diff options
Diffstat (limited to 'lib/vtls/polarssl.c')
-rw-r--r-- | lib/vtls/polarssl.c | 64 |
1 files changed, 33 insertions, 31 deletions
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c index a6a769091..d6b0f238e 100644 --- a/lib/vtls/polarssl.c +++ b/lib/vtls/polarssl.c @@ -147,12 +147,16 @@ polarssl_connect_step1(struct connectdata *conn, { struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; + const char *capath = SSL_CONN_CONFIG(CApath); + const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name : + conn->host.name; + const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port; int ret = -1; char errorbuf[128]; errorbuf[0]=0; /* PolarSSL only supports SSLv3 and TLSv1 */ - if(data->set.ssl.version == CURL_SSLVERSION_SSLv2) { + if(SSL_CONN_CONFIG(version) == CURL_SSLVERSION_SSLv2) { failf(data, "PolarSSL does not support SSLv2"); return CURLE_SSL_CONNECT_ERROR; } @@ -180,30 +184,29 @@ polarssl_connect_step1(struct connectdata *conn, /* Load the trusted CA */ memset(&connssl->cacert, 0, sizeof(x509_crt)); - if(data->set.str[STRING_SSL_CAFILE]) { + if(SSL_CONN_CONFIG(CAfile)) { ret = x509_crt_parse_file(&connssl->cacert, - data->set.str[STRING_SSL_CAFILE]); + SSL_CONN_CONFIG(CAfile)); if(ret<0) { error_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Error reading ca cert file %s - PolarSSL: (-0x%04X) %s", - data->set.str[STRING_SSL_CAFILE], -ret, errorbuf); + SSL_CONN_CONFIG(CAfile), -ret, errorbuf); - if(data->set.ssl.verifypeer) + if(SSL_CONN_CONFIG(verifypeer)) return CURLE_SSL_CACERT_BADFILE; } } - if(data->set.str[STRING_SSL_CAPATH]) { - ret = x509_crt_parse_path(&connssl->cacert, - data->set.str[STRING_SSL_CAPATH]); + if(capath) { + ret = x509_crt_parse_path(&connssl->cacert, capath); if(ret<0) { error_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Error reading ca cert path %s - PolarSSL: (-0x%04X) %s", - data->set.str[STRING_SSL_CAPATH], -ret, errorbuf); + capath, -ret, errorbuf); - if(data->set.ssl.verifypeer) + if(SSL_CONN_CONFIG(verifypeer)) return CURLE_SSL_CACERT_BADFILE; } } @@ -211,25 +214,25 @@ polarssl_connect_step1(struct connectdata *conn, /* Load the client certificate */ memset(&connssl->clicert, 0, sizeof(x509_crt)); - if(data->set.str[STRING_CERT]) { + if(SSL_SET_OPTION(cert)) { ret = x509_crt_parse_file(&connssl->clicert, - data->set.str[STRING_CERT]); + SSL_SET_OPTION(cert)); if(ret) { error_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Error reading client cert file %s - PolarSSL: (-0x%04X) %s", - data->set.str[STRING_CERT], -ret, errorbuf); + SSL_SET_OPTION(cert), -ret, errorbuf); return CURLE_SSL_CERTPROBLEM; } } /* Load the client private key */ - if(data->set.str[STRING_KEY]) { + if(SSL_SET_OPTION(key)) { pk_context pk; pk_init(&pk); - ret = pk_parse_keyfile(&pk, data->set.str[STRING_KEY], - data->set.str[STRING_KEY_PASSWD]); + ret = pk_parse_keyfile(&pk, SSL_SET_OPTION(key), + SSL_SET_OPTION(key_passwd)); if(ret == 0 && !pk_can_do(&pk, POLARSSL_PK_RSA)) ret = POLARSSL_ERR_PK_TYPE_MISMATCH; if(ret == 0) @@ -241,7 +244,7 @@ polarssl_connect_step1(struct connectdata *conn, if(ret) { error_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Error reading private key %s - PolarSSL: (-0x%04X) %s", - data->set.str[STRING_KEY], -ret, errorbuf); + SSL_SET_OPTION(key), -ret, errorbuf); return CURLE_SSL_CERTPROBLEM; } @@ -250,28 +253,27 @@ polarssl_connect_step1(struct connectdata *conn, /* Load the CRL */ memset(&connssl->crl, 0, sizeof(x509_crl)); - if(data->set.str[STRING_SSL_CRLFILE]) { + if(SSL_SET_OPTION(CRLfile)) { ret = x509_crl_parse_file(&connssl->crl, - data->set.str[STRING_SSL_CRLFILE]); + SSL_SET_OPTION(CRLfile)); if(ret) { error_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "Error reading CRL file %s - PolarSSL: (-0x%04X) %s", - data->set.str[STRING_SSL_CRLFILE], -ret, errorbuf); + SSL_SET_OPTION(CRLfile), -ret, errorbuf); return CURLE_SSL_CRL_BADFILE; } } - infof(data, "PolarSSL: Connecting to %s:%d\n", - conn->host.name, conn->remote_port); + infof(data, "PolarSSL: Connecting to %s:%d\n", hostname, port); if(ssl_init(&connssl->ssl)) { failf(data, "PolarSSL: ssl_init failed"); return CURLE_SSL_CONNECT_ERROR; } - switch(data->set.ssl.version) { + switch(SSL_CONN_CONFIG(version)) { case CURL_SSLVERSION_DEFAULT: case CURL_SSLVERSION_TLSv1: ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3, @@ -325,11 +327,11 @@ polarssl_connect_step1(struct connectdata *conn, ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites()); /* Check if there's a cached ID we can/should use here! */ - if(conn->ssl_config.sessionid) { + if(data->set.general_ssl.sessionid) { void *old_session = NULL; Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_session, NULL)) { + if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) { ret = ssl_set_session(&connssl->ssl, old_session); if(ret) { Curl_ssl_sessionid_unlock(conn); @@ -344,12 +346,12 @@ polarssl_connect_step1(struct connectdata *conn, ssl_set_ca_chain(&connssl->ssl, &connssl->cacert, &connssl->crl, - conn->host.name); + hostname); ssl_set_own_cert_rsa(&connssl->ssl, &connssl->clicert, &connssl->rsa); - if(ssl_set_hostname(&connssl->ssl, conn->host.name)) { + if(ssl_set_hostname(&connssl->ssl, hostname)) { /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name to set in the SNI extension. So even if curl connects to a host specified as an IP address, this function must be used. */ @@ -428,7 +430,7 @@ polarssl_connect_step2(struct connectdata *conn, ret = ssl_get_verify_result(&conn->ssl[sockindex].ssl); - if(ret && data->set.ssl.verifypeer) { + if(ret && SSL_CONN_CONFIG(verifypeer)) { if(ret & BADCERT_EXPIRED) failf(data, "Cert verify failed: BADCERT_EXPIRED"); @@ -549,7 +551,7 @@ polarssl_connect_step3(struct connectdata *conn, DEBUGASSERT(ssl_connect_3 == connssl->connecting_state); - if(conn->ssl_config.sessionid) { + if(data->set.general_ssl.sessionid) { int ret; ssl_session *our_ssl_sessionid; void *old_ssl_sessionid = NULL; @@ -568,10 +570,10 @@ polarssl_connect_step3(struct connectdata *conn, /* If there's already a matching session in the cache, delete it */ Curl_ssl_sessionid_lock(conn); - if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL)) + if(!Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL, sockindex)) Curl_ssl_delsessionid(conn, old_ssl_sessionid); - retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0); + retcode = Curl_ssl_addsessionid(conn, our_ssl_sessionid, 0, sockindex); Curl_ssl_sessionid_unlock(conn); if(retcode) { free(our_ssl_sessionid); |