#include "setup.h"
#ifdef USE_QSOSSL
#include <qsossl.h>
#include <errno.h>
#include <string.h>
#ifdef HAVE_LIMITS_H
# include <limits.h>
#endif
#include <curl/curl.h>
#include "urldata.h"
#include "sendf.h"
#include "qssl.h"
#include "sslgen.h"
#include "connect.h"
#include "select.h"
#include "curl_memory.h"
#include "memdebug.h"
int Curl_qsossl_init(void)
{
return 1;
}
void Curl_qsossl_cleanup(void)
{
}
static CURLcode Curl_qsossl_init_session(struct SessionHandle * data)
{
int rc;
char * certname;
SSLInit initstr;
SSLInitApp initappstr;
certname = data->set.str[STRING_CERT];
if(!certname) {
certname = data->set.str[STRING_SSL_CAFILE];
if(!certname)
return CURLE_OK;
}
memset((char *) &initappstr, 0, sizeof initappstr);
initappstr.applicationID = certname;
initappstr.applicationIDLen = strlen(certname);
initappstr.protocol = SSL_VERSION_CURRENT;
initappstr.sessionType = SSL_REGISTERED_AS_CLIENT;
rc = SSL_Init_Application(&initappstr);
if(rc == SSL_ERROR_NOT_REGISTERED) {
initstr.keyringFileName = certname;
initstr.keyringPassword = data->set.str[STRING_KEY];
initstr.cipherSuiteList = NULL;
initstr.cipherSuiteListLen = 0;
rc = SSL_Init(&initstr);
}
switch (rc) {
case 0:
break;
case SSL_ERROR_IO:
failf(data, "SSL_Init() I/O error: %s", strerror(errno));
return CURLE_SSL_CONNECT_ERROR;
case SSL_ERROR_BAD_CIPHER_SUITE:
return CURLE_SSL_CIPHER;
case SSL_ERROR_KEYPASSWORD_EXPIRED:
case SSL_ERROR_NOT_REGISTERED:
return CURLE_SSL_CONNECT_ERROR;
case SSL_ERROR_NO_KEYRING:
return CURLE_SSL_CACERT;
case SSL_ERROR_CERT_EXPIRED:
return CURLE_SSL_CERTPROBLEM;
default:
failf(data, "SSL_Init(): %s", SSL_Strerror(rc, NULL));
return CURLE_SSL_CONNECT_ERROR;
}
return CURLE_OK;
}
static CURLcode Curl_qsossl_create(struct connectdata * conn, int sockindex)
{
SSLHandle * h;
struct ssl_connect_data * connssl = &conn->ssl[sockindex];
h = SSL_Create(conn->sock[sockindex], SSL_ENCRYPT);
if(!h) {
failf(conn->data, "SSL_Create() I/O error: %s", strerror(errno));
return CURLE_SSL_CONNECT_ERROR;
}
connssl->handle = h;
return CURLE_OK;
}
static int Curl_qsossl_trap_cert(SSLHandle * h)
{
return 1;
}
static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex)
{
int rc;
struct SessionHandle * data = conn->data;
struct ssl_connect_data * connssl = &conn->ssl[sockindex];
SSLHandle * h = connssl->handle;
long timeout_ms;
h->exitPgm = NULL;
if(!data->set.ssl.verifyhost)
h->exitPgm = Curl_qsossl_trap_cert;
timeout_ms = Curl_timeleft(data, NULL, TRUE);
if(timeout_ms < 0) {
failf(data, "Connection time-out");
return CURLE_OPERATION_TIMEDOUT;
}
h->timeout = (timeout_ms + 1000 - 1) / 1000;
switch (data->set.ssl.version) {
default:
case CURL_SSLVERSION_DEFAULT:
h->protocol = SSL_VERSION_CURRENT;
break;
case CURL_SSLVERSION_TLSv1:
h->protocol = TLS_VERSION_1;
break;
case CURL_SSLVERSION_SSLv2:
h->protocol = SSL_VERSION_2;
break;
case CURL_SSLVERSION_SSLv3:
h->protocol = SSL_VERSION_3;
break;
}
rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT);
switch (rc) {
case 0:
break;
case SSL_ERROR_BAD_CERTIFICATE:
case SSL_ERROR_BAD_CERT_SIG:
case SSL_ERROR_NOT_TRUSTED_ROOT:
return CURLE_PEER_FAILED_VERIFICATION;
case SSL_ERROR_BAD_CIPHER_SUITE:
case SSL_ERROR_NO_CIPHERS:
return CURLE_SSL_CIPHER;
case SSL_ERROR_CERTIFICATE_REJECTED:
case SSL_ERROR_CERT_EXPIRED:
case SSL_ERROR_NO_CERTIFICATE:
return CURLE_SSL_CERTPROBLEM;
case SSL_ERROR_IO:
failf(data, "SSL_Handshake() I/O error: %s", strerror(errno));
return CURLE_SSL_CONNECT_ERROR;
default:
failf(data, "SSL_Handshake(): %s", SSL_Strerror(rc, NULL));
return CURLE_SSL_CONNECT_ERROR;
}
return CURLE_OK;
}
static Curl_recv qsossl_recv;
static Curl_send qsossl_send;
CURLcode Curl_qsossl_connect(struct connectdata * conn, int sockindex)
{
struct SessionHandle * data = conn->data;
struct ssl_connect_data * connssl = &conn->ssl[sockindex];
int rc;
rc = Curl_qsossl_init_session(data);
if(rc == CURLE_OK) {
rc = Curl_qsossl_create(conn, sockindex);
if(rc == CURLE_OK)
rc = Curl_qsossl_handshake(conn, sockindex);
else {
SSL_Destroy(connssl->handle);
connssl->handle = NULL;
connssl->use = FALSE;
connssl->state = ssl_connection_none;
}
}
if (rc == CURLE_OK) {
connssl->state = ssl_connection_complete;
conn->recv[sockindex] = qsossl_recv;
conn->send[sockindex] = qsossl_send;
}
return rc;
}
static int Curl_qsossl_close_one(struct ssl_connect_data * conn,
struct SessionHandle * data)
{
int rc;
if(!conn->handle)
return 0;
rc = SSL_Destroy(conn->handle);
if(rc) {
if(rc == SSL_ERROR_IO) {
failf(data, "SSL_Destroy() I/O error: %s", strerror(errno));
return -1;
}
failf(data, "SSL_Destroy() returned error %s", SSL_Strerror(rc, NULL));
return -1;
}
conn->handle = NULL;
return 0;
}
void Curl_qsossl_close(struct connectdata *conn, int sockindex)
{
struct SessionHandle *data = conn->data;
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
if(connssl->use)
(void) Curl_qsossl_close_one(connssl, data);
}
int Curl_qsossl_close_all(struct SessionHandle * data)
{
(void) data;
return 0;
}
int Curl_qsossl_shutdown(struct connectdata * conn, int sockindex)
{
struct ssl_connect_data * connssl = &conn->ssl[sockindex];
struct SessionHandle *data = conn->data;
ssize_t nread;
int what;
int rc;
char buf[120];
if(!connssl->handle)
return 0;
if(data->set.ftp_ccc != CURLFTPSSL_CCC_ACTIVE)
return 0;
if(Curl_qsossl_close_one(connssl, data))
return -1;
rc = 0;
what = Curl_socket_ready(conn->sock[sockindex],
CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
for (;;) {
if(what < 0) {
failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
rc = -1;
break;
}
if(!what) {
failf(data, "SSL shutdown timeout");
break;
}
nread = read(conn->sock[sockindex], buf, sizeof(buf));
if(nread < 0) {
failf(data, "read: %s", strerror(errno));
rc = -1;
}
if(nread <= 0)
break;
what = Curl_socket_ready(conn->sock[sockindex], CURL_SOCKET_BAD, 0);
}
return rc;
}
static ssize_t qsossl_send(struct connectdata * conn, int sockindex,
const void * mem, size_t len, CURLcode * curlcode)
{
int rc;
rc = SSL_Write(conn->ssl[sockindex].handle, (void *) mem, (int) len);
if(rc < 0) {
switch(rc) {
case SSL_ERROR_BAD_STATE:
*curlcode = CURLE_AGAIN;
return -1;
case SSL_ERROR_IO:
switch (errno) {
case EWOULDBLOCK:
case EINTR:
*curlcode = CURLE_AGAIN;
return -1;
}
failf(conn->data, "SSL_Write() I/O error: %s", strerror(errno));
*curlcode = CURLE_SEND_ERROR;
return -1;
}
failf(conn->data, "SSL_Write() returned error %s",
SSL_Strerror(rc, NULL));
*curlcode = CURLE_SEND_ERROR;
return -1;
}
return (ssize_t) rc;
}
static ssize_t qsossl_recv(struct connectdata * conn, int num, char * buf,
size_t buffersize, CURLcode * curlcode)
{
char error_buffer[120];
unsigned long sslerror;
int buffsize;
int nread;
buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
nread = SSL_Read(conn->ssl[num].handle, buf, buffsize);
if(nread < 0) {
switch (nread) {
case SSL_ERROR_BAD_STATE:
*curlcode = CURLE_AGAIN;
return -1;
case SSL_ERROR_IO:
switch (errno) {
case EWOULDBLOCK:
*curlcode = CURLE_AGAIN;
return -1;
}
failf(conn->data, "SSL_Read() I/O error: %s", strerror(errno));
*curlcode = CURLE_RECV_ERROR;
return -1;
default:
failf(conn->data, "SSL read error: %s", SSL_Strerror(nread, NULL));
*curlcode = CURLE_RECV_ERROR;
return -1;
}
}
return (ssize_t) nread;
}
size_t Curl_qsossl_version(char * buffer, size_t size)
{
strncpy(buffer, "IBM OS/400 SSL", size);
return strlen(buffer);
}
int Curl_qsossl_check_cxn(struct connectdata * cxn)
{
int err;
int errlen;
if(!cxn->ssl[FIRSTSOCKET].handle)
return 0;
err = 0;
errlen = sizeof err;
if(getsockopt(cxn->sock[FIRSTSOCKET], SOL_SOCKET, SO_ERROR,
(unsigned char *) &err, &errlen) ||
errlen != sizeof err || err)
return 0;
return -1;
}
#endif