gskit: adapt to new ssl proxy parameters

This commit is contained in:
Patrick Monnerat
2015-12-15 14:30:25 +01:00
parent 4e28002898
commit 4bb13975a8
2 changed files with 48 additions and 32 deletions


@@ -289,10 +289,11 @@ static CURLcode set_callback(struct SessionHandle *data,
} }
static CURLcode set_ciphers(struct SessionHandle *data, static CURLcode set_ciphers(struct connectdata *conn,
gsk_handle h, unsigned int *protoflags) gsk_handle h, unsigned int *protoflags)
{ {
const char *cipherlist = data->set.str[STRING_SSL_CIPHER_LIST]; struct SessionHandle *data = conn->data;
const char *cipherlist = SSL_CONN_CONFIG(cipher_list);
const char *clp; const char *clp;
const gskit_cipher *ctp; const gskit_cipher *ctp;
int i; int i;
@@ -501,16 +502,16 @@ static void close_async_handshake(struct ssl_connect_data *connssl)
} }
static void close_one(struct ssl_connect_data *conn, static void close_one(struct ssl_connect_data *connssl,
struct SessionHandle *data) struct SessionHandle *data)
{ {
if(conn->handle) { if(connssl->handle) {
gskit_status(data, gsk_secure_soc_close(&conn->handle), gskit_status(data, gsk_secure_soc_close(&connssl->handle),
"gsk_secure_soc_close()", 0); "gsk_secure_soc_close()", 0);
conn->handle = (gsk_handle) NULL; connssl->handle = (gsk_handle) NULL;
} }
if(conn->iocport >= 0) if(connssl->iocport >= 0)
close_async_handshake(conn); close_async_handshake(connssl);
} }
@@ -560,14 +561,28 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
gsk_handle envir; gsk_handle envir;
CURLcode result; CURLcode result;
int rc; int rc;
char *keyringfile; const char * const keyringfile = SSL_CONN_CONFIG(CAfile);
char *keyringpwd; const char * const keyringpwd = SSL_SET_OPTION(key_passwd);
char *keyringlabel; const char * const keyringlabel = SSL_SET_OPTION(cert);
char *sni; const long int ssl_version = SSL_CONN_CONFIG(version);
const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name:
conn->host.name;
const char *sni;
unsigned int protoflags; unsigned int protoflags;
long timeout; long timeout;
Qso_OverlappedIO_t commarea; Qso_OverlappedIO_t commarea;
/* GSKit does not feature an easy way to manipulate the encrypted data,
thus SSL stacking is not yet implemented.
GSKit always reads/writes the encrypted data from/to a file descriptor:
the stacking could therefore be implemented via a socketpair() and
and by periodically calling an interface procedure (no threads, no fork on
OS/400 in interactive mode). */
if(conn->proxy_ssl[sockindex].use)
return CURLE_UNSUPPORTED_PROTOCOL;
/* Create SSL environment, start (preferably asynchronous) handshake. */ /* Create SSL environment, start (preferably asynchronous) handshake. */
connssl->handle = (gsk_handle) NULL; connssl->handle = (gsk_handle) NULL;
@@ -586,9 +601,6 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
* application identifier mode is tried first, as recommended in IBM doc. * application identifier mode is tried first, as recommended in IBM doc.
*/ */
keyringfile = data->set.str[STRING_SSL_CAFILE];
keyringpwd = data->set.str[STRING_KEY_PASSWD];
keyringlabel = data->set.str[STRING_CERT];
envir = (gsk_handle) NULL; envir = (gsk_handle) NULL;
if(keyringlabel && *keyringlabel && !keyringpwd && if(keyringlabel && *keyringlabel && !keyringpwd &&
@@ -616,15 +628,15 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
/* Determine which SSL/TLS version should be enabled. */ /* Determine which SSL/TLS version should be enabled. */
protoflags = CURL_GSKPROTO_TLSV10_MASK | CURL_GSKPROTO_TLSV11_MASK | protoflags = CURL_GSKPROTO_TLSV10_MASK | CURL_GSKPROTO_TLSV11_MASK |
CURL_GSKPROTO_TLSV12_MASK; CURL_GSKPROTO_TLSV12_MASK;
sni = conn->host.name; sni = hostname;
switch (data->set.ssl.version) { switch (ssl_version) {
case CURL_SSLVERSION_SSLv2: case CURL_SSLVERSION_SSLv2:
protoflags = CURL_GSKPROTO_SSLV2_MASK; protoflags = CURL_GSKPROTO_SSLV2_MASK;
sni = (char *) NULL; sni = NULL;
break; break;
case CURL_SSLVERSION_SSLv3: case CURL_SSLVERSION_SSLv3:
protoflags = CURL_GSKPROTO_SSLV3_MASK; protoflags = CURL_GSKPROTO_SSLV3_MASK;
sni = (char *) NULL; sni = NULL;
break; break;
case CURL_SSLVERSION_TLSv1: case CURL_SSLVERSION_TLSv1:
protoflags = CURL_GSKPROTO_TLSV10_MASK | protoflags = CURL_GSKPROTO_TLSV10_MASK |
@@ -663,7 +675,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
if(!result) if(!result)
result = set_numeric(data, connssl->handle, GSK_FD, conn->sock[sockindex]); result = set_numeric(data, connssl->handle, GSK_FD, conn->sock[sockindex]);
if(!result) if(!result)
result = set_ciphers(data, connssl->handle, &protoflags); result = set_ciphers(conn, connssl->handle, &protoflags);
if(!protoflags) { if(!protoflags) {
failf(data, "No SSL protocol/cipher combination enabled"); failf(data, "No SSL protocol/cipher combination enabled");
result = CURLE_SSL_CIPHER; result = CURLE_SSL_CIPHER;
@@ -706,7 +718,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
} }
if(!result) if(!result)
result = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE, result = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
data->set.ssl.verifypeer? GSK_SERVER_AUTH_FULL: verifypeer? GSK_SERVER_AUTH_FULL:
GSK_SERVER_AUTH_PASSTHRU, FALSE); GSK_SERVER_AUTH_PASSTHRU, FALSE);
if(!result) { if(!result) {
@@ -977,10 +989,9 @@ CURLcode Curl_gskit_connect(struct connectdata *conn, int sockindex)
void Curl_gskit_close(struct connectdata *conn, int sockindex) void Curl_gskit_close(struct connectdata *conn, int sockindex)
{ {
struct SessionHandle *data = conn->data; struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
if(connssl->use) close_one(&conn->ssl[sockindex], data);
close_one(connssl, data); close_one(&conn->proxy_ssl[sockindex], data);
} }
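Review bot: Curl_gskit_close now calls close_one() on conn->proxy_ssl[sockindex] unconditionally, and close_one() tears the completion port down whenever `connssl->iocport >= 0`; the dropped `if(connssl->use)` guard was the only thing keeping a never-connected proxy_ssl slot out of close_async_handshake(), and a zero-filled slot has iocport == 0 unless it is set to -1 somewhere outside this diff. Suggest restoring the guard per slot, `if(conn->ssl[sockindex].use) close_one(&conn->ssl[sockindex], data);` and `if(conn->proxy_ssl[sockindex].use) close_one(&conn->proxy_ssl[sockindex], data);`, or initialising iocport to -1 for both slots when the connection is set up. On the connect side, the early `return CURLE_UNSUPPORTED_PROTOCOL` for `conn->proxy_ssl[sockindex].use` is the right fail-closed choice for TLS-over-TLS, but a preceding `failf(data, "GSKit: SSL over an SSL proxy is not supported");` would stop the error being misread as an unsupported URL scheme. gskit_connect_step1 continues past each of its hunks here.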


@@ -1063,6 +1063,11 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
int matched = -1; int matched = -1;
size_t addrlen = (size_t) -1; size_t addrlen = (size_t) -1;
ssize_t len; ssize_t len;
const char * const hostname = SSL_IS_PROXY()? conn->http_proxy.host.name:
conn->host.name;
const char * const dispname = SSL_IS_PROXY()?
conn->http_proxy.host.dispname:
conn->host.dispname;
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
struct in6_addr addr; struct in6_addr addr;
#else #else
@@ -1072,7 +1077,7 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
/* Verify that connection server matches info in X509 certificate at /* Verify that connection server matches info in X509 certificate at
`beg'..`end'. */ `beg'..`end'. */
if(!data->set.ssl.verifyhost) if(!SSL_CONN_CONFIG(verifyhost))
return CURLE_OK; return CURLE_OK;
if(!beg) if(!beg)
@@ -1081,11 +1086,11 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
/* Get the server IP address. */ /* Get the server IP address. */
#ifdef ENABLE_IPV6 #ifdef ENABLE_IPV6
if(conn->bits.ipv6_ip && Curl_inet_pton(AF_INET6, conn->host.name, &addr)) if(conn->bits.ipv6_ip && Curl_inet_pton(AF_INET6, hostname, &addr))
addrlen = sizeof(struct in6_addr); addrlen = sizeof(struct in6_addr);
else else
#endif #endif
if(Curl_inet_pton(AF_INET, conn->host.name, &addr)) if(Curl_inet_pton(AF_INET, hostname, &addr))
addrlen = sizeof(struct in_addr); addrlen = sizeof(struct in_addr);
/* Process extensions. */ /* Process extensions. */
@@ -1110,7 +1115,7 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
name.beg, name.end); name.beg, name.end);
if(len > 0) if(len > 0)
if(strlen(dnsname) == (size_t) len) if(strlen(dnsname) == (size_t) len)
i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name); i = Curl_cert_hostcheck((const char *) dnsname, hostname);
free(dnsname); free(dnsname);
if(!i) if(!i)
return CURLE_PEER_FAILED_VERIFICATION; return CURLE_PEER_FAILED_VERIFICATION;
@@ -1129,12 +1134,12 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
switch (matched) { switch (matched) {
case 1: case 1:
/* an alternative name matched the server hostname */ /* an alternative name matched the server hostname */
infof(data, "\t subjectAltName: %s matched\n", conn->host.dispname); infof(data, "\t subjectAltName: %s matched\n", dispname);
return CURLE_OK; return CURLE_OK;
case 0: case 0:
/* an alternative name field existed, but didn't match and then /* an alternative name field existed, but didn't match and then
we MUST fail */ we MUST fail */
infof(data, "\t subjectAltName does not match %s\n", conn->host.dispname); infof(data, "\t subjectAltName does not match %s\n", dispname);
return CURLE_PEER_FAILED_VERIFICATION; return CURLE_PEER_FAILED_VERIFICATION;
} }
@@ -1166,14 +1171,14 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
} }
if(strlen(dnsname) != (size_t) len) /* Nul byte in string ? */ if(strlen(dnsname) != (size_t) len) /* Nul byte in string ? */
failf(data, "SSL: illegal cert name field"); failf(data, "SSL: illegal cert name field");
else if(Curl_cert_hostcheck((const char *) dnsname, conn->host.name)) { else if(Curl_cert_hostcheck((const char *) dnsname, hostname)) {
infof(data, "\t common name: %s (matched)\n", dnsname); infof(data, "\t common name: %s (matched)\n", dnsname);
free(dnsname); free(dnsname);
return CURLE_OK; return CURLE_OK;
} }
else else
failf(data, "SSL: certificate subject name '%s' does not match " failf(data, "SSL: certificate subject name '%s' does not match "
"target host name '%s'", dnsname, conn->host.dispname); "target host name '%s'", dnsname, dispname);
free(dnsname); free(dnsname);
} }
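Review bot: The address parsing still keys on `conn->bits.ipv6_ip` while the name it parses is now the proxy host when SSL_IS_PROXY(); if that flag describes the URL host (as its name and the pre-change code suggest), an IPv6-literal proxy skips the AF_INET6 parse, fails the AF_INET one, leaves addrlen at (size_t)-1 and never reaches the iPAddress subjectAltName comparison, so verification of such a proxy can only fail. That is fail-closed rather than a bypass, but it is still wrong, and Curl_inet_pton() already decides whether the text is an IPv6 address, so `if(Curl_inet_pton(AF_INET6, hostname, &addr))` without the flag is sufficient; otherwise the flag has to be selected per side the way hostname and dispname are. Curl_verifyhost begins before the first hunk of this section.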