vtls.c 58 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. /* This file is for implementing all "generic" SSL functions that all libcurl
  25. internals should use. It is then responsible for calling the proper
  26. "backend" function.
  27. SSL-functions in libcurl should call functions in this source file, and not
  28. to any specific SSL-layer.
  29. Curl_ssl_ - prefix for generic ones
  30. Note that this source code uses the functions of the configured SSL
  31. backend via the global Curl_ssl instance.
  32. "SSL/TLS Strong Encryption: An Introduction"
  33. https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
  34. */
  35. #include "curl_setup.h"
  36. #ifdef HAVE_SYS_TYPES_H
  37. #include <sys/types.h>
  38. #endif
  39. #ifdef HAVE_SYS_STAT_H
  40. #include <sys/stat.h>
  41. #endif
  42. #ifdef HAVE_FCNTL_H
  43. #include <fcntl.h>
  44. #endif
  45. #include "urldata.h"
  46. #include "cfilters.h"
  47. #include "vtls.h" /* generic SSL protos etc */
  48. #include "vtls_int.h"
  49. #include "slist.h"
  50. #include "sendf.h"
  51. #include "strcase.h"
  52. #include "url.h"
  53. #include "progress.h"
  54. #include "share.h"
  55. #include "multiif.h"
  56. #include "timeval.h"
  57. #include "curl_md5.h"
  58. #include "warnless.h"
  59. #include "curl_base64.h"
  60. #include "curl_printf.h"
  61. #include "inet_pton.h"
  62. #include "strdup.h"
  63. /* The last #include files should be: */
  64. #include "curl_memory.h"
  65. #include "memdebug.h"
  66. /* convenience macro to check if this handle is using a shared SSL session */
  67. #define SSLSESSION_SHARED(data) (data->share && \
  68. (data->share->specifier & \
  69. (1<<CURL_LOCK_DATA_SSL_SESSION)))
  70. #define CLONE_STRING(var) \
  71. do { \
  72. if(source->var) { \
  73. dest->var = strdup(source->var); \
  74. if(!dest->var) \
  75. return FALSE; \
  76. } \
  77. else \
  78. dest->var = NULL; \
  79. } while(0)
  80. #define CLONE_BLOB(var) \
  81. do { \
  82. if(blobdup(&dest->var, source->var)) \
  83. return FALSE; \
  84. } while(0)
  85. static CURLcode blobdup(struct curl_blob **dest,
  86. struct curl_blob *src)
  87. {
  88. DEBUGASSERT(dest);
  89. DEBUGASSERT(!*dest);
  90. if(src) {
  91. /* only if there's data to dupe! */
  92. struct curl_blob *d;
  93. d = malloc(sizeof(struct curl_blob) + src->len);
  94. if(!d)
  95. return CURLE_OUT_OF_MEMORY;
  96. d->len = src->len;
  97. /* Always duplicate because the connection may survive longer than the
  98. handle that passed in the blob. */
  99. d->flags = CURL_BLOB_COPY;
  100. d->data = (void *)((char *)d + sizeof(struct curl_blob));
  101. memcpy(d->data, src->data, src->len);
  102. *dest = d;
  103. }
  104. return CURLE_OK;
  105. }
  106. /* returns TRUE if the blobs are identical */
  107. static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
  108. {
  109. if(!first && !second) /* both are NULL */
  110. return TRUE;
  111. if(!first || !second) /* one is NULL */
  112. return FALSE;
  113. if(first->len != second->len) /* different sizes */
  114. return FALSE;
  115. return !memcmp(first->data, second->data, first->len); /* same data */
  116. }
  117. #ifdef USE_SSL
  118. static const struct alpn_spec ALPN_SPEC_H11 = {
  119. { ALPN_HTTP_1_1 }, 1
  120. };
  121. #ifdef USE_HTTP2
  122. static const struct alpn_spec ALPN_SPEC_H2_H11 = {
  123. { ALPN_H2, ALPN_HTTP_1_1 }, 2
  124. };
  125. #endif
  126. static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
  127. {
  128. if(!use_alpn)
  129. return NULL;
  130. #ifdef USE_HTTP2
  131. if(httpwant >= CURL_HTTP_VERSION_2)
  132. return &ALPN_SPEC_H2_H11;
  133. #else
  134. (void)httpwant;
  135. #endif
  136. /* Use the ALPN protocol "http/1.1" for HTTP/1.x.
  137. Avoid "http/1.0" because some servers don't support it. */
  138. return &ALPN_SPEC_H11;
  139. }
  140. #endif /* USE_SSL */
  141. void Curl_ssl_easy_config_init(struct Curl_easy *data)
  142. {
  143. /*
  144. * libcurl 7.10 introduced SSL verification *by default*! This needs to be
  145. * switched off unless wanted.
  146. */
  147. data->set.ssl.primary.verifypeer = TRUE;
  148. data->set.ssl.primary.verifyhost = TRUE;
  149. data->set.ssl.primary.sessionid = TRUE; /* session ID caching by default */
  150. #ifndef CURL_DISABLE_PROXY
  151. data->set.proxy_ssl = data->set.ssl;
  152. #endif
  153. }
  154. static bool
  155. match_ssl_primary_config(struct Curl_easy *data,
  156. struct ssl_primary_config *c1,
  157. struct ssl_primary_config *c2)
  158. {
  159. (void)data;
  160. if((c1->version == c2->version) &&
  161. (c1->version_max == c2->version_max) &&
  162. (c1->ssl_options == c2->ssl_options) &&
  163. (c1->verifypeer == c2->verifypeer) &&
  164. (c1->verifyhost == c2->verifyhost) &&
  165. (c1->verifystatus == c2->verifystatus) &&
  166. blobcmp(c1->cert_blob, c2->cert_blob) &&
  167. blobcmp(c1->ca_info_blob, c2->ca_info_blob) &&
  168. blobcmp(c1->issuercert_blob, c2->issuercert_blob) &&
  169. Curl_safecmp(c1->CApath, c2->CApath) &&
  170. Curl_safecmp(c1->CAfile, c2->CAfile) &&
  171. Curl_safecmp(c1->issuercert, c2->issuercert) &&
  172. Curl_safecmp(c1->clientcert, c2->clientcert) &&
  173. #ifdef USE_TLS_SRP
  174. !Curl_timestrcmp(c1->username, c2->username) &&
  175. !Curl_timestrcmp(c1->password, c2->password) &&
  176. #endif
  177. strcasecompare(c1->cipher_list, c2->cipher_list) &&
  178. strcasecompare(c1->cipher_list13, c2->cipher_list13) &&
  179. strcasecompare(c1->curves, c2->curves) &&
  180. strcasecompare(c1->CRLfile, c2->CRLfile) &&
  181. strcasecompare(c1->pinned_key, c2->pinned_key))
  182. return TRUE;
  183. return FALSE;
  184. }
  185. bool Curl_ssl_conn_config_match(struct Curl_easy *data,
  186. struct connectdata *candidate,
  187. bool proxy)
  188. {
  189. #ifndef CURL_DISABLE_PROXY
  190. if(proxy)
  191. return match_ssl_primary_config(data, &data->set.proxy_ssl.primary,
  192. &candidate->proxy_ssl_config);
  193. #else
  194. (void)proxy;
  195. #endif
  196. return match_ssl_primary_config(data, &data->set.ssl.primary,
  197. &candidate->ssl_config);
  198. }
  199. static bool clone_ssl_primary_config(struct ssl_primary_config *source,
  200. struct ssl_primary_config *dest)
  201. {
  202. dest->version = source->version;
  203. dest->version_max = source->version_max;
  204. dest->verifypeer = source->verifypeer;
  205. dest->verifyhost = source->verifyhost;
  206. dest->verifystatus = source->verifystatus;
  207. dest->sessionid = source->sessionid;
  208. dest->ssl_options = source->ssl_options;
  209. CLONE_BLOB(cert_blob);
  210. CLONE_BLOB(ca_info_blob);
  211. CLONE_BLOB(issuercert_blob);
  212. CLONE_STRING(CApath);
  213. CLONE_STRING(CAfile);
  214. CLONE_STRING(issuercert);
  215. CLONE_STRING(clientcert);
  216. CLONE_STRING(cipher_list);
  217. CLONE_STRING(cipher_list13);
  218. CLONE_STRING(pinned_key);
  219. CLONE_STRING(curves);
  220. CLONE_STRING(CRLfile);
  221. #ifdef USE_TLS_SRP
  222. CLONE_STRING(username);
  223. CLONE_STRING(password);
  224. #endif
  225. return TRUE;
  226. }
  227. static void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
  228. {
  229. Curl_safefree(sslc->CApath);
  230. Curl_safefree(sslc->CAfile);
  231. Curl_safefree(sslc->issuercert);
  232. Curl_safefree(sslc->clientcert);
  233. Curl_safefree(sslc->cipher_list);
  234. Curl_safefree(sslc->cipher_list13);
  235. Curl_safefree(sslc->pinned_key);
  236. Curl_safefree(sslc->cert_blob);
  237. Curl_safefree(sslc->ca_info_blob);
  238. Curl_safefree(sslc->issuercert_blob);
  239. Curl_safefree(sslc->curves);
  240. Curl_safefree(sslc->CRLfile);
  241. #ifdef USE_TLS_SRP
  242. Curl_safefree(sslc->username);
  243. Curl_safefree(sslc->password);
  244. #endif
  245. }
  246. CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
  247. {
  248. data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
  249. data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
  250. data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
  251. data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
  252. data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
  253. data->set.ssl.primary.cipher_list =
  254. data->set.str[STRING_SSL_CIPHER_LIST];
  255. data->set.ssl.primary.cipher_list13 =
  256. data->set.str[STRING_SSL_CIPHER13_LIST];
  257. data->set.ssl.primary.pinned_key =
  258. data->set.str[STRING_SSL_PINNEDPUBLICKEY];
  259. data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
  260. data->set.ssl.primary.ca_info_blob = data->set.blobs[BLOB_CAINFO];
  261. data->set.ssl.primary.curves = data->set.str[STRING_SSL_EC_CURVES];
  262. #ifdef USE_TLS_SRP
  263. data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
  264. data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
  265. #endif
  266. data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
  267. data->set.ssl.key = data->set.str[STRING_KEY];
  268. data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
  269. data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
  270. data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
  271. data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
  272. #ifndef CURL_DISABLE_PROXY
  273. data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
  274. data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
  275. data->set.proxy_ssl.primary.cipher_list =
  276. data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
  277. data->set.proxy_ssl.primary.cipher_list13 =
  278. data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
  279. data->set.proxy_ssl.primary.pinned_key =
  280. data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
  281. data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
  282. data->set.proxy_ssl.primary.ca_info_blob =
  283. data->set.blobs[BLOB_CAINFO_PROXY];
  284. data->set.proxy_ssl.primary.issuercert =
  285. data->set.str[STRING_SSL_ISSUERCERT_PROXY];
  286. data->set.proxy_ssl.primary.issuercert_blob =
  287. data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
  288. data->set.proxy_ssl.primary.CRLfile =
  289. data->set.str[STRING_SSL_CRLFILE_PROXY];
  290. data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
  291. data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
  292. data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
  293. data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
  294. data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
  295. data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
  296. #ifdef USE_TLS_SRP
  297. data->set.proxy_ssl.primary.username =
  298. data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
  299. data->set.proxy_ssl.primary.password =
  300. data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
  301. #endif
  302. #endif /* CURL_DISABLE_PROXY */
  303. return CURLE_OK;
  304. }
  305. CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
  306. struct connectdata *conn)
  307. {
  308. /* Clone "primary" SSL configurations from the esay handle to
  309. * the connection. They are used for connection cache matching and
  310. * probably outlive the easy handle */
  311. if(!clone_ssl_primary_config(&data->set.ssl.primary, &conn->ssl_config))
  312. return CURLE_OUT_OF_MEMORY;
  313. #ifndef CURL_DISABLE_PROXY
  314. if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary,
  315. &conn->proxy_ssl_config))
  316. return CURLE_OUT_OF_MEMORY;
  317. #endif
  318. return CURLE_OK;
  319. }
  320. void Curl_ssl_conn_config_cleanup(struct connectdata *conn)
  321. {
  322. Curl_free_primary_ssl_config(&conn->ssl_config);
  323. #ifndef CURL_DISABLE_PROXY
  324. Curl_free_primary_ssl_config(&conn->proxy_ssl_config);
  325. #endif
  326. }
  327. void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy)
  328. {
  329. /* May be called on an easy that has no connection yet */
  330. if(data->conn) {
  331. struct ssl_primary_config *src, *dest;
  332. #ifndef CURL_DISABLE_PROXY
  333. src = for_proxy? &data->set.proxy_ssl.primary : &data->set.ssl.primary;
  334. dest = for_proxy? &data->conn->proxy_ssl_config : &data->conn->ssl_config;
  335. #else
  336. (void)for_proxy;
  337. src = &data->set.ssl.primary;
  338. dest = &data->conn->ssl_config;
  339. #endif
  340. dest->verifyhost = src->verifyhost;
  341. dest->verifypeer = src->verifypeer;
  342. dest->verifystatus = src->verifystatus;
  343. }
  344. }
  345. #ifdef USE_SSL
  346. static int multissl_setup(const struct Curl_ssl *backend);
  347. #endif
  348. curl_sslbackend Curl_ssl_backend(void)
  349. {
  350. #ifdef USE_SSL
  351. multissl_setup(NULL);
  352. return Curl_ssl->info.id;
  353. #else
  354. return CURLSSLBACKEND_NONE;
  355. #endif
  356. }
  357. #ifdef USE_SSL
  358. /* "global" init done? */
  359. static bool init_ssl = FALSE;
  360. /**
  361. * Global SSL init
  362. *
  363. * @retval 0 error initializing SSL
  364. * @retval 1 SSL initialized successfully
  365. */
  366. int Curl_ssl_init(void)
  367. {
  368. /* make sure this is only done once */
  369. if(init_ssl)
  370. return 1;
  371. init_ssl = TRUE; /* never again */
  372. return Curl_ssl->init();
  373. }
  374. #if defined(CURL_WITH_MULTI_SSL)
  375. static const struct Curl_ssl Curl_ssl_multi;
  376. #endif
  377. /* Global cleanup */
  378. void Curl_ssl_cleanup(void)
  379. {
  380. if(init_ssl) {
  381. /* only cleanup if we did a previous init */
  382. Curl_ssl->cleanup();
  383. #if defined(CURL_WITH_MULTI_SSL)
  384. Curl_ssl = &Curl_ssl_multi;
  385. #endif
  386. init_ssl = FALSE;
  387. }
  388. }
  389. static bool ssl_prefs_check(struct Curl_easy *data)
  390. {
  391. /* check for CURLOPT_SSLVERSION invalid parameter value */
  392. const unsigned char sslver = data->set.ssl.primary.version;
  393. if(sslver >= CURL_SSLVERSION_LAST) {
  394. failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
  395. return FALSE;
  396. }
  397. switch(data->set.ssl.primary.version_max) {
  398. case CURL_SSLVERSION_MAX_NONE:
  399. case CURL_SSLVERSION_MAX_DEFAULT:
  400. break;
  401. default:
  402. if((data->set.ssl.primary.version_max >> 16) < sslver) {
  403. failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
  404. return FALSE;
  405. }
  406. }
  407. return TRUE;
  408. }
  409. static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
  410. const struct alpn_spec *alpn)
  411. {
  412. struct ssl_connect_data *ctx;
  413. (void)data;
  414. ctx = calloc(1, sizeof(*ctx));
  415. if(!ctx)
  416. return NULL;
  417. ctx->alpn = alpn;
  418. ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
  419. if(!ctx->backend) {
  420. free(ctx);
  421. return NULL;
  422. }
  423. return ctx;
  424. }
  425. static void cf_ctx_free(struct ssl_connect_data *ctx)
  426. {
  427. if(ctx) {
  428. free(ctx->backend);
  429. free(ctx);
  430. }
  431. }
  432. static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data)
  433. {
  434. struct ssl_connect_data *connssl = cf->ctx;
  435. CURLcode result;
  436. if(!ssl_prefs_check(data))
  437. return CURLE_SSL_CONNECT_ERROR;
  438. /* mark this is being ssl-enabled from here on. */
  439. connssl->state = ssl_connection_negotiating;
  440. result = Curl_ssl->connect_blocking(cf, data);
  441. if(!result) {
  442. DEBUGASSERT(connssl->state == ssl_connection_complete);
  443. }
  444. return result;
  445. }
  446. static CURLcode
  447. ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data,
  448. bool *done)
  449. {
  450. if(!ssl_prefs_check(data))
  451. return CURLE_SSL_CONNECT_ERROR;
  452. /* mark this is being ssl requested from here on. */
  453. return Curl_ssl->connect_nonblocking(cf, data, done);
  454. }
  455. /*
  456. * Lock shared SSL session data
  457. */
  458. void Curl_ssl_sessionid_lock(struct Curl_easy *data)
  459. {
  460. if(SSLSESSION_SHARED(data))
  461. Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
  462. }
  463. /*
  464. * Unlock shared SSL session data
  465. */
  466. void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
  467. {
  468. if(SSLSESSION_SHARED(data))
  469. Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
  470. }
  471. /*
  472. * Check if there's a session ID for the given connection in the cache, and if
  473. * there's one suitable, it is provided. Returns TRUE when no entry matched.
  474. */
  475. bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
  476. struct Curl_easy *data,
  477. void **ssl_sessionid,
  478. size_t *idsize) /* set 0 if unknown */
  479. {
  480. struct ssl_connect_data *connssl = cf->ctx;
  481. struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  482. struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  483. struct Curl_ssl_session *check;
  484. size_t i;
  485. long *general_age;
  486. bool no_match = TRUE;
  487. *ssl_sessionid = NULL;
  488. if(!ssl_config)
  489. return TRUE;
  490. DEBUGASSERT(ssl_config->primary.sessionid);
  491. if(!ssl_config->primary.sessionid || !data->state.session)
  492. /* session ID reuse is disabled or the session cache has not been
  493. setup */
  494. return TRUE;
  495. /* Lock if shared */
  496. if(SSLSESSION_SHARED(data))
  497. general_age = &data->share->sessionage;
  498. else
  499. general_age = &data->state.sessionage;
  500. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  501. check = &data->state.session[i];
  502. if(!check->sessionid)
  503. /* not session ID means blank entry */
  504. continue;
  505. if(strcasecompare(connssl->peer.hostname, check->name) &&
  506. ((!cf->conn->bits.conn_to_host && !check->conn_to_host) ||
  507. (cf->conn->bits.conn_to_host && check->conn_to_host &&
  508. strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
  509. ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) ||
  510. (cf->conn->bits.conn_to_port && check->conn_to_port != -1 &&
  511. cf->conn->conn_to_port == check->conn_to_port)) &&
  512. (connssl->port == check->remote_port) &&
  513. strcasecompare(cf->conn->handler->scheme, check->scheme) &&
  514. match_ssl_primary_config(data, conn_config, &check->ssl_config)) {
  515. /* yes, we have a session ID! */
  516. (*general_age)++; /* increase general age */
  517. check->age = *general_age; /* set this as used in this age */
  518. *ssl_sessionid = check->sessionid;
  519. if(idsize)
  520. *idsize = check->idsize;
  521. no_match = FALSE;
  522. break;
  523. }
  524. }
  525. DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d",
  526. no_match? "Didn't find": "Found",
  527. Curl_ssl_cf_is_proxy(cf) ? "proxy" : "host",
  528. cf->conn->handler->scheme, connssl->peer.hostname,
  529. connssl->port));
  530. return no_match;
  531. }
  532. /*
  533. * Kill a single session ID entry in the cache.
  534. */
  535. void Curl_ssl_kill_session(struct Curl_ssl_session *session)
  536. {
  537. if(session->sessionid) {
  538. /* defensive check */
  539. /* free the ID the SSL-layer specific way */
  540. Curl_ssl->session_free(session->sessionid);
  541. session->sessionid = NULL;
  542. session->age = 0; /* fresh */
  543. Curl_free_primary_ssl_config(&session->ssl_config);
  544. Curl_safefree(session->name);
  545. Curl_safefree(session->conn_to_host);
  546. }
  547. }
  548. /*
  549. * Delete the given session ID from the cache.
  550. */
  551. void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
  552. {
  553. size_t i;
  554. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  555. struct Curl_ssl_session *check = &data->state.session[i];
  556. if(check->sessionid == ssl_sessionid) {
  557. Curl_ssl_kill_session(check);
  558. break;
  559. }
  560. }
  561. }
  562. /*
  563. * Store session id in the session cache. The ID passed on to this function
  564. * must already have been extracted and allocated the proper way for the SSL
  565. * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
  566. * later on.
  567. */
  568. CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf,
  569. struct Curl_easy *data,
  570. void *ssl_sessionid,
  571. size_t idsize,
  572. bool *added)
  573. {
  574. struct ssl_connect_data *connssl = cf->ctx;
  575. struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  576. struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  577. size_t i;
  578. struct Curl_ssl_session *store;
  579. long oldest_age;
  580. char *clone_host;
  581. char *clone_conn_to_host;
  582. int conn_to_port;
  583. long *general_age;
  584. if(added)
  585. *added = FALSE;
  586. if(!data->state.session)
  587. return CURLE_OK;
  588. store = &data->state.session[0];
  589. oldest_age = data->state.session[0].age; /* zero if unused */
  590. (void)ssl_config;
  591. DEBUGASSERT(ssl_config->primary.sessionid);
  592. clone_host = strdup(connssl->peer.hostname);
  593. if(!clone_host)
  594. return CURLE_OUT_OF_MEMORY; /* bail out */
  595. if(cf->conn->bits.conn_to_host) {
  596. clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
  597. if(!clone_conn_to_host) {
  598. free(clone_host);
  599. return CURLE_OUT_OF_MEMORY; /* bail out */
  600. }
  601. }
  602. else
  603. clone_conn_to_host = NULL;
  604. if(cf->conn->bits.conn_to_port)
  605. conn_to_port = cf->conn->conn_to_port;
  606. else
  607. conn_to_port = -1;
  608. /* Now we should add the session ID and the host name to the cache, (remove
  609. the oldest if necessary) */
  610. /* If using shared SSL session, lock! */
  611. if(SSLSESSION_SHARED(data)) {
  612. general_age = &data->share->sessionage;
  613. }
  614. else {
  615. general_age = &data->state.sessionage;
  616. }
  617. /* find an empty slot for us, or find the oldest */
  618. for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
  619. data->state.session[i].sessionid; i++) {
  620. if(data->state.session[i].age < oldest_age) {
  621. oldest_age = data->state.session[i].age;
  622. store = &data->state.session[i];
  623. }
  624. }
  625. if(i == data->set.general_ssl.max_ssl_sessions)
  626. /* cache is full, we must "kill" the oldest entry! */
  627. Curl_ssl_kill_session(store);
  628. else
  629. store = &data->state.session[i]; /* use this slot */
  630. /* now init the session struct wisely */
  631. store->sessionid = ssl_sessionid;
  632. store->idsize = idsize;
  633. store->age = *general_age; /* set current age */
  634. /* free it if there's one already present */
  635. free(store->name);
  636. free(store->conn_to_host);
  637. store->name = clone_host; /* clone host name */
  638. store->conn_to_host = clone_conn_to_host; /* clone connect to host name */
  639. store->conn_to_port = conn_to_port; /* connect to port number */
  640. /* port number */
  641. store->remote_port = connssl->port;
  642. store->scheme = cf->conn->handler->scheme;
  643. if(!clone_ssl_primary_config(conn_config, &store->ssl_config)) {
  644. Curl_free_primary_ssl_config(&store->ssl_config);
  645. store->sessionid = NULL; /* let caller free sessionid */
  646. free(clone_host);
  647. free(clone_conn_to_host);
  648. return CURLE_OUT_OF_MEMORY;
  649. }
  650. if(added)
  651. *added = TRUE;
  652. DEBUGF(infof(data, "Added Session ID to cache for %s://%s:%d [%s]",
  653. store->scheme, store->name, store->remote_port,
  654. Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server"));
  655. return CURLE_OK;
  656. }
  657. void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend)
  658. {
  659. if(Curl_ssl->free_multi_ssl_backend_data && mbackend)
  660. Curl_ssl->free_multi_ssl_backend_data(mbackend);
  661. }
  662. void Curl_ssl_close_all(struct Curl_easy *data)
  663. {
  664. /* kill the session ID cache if not shared */
  665. if(data->state.session && !SSLSESSION_SHARED(data)) {
  666. size_t i;
  667. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
  668. /* the single-killer function handles empty table slots */
  669. Curl_ssl_kill_session(&data->state.session[i]);
  670. /* free the cache data */
  671. Curl_safefree(data->state.session);
  672. }
  673. Curl_ssl->close_all(data);
  674. }
  675. void Curl_ssl_adjust_pollset(struct Curl_cfilter *cf, struct Curl_easy *data,
  676. struct easy_pollset *ps)
  677. {
  678. if(!cf->connected) {
  679. struct ssl_connect_data *connssl = cf->ctx;
  680. curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
  681. if(sock != CURL_SOCKET_BAD) {
  682. if(connssl->connecting_state == ssl_connect_2_writing) {
  683. Curl_pollset_set_out_only(data, ps, sock);
  684. }
  685. else {
  686. Curl_pollset_set_in_only(data, ps, sock);
  687. }
  688. }
  689. }
  690. }
  691. /* Selects an SSL crypto engine
  692. */
  693. CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
  694. {
  695. return Curl_ssl->set_engine(data, engine);
  696. }
  697. /* Selects the default SSL crypto engine
  698. */
  699. CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
  700. {
  701. return Curl_ssl->set_engine_default(data);
  702. }
  703. /* Return list of OpenSSL crypto engine names. */
  704. struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
  705. {
  706. return Curl_ssl->engines_list(data);
  707. }
  708. /*
  709. * This sets up a session ID cache to the specified size. Make sure this code
  710. * is agnostic to what underlying SSL technology we use.
  711. */
  712. CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
  713. {
  714. struct Curl_ssl_session *session;
  715. if(data->state.session)
  716. /* this is just a precaution to prevent multiple inits */
  717. return CURLE_OK;
  718. session = calloc(amount, sizeof(struct Curl_ssl_session));
  719. if(!session)
  720. return CURLE_OUT_OF_MEMORY;
  721. /* store the info in the SSL section */
  722. data->set.general_ssl.max_ssl_sessions = amount;
  723. data->state.session = session;
  724. data->state.sessionage = 1; /* this is brand new */
  725. return CURLE_OK;
  726. }
  727. static size_t multissl_version(char *buffer, size_t size);
  728. void Curl_ssl_version(char *buffer, size_t size)
  729. {
  730. #ifdef CURL_WITH_MULTI_SSL
  731. (void)multissl_version(buffer, size);
  732. #else
  733. (void)Curl_ssl->version(buffer, size);
  734. #endif
  735. }
  736. void Curl_ssl_free_certinfo(struct Curl_easy *data)
  737. {
  738. struct curl_certinfo *ci = &data->info.certs;
  739. if(ci->num_of_certs) {
  740. /* free all individual lists used */
  741. int i;
  742. for(i = 0; i<ci->num_of_certs; i++) {
  743. curl_slist_free_all(ci->certinfo[i]);
  744. ci->certinfo[i] = NULL;
  745. }
  746. free(ci->certinfo); /* free the actual array too */
  747. ci->certinfo = NULL;
  748. ci->num_of_certs = 0;
  749. }
  750. }
  751. CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
  752. {
  753. struct curl_certinfo *ci = &data->info.certs;
  754. struct curl_slist **table;
  755. /* Free any previous certificate information structures */
  756. Curl_ssl_free_certinfo(data);
  757. /* Allocate the required certificate information structures */
  758. table = calloc((size_t) num, sizeof(struct curl_slist *));
  759. if(!table)
  760. return CURLE_OUT_OF_MEMORY;
  761. ci->num_of_certs = num;
  762. ci->certinfo = table;
  763. return CURLE_OK;
  764. }
  765. /*
  766. * 'value' is NOT a null-terminated string
  767. */
  768. CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
  769. int certnum,
  770. const char *label,
  771. const char *value,
  772. size_t valuelen)
  773. {
  774. struct curl_certinfo *ci = &data->info.certs;
  775. char *output;
  776. struct curl_slist *nl;
  777. CURLcode result = CURLE_OK;
  778. size_t labellen = strlen(label);
  779. size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */
  780. output = malloc(outlen);
  781. if(!output)
  782. return CURLE_OUT_OF_MEMORY;
  783. /* sprintf the label and colon */
  784. msnprintf(output, outlen, "%s:", label);
  785. /* memcpy the value (it might not be null-terminated) */
  786. memcpy(&output[labellen + 1], value, valuelen);
  787. /* null-terminate the output */
  788. output[labellen + 1 + valuelen] = 0;
  789. nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
  790. if(!nl) {
  791. free(output);
  792. curl_slist_free_all(ci->certinfo[certnum]);
  793. result = CURLE_OUT_OF_MEMORY;
  794. }
  795. ci->certinfo[certnum] = nl;
  796. return result;
  797. }
  798. CURLcode Curl_ssl_random(struct Curl_easy *data,
  799. unsigned char *entropy,
  800. size_t length)
  801. {
  802. return Curl_ssl->random(data, entropy, length);
  803. }
  804. /*
  805. * Public key pem to der conversion
  806. */
  807. static CURLcode pubkey_pem_to_der(const char *pem,
  808. unsigned char **der, size_t *der_len)
  809. {
  810. char *stripped_pem, *begin_pos, *end_pos;
  811. size_t pem_count, stripped_pem_count = 0, pem_len;
  812. CURLcode result;
  813. /* if no pem, exit. */
  814. if(!pem)
  815. return CURLE_BAD_CONTENT_ENCODING;
  816. begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
  817. if(!begin_pos)
  818. return CURLE_BAD_CONTENT_ENCODING;
  819. pem_count = begin_pos - pem;
  820. /* Invalid if not at beginning AND not directly following \n */
  821. if(0 != pem_count && '\n' != pem[pem_count - 1])
  822. return CURLE_BAD_CONTENT_ENCODING;
  823. /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
  824. pem_count += 26;
  825. /* Invalid if not directly following \n */
  826. end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
  827. if(!end_pos)
  828. return CURLE_BAD_CONTENT_ENCODING;
  829. pem_len = end_pos - pem;
  830. stripped_pem = malloc(pem_len - pem_count + 1);
  831. if(!stripped_pem)
  832. return CURLE_OUT_OF_MEMORY;
  833. /*
  834. * Here we loop through the pem array one character at a time between the
  835. * correct indices, and place each character that is not '\n' or '\r'
  836. * into the stripped_pem array, which should represent the raw base64 string
  837. */
  838. while(pem_count < pem_len) {
  839. if('\n' != pem[pem_count] && '\r' != pem[pem_count])
  840. stripped_pem[stripped_pem_count++] = pem[pem_count];
  841. ++pem_count;
  842. }
  843. /* Place the null terminator in the correct place */
  844. stripped_pem[stripped_pem_count] = '\0';
  845. result = Curl_base64_decode(stripped_pem, der, der_len);
  846. Curl_safefree(stripped_pem);
  847. return result;
  848. }
  849. /*
  850. * Generic pinned public key check.
  851. */
  852. CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
  853. const char *pinnedpubkey,
  854. const unsigned char *pubkey, size_t pubkeylen)
  855. {
  856. FILE *fp;
  857. unsigned char *buf = NULL, *pem_ptr = NULL;
  858. CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
  859. #ifdef CURL_DISABLE_VERBOSE_STRINGS
  860. (void)data;
  861. #endif
  862. /* if a path wasn't specified, don't pin */
  863. if(!pinnedpubkey)
  864. return CURLE_OK;
  865. if(!pubkey || !pubkeylen)
  866. return result;
  867. /* only do this if pinnedpubkey starts with "sha256//", length 8 */
  868. if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
  869. CURLcode encode;
  870. size_t encodedlen = 0, pinkeylen;
  871. char *encoded = NULL, *pinkeycopy, *begin_pos, *end_pos;
  872. unsigned char *sha256sumdigest;
  873. if(!Curl_ssl->sha256sum) {
  874. /* without sha256 support, this cannot match */
  875. return result;
  876. }
  877. /* compute sha256sum of public key */
  878. sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
  879. if(!sha256sumdigest)
  880. return CURLE_OUT_OF_MEMORY;
  881. encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
  882. sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
  883. if(!encode)
  884. encode = Curl_base64_encode((char *)sha256sumdigest,
  885. CURL_SHA256_DIGEST_LENGTH, &encoded,
  886. &encodedlen);
  887. Curl_safefree(sha256sumdigest);
  888. if(encode)
  889. return encode;
  890. infof(data, " public key hash: sha256//%s", encoded);
  891. /* it starts with sha256//, copy so we can modify it */
  892. pinkeylen = strlen(pinnedpubkey) + 1;
  893. pinkeycopy = malloc(pinkeylen);
  894. if(!pinkeycopy) {
  895. Curl_safefree(encoded);
  896. return CURLE_OUT_OF_MEMORY;
  897. }
  898. memcpy(pinkeycopy, pinnedpubkey, pinkeylen);
  899. /* point begin_pos to the copy, and start extracting keys */
  900. begin_pos = pinkeycopy;
  901. do {
  902. end_pos = strstr(begin_pos, ";sha256//");
  903. /*
  904. * if there is an end_pos, null terminate,
  905. * otherwise it'll go to the end of the original string
  906. */
  907. if(end_pos)
  908. end_pos[0] = '\0';
  909. /* compare base64 sha256 digests, 8 is the length of "sha256//" */
  910. if(encodedlen == strlen(begin_pos + 8) &&
  911. !memcmp(encoded, begin_pos + 8, encodedlen)) {
  912. result = CURLE_OK;
  913. break;
  914. }
  915. /*
  916. * change back the null-terminator we changed earlier,
  917. * and look for next begin
  918. */
  919. if(end_pos) {
  920. end_pos[0] = ';';
  921. begin_pos = strstr(end_pos, "sha256//");
  922. }
  923. } while(end_pos && begin_pos);
  924. Curl_safefree(encoded);
  925. Curl_safefree(pinkeycopy);
  926. return result;
  927. }
  928. fp = fopen(pinnedpubkey, "rb");
  929. if(!fp)
  930. return result;
  931. do {
  932. long filesize;
  933. size_t size, pem_len;
  934. CURLcode pem_read;
  935. /* Determine the file's size */
  936. if(fseek(fp, 0, SEEK_END))
  937. break;
  938. filesize = ftell(fp);
  939. if(fseek(fp, 0, SEEK_SET))
  940. break;
  941. if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
  942. break;
  943. /*
  944. * if the size of our certificate is bigger than the file
  945. * size then it can't match
  946. */
  947. size = curlx_sotouz((curl_off_t) filesize);
  948. if(pubkeylen > size)
  949. break;
  950. /*
  951. * Allocate buffer for the pinned key
  952. * With 1 additional byte for null terminator in case of PEM key
  953. */
  954. buf = malloc(size + 1);
  955. if(!buf)
  956. break;
  957. /* Returns number of elements read, which should be 1 */
  958. if((int) fread(buf, size, 1, fp) != 1)
  959. break;
  960. /* If the sizes are the same, it can't be base64 encoded, must be der */
  961. if(pubkeylen == size) {
  962. if(!memcmp(pubkey, buf, pubkeylen))
  963. result = CURLE_OK;
  964. break;
  965. }
  966. /*
  967. * Otherwise we will assume it's PEM and try to decode it
  968. * after placing null terminator
  969. */
  970. buf[size] = '\0';
  971. pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
  972. /* if it wasn't read successfully, exit */
  973. if(pem_read)
  974. break;
  975. /*
  976. * if the size of our certificate doesn't match the size of
  977. * the decoded file, they can't be the same, otherwise compare
  978. */
  979. if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
  980. result = CURLE_OK;
  981. } while(0);
  982. Curl_safefree(buf);
  983. Curl_safefree(pem_ptr);
  984. fclose(fp);
  985. return result;
  986. }
  987. /*
  988. * Check whether the SSL backend supports the status_request extension.
  989. */
  990. bool Curl_ssl_cert_status_request(void)
  991. {
  992. return Curl_ssl->cert_status_request();
  993. }
  994. /*
  995. * Check whether the SSL backend supports false start.
  996. */
  997. bool Curl_ssl_false_start(struct Curl_easy *data)
  998. {
  999. (void)data;
  1000. return Curl_ssl->false_start();
  1001. }
  1002. /*
  1003. * Default implementations for unsupported functions.
  1004. */
  1005. int Curl_none_init(void)
  1006. {
  1007. return 1;
  1008. }
  1009. void Curl_none_cleanup(void)
  1010. { }
  1011. int Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
  1012. struct Curl_easy *data UNUSED_PARAM)
  1013. {
  1014. (void)data;
  1015. (void)cf;
  1016. return 0;
  1017. }
  1018. int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data)
  1019. {
  1020. (void)cf;
  1021. (void)data;
  1022. return -1;
  1023. }
  1024. CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
  1025. unsigned char *entropy UNUSED_PARAM,
  1026. size_t length UNUSED_PARAM)
  1027. {
  1028. (void)data;
  1029. (void)entropy;
  1030. (void)length;
  1031. return CURLE_NOT_BUILT_IN;
  1032. }
  1033. void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
  1034. {
  1035. (void)data;
  1036. }
  1037. void Curl_none_session_free(void *ptr UNUSED_PARAM)
  1038. {
  1039. (void)ptr;
  1040. }
  1041. bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
  1042. const struct Curl_easy *data UNUSED_PARAM)
  1043. {
  1044. (void)cf;
  1045. (void)data;
  1046. return 0;
  1047. }
  1048. bool Curl_none_cert_status_request(void)
  1049. {
  1050. return FALSE;
  1051. }
  1052. CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
  1053. const char *engine UNUSED_PARAM)
  1054. {
  1055. (void)data;
  1056. (void)engine;
  1057. return CURLE_NOT_BUILT_IN;
  1058. }
  1059. CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
  1060. {
  1061. (void)data;
  1062. return CURLE_NOT_BUILT_IN;
  1063. }
  1064. struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
  1065. {
  1066. (void)data;
  1067. return (struct curl_slist *)NULL;
  1068. }
  1069. bool Curl_none_false_start(void)
  1070. {
  1071. return FALSE;
  1072. }
  1073. static int multissl_init(void)
  1074. {
  1075. if(multissl_setup(NULL))
  1076. return 1;
  1077. return Curl_ssl->init();
  1078. }
  1079. static CURLcode multissl_connect(struct Curl_cfilter *cf,
  1080. struct Curl_easy *data)
  1081. {
  1082. if(multissl_setup(NULL))
  1083. return CURLE_FAILED_INIT;
  1084. return Curl_ssl->connect_blocking(cf, data);
  1085. }
  1086. static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
  1087. struct Curl_easy *data,
  1088. bool *done)
  1089. {
  1090. if(multissl_setup(NULL))
  1091. return CURLE_FAILED_INIT;
  1092. return Curl_ssl->connect_nonblocking(cf, data, done);
  1093. }
  1094. static void multissl_adjust_pollset(struct Curl_cfilter *cf,
  1095. struct Curl_easy *data,
  1096. struct easy_pollset *ps)
  1097. {
  1098. if(multissl_setup(NULL))
  1099. return;
  1100. Curl_ssl->adjust_pollset(cf, data, ps);
  1101. }
  1102. static void *multissl_get_internals(struct ssl_connect_data *connssl,
  1103. CURLINFO info)
  1104. {
  1105. if(multissl_setup(NULL))
  1106. return NULL;
  1107. return Curl_ssl->get_internals(connssl, info);
  1108. }
  1109. static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
  1110. {
  1111. if(multissl_setup(NULL))
  1112. return;
  1113. Curl_ssl->close(cf, data);
  1114. }
  1115. static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
  1116. struct Curl_easy *data,
  1117. char *buf, size_t len, CURLcode *code)
  1118. {
  1119. if(multissl_setup(NULL))
  1120. return CURLE_FAILED_INIT;
  1121. return Curl_ssl->recv_plain(cf, data, buf, len, code);
  1122. }
  1123. static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
  1124. struct Curl_easy *data,
  1125. const void *mem, size_t len,
  1126. CURLcode *code)
  1127. {
  1128. if(multissl_setup(NULL))
  1129. return CURLE_FAILED_INIT;
  1130. return Curl_ssl->send_plain(cf, data, mem, len, code);
  1131. }
  1132. static const struct Curl_ssl Curl_ssl_multi = {
  1133. { CURLSSLBACKEND_NONE, "multi" }, /* info */
  1134. 0, /* supports nothing */
  1135. (size_t)-1, /* something insanely large to be on the safe side */
  1136. multissl_init, /* init */
  1137. Curl_none_cleanup, /* cleanup */
  1138. multissl_version, /* version */
  1139. Curl_none_check_cxn, /* check_cxn */
  1140. Curl_none_shutdown, /* shutdown */
  1141. Curl_none_data_pending, /* data_pending */
  1142. Curl_none_random, /* random */
  1143. Curl_none_cert_status_request, /* cert_status_request */
  1144. multissl_connect, /* connect */
  1145. multissl_connect_nonblocking, /* connect_nonblocking */
  1146. multissl_adjust_pollset, /* adjust_pollset */
  1147. multissl_get_internals, /* get_internals */
  1148. multissl_close, /* close_one */
  1149. Curl_none_close_all, /* close_all */
  1150. Curl_none_session_free, /* session_free */
  1151. Curl_none_set_engine, /* set_engine */
  1152. Curl_none_set_engine_default, /* set_engine_default */
  1153. Curl_none_engines_list, /* engines_list */
  1154. Curl_none_false_start, /* false_start */
  1155. NULL, /* sha256sum */
  1156. NULL, /* associate_connection */
  1157. NULL, /* disassociate_connection */
  1158. NULL, /* free_multi_ssl_backend_data */
  1159. multissl_recv_plain, /* recv decrypted data */
  1160. multissl_send_plain, /* send data to encrypt */
  1161. };
  1162. const struct Curl_ssl *Curl_ssl =
  1163. #if defined(CURL_WITH_MULTI_SSL)
  1164. &Curl_ssl_multi;
  1165. #elif defined(USE_WOLFSSL)
  1166. &Curl_ssl_wolfssl;
  1167. #elif defined(USE_SECTRANSP)
  1168. &Curl_ssl_sectransp;
  1169. #elif defined(USE_GNUTLS)
  1170. &Curl_ssl_gnutls;
  1171. #elif defined(USE_MBEDTLS)
  1172. &Curl_ssl_mbedtls;
  1173. #elif defined(USE_RUSTLS)
  1174. &Curl_ssl_rustls;
  1175. #elif defined(USE_OPENSSL)
  1176. &Curl_ssl_openssl;
  1177. #elif defined(USE_SCHANNEL)
  1178. &Curl_ssl_schannel;
  1179. #elif defined(USE_BEARSSL)
  1180. &Curl_ssl_bearssl;
  1181. #else
  1182. #error "Missing struct Curl_ssl for selected SSL backend"
  1183. #endif
  1184. static const struct Curl_ssl *available_backends[] = {
  1185. #if defined(USE_WOLFSSL)
  1186. &Curl_ssl_wolfssl,
  1187. #endif
  1188. #if defined(USE_SECTRANSP)
  1189. &Curl_ssl_sectransp,
  1190. #endif
  1191. #if defined(USE_GNUTLS)
  1192. &Curl_ssl_gnutls,
  1193. #endif
  1194. #if defined(USE_MBEDTLS)
  1195. &Curl_ssl_mbedtls,
  1196. #endif
  1197. #if defined(USE_OPENSSL)
  1198. &Curl_ssl_openssl,
  1199. #endif
  1200. #if defined(USE_SCHANNEL)
  1201. &Curl_ssl_schannel,
  1202. #endif
  1203. #if defined(USE_BEARSSL)
  1204. &Curl_ssl_bearssl,
  1205. #endif
  1206. #if defined(USE_RUSTLS)
  1207. &Curl_ssl_rustls,
  1208. #endif
  1209. NULL
  1210. };
  1211. static size_t multissl_version(char *buffer, size_t size)
  1212. {
  1213. static const struct Curl_ssl *selected;
  1214. static char backends[200];
  1215. static size_t backends_len;
  1216. const struct Curl_ssl *current;
  1217. current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
  1218. if(current != selected) {
  1219. char *p = backends;
  1220. char *end = backends + sizeof(backends);
  1221. int i;
  1222. selected = current;
  1223. backends[0] = '\0';
  1224. for(i = 0; available_backends[i]; ++i) {
  1225. char vb[200];
  1226. bool paren = (selected != available_backends[i]);
  1227. if(available_backends[i]->version(vb, sizeof(vb))) {
  1228. p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
  1229. (paren ? "(" : ""), vb, (paren ? ")" : ""));
  1230. }
  1231. }
  1232. backends_len = p - backends;
  1233. }
  1234. if(!size)
  1235. return 0;
  1236. if(size <= backends_len) {
  1237. strncpy(buffer, backends, size - 1);
  1238. buffer[size - 1] = '\0';
  1239. return size - 1;
  1240. }
  1241. strcpy(buffer, backends);
  1242. return backends_len;
  1243. }
  1244. static int multissl_setup(const struct Curl_ssl *backend)
  1245. {
  1246. const char *env;
  1247. char *env_tmp;
  1248. if(Curl_ssl != &Curl_ssl_multi)
  1249. return 1;
  1250. if(backend) {
  1251. Curl_ssl = backend;
  1252. return 0;
  1253. }
  1254. if(!available_backends[0])
  1255. return 1;
  1256. env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
  1257. #ifdef CURL_DEFAULT_SSL_BACKEND
  1258. if(!env)
  1259. env = CURL_DEFAULT_SSL_BACKEND;
  1260. #endif
  1261. if(env) {
  1262. int i;
  1263. for(i = 0; available_backends[i]; i++) {
  1264. if(strcasecompare(env, available_backends[i]->info.name)) {
  1265. Curl_ssl = available_backends[i];
  1266. free(env_tmp);
  1267. return 0;
  1268. }
  1269. }
  1270. }
  1271. /* Fall back to first available backend */
  1272. Curl_ssl = available_backends[0];
  1273. free(env_tmp);
  1274. return 0;
  1275. }
  1276. /* This function is used to select the SSL backend to use. It is called by
  1277. curl_global_sslset (easy.c) which uses the global init lock. */
  1278. CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
  1279. const curl_ssl_backend ***avail)
  1280. {
  1281. int i;
  1282. if(avail)
  1283. *avail = (const curl_ssl_backend **)&available_backends;
  1284. if(Curl_ssl != &Curl_ssl_multi)
  1285. return id == Curl_ssl->info.id ||
  1286. (name && strcasecompare(name, Curl_ssl->info.name)) ?
  1287. CURLSSLSET_OK :
  1288. #if defined(CURL_WITH_MULTI_SSL)
  1289. CURLSSLSET_TOO_LATE;
  1290. #else
  1291. CURLSSLSET_UNKNOWN_BACKEND;
  1292. #endif
  1293. for(i = 0; available_backends[i]; i++) {
  1294. if(available_backends[i]->info.id == id ||
  1295. (name && strcasecompare(available_backends[i]->info.name, name))) {
  1296. multissl_setup(available_backends[i]);
  1297. return CURLSSLSET_OK;
  1298. }
  1299. }
  1300. return CURLSSLSET_UNKNOWN_BACKEND;
  1301. }
  1302. #else /* USE_SSL */
  1303. CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
  1304. const curl_ssl_backend ***avail)
  1305. {
  1306. (void)id;
  1307. (void)name;
  1308. (void)avail;
  1309. return CURLSSLSET_NO_BACKENDS;
  1310. }
  1311. #endif /* !USE_SSL */
  1312. #ifdef USE_SSL
  1313. void Curl_ssl_peer_cleanup(struct ssl_peer *peer)
  1314. {
  1315. if(peer->dispname != peer->hostname)
  1316. free(peer->dispname);
  1317. free(peer->sni);
  1318. free(peer->hostname);
  1319. peer->hostname = peer->sni = peer->dispname = NULL;
  1320. peer->is_ip_address = FALSE;
  1321. }
  1322. static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data)
  1323. {
  1324. struct ssl_connect_data *connssl = cf->ctx;
  1325. if(connssl) {
  1326. Curl_ssl->close(cf, data);
  1327. connssl->state = ssl_connection_none;
  1328. Curl_ssl_peer_cleanup(&connssl->peer);
  1329. }
  1330. cf->connected = FALSE;
  1331. }
  1332. static int is_ip_address(const char *hostname)
  1333. {
  1334. #ifdef ENABLE_IPV6
  1335. struct in6_addr addr;
  1336. #else
  1337. struct in_addr addr;
  1338. #endif
  1339. return (hostname && hostname[0] && (Curl_inet_pton(AF_INET, hostname, &addr)
  1340. #ifdef ENABLE_IPV6
  1341. || Curl_inet_pton(AF_INET6, hostname, &addr)
  1342. #endif
  1343. ));
  1344. }
  1345. CURLcode Curl_ssl_peer_init(struct ssl_peer *peer, struct Curl_cfilter *cf)
  1346. {
  1347. struct ssl_connect_data *connssl = cf->ctx;
  1348. const char *ehostname, *edispname;
  1349. int eport;
  1350. /* We need the hostname for SNI negotiation. Once handshaked, this
  1351. * remains the SNI hostname for the TLS connection. But when the
  1352. * connection is reused, the settings in cf->conn might change.
  1353. * So we keep a copy of the hostname we use for SNI.
  1354. */
  1355. #ifndef CURL_DISABLE_PROXY
  1356. if(Curl_ssl_cf_is_proxy(cf)) {
  1357. ehostname = cf->conn->http_proxy.host.name;
  1358. edispname = cf->conn->http_proxy.host.dispname;
  1359. eport = cf->conn->http_proxy.port;
  1360. }
  1361. else
  1362. #endif
  1363. {
  1364. ehostname = cf->conn->host.name;
  1365. edispname = cf->conn->host.dispname;
  1366. eport = cf->conn->remote_port;
  1367. }
  1368. /* change if ehostname changed */
  1369. if(ehostname && (!peer->hostname
  1370. || strcmp(ehostname, peer->hostname))) {
  1371. Curl_ssl_peer_cleanup(peer);
  1372. peer->hostname = strdup(ehostname);
  1373. if(!peer->hostname) {
  1374. Curl_ssl_peer_cleanup(peer);
  1375. return CURLE_OUT_OF_MEMORY;
  1376. }
  1377. if(!edispname || !strcmp(ehostname, edispname))
  1378. peer->dispname = peer->hostname;
  1379. else {
  1380. peer->dispname = strdup(edispname);
  1381. if(!peer->dispname) {
  1382. Curl_ssl_peer_cleanup(peer);
  1383. return CURLE_OUT_OF_MEMORY;
  1384. }
  1385. }
  1386. peer->sni = NULL;
  1387. peer->is_ip_address = is_ip_address(peer->hostname)? TRUE : FALSE;
  1388. if(peer->hostname[0] && !peer->is_ip_address) {
  1389. /* not an IP address, normalize according to RCC 6066 ch. 3,
  1390. * max len of SNI is 2^16-1, no trailing dot */
  1391. size_t len = strlen(peer->hostname);
  1392. if(len && (peer->hostname[len-1] == '.'))
  1393. len--;
  1394. if(len < USHRT_MAX) {
  1395. peer->sni = calloc(1, len + 1);
  1396. if(!peer->sni) {
  1397. Curl_ssl_peer_cleanup(peer);
  1398. return CURLE_OUT_OF_MEMORY;
  1399. }
  1400. Curl_strntolower(peer->sni, peer->hostname, len);
  1401. peer->sni[len] = 0;
  1402. }
  1403. }
  1404. }
  1405. connssl->port = eport;
  1406. return CURLE_OK;
  1407. }
  1408. static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
  1409. {
  1410. struct cf_call_data save;
  1411. CF_DATA_SAVE(save, cf, data);
  1412. cf_close(cf, data);
  1413. CF_DATA_RESTORE(cf, save);
  1414. cf_ctx_free(cf->ctx);
  1415. cf->ctx = NULL;
  1416. }
  1417. static void ssl_cf_close(struct Curl_cfilter *cf,
  1418. struct Curl_easy *data)
  1419. {
  1420. struct cf_call_data save;
  1421. CF_DATA_SAVE(save, cf, data);
  1422. cf_close(cf, data);
  1423. if(cf->next)
  1424. cf->next->cft->do_close(cf->next, data);
  1425. CF_DATA_RESTORE(cf, save);
  1426. }
  1427. static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
  1428. struct Curl_easy *data,
  1429. bool blocking, bool *done)
  1430. {
  1431. struct ssl_connect_data *connssl = cf->ctx;
  1432. struct cf_call_data save;
  1433. CURLcode result;
  1434. if(cf->connected) {
  1435. *done = TRUE;
  1436. return CURLE_OK;
  1437. }
  1438. CF_DATA_SAVE(save, cf, data);
  1439. CURL_TRC_CF(data, cf, "cf_connect()");
  1440. (void)connssl;
  1441. DEBUGASSERT(data->conn);
  1442. DEBUGASSERT(data->conn == cf->conn);
  1443. DEBUGASSERT(connssl);
  1444. DEBUGASSERT(cf->conn->host.name);
  1445. result = cf->next->cft->do_connect(cf->next, data, blocking, done);
  1446. if(result || !*done)
  1447. goto out;
  1448. *done = FALSE;
  1449. result = Curl_ssl_peer_init(&connssl->peer, cf);
  1450. if(result)
  1451. goto out;
  1452. if(blocking) {
  1453. result = ssl_connect(cf, data);
  1454. *done = (result == CURLE_OK);
  1455. }
  1456. else {
  1457. result = ssl_connect_nonblocking(cf, data, done);
  1458. }
  1459. if(!result && *done) {
  1460. cf->connected = TRUE;
  1461. connssl->handshake_done = Curl_now();
  1462. DEBUGASSERT(connssl->state == ssl_connection_complete);
  1463. }
  1464. out:
  1465. CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
  1466. CF_DATA_RESTORE(cf, save);
  1467. return result;
  1468. }
  1469. static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
  1470. const struct Curl_easy *data)
  1471. {
  1472. struct cf_call_data save;
  1473. bool result;
  1474. CF_DATA_SAVE(save, cf, data);
  1475. if(Curl_ssl->data_pending(cf, data))
  1476. result = TRUE;
  1477. else
  1478. result = cf->next->cft->has_data_pending(cf->next, data);
  1479. CF_DATA_RESTORE(cf, save);
  1480. return result;
  1481. }
  1482. static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
  1483. struct Curl_easy *data, const void *buf, size_t len,
  1484. CURLcode *err)
  1485. {
  1486. struct cf_call_data save;
  1487. ssize_t nwritten;
  1488. CF_DATA_SAVE(save, cf, data);
  1489. *err = CURLE_OK;
  1490. nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
  1491. CF_DATA_RESTORE(cf, save);
  1492. return nwritten;
  1493. }
  1494. static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
  1495. struct Curl_easy *data, char *buf, size_t len,
  1496. CURLcode *err)
  1497. {
  1498. struct cf_call_data save;
  1499. ssize_t nread;
  1500. CF_DATA_SAVE(save, cf, data);
  1501. *err = CURLE_OK;
  1502. nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
  1503. if(nread > 0) {
  1504. DEBUGASSERT((size_t)nread <= len);
  1505. }
  1506. else if(nread == 0) {
  1507. /* eof */
  1508. *err = CURLE_OK;
  1509. }
  1510. CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, nread, *err);
  1511. CF_DATA_RESTORE(cf, save);
  1512. return nread;
  1513. }
  1514. static void ssl_cf_adjust_pollset(struct Curl_cfilter *cf,
  1515. struct Curl_easy *data,
  1516. struct easy_pollset *ps)
  1517. {
  1518. struct cf_call_data save;
  1519. if(!cf->connected) {
  1520. CF_DATA_SAVE(save, cf, data);
  1521. Curl_ssl->adjust_pollset(cf, data, ps);
  1522. CF_DATA_RESTORE(cf, save);
  1523. }
  1524. }
  1525. static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
  1526. struct Curl_easy *data,
  1527. int event, int arg1, void *arg2)
  1528. {
  1529. struct cf_call_data save;
  1530. (void)arg1;
  1531. (void)arg2;
  1532. switch(event) {
  1533. case CF_CTRL_DATA_ATTACH:
  1534. if(Curl_ssl->attach_data) {
  1535. CF_DATA_SAVE(save, cf, data);
  1536. Curl_ssl->attach_data(cf, data);
  1537. CF_DATA_RESTORE(cf, save);
  1538. }
  1539. break;
  1540. case CF_CTRL_DATA_DETACH:
  1541. if(Curl_ssl->detach_data) {
  1542. CF_DATA_SAVE(save, cf, data);
  1543. Curl_ssl->detach_data(cf, data);
  1544. CF_DATA_RESTORE(cf, save);
  1545. }
  1546. break;
  1547. default:
  1548. break;
  1549. }
  1550. return CURLE_OK;
  1551. }
  1552. static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
  1553. struct Curl_easy *data,
  1554. int query, int *pres1, void *pres2)
  1555. {
  1556. struct ssl_connect_data *connssl = cf->ctx;
  1557. switch(query) {
  1558. case CF_QUERY_TIMER_APPCONNECT: {
  1559. struct curltime *when = pres2;
  1560. if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
  1561. *when = connssl->handshake_done;
  1562. return CURLE_OK;
  1563. }
  1564. default:
  1565. break;
  1566. }
  1567. return cf->next?
  1568. cf->next->cft->query(cf->next, data, query, pres1, pres2) :
  1569. CURLE_UNKNOWN_OPTION;
  1570. }
  1571. static bool cf_ssl_is_alive(struct Curl_cfilter *cf, struct Curl_easy *data,
  1572. bool *input_pending)
  1573. {
  1574. struct cf_call_data save;
  1575. int result;
  1576. /*
  1577. * This function tries to determine connection status.
  1578. *
  1579. * Return codes:
  1580. * 1 means the connection is still in place
  1581. * 0 means the connection has been closed
  1582. * -1 means the connection status is unknown
  1583. */
  1584. CF_DATA_SAVE(save, cf, data);
  1585. result = Curl_ssl->check_cxn(cf, data);
  1586. CF_DATA_RESTORE(cf, save);
  1587. if(result > 0) {
  1588. *input_pending = TRUE;
  1589. return TRUE;
  1590. }
  1591. if(result == 0) {
  1592. *input_pending = FALSE;
  1593. return FALSE;
  1594. }
  1595. /* ssl backend does not know */
  1596. return cf->next?
  1597. cf->next->cft->is_alive(cf->next, data, input_pending) :
  1598. FALSE; /* pessimistic in absence of data */
  1599. }
  1600. struct Curl_cftype Curl_cft_ssl = {
  1601. "SSL",
  1602. CF_TYPE_SSL,
  1603. CURL_LOG_LVL_NONE,
  1604. ssl_cf_destroy,
  1605. ssl_cf_connect,
  1606. ssl_cf_close,
  1607. Curl_cf_def_get_host,
  1608. ssl_cf_adjust_pollset,
  1609. ssl_cf_data_pending,
  1610. ssl_cf_send,
  1611. ssl_cf_recv,
  1612. ssl_cf_cntrl,
  1613. cf_ssl_is_alive,
  1614. Curl_cf_def_conn_keep_alive,
  1615. ssl_cf_query,
  1616. };
  1617. struct Curl_cftype Curl_cft_ssl_proxy = {
  1618. "SSL-PROXY",
  1619. CF_TYPE_SSL,
  1620. CURL_LOG_LVL_NONE,
  1621. ssl_cf_destroy,
  1622. ssl_cf_connect,
  1623. ssl_cf_close,
  1624. Curl_cf_def_get_host,
  1625. ssl_cf_adjust_pollset,
  1626. ssl_cf_data_pending,
  1627. ssl_cf_send,
  1628. ssl_cf_recv,
  1629. ssl_cf_cntrl,
  1630. cf_ssl_is_alive,
  1631. Curl_cf_def_conn_keep_alive,
  1632. Curl_cf_def_query,
  1633. };
  1634. static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
  1635. struct Curl_easy *data,
  1636. struct connectdata *conn)
  1637. {
  1638. struct Curl_cfilter *cf = NULL;
  1639. struct ssl_connect_data *ctx;
  1640. CURLcode result;
  1641. DEBUGASSERT(data->conn);
  1642. ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
  1643. conn->bits.tls_enable_alpn));
  1644. if(!ctx) {
  1645. result = CURLE_OUT_OF_MEMORY;
  1646. goto out;
  1647. }
  1648. result = Curl_cf_create(&cf, &Curl_cft_ssl, ctx);
  1649. out:
  1650. if(result)
  1651. cf_ctx_free(ctx);
  1652. *pcf = result? NULL : cf;
  1653. return result;
  1654. }
  1655. CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
  1656. struct connectdata *conn,
  1657. int sockindex)
  1658. {
  1659. struct Curl_cfilter *cf;
  1660. CURLcode result;
  1661. result = cf_ssl_create(&cf, data, conn);
  1662. if(!result)
  1663. Curl_conn_cf_add(data, conn, sockindex, cf);
  1664. return result;
  1665. }
  1666. CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
  1667. struct Curl_easy *data)
  1668. {
  1669. struct Curl_cfilter *cf;
  1670. CURLcode result;
  1671. result = cf_ssl_create(&cf, data, cf_at->conn);
  1672. if(!result)
  1673. Curl_conn_cf_insert_after(cf_at, cf);
  1674. return result;
  1675. }
  1676. #ifndef CURL_DISABLE_PROXY
  1677. static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
  1678. struct Curl_easy *data,
  1679. struct connectdata *conn)
  1680. {
  1681. struct Curl_cfilter *cf = NULL;
  1682. struct ssl_connect_data *ctx;
  1683. CURLcode result;
  1684. bool use_alpn = conn->bits.tls_enable_alpn;
  1685. int httpwant = CURL_HTTP_VERSION_1_1;
  1686. #ifdef USE_HTTP2
  1687. if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
  1688. use_alpn = TRUE;
  1689. httpwant = CURL_HTTP_VERSION_2;
  1690. }
  1691. #endif
  1692. ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
  1693. if(!ctx) {
  1694. result = CURLE_OUT_OF_MEMORY;
  1695. goto out;
  1696. }
  1697. result = Curl_cf_create(&cf, &Curl_cft_ssl_proxy, ctx);
  1698. out:
  1699. if(result)
  1700. cf_ctx_free(ctx);
  1701. *pcf = result? NULL : cf;
  1702. return result;
  1703. }
  1704. CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
  1705. struct Curl_easy *data)
  1706. {
  1707. struct Curl_cfilter *cf;
  1708. CURLcode result;
  1709. result = cf_ssl_proxy_create(&cf, data, cf_at->conn);
  1710. if(!result)
  1711. Curl_conn_cf_insert_after(cf_at, cf);
  1712. return result;
  1713. }
  1714. #endif /* !CURL_DISABLE_PROXY */
  1715. bool Curl_ssl_supports(struct Curl_easy *data, int option)
  1716. {
  1717. (void)data;
  1718. return (Curl_ssl->supports & option)? TRUE : FALSE;
  1719. }
  1720. static struct Curl_cfilter *get_ssl_filter(struct Curl_cfilter *cf)
  1721. {
  1722. for(; cf; cf = cf->next) {
  1723. if(cf->cft == &Curl_cft_ssl || cf->cft == &Curl_cft_ssl_proxy)
  1724. return cf;
  1725. }
  1726. return NULL;
  1727. }
  1728. void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
  1729. CURLINFO info, int n)
  1730. {
  1731. void *result = NULL;
  1732. (void)n;
  1733. if(data->conn) {
  1734. struct Curl_cfilter *cf;
  1735. /* get first SSL filter in chain, if any is present */
  1736. cf = get_ssl_filter(data->conn->cfilter[sockindex]);
  1737. if(cf) {
  1738. struct cf_call_data save;
  1739. CF_DATA_SAVE(save, cf, data);
  1740. result = Curl_ssl->get_internals(cf->ctx, info);
  1741. CF_DATA_RESTORE(cf, save);
  1742. }
  1743. }
  1744. return result;
  1745. }
  1746. CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
  1747. int sockindex)
  1748. {
  1749. struct Curl_cfilter *cf, *head;
  1750. CURLcode result = CURLE_OK;
  1751. (void)data;
  1752. head = data->conn? data->conn->cfilter[sockindex] : NULL;
  1753. for(cf = head; cf; cf = cf->next) {
  1754. if(cf->cft == &Curl_cft_ssl) {
  1755. if(Curl_ssl->shut_down(cf, data))
  1756. result = CURLE_SSL_SHUTDOWN_FAILED;
  1757. Curl_conn_cf_discard_sub(head, cf, data, FALSE);
  1758. break;
  1759. }
  1760. }
  1761. return result;
  1762. }
  1763. bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
  1764. {
  1765. return (cf->cft == &Curl_cft_ssl_proxy);
  1766. }
  1767. struct ssl_config_data *
  1768. Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data)
  1769. {
  1770. #ifdef CURL_DISABLE_PROXY
  1771. (void)cf;
  1772. return &data->set.ssl;
  1773. #else
  1774. return Curl_ssl_cf_is_proxy(cf)? &data->set.proxy_ssl : &data->set.ssl;
  1775. #endif
  1776. }
  1777. struct ssl_primary_config *
  1778. Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
  1779. {
  1780. #ifdef CURL_DISABLE_PROXY
  1781. return &cf->conn->ssl_config;
  1782. #else
  1783. return Curl_ssl_cf_is_proxy(cf)?
  1784. &cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
  1785. #endif
  1786. }
  1787. CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
  1788. const struct alpn_spec *spec)
  1789. {
  1790. size_t i, len;
  1791. int off = 0;
  1792. unsigned char blen;
  1793. memset(buf, 0, sizeof(*buf));
  1794. for(i = 0; spec && i < spec->count; ++i) {
  1795. len = strlen(spec->entries[i]);
  1796. if(len >= ALPN_NAME_MAX)
  1797. return CURLE_FAILED_INIT;
  1798. blen = (unsigned char)len;
  1799. if(off + blen + 1 >= (int)sizeof(buf->data))
  1800. return CURLE_FAILED_INIT;
  1801. buf->data[off++] = blen;
  1802. memcpy(buf->data + off, spec->entries[i], blen);
  1803. off += blen;
  1804. }
  1805. buf->len = off;
  1806. return CURLE_OK;
  1807. }
  1808. CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
  1809. const struct alpn_spec *spec)
  1810. {
  1811. size_t i, len;
  1812. size_t off = 0;
  1813. memset(buf, 0, sizeof(*buf));
  1814. for(i = 0; spec && i < spec->count; ++i) {
  1815. len = strlen(spec->entries[i]);
  1816. if(len >= ALPN_NAME_MAX)
  1817. return CURLE_FAILED_INIT;
  1818. if(off + len + 2 >= sizeof(buf->data))
  1819. return CURLE_FAILED_INIT;
  1820. if(off)
  1821. buf->data[off++] = ',';
  1822. memcpy(buf->data + off, spec->entries[i], len);
  1823. off += len;
  1824. }
  1825. buf->data[off] = '\0';
  1826. buf->len = (int)off;
  1827. return CURLE_OK;
  1828. }
  1829. CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
  1830. struct Curl_easy *data,
  1831. const unsigned char *proto,
  1832. size_t proto_len)
  1833. {
  1834. int can_multi = 0;
  1835. unsigned char *palpn =
  1836. #ifndef CURL_DISABLE_PROXY
  1837. (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf))?
  1838. &cf->conn->proxy_alpn : &cf->conn->alpn
  1839. #else
  1840. &cf->conn->alpn
  1841. #endif
  1842. ;
  1843. if(proto && proto_len) {
  1844. if(proto_len == ALPN_HTTP_1_1_LENGTH &&
  1845. !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
  1846. *palpn = CURL_HTTP_VERSION_1_1;
  1847. }
  1848. #ifdef USE_HTTP2
  1849. else if(proto_len == ALPN_H2_LENGTH &&
  1850. !memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
  1851. *palpn = CURL_HTTP_VERSION_2;
  1852. can_multi = 1;
  1853. }
  1854. #endif
  1855. #ifdef USE_HTTP3
  1856. else if(proto_len == ALPN_H3_LENGTH &&
  1857. !memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
  1858. *palpn = CURL_HTTP_VERSION_3;
  1859. can_multi = 1;
  1860. }
  1861. #endif
  1862. else {
  1863. *palpn = CURL_HTTP_VERSION_NONE;
  1864. failf(data, "unsupported ALPN protocol: '%.*s'", (int)proto_len, proto);
  1865. /* TODO: do we want to fail this? Previous code just ignored it and
  1866. * some vtls backends even ignore the return code of this function. */
  1867. /* return CURLE_NOT_BUILT_IN; */
  1868. goto out;
  1869. }
  1870. infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, (int)proto_len, proto);
  1871. }
  1872. else {
  1873. *palpn = CURL_HTTP_VERSION_NONE;
  1874. infof(data, VTLS_INFOF_NO_ALPN);
  1875. }
  1876. out:
  1877. if(!Curl_ssl_cf_is_proxy(cf))
  1878. Curl_multiuse_state(data, can_multi?
  1879. BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
  1880. return CURLE_OK;
  1881. }
  1882. #endif /* USE_SSL */