
Lines Matching +full:mbedtls +full:- +full:version

9  * Copyright (C) Hoi-Ho Chan, <hoiho.chan@gmail.com>
22 * SPDX-License-Identifier: curl
27 * Source file for all mbedTLS-specific code for the TLS/SSL layer. No code
36 /* Define this to enable lots of debugging for mbedTLS */
41 /* mbedTLS (as of v3.5.1) has a duplicate function declaration
43 #pragma GCC diagnostic ignored "-Wredundant-decls"
46 #include <mbedtls/version.h>
48 #include <mbedtls/net_sockets.h>
50 #include <mbedtls/net.h>
52 #include <mbedtls/ssl.h>
53 #include <mbedtls/x509.h>
55 #include <mbedtls/error.h>
56 #include <mbedtls/entropy.h>
57 #include <mbedtls/ctr_drbg.h>
58 #include <mbedtls/sha256.h>
62 # include <mbedtls/debug.h>
75 #include "mbedtls.h"
180 if(len && (line[len - 1] == '\n')) in mbed_debug()
182 len--; in mbed_debug()
200 nwritten = Curl_conn_cf_send(cf->next, data, (char *)buf, blen, &result); in mbedtls_bio_cf_write()
201 CURL_TRC_CF(data, cf, "mbedtls_bio_cf_out_write(len=%zu) -> %zd, err=%d", in mbedtls_bio_cf_write()
223 nread = Curl_conn_cf_recv(cf->next, data, (char *)buf, blen, &result); in mbedtls_bio_cf_read()
224 CURL_TRC_CF(data, cf, "mbedtls_bio_cf_in_read(len=%zu) -> %zd, err=%d", in mbedtls_bio_cf_read()
237 /* Hashes from SHA-1 and above */
250 howto-determine-exact-buffer-len-for-mbedtls_pk_write_pubkey_der
260 mbedtls_ssl_protocol_version* mbedver, long version) in mbedtls_version_from_curl() argument
262 switch(version) { in mbedtls_version_from_curl()
280 static CURLcode mbedtls_version_from_curl(int *mbedver, long version) in mbedtls_version_from_curl() argument
283 switch(version) { in mbedtls_version_from_curl()
293 switch(version) { in mbedtls_version_from_curl()
315 struct ssl_connect_data *connssl = cf->ctx; in set_ssl_version_min_max()
317 (struct mbed_ssl_backend_data *)connssl->backend; in set_ssl_version_min_max()
333 long ssl_version = conn_config->version; in set_ssl_version_min_max()
334 long ssl_version_max = conn_config->version_max; in set_ssl_version_min_max()
359 failf(data, "unsupported min version passed via CURLOPT_SSLVERSION"); in set_ssl_version_min_max()
364 failf(data, "unsupported max version passed via CURLOPT_SSLVERSION"); in set_ssl_version_min_max()
369 mbedtls_ssl_conf_min_tls_version(&backend->config, mbedtls_ver_min); in set_ssl_version_min_max()
370 mbedtls_ssl_conf_max_tls_version(&backend->config, mbedtls_ver_max); in set_ssl_version_min_max()
372 mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3, in set_ssl_version_min_max()
374 mbedtls_ssl_conf_max_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3, in set_ssl_version_min_max()
380 mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_REQUIRED); in set_ssl_version_min_max()
383 mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL); in set_ssl_version_min_max()
386 mbedtls_ssl_conf_authmode(&backend->config, MBEDTLS_SSL_VERIFY_OPTIONAL); in set_ssl_version_min_max()
393 in mbedTLS. The number is not reserved by IANA nor is the
412 size_t len = *end - *str; in mbed_cipher_suite_walk_str()
454 infof(data, "mbedTLS: unknown cipher in list: \"%.*s\"", in mbed_set_selected_ciphers()
455 (int) (end - ptr), ptr); in mbed_set_selected_ciphers()
462 infof(data, "mbedTLS: duplicate cipher in list: \"%.*s\"", in mbed_set_selected_ciphers()
463 (int) (end - ptr), ptr); in mbed_set_selected_ciphers()
474 failf(data, "mbedTLS: no supported cipher in list"); in mbed_set_selected_ciphers()
480 backend->ciphersuites = selected; in mbed_set_selected_ciphers()
481 mbedtls_ssl_conf_ciphersuites(&backend->config, backend->ciphersuites); in mbed_set_selected_ciphers()
488 struct ssl_connect_data *connssl = cf->ctx; in mbed_connect_step1()
490 (struct mbed_ssl_backend_data *)connssl->backend; in mbed_connect_step1()
492 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; in mbed_connect_step1()
496 (ca_info_blob ? NULL : conn_config->CAfile); in mbed_connect_step1()
497 const bool verifypeer = conn_config->verifypeer; in mbed_connect_step1()
498 const char * const ssl_capath = conn_config->CApath; in mbed_connect_step1()
499 char * const ssl_cert = ssl_config->primary.clientcert; in mbed_connect_step1()
500 const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob; in mbed_connect_step1()
501 const char * const ssl_crlfile = ssl_config->primary.CRLfile; in mbed_connect_step1()
502 const char *hostname = connssl->peer.hostname; in mbed_connect_step1()
503 int ret = -1; in mbed_connect_step1()
508 if((conn_config->version == CURL_SSLVERSION_SSLv2) || in mbed_connect_step1()
509 (conn_config->version == CURL_SSLVERSION_SSLv3)) { in mbed_connect_step1()
510 failf(data, "Not supported SSL version"); in mbed_connect_step1()
518 failf(data, "mbedTLS psa_crypto_init returned (-0x%04X) %s", in mbed_connect_step1()
519 -ret, errorbuf); in mbed_connect_step1()
525 mbedtls_ctr_drbg_init(&backend->ctr_drbg); in mbed_connect_step1()
527 ret = mbedtls_ctr_drbg_seed(&backend->ctr_drbg, entropy_func_mutex, in mbed_connect_step1()
531 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s", in mbed_connect_step1()
532 -ret, errorbuf); in mbed_connect_step1()
536 mbedtls_entropy_init(&backend->entropy); in mbed_connect_step1()
537 mbedtls_ctr_drbg_init(&backend->ctr_drbg); in mbed_connect_step1()
539 ret = mbedtls_ctr_drbg_seed(&backend->ctr_drbg, mbedtls_entropy_func, in mbed_connect_step1()
540 &backend->entropy, NULL, 0); in mbed_connect_step1()
543 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s", in mbed_connect_step1()
544 -ret, errorbuf); in mbed_connect_step1()
550 mbedtls_x509_crt_init(&backend->cacert); in mbed_connect_step1()
556 unsigned char *newblob = Curl_memdup0(ca_info_blob->data, in mbed_connect_step1()
557 ca_info_blob->len); in mbed_connect_step1()
560 ret = mbedtls_x509_crt_parse(&backend->cacert, newblob, in mbed_connect_step1()
561 ca_info_blob->len + 1); in mbed_connect_step1()
565 failf(data, "Error importing ca cert blob - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
566 -ret, errorbuf); in mbed_connect_step1()
573 ret = mbedtls_x509_crt_parse_file(&backend->cacert, ssl_cafile); in mbed_connect_step1()
577 failf(data, "Error reading ca cert file %s - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
578 ssl_cafile, -ret, errorbuf); in mbed_connect_step1()
582 failf(data, "mbedtls: functions that use the filesystem not built in"); in mbed_connect_step1()
589 ret = mbedtls_x509_crt_parse_path(&backend->cacert, ssl_capath); in mbed_connect_step1()
593 failf(data, "Error reading ca cert path %s - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
594 ssl_capath, -ret, errorbuf); in mbed_connect_step1()
600 failf(data, "mbedtls: functions that use the filesystem not built in"); in mbed_connect_step1()
606 mbedtls_x509_crt_init(&backend->clicert); in mbed_connect_step1()
610 ret = mbedtls_x509_crt_parse_file(&backend->clicert, ssl_cert); in mbed_connect_step1()
614 failf(data, "Error reading client cert file %s - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
615 ssl_cert, -ret, errorbuf); in mbed_connect_step1()
620 failf(data, "mbedtls: functions that use the filesystem not built in"); in mbed_connect_step1()
629 unsigned char *newblob = Curl_memdup0(ssl_cert_blob->data, in mbed_connect_step1()
630 ssl_cert_blob->len); in mbed_connect_step1()
633 ret = mbedtls_x509_crt_parse(&backend->clicert, newblob, in mbed_connect_step1()
634 ssl_cert_blob->len + 1); in mbed_connect_step1()
639 failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
640 ssl_config->key, -ret, errorbuf); in mbed_connect_step1()
646 mbedtls_pk_init(&backend->pk); in mbed_connect_step1()
648 if(ssl_config->key || ssl_config->key_blob) { in mbed_connect_step1()
649 if(ssl_config->key) { in mbed_connect_step1()
652 ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key, in mbed_connect_step1()
653 ssl_config->key_passwd, in mbed_connect_step1()
655 &backend->ctr_drbg); in mbed_connect_step1()
657 ret = mbedtls_pk_parse_keyfile(&backend->pk, ssl_config->key, in mbed_connect_step1()
658 ssl_config->key_passwd); in mbed_connect_step1()
663 failf(data, "Error reading private key %s - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
664 ssl_config->key, -ret, errorbuf); in mbed_connect_step1()
668 failf(data, "mbedtls: functions that use the filesystem not built in"); in mbed_connect_step1()
673 const struct curl_blob *ssl_key_blob = ssl_config->key_blob; in mbed_connect_step1()
675 (const unsigned char *)ssl_key_blob->data; in mbed_connect_step1()
676 const char *passwd = ssl_config->key_passwd; in mbed_connect_step1()
678 ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len, in mbed_connect_step1()
682 &backend->ctr_drbg); in mbed_connect_step1()
684 ret = mbedtls_pk_parse_key(&backend->pk, key_data, ssl_key_blob->len, in mbed_connect_step1()
691 failf(data, "Error parsing private key - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
692 -ret, errorbuf); in mbed_connect_step1()
697 if(ret == 0 && !(mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_RSA) || in mbed_connect_step1()
698 mbedtls_pk_can_do(&backend->pk, MBEDTLS_PK_ECKEY))) in mbed_connect_step1()
704 mbedtls_x509_crl_init(&backend->crl); in mbed_connect_step1()
708 ret = mbedtls_x509_crl_parse_file(&backend->crl, ssl_crlfile); in mbed_connect_step1()
712 failf(data, "Error reading CRL file %s - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
713 ssl_crlfile, -ret, errorbuf); in mbed_connect_step1()
718 failf(data, "mbedtls: functions that use the filesystem not built in"); in mbed_connect_step1()
724 failf(data, "mbedtls: crl support not built in"); in mbed_connect_step1()
729 infof(data, "mbedTLS: Connecting to %s:%d", hostname, connssl->peer.port); in mbed_connect_step1()
731 mbedtls_ssl_config_init(&backend->config); in mbed_connect_step1()
732 ret = mbedtls_ssl_config_defaults(&backend->config, in mbed_connect_step1()
737 failf(data, "mbedTLS: ssl_config failed"); in mbed_connect_step1()
741 mbedtls_ssl_init(&backend->ssl); in mbed_connect_step1()
744 mbedtls_ssl_conf_cert_profile(&backend->config, in mbed_connect_step1()
747 switch(conn_config->version) { in mbed_connect_step1()
751 mbedtls_ssl_conf_min_version(&backend->config, MBEDTLS_SSL_MAJOR_VERSION_3, in mbed_connect_step1()
753 infof(data, "mbedTLS: Set min SSL version to TLS 1.0"); in mbed_connect_step1()
771 mbedtls_ssl_conf_rng(&backend->config, mbedtls_ctr_drbg_random, in mbed_connect_step1()
772 &backend->ctr_drbg); in mbed_connect_step1()
774 ret = mbedtls_ssl_setup(&backend->ssl, &backend->config); in mbed_connect_step1()
777 failf(data, "ssl_setup failed - mbedTLS: (-0x%04X) %s", in mbed_connect_step1()
778 -ret, errorbuf); in mbed_connect_step1()
782 mbedtls_ssl_set_bio(&backend->ssl, cf, in mbed_connect_step1()
787 if(conn_config->cipher_list) { in mbed_connect_step1()
788 ret = mbed_set_selected_ciphers(data, backend, conn_config->cipher_list); in mbed_connect_step1()
790 failf(data, "mbedTLS: failed to set cipher suites"); in mbed_connect_step1()
795 mbedtls_ssl_conf_ciphersuites(&backend->config, in mbed_connect_step1()
801 mbedtls_ssl_conf_renegotiation(&backend->config, in mbed_connect_step1()
806 mbedtls_ssl_conf_session_tickets(&backend->config, in mbed_connect_step1()
811 if(ssl_config->primary.sessionid) { in mbed_connect_step1()
815 if(!Curl_ssl_getsessionid(cf, data, &connssl->peer, &old_session, NULL)) { in mbed_connect_step1()
816 ret = mbedtls_ssl_set_session(&backend->ssl, old_session); in mbed_connect_step1()
819 failf(data, "mbedtls_ssl_set_session returned -0x%x", -ret); in mbed_connect_step1()
822 infof(data, "mbedTLS reusing session"); in mbed_connect_step1()
827 mbedtls_ssl_conf_ca_chain(&backend->config, in mbed_connect_step1()
828 &backend->cacert, in mbed_connect_step1()
830 &backend->crl); in mbed_connect_step1()
835 if(ssl_config->key || ssl_config->key_blob) { in mbed_connect_step1()
836 mbedtls_ssl_conf_own_cert(&backend->config, in mbed_connect_step1()
837 &backend->clicert, &backend->pk); in mbed_connect_step1()
840 if(mbedtls_ssl_set_hostname(&backend->ssl, connssl->peer.sni? in mbed_connect_step1()
841 connssl->peer.sni : connssl->peer.hostname)) { in mbed_connect_step1()
850 if(connssl->alpn) { in mbed_connect_step1()
854 for(i = 0; i < connssl->alpn->count; ++i) { in mbed_connect_step1()
855 backend->protocols[i] = connssl->alpn->entries[i]; in mbed_connect_step1()
859 if(mbedtls_ssl_conf_alpn_protocols(&backend->config, in mbed_connect_step1()
860 &backend->protocols[0])) { in mbed_connect_step1()
864 Curl_alpn_to_proto_str(&proto, connssl->alpn); in mbed_connect_step1()
870 /* In order to make that work in mbedtls MBEDTLS_DEBUG_C must be defined. */ in mbed_connect_step1()
871 mbedtls_ssl_conf_dbg(&backend->config, mbed_debug, data); in mbed_connect_step1()
872 /* - 0 No debug in mbed_connect_step1()
873 * - 1 Error in mbed_connect_step1()
874 * - 2 State change in mbed_connect_step1()
875 * - 3 Informational in mbed_connect_step1()
876 * - 4 Verbose in mbed_connect_step1()
881 /* give application a chance to interfere with mbedTLS set up. */ in mbed_connect_step1()
882 if(data->set.ssl.fsslctx) { in mbed_connect_step1()
883 ret = (*data->set.ssl.fsslctx)(data, &backend->config, in mbed_connect_step1()
884 data->set.ssl.fsslctxp); in mbed_connect_step1()
891 connssl->connecting_state = ssl_connect_2; in mbed_connect_step1()
900 struct ssl_connect_data *connssl = cf->ctx;
902 (struct mbed_ssl_backend_data *)connssl->backend;
909 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]:
910 data->set.str[STRING_SSL_PINNEDPUBLICKEY];
912 const char * const pinnedpubkey = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
917 ret = mbedtls_ssl_handshake(&backend->ssl);
920 connssl->connecting_state = ssl_connect_2_reading;
924 connssl->connecting_state = ssl_connect_2_writing;
930 failf(data, "ssl_handshake returned - mbedTLS: (-0x%04X) %s",
931 -ret, errorbuf);
936 mbedtls_ssl_get_ciphersuite_id_from_ssl(&backend->ssl);
938 infof(data, "mbedTLS: Handshake complete, cipher is %s", cipher_str);
940 ret = mbedtls_ssl_get_verify_result(&backend->ssl);
942 if(!conn_config->verifyhost)
946 if(ret && conn_config->verifypeer) {
965 peercert = mbedtls_ssl_get_peer_cert(&backend->ssl);
967 if(peercert && data->set.verbose) {
993 if(!peercert || !peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p) ||
994 !peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len)) {
996 if(!peercert || !peercert->raw.p || !peercert->raw.len) {
1017 needs a non-const key, for now.
1018 https://github.com/ARMmbed/mbedtls/issues/396 */
1021 peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(p),
1022 peercert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len))) {
1024 if(mbedtls_x509_crt_parse_der(p, peercert->raw.p, peercert->raw.len)) {
1032 size = mbedtls_pk_write_pubkey_der(&p->MBEDTLS_PRIVATE(pk), pubkey,
1035 size = mbedtls_pk_write_pubkey_der(&p->pk, pubkey, PUB_DER_MAX_BYTES);
1047 &pubkey[PUB_DER_MAX_BYTES - size], size);
1058 if(connssl->alpn) {
1059 const char *proto = mbedtls_ssl_get_alpn_protocol(&backend->ssl);
1066 connssl->connecting_state = ssl_connect_3;
1083 struct ssl_connect_data *connssl = cf->ctx;
1085 (struct mbed_ssl_backend_data *)connssl->backend;
1088 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
1091 if(ssl_config->primary.sessionid) {
1102 ret = mbedtls_ssl_get_session(&backend->ssl, our_ssl_sessionid);
1107 failf(data, "mbedtls_ssl_get_session returned -0x%x", -ret);
1113 if(!Curl_ssl_getsessionid(cf, data, &connssl->peer,
1117 retcode = Curl_ssl_addsessionid(cf, data, &connssl->peer,
1125 connssl->connecting_state = ssl_connect_done;
1134 struct ssl_connect_data *connssl = cf->ctx;
1136 (struct mbed_ssl_backend_data *)connssl->backend;
1137 int ret = -1;
1141 ret = mbedtls_ssl_write(&backend->ssl, (unsigned char *)mem, len);
1146 ret = -1;
1159 struct ssl_connect_data *connssl = cf->ctx;
1161 (struct mbed_ssl_backend_data *)connssl->backend;
1169 (void)mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf, sizeof(buf));
1171 mbedtls_pk_free(&backend->pk);
1172 mbedtls_x509_crt_free(&backend->clicert);
1173 mbedtls_x509_crt_free(&backend->cacert);
1175 mbedtls_x509_crl_free(&backend->crl);
1177 Curl_safefree(backend->ciphersuites);
1178 mbedtls_ssl_config_free(&backend->config);
1179 mbedtls_ssl_free(&backend->ssl);
1180 mbedtls_ctr_drbg_free(&backend->ctr_drbg);
1182 mbedtls_entropy_free(&backend->entropy);
1190 struct ssl_connect_data *connssl = cf->ctx;
1192 (struct mbed_ssl_backend_data *)connssl->backend;
1193 int ret = -1;
1194 ssize_t len = -1;
1199 ret = mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf,
1211 return -1;
1223 unsigned int version = mbedtls_version_get_number(); local
1224 return msnprintf(buffer, size, "mbedTLS/%u.%u.%u", version>>24,
1225 (version>>16)&0xff, (version>>8)&0xff);
1227 return msnprintf(buffer, size, "mbedTLS/%s", MBEDTLS_VERSION_STRING);
1235 int ret = -1;
1247 failf(data, "mbedtls_ctr_drbg_seed returned (-0x%04X) %s",
1248 -ret, errorbuf);
1255 failf(data, "mbedtls_ctr_drbg_random returned (-0x%04X) %s",
1256 -ret, errorbuf);
1281 struct ssl_connect_data *connssl = cf->ctx;
1287 if(ssl_connection_complete == connssl->state) {
1292 if(ssl_connect_1 == connssl->connecting_state) {
1306 while(ssl_connect_2 == connssl->connecting_state ||
1307 ssl_connect_2_reading == connssl->connecting_state ||
1308 ssl_connect_2_writing == connssl->connecting_state) {
1320 if(connssl->connecting_state == ssl_connect_2_reading
1321 || connssl->connecting_state == ssl_connect_2_writing) {
1324 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
1326 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
1358 (ssl_connect_2 == connssl->connecting_state ||
1359 ssl_connect_2_reading == connssl->connecting_state ||
1360 ssl_connect_2_writing == connssl->connecting_state)))
1365 if(ssl_connect_3 == connssl->connecting_state) {
1371 if(ssl_connect_done == connssl->connecting_state) {
1372 connssl->state = ssl_connection_complete;
1379 connssl->connecting_state = ssl_connect_1;
1432 struct ssl_connect_data *ctx = cf->ctx;
1436 DEBUGASSERT(ctx && ctx->backend);
1437 backend = (struct mbed_ssl_backend_data *)ctx->backend;
1438 return mbedtls_ssl_get_bytes_avail(&backend->ssl) != 0;
1446 /* TODO: explain this for different mbedtls 2.x vs 3 version */
1466 (struct mbed_ssl_backend_data *)connssl->backend;
1469 return &backend->ssl;
1473 { CURLSSLBACKEND_MBEDTLS, "mbedtls" }, /* info */
1485 mbedtls_version, /* version */