| 1 | /*************************************************************************** |
| 2 | * _ _ ____ _ |
| 3 | * Project ___| | | | _ \| | |
| 4 | * / __| | | | |_) | | |
| 5 | * | (__| |_| | _ <| |___ |
| 6 | * \___|\___/|_| \_\_____| |
| 7 | * |
| 8 | * Copyright (C) Jacob Hoffman-Andrews, |
| 9 | * <github@hoffman-andrews.com> |
| 10 | * |
| 11 | * This software is licensed as described in the file COPYING, which |
| 12 | * you should have received as part of this distribution. The terms |
| 13 | * are also available at https://curl.se/docs/copyright.html. |
| 14 | * |
| 15 | * You may opt to use, copy, modify, merge, publish, distribute and/or sell |
| 16 | * copies of the Software, and permit persons to whom the Software is |
| 17 | * furnished to do so, under the terms of the COPYING file. |
| 18 | * |
| 19 | * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY |
| 20 | * KIND, either express or implied. |
| 21 | * |
| 22 | * SPDX-License-Identifier: curl |
| 23 | * |
| 24 | ***************************************************************************/ |
| 25 | #include "curl_setup.h" |
| 26 | |
| 27 | #ifdef USE_RUSTLS |
| 28 | |
| 29 | #include "curl_printf.h" |
| 30 | |
| 31 | #include <errno.h> |
| 32 | #include <rustls.h> |
| 33 | |
| 34 | #include "inet_pton.h" |
| 35 | #include "urldata.h" |
| 36 | #include "sendf.h" |
| 37 | #include "vtls.h" |
| 38 | #include "vtls_int.h" |
| 39 | #include "select.h" |
| 40 | #include "strerror.h" |
| 41 | #include "multiif.h" |
| 42 | |
/* Per-connection state of the rustls backend, allocated by vtls with the
   size advertised in Curl_ssl_rustls and zero-initialized before use. */
struct rustls_ssl_backend_data
{
  /* Client configuration built in cr_init_backend; owned here and released
     in cr_close. */
  const struct rustls_client_config *config;
  /* The rustls connection object; created in cr_init_backend, freed (after a
     best-effort close_notify) in cr_close. */
  struct rustls_connection *conn;
  /* TRUE once tls_recv_more has fed and processed new TLS records, until
     rustls_connection_read reports RUSTLS_RESULT_PLAINTEXT_EMPTY in cr_recv.
     Surfaced to the transfer loop through cr_data_pending. */
  bool data_pending;
};
| 49 | |
/* Translate a rustls_result into the closest CURLcode.

   Every certificate-related failure collapses to
   CURLE_PEER_FAILED_VERIFICATION so callers can tell "the peer did not prove
   its identity" apart from transport problems. OK and NULL_PARAMETER have
   direct equivalents; anything else is reported as a generic read error. */
static CURLcode map_error(rustls_result r)
{
  CURLcode code = CURLE_READ_ERROR;

  if(rustls_result_is_cert_error(r))
    return CURLE_PEER_FAILED_VERIFICATION;

  if(r == RUSTLS_RESULT_OK)
    code = CURLE_OK;
  else if(r == RUSTLS_RESULT_NULL_PARAMETER)
    code = CURLE_BAD_FUNCTION_ARGUMENT;

  return code;
}
| 65 | |
/* Report whether rustls may still hold decrypted plaintext that cr_recv has
   not handed out yet, so the transfer loop polls cr_recv again instead of
   waiting on the socket. The flag itself is maintained by tls_recv_more and
   cr_recv; this is a pure read. */
static bool
cr_data_pending(struct Curl_cfilter *cf, const struct Curl_easy *data)
{
  const struct ssl_connect_data *ctx = cf->ctx;
  const struct rustls_ssl_backend_data *backend;

  (void)data;
  DEBUGASSERT(ctx && ctx->backend);
  backend = (const struct rustls_ssl_backend_data *)ctx->backend;
  return backend->data_pending;
}
| 77 | |
/* Blocking connect entry of the Curl_ssl vtable. This backend only provides
   the non-blocking handshake (cr_connect_nonblocking), so a blocking request
   is logged and refused with CURLE_SSL_CONNECT_ERROR. */
static CURLcode
cr_connect(struct Curl_cfilter *cf UNUSED_PARAM,
           struct Curl_easy *data UNUSED_PARAM)
{
  const CURLcode unsupported = CURLE_SSL_CONNECT_ERROR;

  infof(data, "rustls_connect: unimplemented");
  return unsupported;
}
| 85 | |
/* Bundle handed to the rustls I/O callbacks (read_cb/write_cb) as userdata:
   the TLS filter itself, whose cf->next is the transport the raw TLS bytes
   are read from / written to, and the easy handle used for error reporting.
   Callers keep it on their stack for the duration of a single
   rustls_connection_read_tls / rustls_connection_write_tls call. */
struct io_ctx {
  struct Curl_cfilter *cf;
  struct Curl_easy *data;
};
| 90 | |
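/* rustls read callback: pull raw TLS bytes from the next connection filter
   into `buf` (at most `len` bytes).

   Returns 0 on success with *out_n set to the byte count (0 means the
   transport reported EOF), or an errno-style value: EAGAIN when the filter
   would block, EINVAL for any other failure. rustls only needs to tell
   "retry later" from "give up"; the detailed CURLcode is dropped here and
   tls_recv_more reports the failure to the user. */
static int
read_cb(void *userdata, uint8_t *buf, uintptr_t len, uintptr_t *out_n)
{
  struct io_ctx *io_ctx = userdata;
  CURLcode result;
  int ret = 0;
  ssize_t nread = Curl_conn_cf_recv(io_ctx->cf->next, io_ctx->data,
                                    (char *)buf, len, &result);
  if(nread < 0) {
    nread = 0;
    ret = (result == CURLE_AGAIN) ? EAGAIN : EINVAL;
  }
  /* nread is non-negative and bounded by len here; convert to the
     callback's uintptr_t directly instead of via int, which would truncate
     the count on 64-bit platforms. */
  *out_n = (uintptr_t)nread;
  return ret;
}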
| 109 | |
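/* rustls write callback: push `len` encrypted TLS bytes from `buf` to the
   next connection filter.

   Returns 0 on success with *out_n set to the number of bytes the filter
   accepted (0 means it took nothing), EAGAIN when the filter would block, or
   EINVAL for any other failure. The CURLcode is not propagated; cr_send
   reports the errno-style value through Curl_strerror. */
static int
write_cb(void *userdata, const uint8_t *buf, uintptr_t len, uintptr_t *out_n)
{
  struct io_ctx *io_ctx = userdata;
  CURLcode result;
  int ret = 0;
  ssize_t nwritten = Curl_conn_cf_send(io_ctx->cf->next, io_ctx->data,
                                       (const char *)buf, len, &result);
  if(nwritten < 0) {
    nwritten = 0;
    ret = (result == CURLE_AGAIN) ? EAGAIN : EINVAL;
  }
  /* nwritten is non-negative and at most len; convert to uintptr_t directly
     rather than through int, which would truncate on 64-bit platforms. */
  *out_n = (uintptr_t)nwritten;
  return ret;
}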
| 132 | |
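/* Pull one batch of TLS bytes from the next filter into rustls and let it
   process the new records.

   Returns the number of TLS bytes read (0 is possible when the transport
   reported EOF; rustls records that and surfaces it later through
   rustls_connection_read), or -1 with *err set:
   - CURLE_AGAIN when the socket would block,
   - CURLE_READ_ERROR on a transport failure,
   - map_error()'s translation when rustls rejects the records. Because
     map_error recognizes certificate errors, a failed peer verification
     comes out of here as CURLE_PEER_FAILED_VERIFICATION; callers should
     pass that code through rather than remap it.
   On success backend->data_pending is set, since new plaintext may now be
   available to rustls_connection_read. */
static ssize_t tls_recv_more(struct Curl_cfilter *cf,
                             struct Curl_easy *data, CURLcode *err)
{
  struct ssl_connect_data *const connssl = cf->ctx;
  struct rustls_ssl_backend_data *const backend =
    (struct rustls_ssl_backend_data *)connssl->backend;
  struct io_ctx io_ctx;
  size_t tls_bytes_read = 0;
  rustls_io_result io_error;
  rustls_result rresult;

  io_ctx.cf = cf;
  io_ctx.data = data;
  io_error = rustls_connection_read_tls(backend->conn, read_cb, &io_ctx,
                                        &tls_bytes_read);
  if(io_error == EAGAIN || io_error == EWOULDBLOCK) {
    *err = CURLE_AGAIN;
    return -1;
  }
  if(io_error) {
    /* io_error is the errno-style value produced by read_cb */
    char buffer[STRERROR_LEN];
    failf(data, "reading from socket: %s",
          Curl_strerror(io_error, buffer, sizeof(buffer)));
    *err = CURLE_READ_ERROR;
    return -1;
  }

  /* Decrypt/validate the freshly read records. */
  rresult = rustls_connection_process_new_packets(backend->conn);
  if(rresult != RUSTLS_RESULT_OK) {
    char errorbuf[255];
    size_t errorlen;
    rustls_error(rresult, errorbuf, sizeof(errorbuf), &errorlen);
    /* %.*s takes an int precision; passing the size_t directly is a
       format/argument type mismatch. */
    failf(data, "rustls_connection_process_new_packets: %.*s",
          (int)errorlen, errorbuf);
    *err = map_error(rresult);
    return -1;
  }

  backend->data_pending = TRUE;
  *err = CURLE_OK;
  return (ssize_t)tls_bytes_read;
}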
| 175 | |
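/*
 * Deliver decrypted application data to the caller.
 *
 * On each run:
 * - If rustls has no plaintext queued (backend->data_pending is false),
 *   read a chunk of TLS bytes from the socket into rustls and have it
 *   process the new records (tls_recv_more).
 * - Copy as many plaintext bytes as possible into plainbuf, until hitting
 *   an error, EOF, EAGAIN/EWOULDBLOCK, or plainlen bytes have been copied.
 *
 * Returns the number of plaintext bytes copied, 0 on a clean TLS EOF (the
 * peer closed the TLS session before the TCP connection), or -1 with *err
 * set. A TCP close without a preceding TLS close is reported as
 * CURLE_READ_ERROR rather than as EOF, so a truncated response cannot be
 * mistaken for a complete one. Errors from tls_recv_more (including
 * CURLE_PEER_FAILED_VERIFICATION) are passed through unchanged.
 *
 * Note: the loop condition is plain_bytes_copied < plainlen, so a call with
 * plainlen == 0 performs no socket I/O at all and returns -1/CURLE_AGAIN.
 * To feed rustls without consuming plaintext, call tls_recv_more directly.
 */
static ssize_t
cr_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
        char *plainbuf, size_t plainlen, CURLcode *err)
{
  struct ssl_connect_data *const connssl = cf->ctx;
  struct rustls_ssl_backend_data *const backend =
    (struct rustls_ssl_backend_data *)connssl->backend;
  struct rustls_connection *rconn = NULL;
  size_t n = 0;
  size_t plain_bytes_copied = 0;
  rustls_result rresult = 0;
  ssize_t nread;
  bool eof = FALSE;

  DEBUGASSERT(backend);
  rconn = backend->conn;

  while(plain_bytes_copied < plainlen) {
    if(!backend->data_pending) {
      if(tls_recv_more(cf, data, err) < 0) {
        if(*err != CURLE_AGAIN) {
          /* transport failure or rustls rejected the records; *err is
             already set by tls_recv_more */
          nread = -1;
          goto out;
        }
        /* nothing more on the socket right now; report what we have */
        break;
      }
    }

    rresult = rustls_connection_read(rconn,
                                     (uint8_t *)plainbuf + plain_bytes_copied,
                                     plainlen - plain_bytes_copied,
                                     &n);
    if(rresult == RUSTLS_RESULT_PLAINTEXT_EMPTY) {
      /* rustls is drained; the next iteration must pull more TLS bytes */
      backend->data_pending = FALSE;
    }
    else if(rresult == RUSTLS_RESULT_UNEXPECTED_EOF) {
      failf(data, "rustls: peer closed TCP connection "
            "without first closing TLS connection");
      *err = CURLE_READ_ERROR;
      nread = -1;
      goto out;
    }
    else if(rresult != RUSTLS_RESULT_OK) {
      /* n always equals 0 in this case, don't need to check it */
      char errorbuf[255];
      size_t errorlen;
      rustls_error(rresult, errorbuf, sizeof(errorbuf), &errorlen);
      /* %.*s wants an int precision, not a size_t */
      failf(data, "rustls_connection_read: %.*s", (int)errorlen, errorbuf);
      *err = CURLE_READ_ERROR;
      nread = -1;
      goto out;
    }
    else if(n == 0) {
      /* n == 0 indicates clean EOF, but we may have read some other
         plaintext bytes before we reached this. Break out of the loop
         so we can figure out whether to return success or EOF. */
      eof = TRUE;
      break;
    }
    else {
      plain_bytes_copied += n;
    }
  }

  if(plain_bytes_copied) {
    *err = CURLE_OK;
    nread = (ssize_t)plain_bytes_copied;
  }
  else if(eof) {
    *err = CURLE_OK;
    nread = 0;
  }
  else {
    *err = CURLE_AGAIN;
    nread = -1;
  }

out:
  CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d",
              plainlen, nread, *err);
  return nread;
}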
| 270 | |
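/*
 * Encrypt application data and push TLS records to the socket.
 *
 * On each call:
 * - Copy `plainlen` bytes into rustls' plaintext input buffer (if > 0).
 * - Fully drain rustls' TLS output buffer into the next filter until we get
 *   either an error or EAGAIN/EWOULDBLOCK.
 *
 * It's okay to call this function with plainbuf == NULL and plainlen == 0.
 * In that case nothing is queued; only TLS output rustls already holds
 * (handshake messages, a close_notify) is flushed.
 *
 * Returns the number of plaintext bytes rustls accepted with *err set to
 * CURLE_OK, or -1 with *err set to CURLE_AGAIN (socket would block) or
 * CURLE_WRITE_ERROR.
 *
 * NOTE(review): when plainlen > 0 and the drain loop hits EAGAIN, the
 * plaintext has already been copied into rustls but -1/CURLE_AGAIN is
 * returned. A caller that retries the same bytes would then queue them a
 * second time. Addressing that needs per-connection bookkeeping of the
 * amount already buffered (state outside this function); confirm against
 * the callers' retry policy before relying on this path.
 */
static ssize_t
cr_send(struct Curl_cfilter *cf, struct Curl_easy *data,
        const void *plainbuf, size_t plainlen, CURLcode *err)
{
  struct ssl_connect_data *const connssl = cf->ctx;
  struct rustls_ssl_backend_data *const backend =
    (struct rustls_ssl_backend_data *)connssl->backend;
  struct rustls_connection *rconn = NULL;
  struct io_ctx io_ctx;
  size_t plainwritten = 0;
  size_t tlswritten = 0;
  size_t tlswritten_total = 0;
  rustls_result rresult;
  rustls_io_result io_error;
  char errorbuf[256];
  size_t errorlen;

  DEBUGASSERT(backend);
  rconn = backend->conn;

  /* plainlen is a size_t: %zu (the former %ld was a type mismatch) */
  CURL_TRC_CF(data, cf, "cf_send: %zu plain bytes", plainlen);

  io_ctx.cf = cf;
  io_ctx.data = data;

  if(plainlen > 0) {
    rresult = rustls_connection_write(rconn, plainbuf, plainlen,
                                      &plainwritten);
    if(rresult != RUSTLS_RESULT_OK) {
      rustls_error(rresult, errorbuf, sizeof(errorbuf), &errorlen);
      /* %.*s takes an int precision, not a size_t */
      failf(data, "rustls_connection_write: %.*s", (int)errorlen, errorbuf);
      *err = CURLE_WRITE_ERROR;
      return -1;
    }
    else if(plainwritten == 0) {
      /* we offered data and rustls accepted none of it */
      failf(data, "rustls_connection_write: EOF");
      *err = CURLE_WRITE_ERROR;
      return -1;
    }
  }

  while(rustls_connection_wants_write(rconn)) {
    io_error = rustls_connection_write_tls(rconn, write_cb, &io_ctx,
                                           &tlswritten);
    if(io_error == EAGAIN || io_error == EWOULDBLOCK) {
      CURL_TRC_CF(data, cf, "cf_send: EAGAIN after %zu bytes",
                  tlswritten_total);
      *err = CURLE_AGAIN;
      return -1;
    }
    else if(io_error) {
      /* io_error is the errno-style value produced by write_cb */
      char buffer[STRERROR_LEN];
      failf(data, "writing to socket: %s",
            Curl_strerror(io_error, buffer, sizeof(buffer)));
      *err = CURLE_WRITE_ERROR;
      return -1;
    }
    if(tlswritten == 0) {
      failf(data, "EOF in swrite");
      *err = CURLE_WRITE_ERROR;
      return -1;
    }
    CURL_TRC_CF(data, cf, "cf_send: wrote %zu TLS bytes", tlswritten);
    tlswritten_total += tlswritten;
  }

  /* Report success explicitly: callers such as cr_connect_nonblocking look
     at *err after a non-negative return and would otherwise see whatever
     value the variable held before the call. */
  *err = CURLE_OK;
  return (ssize_t)plainwritten;
}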
| 349 | |
/* Certificate verifier installed by cr_init_backend only when
   CURLOPT_SSL_VERIFYPEER is off. It accepts every server certificate
   unconditionally: the connection is still encrypted, but the peer's
   identity is NOT checked and an active attacker can impersonate the
   server. It must never be installed on a verifying configuration. */
static enum rustls_result
cr_verify_none(void *userdata UNUSED_PARAM,
               const rustls_verify_server_cert_params *params UNUSED_PARAM)
{
  const enum rustls_result accept_anything = RUSTLS_RESULT_OK;

  return accept_anything;
}
| 358 | |
/* Return true when `hostname` is a literal IPv6 (if IPv6 is enabled) or
   IPv4 address, i.e. not a DNS name that can be used for SNI. */
static bool
cr_hostname_is_ip(const char *hostname)
{
  bool literal = false;
  struct in_addr v4;
#ifdef ENABLE_IPV6
  struct in6_addr v6;

  if(Curl_inet_pton(AF_INET6, hostname, &v6) > 0)
    literal = true;
#endif /* ENABLE_IPV6 */
  if(!literal && Curl_inet_pton(AF_INET, hostname, &v4) > 0)
    literal = true;

  return literal;
}
| 374 | |
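/* Build the rustls client configuration from the connection's TLS settings
   and create the client connection.

   Inputs taken from the primary ssl config: the ALPN list (if any), the
   verifypeer flag and the trust roots, from CURLOPT_CAINFO_BLOB when set,
   otherwise from CURLOPT_CAINFO. With verifypeer off, cr_verify_none is
   installed and every server certificate is accepted. Note that
   conn_config->verifyhost is not read here, so host-name checking cannot be
   relaxed independently of peer verification in this backend.

   On success backend->config and backend->conn are set; both are owned by
   the backend and released in cr_close (also after a failure below that
   happens once backend->config was assigned). Returns
   CURLE_SSL_CACERT_BADFILE when the roots cannot be parsed/loaded,
   CURLE_SSL_CONNECT_ERROR when no SNI host can be derived, and
   CURLE_COULDNT_CONNECT when rustls refuses to create the connection.

   NOTE(review): with verifypeer on but neither a CA blob nor a CA file
   configured, no roots are added to the builder; what rustls does with such
   a config is not visible here -- confirm it fails closed. */
static CURLcode
cr_init_backend(struct Curl_cfilter *cf, struct Curl_easy *data,
                struct rustls_ssl_backend_data *const backend)
{
  struct ssl_connect_data *connssl = cf->ctx;
  struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  struct rustls_connection *rconn = NULL;
  struct rustls_client_config_builder *config_builder = NULL;
  struct rustls_root_cert_store *roots = NULL;
  const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
  const char * const ssl_cafile =
    /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
    (ca_info_blob ? NULL : conn_config->CAfile);
  const bool verifypeer = conn_config->verifypeer;
  const char *hostname = connssl->hostname;
  char errorbuf[256];
  size_t errorlen;
  int result;

  DEBUGASSERT(backend);
  rconn = backend->conn;

  config_builder = rustls_client_config_builder_new();
  if(connssl->alpn) {
    struct alpn_proto_buf proto;
    /* presumably connssl->alpn->count never exceeds ALPN_ENTRIES_MAX; that
       bound is enforced wherever the alpn spec is built, not here */
    rustls_slice_bytes alpn[ALPN_ENTRIES_MAX];
    size_t i;

    for(i = 0; i < connssl->alpn->count; ++i) {
      alpn[i].data = (const uint8_t *)connssl->alpn->entries[i];
      alpn[i].len = strlen(connssl->alpn->entries[i]);
    }
    /* NOTE(review): the rustls_result of this call is ignored; a failure
       would silently leave no ALPN offered. */
    rustls_client_config_builder_set_alpn_protocols(config_builder, alpn,
                                                    connssl->alpn->count);
    Curl_alpn_to_proto_str(&proto, connssl->alpn);
    infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
  }
  if(!verifypeer) {
    /* Peer verification explicitly disabled by the user: accept any
       certificate. Nothing below loads trust roots in this case. */
    rustls_client_config_builder_dangerous_set_certificate_verifier(
      config_builder, cr_verify_none);
    /* rustls doesn't support IP addresses (as of 0.19.0), and will reject
     * connections created with an IP address, even when certificate
     * verification is turned off. Set a placeholder hostname and disable
     * SNI. */
    if(cr_hostname_is_ip(hostname)) {
      rustls_client_config_builder_set_enable_sni(config_builder, false);
      hostname = "example.invalid";
    }
  }
  else if(ca_info_blob) {
    roots = rustls_root_cert_store_new();

    /* Enable strict parsing only if verification isn't disabled. */
    result = rustls_root_cert_store_add_pem(roots, ca_info_blob->data,
                                            ca_info_blob->len, verifypeer);
    if(result != RUSTLS_RESULT_OK) {
      failf(data, "rustls: failed to parse trusted certificates from blob");
      rustls_root_cert_store_free(roots);
      /* the builder has no free of its own: build it and free the result */
      rustls_client_config_free(
        rustls_client_config_builder_build(config_builder));
      return CURLE_SSL_CACERT_BADFILE;
    }

    result = rustls_client_config_builder_use_roots(config_builder, roots);
    /* use_roots took what it needs; our reference is released either way */
    rustls_root_cert_store_free(roots);
    if(result != RUSTLS_RESULT_OK) {
      failf(data, "rustls: failed to load trusted certificates");
      rustls_client_config_free(
        rustls_client_config_builder_build(config_builder));
      return CURLE_SSL_CACERT_BADFILE;
    }
  }
  else if(ssl_cafile) {
    result = rustls_client_config_builder_load_roots_from_file(
      config_builder, ssl_cafile);
    if(result != RUSTLS_RESULT_OK) {
      failf(data, "rustls: failed to load trusted certificates");
      rustls_client_config_free(
        rustls_client_config_builder_build(config_builder));
      return CURLE_SSL_CACERT_BADFILE;
    }
  }

  /* From here on backend->config is set and cr_close will release it. */
  backend->config = rustls_client_config_builder_build(config_builder);
  DEBUGASSERT(rconn == NULL);
  {
    char *snihost = Curl_ssl_snihost(data, hostname, NULL);
    if(!snihost) {
      failf(data, "rustls: failed to get SNI");
      return CURLE_SSL_CONNECT_ERROR;
    }
    result = rustls_client_connection_new(backend->config, snihost, &rconn);
  }
  if(result != RUSTLS_RESULT_OK) {
    rustls_error(result, errorbuf, sizeof(errorbuf), &errorlen);
    /* %.*s takes an int precision, not a size_t */
    failf(data, "rustls_client_connection_new: %.*s",
          (int)errorlen, errorbuf);
    return CURLE_COULDNT_CONNECT;
  }
  rustls_connection_set_userdata(rconn, backend);
  backend->conn = rconn;
  return CURLE_OK;
}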
| 477 | |
/* Ask rustls which ALPN protocol (if any) was negotiated and record it on
   the connection via Curl_alpn_set_negotiated. The out-parameters start as
   NULL/0, presumably what rustls leaves in place when nothing was
   negotiated, and are forwarded as-is. */
static void
cr_set_negotiated_alpn(struct Curl_cfilter *cf, struct Curl_easy *data,
                       const struct rustls_connection *rconn)
{
  const uint8_t *proto = NULL;
  size_t proto_len = 0;

  rustls_connection_get_alpn_protocol(rconn, &proto, &proto_len);
  Curl_alpn_set_negotiated(cf, data, proto, proto_len);
}
| 488 | |
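/* Drive the TLS handshake without blocking.

   On the first call (connssl->state == ssl_connection_none) the rustls
   config and connection are created by cr_init_backend. Then TLS bytes are
   exchanged with the socket for as long as it is ready. The loop only
   exits by returning:
   - CURLE_OK with *done = TRUE once rustls reports the handshake complete
     (state set to ssl_connection_complete, negotiated ALPN recorded),
   - CURLE_OK with *done = FALSE when the socket would block,
   - an error code otherwise. Transport errors from tls_recv_more are
     reported as CURLE_SSL_CONNECT_ERROR; every other code, notably
     CURLE_PEER_FAILED_VERIFICATION for a rejected certificate, is passed
     through unchanged so the real reason reaches the user. */
static CURLcode
cr_connect_nonblocking(struct Curl_cfilter *cf,
                       struct Curl_easy *data, bool *done)
{
  struct ssl_connect_data *const connssl = cf->ctx;
  curl_socket_t sockfd = Curl_conn_cf_get_socket(cf, data);
  struct rustls_ssl_backend_data *const backend =
    (struct rustls_ssl_backend_data *)connssl->backend;
  struct rustls_connection *rconn = NULL;
  CURLcode tmperr = CURLE_OK;
  CURLcode result; /* holds a CURLcode, so declare it as one (was int) */
  int what;
  bool wants_read;
  bool wants_write;
  curl_socket_t writefd;
  curl_socket_t readfd;

  DEBUGASSERT(backend);

  if(ssl_connection_none == connssl->state) {
    result = cr_init_backend(cf, data, backend);
    if(result != CURLE_OK) {
      return result;
    }
    connssl->state = ssl_connection_negotiating;
  }

  rconn = backend->conn;

  /* Read/write data until the handshake is done or the socket would block. */
  for(;;) {
    /*
     * Connection has been established according to rustls. Set send/recv
     * handlers, and update the state machine.
     */
    if(!rustls_connection_is_handshaking(rconn)) {
      infof(data, "Done handshaking");
      /* Done with the handshake. Set up callbacks to send/receive data. */
      connssl->state = ssl_connection_complete;

      cr_set_negotiated_alpn(cf, data, rconn);

      *done = TRUE;
      return CURLE_OK;
    }

    wants_read = rustls_connection_wants_read(rconn);
    wants_write = rustls_connection_wants_write(rconn);
    DEBUGASSERT(wants_read || wants_write);
    writefd = wants_write ? sockfd : CURL_SOCKET_BAD;
    readfd = wants_read ? sockfd : CURL_SOCKET_BAD;

    /* zero timeout: a readiness probe that never blocks */
    what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd, 0);
    if(what < 0) {
      /* fatal error */
      failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
      return CURLE_SSL_CONNECT_ERROR;
    }
    if(0 == what) {
      infof(data, "Curl_socket_check: %s would block",
            wants_read && wants_write ? "writing and reading" :
            wants_write ? "writing" : "reading");
      *done = FALSE;
      return CURLE_OK;
    }
    /* socket is readable or writable */

    /* Start each pass from a clean code so a value left over from the
       previous iteration (e.g. CURLE_AGAIN) is not mistaken for this
       iteration's result. */
    tmperr = CURLE_OK;

    if(wants_write) {
      infof(data, "rustls_connection wants us to write_tls.");
      /* plainlen 0: flush pending handshake records only */
      cr_send(cf, data, NULL, 0, &tmperr);
      if(tmperr == CURLE_AGAIN) {
        infof(data, "writing would block");
        /* fall through */
      }
      else if(tmperr != CURLE_OK) {
        return tmperr;
      }
    }

    if(wants_read) {
      infof(data, "rustls_connection wants us to read_tls.");

      if(tls_recv_more(cf, data, &tmperr) < 0) {
        if(tmperr == CURLE_AGAIN) {
          infof(data, "reading would block");
          /* fall through */
        }
        else if(tmperr == CURLE_READ_ERROR) {
          return CURLE_SSL_CONNECT_ERROR;
        }
        else {
          /* includes CURLE_PEER_FAILED_VERIFICATION from map_error */
          return tmperr;
        }
      }
    }
  }

  /* We should never fall through the loop. We should return either because
     the handshake is done or because we can't read/write without blocking.
     The return below keeps the function well-formed in non-debug builds. */
  DEBUGASSERT(false);
  return CURLE_SSL_CONNECT_ERROR;
}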
| 591 | |
/* Tell the multi loop what to wait for on this connection's first socket:
   write readiness whenever rustls still holds TLS output (checked first),
   otherwise read readiness if rustls wants more input, otherwise nothing.
   socks[0] is only filled in when a flag is returned. */
static int
cr_get_select_socks(struct Curl_cfilter *cf, struct Curl_easy *data,
                    curl_socket_t *socks)
{
  struct ssl_connect_data *const connssl = cf->ctx;
  curl_socket_t sockfd = Curl_conn_cf_get_socket(cf, data);
  struct rustls_ssl_backend_data *const backend =
    (struct rustls_ssl_backend_data *)connssl->backend;
  int flags = GETSOCK_BLANK;
  bool interested = false;

  (void)data;
  DEBUGASSERT(backend);

  if(rustls_connection_wants_write(backend->conn)) {
    flags = GETSOCK_WRITESOCK(0);
    interested = true;
  }
  else if(rustls_connection_wants_read(backend->conn)) {
    flags = GETSOCK_READSOCK(0);
    interested = true;
  }

  if(interested)
    socks[0] = sockfd;
  return flags;
}
| 619 | |
/* get_internals vtable hook. The CURLINFO selector is ignored; the result
   is the address of the backend's rustls_connection pointer (not the
   connection itself), so a caller dereferences once to reach the
   struct rustls_connection. */
static void *
cr_get_internals(struct ssl_connect_data *connssl,
                 CURLINFO info UNUSED_PARAM)
{
  struct rustls_ssl_backend_data *backend;

  backend = (struct rustls_ssl_backend_data *)connssl->backend;
  DEBUGASSERT(backend);
  return &backend->conn;
}
| 629 | |
/* Tear down the TLS session of this filter. When a rustls connection
   exists, a close_notify alert is queued and flushed with a single
   best-effort cr_send; a blocked (CURLE_AGAIN) or failed flush is only
   logged and the connection is freed regardless, so the peer may observe an
   abrupt close. The client config is released afterwards. Safe to call when
   neither conn nor config was ever created. */
static void
cr_close(struct Curl_cfilter *cf, struct Curl_easy *data)
{
  struct ssl_connect_data *connssl = cf->ctx;
  struct rustls_ssl_backend_data *backend =
    (struct rustls_ssl_backend_data *)connssl->backend;

  DEBUGASSERT(backend);

  if(backend->conn) {
    CURLcode flush_err = CURLE_OK;

    rustls_connection_send_close_notify(backend->conn);
    /* plainlen 0: only drain the TLS output rustls already holds */
    if(cr_send(cf, data, NULL, 0, &flush_err) < 0)
      failf(data, "rustls: error sending close_notify: %d", flush_err);

    rustls_connection_free(backend->conn);
    backend->conn = NULL;
  }
  if(backend->config) {
    rustls_client_config_free(backend->config);
    backend->config = NULL;
  }
}
| 656 | |
/* Write the rustls library version string into `buffer` (truncated to
   `size`, NUL-terminated by msnprintf) and return msnprintf's result. */
static size_t cr_version(char *buffer, size_t size)
{
  const struct rustls_str ver = rustls_version();
  const int verlen = (int)ver.len;

  return msnprintf(buffer, size, "%.*s", verlen, ver.data);
}
| 662 | |
/* Backend descriptor registered with vtls.

   Capability notes: SSLSUPP_CAINFO_BLOB is implemented by the ca_info_blob
   path of cr_init_backend. Nothing in this file reads a TLS 1.3 cipher-suite
   list, so SSLSUPP_TLS13_CIPHERSUITES looks over-advertised -- NOTE(review):
   confirm whether CURLOPT_TLS13_CIPHERS is honoured anywhere for rustls or
   whether the flag should be dropped so the option is rejected instead of
   silently ignored. The blocking connect is a stub (cr_connect); shutdown is
   Curl_none_shutdown and the close_notify is sent from cr_close. */
const struct Curl_ssl Curl_ssl_rustls = {
  { CURLSSLBACKEND_RUSTLS, "rustls" },
  SSLSUPP_CAINFO_BLOB |            /* supports */
  SSLSUPP_TLS13_CIPHERSUITES |
  SSLSUPP_HTTPS_PROXY,
  sizeof(struct rustls_ssl_backend_data),

  Curl_none_init,                  /* init */
  Curl_none_cleanup,               /* cleanup */
  cr_version,                      /* version */
  Curl_none_check_cxn,             /* check_cxn */
  Curl_none_shutdown,              /* shutdown */
  cr_data_pending,                 /* data_pending */
  Curl_none_random,                /* random */
  Curl_none_cert_status_request,   /* cert_status_request */
  cr_connect,                      /* connect (blocking, unimplemented) */
  cr_connect_nonblocking,          /* connect_nonblocking */
  cr_get_select_socks,             /* get_select_socks */
  cr_get_internals,                /* get_internals */
  cr_close,                        /* close_one */
  Curl_none_close_all,             /* close_all */
  Curl_none_session_free,          /* session_free */
  Curl_none_set_engine,            /* set_engine */
  Curl_none_set_engine_default,    /* set_engine_default */
  Curl_none_engines_list,          /* engines_list */
  Curl_none_false_start,           /* false_start */
  NULL,                            /* sha256sum */
  NULL,                            /* associate_connection */
  NULL,                            /* disassociate_connection */
  NULL,                            /* free_multi_ssl_backend_data */
  cr_recv,                         /* recv decrypted data */
  cr_send,                         /* send data to encrypt */
};
| 696 | |
| 697 | #endif /* USE_RUSTLS */ |
| 698 | |