21 * SPDX-License-Identifier: curl
26 * Source file for all wolfSSL specific code for the TLS/SSL layer. No code
36 #include <wolfssl/version.h>
37 #include <wolfssl/options.h>
40 - the user's options.h generated by wolfSSL
41 - the symbols detected by curl's configure
45 /* HAVE_ALPN is wolfSSL's build time symbol for enabling ALPN in options.h. */
68 #include <wolfssl/openssl/ssl.h>
69 #include <wolfssl/ssl.h>
70 #include <wolfssl/error-ssl.h>
71 #include "wolfssl.h"
80 (__data__->set.tls_ech && \
81 !(__data__->set.tls_ech & CURLECH_DISABLE)\
86 OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is
87 in wolfSSL's settings.h, and the latter two are build time symbols in
104 WOLFSSL *handle;
112 * WolfSSL 4.4.0, but requires the -DHAVE_SECRET_CALLBACK build option. If that
116 * (--enable-opensslextra or --enable-all).
175 * SSL_version since the latter relies on OPENSSL_ALL (--enable-opensslall or in wolfssl_log_tls12_secret()
176 * --enable-all). Failing to perform this check could result in an unusable in wolfssl_log_tls12_secret()
218 return -1; in do_file_type()
279 return (!cf->next || !cf->next->connected); in wolfssl_bio_cf_ctrl()
292 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_bio_cf_out_write()
294 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_bio_cf_out_write()
300 nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result); in wolfssl_bio_cf_out_write()
301 backend->io_result = result; in wolfssl_bio_cf_out_write()
302 CURL_TRC_CF(data, cf, "bio_write(len=%d) -> %zd, %d", in wolfssl_bio_cf_out_write()
313 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_bio_cf_in_read()
315 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_bio_cf_in_read()
325 nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result); in wolfssl_bio_cf_in_read()
326 backend->io_result = result; in wolfssl_bio_cf_in_read()
327 CURL_TRC_CF(data, cf, "bio_read(len=%d) -> %zd, %d", blen, nread, result); in wolfssl_bio_cf_in_read()
332 connssl->peer_closed = TRUE; in wolfssl_bio_cf_in_read()
340 wolfssl_bio_cf_method = wolfSSL_BIO_meth_new(BIO_TYPE_MEM, "wolfSSL CF BIO"); in wolfssl_bio_cf_init_methods()
368 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_connect_step1()
370 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_connect_step1()
372 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; in wolfssl_connect_step1()
376 (ca_info_blob ? NULL : conn_config->CAfile); in wolfssl_connect_step1()
377 const char * const ssl_capath = conn_config->CApath; in wolfssl_connect_step1()
394 if(connssl->state == ssl_connection_complete) in wolfssl_connect_step1()
397 if(conn_config->version_max != CURL_SSLVERSION_MAX_NONE) { in wolfssl_connect_step1()
398 failf(data, "wolfSSL does not support to set maximum SSL/TLS version"); in wolfssl_connect_step1()
402 /* check to see if we've been told to use an explicit SSL/TLS version */ in wolfssl_connect_step1()
403 switch(conn_config->version) { in wolfssl_connect_step1()
407 /* minimum protocol version is set later after the CTX object is created */ in wolfssl_connect_step1()
410 infof(data, "wolfSSL <3.3.0 cannot be configured to use TLS 1.0-1.2, " in wolfssl_connect_step1()
422 failf(data, "wolfSSL does not support TLS 1.0"); in wolfssl_connect_step1()
430 failf(data, "wolfSSL does not support TLS 1.1"); in wolfssl_connect_step1()
439 failf(data, "wolfSSL does not support TLS 1.2"); in wolfssl_connect_step1()
449 failf(data, "wolfSSL: TLS 1.3 is not yet supported"); in wolfssl_connect_step1()
462 if(backend->ctx) in wolfssl_connect_step1()
463 wolfSSL_CTX_free(backend->ctx); in wolfssl_connect_step1()
464 backend->ctx = wolfSSL_CTX_new(req_method); in wolfssl_connect_step1()
466 if(!backend->ctx) { in wolfssl_connect_step1()
471 switch(conn_config->version) { in wolfssl_connect_step1()
475 /* Versions 3.3.0 to 3.4.6 we know the minimum protocol version is in wolfssl_connect_step1()
476 * whatever minimum version of TLS was built in and at least TLS 1.0. For in wolfssl_connect_step1()
479 * the minimum supported TLS version. in wolfssl_connect_step1()
481 if((wolfSSL_CTX_SetMinVersion(backend->ctx, WOLFSSL_TLSV1) != 1) && in wolfssl_connect_step1()
482 (wolfSSL_CTX_SetMinVersion(backend->ctx, WOLFSSL_TLSV1_1) != 1) && in wolfssl_connect_step1()
483 (wolfSSL_CTX_SetMinVersion(backend->ctx, WOLFSSL_TLSV1_2) != 1) in wolfssl_connect_step1()
485 && (wolfSSL_CTX_SetMinVersion(backend->ctx, WOLFSSL_TLSV1_3) != 1) in wolfssl_connect_step1()
488 failf(data, "SSL: couldn't set the minimum protocol version"); in wolfssl_connect_step1()
497 ciphers = conn_config->cipher_list; in wolfssl_connect_step1()
499 if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) { in wolfssl_connect_step1()
506 curves = conn_config->curves; in wolfssl_connect_step1()
520 if(!SSL_CTX_set1_curves_list(backend->ctx, curves)) { in wolfssl_connect_step1()
529 if(ssl_config->native_ca_store) { in wolfssl_connect_step1()
530 if(wolfSSL_CTX_load_system_CA_certs(backend->ctx) != WOLFSSL_SUCCESS) { in wolfssl_connect_step1()
542 if(wolfSSL_CTX_load_verify_buffer(backend->ctx, ca_info_blob->data, in wolfssl_connect_step1()
543 ca_info_blob->len, in wolfssl_connect_step1()
563 wolfSSL_CTX_load_verify_locations_ex(backend->ctx, in wolfssl_connect_step1()
568 if(conn_config->verifypeer && !imported_ca_info_blob && in wolfssl_connect_step1()
593 if(ssl_config->primary.clientcert && ssl_config->key) { in wolfssl_connect_step1()
594 int file_type = do_file_type(ssl_config->cert_type); in wolfssl_connect_step1()
597 if(wolfSSL_CTX_use_certificate_chain_file(backend->ctx, in wolfssl_connect_step1()
598 ssl_config->primary.clientcert) in wolfssl_connect_step1()
605 if(wolfSSL_CTX_use_certificate_file(backend->ctx, in wolfssl_connect_step1()
606 ssl_config->primary.clientcert, in wolfssl_connect_step1()
617 file_type = do_file_type(ssl_config->key_type); in wolfssl_connect_step1()
618 if(wolfSSL_CTX_use_PrivateKey_file(backend->ctx, ssl_config->key, in wolfssl_connect_step1()
630 wolfSSL_CTX_set_verify(backend->ctx, in wolfssl_connect_step1()
631 conn_config->verifypeer?SSL_VERIFY_PEER: in wolfssl_connect_step1()
635 if(sni && connssl->peer.sni) { in wolfssl_connect_step1()
636 size_t sni_len = strlen(connssl->peer.sni); in wolfssl_connect_step1()
638 if(wolfSSL_CTX_UseSNI(backend->ctx, WOLFSSL_SNI_HOST_NAME, in wolfssl_connect_step1()
639 connssl->peer.sni, in wolfssl_connect_step1()
649 if(data->set.ssl.fsslctx) { in wolfssl_connect_step1()
650 CURLcode result = (*data->set.ssl.fsslctx)(data, backend->ctx, in wolfssl_connect_step1()
651 data->set.ssl.fsslctxp); in wolfssl_connect_step1()
658 else if(conn_config->verifypeer) { in wolfssl_connect_step1()
659 failf(data, "SSL: Certificates can't be loaded because wolfSSL was built" in wolfssl_connect_step1()
668 if(backend->handle) in wolfssl_connect_step1()
669 wolfSSL_free(backend->handle); in wolfssl_connect_step1()
670 backend->handle = wolfSSL_new(backend->ctx); in wolfssl_connect_step1()
671 if(!backend->handle) { in wolfssl_connect_step1()
678 if(wolfSSL_UseKeyShare(backend->handle, oqsAlg) != WOLFSSL_SUCCESS) { in wolfssl_connect_step1()
685 if(connssl->alpn) { in wolfssl_connect_step1()
689 result = Curl_alpn_to_proto_str(&proto, connssl->alpn); in wolfssl_connect_step1()
691 wolfSSL_UseALPN(backend->handle, (char *)proto.data, proto.len, in wolfssl_connect_step1()
703 wolfSSL_KeepArrays(backend->handle); in wolfssl_connect_step1()
705 wolfSSL_set_tls13_secret_cb(backend->handle, in wolfssl_connect_step1()
712 if(wolfSSL_UseSecureRenegotiation(backend->handle) != SSL_SUCCESS) { in wolfssl_connect_step1()
719 if(ssl_config->primary.sessionid) { in wolfssl_connect_step1()
723 if(!Curl_ssl_getsessionid(cf, data, &connssl->peer, in wolfssl_connect_step1()
726 if(!SSL_set_session(backend->handle, ssl_sessionid)) { in wolfssl_connect_step1()
740 if(data->set.str[STRING_ECH_PUBLIC]) { in wolfssl_connect_step1()
741 infof(data, "ECH: outername not (yet) supported with WolfSSL"); in wolfssl_connect_step1()
744 if(data->set.tls_ech == CURLECH_GREASE) { in wolfssl_connect_step1()
745 infof(data, "ECH: GREASE'd ECH not yet supported for wolfSSL"); in wolfssl_connect_step1()
748 if(data->set.tls_ech & CURLECH_CLA_CFG in wolfssl_connect_step1()
749 && data->set.str[STRING_ECH_CONFIG]) { in wolfssl_connect_step1()
750 char *b64val = data->set.str[STRING_ECH_CONFIG]; in wolfssl_connect_step1()
755 && wolfSSL_SetEchConfigsBase64(backend->handle, b64val, b64len) in wolfssl_connect_step1()
757 if(data->set.tls_ech & CURLECH_HARD) in wolfssl_connect_step1()
768 dns = Curl_fetch_addr(data, connssl->peer.hostname, connssl->peer.port); in wolfssl_connect_step1()
771 if(data->set.tls_ech & CURLECH_HARD) in wolfssl_connect_step1()
777 rinfo = dns->hinfo; in wolfssl_connect_step1()
778 if(rinfo && rinfo->echconfiglist) { in wolfssl_connect_step1()
779 unsigned char *ecl = rinfo->echconfiglist; in wolfssl_connect_step1()
780 size_t elen = rinfo->echconfiglist_len; in wolfssl_connect_step1()
783 if(wolfSSL_SetEchConfigs(backend->handle, ecl, (word32) elen) != in wolfssl_connect_step1()
786 if(data->set.tls_ech & CURLECH_HARD) in wolfssl_connect_step1()
796 if(data->set.tls_ech & CURLECH_HARD) in wolfssl_connect_step1()
804 && SSL_set_min_proto_version(backend->handle, TLS1_3_VERSION) != 1) { in wolfssl_connect_step1()
821 wolfSSL_set_bio(backend->handle, bio, bio); in wolfssl_connect_step1()
825 if(!wolfSSL_set_fd(backend->handle, in wolfssl_connect_step1()
832 connssl->connecting_state = ssl_connect_2; in wolfssl_connect_step1()
840 int ret = -1; in wolfssl_connect_step2()
841 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_connect_step2()
843 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_connect_step2()
847 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: in wolfssl_connect_step2()
848 data->set.str[STRING_SSL_PINNEDPUBLICKEY]; in wolfssl_connect_step2()
850 const char * const pinnedpubkey = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; in wolfssl_connect_step2()
858 if(conn_config->verifyhost) { in wolfssl_connect_step2()
859 char *snihost = connssl->peer.sni? in wolfssl_connect_step2()
860 connssl->peer.sni : connssl->peer.hostname; in wolfssl_connect_step2()
861 if(wolfSSL_check_domain_name(backend->handle, snihost) == SSL_FAILURE) in wolfssl_connect_step2()
865 ret = wolfSSL_connect(backend->handle); in wolfssl_connect_step2()
872 * During the handshake (ret==-1), wolfSSL_want_read() is true as it waits in wolfssl_connect_step2()
877 * Note that OpenSSL SSL_want_read() is always true here. If wolfSSL ever in wolfssl_connect_step2()
881 (!wolfSSL_want_read(backend->handle) && in wolfssl_connect_step2()
882 !wolfSSL_want_write(backend->handle))) { in wolfssl_connect_step2()
883 wolfssl_log_tls12_secret(backend->handle); in wolfssl_connect_step2()
886 wolfSSL_FreeArrays(backend->handle); in wolfssl_connect_step2()
893 int detail = wolfSSL_get_error(backend->handle, ret); in wolfssl_connect_step2()
896 connssl->connecting_state = ssl_connect_2_reading; in wolfssl_connect_step2()
900 connssl->connecting_state = ssl_connect_2_writing; in wolfssl_connect_step2()
909 connssl->peer.dispname); in wolfssl_connect_step2()
914 * == 0', CyaSSL version 2.4.0 will fail with an INCOMPLETE_DATA in wolfssl_connect_step2()
918 if(conn_config->verifyhost) { in wolfssl_connect_step2()
921 connssl->dispname); in wolfssl_connect_step2()
927 connssl->dispname); in wolfssl_connect_step2()
934 if(conn_config->verifypeer) { in wolfssl_connect_step2()
947 else if(-1 == detail) { in wolfssl_connect_step2()
954 rv = wolfSSL_GetEchConfigs(backend->handle, echConfigs, in wolfssl_connect_step2()
971 else if(backend->io_result == CURLE_AGAIN) { in wolfssl_connect_step2()
990 x509 = wolfSSL_get_peer_certificate(backend->handle); in wolfssl_connect_step2()
1007 if(!pubkey->header || pubkey->end <= pubkey->header) { in wolfssl_connect_step2()
1014 (const unsigned char *)pubkey->header, in wolfssl_connect_step2()
1015 (size_t)(pubkey->end - pubkey->header)); in wolfssl_connect_step2()
1022 failf(data, "Library lacks pinning support built-in"); in wolfssl_connect_step2()
1028 if(connssl->alpn) { in wolfssl_connect_step2()
1033 rc = wolfSSL_ALPN_GetProtocol(backend->handle, &protocol, &protocol_len); in wolfssl_connect_step2()
1048 connssl->connecting_state = ssl_connect_3; in wolfssl_connect_step2()
1051 wolfSSL_get_version(backend->handle), in wolfssl_connect_step2()
1052 wolfSSL_get_cipher_name(backend->handle)); in wolfssl_connect_step2()
1072 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_connect_step3()
1074 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_connect_step3()
1077 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); in wolfssl_connect_step3()
1080 if(ssl_config->primary.sessionid) { in wolfssl_connect_step3()
1082 WOLFSSL_SESSION *our_ssl_sessionid = wolfSSL_get1_session(backend->handle); in wolfssl_connect_step3()
1088 incache = !(Curl_ssl_getsessionid(cf, data, &connssl->peer, in wolfssl_connect_step3()
1095 result = Curl_ssl_addsessionid(cf, data, &connssl->peer, in wolfssl_connect_step3()
1106 connssl->connecting_state = ssl_connect_done; in wolfssl_connect_step3()
1118 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_send()
1120 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_send()
1129 rc = wolfSSL_write(backend->handle, mem, memlen); in wolfssl_send()
1131 int err = wolfSSL_get_error(backend->handle, rc); in wolfssl_send()
1136 /* there's data pending, re-invoke SSL_write() */ in wolfssl_send()
1137 CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> AGAIN", len); in wolfssl_send()
1139 return -1; in wolfssl_send()
1141 if(backend->io_result == CURLE_AGAIN) { in wolfssl_send()
1142 CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> AGAIN", len); in wolfssl_send()
1144 return -1; in wolfssl_send()
1146 CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> %d, %d", len, rc, err); in wolfssl_send()
1151 return -1; in wolfssl_send()
1154 CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> %d", len, rc); in wolfssl_send()
1160 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_close()
1162 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_close()
1168 if(backend->handle) { in wolfssl_close()
1172 (void)wolfSSL_read(backend->handle, buf, (int)sizeof(buf)); in wolfssl_close()
1173 if(!connssl->peer_closed) in wolfssl_close()
1174 (void)wolfSSL_shutdown(backend->handle); in wolfssl_close()
1175 wolfSSL_free(backend->handle); in wolfssl_close()
1176 backend->handle = NULL; in wolfssl_close()
1178 if(backend->ctx) { in wolfssl_close()
1179 wolfSSL_CTX_free(backend->ctx); in wolfssl_close()
1180 backend->ctx = NULL; in wolfssl_close()
1189 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_recv()
1191 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_recv()
1201 nread = wolfSSL_read(backend->handle, buf, buffsize); in wolfssl_recv()
1204 int err = wolfSSL_get_error(backend->handle, nread); in wolfssl_recv()
1208 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> CLOSED", blen); in wolfssl_recv()
1214 /* there's data pending, re-invoke wolfSSL_read() */ in wolfssl_recv()
1215 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> AGAIN", blen); in wolfssl_recv()
1217 return -1; in wolfssl_recv()
1219 if(backend->io_result == CURLE_AGAIN) { in wolfssl_recv()
1220 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> AGAIN", blen); in wolfssl_recv()
1222 return -1; in wolfssl_recv()
1227 return -1; in wolfssl_recv()
1230 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> %d", blen, nread); in wolfssl_recv()
1238 return msnprintf(buffer, size, "wolfSSL/%s", wolfSSL_lib_version()); in wolfssl_version()
1240 return msnprintf(buffer, size, "wolfSSL/%s", WOLFSSL_VERSION); in wolfssl_version()
1271 struct ssl_connect_data *ctx = cf->ctx; in wolfssl_data_pending()
1275 DEBUGASSERT(ctx && ctx->backend); in wolfssl_data_pending()
1277 backend = (struct wolfssl_ssl_backend_data *)ctx->backend; in wolfssl_data_pending()
1278 if(backend->handle) /* SSL is in use */ in wolfssl_data_pending()
1279 return (0 != wolfSSL_pending(backend->handle)) ? TRUE : FALSE; in wolfssl_data_pending()
1287 * socket open (CCC - Clear Command Channel)
1292 struct ssl_connect_data *ctx = cf->ctx; in wolfssl_shutdown()
1297 DEBUGASSERT(ctx && ctx->backend); in wolfssl_shutdown()
1299 backend = (struct wolfssl_ssl_backend_data *)ctx->backend; in wolfssl_shutdown()
1300 if(backend->handle) { in wolfssl_shutdown()
1302 wolfSSL_free(backend->handle); in wolfssl_shutdown()
1303 backend->handle = NULL; in wolfssl_shutdown()
1316 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_connect_common()
1321 if(ssl_connection_complete == connssl->state) { in wolfssl_connect_common()
1326 if(ssl_connect_1 == connssl->connecting_state) { in wolfssl_connect_common()
1341 while(ssl_connect_2 == connssl->connecting_state || in wolfssl_connect_common()
1342 ssl_connect_2_reading == connssl->connecting_state || in wolfssl_connect_common()
1343 ssl_connect_2_writing == connssl->connecting_state) { in wolfssl_connect_common()
1355 if(connssl->connecting_state == ssl_connect_2_reading in wolfssl_connect_common()
1356 || connssl->connecting_state == ssl_connect_2_writing) { in wolfssl_connect_common()
1359 connssl->connecting_state?sockfd:CURL_SOCKET_BAD; in wolfssl_connect_common()
1361 connssl->connecting_state?sockfd:CURL_SOCKET_BAD; in wolfssl_connect_common()
1393 (ssl_connect_2 == connssl->connecting_state || in wolfssl_connect_common()
1394 ssl_connect_2_reading == connssl->connecting_state || in wolfssl_connect_common()
1395 ssl_connect_2_writing == connssl->connecting_state))) in wolfssl_connect_common()
1399 if(ssl_connect_3 == connssl->connecting_state) { in wolfssl_connect_common()
1405 if(ssl_connect_done == connssl->connecting_state) { in wolfssl_connect_common()
1406 connssl->state = ssl_connection_complete; in wolfssl_connect_common()
1413 connssl->connecting_state = ssl_connect_1; in wolfssl_connect_common()
1476 (struct wolfssl_ssl_backend_data *)connssl->backend; in wolfssl_get_internals()
1479 return backend->handle; in wolfssl_get_internals()
1483 { CURLSSLBACKEND_WOLFSSL, "WolfSSL" }, /* info */
1502 wolfssl_version, /* version */