VirtualBox

source: vbox/trunk/src/libs/curl-8.4.0/lib/vtls/vtls.c@ 103140

Last change on this file since 103140 was 101409, checked in by vboxsync, 20 months ago

curl-8.4.0: Applied and adjusted our curl changes to 8.3.0. bugref:10533
  • Property svn:eol-style set to native
File size: 53.7 KB
Line 
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25/* This file is for implementing all "generic" SSL functions that all libcurl
26 internals should use. It is then responsible for calling the proper
27 "backend" function.
28
29 SSL-functions in libcurl should call functions in this source file, and not
30 to any specific SSL-layer.
31
32 Curl_ssl_ - prefix for generic ones
33
34 Note that this source code uses the functions of the configured SSL
35 backend via the global Curl_ssl instance.
36
37 "SSL/TLS Strong Encryption: An Introduction"
38 https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
39*/
40
41#include "curl_setup.h"
42
43#ifdef HAVE_SYS_TYPES_H
44#include <sys/types.h>
45#endif
46#ifdef HAVE_SYS_STAT_H
47#include <sys/stat.h>
48#endif
49#ifdef HAVE_FCNTL_H
50#include <fcntl.h>
51#endif
52
53#include "urldata.h"
54#include "cfilters.h"
55
56#include "vtls.h" /* generic SSL protos etc */
57#include "vtls_int.h"
58#include "slist.h"
59#include "sendf.h"
60#include "strcase.h"
61#include "url.h"
62#include "progress.h"
63#include "share.h"
64#include "multiif.h"
65#include "timeval.h"
66#include "curl_md5.h"
67#include "warnless.h"
68#include "curl_base64.h"
69#include "curl_printf.h"
70#include "strdup.h"
71
72/* The last #include files should be: */
73#include "curl_memory.h"
74#include "memdebug.h"
75
76
77/* convenience macro to check if this handle is using a shared SSL session */
78#define SSLSESSION_SHARED(data) (data->share && \
79 (data->share->specifier & \
80 (1<<CURL_LOCK_DATA_SSL_SESSION)))
81
82#define CLONE_STRING(var) \
83 do { \
84 if(source->var) { \
85 dest->var = strdup(source->var); \
86 if(!dest->var) \
87 return FALSE; \
88 } \
89 else \
90 dest->var = NULL; \
91 } while(0)
92
93#define CLONE_BLOB(var) \
94 do { \
95 if(blobdup(&dest->var, source->var)) \
96 return FALSE; \
97 } while(0)
98
99static CURLcode blobdup(struct curl_blob **dest,
100 struct curl_blob *src)
101{
102 DEBUGASSERT(dest);
103 DEBUGASSERT(!*dest);
104 if(src) {
105 /* only if there's data to dupe! */
106 struct curl_blob *d;
107 d = malloc(sizeof(struct curl_blob) + src->len);
108 if(!d)
109 return CURLE_OUT_OF_MEMORY;
110 d->len = src->len;
111 /* Always duplicate because the connection may survive longer than the
112 handle that passed in the blob. */
113 d->flags = CURL_BLOB_COPY;
114 d->data = (void *)((char *)d + sizeof(struct curl_blob));
115 memcpy(d->data, src->data, src->len);
116 *dest = d;
117 }
118 return CURLE_OK;
119}
120
121/* returns TRUE if the blobs are identical */
122static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
123{
124 if(!first && !second) /* both are NULL */
125 return TRUE;
126 if(!first || !second) /* one is NULL */
127 return FALSE;
128 if(first->len != second->len) /* different sizes */
129 return FALSE;
130 return !memcmp(first->data, second->data, first->len); /* same data */
131}
132
133#ifdef USE_SSL
134static const struct alpn_spec ALPN_SPEC_H10 = {
135 { ALPN_HTTP_1_0 }, 1
136};
137static const struct alpn_spec ALPN_SPEC_H11 = {
138 { ALPN_HTTP_1_1 }, 1
139};
140#ifdef USE_HTTP2
141static const struct alpn_spec ALPN_SPEC_H2_H11 = {
142 { ALPN_H2, ALPN_HTTP_1_1 }, 2
143};
144#endif
145
146static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
147{
148 if(!use_alpn)
149 return NULL;
150 if(httpwant == CURL_HTTP_VERSION_1_0)
151 return &ALPN_SPEC_H10;
152#ifdef USE_HTTP2
153 if(httpwant >= CURL_HTTP_VERSION_2)
154 return &ALPN_SPEC_H2_H11;
155#endif
156 return &ALPN_SPEC_H11;
157}
158#endif /* USE_SSL */
159
160
161bool
162Curl_ssl_config_matches(struct ssl_primary_config *data,
163 struct ssl_primary_config *needle)
164{
165 if((data->version == needle->version) &&
166 (data->version_max == needle->version_max) &&
167 (data->ssl_options == needle->ssl_options) &&
168 (data->verifypeer == needle->verifypeer) &&
169 (data->verifyhost == needle->verifyhost) &&
170 (data->verifystatus == needle->verifystatus) &&
171 blobcmp(data->cert_blob, needle->cert_blob) &&
172 blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
173 blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
174 Curl_safecmp(data->CApath, needle->CApath) &&
175 Curl_safecmp(data->CAfile, needle->CAfile) &&
176 Curl_safecmp(data->issuercert, needle->issuercert) &&
177 Curl_safecmp(data->clientcert, needle->clientcert) &&
178#ifdef USE_TLS_SRP
179 !Curl_timestrcmp(data->username, needle->username) &&
180 !Curl_timestrcmp(data->password, needle->password) &&
181#endif
182 strcasecompare(data->cipher_list, needle->cipher_list) &&
183 strcasecompare(data->cipher_list13, needle->cipher_list13) &&
184 strcasecompare(data->curves, needle->curves) &&
185 strcasecompare(data->CRLfile, needle->CRLfile) &&
186 strcasecompare(data->pinned_key, needle->pinned_key))
187 return TRUE;
188
189 return FALSE;
190}
191
192bool
193Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
194 struct ssl_primary_config *dest)
195{
196 dest->version = source->version;
197 dest->version_max = source->version_max;
198 dest->verifypeer = source->verifypeer;
199 dest->verifyhost = source->verifyhost;
200 dest->verifystatus = source->verifystatus;
201 dest->sessionid = source->sessionid;
202 dest->ssl_options = source->ssl_options;
203
204 CLONE_BLOB(cert_blob);
205 CLONE_BLOB(ca_info_blob);
206 CLONE_BLOB(issuercert_blob);
207 CLONE_STRING(CApath);
208 CLONE_STRING(CAfile);
209 CLONE_STRING(issuercert);
210 CLONE_STRING(clientcert);
211 CLONE_STRING(cipher_list);
212 CLONE_STRING(cipher_list13);
213 CLONE_STRING(pinned_key);
214 CLONE_STRING(curves);
215 CLONE_STRING(CRLfile);
216#ifdef USE_TLS_SRP
217 CLONE_STRING(username);
218 CLONE_STRING(password);
219#endif
220
221 return TRUE;
222}
223
224void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
225{
226 Curl_safefree(sslc->CApath);
227 Curl_safefree(sslc->CAfile);
228 Curl_safefree(sslc->issuercert);
229 Curl_safefree(sslc->clientcert);
230 Curl_safefree(sslc->cipher_list);
231 Curl_safefree(sslc->cipher_list13);
232 Curl_safefree(sslc->pinned_key);
233 Curl_safefree(sslc->cert_blob);
234 Curl_safefree(sslc->ca_info_blob);
235 Curl_safefree(sslc->issuercert_blob);
236 Curl_safefree(sslc->curves);
237 Curl_safefree(sslc->CRLfile);
238#ifdef USE_TLS_SRP
239 Curl_safefree(sslc->username);
240 Curl_safefree(sslc->password);
241#endif
242}
243
244#ifdef USE_SSL
245static int multissl_setup(const struct Curl_ssl *backend);
246#endif
247
248curl_sslbackend Curl_ssl_backend(void)
249{
250#ifdef USE_SSL
251 multissl_setup(NULL);
252 return Curl_ssl->info.id;
253#else
254 return CURLSSLBACKEND_NONE;
255#endif
256}
257
258#ifdef USE_SSL
259
260/* "global" init done? */
261static bool init_ssl = FALSE;
262
263/**
264 * Global SSL init
265 *
266 * @retval 0 error initializing SSL
267 * @retval 1 SSL initialized successfully
268 */
269int Curl_ssl_init(void)
270{
271 /* make sure this is only done once */
272 if(init_ssl)
273 return 1;
274 init_ssl = TRUE; /* never again */
275
276 return Curl_ssl->init();
277}
278
279#if defined(CURL_WITH_MULTI_SSL)
280static const struct Curl_ssl Curl_ssl_multi;
281#endif
282
283/* Global cleanup */
284void Curl_ssl_cleanup(void)
285{
286 if(init_ssl) {
287 /* only cleanup if we did a previous init */
288 Curl_ssl->cleanup();
289#if defined(CURL_WITH_MULTI_SSL)
290 Curl_ssl = &Curl_ssl_multi;
291#endif
292 init_ssl = FALSE;
293 }
294}
295
296static bool ssl_prefs_check(struct Curl_easy *data)
297{
298 /* check for CURLOPT_SSLVERSION invalid parameter value */
299 const unsigned char sslver = data->set.ssl.primary.version;
300 if(sslver >= CURL_SSLVERSION_LAST) {
301 failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
302 return FALSE;
303 }
304
305 switch(data->set.ssl.primary.version_max) {
306 case CURL_SSLVERSION_MAX_NONE:
307 case CURL_SSLVERSION_MAX_DEFAULT:
308 break;
309
310 default:
311 if((data->set.ssl.primary.version_max >> 16) < sslver) {
312 failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
313 return FALSE;
314 }
315 }
316
317 return TRUE;
318}
319
320static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
321 const struct alpn_spec *alpn)
322{
323 struct ssl_connect_data *ctx;
324
325 (void)data;
326 ctx = calloc(1, sizeof(*ctx));
327 if(!ctx)
328 return NULL;
329
330 ctx->alpn = alpn;
331 ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
332 if(!ctx->backend) {
333 free(ctx);
334 return NULL;
335 }
336 return ctx;
337}
338
339static void cf_ctx_free(struct ssl_connect_data *ctx)
340{
341 if(ctx) {
342 free(ctx->backend);
343 free(ctx);
344 }
345}
346
347static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data)
348{
349 struct ssl_connect_data *connssl = cf->ctx;
350 CURLcode result;
351
352 if(!ssl_prefs_check(data))
353 return CURLE_SSL_CONNECT_ERROR;
354
355 /* mark this is being ssl-enabled from here on. */
356 connssl->state = ssl_connection_negotiating;
357
358 result = Curl_ssl->connect_blocking(cf, data);
359
360 if(!result) {
361 DEBUGASSERT(connssl->state == ssl_connection_complete);
362 }
363
364 return result;
365}
366
367static CURLcode
368ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data,
369 bool *done)
370{
371 if(!ssl_prefs_check(data))
372 return CURLE_SSL_CONNECT_ERROR;
373
374 /* mark this is being ssl requested from here on. */
375 return Curl_ssl->connect_nonblocking(cf, data, done);
376}
377
378/*
379 * Lock shared SSL session data
380 */
381void Curl_ssl_sessionid_lock(struct Curl_easy *data)
382{
383 if(SSLSESSION_SHARED(data))
384 Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
385}
386
387/*
388 * Unlock shared SSL session data
389 */
390void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
391{
392 if(SSLSESSION_SHARED(data))
393 Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
394}
395
396/*
397 * Check if there's a session ID for the given connection in the cache, and if
398 * there's one suitable, it is provided. Returns TRUE when no entry matched.
399 */
400bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
401 struct Curl_easy *data,
402 void **ssl_sessionid,
403 size_t *idsize) /* set 0 if unknown */
404{
405 struct ssl_connect_data *connssl = cf->ctx;
406 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
407 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
408 struct Curl_ssl_session *check;
409 size_t i;
410 long *general_age;
411 bool no_match = TRUE;
412
413 *ssl_sessionid = NULL;
414 if(!ssl_config)
415 return TRUE;
416
417 DEBUGASSERT(ssl_config->primary.sessionid);
418
419 if(!ssl_config->primary.sessionid || !data->state.session)
420 /* session ID reuse is disabled or the session cache has not been
421 setup */
422 return TRUE;
423
424 /* Lock if shared */
425 if(SSLSESSION_SHARED(data))
426 general_age = &data->share->sessionage;
427 else
428 general_age = &data->state.sessionage;
429
430 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
431 check = &data->state.session[i];
432 if(!check->sessionid)
433 /* not session ID means blank entry */
434 continue;
435 if(strcasecompare(connssl->hostname, check->name) &&
436 ((!cf->conn->bits.conn_to_host && !check->conn_to_host) ||
437 (cf->conn->bits.conn_to_host && check->conn_to_host &&
438 strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
439 ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) ||
440 (cf->conn->bits.conn_to_port && check->conn_to_port != -1 &&
441 cf->conn->conn_to_port == check->conn_to_port)) &&
442 (connssl->port == check->remote_port) &&
443 strcasecompare(cf->conn->handler->scheme, check->scheme) &&
444 Curl_ssl_config_matches(conn_config, &check->ssl_config)) {
445 /* yes, we have a session ID! */
446 (*general_age)++; /* increase general age */
447 check->age = *general_age; /* set this as used in this age */
448 *ssl_sessionid = check->sessionid;
449 if(idsize)
450 *idsize = check->idsize;
451 no_match = FALSE;
452 break;
453 }
454 }
455
456 DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d",
457 no_match? "Didn't find": "Found",
458 Curl_ssl_cf_is_proxy(cf) ? "proxy" : "host",
459 cf->conn->handler->scheme, connssl->hostname, connssl->port));
460 return no_match;
461}
462
463/*
464 * Kill a single session ID entry in the cache.
465 */
466void Curl_ssl_kill_session(struct Curl_ssl_session *session)
467{
468 if(session->sessionid) {
469 /* defensive check */
470
471 /* free the ID the SSL-layer specific way */
472 Curl_ssl->session_free(session->sessionid);
473
474 session->sessionid = NULL;
475 session->age = 0; /* fresh */
476
477 Curl_free_primary_ssl_config(&session->ssl_config);
478
479 Curl_safefree(session->name);
480 Curl_safefree(session->conn_to_host);
481 }
482}
483
484/*
485 * Delete the given session ID from the cache.
486 */
487void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
488{
489 size_t i;
490
491 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
492 struct Curl_ssl_session *check = &data->state.session[i];
493
494 if(check->sessionid == ssl_sessionid) {
495 Curl_ssl_kill_session(check);
496 break;
497 }
498 }
499}
500
501/*
502 * Store session id in the session cache. The ID passed on to this function
503 * must already have been extracted and allocated the proper way for the SSL
504 * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
505 * later on.
506 */
507CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf,
508 struct Curl_easy *data,
509 void *ssl_sessionid,
510 size_t idsize,
511 bool *added)
512{
513 struct ssl_connect_data *connssl = cf->ctx;
514 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
515 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
516 size_t i;
517 struct Curl_ssl_session *store;
518 long oldest_age;
519 char *clone_host;
520 char *clone_conn_to_host;
521 int conn_to_port;
522 long *general_age;
523
524 if(added)
525 *added = FALSE;
526
527 if(!data->state.session)
528 return CURLE_OK;
529
530 store = &data->state.session[0];
531 oldest_age = data->state.session[0].age; /* zero if unused */
532 (void)ssl_config;
533 DEBUGASSERT(ssl_config->primary.sessionid);
534
535 clone_host = strdup(connssl->hostname);
536 if(!clone_host)
537 return CURLE_OUT_OF_MEMORY; /* bail out */
538
539 if(cf->conn->bits.conn_to_host) {
540 clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
541 if(!clone_conn_to_host) {
542 free(clone_host);
543 return CURLE_OUT_OF_MEMORY; /* bail out */
544 }
545 }
546 else
547 clone_conn_to_host = NULL;
548
549 if(cf->conn->bits.conn_to_port)
550 conn_to_port = cf->conn->conn_to_port;
551 else
552 conn_to_port = -1;
553
554 /* Now we should add the session ID and the host name to the cache, (remove
555 the oldest if necessary) */
556
557 /* If using shared SSL session, lock! */
558 if(SSLSESSION_SHARED(data)) {
559 general_age = &data->share->sessionage;
560 }
561 else {
562 general_age = &data->state.sessionage;
563 }
564
565 /* find an empty slot for us, or find the oldest */
566 for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
567 data->state.session[i].sessionid; i++) {
568 if(data->state.session[i].age < oldest_age) {
569 oldest_age = data->state.session[i].age;
570 store = &data->state.session[i];
571 }
572 }
573 if(i == data->set.general_ssl.max_ssl_sessions)
574 /* cache is full, we must "kill" the oldest entry! */
575 Curl_ssl_kill_session(store);
576 else
577 store = &data->state.session[i]; /* use this slot */
578
579 /* now init the session struct wisely */
580 store->sessionid = ssl_sessionid;
581 store->idsize = idsize;
582 store->age = *general_age; /* set current age */
583 /* free it if there's one already present */
584 free(store->name);
585 free(store->conn_to_host);
586 store->name = clone_host; /* clone host name */
587 store->conn_to_host = clone_conn_to_host; /* clone connect to host name */
588 store->conn_to_port = conn_to_port; /* connect to port number */
589 /* port number */
590 store->remote_port = connssl->port;
591 store->scheme = cf->conn->handler->scheme;
592
593 if(!Curl_clone_primary_ssl_config(conn_config, &store->ssl_config)) {
594 Curl_free_primary_ssl_config(&store->ssl_config);
595 store->sessionid = NULL; /* let caller free sessionid */
596 free(clone_host);
597 free(clone_conn_to_host);
598 return CURLE_OUT_OF_MEMORY;
599 }
600
601 if(added)
602 *added = TRUE;
603
604 DEBUGF(infof(data, "Added Session ID to cache for %s://%s:%d [%s]",
605 store->scheme, store->name, store->remote_port,
606 Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server"));
607 return CURLE_OK;
608}
609
610void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend)
611{
612 if(Curl_ssl->free_multi_ssl_backend_data && mbackend)
613 Curl_ssl->free_multi_ssl_backend_data(mbackend);
614}
615
616void Curl_ssl_close_all(struct Curl_easy *data)
617{
618 /* kill the session ID cache if not shared */
619 if(data->state.session && !SSLSESSION_SHARED(data)) {
620 size_t i;
621 for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
622 /* the single-killer function handles empty table slots */
623 Curl_ssl_kill_session(&data->state.session[i]);
624
625 /* free the cache data */
626 Curl_safefree(data->state.session);
627 }
628
629 Curl_ssl->close_all(data);
630}
631
632int Curl_ssl_get_select_socks(struct Curl_cfilter *cf, struct Curl_easy *data,
633 curl_socket_t *socks)
634{
635 struct ssl_connect_data *connssl = cf->ctx;
636 curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
637
638 if(sock == CURL_SOCKET_BAD)
639 return GETSOCK_BLANK;
640
641 if(connssl->connecting_state == ssl_connect_2_writing) {
642 /* we are only interested in writing */
643 socks[0] = sock;
644 return GETSOCK_WRITESOCK(0);
645 }
646 socks[0] = sock;
647 return GETSOCK_READSOCK(0);
648}
649
650/* Selects an SSL crypto engine
651 */
652CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
653{
654 return Curl_ssl->set_engine(data, engine);
655}
656
657/* Selects the default SSL crypto engine
658 */
659CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
660{
661 return Curl_ssl->set_engine_default(data);
662}
663
664/* Return list of OpenSSL crypto engine names. */
665struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
666{
667 return Curl_ssl->engines_list(data);
668}
669
670/*
671 * This sets up a session ID cache to the specified size. Make sure this code
672 * is agnostic to what underlying SSL technology we use.
673 */
674CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
675{
676 struct Curl_ssl_session *session;
677
678 if(data->state.session)
679 /* this is just a precaution to prevent multiple inits */
680 return CURLE_OK;
681
682 session = calloc(amount, sizeof(struct Curl_ssl_session));
683 if(!session)
684 return CURLE_OUT_OF_MEMORY;
685
686 /* store the info in the SSL section */
687 data->set.general_ssl.max_ssl_sessions = amount;
688 data->state.session = session;
689 data->state.sessionage = 1; /* this is brand new */
690 return CURLE_OK;
691}
692
693static size_t multissl_version(char *buffer, size_t size);
694
695void Curl_ssl_version(char *buffer, size_t size)
696{
697#ifdef CURL_WITH_MULTI_SSL
698 (void)multissl_version(buffer, size);
699#else
700 (void)Curl_ssl->version(buffer, size);
701#endif
702}
703
704void Curl_ssl_free_certinfo(struct Curl_easy *data)
705{
706 struct curl_certinfo *ci = &data->info.certs;
707
708 if(ci->num_of_certs) {
709 /* free all individual lists used */
710 int i;
711 for(i = 0; i<ci->num_of_certs; i++) {
712 curl_slist_free_all(ci->certinfo[i]);
713 ci->certinfo[i] = NULL;
714 }
715
716 free(ci->certinfo); /* free the actual array too */
717 ci->certinfo = NULL;
718 ci->num_of_certs = 0;
719 }
720}
721
722CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
723{
724 struct curl_certinfo *ci = &data->info.certs;
725 struct curl_slist **table;
726
727 /* Free any previous certificate information structures */
728 Curl_ssl_free_certinfo(data);
729
730 /* Allocate the required certificate information structures */
731 table = calloc((size_t) num, sizeof(struct curl_slist *));
732 if(!table)
733 return CURLE_OUT_OF_MEMORY;
734
735 ci->num_of_certs = num;
736 ci->certinfo = table;
737
738 return CURLE_OK;
739}
740
741/*
742 * 'value' is NOT a null-terminated string
743 */
744CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
745 int certnum,
746 const char *label,
747 const char *value,
748 size_t valuelen)
749{
750 struct curl_certinfo *ci = &data->info.certs;
751 char *output;
752 struct curl_slist *nl;
753 CURLcode result = CURLE_OK;
754 size_t labellen = strlen(label);
755 size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */
756
757 output = malloc(outlen);
758 if(!output)
759 return CURLE_OUT_OF_MEMORY;
760
761 /* sprintf the label and colon */
762 msnprintf(output, outlen, "%s:", label);
763
764 /* memcpy the value (it might not be null-terminated) */
765 memcpy(&output[labellen + 1], value, valuelen);
766
767 /* null-terminate the output */
768 output[labellen + 1 + valuelen] = 0;
769
770 nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
771 if(!nl) {
772 free(output);
773 curl_slist_free_all(ci->certinfo[certnum]);
774 result = CURLE_OUT_OF_MEMORY;
775 }
776
777 ci->certinfo[certnum] = nl;
778 return result;
779}
780
781CURLcode Curl_ssl_random(struct Curl_easy *data,
782 unsigned char *entropy,
783 size_t length)
784{
785 return Curl_ssl->random(data, entropy, length);
786}
787
788/*
789 * Curl_ssl_snihost() converts the input host name to a suitable SNI name put
790 * in data->state.buffer. Returns a pointer to the name (or NULL if a problem)
791 * and stores the new length in 'olen'.
792 *
793 * SNI fields must not have any trailing dot and while RFC 6066 section 3 says
794 * the SNI field is case insensitive, browsers always send the data lowercase
795 * and subsequently there are numerous servers out there that don't work
796 * unless the name is lowercased.
797 */
798
799char *Curl_ssl_snihost(struct Curl_easy *data, const char *host, size_t *olen)
800{
801 size_t len = strlen(host);
802 if(len && (host[len-1] == '.'))
803 len--;
804 if(len >= data->set.buffer_size)
805 return NULL;
806
807 Curl_strntolower(data->state.buffer, host, len);
808 data->state.buffer[len] = 0;
809 if(olen)
810 *olen = len;
811 return data->state.buffer;
812}
813
814/*
815 * Public key pem to der conversion
816 */
817
818static CURLcode pubkey_pem_to_der(const char *pem,
819 unsigned char **der, size_t *der_len)
820{
821 char *stripped_pem, *begin_pos, *end_pos;
822 size_t pem_count, stripped_pem_count = 0, pem_len;
823 CURLcode result;
824
825 /* if no pem, exit. */
826 if(!pem)
827 return CURLE_BAD_CONTENT_ENCODING;
828
829 begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
830 if(!begin_pos)
831 return CURLE_BAD_CONTENT_ENCODING;
832
833 pem_count = begin_pos - pem;
834 /* Invalid if not at beginning AND not directly following \n */
835 if(0 != pem_count && '\n' != pem[pem_count - 1])
836 return CURLE_BAD_CONTENT_ENCODING;
837
838 /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
839 pem_count += 26;
840
841 /* Invalid if not directly following \n */
842 end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
843 if(!end_pos)
844 return CURLE_BAD_CONTENT_ENCODING;
845
846 pem_len = end_pos - pem;
847
848 stripped_pem = malloc(pem_len - pem_count + 1);
849 if(!stripped_pem)
850 return CURLE_OUT_OF_MEMORY;
851
852 /*
853 * Here we loop through the pem array one character at a time between the
854 * correct indices, and place each character that is not '\n' or '\r'
855 * into the stripped_pem array, which should represent the raw base64 string
856 */
857 while(pem_count < pem_len) {
858 if('\n' != pem[pem_count] && '\r' != pem[pem_count])
859 stripped_pem[stripped_pem_count++] = pem[pem_count];
860 ++pem_count;
861 }
862 /* Place the null terminator in the correct place */
863 stripped_pem[stripped_pem_count] = '\0';
864
865 result = Curl_base64_decode(stripped_pem, der, der_len);
866
867 Curl_safefree(stripped_pem);
868
869 return result;
870}
871
872/*
873 * Generic pinned public key check.
874 */
875
876CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
877 const char *pinnedpubkey,
878 const unsigned char *pubkey, size_t pubkeylen)
879{
880 FILE *fp;
881 unsigned char *buf = NULL, *pem_ptr = NULL;
882 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
883#ifdef CURL_DISABLE_VERBOSE_STRINGS
884 (void)data;
885#endif
886
887 /* if a path wasn't specified, don't pin */
888 if(!pinnedpubkey)
889 return CURLE_OK;
890 if(!pubkey || !pubkeylen)
891 return result;
892
893 /* only do this if pinnedpubkey starts with "sha256//", length 8 */
894 if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
895 CURLcode encode;
896 size_t encodedlen = 0, pinkeylen;
897 char *encoded = NULL, *pinkeycopy, *begin_pos, *end_pos;
898 unsigned char *sha256sumdigest;
899
900 if(!Curl_ssl->sha256sum) {
901 /* without sha256 support, this cannot match */
902 return result;
903 }
904
905 /* compute sha256sum of public key */
906 sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
907 if(!sha256sumdigest)
908 return CURLE_OUT_OF_MEMORY;
909 encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
910 sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
911
912 if(!encode)
913 encode = Curl_base64_encode((char *)sha256sumdigest,
914 CURL_SHA256_DIGEST_LENGTH, &encoded,
915 &encodedlen);
916 Curl_safefree(sha256sumdigest);
917
918 if(encode)
919 return encode;
920
921 infof(data, " public key hash: sha256//%s", encoded);
922
923 /* it starts with sha256//, copy so we can modify it */
924 pinkeylen = strlen(pinnedpubkey) + 1;
925 pinkeycopy = malloc(pinkeylen);
926 if(!pinkeycopy) {
927 Curl_safefree(encoded);
928 return CURLE_OUT_OF_MEMORY;
929 }
930 memcpy(pinkeycopy, pinnedpubkey, pinkeylen);
931 /* point begin_pos to the copy, and start extracting keys */
932 begin_pos = pinkeycopy;
933 do {
934 end_pos = strstr(begin_pos, ";sha256//");
935 /*
936 * if there is an end_pos, null terminate,
937 * otherwise it'll go to the end of the original string
938 */
939 if(end_pos)
940 end_pos[0] = '\0';
941
942 /* compare base64 sha256 digests, 8 is the length of "sha256//" */
943 if(encodedlen == strlen(begin_pos + 8) &&
944 !memcmp(encoded, begin_pos + 8, encodedlen)) {
945 result = CURLE_OK;
946 break;
947 }
948
949 /*
950 * change back the null-terminator we changed earlier,
951 * and look for next begin
952 */
953 if(end_pos) {
954 end_pos[0] = ';';
955 begin_pos = strstr(end_pos, "sha256//");
956 }
957 } while(end_pos && begin_pos);
958 Curl_safefree(encoded);
959 Curl_safefree(pinkeycopy);
960 return result;
961 }
962
963 fp = fopen(pinnedpubkey, "rb");
964 if(!fp)
965 return result;
966
967 do {
968 long filesize;
969 size_t size, pem_len;
970 CURLcode pem_read;
971
972 /* Determine the file's size */
973 if(fseek(fp, 0, SEEK_END))
974 break;
975 filesize = ftell(fp);
976 if(fseek(fp, 0, SEEK_SET))
977 break;
978 if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
979 break;
980
981 /*
982 * if the size of our certificate is bigger than the file
983 * size then it can't match
984 */
985 size = curlx_sotouz((curl_off_t) filesize);
986 if(pubkeylen > size)
987 break;
988
989 /*
990 * Allocate buffer for the pinned key
991 * With 1 additional byte for null terminator in case of PEM key
992 */
993 buf = malloc(size + 1);
994 if(!buf)
995 break;
996
997 /* Returns number of elements read, which should be 1 */
998 if((int) fread(buf, size, 1, fp) != 1)
999 break;
1000
1001 /* If the sizes are the same, it can't be base64 encoded, must be der */
1002 if(pubkeylen == size) {
1003 if(!memcmp(pubkey, buf, pubkeylen))
1004 result = CURLE_OK;
1005 break;
1006 }
1007
1008 /*
1009 * Otherwise we will assume it's PEM and try to decode it
1010 * after placing null terminator
1011 */
1012 buf[size] = '\0';
1013 pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
1014 /* if it wasn't read successfully, exit */
1015 if(pem_read)
1016 break;
1017
1018 /*
1019 * if the size of our certificate doesn't match the size of
1020 * the decoded file, they can't be the same, otherwise compare
1021 */
1022 if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
1023 result = CURLE_OK;
1024 } while(0);
1025
1026 Curl_safefree(buf);
1027 Curl_safefree(pem_ptr);
1028 fclose(fp);
1029
1030 return result;
1031}
1032
1033/*
1034 * Check whether the SSL backend supports the status_request extension.
1035 */
1036bool Curl_ssl_cert_status_request(void)
1037{
1038 return Curl_ssl->cert_status_request();
1039}
1040
1041/*
1042 * Check whether the SSL backend supports false start.
1043 */
1044bool Curl_ssl_false_start(struct Curl_easy *data)
1045{
1046 (void)data;
1047 return Curl_ssl->false_start();
1048}
1049
1050/*
1051 * Default implementations for unsupported functions.
1052 */
1053
1054int Curl_none_init(void)
1055{
1056 return 1;
1057}
1058
1059void Curl_none_cleanup(void)
1060{ }
1061
1062int Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
1063 struct Curl_easy *data UNUSED_PARAM)
1064{
1065 (void)data;
1066 (void)cf;
1067 return 0;
1068}
1069
1070int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data)
1071{
1072 (void)cf;
1073 (void)data;
1074 return -1;
1075}
1076
1077CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
1078 unsigned char *entropy UNUSED_PARAM,
1079 size_t length UNUSED_PARAM)
1080{
1081 (void)data;
1082 (void)entropy;
1083 (void)length;
1084 return CURLE_NOT_BUILT_IN;
1085}
1086
1087void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
1088{
1089 (void)data;
1090}
1091
1092void Curl_none_session_free(void *ptr UNUSED_PARAM)
1093{
1094 (void)ptr;
1095}
1096
1097bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
1098 const struct Curl_easy *data UNUSED_PARAM)
1099{
1100 (void)cf;
1101 (void)data;
1102 return 0;
1103}
1104
1105bool Curl_none_cert_status_request(void)
1106{
1107 return FALSE;
1108}
1109
1110CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
1111 const char *engine UNUSED_PARAM)
1112{
1113 (void)data;
1114 (void)engine;
1115 return CURLE_NOT_BUILT_IN;
1116}
1117
1118CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
1119{
1120 (void)data;
1121 return CURLE_NOT_BUILT_IN;
1122}
1123
1124struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
1125{
1126 (void)data;
1127 return (struct curl_slist *)NULL;
1128}
1129
1130bool Curl_none_false_start(void)
1131{
1132 return FALSE;
1133}
1134
1135static int multissl_init(void)
1136{
1137 if(multissl_setup(NULL))
1138 return 1;
1139 return Curl_ssl->init();
1140}
1141
1142static CURLcode multissl_connect(struct Curl_cfilter *cf,
1143 struct Curl_easy *data)
1144{
1145 if(multissl_setup(NULL))
1146 return CURLE_FAILED_INIT;
1147 return Curl_ssl->connect_blocking(cf, data);
1148}
1149
1150static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
1151 struct Curl_easy *data,
1152 bool *done)
1153{
1154 if(multissl_setup(NULL))
1155 return CURLE_FAILED_INIT;
1156 return Curl_ssl->connect_nonblocking(cf, data, done);
1157}
1158
1159static int multissl_get_select_socks(struct Curl_cfilter *cf,
1160 struct Curl_easy *data,
1161 curl_socket_t *socks)
1162{
1163 if(multissl_setup(NULL))
1164 return 0;
1165 return Curl_ssl->get_select_socks(cf, data, socks);
1166}
1167
1168static void *multissl_get_internals(struct ssl_connect_data *connssl,
1169 CURLINFO info)
1170{
1171 if(multissl_setup(NULL))
1172 return NULL;
1173 return Curl_ssl->get_internals(connssl, info);
1174}
1175
1176static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1177{
1178 if(multissl_setup(NULL))
1179 return;
1180 Curl_ssl->close(cf, data);
1181}
1182
1183static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
1184 struct Curl_easy *data,
1185 char *buf, size_t len, CURLcode *code)
1186{
1187 if(multissl_setup(NULL))
1188 return CURLE_FAILED_INIT;
1189 return Curl_ssl->recv_plain(cf, data, buf, len, code);
1190}
1191
1192static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
1193 struct Curl_easy *data,
1194 const void *mem, size_t len,
1195 CURLcode *code)
1196{
1197 if(multissl_setup(NULL))
1198 return CURLE_FAILED_INIT;
1199 return Curl_ssl->send_plain(cf, data, mem, len, code);
1200}
1201
1202static const struct Curl_ssl Curl_ssl_multi = {
1203 { CURLSSLBACKEND_NONE, "multi" }, /* info */
1204 0, /* supports nothing */
1205 (size_t)-1, /* something insanely large to be on the safe side */
1206
1207 multissl_init, /* init */
1208 Curl_none_cleanup, /* cleanup */
1209 multissl_version, /* version */
1210 Curl_none_check_cxn, /* check_cxn */
1211 Curl_none_shutdown, /* shutdown */
1212 Curl_none_data_pending, /* data_pending */
1213 Curl_none_random, /* random */
1214 Curl_none_cert_status_request, /* cert_status_request */
1215 multissl_connect, /* connect */
1216 multissl_connect_nonblocking, /* connect_nonblocking */
1217 multissl_get_select_socks, /* getsock */
1218 multissl_get_internals, /* get_internals */
1219 multissl_close, /* close_one */
1220 Curl_none_close_all, /* close_all */
1221 Curl_none_session_free, /* session_free */
1222 Curl_none_set_engine, /* set_engine */
1223 Curl_none_set_engine_default, /* set_engine_default */
1224 Curl_none_engines_list, /* engines_list */
1225 Curl_none_false_start, /* false_start */
1226 NULL, /* sha256sum */
1227 NULL, /* associate_connection */
1228 NULL, /* disassociate_connection */
1229 NULL, /* free_multi_ssl_backend_data */
1230 multissl_recv_plain, /* recv decrypted data */
1231 multissl_send_plain, /* send data to encrypt */
1232};
1233
1234const struct Curl_ssl *Curl_ssl =
1235#if defined(CURL_WITH_MULTI_SSL)
1236 &Curl_ssl_multi;
1237#elif defined(USE_WOLFSSL)
1238 &Curl_ssl_wolfssl;
1239#elif defined(USE_SECTRANSP)
1240 &Curl_ssl_sectransp;
1241#elif defined(USE_GNUTLS)
1242 &Curl_ssl_gnutls;
1243#elif defined(USE_MBEDTLS)
1244 &Curl_ssl_mbedtls;
1245#elif defined(USE_RUSTLS)
1246 &Curl_ssl_rustls;
1247#elif defined(USE_OPENSSL)
1248 &Curl_ssl_openssl;
1249#elif defined(USE_SCHANNEL)
1250 &Curl_ssl_schannel;
1251#elif defined(USE_BEARSSL)
1252 &Curl_ssl_bearssl;
1253#else
1254#error "Missing struct Curl_ssl for selected SSL backend"
1255#endif
1256
1257static const struct Curl_ssl *available_backends[] = {
1258#if defined(USE_WOLFSSL)
1259 &Curl_ssl_wolfssl,
1260#endif
1261#if defined(USE_SECTRANSP)
1262 &Curl_ssl_sectransp,
1263#endif
1264#if defined(USE_GNUTLS)
1265 &Curl_ssl_gnutls,
1266#endif
1267#if defined(USE_MBEDTLS)
1268 &Curl_ssl_mbedtls,
1269#endif
1270#if defined(USE_OPENSSL)
1271 &Curl_ssl_openssl,
1272#endif
1273#if defined(USE_SCHANNEL)
1274 &Curl_ssl_schannel,
1275#endif
1276#if defined(USE_BEARSSL)
1277 &Curl_ssl_bearssl,
1278#endif
1279#if defined(USE_RUSTLS)
1280 &Curl_ssl_rustls,
1281#endif
1282 NULL
1283};
1284
1285static size_t multissl_version(char *buffer, size_t size)
1286{
1287 static const struct Curl_ssl *selected;
1288 static char backends[200];
1289 static size_t backends_len;
1290 const struct Curl_ssl *current;
1291
1292 current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
1293
1294 if(current != selected) {
1295 char *p = backends;
1296 char *end = backends + sizeof(backends);
1297 int i;
1298
1299 selected = current;
1300
1301 backends[0] = '\0';
1302
1303 for(i = 0; available_backends[i]; ++i) {
1304 char vb[200];
1305 bool paren = (selected != available_backends[i]);
1306
1307 if(available_backends[i]->version(vb, sizeof(vb))) {
1308 p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
1309 (paren ? "(" : ""), vb, (paren ? ")" : ""));
1310 }
1311 }
1312
1313 backends_len = p - backends;
1314 }
1315
1316 if(!size)
1317 return 0;
1318
1319 if(size <= backends_len) {
1320 strncpy(buffer, backends, size - 1);
1321 buffer[size - 1] = '\0';
1322 return size - 1;
1323 }
1324
1325 strcpy(buffer, backends);
1326 return backends_len;
1327}
1328
1329static int multissl_setup(const struct Curl_ssl *backend)
1330{
1331 const char *env;
1332 char *env_tmp;
1333
1334 if(Curl_ssl != &Curl_ssl_multi)
1335 return 1;
1336
1337 if(backend) {
1338 Curl_ssl = backend;
1339 return 0;
1340 }
1341
1342 if(!available_backends[0])
1343 return 1;
1344
1345 env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
1346#ifdef CURL_DEFAULT_SSL_BACKEND
1347 if(!env)
1348 env = CURL_DEFAULT_SSL_BACKEND;
1349#endif
1350 if(env) {
1351 int i;
1352 for(i = 0; available_backends[i]; i++) {
1353 if(strcasecompare(env, available_backends[i]->info.name)) {
1354 Curl_ssl = available_backends[i];
1355 free(env_tmp);
1356 return 0;
1357 }
1358 }
1359 }
1360
1361 /* Fall back to first available backend */
1362 Curl_ssl = available_backends[0];
1363 free(env_tmp);
1364 return 0;
1365}
1366
1367/* This function is used to select the SSL backend to use. It is called by
1368 curl_global_sslset (easy.c) which uses the global init lock. */
1369CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1370 const curl_ssl_backend ***avail)
1371{
1372 int i;
1373
1374 if(avail)
1375 *avail = (const curl_ssl_backend **)&available_backends;
1376
1377 if(Curl_ssl != &Curl_ssl_multi)
1378 return id == Curl_ssl->info.id ||
1379 (name && strcasecompare(name, Curl_ssl->info.name)) ?
1380 CURLSSLSET_OK :
1381#if defined(CURL_WITH_MULTI_SSL)
1382 CURLSSLSET_TOO_LATE;
1383#else
1384 CURLSSLSET_UNKNOWN_BACKEND;
1385#endif
1386
1387 for(i = 0; available_backends[i]; i++) {
1388 if(available_backends[i]->info.id == id ||
1389 (name && strcasecompare(available_backends[i]->info.name, name))) {
1390 multissl_setup(available_backends[i]);
1391 return CURLSSLSET_OK;
1392 }
1393 }
1394
1395 return CURLSSLSET_UNKNOWN_BACKEND;
1396}
1397
1398#else /* USE_SSL */
1399CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1400 const curl_ssl_backend ***avail)
1401{
1402 (void)id;
1403 (void)name;
1404 (void)avail;
1405 return CURLSSLSET_NO_BACKENDS;
1406}
1407
1408#endif /* !USE_SSL */
1409
1410#ifdef USE_SSL
1411
1412static void free_hostname(struct ssl_connect_data *connssl)
1413{
1414 if(connssl->dispname != connssl->hostname)
1415 free(connssl->dispname);
1416 free(connssl->hostname);
1417 connssl->hostname = connssl->dispname = NULL;
1418}
1419
1420static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1421{
1422 struct ssl_connect_data *connssl = cf->ctx;
1423 if(connssl) {
1424 Curl_ssl->close(cf, data);
1425 connssl->state = ssl_connection_none;
1426 free_hostname(connssl);
1427 }
1428 cf->connected = FALSE;
1429}
1430
1431static CURLcode reinit_hostname(struct Curl_cfilter *cf)
1432{
1433 struct ssl_connect_data *connssl = cf->ctx;
1434 const char *ehostname, *edispname;
1435 int eport;
1436
1437 /* We need the hostname for SNI negotiation. Once handshaked, this
1438 * remains the SNI hostname for the TLS connection. But when the
1439 * connection is reused, the settings in cf->conn might change.
1440 * So we keep a copy of the hostname we use for SNI.
1441 */
1442#ifndef CURL_DISABLE_PROXY
1443 if(Curl_ssl_cf_is_proxy(cf)) {
1444 ehostname = cf->conn->http_proxy.host.name;
1445 edispname = cf->conn->http_proxy.host.dispname;
1446 eport = cf->conn->http_proxy.port;
1447 }
1448 else
1449#endif
1450 {
1451 ehostname = cf->conn->host.name;
1452 edispname = cf->conn->host.dispname;
1453 eport = cf->conn->remote_port;
1454 }
1455
1456 /* change if ehostname changed */
1457 if(ehostname && (!connssl->hostname
1458 || strcmp(ehostname, connssl->hostname))) {
1459 free_hostname(connssl);
1460 connssl->hostname = strdup(ehostname);
1461 if(!connssl->hostname) {
1462 free_hostname(connssl);
1463 return CURLE_OUT_OF_MEMORY;
1464 }
1465 if(!edispname || !strcmp(ehostname, edispname))
1466 connssl->dispname = connssl->hostname;
1467 else {
1468 connssl->dispname = strdup(edispname);
1469 if(!connssl->dispname) {
1470 free_hostname(connssl);
1471 return CURLE_OUT_OF_MEMORY;
1472 }
1473 }
1474 }
1475 connssl->port = eport;
1476 return CURLE_OK;
1477}
1478
1479static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
1480{
1481 struct cf_call_data save;
1482
1483 CF_DATA_SAVE(save, cf, data);
1484 cf_close(cf, data);
1485 CF_DATA_RESTORE(cf, save);
1486 cf_ctx_free(cf->ctx);
1487 cf->ctx = NULL;
1488}
1489
1490static void ssl_cf_close(struct Curl_cfilter *cf,
1491 struct Curl_easy *data)
1492{
1493 struct cf_call_data save;
1494
1495 CF_DATA_SAVE(save, cf, data);
1496 cf_close(cf, data);
1497 if(cf->next)
1498 cf->next->cft->do_close(cf->next, data);
1499 CF_DATA_RESTORE(cf, save);
1500}
1501
1502static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
1503 struct Curl_easy *data,
1504 bool blocking, bool *done)
1505{
1506 struct ssl_connect_data *connssl = cf->ctx;
1507 struct cf_call_data save;
1508 CURLcode result;
1509
1510 if(cf->connected) {
1511 *done = TRUE;
1512 return CURLE_OK;
1513 }
1514
1515 CF_DATA_SAVE(save, cf, data);
1516 CURL_TRC_CF(data, cf, "cf_connect()");
1517 (void)connssl;
1518 DEBUGASSERT(data->conn);
1519 DEBUGASSERT(data->conn == cf->conn);
1520 DEBUGASSERT(connssl);
1521 DEBUGASSERT(cf->conn->host.name);
1522
1523 result = cf->next->cft->do_connect(cf->next, data, blocking, done);
1524 if(result || !*done)
1525 goto out;
1526
1527 *done = FALSE;
1528 result = reinit_hostname(cf);
1529 if(result)
1530 goto out;
1531
1532 if(blocking) {
1533 result = ssl_connect(cf, data);
1534 *done = (result == CURLE_OK);
1535 }
1536 else {
1537 result = ssl_connect_nonblocking(cf, data, done);
1538 }
1539
1540 if(!result && *done) {
1541 cf->connected = TRUE;
1542 connssl->handshake_done = Curl_now();
1543 DEBUGASSERT(connssl->state == ssl_connection_complete);
1544 }
1545out:
1546 CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
1547 CF_DATA_RESTORE(cf, save);
1548 return result;
1549}
1550
1551static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
1552 const struct Curl_easy *data)
1553{
1554 struct cf_call_data save;
1555 bool result;
1556
1557 CF_DATA_SAVE(save, cf, data);
1558 if(Curl_ssl->data_pending(cf, data))
1559 result = TRUE;
1560 else
1561 result = cf->next->cft->has_data_pending(cf->next, data);
1562 CF_DATA_RESTORE(cf, save);
1563 return result;
1564}
1565
1566static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
1567 struct Curl_easy *data, const void *buf, size_t len,
1568 CURLcode *err)
1569{
1570 struct cf_call_data save;
1571 ssize_t nwritten;
1572
1573 CF_DATA_SAVE(save, cf, data);
1574 *err = CURLE_OK;
1575 nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
1576 CF_DATA_RESTORE(cf, save);
1577 return nwritten;
1578}
1579
1580static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
1581 struct Curl_easy *data, char *buf, size_t len,
1582 CURLcode *err)
1583{
1584 struct cf_call_data save;
1585 ssize_t nread;
1586
1587 CF_DATA_SAVE(save, cf, data);
1588 *err = CURLE_OK;
1589 nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
1590 if(nread > 0) {
1591 DEBUGASSERT((size_t)nread <= len);
1592 }
1593 else if(nread == 0) {
1594 /* eof */
1595 *err = CURLE_OK;
1596 }
1597 CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, nread, *err);
1598 CF_DATA_RESTORE(cf, save);
1599 return nread;
1600}
1601
1602static int ssl_cf_get_select_socks(struct Curl_cfilter *cf,
1603 struct Curl_easy *data,
1604 curl_socket_t *socks)
1605{
1606 struct cf_call_data save;
1607 int fds = GETSOCK_BLANK;
1608
1609 if(!cf->next->connected) {
1610 fds = cf->next->cft->get_select_socks(cf->next, data, socks);
1611 }
1612 else if(!cf->connected) {
1613 CF_DATA_SAVE(save, cf, data);
1614 fds = Curl_ssl->get_select_socks(cf, data, socks);
1615 CF_DATA_RESTORE(cf, save);
1616 }
1617 return fds;
1618}
1619
1620static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
1621 struct Curl_easy *data,
1622 int event, int arg1, void *arg2)
1623{
1624 struct cf_call_data save;
1625
1626 (void)arg1;
1627 (void)arg2;
1628 switch(event) {
1629 case CF_CTRL_DATA_ATTACH:
1630 if(Curl_ssl->attach_data) {
1631 CF_DATA_SAVE(save, cf, data);
1632 Curl_ssl->attach_data(cf, data);
1633 CF_DATA_RESTORE(cf, save);
1634 }
1635 break;
1636 case CF_CTRL_DATA_DETACH:
1637 if(Curl_ssl->detach_data) {
1638 CF_DATA_SAVE(save, cf, data);
1639 Curl_ssl->detach_data(cf, data);
1640 CF_DATA_RESTORE(cf, save);
1641 }
1642 break;
1643 default:
1644 break;
1645 }
1646 return CURLE_OK;
1647}
1648
1649static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
1650 struct Curl_easy *data,
1651 int query, int *pres1, void *pres2)
1652{
1653 struct ssl_connect_data *connssl = cf->ctx;
1654
1655 switch(query) {
1656 case CF_QUERY_TIMER_APPCONNECT: {
1657 struct curltime *when = pres2;
1658 if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
1659 *when = connssl->handshake_done;
1660 return CURLE_OK;
1661 }
1662 default:
1663 break;
1664 }
1665 return cf->next?
1666 cf->next->cft->query(cf->next, data, query, pres1, pres2) :
1667 CURLE_UNKNOWN_OPTION;
1668}
1669
1670static bool cf_ssl_is_alive(struct Curl_cfilter *cf, struct Curl_easy *data,
1671 bool *input_pending)
1672{
1673 struct cf_call_data save;
1674 int result;
1675 /*
1676 * This function tries to determine connection status.
1677 *
1678 * Return codes:
1679 * 1 means the connection is still in place
1680 * 0 means the connection has been closed
1681 * -1 means the connection status is unknown
1682 */
1683 CF_DATA_SAVE(save, cf, data);
1684 result = Curl_ssl->check_cxn(cf, data);
1685 CF_DATA_RESTORE(cf, save);
1686 if(result > 0) {
1687 *input_pending = TRUE;
1688 return TRUE;
1689 }
1690 if(result == 0) {
1691 *input_pending = FALSE;
1692 return FALSE;
1693 }
1694 /* ssl backend does not know */
1695 return cf->next?
1696 cf->next->cft->is_alive(cf->next, data, input_pending) :
1697 FALSE; /* pessimistic in absence of data */
1698}
1699
1700struct Curl_cftype Curl_cft_ssl = {
1701 "SSL",
1702 CF_TYPE_SSL,
1703 CURL_LOG_LVL_NONE,
1704 ssl_cf_destroy,
1705 ssl_cf_connect,
1706 ssl_cf_close,
1707 Curl_cf_def_get_host,
1708 ssl_cf_get_select_socks,
1709 ssl_cf_data_pending,
1710 ssl_cf_send,
1711 ssl_cf_recv,
1712 ssl_cf_cntrl,
1713 cf_ssl_is_alive,
1714 Curl_cf_def_conn_keep_alive,
1715 ssl_cf_query,
1716};
1717
1718struct Curl_cftype Curl_cft_ssl_proxy = {
1719 "SSL-PROXY",
1720 CF_TYPE_SSL,
1721 CURL_LOG_LVL_NONE,
1722 ssl_cf_destroy,
1723 ssl_cf_connect,
1724 ssl_cf_close,
1725 Curl_cf_def_get_host,
1726 ssl_cf_get_select_socks,
1727 ssl_cf_data_pending,
1728 ssl_cf_send,
1729 ssl_cf_recv,
1730 ssl_cf_cntrl,
1731 cf_ssl_is_alive,
1732 Curl_cf_def_conn_keep_alive,
1733 Curl_cf_def_query,
1734};
1735
1736static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
1737 struct Curl_easy *data,
1738 struct connectdata *conn)
1739{
1740 struct Curl_cfilter *cf = NULL;
1741 struct ssl_connect_data *ctx;
1742 CURLcode result;
1743
1744 DEBUGASSERT(data->conn);
1745
1746 ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
1747 conn->bits.tls_enable_alpn));
1748 if(!ctx) {
1749 result = CURLE_OUT_OF_MEMORY;
1750 goto out;
1751 }
1752
1753 result = Curl_cf_create(&cf, &Curl_cft_ssl, ctx);
1754
1755out:
1756 if(result)
1757 cf_ctx_free(ctx);
1758 *pcf = result? NULL : cf;
1759 return result;
1760}
1761
1762CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
1763 struct connectdata *conn,
1764 int sockindex)
1765{
1766 struct Curl_cfilter *cf;
1767 CURLcode result;
1768
1769 result = cf_ssl_create(&cf, data, conn);
1770 if(!result)
1771 Curl_conn_cf_add(data, conn, sockindex, cf);
1772 return result;
1773}
1774
1775CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
1776 struct Curl_easy *data)
1777{
1778 struct Curl_cfilter *cf;
1779 CURLcode result;
1780
1781 result = cf_ssl_create(&cf, data, cf_at->conn);
1782 if(!result)
1783 Curl_conn_cf_insert_after(cf_at, cf);
1784 return result;
1785}
1786
1787#ifndef CURL_DISABLE_PROXY
1788
1789static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
1790 struct Curl_easy *data,
1791 struct connectdata *conn)
1792{
1793 struct Curl_cfilter *cf = NULL;
1794 struct ssl_connect_data *ctx;
1795 CURLcode result;
1796 bool use_alpn = conn->bits.tls_enable_alpn;
1797 int httpwant = CURL_HTTP_VERSION_1_1;
1798
1799#ifdef USE_HTTP2
1800 if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
1801 use_alpn = TRUE;
1802 httpwant = CURL_HTTP_VERSION_2;
1803 }
1804#endif
1805
1806 ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
1807 if(!ctx) {
1808 result = CURLE_OUT_OF_MEMORY;
1809 goto out;
1810 }
1811 result = Curl_cf_create(&cf, &Curl_cft_ssl_proxy, ctx);
1812
1813out:
1814 if(result)
1815 cf_ctx_free(ctx);
1816 *pcf = result? NULL : cf;
1817 return result;
1818}
1819
1820CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
1821 struct Curl_easy *data)
1822{
1823 struct Curl_cfilter *cf;
1824 CURLcode result;
1825
1826 result = cf_ssl_proxy_create(&cf, data, cf_at->conn);
1827 if(!result)
1828 Curl_conn_cf_insert_after(cf_at, cf);
1829 return result;
1830}
1831
1832#endif /* !CURL_DISABLE_PROXY */
1833
1834bool Curl_ssl_supports(struct Curl_easy *data, int option)
1835{
1836 (void)data;
1837 return (Curl_ssl->supports & option)? TRUE : FALSE;
1838}
1839
1840void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
1841 CURLINFO info, int n)
1842{
1843 void *result = NULL;
1844 (void)n;
1845 if(data->conn) {
1846 struct Curl_cfilter *cf;
1847 /* get first filter in chain, if any is present */
1848 cf = Curl_ssl_cf_get_ssl(data->conn->cfilter[sockindex]);
1849 if(cf) {
1850 struct cf_call_data save;
1851 CF_DATA_SAVE(save, cf, data);
1852 result = Curl_ssl->get_internals(cf->ctx, info);
1853 CF_DATA_RESTORE(cf, save);
1854 }
1855 }
1856 return result;
1857}
1858
1859CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
1860 int sockindex)
1861{
1862 struct Curl_cfilter *cf, *head;
1863 CURLcode result = CURLE_OK;
1864
1865 (void)data;
1866 head = data->conn? data->conn->cfilter[sockindex] : NULL;
1867 for(cf = head; cf; cf = cf->next) {
1868 if(cf->cft == &Curl_cft_ssl) {
1869 if(Curl_ssl->shut_down(cf, data))
1870 result = CURLE_SSL_SHUTDOWN_FAILED;
1871 Curl_conn_cf_discard_sub(head, cf, data, FALSE);
1872 break;
1873 }
1874 }
1875 return result;
1876}
1877
1878static struct Curl_cfilter *get_ssl_cf_engaged(struct connectdata *conn,
1879 int sockindex)
1880{
1881 struct Curl_cfilter *cf, *lowest_ssl_cf = NULL;
1882
1883 for(cf = conn->cfilter[sockindex]; cf; cf = cf->next) {
1884 if(cf->cft == &Curl_cft_ssl || cf->cft == &Curl_cft_ssl_proxy) {
1885 lowest_ssl_cf = cf;
1886 if(cf->connected || (cf->next && cf->next->connected)) {
1887 /* connected or about to start */
1888 return cf;
1889 }
1890 }
1891 }
1892 return lowest_ssl_cf;
1893}
1894
1895bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
1896{
1897 return (cf->cft == &Curl_cft_ssl_proxy);
1898}
1899
1900struct ssl_config_data *
1901Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data)
1902{
1903#ifdef CURL_DISABLE_PROXY
1904 (void)cf;
1905 return &data->set.ssl;
1906#else
1907 return Curl_ssl_cf_is_proxy(cf)? &data->set.proxy_ssl : &data->set.ssl;
1908#endif
1909}
1910
1911struct ssl_config_data *
1912Curl_ssl_get_config(struct Curl_easy *data, int sockindex)
1913{
1914 struct Curl_cfilter *cf;
1915
1916 (void)data;
1917 DEBUGASSERT(data->conn);
1918 cf = get_ssl_cf_engaged(data->conn, sockindex);
1919 return cf? Curl_ssl_cf_get_config(cf, data) : &data->set.ssl;
1920}
1921
1922struct ssl_primary_config *
1923Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
1924{
1925#ifdef CURL_DISABLE_PROXY
1926 return &cf->conn->ssl_config;
1927#else
1928 return Curl_ssl_cf_is_proxy(cf)?
1929 &cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
1930#endif
1931}
1932
1933struct Curl_cfilter *Curl_ssl_cf_get_ssl(struct Curl_cfilter *cf)
1934{
1935 for(; cf; cf = cf->next) {
1936 if(cf->cft == &Curl_cft_ssl || cf->cft == &Curl_cft_ssl_proxy)
1937 return cf;
1938 }
1939 return NULL;
1940}
1941
1942CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
1943 const struct alpn_spec *spec)
1944{
1945 size_t i, len;
1946 int off = 0;
1947 unsigned char blen;
1948
1949 memset(buf, 0, sizeof(*buf));
1950 for(i = 0; spec && i < spec->count; ++i) {
1951 len = strlen(spec->entries[i]);
1952 if(len >= ALPN_NAME_MAX)
1953 return CURLE_FAILED_INIT;
1954 blen = (unsigned char)len;
1955 if(off + blen + 1 >= (int)sizeof(buf->data))
1956 return CURLE_FAILED_INIT;
1957 buf->data[off++] = blen;
1958 memcpy(buf->data + off, spec->entries[i], blen);
1959 off += blen;
1960 }
1961 buf->len = off;
1962 return CURLE_OK;
1963}
1964
1965CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
1966 const struct alpn_spec *spec)
1967{
1968 size_t i, len;
1969 size_t off = 0;
1970
1971 memset(buf, 0, sizeof(*buf));
1972 for(i = 0; spec && i < spec->count; ++i) {
1973 len = strlen(spec->entries[i]);
1974 if(len >= ALPN_NAME_MAX)
1975 return CURLE_FAILED_INIT;
1976 if(off + len + 2 >= sizeof(buf->data))
1977 return CURLE_FAILED_INIT;
1978 if(off)
1979 buf->data[off++] = ',';
1980 memcpy(buf->data + off, spec->entries[i], len);
1981 off += len;
1982 }
1983 buf->data[off] = '\0';
1984 buf->len = (int)off;
1985 return CURLE_OK;
1986}
1987
1988CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
1989 struct Curl_easy *data,
1990 const unsigned char *proto,
1991 size_t proto_len)
1992{
1993 int can_multi = 0;
1994 unsigned char *palpn =
1995#ifndef CURL_DISABLE_PROXY
1996 (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf))?
1997 &cf->conn->proxy_alpn : &cf->conn->alpn
1998#else
1999 &cf->conn->alpn
2000#endif
2001 ;
2002
2003 if(proto && proto_len) {
2004 if(proto_len == ALPN_HTTP_1_1_LENGTH &&
2005 !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
2006 *palpn = CURL_HTTP_VERSION_1_1;
2007 }
2008 else if(proto_len == ALPN_HTTP_1_0_LENGTH &&
2009 !memcmp(ALPN_HTTP_1_0, proto, ALPN_HTTP_1_0_LENGTH)) {
2010 *palpn = CURL_HTTP_VERSION_1_0;
2011 }
2012#ifdef USE_HTTP2
2013 else if(proto_len == ALPN_H2_LENGTH &&
2014 !memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
2015 *palpn = CURL_HTTP_VERSION_2;
2016 can_multi = 1;
2017 }
2018#endif
2019#ifdef USE_HTTP3
2020 else if(proto_len == ALPN_H3_LENGTH &&
2021 !memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
2022 *palpn = CURL_HTTP_VERSION_3;
2023 can_multi = 1;
2024 }
2025#endif
2026 else {
2027 *palpn = CURL_HTTP_VERSION_NONE;
2028 failf(data, "unsupported ALPN protocol: '%.*s'", (int)proto_len, proto);
2029 /* TODO: do we want to fail this? Previous code just ignored it and
2030 * some vtls backends even ignore the return code of this function. */
2031 /* return CURLE_NOT_BUILT_IN; */
2032 goto out;
2033 }
2034 infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, (int)proto_len, proto);
2035 }
2036 else {
2037 *palpn = CURL_HTTP_VERSION_NONE;
2038 infof(data, VTLS_INFOF_NO_ALPN);
2039 }
2040
2041out:
2042 if(!Curl_ssl_cf_is_proxy(cf))
2043 Curl_multiuse_state(data, can_multi?
2044 BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
2045 return CURLE_OK;
2046}
2047
2048#endif /* USE_SSL */
Note: See TracBrowser for help on using the repository browser.

© 2025 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette