From 0a083a66bcae51a485d45ba416eac1d1fbe4ca15 Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Fri, 23 Jun 2017 01:04:56 +0200
Subject: vtls: move sha256sum into the Curl_ssl struct

The SHA-256 checksumming is also an SSL backend-specific function. Let's include it in the struct declaring the functionality of SSL backends.

In contrast to MD5, there is no fall-back code. To indicate this, the respective entries are NULL for those backends that offer no support for SHA-256 checksumming.

Signed-off-by: Johannes Schindelin
---
 lib/vtls/axtls.c | 3 ++-
 lib/vtls/cyassl.c | 11 ++++++-----
 lib/vtls/cyassl.h | 6 ------
 lib/vtls/darwinssl.c | 11 ++++++-----
 lib/vtls/darwinssl.h | 6 ------
 lib/vtls/gskit.c | 3 ++-
 lib/vtls/gtls.c | 11 ++++++-----
 lib/vtls/gtls.h | 6 ------
 lib/vtls/mbedtls.c | 11 ++++++++++-
 lib/vtls/mbedtls.h | 3 ---
 lib/vtls/nss.c | 11 ++++++-----
 lib/vtls/nssg.h | 6 ------
 lib/vtls/openssl.c | 15 ++++++++++-----
 lib/vtls/openssl.h | 8 --------
 lib/vtls/polarssl.c | 11 ++++++++++-
 lib/vtls/polarssl.h | 4 ----
 lib/vtls/schannel.c | 3 ++-
 lib/vtls/vtls.c | 16 +++++++--------
 lib/vtls/vtls.h | 2 ++
 19 files changed, 69 insertions(+), 78 deletions(-)

diff --git a/lib/vtls/axtls.c b/lib/vtls/axtls.c
index 138a80ade..3446dac44 100644
--- a/lib/vtls/axtls.c
+++ b/lib/vtls/axtls.c
@@ -722,7 +722,8 @@ const struct Curl_ssl Curl_ssl_axtls = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_none_false_start, /* false_start */
- Curl_none_md5sum /* md5sum */
+ Curl_none_md5sum, /* md5sum */
+ NULL /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_axtls;
diff --git a/lib/vtls/cyassl.c b/lib/vtls/cyassl.c
index 74052318f..62db13c1b 100644
--- a/lib/vtls/cyassl.c
+++ b/lib/vtls/cyassl.c
@@ -939,10 +939,10 @@ CURLcode Curl_cyassl_random(struct Curl_easy *data,
 return CURLE_OK;
 }
-void Curl_cyassl_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum /* output */,
- size_t unused)
+static void Curl_cyassl_sha256sum(const unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *sha256sum /* output */,
+ size_t unused)
 {
 Sha256 SHA256pw;
 (void)unused;
@@ -971,7 +971,8 @@ const struct Curl_ssl Curl_ssl_cyassl = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_none_false_start, /* false_start */
- Curl_none_md5sum /* md5sum */
+ Curl_none_md5sum, /* md5sum */
+ Curl_cyassl_sha256sum /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_cyassl;
diff --git a/lib/vtls/cyassl.h b/lib/vtls/cyassl.h
index 23d7139be..abee7cf80 100644
--- a/lib/vtls/cyassl.h
+++ b/lib/vtls/cyassl.h
@@ -54,10 +54,6 @@ CURLcode Curl_cyassl_connect_nonblocking(struct connectdata *conn,
 CURLcode Curl_cyassl_random(struct Curl_easy *data, unsigned char *entropy, size_t length);
-void Curl_cyassl_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum, /* output */
- size_t unused);
 extern const struct Curl_ssl Curl_ssl_cyassl;
@@ -72,7 +68,5 @@ extern const struct Curl_ssl Curl_ssl_cyassl;
 #define have_curlssl_pinnedpubkey 1
 #endif
-#define curlssl_sha256sum(a,b,c,d) Curl_cyassl_sha256sum(a,b,c,d)
-
 #endif /* USE_CYASSL */
 #endif /* HEADER_CURL_CYASSL_H */
diff --git a/lib/vtls/darwinssl.c b/lib/vtls/darwinssl.c
index 71e5a9790..23be96a20 100644
--- a/lib/vtls/darwinssl.c
+++ b/lib/vtls/darwinssl.c
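Review bot: The `size_t unused` parameter of the now-static Curl_cyassl_sha256sum is the caller's output-buffer length, but `(void)unused;` discards it, whereas the darwinssl.c counterpart in this same commit checks `assert(sha256len >= SHA256_DIGEST_LENGTH);`. The same applies to `(void)unused;` in Curl_ossl_sha256sum (openssl.c) and to the `UNUSED_PARAM` length in the new mbedtls.c and polarssl.c wrappers. Since each backend writes a fixed 32-byte digest, a shorter buffer from a future caller would overflow silently; an equivalent assertion against the digest size (whatever constant the backend has in scope for it) in place of the cast, and renaming the parameter to `sha256len` to match the vtls.h field, would make the contract enforceable. The body of Curl_cyassl_sha256sum continues past the hunk.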
@@ -2733,10 +2733,10 @@ static CURLcode Curl_darwinssl_md5sum(unsigned char *tmp, /* input */
 return CURLE_OK;
 }
-void Curl_darwinssl_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum, /* output */
- size_t sha256len)
+static void Curl_darwinssl_sha256sum(const unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *sha256sum, /* output */
+ size_t sha256len)
 {
 assert(sha256len >= SHA256_DIGEST_LENGTH);
 (void)CC_SHA256(tmp, (CC_LONG)tmplen, sha256sum);
@@ -2877,7 +2877,8 @@ const struct Curl_ssl Curl_ssl_darwinssl = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_darwinssl_false_start, /* false_start */
- Curl_darwinssl_md5sum /* md5sum */
+ Curl_darwinssl_md5sum, /* md5sum */
+ Curl_darwinssl_sha256sum /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_darwinssl;
diff --git a/lib/vtls/darwinssl.h b/lib/vtls/darwinssl.h
index 4815cec1e..37fe8164f 100644
--- a/lib/vtls/darwinssl.h
+++ b/lib/vtls/darwinssl.h
@@ -44,10 +44,6 @@ bool Curl_darwinssl_data_pending(const struct connectdata *conn,
 CURLcode Curl_darwinssl_random(struct Curl_easy *data, unsigned char *entropy, size_t length);
-void Curl_darwinssl_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum, /* output */
- size_t sha256len);
 bool Curl_darwinssl_false_start(void);
 extern const struct Curl_ssl Curl_ssl_darwinssl;
@@ -74,7 +70,5 @@ extern const struct Curl_ssl Curl_ssl_darwinssl;
 #define have_curlssl_pinnedpubkey 1
 #endif /* DARWIN_SSL_PINNEDPUBKEY */
-#define curlssl_sha256sum(a,b,c,d) Curl_darwinssl_sha256sum(a, b, c, d)
-
 #endif /* USE_DARWINSSL */
 #endif /* HEADER_CURL_DARWINSSL_H */
diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
index ed1e39dbc..d82f658fd 100644
--- a/lib/vtls/gskit.c
+++ b/lib/vtls/gskit.c
@@ -1355,7 +1355,8 @@ const struct Curl_ssl Curl_ssl_gskit = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_none_false_start, /* false_start */
- Curl_none_md5sum /* md5sum */
+ Curl_none_md5sum, /* md5sum */
+ NULL /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_gskit;
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index ac5fe3321..3105a4b13 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -1758,10 +1758,10 @@ static CURLcode Curl_gtls_md5sum(unsigned char *tmp, /* input */
 return CURLE_OK;
 }
-void Curl_gtls_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum, /* output */
- size_t sha256len)
+static void Curl_gtls_sha256sum(const unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *sha256sum, /* output */
+ size_t sha256len)
 {
 #if defined(USE_GNUTLS_NETTLE)
 struct sha256_ctx SHA256pw;
@@ -1806,7 +1806,8 @@ const struct Curl_ssl Curl_ssl_gnutls = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_none_false_start, /* false_start */
- Curl_gtls_md5sum /* md5sum */
+ Curl_gtls_md5sum, /* md5sum */
+ Curl_gtls_sha256sum /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_gnutls;
diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
index 626dbd33f..05bd834f2 100644
--- a/lib/vtls/gtls.h
+++ b/lib/vtls/gtls.h
@@ -46,10 +46,6 @@ int Curl_gtls_shutdown(struct connectdata *conn, int sockindex);
 CURLcode Curl_gtls_random(struct Curl_easy *data, unsigned char *entropy, size_t length);
-void Curl_gtls_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum, /* output */
- size_t sha256len);
 bool Curl_gtls_cert_status_request(void);
@@ -70,7 +66,5 @@ extern const struct Curl_ssl Curl_ssl_gnutls;
 /* this backend supports CURLOPT_PINNEDPUBLICKEY */
 #define have_curlssl_pinnedpubkey 1
-#define curlssl_sha256sum(a,b,c,d) Curl_gtls_sha256sum(a,b,c,d)
-
 #endif /* USE_GNUTLS */
 #endif /* HEADER_CURL_GTLS_H */
diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 68ad9a499..0ab471306 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -1007,6 +1007,14 @@ bool Curl_mbedtls_data_pending(const struct connectdata *conn, int sockindex)
 return mbedtls_ssl_get_bytes_avail(&conn->ssl[sockindex].ssl) != 0;
 }
+static void Curl_mbedtls_sha256sum(const unsigned char *input,
+ size_t inputlen,
+ unsigned char *sha256sum,
+ size_t sha256len UNUSED_PARAM)
+{
+ mbedtls_sha256(input, inputlen, sha256sum, 0);
+}
+
 const struct Curl_ssl Curl_ssl_mbedtls = {
 "mbedtls", /* name */
@@ -1027,7 +1035,8 @@ const struct Curl_ssl Curl_ssl_mbedtls = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_none_false_start, /* false_start */
- Curl_none_md5sum /* md5sum */
+ Curl_none_md5sum, /* md5sum */
+ Curl_mbedtls_sha256sum /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_mbedtls;
diff --git a/lib/vtls/mbedtls.h b/lib/vtls/mbedtls.h
index 1df297a5d..39e64c350 100644
--- a/lib/vtls/mbedtls.h
+++ b/lib/vtls/mbedtls.h
@@ -26,8 +26,6 @@
 #ifdef USE_MBEDTLS
-#include
-
 /* Called on first use mbedTLS, setup threading if supported */
 int Curl_mbedtls_init(void);
 void Curl_mbedtls_cleanup(void);
@@ -62,7 +60,6 @@ CURLcode Curl_mbedtls_random(struct Curl_easy *data, unsigned char *entropy,
 extern const struct Curl_ssl Curl_ssl_mbedtls;
 #define CURL_SSL_BACKEND CURLSSLBACKEND_MBEDTLS
-#define curlssl_sha256sum(a,b,c,d) mbedtls_sha256(a,b,c,0)
 #endif /* USE_MBEDTLS */
 #endif /* HEADER_CURL_MBEDTLS_H */
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 9490549a9..603601b55 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
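Review bot: The trailing `0` in `mbedtls_sha256(input, inputlen, sha256sum, 0);` is mbed TLS's is224 selector and reads as a magic number; a comment such as `/* 0: SHA-256, not SHA-224 */` on that line would document it, and the same applies to `sha256(input, inputlen, sha256sum, 0);` added in polarssl.c. The mbedtls.h hunk also removes an `#include` whose bracketed header name is not preserved in this rendering; now that the wrapper calls mbedtls_sha256 from mbedtls.c, that file needs the corresponding include itself, which nothing in the hunk shows — worth confirming, and likewise for polarssl.c.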
@@ -2293,10 +2293,10 @@ static CURLcode Curl_nss_md5sum(unsigned char *tmp, /* input */
 return CURLE_OK;
 }
-void Curl_nss_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum, /* output */
- size_t sha256len)
+static void Curl_nss_sha256sum(const unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *sha256sum, /* output */
+ size_t sha256len)
 {
 PK11Context *SHA256pw = PK11_CreateDigestContext(SEC_OID_SHA256);
 unsigned int SHA256out;
@@ -2346,7 +2346,8 @@ const struct Curl_ssl Curl_ssl_nss = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_nss_false_start, /* false_start */
- Curl_nss_md5sum /* md5sum */
+ Curl_nss_md5sum, /* md5sum */
+ Curl_nss_sha256sum /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_nss;
diff --git a/lib/vtls/nssg.h b/lib/vtls/nssg.h
index d5473bfb9..37c4b5b71 100644
--- a/lib/vtls/nssg.h
+++ b/lib/vtls/nssg.h
@@ -51,10 +51,6 @@ CURLcode Curl_nss_random(struct Curl_easy *data, unsigned char *entropy, size_t length);
-void Curl_nss_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum, /* output */
- size_t sha256len);
 bool Curl_nss_cert_status_request(void);
@@ -77,7 +73,5 @@ extern const struct Curl_ssl Curl_ssl_nss;
 /* this backends supports CURLOPT_PINNEDPUBLICKEY */
 #define have_curlssl_pinnedpubkey 1
-#define curlssl_sha256sum(a,b,c,d) Curl_nss_sha256sum(a,b,c,d)
-
 #endif /* USE_NSS */
 #endif /* HEADER_CURL_NSSG_H */
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index e24c79515..eeecd9da6 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3364,10 +3364,10 @@ static CURLcode Curl_ossl_md5sum(unsigned char *tmp, /* input */
 }
 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
-void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum /* output */,
- size_t unused)
+static void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
+ size_t tmplen,
+ unsigned char *sha256sum /* output */,
+ size_t unused)
 {
 SHA256_CTX SHA256pw;
 (void)unused;
@@ -3407,7 +3407,12 @@ const struct Curl_ssl Curl_ssl_openssl = {
 Curl_ossl_set_engine_default, /* set_engine_default */
 Curl_ossl_engines_list, /* engines_list */
 Curl_none_false_start, /* false_start */
- Curl_ossl_md5sum /* md5sum */
+ Curl_ossl_md5sum, /* md5sum */
+#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
+ Curl_ossl_sha256sum /* sha256sum */
+#else
+ NULL /* sha256sum */
+#endif
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_openssl;
diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h
index 4abc6d4c4..8e14f4549 100644
--- a/lib/vtls/openssl.h
+++ b/lib/vtls/openssl.h
@@ -68,10 +68,6 @@ bool Curl_ossl_data_pending(const struct connectdata *conn,
 /* return 0 if a find random is filled in */
 CURLcode Curl_ossl_random(struct Curl_easy *data, unsigned char *entropy, size_t length);
-void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
- size_t tmplen,
- unsigned char *sha256sum /* output */,
- size_t unused);
 bool Curl_ossl_cert_status_request(void);
@@ -95,10 +91,6 @@ extern const struct Curl_ssl Curl_ssl_openssl;
 /* this backend supports CURLOPT_PINNEDPUBLICKEY */
 #define have_curlssl_pinnedpubkey 1
-#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
-#define curlssl_sha256sum(a,b,c,d) Curl_ossl_sha256sum(a,b,c,d)
-#endif
-
 #define DEFAULT_CIPHER_SELECTION \
 "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
diff --git a/lib/vtls/polarssl.c b/lib/vtls/polarssl.c
index f2a7c93b8..5b48945a6 100644
--- a/lib/vtls/polarssl.c
+++ b/lib/vtls/polarssl.c
@@ -870,6 +870,14 @@ bool Curl_polarssl_data_pending(const struct connectdata *conn, int sockindex)
 return ssl_get_bytes_avail(&conn->ssl[sockindex].ssl) != 0;
 }
+static void Curl_polarssl_sha256sum(const unsigned char *input,
+ size_t inputlen,
+ unsigned char *sha256sum,
+ size_t sha256len UNUSED_PARAM)
+{
+ sha256(input, inputlen, sha256sum, 0);
+}
+
 const struct Curl_ssl Curl_ssl_polarssl = {
 "polarssl", /* name */
@@ -893,7 +901,8 @@ const struct Curl_ssl Curl_ssl_polarssl = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_none_false_start, /* false_start */
- Curl_none_md5sum /* md5sum */
+ Curl_none_md5sum, /* md5sum */
+ Curl_polarssl_sha256sum /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_polarssl;
diff --git a/lib/vtls/polarssl.h b/lib/vtls/polarssl.h
index fc0a7ccd9..7109fe5ba 100644
--- a/lib/vtls/polarssl.h
+++ b/lib/vtls/polarssl.h
@@ -26,8 +26,6 @@
 #ifdef USE_POLARSSL
-#include
-
 /* Called on first use PolarSSL, setup threading if supported */
 int Curl_polarssl_init(void);
 void Curl_polarssl_cleanup(void);
@@ -58,7 +56,5 @@ extern const struct Curl_ssl Curl_ssl_polarssl;
 /* this backends supports CURLOPT_PINNEDPUBLICKEY */
 #define have_curlssl_pinnedpubkey 1
-#define curlssl_sha256sum(a,b,c,d) sha256(a,b,c,0)
-
 #endif /* USE_POLARSSL */
 #endif /* HEADER_CURL_POLARSSL_H */
diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
index ea3c221f3..6ee707b0d 100644
--- a/lib/vtls/schannel.c
+++ b/lib/vtls/schannel.c
@@ -1746,7 +1746,8 @@ const struct Curl_ssl Curl_ssl_schannel = {
 Curl_none_set_engine_default, /* set_engine_default */
 Curl_none_engines_list, /* engines_list */
 Curl_none_false_start, /* false_start */
- Curl_none_md5sum /* md5sum */
+ Curl_none_md5sum, /* md5sum */
+ NULL /* sha256sum */
 };
 const struct Curl_ssl *Curl_ssl = &Curl_ssl_schannel;
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index 88ee1a759..86bb46c2a 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -791,12 +791,10 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
 size_t size, pem_len;
 CURLcode pem_read;
 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
-#ifdef curlssl_sha256sum
 CURLcode encode;
 size_t encodedlen, pinkeylen;
 char *encoded, *pinkeycopy, *begin_pos, *end_pos;
 unsigned char *sha256sumdigest = NULL;
-#endif
 /* if a path wasn't specified, don't pin */
 if(!pinnedpubkey)
@@ -806,13 +804,17 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
 /* only do this if pinnedpubkey starts with "sha256//", length 8 */
 if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
-#ifdef curlssl_sha256sum
+ if(!Curl_ssl->sha256sum) {
+ /* without sha256 support, this cannot match */
+ return result;
+ }
+
 /* compute sha256sum of public key */
 sha256sumdigest = malloc(SHA256_DIGEST_LENGTH);
 if(!sha256sumdigest) return CURLE_OUT_OF_MEMORY;
- curlssl_sha256sum(pubkey, pubkeylen,
- sha256sumdigest, SHA256_DIGEST_LENGTH);
+ Curl_ssl->sha256sum(pubkey, pubkeylen,
+ sha256sumdigest, SHA256_DIGEST_LENGTH);
 encode = Curl_base64_encode(data, (char *)sha256sumdigest, SHA256_DIGEST_LENGTH, &encoded, &encodedlen);
 Curl_safefree(sha256sumdigest);
@@ -859,10 +861,6 @@ CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
 } while(end_pos && begin_pos);
 Curl_safefree(encoded);
 Curl_safefree(pinkeycopy);
-#else
- /* without sha256 support, this cannot match */
- (void)data;
-#endif
 return result;
 }
diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
index f95b9236e..d42422d11 100644
--- a/lib/vtls/vtls.h
+++ b/lib/vtls/vtls.h
@@ -57,6 +57,8 @@ struct Curl_ssl {
 CURLcode (*md5sum)(unsigned char *input, size_t inputlen, unsigned char *md5sum, size_t md5sumlen);
+ void (*sha256sum)(const unsigned char *input, size_t inputlen,
+ unsigned char *sha256sum, size_t sha256sumlen);
 };
 #ifdef USE_SSL
--
cgit v1.2.3
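Review bot: The new `if(!Curl_ssl->sha256sum)` early return in Curl_pin_peer_pubkey fails a sha256// pin with CURLE_SSL_PINNEDPUBKEYNOTMATCH and no diagnostic, so with axTLS, GSKit or schannel (which register NULL in this commit) a user cannot distinguish a backend limitation from a real mismatch. Failing closed is right and should stay, but a message before the return, e.g. `failf(data, "SSL backend has no SHA-256 support, cannot verify sha256// pin");`, would name the cause; the removed `(void)data;` suggests data was otherwise unused on this path, and the call keeps it referenced. Curl_pin_peer_pubkey begins before the first hunk and its middle lies between the hunks.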
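Review bot: The new `sha256sum` member has no comment, and its contract differs from `md5sum` directly above in two ways a caller must know: it may be NULL (axtls.c, gskit.c and schannel.c set it so, and vtls.c now tests for that before calling), and it returns void, so a backend whose digest setup can fail — nss.c's `PK11_CreateDigestContext` in the nss hunk, whose NULL check if any lies outside that hunk — has no way to report an error. Suggest a comment on the member along the lines of `/* NULL if the backend has no SHA-256; writes SHA256_DIGEST_LENGTH bytes, sha256sumlen is the size of the output buffer */`, and considering a CURLcode return like md5sum in a follow-up. The struct Curl_ssl definition starts before the hunk.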