aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls
diff options
context:
space:
mode:
Diffstat (limited to 'lib/vtls')
-rw-r--r--lib/vtls/gskit.c284
1 files changed, 143 insertions, 141 deletions
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index ae878c7bc..a3cf40b40 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -164,8 +164,6 @@ static bool is_separator(char c)
static CURLcode gskit_status(struct SessionHandle *data, int rc,
const char *procname, CURLcode defcode)
{
- CURLcode cc;
-
/* Process GSKit status and map it to a CURLcode. */
switch (rc) {
case GSK_OK:
@@ -298,7 +296,7 @@ static CURLcode set_ciphers(struct SessionHandle *data,
int i;
int l;
bool unsupported;
- CURLcode cc;
+ CURLcode result;
struct {
char *buf;
char *ptr;
@@ -331,7 +329,7 @@ static CURLcode set_ciphers(struct SessionHandle *data,
/* Process each cipher in input string. */
unsupported = FALSE;
- cc = CURLE_OK;
+ result = CURLE_OK;
for(;;) {
for(clp = cipherlist; *cipherlist && !is_separator(*cipherlist);)
cipherlist++;
@@ -344,7 +342,7 @@ static CURLcode set_ciphers(struct SessionHandle *data,
break;
if(!ctp->name) {
failf(data, "Unknown cipher %.*s", l, clp);
- cc = CURLE_SSL_CIPHER;
+ result = CURLE_SSL_CIPHER;
}
else {
unsupported |= !(ctp->versions & (CURL_GSKPROTO_SSLV2_MASK |
@@ -372,53 +370,53 @@ static CURLcode set_ciphers(struct SessionHandle *data,
/* Try to set-up TLSv1.1 and TLSv2.1 ciphers. */
if(*protoflags & CURL_GSKPROTO_TLSV11_MASK) {
- cc = set_buffer(data, h, GSK_TLSV11_CIPHER_SPECS,
- ciphers[CURL_GSKPROTO_TLSV11].buf, TRUE);
- if(cc == CURLE_UNSUPPORTED_PROTOCOL) {
- cc = CURLE_OK;
+ result = set_buffer(data, h, GSK_TLSV11_CIPHER_SPECS,
+ ciphers[CURL_GSKPROTO_TLSV11].buf, TRUE);
+ if(result == CURLE_UNSUPPORTED_PROTOCOL) {
+ result = CURLE_OK;
if(unsupported) {
failf(data, "TLSv1.1-only ciphers are not yet supported");
- cc = CURLE_SSL_CIPHER;
+ result = CURLE_SSL_CIPHER;
}
}
}
- if(cc == CURLE_OK && (*protoflags & CURL_GSKPROTO_TLSV12_MASK)) {
- cc = set_buffer(data, h, GSK_TLSV12_CIPHER_SPECS,
- ciphers[CURL_GSKPROTO_TLSV12].buf, TRUE);
- if(cc == CURLE_UNSUPPORTED_PROTOCOL) {
- cc = CURLE_OK;
+ if(!result && (*protoflags & CURL_GSKPROTO_TLSV12_MASK)) {
+ result = set_buffer(data, h, GSK_TLSV12_CIPHER_SPECS,
+ ciphers[CURL_GSKPROTO_TLSV12].buf, TRUE);
+ if(result == CURLE_UNSUPPORTED_PROTOCOL) {
+ result = CURLE_OK;
if(unsupported) {
failf(data, "TLSv1.2-only ciphers are not yet supported");
- cc = CURLE_SSL_CIPHER;
+ result = CURLE_SSL_CIPHER;
}
}
}
/* Try to set-up TLSv1.0 ciphers. If not successful, concatenate them to
the SSLv3 ciphers. OS/400 prior to version 7.1 will understand it. */
- if(cc == CURLE_OK && (*protoflags & CURL_GSKPROTO_TLSV10_MASK)) {
- cc = set_buffer(data, h, GSK_TLSV10_CIPHER_SPECS,
- ciphers[CURL_GSKPROTO_TLSV10].buf, TRUE);
- if(cc == CURLE_UNSUPPORTED_PROTOCOL) {
- cc = CURLE_OK;
+ if(!result && (*protoflags & CURL_GSKPROTO_TLSV10_MASK)) {
+ result = set_buffer(data, h, GSK_TLSV10_CIPHER_SPECS,
+ ciphers[CURL_GSKPROTO_TLSV10].buf, TRUE);
+ if(result == CURLE_UNSUPPORTED_PROTOCOL) {
+ result = CURLE_OK;
strcpy(ciphers[CURL_GSKPROTO_SSLV3].ptr,
ciphers[CURL_GSKPROTO_TLSV10].ptr);
}
}
/* Set-up other ciphers. */
- if(cc == CURLE_OK && (*protoflags & CURL_GSKPROTO_SSLV3_MASK))
- cc = set_buffer(data, h, GSK_V3_CIPHER_SPECS,
- ciphers[CURL_GSKPROTO_SSLV3].buf, FALSE);
- if(cc == CURLE_OK && (*protoflags & CURL_GSKPROTO_SSLV2_MASK))
- cc = set_buffer(data, h, GSK_V2_CIPHER_SPECS,
- ciphers[CURL_GSKPROTO_SSLV2].buf, FALSE);
+ if(!result && (*protoflags & CURL_GSKPROTO_SSLV3_MASK))
+ result = set_buffer(data, h, GSK_V3_CIPHER_SPECS,
+ ciphers[CURL_GSKPROTO_SSLV3].buf, FALSE);
+ if(!result && (*protoflags & CURL_GSKPROTO_SSLV2_MASK))
+ result = set_buffer(data, h, GSK_V2_CIPHER_SPECS,
+ ciphers[CURL_GSKPROTO_SSLV2].buf, FALSE);
/* Clean-up. */
for(i = 0; i < CURL_GSKPROTO_LAST; i++)
free(ciphers[i].buf);
- return cc;
+ return result;
}
@@ -442,7 +440,7 @@ static CURLcode init_environment(struct SessionHandle *data,
const char *password)
{
int rc;
- CURLcode c;
+ CURLcode result;
gsk_handle h;
/* Creates the GSKit environment. */
@@ -458,29 +456,29 @@ static CURLcode init_environment(struct SessionHandle *data,
return CURLE_SSL_CONNECT_ERROR;
}
- c = set_enum(data, h, GSK_SESSION_TYPE, GSK_CLIENT_SESSION, FALSE);
- if(c == CURLE_OK && appid)
- c = set_buffer(data, h, GSK_OS400_APPLICATION_ID, appid, FALSE);
- if(c == CURLE_OK && file)
- c = set_buffer(data, h, GSK_KEYRING_FILE, file, FALSE);
- if(c == CURLE_OK && label)
- c = set_buffer(data, h, GSK_KEYRING_LABEL, label, FALSE);
- if(c == CURLE_OK && password)
- c = set_buffer(data, h, GSK_KEYRING_PW, password, FALSE);
-
- if(c == CURLE_OK) {
+ result = set_enum(data, h, GSK_SESSION_TYPE, GSK_CLIENT_SESSION, FALSE);
+ if(!result && appid)
+ result = set_buffer(data, h, GSK_OS400_APPLICATION_ID, appid, FALSE);
+ if(!result && file)
+ result = set_buffer(data, h, GSK_KEYRING_FILE, file, FALSE);
+ if(!result && label)
+ result = set_buffer(data, h, GSK_KEYRING_LABEL, label, FALSE);
+ if(!result && password)
+ result = set_buffer(data, h, GSK_KEYRING_PW, password, FALSE);
+
+ if(!result) {
/* Locate CAs, Client certificate and key according to our settings.
Note: this call may be blocking for some tenths of seconds. */
- c = gskit_status(data, gsk_environment_init(h),
- "gsk_environment_init()", CURLE_SSL_CERTPROBLEM);
- if(c == CURLE_OK) {
+ result = gskit_status(data, gsk_environment_init(h),
+ "gsk_environment_init()", CURLE_SSL_CERTPROBLEM);
+ if(!result) {
*envir = h;
- return c;
+ return result;
}
}
/* Error: rollback. */
gsk_environment_close(&h);
- return c;
+ return result;
}
@@ -558,7 +556,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
gsk_handle envir;
- CURLcode cc;
+ CURLcode result;
int rc;
char *keyringfile;
char *keyringpwd;
@@ -600,18 +598,18 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
if(!envir) {
/* Use keyring mode. */
- cc = init_environment(data, &envir, (const char *) NULL,
- keyringfile, keyringlabel, keyringpwd);
- if(cc != CURLE_OK)
- return cc;
+ result = init_environment(data, &envir, (const char *) NULL,
+ keyringfile, keyringlabel, keyringpwd);
+ if(result)
+ return result;
}
/* Create secure session. */
- cc = gskit_status(data, gsk_secure_soc_open(envir, &connssl->handle),
- "gsk_secure_soc_open()", CURLE_SSL_CONNECT_ERROR);
+ result = gskit_status(data, gsk_secure_soc_open(envir, &connssl->handle),
+ "gsk_secure_soc_open()", CURLE_SSL_CONNECT_ERROR);
gsk_environment_close(&envir);
- if(cc != CURLE_OK)
- return cc;
+ if(result)
+ return result;
/* Determine which SSL/TLS version should be enabled. */
protoflags = CURL_GSKPROTO_SSLV3_MASK | CURL_GSKPROTO_TLSV10_MASK |
@@ -643,81 +641,84 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
/* Process SNI. Ignore if not supported (on OS400 < V7R1). */
if(sni) {
- cc = set_buffer(data, connssl->handle,
- GSK_SSL_EXTN_SERVERNAME_REQUEST, sni, TRUE);
- if(cc == CURLE_UNSUPPORTED_PROTOCOL)
- cc = CURLE_OK;
+ result = set_buffer(data, connssl->handle,
+ GSK_SSL_EXTN_SERVERNAME_REQUEST, sni, TRUE);
+ if(result == CURLE_UNSUPPORTED_PROTOCOL)
+ result = CURLE_OK;
}
/* Set session parameters. */
- if(cc == CURLE_OK) {
+ if(!result) {
/* Compute the handshake timeout. Since GSKit granularity is 1 second,
we round up the required value. */
timeout = Curl_timeleft(data, NULL, TRUE);
if(timeout < 0)
- cc = CURLE_OPERATION_TIMEDOUT;
+ result = CURLE_OPERATION_TIMEDOUT;
else
- cc = set_numeric(data, connssl->handle, GSK_HANDSHAKE_TIMEOUT,
- (timeout + 999) / 1000);
+ result = set_numeric(data, connssl->handle, GSK_HANDSHAKE_TIMEOUT,
+ (timeout + 999) / 1000);
}
- if(cc == CURLE_OK)
- cc = set_numeric(data, connssl->handle, GSK_FD, conn->sock[sockindex]);
- if(cc == CURLE_OK)
- cc = set_ciphers(data, connssl->handle, &protoflags);
+ if(!result)
+ result = set_numeric(data, connssl->handle, GSK_FD, conn->sock[sockindex]);
+ if(!result)
+ result = set_ciphers(data, connssl->handle, &protoflags);
if(!protoflags) {
failf(data, "No SSL protocol/cipher combination enabled");
- cc = CURLE_SSL_CIPHER;
+ result = CURLE_SSL_CIPHER;
}
- if(cc == CURLE_OK)
- cc = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV2,
- (protoflags & CURL_GSKPROTO_SSLV2_MASK)?
- GSK_PROTOCOL_SSLV2_ON: GSK_PROTOCOL_SSLV2_OFF, FALSE);
- if(cc == CURLE_OK)
- cc = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV3,
- (protoflags & CURL_GSKPROTO_SSLV3_MASK)?
- GSK_PROTOCOL_SSLV3_ON: GSK_PROTOCOL_SSLV3_OFF, FALSE);
- if(cc == CURLE_OK)
- cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1,
- (protoflags & CURL_GSKPROTO_TLSV10_MASK)?
- GSK_PROTOCOL_TLSV1_ON: GSK_PROTOCOL_TLSV1_OFF, FALSE);
- if(cc == CURLE_OK) {
- cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV11,
- (protoflags & CURL_GSKPROTO_TLSV11_MASK)?
- GSK_TRUE: GSK_FALSE, TRUE);
- if(cc == CURLE_UNSUPPORTED_PROTOCOL) {
- cc = CURLE_OK;
+ if(!result)
+ result = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV2,
+ (protoflags & CURL_GSKPROTO_SSLV2_MASK)?
+ GSK_PROTOCOL_SSLV2_ON: GSK_PROTOCOL_SSLV2_OFF, FALSE);
+ if(!result)
+ result = set_enum(data, connssl->handle, GSK_PROTOCOL_SSLV3,
+ (protoflags & CURL_GSKPROTO_SSLV3_MASK)?
+ GSK_PROTOCOL_SSLV3_ON: GSK_PROTOCOL_SSLV3_OFF, FALSE);
+ if(!result)
+ result = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1,
+ (protoflags & CURL_GSKPROTO_TLSV10_MASK)?
+ GSK_PROTOCOL_TLSV1_ON: GSK_PROTOCOL_TLSV1_OFF, FALSE);
+ if(!result) {
+ result = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV11,
+ (protoflags & CURL_GSKPROTO_TLSV11_MASK)?
+ GSK_TRUE: GSK_FALSE, TRUE);
+ if(result == CURLE_UNSUPPORTED_PROTOCOL) {
+ result = CURLE_OK;
if(protoflags == CURL_GSKPROTO_TLSV11_MASK) {
failf(data, "TLS 1.1 not yet supported");
- cc = CURLE_SSL_CIPHER;
+ result = CURLE_SSL_CIPHER;
}
}
}
- if(cc == CURLE_OK) {
- cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV12,
- (protoflags & CURL_GSKPROTO_TLSV12_MASK)?
- GSK_TRUE: GSK_FALSE, TRUE);
- if(cc == CURLE_UNSUPPORTED_PROTOCOL) {
- cc = CURLE_OK;
+ if(!result) {
+ result = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV12,
+ (protoflags & CURL_GSKPROTO_TLSV12_MASK)?
+ GSK_TRUE: GSK_FALSE, TRUE);
+ if(result == CURLE_UNSUPPORTED_PROTOCOL) {
+ result = CURLE_OK;
if(protoflags == CURL_GSKPROTO_TLSV12_MASK) {
failf(data, "TLS 1.2 not yet supported");
- cc = CURLE_SSL_CIPHER;
+ result = CURLE_SSL_CIPHER;
}
}
}
- if(cc == CURLE_OK)
- cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
- data->set.ssl.verifypeer? GSK_SERVER_AUTH_FULL:
- GSK_SERVER_AUTH_PASSTHRU, FALSE);
+ if(!result)
+ result = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE,
+ data->set.ssl.verifypeer? GSK_SERVER_AUTH_FULL:
+ GSK_SERVER_AUTH_PASSTHRU, FALSE);
- if(cc == CURLE_OK) {
+ if(!result) {
/* Start handshake. Try asynchronous first. */
memset(&commarea, 0, sizeof commarea);
connssl->iocport = QsoCreateIOCompletionPort();
if(connssl->iocport != -1) {
- cc = gskit_status(data, gsk_secure_soc_startInit(connssl->handle,
- connssl->iocport, &commarea),
- "gsk_secure_soc_startInit()", CURLE_SSL_CONNECT_ERROR);
- if(cc == CURLE_OK) {
+ result = gskit_status(data,
+ gsk_secure_soc_startInit(connssl->handle,
+ connssl->iocport,
+ &commarea),
+ "gsk_secure_soc_startInit()",
+ CURLE_SSL_CONNECT_ERROR);
+ if(!result) {
connssl->connecting_state = ssl_connect_2;
return CURLE_OK;
}
@@ -725,12 +726,13 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
close_async_handshake(connssl);
}
else if(errno != ENOBUFS)
- cc = gskit_status(data, GSK_ERROR_IO, "QsoCreateIOCompletionPort()", 0);
+ result = gskit_status(data, GSK_ERROR_IO,
+ "QsoCreateIOCompletionPort()", 0);
else {
/* No more completion port available. Use synchronous IO. */
- cc = gskit_status(data, gsk_secure_soc_init(connssl->handle),
- "gsk_secure_soc_init()", CURLE_SSL_CONNECT_ERROR);
- if(cc == CURLE_OK) {
+ result = gskit_status(data, gsk_secure_soc_init(connssl->handle),
+ "gsk_secure_soc_init()", CURLE_SSL_CONNECT_ERROR);
+ if(!result) {
connssl->connecting_state = ssl_connect_3;
return CURLE_OK;
}
@@ -739,7 +741,7 @@ static CURLcode gskit_connect_step1(struct connectdata *conn, int sockindex)
/* Error: rollback. */
close_one(connssl, data);
- return cc;
+ return result;
}
@@ -751,7 +753,7 @@ static CURLcode gskit_connect_step2(struct connectdata *conn, int sockindex,
Qso_OverlappedIO_t cstat;
long timeout_ms;
struct timeval stmv;
- CURLcode cc;
+ CURLcode result;
/* Poll or wait for end of SSL asynchronous handshake. */
@@ -786,12 +788,12 @@ static CURLcode gskit_connect_step2(struct connectdata *conn, int sockindex,
}
break;
}
- cc = gskit_status(data, cstat.returnValue, "SSL handshake",
- CURLE_SSL_CONNECT_ERROR);
- if(cc == CURLE_OK)
+ result = gskit_status(data, cstat.returnValue, "SSL handshake",
+ CURLE_SSL_CONNECT_ERROR);
+ if(!result)
connssl->connecting_state = ssl_connect_3;
close_async_handshake(connssl);
- return cc;
+ return result;
}
@@ -806,7 +808,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
const char *certend;
const char *ptr;
int i;
- CURLcode cc;
+ CURLcode result;
/* SSL handshake done: gather certificate info and verify host. */
@@ -839,9 +841,9 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
}
/* Verify host. */
- cc = Curl_verifyhost(conn, cert, certend);
- if(cc != CURLE_OK)
- return cc;
+ result = Curl_verifyhost(conn, cert, certend);
+ if(result)
+ return result;
/* The only place GSKit can get the whole CA chain is a validation
callback where no user data pointer is available. Therefore it's not
@@ -852,15 +854,15 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
if(Curl_ssl_init_certinfo(data, 1))
return CURLE_OUT_OF_MEMORY;
if(cert) {
- cc = Curl_extract_certinfo(conn, 0, cert, certend);
- if(cc != CURLE_OK)
- return cc;
+ result = Curl_extract_certinfo(conn, 0, cert, certend);
+ if(result)
+ return result;
}
}
/* Check pinned public key. */
ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- if(cc == CURLE_OK && ptr) {
+ if(!result && ptr) {
curl_X509certificate x509;
curl_asn1Element *p;
@@ -868,10 +870,10 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
return CURLE_SSL_PINNEDPUBKEYNOTMATCH;
Curl_parseX509(&x509, cert, certend);
p = &x509.subjectPublicKeyInfo;
- cc = Curl_pin_peer_pubkey(ptr, p->header, p->end - p->header);
- if(cc != CURLE_OK) {
+ result = Curl_pin_peer_pubkey(ptr, p->header, p->end - p->header);
+ if(result) {
failf(data, "SSL: public key does not match pinned public key!");
- return cc;
+ return result;
}
}
@@ -887,7 +889,7 @@ static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex,
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
long timeout_ms;
Qso_OverlappedIO_t cstat;
- CURLcode cc = CURLE_OK;
+ CURLcode result = CURLE_OK;
*done = connssl->state == ssl_connection_complete;
if(*done)
@@ -901,31 +903,31 @@ static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex,
if(timeout_ms < 0) {
/* no need to continue if time already is up */
failf(data, "SSL connection timeout");
- cc = CURLE_OPERATION_TIMEDOUT;
+ result = CURLE_OPERATION_TIMEDOUT;
}
else
- cc = gskit_connect_step1(conn, sockindex);
+ result = gskit_connect_step1(conn, sockindex);
}
/* Step 2: check if handshake is over. */
- if(cc == CURLE_OK && connssl->connecting_state == ssl_connect_2) {
+ if(!result && connssl->connecting_state == ssl_connect_2) {
/* check allowed time left */
timeout_ms = Curl_timeleft(data, NULL, TRUE);
if(timeout_ms < 0) {
/* no need to continue if time already is up */
failf(data, "SSL connection timeout");
- cc = CURLE_OPERATION_TIMEDOUT;
+ result = CURLE_OPERATION_TIMEDOUT;
}
else
- cc = gskit_connect_step2(conn, sockindex, nonblocking);
+ result = gskit_connect_step2(conn, sockindex, nonblocking);
}
/* Step 3: gather certificate info, verify host. */
- if(cc == CURLE_OK && connssl->connecting_state == ssl_connect_3)
- cc = gskit_connect_step3(conn, sockindex);
+ if(!result && connssl->connecting_state == ssl_connect_3)
+ result = gskit_connect_step3(conn, sockindex);
- if(cc != CURLE_OK)
+ if(result)
close_one(connssl, data);
else if(connssl->connecting_state == ssl_connect_done) {
connssl->state = ssl_connection_complete;
@@ -935,7 +937,7 @@ static CURLcode gskit_connect_common(struct connectdata *conn, int sockindex,
*done = TRUE;
}
- return cc;
+ return result;
}
@@ -943,24 +945,24 @@ CURLcode Curl_gskit_connect_nonblocking(struct connectdata *conn,
int sockindex,
bool *done)
{
- CURLcode cc;
+ CURLcode result;
- cc = gskit_connect_common(conn, sockindex, TRUE, done);
- if(*done || cc != CURLE_OK)
+ result = gskit_connect_common(conn, sockindex, TRUE, done);
+ if(*done || result)
conn->ssl[sockindex].connecting_state = ssl_connect_1;
- return cc;
+ return result;
}
CURLcode Curl_gskit_connect(struct connectdata *conn, int sockindex)
{
- CURLcode retcode;
+ CURLcode result;
bool done;
conn->ssl[sockindex].connecting_state = ssl_connect_1;
- retcode = gskit_connect_common(conn, sockindex, FALSE, &done);
- if(retcode)
- return retcode;
+ result = gskit_connect_common(conn, sockindex, FALSE, &done);
+ if(result)
+ return result;
DEBUGASSERT(done);