generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

gskit: adapt to new ssl proxy parameters

Browse Source
This commit is contained in:
Patrick Monnerat
2015-12-15 14:30:25 +01:00
parent 4e28002898
commit 4bb13975a8
2 changed files with 48 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
lib/vtls/gskit.c
View File

@@ -289,10 +289,11 @@ static CURLcode set_callback(struct SessionHandle *data,
}
static CURLcode set_ciphers(struct SessionHandle *data,
static CURLcode set_ciphers(struct connectdata *conn,
gsk_handle h, unsigned int *protoflags)
{
const char *cipherlist = data->set.str[STRING_SSL_CIPHER_LIST];
struct SessionHandle *data = conn->data;
const char *cipherlist = SSL_CONN_CONFIG(cipher_list);
const char *clp;
const gskit_cipher *ctp;
int i;
@@ -501,16 +502,16 @@ static void close_async_handshake(struct ssl_connect_data *connssl)
}
static void close_one(struct ssl_connect_data *conn,
static void close_one(struct ssl_connect_data *connssl,
struct SessionHandle *data)
{
if(conn->handle) {
gskit_status(data, gsk_secure_soc_close(&conn->handle),
if(connssl->handle) {
gskit_status(data, gsk_secure_soc_close(&connssl->handle),
"gsk_secure_soc_close()", 0);
conn->handle = (gsk_handle) NULL;
connssl->handle = (gsk_handle) NULL;
}
if(conn->iocport >= 0)
close_async_handshake(conn);
if(connssl->iocport >= 0)
close_async_handshake(connssl);
}
@@ -560,14 +561,28 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
gsk_handle envir;
CURLcode result;
int rc;
char *keyringfile;
char *keyringpwd;
char *keyringlabel;
char *sni;
const char * const keyringfile = SSL_CONN_CONFIG(CAfile);
const char * const keyringpwd = SSL_SET_OPTION(key_passwd);
const char * const keyringlabel = SSL_SET_OPTION(cert);
const long int ssl_version = SSL_CONN_CONFIG(version);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name:
conn->host.name;
const char *sni;
unsigned int protoflags;
long timeout;
Qso_OverlappedIO_t commarea;
/* GSKit does not feature an easy way to manipulate the encrypted data,
thus SSL stacking is not yet implemented.
GSKit always reads/writes the encrypted data from/to a file descriptor:
the stacking could therefore be implemented via a socketpair() and
and by periodically calling an interface procedure (no threads, no fork on
OS/400 in interactive mode). */
if(conn->proxy_ssl[sockindex].use)
return CURLE_UNSUPPORTED_PROTOCOL;
/* Create SSL environment, start (preferably asynchronous) handshake. */
connssl->handle = (gsk_handle) NULL;
@@ -586,9 +601,6 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
* application identifier mode is tried first, as recommended in IBM doc.
*/
keyringfile = data->set.str[STRING_SSL_CAFILE];
keyringpwd = data->set.str[STRING_KEY_PASSWD];
keyringlabel = data->set.str[STRING_CERT];
envir = (gsk_handle) NULL;
if(keyringlabel && *keyringlabel && !keyringpwd &&
@@ -616,15 +628,15 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
/* Determine which SSL/TLS version should be enabled. */
protoflags = CURL_GSKPROTO_TLSV10_MASK | CURL_GSKPROTO_TLSV11_MASK |
CURL_GSKPROTO_TLSV12_MASK;
sni = conn->host.name;
switch (data->set.ssl.version) {
sni = hostname;
switch (ssl_version) {
case CURL_SSLVERSION_SSLv2:
protoflags = CURL_GSKPROTO_SSLV2_MASK;
sni = (char *) NULL;
sni = NULL;
break;
case CURL_SSLVERSION_SSLv3:
protoflags = CURL_GSKPROTO_SSLV3_MASK;
sni = (char *) NULL;
sni = NULL;
break;
case CURL_SSLVERSION_TLSv1:
protoflags = CURL_GSKPROTO_TLSV10_MASK |
@@ -663,7 +675,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
if(!result)
result = set_numeric(data, connssl->handle, GSK_FD, conn->sock[sockindex]);
if(!result)
result = set_ciphers(data, connssl->handle, &protoflags);
result = set_ciphers(conn, connssl->handle, &protoflags);
if(!protoflags) {
failf(data, "No SSL protocol/cipher combination enabled");
result = CURLE_SSL_CIPHER;
@@ -706,7 +718,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
}
if(!result)
result = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
data->set.ssl.verifypeer? GSK_SERVER_AUTH_FULL:
verifypeer? GSK_SERVER_AUTH_FULL:
GSK_SERVER_AUTH_PASSTHRU, FALSE);
if(!result) {
@@ -977,10 +989,9 @@ CURLcode Curl_gskit_connect(struct connectdata *conn, int sockindex)
void Curl_gskit_close(struct connectdata *conn, int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
if(connssl->use)
close_one(connssl, data);
close_one(&conn->ssl[sockindex], data);
close_one(&conn->proxy_ssl[sockindex], data);
}

21
lib/x509asn1.c
View File

@@ -1063,6 +1063,11 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
int matched = -1;
size_t addrlen = (size_t) -1;
ssize_t len;
const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name:
conn->host.name;
const char * const dispname = SSL_IS_PROXY()?
conn->http_proxy.host.dispname:
conn->host.dispname;
#ifdef ENABLE_IPV6
struct in6_addr addr;
#else
@@ -1072,7 +1077,7 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
/* Verify that connection server matches info in X509 certificate at
`beg'..`end'. */
if(!data->set.ssl.verifyhost)
if(!SSL_CONN_CONFIG(verifyhost))
return CURLE_OK;
if(!beg)
@@ -1081,11 +1086,11 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
/* Get the server IP address. */
#ifdef ENABLE_IPV6
if(conn->bits.ipv6_ip && Curl_inet_pton(AF_INET6, conn->host.name, &addr))
if(conn->bits.ipv6_ip && Curl_inet_pton(AF_INET6, hostname, &addr))
addrlen = sizeof(struct in6_addr);
else
#endif
if(Curl_inet_pton(AF_INET, conn->host.name, &addr))
if(Curl_inet_pton(AF_INET, hostname, &addr))
addrlen = sizeof(struct in_addr);
/* Process extensions. */
@@ -1110,7 +1115,7 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
name.beg, name.end);
if(len > 0)
if(strlen(dnsname) == (size_t) len)
i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name);
i = Curl_cert_hostcheck((const char *) dnsname, hostname);
free(dnsname);
if(!i)
return CURLE_PEER_FAILED_VERIFICATION;
@@ -1129,12 +1134,12 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
switch (matched) {
case 1:
/* an alternative name matched the server hostname */
infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname);
infof(data, "\t subjectAltName: %s matched\n", dispname);
return CURLE_OK;
case 0:
/* an alternative name field existed, but didn't match and then
we MUST fail */
infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname);
infof(data, "\t subjectAltName does not match %s\n", dispname);
return CURLE_PEER_FAILED_VERIFICATION;
}
@@ -1166,14 +1171,14 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
}
if(strlen(dnsname) != (size_t) len) /* Nul byte in string ? */
failf(data, "SSL: illegal cert name field");
else if(Curl_cert_hostcheck((const char *) dnsname, conn->host.name)) {
else if(Curl_cert_hostcheck((const char *) dnsname, hostname)) {
infof(data, "\t common name: %s (matched)\n", dnsname);
free(dnsname);
return CURLE_OK;
}
else
failf(data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", dnsname, conn->host.dispname);
"target host name '%s'", dnsname, dispname);
free(dnsname);
}