1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25 /* This file is for implementing all "generic" SSL functions that all libcurl
26 internals should use. It is then responsible for calling the proper
27 "backend" function.
28
29 SSL-functions in libcurl should call functions in this source file, and not
30 to any specific SSL-layer.
31
32 Curl_ssl_ - prefix for generic ones
33
34 Note that this source code uses the functions of the configured SSL
35 backend via the global Curl_ssl instance.
36
37 "SSL/TLS Strong Encryption: An Introduction"
38 https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
39 */
40
41 #include "curl_setup.h"
42
43 #ifdef HAVE_SYS_TYPES_H
44 #include <sys/types.h>
45 #endif
46 #ifdef HAVE_SYS_STAT_H
47 #include <sys/stat.h>
48 #endif
49 #ifdef HAVE_FCNTL_H
50 #include <fcntl.h>
51 #endif
52
53 #include "urldata.h"
54 #include "cfilters.h"
55
56 #include "vtls.h" /* generic SSL protos etc */
57 #include "vtls_int.h"
58
59 #include "openssl.h" /* OpenSSL versions */
60 #include "gtls.h" /* GnuTLS versions */
61 #include "wolfssl.h" /* wolfSSL versions */
62 #include "schannel.h" /* Schannel SSPI version */
63 #include "sectransp.h" /* Secure Transport (Darwin) version */
64 #include "mbedtls.h" /* mbedTLS versions */
65 #include "bearssl.h" /* BearSSL versions */
66 #include "rustls.h" /* Rustls versions */
67
68 #include "slist.h"
69 #include "sendf.h"
70 #include "strcase.h"
71 #include "url.h"
72 #include "progress.h"
73 #include "share.h"
74 #include "multiif.h"
75 #include "timeval.h"
76 #include "curl_md5.h"
77 #include "warnless.h"
78 #include "curl_base64.h"
79 #include "curl_printf.h"
80 #include "inet_pton.h"
81 #include "connect.h"
82 #include "select.h"
83 #include "strdup.h"
84 #include "rand.h"
85
86 /* The last #include files should be: */
87 #include "curl_memory.h"
88 #include "memdebug.h"
89
90
91 /* convenience macro to check if this handle is using a shared SSL session */
92 #define SSLSESSION_SHARED(data) (data->share && \
93 (data->share->specifier & \
94 (1<<CURL_LOCK_DATA_SSL_SESSION)))
95
96 #define CLONE_STRING(var) \
97 do { \
98 if(source->var) { \
99 dest->var = strdup(source->var); \
100 if(!dest->var) \
101 return FALSE; \
102 } \
103 else \
104 dest->var = NULL; \
105 } while(0)
106
107 #define CLONE_BLOB(var) \
108 do { \
109 if(blobdup(&dest->var, source->var)) \
110 return FALSE; \
111 } while(0)
112
blobdup(struct curl_blob ** dest,struct curl_blob * src)113 static CURLcode blobdup(struct curl_blob **dest,
114 struct curl_blob *src)
115 {
116 DEBUGASSERT(dest);
117 DEBUGASSERT(!*dest);
118 if(src) {
119 /* only if there is data to dupe! */
120 struct curl_blob *d;
121 d = malloc(sizeof(struct curl_blob) + src->len);
122 if(!d)
123 return CURLE_OUT_OF_MEMORY;
124 d->len = src->len;
125 /* Always duplicate because the connection may survive longer than the
126 handle that passed in the blob. */
127 d->flags = CURL_BLOB_COPY;
128 d->data = (void *)((char *)d + sizeof(struct curl_blob));
129 memcpy(d->data, src->data, src->len);
130 *dest = d;
131 }
132 return CURLE_OK;
133 }
134
135 /* returns TRUE if the blobs are identical */
blobcmp(struct curl_blob * first,struct curl_blob * second)136 static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
137 {
138 if(!first && !second) /* both are NULL */
139 return TRUE;
140 if(!first || !second) /* one is NULL */
141 return FALSE;
142 if(first->len != second->len) /* different sizes */
143 return FALSE;
144 return !memcmp(first->data, second->data, first->len); /* same data */
145 }
146
147 #ifdef USE_SSL
148 static const struct alpn_spec ALPN_SPEC_H11 = {
149 { ALPN_HTTP_1_1 }, 1
150 };
151 #ifdef USE_HTTP2
152 static const struct alpn_spec ALPN_SPEC_H2 = {
153 { ALPN_H2 }, 1
154 };
155 static const struct alpn_spec ALPN_SPEC_H2_H11 = {
156 { ALPN_H2, ALPN_HTTP_1_1 }, 2
157 };
158 #endif
159
alpn_get_spec(int httpwant,bool use_alpn)160 static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
161 {
162 if(!use_alpn)
163 return NULL;
164 #ifdef USE_HTTP2
165 if(httpwant == CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE)
166 return &ALPN_SPEC_H2;
167 if(httpwant >= CURL_HTTP_VERSION_2)
168 return &ALPN_SPEC_H2_H11;
169 #else
170 (void)httpwant;
171 #endif
172 /* Use the ALPN protocol "http/1.1" for HTTP/1.x.
173 Avoid "http/1.0" because some servers do not support it. */
174 return &ALPN_SPEC_H11;
175 }
176 #endif /* USE_SSL */
177
178
Curl_ssl_easy_config_init(struct Curl_easy * data)179 void Curl_ssl_easy_config_init(struct Curl_easy *data)
180 {
181 /*
182 * libcurl 7.10 introduced SSL verification *by default*! This needs to be
183 * switched off unless wanted.
184 */
185 data->set.ssl.primary.verifypeer = TRUE;
186 data->set.ssl.primary.verifyhost = TRUE;
187 data->set.ssl.primary.cache_session = TRUE; /* caching by default */
188 #ifndef CURL_DISABLE_PROXY
189 data->set.proxy_ssl = data->set.ssl;
190 #endif
191 }
192
193 static bool
match_ssl_primary_config(struct Curl_easy * data,struct ssl_primary_config * c1,struct ssl_primary_config * c2)194 match_ssl_primary_config(struct Curl_easy *data,
195 struct ssl_primary_config *c1,
196 struct ssl_primary_config *c2)
197 {
198 (void)data;
199 if((c1->version == c2->version) &&
200 (c1->version_max == c2->version_max) &&
201 (c1->ssl_options == c2->ssl_options) &&
202 (c1->verifypeer == c2->verifypeer) &&
203 (c1->verifyhost == c2->verifyhost) &&
204 (c1->verifystatus == c2->verifystatus) &&
205 blobcmp(c1->cert_blob, c2->cert_blob) &&
206 blobcmp(c1->ca_info_blob, c2->ca_info_blob) &&
207 blobcmp(c1->issuercert_blob, c2->issuercert_blob) &&
208 Curl_safecmp(c1->CApath, c2->CApath) &&
209 Curl_safecmp(c1->CAfile, c2->CAfile) &&
210 Curl_safecmp(c1->issuercert, c2->issuercert) &&
211 Curl_safecmp(c1->clientcert, c2->clientcert) &&
212 #ifdef USE_TLS_SRP
213 !Curl_timestrcmp(c1->username, c2->username) &&
214 !Curl_timestrcmp(c1->password, c2->password) &&
215 #endif
216 strcasecompare(c1->cipher_list, c2->cipher_list) &&
217 strcasecompare(c1->cipher_list13, c2->cipher_list13) &&
218 strcasecompare(c1->curves, c2->curves) &&
219 strcasecompare(c1->CRLfile, c2->CRLfile) &&
220 strcasecompare(c1->pinned_key, c2->pinned_key))
221 return TRUE;
222
223 return FALSE;
224 }
225
Curl_ssl_conn_config_match(struct Curl_easy * data,struct connectdata * candidate,bool proxy)226 bool Curl_ssl_conn_config_match(struct Curl_easy *data,
227 struct connectdata *candidate,
228 bool proxy)
229 {
230 #ifndef CURL_DISABLE_PROXY
231 if(proxy)
232 return match_ssl_primary_config(data, &data->set.proxy_ssl.primary,
233 &candidate->proxy_ssl_config);
234 #else
235 (void)proxy;
236 #endif
237 return match_ssl_primary_config(data, &data->set.ssl.primary,
238 &candidate->ssl_config);
239 }
240
clone_ssl_primary_config(struct ssl_primary_config * source,struct ssl_primary_config * dest)241 static bool clone_ssl_primary_config(struct ssl_primary_config *source,
242 struct ssl_primary_config *dest)
243 {
244 dest->version = source->version;
245 dest->version_max = source->version_max;
246 dest->verifypeer = source->verifypeer;
247 dest->verifyhost = source->verifyhost;
248 dest->verifystatus = source->verifystatus;
249 dest->cache_session = source->cache_session;
250 dest->ssl_options = source->ssl_options;
251
252 CLONE_BLOB(cert_blob);
253 CLONE_BLOB(ca_info_blob);
254 CLONE_BLOB(issuercert_blob);
255 CLONE_STRING(CApath);
256 CLONE_STRING(CAfile);
257 CLONE_STRING(issuercert);
258 CLONE_STRING(clientcert);
259 CLONE_STRING(cipher_list);
260 CLONE_STRING(cipher_list13);
261 CLONE_STRING(pinned_key);
262 CLONE_STRING(curves);
263 CLONE_STRING(CRLfile);
264 #ifdef USE_TLS_SRP
265 CLONE_STRING(username);
266 CLONE_STRING(password);
267 #endif
268
269 return TRUE;
270 }
271
free_primary_ssl_config(struct ssl_primary_config * sslc)272 static void free_primary_ssl_config(struct ssl_primary_config *sslc)
273 {
274 Curl_safefree(sslc->CApath);
275 Curl_safefree(sslc->CAfile);
276 Curl_safefree(sslc->issuercert);
277 Curl_safefree(sslc->clientcert);
278 Curl_safefree(sslc->cipher_list);
279 Curl_safefree(sslc->cipher_list13);
280 Curl_safefree(sslc->pinned_key);
281 Curl_safefree(sslc->cert_blob);
282 Curl_safefree(sslc->ca_info_blob);
283 Curl_safefree(sslc->issuercert_blob);
284 Curl_safefree(sslc->curves);
285 Curl_safefree(sslc->CRLfile);
286 #ifdef USE_TLS_SRP
287 Curl_safefree(sslc->username);
288 Curl_safefree(sslc->password);
289 #endif
290 }
291
Curl_ssl_easy_config_complete(struct Curl_easy * data)292 CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
293 {
294 data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
295 data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
296 data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
297 data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
298 data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
299 data->set.ssl.primary.cipher_list =
300 data->set.str[STRING_SSL_CIPHER_LIST];
301 data->set.ssl.primary.cipher_list13 =
302 data->set.str[STRING_SSL_CIPHER13_LIST];
303 data->set.ssl.primary.pinned_key =
304 data->set.str[STRING_SSL_PINNEDPUBLICKEY];
305 data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
306 data->set.ssl.primary.ca_info_blob = data->set.blobs[BLOB_CAINFO];
307 data->set.ssl.primary.curves = data->set.str[STRING_SSL_EC_CURVES];
308 #ifdef USE_TLS_SRP
309 data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
310 data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
311 #endif
312 data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
313 data->set.ssl.key = data->set.str[STRING_KEY];
314 data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
315 data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
316 data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
317 data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
318
319 #ifndef CURL_DISABLE_PROXY
320 data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
321 data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
322 data->set.proxy_ssl.primary.cipher_list =
323 data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
324 data->set.proxy_ssl.primary.cipher_list13 =
325 data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
326 data->set.proxy_ssl.primary.pinned_key =
327 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
328 data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
329 data->set.proxy_ssl.primary.ca_info_blob =
330 data->set.blobs[BLOB_CAINFO_PROXY];
331 data->set.proxy_ssl.primary.issuercert =
332 data->set.str[STRING_SSL_ISSUERCERT_PROXY];
333 data->set.proxy_ssl.primary.issuercert_blob =
334 data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
335 data->set.proxy_ssl.primary.CRLfile =
336 data->set.str[STRING_SSL_CRLFILE_PROXY];
337 data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
338 data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
339 data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
340 data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
341 data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
342 data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
343 #ifdef USE_TLS_SRP
344 data->set.proxy_ssl.primary.username =
345 data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
346 data->set.proxy_ssl.primary.password =
347 data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
348 #endif
349 #endif /* CURL_DISABLE_PROXY */
350
351 return CURLE_OK;
352 }
353
Curl_ssl_conn_config_init(struct Curl_easy * data,struct connectdata * conn)354 CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
355 struct connectdata *conn)
356 {
357 /* Clone "primary" SSL configurations from the esay handle to
358 * the connection. They are used for connection cache matching and
359 * probably outlive the easy handle */
360 if(!clone_ssl_primary_config(&data->set.ssl.primary, &conn->ssl_config))
361 return CURLE_OUT_OF_MEMORY;
362 #ifndef CURL_DISABLE_PROXY
363 if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary,
364 &conn->proxy_ssl_config))
365 return CURLE_OUT_OF_MEMORY;
366 #endif
367 return CURLE_OK;
368 }
369
Curl_ssl_conn_config_cleanup(struct connectdata * conn)370 void Curl_ssl_conn_config_cleanup(struct connectdata *conn)
371 {
372 free_primary_ssl_config(&conn->ssl_config);
373 #ifndef CURL_DISABLE_PROXY
374 free_primary_ssl_config(&conn->proxy_ssl_config);
375 #endif
376 }
377
Curl_ssl_conn_config_update(struct Curl_easy * data,bool for_proxy)378 void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy)
379 {
380 /* May be called on an easy that has no connection yet */
381 if(data->conn) {
382 struct ssl_primary_config *src, *dest;
383 #ifndef CURL_DISABLE_PROXY
384 src = for_proxy ? &data->set.proxy_ssl.primary : &data->set.ssl.primary;
385 dest = for_proxy ? &data->conn->proxy_ssl_config : &data->conn->ssl_config;
386 #else
387 (void)for_proxy;
388 src = &data->set.ssl.primary;
389 dest = &data->conn->ssl_config;
390 #endif
391 dest->verifyhost = src->verifyhost;
392 dest->verifypeer = src->verifypeer;
393 dest->verifystatus = src->verifystatus;
394 }
395 }
396
397 #ifdef USE_SSL
398 static int multissl_setup(const struct Curl_ssl *backend);
399 #endif
400
Curl_ssl_backend(void)401 curl_sslbackend Curl_ssl_backend(void)
402 {
403 #ifdef USE_SSL
404 multissl_setup(NULL);
405 return Curl_ssl->info.id;
406 #else
407 return CURLSSLBACKEND_NONE;
408 #endif
409 }
410
411 #ifdef USE_SSL
412
413 /* "global" init done? */
414 static bool init_ssl = FALSE;
415
416 /**
417 * Global SSL init
418 *
419 * @retval 0 error initializing SSL
420 * @retval 1 SSL initialized successfully
421 */
Curl_ssl_init(void)422 int Curl_ssl_init(void)
423 {
424 /* make sure this is only done once */
425 if(init_ssl)
426 return 1;
427 init_ssl = TRUE; /* never again */
428
429 return Curl_ssl->init();
430 }
431
ssl_prefs_check(struct Curl_easy * data)432 static bool ssl_prefs_check(struct Curl_easy *data)
433 {
434 /* check for CURLOPT_SSLVERSION invalid parameter value */
435 const unsigned char sslver = data->set.ssl.primary.version;
436 if(sslver >= CURL_SSLVERSION_LAST) {
437 failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
438 return FALSE;
439 }
440
441 switch(data->set.ssl.primary.version_max) {
442 case CURL_SSLVERSION_MAX_NONE:
443 case CURL_SSLVERSION_MAX_DEFAULT:
444 break;
445
446 default:
447 if((data->set.ssl.primary.version_max >> 16) < sslver) {
448 failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
449 return FALSE;
450 }
451 }
452
453 return TRUE;
454 }
455
cf_ctx_new(struct Curl_easy * data,const struct alpn_spec * alpn)456 static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
457 const struct alpn_spec *alpn)
458 {
459 struct ssl_connect_data *ctx;
460
461 (void)data;
462 ctx = calloc(1, sizeof(*ctx));
463 if(!ctx)
464 return NULL;
465
466 ctx->alpn = alpn;
467 Curl_bufq_init2(&ctx->earlydata, CURL_SSL_EARLY_MAX, 1, BUFQ_OPT_NO_SPARES);
468 ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
469 if(!ctx->backend) {
470 free(ctx);
471 return NULL;
472 }
473 return ctx;
474 }
475
cf_ctx_free(struct ssl_connect_data * ctx)476 static void cf_ctx_free(struct ssl_connect_data *ctx)
477 {
478 if(ctx) {
479 Curl_safefree(ctx->alpn_negotiated);
480 Curl_bufq_free(&ctx->earlydata);
481 free(ctx->backend);
482 free(ctx);
483 }
484 }
485
ssl_connect(struct Curl_cfilter * cf,struct Curl_easy * data)486 static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data)
487 {
488 struct ssl_connect_data *connssl = cf->ctx;
489 CURLcode result;
490
491 if(!ssl_prefs_check(data))
492 return CURLE_SSL_CONNECT_ERROR;
493
494 /* mark this is being ssl-enabled from here on. */
495 connssl->state = ssl_connection_negotiating;
496
497 result = Curl_ssl->connect_blocking(cf, data);
498
499 if(!result) {
500 DEBUGASSERT(connssl->state == ssl_connection_complete);
501 }
502
503 return result;
504 }
505
506 static CURLcode
ssl_connect_nonblocking(struct Curl_cfilter * cf,struct Curl_easy * data,bool * done)507 ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data,
508 bool *done)
509 {
510 if(!ssl_prefs_check(data))
511 return CURLE_SSL_CONNECT_ERROR;
512
513 /* mark this is being ssl requested from here on. */
514 return Curl_ssl->connect_nonblocking(cf, data, done);
515 }
516
517 /*
518 * Lock shared SSL session data
519 */
Curl_ssl_sessionid_lock(struct Curl_easy * data)520 void Curl_ssl_sessionid_lock(struct Curl_easy *data)
521 {
522 if(SSLSESSION_SHARED(data))
523 Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
524 }
525
526 /*
527 * Unlock shared SSL session data
528 */
Curl_ssl_sessionid_unlock(struct Curl_easy * data)529 void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
530 {
531 if(SSLSESSION_SHARED(data))
532 Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
533 }
534
535 /*
536 * Check if there is a session ID for the given connection in the cache, and if
537 * there is one suitable, it is provided. Returns TRUE when no entry matched.
538 */
Curl_ssl_getsessionid(struct Curl_cfilter * cf,struct Curl_easy * data,const struct ssl_peer * peer,void ** ssl_sessionid,size_t * idsize,char ** palpn)539 bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
540 struct Curl_easy *data,
541 const struct ssl_peer *peer,
542 void **ssl_sessionid,
543 size_t *idsize, /* set 0 if unknown */
544 char **palpn)
545 {
546 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
547 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
548 struct Curl_ssl_session *check;
549 size_t i;
550 long *general_age;
551 bool no_match = TRUE;
552
553 *ssl_sessionid = NULL;
554 if(palpn)
555 *palpn = NULL;
556 if(!ssl_config)
557 return TRUE;
558
559 DEBUGASSERT(ssl_config->primary.cache_session);
560
561 if(!ssl_config->primary.cache_session || !data->state.session)
562 /* session ID reuse is disabled or the session cache has not been
563 setup */
564 return TRUE;
565
566 /* Lock if shared */
567 if(SSLSESSION_SHARED(data))
568 general_age = &data->share->sessionage;
569 else
570 general_age = &data->state.sessionage;
571
572 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
573 check = &data->state.session[i];
574 if(!check->sessionid)
575 /* not session ID means blank entry */
576 continue;
577 if(strcasecompare(peer->hostname, check->name) &&
578 ((!cf->conn->bits.conn_to_host && !check->conn_to_host) ||
579 (cf->conn->bits.conn_to_host && check->conn_to_host &&
580 strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
581 ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) ||
582 (cf->conn->bits.conn_to_port && check->conn_to_port != -1 &&
583 cf->conn->conn_to_port == check->conn_to_port)) &&
584 (peer->port == check->remote_port) &&
585 (peer->transport == check->transport) &&
586 strcasecompare(cf->conn->handler->scheme, check->scheme) &&
587 match_ssl_primary_config(data, conn_config, &check->ssl_config)) {
588 /* yes, we have a session ID! */
589 (*general_age)++; /* increase general age */
590 check->age = *general_age; /* set this as used in this age */
591 *ssl_sessionid = check->sessionid;
592 if(idsize)
593 *idsize = check->idsize;
594 if(palpn)
595 *palpn = check->alpn;
596 no_match = FALSE;
597 break;
598 }
599 }
600
601 CURL_TRC_CF(data, cf, "%s cached session ID for %s://%s:%d",
602 no_match ? "No" : "Found",
603 cf->conn->handler->scheme, peer->hostname, peer->port);
604 return no_match;
605 }
606
607 /*
608 * Kill a single session ID entry in the cache.
609 */
Curl_ssl_kill_session(struct Curl_ssl_session * session)610 void Curl_ssl_kill_session(struct Curl_ssl_session *session)
611 {
612 if(session->sessionid) {
613 /* defensive check */
614
615 /* free the ID the SSL-layer specific way */
616 session->sessionid_free(session->sessionid, session->idsize);
617
618 session->sessionid = NULL;
619 session->sessionid_free = NULL;
620 session->age = 0; /* fresh */
621
622 free_primary_ssl_config(&session->ssl_config);
623
624 Curl_safefree(session->name);
625 Curl_safefree(session->conn_to_host);
626 Curl_safefree(session->alpn);
627 }
628 }
629
630 /*
631 * Delete the given session ID from the cache.
632 */
Curl_ssl_delsessionid(struct Curl_easy * data,void * ssl_sessionid)633 void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
634 {
635 size_t i;
636
637 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
638 struct Curl_ssl_session *check = &data->state.session[i];
639
640 if(check->sessionid == ssl_sessionid) {
641 Curl_ssl_kill_session(check);
642 break;
643 }
644 }
645 }
646
Curl_ssl_set_sessionid(struct Curl_cfilter * cf,struct Curl_easy * data,const struct ssl_peer * peer,const char * alpn,void * ssl_sessionid,size_t idsize,Curl_ssl_sessionid_dtor * sessionid_free_cb)647 CURLcode Curl_ssl_set_sessionid(struct Curl_cfilter *cf,
648 struct Curl_easy *data,
649 const struct ssl_peer *peer,
650 const char *alpn,
651 void *ssl_sessionid,
652 size_t idsize,
653 Curl_ssl_sessionid_dtor *sessionid_free_cb)
654 {
655 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
656 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
657 size_t i;
658 struct Curl_ssl_session *store;
659 long oldest_age;
660 char *clone_host = NULL;
661 char *clone_conn_to_host = NULL;
662 char *clone_alpn = NULL;
663 int conn_to_port;
664 long *general_age;
665 void *old_sessionid;
666 size_t old_size;
667 CURLcode result = CURLE_OUT_OF_MEMORY;
668
669 DEBUGASSERT(ssl_sessionid);
670 DEBUGASSERT(sessionid_free_cb);
671
672 if(!data->state.session) {
673 sessionid_free_cb(ssl_sessionid, idsize);
674 return CURLE_OK;
675 }
676
677 if(!Curl_ssl_getsessionid(cf, data, peer, &old_sessionid, &old_size, NULL)) {
678 if((old_size == idsize) &&
679 ((old_sessionid == ssl_sessionid) ||
680 (idsize && !memcmp(old_sessionid, ssl_sessionid, idsize)))) {
681 /* the very same */
682 sessionid_free_cb(ssl_sessionid, idsize);
683 return CURLE_OK;
684 }
685 Curl_ssl_delsessionid(data, old_sessionid);
686 }
687
688 store = &data->state.session[0];
689 oldest_age = data->state.session[0].age; /* zero if unused */
690 DEBUGASSERT(ssl_config->primary.cache_session);
691 (void)ssl_config;
692
693 clone_host = strdup(peer->hostname);
694 if(!clone_host)
695 goto out;
696
697 if(cf->conn->bits.conn_to_host) {
698 clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
699 if(!clone_conn_to_host)
700 goto out;
701 }
702
703 clone_alpn = alpn ? strdup(alpn) : NULL;
704 if(alpn && !clone_alpn)
705 goto out;
706
707 if(cf->conn->bits.conn_to_port)
708 conn_to_port = cf->conn->conn_to_port;
709 else
710 conn_to_port = -1;
711
712 /* Now we should add the session ID and the hostname to the cache, (remove
713 the oldest if necessary) */
714
715 /* If using shared SSL session, lock! */
716 if(SSLSESSION_SHARED(data)) {
717 general_age = &data->share->sessionage;
718 }
719 else {
720 general_age = &data->state.sessionage;
721 }
722
723 /* find an empty slot for us, or find the oldest */
724 for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
725 data->state.session[i].sessionid; i++) {
726 if(data->state.session[i].age < oldest_age) {
727 oldest_age = data->state.session[i].age;
728 store = &data->state.session[i];
729 }
730 }
731 if(i == data->set.general_ssl.max_ssl_sessions)
732 /* cache is full, we must "kill" the oldest entry! */
733 Curl_ssl_kill_session(store);
734 else
735 store = &data->state.session[i]; /* use this slot */
736
737 /* now init the session struct wisely */
738 if(!clone_ssl_primary_config(conn_config, &store->ssl_config)) {
739 free_primary_ssl_config(&store->ssl_config);
740 store->sessionid = NULL; /* let caller free sessionid */
741 goto out;
742 }
743 store->sessionid = ssl_sessionid;
744 store->idsize = idsize;
745 store->sessionid_free = sessionid_free_cb;
746 store->age = *general_age; /* set current age */
747 /* free it if there is one already present */
748 free(store->name);
749 free(store->conn_to_host);
750 store->name = clone_host; /* clone hostname */
751 clone_host = NULL;
752 store->conn_to_host = clone_conn_to_host; /* clone connect to hostname */
753 clone_conn_to_host = NULL;
754 store->conn_to_port = conn_to_port; /* connect to port number */
755 store->alpn = clone_alpn;
756 clone_alpn = NULL;
757 /* port number */
758 store->remote_port = peer->port;
759 store->scheme = cf->conn->handler->scheme;
760 store->transport = peer->transport;
761
762 result = CURLE_OK;
763
764 out:
765 free(clone_host);
766 free(clone_conn_to_host);
767 free(clone_alpn);
768 if(result) {
769 failf(data, "Failed to add Session ID to cache for %s://%s:%d [%s]",
770 store->scheme, store->name, store->remote_port,
771 Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server");
772 sessionid_free_cb(ssl_sessionid, idsize);
773 return result;
774 }
775 CURL_TRC_CF(data, cf, "Added Session ID to cache for %s://%s:%d [%s]",
776 store->scheme, store->name, store->remote_port,
777 Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server");
778 return CURLE_OK;
779 }
780
Curl_ssl_get_channel_binding(struct Curl_easy * data,int sockindex,struct dynbuf * binding)781 CURLcode Curl_ssl_get_channel_binding(struct Curl_easy *data, int sockindex,
782 struct dynbuf *binding)
783 {
784 if(Curl_ssl->get_channel_binding)
785 return Curl_ssl->get_channel_binding(data, sockindex, binding);
786 return CURLE_OK;
787 }
788
Curl_ssl_close_all(struct Curl_easy * data)789 void Curl_ssl_close_all(struct Curl_easy *data)
790 {
791 /* kill the session ID cache if not shared */
792 if(data->state.session && !SSLSESSION_SHARED(data)) {
793 size_t i;
794 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
795 /* the single-killer function handles empty table slots */
796 Curl_ssl_kill_session(&data->state.session[i]);
797
798 /* free the cache data */
799 Curl_safefree(data->state.session);
800 }
801
802 Curl_ssl->close_all(data);
803 }
804
Curl_ssl_adjust_pollset(struct Curl_cfilter * cf,struct Curl_easy * data,struct easy_pollset * ps)805 void Curl_ssl_adjust_pollset(struct Curl_cfilter *cf, struct Curl_easy *data,
806 struct easy_pollset *ps)
807 {
808 struct ssl_connect_data *connssl = cf->ctx;
809
810 if(connssl->io_need) {
811 curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
812 if(sock != CURL_SOCKET_BAD) {
813 if(connssl->io_need & CURL_SSL_IO_NEED_SEND) {
814 Curl_pollset_set_out_only(data, ps, sock);
815 CURL_TRC_CF(data, cf, "adjust_pollset, POLLOUT fd=%" FMT_SOCKET_T,
816 sock);
817 }
818 else {
819 Curl_pollset_set_in_only(data, ps, sock);
820 CURL_TRC_CF(data, cf, "adjust_pollset, POLLIN fd=%" FMT_SOCKET_T,
821 sock);
822 }
823 }
824 }
825 }
826
827 /* Selects an SSL crypto engine
828 */
Curl_ssl_set_engine(struct Curl_easy * data,const char * engine)829 CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
830 {
831 return Curl_ssl->set_engine(data, engine);
832 }
833
834 /* Selects the default SSL crypto engine
835 */
Curl_ssl_set_engine_default(struct Curl_easy * data)836 CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
837 {
838 return Curl_ssl->set_engine_default(data);
839 }
840
841 /* Return list of OpenSSL crypto engine names. */
Curl_ssl_engines_list(struct Curl_easy * data)842 struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
843 {
844 return Curl_ssl->engines_list(data);
845 }
846
847 /*
848 * This sets up a session ID cache to the specified size. Make sure this code
849 * is agnostic to what underlying SSL technology we use.
850 */
Curl_ssl_initsessions(struct Curl_easy * data,size_t amount)851 CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
852 {
853 struct Curl_ssl_session *session;
854
855 if(data->state.session)
856 /* this is just a precaution to prevent multiple inits */
857 return CURLE_OK;
858
859 session = calloc(amount, sizeof(struct Curl_ssl_session));
860 if(!session)
861 return CURLE_OUT_OF_MEMORY;
862
863 /* store the info in the SSL section */
864 data->set.general_ssl.max_ssl_sessions = amount;
865 data->state.session = session;
866 data->state.sessionage = 1; /* this is brand new */
867 return CURLE_OK;
868 }
869
870 static size_t multissl_version(char *buffer, size_t size);
871
Curl_ssl_version(char * buffer,size_t size)872 void Curl_ssl_version(char *buffer, size_t size)
873 {
874 #ifdef CURL_WITH_MULTI_SSL
875 (void)multissl_version(buffer, size);
876 #else
877 (void)Curl_ssl->version(buffer, size);
878 #endif
879 }
880
Curl_ssl_free_certinfo(struct Curl_easy * data)881 void Curl_ssl_free_certinfo(struct Curl_easy *data)
882 {
883 struct curl_certinfo *ci = &data->info.certs;
884
885 if(ci->num_of_certs) {
886 /* free all individual lists used */
887 int i;
888 for(i = 0; i < ci->num_of_certs; i++) {
889 curl_slist_free_all(ci->certinfo[i]);
890 ci->certinfo[i] = NULL;
891 }
892
893 free(ci->certinfo); /* free the actual array too */
894 ci->certinfo = NULL;
895 ci->num_of_certs = 0;
896 }
897 }
898
Curl_ssl_init_certinfo(struct Curl_easy * data,int num)899 CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
900 {
901 struct curl_certinfo *ci = &data->info.certs;
902 struct curl_slist **table;
903
904 /* Free any previous certificate information structures */
905 Curl_ssl_free_certinfo(data);
906
907 /* Allocate the required certificate information structures */
908 table = calloc((size_t) num, sizeof(struct curl_slist *));
909 if(!table)
910 return CURLE_OUT_OF_MEMORY;
911
912 ci->num_of_certs = num;
913 ci->certinfo = table;
914
915 return CURLE_OK;
916 }
917
918 /*
919 * 'value' is NOT a null-terminated string
920 */
Curl_ssl_push_certinfo_len(struct Curl_easy * data,int certnum,const char * label,const char * value,size_t valuelen)921 CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
922 int certnum,
923 const char *label,
924 const char *value,
925 size_t valuelen)
926 {
927 struct curl_certinfo *ci = &data->info.certs;
928 struct curl_slist *nl;
929 CURLcode result = CURLE_OK;
930 struct dynbuf build;
931
932 DEBUGASSERT(certnum < ci->num_of_certs);
933
934 Curl_dyn_init(&build, CURL_X509_STR_MAX);
935
936 if(Curl_dyn_add(&build, label) ||
937 Curl_dyn_addn(&build, ":", 1) ||
938 Curl_dyn_addn(&build, value, valuelen))
939 return CURLE_OUT_OF_MEMORY;
940
941 nl = Curl_slist_append_nodup(ci->certinfo[certnum],
942 Curl_dyn_ptr(&build));
943 if(!nl) {
944 Curl_dyn_free(&build);
945 curl_slist_free_all(ci->certinfo[certnum]);
946 result = CURLE_OUT_OF_MEMORY;
947 }
948
949 ci->certinfo[certnum] = nl;
950 return result;
951 }
952
953 /* get 32 bits of random */
Curl_ssl_random(struct Curl_easy * data,unsigned char * entropy,size_t length)954 CURLcode Curl_ssl_random(struct Curl_easy *data,
955 unsigned char *entropy,
956 size_t length)
957 {
958 DEBUGASSERT(length == sizeof(int));
959 if(Curl_ssl->random)
960 return Curl_ssl->random(data, entropy, length);
961 else
962 return CURLE_NOT_BUILT_IN;
963 }
964
965 /*
966 * Public key pem to der conversion
967 */
968
pubkey_pem_to_der(const char * pem,unsigned char ** der,size_t * der_len)969 static CURLcode pubkey_pem_to_der(const char *pem,
970 unsigned char **der, size_t *der_len)
971 {
972 char *begin_pos, *end_pos;
973 size_t pem_count, pem_len;
974 CURLcode result;
975 struct dynbuf pbuf;
976
977 /* if no pem, exit. */
978 if(!pem)
979 return CURLE_BAD_CONTENT_ENCODING;
980
981 Curl_dyn_init(&pbuf, MAX_PINNED_PUBKEY_SIZE);
982
983 begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
984 if(!begin_pos)
985 return CURLE_BAD_CONTENT_ENCODING;
986
987 pem_count = begin_pos - pem;
988 /* Invalid if not at beginning AND not directly following \n */
989 if(0 != pem_count && '\n' != pem[pem_count - 1])
990 return CURLE_BAD_CONTENT_ENCODING;
991
992 /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
993 pem_count += 26;
994
995 /* Invalid if not directly following \n */
996 end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
997 if(!end_pos)
998 return CURLE_BAD_CONTENT_ENCODING;
999
1000 pem_len = end_pos - pem;
1001
1002 /*
1003 * Here we loop through the pem array one character at a time between the
1004 * correct indices, and place each character that is not '\n' or '\r'
1005 * into the stripped_pem array, which should represent the raw base64 string
1006 */
1007 while(pem_count < pem_len) {
1008 if('\n' != pem[pem_count] && '\r' != pem[pem_count]) {
1009 result = Curl_dyn_addn(&pbuf, &pem[pem_count], 1);
1010 if(result)
1011 return result;
1012 }
1013 ++pem_count;
1014 }
1015
1016 result = Curl_base64_decode(Curl_dyn_ptr(&pbuf), der, der_len);
1017
1018 Curl_dyn_free(&pbuf);
1019
1020 return result;
1021 }
1022
1023 /*
1024 * Generic pinned public key check.
1025 */
1026
Curl_pin_peer_pubkey(struct Curl_easy * data,const char * pinnedpubkey,const unsigned char * pubkey,size_t pubkeylen)1027 CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
1028 const char *pinnedpubkey,
1029 const unsigned char *pubkey, size_t pubkeylen)
1030 {
1031 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
1032 #ifdef CURL_DISABLE_VERBOSE_STRINGS
1033 (void)data;
1034 #endif
1035
1036 /* if a path was not specified, do not pin */
1037 if(!pinnedpubkey)
1038 return CURLE_OK;
1039 if(!pubkey || !pubkeylen)
1040 return result;
1041
1042 /* only do this if pinnedpubkey starts with "sha256//", length 8 */
1043 if(!strncmp(pinnedpubkey, "sha256//", 8)) {
1044 CURLcode encode;
1045 size_t encodedlen = 0;
1046 char *encoded = NULL, *pinkeycopy, *begin_pos, *end_pos;
1047 unsigned char *sha256sumdigest;
1048
1049 if(!Curl_ssl->sha256sum) {
1050 /* without sha256 support, this cannot match */
1051 return result;
1052 }
1053
1054 /* compute sha256sum of public key */
1055 sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
1056 if(!sha256sumdigest)
1057 return CURLE_OUT_OF_MEMORY;
1058 encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
1059 sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
1060
1061 if(!encode)
1062 encode = Curl_base64_encode((char *)sha256sumdigest,
1063 CURL_SHA256_DIGEST_LENGTH, &encoded,
1064 &encodedlen);
1065 Curl_safefree(sha256sumdigest);
1066
1067 if(encode)
1068 return encode;
1069
1070 infof(data, " public key hash: sha256//%s", encoded);
1071
1072 /* it starts with sha256//, copy so we can modify it */
1073 pinkeycopy = strdup(pinnedpubkey);
1074 if(!pinkeycopy) {
1075 Curl_safefree(encoded);
1076 return CURLE_OUT_OF_MEMORY;
1077 }
1078 /* point begin_pos to the copy, and start extracting keys */
1079 begin_pos = pinkeycopy;
1080 do {
1081 end_pos = strstr(begin_pos, ";sha256//");
1082 /*
1083 * if there is an end_pos, null terminate,
1084 * otherwise it will go to the end of the original string
1085 */
1086 if(end_pos)
1087 end_pos[0] = '\0';
1088
1089 /* compare base64 sha256 digests, 8 is the length of "sha256//" */
1090 if(encodedlen == strlen(begin_pos + 8) &&
1091 !memcmp(encoded, begin_pos + 8, encodedlen)) {
1092 result = CURLE_OK;
1093 break;
1094 }
1095
1096 /*
1097 * change back the null-terminator we changed earlier,
1098 * and look for next begin
1099 */
1100 if(end_pos) {
1101 end_pos[0] = ';';
1102 begin_pos = strstr(end_pos, "sha256//");
1103 }
1104 } while(end_pos && begin_pos);
1105 Curl_safefree(encoded);
1106 Curl_safefree(pinkeycopy);
1107 }
1108 else {
1109 long filesize;
1110 size_t size, pem_len;
1111 CURLcode pem_read;
1112 struct dynbuf buf;
1113 char unsigned *pem_ptr = NULL;
1114 size_t left;
1115 FILE *fp = fopen(pinnedpubkey, "rb");
1116 if(!fp)
1117 return result;
1118
1119 Curl_dyn_init(&buf, MAX_PINNED_PUBKEY_SIZE);
1120
1121 /* Determine the file's size */
1122 if(fseek(fp, 0, SEEK_END))
1123 goto end;
1124 filesize = ftell(fp);
1125 if(fseek(fp, 0, SEEK_SET))
1126 goto end;
1127 if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
1128 goto end;
1129
1130 /*
1131 * if the size of our certificate is bigger than the file
1132 * size then it cannot match
1133 */
1134 size = curlx_sotouz((curl_off_t) filesize);
1135 if(pubkeylen > size)
1136 goto end;
1137
1138 /*
1139 * Read the file into the dynbuf
1140 */
1141 left = size;
1142 do {
1143 char buffer[1024];
1144 size_t want = left > sizeof(buffer) ? sizeof(buffer) : left;
1145 if(want != fread(buffer, 1, want, fp))
1146 goto end;
1147 if(Curl_dyn_addn(&buf, buffer, want))
1148 goto end;
1149 left -= want;
1150 } while(left);
1151
1152 /* If the sizes are the same, it cannot be base64 encoded, must be der */
1153 if(pubkeylen == size) {
1154 if(!memcmp(pubkey, Curl_dyn_ptr(&buf), pubkeylen))
1155 result = CURLE_OK;
1156 goto end;
1157 }
1158
1159 /*
1160 * Otherwise we will assume it is PEM and try to decode it
1161 * after placing null terminator
1162 */
1163 pem_read = pubkey_pem_to_der(Curl_dyn_ptr(&buf), &pem_ptr, &pem_len);
1164 /* if it was not read successfully, exit */
1165 if(pem_read)
1166 goto end;
1167
1168 /*
1169 * if the size of our certificate does not match the size of
1170 * the decoded file, they cannot be the same, otherwise compare
1171 */
1172 if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
1173 result = CURLE_OK;
1174 end:
1175 Curl_dyn_free(&buf);
1176 Curl_safefree(pem_ptr);
1177 fclose(fp);
1178 }
1179
1180 return result;
1181 }
1182
1183 /*
1184 * Check whether the SSL backend supports the status_request extension.
1185 */
Curl_ssl_cert_status_request(void)1186 bool Curl_ssl_cert_status_request(void)
1187 {
1188 return Curl_ssl->cert_status_request();
1189 }
1190
1191 /*
1192 * Check whether the SSL backend supports false start.
1193 */
Curl_ssl_false_start(struct Curl_easy * data)1194 bool Curl_ssl_false_start(struct Curl_easy *data)
1195 {
1196 (void)data;
1197 return Curl_ssl->false_start();
1198 }
1199
1200 /*
1201 * Default implementations for unsupported functions.
1202 */
1203
Curl_none_init(void)1204 int Curl_none_init(void)
1205 {
1206 return 1;
1207 }
1208
Curl_none_cleanup(void)1209 void Curl_none_cleanup(void)
1210 { }
1211
Curl_none_shutdown(struct Curl_cfilter * cf UNUSED_PARAM,struct Curl_easy * data UNUSED_PARAM,bool send_shutdown UNUSED_PARAM,bool * done)1212 CURLcode Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
1213 struct Curl_easy *data UNUSED_PARAM,
1214 bool send_shutdown UNUSED_PARAM,
1215 bool *done)
1216 {
1217 (void)data;
1218 (void)cf;
1219 (void)send_shutdown;
1220 /* Every SSL backend should have a shutdown implementation. Until we
1221 * have implemented that, we put this fake in place. */
1222 *done = TRUE;
1223 return CURLE_OK;
1224 }
1225
Curl_none_check_cxn(struct Curl_cfilter * cf,struct Curl_easy * data)1226 int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data)
1227 {
1228 (void)cf;
1229 (void)data;
1230 return -1;
1231 }
1232
Curl_none_close_all(struct Curl_easy * data UNUSED_PARAM)1233 void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
1234 {
1235 (void)data;
1236 }
1237
Curl_none_session_free(void * ptr UNUSED_PARAM)1238 void Curl_none_session_free(void *ptr UNUSED_PARAM)
1239 {
1240 (void)ptr;
1241 }
1242
Curl_none_data_pending(struct Curl_cfilter * cf UNUSED_PARAM,const struct Curl_easy * data UNUSED_PARAM)1243 bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
1244 const struct Curl_easy *data UNUSED_PARAM)
1245 {
1246 (void)cf;
1247 (void)data;
1248 return 0;
1249 }
1250
Curl_none_cert_status_request(void)1251 bool Curl_none_cert_status_request(void)
1252 {
1253 return FALSE;
1254 }
1255
Curl_none_set_engine(struct Curl_easy * data UNUSED_PARAM,const char * engine UNUSED_PARAM)1256 CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
1257 const char *engine UNUSED_PARAM)
1258 {
1259 (void)data;
1260 (void)engine;
1261 return CURLE_NOT_BUILT_IN;
1262 }
1263
Curl_none_set_engine_default(struct Curl_easy * data UNUSED_PARAM)1264 CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
1265 {
1266 (void)data;
1267 return CURLE_NOT_BUILT_IN;
1268 }
1269
Curl_none_engines_list(struct Curl_easy * data UNUSED_PARAM)1270 struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
1271 {
1272 (void)data;
1273 return (struct curl_slist *)NULL;
1274 }
1275
Curl_none_false_start(void)1276 bool Curl_none_false_start(void)
1277 {
1278 return FALSE;
1279 }
1280
multissl_init(void)1281 static int multissl_init(void)
1282 {
1283 if(multissl_setup(NULL))
1284 return 1;
1285 return Curl_ssl->init();
1286 }
1287
multissl_connect(struct Curl_cfilter * cf,struct Curl_easy * data)1288 static CURLcode multissl_connect(struct Curl_cfilter *cf,
1289 struct Curl_easy *data)
1290 {
1291 if(multissl_setup(NULL))
1292 return CURLE_FAILED_INIT;
1293 return Curl_ssl->connect_blocking(cf, data);
1294 }
1295
multissl_connect_nonblocking(struct Curl_cfilter * cf,struct Curl_easy * data,bool * done)1296 static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
1297 struct Curl_easy *data,
1298 bool *done)
1299 {
1300 if(multissl_setup(NULL))
1301 return CURLE_FAILED_INIT;
1302 return Curl_ssl->connect_nonblocking(cf, data, done);
1303 }
1304
multissl_adjust_pollset(struct Curl_cfilter * cf,struct Curl_easy * data,struct easy_pollset * ps)1305 static void multissl_adjust_pollset(struct Curl_cfilter *cf,
1306 struct Curl_easy *data,
1307 struct easy_pollset *ps)
1308 {
1309 if(multissl_setup(NULL))
1310 return;
1311 Curl_ssl->adjust_pollset(cf, data, ps);
1312 }
1313
multissl_get_internals(struct ssl_connect_data * connssl,CURLINFO info)1314 static void *multissl_get_internals(struct ssl_connect_data *connssl,
1315 CURLINFO info)
1316 {
1317 if(multissl_setup(NULL))
1318 return NULL;
1319 return Curl_ssl->get_internals(connssl, info);
1320 }
1321
multissl_close(struct Curl_cfilter * cf,struct Curl_easy * data)1322 static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1323 {
1324 if(multissl_setup(NULL))
1325 return;
1326 Curl_ssl->close(cf, data);
1327 }
1328
multissl_recv_plain(struct Curl_cfilter * cf,struct Curl_easy * data,char * buf,size_t len,CURLcode * code)1329 static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
1330 struct Curl_easy *data,
1331 char *buf, size_t len, CURLcode *code)
1332 {
1333 if(multissl_setup(NULL))
1334 return CURLE_FAILED_INIT;
1335 return Curl_ssl->recv_plain(cf, data, buf, len, code);
1336 }
1337
multissl_send_plain(struct Curl_cfilter * cf,struct Curl_easy * data,const void * mem,size_t len,CURLcode * code)1338 static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
1339 struct Curl_easy *data,
1340 const void *mem, size_t len,
1341 CURLcode *code)
1342 {
1343 if(multissl_setup(NULL))
1344 return CURLE_FAILED_INIT;
1345 return Curl_ssl->send_plain(cf, data, mem, len, code);
1346 }
1347
1348 static const struct Curl_ssl Curl_ssl_multi = {
1349 { CURLSSLBACKEND_NONE, "multi" }, /* info */
1350 0, /* supports nothing */
1351 (size_t)-1, /* something insanely large to be on the safe side */
1352
1353 multissl_init, /* init */
1354 Curl_none_cleanup, /* cleanup */
1355 multissl_version, /* version */
1356 Curl_none_check_cxn, /* check_cxn */
1357 Curl_none_shutdown, /* shutdown */
1358 Curl_none_data_pending, /* data_pending */
1359 NULL, /* random */
1360 Curl_none_cert_status_request, /* cert_status_request */
1361 multissl_connect, /* connect */
1362 multissl_connect_nonblocking, /* connect_nonblocking */
1363 multissl_adjust_pollset, /* adjust_pollset */
1364 multissl_get_internals, /* get_internals */
1365 multissl_close, /* close_one */
1366 Curl_none_close_all, /* close_all */
1367 Curl_none_set_engine, /* set_engine */
1368 Curl_none_set_engine_default, /* set_engine_default */
1369 Curl_none_engines_list, /* engines_list */
1370 Curl_none_false_start, /* false_start */
1371 NULL, /* sha256sum */
1372 NULL, /* associate_connection */
1373 NULL, /* disassociate_connection */
1374 multissl_recv_plain, /* recv decrypted data */
1375 multissl_send_plain, /* send data to encrypt */
1376 NULL, /* get_channel_binding */
1377 };
1378
1379 const struct Curl_ssl *Curl_ssl =
1380 #if defined(CURL_WITH_MULTI_SSL)
1381 &Curl_ssl_multi;
1382 #elif defined(USE_WOLFSSL)
1383 &Curl_ssl_wolfssl;
1384 #elif defined(USE_GNUTLS)
1385 &Curl_ssl_gnutls;
1386 #elif defined(USE_MBEDTLS)
1387 &Curl_ssl_mbedtls;
1388 #elif defined(USE_RUSTLS)
1389 &Curl_ssl_rustls;
1390 #elif defined(USE_OPENSSL)
1391 &Curl_ssl_openssl;
1392 #elif defined(USE_SECTRANSP)
1393 &Curl_ssl_sectransp;
1394 #elif defined(USE_SCHANNEL)
1395 &Curl_ssl_schannel;
1396 #elif defined(USE_BEARSSL)
1397 &Curl_ssl_bearssl;
1398 #else
1399 #error "Missing struct Curl_ssl for selected SSL backend"
1400 #endif
1401
1402 static const struct Curl_ssl *available_backends[] = {
1403 #if defined(USE_WOLFSSL)
1404 &Curl_ssl_wolfssl,
1405 #endif
1406 #if defined(USE_GNUTLS)
1407 &Curl_ssl_gnutls,
1408 #endif
1409 #if defined(USE_MBEDTLS)
1410 &Curl_ssl_mbedtls,
1411 #endif
1412 #if defined(USE_OPENSSL)
1413 &Curl_ssl_openssl,
1414 #endif
1415 #if defined(USE_SECTRANSP)
1416 &Curl_ssl_sectransp,
1417 #endif
1418 #if defined(USE_SCHANNEL)
1419 &Curl_ssl_schannel,
1420 #endif
1421 #if defined(USE_BEARSSL)
1422 &Curl_ssl_bearssl,
1423 #endif
1424 #if defined(USE_RUSTLS)
1425 &Curl_ssl_rustls,
1426 #endif
1427 NULL
1428 };
1429
1430 /* Global cleanup */
Curl_ssl_cleanup(void)1431 void Curl_ssl_cleanup(void)
1432 {
1433 if(init_ssl) {
1434 /* only cleanup if we did a previous init */
1435 Curl_ssl->cleanup();
1436 #if defined(CURL_WITH_MULTI_SSL)
1437 Curl_ssl = &Curl_ssl_multi;
1438 #endif
1439 init_ssl = FALSE;
1440 }
1441 }
1442
multissl_version(char * buffer,size_t size)1443 static size_t multissl_version(char *buffer, size_t size)
1444 {
1445 static const struct Curl_ssl *selected;
1446 static char backends[200];
1447 static size_t backends_len;
1448 const struct Curl_ssl *current;
1449
1450 current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
1451
1452 if(current != selected) {
1453 char *p = backends;
1454 char *end = backends + sizeof(backends);
1455 int i;
1456
1457 selected = current;
1458
1459 backends[0] = '\0';
1460
1461 for(i = 0; available_backends[i]; ++i) {
1462 char vb[200];
1463 bool paren = (selected != available_backends[i]);
1464
1465 if(available_backends[i]->version(vb, sizeof(vb))) {
1466 p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
1467 (paren ? "(" : ""), vb, (paren ? ")" : ""));
1468 }
1469 }
1470
1471 backends_len = p - backends;
1472 }
1473
1474 if(size) {
1475 if(backends_len < size)
1476 strcpy(buffer, backends);
1477 else
1478 *buffer = 0; /* did not fit */
1479 }
1480 return 0;
1481 }
1482
multissl_setup(const struct Curl_ssl * backend)1483 static int multissl_setup(const struct Curl_ssl *backend)
1484 {
1485 const char *env;
1486 char *env_tmp;
1487
1488 if(Curl_ssl != &Curl_ssl_multi)
1489 return 1;
1490
1491 if(backend) {
1492 Curl_ssl = backend;
1493 return 0;
1494 }
1495
1496 if(!available_backends[0])
1497 return 1;
1498
1499 env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
1500 #ifdef CURL_DEFAULT_SSL_BACKEND
1501 if(!env)
1502 env = CURL_DEFAULT_SSL_BACKEND;
1503 #endif
1504 if(env) {
1505 int i;
1506 for(i = 0; available_backends[i]; i++) {
1507 if(strcasecompare(env, available_backends[i]->info.name)) {
1508 Curl_ssl = available_backends[i];
1509 free(env_tmp);
1510 return 0;
1511 }
1512 }
1513 }
1514
1515 /* Fall back to first available backend */
1516 Curl_ssl = available_backends[0];
1517 free(env_tmp);
1518 return 0;
1519 }
1520
1521 /* This function is used to select the SSL backend to use. It is called by
1522 curl_global_sslset (easy.c) which uses the global init lock. */
Curl_init_sslset_nolock(curl_sslbackend id,const char * name,const curl_ssl_backend *** avail)1523 CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1524 const curl_ssl_backend ***avail)
1525 {
1526 int i;
1527
1528 if(avail)
1529 *avail = (const curl_ssl_backend **)&available_backends;
1530
1531 if(Curl_ssl != &Curl_ssl_multi)
1532 return id == Curl_ssl->info.id ||
1533 (name && strcasecompare(name, Curl_ssl->info.name)) ?
1534 CURLSSLSET_OK :
1535 #if defined(CURL_WITH_MULTI_SSL)
1536 CURLSSLSET_TOO_LATE;
1537 #else
1538 CURLSSLSET_UNKNOWN_BACKEND;
1539 #endif
1540
1541 for(i = 0; available_backends[i]; i++) {
1542 if(available_backends[i]->info.id == id ||
1543 (name && strcasecompare(available_backends[i]->info.name, name))) {
1544 multissl_setup(available_backends[i]);
1545 return CURLSSLSET_OK;
1546 }
1547 }
1548
1549 return CURLSSLSET_UNKNOWN_BACKEND;
1550 }
1551
1552 #else /* USE_SSL */
Curl_init_sslset_nolock(curl_sslbackend id,const char * name,const curl_ssl_backend *** avail)1553 CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1554 const curl_ssl_backend ***avail)
1555 {
1556 (void)id;
1557 (void)name;
1558 (void)avail;
1559 return CURLSSLSET_NO_BACKENDS;
1560 }
1561
1562 #endif /* !USE_SSL */
1563
1564 #ifdef USE_SSL
1565
Curl_ssl_peer_cleanup(struct ssl_peer * peer)1566 void Curl_ssl_peer_cleanup(struct ssl_peer *peer)
1567 {
1568 if(peer->dispname != peer->hostname)
1569 free(peer->dispname);
1570 free(peer->sni);
1571 free(peer->hostname);
1572 peer->hostname = peer->sni = peer->dispname = NULL;
1573 peer->type = CURL_SSL_PEER_DNS;
1574 }
1575
cf_close(struct Curl_cfilter * cf,struct Curl_easy * data)1576 static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1577 {
1578 struct ssl_connect_data *connssl = cf->ctx;
1579 if(connssl) {
1580 Curl_ssl->close(cf, data);
1581 connssl->state = ssl_connection_none;
1582 Curl_ssl_peer_cleanup(&connssl->peer);
1583 }
1584 cf->connected = FALSE;
1585 }
1586
get_peer_type(const char * hostname)1587 static ssl_peer_type get_peer_type(const char *hostname)
1588 {
1589 if(hostname && hostname[0]) {
1590 #ifdef USE_IPV6
1591 struct in6_addr addr;
1592 #else
1593 struct in_addr addr;
1594 #endif
1595 if(Curl_inet_pton(AF_INET, hostname, &addr))
1596 return CURL_SSL_PEER_IPV4;
1597 #ifdef USE_IPV6
1598 else if(Curl_inet_pton(AF_INET6, hostname, &addr)) {
1599 return CURL_SSL_PEER_IPV6;
1600 }
1601 #endif
1602 }
1603 return CURL_SSL_PEER_DNS;
1604 }
1605
Curl_ssl_peer_init(struct ssl_peer * peer,struct Curl_cfilter * cf,int transport)1606 CURLcode Curl_ssl_peer_init(struct ssl_peer *peer, struct Curl_cfilter *cf,
1607 int transport)
1608 {
1609 const char *ehostname, *edispname;
1610 CURLcode result = CURLE_OUT_OF_MEMORY;
1611
1612 /* We expect a clean struct, e.g. called only ONCE */
1613 DEBUGASSERT(peer);
1614 DEBUGASSERT(!peer->hostname);
1615 DEBUGASSERT(!peer->dispname);
1616 DEBUGASSERT(!peer->sni);
1617 /* We need the hostname for SNI negotiation. Once handshaked, this remains
1618 * the SNI hostname for the TLS connection. When the connection is reused,
1619 * the settings in cf->conn might change. We keep a copy of the hostname we
1620 * use for SNI.
1621 */
1622 peer->transport = transport;
1623 #ifndef CURL_DISABLE_PROXY
1624 if(Curl_ssl_cf_is_proxy(cf)) {
1625 ehostname = cf->conn->http_proxy.host.name;
1626 edispname = cf->conn->http_proxy.host.dispname;
1627 peer->port = cf->conn->http_proxy.port;
1628 }
1629 else
1630 #endif
1631 {
1632 ehostname = cf->conn->host.name;
1633 edispname = cf->conn->host.dispname;
1634 peer->port = cf->conn->remote_port;
1635 }
1636
1637 /* hostname MUST exist and not be empty */
1638 if(!ehostname || !ehostname[0]) {
1639 result = CURLE_FAILED_INIT;
1640 goto out;
1641 }
1642
1643 peer->hostname = strdup(ehostname);
1644 if(!peer->hostname)
1645 goto out;
1646 if(!edispname || !strcmp(ehostname, edispname))
1647 peer->dispname = peer->hostname;
1648 else {
1649 peer->dispname = strdup(edispname);
1650 if(!peer->dispname)
1651 goto out;
1652 }
1653 peer->type = get_peer_type(peer->hostname);
1654 if(peer->type == CURL_SSL_PEER_DNS) {
1655 /* not an IP address, normalize according to RCC 6066 ch. 3,
1656 * max len of SNI is 2^16-1, no trailing dot */
1657 size_t len = strlen(peer->hostname);
1658 if(len && (peer->hostname[len-1] == '.'))
1659 len--;
1660 if(len < USHRT_MAX) {
1661 peer->sni = calloc(1, len + 1);
1662 if(!peer->sni)
1663 goto out;
1664 Curl_strntolower(peer->sni, peer->hostname, len);
1665 peer->sni[len] = 0;
1666 }
1667 }
1668 result = CURLE_OK;
1669
1670 out:
1671 if(result)
1672 Curl_ssl_peer_cleanup(peer);
1673 return result;
1674 }
1675
ssl_cf_destroy(struct Curl_cfilter * cf,struct Curl_easy * data)1676 static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
1677 {
1678 struct cf_call_data save;
1679
1680 CF_DATA_SAVE(save, cf, data);
1681 cf_close(cf, data);
1682 CF_DATA_RESTORE(cf, save);
1683 cf_ctx_free(cf->ctx);
1684 cf->ctx = NULL;
1685 }
1686
ssl_cf_close(struct Curl_cfilter * cf,struct Curl_easy * data)1687 static void ssl_cf_close(struct Curl_cfilter *cf,
1688 struct Curl_easy *data)
1689 {
1690 struct cf_call_data save;
1691
1692 CF_DATA_SAVE(save, cf, data);
1693 cf_close(cf, data);
1694 if(cf->next)
1695 cf->next->cft->do_close(cf->next, data);
1696 CF_DATA_RESTORE(cf, save);
1697 }
1698
ssl_cf_connect(struct Curl_cfilter * cf,struct Curl_easy * data,bool blocking,bool * done)1699 static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
1700 struct Curl_easy *data,
1701 bool blocking, bool *done)
1702 {
1703 struct ssl_connect_data *connssl = cf->ctx;
1704 struct cf_call_data save;
1705 CURLcode result;
1706
1707 if(cf->connected) {
1708 *done = TRUE;
1709 return CURLE_OK;
1710 }
1711
1712 if(!cf->next) {
1713 *done = FALSE;
1714 return CURLE_FAILED_INIT;
1715 }
1716
1717 if(!cf->next->connected) {
1718 result = cf->next->cft->do_connect(cf->next, data, blocking, done);
1719 if(result || !*done)
1720 return result;
1721 }
1722
1723 CF_DATA_SAVE(save, cf, data);
1724 CURL_TRC_CF(data, cf, "cf_connect()");
1725 DEBUGASSERT(data->conn);
1726 DEBUGASSERT(data->conn == cf->conn);
1727 DEBUGASSERT(connssl);
1728
1729 *done = FALSE;
1730 if(!connssl->peer.hostname) {
1731 result = Curl_ssl_peer_init(&connssl->peer, cf, TRNSPRT_TCP);
1732 if(result)
1733 goto out;
1734 }
1735
1736 if(blocking) {
1737 result = ssl_connect(cf, data);
1738 *done = (result == CURLE_OK);
1739 }
1740 else {
1741 result = ssl_connect_nonblocking(cf, data, done);
1742 }
1743
1744 if(!result && *done) {
1745 cf->connected = TRUE;
1746 connssl->handshake_done = Curl_now();
1747 /* Connection can be deferred when sending early data */
1748 DEBUGASSERT(connssl->state == ssl_connection_complete ||
1749 connssl->state == ssl_connection_deferred);
1750 }
1751 out:
1752 CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
1753 CF_DATA_RESTORE(cf, save);
1754 return result;
1755 }
1756
ssl_cf_data_pending(struct Curl_cfilter * cf,const struct Curl_easy * data)1757 static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
1758 const struct Curl_easy *data)
1759 {
1760 struct cf_call_data save;
1761 bool result;
1762
1763 CF_DATA_SAVE(save, cf, data);
1764 if(Curl_ssl->data_pending(cf, data))
1765 result = TRUE;
1766 else
1767 result = cf->next->cft->has_data_pending(cf->next, data);
1768 CF_DATA_RESTORE(cf, save);
1769 return result;
1770 }
1771
ssl_cf_send(struct Curl_cfilter * cf,struct Curl_easy * data,const void * buf,size_t len,bool eos,CURLcode * err)1772 static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
1773 struct Curl_easy *data, const void *buf, size_t len,
1774 bool eos, CURLcode *err)
1775 {
1776 struct cf_call_data save;
1777 ssize_t nwritten = 0;
1778
1779 (void)eos;
1780 /* OpenSSL and maybe other TLS libs do not like 0-length writes. Skip. */
1781 *err = CURLE_OK;
1782 if(len > 0) {
1783 CF_DATA_SAVE(save, cf, data);
1784 nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
1785 CF_DATA_RESTORE(cf, save);
1786 }
1787 return nwritten;
1788 }
1789
ssl_cf_recv(struct Curl_cfilter * cf,struct Curl_easy * data,char * buf,size_t len,CURLcode * err)1790 static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
1791 struct Curl_easy *data, char *buf, size_t len,
1792 CURLcode *err)
1793 {
1794 struct cf_call_data save;
1795 ssize_t nread;
1796
1797 CF_DATA_SAVE(save, cf, data);
1798 *err = CURLE_OK;
1799 nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
1800 if(nread > 0) {
1801 DEBUGASSERT((size_t)nread <= len);
1802 }
1803 else if(nread == 0) {
1804 /* eof */
1805 *err = CURLE_OK;
1806 }
1807 CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
1808 nread, *err);
1809 CF_DATA_RESTORE(cf, save);
1810 return nread;
1811 }
1812
ssl_cf_shutdown(struct Curl_cfilter * cf,struct Curl_easy * data,bool * done)1813 static CURLcode ssl_cf_shutdown(struct Curl_cfilter *cf,
1814 struct Curl_easy *data,
1815 bool *done)
1816 {
1817 CURLcode result = CURLE_OK;
1818
1819 *done = TRUE;
1820 if(!cf->shutdown) {
1821 struct cf_call_data save;
1822
1823 CF_DATA_SAVE(save, cf, data);
1824 result = Curl_ssl->shut_down(cf, data, TRUE, done);
1825 CURL_TRC_CF(data, cf, "cf_shutdown -> %d, done=%d", result, *done);
1826 CF_DATA_RESTORE(cf, save);
1827 cf->shutdown = (result || *done);
1828 }
1829 return result;
1830 }
1831
ssl_cf_adjust_pollset(struct Curl_cfilter * cf,struct Curl_easy * data,struct easy_pollset * ps)1832 static void ssl_cf_adjust_pollset(struct Curl_cfilter *cf,
1833 struct Curl_easy *data,
1834 struct easy_pollset *ps)
1835 {
1836 struct cf_call_data save;
1837
1838 CF_DATA_SAVE(save, cf, data);
1839 Curl_ssl->adjust_pollset(cf, data, ps);
1840 CF_DATA_RESTORE(cf, save);
1841 }
1842
ssl_cf_cntrl(struct Curl_cfilter * cf,struct Curl_easy * data,int event,int arg1,void * arg2)1843 static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
1844 struct Curl_easy *data,
1845 int event, int arg1, void *arg2)
1846 {
1847 struct cf_call_data save;
1848
1849 (void)arg1;
1850 (void)arg2;
1851 switch(event) {
1852 case CF_CTRL_DATA_ATTACH:
1853 if(Curl_ssl->attach_data) {
1854 CF_DATA_SAVE(save, cf, data);
1855 Curl_ssl->attach_data(cf, data);
1856 CF_DATA_RESTORE(cf, save);
1857 }
1858 break;
1859 case CF_CTRL_DATA_DETACH:
1860 if(Curl_ssl->detach_data) {
1861 CF_DATA_SAVE(save, cf, data);
1862 Curl_ssl->detach_data(cf, data);
1863 CF_DATA_RESTORE(cf, save);
1864 }
1865 break;
1866 default:
1867 break;
1868 }
1869 return CURLE_OK;
1870 }
1871
ssl_cf_query(struct Curl_cfilter * cf,struct Curl_easy * data,int query,int * pres1,void * pres2)1872 static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
1873 struct Curl_easy *data,
1874 int query, int *pres1, void *pres2)
1875 {
1876 struct ssl_connect_data *connssl = cf->ctx;
1877
1878 switch(query) {
1879 case CF_QUERY_TIMER_APPCONNECT: {
1880 struct curltime *when = pres2;
1881 if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
1882 *when = connssl->handshake_done;
1883 return CURLE_OK;
1884 }
1885 default:
1886 break;
1887 }
1888 return cf->next ?
1889 cf->next->cft->query(cf->next, data, query, pres1, pres2) :
1890 CURLE_UNKNOWN_OPTION;
1891 }
1892
cf_ssl_is_alive(struct Curl_cfilter * cf,struct Curl_easy * data,bool * input_pending)1893 static bool cf_ssl_is_alive(struct Curl_cfilter *cf, struct Curl_easy *data,
1894 bool *input_pending)
1895 {
1896 struct cf_call_data save;
1897 int result;
1898 /*
1899 * This function tries to determine connection status.
1900 *
1901 * Return codes:
1902 * 1 means the connection is still in place
1903 * 0 means the connection has been closed
1904 * -1 means the connection status is unknown
1905 */
1906 CF_DATA_SAVE(save, cf, data);
1907 result = Curl_ssl->check_cxn(cf, data);
1908 CF_DATA_RESTORE(cf, save);
1909 if(result > 0) {
1910 *input_pending = TRUE;
1911 return TRUE;
1912 }
1913 if(result == 0) {
1914 *input_pending = FALSE;
1915 return FALSE;
1916 }
1917 /* ssl backend does not know */
1918 return cf->next ?
1919 cf->next->cft->is_alive(cf->next, data, input_pending) :
1920 FALSE; /* pessimistic in absence of data */
1921 }
1922
1923 struct Curl_cftype Curl_cft_ssl = {
1924 "SSL",
1925 CF_TYPE_SSL,
1926 CURL_LOG_LVL_NONE,
1927 ssl_cf_destroy,
1928 ssl_cf_connect,
1929 ssl_cf_close,
1930 ssl_cf_shutdown,
1931 Curl_cf_def_get_host,
1932 ssl_cf_adjust_pollset,
1933 ssl_cf_data_pending,
1934 ssl_cf_send,
1935 ssl_cf_recv,
1936 ssl_cf_cntrl,
1937 cf_ssl_is_alive,
1938 Curl_cf_def_conn_keep_alive,
1939 ssl_cf_query,
1940 };
1941
1942 #ifndef CURL_DISABLE_PROXY
1943
1944 struct Curl_cftype Curl_cft_ssl_proxy = {
1945 "SSL-PROXY",
1946 CF_TYPE_SSL|CF_TYPE_PROXY,
1947 CURL_LOG_LVL_NONE,
1948 ssl_cf_destroy,
1949 ssl_cf_connect,
1950 ssl_cf_close,
1951 ssl_cf_shutdown,
1952 Curl_cf_def_get_host,
1953 ssl_cf_adjust_pollset,
1954 ssl_cf_data_pending,
1955 ssl_cf_send,
1956 ssl_cf_recv,
1957 ssl_cf_cntrl,
1958 cf_ssl_is_alive,
1959 Curl_cf_def_conn_keep_alive,
1960 Curl_cf_def_query,
1961 };
1962
1963 #endif /* !CURL_DISABLE_PROXY */
1964
cf_ssl_create(struct Curl_cfilter ** pcf,struct Curl_easy * data,struct connectdata * conn)1965 static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
1966 struct Curl_easy *data,
1967 struct connectdata *conn)
1968 {
1969 struct Curl_cfilter *cf = NULL;
1970 struct ssl_connect_data *ctx;
1971 CURLcode result;
1972
1973 DEBUGASSERT(data->conn);
1974
1975 ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
1976 conn->bits.tls_enable_alpn));
1977 if(!ctx) {
1978 result = CURLE_OUT_OF_MEMORY;
1979 goto out;
1980 }
1981
1982 result = Curl_cf_create(&cf, &Curl_cft_ssl, ctx);
1983
1984 out:
1985 if(result)
1986 cf_ctx_free(ctx);
1987 *pcf = result ? NULL : cf;
1988 return result;
1989 }
1990
Curl_ssl_cfilter_add(struct Curl_easy * data,struct connectdata * conn,int sockindex)1991 CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
1992 struct connectdata *conn,
1993 int sockindex)
1994 {
1995 struct Curl_cfilter *cf;
1996 CURLcode result;
1997
1998 result = cf_ssl_create(&cf, data, conn);
1999 if(!result)
2000 Curl_conn_cf_add(data, conn, sockindex, cf);
2001 return result;
2002 }
2003
Curl_cf_ssl_insert_after(struct Curl_cfilter * cf_at,struct Curl_easy * data)2004 CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
2005 struct Curl_easy *data)
2006 {
2007 struct Curl_cfilter *cf;
2008 CURLcode result;
2009
2010 result = cf_ssl_create(&cf, data, cf_at->conn);
2011 if(!result)
2012 Curl_conn_cf_insert_after(cf_at, cf);
2013 return result;
2014 }
2015
2016 #ifndef CURL_DISABLE_PROXY
2017
cf_ssl_proxy_create(struct Curl_cfilter ** pcf,struct Curl_easy * data,struct connectdata * conn)2018 static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
2019 struct Curl_easy *data,
2020 struct connectdata *conn)
2021 {
2022 struct Curl_cfilter *cf = NULL;
2023 struct ssl_connect_data *ctx;
2024 CURLcode result;
2025 bool use_alpn = conn->bits.tls_enable_alpn;
2026 int httpwant = CURL_HTTP_VERSION_1_1;
2027
2028 #ifdef USE_HTTP2
2029 if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
2030 use_alpn = TRUE;
2031 httpwant = CURL_HTTP_VERSION_2;
2032 }
2033 #endif
2034
2035 ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
2036 if(!ctx) {
2037 result = CURLE_OUT_OF_MEMORY;
2038 goto out;
2039 }
2040 result = Curl_cf_create(&cf, &Curl_cft_ssl_proxy, ctx);
2041
2042 out:
2043 if(result)
2044 cf_ctx_free(ctx);
2045 *pcf = result ? NULL : cf;
2046 return result;
2047 }
2048
Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter * cf_at,struct Curl_easy * data)2049 CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
2050 struct Curl_easy *data)
2051 {
2052 struct Curl_cfilter *cf;
2053 CURLcode result;
2054
2055 result = cf_ssl_proxy_create(&cf, data, cf_at->conn);
2056 if(!result)
2057 Curl_conn_cf_insert_after(cf_at, cf);
2058 return result;
2059 }
2060
2061 #endif /* !CURL_DISABLE_PROXY */
2062
Curl_ssl_supports(struct Curl_easy * data,unsigned int ssl_option)2063 bool Curl_ssl_supports(struct Curl_easy *data, unsigned int ssl_option)
2064 {
2065 (void)data;
2066 return (Curl_ssl->supports & ssl_option);
2067 }
2068
get_ssl_filter(struct Curl_cfilter * cf)2069 static struct Curl_cfilter *get_ssl_filter(struct Curl_cfilter *cf)
2070 {
2071 for(; cf; cf = cf->next) {
2072 if(cf->cft == &Curl_cft_ssl)
2073 return cf;
2074 #ifndef CURL_DISABLE_PROXY
2075 if(cf->cft == &Curl_cft_ssl_proxy)
2076 return cf;
2077 #endif
2078 }
2079 return NULL;
2080 }
2081
2082
Curl_ssl_get_internals(struct Curl_easy * data,int sockindex,CURLINFO info,int n)2083 void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
2084 CURLINFO info, int n)
2085 {
2086 void *result = NULL;
2087 (void)n;
2088 if(data->conn) {
2089 struct Curl_cfilter *cf;
2090 /* get first SSL filter in chain, if any is present */
2091 cf = get_ssl_filter(data->conn->cfilter[sockindex]);
2092 if(cf) {
2093 struct cf_call_data save;
2094 CF_DATA_SAVE(save, cf, data);
2095 result = Curl_ssl->get_internals(cf->ctx, info);
2096 CF_DATA_RESTORE(cf, save);
2097 }
2098 }
2099 return result;
2100 }
2101
vtls_shutdown_blocking(struct Curl_cfilter * cf,struct Curl_easy * data,bool send_shutdown,bool * done)2102 static CURLcode vtls_shutdown_blocking(struct Curl_cfilter *cf,
2103 struct Curl_easy *data,
2104 bool send_shutdown, bool *done)
2105 {
2106 struct ssl_connect_data *connssl = cf->ctx;
2107 struct cf_call_data save;
2108 CURLcode result = CURLE_OK;
2109 timediff_t timeout_ms;
2110 int what, loop = 10;
2111
2112 if(cf->shutdown) {
2113 *done = TRUE;
2114 return CURLE_OK;
2115 }
2116 CF_DATA_SAVE(save, cf, data);
2117
2118 *done = FALSE;
2119 while(!result && !*done && loop--) {
2120 timeout_ms = Curl_shutdown_timeleft(cf->conn, cf->sockindex, NULL);
2121
2122 if(timeout_ms < 0) {
2123 /* no need to continue if time is already up */
2124 failf(data, "SSL shutdown timeout");
2125 return CURLE_OPERATION_TIMEDOUT;
2126 }
2127
2128 result = Curl_ssl->shut_down(cf, data, send_shutdown, done);
2129 if(result ||*done)
2130 goto out;
2131
2132 if(connssl->io_need) {
2133 what = Curl_conn_cf_poll(cf, data, timeout_ms);
2134 if(what < 0) {
2135 /* fatal error */
2136 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
2137 result = CURLE_RECV_ERROR;
2138 goto out;
2139 }
2140 else if(0 == what) {
2141 /* timeout */
2142 failf(data, "SSL shutdown timeout");
2143 result = CURLE_OPERATION_TIMEDOUT;
2144 goto out;
2145 }
2146 /* socket is readable or writable */
2147 }
2148 }
2149 out:
2150 CF_DATA_RESTORE(cf, save);
2151 cf->shutdown = (result || *done);
2152 return result;
2153 }
2154
Curl_ssl_cfilter_remove(struct Curl_easy * data,int sockindex,bool send_shutdown)2155 CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
2156 int sockindex, bool send_shutdown)
2157 {
2158 struct Curl_cfilter *cf, *head;
2159 CURLcode result = CURLE_OK;
2160
2161 head = data->conn ? data->conn->cfilter[sockindex] : NULL;
2162 for(cf = head; cf; cf = cf->next) {
2163 if(cf->cft == &Curl_cft_ssl) {
2164 bool done;
2165 CURL_TRC_CF(data, cf, "shutdown and remove SSL, start");
2166 Curl_shutdown_start(data, sockindex, NULL);
2167 result = vtls_shutdown_blocking(cf, data, send_shutdown, &done);
2168 Curl_shutdown_clear(data, sockindex);
2169 if(!result && !done) /* blocking failed? */
2170 result = CURLE_SSL_SHUTDOWN_FAILED;
2171 Curl_conn_cf_discard_sub(head, cf, data, FALSE);
2172 CURL_TRC_CF(data, cf, "shutdown and remove SSL, done -> %d", result);
2173 break;
2174 }
2175 }
2176 return result;
2177 }
2178
Curl_ssl_cf_is_proxy(struct Curl_cfilter * cf)2179 bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
2180 {
2181 return (cf->cft->flags & CF_TYPE_SSL) && (cf->cft->flags & CF_TYPE_PROXY);
2182 }
2183
2184 struct ssl_config_data *
Curl_ssl_cf_get_config(struct Curl_cfilter * cf,struct Curl_easy * data)2185 Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data)
2186 {
2187 #ifdef CURL_DISABLE_PROXY
2188 (void)cf;
2189 return &data->set.ssl;
2190 #else
2191 return Curl_ssl_cf_is_proxy(cf) ? &data->set.proxy_ssl : &data->set.ssl;
2192 #endif
2193 }
2194
2195 struct ssl_primary_config *
Curl_ssl_cf_get_primary_config(struct Curl_cfilter * cf)2196 Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
2197 {
2198 #ifdef CURL_DISABLE_PROXY
2199 return &cf->conn->ssl_config;
2200 #else
2201 return Curl_ssl_cf_is_proxy(cf) ?
2202 &cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
2203 #endif
2204 }
2205
Curl_alpn_to_proto_buf(struct alpn_proto_buf * buf,const struct alpn_spec * spec)2206 CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
2207 const struct alpn_spec *spec)
2208 {
2209 size_t i, len;
2210 int off = 0;
2211 unsigned char blen;
2212
2213 memset(buf, 0, sizeof(*buf));
2214 for(i = 0; spec && i < spec->count; ++i) {
2215 len = strlen(spec->entries[i]);
2216 if(len >= ALPN_NAME_MAX)
2217 return CURLE_FAILED_INIT;
2218 blen = (unsigned char)len;
2219 if(off + blen + 1 >= (int)sizeof(buf->data))
2220 return CURLE_FAILED_INIT;
2221 buf->data[off++] = blen;
2222 memcpy(buf->data + off, spec->entries[i], blen);
2223 off += blen;
2224 }
2225 buf->len = off;
2226 return CURLE_OK;
2227 }
2228
Curl_alpn_to_proto_str(struct alpn_proto_buf * buf,const struct alpn_spec * spec)2229 CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
2230 const struct alpn_spec *spec)
2231 {
2232 size_t i, len;
2233 size_t off = 0;
2234
2235 memset(buf, 0, sizeof(*buf));
2236 for(i = 0; spec && i < spec->count; ++i) {
2237 len = strlen(spec->entries[i]);
2238 if(len >= ALPN_NAME_MAX)
2239 return CURLE_FAILED_INIT;
2240 if(off + len + 2 >= sizeof(buf->data))
2241 return CURLE_FAILED_INIT;
2242 if(off)
2243 buf->data[off++] = ',';
2244 memcpy(buf->data + off, spec->entries[i], len);
2245 off += len;
2246 }
2247 buf->data[off] = '\0';
2248 buf->len = (int)off;
2249 return CURLE_OK;
2250 }
2251
Curl_alpn_contains_proto(const struct alpn_spec * spec,const char * proto)2252 bool Curl_alpn_contains_proto(const struct alpn_spec *spec,
2253 const char *proto)
2254 {
2255 size_t i, plen = proto ? strlen(proto) : 0;
2256 for(i = 0; spec && plen && i < spec->count; ++i) {
2257 size_t slen = strlen(spec->entries[i]);
2258 if((slen == plen) && !memcmp(proto, spec->entries[i], plen))
2259 return TRUE;
2260 }
2261 return FALSE;
2262 }
2263
Curl_alpn_set_negotiated(struct Curl_cfilter * cf,struct Curl_easy * data,struct ssl_connect_data * connssl,const unsigned char * proto,size_t proto_len)2264 CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
2265 struct Curl_easy *data,
2266 struct ssl_connect_data *connssl,
2267 const unsigned char *proto,
2268 size_t proto_len)
2269 {
2270 CURLcode result = CURLE_OK;
2271 unsigned char *palpn =
2272 #ifndef CURL_DISABLE_PROXY
2273 (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf)) ?
2274 &cf->conn->proxy_alpn : &cf->conn->alpn
2275 #else
2276 &cf->conn->alpn
2277 #endif
2278 ;
2279
2280 if(connssl->alpn_negotiated) {
2281 /* When we ask for a specific ALPN protocol, we need the confirmation
2282 * of it by the server, as we have installed protocol handler and
2283 * connection filter chain for exactly this protocol. */
2284 if(!proto_len) {
2285 failf(data, "ALPN: asked for '%s' from previous session, "
2286 "but server did not confirm it. Refusing to continue.",
2287 connssl->alpn_negotiated);
2288 result = CURLE_SSL_CONNECT_ERROR;
2289 goto out;
2290 }
2291 else if((strlen(connssl->alpn_negotiated) != proto_len) ||
2292 memcmp(connssl->alpn_negotiated, proto, proto_len)) {
2293 failf(data, "ALPN: asked for '%s' from previous session, but server "
2294 "selected '%.*s'. Refusing to continue.",
2295 connssl->alpn_negotiated, (int)proto_len, proto);
2296 result = CURLE_SSL_CONNECT_ERROR;
2297 goto out;
2298 }
2299 /* ALPN is exactly what we asked for, done. */
2300 infof(data, "ALPN: server confirmed to use '%s'",
2301 connssl->alpn_negotiated);
2302 goto out;
2303 }
2304
2305 if(proto && proto_len) {
2306 if(memchr(proto, '\0', proto_len)) {
2307 failf(data, "ALPN: server selected protocol contains NUL. "
2308 "Refusing to continue.");
2309 result = CURLE_SSL_CONNECT_ERROR;
2310 goto out;
2311 }
2312 connssl->alpn_negotiated = malloc(proto_len + 1);
2313 if(!connssl->alpn_negotiated)
2314 return CURLE_OUT_OF_MEMORY;
2315 memcpy(connssl->alpn_negotiated, proto, proto_len);
2316 connssl->alpn_negotiated[proto_len] = 0;
2317 }
2318
2319 if(proto && proto_len) {
2320 if(proto_len == ALPN_HTTP_1_1_LENGTH &&
2321 !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
2322 *palpn = CURL_HTTP_VERSION_1_1;
2323 }
2324 #ifdef USE_HTTP2
2325 else if(proto_len == ALPN_H2_LENGTH &&
2326 !memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
2327 *palpn = CURL_HTTP_VERSION_2;
2328 }
2329 #endif
2330 #ifdef USE_HTTP3
2331 else if(proto_len == ALPN_H3_LENGTH &&
2332 !memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
2333 *palpn = CURL_HTTP_VERSION_3;
2334 }
2335 #endif
2336 else {
2337 *palpn = CURL_HTTP_VERSION_NONE;
2338 failf(data, "unsupported ALPN protocol: '%.*s'", (int)proto_len, proto);
2339 /* TODO: do we want to fail this? Previous code just ignored it and
2340 * some vtls backends even ignore the return code of this function. */
2341 /* return CURLE_NOT_BUILT_IN; */
2342 goto out;
2343 }
2344
2345 if(connssl->state == ssl_connection_deferred)
2346 infof(data, VTLS_INFOF_ALPN_DEFERRED, (int)proto_len, proto);
2347 else
2348 infof(data, VTLS_INFOF_ALPN_ACCEPTED, (int)proto_len, proto);
2349 }
2350 else {
2351 *palpn = CURL_HTTP_VERSION_NONE;
2352 if(connssl->state == ssl_connection_deferred)
2353 infof(data, VTLS_INFOF_NO_ALPN_DEFERRED);
2354 else
2355 infof(data, VTLS_INFOF_NO_ALPN);
2356 }
2357
2358 out:
2359 return result;
2360 }
2361
2362 #endif /* USE_SSL */
2363
