;
440 mbed_connect_step2(struct connectdata *conn,
444 struct Curl_easy *data = conn->data;
445 struct ssl_connect_data* connssl = &conn->ssl[sockindex];
446 const mbedtls_x509_crt *peercert;
449 const char* next_protocol;
455 conn->recv[sockindex] = mbed_recv;
456 conn->send[sockindex] = mbed_send;
458 ret = mbedtls_ssl_handshake(&connssl->ssl);
460 if(ret == MBEDTLS_ERR_SSL_WANT_READ) {
461 connssl->connecting_state = ssl_connect_2_reading;
464 else if(ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
465 connssl->connecting_state = ssl_connect_2_writing;
469 #ifdef MBEDTLS_ERROR_C
470 mbedtls_strerror(ret, errorbuf, sizeof(errorbuf));
471 #endif /* MBEDTLS_ERROR_C */
472 failf(data, "ssl_handshake returned - mbedTLS: (-0x%04X) %s",
474 return CURLE_SSL_CONNECT_ERROR;
477 infof(data, "mbedTLS: Handshake complete, cipher is %s\n",
478 mbedtls_ssl_get_ciphersuite(&conn->ssl[sockindex].ssl)
481 ret = mbedtls_ssl_get_verify_result(&conn->ssl[sockindex].ssl);
483 if(ret && data->set.ssl.verifypeer) {
484 if(ret & MBEDTLS_X509_BADCERT_EXPIRED)
485 failf(data, "Cert verify failed: BADCERT_EXPIRED");
487 if(ret & MBEDTLS_X509_BADCERT_REVOKED) {
488 failf(data, "Cert verify failed: BADCERT_REVOKED");
489 return CURLE_SSL_CACERT;
492 if(ret & MBEDTLS_X509_BADCERT_CN_MISMATCH)
493 failf(data, "Cert verify failed: BADCERT_CN_MISMATCH");
495 if(ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED)
496 failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED");
498 return CURLE_PEER_FAILED_VERIFICATION;
501 peercert = mbedtls_ssl_get_peer_cert(&connssl->ssl);
503 if(peercert && data->set.verbose) {
504 const size_t bufsize = 16384;
505 char *buffer = malloc(bufsize);
508 return CURLE_OUT_OF_MEMORY;
510 if(mbedtls_x509_crt_info(buffer, bufsize, "* ", peercert) > 0)
511 infof(data, "Dumping cert info:\n%s\n", buffer);
513 infof(data, "Unable to dump certificate information.\n");
518 if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
522 unsigned char pubkey[PUB_DER_MAX_BYTES];
524 if(!peercert || !peercert->raw.p || !peercert->raw.len) {
525 failf(data, "Failed due to missing peer certificate");
526 return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
529 p = calloc(1, sizeof(*p));
532 return CURLE_OUT_OF_MEMORY;
534 mbedtls_x509_crt_init(p);
536 /* Make a copy of our const peercert because mbedtls_pk_write_pubkey_der
537 needs a non-const key, for now.
538 https://github.com/ARMmbed/mbedtls/issues/396 */
539 if(mbedtls_x509_crt_parse_der(p, peercert->raw.p, peercert->raw.len)) {
540 failf(data, "Failed copying peer certificate");
541 mbedtls_x509_crt_free(p);
543 return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
546 size = mbedtls_pk_write_pubkey_der(&p->pk, pubkey, PUB_DER_MAX_BYTES);
549 failf(data, "Failed copying public key from peer certificate");
550 mbedtls_x509_crt_free(p);
552 return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
555 /* mbedtls_pk_write_pubkey_der writes data at the end of the buffer. */
556 result = Curl_pin_peer_pubkey(data,
557 data->set.str[STRING_SSL_PINNEDPUBLICKEY],
558 &pubkey[PUB_DER_MAX_BYTES - size], size);
560 mbedtls_x509_crt_free(p);
565 mbedtls_x509_crt_free(p);
570 if(conn->bits.tls_enable_alpn) {
571 next_protocol = mbedtls_ssl_get_alpn_protocol(&connssl->ssl);
574 infof(data, "ALPN, server accepted to use %s\n", next_protocol);
576 if(!strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID,
577 NGHTTP2_PROTO_VERSION_ID_LEN) &&
578 !next_protocol[NGHTTP2_PROTO_VERSION_ID_LEN]) {
579 conn->negnpn = CURL_HTTP_VERSION_2;
583 if(!strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH) &&
584 !next_protocol[ALPN_HTTP_1_1_LENGTH]) {
585 conn->negnpn = CURL_HTTP_VERSION_1_1;
589 infof(data, "ALPN, server did not agree to a protocol\n");
594 connssl->connecting_state = ssl_connect_3;
595 infof(data, "SSL connected\n");
601 mbed_connect_step3(struct connectdata *conn,
604 CURLcode retcode = CURLE_OK;
605 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
606 struct Curl_easy *data = conn->data;
608 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
610 if(conn->ssl_config.sessionid) {
612 mbedtls_ssl_session *our_ssl_sessionid;
613 void *old_ssl_sessionid = NULL;
615 our_ssl_sessionid = malloc(sizeof(mbedtls_ssl_session));
616 if(!our_ssl_sessionid)
617 return CURLE_OUT_OF_MEMORY;
619 mbedtls_ssl_session_init(our_ssl_sessionid);
621 ret = mbedtls_ssl_get_session(&connssl->ssl, our_ssl_sessionid);
623 failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
624 return CURLE_SSL_CONNECT_ERROR;
627 /* If there's already a matching session in the cache, delete it */
628 Curl_ssl_sessionid_lock(conn);
629 if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL))
630 Curl_ssl_delsessionid(conn, old_ssl_sessionid);
632 retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0);
633 Curl_ssl_sessionid_unlock(conn);
635 free(our_ssl_sessionid);
636 failf(data, "failed to store ssl session");
641 connssl->connecting_state = ssl_connect_done;
646 static ssize_t mbed_send(struct connectdata *conn, int sockindex,
647 const void *mem, size_t len,
652 ret = mbedtls_ssl_write(&conn->ssl[sockindex].ssl,
653 (unsigned char *)mem, len);
656 *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_WRITE) ?
657 CURLE_AGAIN : CURLE_SEND_ERROR;
664 void Curl_mbedtls_close_all(struct Curl_easy *data)
669 void Curl_mbedtls_close(struct connectdata *conn, int sockindex)
671 mbedtls_pk_free(&conn->ssl[sockindex].pk);
672 mbedtls_x509_crt_free(&conn->ssl[sockindex].clicert);
673 mbedtls_x509_crt_free(&conn->ssl[sockindex].cacert);
674 mbedtls_x509_crl_free(&conn->ssl[sockindex].crl);
675 mbedtls_ssl_config_free(&conn->ssl[sockindex].config);
676 mbedtls_ssl_free(&conn->ssl[sockindex].ssl);
677 mbedtls_ctr_drbg_free(&conn->ssl[sockindex].ctr_drbg);
678 #ifndef THREADING_SUPPORT
679 mbedtls_entropy_free(&conn->ssl[sockindex].entropy);
680 #endif /* THREADING_SUPPORT */
683 static ssize_t mbed_recv(struct connectdata *conn, int num,
684 char *buf, size_t buffersize,
690 memset(buf, 0, buffersize);
691 ret = mbedtls_ssl_read(&conn->ssl[num].ssl, (unsigned char *)buf,
695 if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY)
698 *curlcode = (ret == MBEDTLS_ERR_SSL_WANT_READ) ?
699 CURLE_AGAIN : CURLE_RECV_ERROR;
708 void Curl_mbedtls_session_free(void *ptr)
710 mbedtls_ssl_session_free(ptr);
714 size_t Curl_mbedtls_version(char *buffer, size_t size)
716 unsigned int version = mbedtls_version_get_number();
717 return snprintf(buffer, size, "mbedTLS/%d.%d.%d", version>>24,
718 (version>>16)&0xff, (version>>8)&0xff);
722 mbed_connect_common(struct connectdata *conn,
728 struct Curl_easy *data = conn->data;
729 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
730 curl_socket_t sockfd = conn->sock[sockindex];
734 /* check if the connection has already been established */
735 if(ssl_connection_complete == connssl->state) {
740 if(ssl_connect_1==connssl->connecting_state) {
741 /* Find out how much more time we're allowed */
742 timeout_ms = Curl_timeleft(data, NULL, TRUE);
745 /* no need to continue if time already is up */
746 failf(data, "SSL connection timeout");
747 return CURLE_OPERATION_TIMEDOUT;
749 retcode = mbed_connect_step1(conn, sockindex);
754 while(ssl_connect_2 == connssl->connecting_state ||
755 ssl_connect_2_reading == connssl->connecting_state ||
756 ssl_connect_2_writing == connssl->connecting_state) {
758 /* check allowed time left */
759 timeout_ms = Curl_timeleft(data, NULL, TRUE);
762 /* no need to continue if time already is up */
763 failf(data, "SSL connection timeout");
764 return CURLE_OPERATION_TIMEDOUT;
767 /* if ssl is expecting something, check if it's available. */
768 if(connssl->connecting_state == ssl_connect_2_reading
769 || connssl->connecting_state == ssl_connect_2_writing) {
771 curl_socket_t writefd = ssl_connect_2_writing==
772 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
773 curl_socket_t readfd = ssl_connect_2_reading==
774 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
776 what = Curl_socket_ready(readfd, writefd, nonblocking ? 0 : timeout_ms);
779 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
780 return CURLE_SSL_CONNECT_ERROR;
789 failf(data, "SSL connection timeout");
790 return CURLE_OPERATION_TIMEDOUT;
793 /* socket is readable or writable */
796 /* Run transaction, and return to the caller if it failed or if
797 * this connection is part of a multi handle and this loop would
798 * execute again. This permits the owner of a multi handle to
799 * abort a connection attempt before step2 has completed while
800 * ensuring that a client using select() or epoll() will always
801 * have a valid fdset to wait on.
803 retcode = mbed_connect_step2(conn, sockindex);
804 if(retcode || (nonblocking &&
805 (ssl_connect_2 == connssl->connecting_state ||
806 ssl_connect_2_reading == connssl->connecting_state ||
807 ssl_connect_2_writing == connssl->connecting_state)))
810 } /* repeat step2 until all transactions are done. */
812 if(ssl_connect_3==connssl->connecting_state) {
813 retcode = mbed_connect_step3(conn, sockindex);
818 if(ssl_connect_done==connssl->connecting_state) {
819 connssl->state = ssl_connection_complete;
820 conn->recv[sockindex] = mbed_recv;
821 conn->send[sockindex] = mbed_send;
827 /* Reset our connect state machine */
828 connssl->connecting_state = ssl_connect_1;
834 Curl_mbedtls_connect_nonblocking(struct connectdata *conn,
838 return mbed_connect_common(conn, sockindex, TRUE, done);
843 Curl_mbedtls_connect(struct connectdata *conn,
849 retcode = mbed_connect_common(conn, sockindex, FALSE, &done);
859 * return 0 error initializing SSL
860 * return 1 SSL initialized successfully
862 int Curl_mbedtls_init(void)
864 return Curl_polarsslthreadlock_thread_setup();
867 void Curl_mbedtls_cleanup(void)
869 (void)Curl_polarsslthreadlock_thread_cleanup();
872 int Curl_mbedtls_data_pending(const struct connectdata *conn, int sockindex)
874 mbedtls_ssl_context *ssl =
875 (mbedtls_ssl_context *)&conn->ssl[sockindex].ssl;
876 return ssl->in_msglen != 0;
879 #endif /* USE_MBEDTLS */