sslgen.c 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2007, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at http://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * $Id$
  22. ***************************************************************************/
  23. /* This file is for "generic" SSL functions that all libcurl internals should
  24. use. It is responsible for calling the proper 'ossl' function in ssluse.c
  25. (OpenSSL based) or the 'gtls' function in gtls.c (GnuTLS based).
  26. SSL-functions in libcurl should call functions in this source file, and not
  27. to any specific SSL-layer.
  28. Curl_ssl_ - prefix for generic ones
  29. Curl_ossl_ - prefix for OpenSSL ones
  30. Curl_gtls_ - prefix for GnuTLS ones
  31. "SSL/TLS Strong Encryption: An Introduction"
  32. http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html
  33. */
  34. #include "setup.h"
  35. #include <string.h>
  36. #include <stdlib.h>
  37. #include <ctype.h>
  38. #ifdef HAVE_SYS_TYPES_H
  39. #include <sys/types.h>
  40. #endif
  41. #ifdef HAVE_SYS_SOCKET_H
  42. #include <sys/socket.h>
  43. #endif
  44. #include "urldata.h"
  45. #define SSLGEN_C
  46. #include "sslgen.h" /* generic SSL protos etc */
  47. #include "ssluse.h" /* OpenSSL versions */
  48. #include "gtls.h" /* GnuTLS versions */
  49. #include "sendf.h"
  50. #include "strequal.h"
  51. #include "url.h"
  52. #include "memory.h"
  53. /* The last #include file should be: */
  54. #include "memdebug.h"
  55. /* "global" init done? */
  56. static bool init_ssl=FALSE;
  57. static bool safe_strequal(char* str1, char* str2);
  58. static bool safe_strequal(char* str1, char* str2)
  59. {
  60. if(str1 && str2)
  61. /* both pointers point to something then compare them */
  62. return (bool)(0 != strequal(str1, str2));
  63. else
  64. /* if both pointers are NULL then treat them as equal */
  65. return (bool)(!str1 && !str2);
  66. }
  67. bool
  68. Curl_ssl_config_matches(struct ssl_config_data* data,
  69. struct ssl_config_data* needle)
  70. {
  71. if((data->version == needle->version) &&
  72. (data->verifypeer == needle->verifypeer) &&
  73. (data->verifyhost == needle->verifyhost) &&
  74. safe_strequal(data->CApath, needle->CApath) &&
  75. safe_strequal(data->CAfile, needle->CAfile) &&
  76. safe_strequal(data->random_file, needle->random_file) &&
  77. safe_strequal(data->egdsocket, needle->egdsocket) &&
  78. safe_strequal(data->cipher_list, needle->cipher_list))
  79. return TRUE;
  80. return FALSE;
  81. }
  82. bool
  83. Curl_clone_ssl_config(struct ssl_config_data *source,
  84. struct ssl_config_data *dest)
  85. {
  86. dest->verifyhost = source->verifyhost;
  87. dest->verifypeer = source->verifypeer;
  88. dest->version = source->version;
  89. if(source->CAfile) {
  90. dest->CAfile = strdup(source->CAfile);
  91. if(!dest->CAfile)
  92. return FALSE;
  93. }
  94. if(source->CApath) {
  95. dest->CApath = strdup(source->CApath);
  96. if(!dest->CApath)
  97. return FALSE;
  98. }
  99. if(source->cipher_list) {
  100. dest->cipher_list = strdup(source->cipher_list);
  101. if(!dest->cipher_list)
  102. return FALSE;
  103. }
  104. if(source->egdsocket) {
  105. dest->egdsocket = strdup(source->egdsocket);
  106. if(!dest->egdsocket)
  107. return FALSE;
  108. }
  109. if(source->random_file) {
  110. dest->random_file = strdup(source->random_file);
  111. if(!dest->random_file)
  112. return FALSE;
  113. }
  114. return TRUE;
  115. }
  116. void Curl_free_ssl_config(struct ssl_config_data* sslc)
  117. {
  118. if(sslc->CAfile)
  119. free(sslc->CAfile);
  120. if(sslc->CApath)
  121. free(sslc->CApath);
  122. if(sslc->cipher_list)
  123. free(sslc->cipher_list);
  124. if(sslc->egdsocket)
  125. free(sslc->egdsocket);
  126. if(sslc->random_file)
  127. free(sslc->random_file);
  128. }
  129. /**
  130. * Global SSL init
  131. *
  132. * @retval 0 error initializing SSL
  133. * @retval 1 SSL initialized successfully
  134. */
  135. int Curl_ssl_init(void)
  136. {
  137. /* make sure this is only done once */
  138. if(init_ssl)
  139. return 1;
  140. init_ssl = TRUE; /* never again */
  141. #ifdef USE_SSLEAY
  142. return Curl_ossl_init();
  143. #else
  144. #ifdef USE_GNUTLS
  145. return Curl_gtls_init();
  146. #else
  147. /* no SSL support */
  148. return 1;
  149. #endif /* USE_GNUTLS */
  150. #endif /* USE_SSLEAY */
  151. }
  152. /* Global cleanup */
  153. void Curl_ssl_cleanup(void)
  154. {
  155. if(init_ssl) {
  156. /* only cleanup if we did a previous init */
  157. #ifdef USE_SSLEAY
  158. Curl_ossl_cleanup();
  159. #else
  160. #ifdef USE_GNUTLS
  161. Curl_gtls_cleanup();
  162. #endif /* USE_GNUTLS */
  163. #endif /* USE_SSLEAY */
  164. init_ssl = FALSE;
  165. }
  166. }
  167. CURLcode
  168. Curl_ssl_connect(struct connectdata *conn, int sockindex)
  169. {
  170. #ifdef USE_SSL
  171. /* mark this is being ssl enabled from here on. */
  172. conn->ssl[sockindex].use = TRUE;
  173. #ifdef USE_SSLEAY
  174. return Curl_ossl_connect(conn, sockindex);
  175. #else
  176. #ifdef USE_GNUTLS
  177. return Curl_gtls_connect(conn, sockindex);
  178. #endif /* USE_GNUTLS */
  179. #endif /* USE_SSLEAY */
  180. #else
  181. /* without SSL */
  182. (void)conn;
  183. (void)sockindex;
  184. return CURLE_OK;
  185. #endif /* USE_SSL */
  186. }
  187. CURLcode
  188. Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex,
  189. bool *done)
  190. {
  191. #if defined(USE_SSL) && defined(USE_SSLEAY)
  192. /* mark this is being ssl enabled from here on. */
  193. conn->ssl[sockindex].use = TRUE;
  194. return Curl_ossl_connect_nonblocking(conn, sockindex, done);
  195. #else
  196. /* not implemented!
  197. fallback to BLOCKING call. */
  198. *done = TRUE;
  199. return Curl_ssl_connect(conn, sockindex);
  200. #endif
  201. }
  202. #ifdef USE_SSL
  203. /*
  204. * Check if there's a session ID for the given connection in the cache, and if
  205. * there's one suitable, it is provided. Returns TRUE when no entry matched.
  206. */
  207. int Curl_ssl_getsessionid(struct connectdata *conn,
  208. void **ssl_sessionid,
  209. size_t *idsize) /* set 0 if unknown */
  210. {
  211. struct curl_ssl_session *check;
  212. struct SessionHandle *data = conn->data;
  213. long i;
  214. if(!conn->ssl_config.sessionid)
  215. /* session ID re-use is disabled */
  216. return TRUE;
  217. for(i=0; i< data->set.ssl.numsessions; i++) {
  218. check = &data->state.session[i];
  219. if(!check->sessionid)
  220. /* not session ID means blank entry */
  221. continue;
  222. if(curl_strequal(conn->host.name, check->name) &&
  223. (conn->remote_port == check->remote_port) &&
  224. Curl_ssl_config_matches(&conn->ssl_config, &check->ssl_config)) {
  225. /* yes, we have a session ID! */
  226. data->state.sessionage++; /* increase general age */
  227. check->age = data->state.sessionage; /* set this as used in this age */
  228. *ssl_sessionid = check->sessionid;
  229. if(idsize)
  230. *idsize = check->idsize;
  231. return FALSE;
  232. }
  233. }
  234. *ssl_sessionid = NULL;
  235. return TRUE;
  236. }
  237. /*
  238. * Kill a single session ID entry in the cache.
  239. */
  240. static int kill_session(struct curl_ssl_session *session)
  241. {
  242. if(session->sessionid) {
  243. /* defensive check */
  244. /* free the ID the SSL-layer specific way */
  245. #ifdef USE_SSLEAY
  246. Curl_ossl_session_free(session->sessionid);
  247. #else
  248. Curl_gtls_session_free(session->sessionid);
  249. #endif
  250. session->sessionid=NULL;
  251. session->age = 0; /* fresh */
  252. Curl_free_ssl_config(&session->ssl_config);
  253. Curl_safefree(session->name);
  254. session->name = NULL; /* no name */
  255. return 0; /* ok */
  256. }
  257. else
  258. return 1;
  259. }
  260. /*
  261. * Store session id in the session cache. The ID passed on to this function
  262. * must already have been extracted and allocated the proper way for the SSL
  263. * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
  264. * later on.
  265. */
  266. CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
  267. void *ssl_sessionid,
  268. size_t idsize)
  269. {
  270. int i;
  271. struct SessionHandle *data=conn->data; /* the mother of all structs */
  272. struct curl_ssl_session *store = &data->state.session[0];
  273. long oldest_age=data->state.session[0].age; /* zero if unused */
  274. char *clone_host;
  275. /* Even though session ID re-use might be disabled, that only disables USING
  276. IT. We still store it here in case the re-using is again enabled for an
  277. upcoming transfer */
  278. clone_host = strdup(conn->host.name);
  279. if(!clone_host)
  280. return CURLE_OUT_OF_MEMORY; /* bail out */
  281. /* Now we should add the session ID and the host name to the cache, (remove
  282. the oldest if necessary) */
  283. /* find an empty slot for us, or find the oldest */
  284. for(i=1; (i<data->set.ssl.numsessions) &&
  285. data->state.session[i].sessionid; i++) {
  286. if(data->state.session[i].age < oldest_age) {
  287. oldest_age = data->state.session[i].age;
  288. store = &data->state.session[i];
  289. }
  290. }
  291. if(i == data->set.ssl.numsessions)
  292. /* cache is full, we must "kill" the oldest entry! */
  293. kill_session(store);
  294. else
  295. store = &data->state.session[i]; /* use this slot */
  296. /* now init the session struct wisely */
  297. store->sessionid = ssl_sessionid;
  298. store->idsize = idsize;
  299. store->age = data->state.sessionage; /* set current age */
  300. store->name = clone_host; /* clone host name */
  301. store->remote_port = conn->remote_port; /* port number */
  302. if (!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config))
  303. return CURLE_OUT_OF_MEMORY;
  304. return CURLE_OK;
  305. }
  306. #endif
  307. void Curl_ssl_close_all(struct SessionHandle *data)
  308. {
  309. #ifdef USE_SSL
  310. int i;
  311. /* kill the session ID cache */
  312. if(data->state.session) {
  313. for(i=0; i< data->set.ssl.numsessions; i++)
  314. /* the single-killer function handles empty table slots */
  315. kill_session(&data->state.session[i]);
  316. /* free the cache data */
  317. free(data->state.session);
  318. data->state.session = NULL;
  319. }
  320. #ifdef USE_SSLEAY
  321. Curl_ossl_close_all(data);
  322. #else
  323. #ifdef USE_GNUTLS
  324. Curl_gtls_close_all(data);
  325. #endif /* USE_GNUTLS */
  326. #endif /* USE_SSLEAY */
  327. #else /* USE_SSL */
  328. (void)data;
  329. #endif /* USE_SSL */
  330. }
  331. void Curl_ssl_close(struct connectdata *conn)
  332. {
  333. if(conn->ssl[FIRSTSOCKET].use) {
  334. #ifdef USE_SSLEAY
  335. Curl_ossl_close(conn);
  336. #else
  337. #ifdef USE_GNUTLS
  338. Curl_gtls_close(conn);
  339. #else
  340. (void)conn;
  341. #endif /* USE_GNUTLS */
  342. #endif /* USE_SSLEAY */
  343. }
  344. }
  345. CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
  346. {
  347. if(conn->ssl[sockindex].use) {
  348. #ifdef USE_SSLEAY
  349. if(Curl_ossl_shutdown(conn, sockindex))
  350. return CURLE_SSL_SHUTDOWN_FAILED;
  351. #else
  352. #ifdef USE_GNUTLS
  353. if(Curl_gtls_shutdown(conn, sockindex))
  354. return CURLE_SSL_SHUTDOWN_FAILED;
  355. #else
  356. (void)conn;
  357. (void)sockindex;
  358. #endif /* USE_GNUTLS */
  359. #endif /* USE_SSLEAY */
  360. }
  361. return CURLE_OK;
  362. }
  363. /* Selects an (Open)SSL crypto engine
  364. */
  365. CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine)
  366. {
  367. #ifdef USE_SSLEAY
  368. return Curl_ossl_set_engine(data, engine);
  369. #else
  370. #ifdef USE_GNUTLS
  371. /* FIX: add code here */
  372. (void)data;
  373. (void)engine;
  374. return CURLE_FAILED_INIT;
  375. #else
  376. /* no SSL layer */
  377. (void)data;
  378. (void)engine;
  379. return CURLE_FAILED_INIT;
  380. #endif /* USE_GNUTLS */
  381. #endif /* USE_SSLEAY */
  382. }
  383. /* Selects an (Open?)SSL crypto engine
  384. */
  385. CURLcode Curl_ssl_set_engine_default(struct SessionHandle *data)
  386. {
  387. #ifdef USE_SSLEAY
  388. return Curl_ossl_set_engine_default(data);
  389. #else
  390. #ifdef USE_GNUTLS
  391. /* FIX: add code here */
  392. (void)data;
  393. return CURLE_FAILED_INIT;
  394. #else
  395. /* No SSL layer */
  396. (void)data;
  397. return CURLE_FAILED_INIT;
  398. #endif /* USE_GNUTLS */
  399. #endif /* USE_SSLEAY */
  400. }
  401. /* Return list of OpenSSL crypto engine names. */
  402. struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data)
  403. {
  404. #ifdef USE_SSLEAY
  405. return Curl_ossl_engines_list(data);
  406. #else
  407. #ifdef USE_GNUTLS
  408. /* FIX: add code here? */
  409. (void)data;
  410. return NULL;
  411. #else
  412. (void)data;
  413. return NULL;
  414. #endif /* USE_GNUTLS */
  415. #endif /* USE_SSLEAY */
  416. }
  417. /* return number of sent (non-SSL) bytes */
  418. ssize_t Curl_ssl_send(struct connectdata *conn,
  419. int sockindex,
  420. void *mem,
  421. size_t len)
  422. {
  423. #ifdef USE_SSLEAY
  424. return Curl_ossl_send(conn, sockindex, mem, len);
  425. #else
  426. #ifdef USE_GNUTLS
  427. return Curl_gtls_send(conn, sockindex, mem, len);
  428. #else
  429. (void)conn;
  430. (void)sockindex;
  431. (void)mem;
  432. (void)len;
  433. return 0;
  434. #endif /* USE_GNUTLS */
  435. #endif /* USE_SSLEAY */
  436. }
  437. /* return number of received (decrypted) bytes */
  438. /*
  439. * If the read would block (EWOULDBLOCK) we return -1. Otherwise we return
  440. * a regular CURLcode value.
  441. */
  442. ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */
  443. int sockindex, /* socketindex */
  444. char *mem, /* store read data here */
  445. size_t len) /* max amount to read */
  446. {
  447. #ifdef USE_SSL
  448. ssize_t nread;
  449. bool block = FALSE;
  450. #ifdef USE_SSLEAY
  451. nread = Curl_ossl_recv(conn, sockindex, mem, len, &block);
  452. #else
  453. #ifdef USE_GNUTLS
  454. nread = Curl_gtls_recv(conn, sockindex, mem, len, &block);
  455. #endif /* USE_GNUTLS */
  456. #endif /* USE_SSLEAY */
  457. if(nread == -1) {
  458. if(!block)
  459. return 0; /* this is a true error, not EWOULDBLOCK */
  460. else
  461. return -1;
  462. }
  463. return (int)nread;
  464. #else /* USE_SSL */
  465. (void)conn;
  466. (void)sockindex;
  467. (void)mem;
  468. (void)len;
  469. return 0;
  470. #endif /* USE_SSL */
  471. }
  472. /*
  473. * This sets up a session ID cache to the specified size. Make sure this code
  474. * is agnostic to what underlying SSL technology we use.
  475. */
  476. CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount)
  477. {
  478. #ifdef USE_SSL
  479. struct curl_ssl_session *session;
  480. if(data->state.session)
  481. /* this is just a precaution to prevent multiple inits */
  482. return CURLE_OK;
  483. session = (struct curl_ssl_session *)
  484. calloc(sizeof(struct curl_ssl_session), amount);
  485. if(!session)
  486. return CURLE_OUT_OF_MEMORY;
  487. /* store the info in the SSL section */
  488. data->set.ssl.numsessions = amount;
  489. data->state.session = session;
  490. data->state.sessionage = 1; /* this is brand new */
  491. #else
  492. /* without SSL, do nothing */
  493. (void)data;
  494. (void)amount;
  495. #endif
  496. return CURLE_OK;
  497. }
  498. size_t Curl_ssl_version(char *buffer, size_t size)
  499. {
  500. #ifdef USE_SSLEAY
  501. return Curl_ossl_version(buffer, size);
  502. #else
  503. #ifdef USE_GNUTLS
  504. return Curl_gtls_version(buffer, size);
  505. #else
  506. (void)buffer;
  507. (void)size;
  508. return 0; /* no SSL support */
  509. #endif /* USE_GNUTLS */
  510. #endif /* USE_SSLEAY */
  511. }
  512. /*
  513. * This function tries to determine connection status.
  514. *
  515. * Return codes:
  516. * 1 means the connection is still in place
  517. * 0 means the connection has been closed
  518. * -1 means the connection status is unknown
  519. */
  520. int Curl_ssl_check_cxn(struct connectdata *conn)
  521. {
  522. #ifdef USE_SSLEAY
  523. return Curl_ossl_check_cxn(conn);
  524. #else
  525. (void)conn;
  526. /* TODO: we lack implementation of this for GnuTLS */
  527. return -1; /* connection status unknown */
  528. #endif /* USE_SSLEAY */
  529. }
  530. bool Curl_ssl_data_pending(struct connectdata *conn,
  531. int connindex)
  532. {
  533. #ifdef USE_SSLEAY
  534. /* OpenSSL-specific */
  535. if(conn->ssl[connindex].handle)
  536. /* SSL is in use */
  537. return SSL_pending(conn->ssl[connindex].handle);
  538. #else
  539. (void)conn;
  540. (void)connindex;
  541. #endif
  542. return FALSE; /* nothing pending */
  543. }