
Lines Matching +full:- +full:- +full:with +full:- +full:wolfssl

21  * SPDX-License-Identifier: curl
26 * Source file for all wolfSSL specific code for the TLS/SSL layer. No code
36 #include <wolfssl/options.h>
37 #include <wolfssl/version.h>
39 #if LIBWOLFSSL_VERSION_HEX < 0x03004006 /* wolfSSL 3.4.6 (2015) */
40 #error "wolfSSL version should be at least 3.4.6"
44 - the user's options.h generated by wolfSSL
45 - the symbols detected by curl's configure
49 /* HAVE_ALPN is wolfSSL's build time symbol for enabling ALPN in options.h. */
73 #include <wolfssl/ssl.h>
74 #include <wolfssl/error-ssl.h>
75 #include "wolfssl.h"
87 in wolfSSL's settings.h, and the latter two are build time symbols in
103 /* wolfSSL 5.7.4 and older do not have these symbols, but only the
122 * wolfSSL 4.4.0, but requires the -DHAVE_SECRET_CALLBACK build option. If that
126 * (--enable-opensslextra or --enable-all).
178 wolfssl_log_tls12_secret(WOLFSSL *ssl) in wolfssl_log_tls12_secret()
185 * SSL_version since the latter relies on OPENSSL_ALL (--enable-opensslall or in wolfssl_log_tls12_secret()
186 * --enable-all). Failing to perform this check could result in an unusable in wolfssl_log_tls12_secret()
228 return -1; in wolfssl_do_file_type()
298 return !cf->next || !cf->next->connected; in wolfssl_bio_cf_ctrl()
311 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_bio_cf_out_write()
313 (struct wolfssl_ctx *)connssl->backend; in wolfssl_bio_cf_out_write()
319 if(backend->shutting_down && backend->io_send_blocked_len && in wolfssl_bio_cf_out_write()
320 (backend->io_send_blocked_len < blen)) { in wolfssl_bio_cf_out_write()
321 /* bug in wolfSSL: <https://github.com/wolfSSL/wolfssl/issues/7784> in wolfssl_bio_cf_out_write()
325 " to %d bytes", blen, backend->io_send_blocked_len); in wolfssl_bio_cf_out_write()
326 skiplen = (ssize_t)(blen - backend->io_send_blocked_len); in wolfssl_bio_cf_out_write()
327 blen = backend->io_send_blocked_len; in wolfssl_bio_cf_out_write()
329 nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, FALSE, &result); in wolfssl_bio_cf_out_write()
330 backend->io_result = result; in wolfssl_bio_cf_out_write()
331 CURL_TRC_CF(data, cf, "bio_write(len=%d) -> %zd, %d", in wolfssl_bio_cf_out_write()
338 if(backend->shutting_down && !backend->io_send_blocked_len) in wolfssl_bio_cf_out_write()
339 backend->io_send_blocked_len = blen; in wolfssl_bio_cf_out_write()
349 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_bio_cf_in_read()
351 (struct wolfssl_ctx *)connssl->backend; in wolfssl_bio_cf_in_read()
361 nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result); in wolfssl_bio_cf_in_read()
362 backend->io_result = result; in wolfssl_bio_cf_in_read()
363 CURL_TRC_CF(data, cf, "bio_read(len=%d) -> %zd, %d", blen, nread, result); in wolfssl_bio_cf_in_read()
370 connssl->peer_closed = TRUE; in wolfssl_bio_cf_in_read()
379 "wolfSSL CF BIO"); in wolfssl_bio_cf_init_methods()
449 static int wssl_vtls_new_session_cb(WOLFSSL *ssl, WOLFSSL_SESSION *session) in wssl_vtls_new_session_cb()
456 struct ssl_connect_data *connssl = cf->ctx; in wssl_vtls_new_session_cb()
461 (void)Curl_wssl_cache_session(cf, data, connssl->peer.scache_key, in wssl_vtls_new_session_cb()
463 connssl->negotiated.alpn); in wssl_vtls_new_session_cb()
478 if(!result && sc_session && sc_session->sdata && sc_session->sdata_len) { in Curl_wssl_setup_session()
480 /* wolfSSL changes the passed pointer for whatever reasons, yikes */ in Curl_wssl_setup_session()
481 const unsigned char *sdata = sc_session->sdata; in Curl_wssl_setup_session()
483 (long)sc_session->sdata_len); in Curl_wssl_setup_session()
485 int ret = wolfSSL_set_session(wss->handle, session); in Curl_wssl_setup_session()
510 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob; in wssl_populate_x509_store()
513 (ca_info_blob ? NULL : conn_config->CAfile); in wssl_populate_x509_store()
514 const char * const ssl_capath = conn_config->CApath; in wssl_populate_x509_store()
520 if(ssl_config->native_ca_store) { in wssl_populate_x509_store()
521 if(wolfSSL_CTX_load_system_CA_certs(wssl->ctx) != WOLFSSL_SUCCESS) { in wssl_populate_x509_store()
527 wssl->x509_store_setup = TRUE; in wssl_populate_x509_store()
534 if(wolfSSL_CTX_load_verify_buffer(wssl->ctx, ca_info_blob->data, in wssl_populate_x509_store()
535 (long)ca_info_blob->len, in wssl_populate_x509_store()
548 wssl->x509_store_setup = TRUE; in wssl_populate_x509_store()
560 if((ssl_cafile || ssl_capath) && (!wssl->x509_store_setup)) { in wssl_populate_x509_store()
562 wolfSSL_CTX_load_verify_locations_ex(wssl->ctx, in wssl_populate_x509_store()
567 if(conn_config->verifypeer) { in wssl_populate_x509_store()
576 /* Just continue with a warning if no strict certificate in wssl_populate_x509_store()
591 wssl->x509_store_setup = TRUE; in wssl_populate_x509_store()
595 /* key to use at `multi->proto_hash` */
607 DEBUGASSERT(key_len == (sizeof(MPROTO_WSSL_X509_KEY)-1)); in wssl_x509_share_free()
611 if(share->store) { in wssl_x509_share_free()
612 wolfSSL_X509_STORE_free(share->store); in wssl_x509_share_free()
614 free(share->CAfile); in wssl_x509_share_free()
622 const struct ssl_general_config *cfg = &data->set.general_ssl; in wssl_cached_x509_store_expired()
624 timediff_t elapsed_ms = Curl_timediff(now, mb->time); in wssl_cached_x509_store_expired()
625 timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000; in wssl_cached_x509_store_expired()
638 if(!mb->CAfile || !conn_config->CAfile) in wssl_cached_x509_store_different()
639 return mb->CAfile != conn_config->CAfile; in wssl_cached_x509_store_different()
641 return strcmp(mb->CAfile, conn_config->CAfile); in wssl_cached_x509_store_different()
647 struct Curl_multi *multi = data->multi; in wssl_get_cached_x509_store()
652 share = multi ? Curl_hash_pick(&multi->proto_hash, in wssl_get_cached_x509_store()
654 sizeof(MPROTO_WSSL_X509_KEY)-1) : NULL; in wssl_get_cached_x509_store()
655 if(share && share->store && in wssl_get_cached_x509_store()
658 store = share->store; in wssl_get_cached_x509_store()
669 struct Curl_multi *multi = data->multi; in wssl_set_cached_x509_store()
675 share = Curl_hash_pick(&multi->proto_hash, in wssl_set_cached_x509_store()
677 sizeof(MPROTO_WSSL_X509_KEY)-1); in wssl_set_cached_x509_store()
683 if(!Curl_hash_add2(&multi->proto_hash, in wssl_set_cached_x509_store()
685 sizeof(MPROTO_WSSL_X509_KEY)-1, in wssl_set_cached_x509_store()
695 if(conn_config->CAfile) { in wssl_set_cached_x509_store()
696 CAfile = strdup(conn_config->CAfile); in wssl_set_cached_x509_store()
703 if(share->store) { in wssl_set_cached_x509_store()
704 wolfSSL_X509_STORE_free(share->store); in wssl_set_cached_x509_store()
705 free(share->CAfile); in wssl_set_cached_x509_store()
708 share->time = Curl_now(); in wssl_set_cached_x509_store()
709 share->store = store; in wssl_set_cached_x509_store()
710 share->CAfile = CAfile; in wssl_set_cached_x509_store()
725 or no source is provided and we are falling back to wolfSSL's built-in in Curl_wssl_setup_x509_store()
727 cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) && in Curl_wssl_setup_x509_store()
728 conn_config->verifypeer && in Curl_wssl_setup_x509_store()
729 !conn_config->CApath && in Curl_wssl_setup_x509_store()
730 !conn_config->ca_info_blob && in Curl_wssl_setup_x509_store()
731 !ssl_config->primary.CRLfile && in Curl_wssl_setup_x509_store()
732 !ssl_config->native_ca_store; in Curl_wssl_setup_x509_store()
736 if(cached_store && wolfSSL_CTX_get_cert_store(wssl->ctx) == cached_store) { in Curl_wssl_setup_x509_store()
740 wolfSSL_CTX_set_cert_store(wssl->ctx, cached_store); in Curl_wssl_setup_x509_store()
743 /* wolfSSL's initial store in CTX is not shareable by default. in Curl_wssl_setup_x509_store()
750 wolfSSL_CTX_set_cert_store(wssl->ctx, store); in Curl_wssl_setup_x509_store()
759 WOLFSSL_X509_STORE *store = wolfSSL_CTX_get_cert_store(wssl->ctx); in Curl_wssl_setup_x509_store()
843 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_connect_step1()
845 (struct wolfssl_ctx *)connssl->backend; in wolfssl_connect_step1()
856 if(connssl->state == ssl_connection_complete) in wolfssl_connect_step1()
865 failf(data, "wolfSSL: could not create a client method"); in wolfssl_connect_step1()
869 if(backend->ctx) in wolfssl_connect_step1()
870 wolfSSL_CTX_free(backend->ctx); in wolfssl_connect_step1()
872 backend->ctx = wolfSSL_CTX_new(req_method); in wolfssl_connect_step1()
873 if(!backend->ctx) { in wolfssl_connect_step1()
874 failf(data, "wolfSSL: could not create a context"); in wolfssl_connect_step1()
878 switch(conn_config->version) { in wolfssl_connect_step1()
882 res = wolfSSL_CTX_set_min_proto_version(backend->ctx, TLS1_VERSION); in wolfssl_connect_step1()
885 res = wolfSSL_CTX_set_min_proto_version(backend->ctx, TLS1_1_VERSION); in wolfssl_connect_step1()
888 res = wolfSSL_CTX_set_min_proto_version(backend->ctx, TLS1_2_VERSION); in wolfssl_connect_step1()
892 res = wolfSSL_CTX_set_min_proto_version(backend->ctx, TLS1_3_VERSION); in wolfssl_connect_step1()
896 failf(data, "wolfSSL: unsupported minimum TLS version value"); in wolfssl_connect_step1()
900 failf(data, "wolfSSL: failed set the minimum TLS version"); in wolfssl_connect_step1()
904 switch(conn_config->version_max) { in wolfssl_connect_step1()
907 res = wolfSSL_CTX_set_max_proto_version(backend->ctx, TLS1_3_VERSION); in wolfssl_connect_step1()
911 res = wolfSSL_CTX_set_max_proto_version(backend->ctx, TLS1_2_VERSION); in wolfssl_connect_step1()
914 res = wolfSSL_CTX_set_max_proto_version(backend->ctx, TLS1_1_VERSION); in wolfssl_connect_step1()
917 res = wolfSSL_CTX_set_max_proto_version(backend->ctx, TLS1_VERSION); in wolfssl_connect_step1()
924 failf(data, "wolfSSL: unsupported maximum TLS version value"); in wolfssl_connect_step1()
928 failf(data, "wolfSSL: failed set the maximum TLS version"); in wolfssl_connect_step1()
934 char *ciphers = conn_config->cipher_list; in wolfssl_connect_step1()
936 if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) { in wolfssl_connect_step1()
945 if(conn_config->cipher_list || conn_config->cipher_list13) { in wolfssl_connect_step1()
946 const char *ciphers12 = conn_config->cipher_list; in wolfssl_connect_step1()
947 const char *ciphers13 = conn_config->cipher_list13; in wolfssl_connect_step1()
970 if(!wolfSSL_CTX_set_cipher_list(backend->ctx, Curl_dyn_ptr(&c))) { in wolfssl_connect_step1()
980 curves = conn_config->curves; in wolfssl_connect_step1()
994 if(!wolfSSL_CTX_set1_curves_list(backend->ctx, curves)) { in wolfssl_connect_step1()
1003 if(ssl_config->primary.cert_blob || ssl_config->primary.clientcert) { in wolfssl_connect_step1()
1004 const char *cert_file = ssl_config->primary.clientcert; in wolfssl_connect_step1()
1005 const char *key_file = ssl_config->key; in wolfssl_connect_step1()
1006 const struct curl_blob *cert_blob = ssl_config->primary.cert_blob; in wolfssl_connect_step1()
1007 const struct curl_blob *key_blob = ssl_config->key_blob; in wolfssl_connect_step1()
1008 int file_type = wolfssl_do_file_type(ssl_config->cert_type); in wolfssl_connect_step1()
1014 wolfSSL_CTX_use_certificate_chain_buffer(backend->ctx, in wolfssl_connect_step1()
1015 cert_blob->data, in wolfssl_connect_step1()
1016 (long)cert_blob->len) : in wolfssl_connect_step1()
1017 wolfSSL_CTX_use_certificate_chain_file(backend->ctx, cert_file); in wolfssl_connect_step1()
1021 wolfSSL_CTX_use_certificate_buffer(backend->ctx, cert_blob->data, in wolfssl_connect_step1()
1022 (long)cert_blob->len, file_type) : in wolfssl_connect_step1()
1023 wolfSSL_CTX_use_certificate_file(backend->ctx, cert_file, file_type); in wolfssl_connect_step1()
1039 file_type = wolfssl_do_file_type(ssl_config->key_type); in wolfssl_connect_step1()
1042 wolfSSL_CTX_use_PrivateKey_buffer(backend->ctx, key_blob->data, in wolfssl_connect_step1()
1043 (long)key_blob->len, file_type) : in wolfssl_connect_step1()
1044 wolfSSL_CTX_use_PrivateKey_file(backend->ctx, key_file, file_type); in wolfssl_connect_step1()
1051 if(ssl_config->primary.cert_blob) { in wolfssl_connect_step1()
1052 const struct curl_blob *cert_blob = ssl_config->primary.cert_blob; in wolfssl_connect_step1()
1053 const struct curl_blob *key_blob = ssl_config->key_blob; in wolfssl_connect_step1()
1054 int file_type = wolfssl_do_file_type(ssl_config->cert_type); in wolfssl_connect_step1()
1059 rc = wolfSSL_CTX_use_certificate_chain_buffer(backend->ctx, in wolfssl_connect_step1()
1060 cert_blob->data, in wolfssl_connect_step1()
1061 (long)cert_blob->len); in wolfssl_connect_step1()
1064 rc = wolfSSL_CTX_use_certificate_buffer(backend->ctx, cert_blob->data, in wolfssl_connect_step1()
1065 (long)cert_blob->len, file_type); in wolfssl_connect_step1()
1079 file_type = wolfssl_do_file_type(ssl_config->key_type); in wolfssl_connect_step1()
1081 if(wolfSSL_CTX_use_PrivateKey_buffer(backend->ctx, key_blob->data, in wolfssl_connect_step1()
1082 (long)key_blob->len, in wolfssl_connect_step1()
1092 * anyway. In the latter case the result of the verification is checked with in wolfssl_connect_step1()
1094 wolfSSL_CTX_set_verify(backend->ctx, in wolfssl_connect_step1()
1095 conn_config->verifypeer ? WOLFSSL_VERIFY_PEER : in wolfssl_connect_step1()
1099 if(connssl->peer.sni) { in wolfssl_connect_step1()
1100 size_t sni_len = strlen(connssl->peer.sni); in wolfssl_connect_step1()
1102 if(wolfSSL_CTX_UseSNI(backend->ctx, WOLFSSL_SNI_HOST_NAME, in wolfssl_connect_step1()
1103 connssl->peer.sni, in wolfssl_connect_step1()
1112 /* give application a chance to interfere with SSL set up. */ in wolfssl_connect_step1()
1113 if(data->set.ssl.fsslctx) { in wolfssl_connect_step1()
1115 if(!backend->x509_store_setup) { in wolfssl_connect_step1()
1120 result = (*data->set.ssl.fsslctx)(data, backend->ctx, in wolfssl_connect_step1()
1121 data->set.ssl.fsslctxp); in wolfssl_connect_step1()
1128 else if(conn_config->verifypeer) { in wolfssl_connect_step1()
1129 failf(data, "SSL: Certificates cannot be loaded because wolfSSL was built" in wolfssl_connect_step1()
1130 " with \"no filesystem\". Either disable peer verification" in wolfssl_connect_step1()
1131 " (insecure) or if you are building an application with libcurl you" in wolfssl_connect_step1()
1138 if(backend->handle) in wolfssl_connect_step1()
1139 wolfSSL_free(backend->handle); in wolfssl_connect_step1()
1140 backend->handle = wolfSSL_new(backend->ctx); in wolfssl_connect_step1()
1141 if(!backend->handle) { in wolfssl_connect_step1()
1148 if(wolfSSL_UseKeyShare(backend->handle, pqkem) != WOLFSSL_SUCCESS) { in wolfssl_connect_step1()
1155 if(connssl->alpn) { in wolfssl_connect_step1()
1159 result = Curl_alpn_to_proto_str(&proto, connssl->alpn); in wolfssl_connect_step1()
1161 wolfSSL_UseALPN(backend->handle, in wolfssl_connect_step1()
1174 wolfSSL_KeepArrays(backend->handle); in wolfssl_connect_step1()
1176 wolfSSL_set_tls13_secret_cb(backend->handle, in wolfssl_connect_step1()
1183 if(wolfSSL_UseSecureRenegotiation(backend->handle) != SSL_SUCCESS) { in wolfssl_connect_step1()
1190 if(ssl_config->primary.cache_session) { in wolfssl_connect_step1()
1192 (void)Curl_wssl_setup_session(cf, data, backend, connssl->peer.scache_key); in wolfssl_connect_step1()
1194 wolfSSL_set_app_data(backend->handle, cf); in wolfssl_connect_step1()
1195 wolfSSL_CTX_sess_set_new_cb(backend->ctx, wssl_vtls_new_session_cb); in wolfssl_connect_step1()
1202 if(data->set.str[STRING_ECH_PUBLIC]) { in wolfssl_connect_step1()
1203 infof(data, "ECH: outername not (yet) supported with wolfSSL"); in wolfssl_connect_step1()
1206 if(data->set.tls_ech == CURLECH_GREASE) { in wolfssl_connect_step1()
1207 infof(data, "ECH: GREASE'd ECH not yet supported for wolfSSL"); in wolfssl_connect_step1()
1210 if(data->set.tls_ech & CURLECH_CLA_CFG in wolfssl_connect_step1()
1211 && data->set.str[STRING_ECH_CONFIG]) { in wolfssl_connect_step1()
1212 char *b64val = data->set.str[STRING_ECH_CONFIG]; in wolfssl_connect_step1()
1217 && wolfSSL_SetEchConfigsBase64(backend->handle, b64val, b64len) in wolfssl_connect_step1()
1219 if(data->set.tls_ech & CURLECH_HARD) in wolfssl_connect_step1()
1230 dns = Curl_fetch_addr(data, connssl->peer.hostname, connssl->peer.port); in wolfssl_connect_step1()
1233 if(data->set.tls_ech & CURLECH_HARD) in wolfssl_connect_step1()
1239 rinfo = dns->hinfo; in wolfssl_connect_step1()
1240 if(rinfo && rinfo->echconfiglist) { in wolfssl_connect_step1()
1241 unsigned char *ecl = rinfo->echconfiglist; in wolfssl_connect_step1()
1242 size_t elen = rinfo->echconfiglist_len; in wolfssl_connect_step1()
1245 if(wolfSSL_SetEchConfigs(backend->handle, ecl, (word32) elen) != in wolfssl_connect_step1()
1248 if(data->set.tls_ech & CURLECH_HARD) in wolfssl_connect_step1()
1258 if(data->set.tls_ech & CURLECH_HARD) in wolfssl_connect_step1()
1265 if(trying_ech_now && wolfSSL_set_min_proto_version(backend->handle, in wolfssl_connect_step1()
1283 wolfSSL_set_bio(backend->handle, bio, bio); in wolfssl_connect_step1()
1287 if(!wolfSSL_set_fd(backend->handle, in wolfssl_connect_step1()
1294 connssl->connecting_state = ssl_connect_2; in wolfssl_connect_step1()
1320 int ret = -1; in wolfssl_connect_step2()
1321 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_connect_step2()
1323 (struct wolfssl_ctx *)connssl->backend; in wolfssl_connect_step2()
1327 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : in wolfssl_connect_step2()
1328 data->set.str[STRING_SSL_PINNEDPUBLICKEY]; in wolfssl_connect_step2()
1330 const char * const pinnedpubkey = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; in wolfssl_connect_step2()
1338 if(conn_config->verifyhost) { in wolfssl_connect_step2()
1339 char *snihost = connssl->peer.sni ? in wolfssl_connect_step2()
1340 connssl->peer.sni : connssl->peer.hostname; in wolfssl_connect_step2()
1341 if(wolfSSL_check_domain_name(backend->handle, snihost) == WOLFSSL_FAILURE) in wolfssl_connect_step2()
1345 if(!backend->x509_store_setup) { in wolfssl_connect_step2()
1354 connssl->io_need = CURL_SSL_IO_NEED_NONE; in wolfssl_connect_step2()
1355 ret = wolfSSL_connect(backend->handle); in wolfssl_connect_step2()
1360 * proceed with logging secrets (for TLS 1.2 or older). in wolfssl_connect_step2()
1362 * During the handshake (ret==-1), wolfSSL_want_read() is true as it waits in wolfssl_connect_step2()
1365 * To log the secret on completion with a handshake failure, detect in wolfssl_connect_step2()
1367 * Note that OpenSSL SSL_want_read() is always true here. If wolfSSL ever in wolfssl_connect_step2()
1371 (!wolfSSL_want_read(backend->handle) && in wolfssl_connect_step2()
1372 !wolfSSL_want_write(backend->handle))) { in wolfssl_connect_step2()
1373 wolfssl_log_tls12_secret(backend->handle); in wolfssl_connect_step2()
1376 wolfSSL_FreeArrays(backend->handle); in wolfssl_connect_step2()
1382 int detail = wolfSSL_get_error(backend->handle, ret); in wolfssl_connect_step2()
1385 connssl->io_need = CURL_SSL_IO_NEED_RECV; in wolfssl_connect_step2()
1389 connssl->io_need = CURL_SSL_IO_NEED_SEND; in wolfssl_connect_step2()
1398 connssl->peer.dispname); in wolfssl_connect_step2()
1403 * == 0', CyaSSL version 2.4.0 will fail with an INCOMPLETE_DATA in wolfssl_connect_step2()
1407 if(conn_config->verifyhost) { in wolfssl_connect_step2()
1410 connssl->dispname); in wolfssl_connect_step2()
1416 connssl->dispname); in wolfssl_connect_step2()
1422 if(conn_config->verifypeer) { in wolfssl_connect_step2()
1427 /* Just continue with a warning if no strict certificate in wolfssl_connect_step2()
1442 else if(-1 == detail) { in wolfssl_connect_step2()
1449 rv = wolfSSL_GetEchConfigs(backend->handle, echConfigs, in wolfssl_connect_step2()
1466 else if(backend->io_result == CURLE_AGAIN) { in wolfssl_connect_step2()
1471 failf(data, "SSL_connect failed with error %d: %s", detail, in wolfssl_connect_step2()
1487 x509 = wolfSSL_get_peer_certificate(backend->handle); in wolfssl_connect_step2()
1504 if(!pubkey->header || pubkey->end <= pubkey->header) { in wolfssl_connect_step2()
1511 (const unsigned char *)pubkey->header, in wolfssl_connect_step2()
1512 (size_t)(pubkey->end - pubkey->header)); in wolfssl_connect_step2()
1519 failf(data, "Library lacks pinning support built-in"); in wolfssl_connect_step2()
1525 if(connssl->alpn) { in wolfssl_connect_step2()
1530 rc = wolfSSL_ALPN_GetProtocol(backend->handle, &protocol, &protocol_len); in wolfssl_connect_step2()
1545 connssl->connecting_state = ssl_connect_3; in wolfssl_connect_step2()
1548 wolfSSL_get_version(backend->handle), in wolfssl_connect_step2()
1549 wolfSSL_get_cipher_name(backend->handle)); in wolfssl_connect_step2()
1563 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_send()
1565 (struct wolfssl_ctx *)connssl->backend; in wolfssl_send()
1573 rc = wolfSSL_write(backend->handle, mem, memlen); in wolfssl_send()
1575 int err = wolfSSL_get_error(backend->handle, rc); in wolfssl_send()
1580 /* there is data pending, re-invoke SSL_write() */ in wolfssl_send()
1581 CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> AGAIN", len); in wolfssl_send()
1583 return -1; in wolfssl_send()
1585 if(backend->io_result == CURLE_AGAIN) { in wolfssl_send()
1586 CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> AGAIN", len); in wolfssl_send()
1588 return -1; in wolfssl_send()
1590 CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> %d, %d", len, rc, err); in wolfssl_send()
1599 return -1; in wolfssl_send()
1602 CURL_TRC_CF(data, cf, "wolfssl_send(len=%zu) -> %d", len, rc); in wolfssl_send()
1610 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_shutdown()
1611 struct wolfssl_ctx *wctx = (struct wolfssl_ctx *)connssl->backend; in wolfssl_shutdown()
1615 int nread = -1, err; in wolfssl_shutdown()
1620 if(!wctx->handle || cf->shutdown) { in wolfssl_shutdown()
1625 wctx->shutting_down = TRUE; in wolfssl_shutdown()
1626 connssl->io_need = CURL_SSL_IO_NEED_NONE; in wolfssl_shutdown()
1628 if(!(wolfSSL_get_shutdown(wctx->handle) & WOLFSSL_SENT_SHUTDOWN)) { in wolfssl_shutdown()
1632 nread = wolfSSL_read(wctx->handle, buf, (int)sizeof(buf)); in wolfssl_shutdown()
1633 err = wolfSSL_get_error(wctx->handle, nread); in wolfssl_shutdown()
1643 else if(!cf->next->cft->is_alive(cf->next, data, &input_pending)) { in wolfssl_shutdown()
1648 connssl->peer_closed = TRUE; in wolfssl_shutdown()
1659 if(wolfSSL_shutdown(wctx->handle) == 1) { in wolfssl_shutdown()
1664 if(WOLFSSL_ERROR_WANT_WRITE == wolfSSL_get_error(wctx->handle, nread)) { in wolfssl_shutdown()
1666 connssl->io_need = CURL_SSL_IO_NEED_SEND; in wolfssl_shutdown()
1675 nread = wolfSSL_read(wctx->handle, buf, (int)sizeof(buf)); in wolfssl_shutdown()
1679 err = wolfSSL_get_error(wctx->handle, nread); in wolfssl_shutdown()
1690 connssl->io_need = CURL_SSL_IO_NEED_RECV; in wolfssl_shutdown()
1694 connssl->io_need = CURL_SSL_IO_NEED_SEND; in wolfssl_shutdown()
1697 detail = wolfSSL_get_error(wctx->handle, err); in wolfssl_shutdown()
1707 cf->shutdown = (result || *done); in wolfssl_shutdown()
1713 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_close()
1715 (struct wolfssl_ctx *)connssl->backend; in wolfssl_close()
1721 if(backend->handle) { in wolfssl_close()
1722 wolfSSL_free(backend->handle); in wolfssl_close()
1723 backend->handle = NULL; in wolfssl_close()
1725 if(backend->ctx) { in wolfssl_close()
1726 wolfSSL_CTX_free(backend->ctx); in wolfssl_close()
1727 backend->ctx = NULL; in wolfssl_close()
1736 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_recv()
1738 (struct wolfssl_ctx *)connssl->backend; in wolfssl_recv()
1747 nread = wolfSSL_read(backend->handle, buf, buffsize); in wolfssl_recv()
1750 int err = wolfSSL_get_error(backend->handle, nread); in wolfssl_recv()
1754 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> CLOSED", blen); in wolfssl_recv()
1760 if(!backend->io_result && connssl->peer_closed) { in wolfssl_recv()
1761 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> CLOSED", blen); in wolfssl_recv()
1765 /* there is data pending, re-invoke wolfSSL_read() */ in wolfssl_recv()
1766 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> AGAIN", blen); in wolfssl_recv()
1768 return -1; in wolfssl_recv()
1770 if(backend->io_result == CURLE_AGAIN) { in wolfssl_recv()
1771 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> AGAIN", blen); in wolfssl_recv()
1773 return -1; in wolfssl_recv()
1775 else if(!backend->io_result && connssl->peer_closed) { in wolfssl_recv()
1776 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> CLOSED", blen); in wolfssl_recv()
1788 return -1; in wolfssl_recv()
1791 CURL_TRC_CF(data, cf, "wolfssl_recv(len=%zu) -> %d", blen, nread); in wolfssl_recv()
1799 return msnprintf(buffer, size, "wolfSSL/%s", wolfSSL_lib_version()); in Curl_wssl_version()
1801 return msnprintf(buffer, size, "wolfSSL/%s", WOLFSSL_VERSION); in Curl_wssl_version()
1832 struct ssl_connect_data *ctx = cf->ctx; in wolfssl_data_pending()
1836 DEBUGASSERT(ctx && ctx->backend); in wolfssl_data_pending()
1838 backend = (struct wolfssl_ctx *)ctx->backend; in wolfssl_data_pending()
1839 if(backend->handle) /* SSL is in use */ in wolfssl_data_pending()
1840 return wolfSSL_pending(backend->handle); in wolfssl_data_pending()
1852 struct ssl_connect_data *connssl = cf->ctx; in wolfssl_connect_common()
1856 if(ssl_connection_complete == connssl->state) { in wolfssl_connect_common()
1861 if(ssl_connect_1 == connssl->connecting_state) { in wolfssl_connect_common()
1876 while(ssl_connect_2 == connssl->connecting_state) { in wolfssl_connect_common()
1888 if(connssl->io_need) { in wolfssl_connect_common()
1889 curl_socket_t writefd = (connssl->io_need & CURL_SSL_IO_NEED_SEND) ? in wolfssl_connect_common()
1891 curl_socket_t readfd = (connssl->io_need & CURL_SSL_IO_NEED_RECV) ? in wolfssl_connect_common()
1922 if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state))) in wolfssl_connect_common()
1926 if(ssl_connect_3 == connssl->connecting_state) { in wolfssl_connect_common()
1928 * wolfSSL already does that as part of the handshake. */ in wolfssl_connect_common()
1929 connssl->connecting_state = ssl_connect_done; in wolfssl_connect_common()
1932 if(ssl_connect_done == connssl->connecting_state) { in wolfssl_connect_common()
1933 connssl->state = ssl_connection_complete; in wolfssl_connect_common()
1940 connssl->connecting_state = ssl_connect_1; in wolfssl_connect_common()
2003 (struct wolfssl_ctx *)connssl->backend; in wolfssl_get_internals()
2006 return backend->handle; in wolfssl_get_internals()
2010 { CURLSSLBACKEND_WOLFSSL, "wolfssl" }, /* info */