vtls.c 54 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. /* This file is for implementing all "generic" SSL functions that all libcurl
  25. internals should use. It is then responsible for calling the proper
  26. "backend" function.
  27. SSL-functions in libcurl should call functions in this source file, and not
  28. to any specific SSL-layer.
  29. Curl_ssl_ - prefix for generic ones
  30. Note that this source code uses the functions of the configured SSL
  31. backend via the global Curl_ssl instance.
  32. "SSL/TLS Strong Encryption: An Introduction"
  33. https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
  34. */
  35. #include "curl_setup.h"
  36. #ifdef HAVE_SYS_TYPES_H
  37. #include <sys/types.h>
  38. #endif
  39. #ifdef HAVE_SYS_STAT_H
  40. #include <sys/stat.h>
  41. #endif
  42. #ifdef HAVE_FCNTL_H
  43. #include <fcntl.h>
  44. #endif
  45. #include "urldata.h"
  46. #include "cfilters.h"
  47. #include "vtls.h" /* generic SSL protos etc */
  48. #include "vtls_int.h"
  49. #include "slist.h"
  50. #include "sendf.h"
  51. #include "strcase.h"
  52. #include "url.h"
  53. #include "progress.h"
  54. #include "share.h"
  55. #include "multiif.h"
  56. #include "timeval.h"
  57. #include "curl_md5.h"
  58. #include "warnless.h"
  59. #include "curl_base64.h"
  60. #include "curl_printf.h"
  61. #include "strdup.h"
  62. /* The last #include files should be: */
  63. #include "curl_memory.h"
  64. #include "memdebug.h"
  65. /* convenience macro to check if this handle is using a shared SSL session */
  66. #define SSLSESSION_SHARED(data) (data->share && \
  67. (data->share->specifier & \
  68. (1<<CURL_LOCK_DATA_SSL_SESSION)))
  69. #define CLONE_STRING(var) \
  70. do { \
  71. if(source->var) { \
  72. dest->var = strdup(source->var); \
  73. if(!dest->var) \
  74. return FALSE; \
  75. } \
  76. else \
  77. dest->var = NULL; \
  78. } while(0)
  79. #define CLONE_BLOB(var) \
  80. do { \
  81. if(blobdup(&dest->var, source->var)) \
  82. return FALSE; \
  83. } while(0)
  84. static CURLcode blobdup(struct curl_blob **dest,
  85. struct curl_blob *src)
  86. {
  87. DEBUGASSERT(dest);
  88. DEBUGASSERT(!*dest);
  89. if(src) {
  90. /* only if there's data to dupe! */
  91. struct curl_blob *d;
  92. d = malloc(sizeof(struct curl_blob) + src->len);
  93. if(!d)
  94. return CURLE_OUT_OF_MEMORY;
  95. d->len = src->len;
  96. /* Always duplicate because the connection may survive longer than the
  97. handle that passed in the blob. */
  98. d->flags = CURL_BLOB_COPY;
  99. d->data = (void *)((char *)d + sizeof(struct curl_blob));
  100. memcpy(d->data, src->data, src->len);
  101. *dest = d;
  102. }
  103. return CURLE_OK;
  104. }
  105. /* returns TRUE if the blobs are identical */
  106. static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
  107. {
  108. if(!first && !second) /* both are NULL */
  109. return TRUE;
  110. if(!first || !second) /* one is NULL */
  111. return FALSE;
  112. if(first->len != second->len) /* different sizes */
  113. return FALSE;
  114. return !memcmp(first->data, second->data, first->len); /* same data */
  115. }
  116. #ifdef USE_SSL
  117. static const struct alpn_spec ALPN_SPEC_H10 = {
  118. { ALPN_HTTP_1_0 }, 1
  119. };
  120. static const struct alpn_spec ALPN_SPEC_H11 = {
  121. { ALPN_HTTP_1_1 }, 1
  122. };
  123. #ifdef USE_HTTP2
  124. static const struct alpn_spec ALPN_SPEC_H2_H11 = {
  125. { ALPN_H2, ALPN_HTTP_1_1 }, 2
  126. };
  127. #endif
  128. static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
  129. {
  130. if(!use_alpn)
  131. return NULL;
  132. if(httpwant == CURL_HTTP_VERSION_1_0)
  133. return &ALPN_SPEC_H10;
  134. #ifdef USE_HTTP2
  135. if(httpwant >= CURL_HTTP_VERSION_2)
  136. return &ALPN_SPEC_H2_H11;
  137. #endif
  138. return &ALPN_SPEC_H11;
  139. }
  140. #endif /* USE_SSL */
  141. bool
  142. Curl_ssl_config_matches(struct ssl_primary_config *data,
  143. struct ssl_primary_config *needle)
  144. {
  145. if((data->version == needle->version) &&
  146. (data->version_max == needle->version_max) &&
  147. (data->ssl_options == needle->ssl_options) &&
  148. (data->verifypeer == needle->verifypeer) &&
  149. (data->verifyhost == needle->verifyhost) &&
  150. (data->verifystatus == needle->verifystatus) &&
  151. blobcmp(data->cert_blob, needle->cert_blob) &&
  152. blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
  153. blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
  154. Curl_safecmp(data->CApath, needle->CApath) &&
  155. Curl_safecmp(data->CAfile, needle->CAfile) &&
  156. Curl_safecmp(data->issuercert, needle->issuercert) &&
  157. Curl_safecmp(data->clientcert, needle->clientcert) &&
  158. #ifdef USE_TLS_SRP
  159. !Curl_timestrcmp(data->username, needle->username) &&
  160. !Curl_timestrcmp(data->password, needle->password) &&
  161. #endif
  162. strcasecompare(data->cipher_list, needle->cipher_list) &&
  163. strcasecompare(data->cipher_list13, needle->cipher_list13) &&
  164. strcasecompare(data->curves, needle->curves) &&
  165. strcasecompare(data->CRLfile, needle->CRLfile) &&
  166. strcasecompare(data->pinned_key, needle->pinned_key))
  167. return TRUE;
  168. return FALSE;
  169. }
  170. bool
  171. Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
  172. struct ssl_primary_config *dest)
  173. {
  174. dest->version = source->version;
  175. dest->version_max = source->version_max;
  176. dest->verifypeer = source->verifypeer;
  177. dest->verifyhost = source->verifyhost;
  178. dest->verifystatus = source->verifystatus;
  179. dest->sessionid = source->sessionid;
  180. dest->ssl_options = source->ssl_options;
  181. CLONE_BLOB(cert_blob);
  182. CLONE_BLOB(ca_info_blob);
  183. CLONE_BLOB(issuercert_blob);
  184. CLONE_STRING(CApath);
  185. CLONE_STRING(CAfile);
  186. CLONE_STRING(issuercert);
  187. CLONE_STRING(clientcert);
  188. CLONE_STRING(cipher_list);
  189. CLONE_STRING(cipher_list13);
  190. CLONE_STRING(pinned_key);
  191. CLONE_STRING(curves);
  192. CLONE_STRING(CRLfile);
  193. #ifdef USE_TLS_SRP
  194. CLONE_STRING(username);
  195. CLONE_STRING(password);
  196. #endif
  197. return TRUE;
  198. }
  199. void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
  200. {
  201. Curl_safefree(sslc->CApath);
  202. Curl_safefree(sslc->CAfile);
  203. Curl_safefree(sslc->issuercert);
  204. Curl_safefree(sslc->clientcert);
  205. Curl_safefree(sslc->cipher_list);
  206. Curl_safefree(sslc->cipher_list13);
  207. Curl_safefree(sslc->pinned_key);
  208. Curl_safefree(sslc->cert_blob);
  209. Curl_safefree(sslc->ca_info_blob);
  210. Curl_safefree(sslc->issuercert_blob);
  211. Curl_safefree(sslc->curves);
  212. Curl_safefree(sslc->CRLfile);
  213. #ifdef USE_TLS_SRP
  214. Curl_safefree(sslc->username);
  215. Curl_safefree(sslc->password);
  216. #endif
  217. }
  218. #ifdef USE_SSL
  219. static int multissl_setup(const struct Curl_ssl *backend);
  220. #endif
  221. curl_sslbackend Curl_ssl_backend(void)
  222. {
  223. #ifdef USE_SSL
  224. multissl_setup(NULL);
  225. return Curl_ssl->info.id;
  226. #else
  227. return CURLSSLBACKEND_NONE;
  228. #endif
  229. }
  230. #ifdef USE_SSL
  231. /* "global" init done? */
  232. static bool init_ssl = FALSE;
  233. /**
  234. * Global SSL init
  235. *
  236. * @retval 0 error initializing SSL
  237. * @retval 1 SSL initialized successfully
  238. */
  239. int Curl_ssl_init(void)
  240. {
  241. /* make sure this is only done once */
  242. if(init_ssl)
  243. return 1;
  244. init_ssl = TRUE; /* never again */
  245. return Curl_ssl->init();
  246. }
  247. #if defined(CURL_WITH_MULTI_SSL)
  248. static const struct Curl_ssl Curl_ssl_multi;
  249. #endif
  250. /* Global cleanup */
  251. void Curl_ssl_cleanup(void)
  252. {
  253. if(init_ssl) {
  254. /* only cleanup if we did a previous init */
  255. Curl_ssl->cleanup();
  256. #if defined(CURL_WITH_MULTI_SSL)
  257. Curl_ssl = &Curl_ssl_multi;
  258. #endif
  259. init_ssl = FALSE;
  260. }
  261. }
  262. static bool ssl_prefs_check(struct Curl_easy *data)
  263. {
  264. /* check for CURLOPT_SSLVERSION invalid parameter value */
  265. const unsigned char sslver = data->set.ssl.primary.version;
  266. if(sslver >= CURL_SSLVERSION_LAST) {
  267. failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
  268. return FALSE;
  269. }
  270. switch(data->set.ssl.primary.version_max) {
  271. case CURL_SSLVERSION_MAX_NONE:
  272. case CURL_SSLVERSION_MAX_DEFAULT:
  273. break;
  274. default:
  275. if((data->set.ssl.primary.version_max >> 16) < sslver) {
  276. failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
  277. return FALSE;
  278. }
  279. }
  280. return TRUE;
  281. }
  282. static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
  283. const struct alpn_spec *alpn)
  284. {
  285. struct ssl_connect_data *ctx;
  286. (void)data;
  287. ctx = calloc(1, sizeof(*ctx));
  288. if(!ctx)
  289. return NULL;
  290. ctx->alpn = alpn;
  291. ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
  292. if(!ctx->backend) {
  293. free(ctx);
  294. return NULL;
  295. }
  296. return ctx;
  297. }
  298. static void cf_ctx_free(struct ssl_connect_data *ctx)
  299. {
  300. if(ctx) {
  301. free(ctx->backend);
  302. free(ctx);
  303. }
  304. }
  305. static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data)
  306. {
  307. struct ssl_connect_data *connssl = cf->ctx;
  308. CURLcode result;
  309. if(!ssl_prefs_check(data))
  310. return CURLE_SSL_CONNECT_ERROR;
  311. /* mark this is being ssl-enabled from here on. */
  312. connssl->state = ssl_connection_negotiating;
  313. result = Curl_ssl->connect_blocking(cf, data);
  314. if(!result) {
  315. DEBUGASSERT(connssl->state == ssl_connection_complete);
  316. }
  317. return result;
  318. }
  319. static CURLcode
  320. ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data,
  321. bool *done)
  322. {
  323. if(!ssl_prefs_check(data))
  324. return CURLE_SSL_CONNECT_ERROR;
  325. /* mark this is being ssl requested from here on. */
  326. return Curl_ssl->connect_nonblocking(cf, data, done);
  327. }
  328. /*
  329. * Lock shared SSL session data
  330. */
  331. void Curl_ssl_sessionid_lock(struct Curl_easy *data)
  332. {
  333. if(SSLSESSION_SHARED(data))
  334. Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
  335. }
  336. /*
  337. * Unlock shared SSL session data
  338. */
  339. void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
  340. {
  341. if(SSLSESSION_SHARED(data))
  342. Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
  343. }
  344. /*
  345. * Check if there's a session ID for the given connection in the cache, and if
  346. * there's one suitable, it is provided. Returns TRUE when no entry matched.
  347. */
  348. bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
  349. struct Curl_easy *data,
  350. void **ssl_sessionid,
  351. size_t *idsize) /* set 0 if unknown */
  352. {
  353. struct ssl_connect_data *connssl = cf->ctx;
  354. struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  355. struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  356. struct Curl_ssl_session *check;
  357. size_t i;
  358. long *general_age;
  359. bool no_match = TRUE;
  360. *ssl_sessionid = NULL;
  361. if(!ssl_config)
  362. return TRUE;
  363. DEBUGASSERT(ssl_config->primary.sessionid);
  364. if(!ssl_config->primary.sessionid || !data->state.session)
  365. /* session ID reuse is disabled or the session cache has not been
  366. setup */
  367. return TRUE;
  368. /* Lock if shared */
  369. if(SSLSESSION_SHARED(data))
  370. general_age = &data->share->sessionage;
  371. else
  372. general_age = &data->state.sessionage;
  373. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  374. check = &data->state.session[i];
  375. if(!check->sessionid)
  376. /* not session ID means blank entry */
  377. continue;
  378. if(strcasecompare(connssl->hostname, check->name) &&
  379. ((!cf->conn->bits.conn_to_host && !check->conn_to_host) ||
  380. (cf->conn->bits.conn_to_host && check->conn_to_host &&
  381. strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
  382. ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) ||
  383. (cf->conn->bits.conn_to_port && check->conn_to_port != -1 &&
  384. cf->conn->conn_to_port == check->conn_to_port)) &&
  385. (connssl->port == check->remote_port) &&
  386. strcasecompare(cf->conn->handler->scheme, check->scheme) &&
  387. Curl_ssl_config_matches(conn_config, &check->ssl_config)) {
  388. /* yes, we have a session ID! */
  389. (*general_age)++; /* increase general age */
  390. check->age = *general_age; /* set this as used in this age */
  391. *ssl_sessionid = check->sessionid;
  392. if(idsize)
  393. *idsize = check->idsize;
  394. no_match = FALSE;
  395. break;
  396. }
  397. }
  398. DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d",
  399. no_match? "Didn't find": "Found",
  400. Curl_ssl_cf_is_proxy(cf) ? "proxy" : "host",
  401. cf->conn->handler->scheme, connssl->hostname, connssl->port));
  402. return no_match;
  403. }
  404. /*
  405. * Kill a single session ID entry in the cache.
  406. */
  407. void Curl_ssl_kill_session(struct Curl_ssl_session *session)
  408. {
  409. if(session->sessionid) {
  410. /* defensive check */
  411. /* free the ID the SSL-layer specific way */
  412. Curl_ssl->session_free(session->sessionid);
  413. session->sessionid = NULL;
  414. session->age = 0; /* fresh */
  415. Curl_free_primary_ssl_config(&session->ssl_config);
  416. Curl_safefree(session->name);
  417. Curl_safefree(session->conn_to_host);
  418. }
  419. }
  420. /*
  421. * Delete the given session ID from the cache.
  422. */
  423. void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
  424. {
  425. size_t i;
  426. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  427. struct Curl_ssl_session *check = &data->state.session[i];
  428. if(check->sessionid == ssl_sessionid) {
  429. Curl_ssl_kill_session(check);
  430. break;
  431. }
  432. }
  433. }
  434. /*
  435. * Store session id in the session cache. The ID passed on to this function
  436. * must already have been extracted and allocated the proper way for the SSL
  437. * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
  438. * later on.
  439. */
  440. CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf,
  441. struct Curl_easy *data,
  442. void *ssl_sessionid,
  443. size_t idsize,
  444. bool *added)
  445. {
  446. struct ssl_connect_data *connssl = cf->ctx;
  447. struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  448. struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  449. size_t i;
  450. struct Curl_ssl_session *store;
  451. long oldest_age;
  452. char *clone_host;
  453. char *clone_conn_to_host;
  454. int conn_to_port;
  455. long *general_age;
  456. if(added)
  457. *added = FALSE;
  458. if(!data->state.session)
  459. return CURLE_OK;
  460. store = &data->state.session[0];
  461. oldest_age = data->state.session[0].age; /* zero if unused */
  462. (void)ssl_config;
  463. DEBUGASSERT(ssl_config->primary.sessionid);
  464. clone_host = strdup(connssl->hostname);
  465. if(!clone_host)
  466. return CURLE_OUT_OF_MEMORY; /* bail out */
  467. if(cf->conn->bits.conn_to_host) {
  468. clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
  469. if(!clone_conn_to_host) {
  470. free(clone_host);
  471. return CURLE_OUT_OF_MEMORY; /* bail out */
  472. }
  473. }
  474. else
  475. clone_conn_to_host = NULL;
  476. if(cf->conn->bits.conn_to_port)
  477. conn_to_port = cf->conn->conn_to_port;
  478. else
  479. conn_to_port = -1;
  480. /* Now we should add the session ID and the host name to the cache, (remove
  481. the oldest if necessary) */
  482. /* If using shared SSL session, lock! */
  483. if(SSLSESSION_SHARED(data)) {
  484. general_age = &data->share->sessionage;
  485. }
  486. else {
  487. general_age = &data->state.sessionage;
  488. }
  489. /* find an empty slot for us, or find the oldest */
  490. for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
  491. data->state.session[i].sessionid; i++) {
  492. if(data->state.session[i].age < oldest_age) {
  493. oldest_age = data->state.session[i].age;
  494. store = &data->state.session[i];
  495. }
  496. }
  497. if(i == data->set.general_ssl.max_ssl_sessions)
  498. /* cache is full, we must "kill" the oldest entry! */
  499. Curl_ssl_kill_session(store);
  500. else
  501. store = &data->state.session[i]; /* use this slot */
  502. /* now init the session struct wisely */
  503. store->sessionid = ssl_sessionid;
  504. store->idsize = idsize;
  505. store->age = *general_age; /* set current age */
  506. /* free it if there's one already present */
  507. free(store->name);
  508. free(store->conn_to_host);
  509. store->name = clone_host; /* clone host name */
  510. store->conn_to_host = clone_conn_to_host; /* clone connect to host name */
  511. store->conn_to_port = conn_to_port; /* connect to port number */
  512. /* port number */
  513. store->remote_port = connssl->port;
  514. store->scheme = cf->conn->handler->scheme;
  515. if(!Curl_clone_primary_ssl_config(conn_config, &store->ssl_config)) {
  516. Curl_free_primary_ssl_config(&store->ssl_config);
  517. store->sessionid = NULL; /* let caller free sessionid */
  518. free(clone_host);
  519. free(clone_conn_to_host);
  520. return CURLE_OUT_OF_MEMORY;
  521. }
  522. if(added)
  523. *added = TRUE;
  524. DEBUGF(infof(data, "Added Session ID to cache for %s://%s:%d [%s]",
  525. store->scheme, store->name, store->remote_port,
  526. Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server"));
  527. return CURLE_OK;
  528. }
  529. void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend)
  530. {
  531. if(Curl_ssl->free_multi_ssl_backend_data && mbackend)
  532. Curl_ssl->free_multi_ssl_backend_data(mbackend);
  533. }
  534. void Curl_ssl_close_all(struct Curl_easy *data)
  535. {
  536. /* kill the session ID cache if not shared */
  537. if(data->state.session && !SSLSESSION_SHARED(data)) {
  538. size_t i;
  539. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
  540. /* the single-killer function handles empty table slots */
  541. Curl_ssl_kill_session(&data->state.session[i]);
  542. /* free the cache data */
  543. Curl_safefree(data->state.session);
  544. }
  545. Curl_ssl->close_all(data);
  546. }
  547. int Curl_ssl_get_select_socks(struct Curl_cfilter *cf, struct Curl_easy *data,
  548. curl_socket_t *socks)
  549. {
  550. struct ssl_connect_data *connssl = cf->ctx;
  551. curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
  552. if(sock == CURL_SOCKET_BAD)
  553. return GETSOCK_BLANK;
  554. if(connssl->connecting_state == ssl_connect_2_writing) {
  555. /* we are only interested in writing */
  556. socks[0] = sock;
  557. return GETSOCK_WRITESOCK(0);
  558. }
  559. socks[0] = sock;
  560. return GETSOCK_READSOCK(0);
  561. }
  562. /* Selects an SSL crypto engine
  563. */
  564. CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
  565. {
  566. return Curl_ssl->set_engine(data, engine);
  567. }
  568. /* Selects the default SSL crypto engine
  569. */
  570. CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
  571. {
  572. return Curl_ssl->set_engine_default(data);
  573. }
  574. /* Return list of OpenSSL crypto engine names. */
  575. struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
  576. {
  577. return Curl_ssl->engines_list(data);
  578. }
  579. /*
  580. * This sets up a session ID cache to the specified size. Make sure this code
  581. * is agnostic to what underlying SSL technology we use.
  582. */
  583. CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
  584. {
  585. struct Curl_ssl_session *session;
  586. if(data->state.session)
  587. /* this is just a precaution to prevent multiple inits */
  588. return CURLE_OK;
  589. session = calloc(amount, sizeof(struct Curl_ssl_session));
  590. if(!session)
  591. return CURLE_OUT_OF_MEMORY;
  592. /* store the info in the SSL section */
  593. data->set.general_ssl.max_ssl_sessions = amount;
  594. data->state.session = session;
  595. data->state.sessionage = 1; /* this is brand new */
  596. return CURLE_OK;
  597. }
  598. static size_t multissl_version(char *buffer, size_t size);
  599. void Curl_ssl_version(char *buffer, size_t size)
  600. {
  601. #ifdef CURL_WITH_MULTI_SSL
  602. (void)multissl_version(buffer, size);
  603. #else
  604. (void)Curl_ssl->version(buffer, size);
  605. #endif
  606. }
  607. void Curl_ssl_free_certinfo(struct Curl_easy *data)
  608. {
  609. struct curl_certinfo *ci = &data->info.certs;
  610. if(ci->num_of_certs) {
  611. /* free all individual lists used */
  612. int i;
  613. for(i = 0; i<ci->num_of_certs; i++) {
  614. curl_slist_free_all(ci->certinfo[i]);
  615. ci->certinfo[i] = NULL;
  616. }
  617. free(ci->certinfo); /* free the actual array too */
  618. ci->certinfo = NULL;
  619. ci->num_of_certs = 0;
  620. }
  621. }
  622. CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
  623. {
  624. struct curl_certinfo *ci = &data->info.certs;
  625. struct curl_slist **table;
  626. /* Free any previous certificate information structures */
  627. Curl_ssl_free_certinfo(data);
  628. /* Allocate the required certificate information structures */
  629. table = calloc((size_t) num, sizeof(struct curl_slist *));
  630. if(!table)
  631. return CURLE_OUT_OF_MEMORY;
  632. ci->num_of_certs = num;
  633. ci->certinfo = table;
  634. return CURLE_OK;
  635. }
  636. /*
  637. * 'value' is NOT a null-terminated string
  638. */
  639. CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
  640. int certnum,
  641. const char *label,
  642. const char *value,
  643. size_t valuelen)
  644. {
  645. struct curl_certinfo *ci = &data->info.certs;
  646. char *output;
  647. struct curl_slist *nl;
  648. CURLcode result = CURLE_OK;
  649. size_t labellen = strlen(label);
  650. size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */
  651. output = malloc(outlen);
  652. if(!output)
  653. return CURLE_OUT_OF_MEMORY;
  654. /* sprintf the label and colon */
  655. msnprintf(output, outlen, "%s:", label);
  656. /* memcpy the value (it might not be null-terminated) */
  657. memcpy(&output[labellen + 1], value, valuelen);
  658. /* null-terminate the output */
  659. output[labellen + 1 + valuelen] = 0;
  660. nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
  661. if(!nl) {
  662. free(output);
  663. curl_slist_free_all(ci->certinfo[certnum]);
  664. result = CURLE_OUT_OF_MEMORY;
  665. }
  666. ci->certinfo[certnum] = nl;
  667. return result;
  668. }
  669. CURLcode Curl_ssl_random(struct Curl_easy *data,
  670. unsigned char *entropy,
  671. size_t length)
  672. {
  673. return Curl_ssl->random(data, entropy, length);
  674. }
  675. /*
  676. * Curl_ssl_snihost() converts the input host name to a suitable SNI name put
  677. * in data->state.buffer. Returns a pointer to the name (or NULL if a problem)
  678. * and stores the new length in 'olen'.
  679. *
  680. * SNI fields must not have any trailing dot and while RFC 6066 section 3 says
  681. * the SNI field is case insensitive, browsers always send the data lowercase
  682. * and subsequently there are numerous servers out there that don't work
  683. * unless the name is lowercased.
  684. */
  685. char *Curl_ssl_snihost(struct Curl_easy *data, const char *host, size_t *olen)
  686. {
  687. size_t len = strlen(host);
  688. if(len && (host[len-1] == '.'))
  689. len--;
  690. if(len >= data->set.buffer_size)
  691. return NULL;
  692. Curl_strntolower(data->state.buffer, host, len);
  693. data->state.buffer[len] = 0;
  694. if(olen)
  695. *olen = len;
  696. return data->state.buffer;
  697. }
  698. /*
  699. * Public key pem to der conversion
  700. */
  701. static CURLcode pubkey_pem_to_der(const char *pem,
  702. unsigned char **der, size_t *der_len)
  703. {
  704. char *stripped_pem, *begin_pos, *end_pos;
  705. size_t pem_count, stripped_pem_count = 0, pem_len;
  706. CURLcode result;
  707. /* if no pem, exit. */
  708. if(!pem)
  709. return CURLE_BAD_CONTENT_ENCODING;
  710. begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
  711. if(!begin_pos)
  712. return CURLE_BAD_CONTENT_ENCODING;
  713. pem_count = begin_pos - pem;
  714. /* Invalid if not at beginning AND not directly following \n */
  715. if(0 != pem_count && '\n' != pem[pem_count - 1])
  716. return CURLE_BAD_CONTENT_ENCODING;
  717. /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
  718. pem_count += 26;
  719. /* Invalid if not directly following \n */
  720. end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
  721. if(!end_pos)
  722. return CURLE_BAD_CONTENT_ENCODING;
  723. pem_len = end_pos - pem;
  724. stripped_pem = malloc(pem_len - pem_count + 1);
  725. if(!stripped_pem)
  726. return CURLE_OUT_OF_MEMORY;
  727. /*
  728. * Here we loop through the pem array one character at a time between the
  729. * correct indices, and place each character that is not '\n' or '\r'
  730. * into the stripped_pem array, which should represent the raw base64 string
  731. */
  732. while(pem_count < pem_len) {
  733. if('\n' != pem[pem_count] && '\r' != pem[pem_count])
  734. stripped_pem[stripped_pem_count++] = pem[pem_count];
  735. ++pem_count;
  736. }
  737. /* Place the null terminator in the correct place */
  738. stripped_pem[stripped_pem_count] = '\0';
  739. result = Curl_base64_decode(stripped_pem, der, der_len);
  740. Curl_safefree(stripped_pem);
  741. return result;
  742. }
  743. /*
  744. * Generic pinned public key check.
  745. */
  746. CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
  747. const char *pinnedpubkey,
  748. const unsigned char *pubkey, size_t pubkeylen)
  749. {
  750. FILE *fp;
  751. unsigned char *buf = NULL, *pem_ptr = NULL;
  752. CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
  753. #ifdef CURL_DISABLE_VERBOSE_STRINGS
  754. (void)data;
  755. #endif
  756. /* if a path wasn't specified, don't pin */
  757. if(!pinnedpubkey)
  758. return CURLE_OK;
  759. if(!pubkey || !pubkeylen)
  760. return result;
  761. /* only do this if pinnedpubkey starts with "sha256//", length 8 */
  762. if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
  763. CURLcode encode;
  764. size_t encodedlen = 0, pinkeylen;
  765. char *encoded = NULL, *pinkeycopy, *begin_pos, *end_pos;
  766. unsigned char *sha256sumdigest;
  767. if(!Curl_ssl->sha256sum) {
  768. /* without sha256 support, this cannot match */
  769. return result;
  770. }
  771. /* compute sha256sum of public key */
  772. sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
  773. if(!sha256sumdigest)
  774. return CURLE_OUT_OF_MEMORY;
  775. encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
  776. sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
  777. if(!encode)
  778. encode = Curl_base64_encode((char *)sha256sumdigest,
  779. CURL_SHA256_DIGEST_LENGTH, &encoded,
  780. &encodedlen);
  781. Curl_safefree(sha256sumdigest);
  782. if(encode)
  783. return encode;
  784. infof(data, " public key hash: sha256//%s", encoded);
  785. /* it starts with sha256//, copy so we can modify it */
  786. pinkeylen = strlen(pinnedpubkey) + 1;
  787. pinkeycopy = malloc(pinkeylen);
  788. if(!pinkeycopy) {
  789. Curl_safefree(encoded);
  790. return CURLE_OUT_OF_MEMORY;
  791. }
  792. memcpy(pinkeycopy, pinnedpubkey, pinkeylen);
  793. /* point begin_pos to the copy, and start extracting keys */
  794. begin_pos = pinkeycopy;
  795. do {
  796. end_pos = strstr(begin_pos, ";sha256//");
  797. /*
  798. * if there is an end_pos, null terminate,
  799. * otherwise it'll go to the end of the original string
  800. */
  801. if(end_pos)
  802. end_pos[0] = '\0';
  803. /* compare base64 sha256 digests, 8 is the length of "sha256//" */
  804. if(encodedlen == strlen(begin_pos + 8) &&
  805. !memcmp(encoded, begin_pos + 8, encodedlen)) {
  806. result = CURLE_OK;
  807. break;
  808. }
  809. /*
  810. * change back the null-terminator we changed earlier,
  811. * and look for next begin
  812. */
  813. if(end_pos) {
  814. end_pos[0] = ';';
  815. begin_pos = strstr(end_pos, "sha256//");
  816. }
  817. } while(end_pos && begin_pos);
  818. Curl_safefree(encoded);
  819. Curl_safefree(pinkeycopy);
  820. return result;
  821. }
  822. fp = fopen(pinnedpubkey, "rb");
  823. if(!fp)
  824. return result;
  825. do {
  826. long filesize;
  827. size_t size, pem_len;
  828. CURLcode pem_read;
  829. /* Determine the file's size */
  830. if(fseek(fp, 0, SEEK_END))
  831. break;
  832. filesize = ftell(fp);
  833. if(fseek(fp, 0, SEEK_SET))
  834. break;
  835. if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
  836. break;
  837. /*
  838. * if the size of our certificate is bigger than the file
  839. * size then it can't match
  840. */
  841. size = curlx_sotouz((curl_off_t) filesize);
  842. if(pubkeylen > size)
  843. break;
  844. /*
  845. * Allocate buffer for the pinned key
  846. * With 1 additional byte for null terminator in case of PEM key
  847. */
  848. buf = malloc(size + 1);
  849. if(!buf)
  850. break;
  851. /* Returns number of elements read, which should be 1 */
  852. if((int) fread(buf, size, 1, fp) != 1)
  853. break;
  854. /* If the sizes are the same, it can't be base64 encoded, must be der */
  855. if(pubkeylen == size) {
  856. if(!memcmp(pubkey, buf, pubkeylen))
  857. result = CURLE_OK;
  858. break;
  859. }
  860. /*
  861. * Otherwise we will assume it's PEM and try to decode it
  862. * after placing null terminator
  863. */
  864. buf[size] = '\0';
  865. pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
  866. /* if it wasn't read successfully, exit */
  867. if(pem_read)
  868. break;
  869. /*
  870. * if the size of our certificate doesn't match the size of
  871. * the decoded file, they can't be the same, otherwise compare
  872. */
  873. if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
  874. result = CURLE_OK;
  875. } while(0);
  876. Curl_safefree(buf);
  877. Curl_safefree(pem_ptr);
  878. fclose(fp);
  879. return result;
  880. }
  881. /*
  882. * Check whether the SSL backend supports the status_request extension.
  883. */
  884. bool Curl_ssl_cert_status_request(void)
  885. {
  886. return Curl_ssl->cert_status_request();
  887. }
  888. /*
  889. * Check whether the SSL backend supports false start.
  890. */
  891. bool Curl_ssl_false_start(struct Curl_easy *data)
  892. {
  893. (void)data;
  894. return Curl_ssl->false_start();
  895. }
  896. /*
  897. * Default implementations for unsupported functions.
  898. */
  899. int Curl_none_init(void)
  900. {
  901. return 1;
  902. }
  903. void Curl_none_cleanup(void)
  904. { }
  905. int Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
  906. struct Curl_easy *data UNUSED_PARAM)
  907. {
  908. (void)data;
  909. (void)cf;
  910. return 0;
  911. }
  912. int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data)
  913. {
  914. (void)cf;
  915. (void)data;
  916. return -1;
  917. }
  918. CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
  919. unsigned char *entropy UNUSED_PARAM,
  920. size_t length UNUSED_PARAM)
  921. {
  922. (void)data;
  923. (void)entropy;
  924. (void)length;
  925. return CURLE_NOT_BUILT_IN;
  926. }
  927. void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
  928. {
  929. (void)data;
  930. }
  931. void Curl_none_session_free(void *ptr UNUSED_PARAM)
  932. {
  933. (void)ptr;
  934. }
  935. bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
  936. const struct Curl_easy *data UNUSED_PARAM)
  937. {
  938. (void)cf;
  939. (void)data;
  940. return 0;
  941. }
  942. bool Curl_none_cert_status_request(void)
  943. {
  944. return FALSE;
  945. }
  946. CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
  947. const char *engine UNUSED_PARAM)
  948. {
  949. (void)data;
  950. (void)engine;
  951. return CURLE_NOT_BUILT_IN;
  952. }
  953. CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
  954. {
  955. (void)data;
  956. return CURLE_NOT_BUILT_IN;
  957. }
  958. struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
  959. {
  960. (void)data;
  961. return (struct curl_slist *)NULL;
  962. }
  963. bool Curl_none_false_start(void)
  964. {
  965. return FALSE;
  966. }
  967. static int multissl_init(void)
  968. {
  969. if(multissl_setup(NULL))
  970. return 1;
  971. return Curl_ssl->init();
  972. }
  973. static CURLcode multissl_connect(struct Curl_cfilter *cf,
  974. struct Curl_easy *data)
  975. {
  976. if(multissl_setup(NULL))
  977. return CURLE_FAILED_INIT;
  978. return Curl_ssl->connect_blocking(cf, data);
  979. }
  980. static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
  981. struct Curl_easy *data,
  982. bool *done)
  983. {
  984. if(multissl_setup(NULL))
  985. return CURLE_FAILED_INIT;
  986. return Curl_ssl->connect_nonblocking(cf, data, done);
  987. }
  988. static int multissl_get_select_socks(struct Curl_cfilter *cf,
  989. struct Curl_easy *data,
  990. curl_socket_t *socks)
  991. {
  992. if(multissl_setup(NULL))
  993. return 0;
  994. return Curl_ssl->get_select_socks(cf, data, socks);
  995. }
  996. static void *multissl_get_internals(struct ssl_connect_data *connssl,
  997. CURLINFO info)
  998. {
  999. if(multissl_setup(NULL))
  1000. return NULL;
  1001. return Curl_ssl->get_internals(connssl, info);
  1002. }
  1003. static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
  1004. {
  1005. if(multissl_setup(NULL))
  1006. return;
  1007. Curl_ssl->close(cf, data);
  1008. }
  1009. static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
  1010. struct Curl_easy *data,
  1011. char *buf, size_t len, CURLcode *code)
  1012. {
  1013. if(multissl_setup(NULL))
  1014. return CURLE_FAILED_INIT;
  1015. return Curl_ssl->recv_plain(cf, data, buf, len, code);
  1016. }
  1017. static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
  1018. struct Curl_easy *data,
  1019. const void *mem, size_t len,
  1020. CURLcode *code)
  1021. {
  1022. if(multissl_setup(NULL))
  1023. return CURLE_FAILED_INIT;
  1024. return Curl_ssl->send_plain(cf, data, mem, len, code);
  1025. }
  1026. static const struct Curl_ssl Curl_ssl_multi = {
  1027. { CURLSSLBACKEND_NONE, "multi" }, /* info */
  1028. 0, /* supports nothing */
  1029. (size_t)-1, /* something insanely large to be on the safe side */
  1030. multissl_init, /* init */
  1031. Curl_none_cleanup, /* cleanup */
  1032. multissl_version, /* version */
  1033. Curl_none_check_cxn, /* check_cxn */
  1034. Curl_none_shutdown, /* shutdown */
  1035. Curl_none_data_pending, /* data_pending */
  1036. Curl_none_random, /* random */
  1037. Curl_none_cert_status_request, /* cert_status_request */
  1038. multissl_connect, /* connect */
  1039. multissl_connect_nonblocking, /* connect_nonblocking */
  1040. multissl_get_select_socks, /* getsock */
  1041. multissl_get_internals, /* get_internals */
  1042. multissl_close, /* close_one */
  1043. Curl_none_close_all, /* close_all */
  1044. Curl_none_session_free, /* session_free */
  1045. Curl_none_set_engine, /* set_engine */
  1046. Curl_none_set_engine_default, /* set_engine_default */
  1047. Curl_none_engines_list, /* engines_list */
  1048. Curl_none_false_start, /* false_start */
  1049. NULL, /* sha256sum */
  1050. NULL, /* associate_connection */
  1051. NULL, /* disassociate_connection */
  1052. NULL, /* free_multi_ssl_backend_data */
  1053. multissl_recv_plain, /* recv decrypted data */
  1054. multissl_send_plain, /* send data to encrypt */
  1055. };
  1056. const struct Curl_ssl *Curl_ssl =
  1057. #if defined(CURL_WITH_MULTI_SSL)
  1058. &Curl_ssl_multi;
  1059. #elif defined(USE_WOLFSSL)
  1060. &Curl_ssl_wolfssl;
  1061. #elif defined(USE_SECTRANSP)
  1062. &Curl_ssl_sectransp;
  1063. #elif defined(USE_GNUTLS)
  1064. &Curl_ssl_gnutls;
  1065. #elif defined(USE_MBEDTLS)
  1066. &Curl_ssl_mbedtls;
  1067. #elif defined(USE_RUSTLS)
  1068. &Curl_ssl_rustls;
  1069. #elif defined(USE_OPENSSL)
  1070. &Curl_ssl_openssl;
  1071. #elif defined(USE_SCHANNEL)
  1072. &Curl_ssl_schannel;
  1073. #elif defined(USE_BEARSSL)
  1074. &Curl_ssl_bearssl;
  1075. #else
  1076. #error "Missing struct Curl_ssl for selected SSL backend"
  1077. #endif
  1078. static const struct Curl_ssl *available_backends[] = {
  1079. #if defined(USE_WOLFSSL)
  1080. &Curl_ssl_wolfssl,
  1081. #endif
  1082. #if defined(USE_SECTRANSP)
  1083. &Curl_ssl_sectransp,
  1084. #endif
  1085. #if defined(USE_GNUTLS)
  1086. &Curl_ssl_gnutls,
  1087. #endif
  1088. #if defined(USE_MBEDTLS)
  1089. &Curl_ssl_mbedtls,
  1090. #endif
  1091. #if defined(USE_OPENSSL)
  1092. &Curl_ssl_openssl,
  1093. #endif
  1094. #if defined(USE_SCHANNEL)
  1095. &Curl_ssl_schannel,
  1096. #endif
  1097. #if defined(USE_BEARSSL)
  1098. &Curl_ssl_bearssl,
  1099. #endif
  1100. #if defined(USE_RUSTLS)
  1101. &Curl_ssl_rustls,
  1102. #endif
  1103. NULL
  1104. };
  1105. static size_t multissl_version(char *buffer, size_t size)
  1106. {
  1107. static const struct Curl_ssl *selected;
  1108. static char backends[200];
  1109. static size_t backends_len;
  1110. const struct Curl_ssl *current;
  1111. current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
  1112. if(current != selected) {
  1113. char *p = backends;
  1114. char *end = backends + sizeof(backends);
  1115. int i;
  1116. selected = current;
  1117. backends[0] = '\0';
  1118. for(i = 0; available_backends[i]; ++i) {
  1119. char vb[200];
  1120. bool paren = (selected != available_backends[i]);
  1121. if(available_backends[i]->version(vb, sizeof(vb))) {
  1122. p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
  1123. (paren ? "(" : ""), vb, (paren ? ")" : ""));
  1124. }
  1125. }
  1126. backends_len = p - backends;
  1127. }
  1128. if(!size)
  1129. return 0;
  1130. if(size <= backends_len) {
  1131. strncpy(buffer, backends, size - 1);
  1132. buffer[size - 1] = '\0';
  1133. return size - 1;
  1134. }
  1135. strcpy(buffer, backends);
  1136. return backends_len;
  1137. }
  1138. static int multissl_setup(const struct Curl_ssl *backend)
  1139. {
  1140. const char *env;
  1141. char *env_tmp;
  1142. if(Curl_ssl != &Curl_ssl_multi)
  1143. return 1;
  1144. if(backend) {
  1145. Curl_ssl = backend;
  1146. return 0;
  1147. }
  1148. if(!available_backends[0])
  1149. return 1;
  1150. env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
  1151. #ifdef CURL_DEFAULT_SSL_BACKEND
  1152. if(!env)
  1153. env = CURL_DEFAULT_SSL_BACKEND;
  1154. #endif
  1155. if(env) {
  1156. int i;
  1157. for(i = 0; available_backends[i]; i++) {
  1158. if(strcasecompare(env, available_backends[i]->info.name)) {
  1159. Curl_ssl = available_backends[i];
  1160. free(env_tmp);
  1161. return 0;
  1162. }
  1163. }
  1164. }
  1165. /* Fall back to first available backend */
  1166. Curl_ssl = available_backends[0];
  1167. free(env_tmp);
  1168. return 0;
  1169. }
  1170. /* This function is used to select the SSL backend to use. It is called by
  1171. curl_global_sslset (easy.c) which uses the global init lock. */
  1172. CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
  1173. const curl_ssl_backend ***avail)
  1174. {
  1175. int i;
  1176. if(avail)
  1177. *avail = (const curl_ssl_backend **)&available_backends;
  1178. if(Curl_ssl != &Curl_ssl_multi)
  1179. return id == Curl_ssl->info.id ||
  1180. (name && strcasecompare(name, Curl_ssl->info.name)) ?
  1181. CURLSSLSET_OK :
  1182. #if defined(CURL_WITH_MULTI_SSL)
  1183. CURLSSLSET_TOO_LATE;
  1184. #else
  1185. CURLSSLSET_UNKNOWN_BACKEND;
  1186. #endif
  1187. for(i = 0; available_backends[i]; i++) {
  1188. if(available_backends[i]->info.id == id ||
  1189. (name && strcasecompare(available_backends[i]->info.name, name))) {
  1190. multissl_setup(available_backends[i]);
  1191. return CURLSSLSET_OK;
  1192. }
  1193. }
  1194. return CURLSSLSET_UNKNOWN_BACKEND;
  1195. }
  1196. #else /* USE_SSL */
  1197. CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
  1198. const curl_ssl_backend ***avail)
  1199. {
  1200. (void)id;
  1201. (void)name;
  1202. (void)avail;
  1203. return CURLSSLSET_NO_BACKENDS;
  1204. }
  1205. #endif /* !USE_SSL */
  1206. #ifdef USE_SSL
  1207. static void free_hostname(struct ssl_connect_data *connssl)
  1208. {
  1209. if(connssl->dispname != connssl->hostname)
  1210. free(connssl->dispname);
  1211. free(connssl->hostname);
  1212. connssl->hostname = connssl->dispname = NULL;
  1213. }
  1214. static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data)
  1215. {
  1216. struct ssl_connect_data *connssl = cf->ctx;
  1217. if(connssl) {
  1218. Curl_ssl->close(cf, data);
  1219. connssl->state = ssl_connection_none;
  1220. free_hostname(connssl);
  1221. }
  1222. cf->connected = FALSE;
  1223. }
  1224. static CURLcode reinit_hostname(struct Curl_cfilter *cf)
  1225. {
  1226. struct ssl_connect_data *connssl = cf->ctx;
  1227. const char *ehostname, *edispname;
  1228. int eport;
  1229. /* We need the hostname for SNI negotiation. Once handshaked, this
  1230. * remains the SNI hostname for the TLS connection. But when the
  1231. * connection is reused, the settings in cf->conn might change.
  1232. * So we keep a copy of the hostname we use for SNI.
  1233. */
  1234. #ifndef CURL_DISABLE_PROXY
  1235. if(Curl_ssl_cf_is_proxy(cf)) {
  1236. ehostname = cf->conn->http_proxy.host.name;
  1237. edispname = cf->conn->http_proxy.host.dispname;
  1238. eport = cf->conn->http_proxy.port;
  1239. }
  1240. else
  1241. #endif
  1242. {
  1243. ehostname = cf->conn->host.name;
  1244. edispname = cf->conn->host.dispname;
  1245. eport = cf->conn->remote_port;
  1246. }
  1247. /* change if ehostname changed */
  1248. if(ehostname && (!connssl->hostname
  1249. || strcmp(ehostname, connssl->hostname))) {
  1250. free_hostname(connssl);
  1251. connssl->hostname = strdup(ehostname);
  1252. if(!connssl->hostname) {
  1253. free_hostname(connssl);
  1254. return CURLE_OUT_OF_MEMORY;
  1255. }
  1256. if(!edispname || !strcmp(ehostname, edispname))
  1257. connssl->dispname = connssl->hostname;
  1258. else {
  1259. connssl->dispname = strdup(edispname);
  1260. if(!connssl->dispname) {
  1261. free_hostname(connssl);
  1262. return CURLE_OUT_OF_MEMORY;
  1263. }
  1264. }
  1265. }
  1266. connssl->port = eport;
  1267. return CURLE_OK;
  1268. }
  1269. static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
  1270. {
  1271. struct cf_call_data save;
  1272. CF_DATA_SAVE(save, cf, data);
  1273. cf_close(cf, data);
  1274. CF_DATA_RESTORE(cf, save);
  1275. cf_ctx_free(cf->ctx);
  1276. cf->ctx = NULL;
  1277. }
  1278. static void ssl_cf_close(struct Curl_cfilter *cf,
  1279. struct Curl_easy *data)
  1280. {
  1281. struct cf_call_data save;
  1282. CF_DATA_SAVE(save, cf, data);
  1283. cf_close(cf, data);
  1284. cf->next->cft->do_close(cf->next, data);
  1285. CF_DATA_RESTORE(cf, save);
  1286. }
  1287. static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
  1288. struct Curl_easy *data,
  1289. bool blocking, bool *done)
  1290. {
  1291. struct ssl_connect_data *connssl = cf->ctx;
  1292. struct cf_call_data save;
  1293. CURLcode result;
  1294. if(cf->connected) {
  1295. *done = TRUE;
  1296. return CURLE_OK;
  1297. }
  1298. CF_DATA_SAVE(save, cf, data);
  1299. CURL_TRC_CF(data, cf, "cf_connect()");
  1300. (void)connssl;
  1301. DEBUGASSERT(data->conn);
  1302. DEBUGASSERT(data->conn == cf->conn);
  1303. DEBUGASSERT(connssl);
  1304. DEBUGASSERT(cf->conn->host.name);
  1305. result = cf->next->cft->do_connect(cf->next, data, blocking, done);
  1306. if(result || !*done)
  1307. goto out;
  1308. *done = FALSE;
  1309. result = reinit_hostname(cf);
  1310. if(result)
  1311. goto out;
  1312. if(blocking) {
  1313. result = ssl_connect(cf, data);
  1314. *done = (result == CURLE_OK);
  1315. }
  1316. else {
  1317. result = ssl_connect_nonblocking(cf, data, done);
  1318. }
  1319. if(!result && *done) {
  1320. cf->connected = TRUE;
  1321. connssl->handshake_done = Curl_now();
  1322. DEBUGASSERT(connssl->state == ssl_connection_complete);
  1323. }
  1324. out:
  1325. CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
  1326. CF_DATA_RESTORE(cf, save);
  1327. return result;
  1328. }
  1329. static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
  1330. const struct Curl_easy *data)
  1331. {
  1332. struct cf_call_data save;
  1333. bool result;
  1334. CF_DATA_SAVE(save, cf, data);
  1335. if(Curl_ssl->data_pending(cf, data))
  1336. result = TRUE;
  1337. else
  1338. result = cf->next->cft->has_data_pending(cf->next, data);
  1339. CF_DATA_RESTORE(cf, save);
  1340. return result;
  1341. }
  1342. static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
  1343. struct Curl_easy *data, const void *buf, size_t len,
  1344. CURLcode *err)
  1345. {
  1346. struct cf_call_data save;
  1347. ssize_t nwritten;
  1348. CF_DATA_SAVE(save, cf, data);
  1349. *err = CURLE_OK;
  1350. nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
  1351. CF_DATA_RESTORE(cf, save);
  1352. return nwritten;
  1353. }
  1354. static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
  1355. struct Curl_easy *data, char *buf, size_t len,
  1356. CURLcode *err)
  1357. {
  1358. struct cf_call_data save;
  1359. ssize_t nread;
  1360. CF_DATA_SAVE(save, cf, data);
  1361. *err = CURLE_OK;
  1362. nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
  1363. if(nread > 0) {
  1364. DEBUGASSERT((size_t)nread <= len);
  1365. }
  1366. else if(nread == 0) {
  1367. /* eof */
  1368. *err = CURLE_OK;
  1369. }
  1370. CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, nread, *err);
  1371. CF_DATA_RESTORE(cf, save);
  1372. return nread;
  1373. }
  1374. static int ssl_cf_get_select_socks(struct Curl_cfilter *cf,
  1375. struct Curl_easy *data,
  1376. curl_socket_t *socks)
  1377. {
  1378. struct cf_call_data save;
  1379. int fds = GETSOCK_BLANK;
  1380. if(!cf->next->connected) {
  1381. fds = cf->next->cft->get_select_socks(cf->next, data, socks);
  1382. }
  1383. else if(!cf->connected) {
  1384. CF_DATA_SAVE(save, cf, data);
  1385. fds = Curl_ssl->get_select_socks(cf, data, socks);
  1386. CF_DATA_RESTORE(cf, save);
  1387. }
  1388. return fds;
  1389. }
  1390. static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
  1391. struct Curl_easy *data,
  1392. int event, int arg1, void *arg2)
  1393. {
  1394. struct cf_call_data save;
  1395. (void)arg1;
  1396. (void)arg2;
  1397. switch(event) {
  1398. case CF_CTRL_DATA_ATTACH:
  1399. if(Curl_ssl->attach_data) {
  1400. CF_DATA_SAVE(save, cf, data);
  1401. Curl_ssl->attach_data(cf, data);
  1402. CF_DATA_RESTORE(cf, save);
  1403. }
  1404. break;
  1405. case CF_CTRL_DATA_DETACH:
  1406. if(Curl_ssl->detach_data) {
  1407. CF_DATA_SAVE(save, cf, data);
  1408. Curl_ssl->detach_data(cf, data);
  1409. CF_DATA_RESTORE(cf, save);
  1410. }
  1411. break;
  1412. default:
  1413. break;
  1414. }
  1415. return CURLE_OK;
  1416. }
  1417. static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
  1418. struct Curl_easy *data,
  1419. int query, int *pres1, void *pres2)
  1420. {
  1421. struct ssl_connect_data *connssl = cf->ctx;
  1422. switch(query) {
  1423. case CF_QUERY_TIMER_APPCONNECT: {
  1424. struct curltime *when = pres2;
  1425. if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
  1426. *when = connssl->handshake_done;
  1427. return CURLE_OK;
  1428. }
  1429. default:
  1430. break;
  1431. }
  1432. return cf->next?
  1433. cf->next->cft->query(cf->next, data, query, pres1, pres2) :
  1434. CURLE_UNKNOWN_OPTION;
  1435. }
  1436. static bool cf_ssl_is_alive(struct Curl_cfilter *cf, struct Curl_easy *data,
  1437. bool *input_pending)
  1438. {
  1439. struct cf_call_data save;
  1440. int result;
  1441. /*
  1442. * This function tries to determine connection status.
  1443. *
  1444. * Return codes:
  1445. * 1 means the connection is still in place
  1446. * 0 means the connection has been closed
  1447. * -1 means the connection status is unknown
  1448. */
  1449. CF_DATA_SAVE(save, cf, data);
  1450. result = Curl_ssl->check_cxn(cf, data);
  1451. CF_DATA_RESTORE(cf, save);
  1452. if(result > 0) {
  1453. *input_pending = TRUE;
  1454. return TRUE;
  1455. }
  1456. if(result == 0) {
  1457. *input_pending = FALSE;
  1458. return FALSE;
  1459. }
  1460. /* ssl backend does not know */
  1461. return cf->next?
  1462. cf->next->cft->is_alive(cf->next, data, input_pending) :
  1463. FALSE; /* pessimistic in absence of data */
  1464. }
  1465. struct Curl_cftype Curl_cft_ssl = {
  1466. "SSL",
  1467. CF_TYPE_SSL,
  1468. CURL_LOG_LVL_NONE,
  1469. ssl_cf_destroy,
  1470. ssl_cf_connect,
  1471. ssl_cf_close,
  1472. Curl_cf_def_get_host,
  1473. ssl_cf_get_select_socks,
  1474. ssl_cf_data_pending,
  1475. ssl_cf_send,
  1476. ssl_cf_recv,
  1477. ssl_cf_cntrl,
  1478. cf_ssl_is_alive,
  1479. Curl_cf_def_conn_keep_alive,
  1480. ssl_cf_query,
  1481. };
  1482. struct Curl_cftype Curl_cft_ssl_proxy = {
  1483. "SSL-PROXY",
  1484. CF_TYPE_SSL,
  1485. CURL_LOG_LVL_NONE,
  1486. ssl_cf_destroy,
  1487. ssl_cf_connect,
  1488. ssl_cf_close,
  1489. Curl_cf_def_get_host,
  1490. ssl_cf_get_select_socks,
  1491. ssl_cf_data_pending,
  1492. ssl_cf_send,
  1493. ssl_cf_recv,
  1494. ssl_cf_cntrl,
  1495. cf_ssl_is_alive,
  1496. Curl_cf_def_conn_keep_alive,
  1497. Curl_cf_def_query,
  1498. };
  1499. static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
  1500. struct Curl_easy *data,
  1501. struct connectdata *conn)
  1502. {
  1503. struct Curl_cfilter *cf = NULL;
  1504. struct ssl_connect_data *ctx;
  1505. CURLcode result;
  1506. DEBUGASSERT(data->conn);
  1507. ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
  1508. conn->bits.tls_enable_alpn));
  1509. if(!ctx) {
  1510. result = CURLE_OUT_OF_MEMORY;
  1511. goto out;
  1512. }
  1513. result = Curl_cf_create(&cf, &Curl_cft_ssl, ctx);
  1514. out:
  1515. if(result)
  1516. cf_ctx_free(ctx);
  1517. *pcf = result? NULL : cf;
  1518. return result;
  1519. }
  1520. CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
  1521. struct connectdata *conn,
  1522. int sockindex)
  1523. {
  1524. struct Curl_cfilter *cf;
  1525. CURLcode result;
  1526. result = cf_ssl_create(&cf, data, conn);
  1527. if(!result)
  1528. Curl_conn_cf_add(data, conn, sockindex, cf);
  1529. return result;
  1530. }
  1531. CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
  1532. struct Curl_easy *data)
  1533. {
  1534. struct Curl_cfilter *cf;
  1535. CURLcode result;
  1536. result = cf_ssl_create(&cf, data, cf_at->conn);
  1537. if(!result)
  1538. Curl_conn_cf_insert_after(cf_at, cf);
  1539. return result;
  1540. }
  1541. #ifndef CURL_DISABLE_PROXY
  1542. static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
  1543. struct Curl_easy *data,
  1544. struct connectdata *conn)
  1545. {
  1546. struct Curl_cfilter *cf = NULL;
  1547. struct ssl_connect_data *ctx;
  1548. CURLcode result;
  1549. bool use_alpn = conn->bits.tls_enable_alpn;
  1550. int httpwant = CURL_HTTP_VERSION_1_1;
  1551. #ifdef USE_HTTP2
  1552. if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
  1553. use_alpn = TRUE;
  1554. httpwant = CURL_HTTP_VERSION_2;
  1555. }
  1556. #endif
  1557. ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
  1558. if(!ctx) {
  1559. result = CURLE_OUT_OF_MEMORY;
  1560. goto out;
  1561. }
  1562. result = Curl_cf_create(&cf, &Curl_cft_ssl_proxy, ctx);
  1563. out:
  1564. if(result)
  1565. cf_ctx_free(ctx);
  1566. *pcf = result? NULL : cf;
  1567. return result;
  1568. }
  1569. CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
  1570. struct Curl_easy *data)
  1571. {
  1572. struct Curl_cfilter *cf;
  1573. CURLcode result;
  1574. result = cf_ssl_proxy_create(&cf, data, cf_at->conn);
  1575. if(!result)
  1576. Curl_conn_cf_insert_after(cf_at, cf);
  1577. return result;
  1578. }
  1579. #endif /* !CURL_DISABLE_PROXY */
  1580. bool Curl_ssl_supports(struct Curl_easy *data, int option)
  1581. {
  1582. (void)data;
  1583. return (Curl_ssl->supports & option)? TRUE : FALSE;
  1584. }
  1585. void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
  1586. CURLINFO info, int n)
  1587. {
  1588. void *result = NULL;
  1589. (void)n;
  1590. if(data->conn) {
  1591. struct Curl_cfilter *cf;
  1592. /* get first filter in chain, if any is present */
  1593. cf = Curl_ssl_cf_get_ssl(data->conn->cfilter[sockindex]);
  1594. if(cf) {
  1595. struct cf_call_data save;
  1596. CF_DATA_SAVE(save, cf, data);
  1597. result = Curl_ssl->get_internals(cf->ctx, info);
  1598. CF_DATA_RESTORE(cf, save);
  1599. }
  1600. }
  1601. return result;
  1602. }
  1603. CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
  1604. int sockindex)
  1605. {
  1606. struct Curl_cfilter *cf, *head;
  1607. CURLcode result = CURLE_OK;
  1608. (void)data;
  1609. head = data->conn? data->conn->cfilter[sockindex] : NULL;
  1610. for(cf = head; cf; cf = cf->next) {
  1611. if(cf->cft == &Curl_cft_ssl) {
  1612. if(Curl_ssl->shut_down(cf, data))
  1613. result = CURLE_SSL_SHUTDOWN_FAILED;
  1614. Curl_conn_cf_discard_sub(head, cf, data, FALSE);
  1615. break;
  1616. }
  1617. }
  1618. return result;
  1619. }
  1620. static struct Curl_cfilter *get_ssl_cf_engaged(struct connectdata *conn,
  1621. int sockindex)
  1622. {
  1623. struct Curl_cfilter *cf, *lowest_ssl_cf = NULL;
  1624. for(cf = conn->cfilter[sockindex]; cf; cf = cf->next) {
  1625. if(cf->cft == &Curl_cft_ssl || cf->cft == &Curl_cft_ssl_proxy) {
  1626. lowest_ssl_cf = cf;
  1627. if(cf->connected || (cf->next && cf->next->connected)) {
  1628. /* connected or about to start */
  1629. return cf;
  1630. }
  1631. }
  1632. }
  1633. return lowest_ssl_cf;
  1634. }
  1635. bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
  1636. {
  1637. return (cf->cft == &Curl_cft_ssl_proxy);
  1638. }
  1639. struct ssl_config_data *
  1640. Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data)
  1641. {
  1642. #ifdef CURL_DISABLE_PROXY
  1643. (void)cf;
  1644. return &data->set.ssl;
  1645. #else
  1646. return Curl_ssl_cf_is_proxy(cf)? &data->set.proxy_ssl : &data->set.ssl;
  1647. #endif
  1648. }
  1649. struct ssl_config_data *
  1650. Curl_ssl_get_config(struct Curl_easy *data, int sockindex)
  1651. {
  1652. struct Curl_cfilter *cf;
  1653. (void)data;
  1654. DEBUGASSERT(data->conn);
  1655. cf = get_ssl_cf_engaged(data->conn, sockindex);
  1656. return cf? Curl_ssl_cf_get_config(cf, data) : &data->set.ssl;
  1657. }
  1658. struct ssl_primary_config *
  1659. Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
  1660. {
  1661. #ifdef CURL_DISABLE_PROXY
  1662. return &cf->conn->ssl_config;
  1663. #else
  1664. return Curl_ssl_cf_is_proxy(cf)?
  1665. &cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
  1666. #endif
  1667. }
  1668. struct Curl_cfilter *Curl_ssl_cf_get_ssl(struct Curl_cfilter *cf)
  1669. {
  1670. for(; cf; cf = cf->next) {
  1671. if(cf->cft == &Curl_cft_ssl || cf->cft == &Curl_cft_ssl_proxy)
  1672. return cf;
  1673. }
  1674. return NULL;
  1675. }
  1676. CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
  1677. const struct alpn_spec *spec)
  1678. {
  1679. size_t i, len;
  1680. int off = 0;
  1681. unsigned char blen;
  1682. memset(buf, 0, sizeof(*buf));
  1683. for(i = 0; spec && i < spec->count; ++i) {
  1684. len = strlen(spec->entries[i]);
  1685. if(len >= ALPN_NAME_MAX)
  1686. return CURLE_FAILED_INIT;
  1687. blen = (unsigned char)len;
  1688. if(off + blen + 1 >= (int)sizeof(buf->data))
  1689. return CURLE_FAILED_INIT;
  1690. buf->data[off++] = blen;
  1691. memcpy(buf->data + off, spec->entries[i], blen);
  1692. off += blen;
  1693. }
  1694. buf->len = off;
  1695. return CURLE_OK;
  1696. }
  1697. CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
  1698. const struct alpn_spec *spec)
  1699. {
  1700. size_t i, len;
  1701. size_t off = 0;
  1702. memset(buf, 0, sizeof(*buf));
  1703. for(i = 0; spec && i < spec->count; ++i) {
  1704. len = strlen(spec->entries[i]);
  1705. if(len >= ALPN_NAME_MAX)
  1706. return CURLE_FAILED_INIT;
  1707. if(off + len + 2 >= sizeof(buf->data))
  1708. return CURLE_FAILED_INIT;
  1709. if(off)
  1710. buf->data[off++] = ',';
  1711. memcpy(buf->data + off, spec->entries[i], len);
  1712. off += len;
  1713. }
  1714. buf->data[off] = '\0';
  1715. buf->len = (int)off;
  1716. return CURLE_OK;
  1717. }
  1718. CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
  1719. struct Curl_easy *data,
  1720. const unsigned char *proto,
  1721. size_t proto_len)
  1722. {
  1723. int can_multi = 0;
  1724. unsigned char *palpn =
  1725. #ifndef CURL_DISABLE_PROXY
  1726. (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf))?
  1727. &cf->conn->proxy_alpn : &cf->conn->alpn
  1728. #else
  1729. &cf->conn->alpn
  1730. #endif
  1731. ;
  1732. if(proto && proto_len) {
  1733. if(proto_len == ALPN_HTTP_1_1_LENGTH &&
  1734. !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
  1735. *palpn = CURL_HTTP_VERSION_1_1;
  1736. }
  1737. else if(proto_len == ALPN_HTTP_1_0_LENGTH &&
  1738. !memcmp(ALPN_HTTP_1_0, proto, ALPN_HTTP_1_0_LENGTH)) {
  1739. *palpn = CURL_HTTP_VERSION_1_0;
  1740. }
  1741. #ifdef USE_HTTP2
  1742. else if(proto_len == ALPN_H2_LENGTH &&
  1743. !memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
  1744. *palpn = CURL_HTTP_VERSION_2;
  1745. can_multi = 1;
  1746. }
  1747. #endif
  1748. #ifdef USE_HTTP3
  1749. else if(proto_len == ALPN_H3_LENGTH &&
  1750. !memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
  1751. *palpn = CURL_HTTP_VERSION_3;
  1752. can_multi = 1;
  1753. }
  1754. #endif
  1755. else {
  1756. *palpn = CURL_HTTP_VERSION_NONE;
  1757. failf(data, "unsupported ALPN protocol: '%.*s'", (int)proto_len, proto);
  1758. /* TODO: do we want to fail this? Previous code just ignored it and
  1759. * some vtls backends even ignore the return code of this function. */
  1760. /* return CURLE_NOT_BUILT_IN; */
  1761. goto out;
  1762. }
  1763. infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, (int)proto_len, proto);
  1764. }
  1765. else {
  1766. *palpn = CURL_HTTP_VERSION_NONE;
  1767. infof(data, VTLS_INFOF_NO_ALPN);
  1768. }
  1769. out:
  1770. if(!Curl_ssl_cf_is_proxy(cf))
  1771. Curl_multiuse_state(data, can_multi?
  1772. BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
  1773. return CURLE_OK;
  1774. }
  1775. #endif /* USE_SSL */