summaryrefslogtreecommitdiff
path: root/lib/vtls/wolfssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/vtls/wolfssl.c')
-rw-r--r--lib/vtls/wolfssl.c313
1 files changed, 162 insertions, 151 deletions
diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
index d04396209..afbb9b821 100644
--- a/lib/vtls/wolfssl.c
+++ b/lib/vtls/wolfssl.c
@@ -938,6 +938,163 @@ wssl_legacy_CTX_set_max_proto_version(WOLFSSL_CTX* ctx, int version)
#define wolfSSL_CTX_set_max_proto_version wssl_legacy_CTX_set_max_proto_version
#endif
+static CURLcode client_certificate(struct Curl_easy *data,
+ struct ssl_config_data *ssl_config,
+ struct wssl_ctx *wctx)
+{
+ /* Load the client certificate, and private key */
+#ifndef NO_FILESYSTEM
+ if(ssl_config->primary.cert_blob || ssl_config->primary.clientcert) {
+ const char *cert_file = ssl_config->primary.clientcert;
+ const char *key_file = ssl_config->key;
+ const struct curl_blob *cert_blob = ssl_config->primary.cert_blob;
+ const struct curl_blob *key_blob = ssl_config->key_blob;
+ int file_type = wssl_do_file_type(ssl_config->cert_type);
+ int rc;
+
+ switch(file_type) {
+ case WOLFSSL_FILETYPE_PEM:
+ rc = cert_blob ?
+ wolfSSL_CTX_use_certificate_chain_buffer(wctx->ssl_ctx,
+ cert_blob->data,
+ (long)cert_blob->len) :
+ wolfSSL_CTX_use_certificate_chain_file(wctx->ssl_ctx, cert_file);
+ break;
+ case WOLFSSL_FILETYPE_ASN1:
+ rc = cert_blob ?
+ wolfSSL_CTX_use_certificate_buffer(wctx->ssl_ctx, cert_blob->data,
+ (long)cert_blob->len, file_type) :
+ wolfSSL_CTX_use_certificate_file(wctx->ssl_ctx, cert_file, file_type);
+ break;
+ default:
+ failf(data, "unknown cert type");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+ if(rc != 1) {
+ failf(data, "unable to use client certificate");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ if(!key_blob && !key_file) {
+ key_blob = cert_blob;
+ key_file = cert_file;
+ }
+ else
+ file_type = wssl_do_file_type(ssl_config->key_type);
+
+ rc = key_blob ?
+ wolfSSL_CTX_use_PrivateKey_buffer(wctx->ssl_ctx, key_blob->data,
+ (long)key_blob->len, file_type) :
+ wolfSSL_CTX_use_PrivateKey_file(wctx->ssl_ctx, key_file, file_type);
+ if(rc != 1) {
+ failf(data, "unable to set private key");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+#else /* NO_FILESYSTEM */
+ if(ssl_config->primary.cert_blob) {
+ const struct curl_blob *cert_blob = ssl_config->primary.cert_blob;
+ const struct curl_blob *key_blob = ssl_config->key_blob;
+ int file_type = wssl_do_file_type(ssl_config->cert_type);
+ int rc;
+
+ switch(file_type) {
+ case WOLFSSL_FILETYPE_PEM:
+ rc = wolfSSL_CTX_use_certificate_chain_buffer(wctx->ssl_ctx,
+ cert_blob->data,
+ (long)cert_blob->len);
+ break;
+ case WOLFSSL_FILETYPE_ASN1:
+ rc = wolfSSL_CTX_use_certificate_buffer(wctx->ssl_ctx, cert_blob->data,
+ (long)cert_blob->len, file_type);
+ break;
+ default:
+ failf(data, "unknown cert type");
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+ if(rc != 1) {
+ failf(data, "unable to use client certificate");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ if(!key_blob)
+ key_blob = cert_blob;
+ else
+ file_type = wssl_do_file_type(ssl_config->key_type);
+
+ if(wolfSSL_CTX_use_PrivateKey_buffer(wctx->ssl_ctx, key_blob->data,
+ (long)key_blob->len,
+ file_type) != 1) {
+ failf(data, "unable to set private key");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+#endif /* !NO_FILESYSTEM */
+ return CURLE_OK;
+}
+
+static CURLcode ssl_version(struct Curl_easy *data,
+ struct ssl_primary_config *conn_config,
+ struct wssl_ctx *wctx)
+{
+ int res;
+ switch(conn_config->version) {
+ case CURL_SSLVERSION_DEFAULT:
+ case CURL_SSLVERSION_TLSv1:
+ case CURL_SSLVERSION_TLSv1_0:
+ res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_VERSION);
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
+ break;
+#ifdef WOLFSSL_TLS13
+ case CURL_SSLVERSION_TLSv1_3:
+ res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
+ break;
+#endif
+ default:
+ failf(data, "wolfSSL: unsupported minimum TLS version value");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ if(res != WOLFSSL_SUCCESS) {
+ failf(data, "wolfSSL: failed set the minimum TLS version");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ switch(conn_config->version_max) {
+#ifdef WOLFSSL_TLS13
+ case CURL_SSLVERSION_MAX_TLSv1_3:
+ res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
+ break;
+#endif
+ case CURL_SSLVERSION_MAX_TLSv1_2:
+ res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
+ break;
+ case CURL_SSLVERSION_MAX_TLSv1_1:
+ res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
+ break;
+ case CURL_SSLVERSION_MAX_TLSv1_0:
+ res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_VERSION);
+ break;
+ case CURL_SSLVERSION_MAX_DEFAULT:
+ case CURL_SSLVERSION_MAX_NONE:
+ res = WOLFSSL_SUCCESS;
+ break;
+ default:
+ failf(data, "wolfSSL: unsupported maximum TLS version value");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ if(res != WOLFSSL_SUCCESS) {
+ failf(data, "wolfSSL: failed set the maximum TLS version");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ return CURLE_OK;
+}
+
+
#define QUIC_CIPHERS \
"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_" \
"POLY1305_SHA256:TLS_AES_128_CCM_SHA256"
@@ -957,7 +1114,6 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
struct ssl_primary_config *conn_config;
WOLFSSL_METHOD* req_method = NULL;
struct alpn_spec alpns;
- int res;
char *curves;
#ifdef WOLFSSL_HAVE_KYBER
word16 pqkem = 0;
@@ -998,63 +1154,9 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
goto out;
}
- switch(conn_config->version) {
- case CURL_SSLVERSION_DEFAULT:
- case CURL_SSLVERSION_TLSv1:
- case CURL_SSLVERSION_TLSv1_0:
- res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_VERSION);
- break;
- case CURL_SSLVERSION_TLSv1_1:
- res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
- break;
- case CURL_SSLVERSION_TLSv1_2:
- res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
- break;
-#ifdef WOLFSSL_TLS13
- case CURL_SSLVERSION_TLSv1_3:
- res = wolfSSL_CTX_set_min_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
- break;
-#endif
- default:
- failf(data, "wolfSSL: unsupported minimum TLS version value");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
- }
- if(res != WOLFSSL_SUCCESS) {
- failf(data, "wolfSSL: failed set the minimum TLS version");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
- }
-
- switch(conn_config->version_max) {
-#ifdef WOLFSSL_TLS13
- case CURL_SSLVERSION_MAX_TLSv1_3:
- res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_3_VERSION);
- break;
-#endif
- case CURL_SSLVERSION_MAX_TLSv1_2:
- res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_2_VERSION);
- break;
- case CURL_SSLVERSION_MAX_TLSv1_1:
- res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_1_VERSION);
- break;
- case CURL_SSLVERSION_MAX_TLSv1_0:
- res = wolfSSL_CTX_set_max_proto_version(wctx->ssl_ctx, TLS1_VERSION);
- break;
- case CURL_SSLVERSION_MAX_DEFAULT:
- case CURL_SSLVERSION_MAX_NONE:
- res = WOLFSSL_SUCCESS;
- break;
- default:
- failf(data, "wolfSSL: unsupported maximum TLS version value");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
- }
- if(res != WOLFSSL_SUCCESS) {
- failf(data, "wolfSSL: failed set the maximum TLS version");
- result = CURLE_SSL_CONNECT_ERROR;
+ result = ssl_version(data, conn_config, wctx);
+ if(result)
goto out;
- }
#ifndef WOLFSSL_TLS13
{
@@ -1129,100 +1231,9 @@ CURLcode Curl_wssl_ctx_init(struct wssl_ctx *wctx,
}
}
- /* Load the client certificate, and private key */
-#ifndef NO_FILESYSTEM
- if(ssl_config->primary.cert_blob || ssl_config->primary.clientcert) {
- const char *cert_file = ssl_config->primary.clientcert;
- const char *key_file = ssl_config->key;
- const struct curl_blob *cert_blob = ssl_config->primary.cert_blob;
- const struct curl_blob *key_blob = ssl_config->key_blob;
- int file_type = wssl_do_file_type(ssl_config->cert_type);
- int rc;
-
- switch(file_type) {
- case WOLFSSL_FILETYPE_PEM:
- rc = cert_blob ?
- wolfSSL_CTX_use_certificate_chain_buffer(wctx->ssl_ctx,
- cert_blob->data,
- (long)cert_blob->len) :
- wolfSSL_CTX_use_certificate_chain_file(wctx->ssl_ctx, cert_file);
- break;
- case WOLFSSL_FILETYPE_ASN1:
- rc = cert_blob ?
- wolfSSL_CTX_use_certificate_buffer(wctx->ssl_ctx, cert_blob->data,
- (long)cert_blob->len, file_type) :
- wolfSSL_CTX_use_certificate_file(wctx->ssl_ctx, cert_file, file_type);
- break;
- default:
- failf(data, "unknown cert type");
- result = CURLE_BAD_FUNCTION_ARGUMENT;
- goto out;
- }
- if(rc != 1) {
- failf(data, "unable to use client certificate");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
- }
-
- if(!key_blob && !key_file) {
- key_blob = cert_blob;
- key_file = cert_file;
- }
- else
- file_type = wssl_do_file_type(ssl_config->key_type);
-
- rc = key_blob ?
- wolfSSL_CTX_use_PrivateKey_buffer(wctx->ssl_ctx, key_blob->data,
- (long)key_blob->len, file_type) :
- wolfSSL_CTX_use_PrivateKey_file(wctx->ssl_ctx, key_file, file_type);
- if(rc != 1) {
- failf(data, "unable to set private key");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
- }
- }
-#else /* NO_FILESYSTEM */
- if(ssl_config->primary.cert_blob) {
- const struct curl_blob *cert_blob = ssl_config->primary.cert_blob;
- const struct curl_blob *key_blob = ssl_config->key_blob;
- int file_type = wssl_do_file_type(ssl_config->cert_type);
- int rc;
-
- switch(file_type) {
- case WOLFSSL_FILETYPE_PEM:
- rc = wolfSSL_CTX_use_certificate_chain_buffer(wctx->ssl_ctx,
- cert_blob->data,
- (long)cert_blob->len);
- break;
- case WOLFSSL_FILETYPE_ASN1:
- rc = wolfSSL_CTX_use_certificate_buffer(wctx->ssl_ctx, cert_blob->data,
- (long)cert_blob->len, file_type);
- break;
- default:
- failf(data, "unknown cert type");
- result = CURLE_BAD_FUNCTION_ARGUMENT;
- goto out;
- }
- if(rc != 1) {
- failf(data, "unable to use client certificate");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
- }
-
- if(!key_blob)
- key_blob = cert_blob;
- else
- file_type = wssl_do_file_type(ssl_config->key_type);
-
- if(wolfSSL_CTX_use_PrivateKey_buffer(wctx->ssl_ctx, key_blob->data,
- (long)key_blob->len,
- file_type) != 1) {
- failf(data, "unable to set private key");
- result = CURLE_SSL_CONNECT_ERROR;
- goto out;
- }
- }
-#endif /* !NO_FILESYSTEM */
+ result = client_certificate(data, ssl_config, wctx);
+ if(result)
+ goto out;
/* SSL always tries to verify the peer, this only says whether it should
* fail to connect if the verification fails, or if it should continue
generated by cgit v1.2.3 (git 2.46.0) at 2025-09-03 00:13:08 +0000