VirtualBox

source: vbox/trunk/src/libs/curl-8.11.1/lib/vtls/vtls.c@ 108333

最後變更 在這個檔案從108333是 108048,由 vboxsync 提交於 7 週 前

curl-8.11.1: Applied and adjusted our curl changes to 8.7.1. jiraref:VBP-1535
  • 屬性 svn:eol-style 設為 native
檔案大小: 64.5 KB
 
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25/* This file is for implementing all "generic" SSL functions that all libcurl
26 internals should use. It is then responsible for calling the proper
27 "backend" function.
28
29 SSL-functions in libcurl should call functions in this source file, and not
30 to any specific SSL-layer.
31
32 Curl_ssl_ - prefix for generic ones
33
34 Note that this source code uses the functions of the configured SSL
35 backend via the global Curl_ssl instance.
36
37 "SSL/TLS Strong Encryption: An Introduction"
38 https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
39*/
40
41#include "curl_setup.h"
42
43#ifdef HAVE_SYS_TYPES_H
44#include <sys/types.h>
45#endif
46#ifdef HAVE_SYS_STAT_H
47#include <sys/stat.h>
48#endif
49#ifdef HAVE_FCNTL_H
50#include <fcntl.h>
51#endif
52
53#include "urldata.h"
54#include "cfilters.h"
55
56#include "vtls.h" /* generic SSL protos etc */
57#include "vtls_int.h"
58
59#include "openssl.h" /* OpenSSL versions */
60#include "gtls.h" /* GnuTLS versions */
61#include "wolfssl.h" /* wolfSSL versions */
62#include "schannel.h" /* Schannel SSPI version */
63#include "sectransp.h" /* Secure Transport (Darwin) version */
64#include "mbedtls.h" /* mbedTLS versions */
65#include "bearssl.h" /* BearSSL versions */
66#include "rustls.h" /* Rustls versions */
67
68#include "slist.h"
69#include "sendf.h"
70#include "strcase.h"
71#include "url.h"
72#include "progress.h"
73#include "share.h"
74#include "multiif.h"
75#include "timeval.h"
76#include "curl_md5.h"
77#include "warnless.h"
78#include "curl_base64.h"
79#include "curl_printf.h"
80#include "inet_pton.h"
81#include "connect.h"
82#include "select.h"
83#include "strdup.h"
84#include "rand.h"
85
86/* The last #include files should be: */
87#include "curl_memory.h"
88#include "memdebug.h"
89
90
91/* convenience macro to check if this handle is using a shared SSL session */
92#define SSLSESSION_SHARED(data) (data->share && \
93 (data->share->specifier & \
94 (1<<CURL_LOCK_DATA_SSL_SESSION)))
95
96#define CLONE_STRING(var) \
97 do { \
98 if(source->var) { \
99 dest->var = strdup(source->var); \
100 if(!dest->var) \
101 return FALSE; \
102 } \
103 else \
104 dest->var = NULL; \
105 } while(0)
106
107#define CLONE_BLOB(var) \
108 do { \
109 if(blobdup(&dest->var, source->var)) \
110 return FALSE; \
111 } while(0)
112
113static CURLcode blobdup(struct curl_blob **dest,
114 struct curl_blob *src)
115{
116 DEBUGASSERT(dest);
117 DEBUGASSERT(!*dest);
118 if(src) {
119 /* only if there is data to dupe! */
120 struct curl_blob *d;
121 d = malloc(sizeof(struct curl_blob) + src->len);
122 if(!d)
123 return CURLE_OUT_OF_MEMORY;
124 d->len = src->len;
125 /* Always duplicate because the connection may survive longer than the
126 handle that passed in the blob. */
127 d->flags = CURL_BLOB_COPY;
128 d->data = (void *)((char *)d + sizeof(struct curl_blob));
129 memcpy(d->data, src->data, src->len);
130 *dest = d;
131 }
132 return CURLE_OK;
133}
134
135/* returns TRUE if the blobs are identical */
136static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
137{
138 if(!first && !second) /* both are NULL */
139 return TRUE;
140 if(!first || !second) /* one is NULL */
141 return FALSE;
142 if(first->len != second->len) /* different sizes */
143 return FALSE;
144 return !memcmp(first->data, second->data, first->len); /* same data */
145}
146
147#ifdef USE_SSL
148static const struct alpn_spec ALPN_SPEC_H11 = {
149 { ALPN_HTTP_1_1 }, 1
150};
151#ifdef USE_HTTP2
152static const struct alpn_spec ALPN_SPEC_H2 = {
153 { ALPN_H2 }, 1
154};
155static const struct alpn_spec ALPN_SPEC_H2_H11 = {
156 { ALPN_H2, ALPN_HTTP_1_1 }, 2
157};
158#endif
159
160static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
161{
162 if(!use_alpn)
163 return NULL;
164#ifdef USE_HTTP2
165 if(httpwant == CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE)
166 return &ALPN_SPEC_H2;
167 if(httpwant >= CURL_HTTP_VERSION_2)
168 return &ALPN_SPEC_H2_H11;
169#else
170 (void)httpwant;
171#endif
172 /* Use the ALPN protocol "http/1.1" for HTTP/1.x.
173 Avoid "http/1.0" because some servers do not support it. */
174 return &ALPN_SPEC_H11;
175}
176#endif /* USE_SSL */
177
178
179void Curl_ssl_easy_config_init(struct Curl_easy *data)
180{
181 /*
182 * libcurl 7.10 introduced SSL verification *by default*! This needs to be
183 * switched off unless wanted.
184 */
185 data->set.ssl.primary.verifypeer = TRUE;
186 data->set.ssl.primary.verifyhost = TRUE;
187 data->set.ssl.primary.cache_session = TRUE; /* caching by default */
188#ifndef CURL_DISABLE_PROXY
189 data->set.proxy_ssl = data->set.ssl;
190#endif
191}
192
193static bool
194match_ssl_primary_config(struct Curl_easy *data,
195 struct ssl_primary_config *c1,
196 struct ssl_primary_config *c2)
197{
198 (void)data;
199 if((c1->version == c2->version) &&
200 (c1->version_max == c2->version_max) &&
201 (c1->ssl_options == c2->ssl_options) &&
202 (c1->verifypeer == c2->verifypeer) &&
203 (c1->verifyhost == c2->verifyhost) &&
204 (c1->verifystatus == c2->verifystatus) &&
205 blobcmp(c1->cert_blob, c2->cert_blob) &&
206 blobcmp(c1->ca_info_blob, c2->ca_info_blob) &&
207 blobcmp(c1->issuercert_blob, c2->issuercert_blob) &&
208 Curl_safecmp(c1->CApath, c2->CApath) &&
209 Curl_safecmp(c1->CAfile, c2->CAfile) &&
210 Curl_safecmp(c1->issuercert, c2->issuercert) &&
211 Curl_safecmp(c1->clientcert, c2->clientcert) &&
212#ifdef USE_TLS_SRP
213 !Curl_timestrcmp(c1->username, c2->username) &&
214 !Curl_timestrcmp(c1->password, c2->password) &&
215#endif
216 strcasecompare(c1->cipher_list, c2->cipher_list) &&
217 strcasecompare(c1->cipher_list13, c2->cipher_list13) &&
218 strcasecompare(c1->curves, c2->curves) &&
219 strcasecompare(c1->CRLfile, c2->CRLfile) &&
220 strcasecompare(c1->pinned_key, c2->pinned_key))
221 return TRUE;
222
223 return FALSE;
224}
225
226bool Curl_ssl_conn_config_match(struct Curl_easy *data,
227 struct connectdata *candidate,
228 bool proxy)
229{
230#ifndef CURL_DISABLE_PROXY
231 if(proxy)
232 return match_ssl_primary_config(data, &data->set.proxy_ssl.primary,
233 &candidate->proxy_ssl_config);
234#else
235 (void)proxy;
236#endif
237 return match_ssl_primary_config(data, &data->set.ssl.primary,
238 &candidate->ssl_config);
239}
240
241static bool clone_ssl_primary_config(struct ssl_primary_config *source,
242 struct ssl_primary_config *dest)
243{
244 dest->version = source->version;
245 dest->version_max = source->version_max;
246 dest->verifypeer = source->verifypeer;
247 dest->verifyhost = source->verifyhost;
248 dest->verifystatus = source->verifystatus;
249 dest->cache_session = source->cache_session;
250 dest->ssl_options = source->ssl_options;
251
252 CLONE_BLOB(cert_blob);
253 CLONE_BLOB(ca_info_blob);
254 CLONE_BLOB(issuercert_blob);
255 CLONE_STRING(CApath);
256 CLONE_STRING(CAfile);
257 CLONE_STRING(issuercert);
258 CLONE_STRING(clientcert);
259 CLONE_STRING(cipher_list);
260 CLONE_STRING(cipher_list13);
261 CLONE_STRING(pinned_key);
262 CLONE_STRING(curves);
263 CLONE_STRING(CRLfile);
264#ifdef USE_TLS_SRP
265 CLONE_STRING(username);
266 CLONE_STRING(password);
267#endif
268
269 return TRUE;
270}
271
272static void free_primary_ssl_config(struct ssl_primary_config *sslc)
273{
274 Curl_safefree(sslc->CApath);
275 Curl_safefree(sslc->CAfile);
276 Curl_safefree(sslc->issuercert);
277 Curl_safefree(sslc->clientcert);
278 Curl_safefree(sslc->cipher_list);
279 Curl_safefree(sslc->cipher_list13);
280 Curl_safefree(sslc->pinned_key);
281 Curl_safefree(sslc->cert_blob);
282 Curl_safefree(sslc->ca_info_blob);
283 Curl_safefree(sslc->issuercert_blob);
284 Curl_safefree(sslc->curves);
285 Curl_safefree(sslc->CRLfile);
286#ifdef USE_TLS_SRP
287 Curl_safefree(sslc->username);
288 Curl_safefree(sslc->password);
289#endif
290}
291
292CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
293{
294 data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
295 data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
296 data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
297 data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
298 data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
299 data->set.ssl.primary.cipher_list =
300 data->set.str[STRING_SSL_CIPHER_LIST];
301 data->set.ssl.primary.cipher_list13 =
302 data->set.str[STRING_SSL_CIPHER13_LIST];
303 data->set.ssl.primary.pinned_key =
304 data->set.str[STRING_SSL_PINNEDPUBLICKEY];
305 data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
306 data->set.ssl.primary.ca_info_blob = data->set.blobs[BLOB_CAINFO];
307 data->set.ssl.primary.curves = data->set.str[STRING_SSL_EC_CURVES];
308#ifdef USE_TLS_SRP
309 data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
310 data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
311#endif
312 data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
313 data->set.ssl.key = data->set.str[STRING_KEY];
314 data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
315 data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
316 data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
317 data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
318
319#ifndef CURL_DISABLE_PROXY
320 data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
321 data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
322 data->set.proxy_ssl.primary.cipher_list =
323 data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
324 data->set.proxy_ssl.primary.cipher_list13 =
325 data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
326 data->set.proxy_ssl.primary.pinned_key =
327 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
328 data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
329 data->set.proxy_ssl.primary.ca_info_blob =
330 data->set.blobs[BLOB_CAINFO_PROXY];
331 data->set.proxy_ssl.primary.issuercert =
332 data->set.str[STRING_SSL_ISSUERCERT_PROXY];
333 data->set.proxy_ssl.primary.issuercert_blob =
334 data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
335 data->set.proxy_ssl.primary.CRLfile =
336 data->set.str[STRING_SSL_CRLFILE_PROXY];
337 data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
338 data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
339 data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
340 data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
341 data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
342 data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
343#ifdef USE_TLS_SRP
344 data->set.proxy_ssl.primary.username =
345 data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
346 data->set.proxy_ssl.primary.password =
347 data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
348#endif
349#endif /* CURL_DISABLE_PROXY */
350
351 return CURLE_OK;
352}
353
354CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
355 struct connectdata *conn)
356{
357 /* Clone "primary" SSL configurations from the esay handle to
358 * the connection. They are used for connection cache matching and
359 * probably outlive the easy handle */
360 if(!clone_ssl_primary_config(&data->set.ssl.primary, &conn->ssl_config))
361 return CURLE_OUT_OF_MEMORY;
362#ifndef CURL_DISABLE_PROXY
363 if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary,
364 &conn->proxy_ssl_config))
365 return CURLE_OUT_OF_MEMORY;
366#endif
367 return CURLE_OK;
368}
369
370void Curl_ssl_conn_config_cleanup(struct connectdata *conn)
371{
372 free_primary_ssl_config(&conn->ssl_config);
373#ifndef CURL_DISABLE_PROXY
374 free_primary_ssl_config(&conn->proxy_ssl_config);
375#endif
376}
377
378void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy)
379{
380 /* May be called on an easy that has no connection yet */
381 if(data->conn) {
382 struct ssl_primary_config *src, *dest;
383#ifndef CURL_DISABLE_PROXY
384 src = for_proxy ? &data->set.proxy_ssl.primary : &data->set.ssl.primary;
385 dest = for_proxy ? &data->conn->proxy_ssl_config : &data->conn->ssl_config;
386#else
387 (void)for_proxy;
388 src = &data->set.ssl.primary;
389 dest = &data->conn->ssl_config;
390#endif
391 dest->verifyhost = src->verifyhost;
392 dest->verifypeer = src->verifypeer;
393 dest->verifystatus = src->verifystatus;
394 }
395}
396
397#ifdef USE_SSL
398static int multissl_setup(const struct Curl_ssl *backend);
399#endif
400
401curl_sslbackend Curl_ssl_backend(void)
402{
403#ifdef USE_SSL
404 multissl_setup(NULL);
405 return Curl_ssl->info.id;
406#else
407 return CURLSSLBACKEND_NONE;
408#endif
409}
410
411#ifdef USE_SSL
412
413/* "global" init done? */
414static bool init_ssl = FALSE;
415
416/**
417 * Global SSL init
418 *
419 * @retval 0 error initializing SSL
420 * @retval 1 SSL initialized successfully
421 */
422int Curl_ssl_init(void)
423{
424 /* make sure this is only done once */
425 if(init_ssl)
426 return 1;
427 init_ssl = TRUE; /* never again */
428
429 return Curl_ssl->init();
430}
431
432static bool ssl_prefs_check(struct Curl_easy *data)
433{
434 /* check for CURLOPT_SSLVERSION invalid parameter value */
435 const unsigned char sslver = data->set.ssl.primary.version;
436 if(sslver >= CURL_SSLVERSION_LAST) {
437 failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
438 return FALSE;
439 }
440
441 switch(data->set.ssl.primary.version_max) {
442 case CURL_SSLVERSION_MAX_NONE:
443 case CURL_SSLVERSION_MAX_DEFAULT:
444 break;
445
446 default:
447 if((data->set.ssl.primary.version_max >> 16) < sslver) {
448 failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
449 return FALSE;
450 }
451 }
452
453 return TRUE;
454}
455
456static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
457 const struct alpn_spec *alpn)
458{
459 struct ssl_connect_data *ctx;
460
461 (void)data;
462 ctx = calloc(1, sizeof(*ctx));
463 if(!ctx)
464 return NULL;
465
466 ctx->alpn = alpn;
467 Curl_bufq_init2(&ctx->earlydata, CURL_SSL_EARLY_MAX, 1, BUFQ_OPT_NO_SPARES);
468 ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
469 if(!ctx->backend) {
470 free(ctx);
471 return NULL;
472 }
473 return ctx;
474}
475
476static void cf_ctx_free(struct ssl_connect_data *ctx)
477{
478 if(ctx) {
479 Curl_safefree(ctx->alpn_negotiated);
480 Curl_bufq_free(&ctx->earlydata);
481 free(ctx->backend);
482 free(ctx);
483 }
484}
485
486static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data)
487{
488 struct ssl_connect_data *connssl = cf->ctx;
489 CURLcode result;
490
491 if(!ssl_prefs_check(data))
492 return CURLE_SSL_CONNECT_ERROR;
493
494 /* mark this is being ssl-enabled from here on. */
495 connssl->state = ssl_connection_negotiating;
496
497 result = Curl_ssl->connect_blocking(cf, data);
498
499 if(!result) {
500 DEBUGASSERT(connssl->state == ssl_connection_complete);
501 }
502
503 return result;
504}
505
506static CURLcode
507ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data,
508 bool *done)
509{
510 if(!ssl_prefs_check(data))
511 return CURLE_SSL_CONNECT_ERROR;
512
513 /* mark this is being ssl requested from here on. */
514 return Curl_ssl->connect_nonblocking(cf, data, done);
515}
516
517/*
518 * Lock shared SSL session data
519 */
520void Curl_ssl_sessionid_lock(struct Curl_easy *data)
521{
522 if(SSLSESSION_SHARED(data))
523 Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
524}
525
526/*
527 * Unlock shared SSL session data
528 */
529void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
530{
531 if(SSLSESSION_SHARED(data))
532 Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
533}
534
535/*
536 * Check if there is a session ID for the given connection in the cache, and if
537 * there is one suitable, it is provided. Returns TRUE when no entry matched.
538 */
539bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
540 struct Curl_easy *data,
541 const struct ssl_peer *peer,
542 void **ssl_sessionid,
543 size_t *idsize, /* set 0 if unknown */
544 char **palpn)
545{
546 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
547 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
548 struct Curl_ssl_session *check;
549 size_t i;
550 long *general_age;
551 bool no_match = TRUE;
552
553 *ssl_sessionid = NULL;
554 if(palpn)
555 *palpn = NULL;
556 if(!ssl_config)
557 return TRUE;
558
559 DEBUGASSERT(ssl_config->primary.cache_session);
560
561 if(!ssl_config->primary.cache_session || !data->state.session)
562 /* session ID reuse is disabled or the session cache has not been
563 setup */
564 return TRUE;
565
566 /* Lock if shared */
567 if(SSLSESSION_SHARED(data))
568 general_age = &data->share->sessionage;
569 else
570 general_age = &data->state.sessionage;
571
572 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
573 check = &data->state.session[i];
574 if(!check->sessionid)
575 /* not session ID means blank entry */
576 continue;
577 if(strcasecompare(peer->hostname, check->name) &&
578 ((!cf->conn->bits.conn_to_host && !check->conn_to_host) ||
579 (cf->conn->bits.conn_to_host && check->conn_to_host &&
580 strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
581 ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) ||
582 (cf->conn->bits.conn_to_port && check->conn_to_port != -1 &&
583 cf->conn->conn_to_port == check->conn_to_port)) &&
584 (peer->port == check->remote_port) &&
585 (peer->transport == check->transport) &&
586 strcasecompare(cf->conn->handler->scheme, check->scheme) &&
587 match_ssl_primary_config(data, conn_config, &check->ssl_config)) {
588 /* yes, we have a session ID! */
589 (*general_age)++; /* increase general age */
590 check->age = *general_age; /* set this as used in this age */
591 *ssl_sessionid = check->sessionid;
592 if(idsize)
593 *idsize = check->idsize;
594 if(palpn)
595 *palpn = check->alpn;
596 no_match = FALSE;
597 break;
598 }
599 }
600
601 CURL_TRC_CF(data, cf, "%s cached session ID for %s://%s:%d",
602 no_match ? "No" : "Found",
603 cf->conn->handler->scheme, peer->hostname, peer->port);
604 return no_match;
605}
606
607/*
608 * Kill a single session ID entry in the cache.
609 */
610void Curl_ssl_kill_session(struct Curl_ssl_session *session)
611{
612 if(session->sessionid) {
613 /* defensive check */
614
615 /* free the ID the SSL-layer specific way */
616 session->sessionid_free(session->sessionid, session->idsize);
617
618 session->sessionid = NULL;
619 session->sessionid_free = NULL;
620 session->age = 0; /* fresh */
621
622 free_primary_ssl_config(&session->ssl_config);
623
624 Curl_safefree(session->name);
625 Curl_safefree(session->conn_to_host);
626 Curl_safefree(session->alpn);
627 }
628}
629
630/*
631 * Delete the given session ID from the cache.
632 */
633void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
634{
635 size_t i;
636
637 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
638 struct Curl_ssl_session *check = &data->state.session[i];
639
640 if(check->sessionid == ssl_sessionid) {
641 Curl_ssl_kill_session(check);
642 break;
643 }
644 }
645}
646
647CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
648 struct Curl_easy *data,
649 const struct ssl_peer *peer,
650 const char *alpn,
651 void *ssl_sessionid,
652 size_t idsize,
653 Curl_ssl_sessionid_dtor *sessionid_free_cb)
654{
655 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
656 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
657 size_t i;
658 struct Curl_ssl_session *store;
659 long oldest_age;
660 char *clone_host = NULL;
661 char *clone_conn_to_host = NULL;
662 char *clone_alpn = NULL;
663 int conn_to_port;
664 long *general_age;
665 void *old_sessionid;
666 size_t old_size;
667 CURLcode result = CURLE_OUT_OF_MEMORY;
668
669 DEBUGASSERT(ssl_sessionid);
670 DEBUGASSERT(sessionid_free_cb);
671
672 if(!data->state.session) {
673 sessionid_free_cb(ssl_sessionid, idsize);
674 return CURLE_OK;
675 }
676
677 if(!Curl_ssl_getsessionid(cf, data, peer, &old_sessionid, &old_size, NULL)) {
678 if((old_size == idsize) &&
679 ((old_sessionid == ssl_sessionid) ||
680 (idsize && !memcmp(old_sessionid, ssl_sessionid, idsize)))) {
681 /* the very same */
682 sessionid_free_cb(ssl_sessionid, idsize);
683 return CURLE_OK;
684 }
685 Curl_ssl_delsessionid(data, old_sessionid);
686 }
687
688 store = &data->state.session[0];
689 oldest_age = data->state.session[0].age; /* zero if unused */
690 DEBUGASSERT(ssl_config->primary.cache_session);
691 (void)ssl_config;
692
693 clone_host = strdup(peer->hostname);
694 if(!clone_host)
695 goto out;
696
697 if(cf->conn->bits.conn_to_host) {
698 clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
699 if(!clone_conn_to_host)
700 goto out;
701 }
702
703 clone_alpn = alpn ? strdup(alpn) : NULL;
704 if(alpn && !clone_alpn)
705 goto out;
706
707 if(cf->conn->bits.conn_to_port)
708 conn_to_port = cf->conn->conn_to_port;
709 else
710 conn_to_port = -1;
711
712 /* Now we should add the session ID and the hostname to the cache, (remove
713 the oldest if necessary) */
714
715 /* If using shared SSL session, lock! */
716 if(SSLSESSION_SHARED(data)) {
717 general_age = &data->share->sessionage;
718 }
719 else {
720 general_age = &data->state.sessionage;
721 }
722
723 /* find an empty slot for us, or find the oldest */
724 for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
725 data->state.session[i].sessionid; i++) {
726 if(data->state.session[i].age < oldest_age) {
727 oldest_age = data->state.session[i].age;
728 store = &data->state.session[i];
729 }
730 }
731 if(i == data->set.general_ssl.max_ssl_sessions)
732 /* cache is full, we must "kill" the oldest entry! */
733 Curl_ssl_kill_session(store);
734 else
735 store = &data->state.session[i]; /* use this slot */
736
737 /* now init the session struct wisely */
738 if(!clone_ssl_primary_config(conn_config, &store->ssl_config)) {
739 free_primary_ssl_config(&store->ssl_config);
740 store->sessionid = NULL; /* let caller free sessionid */
741 goto out;
742 }
743 store->sessionid = ssl_sessionid;
744 store->idsize = idsize;
745 store->sessionid_free = sessionid_free_cb;
746 store->age = *general_age; /* set current age */
747 /* free it if there is one already present */
748 free(store->name);
749 free(store->conn_to_host);
750 store->name = clone_host; /* clone hostname */
751 clone_host = NULL;
752 store->conn_to_host = clone_conn_to_host; /* clone connect to hostname */
753 clone_conn_to_host = NULL;
754 store->conn_to_port = conn_to_port; /* connect to port number */
755 store->alpn = clone_alpn;
756 clone_alpn = NULL;
757 /* port number */
758 store->remote_port = peer->port;
759 store->scheme = cf->conn->handler->scheme;
760 store->transport = peer->transport;
761
762 result = CURLE_OK;
763
764out:
765 free(clone_host);
766 free(clone_conn_to_host);
767 free(clone_alpn);
768 if(result) {
769 failf(data, "Failed to add Session ID to cache for %s://%s:%d [%s]",
770 store->scheme, store->name, store->remote_port,
771 Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server");
772 sessionid_free_cb(ssl_sessionid, idsize);
773 return result;
774 }
775 CURL_TRC_CF(data, cf, "Added Session ID to cache for %s://%s:%d [%s]",
776 store->scheme, store->name, store->remote_port,
777 Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server");
778 return CURLE_OK;
779}
780
781CURLcode Curl_ssl_get_channel_binding(struct Curl_easy *data, int sockindex,
782 struct dynbuf *binding)
783{
784 if(Curl_ssl->get_channel_binding)
785 return Curl_ssl->get_channel_binding(data, sockindex, binding);
786 return CURLE_OK;
787}
788
789void Curl_ssl_close_all(struct Curl_easy *data)
790{
791 /* kill the session ID cache if not shared */
792 if(data->state.session && !SSLSESSION_SHARED(data)) {
793 size_t i;
794 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
795 /* the single-killer function handles empty table slots */
796 Curl_ssl_kill_session(&data->state.session[i]);
797
798 /* free the cache data */
799 Curl_safefree(data->state.session);
800 }
801
802 Curl_ssl->close_all(data);
803}
804
805void Curl_ssl_adjust_pollset(struct Curl_cfilter *cf, struct Curl_easy *data,
806 struct easy_pollset *ps)
807{
808 struct ssl_connect_data *connssl = cf->ctx;
809
810 if(connssl->io_need) {
811 curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
812 if(sock != CURL_SOCKET_BAD) {
813 if(connssl->io_need & CURL_SSL_IO_NEED_SEND) {
814 Curl_pollset_set_out_only(data, ps, sock);
815 CURL_TRC_CF(data, cf, "adjust_pollset, POLLOUT fd=%" FMT_SOCKET_T,
816 sock);
817 }
818 else {
819 Curl_pollset_set_in_only(data, ps, sock);
820 CURL_TRC_CF(data, cf, "adjust_pollset, POLLIN fd=%" FMT_SOCKET_T,
821 sock);
822 }
823 }
824 }
825}
826
827/* Selects an SSL crypto engine
828 */
829CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
830{
831 return Curl_ssl->set_engine(data, engine);
832}
833
834/* Selects the default SSL crypto engine
835 */
836CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
837{
838 return Curl_ssl->set_engine_default(data);
839}
840
841/* Return list of OpenSSL crypto engine names. */
842struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
843{
844 return Curl_ssl->engines_list(data);
845}
846
847/*
848 * This sets up a session ID cache to the specified size. Make sure this code
849 * is agnostic to what underlying SSL technology we use.
850 */
851CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
852{
853 struct Curl_ssl_session *session;
854
855 if(data->state.session)
856 /* this is just a precaution to prevent multiple inits */
857 return CURLE_OK;
858
859 session = calloc(amount, sizeof(struct Curl_ssl_session));
860 if(!session)
861 return CURLE_OUT_OF_MEMORY;
862
863 /* store the info in the SSL section */
864 data->set.general_ssl.max_ssl_sessions = amount;
865 data->state.session = session;
866 data->state.sessionage = 1; /* this is brand new */
867 return CURLE_OK;
868}
869
870static size_t multissl_version(char *buffer, size_t size);
871
872void Curl_ssl_version(char *buffer, size_t size)
873{
874#ifdef CURL_WITH_MULTI_SSL
875 (void)multissl_version(buffer, size);
876#else
877 (void)Curl_ssl->version(buffer, size);
878#endif
879}
880
881void Curl_ssl_free_certinfo(struct Curl_easy *data)
882{
883 struct curl_certinfo *ci = &data->info.certs;
884
885 if(ci->num_of_certs) {
886 /* free all individual lists used */
887 int i;
888 for(i = 0; i < ci->num_of_certs; i++) {
889 curl_slist_free_all(ci->certinfo[i]);
890 ci->certinfo[i] = NULL;
891 }
892
893 free(ci->certinfo); /* free the actual array too */
894 ci->certinfo = NULL;
895 ci->num_of_certs = 0;
896 }
897}
898
899CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
900{
901 struct curl_certinfo *ci = &data->info.certs;
902 struct curl_slist **table;
903
904 /* Free any previous certificate information structures */
905 Curl_ssl_free_certinfo(data);
906
907 /* Allocate the required certificate information structures */
908 table = calloc((size_t) num, sizeof(struct curl_slist *));
909 if(!table)
910 return CURLE_OUT_OF_MEMORY;
911
912 ci->num_of_certs = num;
913 ci->certinfo = table;
914
915 return CURLE_OK;
916}
917
918/*
919 * 'value' is NOT a null-terminated string
920 */
921CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
922 int certnum,
923 const char *label,
924 const char *value,
925 size_t valuelen)
926{
927 struct curl_certinfo *ci = &data->info.certs;
928 struct curl_slist *nl;
929 CURLcode result = CURLE_OK;
930 struct dynbuf build;
931
932 DEBUGASSERT(certnum < ci->num_of_certs);
933
934 Curl_dyn_init(&build, CURL_X509_STR_MAX);
935
936 if(Curl_dyn_add(&build, label) ||
937 Curl_dyn_addn(&build, ":", 1) ||
938 Curl_dyn_addn(&build, value, valuelen))
939 return CURLE_OUT_OF_MEMORY;
940
941 nl = Curl_slist_append_nodup(ci->certinfo[certnum],
942 Curl_dyn_ptr(&build));
943 if(!nl) {
944 Curl_dyn_free(&build);
945 curl_slist_free_all(ci->certinfo[certnum]);
946 result = CURLE_OUT_OF_MEMORY;
947 }
948
949 ci->certinfo[certnum] = nl;
950 return result;
951}
952
953/* get 32 bits of random */
954CURLcode Curl_ssl_random(struct Curl_easy *data,
955 unsigned char *entropy,
956 size_t length)
957{
958 DEBUGASSERT(length == sizeof(int));
959 if(Curl_ssl->random)
960 return Curl_ssl->random(data, entropy, length);
961 else
962 return CURLE_NOT_BUILT_IN;
963}
964
965/*
966 * Public key pem to der conversion
967 */
968
969static CURLcode pubkey_pem_to_der(const char *pem,
970 unsigned char **der, size_t *der_len)
971{
972 char *begin_pos, *end_pos;
973 size_t pem_count, pem_len;
974 CURLcode result;
975 struct dynbuf pbuf;
976
977 /* if no pem, exit. */
978 if(!pem)
979 return CURLE_BAD_CONTENT_ENCODING;
980
981 Curl_dyn_init(&pbuf, MAX_PINNED_PUBKEY_SIZE);
982
983 begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
984 if(!begin_pos)
985 return CURLE_BAD_CONTENT_ENCODING;
986
987 pem_count = begin_pos - pem;
988 /* Invalid if not at beginning AND not directly following \n */
989 if(0 != pem_count && '\n' != pem[pem_count - 1])
990 return CURLE_BAD_CONTENT_ENCODING;
991
992 /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
993 pem_count += 26;
994
995 /* Invalid if not directly following \n */
996 end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
997 if(!end_pos)
998 return CURLE_BAD_CONTENT_ENCODING;
999
1000 pem_len = end_pos - pem;
1001
1002 /*
1003 * Here we loop through the pem array one character at a time between the
1004 * correct indices, and place each character that is not '\n' or '\r'
1005 * into the stripped_pem array, which should represent the raw base64 string
1006 */
1007 while(pem_count < pem_len) {
1008 if('\n' != pem[pem_count] && '\r' != pem[pem_count]) {
1009 result = Curl_dyn_addn(&pbuf, &pem[pem_count], 1);
1010 if(result)
1011 return result;
1012 }
1013 ++pem_count;
1014 }
1015
1016 result = Curl_base64_decode(Curl_dyn_ptr(&pbuf), der, der_len);
1017
1018 Curl_dyn_free(&pbuf);
1019
1020 return result;
1021}
1022
1023/*
1024 * Generic pinned public key check.
1025 */
1026
1027CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
1028 const char *pinnedpubkey,
1029 const unsigned char *pubkey, size_t pubkeylen)
1030{
1031 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
1032#ifdef CURL_DISABLE_VERBOSE_STRINGS
1033 (void)data;
1034#endif
1035
1036 /* if a path was not specified, do not pin */
1037 if(!pinnedpubkey)
1038 return CURLE_OK;
1039 if(!pubkey || !pubkeylen)
1040 return result;
1041
1042 /* only do this if pinnedpubkey starts with "sha256//", length 8 */
1043 if(!strncmp(pinnedpubkey, "sha256//", 8)) {
1044 CURLcode encode;
1045 size_t encodedlen = 0;
1046 char *encoded = NULL, *pinkeycopy, *begin_pos, *end_pos;
1047 unsigned char *sha256sumdigest;
1048
1049 if(!Curl_ssl->sha256sum) {
1050 /* without sha256 support, this cannot match */
1051 return result;
1052 }
1053
1054 /* compute sha256sum of public key */
1055 sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
1056 if(!sha256sumdigest)
1057 return CURLE_OUT_OF_MEMORY;
1058 encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
1059 sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
1060
1061 if(!encode)
1062 encode = Curl_base64_encode((char *)sha256sumdigest,
1063 CURL_SHA256_DIGEST_LENGTH, &encoded,
1064 &encodedlen);
1065 Curl_safefree(sha256sumdigest);
1066
1067 if(encode)
1068 return encode;
1069
1070 infof(data, " public key hash: sha256//%s", encoded);
1071
1072 /* it starts with sha256//, copy so we can modify it */
1073 pinkeycopy = strdup(pinnedpubkey);
1074 if(!pinkeycopy) {
1075 Curl_safefree(encoded);
1076 return CURLE_OUT_OF_MEMORY;
1077 }
1078 /* point begin_pos to the copy, and start extracting keys */
1079 begin_pos = pinkeycopy;
1080 do {
1081 end_pos = strstr(begin_pos, ";sha256//");
1082 /*
1083 * if there is an end_pos, null terminate,
1084 * otherwise it will go to the end of the original string
1085 */
1086 if(end_pos)
1087 end_pos[0] = '\0';
1088
1089 /* compare base64 sha256 digests, 8 is the length of "sha256//" */
1090 if(encodedlen == strlen(begin_pos + 8) &&
1091 !memcmp(encoded, begin_pos + 8, encodedlen)) {
1092 result = CURLE_OK;
1093 break;
1094 }
1095
1096 /*
1097 * change back the null-terminator we changed earlier,
1098 * and look for next begin
1099 */
1100 if(end_pos) {
1101 end_pos[0] = ';';
1102 begin_pos = strstr(end_pos, "sha256//");
1103 }
1104 } while(end_pos && begin_pos);
1105 Curl_safefree(encoded);
1106 Curl_safefree(pinkeycopy);
1107 }
1108 else {
1109 long filesize;
1110 size_t size, pem_len;
1111 CURLcode pem_read;
1112 struct dynbuf buf;
1113 char unsigned *pem_ptr = NULL;
1114 size_t left;
1115 FILE *fp = fopen(pinnedpubkey, "rb");
1116 if(!fp)
1117 return result;
1118
1119 Curl_dyn_init(&buf, MAX_PINNED_PUBKEY_SIZE);
1120
1121 /* Determine the file's size */
1122 if(fseek(fp, 0, SEEK_END))
1123 goto end;
1124 filesize = ftell(fp);
1125 if(fseek(fp, 0, SEEK_SET))
1126 goto end;
1127 if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
1128 goto end;
1129
1130 /*
1131 * if the size of our certificate is bigger than the file
1132 * size then it cannot match
1133 */
1134 size = curlx_sotouz((curl_off_t) filesize);
1135 if(pubkeylen > size)
1136 goto end;
1137
1138 /*
1139 * Read the file into the dynbuf
1140 */
1141 left = size;
1142 do {
1143 char buffer[1024];
1144 size_t want = left > sizeof(buffer) ? sizeof(buffer) : left;
1145 if(want != fread(buffer, 1, want, fp))
1146 goto end;
1147 if(Curl_dyn_addn(&buf, buffer, want))
1148 goto end;
1149 left -= want;
1150 } while(left);
1151
1152 /* If the sizes are the same, it cannot be base64 encoded, must be der */
1153 if(pubkeylen == size) {
1154 if(!memcmp(pubkey, Curl_dyn_ptr(&buf), pubkeylen))
1155 result = CURLE_OK;
1156 goto end;
1157 }
1158
1159 /*
1160 * Otherwise we will assume it is PEM and try to decode it
1161 * after placing null terminator
1162 */
1163 pem_read = pubkey_pem_to_der(Curl_dyn_ptr(&buf), &pem_ptr, &pem_len);
1164 /* if it was not read successfully, exit */
1165 if(pem_read)
1166 goto end;
1167
1168 /*
1169 * if the size of our certificate does not match the size of
1170 * the decoded file, they cannot be the same, otherwise compare
1171 */
1172 if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
1173 result = CURLE_OK;
1174end:
1175 Curl_dyn_free(&buf);
1176 Curl_safefree(pem_ptr);
1177 fclose(fp);
1178 }
1179
1180 return result;
1181}
1182
1183/*
1184 * Check whether the SSL backend supports the status_request extension.
1185 */
1186bool Curl_ssl_cert_status_request(void)
1187{
1188 return Curl_ssl->cert_status_request();
1189}
1190
1191/*
1192 * Check whether the SSL backend supports false start.
1193 */
1194bool Curl_ssl_false_start(struct Curl_easy *data)
1195{
1196 (void)data;
1197 return Curl_ssl->false_start();
1198}
1199
1200/*
1201 * Default implementations for unsupported functions.
1202 */
1203
1204int Curl_none_init(void)
1205{
1206 return 1;
1207}
1208
1209void Curl_none_cleanup(void)
1210{ }
1211
1212CURLcode Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
1213 struct Curl_easy *data UNUSED_PARAM,
1214 bool send_shutdown UNUSED_PARAM,
1215 bool *done)
1216{
1217 (void)data;
1218 (void)cf;
1219 (void)send_shutdown;
1220 /* Every SSL backend should have a shutdown implementation. Until we
1221 * have implemented that, we put this fake in place. */
1222 *done = TRUE;
1223 return CURLE_OK;
1224}
1225
1226int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data)
1227{
1228 (void)cf;
1229 (void)data;
1230 return -1;
1231}
1232
1233void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
1234{
1235 (void)data;
1236}
1237
1238void Curl_none_session_free(void *ptr UNUSED_PARAM)
1239{
1240 (void)ptr;
1241}
1242
1243bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
1244 const struct Curl_easy *data UNUSED_PARAM)
1245{
1246 (void)cf;
1247 (void)data;
1248 return 0;
1249}
1250
1251bool Curl_none_cert_status_request(void)
1252{
1253 return FALSE;
1254}
1255
1256CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
1257 const char *engine UNUSED_PARAM)
1258{
1259 (void)data;
1260 (void)engine;
1261 return CURLE_NOT_BUILT_IN;
1262}
1263
1264CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
1265{
1266 (void)data;
1267 return CURLE_NOT_BUILT_IN;
1268}
1269
1270struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
1271{
1272 (void)data;
1273 return (struct curl_slist *)NULL;
1274}
1275
1276bool Curl_none_false_start(void)
1277{
1278 return FALSE;
1279}
1280
1281static int multissl_init(void)
1282{
1283 if(multissl_setup(NULL))
1284 return 1;
1285 return Curl_ssl->init();
1286}
1287
1288static CURLcode multissl_connect(struct Curl_cfilter *cf,
1289 struct Curl_easy *data)
1290{
1291 if(multissl_setup(NULL))
1292 return CURLE_FAILED_INIT;
1293 return Curl_ssl->connect_blocking(cf, data);
1294}
1295
1296static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
1297 struct Curl_easy *data,
1298 bool *done)
1299{
1300 if(multissl_setup(NULL))
1301 return CURLE_FAILED_INIT;
1302 return Curl_ssl->connect_nonblocking(cf, data, done);
1303}
1304
1305static void multissl_adjust_pollset(struct Curl_cfilter *cf,
1306 struct Curl_easy *data,
1307 struct easy_pollset *ps)
1308{
1309 if(multissl_setup(NULL))
1310 return;
1311 Curl_ssl->adjust_pollset(cf, data, ps);
1312}
1313
1314static void *multissl_get_internals(struct ssl_connect_data *connssl,
1315 CURLINFO info)
1316{
1317 if(multissl_setup(NULL))
1318 return NULL;
1319 return Curl_ssl->get_internals(connssl, info);
1320}
1321
1322static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1323{
1324 if(multissl_setup(NULL))
1325 return;
1326 Curl_ssl->close(cf, data);
1327}
1328
1329static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
1330 struct Curl_easy *data,
1331 char *buf, size_t len, CURLcode *code)
1332{
1333 if(multissl_setup(NULL))
1334 return CURLE_FAILED_INIT;
1335 return Curl_ssl->recv_plain(cf, data, buf, len, code);
1336}
1337
1338static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
1339 struct Curl_easy *data,
1340 const void *mem, size_t len,
1341 CURLcode *code)
1342{
1343 if(multissl_setup(NULL))
1344 return CURLE_FAILED_INIT;
1345 return Curl_ssl->send_plain(cf, data, mem, len, code);
1346}
1347
1348static const struct Curl_ssl Curl_ssl_multi = {
1349 { CURLSSLBACKEND_NONE, "multi" }, /* info */
1350 0, /* supports nothing */
1351 (size_t)-1, /* something insanely large to be on the safe side */
1352
1353 multissl_init, /* init */
1354 Curl_none_cleanup, /* cleanup */
1355 multissl_version, /* version */
1356 Curl_none_check_cxn, /* check_cxn */
1357 Curl_none_shutdown, /* shutdown */
1358 Curl_none_data_pending, /* data_pending */
1359 NULL, /* random */
1360 Curl_none_cert_status_request, /* cert_status_request */
1361 multissl_connect, /* connect */
1362 multissl_connect_nonblocking, /* connect_nonblocking */
1363 multissl_adjust_pollset, /* adjust_pollset */
1364 multissl_get_internals, /* get_internals */
1365 multissl_close, /* close_one */
1366 Curl_none_close_all, /* close_all */
1367 Curl_none_set_engine, /* set_engine */
1368 Curl_none_set_engine_default, /* set_engine_default */
1369 Curl_none_engines_list, /* engines_list */
1370 Curl_none_false_start, /* false_start */
1371 NULL, /* sha256sum */
1372 NULL, /* associate_connection */
1373 NULL, /* disassociate_connection */
1374 multissl_recv_plain, /* recv decrypted data */
1375 multissl_send_plain, /* send data to encrypt */
1376 NULL, /* get_channel_binding */
1377};
1378
1379const struct Curl_ssl *Curl_ssl =
1380#if defined(CURL_WITH_MULTI_SSL)
1381 &Curl_ssl_multi;
1382#elif defined(USE_WOLFSSL)
1383 &Curl_ssl_wolfssl;
1384#elif defined(USE_GNUTLS)
1385 &Curl_ssl_gnutls;
1386#elif defined(USE_MBEDTLS)
1387 &Curl_ssl_mbedtls;
1388#elif defined(USE_RUSTLS)
1389 &Curl_ssl_rustls;
1390#elif defined(USE_OPENSSL)
1391 &Curl_ssl_openssl;
1392#elif defined(USE_SECTRANSP)
1393 &Curl_ssl_sectransp;
1394#elif defined(USE_SCHANNEL)
1395 &Curl_ssl_schannel;
1396#elif defined(USE_BEARSSL)
1397 &Curl_ssl_bearssl;
1398#else
1399#error "Missing struct Curl_ssl for selected SSL backend"
1400#endif
1401
1402static const struct Curl_ssl *available_backends[] = {
1403#if defined(USE_WOLFSSL)
1404 &Curl_ssl_wolfssl,
1405#endif
1406#if defined(USE_GNUTLS)
1407 &Curl_ssl_gnutls,
1408#endif
1409#if defined(USE_MBEDTLS)
1410 &Curl_ssl_mbedtls,
1411#endif
1412#if defined(USE_OPENSSL)
1413 &Curl_ssl_openssl,
1414#endif
1415#if defined(USE_SECTRANSP)
1416 &Curl_ssl_sectransp,
1417#endif
1418#if defined(USE_SCHANNEL)
1419 &Curl_ssl_schannel,
1420#endif
1421#if defined(USE_BEARSSL)
1422 &Curl_ssl_bearssl,
1423#endif
1424#if defined(USE_RUSTLS)
1425 &Curl_ssl_rustls,
1426#endif
1427 NULL
1428};
1429
1430/* Global cleanup */
1431void Curl_ssl_cleanup(void)
1432{
1433 if(init_ssl) {
1434 /* only cleanup if we did a previous init */
1435 Curl_ssl->cleanup();
1436#if defined(CURL_WITH_MULTI_SSL)
1437 Curl_ssl = &Curl_ssl_multi;
1438#endif
1439 init_ssl = FALSE;
1440 }
1441}
1442
1443static size_t multissl_version(char *buffer, size_t size)
1444{
1445 static const struct Curl_ssl *selected;
1446 static char backends[200];
1447 static size_t backends_len;
1448 const struct Curl_ssl *current;
1449
1450 current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
1451
1452 if(current != selected) {
1453 char *p = backends;
1454 char *end = backends + sizeof(backends);
1455 int i;
1456
1457 selected = current;
1458
1459 backends[0] = '\0';
1460
1461 for(i = 0; available_backends[i]; ++i) {
1462 char vb[200];
1463 bool paren = (selected != available_backends[i]);
1464
1465 if(available_backends[i]->version(vb, sizeof(vb))) {
1466 p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
1467 (paren ? "(" : ""), vb, (paren ? ")" : ""));
1468 }
1469 }
1470
1471 backends_len = p - backends;
1472 }
1473
1474 if(size) {
1475 if(backends_len < size)
1476 strcpy(buffer, backends);
1477 else
1478 *buffer = 0; /* did not fit */
1479 }
1480 return 0;
1481}
1482
1483static int multissl_setup(const struct Curl_ssl *backend)
1484{
1485 const char *env;
1486 char *env_tmp;
1487
1488 if(Curl_ssl != &Curl_ssl_multi)
1489 return 1;
1490
1491 if(backend) {
1492 Curl_ssl = backend;
1493 return 0;
1494 }
1495
1496 if(!available_backends[0])
1497 return 1;
1498
1499 env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
1500#ifdef CURL_DEFAULT_SSL_BACKEND
1501 if(!env)
1502 env = CURL_DEFAULT_SSL_BACKEND;
1503#endif
1504 if(env) {
1505 int i;
1506 for(i = 0; available_backends[i]; i++) {
1507 if(strcasecompare(env, available_backends[i]->info.name)) {
1508 Curl_ssl = available_backends[i];
1509 free(env_tmp);
1510 return 0;
1511 }
1512 }
1513 }
1514
1515 /* Fall back to first available backend */
1516 Curl_ssl = available_backends[0];
1517 free(env_tmp);
1518 return 0;
1519}
1520
1521/* This function is used to select the SSL backend to use. It is called by
1522 curl_global_sslset (easy.c) which uses the global init lock. */
1523CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1524 const curl_ssl_backend ***avail)
1525{
1526 int i;
1527
1528 if(avail)
1529 *avail = (const curl_ssl_backend **)&available_backends;
1530
1531 if(Curl_ssl != &Curl_ssl_multi)
1532 return id == Curl_ssl->info.id ||
1533 (name && strcasecompare(name, Curl_ssl->info.name)) ?
1534 CURLSSLSET_OK :
1535#if defined(CURL_WITH_MULTI_SSL)
1536 CURLSSLSET_TOO_LATE;
1537#else
1538 CURLSSLSET_UNKNOWN_BACKEND;
1539#endif
1540
1541 for(i = 0; available_backends[i]; i++) {
1542 if(available_backends[i]->info.id == id ||
1543 (name && strcasecompare(available_backends[i]->info.name, name))) {
1544 multissl_setup(available_backends[i]);
1545 return CURLSSLSET_OK;
1546 }
1547 }
1548
1549 return CURLSSLSET_UNKNOWN_BACKEND;
1550}
1551
1552#else /* USE_SSL */
1553CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1554 const curl_ssl_backend ***avail)
1555{
1556 (void)id;
1557 (void)name;
1558 (void)avail;
1559 return CURLSSLSET_NO_BACKENDS;
1560}
1561
1562#endif /* !USE_SSL */
1563
1564#ifdef USE_SSL
1565
1566void Curl_ssl_peer_cleanup(struct ssl_peer *peer)
1567{
1568 if(peer->dispname != peer->hostname)
1569 free(peer->dispname);
1570 free(peer->sni);
1571 free(peer->hostname);
1572 peer->hostname = peer->sni = peer->dispname = NULL;
1573 peer->type = CURL_SSL_PEER_DNS;
1574}
1575
1576static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1577{
1578 struct ssl_connect_data *connssl = cf->ctx;
1579 if(connssl) {
1580 Curl_ssl->close(cf, data);
1581 connssl->state = ssl_connection_none;
1582 Curl_ssl_peer_cleanup(&connssl->peer);
1583 }
1584 cf->connected = FALSE;
1585}
1586
1587static ssl_peer_type get_peer_type(const char *hostname)
1588{
1589 if(hostname && hostname[0]) {
1590#ifdef USE_IPV6
1591 struct in6_addr addr;
1592#else
1593 struct in_addr addr;
1594#endif
1595 if(Curl_inet_pton(AF_INET, hostname, &addr))
1596 return CURL_SSL_PEER_IPV4;
1597#ifdef USE_IPV6
1598 else if(Curl_inet_pton(AF_INET6, hostname, &addr)) {
1599 return CURL_SSL_PEER_IPV6;
1600 }
1601#endif
1602 }
1603 return CURL_SSL_PEER_DNS;
1604}
1605
1606CURLcode Curl_ssl_peer_init(struct ssl_peer *peer, struct Curl_cfilter *cf,
1607 int transport)
1608{
1609 const char *ehostname, *edispname;
1610 CURLcode result = CURLE_OUT_OF_MEMORY;
1611
1612 /* We expect a clean struct, e.g. called only ONCE */
1613 DEBUGASSERT(peer);
1614 DEBUGASSERT(!peer->hostname);
1615 DEBUGASSERT(!peer->dispname);
1616 DEBUGASSERT(!peer->sni);
1617 /* We need the hostname for SNI negotiation. Once handshaked, this remains
1618 * the SNI hostname for the TLS connection. When the connection is reused,
1619 * the settings in cf->conn might change. We keep a copy of the hostname we
1620 * use for SNI.
1621 */
1622 peer->transport = transport;
1623#ifndef CURL_DISABLE_PROXY
1624 if(Curl_ssl_cf_is_proxy(cf)) {
1625 ehostname = cf->conn->http_proxy.host.name;
1626 edispname = cf->conn->http_proxy.host.dispname;
1627 peer->port = cf->conn->http_proxy.port;
1628 }
1629 else
1630#endif
1631 {
1632 ehostname = cf->conn->host.name;
1633 edispname = cf->conn->host.dispname;
1634 peer->port = cf->conn->remote_port;
1635 }
1636
1637 /* hostname MUST exist and not be empty */
1638 if(!ehostname || !ehostname[0]) {
1639 result = CURLE_FAILED_INIT;
1640 goto out;
1641 }
1642
1643 peer->hostname = strdup(ehostname);
1644 if(!peer->hostname)
1645 goto out;
1646 if(!edispname || !strcmp(ehostname, edispname))
1647 peer->dispname = peer->hostname;
1648 else {
1649 peer->dispname = strdup(edispname);
1650 if(!peer->dispname)
1651 goto out;
1652 }
1653 peer->type = get_peer_type(peer->hostname);
1654 if(peer->type == CURL_SSL_PEER_DNS) {
1655 /* not an IP address, normalize according to RCC 6066 ch. 3,
1656 * max len of SNI is 2^16-1, no trailing dot */
1657 size_t len = strlen(peer->hostname);
1658 if(len && (peer->hostname[len-1] == '.'))
1659 len--;
1660 if(len < USHRT_MAX) {
1661 peer->sni = calloc(1, len + 1);
1662 if(!peer->sni)
1663 goto out;
1664 Curl_strntolower(peer->sni, peer->hostname, len);
1665 peer->sni[len] = 0;
1666 }
1667 }
1668 result = CURLE_OK;
1669
1670out:
1671 if(result)
1672 Curl_ssl_peer_cleanup(peer);
1673 return result;
1674}
1675
1676static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
1677{
1678 struct cf_call_data save;
1679
1680 CF_DATA_SAVE(save, cf, data);
1681 cf_close(cf, data);
1682 CF_DATA_RESTORE(cf, save);
1683 cf_ctx_free(cf->ctx);
1684 cf->ctx = NULL;
1685}
1686
1687static void ssl_cf_close(struct Curl_cfilter *cf,
1688 struct Curl_easy *data)
1689{
1690 struct cf_call_data save;
1691
1692 CF_DATA_SAVE(save, cf, data);
1693 cf_close(cf, data);
1694 if(cf->next)
1695 cf->next->cft->do_close(cf->next, data);
1696 CF_DATA_RESTORE(cf, save);
1697}
1698
1699static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
1700 struct Curl_easy *data,
1701 bool blocking, bool *done)
1702{
1703 struct ssl_connect_data *connssl = cf->ctx;
1704 struct cf_call_data save;
1705 CURLcode result;
1706
1707 if(cf->connected) {
1708 *done = TRUE;
1709 return CURLE_OK;
1710 }
1711
1712 if(!cf->next) {
1713 *done = FALSE;
1714 return CURLE_FAILED_INIT;
1715 }
1716
1717 if(!cf->next->connected) {
1718 result = cf->next->cft->do_connect(cf->next, data, blocking, done);
1719 if(result || !*done)
1720 return result;
1721 }
1722
1723 CF_DATA_SAVE(save, cf, data);
1724 CURL_TRC_CF(data, cf, "cf_connect()");
1725 DEBUGASSERT(data->conn);
1726 DEBUGASSERT(data->conn == cf->conn);
1727 DEBUGASSERT(connssl);
1728
1729 *done = FALSE;
1730 if(!connssl->peer.hostname) {
1731 result = Curl_ssl_peer_init(&connssl->peer, cf, TRNSPRT_TCP);
1732 if(result)
1733 goto out;
1734 }
1735
1736 if(blocking) {
1737 result = ssl_connect(cf, data);
1738 *done = (result == CURLE_OK);
1739 }
1740 else {
1741 result = ssl_connect_nonblocking(cf, data, done);
1742 }
1743
1744 if(!result && *done) {
1745 cf->connected = TRUE;
1746 connssl->handshake_done = Curl_now();
1747 /* Connection can be deferred when sending early data */
1748 DEBUGASSERT(connssl->state == ssl_connection_complete ||
1749 connssl->state == ssl_connection_deferred);
1750 }
1751out:
1752 CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
1753 CF_DATA_RESTORE(cf, save);
1754 return result;
1755}
1756
1757static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
1758 const struct Curl_easy *data)
1759{
1760 struct cf_call_data save;
1761 bool result;
1762
1763 CF_DATA_SAVE(save, cf, data);
1764 if(Curl_ssl->data_pending(cf, data))
1765 result = TRUE;
1766 else
1767 result = cf->next->cft->has_data_pending(cf->next, data);
1768 CF_DATA_RESTORE(cf, save);
1769 return result;
1770}
1771
1772static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
1773 struct Curl_easy *data, const void *buf, size_t len,
1774 bool eos, CURLcode *err)
1775{
1776 struct cf_call_data save;
1777 ssize_t nwritten = 0;
1778
1779 (void)eos;
1780 /* OpenSSL and maybe other TLS libs do not like 0-length writes. Skip. */
1781 *err = CURLE_OK;
1782 if(len > 0) {
1783 CF_DATA_SAVE(save, cf, data);
1784 nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
1785 CF_DATA_RESTORE(cf, save);
1786 }
1787 return nwritten;
1788}
1789
1790static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
1791 struct Curl_easy *data, char *buf, size_t len,
1792 CURLcode *err)
1793{
1794 struct cf_call_data save;
1795 ssize_t nread;
1796
1797 CF_DATA_SAVE(save, cf, data);
1798 *err = CURLE_OK;
1799 nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
1800 if(nread > 0) {
1801 DEBUGASSERT((size_t)nread <= len);
1802 }
1803 else if(nread == 0) {
1804 /* eof */
1805 *err = CURLE_OK;
1806 }
1807 CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
1808 nread, *err);
1809 CF_DATA_RESTORE(cf, save);
1810 return nread;
1811}
1812
1813static CURLcode ssl_cf_shutdown(struct Curl_cfilter *cf,
1814 struct Curl_easy *data,
1815 bool *done)
1816{
1817 CURLcode result = CURLE_OK;
1818
1819 *done = TRUE;
1820 if(!cf->shutdown) {
1821 struct cf_call_data save;
1822
1823 CF_DATA_SAVE(save, cf, data);
1824 result = Curl_ssl->shut_down(cf, data, TRUE, done);
1825 CURL_TRC_CF(data, cf, "cf_shutdown -> %d, done=%d", result, *done);
1826 CF_DATA_RESTORE(cf, save);
1827 cf->shutdown = (result || *done);
1828 }
1829 return result;
1830}
1831
1832static void ssl_cf_adjust_pollset(struct Curl_cfilter *cf,
1833 struct Curl_easy *data,
1834 struct easy_pollset *ps)
1835{
1836 struct cf_call_data save;
1837
1838 CF_DATA_SAVE(save, cf, data);
1839 Curl_ssl->adjust_pollset(cf, data, ps);
1840 CF_DATA_RESTORE(cf, save);
1841}
1842
1843static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
1844 struct Curl_easy *data,
1845 int event, int arg1, void *arg2)
1846{
1847 struct cf_call_data save;
1848
1849 (void)arg1;
1850 (void)arg2;
1851 switch(event) {
1852 case CF_CTRL_DATA_ATTACH:
1853 if(Curl_ssl->attach_data) {
1854 CF_DATA_SAVE(save, cf, data);
1855 Curl_ssl->attach_data(cf, data);
1856 CF_DATA_RESTORE(cf, save);
1857 }
1858 break;
1859 case CF_CTRL_DATA_DETACH:
1860 if(Curl_ssl->detach_data) {
1861 CF_DATA_SAVE(save, cf, data);
1862 Curl_ssl->detach_data(cf, data);
1863 CF_DATA_RESTORE(cf, save);
1864 }
1865 break;
1866 default:
1867 break;
1868 }
1869 return CURLE_OK;
1870}
1871
1872static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
1873 struct Curl_easy *data,
1874 int query, int *pres1, void *pres2)
1875{
1876 struct ssl_connect_data *connssl = cf->ctx;
1877
1878 switch(query) {
1879 case CF_QUERY_TIMER_APPCONNECT: {
1880 struct curltime *when = pres2;
1881 if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
1882 *when = connssl->handshake_done;
1883 return CURLE_OK;
1884 }
1885 default:
1886 break;
1887 }
1888 return cf->next ?
1889 cf->next->cft->query(cf->next, data, query, pres1, pres2) :
1890 CURLE_UNKNOWN_OPTION;
1891}
1892
1893static bool cf_ssl_is_alive(struct Curl_cfilter *cf, struct Curl_easy *data,
1894 bool *input_pending)
1895{
1896 struct cf_call_data save;
1897 int result;
1898 /*
1899 * This function tries to determine connection status.
1900 *
1901 * Return codes:
1902 * 1 means the connection is still in place
1903 * 0 means the connection has been closed
1904 * -1 means the connection status is unknown
1905 */
1906 CF_DATA_SAVE(save, cf, data);
1907 result = Curl_ssl->check_cxn(cf, data);
1908 CF_DATA_RESTORE(cf, save);
1909 if(result > 0) {
1910 *input_pending = TRUE;
1911 return TRUE;
1912 }
1913 if(result == 0) {
1914 *input_pending = FALSE;
1915 return FALSE;
1916 }
1917 /* ssl backend does not know */
1918 return cf->next ?
1919 cf->next->cft->is_alive(cf->next, data, input_pending) :
1920 FALSE; /* pessimistic in absence of data */
1921}
1922
1923struct Curl_cftype Curl_cft_ssl = {
1924 "SSL",
1925 CF_TYPE_SSL,
1926 CURL_LOG_LVL_NONE,
1927 ssl_cf_destroy,
1928 ssl_cf_connect,
1929 ssl_cf_close,
1930 ssl_cf_shutdown,
1931 Curl_cf_def_get_host,
1932 ssl_cf_adjust_pollset,
1933 ssl_cf_data_pending,
1934 ssl_cf_send,
1935 ssl_cf_recv,
1936 ssl_cf_cntrl,
1937 cf_ssl_is_alive,
1938 Curl_cf_def_conn_keep_alive,
1939 ssl_cf_query,
1940};
1941
1942#ifndef CURL_DISABLE_PROXY
1943
1944struct Curl_cftype Curl_cft_ssl_proxy = {
1945 "SSL-PROXY",
1946 CF_TYPE_SSL|CF_TYPE_PROXY,
1947 CURL_LOG_LVL_NONE,
1948 ssl_cf_destroy,
1949 ssl_cf_connect,
1950 ssl_cf_close,
1951 ssl_cf_shutdown,
1952 Curl_cf_def_get_host,
1953 ssl_cf_adjust_pollset,
1954 ssl_cf_data_pending,
1955 ssl_cf_send,
1956 ssl_cf_recv,
1957 ssl_cf_cntrl,
1958 cf_ssl_is_alive,
1959 Curl_cf_def_conn_keep_alive,
1960 Curl_cf_def_query,
1961};
1962
1963#endif /* !CURL_DISABLE_PROXY */
1964
1965static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
1966 struct Curl_easy *data,
1967 struct connectdata *conn)
1968{
1969 struct Curl_cfilter *cf = NULL;
1970 struct ssl_connect_data *ctx;
1971 CURLcode result;
1972
1973 DEBUGASSERT(data->conn);
1974
1975 ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
1976 conn->bits.tls_enable_alpn));
1977 if(!ctx) {
1978 result = CURLE_OUT_OF_MEMORY;
1979 goto out;
1980 }
1981
1982 result = Curl_cf_create(&cf, &Curl_cft_ssl, ctx);
1983
1984out:
1985 if(result)
1986 cf_ctx_free(ctx);
1987 *pcf = result ? NULL : cf;
1988 return result;
1989}
1990
1991CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
1992 struct connectdata *conn,
1993 int sockindex)
1994{
1995 struct Curl_cfilter *cf;
1996 CURLcode result;
1997
1998 result = cf_ssl_create(&cf, data, conn);
1999 if(!result)
2000 Curl_conn_cf_add(data, conn, sockindex, cf);
2001 return result;
2002}
2003
2004CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
2005 struct Curl_easy *data)
2006{
2007 struct Curl_cfilter *cf;
2008 CURLcode result;
2009
2010 result = cf_ssl_create(&cf, data, cf_at->conn);
2011 if(!result)
2012 Curl_conn_cf_insert_after(cf_at, cf);
2013 return result;
2014}
2015
2016#ifndef CURL_DISABLE_PROXY
2017
2018static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
2019 struct Curl_easy *data,
2020 struct connectdata *conn)
2021{
2022 struct Curl_cfilter *cf = NULL;
2023 struct ssl_connect_data *ctx;
2024 CURLcode result;
2025 bool use_alpn = conn->bits.tls_enable_alpn;
2026 int httpwant = CURL_HTTP_VERSION_1_1;
2027
2028#ifdef USE_HTTP2
2029 if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
2030 use_alpn = TRUE;
2031 httpwant = CURL_HTTP_VERSION_2;
2032 }
2033#endif
2034
2035 ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
2036 if(!ctx) {
2037 result = CURLE_OUT_OF_MEMORY;
2038 goto out;
2039 }
2040 result = Curl_cf_create(&cf, &Curl_cft_ssl_proxy, ctx);
2041
2042out:
2043 if(result)
2044 cf_ctx_free(ctx);
2045 *pcf = result ? NULL : cf;
2046 return result;
2047}
2048
2049CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
2050 struct Curl_easy *data)
2051{
2052 struct Curl_cfilter *cf;
2053 CURLcode result;
2054
2055 result = cf_ssl_proxy_create(&cf, data, cf_at->conn);
2056 if(!result)
2057 Curl_conn_cf_insert_after(cf_at, cf);
2058 return result;
2059}
2060
2061#endif /* !CURL_DISABLE_PROXY */
2062
2063bool Curl_ssl_supports(struct Curl_easy *data, unsigned int ssl_option)
2064{
2065 (void)data;
2066 return (Curl_ssl->supports & ssl_option);
2067}
2068
2069static struct Curl_cfilter *get_ssl_filter(struct Curl_cfilter *cf)
2070{
2071 for(; cf; cf = cf->next) {
2072 if(cf->cft == &Curl_cft_ssl)
2073 return cf;
2074#ifndef CURL_DISABLE_PROXY
2075 if(cf->cft == &Curl_cft_ssl_proxy)
2076 return cf;
2077#endif
2078 }
2079 return NULL;
2080}
2081
2082
2083void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
2084 CURLINFO info, int n)
2085{
2086 void *result = NULL;
2087 (void)n;
2088 if(data->conn) {
2089 struct Curl_cfilter *cf;
2090 /* get first SSL filter in chain, if any is present */
2091 cf = get_ssl_filter(data->conn->cfilter[sockindex]);
2092 if(cf) {
2093 struct cf_call_data save;
2094 CF_DATA_SAVE(save, cf, data);
2095 result = Curl_ssl->get_internals(cf->ctx, info);
2096 CF_DATA_RESTORE(cf, save);
2097 }
2098 }
2099 return result;
2100}
2101
2102static CURLcode vtls_shutdown_blocking(struct Curl_cfilter *cf,
2103 struct Curl_easy *data,
2104 bool send_shutdown, bool *done)
2105{
2106 struct ssl_connect_data *connssl = cf->ctx;
2107 struct cf_call_data save;
2108 CURLcode result = CURLE_OK;
2109 timediff_t timeout_ms;
2110 int what, loop = 10;
2111
2112 if(cf->shutdown) {
2113 *done = TRUE;
2114 return CURLE_OK;
2115 }
2116 CF_DATA_SAVE(save, cf, data);
2117
2118 *done = FALSE;
2119 while(!result && !*done && loop--) {
2120 timeout_ms = Curl_shutdown_timeleft(cf->conn, cf->sockindex, NULL);
2121
2122 if(timeout_ms < 0) {
2123 /* no need to continue if time is already up */
2124 failf(data, "SSL shutdown timeout");
2125 return CURLE_OPERATION_TIMEDOUT;
2126 }
2127
2128 result = Curl_ssl->shut_down(cf, data, send_shutdown, done);
2129 if(result ||*done)
2130 goto out;
2131
2132 if(connssl->io_need) {
2133 what = Curl_conn_cf_poll(cf, data, timeout_ms);
2134 if(what < 0) {
2135 /* fatal error */
2136 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
2137 result = CURLE_RECV_ERROR;
2138 goto out;
2139 }
2140 else if(0 == what) {
2141 /* timeout */
2142 failf(data, "SSL shutdown timeout");
2143 result = CURLE_OPERATION_TIMEDOUT;
2144 goto out;
2145 }
2146 /* socket is readable or writable */
2147 }
2148 }
2149out:
2150 CF_DATA_RESTORE(cf, save);
2151 cf->shutdown = (result || *done);
2152 return result;
2153}
2154
2155CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
2156 int sockindex, bool send_shutdown)
2157{
2158 struct Curl_cfilter *cf, *head;
2159 CURLcode result = CURLE_OK;
2160
2161 head = data->conn ? data->conn->cfilter[sockindex] : NULL;
2162 for(cf = head; cf; cf = cf->next) {
2163 if(cf->cft == &Curl_cft_ssl) {
2164 bool done;
2165 CURL_TRC_CF(data, cf, "shutdown and remove SSL, start");
2166 Curl_shutdown_start(data, sockindex, NULL);
2167 result = vtls_shutdown_blocking(cf, data, send_shutdown, &done);
2168 Curl_shutdown_clear(data, sockindex);
2169 if(!result && !done) /* blocking failed? */
2170 result = CURLE_SSL_SHUTDOWN_FAILED;
2171 Curl_conn_cf_discard_sub(head, cf, data, FALSE);
2172 CURL_TRC_CF(data, cf, "shutdown and remove SSL, done -> %d", result);
2173 break;
2174 }
2175 }
2176 return result;
2177}
2178
2179bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
2180{
2181 return (cf->cft->flags & CF_TYPE_SSL) && (cf->cft->flags & CF_TYPE_PROXY);
2182}
2183
2184struct ssl_config_data *
2185Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data)
2186{
2187#ifdef CURL_DISABLE_PROXY
2188 (void)cf;
2189 return &data->set.ssl;
2190#else
2191 return Curl_ssl_cf_is_proxy(cf) ? &data->set.proxy_ssl : &data->set.ssl;
2192#endif
2193}
2194
2195struct ssl_primary_config *
2196Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
2197{
2198#ifdef CURL_DISABLE_PROXY
2199 return &cf->conn->ssl_config;
2200#else
2201 return Curl_ssl_cf_is_proxy(cf) ?
2202 &cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
2203#endif
2204}
2205
2206CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
2207 const struct alpn_spec *spec)
2208{
2209 size_t i, len;
2210 int off = 0;
2211 unsigned char blen;
2212
2213 memset(buf, 0, sizeof(*buf));
2214 for(i = 0; spec && i < spec->count; ++i) {
2215 len = strlen(spec->entries[i]);
2216 if(len >= ALPN_NAME_MAX)
2217 return CURLE_FAILED_INIT;
2218 blen = (unsigned char)len;
2219 if(off + blen + 1 >= (int)sizeof(buf->data))
2220 return CURLE_FAILED_INIT;
2221 buf->data[off++] = blen;
2222 memcpy(buf->data + off, spec->entries[i], blen);
2223 off += blen;
2224 }
2225 buf->len = off;
2226 return CURLE_OK;
2227}
2228
2229CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
2230 const struct alpn_spec *spec)
2231{
2232 size_t i, len;
2233 size_t off = 0;
2234
2235 memset(buf, 0, sizeof(*buf));
2236 for(i = 0; spec && i < spec->count; ++i) {
2237 len = strlen(spec->entries[i]);
2238 if(len >= ALPN_NAME_MAX)
2239 return CURLE_FAILED_INIT;
2240 if(off + len + 2 >= sizeof(buf->data))
2241 return CURLE_FAILED_INIT;
2242 if(off)
2243 buf->data[off++] = ',';
2244 memcpy(buf->data + off, spec->entries[i], len);
2245 off += len;
2246 }
2247 buf->data[off] = '\0';
2248 buf->len = (int)off;
2249 return CURLE_OK;
2250}
2251
2252bool Curl_alpn_contains_proto(const struct alpn_spec *spec,
2253 const char *proto)
2254{
2255 size_t i, plen = proto ? strlen(proto) : 0;
2256 for(i = 0; spec && plen && i < spec->count; ++i) {
2257 size_t slen = strlen(spec->entries[i]);
2258 if((slen == plen) && !memcmp(proto, spec->entries[i], plen))
2259 return TRUE;
2260 }
2261 return FALSE;
2262}
2263
2264CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
2265 struct Curl_easy *data,
2266 struct ssl_connect_data *connssl,
2267 const unsigned char *proto,
2268 size_t proto_len)
2269{
2270 CURLcode result = CURLE_OK;
2271 unsigned char *palpn =
2272#ifndef CURL_DISABLE_PROXY
2273 (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf)) ?
2274 &cf->conn->proxy_alpn : &cf->conn->alpn
2275#else
2276 &cf->conn->alpn
2277#endif
2278 ;
2279
2280 if(connssl->alpn_negotiated) {
2281 /* When we ask for a specific ALPN protocol, we need the confirmation
2282 * of it by the server, as we have installed protocol handler and
2283 * connection filter chain for exactly this protocol. */
2284 if(!proto_len) {
2285 failf(data, "ALPN: asked for '%s' from previous session, "
2286 "but server did not confirm it. Refusing to continue.",
2287 connssl->alpn_negotiated);
2288 result = CURLE_SSL_CONNECT_ERROR;
2289 goto out;
2290 }
2291 else if((strlen(connssl->alpn_negotiated) != proto_len) ||
2292 memcmp(connssl->alpn_negotiated, proto, proto_len)) {
2293 failf(data, "ALPN: asked for '%s' from previous session, but server "
2294 "selected '%.*s'. Refusing to continue.",
2295 connssl->alpn_negotiated, (int)proto_len, proto);
2296 result = CURLE_SSL_CONNECT_ERROR;
2297 goto out;
2298 }
2299 /* ALPN is exactly what we asked for, done. */
2300 infof(data, "ALPN: server confirmed to use '%s'",
2301 connssl->alpn_negotiated);
2302 goto out;
2303 }
2304
2305 if(proto && proto_len) {
2306 if(memchr(proto, '\0', proto_len)) {
2307 failf(data, "ALPN: server selected protocol contains NUL. "
2308 "Refusing to continue.");
2309 result = CURLE_SSL_CONNECT_ERROR;
2310 goto out;
2311 }
2312 connssl->alpn_negotiated = malloc(proto_len + 1);
2313 if(!connssl->alpn_negotiated)
2314 return CURLE_OUT_OF_MEMORY;
2315 memcpy(connssl->alpn_negotiated, proto, proto_len);
2316 connssl->alpn_negotiated[proto_len] = 0;
2317 }
2318
2319 if(proto && proto_len) {
2320 if(proto_len == ALPN_HTTP_1_1_LENGTH &&
2321 !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
2322 *palpn = CURL_HTTP_VERSION_1_1;
2323 }
2324#ifdef USE_HTTP2
2325 else if(proto_len == ALPN_H2_LENGTH &&
2326 !memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
2327 *palpn = CURL_HTTP_VERSION_2;
2328 }
2329#endif
2330#ifdef USE_HTTP3
2331 else if(proto_len == ALPN_H3_LENGTH &&
2332 !memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
2333 *palpn = CURL_HTTP_VERSION_3;
2334 }
2335#endif
2336 else {
2337 *palpn = CURL_HTTP_VERSION_NONE;
2338 failf(data, "unsupported ALPN protocol: '%.*s'", (int)proto_len, proto);
2339 /* TODO: do we want to fail this? Previous code just ignored it and
2340 * some vtls backends even ignore the return code of this function. */
2341 /* return CURLE_NOT_BUILT_IN; */
2342 goto out;
2343 }
2344
2345 if(connssl->state == ssl_connection_deferred)
2346 infof(data, VTLS_INFOF_ALPN_DEFERRED, (int)proto_len, proto);
2347 else
2348 infof(data, VTLS_INFOF_ALPN_ACCEPTED, (int)proto_len, proto);
2349 }
2350 else {
2351 *palpn = CURL_HTTP_VERSION_NONE;
2352 if(connssl->state == ssl_connection_deferred)
2353 infof(data, VTLS_INFOF_NO_ALPN_DEFERRED);
2354 else
2355 infof(data, VTLS_INFOF_NO_ALPN);
2356 }
2357
2358out:
2359 return result;
2360}
2361
2362#endif /* USE_SSL */
注意: 瀏覽 TracBrowser 來幫助您使用儲存庫瀏覽器

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette