xref: /curl/lib/vtls/openssl.c (revision 1cd745a5)
1 /***************************************************************************
2  *                                  _   _ ____  _
3  *  Project                     ___| | | |  _ \| |
4  *                             / __| | | | |_) | |
5  *                            | (__| |_| |  _ <| |___
6  *                             \___|\___/|_| \_\_____|
7  *
8  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9  *
10  * This software is licensed as described in the file COPYING, which
11  * you should have received as part of this distribution. The terms
12  * are also available at https://curl.se/docs/copyright.html.
13  *
14  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15  * copies of the Software, and permit persons to whom the Software is
16  * furnished to do so, under the terms of the COPYING file.
17  *
18  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19  * KIND, either express or implied.
20  *
21  * SPDX-License-Identifier: curl
22  *
23  ***************************************************************************/
24 
25 /*
26  * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
27  * but vtls.c should ever call or use these functions.
28  */
29 
30 #include "curl_setup.h"
31 
32 #if defined(USE_QUICHE) || defined(USE_OPENSSL)
33 
34 #include <limits.h>
35 
36 /* Wincrypt must be included before anything that could include OpenSSL. */
37 #if defined(USE_WIN32_CRYPTO)
38 #include <wincrypt.h>
39 /* Undefine wincrypt conflicting symbols for BoringSSL. */
40 #undef X509_NAME
41 #undef X509_EXTENSIONS
42 #undef PKCS7_ISSUER_AND_SERIAL
43 #undef PKCS7_SIGNER_INFO
44 #undef OCSP_REQUEST
45 #undef OCSP_RESPONSE
46 #endif
47 
48 #include "urldata.h"
49 #include "sendf.h"
50 #include "formdata.h" /* for the boundary function */
51 #include "url.h" /* for the ssl config check function */
52 #include "inet_pton.h"
53 #include "openssl.h"
54 #include "connect.h"
55 #include "slist.h"
56 #include "select.h"
57 #include "vtls.h"
58 #include "vtls_int.h"
59 #include "vauth/vauth.h"
60 #include "keylog.h"
61 #include "strcase.h"
62 #include "hostcheck.h"
63 #include "multiif.h"
64 #include "strerror.h"
65 #include "curl_printf.h"
66 
67 #include <openssl/ssl.h>
68 #include <openssl/rand.h>
69 #include <openssl/x509v3.h>
70 #ifndef OPENSSL_NO_DSA
71 #include <openssl/dsa.h>
72 #endif
73 #include <openssl/dh.h>
74 #include <openssl/err.h>
75 #include <openssl/md5.h>
76 #include <openssl/conf.h>
77 #include <openssl/bn.h>
78 #include <openssl/rsa.h>
79 #include <openssl/bio.h>
80 #include <openssl/buffer.h>
81 #include <openssl/pkcs12.h>
82 #include <openssl/tls1.h>
83 #include <openssl/evp.h>
84 
85 #ifdef USE_ECH
86 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
87 #  include <openssl/ech.h>
88 # endif
89 # include "curl_base64.h"
90 # define ECH_ENABLED(__data__) \
91     (__data__->set.tls_ech && \
92      !(__data__->set.tls_ech & CURLECH_DISABLE)\
93     )
94 #endif /* USE_ECH */
95 
96 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
97 #include <openssl/ocsp.h>
98 #endif
99 
100 #if (OPENSSL_VERSION_NUMBER >= 0x0090700fL) && /* 0.9.7 or later */     \
101   !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE)
102 #define USE_OPENSSL_ENGINE
103 #include <openssl/engine.h>
104 #endif
105 
106 #include "warnless.h"
107 
108 /* The last #include files should be: */
109 #include "curl_memory.h"
110 #include "memdebug.h"
111 
112 #ifndef ARRAYSIZE
113 #define ARRAYSIZE(A) (sizeof(A)/sizeof((A)[0]))
114 #endif
115 
116 /* Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS
117    renegotiations when built with BoringSSL. Renegotiating is non-compliant
118    with HTTP/2 and "an extremely dangerous protocol feature". Beware.
119 
120 #define ALLOW_RENEG 1
121  */
122 
123 #ifndef OPENSSL_VERSION_NUMBER
124 #error "OPENSSL_VERSION_NUMBER not defined"
125 #endif
126 
127 #ifdef USE_OPENSSL_ENGINE
128 #include <openssl/ui.h>
129 #endif
130 
131 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
132 #define SSL_METHOD_QUAL const
133 #else
134 #define SSL_METHOD_QUAL
135 #endif
136 
137 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
138 #define HAVE_ERR_REMOVE_THREAD_STATE 1
139 #endif
140 
141 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
142     !(defined(LIBRESSL_VERSION_NUMBER) && \
143       LIBRESSL_VERSION_NUMBER < 0x20700000L)
144 #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
145 #define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
146 #define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
147 #define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
148 #define CONST_EXTS const
149 #define HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED 1
150 
151 /* funny typecast define due to difference in API */
152 #ifdef LIBRESSL_VERSION_NUMBER
153 #define ARG2_X509_signature_print (X509_ALGOR *)
154 #else
155 #define ARG2_X509_signature_print
156 #endif
157 
158 #else
159 /* For OpenSSL before 1.1.0 */
160 #define ASN1_STRING_get0_data(x) ASN1_STRING_data(x)
161 #define X509_get0_notBefore(x) X509_get_notBefore(x)
162 #define X509_get0_notAfter(x) X509_get_notAfter(x)
163 #define CONST_EXTS /* nope */
164 #ifndef LIBRESSL_VERSION_NUMBER
165 #define OpenSSL_version_num() SSLeay()
166 #endif
167 #endif
168 
169 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
170     !(defined(LIBRESSL_VERSION_NUMBER) && \
171       LIBRESSL_VERSION_NUMBER < 0x20700000L)
172 #define HAVE_X509_GET0_SIGNATURE 1
173 #endif
174 
175 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) /* 1.0.2 or later */
176 #define HAVE_SSL_GET_SHUTDOWN 1
177 #endif
178 
179 #if OPENSSL_VERSION_NUMBER >= 0x10002003L && \
180   OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \
181   !defined(OPENSSL_NO_COMP)
182 #define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1
183 #endif
184 
185 #if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
186 /* not present in older OpenSSL */
187 #define OPENSSL_load_builtin_modules(x)
188 #endif
189 
190 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
191 #define HAVE_EVP_PKEY_GET_PARAMS 1
192 #endif
193 
194 #ifdef HAVE_EVP_PKEY_GET_PARAMS
195 #include <openssl/core_names.h>
196 #define DECLARE_PKEY_PARAM_BIGNUM(name) BIGNUM *name = NULL
197 #define FREE_PKEY_PARAM_BIGNUM(name) BN_clear_free(name)
198 #else
199 #define DECLARE_PKEY_PARAM_BIGNUM(name) const BIGNUM *name
200 #define FREE_PKEY_PARAM_BIGNUM(name)
201 #endif
202 
203 /*
204  * Whether SSL_CTX_set_keylog_callback is available.
205  * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
206  * BoringSSL: supported since d28f59c27bac (committed 2015-11-19)
207  * LibreSSL: not supported. 3.5.0+ has a stub function that does nothing.
208  */
209 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
210      !defined(LIBRESSL_VERSION_NUMBER)) || \
211     defined(OPENSSL_IS_BORINGSSL)
212 #define HAVE_KEYLOG_CALLBACK
213 #endif
214 
215 /* Whether SSL_CTX_set_ciphersuites is available.
216  * OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
217  * BoringSSL: no
218  * LibreSSL: supported since 3.4.1 (released 2021-10-14)
219  */
220 #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L && \
221       !defined(LIBRESSL_VERSION_NUMBER)) || \
222      (defined(LIBRESSL_VERSION_NUMBER) && \
223       LIBRESSL_VERSION_NUMBER >= 0x3040100fL)) && \
224     !defined(OPENSSL_IS_BORINGSSL)
225   #define HAVE_SSL_CTX_SET_CIPHERSUITES
226   #if !defined(OPENSSL_IS_AWSLC)
227     #define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
228   #endif
229 #endif
230 
231 /*
232  * Whether SSL_CTX_set1_curves_list is available.
233  * OpenSSL: supported since 1.0.2, see
234  *   https://docs.openssl.org/master/man3/SSL_CTX_set1_curves/
235  * BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30)
236  * LibreSSL: since 2.5.3 (April 12, 2017)
237  */
238 #if (OPENSSL_VERSION_NUMBER >= 0x10002000L) ||  \
239   defined(OPENSSL_IS_BORINGSSL)
240 #define HAVE_SSL_CTX_SET_EC_CURVES
241 #endif
242 
243 #if defined(LIBRESSL_VERSION_NUMBER)
244 #define OSSL_PACKAGE "LibreSSL"
245 #elif defined(OPENSSL_IS_BORINGSSL)
246 #define OSSL_PACKAGE "BoringSSL"
247 #elif defined(OPENSSL_IS_AWSLC)
248 #define OSSL_PACKAGE "AWS-LC"
249 #else
250 # if (defined(USE_NGTCP2) && defined(USE_NGHTTP3)) || defined(USE_MSH3)
251 #   define OSSL_PACKAGE "quictls"
252 # else
253 #   define OSSL_PACKAGE "OpenSSL"
254 #endif
255 #endif
256 
257 #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
258 typedef size_t numcert_t;
259 #else
260 typedef int numcert_t;
261 #endif
262 #define ossl_valsize_t numcert_t
263 
264 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
265 /* up2date versions of OpenSSL maintain reasonably secure defaults without
266  * breaking compatibility, so it is better not to override the defaults in curl
267  */
268 #define DEFAULT_CIPHER_SELECTION NULL
269 #else
270 /* not the case with old versions of OpenSSL */
271 #define DEFAULT_CIPHER_SELECTION \
272   "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
273 #endif
274 
275 #ifdef HAVE_OPENSSL_SRP
276 /* the function exists */
277 #ifdef USE_TLS_SRP
278 /* the functionality is not disabled */
279 #define USE_OPENSSL_SRP
280 #endif
281 #endif
282 
283 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
284 #define HAVE_RANDOM_INIT_BY_DEFAULT 1
285 #endif
286 
287 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
288     !(defined(LIBRESSL_VERSION_NUMBER) && \
289       LIBRESSL_VERSION_NUMBER < 0x2070100fL) && \
290     !defined(OPENSSL_IS_BORINGSSL) && \
291     !defined(OPENSSL_IS_AWSLC)
292 #define HAVE_OPENSSL_VERSION
293 #endif
294 
295 #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
296 typedef uint32_t sslerr_t;
297 #else
298 typedef unsigned long sslerr_t;
299 #endif
300 
301 /*
302  * Whether the OpenSSL version has the API needed to support sharing an
303  * X509_STORE between connections. The API is:
304  * * `X509_STORE_up_ref`       -- Introduced: OpenSSL 1.1.0.
305  */
306 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* OpenSSL >= 1.1.0 */
307 #define HAVE_SSL_X509_STORE_SHARE
308 #endif
309 
310 /* What API version do we use? */
311 #if defined(LIBRESSL_VERSION_NUMBER)
312 #define USE_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)
313 #else /* !LIBRESSL_VERSION_NUMBER */
314 #define USE_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
315 #endif /* !LIBRESSL_VERSION_NUMBER */
316 
317 static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl);
318 
319 static CURLcode push_certinfo(struct Curl_easy *data,
320                               BIO *mem, const char *label, int num)
321   WARN_UNUSED_RESULT;
322 
push_certinfo(struct Curl_easy * data,BIO * mem,const char * label,int num)323 static CURLcode push_certinfo(struct Curl_easy *data,
324                               BIO *mem, const char *label, int num)
325 {
326   char *ptr;
327   long len = BIO_get_mem_data(mem, &ptr);
328   CURLcode result = Curl_ssl_push_certinfo_len(data, num, label, ptr, len);
329   (void)BIO_reset(mem);
330   return result;
331 }
332 
pubkey_show(struct Curl_easy * data,BIO * mem,int num,const char * type,const char * name,const BIGNUM * bn)333 static CURLcode pubkey_show(struct Curl_easy *data,
334                             BIO *mem,
335                             int num,
336                             const char *type,
337                             const char *name,
338                             const BIGNUM *bn)
339 {
340   char namebuf[32];
341 
342   msnprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
343 
344   if(bn)
345     BN_print(mem, bn);
346   return push_certinfo(data, mem, namebuf, num);
347 }
348 
349 #ifdef HAVE_OPAQUE_RSA_DSA_DH
350 #define print_pubkey_BN(_type, _name, _num)              \
351   pubkey_show(data, mem, _num, #_type, #_name, _name)
352 
353 #else
354 #define print_pubkey_BN(_type, _name, _num)    \
355 do {                              \
356   if(_type->_name) { \
357     pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \
358   } \
359 } while(0)
360 #endif
361 
asn1_object_dump(ASN1_OBJECT * a,char * buf,size_t len)362 static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
363 {
364   int i, ilen;
365 
366   ilen = (int)len;
367   if(ilen < 0)
368     return 1; /* buffer too big */
369 
370   i = i2t_ASN1_OBJECT(buf, ilen, a);
371 
372   if(i >= ilen)
373     return 1; /* buffer too small */
374 
375   return 0;
376 }
377 
X509V3_ext(struct Curl_easy * data,int certnum,CONST_EXTS STACK_OF (X509_EXTENSION)* exts)378 static CURLcode X509V3_ext(struct Curl_easy *data,
379                            int certnum,
380                            CONST_EXTS STACK_OF(X509_EXTENSION) *exts)
381 {
382   int i;
383   CURLcode result = CURLE_OK;
384 
385   if((int)sk_X509_EXTENSION_num(exts) <= 0)
386     /* no extensions, bail out */
387     return result;
388 
389   for(i = 0; i < (int)sk_X509_EXTENSION_num(exts); i++) {
390     ASN1_OBJECT *obj;
391     X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, (ossl_valsize_t)i);
392     BUF_MEM *biomem;
393     char namebuf[128];
394     BIO *bio_out = BIO_new(BIO_s_mem());
395 
396     if(!bio_out)
397       return result;
398 
399     obj = X509_EXTENSION_get_object(ext);
400 
401     asn1_object_dump(obj, namebuf, sizeof(namebuf));
402 
403     if(!X509V3_EXT_print(bio_out, ext, 0, 0))
404       ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
405 
406     BIO_get_mem_ptr(bio_out, &biomem);
407     result = Curl_ssl_push_certinfo_len(data, certnum, namebuf, biomem->data,
408                                         biomem->length);
409     BIO_free(bio_out);
410     if(result)
411       break;
412   }
413   return result;
414 }
415 
ossl_certchain(struct Curl_easy * data,SSL * ssl)416 static CURLcode ossl_certchain(struct Curl_easy *data, SSL *ssl)
417 {
418   CURLcode result;
419   STACK_OF(X509) *sk;
420   int i;
421   numcert_t numcerts;
422   BIO *mem;
423 
424   DEBUGASSERT(ssl);
425 
426   sk = SSL_get_peer_cert_chain(ssl);
427   if(!sk) {
428     return CURLE_OUT_OF_MEMORY;
429   }
430 
431   numcerts = sk_X509_num(sk);
432 
433   result = Curl_ssl_init_certinfo(data, (int)numcerts);
434   if(result)
435     return result;
436 
437   mem = BIO_new(BIO_s_mem());
438   if(!mem)
439     result = CURLE_OUT_OF_MEMORY;
440 
441   for(i = 0; !result && (i < (int)numcerts); i++) {
442     ASN1_INTEGER *num;
443     X509 *x = sk_X509_value(sk, (ossl_valsize_t)i);
444     EVP_PKEY *pubkey = NULL;
445     int j;
446     const ASN1_BIT_STRING *psig = NULL;
447 
448     X509_NAME_print_ex(mem, X509_get_subject_name(x), 0, XN_FLAG_ONELINE);
449     result = push_certinfo(data, mem, "Subject", i);
450     if(result)
451       break;
452 
453     X509_NAME_print_ex(mem, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE);
454     result = push_certinfo(data, mem, "Issuer", i);
455     if(result)
456       break;
457 
458     BIO_printf(mem, "%lx", X509_get_version(x));
459     result = push_certinfo(data, mem, "Version", i);
460     if(result)
461       break;
462 
463     num = X509_get_serialNumber(x);
464     if(num->type == V_ASN1_NEG_INTEGER)
465       BIO_puts(mem, "-");
466     for(j = 0; j < num->length; j++)
467       BIO_printf(mem, "%02x", num->data[j]);
468     result = push_certinfo(data, mem, "Serial Number", i);
469     if(result)
470       break;
471 
472 #if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS)
473     {
474       const X509_ALGOR *sigalg = NULL;
475       X509_PUBKEY *xpubkey = NULL;
476       ASN1_OBJECT *pubkeyoid = NULL;
477 
478       X509_get0_signature(&psig, &sigalg, x);
479       if(sigalg) {
480         const ASN1_OBJECT *sigalgoid = NULL;
481         X509_ALGOR_get0(&sigalgoid, NULL, NULL, sigalg);
482         i2a_ASN1_OBJECT(mem, sigalgoid);
483         result = push_certinfo(data, mem, "Signature Algorithm", i);
484         if(result)
485           break;
486       }
487 
488       xpubkey = X509_get_X509_PUBKEY(x);
489       if(xpubkey) {
490         X509_PUBKEY_get0_param(&pubkeyoid, NULL, NULL, NULL, xpubkey);
491         if(pubkeyoid) {
492           i2a_ASN1_OBJECT(mem, pubkeyoid);
493           result = push_certinfo(data, mem, "Public Key Algorithm", i);
494           if(result)
495             break;
496         }
497       }
498 
499       result = X509V3_ext(data, i, X509_get0_extensions(x));
500       if(result)
501         break;
502     }
503 #else
504     {
505       /* before OpenSSL 1.0.2 */
506       X509_CINF *cinf = x->cert_info;
507 
508       i2a_ASN1_OBJECT(mem, cinf->signature->algorithm);
509       result = push_certinfo(data, mem, "Signature Algorithm", i);
510 
511       if(!result) {
512         i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm);
513         result = push_certinfo(data, mem, "Public Key Algorithm", i);
514       }
515 
516       if(!result)
517         result = X509V3_ext(data, i, cinf->extensions);
518 
519       if(result)
520         break;
521 
522       psig = x->signature;
523     }
524 #endif
525 
526     ASN1_TIME_print(mem, X509_get0_notBefore(x));
527     result = push_certinfo(data, mem, "Start date", i);
528     if(result)
529       break;
530 
531     ASN1_TIME_print(mem, X509_get0_notAfter(x));
532     result = push_certinfo(data, mem, "Expire date", i);
533     if(result)
534       break;
535 
536     pubkey = X509_get_pubkey(x);
537     if(!pubkey)
538       infof(data, "   Unable to load public key");
539     else {
540       int pktype;
541 #ifdef HAVE_OPAQUE_EVP_PKEY
542       pktype = EVP_PKEY_id(pubkey);
543 #else
544       pktype = pubkey->type;
545 #endif
546       switch(pktype) {
547       case EVP_PKEY_RSA: {
548 #ifndef HAVE_EVP_PKEY_GET_PARAMS
549         RSA *rsa;
550 #ifdef HAVE_OPAQUE_EVP_PKEY
551         rsa = EVP_PKEY_get0_RSA(pubkey);
552 #else
553         rsa = pubkey->pkey.rsa;
554 #endif /* HAVE_OPAQUE_EVP_PKEY */
555 #endif /* !HAVE_EVP_PKEY_GET_PARAMS */
556 
557         {
558 #ifdef HAVE_OPAQUE_RSA_DSA_DH
559           DECLARE_PKEY_PARAM_BIGNUM(n);
560           DECLARE_PKEY_PARAM_BIGNUM(e);
561 #ifdef HAVE_EVP_PKEY_GET_PARAMS
562           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_N, &n);
563           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_E, &e);
564 #else
565           RSA_get0_key(rsa, &n, &e, NULL);
566 #endif /* HAVE_EVP_PKEY_GET_PARAMS */
567           BIO_printf(mem, "%d", n ? BN_num_bits(n) : 0);
568 #else
569           BIO_printf(mem, "%d", rsa->n ? BN_num_bits(rsa->n) : 0);
570 #endif /* HAVE_OPAQUE_RSA_DSA_DH */
571           result = push_certinfo(data, mem, "RSA Public Key", i);
572           if(result)
573             break;
574           print_pubkey_BN(rsa, n, i);
575           print_pubkey_BN(rsa, e, i);
576           FREE_PKEY_PARAM_BIGNUM(n);
577           FREE_PKEY_PARAM_BIGNUM(e);
578         }
579 
580         break;
581       }
582       case EVP_PKEY_DSA:
583       {
584 #ifndef OPENSSL_NO_DSA
585 #ifndef HAVE_EVP_PKEY_GET_PARAMS
586         DSA *dsa;
587 #ifdef HAVE_OPAQUE_EVP_PKEY
588         dsa = EVP_PKEY_get0_DSA(pubkey);
589 #else
590         dsa = pubkey->pkey.dsa;
591 #endif /* HAVE_OPAQUE_EVP_PKEY */
592 #endif /* !HAVE_EVP_PKEY_GET_PARAMS */
593         {
594 #ifdef HAVE_OPAQUE_RSA_DSA_DH
595           DECLARE_PKEY_PARAM_BIGNUM(p);
596           DECLARE_PKEY_PARAM_BIGNUM(q);
597           DECLARE_PKEY_PARAM_BIGNUM(g);
598           DECLARE_PKEY_PARAM_BIGNUM(pub_key);
599 #ifdef HAVE_EVP_PKEY_GET_PARAMS
600           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p);
601           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q);
602           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g);
603           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
604 #else
605           DSA_get0_pqg(dsa, &p, &q, &g);
606           DSA_get0_key(dsa, &pub_key, NULL);
607 #endif /* HAVE_EVP_PKEY_GET_PARAMS */
608 #endif /* HAVE_OPAQUE_RSA_DSA_DH */
609           print_pubkey_BN(dsa, p, i);
610           print_pubkey_BN(dsa, q, i);
611           print_pubkey_BN(dsa, g, i);
612           print_pubkey_BN(dsa, pub_key, i);
613           FREE_PKEY_PARAM_BIGNUM(p);
614           FREE_PKEY_PARAM_BIGNUM(q);
615           FREE_PKEY_PARAM_BIGNUM(g);
616           FREE_PKEY_PARAM_BIGNUM(pub_key);
617         }
618 #endif /* !OPENSSL_NO_DSA */
619         break;
620       }
621       case EVP_PKEY_DH: {
622 #ifndef HAVE_EVP_PKEY_GET_PARAMS
623         DH *dh;
624 #ifdef HAVE_OPAQUE_EVP_PKEY
625         dh = EVP_PKEY_get0_DH(pubkey);
626 #else
627         dh = pubkey->pkey.dh;
628 #endif /* HAVE_OPAQUE_EVP_PKEY */
629 #endif /* !HAVE_EVP_PKEY_GET_PARAMS */
630         {
631 #ifdef HAVE_OPAQUE_RSA_DSA_DH
632           DECLARE_PKEY_PARAM_BIGNUM(p);
633           DECLARE_PKEY_PARAM_BIGNUM(q);
634           DECLARE_PKEY_PARAM_BIGNUM(g);
635           DECLARE_PKEY_PARAM_BIGNUM(pub_key);
636 #ifdef HAVE_EVP_PKEY_GET_PARAMS
637           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p);
638           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q);
639           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g);
640           EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
641 #else
642           DH_get0_pqg(dh, &p, &q, &g);
643           DH_get0_key(dh, &pub_key, NULL);
644 #endif /* HAVE_EVP_PKEY_GET_PARAMS */
645           print_pubkey_BN(dh, p, i);
646           print_pubkey_BN(dh, q, i);
647           print_pubkey_BN(dh, g, i);
648 #else
649           print_pubkey_BN(dh, p, i);
650           print_pubkey_BN(dh, g, i);
651 #endif /* HAVE_OPAQUE_RSA_DSA_DH */
652           print_pubkey_BN(dh, pub_key, i);
653           FREE_PKEY_PARAM_BIGNUM(p);
654           FREE_PKEY_PARAM_BIGNUM(q);
655           FREE_PKEY_PARAM_BIGNUM(g);
656           FREE_PKEY_PARAM_BIGNUM(pub_key);
657         }
658         break;
659       }
660       }
661       EVP_PKEY_free(pubkey);
662     }
663 
664     if(!result && psig) {
665       for(j = 0; j < psig->length; j++)
666         BIO_printf(mem, "%02x:", psig->data[j]);
667       result = push_certinfo(data, mem, "Signature", i);
668     }
669 
670     if(!result) {
671       PEM_write_bio_X509(mem, x);
672       result = push_certinfo(data, mem, "Cert", i);
673     }
674   }
675 
676   BIO_free(mem);
677 
678   if(result)
679     /* cleanup all leftovers */
680     Curl_ssl_free_certinfo(data);
681 
682   return result;
683 }
684 
685 #endif /* quiche or OpenSSL */
686 
687 #ifdef USE_OPENSSL
688 
689 #if USE_PRE_1_1_API
690 #if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
691 #define BIO_set_init(x,v)          ((x)->init=(v))
692 #define BIO_get_data(x)            ((x)->ptr)
693 #define BIO_set_data(x,v)          ((x)->ptr=(v))
694 #endif
695 #define BIO_get_shutdown(x)        ((x)->shutdown)
696 #define BIO_set_shutdown(x,v)      ((x)->shutdown=(v))
697 #endif /* USE_PRE_1_1_API */
698 
ossl_bio_cf_create(BIO * bio)699 static int ossl_bio_cf_create(BIO *bio)
700 {
701   BIO_set_shutdown(bio, 1);
702   BIO_set_init(bio, 1);
703 #if USE_PRE_1_1_API
704   bio->num = -1;
705 #endif
706   BIO_set_data(bio, NULL);
707   return 1;
708 }
709 
ossl_bio_cf_destroy(BIO * bio)710 static int ossl_bio_cf_destroy(BIO *bio)
711 {
712   if(!bio)
713     return 0;
714   return 1;
715 }
716 
ossl_bio_cf_ctrl(BIO * bio,int cmd,long num,void * ptr)717 static long ossl_bio_cf_ctrl(BIO *bio, int cmd, long num, void *ptr)
718 {
719   struct Curl_cfilter *cf = BIO_get_data(bio);
720   long ret = 1;
721 
722   (void)cf;
723   (void)ptr;
724   switch(cmd) {
725   case BIO_CTRL_GET_CLOSE:
726     ret = (long)BIO_get_shutdown(bio);
727     break;
728   case BIO_CTRL_SET_CLOSE:
729     BIO_set_shutdown(bio, (int)num);
730     break;
731   case BIO_CTRL_FLUSH:
732     /* we do no delayed writes, but if we ever would, this
733      * needs to trigger it. */
734     ret = 1;
735     break;
736   case BIO_CTRL_DUP:
737     ret = 1;
738     break;
739 #ifdef BIO_CTRL_EOF
740   case BIO_CTRL_EOF:
741     /* EOF has been reached on input? */
742     return (!cf->next || !cf->next->connected);
743 #endif
744   default:
745     ret = 0;
746     break;
747   }
748   return ret;
749 }
750 
ossl_bio_cf_out_write(BIO * bio,const char * buf,int blen)751 static int ossl_bio_cf_out_write(BIO *bio, const char *buf, int blen)
752 {
753   struct Curl_cfilter *cf = BIO_get_data(bio);
754   struct ssl_connect_data *connssl = cf->ctx;
755   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
756   struct Curl_easy *data = CF_DATA_CURRENT(cf);
757   ssize_t nwritten;
758   CURLcode result = CURLE_SEND_ERROR;
759 
760   DEBUGASSERT(data);
761   if(blen < 0)
762     return 0;
763 
764   nwritten = Curl_conn_cf_send(cf->next, data, buf, (size_t)blen, FALSE,
765                                &result);
766   CURL_TRC_CF(data, cf, "ossl_bio_cf_out_write(len=%d) -> %d, err=%d",
767               blen, (int)nwritten, result);
768   BIO_clear_retry_flags(bio);
769   octx->io_result = result;
770   if(nwritten < 0) {
771     if(CURLE_AGAIN == result)
772       BIO_set_retry_write(bio);
773   }
774   return (int)nwritten;
775 }
776 
ossl_bio_cf_in_read(BIO * bio,char * buf,int blen)777 static int ossl_bio_cf_in_read(BIO *bio, char *buf, int blen)
778 {
779   struct Curl_cfilter *cf = BIO_get_data(bio);
780   struct ssl_connect_data *connssl = cf->ctx;
781   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
782   struct Curl_easy *data = CF_DATA_CURRENT(cf);
783   ssize_t nread;
784   CURLcode result = CURLE_RECV_ERROR;
785 
786   DEBUGASSERT(data);
787   /* OpenSSL catches this case, so should we. */
788   if(!buf)
789     return 0;
790   if(blen < 0)
791     return 0;
792 
793   nread = Curl_conn_cf_recv(cf->next, data, buf, (size_t)blen, &result);
794   CURL_TRC_CF(data, cf, "ossl_bio_cf_in_read(len=%d) -> %d, err=%d",
795               blen, (int)nread, result);
796   BIO_clear_retry_flags(bio);
797   octx->io_result = result;
798   if(nread < 0) {
799     if(CURLE_AGAIN == result)
800       BIO_set_retry_read(bio);
801   }
802   else if(nread == 0) {
803     connssl->peer_closed = TRUE;
804   }
805 
806   /* Before returning server replies to the SSL instance, we need
807    * to have setup the x509 store or verification will fail. */
808   if(!octx->x509_store_setup) {
809     result = Curl_ssl_setup_x509_store(cf, data, octx->ssl_ctx);
810     if(result) {
811       octx->io_result = result;
812       return -1;
813     }
814     octx->x509_store_setup = TRUE;
815   }
816 
817   return (int)nread;
818 }
819 
820 #if USE_PRE_1_1_API
821 
822 static BIO_METHOD ossl_bio_cf_meth_1_0 = {
823   BIO_TYPE_MEM,
824   "OpenSSL CF BIO",
825   ossl_bio_cf_out_write,
826   ossl_bio_cf_in_read,
827   NULL,                    /* puts is never called */
828   NULL,                    /* gets is never called */
829   ossl_bio_cf_ctrl,
830   ossl_bio_cf_create,
831   ossl_bio_cf_destroy,
832   NULL
833 };
834 
ossl_bio_cf_method_create(void)835 static BIO_METHOD *ossl_bio_cf_method_create(void)
836 {
837   return &ossl_bio_cf_meth_1_0;
838 }
839 
840 #define ossl_bio_cf_method_free(m) Curl_nop_stmt
841 
842 #else
843 
ossl_bio_cf_method_create(void)844 static BIO_METHOD *ossl_bio_cf_method_create(void)
845 {
846   BIO_METHOD *m = BIO_meth_new(BIO_TYPE_MEM, "OpenSSL CF BIO");
847   if(m) {
848     BIO_meth_set_write(m, &ossl_bio_cf_out_write);
849     BIO_meth_set_read(m, &ossl_bio_cf_in_read);
850     BIO_meth_set_ctrl(m, &ossl_bio_cf_ctrl);
851     BIO_meth_set_create(m, &ossl_bio_cf_create);
852     BIO_meth_set_destroy(m, &ossl_bio_cf_destroy);
853   }
854   return m;
855 }
856 
ossl_bio_cf_method_free(BIO_METHOD * m)857 static void ossl_bio_cf_method_free(BIO_METHOD *m)
858 {
859   if(m)
860     BIO_meth_free(m);
861 }
862 
863 #endif
864 
865 
866 /*
867  * Number of bytes to read from the random number seed file. This must be
868  * a finite value (because some entropy "files" like /dev/urandom have
869  * an infinite length), but must be large enough to provide enough
870  * entropy to properly seed OpenSSL's PRNG.
871  */
872 #define RAND_LOAD_LENGTH 1024
873 
874 #ifdef HAVE_KEYLOG_CALLBACK
ossl_keylog_callback(const SSL * ssl,const char * line)875 static void ossl_keylog_callback(const SSL *ssl, const char *line)
876 {
877   (void)ssl;
878 
879   Curl_tls_keylog_write_line(line);
880 }
881 #else
882 /*
883  * ossl_log_tls12_secret is called by libcurl to make the CLIENT_RANDOMs if the
884  * OpenSSL being used does not have native support for doing that.
885  */
886 static void
ossl_log_tls12_secret(const SSL * ssl,bool * keylog_done)887 ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done)
888 {
889   const SSL_SESSION *session = SSL_get_session(ssl);
890   unsigned char client_random[SSL3_RANDOM_SIZE];
891   unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
892   int master_key_length = 0;
893 
894   if(!session || *keylog_done)
895     return;
896 
897 #if OPENSSL_VERSION_NUMBER >= 0x10100000L &&    \
898   !(defined(LIBRESSL_VERSION_NUMBER) &&         \
899     LIBRESSL_VERSION_NUMBER < 0x20700000L)
900   /* ssl->s3 is not checked in OpenSSL 1.1.0-pre6, but let's assume that
901    * we have a valid SSL context if we have a non-NULL session. */
902   SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
903   master_key_length = (int)
904     SSL_SESSION_get_master_key(session, master_key, SSL_MAX_MASTER_KEY_LENGTH);
905 #else
906   if(ssl->s3 && session->master_key_length > 0) {
907     master_key_length = session->master_key_length;
908     memcpy(master_key, session->master_key, session->master_key_length);
909     memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE);
910   }
911 #endif
912 
913   /* The handshake has not progressed sufficiently yet, or this is a TLS 1.3
914    * session (when curl was built with older OpenSSL headers and running with
915    * newer OpenSSL runtime libraries). */
916   if(master_key_length <= 0)
917     return;
918 
919   *keylog_done = TRUE;
920   Curl_tls_keylog_write("CLIENT_RANDOM", client_random,
921                         master_key, master_key_length);
922 }
923 #endif /* !HAVE_KEYLOG_CALLBACK */
924 
SSL_ERROR_to_str(int err)925 static const char *SSL_ERROR_to_str(int err)
926 {
927   switch(err) {
928   case SSL_ERROR_NONE:
929     return "SSL_ERROR_NONE";
930   case SSL_ERROR_SSL:
931     return "SSL_ERROR_SSL";
932   case SSL_ERROR_WANT_READ:
933     return "SSL_ERROR_WANT_READ";
934   case SSL_ERROR_WANT_WRITE:
935     return "SSL_ERROR_WANT_WRITE";
936   case SSL_ERROR_WANT_X509_LOOKUP:
937     return "SSL_ERROR_WANT_X509_LOOKUP";
938   case SSL_ERROR_SYSCALL:
939     return "SSL_ERROR_SYSCALL";
940   case SSL_ERROR_ZERO_RETURN:
941     return "SSL_ERROR_ZERO_RETURN";
942   case SSL_ERROR_WANT_CONNECT:
943     return "SSL_ERROR_WANT_CONNECT";
944   case SSL_ERROR_WANT_ACCEPT:
945     return "SSL_ERROR_WANT_ACCEPT";
946 #if defined(SSL_ERROR_WANT_ASYNC)
947   case SSL_ERROR_WANT_ASYNC:
948     return "SSL_ERROR_WANT_ASYNC";
949 #endif
950 #if defined(SSL_ERROR_WANT_ASYNC_JOB)
951   case SSL_ERROR_WANT_ASYNC_JOB:
952     return "SSL_ERROR_WANT_ASYNC_JOB";
953 #endif
954 #if defined(SSL_ERROR_WANT_EARLY)
955   case SSL_ERROR_WANT_EARLY:
956     return "SSL_ERROR_WANT_EARLY";
957 #endif
958   default:
959     return "SSL_ERROR unknown";
960   }
961 }
962 
963 static size_t ossl_version(char *buffer, size_t size);
964 
965 /* Return error string for last OpenSSL error
966  */
ossl_strerror(unsigned long error,char * buf,size_t size)967 static char *ossl_strerror(unsigned long error, char *buf, size_t size)
968 {
969   size_t len;
970   DEBUGASSERT(size);
971   *buf = '\0';
972 
973   len = ossl_version(buf, size);
974   DEBUGASSERT(len < (size - 2));
975   if(len < (size - 2)) {
976     buf += len;
977     size -= (len + 2);
978     *buf++ = ':';
979     *buf++ = ' ';
980     *buf = '\0';
981   }
982 
983 #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
984   ERR_error_string_n((uint32_t)error, buf, size);
985 #else
986   ERR_error_string_n(error, buf, size);
987 #endif
988 
989   if(!*buf) {
990     const char *msg = error ? "Unknown error" : "No error";
991     if(strlen(msg) < size)
992       strcpy(buf, msg);
993   }
994 
995   return buf;
996 }
997 
passwd_callback(char * buf,int num,int encrypting,void * global_passwd)998 static int passwd_callback(char *buf, int num, int encrypting,
999                            void *global_passwd)
1000 {
1001   DEBUGASSERT(0 == encrypting);
1002 
1003   if(!encrypting && num >= 0) {
1004     int klen = curlx_uztosi(strlen((char *)global_passwd));
1005     if(num > klen) {
1006       memcpy(buf, global_passwd, klen + 1);
1007       return klen;
1008     }
1009   }
1010   return 0;
1011 }
1012 
1013 /*
1014  * rand_enough() returns TRUE if we have seeded the random engine properly.
1015  */
rand_enough(void)1016 static bool rand_enough(void)
1017 {
1018   return (0 != RAND_status());
1019 }
1020 
ossl_seed(struct Curl_easy * data)1021 static CURLcode ossl_seed(struct Curl_easy *data)
1022 {
1023   /* This might get called before it has been added to a multi handle */
1024   if(data->multi && data->multi->ssl_seeded)
1025     return CURLE_OK;
1026 
1027   if(rand_enough()) {
1028     /* OpenSSL 1.1.0+ should return here */
1029     if(data->multi)
1030       data->multi->ssl_seeded = TRUE;
1031     return CURLE_OK;
1032   }
1033 #ifdef HAVE_RANDOM_INIT_BY_DEFAULT
1034   /* with OpenSSL 1.1.0+, a failed RAND_status is a showstopper */
1035   failf(data, "Insufficient randomness");
1036   return CURLE_SSL_CONNECT_ERROR;
1037 #else
1038 
1039   /* fallback to a custom seeding of the PRNG using a hash based on a current
1040      time */
1041   do {
1042     unsigned char randb[64];
1043     size_t len = sizeof(randb);
1044     size_t i, i_max;
1045     for(i = 0, i_max = len / sizeof(struct curltime); i < i_max; ++i) {
1046       struct curltime tv = Curl_now();
1047       Curl_wait_ms(1);
1048       tv.tv_sec *= (time_t)i + 1;
1049       tv.tv_usec *= (int)i + 2;
1050       tv.tv_sec ^= ((Curl_now().tv_sec + (time_t)Curl_now().tv_usec) *
1051                     (time_t)(i + 3)) << 8;
1052       tv.tv_usec ^= (int) ((Curl_now().tv_sec + (time_t)Curl_now().tv_usec) *
1053                            (time_t)(i + 4)) << 16;
1054       memcpy(&randb[i * sizeof(struct curltime)], &tv,
1055              sizeof(struct curltime));
1056     }
1057     RAND_add(randb, (int)len, (double)len/2);
1058   } while(!rand_enough());
1059 
1060   {
1061     /* generates a default path for the random seed file */
1062     char fname[256];
1063     fname[0] = 0; /* blank it first */
1064     RAND_file_name(fname, sizeof(fname));
1065     if(fname[0]) {
1066       /* we got a filename to try */
1067       RAND_load_file(fname, RAND_LOAD_LENGTH);
1068       if(rand_enough())
1069         return CURLE_OK;
1070     }
1071   }
1072 
1073   infof(data, "libcurl is now using a weak random seed");
1074   return (rand_enough() ? CURLE_OK :
1075           CURLE_SSL_CONNECT_ERROR /* confusing error code */);
1076 #endif
1077 }
1078 
1079 #ifndef SSL_FILETYPE_ENGINE
1080 #define SSL_FILETYPE_ENGINE 42
1081 #endif
1082 #ifndef SSL_FILETYPE_PKCS12
1083 #define SSL_FILETYPE_PKCS12 43
1084 #endif
ossl_do_file_type(const char * type)1085 static int ossl_do_file_type(const char *type)
1086 {
1087   if(!type || !type[0])
1088     return SSL_FILETYPE_PEM;
1089   if(strcasecompare(type, "PEM"))
1090     return SSL_FILETYPE_PEM;
1091   if(strcasecompare(type, "DER"))
1092     return SSL_FILETYPE_ASN1;
1093   if(strcasecompare(type, "ENG"))
1094     return SSL_FILETYPE_ENGINE;
1095   if(strcasecompare(type, "P12"))
1096     return SSL_FILETYPE_PKCS12;
1097   return -1;
1098 }
1099 
1100 #ifdef USE_OPENSSL_ENGINE
1101 /*
1102  * Supply default password to the engine user interface conversation.
1103  * The password is passed by OpenSSL engine from ENGINE_load_private_key()
1104  * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
1105  */
ssl_ui_reader(UI * ui,UI_STRING * uis)1106 static int ssl_ui_reader(UI *ui, UI_STRING *uis)
1107 {
1108   const char *password;
1109   switch(UI_get_string_type(uis)) {
1110   case UIT_PROMPT:
1111   case UIT_VERIFY:
1112     password = (const char *)UI_get0_user_data(ui);
1113     if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
1114       UI_set_result(ui, uis, password);
1115       return 1;
1116     }
1117     FALLTHROUGH();
1118   default:
1119     break;
1120   }
1121   return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
1122 }
1123 
1124 /*
1125  * Suppress interactive request for a default password if available.
1126  */
ssl_ui_writer(UI * ui,UI_STRING * uis)1127 static int ssl_ui_writer(UI *ui, UI_STRING *uis)
1128 {
1129   switch(UI_get_string_type(uis)) {
1130   case UIT_PROMPT:
1131   case UIT_VERIFY:
1132     if(UI_get0_user_data(ui) &&
1133        (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
1134       return 1;
1135     }
1136     FALLTHROUGH();
1137   default:
1138     break;
1139   }
1140   return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
1141 }
1142 
1143 /*
1144  * Check if a given string is a PKCS#11 URI
1145  */
is_pkcs11_uri(const char * string)1146 static bool is_pkcs11_uri(const char *string)
1147 {
1148   return (string && strncasecompare(string, "pkcs11:", 7));
1149 }
1150 
1151 #endif
1152 
1153 static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine);
1154 
1155 static int
SSL_CTX_use_certificate_blob(SSL_CTX * ctx,const struct curl_blob * blob,int type,const char * key_passwd)1156 SSL_CTX_use_certificate_blob(SSL_CTX *ctx, const struct curl_blob *blob,
1157                              int type, const char *key_passwd)
1158 {
1159   int ret = 0;
1160   X509 *x = NULL;
1161   /* the typecast of blob->len is fine since it is guaranteed to never be
1162      larger than CURL_MAX_INPUT_LENGTH */
1163   BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
1164   if(!in)
1165     return CURLE_OUT_OF_MEMORY;
1166 
1167   if(type == SSL_FILETYPE_ASN1) {
1168     /* j = ERR_R_ASN1_LIB; */
1169     x = d2i_X509_bio(in, NULL);
1170   }
1171   else if(type == SSL_FILETYPE_PEM) {
1172     /* ERR_R_PEM_LIB; */
1173     x = PEM_read_bio_X509(in, NULL,
1174                           passwd_callback, (void *)key_passwd);
1175   }
1176   else {
1177     ret = 0;
1178     goto end;
1179   }
1180 
1181   if(!x) {
1182     ret = 0;
1183     goto end;
1184   }
1185 
1186   ret = SSL_CTX_use_certificate(ctx, x);
1187 end:
1188   X509_free(x);
1189   BIO_free(in);
1190   return ret;
1191 }
1192 
1193 static int
SSL_CTX_use_PrivateKey_blob(SSL_CTX * ctx,const struct curl_blob * blob,int type,const char * key_passwd)1194 SSL_CTX_use_PrivateKey_blob(SSL_CTX *ctx, const struct curl_blob *blob,
1195                             int type, const char *key_passwd)
1196 {
1197   int ret = 0;
1198   EVP_PKEY *pkey = NULL;
1199   BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
1200   if(!in)
1201     return CURLE_OUT_OF_MEMORY;
1202 
1203   if(type == SSL_FILETYPE_PEM)
1204     pkey = PEM_read_bio_PrivateKey(in, NULL, passwd_callback,
1205                                    (void *)key_passwd);
1206   else if(type == SSL_FILETYPE_ASN1)
1207     pkey = d2i_PrivateKey_bio(in, NULL);
1208   else {
1209     ret = 0;
1210     goto end;
1211   }
1212   if(!pkey) {
1213     ret = 0;
1214     goto end;
1215   }
1216   ret = SSL_CTX_use_PrivateKey(ctx, pkey);
1217   EVP_PKEY_free(pkey);
1218 end:
1219   BIO_free(in);
1220   return ret;
1221 }
1222 
1223 static int
SSL_CTX_use_certificate_chain_blob(SSL_CTX * ctx,const struct curl_blob * blob,const char * key_passwd)1224 SSL_CTX_use_certificate_chain_blob(SSL_CTX *ctx, const struct curl_blob *blob,
1225                                    const char *key_passwd)
1226 {
1227 /* SSL_CTX_add1_chain_cert introduced in OpenSSL 1.0.2 */
1228 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* OpenSSL 1.0.2 or later */ \
1229   !(defined(LIBRESSL_VERSION_NUMBER) &&                                     \
1230     (LIBRESSL_VERSION_NUMBER < 0x2090100fL)) /* LibreSSL 2.9.1 or later */
1231   int ret = 0;
1232   X509 *x = NULL;
1233   void *passwd_callback_userdata = (void *)key_passwd;
1234   BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
1235   if(!in)
1236     return CURLE_OUT_OF_MEMORY;
1237 
1238   ERR_clear_error();
1239 
1240   x = PEM_read_bio_X509_AUX(in, NULL,
1241                             passwd_callback, (void *)key_passwd);
1242 
1243   if(!x) {
1244     ret = 0;
1245     goto end;
1246   }
1247 
1248   ret = SSL_CTX_use_certificate(ctx, x);
1249 
1250   if(ERR_peek_error() != 0)
1251     ret = 0;
1252 
1253   if(ret) {
1254     X509 *ca;
1255     sslerr_t err;
1256 
1257     if(!SSL_CTX_clear_chain_certs(ctx)) {
1258       ret = 0;
1259       goto end;
1260     }
1261 
1262     while((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
1263                                   passwd_callback_userdata))
1264           != NULL) {
1265 
1266       if(!SSL_CTX_add0_chain_cert(ctx, ca)) {
1267         X509_free(ca);
1268         ret = 0;
1269         goto end;
1270       }
1271     }
1272 
1273     err = ERR_peek_last_error();
1274     if((ERR_GET_LIB(err) == ERR_LIB_PEM) &&
1275        (ERR_GET_REASON(err) == PEM_R_NO_START_LINE))
1276       ERR_clear_error();
1277     else
1278       ret = 0;
1279   }
1280 
1281 end:
1282   X509_free(x);
1283   BIO_free(in);
1284   return ret;
1285 #else
1286   (void)ctx; /* unused */
1287   (void)blob; /* unused */
1288   (void)key_passwd; /* unused */
1289   return 0;
1290 #endif
1291 }
1292 
1293 static
cert_stuff(struct Curl_easy * data,SSL_CTX * ctx,char * cert_file,const struct curl_blob * cert_blob,const char * cert_type,char * key_file,const struct curl_blob * key_blob,const char * key_type,char * key_passwd)1294 int cert_stuff(struct Curl_easy *data,
1295                SSL_CTX* ctx,
1296                char *cert_file,
1297                const struct curl_blob *cert_blob,
1298                const char *cert_type,
1299                char *key_file,
1300                const struct curl_blob *key_blob,
1301                const char *key_type,
1302                char *key_passwd)
1303 {
1304   char error_buffer[256];
1305   bool check_privkey = TRUE;
1306 
1307   int file_type = ossl_do_file_type(cert_type);
1308 
1309   if(cert_file || cert_blob || (file_type == SSL_FILETYPE_ENGINE)) {
1310     SSL *ssl;
1311     X509 *x509;
1312     int cert_done = 0;
1313     int cert_use_result;
1314 
1315     if(key_passwd) {
1316       /* set the password in the callback userdata */
1317       SSL_CTX_set_default_passwd_cb_userdata(ctx, key_passwd);
1318       /* Set passwd callback: */
1319       SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
1320     }
1321 
1322 
1323     switch(file_type) {
1324     case SSL_FILETYPE_PEM:
1325       /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
1326       cert_use_result = cert_blob ?
1327         SSL_CTX_use_certificate_chain_blob(ctx, cert_blob, key_passwd) :
1328         SSL_CTX_use_certificate_chain_file(ctx, cert_file);
1329       if(cert_use_result != 1) {
1330         failf(data,
1331               "could not load PEM client certificate from %s, " OSSL_PACKAGE
1332               " error %s, "
1333               "(no key found, wrong pass phrase, or wrong file format?)",
1334               (cert_blob ? "CURLOPT_SSLCERT_BLOB" : cert_file),
1335               ossl_strerror(ERR_get_error(), error_buffer,
1336                             sizeof(error_buffer)) );
1337         return 0;
1338       }
1339       break;
1340 
1341     case SSL_FILETYPE_ASN1:
1342       /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
1343          we use the case above for PEM so this can only be performed with
1344          ASN1 files. */
1345 
1346       cert_use_result = cert_blob ?
1347         SSL_CTX_use_certificate_blob(ctx, cert_blob,
1348                                      file_type, key_passwd) :
1349       SSL_CTX_use_certificate_file(ctx, cert_file, file_type);
1350       if(cert_use_result != 1) {
1351         failf(data,
1352               "could not load ASN1 client certificate from %s, " OSSL_PACKAGE
1353               " error %s, "
1354               "(no key found, wrong pass phrase, or wrong file format?)",
1355               (cert_blob ? "CURLOPT_SSLCERT_BLOB" : cert_file),
1356               ossl_strerror(ERR_get_error(), error_buffer,
1357                             sizeof(error_buffer)) );
1358         return 0;
1359       }
1360       break;
1361     case SSL_FILETYPE_ENGINE:
1362 #if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
1363     {
1364       /* Implicitly use pkcs11 engine if none was provided and the
1365        * cert_file is a PKCS#11 URI */
1366       if(!data->state.engine) {
1367         if(is_pkcs11_uri(cert_file)) {
1368           if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
1369             return 0;
1370           }
1371         }
1372       }
1373 
1374       if(data->state.engine) {
1375         const char *cmd_name = "LOAD_CERT_CTRL";
1376         struct {
1377           const char *cert_id;
1378           X509 *cert;
1379         } params;
1380 
1381         params.cert_id = cert_file;
1382         params.cert = NULL;
1383 
1384         /* Does the engine supports LOAD_CERT_CTRL ? */
1385         if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
1386                         0, (void *)cmd_name, NULL)) {
1387           failf(data, "ssl engine does not support loading certificates");
1388           return 0;
1389         }
1390 
1391         /* Load the certificate from the engine */
1392         if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
1393                             0, &params, NULL, 1)) {
1394           failf(data, "ssl engine cannot load client cert with id"
1395                 " '%s' [%s]", cert_file,
1396                 ossl_strerror(ERR_get_error(), error_buffer,
1397                               sizeof(error_buffer)));
1398           return 0;
1399         }
1400 
1401         if(!params.cert) {
1402           failf(data, "ssl engine did not initialized the certificate "
1403                 "properly.");
1404           return 0;
1405         }
1406 
1407         if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
1408           failf(data, "unable to set client certificate [%s]",
1409                 ossl_strerror(ERR_get_error(), error_buffer,
1410                               sizeof(error_buffer)));
1411           return 0;
1412         }
1413         X509_free(params.cert); /* we do not need the handle any more... */
1414       }
1415       else {
1416         failf(data, "crypto engine not set, cannot load certificate");
1417         return 0;
1418       }
1419     }
1420     break;
1421 #else
1422     failf(data, "file type ENG for certificate not implemented");
1423     return 0;
1424 #endif
1425 
1426     case SSL_FILETYPE_PKCS12:
1427     {
1428       BIO *cert_bio = NULL;
1429       PKCS12 *p12 = NULL;
1430       EVP_PKEY *pri;
1431       STACK_OF(X509) *ca = NULL;
1432       if(cert_blob) {
1433         cert_bio = BIO_new_mem_buf(cert_blob->data, (int)(cert_blob->len));
1434         if(!cert_bio) {
1435           failf(data,
1436                 "BIO_new_mem_buf NULL, " OSSL_PACKAGE
1437                 " error %s",
1438                 ossl_strerror(ERR_get_error(), error_buffer,
1439                               sizeof(error_buffer)) );
1440           return 0;
1441         }
1442       }
1443       else {
1444         cert_bio = BIO_new(BIO_s_file());
1445         if(!cert_bio) {
1446           failf(data,
1447                 "BIO_new return NULL, " OSSL_PACKAGE
1448                 " error %s",
1449                 ossl_strerror(ERR_get_error(), error_buffer,
1450                               sizeof(error_buffer)) );
1451           return 0;
1452         }
1453 
1454         if(BIO_read_filename(cert_bio, cert_file) <= 0) {
1455           failf(data, "could not open PKCS12 file '%s'", cert_file);
1456           BIO_free(cert_bio);
1457           return 0;
1458         }
1459       }
1460 
1461       p12 = d2i_PKCS12_bio(cert_bio, NULL);
1462       BIO_free(cert_bio);
1463 
1464       if(!p12) {
1465         failf(data, "error reading PKCS12 file '%s'",
1466               cert_blob ? "(memory blob)" : cert_file);
1467         return 0;
1468       }
1469 
1470       PKCS12_PBE_add();
1471 
1472       if(!PKCS12_parse(p12, key_passwd, &pri, &x509,
1473                        &ca)) {
1474         failf(data,
1475               "could not parse PKCS12 file, check password, " OSSL_PACKAGE
1476               " error %s",
1477               ossl_strerror(ERR_get_error(), error_buffer,
1478                             sizeof(error_buffer)) );
1479         PKCS12_free(p12);
1480         return 0;
1481       }
1482 
1483       PKCS12_free(p12);
1484 
1485       if(SSL_CTX_use_certificate(ctx, x509) != 1) {
1486         failf(data,
1487               "could not load PKCS12 client certificate, " OSSL_PACKAGE
1488               " error %s",
1489               ossl_strerror(ERR_get_error(), error_buffer,
1490                             sizeof(error_buffer)) );
1491         goto fail;
1492       }
1493 
1494       if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
1495         failf(data, "unable to use private key from PKCS12 file '%s'",
1496               cert_file);
1497         goto fail;
1498       }
1499 
1500       if(!SSL_CTX_check_private_key (ctx)) {
1501         failf(data, "private key from PKCS12 file '%s' "
1502               "does not match certificate in same file", cert_file);
1503         goto fail;
1504       }
1505       /* Set Certificate Verification chain */
1506       if(ca) {
1507         while(sk_X509_num(ca)) {
1508           /*
1509            * Note that sk_X509_pop() is used below to make sure the cert is
1510            * removed from the stack properly before getting passed to
1511            * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
1512            * we used sk_X509_value() instead, but then we would clean it in the
1513            * subsequent sk_X509_pop_free() call.
1514            */
1515           X509 *x = sk_X509_pop(ca);
1516           if(!SSL_CTX_add_client_CA(ctx, x)) {
1517             X509_free(x);
1518             failf(data, "cannot add certificate to client CA list");
1519             goto fail;
1520           }
1521           if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
1522             X509_free(x);
1523             failf(data, "cannot add certificate to certificate chain");
1524             goto fail;
1525           }
1526         }
1527       }
1528 
1529       cert_done = 1;
1530 fail:
1531       EVP_PKEY_free(pri);
1532       X509_free(x509);
1533       sk_X509_pop_free(ca, X509_free);
1534       if(!cert_done)
1535         return 0; /* failure! */
1536       break;
1537     }
1538     default:
1539       failf(data, "not supported file type '%s' for certificate", cert_type);
1540       return 0;
1541     }
1542 
1543     if((!key_file) && (!key_blob)) {
1544       key_file = cert_file;
1545       key_blob = cert_blob;
1546     }
1547     else
1548       file_type = ossl_do_file_type(key_type);
1549 
1550     switch(file_type) {
1551     case SSL_FILETYPE_PEM:
1552       if(cert_done)
1553         break;
1554       FALLTHROUGH();
1555     case SSL_FILETYPE_ASN1:
1556       cert_use_result = key_blob ?
1557         SSL_CTX_use_PrivateKey_blob(ctx, key_blob, file_type, key_passwd) :
1558       SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type);
1559       if(cert_use_result != 1) {
1560         failf(data, "unable to set private key file: '%s' type %s",
1561               key_file ? key_file : "(memory blob)",
1562               key_type ? key_type : "PEM");
1563         return 0;
1564       }
1565       break;
1566     case SSL_FILETYPE_ENGINE:
1567 #ifdef USE_OPENSSL_ENGINE
1568     {
1569       EVP_PKEY *priv_key = NULL;
1570 
1571       /* Implicitly use pkcs11 engine if none was provided and the
1572        * key_file is a PKCS#11 URI */
1573       if(!data->state.engine) {
1574         if(is_pkcs11_uri(key_file)) {
1575           if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
1576             return 0;
1577           }
1578         }
1579       }
1580 
1581       if(data->state.engine) {
1582         UI_METHOD *ui_method =
1583           UI_create_method((char *)"curl user interface");
1584         if(!ui_method) {
1585           failf(data, "unable do create " OSSL_PACKAGE
1586                 " user-interface method");
1587           return 0;
1588         }
1589         UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
1590         UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
1591         UI_method_set_reader(ui_method, ssl_ui_reader);
1592         UI_method_set_writer(ui_method, ssl_ui_writer);
1593         priv_key = ENGINE_load_private_key(data->state.engine, key_file,
1594                                            ui_method,
1595                                            key_passwd);
1596         UI_destroy_method(ui_method);
1597         if(!priv_key) {
1598           failf(data, "failed to load private key from crypto engine");
1599           return 0;
1600         }
1601         if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
1602           failf(data, "unable to set private key");
1603           EVP_PKEY_free(priv_key);
1604           return 0;
1605         }
1606         EVP_PKEY_free(priv_key);  /* we do not need the handle any more... */
1607       }
1608       else {
1609         failf(data, "crypto engine not set, cannot load private key");
1610         return 0;
1611       }
1612     }
1613     break;
1614 #else
1615     failf(data, "file type ENG for private key not supported");
1616     return 0;
1617 #endif
1618     case SSL_FILETYPE_PKCS12:
1619       if(!cert_done) {
1620         failf(data, "file type P12 for private key not supported");
1621         return 0;
1622       }
1623       break;
1624     default:
1625       failf(data, "not supported file type for private key");
1626       return 0;
1627     }
1628 
1629     ssl = SSL_new(ctx);
1630     if(!ssl) {
1631       failf(data, "unable to create an SSL structure");
1632       return 0;
1633     }
1634 
1635     x509 = SSL_get_certificate(ssl);
1636 
1637     /* This version was provided by Evan Jordan and is supposed to not
1638        leak memory as the previous version: */
1639     if(x509) {
1640       EVP_PKEY *pktmp = X509_get_pubkey(x509);
1641       EVP_PKEY_copy_parameters(pktmp, SSL_get_privatekey(ssl));
1642       EVP_PKEY_free(pktmp);
1643     }
1644 
1645 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_IS_BORINGSSL) &&       \
1646   !defined(OPENSSL_NO_DEPRECATED_3_0)
1647     {
1648       /* If RSA is used, do not check the private key if its flags indicate
1649        * it does not support it. */
1650       EVP_PKEY *priv_key = SSL_get_privatekey(ssl);
1651       int pktype;
1652 #ifdef HAVE_OPAQUE_EVP_PKEY
1653       pktype = EVP_PKEY_id(priv_key);
1654 #else
1655       pktype = priv_key->type;
1656 #endif
1657       if(pktype == EVP_PKEY_RSA) {
1658         RSA *rsa = EVP_PKEY_get1_RSA(priv_key);
1659         if(RSA_flags(rsa) & RSA_METHOD_FLAG_NO_CHECK)
1660           check_privkey = FALSE;
1661         RSA_free(rsa); /* Decrement reference count */
1662       }
1663     }
1664 #endif
1665 
1666     SSL_free(ssl);
1667 
1668     /* If we are using DSA, we can copy the parameters from
1669      * the private key */
1670 
1671     if(check_privkey == TRUE) {
1672       /* Now we know that a key and cert have been set against
1673        * the SSL context */
1674       if(!SSL_CTX_check_private_key(ctx)) {
1675         failf(data, "Private key does not match the certificate public key");
1676         return 0;
1677       }
1678     }
1679   }
1680   return 1;
1681 }
1682 
1683 /* returns non-zero on failure */
x509_name_oneline(X509_NAME * a,struct dynbuf * d)1684 static CURLcode x509_name_oneline(X509_NAME *a, struct dynbuf *d)
1685 {
1686   BIO *bio_out = BIO_new(BIO_s_mem());
1687   BUF_MEM *biomem;
1688   int rc;
1689   CURLcode result = CURLE_OUT_OF_MEMORY;
1690 
1691   if(bio_out) {
1692     Curl_dyn_reset(d);
1693     rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
1694     if(rc != -1) {
1695       BIO_get_mem_ptr(bio_out, &biomem);
1696       result = Curl_dyn_addn(d, biomem->data, biomem->length);
1697       BIO_free(bio_out);
1698     }
1699   }
1700   return result;
1701 }
1702 
1703 /**
1704  * Global SSL init
1705  *
1706  * @retval 0 error initializing SSL
1707  * @retval 1 SSL initialized successfully
1708  */
ossl_init(void)1709 static int ossl_init(void)
1710 {
1711 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) &&  \
1712   (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
1713   const uint64_t flags =
1714 #ifdef OPENSSL_INIT_ENGINE_ALL_BUILTIN
1715     /* not present in BoringSSL */
1716     OPENSSL_INIT_ENGINE_ALL_BUILTIN |
1717 #endif
1718 #ifdef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
1719     OPENSSL_INIT_NO_LOAD_CONFIG |
1720 #else
1721     OPENSSL_INIT_LOAD_CONFIG |
1722 #endif
1723     0;
1724   OPENSSL_init_ssl(flags, NULL);
1725 #else
1726   OPENSSL_load_builtin_modules();
1727 
1728 #ifdef USE_OPENSSL_ENGINE
1729   ENGINE_load_builtin_engines();
1730 #endif
1731 
1732 /* CONF_MFLAGS_DEFAULT_SECTION was introduced some time between 0.9.8b and
1733    0.9.8e */
1734 #ifndef CONF_MFLAGS_DEFAULT_SECTION
1735 #define CONF_MFLAGS_DEFAULT_SECTION 0x0
1736 #endif
1737 
1738 #ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
1739   CONF_modules_load_file(NULL, NULL,
1740                          CONF_MFLAGS_DEFAULT_SECTION|
1741                          CONF_MFLAGS_IGNORE_MISSING_FILE);
1742 #endif
1743 
1744   /* Let's get nice error messages */
1745   SSL_load_error_strings();
1746 
1747   /* Init the global ciphers and digests */
1748   if(!SSLeay_add_ssl_algorithms())
1749     return 0;
1750 
1751   OpenSSL_add_all_algorithms();
1752 #endif
1753 
1754   Curl_tls_keylog_open();
1755 
1756   return 1;
1757 }
1758 
1759 /* Global cleanup */
ossl_cleanup(void)1760 static void ossl_cleanup(void)
1761 {
1762 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) &&  \
1763   (!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x2070000fL)
1764   /* OpenSSL 1.1 deprecates all these cleanup functions and
1765      turns them into no-ops in OpenSSL 1.0 compatibility mode */
1766 #else
1767   /* Free ciphers and digests lists */
1768   EVP_cleanup();
1769 
1770 #ifdef USE_OPENSSL_ENGINE
1771   /* Free engine list */
1772   ENGINE_cleanup();
1773 #endif
1774 
1775   /* Free OpenSSL error strings */
1776   ERR_free_strings();
1777 
1778   /* Free thread local error state, destroying hash upon zero refcount */
1779 #ifdef HAVE_ERR_REMOVE_THREAD_STATE
1780   ERR_remove_thread_state(NULL);
1781 #else
1782   ERR_remove_state(0);
1783 #endif
1784 
1785   /* Free all memory allocated by all configuration modules */
1786   CONF_modules_free();
1787 
1788 #ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
1789   SSL_COMP_free_compression_methods();
1790 #endif
1791 #endif
1792 
1793   Curl_tls_keylog_close();
1794 }
1795 
1796 /* Selects an OpenSSL crypto engine
1797  */
ossl_set_engine(struct Curl_easy * data,const char * engine)1798 static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
1799 {
1800 #ifdef USE_OPENSSL_ENGINE
1801   ENGINE *e;
1802 
1803 #if OPENSSL_VERSION_NUMBER >= 0x00909000L
1804   e = ENGINE_by_id(engine);
1805 #else
1806   /* avoid memory leak */
1807   for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
1808     const char *e_id = ENGINE_get_id(e);
1809     if(!strcmp(engine, e_id))
1810       break;
1811   }
1812 #endif
1813 
1814   if(!e) {
1815     failf(data, "SSL Engine '%s' not found", engine);
1816     return CURLE_SSL_ENGINE_NOTFOUND;
1817   }
1818 
1819   if(data->state.engine) {
1820     ENGINE_finish(data->state.engine);
1821     ENGINE_free(data->state.engine);
1822     data->state.engine = NULL;
1823   }
1824   if(!ENGINE_init(e)) {
1825     char buf[256];
1826 
1827     ENGINE_free(e);
1828     failf(data, "Failed to initialise SSL Engine '%s': %s",
1829           engine, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
1830     return CURLE_SSL_ENGINE_INITFAILED;
1831   }
1832   data->state.engine = e;
1833   return CURLE_OK;
1834 #else
1835   (void)engine;
1836   failf(data, "SSL Engine not supported");
1837   return CURLE_SSL_ENGINE_NOTFOUND;
1838 #endif
1839 }
1840 
1841 /* Sets engine as default for all SSL operations
1842  */
ossl_set_engine_default(struct Curl_easy * data)1843 static CURLcode ossl_set_engine_default(struct Curl_easy *data)
1844 {
1845 #ifdef USE_OPENSSL_ENGINE
1846   if(data->state.engine) {
1847     if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
1848       infof(data, "set default crypto engine '%s'",
1849             ENGINE_get_id(data->state.engine));
1850     }
1851     else {
1852       failf(data, "set default crypto engine '%s' failed",
1853             ENGINE_get_id(data->state.engine));
1854       return CURLE_SSL_ENGINE_SETFAILED;
1855     }
1856   }
1857 #else
1858   (void) data;
1859 #endif
1860   return CURLE_OK;
1861 }
1862 
1863 /* Return list of OpenSSL crypto engine names.
1864  */
ossl_engines_list(struct Curl_easy * data)1865 static struct curl_slist *ossl_engines_list(struct Curl_easy *data)
1866 {
1867   struct curl_slist *list = NULL;
1868 #ifdef USE_OPENSSL_ENGINE
1869   struct curl_slist *beg;
1870   ENGINE *e;
1871 
1872   for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
1873     beg = curl_slist_append(list, ENGINE_get_id(e));
1874     if(!beg) {
1875       curl_slist_free_all(list);
1876       return NULL;
1877     }
1878     list = beg;
1879   }
1880 #endif
1881   (void) data;
1882   return list;
1883 }
1884 
ossl_shutdown(struct Curl_cfilter * cf,struct Curl_easy * data,bool send_shutdown,bool * done)1885 static CURLcode ossl_shutdown(struct Curl_cfilter *cf,
1886                               struct Curl_easy *data,
1887                               bool send_shutdown, bool *done)
1888 {
1889   struct ssl_connect_data *connssl = cf->ctx;
1890   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
1891   CURLcode result = CURLE_OK;
1892   char buf[1024];
1893   int nread = -1, err;
1894   unsigned long sslerr;
1895   size_t i;
1896 
1897   DEBUGASSERT(octx);
1898   if(!octx->ssl || cf->shutdown) {
1899     *done = TRUE;
1900     goto out;
1901   }
1902 
1903   connssl->io_need = CURL_SSL_IO_NEED_NONE;
1904   *done = FALSE;
1905   if(!(SSL_get_shutdown(octx->ssl) & SSL_SENT_SHUTDOWN)) {
1906     /* We have not started the shutdown from our side yet. Check
1907      * if the server already sent us one. */
1908     ERR_clear_error();
1909     for(i = 0; i < 10; ++i) {
1910       nread = SSL_read(octx->ssl, buf, (int)sizeof(buf));
1911       CURL_TRC_CF(data, cf, "SSL shutdown not sent, read -> %d", nread);
1912       if(nread <= 0)
1913         break;
1914     }
1915     err = SSL_get_error(octx->ssl, nread);
1916     if(!nread && err == SSL_ERROR_ZERO_RETURN) {
1917       bool input_pending;
1918       /* Yes, it did. */
1919       if(!send_shutdown) {
1920         CURL_TRC_CF(data, cf, "SSL shutdown received, not sending");
1921         *done = TRUE;
1922         goto out;
1923       }
1924       else if(!cf->next->cft->is_alive(cf->next, data, &input_pending)) {
1925         /* Server closed the connection after its closy notify. It
1926          * seems not interested to see our close notify, so do not
1927          * send it. We are done. */
1928         connssl->peer_closed = TRUE;
1929         CURL_TRC_CF(data, cf, "peer closed connection");
1930         *done = TRUE;
1931         goto out;
1932       }
1933     }
1934   }
1935 
1936   /* SSL should now have started the shutdown from our side. Since it
1937    * was not complete, we are lacking the close notify from the server. */
1938   if(send_shutdown && !(SSL_get_shutdown(octx->ssl) & SSL_SENT_SHUTDOWN)) {
1939     ERR_clear_error();
1940     CURL_TRC_CF(data, cf, "send SSL close notify");
1941     if(SSL_shutdown(octx->ssl) == 1) {
1942       CURL_TRC_CF(data, cf, "SSL shutdown finished");
1943       *done = TRUE;
1944       goto out;
1945     }
1946     if(SSL_ERROR_WANT_WRITE == SSL_get_error(octx->ssl, nread)) {
1947       CURL_TRC_CF(data, cf, "SSL shutdown still wants to send");
1948       connssl->io_need = CURL_SSL_IO_NEED_SEND;
1949       goto out;
1950     }
1951     /* Having sent the close notify, we use SSL_read() to get the
1952      * missing close notify from the server. */
1953   }
1954 
1955   for(i = 0; i < 10; ++i) {
1956     ERR_clear_error();
1957     nread = SSL_read(octx->ssl, buf, (int)sizeof(buf));
1958     CURL_TRC_CF(data, cf, "SSL shutdown read -> %d", nread);
1959     if(nread <= 0)
1960       break;
1961   }
1962   err = SSL_get_error(octx->ssl, nread);
1963   switch(err) {
1964   case SSL_ERROR_ZERO_RETURN: /* no more data */
1965     if(SSL_shutdown(octx->ssl) == 1)
1966       CURL_TRC_CF(data, cf, "SSL shutdown finished");
1967     else
1968       CURL_TRC_CF(data, cf, "SSL shutdown not received, but closed");
1969     *done = TRUE;
1970     break;
1971   case SSL_ERROR_NONE: /* just did not get anything */
1972   case SSL_ERROR_WANT_READ:
1973     /* SSL has send its notify and now wants to read the reply
1974      * from the server. We are not really interested in that. */
1975     CURL_TRC_CF(data, cf, "SSL shutdown sent, want receive");
1976     connssl->io_need = CURL_SSL_IO_NEED_RECV;
1977     break;
1978   case SSL_ERROR_WANT_WRITE:
1979     CURL_TRC_CF(data, cf, "SSL shutdown send blocked");
1980     connssl->io_need = CURL_SSL_IO_NEED_SEND;
1981     break;
1982   default:
1983     /* Server seems to have closed the connection without sending us
1984      * a close notify. */
1985     sslerr = ERR_get_error();
1986     CURL_TRC_CF(data, cf, "SSL shutdown, ignore recv error: '%s', errno %d",
1987                 (sslerr ?
1988                  ossl_strerror(sslerr, buf, sizeof(buf)) :
1989                  SSL_ERROR_to_str(err)),
1990                 SOCKERRNO);
1991     *done = TRUE;
1992     result = CURLE_OK;
1993     break;
1994   }
1995 
1996 out:
1997   cf->shutdown = (result || *done);
1998   return result;
1999 }
2000 
ossl_close(struct Curl_cfilter * cf,struct Curl_easy * data)2001 static void ossl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
2002 {
2003   struct ssl_connect_data *connssl = cf->ctx;
2004   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
2005 
2006   (void)data;
2007   DEBUGASSERT(octx);
2008 
2009   if(octx->ssl) {
2010     SSL_free(octx->ssl);
2011     octx->ssl = NULL;
2012   }
2013   if(octx->ssl_ctx) {
2014     SSL_CTX_free(octx->ssl_ctx);
2015     octx->ssl_ctx = NULL;
2016     octx->x509_store_setup = FALSE;
2017   }
2018   if(octx->bio_method) {
2019     ossl_bio_cf_method_free(octx->bio_method);
2020     octx->bio_method = NULL;
2021   }
2022 }
2023 
ossl_session_free(void * sessionid,size_t idsize)2024 static void ossl_session_free(void *sessionid, size_t idsize)
2025 {
2026   /* free the ID */
2027   (void)idsize;
2028   free(sessionid);
2029 }
2030 
2031 /*
2032  * This function is called when the 'data' struct is going away. Close
2033  * down everything and free all resources!
2034  */
ossl_close_all(struct Curl_easy * data)2035 static void ossl_close_all(struct Curl_easy *data)
2036 {
2037 #ifdef USE_OPENSSL_ENGINE
2038   if(data->state.engine) {
2039     ENGINE_finish(data->state.engine);
2040     ENGINE_free(data->state.engine);
2041     data->state.engine = NULL;
2042   }
2043 #else
2044   (void)data;
2045 #endif
2046 #if !defined(HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED) &&        \
2047   defined(HAVE_ERR_REMOVE_THREAD_STATE)
2048   /* OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
2049      so we need to clean it here in case the thread will be killed. All OpenSSL
2050      code should extract the error in association with the error so clearing
2051      this queue here should be harmless at worst. */
2052   ERR_remove_thread_state(NULL);
2053 #endif
2054 }
2055 
2056 /* ====================================================== */
2057 
2058 /*
2059  * Match subjectAltName against the hostname.
2060  */
subj_alt_hostcheck(struct Curl_easy * data,const char * match_pattern,size_t matchlen,const char * hostname,size_t hostlen,const char * dispname)2061 static bool subj_alt_hostcheck(struct Curl_easy *data,
2062                                const char *match_pattern,
2063                                size_t matchlen,
2064                                const char *hostname,
2065                                size_t hostlen,
2066                                const char *dispname)
2067 {
2068 #ifdef CURL_DISABLE_VERBOSE_STRINGS
2069   (void)dispname;
2070   (void)data;
2071 #endif
2072   if(Curl_cert_hostcheck(match_pattern, matchlen, hostname, hostlen)) {
2073     infof(data, " subjectAltName: host \"%s\" matched cert's \"%s\"",
2074           dispname, match_pattern);
2075     return TRUE;
2076   }
2077   return FALSE;
2078 }
2079 
2080 /* Quote from RFC2818 section 3.1 "Server Identity"
2081 
2082    If a subjectAltName extension of type dNSName is present, that MUST
2083    be used as the identity. Otherwise, the (most specific) Common Name
2084    field in the Subject field of the certificate MUST be used. Although
2085    the use of the Common Name is existing practice, it is deprecated and
2086    Certification Authorities are encouraged to use the dNSName instead.
2087 
2088    Matching is performed using the matching rules specified by
2089    [RFC2459]. If more than one identity of a given type is present in
2090    the certificate (e.g., more than one dNSName name, a match in any one
2091    of the set is considered acceptable.) Names may contain the wildcard
2092    character * which is considered to match any single domain name
2093    component or component fragment. E.g., *.a.com matches foo.a.com but
2094    not bar.foo.a.com. f*.com matches foo.com but not bar.com.
2095 
2096    In some cases, the URI is specified as an IP address rather than a
2097    hostname. In this case, the iPAddress subjectAltName must be present
2098    in the certificate and must exactly match the IP in the URI.
2099 
2100    This function is now used from ngtcp2 (QUIC) as well.
2101 */
ossl_verifyhost(struct Curl_easy * data,struct connectdata * conn,struct ssl_peer * peer,X509 * server_cert)2102 static CURLcode ossl_verifyhost(struct Curl_easy *data,
2103                                 struct connectdata *conn,
2104                                 struct ssl_peer *peer, X509 *server_cert)
2105 {
2106   bool matched = FALSE;
2107   int target; /* target type, GEN_DNS or GEN_IPADD */
2108   size_t addrlen = 0;
2109   STACK_OF(GENERAL_NAME) *altnames;
2110 #ifdef USE_IPV6
2111   struct in6_addr addr;
2112 #else
2113   struct in_addr addr;
2114 #endif
2115   CURLcode result = CURLE_OK;
2116   bool dNSName = FALSE; /* if a dNSName field exists in the cert */
2117   bool iPAddress = FALSE; /* if an iPAddress field exists in the cert */
2118   size_t hostlen;
2119 
2120   (void)conn;
2121   hostlen = strlen(peer->hostname);
2122   switch(peer->type) {
2123   case CURL_SSL_PEER_IPV4:
2124     if(!Curl_inet_pton(AF_INET, peer->hostname, &addr))
2125       return CURLE_PEER_FAILED_VERIFICATION;
2126     target = GEN_IPADD;
2127     addrlen = sizeof(struct in_addr);
2128     break;
2129 #ifdef USE_IPV6
2130   case CURL_SSL_PEER_IPV6:
2131     if(!Curl_inet_pton(AF_INET6, peer->hostname, &addr))
2132       return CURLE_PEER_FAILED_VERIFICATION;
2133     target = GEN_IPADD;
2134     addrlen = sizeof(struct in6_addr);
2135     break;
2136 #endif
2137   case CURL_SSL_PEER_DNS:
2138     target = GEN_DNS;
2139     break;
2140   default:
2141     DEBUGASSERT(0);
2142     failf(data, "unexpected ssl peer type: %d", peer->type);
2143     return CURLE_PEER_FAILED_VERIFICATION;
2144   }
2145 
2146   /* get a "list" of alternative names */
2147   altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
2148 
2149   if(altnames) {
2150 #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
2151     size_t numalts;
2152     size_t i;
2153 #else
2154     int numalts;
2155     int i;
2156 #endif
2157     bool dnsmatched = FALSE;
2158     bool ipmatched = FALSE;
2159 
2160     /* get amount of alternatives, RFC2459 claims there MUST be at least
2161        one, but we do not depend on it... */
2162     numalts = sk_GENERAL_NAME_num(altnames);
2163 
2164     /* loop through all alternatives - until a dnsmatch */
2165     for(i = 0; (i < numalts) && !dnsmatched; i++) {
2166       /* get a handle to alternative name number i */
2167       const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
2168 
2169       if(check->type == GEN_DNS)
2170         dNSName = TRUE;
2171       else if(check->type == GEN_IPADD)
2172         iPAddress = TRUE;
2173 
2174       /* only check alternatives of the same type the target is */
2175       if(check->type == target) {
2176         /* get data and length */
2177         const char *altptr = (char *)ASN1_STRING_get0_data(check->d.ia5);
2178         size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
2179 
2180         switch(target) {
2181         case GEN_DNS: /* name/pattern comparison */
2182           /* The OpenSSL manpage explicitly says: "In general it cannot be
2183              assumed that the data returned by ASN1_STRING_data() is null
2184              terminated or does not contain embedded nulls." But also that
2185              "The actual format of the data will depend on the actual string
2186              type itself: for example for an IA5String the data will be ASCII"
2187 
2188              It has been however verified that in 0.9.6 and 0.9.7, IA5String
2189              is always null-terminated.
2190           */
2191           if((altlen == strlen(altptr)) &&
2192              /* if this is not true, there was an embedded zero in the name
2193                 string and we cannot match it. */
2194              subj_alt_hostcheck(data, altptr, altlen,
2195                                 peer->hostname, hostlen,
2196                                 peer->dispname)) {
2197             dnsmatched = TRUE;
2198           }
2199           break;
2200 
2201         case GEN_IPADD: /* IP address comparison */
2202           /* compare alternative IP address if the data chunk is the same size
2203              our server IP address is */
2204           if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
2205             ipmatched = TRUE;
2206             infof(data,
2207                   " subjectAltName: host \"%s\" matched cert's IP address!",
2208                   peer->dispname);
2209           }
2210           break;
2211         }
2212       }
2213     }
2214     GENERAL_NAMES_free(altnames);
2215 
2216     if(dnsmatched || ipmatched)
2217       matched = TRUE;
2218   }
2219 
2220   if(matched)
2221     /* an alternative name matched */
2222     ;
2223   else if(dNSName || iPAddress) {
2224     const char *tname = (peer->type == CURL_SSL_PEER_DNS) ? "hostname" :
2225                         (peer->type == CURL_SSL_PEER_IPV4) ?
2226                         "ipv4 address" : "ipv6 address";
2227     infof(data, " subjectAltName does not match %s %s", tname, peer->dispname);
2228     failf(data, "SSL: no alternative certificate subject name matches "
2229           "target %s '%s'", tname, peer->dispname);
2230     result = CURLE_PEER_FAILED_VERIFICATION;
2231   }
2232   else {
2233     /* we have to look to the last occurrence of a commonName in the
2234        distinguished one to get the most significant one. */
2235     int i = -1;
2236     unsigned char *cn = NULL;
2237     int cnlen = 0;
2238     bool free_cn = FALSE;
2239 
2240     /* The following is done because of a bug in 0.9.6b */
2241     X509_NAME *name = X509_get_subject_name(server_cert);
2242     if(name) {
2243       int j;
2244       while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0)
2245         i = j;
2246     }
2247 
2248     /* we have the name entry and we will now convert this to a string
2249        that we can use for comparison. Doing this we support BMPstring,
2250        UTF8, etc. */
2251 
2252     if(i >= 0) {
2253       ASN1_STRING *tmp =
2254         X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
2255 
2256       /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
2257          is already UTF-8 encoded. We check for this case and copy the raw
2258          string manually to avoid the problem. This code can be made
2259          conditional in the future when OpenSSL has been fixed. */
2260       if(tmp) {
2261         if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
2262           cnlen = ASN1_STRING_length(tmp);
2263           cn = (unsigned char *) ASN1_STRING_get0_data(tmp);
2264         }
2265         else { /* not a UTF8 name */
2266           cnlen = ASN1_STRING_to_UTF8(&cn, tmp);
2267           free_cn = TRUE;
2268         }
2269 
2270         if((cnlen <= 0) || !cn)
2271           result = CURLE_OUT_OF_MEMORY;
2272         else if((size_t)cnlen != strlen((char *)cn)) {
2273           /* there was a terminating zero before the end of string, this
2274              cannot match and we return failure! */
2275           failf(data, "SSL: illegal cert name field");
2276           result = CURLE_PEER_FAILED_VERIFICATION;
2277         }
2278       }
2279     }
2280 
2281     if(result)
2282       /* error already detected, pass through */
2283       ;
2284     else if(!cn) {
2285       failf(data,
2286             "SSL: unable to obtain common name from peer certificate");
2287       result = CURLE_PEER_FAILED_VERIFICATION;
2288     }
2289     else if(!Curl_cert_hostcheck((const char *)cn, cnlen,
2290                                  peer->hostname, hostlen)) {
2291       failf(data, "SSL: certificate subject name '%s' does not match "
2292             "target hostname '%s'", cn, peer->dispname);
2293       result = CURLE_PEER_FAILED_VERIFICATION;
2294     }
2295     else {
2296       infof(data, " common name: %s (matched)", cn);
2297     }
2298     if(free_cn)
2299       OPENSSL_free(cn);
2300   }
2301 
2302   return result;
2303 }
2304 
2305 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
2306   !defined(OPENSSL_NO_OCSP)
verifystatus(struct Curl_cfilter * cf,struct Curl_easy * data,struct ossl_ctx * octx)2307 static CURLcode verifystatus(struct Curl_cfilter *cf,
2308                              struct Curl_easy *data,
2309                              struct ossl_ctx *octx)
2310 {
2311   int i, ocsp_status;
2312 #if defined(OPENSSL_IS_AWSLC)
2313   const uint8_t *status;
2314 #else
2315   unsigned char *status;
2316 #endif
2317   const unsigned char *p;
2318   CURLcode result = CURLE_OK;
2319   OCSP_RESPONSE *rsp = NULL;
2320   OCSP_BASICRESP *br = NULL;
2321   X509_STORE     *st = NULL;
2322   STACK_OF(X509) *ch = NULL;
2323   X509 *cert;
2324   OCSP_CERTID *id = NULL;
2325   int cert_status, crl_reason;
2326   ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
2327   int ret;
2328   long len;
2329 
2330   (void)cf;
2331   DEBUGASSERT(octx);
2332 
2333   len = (long)SSL_get_tlsext_status_ocsp_resp(octx->ssl, &status);
2334 
2335   if(!status) {
2336     failf(data, "No OCSP response received");
2337     result = CURLE_SSL_INVALIDCERTSTATUS;
2338     goto end;
2339   }
2340   p = status;
2341   rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
2342   if(!rsp) {
2343     failf(data, "Invalid OCSP response");
2344     result = CURLE_SSL_INVALIDCERTSTATUS;
2345     goto end;
2346   }
2347 
2348   ocsp_status = OCSP_response_status(rsp);
2349   if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
2350     failf(data, "Invalid OCSP response status: %s (%d)",
2351           OCSP_response_status_str(ocsp_status), ocsp_status);
2352     result = CURLE_SSL_INVALIDCERTSTATUS;
2353     goto end;
2354   }
2355 
2356   br = OCSP_response_get1_basic(rsp);
2357   if(!br) {
2358     failf(data, "Invalid OCSP response");
2359     result = CURLE_SSL_INVALIDCERTSTATUS;
2360     goto end;
2361   }
2362 
2363   ch = SSL_get_peer_cert_chain(octx->ssl);
2364   if(!ch) {
2365     failf(data, "Could not get peer certificate chain");
2366     result = CURLE_SSL_INVALIDCERTSTATUS;
2367     goto end;
2368   }
2369   st = SSL_CTX_get_cert_store(octx->ssl_ctx);
2370 
2371 #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
2372      (defined(LIBRESSL_VERSION_NUMBER) &&                               \
2373       LIBRESSL_VERSION_NUMBER <= 0x2040200fL))
2374   /* The authorized responder cert in the OCSP response MUST be signed by the
2375      peer cert's issuer (see RFC6960 section 4.2.2.2). If that is a root cert,
2376      no problem, but if it is an intermediate cert OpenSSL has a bug where it
2377      expects this issuer to be present in the chain embedded in the OCSP
2378      response. So we add it if necessary. */
2379 
2380   /* First make sure the peer cert chain includes both a peer and an issuer,
2381      and the OCSP response contains a responder cert. */
2382   if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
2383     X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
2384 
2385     /* Find issuer of responder cert and add it to the OCSP response chain */
2386     for(i = 0; i < sk_X509_num(ch); i++) {
2387       X509 *issuer = sk_X509_value(ch, i);
2388       if(X509_check_issued(issuer, responder) == X509_V_OK) {
2389         if(!OCSP_basic_add1_cert(br, issuer)) {
2390           failf(data, "Could not add issuer cert to OCSP response");
2391           result = CURLE_SSL_INVALIDCERTSTATUS;
2392           goto end;
2393         }
2394       }
2395     }
2396   }
2397 #endif
2398 
2399   if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
2400     failf(data, "OCSP response verification failed");
2401     result = CURLE_SSL_INVALIDCERTSTATUS;
2402     goto end;
2403   }
2404 
2405   /* Compute the certificate's ID */
2406   cert = SSL_get1_peer_certificate(octx->ssl);
2407   if(!cert) {
2408     failf(data, "Error getting peer certificate");
2409     result = CURLE_SSL_INVALIDCERTSTATUS;
2410     goto end;
2411   }
2412 
2413   for(i = 0; i < (int)sk_X509_num(ch); i++) {
2414     X509 *issuer = sk_X509_value(ch, (ossl_valsize_t)i);
2415     if(X509_check_issued(issuer, cert) == X509_V_OK) {
2416       id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
2417       break;
2418     }
2419   }
2420   X509_free(cert);
2421 
2422   if(!id) {
2423     failf(data, "Error computing OCSP ID");
2424     result = CURLE_SSL_INVALIDCERTSTATUS;
2425     goto end;
2426   }
2427 
2428   /* Find the single OCSP response corresponding to the certificate ID */
2429   ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
2430                               &thisupd, &nextupd);
2431   OCSP_CERTID_free(id);
2432   if(ret != 1) {
2433     failf(data, "Could not find certificate ID in OCSP response");
2434     result = CURLE_SSL_INVALIDCERTSTATUS;
2435     goto end;
2436   }
2437 
2438   /* Validate the corresponding single OCSP response */
2439   if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
2440     failf(data, "OCSP response has expired");
2441     result = CURLE_SSL_INVALIDCERTSTATUS;
2442     goto end;
2443   }
2444 
2445   infof(data, "SSL certificate status: %s (%d)",
2446         OCSP_cert_status_str(cert_status), cert_status);
2447 
2448   switch(cert_status) {
2449   case V_OCSP_CERTSTATUS_GOOD:
2450     break;
2451 
2452   case V_OCSP_CERTSTATUS_REVOKED:
2453     result = CURLE_SSL_INVALIDCERTSTATUS;
2454     failf(data, "SSL certificate revocation reason: %s (%d)",
2455           OCSP_crl_reason_str(crl_reason), crl_reason);
2456     goto end;
2457 
2458   case V_OCSP_CERTSTATUS_UNKNOWN:
2459   default:
2460     result = CURLE_SSL_INVALIDCERTSTATUS;
2461     goto end;
2462   }
2463 
2464 end:
2465   if(br)
2466     OCSP_BASICRESP_free(br);
2467   OCSP_RESPONSE_free(rsp);
2468 
2469   return result;
2470 }
2471 #endif
2472 
2473 #endif /* USE_OPENSSL */
2474 
2475 /* The SSL_CTRL_SET_MSG_CALLBACK does not exist in ancient OpenSSL versions
2476    and thus this cannot be done there. */
2477 #ifdef SSL_CTRL_SET_MSG_CALLBACK
2478 
ssl_msg_type(int ssl_ver,int msg)2479 static const char *ssl_msg_type(int ssl_ver, int msg)
2480 {
2481 #ifdef SSL2_VERSION_MAJOR
2482   if(ssl_ver == SSL2_VERSION_MAJOR) {
2483     switch(msg) {
2484     case SSL2_MT_ERROR:
2485       return "Error";
2486     case SSL2_MT_CLIENT_HELLO:
2487       return "Client hello";
2488     case SSL2_MT_CLIENT_MASTER_KEY:
2489       return "Client key";
2490     case SSL2_MT_CLIENT_FINISHED:
2491       return "Client finished";
2492     case SSL2_MT_SERVER_HELLO:
2493       return "Server hello";
2494     case SSL2_MT_SERVER_VERIFY:
2495       return "Server verify";
2496     case SSL2_MT_SERVER_FINISHED:
2497       return "Server finished";
2498     case SSL2_MT_REQUEST_CERTIFICATE:
2499       return "Request CERT";
2500     case SSL2_MT_CLIENT_CERTIFICATE:
2501       return "Client CERT";
2502     }
2503   }
2504   else
2505 #endif
2506   if(ssl_ver == SSL3_VERSION_MAJOR) {
2507     switch(msg) {
2508     case SSL3_MT_HELLO_REQUEST:
2509       return "Hello request";
2510     case SSL3_MT_CLIENT_HELLO:
2511       return "Client hello";
2512     case SSL3_MT_SERVER_HELLO:
2513       return "Server hello";
2514 #ifdef SSL3_MT_NEWSESSION_TICKET
2515     case SSL3_MT_NEWSESSION_TICKET:
2516       return "Newsession Ticket";
2517 #endif
2518     case SSL3_MT_CERTIFICATE:
2519       return "Certificate";
2520     case SSL3_MT_SERVER_KEY_EXCHANGE:
2521       return "Server key exchange";
2522     case SSL3_MT_CLIENT_KEY_EXCHANGE:
2523       return "Client key exchange";
2524     case SSL3_MT_CERTIFICATE_REQUEST:
2525       return "Request CERT";
2526     case SSL3_MT_SERVER_DONE:
2527       return "Server finished";
2528     case SSL3_MT_CERTIFICATE_VERIFY:
2529       return "CERT verify";
2530     case SSL3_MT_FINISHED:
2531       return "Finished";
2532 #ifdef SSL3_MT_CERTIFICATE_STATUS
2533     case SSL3_MT_CERTIFICATE_STATUS:
2534       return "Certificate Status";
2535 #endif
2536 #ifdef SSL3_MT_ENCRYPTED_EXTENSIONS
2537     case SSL3_MT_ENCRYPTED_EXTENSIONS:
2538       return "Encrypted Extensions";
2539 #endif
2540 #ifdef SSL3_MT_SUPPLEMENTAL_DATA
2541     case SSL3_MT_SUPPLEMENTAL_DATA:
2542       return "Supplemental data";
2543 #endif
2544 #ifdef SSL3_MT_END_OF_EARLY_DATA
2545     case SSL3_MT_END_OF_EARLY_DATA:
2546       return "End of early data";
2547 #endif
2548 #ifdef SSL3_MT_KEY_UPDATE
2549     case SSL3_MT_KEY_UPDATE:
2550       return "Key update";
2551 #endif
2552 #ifdef SSL3_MT_NEXT_PROTO
2553     case SSL3_MT_NEXT_PROTO:
2554       return "Next protocol";
2555 #endif
2556 #ifdef SSL3_MT_MESSAGE_HASH
2557     case SSL3_MT_MESSAGE_HASH:
2558       return "Message hash";
2559 #endif
2560     }
2561   }
2562   return "Unknown";
2563 }
2564 
tls_rt_type(int type)2565 static const char *tls_rt_type(int type)
2566 {
2567   switch(type) {
2568 #ifdef SSL3_RT_HEADER
2569   case SSL3_RT_HEADER:
2570     return "TLS header";
2571 #endif
2572   case SSL3_RT_CHANGE_CIPHER_SPEC:
2573     return "TLS change cipher";
2574   case SSL3_RT_ALERT:
2575     return "TLS alert";
2576   case SSL3_RT_HANDSHAKE:
2577     return "TLS handshake";
2578   case SSL3_RT_APPLICATION_DATA:
2579     return "TLS app data";
2580   default:
2581     return "TLS Unknown";
2582   }
2583 }
2584 
2585 /*
2586  * Our callback from the SSL/TLS layers.
2587  */
ossl_trace(int direction,int ssl_ver,int content_type,const void * buf,size_t len,SSL * ssl,void * userp)2588 static void ossl_trace(int direction, int ssl_ver, int content_type,
2589                        const void *buf, size_t len, SSL *ssl,
2590                        void *userp)
2591 {
2592   const char *verstr = "???";
2593   struct Curl_cfilter *cf = userp;
2594   struct Curl_easy *data = NULL;
2595   char unknown[32];
2596 
2597   if(!cf)
2598     return;
2599   data = CF_DATA_CURRENT(cf);
2600   if(!data || !data->set.fdebug || (direction && direction != 1))
2601     return;
2602 
2603   switch(ssl_ver) {
2604 #ifdef SSL2_VERSION /* removed in recent versions */
2605   case SSL2_VERSION:
2606     verstr = "SSLv2";
2607     break;
2608 #endif
2609 #ifdef SSL3_VERSION
2610   case SSL3_VERSION:
2611     verstr = "SSLv3";
2612     break;
2613 #endif
2614   case TLS1_VERSION:
2615     verstr = "TLSv1.0";
2616     break;
2617 #ifdef TLS1_1_VERSION
2618   case TLS1_1_VERSION:
2619     verstr = "TLSv1.1";
2620     break;
2621 #endif
2622 #ifdef TLS1_2_VERSION
2623   case TLS1_2_VERSION:
2624     verstr = "TLSv1.2";
2625     break;
2626 #endif
2627 #ifdef TLS1_3_VERSION
2628   case TLS1_3_VERSION:
2629     verstr = "TLSv1.3";
2630     break;
2631 #endif
2632   case 0:
2633     break;
2634   default:
2635     msnprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
2636     verstr = unknown;
2637     break;
2638   }
2639 
2640   /* Log progress for interesting records only (like Handshake or Alert), skip
2641    * all raw record headers (content_type == SSL3_RT_HEADER or ssl_ver == 0).
2642    * For TLS 1.3, skip notification of the decrypted inner Content-Type.
2643    */
2644   if(ssl_ver
2645 #ifdef SSL3_RT_HEADER
2646      && content_type != SSL3_RT_HEADER
2647 #endif
2648 #ifdef SSL3_RT_INNER_CONTENT_TYPE
2649      && content_type != SSL3_RT_INNER_CONTENT_TYPE
2650 #endif
2651     ) {
2652     const char *msg_name, *tls_rt_name;
2653     char ssl_buf[1024];
2654     int msg_type, txt_len;
2655 
2656     /* the info given when the version is zero is not that useful for us */
2657 
2658     ssl_ver >>= 8; /* check the upper 8 bits only below */
2659 
2660     /* SSLv2 does not seem to have TLS record-type headers, so OpenSSL
2661      * always pass-up content-type as 0. But the interesting message-type
2662      * is at 'buf[0]'.
2663      */
2664     if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
2665       tls_rt_name = tls_rt_type(content_type);
2666     else
2667       tls_rt_name = "";
2668 
2669     if(content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
2670       msg_type = *(char *)buf;
2671       msg_name = "Change cipher spec";
2672     }
2673     else if(content_type == SSL3_RT_ALERT) {
2674       msg_type = (((char *)buf)[0] << 8) + ((char *)buf)[1];
2675       msg_name = SSL_alert_desc_string_long(msg_type);
2676     }
2677     else {
2678       msg_type = *(char *)buf;
2679       msg_name = ssl_msg_type(ssl_ver, msg_type);
2680     }
2681 
2682     txt_len = msnprintf(ssl_buf, sizeof(ssl_buf),
2683                         "%s (%s), %s, %s (%d):\n",
2684                         verstr, direction ? "OUT" : "IN",
2685                         tls_rt_name, msg_name, msg_type);
2686     Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len);
2687   }
2688 
2689   Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
2690              CURLINFO_SSL_DATA_IN, (char *)buf, len);
2691   (void) ssl;
2692 }
2693 #endif
2694 
2695 #ifdef USE_OPENSSL
2696 /* ====================================================== */
2697 
2698 /* Check for OpenSSL 1.0.2 which has ALPN support. */
2699 #undef HAS_ALPN
2700 #if OPENSSL_VERSION_NUMBER >= 0x10002000L       \
2701   && !defined(OPENSSL_NO_TLSEXT)
2702 #  define HAS_ALPN 1
2703 #endif
2704 
2705 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
2706 static CURLcode
ossl_set_ssl_version_min_max(struct Curl_cfilter * cf,SSL_CTX * ctx)2707 ossl_set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx)
2708 {
2709   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
2710   /* first, TLS min version... */
2711   long curl_ssl_version_min = conn_config->version;
2712   long curl_ssl_version_max;
2713 
2714   /* convert curl min SSL version option to OpenSSL constant */
2715 #if (defined(OPENSSL_IS_BORINGSSL)  || \
2716      defined(OPENSSL_IS_AWSLC)      || \
2717      defined(LIBRESSL_VERSION_NUMBER))
2718   uint16_t ossl_ssl_version_min = 0;
2719   uint16_t ossl_ssl_version_max = 0;
2720 #else
2721   long ossl_ssl_version_min = 0;
2722   long ossl_ssl_version_max = 0;
2723 #endif
2724   switch(curl_ssl_version_min) {
2725   case CURL_SSLVERSION_TLSv1: /* TLS 1.x */
2726   case CURL_SSLVERSION_TLSv1_0:
2727     ossl_ssl_version_min = TLS1_VERSION;
2728     break;
2729   case CURL_SSLVERSION_TLSv1_1:
2730     ossl_ssl_version_min = TLS1_1_VERSION;
2731     break;
2732   case CURL_SSLVERSION_TLSv1_2:
2733     ossl_ssl_version_min = TLS1_2_VERSION;
2734     break;
2735   case CURL_SSLVERSION_TLSv1_3:
2736 #ifdef TLS1_3_VERSION
2737     ossl_ssl_version_min = TLS1_3_VERSION;
2738     break;
2739 #else
2740     return CURLE_NOT_BUILT_IN;
2741 #endif
2742   }
2743 
2744   /* CURL_SSLVERSION_DEFAULT means that no option was selected.
2745      We do not want to pass 0 to SSL_CTX_set_min_proto_version as
2746      it would enable all versions down to the lowest supported by
2747      the library.
2748      So we skip this, and stay with the library default
2749   */
2750   if(curl_ssl_version_min != CURL_SSLVERSION_DEFAULT) {
2751     if(!SSL_CTX_set_min_proto_version(ctx, ossl_ssl_version_min)) {
2752       return CURLE_SSL_CONNECT_ERROR;
2753     }
2754   }
2755 
2756   /* ... then, TLS max version */
2757   curl_ssl_version_max = (long)conn_config->version_max;
2758 
2759   /* convert curl max SSL version option to OpenSSL constant */
2760   switch(curl_ssl_version_max) {
2761   case CURL_SSLVERSION_MAX_TLSv1_0:
2762     ossl_ssl_version_max = TLS1_VERSION;
2763     break;
2764   case CURL_SSLVERSION_MAX_TLSv1_1:
2765     ossl_ssl_version_max = TLS1_1_VERSION;
2766     break;
2767   case CURL_SSLVERSION_MAX_TLSv1_2:
2768     ossl_ssl_version_max = TLS1_2_VERSION;
2769     break;
2770 #ifdef TLS1_3_VERSION
2771   case CURL_SSLVERSION_MAX_TLSv1_3:
2772     ossl_ssl_version_max = TLS1_3_VERSION;
2773     break;
2774 #endif
2775   case CURL_SSLVERSION_MAX_NONE:  /* none selected */
2776   case CURL_SSLVERSION_MAX_DEFAULT:  /* max selected */
2777   default:
2778     /* SSL_CTX_set_max_proto_version states that:
2779        setting the maximum to 0 will enable
2780        protocol versions up to the highest version
2781        supported by the library */
2782     ossl_ssl_version_max = 0;
2783     break;
2784   }
2785 
2786   if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
2787     return CURLE_SSL_CONNECT_ERROR;
2788   }
2789 
2790   return CURLE_OK;
2791 }
2792 #endif
2793 
2794 #if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
2795 typedef uint32_t ctx_option_t;
2796 #elif OPENSSL_VERSION_NUMBER >= 0x30000000L
2797 typedef uint64_t ctx_option_t;
2798 #elif OPENSSL_VERSION_NUMBER >= 0x10100000L && \
2799   !defined(LIBRESSL_VERSION_NUMBER)
2800 typedef unsigned long ctx_option_t;
2801 #else
2802 typedef long ctx_option_t;
2803 #endif
2804 
2805 #if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */
2806 static CURLcode
ossl_set_ssl_version_min_max_legacy(ctx_option_t * ctx_options,struct Curl_cfilter * cf,struct Curl_easy * data)2807 ossl_set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
2808                                     struct Curl_cfilter *cf,
2809                                     struct Curl_easy *data)
2810 {
2811   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
2812   long ssl_version = conn_config->version;
2813   long ssl_version_max = conn_config->version_max;
2814 
2815   (void) data; /* In case it is unused. */
2816 
2817   switch(ssl_version) {
2818   case CURL_SSLVERSION_TLSv1_3:
2819 #ifdef TLS1_3_VERSION
2820   {
2821     struct ssl_connect_data *connssl = cf->ctx;
2822     struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
2823     DEBUGASSERT(octx);
2824     SSL_CTX_set_max_proto_version(octx->ssl_ctx, TLS1_3_VERSION);
2825     *ctx_options |= SSL_OP_NO_TLSv1_2;
2826   }
2827 #else
2828   (void)ctx_options;
2829   failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
2830   return CURLE_NOT_BUILT_IN;
2831 #endif
2832   FALLTHROUGH();
2833   case CURL_SSLVERSION_TLSv1_2:
2834 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2835     *ctx_options |= SSL_OP_NO_TLSv1_1;
2836 #else
2837     failf(data, OSSL_PACKAGE " was built without TLS 1.2 support");
2838     return CURLE_NOT_BUILT_IN;
2839 #endif
2840     FALLTHROUGH();
2841   case CURL_SSLVERSION_TLSv1_1:
2842 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2843     *ctx_options |= SSL_OP_NO_TLSv1;
2844 #else
2845     failf(data, OSSL_PACKAGE " was built without TLS 1.1 support");
2846     return CURLE_NOT_BUILT_IN;
2847 #endif
2848     FALLTHROUGH();
2849   case CURL_SSLVERSION_TLSv1_0:
2850   case CURL_SSLVERSION_TLSv1:
2851     break;
2852   }
2853 
2854   switch(ssl_version_max) {
2855   case CURL_SSLVERSION_MAX_TLSv1_0:
2856 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2857     *ctx_options |= SSL_OP_NO_TLSv1_1;
2858 #endif
2859     FALLTHROUGH();
2860   case CURL_SSLVERSION_MAX_TLSv1_1:
2861 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2862     *ctx_options |= SSL_OP_NO_TLSv1_2;
2863 #endif
2864     FALLTHROUGH();
2865   case CURL_SSLVERSION_MAX_TLSv1_2:
2866 #ifdef TLS1_3_VERSION
2867     *ctx_options |= SSL_OP_NO_TLSv1_3;
2868 #endif
2869     break;
2870   case CURL_SSLVERSION_MAX_TLSv1_3:
2871 #ifdef TLS1_3_VERSION
2872     break;
2873 #else
2874     failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
2875     return CURLE_NOT_BUILT_IN;
2876 #endif
2877   }
2878   return CURLE_OK;
2879 }
2880 #endif
2881 
Curl_ossl_add_session(struct Curl_cfilter * cf,struct Curl_easy * data,const struct ssl_peer * peer,SSL_SESSION * session)2882 CURLcode Curl_ossl_add_session(struct Curl_cfilter *cf,
2883                                struct Curl_easy *data,
2884                                const struct ssl_peer *peer,
2885                                SSL_SESSION *session)
2886 {
2887   const struct ssl_config_data *config;
2888   CURLcode result = CURLE_OK;
2889   size_t der_session_size;
2890   unsigned char *der_session_buf;
2891   unsigned char *der_session_ptr;
2892 
2893   if(!cf || !data)
2894     goto out;
2895 
2896   config = Curl_ssl_cf_get_config(cf, data);
2897   if(config->primary.cache_session) {
2898 
2899     der_session_size = i2d_SSL_SESSION(session, NULL);
2900     if(der_session_size == 0) {
2901       result = CURLE_OUT_OF_MEMORY;
2902       goto out;
2903     }
2904 
2905     der_session_buf = der_session_ptr = malloc(der_session_size);
2906     if(!der_session_buf) {
2907       result = CURLE_OUT_OF_MEMORY;
2908       goto out;
2909     }
2910 
2911     der_session_size = i2d_SSL_SESSION(session, &der_session_ptr);
2912     if(der_session_size == 0) {
2913       result = CURLE_OUT_OF_MEMORY;
2914       free(der_session_buf);
2915       goto out;
2916     }
2917 
2918     Curl_ssl_sessionid_lock(data);
2919     result = Curl_ssl_set_sessionid(cf, data, peer, NULL, der_session_buf,
2920                                     der_session_size, ossl_session_free);
2921     Curl_ssl_sessionid_unlock(data);
2922   }
2923 
2924 out:
2925   return result;
2926 }
2927 
2928 /* The "new session" callback must return zero if the session can be removed
2929  * or non-zero if the session has been put into the session cache.
2930  */
ossl_new_session_cb(SSL * ssl,SSL_SESSION * ssl_sessionid)2931 static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
2932 {
2933   struct Curl_cfilter *cf;
2934   struct Curl_easy *data;
2935   struct ssl_connect_data *connssl;
2936 
2937   cf = (struct Curl_cfilter*) SSL_get_app_data(ssl);
2938   connssl = cf ? cf->ctx : NULL;
2939   data = connssl ? CF_DATA_CURRENT(cf) : NULL;
2940   Curl_ossl_add_session(cf, data, &connssl->peer, ssl_sessionid);
2941   return 0;
2942 }
2943 
load_cacert_from_memory(X509_STORE * store,const struct curl_blob * ca_info_blob)2944 static CURLcode load_cacert_from_memory(X509_STORE *store,
2945                                         const struct curl_blob *ca_info_blob)
2946 {
2947   /* these need to be freed at the end */
2948   BIO *cbio = NULL;
2949   STACK_OF(X509_INFO) *inf = NULL;
2950 
2951   /* everything else is just a reference */
2952   int i, count = 0;
2953   X509_INFO *itmp = NULL;
2954 
2955   if(ca_info_blob->len > (size_t)INT_MAX)
2956     return CURLE_SSL_CACERT_BADFILE;
2957 
2958   cbio = BIO_new_mem_buf(ca_info_blob->data, (int)ca_info_blob->len);
2959   if(!cbio)
2960     return CURLE_OUT_OF_MEMORY;
2961 
2962   inf = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL);
2963   if(!inf) {
2964     BIO_free(cbio);
2965     return CURLE_SSL_CACERT_BADFILE;
2966   }
2967 
2968   /* add each entry from PEM file to x509_store */
2969   for(i = 0; i < (int)sk_X509_INFO_num(inf); ++i) {
2970     itmp = sk_X509_INFO_value(inf, (ossl_valsize_t)i);
2971     if(itmp->x509) {
2972       if(X509_STORE_add_cert(store, itmp->x509)) {
2973         ++count;
2974       }
2975       else {
2976         /* set count to 0 to return an error */
2977         count = 0;
2978         break;
2979       }
2980     }
2981     if(itmp->crl) {
2982       if(X509_STORE_add_crl(store, itmp->crl)) {
2983         ++count;
2984       }
2985       else {
2986         /* set count to 0 to return an error */
2987         count = 0;
2988         break;
2989       }
2990     }
2991   }
2992 
2993   sk_X509_INFO_pop_free(inf, X509_INFO_free);
2994   BIO_free(cbio);
2995 
2996   /* if we did not end up importing anything, treat that as an error */
2997   return (count > 0) ? CURLE_OK : CURLE_SSL_CACERT_BADFILE;
2998 }
2999 
3000 #if defined(USE_WIN32_CRYPTO)
import_windows_cert_store(struct Curl_easy * data,const char * name,X509_STORE * store,bool * imported)3001 static CURLcode import_windows_cert_store(struct Curl_easy *data,
3002                                           const char *name,
3003                                           X509_STORE *store,
3004                                           bool *imported)
3005 {
3006   CURLcode result = CURLE_OK;
3007   HCERTSTORE hStore;
3008 
3009   *imported = FALSE;
3010 
3011   hStore = CertOpenSystemStoreA(0, name);
3012   if(hStore) {
3013     PCCERT_CONTEXT pContext = NULL;
3014     /* The array of enhanced key usage OIDs will vary per certificate and
3015        is declared outside of the loop so that rather than malloc/free each
3016        iteration we can grow it with realloc, when necessary. */
3017     CERT_ENHKEY_USAGE *enhkey_usage = NULL;
3018     DWORD enhkey_usage_size = 0;
3019 
3020     /* This loop makes a best effort to import all valid certificates from
3021        the MS root store. If a certificate cannot be imported it is
3022        skipped. 'result' is used to store only hard-fail conditions (such
3023        as out of memory) that cause an early break. */
3024     result = CURLE_OK;
3025     for(;;) {
3026       X509 *x509;
3027       FILETIME now;
3028       BYTE key_usage[2];
3029       DWORD req_size;
3030       const unsigned char *encoded_cert;
3031       pContext = CertEnumCertificatesInStore(hStore, pContext);
3032       if(!pContext)
3033         break;
3034 
3035 #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
3036       else {
3037         char cert_name[256];
3038         if(!CertGetNameStringA(pContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0,
3039                                NULL, cert_name, sizeof(cert_name)))
3040           infof(data, "SSL: unknown cert name");
3041         else
3042           infof(data, "SSL: Checking cert \"%s\"", cert_name);
3043       }
3044 #endif
3045       encoded_cert = (const unsigned char *)pContext->pbCertEncoded;
3046       if(!encoded_cert)
3047         continue;
3048 
3049       GetSystemTimeAsFileTime(&now);
3050       if(CompareFileTime(&pContext->pCertInfo->NotBefore, &now) > 0 ||
3051          CompareFileTime(&now, &pContext->pCertInfo->NotAfter) > 0)
3052         continue;
3053 
3054       /* If key usage exists check for signing attribute */
3055       if(CertGetIntendedKeyUsage(pContext->dwCertEncodingType,
3056                                  pContext->pCertInfo,
3057                                  key_usage, sizeof(key_usage))) {
3058         if(!(key_usage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE))
3059           continue;
3060       }
3061       else if(GetLastError())
3062         continue;
3063 
3064       /* If enhanced key usage exists check for server auth attribute.
3065        *
3066        * Note "In a Microsoft environment, a certificate might also have
3067        * EKU extended properties that specify valid uses for the
3068        * certificate."  The call below checks both, and behavior varies
3069        * depending on what is found. For more details see
3070        * CertGetEnhancedKeyUsage doc.
3071        */
3072       if(CertGetEnhancedKeyUsage(pContext, 0, NULL, &req_size)) {
3073         if(req_size && req_size > enhkey_usage_size) {
3074           void *tmp = realloc(enhkey_usage, req_size);
3075 
3076           if(!tmp) {
3077             failf(data, "SSL: Out of memory allocating for OID list");
3078             result = CURLE_OUT_OF_MEMORY;
3079             break;
3080           }
3081 
3082           enhkey_usage = (CERT_ENHKEY_USAGE *)tmp;
3083           enhkey_usage_size = req_size;
3084         }
3085 
3086         if(CertGetEnhancedKeyUsage(pContext, 0, enhkey_usage, &req_size)) {
3087           if(!enhkey_usage->cUsageIdentifier) {
3088             /* "If GetLastError returns CRYPT_E_NOT_FOUND, the certificate
3089                is good for all uses. If it returns zero, the certificate
3090                has no valid uses." */
3091             if((HRESULT)GetLastError() != CRYPT_E_NOT_FOUND)
3092               continue;
3093           }
3094           else {
3095             DWORD i;
3096             bool found = FALSE;
3097 
3098             for(i = 0; i < enhkey_usage->cUsageIdentifier; ++i) {
3099               if(!strcmp("1.3.6.1.5.5.7.3.1" /* OID server auth */,
3100                          enhkey_usage->rgpszUsageIdentifier[i])) {
3101                 found = TRUE;
3102                 break;
3103               }
3104             }
3105 
3106             if(!found)
3107               continue;
3108           }
3109         }
3110         else
3111           continue;
3112       }
3113       else
3114         continue;
3115 
3116       x509 = d2i_X509(NULL, &encoded_cert, (long)pContext->cbCertEncoded);
3117       if(!x509)
3118         continue;
3119 
3120       /* Try to import the certificate. This may fail for legitimate
3121          reasons such as duplicate certificate, which is allowed by MS but
3122          not OpenSSL. */
3123       if(X509_STORE_add_cert(store, x509) == 1) {
3124 #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
3125         infof(data, "SSL: Imported cert");
3126 #endif
3127         *imported = TRUE;
3128       }
3129       X509_free(x509);
3130     }
3131 
3132     free(enhkey_usage);
3133     CertFreeCertificateContext(pContext);
3134     CertCloseStore(hStore, 0);
3135 
3136     if(result)
3137       return result;
3138   }
3139 
3140   return result;
3141 }
3142 #endif
3143 
populate_x509_store(struct Curl_cfilter * cf,struct Curl_easy * data,X509_STORE * store)3144 static CURLcode populate_x509_store(struct Curl_cfilter *cf,
3145                                     struct Curl_easy *data,
3146                                     X509_STORE *store)
3147 {
3148   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3149   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3150   CURLcode result = CURLE_OK;
3151   X509_LOOKUP *lookup = NULL;
3152   const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
3153   const char * const ssl_cafile =
3154     /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
3155     (ca_info_blob ? NULL : conn_config->CAfile);
3156   const char * const ssl_capath = conn_config->CApath;
3157   const char * const ssl_crlfile = ssl_config->primary.CRLfile;
3158   const bool verifypeer = conn_config->verifypeer;
3159   bool imported_native_ca = FALSE;
3160   bool imported_ca_info_blob = FALSE;
3161 
3162   CURL_TRC_CF(data, cf, "populate_x509_store, path=%s, blob=%d",
3163               ssl_cafile ? ssl_cafile : "none", !!ca_info_blob);
3164   if(!store)
3165     return CURLE_OUT_OF_MEMORY;
3166 
3167   if(verifypeer) {
3168 #if defined(USE_WIN32_CRYPTO)
3169     /* Import certificates from the Windows root certificate store if
3170        requested.
3171        https://stackoverflow.com/questions/9507184/
3172        https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L1037
3173        https://datatracker.ietf.org/doc/html/rfc5280 */
3174     if(ssl_config->native_ca_store) {
3175       const char *storeNames[] = {
3176         "ROOT",   /* Trusted Root Certification Authorities */
3177         "CA"      /* Intermediate Certification Authorities */
3178       };
3179       size_t i;
3180       for(i = 0; i < ARRAYSIZE(storeNames); ++i) {
3181         bool imported = FALSE;
3182         result = import_windows_cert_store(data, storeNames[i], store,
3183                                            &imported);
3184         if(result)
3185           return result;
3186         if(imported) {
3187           infof(data, "successfully imported Windows %s store", storeNames[i]);
3188           imported_native_ca = TRUE;
3189         }
3190         else
3191           infof(data, "error importing Windows %s store, continuing anyway",
3192                 storeNames[i]);
3193       }
3194     }
3195 #endif
3196     if(ca_info_blob) {
3197       result = load_cacert_from_memory(store, ca_info_blob);
3198       if(result) {
3199         failf(data, "error importing CA certificate blob");
3200         return result;
3201       }
3202       else {
3203         imported_ca_info_blob = TRUE;
3204         infof(data, "successfully imported CA certificate blob");
3205       }
3206     }
3207 
3208     if(ssl_cafile || ssl_capath) {
3209 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
3210       /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */
3211       if(ssl_cafile && !X509_STORE_load_file(store, ssl_cafile)) {
3212         if(!imported_native_ca && !imported_ca_info_blob) {
3213           /* Fail if we insist on successfully verifying the server. */
3214           failf(data, "error setting certificate file: %s", ssl_cafile);
3215           return CURLE_SSL_CACERT_BADFILE;
3216         }
3217         else
3218           infof(data, "error setting certificate file, continuing anyway");
3219       }
3220       if(ssl_capath && !X509_STORE_load_path(store, ssl_capath)) {
3221         if(!imported_native_ca && !imported_ca_info_blob) {
3222           /* Fail if we insist on successfully verifying the server. */
3223           failf(data, "error setting certificate path: %s", ssl_capath);
3224           return CURLE_SSL_CACERT_BADFILE;
3225         }
3226         else
3227           infof(data, "error setting certificate path, continuing anyway");
3228       }
3229 #else
3230       /* tell OpenSSL where to find CA certificates that are used to verify the
3231          server's certificate. */
3232       if(!X509_STORE_load_locations(store, ssl_cafile, ssl_capath)) {
3233         if(!imported_native_ca && !imported_ca_info_blob) {
3234           /* Fail if we insist on successfully verifying the server. */
3235           failf(data, "error setting certificate verify locations:"
3236                 "  CAfile: %s CApath: %s",
3237                 ssl_cafile ? ssl_cafile : "none",
3238                 ssl_capath ? ssl_capath : "none");
3239           return CURLE_SSL_CACERT_BADFILE;
3240         }
3241         else {
3242           infof(data, "error setting certificate verify locations,"
3243                 " continuing anyway");
3244         }
3245       }
3246 #endif
3247       infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
3248       infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
3249     }
3250 
3251 #ifdef CURL_CA_FALLBACK
3252     if(!ssl_cafile && !ssl_capath &&
3253        !imported_native_ca && !imported_ca_info_blob) {
3254       /* verifying the peer without any CA certificates will not
3255          work so use OpenSSL's built-in default as fallback */
3256       X509_STORE_set_default_paths(store);
3257     }
3258 #endif
3259   }
3260 
3261   if(ssl_crlfile) {
3262     /* tell OpenSSL where to find CRL file that is used to check certificate
3263      * revocation */
3264     lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
3265     if(!lookup ||
3266        (!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM)) ) {
3267       failf(data, "error loading CRL file: %s", ssl_crlfile);
3268       return CURLE_SSL_CRL_BADFILE;
3269     }
3270     /* Everything is fine. */
3271     infof(data, "successfully loaded CRL file:");
3272     X509_STORE_set_flags(store,
3273                          X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
3274 
3275     infof(data, "  CRLfile: %s", ssl_crlfile);
3276   }
3277 
3278   if(verifypeer) {
3279     /* Try building a chain using issuers in the trusted store first to avoid
3280        problems with server-sent legacy intermediates. Newer versions of
3281        OpenSSL do alternate chain checking by default but we do not know how to
3282        determine that in a reliable manner.
3283        https://web.archive.org/web/20190422050538/
3284        rt.openssl.org/Ticket/Display.html?id=3621
3285     */
3286 #if defined(X509_V_FLAG_TRUSTED_FIRST)
3287     X509_STORE_set_flags(store, X509_V_FLAG_TRUSTED_FIRST);
3288 #endif
3289 #ifdef X509_V_FLAG_PARTIAL_CHAIN
3290     if(!ssl_config->no_partialchain && !ssl_crlfile) {
3291       /* Have intermediate certificates in the trust store be treated as
3292          trust-anchors, in the same way as self-signed root CA certificates
3293          are. This allows users to verify servers using the intermediate cert
3294          only, instead of needing the whole chain.
3295 
3296          Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
3297          cannot do partial chains with a CRL check.
3298       */
3299       X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
3300     }
3301 #endif
3302   }
3303 
3304   return result;
3305 }
3306 
3307 #if defined(HAVE_SSL_X509_STORE_SHARE)
3308 
3309 /* key to use at `multi->proto_hash` */
3310 #define MPROTO_OSSL_X509_KEY   "tls:ossl:x509:share"
3311 
3312 struct ossl_x509_share {
3313   char *CAfile;         /* CAfile path used to generate X509 store */
3314   X509_STORE *store;    /* cached X509 store or NULL if none */
3315   struct curltime time; /* when the cached store was created */
3316 };
3317 
oss_x509_share_free(void * key,size_t key_len,void * p)3318 static void oss_x509_share_free(void *key, size_t key_len, void *p)
3319 {
3320   struct ossl_x509_share *share = p;
3321   DEBUGASSERT(key_len == (sizeof(MPROTO_OSSL_X509_KEY)-1));
3322   DEBUGASSERT(!memcmp(MPROTO_OSSL_X509_KEY, key, key_len));
3323   (void)key;
3324   (void)key_len;
3325   if(share->store) {
3326     X509_STORE_free(share->store);
3327   }
3328   free(share->CAfile);
3329   free(share);
3330 }
3331 
3332 static bool
cached_x509_store_expired(const struct Curl_easy * data,const struct ossl_x509_share * mb)3333 cached_x509_store_expired(const struct Curl_easy *data,
3334                           const struct ossl_x509_share *mb)
3335 {
3336   const struct ssl_general_config *cfg = &data->set.general_ssl;
3337   if(cfg->ca_cache_timeout < 0)
3338     return FALSE;
3339   else {
3340     struct curltime now = Curl_now();
3341     timediff_t elapsed_ms = Curl_timediff(now, mb->time);
3342     timediff_t timeout_ms = cfg->ca_cache_timeout * (timediff_t)1000;
3343 
3344     return elapsed_ms >= timeout_ms;
3345   }
3346 }
3347 
3348 static bool
cached_x509_store_different(struct Curl_cfilter * cf,const struct ossl_x509_share * mb)3349 cached_x509_store_different(struct Curl_cfilter *cf,
3350                             const struct ossl_x509_share *mb)
3351 {
3352   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3353   if(!mb->CAfile || !conn_config->CAfile)
3354     return mb->CAfile != conn_config->CAfile;
3355 
3356   return strcmp(mb->CAfile, conn_config->CAfile);
3357 }
3358 
get_cached_x509_store(struct Curl_cfilter * cf,const struct Curl_easy * data)3359 static X509_STORE *get_cached_x509_store(struct Curl_cfilter *cf,
3360                                          const struct Curl_easy *data)
3361 {
3362   struct Curl_multi *multi = data->multi;
3363   struct ossl_x509_share *share;
3364   X509_STORE *store = NULL;
3365 
3366   DEBUGASSERT(multi);
3367   share = multi ? Curl_hash_pick(&multi->proto_hash,
3368                                  (void *)MPROTO_OSSL_X509_KEY,
3369                                  sizeof(MPROTO_OSSL_X509_KEY)-1) : NULL;
3370   if(share && share->store &&
3371      !cached_x509_store_expired(data, share) &&
3372      !cached_x509_store_different(cf, share)) {
3373     store = share->store;
3374   }
3375 
3376   return store;
3377 }
3378 
set_cached_x509_store(struct Curl_cfilter * cf,const struct Curl_easy * data,X509_STORE * store)3379 static void set_cached_x509_store(struct Curl_cfilter *cf,
3380                                   const struct Curl_easy *data,
3381                                   X509_STORE *store)
3382 {
3383   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3384   struct Curl_multi *multi = data->multi;
3385   struct ossl_x509_share *share;
3386 
3387   DEBUGASSERT(multi);
3388   if(!multi)
3389     return;
3390   share = Curl_hash_pick(&multi->proto_hash,
3391                          (void *)MPROTO_OSSL_X509_KEY,
3392                          sizeof(MPROTO_OSSL_X509_KEY)-1);
3393 
3394   if(!share) {
3395     share = calloc(1, sizeof(*share));
3396     if(!share)
3397       return;
3398     if(!Curl_hash_add2(&multi->proto_hash,
3399                        (void *)MPROTO_OSSL_X509_KEY,
3400                        sizeof(MPROTO_OSSL_X509_KEY)-1,
3401                        share, oss_x509_share_free)) {
3402       free(share);
3403       return;
3404     }
3405   }
3406 
3407   if(X509_STORE_up_ref(store)) {
3408     char *CAfile = NULL;
3409 
3410     if(conn_config->CAfile) {
3411       CAfile = strdup(conn_config->CAfile);
3412       if(!CAfile) {
3413         X509_STORE_free(store);
3414         return;
3415       }
3416     }
3417 
3418     if(share->store) {
3419       X509_STORE_free(share->store);
3420       free(share->CAfile);
3421     }
3422 
3423     share->time = Curl_now();
3424     share->store = store;
3425     share->CAfile = CAfile;
3426   }
3427 }
3428 
Curl_ssl_setup_x509_store(struct Curl_cfilter * cf,struct Curl_easy * data,SSL_CTX * ssl_ctx)3429 CURLcode Curl_ssl_setup_x509_store(struct Curl_cfilter *cf,
3430                                    struct Curl_easy *data,
3431                                    SSL_CTX *ssl_ctx)
3432 {
3433   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3434   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3435   CURLcode result = CURLE_OK;
3436   X509_STORE *cached_store;
3437   bool cache_criteria_met;
3438 
3439   /* Consider the X509 store cacheable if it comes exclusively from a CAfile,
3440      or no source is provided and we are falling back to OpenSSL's built-in
3441      default. */
3442   cache_criteria_met = (data->set.general_ssl.ca_cache_timeout != 0) &&
3443     conn_config->verifypeer &&
3444     !conn_config->CApath &&
3445     !conn_config->ca_info_blob &&
3446     !ssl_config->primary.CRLfile &&
3447     !ssl_config->native_ca_store;
3448 
3449   cached_store = get_cached_x509_store(cf, data);
3450   if(cached_store && cache_criteria_met && X509_STORE_up_ref(cached_store)) {
3451     SSL_CTX_set_cert_store(ssl_ctx, cached_store);
3452   }
3453   else {
3454     X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
3455 
3456     result = populate_x509_store(cf, data, store);
3457     if(result == CURLE_OK && cache_criteria_met) {
3458       set_cached_x509_store(cf, data, store);
3459     }
3460   }
3461 
3462   return result;
3463 }
3464 #else /* HAVE_SSL_X509_STORE_SHARE */
Curl_ssl_setup_x509_store(struct Curl_cfilter * cf,struct Curl_easy * data,SSL_CTX * ssl_ctx)3465 CURLcode Curl_ssl_setup_x509_store(struct Curl_cfilter *cf,
3466                                    struct Curl_easy *data,
3467                                    SSL_CTX *ssl_ctx)
3468 {
3469   X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx);
3470 
3471   return populate_x509_store(cf, data, store);
3472 }
3473 #endif /* HAVE_SSL_X509_STORE_SHARE */
3474 
Curl_ossl_ctx_init(struct ossl_ctx * octx,struct Curl_cfilter * cf,struct Curl_easy * data,struct ssl_peer * peer,int transport,const unsigned char * alpn,size_t alpn_len,Curl_ossl_ctx_setup_cb * cb_setup,void * cb_user_data,Curl_ossl_new_session_cb * cb_new_session,void * ssl_user_data)3475 CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
3476                             struct Curl_cfilter *cf,
3477                             struct Curl_easy *data,
3478                             struct ssl_peer *peer,
3479                             int transport, /* TCP or QUIC */
3480                             const unsigned char *alpn, size_t alpn_len,
3481                             Curl_ossl_ctx_setup_cb *cb_setup,
3482                             void *cb_user_data,
3483                             Curl_ossl_new_session_cb *cb_new_session,
3484                             void *ssl_user_data)
3485 {
3486   CURLcode result = CURLE_OK;
3487   const char *ciphers;
3488   SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
3489   ctx_option_t ctx_options = 0;
3490   SSL_SESSION *ssl_session = NULL;
3491   const unsigned char *der_sessionid = NULL;
3492   size_t der_sessionid_size = 0;
3493   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
3494   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
3495   const long int ssl_version_min = conn_config->version;
3496   char * const ssl_cert = ssl_config->primary.clientcert;
3497   const struct curl_blob *ssl_cert_blob = ssl_config->primary.cert_blob;
3498   const char * const ssl_cert_type = ssl_config->cert_type;
3499   const bool verifypeer = conn_config->verifypeer;
3500   char error_buffer[256];
3501 
3502   /* Make funny stuff to get random input */
3503   result = ossl_seed(data);
3504   if(result)
3505     return result;
3506 
3507   ssl_config->certverifyresult = !X509_V_OK;
3508 
3509   switch(transport) {
3510   case TRNSPRT_TCP:
3511     /* check to see if we have been told to use an explicit SSL/TLS version */
3512     switch(ssl_version_min) {
3513     case CURL_SSLVERSION_DEFAULT:
3514     case CURL_SSLVERSION_TLSv1:
3515     case CURL_SSLVERSION_TLSv1_0:
3516     case CURL_SSLVERSION_TLSv1_1:
3517     case CURL_SSLVERSION_TLSv1_2:
3518     case CURL_SSLVERSION_TLSv1_3:
3519       /* it will be handled later with the context options */
3520   #if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
3521       req_method = TLS_client_method();
3522   #else
3523       req_method = SSLv23_client_method();
3524   #endif
3525       break;
3526     case CURL_SSLVERSION_SSLv2:
3527       failf(data, "No SSLv2 support");
3528       return CURLE_NOT_BUILT_IN;
3529     case CURL_SSLVERSION_SSLv3:
3530       failf(data, "No SSLv3 support");
3531       return CURLE_NOT_BUILT_IN;
3532     default:
3533       failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
3534       return CURLE_SSL_CONNECT_ERROR;
3535     }
3536     break;
3537   case TRNSPRT_QUIC:
3538     if(conn_config->version_max &&
3539        (conn_config->version_max != CURL_SSLVERSION_MAX_TLSv1_3)) {
3540       failf(data, "QUIC needs at least TLS version 1.3");
3541       return CURLE_SSL_CONNECT_ERROR;
3542     }
3543 
3544 #ifdef USE_OPENSSL_QUIC
3545     req_method = OSSL_QUIC_client_method();
3546 #elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
3547     req_method = TLS_method();
3548 #else
3549     req_method = SSLv23_client_method();
3550 #endif
3551     break;
3552   default:
3553     failf(data, "unsupported transport %d in SSL init", transport);
3554     return CURLE_SSL_CONNECT_ERROR;
3555   }
3556 
3557 
3558   DEBUGASSERT(!octx->ssl_ctx);
3559   octx->ssl_ctx = SSL_CTX_new(req_method);
3560 
3561   if(!octx->ssl_ctx) {
3562     failf(data, "SSL: could not create a context: %s",
3563           ossl_strerror(ERR_peek_error(), error_buffer, sizeof(error_buffer)));
3564     return CURLE_OUT_OF_MEMORY;
3565   }
3566 
3567   if(cb_setup) {
3568     result = cb_setup(cf, data, cb_user_data);
3569     if(result)
3570       return result;
3571   }
3572 
3573 #ifdef SSL_CTRL_SET_MSG_CALLBACK
3574   if(data->set.fdebug && data->set.verbose) {
3575     /* the SSL trace callback is only used for verbose logging */
3576     SSL_CTX_set_msg_callback(octx->ssl_ctx, ossl_trace);
3577     SSL_CTX_set_msg_callback_arg(octx->ssl_ctx, cf);
3578   }
3579 #endif
3580 
3581   /* OpenSSL contains code to work around lots of bugs and flaws in various
3582      SSL-implementations. SSL_CTX_set_options() is used to enabled those
3583      work-arounds. The manpage for this option states that SSL_OP_ALL enables
3584      all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
3585      enable the bug workaround options if compatibility with somewhat broken
3586      implementations is desired."
3587 
3588      The "-no_ticket" option was introduced in OpenSSL 0.9.8j. it is a flag to
3589      disable "rfc4507bis session ticket support". rfc4507bis was later turned
3590      into the proper RFC5077: https://datatracker.ietf.org/doc/html/rfc5077
3591 
3592      The enabled extension concerns the session management. I wonder how often
3593      libcurl stops a connection and then resumes a TLS session. Also, sending
3594      the session data is some overhead. I suggest that you just use your
3595      proposed patch (which explicitly disables TICKET).
3596 
3597      If someone writes an application with libcurl and OpenSSL who wants to
3598      enable the feature, one can do this in the SSL callback.
3599 
3600      SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
3601      interoperability with web server Netscape Enterprise Server 2.0.1 which
3602      was released back in 1996.
3603 
3604      Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
3605      become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
3606      CVE-2010-4180 when using previous OpenSSL versions we no longer enable
3607      this option regardless of OpenSSL version and SSL_OP_ALL definition.
3608 
3609      OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability:
3610      https://web.archive.org/web/20240114184648/openssl.org/~bodo/tls-cbc.txt.
3611      In 0.9.6e they added a bit to SSL_OP_ALL that _disables_ that work-around
3612      despite the fact that SSL_OP_ALL is documented to do "rather harmless"
3613      workarounds. In order to keep the secure work-around, the
3614      SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit must not be set.
3615   */
3616 
3617   ctx_options = SSL_OP_ALL;
3618 
3619 #ifdef SSL_OP_NO_TICKET
3620   ctx_options |= SSL_OP_NO_TICKET;
3621 #endif
3622 
3623 #ifdef SSL_OP_NO_COMPRESSION
3624   ctx_options |= SSL_OP_NO_COMPRESSION;
3625 #endif
3626 
3627 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
3628   /* mitigate CVE-2010-4180 */
3629   ctx_options &= ~(ctx_option_t)SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
3630 #endif
3631 
3632 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
3633   /* unless the user explicitly asks to allow the protocol vulnerability we
3634      use the work-around */
3635   if(!ssl_config->enable_beast)
3636     ctx_options &= ~(ctx_option_t)SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
3637 #endif
3638 
3639   switch(ssl_version_min) {
3640   case CURL_SSLVERSION_SSLv2:
3641   case CURL_SSLVERSION_SSLv3:
3642     return CURLE_NOT_BUILT_IN;
3643 
3644     /* "--tlsv<x.y>" options mean TLS >= version <x.y> */
3645   case CURL_SSLVERSION_DEFAULT:
3646   case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */
3647   case CURL_SSLVERSION_TLSv1_0: /* TLS >= version 1.0 */
3648   case CURL_SSLVERSION_TLSv1_1: /* TLS >= version 1.1 */
3649   case CURL_SSLVERSION_TLSv1_2: /* TLS >= version 1.2 */
3650   case CURL_SSLVERSION_TLSv1_3: /* TLS >= version 1.3 */
3651     /* asking for any TLS version as the minimum, means no SSL versions
3652        allowed */
3653     ctx_options |= SSL_OP_NO_SSLv2;
3654     ctx_options |= SSL_OP_NO_SSLv3;
3655 
3656 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
3657     result = ossl_set_ssl_version_min_max(cf, octx->ssl_ctx);
3658 #else
3659     result = ossl_set_ssl_version_min_max_legacy(&ctx_options, cf, data);
3660 #endif
3661     if(result != CURLE_OK)
3662       return result;
3663     break;
3664 
3665   default:
3666     failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
3667     return CURLE_SSL_CONNECT_ERROR;
3668   }
3669 
3670   SSL_CTX_set_options(octx->ssl_ctx, ctx_options);
3671 
3672 #ifdef SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
3673   /* We do retry writes sometimes from another buffer address */
3674   SSL_CTX_set_mode(octx->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
3675 #endif
3676 
3677   if(alpn && alpn_len) {
3678 #ifdef HAS_ALPN
3679     if(SSL_CTX_set_alpn_protos(octx->ssl_ctx, alpn, (int)alpn_len)) {
3680       failf(data, "Error setting ALPN");
3681       return CURLE_SSL_CONNECT_ERROR;
3682     }
3683 #endif
3684   }
3685 
3686   if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
3687     if(!result &&
3688        !cert_stuff(data, octx->ssl_ctx,
3689                    ssl_cert, ssl_cert_blob, ssl_cert_type,
3690                    ssl_config->key, ssl_config->key_blob,
3691                    ssl_config->key_type, ssl_config->key_passwd))
3692       result = CURLE_SSL_CERTPROBLEM;
3693     if(result)
3694       /* failf() is already done in cert_stuff() */
3695       return result;
3696   }
3697 
3698   ciphers = conn_config->cipher_list;
3699   if(!ciphers && (peer->transport != TRNSPRT_QUIC))
3700     ciphers = DEFAULT_CIPHER_SELECTION;
3701   if(ciphers) {
3702     if(!SSL_CTX_set_cipher_list(octx->ssl_ctx, ciphers)) {
3703       failf(data, "failed setting cipher list: %s", ciphers);
3704       return CURLE_SSL_CIPHER;
3705     }
3706     infof(data, "Cipher selection: %s", ciphers);
3707   }
3708 
3709 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
3710   {
3711     const char *ciphers13 = conn_config->cipher_list13;
3712     if(ciphers13) {
3713       if(!SSL_CTX_set_ciphersuites(octx->ssl_ctx, ciphers13)) {
3714         failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13);
3715         return CURLE_SSL_CIPHER;
3716       }
3717       infof(data, "TLS 1.3 cipher selection: %s", ciphers13);
3718     }
3719   }
3720 #endif
3721 
3722 #ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
3723   /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
3724   SSL_CTX_set_post_handshake_auth(octx->ssl_ctx, 1);
3725 #endif
3726 
3727 #ifdef HAVE_SSL_CTX_SET_EC_CURVES
3728   {
3729     const char *curves = conn_config->curves;
3730     if(curves) {
3731       if(!SSL_CTX_set1_curves_list(octx->ssl_ctx, curves)) {
3732         failf(data, "failed setting curves list: '%s'", curves);
3733         return CURLE_SSL_CIPHER;
3734       }
3735     }
3736   }
3737 #endif
3738 
3739 #ifdef USE_OPENSSL_SRP
3740   if(ssl_config->primary.username && Curl_auth_allowed_to_host(data)) {
3741     char * const ssl_username = ssl_config->primary.username;
3742     char * const ssl_password = ssl_config->primary.password;
3743     infof(data, "Using TLS-SRP username: %s", ssl_username);
3744 
3745     if(!SSL_CTX_set_srp_username(octx->ssl_ctx, ssl_username)) {
3746       failf(data, "Unable to set SRP username");
3747       return CURLE_BAD_FUNCTION_ARGUMENT;
3748     }
3749     if(!SSL_CTX_set_srp_password(octx->ssl_ctx, ssl_password)) {
3750       failf(data, "failed setting SRP password");
3751       return CURLE_BAD_FUNCTION_ARGUMENT;
3752     }
3753     if(!conn_config->cipher_list) {
3754       infof(data, "Setting cipher list SRP");
3755 
3756       if(!SSL_CTX_set_cipher_list(octx->ssl_ctx, "SRP")) {
3757         failf(data, "failed setting SRP cipher list");
3758         return CURLE_SSL_CIPHER;
3759       }
3760     }
3761   }
3762 #endif
3763 
3764   /* OpenSSL always tries to verify the peer, this only says whether it should
3765    * fail to connect if the verification fails, or if it should continue
3766    * anyway. In the latter case the result of the verification is checked with
3767    * SSL_get_verify_result() below. */
3768   SSL_CTX_set_verify(octx->ssl_ctx,
3769                      verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
3770 
3771   /* Enable logging of secrets to the file specified in env SSLKEYLOGFILE. */
3772 #ifdef HAVE_KEYLOG_CALLBACK
3773   if(Curl_tls_keylog_enabled()) {
3774     SSL_CTX_set_keylog_callback(octx->ssl_ctx, ossl_keylog_callback);
3775   }
3776 #endif
3777 
3778   if(cb_new_session) {
3779     /* Enable the session cache because it is a prerequisite for the
3780      * "new session" callback. Use the "external storage" mode to prevent
3781      * OpenSSL from creating an internal session cache.
3782      */
3783     SSL_CTX_set_session_cache_mode(octx->ssl_ctx,
3784                                    SSL_SESS_CACHE_CLIENT |
3785                                    SSL_SESS_CACHE_NO_INTERNAL);
3786     SSL_CTX_sess_set_new_cb(octx->ssl_ctx, cb_new_session);
3787   }
3788 
3789   /* give application a chance to interfere with SSL set up. */
3790   if(data->set.ssl.fsslctx) {
3791     /* When a user callback is installed to modify the SSL_CTX,
3792      * we need to do the full initialization before calling it.
3793      * See: #11800 */
3794     if(!octx->x509_store_setup) {
3795       result = Curl_ssl_setup_x509_store(cf, data, octx->ssl_ctx);
3796       if(result)
3797         return result;
3798       octx->x509_store_setup = TRUE;
3799     }
3800     Curl_set_in_callback(data, TRUE);
3801     result = (*data->set.ssl.fsslctx)(data, octx->ssl_ctx,
3802                                       data->set.ssl.fsslctxp);
3803     Curl_set_in_callback(data, FALSE);
3804     if(result) {
3805       failf(data, "error signaled by ssl ctx callback");
3806       return result;
3807     }
3808   }
3809 
3810   /* Let's make an SSL structure */
3811   if(octx->ssl)
3812     SSL_free(octx->ssl);
3813   octx->ssl = SSL_new(octx->ssl_ctx);
3814   if(!octx->ssl) {
3815     failf(data, "SSL: could not create a context (handle)");
3816     return CURLE_OUT_OF_MEMORY;
3817   }
3818 
3819   SSL_set_app_data(octx->ssl, ssl_user_data);
3820 
3821 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
3822   !defined(OPENSSL_NO_OCSP)
3823   if(conn_config->verifystatus)
3824     SSL_set_tlsext_status_type(octx->ssl, TLSEXT_STATUSTYPE_ocsp);
3825 #endif
3826 
3827 #if (defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)) && \
3828     defined(ALLOW_RENEG)
3829   SSL_set_renegotiate_mode(octx->ssl, ssl_renegotiate_freely);
3830 #endif
3831 
3832   SSL_set_connect_state(octx->ssl);
3833 
3834   octx->server_cert = 0x0;
3835 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
3836   if(peer->sni) {
3837     if(!SSL_set_tlsext_host_name(octx->ssl, peer->sni)) {
3838       failf(data, "Failed set SNI");
3839       return CURLE_SSL_CONNECT_ERROR;
3840     }
3841   }
3842 
3843 #ifdef USE_ECH
3844   if(ECH_ENABLED(data)) {
3845     unsigned char *ech_config = NULL;
3846     size_t ech_config_len = 0;
3847     char *outername = data->set.str[STRING_ECH_PUBLIC];
3848     int trying_ech_now = 0;
3849 
3850     if(data->set.tls_ech & CURLECH_GREASE) {
3851       infof(data, "ECH: will GREASE ClientHello");
3852 # if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
3853       SSL_set_enable_ech_grease(octx->ssl, 1);
3854 # else
3855       SSL_set_options(octx->ssl, SSL_OP_ECH_GREASE);
3856 # endif
3857     }
3858     else if(data->set.tls_ech & CURLECH_CLA_CFG) {
3859 # if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
3860       /* have to do base64 decode here for BoringSSL */
3861       const char *b64 = data->set.str[STRING_ECH_CONFIG];
3862 
3863       if(!b64) {
3864         infof(data, "ECH: ECHConfig from command line empty");
3865         return CURLE_SSL_CONNECT_ERROR;
3866       }
3867       ech_config_len = 2 * strlen(b64);
3868       result = Curl_base64_decode(b64, &ech_config, &ech_config_len);
3869       if(result || !ech_config) {
3870         infof(data, "ECH: cannot base64 decode ECHConfig from command line");
3871         if(data->set.tls_ech & CURLECH_HARD)
3872           return result;
3873       }
3874       if(SSL_set1_ech_config_list(octx->ssl, ech_config,
3875                                   ech_config_len) != 1) {
3876         infof(data, "ECH: SSL_ECH_set1_echconfig failed");
3877         if(data->set.tls_ech & CURLECH_HARD) {
3878           free(ech_config);
3879           return CURLE_SSL_CONNECT_ERROR;
3880         }
3881       }
3882       free(ech_config);
3883       trying_ech_now = 1;
3884 # else
3885       ech_config = (unsigned char *) data->set.str[STRING_ECH_CONFIG];
3886       if(!ech_config) {
3887         infof(data, "ECH: ECHConfig from command line empty");
3888         return CURLE_SSL_CONNECT_ERROR;
3889       }
3890       ech_config_len = strlen(data->set.str[STRING_ECH_CONFIG]);
3891       if(SSL_ech_set1_echconfig(octx->ssl, ech_config, ech_config_len) != 1) {
3892         infof(data, "ECH: SSL_ECH_set1_echconfig failed");
3893         if(data->set.tls_ech & CURLECH_HARD)
3894           return CURLE_SSL_CONNECT_ERROR;
3895       }
3896       else
3897         trying_ech_now = 1;
3898 # endif
3899       infof(data, "ECH: ECHConfig from command line");
3900     }
3901     else {
3902       struct Curl_dns_entry *dns = NULL;
3903 
3904       if(peer->hostname)
3905         dns = Curl_fetch_addr(data, peer->hostname, peer->port);
3906       if(!dns) {
3907         infof(data, "ECH: requested but no DNS info available");
3908         if(data->set.tls_ech & CURLECH_HARD)
3909           return CURLE_SSL_CONNECT_ERROR;
3910       }
3911       else {
3912         struct Curl_https_rrinfo *rinfo = NULL;
3913 
3914         rinfo = dns->hinfo;
3915         if(rinfo && rinfo->echconfiglist) {
3916           unsigned char *ecl = rinfo->echconfiglist;
3917           size_t elen = rinfo->echconfiglist_len;
3918 
3919           infof(data, "ECH: ECHConfig from DoH HTTPS RR");
3920 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
3921           if(SSL_ech_set1_echconfig(octx->ssl, ecl, elen) != 1) {
3922             infof(data, "ECH: SSL_ECH_set1_echconfig failed");
3923             if(data->set.tls_ech & CURLECH_HARD)
3924               return CURLE_SSL_CONNECT_ERROR;
3925           }
3926 # else
3927           if(SSL_set1_ech_config_list(octx->ssl, ecl, elen) != 1) {
3928             infof(data, "ECH: SSL_set1_ech_config_list failed (BoringSSL)");
3929             if(data->set.tls_ech & CURLECH_HARD)
3930               return CURLE_SSL_CONNECT_ERROR;
3931           }
3932 # endif
3933           else {
3934             trying_ech_now = 1;
3935             infof(data, "ECH: imported ECHConfigList of length %zu", elen);
3936           }
3937         }
3938         else {
3939           infof(data, "ECH: requested but no ECHConfig available");
3940           if(data->set.tls_ech & CURLECH_HARD)
3941             return CURLE_SSL_CONNECT_ERROR;
3942         }
3943         Curl_resolv_unlink(data, &dns);
3944       }
3945     }
3946 # if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
3947     if(trying_ech_now && outername) {
3948       infof(data, "ECH: setting public_name not supported with BoringSSL");
3949       return CURLE_SSL_CONNECT_ERROR;
3950     }
3951 # else
3952     if(trying_ech_now && outername) {
3953       infof(data, "ECH: inner: '%s', outer: '%s'",
3954             peer->hostname ? peer->hostname : "NULL", outername);
3955       result = SSL_ech_set_server_names(octx->ssl,
3956                                         peer->hostname, outername,
3957                                         0 /* do send outer */);
3958       if(result != 1) {
3959         infof(data, "ECH: rv failed to set server name(s) %d [ERROR]", result);
3960         return CURLE_SSL_CONNECT_ERROR;
3961       }
3962     }
3963 # endif  /* OPENSSL_IS_BORINGSSL || OPENSSL_IS_AWSLC */
3964     if(trying_ech_now
3965        && SSL_set_min_proto_version(octx->ssl, TLS1_3_VERSION) != 1) {
3966       infof(data, "ECH: cannot force TLSv1.3 [ERROR]");
3967       return CURLE_SSL_CONNECT_ERROR;
3968     }
3969   }
3970 #endif  /* USE_ECH */
3971 
3972 #endif
3973 
3974   octx->reused_session = FALSE;
3975   if(ssl_config->primary.cache_session) {
3976     Curl_ssl_sessionid_lock(data);
3977     if(!Curl_ssl_getsessionid(cf, data, peer, (void **)&der_sessionid,
3978       &der_sessionid_size, NULL)) {
3979       /* we got a session id, use it! */
3980       ssl_session = d2i_SSL_SESSION(NULL, &der_sessionid,
3981         (long)der_sessionid_size);
3982       if(ssl_session) {
3983         if(!SSL_set_session(octx->ssl, ssl_session)) {
3984           Curl_ssl_sessionid_unlock(data);
3985           SSL_SESSION_free(ssl_session);
3986           failf(data, "SSL: SSL_set_session failed: %s",
3987                 ossl_strerror(ERR_get_error(), error_buffer,
3988                               sizeof(error_buffer)));
3989           return CURLE_SSL_CONNECT_ERROR;
3990         }
3991         SSL_SESSION_free(ssl_session);
3992         /* Informational message */
3993         infof(data, "SSL reusing session ID");
3994         octx->reused_session = TRUE;
3995       }
3996       else {
3997         Curl_ssl_sessionid_unlock(data);
3998         return CURLE_SSL_CONNECT_ERROR;
3999       }
4000     }
4001     Curl_ssl_sessionid_unlock(data);
4002   }
4003 
4004   return CURLE_OK;
4005 }
4006 
ossl_connect_step1(struct Curl_cfilter * cf,struct Curl_easy * data)4007 static CURLcode ossl_connect_step1(struct Curl_cfilter *cf,
4008                                    struct Curl_easy *data)
4009 {
4010   struct ssl_connect_data *connssl = cf->ctx;
4011   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4012   struct alpn_proto_buf proto;
4013   BIO *bio;
4014   CURLcode result;
4015 
4016   DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
4017   DEBUGASSERT(octx);
4018   memset(&proto, 0, sizeof(proto));
4019 #ifdef HAS_ALPN
4020   if(connssl->alpn) {
4021     result = Curl_alpn_to_proto_buf(&proto, connssl->alpn);
4022     if(result) {
4023       failf(data, "Error determining ALPN");
4024       return CURLE_SSL_CONNECT_ERROR;
4025     }
4026   }
4027 #endif
4028 
4029   result = Curl_ossl_ctx_init(octx, cf, data, &connssl->peer, TRNSPRT_TCP,
4030                               proto.data, proto.len, NULL, NULL,
4031                               ossl_new_session_cb, cf);
4032   if(result)
4033     return result;
4034 
4035   octx->bio_method = ossl_bio_cf_method_create();
4036   if(!octx->bio_method)
4037     return CURLE_OUT_OF_MEMORY;
4038   bio = BIO_new(octx->bio_method);
4039   if(!bio)
4040     return CURLE_OUT_OF_MEMORY;
4041 
4042   BIO_set_data(bio, cf);
4043 #ifdef HAVE_SSL_SET0_WBIO
4044   /* with OpenSSL v1.1.1 we get an alternative to SSL_set_bio() that works
4045    * without backward compat quirks. Every call takes one reference, so we
4046    * up it and pass. SSL* then owns it and will free.
4047    * We check on the function in configure, since LibreSSL and friends
4048    * each have their own versions to add support for this. */
4049   BIO_up_ref(bio);
4050   SSL_set0_rbio(octx->ssl, bio);
4051   SSL_set0_wbio(octx->ssl, bio);
4052 #else
4053   SSL_set_bio(octx->ssl, bio, bio);
4054 #endif
4055 
4056 #ifdef HAS_ALPN
4057   if(connssl->alpn) {
4058     Curl_alpn_to_proto_str(&proto, connssl->alpn);
4059     infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
4060   }
4061 #endif
4062   connssl->connecting_state = ssl_connect_2;
4063   return CURLE_OK;
4064 }
4065 
4066 #ifdef USE_ECH
4067 /* If we have retry configs, then trace those out */
ossl_trace_ech_retry_configs(struct Curl_easy * data,SSL * ssl,int reason)4068 static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl,
4069                                          int reason)
4070 {
4071   CURLcode result = CURLE_OK;
4072   size_t rcl = 0;
4073   int rv = 1;
4074 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
4075   char *inner = NULL;
4076   unsigned char *rcs = NULL;
4077   char *outer = NULL;
4078 # else
4079   const char *inner = NULL;
4080   const uint8_t *rcs = NULL;
4081   const char *outer = NULL;
4082   size_t out_name_len = 0;
4083   int servername_type = 0;
4084 # endif
4085 
4086   /* nothing to trace if not doing ECH */
4087   if(!ECH_ENABLED(data))
4088     return;
4089 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
4090   rv = SSL_ech_get_retry_config(ssl, &rcs, &rcl);
4091 # else
4092   SSL_get0_ech_retry_configs(ssl, &rcs, &rcl);
4093   rv = (int)rcl;
4094 # endif
4095 
4096   if(rv && rcs) {
4097 # define HEXSTR_MAX 800
4098     char *b64str = NULL;
4099     size_t blen = 0;
4100 
4101     result = Curl_base64_encode((const char *)rcs, rcl,
4102                                 &b64str, &blen);
4103     if(!result && b64str)
4104       infof(data, "ECH: retry_configs %s", b64str);
4105     free(b64str);
4106 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
4107     rv = SSL_ech_get_status(ssl, &inner, &outer);
4108     infof(data, "ECH: retry_configs for %s from %s, %d %d",
4109           inner ? inner : "NULL", outer ? outer : "NULL", reason, rv);
4110 # else
4111     rv = SSL_ech_accepted(ssl);
4112     servername_type = SSL_get_servername_type(ssl);
4113     inner = SSL_get_servername(ssl, servername_type);
4114     SSL_get0_ech_name_override(ssl, &outer, &out_name_len);
4115     /* TODO: get the inner from BoringSSL */
4116     infof(data, "ECH: retry_configs for %s from %s, %d %d",
4117           inner ? inner : "NULL", outer ? outer : "NULL", reason, rv);
4118 # endif
4119   }
4120   else
4121     infof(data, "ECH: no retry_configs (rv = %d)", rv);
4122 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
4123   OPENSSL_free((void *)rcs);
4124 # endif
4125   return;
4126 }
4127 
4128 #endif
4129 
ossl_connect_step2(struct Curl_cfilter * cf,struct Curl_easy * data)4130 static CURLcode ossl_connect_step2(struct Curl_cfilter *cf,
4131                                    struct Curl_easy *data)
4132 {
4133   int err;
4134   struct ssl_connect_data *connssl = cf->ctx;
4135   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4136   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
4137   DEBUGASSERT(ssl_connect_2 == connssl->connecting_state);
4138   DEBUGASSERT(octx);
4139 
4140   connssl->io_need = CURL_SSL_IO_NEED_NONE;
4141   ERR_clear_error();
4142 
4143   err = SSL_connect(octx->ssl);
4144 
4145   if(!octx->x509_store_setup) {
4146     /* After having send off the ClientHello, we prepare the x509
4147      * store to verify the coming certificate from the server */
4148     CURLcode result = Curl_ssl_setup_x509_store(cf, data, octx->ssl_ctx);
4149     if(result)
4150       return result;
4151     octx->x509_store_setup = TRUE;
4152   }
4153 
4154 #ifndef HAVE_KEYLOG_CALLBACK
4155   /* If key logging is enabled, wait for the handshake to complete and then
4156    * proceed with logging secrets (for TLS 1.2 or older).
4157    */
4158   if(Curl_tls_keylog_enabled() && !octx->keylog_done)
4159     ossl_log_tls12_secret(octx->ssl, &octx->keylog_done);
4160 #endif
4161 
4162   /* 1  is fine
4163      0  is "not successful but was shut down controlled"
4164      <0 is "handshake was not successful, because a fatal error occurred" */
4165   if(1 != err) {
4166     int detail = SSL_get_error(octx->ssl, err);
4167     CURL_TRC_CF(data, cf, "SSL_connect() -> err=%d, detail=%d", err, detail);
4168 
4169     if(SSL_ERROR_WANT_READ == detail) {
4170       CURL_TRC_CF(data, cf, "SSL_connect() -> want recv");
4171       connssl->io_need = CURL_SSL_IO_NEED_RECV;
4172       return CURLE_OK;
4173     }
4174     if(SSL_ERROR_WANT_WRITE == detail) {
4175       CURL_TRC_CF(data, cf, "SSL_connect() -> want send");
4176       connssl->io_need = CURL_SSL_IO_NEED_SEND;
4177       return CURLE_OK;
4178     }
4179 #ifdef SSL_ERROR_WANT_ASYNC
4180     if(SSL_ERROR_WANT_ASYNC == detail) {
4181       CURL_TRC_CF(data, cf, "SSL_connect() -> want async");
4182       connssl->io_need = CURL_SSL_IO_NEED_RECV;
4183       connssl->connecting_state = ssl_connect_2;
4184       return CURLE_OK;
4185     }
4186 #endif
4187 #ifdef SSL_ERROR_WANT_RETRY_VERIFY
4188     if(SSL_ERROR_WANT_RETRY_VERIFY == detail) {
4189       CURL_TRC_CF(data, cf, "SSL_connect() -> want retry_verify");
4190       connssl->io_need = CURL_SSL_IO_NEED_RECV;
4191       connssl->connecting_state = ssl_connect_2;
4192       return CURLE_OK;
4193     }
4194 #endif
4195     else {
4196       /* untreated error */
4197       sslerr_t errdetail;
4198       char error_buffer[256]="";
4199       CURLcode result;
4200       long lerr;
4201       int lib;
4202       int reason;
4203 
4204       /* the connection failed, we are not waiting for anything else. */
4205       connssl->connecting_state = ssl_connect_2;
4206 
4207       /* Get the earliest error code from the thread's error queue and remove
4208          the entry. */
4209       errdetail = ERR_get_error();
4210 
4211       /* Extract which lib and reason */
4212       lib = ERR_GET_LIB(errdetail);
4213       reason = ERR_GET_REASON(errdetail);
4214 
4215       if((lib == ERR_LIB_SSL) &&
4216          ((reason == SSL_R_CERTIFICATE_VERIFY_FAILED) ||
4217           (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED))) {
4218         result = CURLE_PEER_FAILED_VERIFICATION;
4219 
4220         lerr = SSL_get_verify_result(octx->ssl);
4221         if(lerr != X509_V_OK) {
4222           ssl_config->certverifyresult = lerr;
4223           msnprintf(error_buffer, sizeof(error_buffer),
4224                     "SSL certificate problem: %s",
4225                     X509_verify_cert_error_string(lerr));
4226         }
4227         else {
4228           failf(data, "%s", "SSL certificate verification failed");
4229           return result;
4230         }
4231       }
4232 #if defined(SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)
4233       /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
4234          OpenSSL version above v1.1.1, not LibreSSL, BoringSSL, or AWS-LC */
4235       else if((lib == ERR_LIB_SSL) &&
4236               (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
4237         /* If client certificate is required, communicate the
4238            error to client */
4239         result = CURLE_SSL_CLIENTCERT;
4240         failf(data, "TLS cert problem: %s",
4241               ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
4242       }
4243 #endif
4244 #ifdef USE_ECH
4245       else if((lib == ERR_LIB_SSL) &&
4246 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
4247               (reason == SSL_R_ECH_REQUIRED)) {
4248 # else
4249               (reason == SSL_R_ECH_REJECTED)) {
4250 # endif
4251 
4252         /* trace retry_configs if we got some */
4253         ossl_trace_ech_retry_configs(data, octx->ssl, reason);
4254 
4255         result = CURLE_ECH_REQUIRED;
4256         failf(data, "ECH required: %s",
4257               ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
4258       }
4259 #endif
4260       else {
4261         result = CURLE_SSL_CONNECT_ERROR;
4262         failf(data, "TLS connect error: %s",
4263               ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)));
4264       }
4265 
4266       /* detail is already set to the SSL error above */
4267 
4268       /* If we e.g. use SSLv2 request-method and the server does not like us
4269        * (RST connection, etc.), OpenSSL gives no explanation whatsoever and
4270        * the SO_ERROR is also lost.
4271        */
4272       if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
4273         char extramsg[80]="";
4274         int sockerr = SOCKERRNO;
4275 
4276         if(sockerr && detail == SSL_ERROR_SYSCALL)
4277           Curl_strerror(sockerr, extramsg, sizeof(extramsg));
4278         failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%d ",
4279               extramsg[0] ? extramsg : SSL_ERROR_to_str(detail),
4280               connssl->peer.hostname, connssl->peer.port);
4281         return result;
4282       }
4283 
4284       return result;
4285     }
4286   }
4287   else {
4288     int psigtype_nid = NID_undef;
4289     const char *negotiated_group_name = NULL;
4290 
4291     /* we connected fine, we are not waiting for anything else. */
4292     connssl->connecting_state = ssl_connect_3;
4293 
4294 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
4295     SSL_get_peer_signature_type_nid(octx->ssl, &psigtype_nid);
4296 #if (OPENSSL_VERSION_NUMBER >= 0x30200000L)
4297     negotiated_group_name = SSL_get0_group_name(octx->ssl);
4298 #else
4299     negotiated_group_name =
4300       OBJ_nid2sn(SSL_get_negotiated_group(octx->ssl) & 0x0000FFFF);
4301 #endif
4302 #endif
4303 
4304     /* Informational message */
4305     infof(data, "SSL connection using %s / %s / %s / %s",
4306           SSL_get_version(octx->ssl),
4307           SSL_get_cipher(octx->ssl),
4308           negotiated_group_name ? negotiated_group_name : "[blank]",
4309           OBJ_nid2sn(psigtype_nid));
4310 
4311 #ifdef USE_ECH
4312 # if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
4313     if(ECH_ENABLED(data)) {
4314       char *inner = NULL, *outer = NULL;
4315       const char *status = NULL;
4316       int rv;
4317 
4318       rv = SSL_ech_get_status(octx->ssl, &inner, &outer);
4319       switch(rv) {
4320       case SSL_ECH_STATUS_SUCCESS:
4321         status = "succeeded";
4322         break;
4323       case SSL_ECH_STATUS_GREASE_ECH:
4324         status = "sent GREASE, got retry-configs";
4325         break;
4326       case SSL_ECH_STATUS_GREASE:
4327         status = "sent GREASE";
4328         break;
4329       case SSL_ECH_STATUS_NOT_TRIED:
4330         status = "not attempted";
4331         break;
4332       case SSL_ECH_STATUS_NOT_CONFIGURED:
4333         status = "not configured";
4334         break;
4335       case SSL_ECH_STATUS_BACKEND:
4336         status = "backend (unexpected)";
4337         break;
4338       case SSL_ECH_STATUS_FAILED:
4339         status = "failed";
4340         break;
4341       case SSL_ECH_STATUS_BAD_CALL:
4342         status = "bad call (unexpected)";
4343         break;
4344       case SSL_ECH_STATUS_BAD_NAME:
4345         status = "bad name (unexpected)";
4346         break;
4347       default:
4348         status = "unexpected status";
4349         infof(data, "ECH: unexpected status %d",rv);
4350       }
4351       infof(data, "ECH: result: status is %s, inner is %s, outer is %s",
4352             (status ? status : "NULL"),
4353             (inner ? inner : "NULL"),
4354             (outer ? outer : "NULL"));
4355       OPENSSL_free(inner);
4356       OPENSSL_free(outer);
4357       if(rv == SSL_ECH_STATUS_GREASE_ECH) {
4358         /* trace retry_configs if we got some */
4359         ossl_trace_ech_retry_configs(data, octx->ssl, 0);
4360       }
4361       if(rv != SSL_ECH_STATUS_SUCCESS
4362          && data->set.tls_ech & CURLECH_HARD) {
4363         infof(data, "ECH: ech-hard failed");
4364         return CURLE_SSL_CONNECT_ERROR;
4365       }
4366    }
4367    else {
4368       infof(data, "ECH: result: status is not attempted");
4369    }
4370 # endif  /* !OPENSSL_IS_BORINGSSL && !OPENSSL_IS_AWSLC */
4371 #endif  /* USE_ECH */
4372 
4373 #ifdef HAS_ALPN
4374     /* Sets data and len to negotiated protocol, len is 0 if no protocol was
4375      * negotiated
4376      */
4377     if(connssl->alpn) {
4378       const unsigned char *neg_protocol;
4379       unsigned int len;
4380       SSL_get0_alpn_selected(octx->ssl, &neg_protocol, &len);
4381 
4382       return Curl_alpn_set_negotiated(cf, data, connssl, neg_protocol, len);
4383     }
4384 #endif
4385 
4386     return CURLE_OK;
4387   }
4388 }
4389 
4390 /*
4391  * Heavily modified from:
4392  * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
4393  */
4394 static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
4395                                          const char *pinnedpubkey)
4396 {
4397   /* Scratch */
4398   int len1 = 0, len2 = 0;
4399   unsigned char *buff1 = NULL, *temp = NULL;
4400 
4401   /* Result is returned to caller */
4402   CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
4403 
4404   /* if a path was not specified, do not pin */
4405   if(!pinnedpubkey)
4406     return CURLE_OK;
4407 
4408   if(!cert)
4409     return result;
4410 
4411   do {
4412     /* Begin Gyrations to get the subjectPublicKeyInfo     */
4413     /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
4414 
4415     /* https://groups.google.com/group/mailing.openssl.users/browse_thread
4416        /thread/d61858dae102c6c7 */
4417     len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
4418     if(len1 < 1)
4419       break; /* failed */
4420 
4421     buff1 = temp = malloc(len1);
4422     if(!buff1)
4423       break; /* failed */
4424 
4425     /* https://docs.openssl.org/master/man3/d2i_X509/ */
4426     len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
4427 
4428     /*
4429      * These checks are verifying we got back the same values as when we
4430      * sized the buffer. it is pretty weak since they should always be the
4431      * same. But it gives us something to test.
4432      */
4433     if((len1 != len2) || !temp || ((temp - buff1) != len1))
4434       break; /* failed */
4435 
4436     /* End Gyrations */
4437 
4438     /* The one good exit point */
4439     result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
4440   } while(0);
4441 
4442   if(buff1)
4443     free(buff1);
4444 
4445   return result;
4446 }
4447 
4448 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) &&  \
4449   !(defined(LIBRESSL_VERSION_NUMBER) && \
4450     LIBRESSL_VERSION_NUMBER < 0x3060000fL) && \
4451   !defined(OPENSSL_IS_BORINGSSL) && \
4452   !defined(OPENSSL_IS_AWSLC) && \
4453   !defined(CURL_DISABLE_VERBOSE_STRINGS)
4454 static void infof_certstack(struct Curl_easy *data, const SSL *ssl)
4455 {
4456   STACK_OF(X509) *certstack;
4457   long verify_result;
4458   int num_cert_levels;
4459   int cert_level;
4460 
4461   verify_result = SSL_get_verify_result(ssl);
4462   if(verify_result != X509_V_OK)
4463     certstack = SSL_get_peer_cert_chain(ssl);
4464   else
4465     certstack = SSL_get0_verified_chain(ssl);
4466   num_cert_levels = sk_X509_num(certstack);
4467 
4468   for(cert_level = 0; cert_level < num_cert_levels; cert_level++) {
4469     char cert_algorithm[80] = "";
4470     char group_name_final[80] = "";
4471     const X509_ALGOR *palg_cert = NULL;
4472     const ASN1_OBJECT *paobj_cert = NULL;
4473     X509 *current_cert;
4474     EVP_PKEY *current_pkey;
4475     int key_bits;
4476     int key_sec_bits;
4477     int get_group_name;
4478     const char *type_name;
4479 
4480     current_cert = sk_X509_value(certstack, cert_level);
4481 
4482     X509_get0_signature(NULL, &palg_cert, current_cert);
4483     X509_ALGOR_get0(&paobj_cert, NULL, NULL, palg_cert);
4484     OBJ_obj2txt(cert_algorithm, sizeof(cert_algorithm), paobj_cert, 0);
4485 
4486     current_pkey = X509_get0_pubkey(current_cert);
4487     key_bits = EVP_PKEY_bits(current_pkey);
4488 #if (OPENSSL_VERSION_NUMBER < 0x30000000L)
4489 #define EVP_PKEY_get_security_bits EVP_PKEY_security_bits
4490 #endif
4491     key_sec_bits = EVP_PKEY_get_security_bits(current_pkey);
4492 #if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
4493     {
4494       char group_name[80] = "";
4495       get_group_name = EVP_PKEY_get_group_name(current_pkey, group_name,
4496                                                sizeof(group_name), NULL);
4497       msnprintf(group_name_final, sizeof(group_name_final), "/%s", group_name);
4498     }
4499     type_name = EVP_PKEY_get0_type_name(current_pkey);
4500 #else
4501     get_group_name = 0;
4502     type_name = NULL;
4503 #endif
4504 
4505     infof(data,
4506           "  Certificate level %d: "
4507           "Public key type %s%s (%d/%d Bits/secBits), signed using %s",
4508           cert_level, type_name ? type_name : "?",
4509           get_group_name == 0 ? "" : group_name_final,
4510           key_bits, key_sec_bits, cert_algorithm);
4511   }
4512 }
4513 #else
4514 #define infof_certstack(data, ssl)
4515 #endif
4516 
4517 #define MAX_CERT_NAME_LENGTH 2048
4518 
4519 CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
4520                                   struct Curl_easy *data,
4521                                   struct ossl_ctx *octx,
4522                                   struct ssl_peer *peer)
4523 {
4524   struct connectdata *conn = cf->conn;
4525   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
4526   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
4527   CURLcode result = CURLE_OK;
4528   long lerr;
4529   X509 *issuer;
4530   BIO *fp = NULL;
4531   char error_buffer[256]="";
4532   const char *ptr;
4533   BIO *mem = BIO_new(BIO_s_mem());
4534   bool strict = (conn_config->verifypeer || conn_config->verifyhost);
4535   struct dynbuf dname;
4536 
4537   DEBUGASSERT(octx);
4538 
4539   Curl_dyn_init(&dname, MAX_CERT_NAME_LENGTH);
4540 
4541   if(!mem) {
4542     failf(data,
4543           "BIO_new return NULL, " OSSL_PACKAGE
4544           " error %s",
4545           ossl_strerror(ERR_get_error(), error_buffer,
4546                         sizeof(error_buffer)) );
4547     return CURLE_OUT_OF_MEMORY;
4548   }
4549 
4550   if(data->set.ssl.certinfo)
4551     /* asked to gather certificate info */
4552     (void)ossl_certchain(data, octx->ssl);
4553 
4554   octx->server_cert = SSL_get1_peer_certificate(octx->ssl);
4555   if(!octx->server_cert) {
4556     BIO_free(mem);
4557     if(!strict)
4558       return CURLE_OK;
4559 
4560     failf(data, "SSL: could not get peer certificate");
4561     return CURLE_PEER_FAILED_VERIFICATION;
4562   }
4563 
4564   infof(data, "%s certificate:",
4565         Curl_ssl_cf_is_proxy(cf) ? "Proxy" : "Server");
4566 
4567   result = x509_name_oneline(X509_get_subject_name(octx->server_cert),
4568                              &dname);
4569   infof(data, " subject: %s", result ? "[NONE]" : Curl_dyn_ptr(&dname));
4570 
4571 #ifndef CURL_DISABLE_VERBOSE_STRINGS
4572   {
4573     long len;
4574     ASN1_TIME_print(mem, X509_get0_notBefore(octx->server_cert));
4575     len = BIO_get_mem_data(mem, (char **) &ptr);
4576     infof(data, " start date: %.*s", (int)len, ptr);
4577     (void)BIO_reset(mem);
4578 
4579     ASN1_TIME_print(mem, X509_get0_notAfter(octx->server_cert));
4580     len = BIO_get_mem_data(mem, (char **) &ptr);
4581     infof(data, " expire date: %.*s", (int)len, ptr);
4582     (void)BIO_reset(mem);
4583   }
4584 #endif
4585 
4586   BIO_free(mem);
4587 
4588   if(conn_config->verifyhost) {
4589     result = ossl_verifyhost(data, conn, peer, octx->server_cert);
4590     if(result) {
4591       X509_free(octx->server_cert);
4592       octx->server_cert = NULL;
4593       Curl_dyn_free(&dname);
4594       return result;
4595     }
4596   }
4597 
4598   result = x509_name_oneline(X509_get_issuer_name(octx->server_cert),
4599                              &dname);
4600   if(result) {
4601     if(strict)
4602       failf(data, "SSL: could not get X509-issuer name");
4603     result = CURLE_PEER_FAILED_VERIFICATION;
4604   }
4605   else {
4606     infof(data, " issuer: %s", Curl_dyn_ptr(&dname));
4607     Curl_dyn_free(&dname);
4608 
4609     /* We could do all sorts of certificate verification stuff here before
4610        deallocating the certificate. */
4611 
4612     /* e.g. match issuer name with provided issuer certificate */
4613     if(conn_config->issuercert || conn_config->issuercert_blob) {
4614       if(conn_config->issuercert_blob) {
4615         fp = BIO_new_mem_buf(conn_config->issuercert_blob->data,
4616                              (int)conn_config->issuercert_blob->len);
4617         if(!fp) {
4618           failf(data,
4619                 "BIO_new_mem_buf NULL, " OSSL_PACKAGE
4620                 " error %s",
4621                 ossl_strerror(ERR_get_error(), error_buffer,
4622                               sizeof(error_buffer)) );
4623           X509_free(octx->server_cert);
4624           octx->server_cert = NULL;
4625           return CURLE_OUT_OF_MEMORY;
4626         }
4627       }
4628       else {
4629         fp = BIO_new(BIO_s_file());
4630         if(!fp) {
4631           failf(data,
4632                 "BIO_new return NULL, " OSSL_PACKAGE
4633                 " error %s",
4634                 ossl_strerror(ERR_get_error(), error_buffer,
4635                               sizeof(error_buffer)) );
4636           X509_free(octx->server_cert);
4637           octx->server_cert = NULL;
4638           return CURLE_OUT_OF_MEMORY;
4639         }
4640 
4641         if(BIO_read_filename(fp, conn_config->issuercert) <= 0) {
4642           if(strict)
4643             failf(data, "SSL: Unable to open issuer cert (%s)",
4644                   conn_config->issuercert);
4645           BIO_free(fp);
4646           X509_free(octx->server_cert);
4647           octx->server_cert = NULL;
4648           return CURLE_SSL_ISSUER_ERROR;
4649         }
4650       }
4651 
4652       issuer = PEM_read_bio_X509(fp, NULL, ZERO_NULL, NULL);
4653       if(!issuer) {
4654         if(strict)
4655           failf(data, "SSL: Unable to read issuer cert (%s)",
4656                 conn_config->issuercert);
4657         BIO_free(fp);
4658         X509_free(issuer);
4659         X509_free(octx->server_cert);
4660         octx->server_cert = NULL;
4661         return CURLE_SSL_ISSUER_ERROR;
4662       }
4663 
4664       if(X509_check_issued(issuer, octx->server_cert) != X509_V_OK) {
4665         if(strict)
4666           failf(data, "SSL: Certificate issuer check failed (%s)",
4667                 conn_config->issuercert);
4668         BIO_free(fp);
4669         X509_free(issuer);
4670         X509_free(octx->server_cert);
4671         octx->server_cert = NULL;
4672         return CURLE_SSL_ISSUER_ERROR;
4673       }
4674 
4675       infof(data, " SSL certificate issuer check ok (%s)",
4676             conn_config->issuercert);
4677       BIO_free(fp);
4678       X509_free(issuer);
4679     }
4680 
4681     lerr = SSL_get_verify_result(octx->ssl);
4682     ssl_config->certverifyresult = lerr;
4683     if(lerr != X509_V_OK) {
4684       if(conn_config->verifypeer) {
4685         /* We probably never reach this, because SSL_connect() will fail
4686            and we return earlier if verifypeer is set? */
4687         if(strict)
4688           failf(data, "SSL certificate verify result: %s (%ld)",
4689                 X509_verify_cert_error_string(lerr), lerr);
4690         result = CURLE_PEER_FAILED_VERIFICATION;
4691       }
4692       else
4693         infof(data, " SSL certificate verify result: %s (%ld),"
4694               " continuing anyway.",
4695               X509_verify_cert_error_string(lerr), lerr);
4696     }
4697     else
4698       infof(data, " SSL certificate verify ok.");
4699   }
4700   infof_certstack(data, octx->ssl);
4701 
4702 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
4703   !defined(OPENSSL_NO_OCSP)
4704   if(conn_config->verifystatus && !octx->reused_session) {
4705     /* do not do this after Session ID reuse */
4706     result = verifystatus(cf, data, octx);
4707     if(result) {
4708       /* when verifystatus failed, remove the session id from the cache again
4709          if present */
4710       if(!Curl_ssl_cf_is_proxy(cf)) {
4711         void *old_ssl_sessionid = NULL;
4712         bool incache;
4713         Curl_ssl_sessionid_lock(data);
4714         incache = !(Curl_ssl_getsessionid(cf, data, peer,
4715                                           &old_ssl_sessionid, NULL, NULL));
4716         if(incache) {
4717           infof(data, "Remove session ID again from cache");
4718           Curl_ssl_delsessionid(data, old_ssl_sessionid);
4719         }
4720         Curl_ssl_sessionid_unlock(data);
4721       }
4722 
4723       X509_free(octx->server_cert);
4724       octx->server_cert = NULL;
4725       return result;
4726     }
4727   }
4728 #endif
4729 
4730   if(!strict)
4731     /* when not strict, we do not bother about the verify cert problems */
4732     result = CURLE_OK;
4733 
4734 #ifndef CURL_DISABLE_PROXY
4735   ptr = Curl_ssl_cf_is_proxy(cf) ?
4736     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
4737     data->set.str[STRING_SSL_PINNEDPUBLICKEY];
4738 #else
4739   ptr = data->set.str[STRING_SSL_PINNEDPUBLICKEY];
4740 #endif
4741   if(!result && ptr) {
4742     result = ossl_pkp_pin_peer_pubkey(data, octx->server_cert, ptr);
4743     if(result)
4744       failf(data, "SSL: public key does not match pinned public key");
4745   }
4746 
4747   X509_free(octx->server_cert);
4748   octx->server_cert = NULL;
4749 
4750   return result;
4751 }
4752 
4753 static CURLcode ossl_connect_step3(struct Curl_cfilter *cf,
4754                                    struct Curl_easy *data)
4755 {
4756   CURLcode result = CURLE_OK;
4757   struct ssl_connect_data *connssl = cf->ctx;
4758   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4759 
4760   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
4761 
4762   /*
4763    * We check certificates to authenticate the server; otherwise we risk
4764    * man-in-the-middle attack; NEVERTHELESS, if we are told explicitly not to
4765    * verify the peer, ignore faults and failures from the server cert
4766    * operations.
4767    */
4768 
4769   result = Curl_oss_check_peer_cert(cf, data, octx, &connssl->peer);
4770   if(!result)
4771     connssl->connecting_state = ssl_connect_done;
4772 
4773   return result;
4774 }
4775 
4776 static CURLcode ossl_connect_common(struct Curl_cfilter *cf,
4777                                     struct Curl_easy *data,
4778                                     bool nonblocking,
4779                                     bool *done)
4780 {
4781   CURLcode result = CURLE_OK;
4782   struct ssl_connect_data *connssl = cf->ctx;
4783   curl_socket_t sockfd = Curl_conn_cf_get_socket(cf, data);
4784   int what;
4785 
4786   connssl->io_need = CURL_SSL_IO_NEED_NONE;
4787   /* check if the connection has already been established */
4788   if(ssl_connection_complete == connssl->state) {
4789     *done = TRUE;
4790     return CURLE_OK;
4791   }
4792 
4793   if(ssl_connect_1 == connssl->connecting_state) {
4794     /* Find out how much more time we are allowed */
4795     const timediff_t timeout_ms = Curl_timeleft(data, NULL, TRUE);
4796 
4797     if(timeout_ms < 0) {
4798       /* no need to continue if time is already up */
4799       failf(data, "SSL connection timeout");
4800       return CURLE_OPERATION_TIMEDOUT;
4801     }
4802 
4803     result = ossl_connect_step1(cf, data);
4804     if(result)
4805       goto out;
4806   }
4807 
4808   while(ssl_connect_2 == connssl->connecting_state) {
4809 
4810     /* check allowed time left */
4811     const timediff_t timeout_ms = Curl_timeleft(data, NULL, TRUE);
4812 
4813     if(timeout_ms < 0) {
4814       /* no need to continue if time already is up */
4815       failf(data, "SSL connection timeout");
4816       result = CURLE_OPERATION_TIMEDOUT;
4817       goto out;
4818     }
4819 
4820     /* if ssl is expecting something, check if it is available. */
4821     if(!nonblocking && connssl->io_need) {
4822       curl_socket_t writefd = (connssl->io_need & CURL_SSL_IO_NEED_SEND) ?
4823         sockfd : CURL_SOCKET_BAD;
4824       curl_socket_t readfd = (connssl->io_need & CURL_SSL_IO_NEED_RECV) ?
4825         sockfd : CURL_SOCKET_BAD;
4826 
4827       what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
4828                                timeout_ms);
4829       if(what < 0) {
4830         /* fatal error */
4831         failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
4832         result = CURLE_SSL_CONNECT_ERROR;
4833         goto out;
4834       }
4835       if(0 == what) {
4836         /* timeout */
4837         failf(data, "SSL connection timeout");
4838         result = CURLE_OPERATION_TIMEDOUT;
4839         goto out;
4840       }
4841       /* socket is readable or writable */
4842     }
4843 
4844     /* Run transaction, and return to the caller if it failed or if this
4845      * connection is done nonblocking and this loop would execute again. This
4846      * permits the owner of a multi handle to abort a connection attempt
4847      * before step2 has completed while ensuring that a client using select()
4848      * or epoll() will always have a valid fdset to wait on.
4849      */
4850     result = ossl_connect_step2(cf, data);
4851     if(result || (nonblocking && (ssl_connect_2 == connssl->connecting_state)))
4852       goto out;
4853 
4854   } /* repeat step2 until all transactions are done. */
4855 
4856   if(ssl_connect_3 == connssl->connecting_state) {
4857     result = ossl_connect_step3(cf, data);
4858     if(result)
4859       goto out;
4860   }
4861 
4862   if(ssl_connect_done == connssl->connecting_state) {
4863     connssl->state = ssl_connection_complete;
4864     *done = TRUE;
4865   }
4866   else
4867     *done = FALSE;
4868 
4869   /* Reset our connect state machine */
4870   connssl->connecting_state = ssl_connect_1;
4871 
4872 out:
4873   return result;
4874 }
4875 
4876 static CURLcode ossl_connect_nonblocking(struct Curl_cfilter *cf,
4877                                          struct Curl_easy *data,
4878                                          bool *done)
4879 {
4880   return ossl_connect_common(cf, data, TRUE, done);
4881 }
4882 
4883 static CURLcode ossl_connect(struct Curl_cfilter *cf,
4884                              struct Curl_easy *data)
4885 {
4886   CURLcode result;
4887   bool done = FALSE;
4888 
4889   result = ossl_connect_common(cf, data, FALSE, &done);
4890   if(result)
4891     return result;
4892 
4893   DEBUGASSERT(done);
4894 
4895   return CURLE_OK;
4896 }
4897 
4898 static bool ossl_data_pending(struct Curl_cfilter *cf,
4899                               const struct Curl_easy *data)
4900 {
4901   struct ssl_connect_data *connssl = cf->ctx;
4902   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4903 
4904   (void)data;
4905   DEBUGASSERT(connssl && octx);
4906   if(octx->ssl && SSL_pending(octx->ssl))
4907     return TRUE;
4908   return FALSE;
4909 }
4910 
4911 static ssize_t ossl_send(struct Curl_cfilter *cf,
4912                          struct Curl_easy *data,
4913                          const void *mem,
4914                          size_t len,
4915                          CURLcode *curlcode)
4916 {
4917   /* SSL_write() is said to return 'int' while write() and send() returns
4918      'size_t' */
4919   int err;
4920   char error_buffer[256];
4921   sslerr_t sslerror;
4922   int memlen;
4923   int rc;
4924   struct ssl_connect_data *connssl = cf->ctx;
4925   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
4926 
4927   (void)data;
4928   DEBUGASSERT(octx);
4929 
4930   ERR_clear_error();
4931 
4932   connssl->io_need = CURL_SSL_IO_NEED_NONE;
4933   memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
4934   rc = SSL_write(octx->ssl, mem, memlen);
4935 
4936   if(rc <= 0) {
4937     err = SSL_get_error(octx->ssl, rc);
4938 
4939     switch(err) {
4940     case SSL_ERROR_WANT_READ:
4941       connssl->io_need = CURL_SSL_IO_NEED_RECV;
4942       *curlcode = CURLE_AGAIN;
4943       rc = -1;
4944       goto out;
4945     case SSL_ERROR_WANT_WRITE:
4946       *curlcode = CURLE_AGAIN;
4947       rc = -1;
4948       goto out;
4949     case SSL_ERROR_SYSCALL:
4950     {
4951       int sockerr = SOCKERRNO;
4952 
4953       if(octx->io_result == CURLE_AGAIN) {
4954         *curlcode = CURLE_AGAIN;
4955         rc = -1;
4956         goto out;
4957       }
4958       sslerror = ERR_get_error();
4959       if(sslerror)
4960         ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
4961       else if(sockerr)
4962         Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
4963       else
4964         msnprintf(error_buffer, sizeof(error_buffer), "%s",
4965                   SSL_ERROR_to_str(err));
4966 
4967       failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
4968             error_buffer, sockerr);
4969       *curlcode = CURLE_SEND_ERROR;
4970       rc = -1;
4971       goto out;
4972     }
4973     case SSL_ERROR_SSL: {
4974       /*  A failure in the SSL library occurred, usually a protocol error.
4975           The OpenSSL error queue contains more information on the error. */
4976       sslerror = ERR_get_error();
4977       failf(data, "SSL_write() error: %s",
4978             ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)));
4979       *curlcode = CURLE_SEND_ERROR;
4980       rc = -1;
4981       goto out;
4982     }
4983     default:
4984       /* a true error */
4985       failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
4986             SSL_ERROR_to_str(err), SOCKERRNO);
4987       *curlcode = CURLE_SEND_ERROR;
4988       rc = -1;
4989       goto out;
4990     }
4991   }
4992   *curlcode = CURLE_OK;
4993 
4994 out:
4995   return (ssize_t)rc; /* number of bytes */
4996 }
4997 
4998 static ssize_t ossl_recv(struct Curl_cfilter *cf,
4999                          struct Curl_easy *data,   /* transfer */
5000                          char *buf,                /* store read data here */
5001                          size_t buffersize,        /* max amount to read */
5002                          CURLcode *curlcode)
5003 {
5004   char error_buffer[256];
5005   unsigned long sslerror;
5006   ssize_t nread;
5007   int buffsize;
5008   struct connectdata *conn = cf->conn;
5009   struct ssl_connect_data *connssl = cf->ctx;
5010   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
5011 
5012   (void)data;
5013   DEBUGASSERT(octx);
5014 
5015   ERR_clear_error();
5016 
5017   connssl->io_need = CURL_SSL_IO_NEED_NONE;
5018   buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
5019   nread = (ssize_t)SSL_read(octx->ssl, buf, buffsize);
5020 
5021   if(nread <= 0) {
5022     /* failed SSL_read */
5023     int err = SSL_get_error(octx->ssl, (int)nread);
5024 
5025     switch(err) {
5026     case SSL_ERROR_NONE: /* this is not an error */
5027       break;
5028     case SSL_ERROR_ZERO_RETURN: /* no more data */
5029       /* close_notify alert */
5030       if(cf->sockindex == FIRSTSOCKET)
5031         /* mark the connection for close if it is indeed the control
5032            connection */
5033         connclose(conn, "TLS close_notify");
5034       break;
5035     case SSL_ERROR_WANT_READ:
5036       *curlcode = CURLE_AGAIN;
5037       nread = -1;
5038       goto out;
5039     case SSL_ERROR_WANT_WRITE:
5040       connssl->io_need = CURL_SSL_IO_NEED_SEND;
5041       *curlcode = CURLE_AGAIN;
5042       nread = -1;
5043       goto out;
5044     default:
5045       /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
5046          value/errno" */
5047       /* https://docs.openssl.org/master/man3/ERR_get_error/ */
5048       if(octx->io_result == CURLE_AGAIN) {
5049         *curlcode = CURLE_AGAIN;
5050         nread = -1;
5051         goto out;
5052       }
5053       sslerror = ERR_get_error();
5054       if((nread < 0) || sslerror) {
5055         /* If the return code was negative or there actually is an error in the
5056            queue */
5057         int sockerr = SOCKERRNO;
5058         if(sslerror)
5059           ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
5060         else if(sockerr && err == SSL_ERROR_SYSCALL)
5061           Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
5062         else
5063           msnprintf(error_buffer, sizeof(error_buffer), "%s",
5064                     SSL_ERROR_to_str(err));
5065         failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
5066               error_buffer, sockerr);
5067         *curlcode = CURLE_RECV_ERROR;
5068         nread = -1;
5069         goto out;
5070       }
5071       /* For debug builds be a little stricter and error on any
5072          SSL_ERROR_SYSCALL. For example a server may have closed the connection
5073          abruptly without a close_notify alert. For compatibility with older
5074          peers we do not do this by default. #4624
5075 
5076          We can use this to gauge how many users may be affected, and
5077          if it goes ok eventually transition to allow in dev and release with
5078          the newest OpenSSL: #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) */
5079 #ifdef DEBUGBUILD
5080       if(err == SSL_ERROR_SYSCALL) {
5081         int sockerr = SOCKERRNO;
5082         if(sockerr)
5083           Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
5084         else {
5085           msnprintf(error_buffer, sizeof(error_buffer),
5086                     "Connection closed abruptly");
5087         }
5088         failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d"
5089               " (Fatal because this is a curl debug build)",
5090               error_buffer, sockerr);
5091         *curlcode = CURLE_RECV_ERROR;
5092         nread = -1;
5093         goto out;
5094       }
5095 #endif
5096     }
5097   }
5098 
5099 out:
5100   return nread;
5101 }
5102 
5103 static CURLcode ossl_get_channel_binding(struct Curl_easy *data, int sockindex,
5104                                          struct dynbuf *binding)
5105 {
5106   /* required for X509_get_signature_nid support */
5107 #if OPENSSL_VERSION_NUMBER > 0x10100000L
5108   X509 *cert;
5109   int algo_nid;
5110   const EVP_MD *algo_type;
5111   const char *algo_name;
5112   unsigned int length;
5113   unsigned char buf[EVP_MAX_MD_SIZE];
5114 
5115   const char prefix[] = "tls-server-end-point:";
5116   struct connectdata *conn = data->conn;
5117   struct Curl_cfilter *cf = conn->cfilter[sockindex];
5118   struct ossl_ctx *octx = NULL;
5119 
5120   do {
5121     const struct Curl_cftype *cft = cf->cft;
5122     struct ssl_connect_data *connssl = cf->ctx;
5123 
5124     if(cft->name && !strcmp(cft->name, "SSL")) {
5125       octx = (struct ossl_ctx *)connssl->backend;
5126       break;
5127     }
5128 
5129     if(cf->next)
5130       cf = cf->next;
5131 
5132   } while(cf->next);
5133 
5134   if(!octx) {
5135     failf(data, "Failed to find the SSL filter");
5136     return CURLE_BAD_FUNCTION_ARGUMENT;
5137   }
5138 
5139   cert = SSL_get1_peer_certificate(octx->ssl);
5140   if(!cert) {
5141     /* No server certificate, don't do channel binding */
5142     return CURLE_OK;
5143   }
5144 
5145   if(!OBJ_find_sigid_algs(X509_get_signature_nid(cert), &algo_nid, NULL)) {
5146     failf(data,
5147           "Unable to find digest NID for certificate signature algorithm");
5148     return CURLE_SSL_INVALIDCERTSTATUS;
5149   }
5150 
5151   /* https://datatracker.ietf.org/doc/html/rfc5929#section-4.1 */
5152   if(algo_nid == NID_md5 || algo_nid == NID_sha1) {
5153     algo_type = EVP_sha256();
5154   }
5155   else {
5156     algo_type = EVP_get_digestbynid(algo_nid);
5157     if(!algo_type) {
5158       algo_name = OBJ_nid2sn(algo_nid);
5159       failf(data, "Could not find digest algorithm %s (NID %d)",
5160             algo_name ? algo_name : "(null)", algo_nid);
5161       return CURLE_SSL_INVALIDCERTSTATUS;
5162     }
5163   }
5164 
5165   if(!X509_digest(cert, algo_type, buf, &length)) {
5166     failf(data, "X509_digest() failed");
5167     return CURLE_SSL_INVALIDCERTSTATUS;
5168   }
5169 
5170   /* Append "tls-server-end-point:" */
5171   if(Curl_dyn_addn(binding, prefix, sizeof(prefix) - 1) != CURLE_OK)
5172     return CURLE_OUT_OF_MEMORY;
5173   /* Append digest */
5174   if(Curl_dyn_addn(binding, buf, length))
5175     return CURLE_OUT_OF_MEMORY;
5176 
5177   return CURLE_OK;
5178 #else
5179   /* No X509_get_signature_nid support */
5180   (void)data; /* unused */
5181   (void)sockindex; /* unused */
5182   (void)binding; /* unused */
5183   return CURLE_OK;
5184 #endif
5185 }
5186 
5187 static size_t ossl_version(char *buffer, size_t size)
5188 {
5189 #ifdef LIBRESSL_VERSION_NUMBER
5190 #ifdef HAVE_OPENSSL_VERSION
5191   char *p;
5192   size_t count;
5193   const char *ver = OpenSSL_version(OPENSSL_VERSION);
5194   const char expected[] = OSSL_PACKAGE " "; /* ie "LibreSSL " */
5195   if(strncasecompare(ver, expected, sizeof(expected) - 1)) {
5196     ver += sizeof(expected) - 1;
5197   }
5198   count = msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, ver);
5199   for(p = buffer; *p; ++p) {
5200     if(ISBLANK(*p))
5201       *p = '_';
5202   }
5203   return count;
5204 #else
5205   return msnprintf(buffer, size, "%s/%lx.%lx.%lx",
5206                    OSSL_PACKAGE,
5207                    (LIBRESSL_VERSION_NUMBER >> 28) & 0xf,
5208                    (LIBRESSL_VERSION_NUMBER >> 20) & 0xff,
5209                    (LIBRESSL_VERSION_NUMBER >> 12) & 0xff);
5210 #endif
5211 #elif defined(OPENSSL_IS_BORINGSSL)
5212 #ifdef CURL_BORINGSSL_VERSION
5213   return msnprintf(buffer, size, "%s/%s",
5214                    OSSL_PACKAGE,
5215                    CURL_BORINGSSL_VERSION);
5216 #else
5217   return msnprintf(buffer, size, OSSL_PACKAGE);
5218 #endif
5219 #elif defined(OPENSSL_IS_AWSLC)
5220   return msnprintf(buffer, size, "%s/%s",
5221                    OSSL_PACKAGE,
5222                    AWSLC_VERSION_NUMBER_STRING);
5223 #elif defined(HAVE_OPENSSL_VERSION) && defined(OPENSSL_VERSION_STRING)
5224   return msnprintf(buffer, size, "%s/%s",
5225                    OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING));
5226 #else
5227   /* not LibreSSL, BoringSSL and not using OpenSSL_version */
5228 
5229   char sub[3];
5230   unsigned long ssleay_value;
5231   sub[2]='\0';
5232   sub[1]='\0';
5233   ssleay_value = OpenSSL_version_num();
5234   if(ssleay_value < 0x906000) {
5235     ssleay_value = SSLEAY_VERSION_NUMBER;
5236     sub[0]='\0';
5237   }
5238   else {
5239     if(ssleay_value&0xff0) {
5240       int minor_ver = (ssleay_value >> 4) & 0xff;
5241       if(minor_ver > 26) {
5242         /* handle extended version introduced for 0.9.8za */
5243         sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
5244         sub[0] = 'z';
5245       }
5246       else {
5247         sub[0] = (char) (minor_ver + 'a' - 1);
5248       }
5249     }
5250     else
5251       sub[0]='\0';
5252   }
5253 
5254   return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s"
5255 #ifdef OPENSSL_FIPS
5256                    "-fips"
5257 #endif
5258                    ,
5259                    OSSL_PACKAGE,
5260                    (ssleay_value >> 28) & 0xf,
5261                    (ssleay_value >> 20) & 0xff,
5262                    (ssleay_value >> 12) & 0xff,
5263                    sub);
5264 #endif /* OPENSSL_IS_BORINGSSL */
5265 }
5266 
5267 /* can be called with data == NULL */
5268 static CURLcode ossl_random(struct Curl_easy *data,
5269                             unsigned char *entropy, size_t length)
5270 {
5271   int rc;
5272   if(data) {
5273     if(ossl_seed(data)) /* Initiate the seed if not already done */
5274       return CURLE_FAILED_INIT; /* could not seed for some reason */
5275   }
5276   else {
5277     if(!rand_enough())
5278       return CURLE_FAILED_INIT;
5279   }
5280   /* RAND_bytes() returns 1 on success, 0 otherwise.  */
5281   rc = RAND_bytes(entropy, (ossl_valsize_t)curlx_uztosi(length));
5282   return (rc == 1 ? CURLE_OK : CURLE_FAILED_INIT);
5283 }
5284 
5285 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
5286 static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */
5287                                size_t tmplen,
5288                                unsigned char *sha256sum /* output */,
5289                                size_t unused)
5290 {
5291   EVP_MD_CTX *mdctx;
5292   unsigned int len = 0;
5293   (void) unused;
5294 
5295   mdctx = EVP_MD_CTX_create();
5296   if(!mdctx)
5297     return CURLE_OUT_OF_MEMORY;
5298   if(!EVP_DigestInit(mdctx, EVP_sha256())) {
5299     EVP_MD_CTX_destroy(mdctx);
5300     return CURLE_FAILED_INIT;
5301   }
5302   EVP_DigestUpdate(mdctx, tmp, tmplen);
5303   EVP_DigestFinal_ex(mdctx, sha256sum, &len);
5304   EVP_MD_CTX_destroy(mdctx);
5305   return CURLE_OK;
5306 }
5307 #endif
5308 
5309 static bool ossl_cert_status_request(void)
5310 {
5311 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
5312   !defined(OPENSSL_NO_OCSP)
5313   return TRUE;
5314 #else
5315   return FALSE;
5316 #endif
5317 }
5318 
5319 static void *ossl_get_internals(struct ssl_connect_data *connssl,
5320                                 CURLINFO info)
5321 {
5322   /* Legacy: CURLINFO_TLS_SESSION must return an SSL_CTX pointer. */
5323   struct ossl_ctx *octx = (struct ossl_ctx *)connssl->backend;
5324   DEBUGASSERT(octx);
5325   return info == CURLINFO_TLS_SESSION ?
5326     (void *)octx->ssl_ctx : (void *)octx->ssl;
5327 }
5328 
5329 const struct Curl_ssl Curl_ssl_openssl = {
5330   { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */
5331 
5332   SSLSUPP_CA_PATH |
5333   SSLSUPP_CAINFO_BLOB |
5334   SSLSUPP_CERTINFO |
5335   SSLSUPP_PINNEDPUBKEY |
5336   SSLSUPP_SSL_CTX |
5337 #ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
5338   SSLSUPP_TLS13_CIPHERSUITES |
5339 #endif
5340 #ifdef USE_ECH
5341   SSLSUPP_ECH |
5342 #endif
5343   SSLSUPP_CA_CACHE |
5344   SSLSUPP_HTTPS_PROXY |
5345   SSLSUPP_CIPHER_LIST,
5346 
5347   sizeof(struct ossl_ctx),
5348 
5349   ossl_init,                /* init */
5350   ossl_cleanup,             /* cleanup */
5351   ossl_version,             /* version */
5352   Curl_none_check_cxn,      /* check_cxn */
5353   ossl_shutdown,            /* shutdown */
5354   ossl_data_pending,        /* data_pending */
5355   ossl_random,              /* random */
5356   ossl_cert_status_request, /* cert_status_request */
5357   ossl_connect,             /* connect */
5358   ossl_connect_nonblocking, /* connect_nonblocking */
5359   Curl_ssl_adjust_pollset,  /* adjust_pollset */
5360   ossl_get_internals,       /* get_internals */
5361   ossl_close,               /* close_one */
5362   ossl_close_all,           /* close_all */
5363   ossl_set_engine,          /* set_engine */
5364   ossl_set_engine_default,  /* set_engine_default */
5365   ossl_engines_list,        /* engines_list */
5366   Curl_none_false_start,    /* false_start */
5367 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
5368   ossl_sha256sum,           /* sha256sum */
5369 #else
5370   NULL,                     /* sha256sum */
5371 #endif
5372   NULL,                     /* use of data in this connection */
5373   NULL,                     /* remote of data from this connection */
5374   ossl_recv,                /* recv decrypted data */
5375   ossl_send,                /* send data to encrypt */
5376   ossl_get_channel_binding  /* get_channel_binding */
5377 };
5378 
5379 #endif /* USE_OPENSSL */
5380