1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25 /* This file is for implementing all "generic" SSL functions that all libcurl
26 internals should use. It is then responsible for calling the proper
27 "backend" function.
28
29 SSL-functions in libcurl should call functions in this source file, and not
30 to any specific SSL-layer.
31
32 Curl_ssl_ - prefix for generic ones
33
34 Note that this source code uses the functions of the configured SSL
35 backend via the global Curl_ssl instance.
36
37 "SSL/TLS Strong Encryption: An Introduction"
38 https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
39 */
40
41 #include "curl_setup.h"
42
43 #ifdef HAVE_SYS_TYPES_H
44 #include <sys/types.h>
45 #endif
46 #ifdef HAVE_SYS_STAT_H
47 #include <sys/stat.h>
48 #endif
49 #ifdef HAVE_FCNTL_H
50 #include <fcntl.h>
51 #endif
52
53 #include "urldata.h"
54 #include "cfilters.h"
55
56 #include "vtls.h" /* generic SSL protos etc */
57 #include "vtls_int.h"
58 #include "slist.h"
59 #include "sendf.h"
60 #include "strcase.h"
61 #include "url.h"
62 #include "progress.h"
63 #include "share.h"
64 #include "multiif.h"
65 #include "timeval.h"
66 #include "curl_md5.h"
67 #include "warnless.h"
68 #include "curl_base64.h"
69 #include "curl_printf.h"
70 #include "inet_pton.h"
71 #include "strdup.h"
72
73 /* The last #include files should be: */
74 #include "curl_memory.h"
75 #include "memdebug.h"
76
77
78 /* convenience macro to check if this handle is using a shared SSL session */
79 #define SSLSESSION_SHARED(data) (data->share && \
80 (data->share->specifier & \
81 (1<<CURL_LOCK_DATA_SSL_SESSION)))
82
83 #define CLONE_STRING(var) \
84 do { \
85 if(source->var) { \
86 dest->var = strdup(source->var); \
87 if(!dest->var) \
88 return FALSE; \
89 } \
90 else \
91 dest->var = NULL; \
92 } while(0)
93
94 #define CLONE_BLOB(var) \
95 do { \
96 if(blobdup(&dest->var, source->var)) \
97 return FALSE; \
98 } while(0)
99
blobdup(struct curl_blob ** dest,struct curl_blob * src)100 static CURLcode blobdup(struct curl_blob **dest,
101 struct curl_blob *src)
102 {
103 DEBUGASSERT(dest);
104 DEBUGASSERT(!*dest);
105 if(src) {
106 /* only if there's data to dupe! */
107 struct curl_blob *d;
108 d = malloc(sizeof(struct curl_blob) + src->len);
109 if(!d)
110 return CURLE_OUT_OF_MEMORY;
111 d->len = src->len;
112 /* Always duplicate because the connection may survive longer than the
113 handle that passed in the blob. */
114 d->flags = CURL_BLOB_COPY;
115 d->data = (void *)((char *)d + sizeof(struct curl_blob));
116 memcpy(d->data, src->data, src->len);
117 *dest = d;
118 }
119 return CURLE_OK;
120 }
121
122 /* returns TRUE if the blobs are identical */
blobcmp(struct curl_blob * first,struct curl_blob * second)123 static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
124 {
125 if(!first && !second) /* both are NULL */
126 return TRUE;
127 if(!first || !second) /* one is NULL */
128 return FALSE;
129 if(first->len != second->len) /* different sizes */
130 return FALSE;
131 return !memcmp(first->data, second->data, first->len); /* same data */
132 }
133
134 #ifdef USE_SSL
135 static const struct alpn_spec ALPN_SPEC_H11 = {
136 { ALPN_HTTP_1_1 }, 1
137 };
138 #ifdef USE_HTTP2
139 static const struct alpn_spec ALPN_SPEC_H2_H11 = {
140 { ALPN_H2, ALPN_HTTP_1_1 }, 2
141 };
142 #endif
143
alpn_get_spec(int httpwant,bool use_alpn)144 static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
145 {
146 if(!use_alpn)
147 return NULL;
148 #ifdef USE_HTTP2
149 if(httpwant >= CURL_HTTP_VERSION_2)
150 return &ALPN_SPEC_H2_H11;
151 #else
152 (void)httpwant;
153 #endif
154 /* Use the ALPN protocol "http/1.1" for HTTP/1.x.
155 Avoid "http/1.0" because some servers don't support it. */
156 return &ALPN_SPEC_H11;
157 }
158 #endif /* USE_SSL */
159
160
Curl_ssl_easy_config_init(struct Curl_easy * data)161 void Curl_ssl_easy_config_init(struct Curl_easy *data)
162 {
163 /*
164 * libcurl 7.10 introduced SSL verification *by default*! This needs to be
165 * switched off unless wanted.
166 */
167 data->set.ssl.primary.verifypeer = TRUE;
168 data->set.ssl.primary.verifyhost = TRUE;
169 data->set.ssl.primary.sessionid = TRUE; /* session ID caching by default */
170 #ifndef CURL_DISABLE_PROXY
171 data->set.proxy_ssl = data->set.ssl;
172 #endif
173 }
174
175 static bool
match_ssl_primary_config(struct Curl_easy * data,struct ssl_primary_config * c1,struct ssl_primary_config * c2)176 match_ssl_primary_config(struct Curl_easy *data,
177 struct ssl_primary_config *c1,
178 struct ssl_primary_config *c2)
179 {
180 (void)data;
181 if((c1->version == c2->version) &&
182 (c1->version_max == c2->version_max) &&
183 (c1->ssl_options == c2->ssl_options) &&
184 (c1->verifypeer == c2->verifypeer) &&
185 (c1->verifyhost == c2->verifyhost) &&
186 (c1->verifystatus == c2->verifystatus) &&
187 blobcmp(c1->cert_blob, c2->cert_blob) &&
188 blobcmp(c1->ca_info_blob, c2->ca_info_blob) &&
189 blobcmp(c1->issuercert_blob, c2->issuercert_blob) &&
190 Curl_safecmp(c1->CApath, c2->CApath) &&
191 Curl_safecmp(c1->CAfile, c2->CAfile) &&
192 Curl_safecmp(c1->issuercert, c2->issuercert) &&
193 Curl_safecmp(c1->clientcert, c2->clientcert) &&
194 #ifdef USE_TLS_SRP
195 !Curl_timestrcmp(c1->username, c2->username) &&
196 !Curl_timestrcmp(c1->password, c2->password) &&
197 #endif
198 strcasecompare(c1->cipher_list, c2->cipher_list) &&
199 strcasecompare(c1->cipher_list13, c2->cipher_list13) &&
200 strcasecompare(c1->curves, c2->curves) &&
201 strcasecompare(c1->CRLfile, c2->CRLfile) &&
202 strcasecompare(c1->pinned_key, c2->pinned_key))
203 return TRUE;
204
205 return FALSE;
206 }
207
Curl_ssl_conn_config_match(struct Curl_easy * data,struct connectdata * candidate,bool proxy)208 bool Curl_ssl_conn_config_match(struct Curl_easy *data,
209 struct connectdata *candidate,
210 bool proxy)
211 {
212 #ifndef CURL_DISABLE_PROXY
213 if(proxy)
214 return match_ssl_primary_config(data, &data->set.proxy_ssl.primary,
215 &candidate->proxy_ssl_config);
216 #else
217 (void)proxy;
218 #endif
219 return match_ssl_primary_config(data, &data->set.ssl.primary,
220 &candidate->ssl_config);
221 }
222
clone_ssl_primary_config(struct ssl_primary_config * source,struct ssl_primary_config * dest)223 static bool clone_ssl_primary_config(struct ssl_primary_config *source,
224 struct ssl_primary_config *dest)
225 {
226 dest->version = source->version;
227 dest->version_max = source->version_max;
228 dest->verifypeer = source->verifypeer;
229 dest->verifyhost = source->verifyhost;
230 dest->verifystatus = source->verifystatus;
231 dest->sessionid = source->sessionid;
232 dest->ssl_options = source->ssl_options;
233
234 CLONE_BLOB(cert_blob);
235 CLONE_BLOB(ca_info_blob);
236 CLONE_BLOB(issuercert_blob);
237 CLONE_STRING(CApath);
238 CLONE_STRING(CAfile);
239 CLONE_STRING(issuercert);
240 CLONE_STRING(clientcert);
241 CLONE_STRING(cipher_list);
242 CLONE_STRING(cipher_list13);
243 CLONE_STRING(pinned_key);
244 CLONE_STRING(curves);
245 CLONE_STRING(CRLfile);
246 #ifdef USE_TLS_SRP
247 CLONE_STRING(username);
248 CLONE_STRING(password);
249 #endif
250
251 return TRUE;
252 }
253
Curl_free_primary_ssl_config(struct ssl_primary_config * sslc)254 static void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
255 {
256 Curl_safefree(sslc->CApath);
257 Curl_safefree(sslc->CAfile);
258 Curl_safefree(sslc->issuercert);
259 Curl_safefree(sslc->clientcert);
260 Curl_safefree(sslc->cipher_list);
261 Curl_safefree(sslc->cipher_list13);
262 Curl_safefree(sslc->pinned_key);
263 Curl_safefree(sslc->cert_blob);
264 Curl_safefree(sslc->ca_info_blob);
265 Curl_safefree(sslc->issuercert_blob);
266 Curl_safefree(sslc->curves);
267 Curl_safefree(sslc->CRLfile);
268 #ifdef USE_TLS_SRP
269 Curl_safefree(sslc->username);
270 Curl_safefree(sslc->password);
271 #endif
272 }
273
Curl_ssl_easy_config_complete(struct Curl_easy * data)274 CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
275 {
276 data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
277 data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
278 data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
279 data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
280 data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
281 data->set.ssl.primary.cipher_list =
282 data->set.str[STRING_SSL_CIPHER_LIST];
283 data->set.ssl.primary.cipher_list13 =
284 data->set.str[STRING_SSL_CIPHER13_LIST];
285 data->set.ssl.primary.pinned_key =
286 data->set.str[STRING_SSL_PINNEDPUBLICKEY];
287 data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
288 data->set.ssl.primary.ca_info_blob = data->set.blobs[BLOB_CAINFO];
289 data->set.ssl.primary.curves = data->set.str[STRING_SSL_EC_CURVES];
290 #ifdef USE_TLS_SRP
291 data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
292 data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
293 #endif
294 data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
295 data->set.ssl.key = data->set.str[STRING_KEY];
296 data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
297 data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
298 data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
299 data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
300
301 #ifndef CURL_DISABLE_PROXY
302 data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
303 data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
304 data->set.proxy_ssl.primary.cipher_list =
305 data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
306 data->set.proxy_ssl.primary.cipher_list13 =
307 data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
308 data->set.proxy_ssl.primary.pinned_key =
309 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
310 data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
311 data->set.proxy_ssl.primary.ca_info_blob =
312 data->set.blobs[BLOB_CAINFO_PROXY];
313 data->set.proxy_ssl.primary.issuercert =
314 data->set.str[STRING_SSL_ISSUERCERT_PROXY];
315 data->set.proxy_ssl.primary.issuercert_blob =
316 data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
317 data->set.proxy_ssl.primary.CRLfile =
318 data->set.str[STRING_SSL_CRLFILE_PROXY];
319 data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
320 data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
321 data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
322 data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
323 data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
324 data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
325 #ifdef USE_TLS_SRP
326 data->set.proxy_ssl.primary.username =
327 data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
328 data->set.proxy_ssl.primary.password =
329 data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
330 #endif
331 #endif /* CURL_DISABLE_PROXY */
332
333 return CURLE_OK;
334 }
335
Curl_ssl_conn_config_init(struct Curl_easy * data,struct connectdata * conn)336 CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
337 struct connectdata *conn)
338 {
339 /* Clone "primary" SSL configurations from the esay handle to
340 * the connection. They are used for connection cache matching and
341 * probably outlive the easy handle */
342 if(!clone_ssl_primary_config(&data->set.ssl.primary, &conn->ssl_config))
343 return CURLE_OUT_OF_MEMORY;
344 #ifndef CURL_DISABLE_PROXY
345 if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary,
346 &conn->proxy_ssl_config))
347 return CURLE_OUT_OF_MEMORY;
348 #endif
349 return CURLE_OK;
350 }
351
Curl_ssl_conn_config_cleanup(struct connectdata * conn)352 void Curl_ssl_conn_config_cleanup(struct connectdata *conn)
353 {
354 Curl_free_primary_ssl_config(&conn->ssl_config);
355 #ifndef CURL_DISABLE_PROXY
356 Curl_free_primary_ssl_config(&conn->proxy_ssl_config);
357 #endif
358 }
359
Curl_ssl_conn_config_update(struct Curl_easy * data,bool for_proxy)360 void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy)
361 {
362 /* May be called on an easy that has no connection yet */
363 if(data->conn) {
364 struct ssl_primary_config *src, *dest;
365 #ifndef CURL_DISABLE_PROXY
366 src = for_proxy? &data->set.proxy_ssl.primary : &data->set.ssl.primary;
367 dest = for_proxy? &data->conn->proxy_ssl_config : &data->conn->ssl_config;
368 #else
369 (void)for_proxy;
370 src = &data->set.ssl.primary;
371 dest = &data->conn->ssl_config;
372 #endif
373 dest->verifyhost = src->verifyhost;
374 dest->verifypeer = src->verifypeer;
375 dest->verifystatus = src->verifystatus;
376 }
377 }
378
379 #ifdef USE_SSL
380 static int multissl_setup(const struct Curl_ssl *backend);
381 #endif
382
Curl_ssl_backend(void)383 curl_sslbackend Curl_ssl_backend(void)
384 {
385 #ifdef USE_SSL
386 multissl_setup(NULL);
387 return Curl_ssl->info.id;
388 #else
389 return CURLSSLBACKEND_NONE;
390 #endif
391 }
392
393 #ifdef USE_SSL
394
395 /* "global" init done? */
396 static bool init_ssl = FALSE;
397
398 /**
399 * Global SSL init
400 *
401 * @retval 0 error initializing SSL
402 * @retval 1 SSL initialized successfully
403 */
Curl_ssl_init(void)404 int Curl_ssl_init(void)
405 {
406 /* make sure this is only done once */
407 if(init_ssl)
408 return 1;
409 init_ssl = TRUE; /* never again */
410
411 return Curl_ssl->init();
412 }
413
414 #if defined(CURL_WITH_MULTI_SSL)
415 static const struct Curl_ssl Curl_ssl_multi;
416 #endif
417
418 /* Global cleanup */
Curl_ssl_cleanup(void)419 void Curl_ssl_cleanup(void)
420 {
421 if(init_ssl) {
422 /* only cleanup if we did a previous init */
423 Curl_ssl->cleanup();
424 #if defined(CURL_WITH_MULTI_SSL)
425 Curl_ssl = &Curl_ssl_multi;
426 #endif
427 init_ssl = FALSE;
428 }
429 }
430
ssl_prefs_check(struct Curl_easy * data)431 static bool ssl_prefs_check(struct Curl_easy *data)
432 {
433 /* check for CURLOPT_SSLVERSION invalid parameter value */
434 const unsigned char sslver = data->set.ssl.primary.version;
435 if(sslver >= CURL_SSLVERSION_LAST) {
436 failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
437 return FALSE;
438 }
439
440 switch(data->set.ssl.primary.version_max) {
441 case CURL_SSLVERSION_MAX_NONE:
442 case CURL_SSLVERSION_MAX_DEFAULT:
443 break;
444
445 default:
446 if((data->set.ssl.primary.version_max >> 16) < sslver) {
447 failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
448 return FALSE;
449 }
450 }
451
452 return TRUE;
453 }
454
cf_ctx_new(struct Curl_easy * data,const struct alpn_spec * alpn)455 static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
456 const struct alpn_spec *alpn)
457 {
458 struct ssl_connect_data *ctx;
459
460 (void)data;
461 ctx = calloc(1, sizeof(*ctx));
462 if(!ctx)
463 return NULL;
464
465 ctx->alpn = alpn;
466 ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
467 if(!ctx->backend) {
468 free(ctx);
469 return NULL;
470 }
471 return ctx;
472 }
473
cf_ctx_free(struct ssl_connect_data * ctx)474 static void cf_ctx_free(struct ssl_connect_data *ctx)
475 {
476 if(ctx) {
477 free(ctx->backend);
478 free(ctx);
479 }
480 }
481
ssl_connect(struct Curl_cfilter * cf,struct Curl_easy * data)482 static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data)
483 {
484 struct ssl_connect_data *connssl = cf->ctx;
485 CURLcode result;
486
487 if(!ssl_prefs_check(data))
488 return CURLE_SSL_CONNECT_ERROR;
489
490 /* mark this is being ssl-enabled from here on. */
491 connssl->state = ssl_connection_negotiating;
492
493 result = Curl_ssl->connect_blocking(cf, data);
494
495 if(!result) {
496 DEBUGASSERT(connssl->state == ssl_connection_complete);
497 }
498
499 return result;
500 }
501
502 static CURLcode
ssl_connect_nonblocking(struct Curl_cfilter * cf,struct Curl_easy * data,bool * done)503 ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data,
504 bool *done)
505 {
506 if(!ssl_prefs_check(data))
507 return CURLE_SSL_CONNECT_ERROR;
508
509 /* mark this is being ssl requested from here on. */
510 return Curl_ssl->connect_nonblocking(cf, data, done);
511 }
512
513 /*
514 * Lock shared SSL session data
515 */
Curl_ssl_sessionid_lock(struct Curl_easy * data)516 void Curl_ssl_sessionid_lock(struct Curl_easy *data)
517 {
518 if(SSLSESSION_SHARED(data))
519 Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
520 }
521
522 /*
523 * Unlock shared SSL session data
524 */
Curl_ssl_sessionid_unlock(struct Curl_easy * data)525 void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
526 {
527 if(SSLSESSION_SHARED(data))
528 Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
529 }
530
531 /*
532 * Check if there's a session ID for the given connection in the cache, and if
533 * there's one suitable, it is provided. Returns TRUE when no entry matched.
534 */
Curl_ssl_getsessionid(struct Curl_cfilter * cf,struct Curl_easy * data,const struct ssl_peer * peer,void ** ssl_sessionid,size_t * idsize)535 bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
536 struct Curl_easy *data,
537 const struct ssl_peer *peer,
538 void **ssl_sessionid,
539 size_t *idsize) /* set 0 if unknown */
540 {
541 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
542 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
543 struct Curl_ssl_session *check;
544 size_t i;
545 long *general_age;
546 bool no_match = TRUE;
547
548 *ssl_sessionid = NULL;
549 if(!ssl_config)
550 return TRUE;
551
552 DEBUGASSERT(ssl_config->primary.sessionid);
553
554 if(!ssl_config->primary.sessionid || !data->state.session)
555 /* session ID reuse is disabled or the session cache has not been
556 setup */
557 return TRUE;
558
559 /* Lock if shared */
560 if(SSLSESSION_SHARED(data))
561 general_age = &data->share->sessionage;
562 else
563 general_age = &data->state.sessionage;
564
565 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
566 check = &data->state.session[i];
567 if(!check->sessionid)
568 /* not session ID means blank entry */
569 continue;
570 if(strcasecompare(peer->hostname, check->name) &&
571 ((!cf->conn->bits.conn_to_host && !check->conn_to_host) ||
572 (cf->conn->bits.conn_to_host && check->conn_to_host &&
573 strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
574 ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) ||
575 (cf->conn->bits.conn_to_port && check->conn_to_port != -1 &&
576 cf->conn->conn_to_port == check->conn_to_port)) &&
577 (peer->port == check->remote_port) &&
578 (peer->transport == check->transport) &&
579 strcasecompare(cf->conn->handler->scheme, check->scheme) &&
580 match_ssl_primary_config(data, conn_config, &check->ssl_config)) {
581 /* yes, we have a session ID! */
582 (*general_age)++; /* increase general age */
583 check->age = *general_age; /* set this as used in this age */
584 *ssl_sessionid = check->sessionid;
585 if(idsize)
586 *idsize = check->idsize;
587 no_match = FALSE;
588 break;
589 }
590 }
591
592 DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d",
593 no_match? "Didn't find": "Found",
594 Curl_ssl_cf_is_proxy(cf) ? "proxy" : "host",
595 cf->conn->handler->scheme, peer->hostname, peer->port));
596 return no_match;
597 }
598
599 /*
600 * Kill a single session ID entry in the cache.
601 */
Curl_ssl_kill_session(struct Curl_ssl_session * session)602 void Curl_ssl_kill_session(struct Curl_ssl_session *session)
603 {
604 if(session->sessionid) {
605 /* defensive check */
606
607 /* free the ID the SSL-layer specific way */
608 session->sessionid_free(session->sessionid, session->idsize);
609
610 session->sessionid = NULL;
611 session->sessionid_free = NULL;
612 session->age = 0; /* fresh */
613
614 Curl_free_primary_ssl_config(&session->ssl_config);
615
616 Curl_safefree(session->name);
617 Curl_safefree(session->conn_to_host);
618 }
619 }
620
621 /*
622 * Delete the given session ID from the cache.
623 */
Curl_ssl_delsessionid(struct Curl_easy * data,void * ssl_sessionid)624 void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
625 {
626 size_t i;
627
628 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
629 struct Curl_ssl_session *check = &data->state.session[i];
630
631 if(check->sessionid == ssl_sessionid) {
632 Curl_ssl_kill_session(check);
633 break;
634 }
635 }
636 }
637
638 /*
639 * Store session id in the session cache. The ID passed on to this function
640 * must already have been extracted and allocated the proper way for the SSL
641 * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
642 * later on.
643 */
Curl_ssl_addsessionid(struct Curl_cfilter * cf,struct Curl_easy * data,const struct ssl_peer * peer,void * ssl_sessionid,size_t idsize,Curl_ssl_sessionid_dtor * sessionid_free_cb)644 CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf,
645 struct Curl_easy *data,
646 const struct ssl_peer *peer,
647 void *ssl_sessionid,
648 size_t idsize,
649 Curl_ssl_sessionid_dtor *sessionid_free_cb)
650 {
651 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
652 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
653 size_t i;
654 struct Curl_ssl_session *store;
655 long oldest_age;
656 char *clone_host = NULL;
657 char *clone_conn_to_host = NULL;
658 int conn_to_port;
659 long *general_age;
660 CURLcode result = CURLE_OUT_OF_MEMORY;
661
662 DEBUGASSERT(ssl_sessionid);
663 DEBUGASSERT(sessionid_free_cb);
664
665 if(!data->state.session) {
666 sessionid_free_cb(ssl_sessionid, idsize);
667 return CURLE_OK;
668 }
669
670 store = &data->state.session[0];
671 oldest_age = data->state.session[0].age; /* zero if unused */
672 DEBUGASSERT(ssl_config->primary.sessionid);
673 (void)ssl_config;
674
675 clone_host = strdup(peer->hostname);
676 if(!clone_host)
677 goto out;
678
679 if(cf->conn->bits.conn_to_host) {
680 clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
681 if(!clone_conn_to_host)
682 goto out;
683 }
684
685 if(cf->conn->bits.conn_to_port)
686 conn_to_port = cf->conn->conn_to_port;
687 else
688 conn_to_port = -1;
689
690 /* Now we should add the session ID and the host name to the cache, (remove
691 the oldest if necessary) */
692
693 /* If using shared SSL session, lock! */
694 if(SSLSESSION_SHARED(data)) {
695 general_age = &data->share->sessionage;
696 }
697 else {
698 general_age = &data->state.sessionage;
699 }
700
701 /* find an empty slot for us, or find the oldest */
702 for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
703 data->state.session[i].sessionid; i++) {
704 if(data->state.session[i].age < oldest_age) {
705 oldest_age = data->state.session[i].age;
706 store = &data->state.session[i];
707 }
708 }
709 if(i == data->set.general_ssl.max_ssl_sessions)
710 /* cache is full, we must "kill" the oldest entry! */
711 Curl_ssl_kill_session(store);
712 else
713 store = &data->state.session[i]; /* use this slot */
714
715 /* now init the session struct wisely */
716 if(!clone_ssl_primary_config(conn_config, &store->ssl_config)) {
717 Curl_free_primary_ssl_config(&store->ssl_config);
718 store->sessionid = NULL; /* let caller free sessionid */
719 goto out;
720 }
721 store->sessionid = ssl_sessionid;
722 store->idsize = idsize;
723 store->sessionid_free = sessionid_free_cb;
724 store->age = *general_age; /* set current age */
725 /* free it if there's one already present */
726 free(store->name);
727 free(store->conn_to_host);
728 store->name = clone_host; /* clone host name */
729 clone_host = NULL;
730 store->conn_to_host = clone_conn_to_host; /* clone connect to host name */
731 clone_conn_to_host = NULL;
732 store->conn_to_port = conn_to_port; /* connect to port number */
733 /* port number */
734 store->remote_port = peer->port;
735 store->scheme = cf->conn->handler->scheme;
736 store->transport = peer->transport;
737
738 result = CURLE_OK;
739
740 out:
741 free(clone_host);
742 free(clone_conn_to_host);
743 if(result) {
744 failf(data, "Failed to add Session ID to cache for %s://%s:%d [%s]",
745 store->scheme, store->name, store->remote_port,
746 Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server");
747 sessionid_free_cb(ssl_sessionid, idsize);
748 return result;
749 }
750 CURL_TRC_CF(data, cf, "Added Session ID to cache for %s://%s:%d [%s]",
751 store->scheme, store->name, store->remote_port,
752 Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server");
753 return CURLE_OK;
754 }
755
Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data * mbackend)756 void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend)
757 {
758 if(Curl_ssl->free_multi_ssl_backend_data && mbackend)
759 Curl_ssl->free_multi_ssl_backend_data(mbackend);
760 }
761
Curl_ssl_close_all(struct Curl_easy * data)762 void Curl_ssl_close_all(struct Curl_easy *data)
763 {
764 /* kill the session ID cache if not shared */
765 if(data->state.session && !SSLSESSION_SHARED(data)) {
766 size_t i;
767 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
768 /* the single-killer function handles empty table slots */
769 Curl_ssl_kill_session(&data->state.session[i]);
770
771 /* free the cache data */
772 Curl_safefree(data->state.session);
773 }
774
775 Curl_ssl->close_all(data);
776 }
777
Curl_ssl_adjust_pollset(struct Curl_cfilter * cf,struct Curl_easy * data,struct easy_pollset * ps)778 void Curl_ssl_adjust_pollset(struct Curl_cfilter *cf, struct Curl_easy *data,
779 struct easy_pollset *ps)
780 {
781 if(!cf->connected) {
782 struct ssl_connect_data *connssl = cf->ctx;
783 curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
784 if(sock != CURL_SOCKET_BAD) {
785 if(connssl->connecting_state == ssl_connect_2_writing) {
786 Curl_pollset_set_out_only(data, ps, sock);
787 CURL_TRC_CF(data, cf, "adjust_pollset, POLLOUT fd=%"
788 CURL_FORMAT_SOCKET_T, sock);
789 }
790 else {
791 Curl_pollset_set_in_only(data, ps, sock);
792 CURL_TRC_CF(data, cf, "adjust_pollset, POLLIN fd=%"
793 CURL_FORMAT_SOCKET_T, sock);
794 }
795 }
796 }
797 }
798
799 /* Selects an SSL crypto engine
800 */
Curl_ssl_set_engine(struct Curl_easy * data,const char * engine)801 CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
802 {
803 return Curl_ssl->set_engine(data, engine);
804 }
805
806 /* Selects the default SSL crypto engine
807 */
Curl_ssl_set_engine_default(struct Curl_easy * data)808 CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
809 {
810 return Curl_ssl->set_engine_default(data);
811 }
812
813 /* Return list of OpenSSL crypto engine names. */
Curl_ssl_engines_list(struct Curl_easy * data)814 struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
815 {
816 return Curl_ssl->engines_list(data);
817 }
818
819 /*
820 * This sets up a session ID cache to the specified size. Make sure this code
821 * is agnostic to what underlying SSL technology we use.
822 */
Curl_ssl_initsessions(struct Curl_easy * data,size_t amount)823 CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
824 {
825 struct Curl_ssl_session *session;
826
827 if(data->state.session)
828 /* this is just a precaution to prevent multiple inits */
829 return CURLE_OK;
830
831 session = calloc(amount, sizeof(struct Curl_ssl_session));
832 if(!session)
833 return CURLE_OUT_OF_MEMORY;
834
835 /* store the info in the SSL section */
836 data->set.general_ssl.max_ssl_sessions = amount;
837 data->state.session = session;
838 data->state.sessionage = 1; /* this is brand new */
839 return CURLE_OK;
840 }
841
842 static size_t multissl_version(char *buffer, size_t size);
843
Curl_ssl_version(char * buffer,size_t size)844 void Curl_ssl_version(char *buffer, size_t size)
845 {
846 #ifdef CURL_WITH_MULTI_SSL
847 (void)multissl_version(buffer, size);
848 #else
849 (void)Curl_ssl->version(buffer, size);
850 #endif
851 }
852
Curl_ssl_free_certinfo(struct Curl_easy * data)853 void Curl_ssl_free_certinfo(struct Curl_easy *data)
854 {
855 struct curl_certinfo *ci = &data->info.certs;
856
857 if(ci->num_of_certs) {
858 /* free all individual lists used */
859 int i;
860 for(i = 0; i<ci->num_of_certs; i++) {
861 curl_slist_free_all(ci->certinfo[i]);
862 ci->certinfo[i] = NULL;
863 }
864
865 free(ci->certinfo); /* free the actual array too */
866 ci->certinfo = NULL;
867 ci->num_of_certs = 0;
868 }
869 }
870
Curl_ssl_init_certinfo(struct Curl_easy * data,int num)871 CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
872 {
873 struct curl_certinfo *ci = &data->info.certs;
874 struct curl_slist **table;
875
876 /* Free any previous certificate information structures */
877 Curl_ssl_free_certinfo(data);
878
879 /* Allocate the required certificate information structures */
880 table = calloc((size_t) num, sizeof(struct curl_slist *));
881 if(!table)
882 return CURLE_OUT_OF_MEMORY;
883
884 ci->num_of_certs = num;
885 ci->certinfo = table;
886
887 return CURLE_OK;
888 }
889
890 /*
891 * 'value' is NOT a null-terminated string
892 */
Curl_ssl_push_certinfo_len(struct Curl_easy * data,int certnum,const char * label,const char * value,size_t valuelen)893 CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
894 int certnum,
895 const char *label,
896 const char *value,
897 size_t valuelen)
898 {
899 struct curl_certinfo *ci = &data->info.certs;
900 struct curl_slist *nl;
901 CURLcode result = CURLE_OK;
902 struct dynbuf build;
903
904 Curl_dyn_init(&build, 10000);
905
906 if(Curl_dyn_add(&build, label) ||
907 Curl_dyn_addn(&build, ":", 1) ||
908 Curl_dyn_addn(&build, value, valuelen))
909 return CURLE_OUT_OF_MEMORY;
910
911 nl = Curl_slist_append_nodup(ci->certinfo[certnum],
912 Curl_dyn_ptr(&build));
913 if(!nl) {
914 Curl_dyn_free(&build);
915 curl_slist_free_all(ci->certinfo[certnum]);
916 result = CURLE_OUT_OF_MEMORY;
917 }
918
919 ci->certinfo[certnum] = nl;
920 return result;
921 }
922
Curl_ssl_random(struct Curl_easy * data,unsigned char * entropy,size_t length)923 CURLcode Curl_ssl_random(struct Curl_easy *data,
924 unsigned char *entropy,
925 size_t length)
926 {
927 return Curl_ssl->random(data, entropy, length);
928 }
929
930 /*
931 * Public key pem to der conversion
932 */
933
pubkey_pem_to_der(const char * pem,unsigned char ** der,size_t * der_len)934 static CURLcode pubkey_pem_to_der(const char *pem,
935 unsigned char **der, size_t *der_len)
936 {
937 char *stripped_pem, *begin_pos, *end_pos;
938 size_t pem_count, stripped_pem_count = 0, pem_len;
939 CURLcode result;
940
941 /* if no pem, exit. */
942 if(!pem)
943 return CURLE_BAD_CONTENT_ENCODING;
944
945 begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
946 if(!begin_pos)
947 return CURLE_BAD_CONTENT_ENCODING;
948
949 pem_count = begin_pos - pem;
950 /* Invalid if not at beginning AND not directly following \n */
951 if(0 != pem_count && '\n' != pem[pem_count - 1])
952 return CURLE_BAD_CONTENT_ENCODING;
953
954 /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
955 pem_count += 26;
956
957 /* Invalid if not directly following \n */
958 end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
959 if(!end_pos)
960 return CURLE_BAD_CONTENT_ENCODING;
961
962 pem_len = end_pos - pem;
963
964 stripped_pem = malloc(pem_len - pem_count + 1);
965 if(!stripped_pem)
966 return CURLE_OUT_OF_MEMORY;
967
968 /*
969 * Here we loop through the pem array one character at a time between the
970 * correct indices, and place each character that is not '\n' or '\r'
971 * into the stripped_pem array, which should represent the raw base64 string
972 */
973 while(pem_count < pem_len) {
974 if('\n' != pem[pem_count] && '\r' != pem[pem_count])
975 stripped_pem[stripped_pem_count++] = pem[pem_count];
976 ++pem_count;
977 }
978 /* Place the null terminator in the correct place */
979 stripped_pem[stripped_pem_count] = '\0';
980
981 result = Curl_base64_decode(stripped_pem, der, der_len);
982
983 Curl_safefree(stripped_pem);
984
985 return result;
986 }
987
988 /*
989 * Generic pinned public key check.
990 */
991
Curl_pin_peer_pubkey(struct Curl_easy * data,const char * pinnedpubkey,const unsigned char * pubkey,size_t pubkeylen)992 CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
993 const char *pinnedpubkey,
994 const unsigned char *pubkey, size_t pubkeylen)
995 {
996 FILE *fp;
997 unsigned char *buf = NULL, *pem_ptr = NULL;
998 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
999 #ifdef CURL_DISABLE_VERBOSE_STRINGS
1000 (void)data;
1001 #endif
1002
1003 /* if a path wasn't specified, don't pin */
1004 if(!pinnedpubkey)
1005 return CURLE_OK;
1006 if(!pubkey || !pubkeylen)
1007 return result;
1008
1009 /* only do this if pinnedpubkey starts with "sha256//", length 8 */
1010 if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
1011 CURLcode encode;
1012 size_t encodedlen = 0;
1013 char *encoded = NULL, *pinkeycopy, *begin_pos, *end_pos;
1014 unsigned char *sha256sumdigest;
1015
1016 if(!Curl_ssl->sha256sum) {
1017 /* without sha256 support, this cannot match */
1018 return result;
1019 }
1020
1021 /* compute sha256sum of public key */
1022 sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
1023 if(!sha256sumdigest)
1024 return CURLE_OUT_OF_MEMORY;
1025 encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
1026 sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
1027
1028 if(!encode)
1029 encode = Curl_base64_encode((char *)sha256sumdigest,
1030 CURL_SHA256_DIGEST_LENGTH, &encoded,
1031 &encodedlen);
1032 Curl_safefree(sha256sumdigest);
1033
1034 if(encode)
1035 return encode;
1036
1037 infof(data, " public key hash: sha256//%s", encoded);
1038
1039 /* it starts with sha256//, copy so we can modify it */
1040 pinkeycopy = strdup(pinnedpubkey);
1041 if(!pinkeycopy) {
1042 Curl_safefree(encoded);
1043 return CURLE_OUT_OF_MEMORY;
1044 }
1045 /* point begin_pos to the copy, and start extracting keys */
1046 begin_pos = pinkeycopy;
1047 do {
1048 end_pos = strstr(begin_pos, ";sha256//");
1049 /*
1050 * if there is an end_pos, null terminate,
1051 * otherwise it'll go to the end of the original string
1052 */
1053 if(end_pos)
1054 end_pos[0] = '\0';
1055
1056 /* compare base64 sha256 digests, 8 is the length of "sha256//" */
1057 if(encodedlen == strlen(begin_pos + 8) &&
1058 !memcmp(encoded, begin_pos + 8, encodedlen)) {
1059 result = CURLE_OK;
1060 break;
1061 }
1062
1063 /*
1064 * change back the null-terminator we changed earlier,
1065 * and look for next begin
1066 */
1067 if(end_pos) {
1068 end_pos[0] = ';';
1069 begin_pos = strstr(end_pos, "sha256//");
1070 }
1071 } while(end_pos && begin_pos);
1072 Curl_safefree(encoded);
1073 Curl_safefree(pinkeycopy);
1074 return result;
1075 }
1076
1077 fp = fopen(pinnedpubkey, "rb");
1078 if(!fp)
1079 return result;
1080
1081 do {
1082 long filesize;
1083 size_t size, pem_len;
1084 CURLcode pem_read;
1085
1086 /* Determine the file's size */
1087 if(fseek(fp, 0, SEEK_END))
1088 break;
1089 filesize = ftell(fp);
1090 if(fseek(fp, 0, SEEK_SET))
1091 break;
1092 if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
1093 break;
1094
1095 /*
1096 * if the size of our certificate is bigger than the file
1097 * size then it can't match
1098 */
1099 size = curlx_sotouz((curl_off_t) filesize);
1100 if(pubkeylen > size)
1101 break;
1102
1103 /*
1104 * Allocate buffer for the pinned key
1105 * With 1 additional byte for null terminator in case of PEM key
1106 */
1107 buf = malloc(size + 1);
1108 if(!buf)
1109 break;
1110
1111 /* Returns number of elements read, which should be 1 */
1112 if((int) fread(buf, size, 1, fp) != 1)
1113 break;
1114
1115 /* If the sizes are the same, it can't be base64 encoded, must be der */
1116 if(pubkeylen == size) {
1117 if(!memcmp(pubkey, buf, pubkeylen))
1118 result = CURLE_OK;
1119 break;
1120 }
1121
1122 /*
1123 * Otherwise we will assume it's PEM and try to decode it
1124 * after placing null terminator
1125 */
1126 buf[size] = '\0';
1127 pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
1128 /* if it wasn't read successfully, exit */
1129 if(pem_read)
1130 break;
1131
1132 /*
1133 * if the size of our certificate doesn't match the size of
1134 * the decoded file, they can't be the same, otherwise compare
1135 */
1136 if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
1137 result = CURLE_OK;
1138 } while(0);
1139
1140 Curl_safefree(buf);
1141 Curl_safefree(pem_ptr);
1142 fclose(fp);
1143
1144 return result;
1145 }
1146
1147 /*
1148 * Check whether the SSL backend supports the status_request extension.
1149 */
Curl_ssl_cert_status_request(void)1150 bool Curl_ssl_cert_status_request(void)
1151 {
1152 return Curl_ssl->cert_status_request();
1153 }
1154
1155 /*
1156 * Check whether the SSL backend supports false start.
1157 */
Curl_ssl_false_start(struct Curl_easy * data)1158 bool Curl_ssl_false_start(struct Curl_easy *data)
1159 {
1160 (void)data;
1161 return Curl_ssl->false_start();
1162 }
1163
1164 /*
1165 * Default implementations for unsupported functions.
1166 */
1167
Curl_none_init(void)1168 int Curl_none_init(void)
1169 {
1170 return 1;
1171 }
1172
Curl_none_cleanup(void)1173 void Curl_none_cleanup(void)
1174 { }
1175
Curl_none_shutdown(struct Curl_cfilter * cf UNUSED_PARAM,struct Curl_easy * data UNUSED_PARAM)1176 int Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
1177 struct Curl_easy *data UNUSED_PARAM)
1178 {
1179 (void)data;
1180 (void)cf;
1181 return 0;
1182 }
1183
Curl_none_check_cxn(struct Curl_cfilter * cf,struct Curl_easy * data)1184 int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data)
1185 {
1186 (void)cf;
1187 (void)data;
1188 return -1;
1189 }
1190
Curl_none_random(struct Curl_easy * data UNUSED_PARAM,unsigned char * entropy UNUSED_PARAM,size_t length UNUSED_PARAM)1191 CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
1192 unsigned char *entropy UNUSED_PARAM,
1193 size_t length UNUSED_PARAM)
1194 {
1195 (void)data;
1196 (void)entropy;
1197 (void)length;
1198 return CURLE_NOT_BUILT_IN;
1199 }
1200
Curl_none_close_all(struct Curl_easy * data UNUSED_PARAM)1201 void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
1202 {
1203 (void)data;
1204 }
1205
Curl_none_session_free(void * ptr UNUSED_PARAM)1206 void Curl_none_session_free(void *ptr UNUSED_PARAM)
1207 {
1208 (void)ptr;
1209 }
1210
Curl_none_data_pending(struct Curl_cfilter * cf UNUSED_PARAM,const struct Curl_easy * data UNUSED_PARAM)1211 bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
1212 const struct Curl_easy *data UNUSED_PARAM)
1213 {
1214 (void)cf;
1215 (void)data;
1216 return 0;
1217 }
1218
Curl_none_cert_status_request(void)1219 bool Curl_none_cert_status_request(void)
1220 {
1221 return FALSE;
1222 }
1223
Curl_none_set_engine(struct Curl_easy * data UNUSED_PARAM,const char * engine UNUSED_PARAM)1224 CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
1225 const char *engine UNUSED_PARAM)
1226 {
1227 (void)data;
1228 (void)engine;
1229 return CURLE_NOT_BUILT_IN;
1230 }
1231
Curl_none_set_engine_default(struct Curl_easy * data UNUSED_PARAM)1232 CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
1233 {
1234 (void)data;
1235 return CURLE_NOT_BUILT_IN;
1236 }
1237
Curl_none_engines_list(struct Curl_easy * data UNUSED_PARAM)1238 struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
1239 {
1240 (void)data;
1241 return (struct curl_slist *)NULL;
1242 }
1243
Curl_none_false_start(void)1244 bool Curl_none_false_start(void)
1245 {
1246 return FALSE;
1247 }
1248
multissl_init(void)1249 static int multissl_init(void)
1250 {
1251 if(multissl_setup(NULL))
1252 return 1;
1253 return Curl_ssl->init();
1254 }
1255
multissl_connect(struct Curl_cfilter * cf,struct Curl_easy * data)1256 static CURLcode multissl_connect(struct Curl_cfilter *cf,
1257 struct Curl_easy *data)
1258 {
1259 if(multissl_setup(NULL))
1260 return CURLE_FAILED_INIT;
1261 return Curl_ssl->connect_blocking(cf, data);
1262 }
1263
multissl_connect_nonblocking(struct Curl_cfilter * cf,struct Curl_easy * data,bool * done)1264 static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
1265 struct Curl_easy *data,
1266 bool *done)
1267 {
1268 if(multissl_setup(NULL))
1269 return CURLE_FAILED_INIT;
1270 return Curl_ssl->connect_nonblocking(cf, data, done);
1271 }
1272
multissl_adjust_pollset(struct Curl_cfilter * cf,struct Curl_easy * data,struct easy_pollset * ps)1273 static void multissl_adjust_pollset(struct Curl_cfilter *cf,
1274 struct Curl_easy *data,
1275 struct easy_pollset *ps)
1276 {
1277 if(multissl_setup(NULL))
1278 return;
1279 Curl_ssl->adjust_pollset(cf, data, ps);
1280 }
1281
multissl_get_internals(struct ssl_connect_data * connssl,CURLINFO info)1282 static void *multissl_get_internals(struct ssl_connect_data *connssl,
1283 CURLINFO info)
1284 {
1285 if(multissl_setup(NULL))
1286 return NULL;
1287 return Curl_ssl->get_internals(connssl, info);
1288 }
1289
multissl_close(struct Curl_cfilter * cf,struct Curl_easy * data)1290 static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1291 {
1292 if(multissl_setup(NULL))
1293 return;
1294 Curl_ssl->close(cf, data);
1295 }
1296
multissl_recv_plain(struct Curl_cfilter * cf,struct Curl_easy * data,char * buf,size_t len,CURLcode * code)1297 static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
1298 struct Curl_easy *data,
1299 char *buf, size_t len, CURLcode *code)
1300 {
1301 if(multissl_setup(NULL))
1302 return CURLE_FAILED_INIT;
1303 return Curl_ssl->recv_plain(cf, data, buf, len, code);
1304 }
1305
multissl_send_plain(struct Curl_cfilter * cf,struct Curl_easy * data,const void * mem,size_t len,CURLcode * code)1306 static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
1307 struct Curl_easy *data,
1308 const void *mem, size_t len,
1309 CURLcode *code)
1310 {
1311 if(multissl_setup(NULL))
1312 return CURLE_FAILED_INIT;
1313 return Curl_ssl->send_plain(cf, data, mem, len, code);
1314 }
1315
1316 static const struct Curl_ssl Curl_ssl_multi = {
1317 { CURLSSLBACKEND_NONE, "multi" }, /* info */
1318 0, /* supports nothing */
1319 (size_t)-1, /* something insanely large to be on the safe side */
1320
1321 multissl_init, /* init */
1322 Curl_none_cleanup, /* cleanup */
1323 multissl_version, /* version */
1324 Curl_none_check_cxn, /* check_cxn */
1325 Curl_none_shutdown, /* shutdown */
1326 Curl_none_data_pending, /* data_pending */
1327 Curl_none_random, /* random */
1328 Curl_none_cert_status_request, /* cert_status_request */
1329 multissl_connect, /* connect */
1330 multissl_connect_nonblocking, /* connect_nonblocking */
1331 multissl_adjust_pollset, /* adjust_pollset */
1332 multissl_get_internals, /* get_internals */
1333 multissl_close, /* close_one */
1334 Curl_none_close_all, /* close_all */
1335 Curl_none_set_engine, /* set_engine */
1336 Curl_none_set_engine_default, /* set_engine_default */
1337 Curl_none_engines_list, /* engines_list */
1338 Curl_none_false_start, /* false_start */
1339 NULL, /* sha256sum */
1340 NULL, /* associate_connection */
1341 NULL, /* disassociate_connection */
1342 NULL, /* free_multi_ssl_backend_data */
1343 multissl_recv_plain, /* recv decrypted data */
1344 multissl_send_plain, /* send data to encrypt */
1345 };
1346
1347 const struct Curl_ssl *Curl_ssl =
1348 #if defined(CURL_WITH_MULTI_SSL)
1349 &Curl_ssl_multi;
1350 #elif defined(USE_WOLFSSL)
1351 &Curl_ssl_wolfssl;
1352 #elif defined(USE_SECTRANSP)
1353 &Curl_ssl_sectransp;
1354 #elif defined(USE_GNUTLS)
1355 &Curl_ssl_gnutls;
1356 #elif defined(USE_MBEDTLS)
1357 &Curl_ssl_mbedtls;
1358 #elif defined(USE_RUSTLS)
1359 &Curl_ssl_rustls;
1360 #elif defined(USE_OPENSSL)
1361 &Curl_ssl_openssl;
1362 #elif defined(USE_SCHANNEL)
1363 &Curl_ssl_schannel;
1364 #elif defined(USE_BEARSSL)
1365 &Curl_ssl_bearssl;
1366 #else
1367 #error "Missing struct Curl_ssl for selected SSL backend"
1368 #endif
1369
1370 static const struct Curl_ssl *available_backends[] = {
1371 #if defined(USE_WOLFSSL)
1372 &Curl_ssl_wolfssl,
1373 #endif
1374 #if defined(USE_SECTRANSP)
1375 &Curl_ssl_sectransp,
1376 #endif
1377 #if defined(USE_GNUTLS)
1378 &Curl_ssl_gnutls,
1379 #endif
1380 #if defined(USE_MBEDTLS)
1381 &Curl_ssl_mbedtls,
1382 #endif
1383 #if defined(USE_OPENSSL)
1384 &Curl_ssl_openssl,
1385 #endif
1386 #if defined(USE_SCHANNEL)
1387 &Curl_ssl_schannel,
1388 #endif
1389 #if defined(USE_BEARSSL)
1390 &Curl_ssl_bearssl,
1391 #endif
1392 #if defined(USE_RUSTLS)
1393 &Curl_ssl_rustls,
1394 #endif
1395 NULL
1396 };
1397
multissl_version(char * buffer,size_t size)1398 static size_t multissl_version(char *buffer, size_t size)
1399 {
1400 static const struct Curl_ssl *selected;
1401 static char backends[200];
1402 static size_t backends_len;
1403 const struct Curl_ssl *current;
1404
1405 current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
1406
1407 if(current != selected) {
1408 char *p = backends;
1409 char *end = backends + sizeof(backends);
1410 int i;
1411
1412 selected = current;
1413
1414 backends[0] = '\0';
1415
1416 for(i = 0; available_backends[i]; ++i) {
1417 char vb[200];
1418 bool paren = (selected != available_backends[i]);
1419
1420 if(available_backends[i]->version(vb, sizeof(vb))) {
1421 p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
1422 (paren ? "(" : ""), vb, (paren ? ")" : ""));
1423 }
1424 }
1425
1426 backends_len = p - backends;
1427 }
1428
1429 if(size) {
1430 if(backends_len < size)
1431 strcpy(buffer, backends);
1432 else
1433 *buffer = 0; /* did not fit */
1434 }
1435 return 0;
1436 }
1437
multissl_setup(const struct Curl_ssl * backend)1438 static int multissl_setup(const struct Curl_ssl *backend)
1439 {
1440 const char *env;
1441 char *env_tmp;
1442
1443 if(Curl_ssl != &Curl_ssl_multi)
1444 return 1;
1445
1446 if(backend) {
1447 Curl_ssl = backend;
1448 return 0;
1449 }
1450
1451 if(!available_backends[0])
1452 return 1;
1453
1454 env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
1455 #ifdef CURL_DEFAULT_SSL_BACKEND
1456 if(!env)
1457 env = CURL_DEFAULT_SSL_BACKEND;
1458 #endif
1459 if(env) {
1460 int i;
1461 for(i = 0; available_backends[i]; i++) {
1462 if(strcasecompare(env, available_backends[i]->info.name)) {
1463 Curl_ssl = available_backends[i];
1464 free(env_tmp);
1465 return 0;
1466 }
1467 }
1468 }
1469
1470 /* Fall back to first available backend */
1471 Curl_ssl = available_backends[0];
1472 free(env_tmp);
1473 return 0;
1474 }
1475
1476 /* This function is used to select the SSL backend to use. It is called by
1477 curl_global_sslset (easy.c) which uses the global init lock. */
Curl_init_sslset_nolock(curl_sslbackend id,const char * name,const curl_ssl_backend *** avail)1478 CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1479 const curl_ssl_backend ***avail)
1480 {
1481 int i;
1482
1483 if(avail)
1484 *avail = (const curl_ssl_backend **)&available_backends;
1485
1486 if(Curl_ssl != &Curl_ssl_multi)
1487 return id == Curl_ssl->info.id ||
1488 (name && strcasecompare(name, Curl_ssl->info.name)) ?
1489 CURLSSLSET_OK :
1490 #if defined(CURL_WITH_MULTI_SSL)
1491 CURLSSLSET_TOO_LATE;
1492 #else
1493 CURLSSLSET_UNKNOWN_BACKEND;
1494 #endif
1495
1496 for(i = 0; available_backends[i]; i++) {
1497 if(available_backends[i]->info.id == id ||
1498 (name && strcasecompare(available_backends[i]->info.name, name))) {
1499 multissl_setup(available_backends[i]);
1500 return CURLSSLSET_OK;
1501 }
1502 }
1503
1504 return CURLSSLSET_UNKNOWN_BACKEND;
1505 }
1506
1507 #else /* USE_SSL */
Curl_init_sslset_nolock(curl_sslbackend id,const char * name,const curl_ssl_backend *** avail)1508 CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1509 const curl_ssl_backend ***avail)
1510 {
1511 (void)id;
1512 (void)name;
1513 (void)avail;
1514 return CURLSSLSET_NO_BACKENDS;
1515 }
1516
1517 #endif /* !USE_SSL */
1518
1519 #ifdef USE_SSL
1520
Curl_ssl_peer_cleanup(struct ssl_peer * peer)1521 void Curl_ssl_peer_cleanup(struct ssl_peer *peer)
1522 {
1523 if(peer->dispname != peer->hostname)
1524 free(peer->dispname);
1525 free(peer->sni);
1526 free(peer->hostname);
1527 peer->hostname = peer->sni = peer->dispname = NULL;
1528 peer->type = CURL_SSL_PEER_DNS;
1529 }
1530
cf_close(struct Curl_cfilter * cf,struct Curl_easy * data)1531 static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1532 {
1533 struct ssl_connect_data *connssl = cf->ctx;
1534 if(connssl) {
1535 Curl_ssl->close(cf, data);
1536 connssl->state = ssl_connection_none;
1537 Curl_ssl_peer_cleanup(&connssl->peer);
1538 }
1539 cf->connected = FALSE;
1540 }
1541
get_peer_type(const char * hostname)1542 static ssl_peer_type get_peer_type(const char *hostname)
1543 {
1544 if(hostname && hostname[0]) {
1545 #ifdef USE_IPV6
1546 struct in6_addr addr;
1547 #else
1548 struct in_addr addr;
1549 #endif
1550 if(Curl_inet_pton(AF_INET, hostname, &addr))
1551 return CURL_SSL_PEER_IPV4;
1552 #ifdef USE_IPV6
1553 else if(Curl_inet_pton(AF_INET6, hostname, &addr)) {
1554 return CURL_SSL_PEER_IPV6;
1555 }
1556 #endif
1557 }
1558 return CURL_SSL_PEER_DNS;
1559 }
1560
Curl_ssl_peer_init(struct ssl_peer * peer,struct Curl_cfilter * cf,int transport)1561 CURLcode Curl_ssl_peer_init(struct ssl_peer *peer, struct Curl_cfilter *cf,
1562 int transport)
1563 {
1564 const char *ehostname, *edispname;
1565 int eport;
1566
1567 /* We need the hostname for SNI negotiation. Once handshaked, this
1568 * remains the SNI hostname for the TLS connection. But when the
1569 * connection is reused, the settings in cf->conn might change.
1570 * So we keep a copy of the hostname we use for SNI.
1571 */
1572 #ifndef CURL_DISABLE_PROXY
1573 if(Curl_ssl_cf_is_proxy(cf)) {
1574 ehostname = cf->conn->http_proxy.host.name;
1575 edispname = cf->conn->http_proxy.host.dispname;
1576 eport = cf->conn->http_proxy.port;
1577 }
1578 else
1579 #endif
1580 {
1581 ehostname = cf->conn->host.name;
1582 edispname = cf->conn->host.dispname;
1583 eport = cf->conn->remote_port;
1584 }
1585
1586 /* change if ehostname changed */
1587 DEBUGASSERT(!ehostname || ehostname[0]);
1588 if(ehostname && (!peer->hostname
1589 || strcmp(ehostname, peer->hostname))) {
1590 Curl_ssl_peer_cleanup(peer);
1591 peer->hostname = strdup(ehostname);
1592 if(!peer->hostname) {
1593 Curl_ssl_peer_cleanup(peer);
1594 return CURLE_OUT_OF_MEMORY;
1595 }
1596 if(!edispname || !strcmp(ehostname, edispname))
1597 peer->dispname = peer->hostname;
1598 else {
1599 peer->dispname = strdup(edispname);
1600 if(!peer->dispname) {
1601 Curl_ssl_peer_cleanup(peer);
1602 return CURLE_OUT_OF_MEMORY;
1603 }
1604 }
1605
1606 peer->type = get_peer_type(peer->hostname);
1607 if(peer->type == CURL_SSL_PEER_DNS && peer->hostname[0]) {
1608 /* not an IP address, normalize according to RCC 6066 ch. 3,
1609 * max len of SNI is 2^16-1, no trailing dot */
1610 size_t len = strlen(peer->hostname);
1611 if(len && (peer->hostname[len-1] == '.'))
1612 len--;
1613 if(len < USHRT_MAX) {
1614 peer->sni = calloc(1, len + 1);
1615 if(!peer->sni) {
1616 Curl_ssl_peer_cleanup(peer);
1617 return CURLE_OUT_OF_MEMORY;
1618 }
1619 Curl_strntolower(peer->sni, peer->hostname, len);
1620 peer->sni[len] = 0;
1621 }
1622 }
1623
1624 }
1625 peer->port = eport;
1626 peer->transport = transport;
1627 return CURLE_OK;
1628 }
1629
ssl_cf_destroy(struct Curl_cfilter * cf,struct Curl_easy * data)1630 static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
1631 {
1632 struct cf_call_data save;
1633
1634 CF_DATA_SAVE(save, cf, data);
1635 cf_close(cf, data);
1636 CF_DATA_RESTORE(cf, save);
1637 cf_ctx_free(cf->ctx);
1638 cf->ctx = NULL;
1639 }
1640
ssl_cf_close(struct Curl_cfilter * cf,struct Curl_easy * data)1641 static void ssl_cf_close(struct Curl_cfilter *cf,
1642 struct Curl_easy *data)
1643 {
1644 struct cf_call_data save;
1645
1646 CF_DATA_SAVE(save, cf, data);
1647 cf_close(cf, data);
1648 if(cf->next)
1649 cf->next->cft->do_close(cf->next, data);
1650 CF_DATA_RESTORE(cf, save);
1651 }
1652
ssl_cf_connect(struct Curl_cfilter * cf,struct Curl_easy * data,bool blocking,bool * done)1653 static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
1654 struct Curl_easy *data,
1655 bool blocking, bool *done)
1656 {
1657 struct ssl_connect_data *connssl = cf->ctx;
1658 struct cf_call_data save;
1659 CURLcode result;
1660
1661 if(cf->connected) {
1662 *done = TRUE;
1663 return CURLE_OK;
1664 }
1665
1666 CF_DATA_SAVE(save, cf, data);
1667 CURL_TRC_CF(data, cf, "cf_connect()");
1668 (void)connssl;
1669 DEBUGASSERT(data->conn);
1670 DEBUGASSERT(data->conn == cf->conn);
1671 DEBUGASSERT(connssl);
1672 DEBUGASSERT(cf->conn->host.name);
1673
1674 result = cf->next->cft->do_connect(cf->next, data, blocking, done);
1675 if(result || !*done)
1676 goto out;
1677
1678 *done = FALSE;
1679 result = Curl_ssl_peer_init(&connssl->peer, cf, TRNSPRT_TCP);
1680 if(result)
1681 goto out;
1682
1683 if(blocking) {
1684 result = ssl_connect(cf, data);
1685 *done = (result == CURLE_OK);
1686 }
1687 else {
1688 result = ssl_connect_nonblocking(cf, data, done);
1689 }
1690
1691 if(!result && *done) {
1692 cf->connected = TRUE;
1693 connssl->handshake_done = Curl_now();
1694 DEBUGASSERT(connssl->state == ssl_connection_complete);
1695 }
1696 out:
1697 CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
1698 CF_DATA_RESTORE(cf, save);
1699 return result;
1700 }
1701
ssl_cf_data_pending(struct Curl_cfilter * cf,const struct Curl_easy * data)1702 static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
1703 const struct Curl_easy *data)
1704 {
1705 struct cf_call_data save;
1706 bool result;
1707
1708 CF_DATA_SAVE(save, cf, data);
1709 if(Curl_ssl->data_pending(cf, data))
1710 result = TRUE;
1711 else
1712 result = cf->next->cft->has_data_pending(cf->next, data);
1713 CF_DATA_RESTORE(cf, save);
1714 return result;
1715 }
1716
ssl_cf_send(struct Curl_cfilter * cf,struct Curl_easy * data,const void * buf,size_t len,CURLcode * err)1717 static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
1718 struct Curl_easy *data, const void *buf, size_t len,
1719 CURLcode *err)
1720 {
1721 struct cf_call_data save;
1722 ssize_t nwritten;
1723
1724 CF_DATA_SAVE(save, cf, data);
1725 *err = CURLE_OK;
1726 nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
1727 CF_DATA_RESTORE(cf, save);
1728 return nwritten;
1729 }
1730
ssl_cf_recv(struct Curl_cfilter * cf,struct Curl_easy * data,char * buf,size_t len,CURLcode * err)1731 static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
1732 struct Curl_easy *data, char *buf, size_t len,
1733 CURLcode *err)
1734 {
1735 struct cf_call_data save;
1736 ssize_t nread;
1737
1738 CF_DATA_SAVE(save, cf, data);
1739 *err = CURLE_OK;
1740 nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
1741 if(nread > 0) {
1742 DEBUGASSERT((size_t)nread <= len);
1743 }
1744 else if(nread == 0) {
1745 /* eof */
1746 *err = CURLE_OK;
1747 }
1748 CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
1749 nread, *err);
1750 CF_DATA_RESTORE(cf, save);
1751 return nread;
1752 }
1753
ssl_cf_adjust_pollset(struct Curl_cfilter * cf,struct Curl_easy * data,struct easy_pollset * ps)1754 static void ssl_cf_adjust_pollset(struct Curl_cfilter *cf,
1755 struct Curl_easy *data,
1756 struct easy_pollset *ps)
1757 {
1758 struct cf_call_data save;
1759
1760 if(!cf->connected) {
1761 CF_DATA_SAVE(save, cf, data);
1762 Curl_ssl->adjust_pollset(cf, data, ps);
1763 CF_DATA_RESTORE(cf, save);
1764 }
1765 }
1766
ssl_cf_cntrl(struct Curl_cfilter * cf,struct Curl_easy * data,int event,int arg1,void * arg2)1767 static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
1768 struct Curl_easy *data,
1769 int event, int arg1, void *arg2)
1770 {
1771 struct cf_call_data save;
1772
1773 (void)arg1;
1774 (void)arg2;
1775 switch(event) {
1776 case CF_CTRL_DATA_ATTACH:
1777 if(Curl_ssl->attach_data) {
1778 CF_DATA_SAVE(save, cf, data);
1779 Curl_ssl->attach_data(cf, data);
1780 CF_DATA_RESTORE(cf, save);
1781 }
1782 break;
1783 case CF_CTRL_DATA_DETACH:
1784 if(Curl_ssl->detach_data) {
1785 CF_DATA_SAVE(save, cf, data);
1786 Curl_ssl->detach_data(cf, data);
1787 CF_DATA_RESTORE(cf, save);
1788 }
1789 break;
1790 default:
1791 break;
1792 }
1793 return CURLE_OK;
1794 }
1795
ssl_cf_query(struct Curl_cfilter * cf,struct Curl_easy * data,int query,int * pres1,void * pres2)1796 static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
1797 struct Curl_easy *data,
1798 int query, int *pres1, void *pres2)
1799 {
1800 struct ssl_connect_data *connssl = cf->ctx;
1801
1802 switch(query) {
1803 case CF_QUERY_TIMER_APPCONNECT: {
1804 struct curltime *when = pres2;
1805 if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
1806 *when = connssl->handshake_done;
1807 return CURLE_OK;
1808 }
1809 default:
1810 break;
1811 }
1812 return cf->next?
1813 cf->next->cft->query(cf->next, data, query, pres1, pres2) :
1814 CURLE_UNKNOWN_OPTION;
1815 }
1816
cf_ssl_is_alive(struct Curl_cfilter * cf,struct Curl_easy * data,bool * input_pending)1817 static bool cf_ssl_is_alive(struct Curl_cfilter *cf, struct Curl_easy *data,
1818 bool *input_pending)
1819 {
1820 struct cf_call_data save;
1821 int result;
1822 /*
1823 * This function tries to determine connection status.
1824 *
1825 * Return codes:
1826 * 1 means the connection is still in place
1827 * 0 means the connection has been closed
1828 * -1 means the connection status is unknown
1829 */
1830 CF_DATA_SAVE(save, cf, data);
1831 result = Curl_ssl->check_cxn(cf, data);
1832 CF_DATA_RESTORE(cf, save);
1833 if(result > 0) {
1834 *input_pending = TRUE;
1835 return TRUE;
1836 }
1837 if(result == 0) {
1838 *input_pending = FALSE;
1839 return FALSE;
1840 }
1841 /* ssl backend does not know */
1842 return cf->next?
1843 cf->next->cft->is_alive(cf->next, data, input_pending) :
1844 FALSE; /* pessimistic in absence of data */
1845 }
1846
1847 struct Curl_cftype Curl_cft_ssl = {
1848 "SSL",
1849 CF_TYPE_SSL,
1850 CURL_LOG_LVL_NONE,
1851 ssl_cf_destroy,
1852 ssl_cf_connect,
1853 ssl_cf_close,
1854 Curl_cf_def_get_host,
1855 ssl_cf_adjust_pollset,
1856 ssl_cf_data_pending,
1857 ssl_cf_send,
1858 ssl_cf_recv,
1859 ssl_cf_cntrl,
1860 cf_ssl_is_alive,
1861 Curl_cf_def_conn_keep_alive,
1862 ssl_cf_query,
1863 };
1864
1865 #ifndef CURL_DISABLE_PROXY
1866
1867 struct Curl_cftype Curl_cft_ssl_proxy = {
1868 "SSL-PROXY",
1869 CF_TYPE_SSL|CF_TYPE_PROXY,
1870 CURL_LOG_LVL_NONE,
1871 ssl_cf_destroy,
1872 ssl_cf_connect,
1873 ssl_cf_close,
1874 Curl_cf_def_get_host,
1875 ssl_cf_adjust_pollset,
1876 ssl_cf_data_pending,
1877 ssl_cf_send,
1878 ssl_cf_recv,
1879 ssl_cf_cntrl,
1880 cf_ssl_is_alive,
1881 Curl_cf_def_conn_keep_alive,
1882 Curl_cf_def_query,
1883 };
1884
1885 #endif /* !CURL_DISABLE_PROXY */
1886
cf_ssl_create(struct Curl_cfilter ** pcf,struct Curl_easy * data,struct connectdata * conn)1887 static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
1888 struct Curl_easy *data,
1889 struct connectdata *conn)
1890 {
1891 struct Curl_cfilter *cf = NULL;
1892 struct ssl_connect_data *ctx;
1893 CURLcode result;
1894
1895 DEBUGASSERT(data->conn);
1896
1897 ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
1898 conn->bits.tls_enable_alpn));
1899 if(!ctx) {
1900 result = CURLE_OUT_OF_MEMORY;
1901 goto out;
1902 }
1903
1904 result = Curl_cf_create(&cf, &Curl_cft_ssl, ctx);
1905
1906 out:
1907 if(result)
1908 cf_ctx_free(ctx);
1909 *pcf = result? NULL : cf;
1910 return result;
1911 }
1912
Curl_ssl_cfilter_add(struct Curl_easy * data,struct connectdata * conn,int sockindex)1913 CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
1914 struct connectdata *conn,
1915 int sockindex)
1916 {
1917 struct Curl_cfilter *cf;
1918 CURLcode result;
1919
1920 result = cf_ssl_create(&cf, data, conn);
1921 if(!result)
1922 Curl_conn_cf_add(data, conn, sockindex, cf);
1923 return result;
1924 }
1925
Curl_cf_ssl_insert_after(struct Curl_cfilter * cf_at,struct Curl_easy * data)1926 CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
1927 struct Curl_easy *data)
1928 {
1929 struct Curl_cfilter *cf;
1930 CURLcode result;
1931
1932 result = cf_ssl_create(&cf, data, cf_at->conn);
1933 if(!result)
1934 Curl_conn_cf_insert_after(cf_at, cf);
1935 return result;
1936 }
1937
1938 #ifndef CURL_DISABLE_PROXY
1939
cf_ssl_proxy_create(struct Curl_cfilter ** pcf,struct Curl_easy * data,struct connectdata * conn)1940 static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
1941 struct Curl_easy *data,
1942 struct connectdata *conn)
1943 {
1944 struct Curl_cfilter *cf = NULL;
1945 struct ssl_connect_data *ctx;
1946 CURLcode result;
1947 bool use_alpn = conn->bits.tls_enable_alpn;
1948 int httpwant = CURL_HTTP_VERSION_1_1;
1949
1950 #ifdef USE_HTTP2
1951 if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
1952 use_alpn = TRUE;
1953 httpwant = CURL_HTTP_VERSION_2;
1954 }
1955 #endif
1956
1957 ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
1958 if(!ctx) {
1959 result = CURLE_OUT_OF_MEMORY;
1960 goto out;
1961 }
1962 result = Curl_cf_create(&cf, &Curl_cft_ssl_proxy, ctx);
1963
1964 out:
1965 if(result)
1966 cf_ctx_free(ctx);
1967 *pcf = result? NULL : cf;
1968 return result;
1969 }
1970
Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter * cf_at,struct Curl_easy * data)1971 CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
1972 struct Curl_easy *data)
1973 {
1974 struct Curl_cfilter *cf;
1975 CURLcode result;
1976
1977 result = cf_ssl_proxy_create(&cf, data, cf_at->conn);
1978 if(!result)
1979 Curl_conn_cf_insert_after(cf_at, cf);
1980 return result;
1981 }
1982
1983 #endif /* !CURL_DISABLE_PROXY */
1984
Curl_ssl_supports(struct Curl_easy * data,int option)1985 bool Curl_ssl_supports(struct Curl_easy *data, int option)
1986 {
1987 (void)data;
1988 return (Curl_ssl->supports & option)? TRUE : FALSE;
1989 }
1990
get_ssl_filter(struct Curl_cfilter * cf)1991 static struct Curl_cfilter *get_ssl_filter(struct Curl_cfilter *cf)
1992 {
1993 for(; cf; cf = cf->next) {
1994 if(cf->cft == &Curl_cft_ssl)
1995 return cf;
1996 #ifndef CURL_DISABLE_PROXY
1997 if(cf->cft == &Curl_cft_ssl_proxy)
1998 return cf;
1999 #endif
2000 }
2001 return NULL;
2002 }
2003
2004
Curl_ssl_get_internals(struct Curl_easy * data,int sockindex,CURLINFO info,int n)2005 void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
2006 CURLINFO info, int n)
2007 {
2008 void *result = NULL;
2009 (void)n;
2010 if(data->conn) {
2011 struct Curl_cfilter *cf;
2012 /* get first SSL filter in chain, if any is present */
2013 cf = get_ssl_filter(data->conn->cfilter[sockindex]);
2014 if(cf) {
2015 struct cf_call_data save;
2016 CF_DATA_SAVE(save, cf, data);
2017 result = Curl_ssl->get_internals(cf->ctx, info);
2018 CF_DATA_RESTORE(cf, save);
2019 }
2020 }
2021 return result;
2022 }
2023
Curl_ssl_cfilter_remove(struct Curl_easy * data,int sockindex)2024 CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
2025 int sockindex)
2026 {
2027 struct Curl_cfilter *cf, *head;
2028 CURLcode result = CURLE_OK;
2029
2030 (void)data;
2031 head = data->conn? data->conn->cfilter[sockindex] : NULL;
2032 for(cf = head; cf; cf = cf->next) {
2033 if(cf->cft == &Curl_cft_ssl) {
2034 if(Curl_ssl->shut_down(cf, data))
2035 result = CURLE_SSL_SHUTDOWN_FAILED;
2036 Curl_conn_cf_discard_sub(head, cf, data, FALSE);
2037 break;
2038 }
2039 }
2040 return result;
2041 }
2042
Curl_ssl_cf_is_proxy(struct Curl_cfilter * cf)2043 bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
2044 {
2045 return (cf->cft->flags & CF_TYPE_SSL) && (cf->cft->flags & CF_TYPE_PROXY);
2046 }
2047
2048 struct ssl_config_data *
Curl_ssl_cf_get_config(struct Curl_cfilter * cf,struct Curl_easy * data)2049 Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data)
2050 {
2051 #ifdef CURL_DISABLE_PROXY
2052 (void)cf;
2053 return &data->set.ssl;
2054 #else
2055 return Curl_ssl_cf_is_proxy(cf)? &data->set.proxy_ssl : &data->set.ssl;
2056 #endif
2057 }
2058
2059 struct ssl_primary_config *
Curl_ssl_cf_get_primary_config(struct Curl_cfilter * cf)2060 Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
2061 {
2062 #ifdef CURL_DISABLE_PROXY
2063 return &cf->conn->ssl_config;
2064 #else
2065 return Curl_ssl_cf_is_proxy(cf)?
2066 &cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
2067 #endif
2068 }
2069
Curl_alpn_to_proto_buf(struct alpn_proto_buf * buf,const struct alpn_spec * spec)2070 CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
2071 const struct alpn_spec *spec)
2072 {
2073 size_t i, len;
2074 int off = 0;
2075 unsigned char blen;
2076
2077 memset(buf, 0, sizeof(*buf));
2078 for(i = 0; spec && i < spec->count; ++i) {
2079 len = strlen(spec->entries[i]);
2080 if(len >= ALPN_NAME_MAX)
2081 return CURLE_FAILED_INIT;
2082 blen = (unsigned char)len;
2083 if(off + blen + 1 >= (int)sizeof(buf->data))
2084 return CURLE_FAILED_INIT;
2085 buf->data[off++] = blen;
2086 memcpy(buf->data + off, spec->entries[i], blen);
2087 off += blen;
2088 }
2089 buf->len = off;
2090 return CURLE_OK;
2091 }
2092
Curl_alpn_to_proto_str(struct alpn_proto_buf * buf,const struct alpn_spec * spec)2093 CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
2094 const struct alpn_spec *spec)
2095 {
2096 size_t i, len;
2097 size_t off = 0;
2098
2099 memset(buf, 0, sizeof(*buf));
2100 for(i = 0; spec && i < spec->count; ++i) {
2101 len = strlen(spec->entries[i]);
2102 if(len >= ALPN_NAME_MAX)
2103 return CURLE_FAILED_INIT;
2104 if(off + len + 2 >= sizeof(buf->data))
2105 return CURLE_FAILED_INIT;
2106 if(off)
2107 buf->data[off++] = ',';
2108 memcpy(buf->data + off, spec->entries[i], len);
2109 off += len;
2110 }
2111 buf->data[off] = '\0';
2112 buf->len = (int)off;
2113 return CURLE_OK;
2114 }
2115
Curl_alpn_set_negotiated(struct Curl_cfilter * cf,struct Curl_easy * data,const unsigned char * proto,size_t proto_len)2116 CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
2117 struct Curl_easy *data,
2118 const unsigned char *proto,
2119 size_t proto_len)
2120 {
2121 int can_multi = 0;
2122 unsigned char *palpn =
2123 #ifndef CURL_DISABLE_PROXY
2124 (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf))?
2125 &cf->conn->proxy_alpn : &cf->conn->alpn
2126 #else
2127 &cf->conn->alpn
2128 #endif
2129 ;
2130
2131 if(proto && proto_len) {
2132 if(proto_len == ALPN_HTTP_1_1_LENGTH &&
2133 !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
2134 *palpn = CURL_HTTP_VERSION_1_1;
2135 }
2136 #ifdef USE_HTTP2
2137 else if(proto_len == ALPN_H2_LENGTH &&
2138 !memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
2139 *palpn = CURL_HTTP_VERSION_2;
2140 can_multi = 1;
2141 }
2142 #endif
2143 #ifdef USE_HTTP3
2144 else if(proto_len == ALPN_H3_LENGTH &&
2145 !memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
2146 *palpn = CURL_HTTP_VERSION_3;
2147 can_multi = 1;
2148 }
2149 #endif
2150 else {
2151 *palpn = CURL_HTTP_VERSION_NONE;
2152 failf(data, "unsupported ALPN protocol: '%.*s'", (int)proto_len, proto);
2153 /* TODO: do we want to fail this? Previous code just ignored it and
2154 * some vtls backends even ignore the return code of this function. */
2155 /* return CURLE_NOT_BUILT_IN; */
2156 goto out;
2157 }
2158 infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, (int)proto_len, proto);
2159 }
2160 else {
2161 *palpn = CURL_HTTP_VERSION_NONE;
2162 infof(data, VTLS_INFOF_NO_ALPN);
2163 }
2164
2165 out:
2166 if(!Curl_ssl_cf_is_proxy(cf))
2167 Curl_multiuse_state(data, can_multi?
2168 BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
2169 return CURLE_OK;
2170 }
2171
2172 #endif /* USE_SSL */
2173
