vtls.c 38 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. /* This file is for implementing all "generic" SSL functions that all libcurl
  23. internals should use. It is then responsible for calling the proper
  24. "backend" function.
  25. SSL-functions in libcurl should call functions in this source file, and not
  26. to any specific SSL-layer.
  27. Curl_ssl_ - prefix for generic ones
  28. Note that this source code uses the functions of the configured SSL
  29. backend via the global Curl_ssl instance.
  30. "SSL/TLS Strong Encryption: An Introduction"
  31. https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
  32. */
  33. #include "curl_setup.h"
  34. #ifdef HAVE_SYS_TYPES_H
  35. #include <sys/types.h>
  36. #endif
  37. #ifdef HAVE_SYS_STAT_H
  38. #include <sys/stat.h>
  39. #endif
  40. #ifdef HAVE_FCNTL_H
  41. #include <fcntl.h>
  42. #endif
  43. #include "urldata.h"
  44. #include "vtls.h" /* generic SSL protos etc */
  45. #include "slist.h"
  46. #include "sendf.h"
  47. #include "strcase.h"
  48. #include "url.h"
  49. #include "progress.h"
  50. #include "share.h"
  51. #include "multiif.h"
  52. #include "timeval.h"
  53. #include "curl_md5.h"
  54. #include "warnless.h"
  55. #include "curl_base64.h"
  56. #include "curl_printf.h"
  57. #include "strdup.h"
  58. /* The last #include files should be: */
  59. #include "curl_memory.h"
  60. #include "memdebug.h"
  61. /* convenience macro to check if this handle is using a shared SSL session */
  62. #define SSLSESSION_SHARED(data) (data->share && \
  63. (data->share->specifier & \
  64. (1<<CURL_LOCK_DATA_SSL_SESSION)))
  65. #define CLONE_STRING(var) \
  66. do { \
  67. if(source->var) { \
  68. dest->var = strdup(source->var); \
  69. if(!dest->var) \
  70. return FALSE; \
  71. } \
  72. else \
  73. dest->var = NULL; \
  74. } while(0)
  75. #define CLONE_BLOB(var) \
  76. do { \
  77. if(blobdup(&dest->var, source->var)) \
  78. return FALSE; \
  79. } while(0)
  80. static CURLcode blobdup(struct curl_blob **dest,
  81. struct curl_blob *src)
  82. {
  83. DEBUGASSERT(dest);
  84. DEBUGASSERT(!*dest);
  85. if(src) {
  86. /* only if there's data to dupe! */
  87. struct curl_blob *d;
  88. d = malloc(sizeof(struct curl_blob) + src->len);
  89. if(!d)
  90. return CURLE_OUT_OF_MEMORY;
  91. d->len = src->len;
  92. /* Always duplicate because the connection may survive longer than the
  93. handle that passed in the blob. */
  94. d->flags = CURL_BLOB_COPY;
  95. d->data = (void *)((char *)d + sizeof(struct curl_blob));
  96. memcpy(d->data, src->data, src->len);
  97. *dest = d;
  98. }
  99. return CURLE_OK;
  100. }
  101. /* returns TRUE if the blobs are identical */
  102. static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
  103. {
  104. if(!first && !second) /* both are NULL */
  105. return TRUE;
  106. if(!first || !second) /* one is NULL */
  107. return FALSE;
  108. if(first->len != second->len) /* different sizes */
  109. return FALSE;
  110. return !memcmp(first->data, second->data, first->len); /* same data */
  111. }
  112. bool
  113. Curl_ssl_config_matches(struct ssl_primary_config *data,
  114. struct ssl_primary_config *needle)
  115. {
  116. if((data->version == needle->version) &&
  117. (data->version_max == needle->version_max) &&
  118. (data->verifypeer == needle->verifypeer) &&
  119. (data->verifyhost == needle->verifyhost) &&
  120. (data->verifystatus == needle->verifystatus) &&
  121. blobcmp(data->cert_blob, needle->cert_blob) &&
  122. Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
  123. Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
  124. Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
  125. Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
  126. Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
  127. Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
  128. Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
  129. Curl_safe_strcasecompare(data->curves, needle->curves) &&
  130. Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
  131. return TRUE;
  132. return FALSE;
  133. }
  134. bool
  135. Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
  136. struct ssl_primary_config *dest)
  137. {
  138. dest->version = source->version;
  139. dest->version_max = source->version_max;
  140. dest->verifypeer = source->verifypeer;
  141. dest->verifyhost = source->verifyhost;
  142. dest->verifystatus = source->verifystatus;
  143. dest->sessionid = source->sessionid;
  144. CLONE_BLOB(cert_blob);
  145. CLONE_STRING(CApath);
  146. CLONE_STRING(CAfile);
  147. CLONE_STRING(clientcert);
  148. CLONE_STRING(random_file);
  149. CLONE_STRING(egdsocket);
  150. CLONE_STRING(cipher_list);
  151. CLONE_STRING(cipher_list13);
  152. CLONE_STRING(pinned_key);
  153. CLONE_STRING(curves);
  154. return TRUE;
  155. }
  156. void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
  157. {
  158. Curl_safefree(sslc->CApath);
  159. Curl_safefree(sslc->CAfile);
  160. Curl_safefree(sslc->clientcert);
  161. Curl_safefree(sslc->random_file);
  162. Curl_safefree(sslc->egdsocket);
  163. Curl_safefree(sslc->cipher_list);
  164. Curl_safefree(sslc->cipher_list13);
  165. Curl_safefree(sslc->pinned_key);
  166. Curl_safefree(sslc->cert_blob);
  167. Curl_safefree(sslc->curves);
  168. }
  169. #ifdef USE_SSL
  170. static int multissl_init(const struct Curl_ssl *backend);
  171. #endif
  172. int Curl_ssl_backend(void)
  173. {
  174. #ifdef USE_SSL
  175. multissl_init(NULL);
  176. return Curl_ssl->info.id;
  177. #else
  178. return (int)CURLSSLBACKEND_NONE;
  179. #endif
  180. }
  181. #ifdef USE_SSL
  182. /* "global" init done? */
  183. static bool init_ssl = FALSE;
  184. /**
  185. * Global SSL init
  186. *
  187. * @retval 0 error initializing SSL
  188. * @retval 1 SSL initialized successfully
  189. */
  190. int Curl_ssl_init(void)
  191. {
  192. /* make sure this is only done once */
  193. if(init_ssl)
  194. return 1;
  195. init_ssl = TRUE; /* never again */
  196. return Curl_ssl->init();
  197. }
  198. #if defined(CURL_WITH_MULTI_SSL)
  199. static const struct Curl_ssl Curl_ssl_multi;
  200. #endif
  201. /* Global cleanup */
  202. void Curl_ssl_cleanup(void)
  203. {
  204. if(init_ssl) {
  205. /* only cleanup if we did a previous init */
  206. Curl_ssl->cleanup();
  207. #if defined(CURL_WITH_MULTI_SSL)
  208. Curl_ssl = &Curl_ssl_multi;
  209. #endif
  210. init_ssl = FALSE;
  211. }
  212. }
  213. static bool ssl_prefs_check(struct Curl_easy *data)
  214. {
  215. /* check for CURLOPT_SSLVERSION invalid parameter value */
  216. const long sslver = data->set.ssl.primary.version;
  217. if((sslver < 0) || (sslver >= CURL_SSLVERSION_LAST)) {
  218. failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
  219. return FALSE;
  220. }
  221. switch(data->set.ssl.primary.version_max) {
  222. case CURL_SSLVERSION_MAX_NONE:
  223. case CURL_SSLVERSION_MAX_DEFAULT:
  224. break;
  225. default:
  226. if((data->set.ssl.primary.version_max >> 16) < sslver) {
  227. failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
  228. return FALSE;
  229. }
  230. }
  231. return TRUE;
  232. }
  233. #ifndef CURL_DISABLE_PROXY
  234. static CURLcode
  235. ssl_connect_init_proxy(struct connectdata *conn, int sockindex)
  236. {
  237. DEBUGASSERT(conn->bits.proxy_ssl_connected[sockindex]);
  238. if(ssl_connection_complete == conn->ssl[sockindex].state &&
  239. !conn->proxy_ssl[sockindex].use) {
  240. struct ssl_backend_data *pbdata;
  241. if(!(Curl_ssl->supports & SSLSUPP_HTTPS_PROXY))
  242. return CURLE_NOT_BUILT_IN;
  243. /* The pointers to the ssl backend data, which is opaque here, are swapped
  244. rather than move the contents. */
  245. pbdata = conn->proxy_ssl[sockindex].backend;
  246. conn->proxy_ssl[sockindex] = conn->ssl[sockindex];
  247. memset(&conn->ssl[sockindex], 0, sizeof(conn->ssl[sockindex]));
  248. memset(pbdata, 0, Curl_ssl->sizeof_ssl_backend_data);
  249. conn->ssl[sockindex].backend = pbdata;
  250. }
  251. return CURLE_OK;
  252. }
  253. #endif
  254. CURLcode
  255. Curl_ssl_connect(struct connectdata *conn, int sockindex)
  256. {
  257. CURLcode result;
  258. #ifndef CURL_DISABLE_PROXY
  259. if(conn->bits.proxy_ssl_connected[sockindex]) {
  260. result = ssl_connect_init_proxy(conn, sockindex);
  261. if(result)
  262. return result;
  263. }
  264. #endif
  265. if(!ssl_prefs_check(conn->data))
  266. return CURLE_SSL_CONNECT_ERROR;
  267. /* mark this is being ssl-enabled from here on. */
  268. conn->ssl[sockindex].use = TRUE;
  269. conn->ssl[sockindex].state = ssl_connection_negotiating;
  270. result = Curl_ssl->connect_blocking(conn, sockindex);
  271. if(!result)
  272. Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */
  273. return result;
  274. }
  275. CURLcode
  276. Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex,
  277. bool *done)
  278. {
  279. CURLcode result;
  280. #ifndef CURL_DISABLE_PROXY
  281. if(conn->bits.proxy_ssl_connected[sockindex]) {
  282. result = ssl_connect_init_proxy(conn, sockindex);
  283. if(result)
  284. return result;
  285. }
  286. #endif
  287. if(!ssl_prefs_check(conn->data))
  288. return CURLE_SSL_CONNECT_ERROR;
  289. /* mark this is being ssl requested from here on. */
  290. conn->ssl[sockindex].use = TRUE;
  291. result = Curl_ssl->connect_nonblocking(conn, sockindex, done);
  292. if(!result && *done)
  293. Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */
  294. return result;
  295. }
  296. /*
  297. * Lock shared SSL session data
  298. */
  299. void Curl_ssl_sessionid_lock(struct connectdata *conn)
  300. {
  301. if(SSLSESSION_SHARED(conn->data))
  302. Curl_share_lock(conn->data,
  303. CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
  304. }
  305. /*
  306. * Unlock shared SSL session data
  307. */
  308. void Curl_ssl_sessionid_unlock(struct connectdata *conn)
  309. {
  310. if(SSLSESSION_SHARED(conn->data))
  311. Curl_share_unlock(conn->data, CURL_LOCK_DATA_SSL_SESSION);
  312. }
  313. /*
  314. * Check if there's a session ID for the given connection in the cache, and if
  315. * there's one suitable, it is provided. Returns TRUE when no entry matched.
  316. */
  317. bool Curl_ssl_getsessionid(struct connectdata *conn,
  318. void **ssl_sessionid,
  319. size_t *idsize, /* set 0 if unknown */
  320. int sockindex)
  321. {
  322. struct Curl_ssl_session *check;
  323. struct Curl_easy *data = conn->data;
  324. size_t i;
  325. long *general_age;
  326. bool no_match = TRUE;
  327. #ifndef CURL_DISABLE_PROXY
  328. const bool isProxy = CONNECT_PROXY_SSL();
  329. struct ssl_primary_config * const ssl_config = isProxy ?
  330. &conn->proxy_ssl_config :
  331. &conn->ssl_config;
  332. const char * const name = isProxy ?
  333. conn->http_proxy.host.name : conn->host.name;
  334. int port = isProxy ? (int)conn->port : conn->remote_port;
  335. #else
  336. /* no proxy support */
  337. struct ssl_primary_config * const ssl_config = &conn->ssl_config;
  338. const char * const name = conn->host.name;
  339. int port = conn->remote_port;
  340. (void)sockindex;
  341. #endif
  342. *ssl_sessionid = NULL;
  343. DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
  344. if(!SSL_SET_OPTION(primary.sessionid))
  345. /* session ID re-use is disabled */
  346. return TRUE;
  347. /* Lock if shared */
  348. if(SSLSESSION_SHARED(data))
  349. general_age = &data->share->sessionage;
  350. else
  351. general_age = &data->state.sessionage;
  352. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  353. check = &data->state.session[i];
  354. if(!check->sessionid)
  355. /* not session ID means blank entry */
  356. continue;
  357. if(strcasecompare(name, check->name) &&
  358. ((!conn->bits.conn_to_host && !check->conn_to_host) ||
  359. (conn->bits.conn_to_host && check->conn_to_host &&
  360. strcasecompare(conn->conn_to_host.name, check->conn_to_host))) &&
  361. ((!conn->bits.conn_to_port && check->conn_to_port == -1) ||
  362. (conn->bits.conn_to_port && check->conn_to_port != -1 &&
  363. conn->conn_to_port == check->conn_to_port)) &&
  364. (port == check->remote_port) &&
  365. strcasecompare(conn->handler->scheme, check->scheme) &&
  366. Curl_ssl_config_matches(ssl_config, &check->ssl_config)) {
  367. /* yes, we have a session ID! */
  368. (*general_age)++; /* increase general age */
  369. check->age = *general_age; /* set this as used in this age */
  370. *ssl_sessionid = check->sessionid;
  371. if(idsize)
  372. *idsize = check->idsize;
  373. no_match = FALSE;
  374. break;
  375. }
  376. }
  377. return no_match;
  378. }
  379. /*
  380. * Kill a single session ID entry in the cache.
  381. */
  382. void Curl_ssl_kill_session(struct Curl_ssl_session *session)
  383. {
  384. if(session->sessionid) {
  385. /* defensive check */
  386. /* free the ID the SSL-layer specific way */
  387. Curl_ssl->session_free(session->sessionid);
  388. session->sessionid = NULL;
  389. session->age = 0; /* fresh */
  390. Curl_free_primary_ssl_config(&session->ssl_config);
  391. Curl_safefree(session->name);
  392. Curl_safefree(session->conn_to_host);
  393. }
  394. }
  395. /*
  396. * Delete the given session ID from the cache.
  397. */
  398. void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
  399. {
  400. size_t i;
  401. struct Curl_easy *data = conn->data;
  402. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  403. struct Curl_ssl_session *check = &data->state.session[i];
  404. if(check->sessionid == ssl_sessionid) {
  405. Curl_ssl_kill_session(check);
  406. break;
  407. }
  408. }
  409. }
  410. /*
  411. * Store session id in the session cache. The ID passed on to this function
  412. * must already have been extracted and allocated the proper way for the SSL
  413. * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
  414. * later on.
  415. */
  416. CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
  417. void *ssl_sessionid,
  418. size_t idsize,
  419. int sockindex)
  420. {
  421. size_t i;
  422. struct Curl_easy *data = conn->data; /* the mother of all structs */
  423. struct Curl_ssl_session *store = &data->state.session[0];
  424. long oldest_age = data->state.session[0].age; /* zero if unused */
  425. char *clone_host;
  426. char *clone_conn_to_host;
  427. int conn_to_port;
  428. long *general_age;
  429. #ifndef CURL_DISABLE_PROXY
  430. const bool isProxy = CONNECT_PROXY_SSL();
  431. struct ssl_primary_config * const ssl_config = isProxy ?
  432. &conn->proxy_ssl_config :
  433. &conn->ssl_config;
  434. const char *hostname = isProxy ? conn->http_proxy.host.name :
  435. conn->host.name;
  436. #else
  437. /* proxy support disabled */
  438. const bool isProxy = FALSE;
  439. struct ssl_primary_config * const ssl_config = &conn->ssl_config;
  440. const char *hostname = conn->host.name;
  441. (void)sockindex;
  442. #endif
  443. DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
  444. clone_host = strdup(hostname);
  445. if(!clone_host)
  446. return CURLE_OUT_OF_MEMORY; /* bail out */
  447. if(conn->bits.conn_to_host) {
  448. clone_conn_to_host = strdup(conn->conn_to_host.name);
  449. if(!clone_conn_to_host) {
  450. free(clone_host);
  451. return CURLE_OUT_OF_MEMORY; /* bail out */
  452. }
  453. }
  454. else
  455. clone_conn_to_host = NULL;
  456. if(conn->bits.conn_to_port)
  457. conn_to_port = conn->conn_to_port;
  458. else
  459. conn_to_port = -1;
  460. /* Now we should add the session ID and the host name to the cache, (remove
  461. the oldest if necessary) */
  462. /* If using shared SSL session, lock! */
  463. if(SSLSESSION_SHARED(data)) {
  464. general_age = &data->share->sessionage;
  465. }
  466. else {
  467. general_age = &data->state.sessionage;
  468. }
  469. /* find an empty slot for us, or find the oldest */
  470. for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
  471. data->state.session[i].sessionid; i++) {
  472. if(data->state.session[i].age < oldest_age) {
  473. oldest_age = data->state.session[i].age;
  474. store = &data->state.session[i];
  475. }
  476. }
  477. if(i == data->set.general_ssl.max_ssl_sessions)
  478. /* cache is full, we must "kill" the oldest entry! */
  479. Curl_ssl_kill_session(store);
  480. else
  481. store = &data->state.session[i]; /* use this slot */
  482. /* now init the session struct wisely */
  483. store->sessionid = ssl_sessionid;
  484. store->idsize = idsize;
  485. store->age = *general_age; /* set current age */
  486. /* free it if there's one already present */
  487. free(store->name);
  488. free(store->conn_to_host);
  489. store->name = clone_host; /* clone host name */
  490. store->conn_to_host = clone_conn_to_host; /* clone connect to host name */
  491. store->conn_to_port = conn_to_port; /* connect to port number */
  492. /* port number */
  493. store->remote_port = isProxy ? (int)conn->port : conn->remote_port;
  494. store->scheme = conn->handler->scheme;
  495. if(!Curl_clone_primary_ssl_config(ssl_config, &store->ssl_config)) {
  496. Curl_free_primary_ssl_config(&store->ssl_config);
  497. store->sessionid = NULL; /* let caller free sessionid */
  498. free(clone_host);
  499. free(clone_conn_to_host);
  500. return CURLE_OUT_OF_MEMORY;
  501. }
  502. return CURLE_OK;
  503. }
  504. void Curl_ssl_close_all(struct Curl_easy *data)
  505. {
  506. /* kill the session ID cache if not shared */
  507. if(data->state.session && !SSLSESSION_SHARED(data)) {
  508. size_t i;
  509. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
  510. /* the single-killer function handles empty table slots */
  511. Curl_ssl_kill_session(&data->state.session[i]);
  512. /* free the cache data */
  513. Curl_safefree(data->state.session);
  514. }
  515. Curl_ssl->close_all(data);
  516. }
  517. #if defined(USE_OPENSSL) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \
  518. defined(USE_SECTRANSP) || defined(USE_NSS) || \
  519. defined(USE_MBEDTLS) || defined(USE_WOLFSSL) || defined(USE_BEARSSL)
  520. int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks)
  521. {
  522. struct ssl_connect_data *connssl = &conn->ssl[FIRSTSOCKET];
  523. if(connssl->connecting_state == ssl_connect_2_writing) {
  524. /* write mode */
  525. socks[0] = conn->sock[FIRSTSOCKET];
  526. return GETSOCK_WRITESOCK(0);
  527. }
  528. if(connssl->connecting_state == ssl_connect_2_reading) {
  529. /* read mode */
  530. socks[0] = conn->sock[FIRSTSOCKET];
  531. return GETSOCK_READSOCK(0);
  532. }
  533. return GETSOCK_BLANK;
  534. }
  535. #else
  536. int Curl_ssl_getsock(struct connectdata *conn,
  537. curl_socket_t *socks)
  538. {
  539. (void)conn;
  540. (void)socks;
  541. return GETSOCK_BLANK;
  542. }
  543. /* USE_OPENSSL || USE_GNUTLS || USE_SCHANNEL || USE_SECTRANSP || USE_NSS */
  544. #endif
  545. void Curl_ssl_close(struct connectdata *conn, int sockindex)
  546. {
  547. DEBUGASSERT((sockindex <= 1) && (sockindex >= -1));
  548. Curl_ssl->close_one(conn, sockindex);
  549. conn->ssl[sockindex].state = ssl_connection_none;
  550. }
  551. CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
  552. {
  553. if(Curl_ssl->shut_down(conn, sockindex))
  554. return CURLE_SSL_SHUTDOWN_FAILED;
  555. conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */
  556. conn->ssl[sockindex].state = ssl_connection_none;
  557. conn->recv[sockindex] = Curl_recv_plain;
  558. conn->send[sockindex] = Curl_send_plain;
  559. return CURLE_OK;
  560. }
  561. /* Selects an SSL crypto engine
  562. */
  563. CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
  564. {
  565. return Curl_ssl->set_engine(data, engine);
  566. }
  567. /* Selects the default SSL crypto engine
  568. */
  569. CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
  570. {
  571. return Curl_ssl->set_engine_default(data);
  572. }
  573. /* Return list of OpenSSL crypto engine names. */
  574. struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
  575. {
  576. return Curl_ssl->engines_list(data);
  577. }
  578. /*
  579. * This sets up a session ID cache to the specified size. Make sure this code
  580. * is agnostic to what underlying SSL technology we use.
  581. */
  582. CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
  583. {
  584. struct Curl_ssl_session *session;
  585. if(data->state.session)
  586. /* this is just a precaution to prevent multiple inits */
  587. return CURLE_OK;
  588. session = calloc(amount, sizeof(struct Curl_ssl_session));
  589. if(!session)
  590. return CURLE_OUT_OF_MEMORY;
  591. /* store the info in the SSL section */
  592. data->set.general_ssl.max_ssl_sessions = amount;
  593. data->state.session = session;
  594. data->state.sessionage = 1; /* this is brand new */
  595. return CURLE_OK;
  596. }
  597. static size_t Curl_multissl_version(char *buffer, size_t size);
  598. size_t Curl_ssl_version(char *buffer, size_t size)
  599. {
  600. #ifdef CURL_WITH_MULTI_SSL
  601. return Curl_multissl_version(buffer, size);
  602. #else
  603. return Curl_ssl->version(buffer, size);
  604. #endif
  605. }
  606. /*
  607. * This function tries to determine connection status.
  608. *
  609. * Return codes:
  610. * 1 means the connection is still in place
  611. * 0 means the connection has been closed
  612. * -1 means the connection status is unknown
  613. */
  614. int Curl_ssl_check_cxn(struct connectdata *conn)
  615. {
  616. return Curl_ssl->check_cxn(conn);
  617. }
  618. bool Curl_ssl_data_pending(const struct connectdata *conn,
  619. int connindex)
  620. {
  621. return Curl_ssl->data_pending(conn, connindex);
  622. }
  623. void Curl_ssl_free_certinfo(struct Curl_easy *data)
  624. {
  625. struct curl_certinfo *ci = &data->info.certs;
  626. if(ci->num_of_certs) {
  627. /* free all individual lists used */
  628. int i;
  629. for(i = 0; i<ci->num_of_certs; i++) {
  630. curl_slist_free_all(ci->certinfo[i]);
  631. ci->certinfo[i] = NULL;
  632. }
  633. free(ci->certinfo); /* free the actual array too */
  634. ci->certinfo = NULL;
  635. ci->num_of_certs = 0;
  636. }
  637. }
  638. CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
  639. {
  640. struct curl_certinfo *ci = &data->info.certs;
  641. struct curl_slist **table;
  642. /* Free any previous certificate information structures */
  643. Curl_ssl_free_certinfo(data);
  644. /* Allocate the required certificate information structures */
  645. table = calloc((size_t) num, sizeof(struct curl_slist *));
  646. if(!table)
  647. return CURLE_OUT_OF_MEMORY;
  648. ci->num_of_certs = num;
  649. ci->certinfo = table;
  650. return CURLE_OK;
  651. }
  652. /*
  653. * 'value' is NOT a null-terminated string
  654. */
  655. CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
  656. int certnum,
  657. const char *label,
  658. const char *value,
  659. size_t valuelen)
  660. {
  661. struct curl_certinfo *ci = &data->info.certs;
  662. char *output;
  663. struct curl_slist *nl;
  664. CURLcode result = CURLE_OK;
  665. size_t labellen = strlen(label);
  666. size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */
  667. output = malloc(outlen);
  668. if(!output)
  669. return CURLE_OUT_OF_MEMORY;
  670. /* sprintf the label and colon */
  671. msnprintf(output, outlen, "%s:", label);
  672. /* memcpy the value (it might not be null-terminated) */
  673. memcpy(&output[labellen + 1], value, valuelen);
  674. /* null-terminate the output */
  675. output[labellen + 1 + valuelen] = 0;
  676. nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
  677. if(!nl) {
  678. free(output);
  679. curl_slist_free_all(ci->certinfo[certnum]);
  680. result = CURLE_OUT_OF_MEMORY;
  681. }
  682. ci->certinfo[certnum] = nl;
  683. return result;
  684. }
  685. /*
  686. * This is a convenience function for push_certinfo_len that takes a zero
  687. * terminated value.
  688. */
  689. CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data,
  690. int certnum,
  691. const char *label,
  692. const char *value)
  693. {
  694. size_t valuelen = strlen(value);
  695. return Curl_ssl_push_certinfo_len(data, certnum, label, value, valuelen);
  696. }
  697. CURLcode Curl_ssl_random(struct Curl_easy *data,
  698. unsigned char *entropy,
  699. size_t length)
  700. {
  701. return Curl_ssl->random(data, entropy, length);
  702. }
  703. /*
  704. * Public key pem to der conversion
  705. */
  706. static CURLcode pubkey_pem_to_der(const char *pem,
  707. unsigned char **der, size_t *der_len)
  708. {
  709. char *stripped_pem, *begin_pos, *end_pos;
  710. size_t pem_count, stripped_pem_count = 0, pem_len;
  711. CURLcode result;
  712. /* if no pem, exit. */
  713. if(!pem)
  714. return CURLE_BAD_CONTENT_ENCODING;
  715. begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
  716. if(!begin_pos)
  717. return CURLE_BAD_CONTENT_ENCODING;
  718. pem_count = begin_pos - pem;
  719. /* Invalid if not at beginning AND not directly following \n */
  720. if(0 != pem_count && '\n' != pem[pem_count - 1])
  721. return CURLE_BAD_CONTENT_ENCODING;
  722. /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
  723. pem_count += 26;
  724. /* Invalid if not directly following \n */
  725. end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
  726. if(!end_pos)
  727. return CURLE_BAD_CONTENT_ENCODING;
  728. pem_len = end_pos - pem;
  729. stripped_pem = malloc(pem_len - pem_count + 1);
  730. if(!stripped_pem)
  731. return CURLE_OUT_OF_MEMORY;
  732. /*
  733. * Here we loop through the pem array one character at a time between the
  734. * correct indices, and place each character that is not '\n' or '\r'
  735. * into the stripped_pem array, which should represent the raw base64 string
  736. */
  737. while(pem_count < pem_len) {
  738. if('\n' != pem[pem_count] && '\r' != pem[pem_count])
  739. stripped_pem[stripped_pem_count++] = pem[pem_count];
  740. ++pem_count;
  741. }
  742. /* Place the null terminator in the correct place */
  743. stripped_pem[stripped_pem_count] = '\0';
  744. result = Curl_base64_decode(stripped_pem, der, der_len);
  745. Curl_safefree(stripped_pem);
  746. return result;
  747. }
  748. /*
  749. * Generic pinned public key check.
  750. */
  751. CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
  752. const char *pinnedpubkey,
  753. const unsigned char *pubkey, size_t pubkeylen)
  754. {
  755. FILE *fp;
  756. unsigned char *buf = NULL, *pem_ptr = NULL;
  757. CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
  758. /* if a path wasn't specified, don't pin */
  759. if(!pinnedpubkey)
  760. return CURLE_OK;
  761. if(!pubkey || !pubkeylen)
  762. return result;
  763. /* only do this if pinnedpubkey starts with "sha256//", length 8 */
  764. if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
  765. CURLcode encode;
  766. size_t encodedlen, pinkeylen;
  767. char *encoded, *pinkeycopy, *begin_pos, *end_pos;
  768. unsigned char *sha256sumdigest;
  769. if(!Curl_ssl->sha256sum) {
  770. /* without sha256 support, this cannot match */
  771. return result;
  772. }
  773. /* compute sha256sum of public key */
  774. sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
  775. if(!sha256sumdigest)
  776. return CURLE_OUT_OF_MEMORY;
  777. encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
  778. sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
  779. if(encode != CURLE_OK)
  780. return encode;
  781. encode = Curl_base64_encode(data, (char *)sha256sumdigest,
  782. CURL_SHA256_DIGEST_LENGTH, &encoded,
  783. &encodedlen);
  784. Curl_safefree(sha256sumdigest);
  785. if(encode)
  786. return encode;
  787. infof(data, "\t public key hash: sha256//%s\n", encoded);
  788. /* it starts with sha256//, copy so we can modify it */
  789. pinkeylen = strlen(pinnedpubkey) + 1;
  790. pinkeycopy = malloc(pinkeylen);
  791. if(!pinkeycopy) {
  792. Curl_safefree(encoded);
  793. return CURLE_OUT_OF_MEMORY;
  794. }
  795. memcpy(pinkeycopy, pinnedpubkey, pinkeylen);
  796. /* point begin_pos to the copy, and start extracting keys */
  797. begin_pos = pinkeycopy;
  798. do {
  799. end_pos = strstr(begin_pos, ";sha256//");
  800. /*
  801. * if there is an end_pos, null terminate,
  802. * otherwise it'll go to the end of the original string
  803. */
  804. if(end_pos)
  805. end_pos[0] = '\0';
  806. /* compare base64 sha256 digests, 8 is the length of "sha256//" */
  807. if(encodedlen == strlen(begin_pos + 8) &&
  808. !memcmp(encoded, begin_pos + 8, encodedlen)) {
  809. result = CURLE_OK;
  810. break;
  811. }
  812. /*
  813. * change back the null-terminator we changed earlier,
  814. * and look for next begin
  815. */
  816. if(end_pos) {
  817. end_pos[0] = ';';
  818. begin_pos = strstr(end_pos, "sha256//");
  819. }
  820. } while(end_pos && begin_pos);
  821. Curl_safefree(encoded);
  822. Curl_safefree(pinkeycopy);
  823. return result;
  824. }
  825. fp = fopen(pinnedpubkey, "rb");
  826. if(!fp)
  827. return result;
  828. do {
  829. long filesize;
  830. size_t size, pem_len;
  831. CURLcode pem_read;
  832. /* Determine the file's size */
  833. if(fseek(fp, 0, SEEK_END))
  834. break;
  835. filesize = ftell(fp);
  836. if(fseek(fp, 0, SEEK_SET))
  837. break;
  838. if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
  839. break;
  840. /*
  841. * if the size of our certificate is bigger than the file
  842. * size then it can't match
  843. */
  844. size = curlx_sotouz((curl_off_t) filesize);
  845. if(pubkeylen > size)
  846. break;
  847. /*
  848. * Allocate buffer for the pinned key
  849. * With 1 additional byte for null terminator in case of PEM key
  850. */
  851. buf = malloc(size + 1);
  852. if(!buf)
  853. break;
  854. /* Returns number of elements read, which should be 1 */
  855. if((int) fread(buf, size, 1, fp) != 1)
  856. break;
  857. /* If the sizes are the same, it can't be base64 encoded, must be der */
  858. if(pubkeylen == size) {
  859. if(!memcmp(pubkey, buf, pubkeylen))
  860. result = CURLE_OK;
  861. break;
  862. }
  863. /*
  864. * Otherwise we will assume it's PEM and try to decode it
  865. * after placing null terminator
  866. */
  867. buf[size] = '\0';
  868. pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
  869. /* if it wasn't read successfully, exit */
  870. if(pem_read)
  871. break;
  872. /*
  873. * if the size of our certificate doesn't match the size of
  874. * the decoded file, they can't be the same, otherwise compare
  875. */
  876. if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
  877. result = CURLE_OK;
  878. } while(0);
  879. Curl_safefree(buf);
  880. Curl_safefree(pem_ptr);
  881. fclose(fp);
  882. return result;
  883. }
  884. #ifndef CURL_DISABLE_CRYPTO_AUTH
  885. CURLcode Curl_ssl_md5sum(unsigned char *tmp, /* input */
  886. size_t tmplen,
  887. unsigned char *md5sum, /* output */
  888. size_t md5len)
  889. {
  890. return Curl_ssl->md5sum(tmp, tmplen, md5sum, md5len);
  891. }
  892. #endif
  893. /*
  894. * Check whether the SSL backend supports the status_request extension.
  895. */
  896. bool Curl_ssl_cert_status_request(void)
  897. {
  898. return Curl_ssl->cert_status_request();
  899. }
  900. /*
  901. * Check whether the SSL backend supports false start.
  902. */
  903. bool Curl_ssl_false_start(void)
  904. {
  905. return Curl_ssl->false_start();
  906. }
  907. /*
  908. * Check whether the SSL backend supports setting TLS 1.3 cipher suites
  909. */
  910. bool Curl_ssl_tls13_ciphersuites(void)
  911. {
  912. return Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES;
  913. }
  914. /*
  915. * Default implementations for unsupported functions.
  916. */
  917. int Curl_none_init(void)
  918. {
  919. return 1;
  920. }
  921. void Curl_none_cleanup(void)
  922. { }
  923. int Curl_none_shutdown(struct connectdata *conn UNUSED_PARAM,
  924. int sockindex UNUSED_PARAM)
  925. {
  926. (void)conn;
  927. (void)sockindex;
  928. return 0;
  929. }
  930. int Curl_none_check_cxn(struct connectdata *conn UNUSED_PARAM)
  931. {
  932. (void)conn;
  933. return -1;
  934. }
  935. CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
  936. unsigned char *entropy UNUSED_PARAM,
  937. size_t length UNUSED_PARAM)
  938. {
  939. (void)data;
  940. (void)entropy;
  941. (void)length;
  942. return CURLE_NOT_BUILT_IN;
  943. }
  944. void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
  945. {
  946. (void)data;
  947. }
  948. void Curl_none_session_free(void *ptr UNUSED_PARAM)
  949. {
  950. (void)ptr;
  951. }
  952. bool Curl_none_data_pending(const struct connectdata *conn UNUSED_PARAM,
  953. int connindex UNUSED_PARAM)
  954. {
  955. (void)conn;
  956. (void)connindex;
  957. return 0;
  958. }
  959. bool Curl_none_cert_status_request(void)
  960. {
  961. return FALSE;
  962. }
  963. CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
  964. const char *engine UNUSED_PARAM)
  965. {
  966. (void)data;
  967. (void)engine;
  968. return CURLE_NOT_BUILT_IN;
  969. }
  970. CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
  971. {
  972. (void)data;
  973. return CURLE_NOT_BUILT_IN;
  974. }
  975. struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
  976. {
  977. (void)data;
  978. return (struct curl_slist *)NULL;
  979. }
  980. bool Curl_none_false_start(void)
  981. {
  982. return FALSE;
  983. }
  984. #ifndef CURL_DISABLE_CRYPTO_AUTH
  985. CURLcode Curl_none_md5sum(unsigned char *input, size_t inputlen,
  986. unsigned char *md5sum, size_t md5len UNUSED_PARAM)
  987. {
  988. struct MD5_context *MD5pw;
  989. (void)md5len;
  990. MD5pw = Curl_MD5_init(Curl_DIGEST_MD5);
  991. if(!MD5pw)
  992. return CURLE_OUT_OF_MEMORY;
  993. Curl_MD5_update(MD5pw, input, curlx_uztoui(inputlen));
  994. Curl_MD5_final(MD5pw, md5sum);
  995. return CURLE_OK;
  996. }
  997. #else
  998. CURLcode Curl_none_md5sum(unsigned char *input UNUSED_PARAM,
  999. size_t inputlen UNUSED_PARAM,
  1000. unsigned char *md5sum UNUSED_PARAM,
  1001. size_t md5len UNUSED_PARAM)
  1002. {
  1003. (void)input;
  1004. (void)inputlen;
  1005. (void)md5sum;
  1006. (void)md5len;
  1007. return CURLE_NOT_BUILT_IN;
  1008. }
  1009. #endif
  1010. static int Curl_multissl_init(void)
  1011. {
  1012. if(multissl_init(NULL))
  1013. return 1;
  1014. return Curl_ssl->init();
  1015. }
  1016. static CURLcode Curl_multissl_connect(struct connectdata *conn, int sockindex)
  1017. {
  1018. if(multissl_init(NULL))
  1019. return CURLE_FAILED_INIT;
  1020. return Curl_ssl->connect_blocking(conn, sockindex);
  1021. }
  1022. static CURLcode Curl_multissl_connect_nonblocking(struct connectdata *conn,
  1023. int sockindex, bool *done)
  1024. {
  1025. if(multissl_init(NULL))
  1026. return CURLE_FAILED_INIT;
  1027. return Curl_ssl->connect_nonblocking(conn, sockindex, done);
  1028. }
  1029. static void *Curl_multissl_get_internals(struct ssl_connect_data *connssl,
  1030. CURLINFO info)
  1031. {
  1032. if(multissl_init(NULL))
  1033. return NULL;
  1034. return Curl_ssl->get_internals(connssl, info);
  1035. }
  1036. static void Curl_multissl_close(struct connectdata *conn, int sockindex)
  1037. {
  1038. if(multissl_init(NULL))
  1039. return;
  1040. Curl_ssl->close_one(conn, sockindex);
  1041. }
  1042. static const struct Curl_ssl Curl_ssl_multi = {
  1043. { CURLSSLBACKEND_NONE, "multi" }, /* info */
  1044. 0, /* supports nothing */
  1045. (size_t)-1, /* something insanely large to be on the safe side */
  1046. Curl_multissl_init, /* init */
  1047. Curl_none_cleanup, /* cleanup */
  1048. Curl_multissl_version, /* version */
  1049. Curl_none_check_cxn, /* check_cxn */
  1050. Curl_none_shutdown, /* shutdown */
  1051. Curl_none_data_pending, /* data_pending */
  1052. Curl_none_random, /* random */
  1053. Curl_none_cert_status_request, /* cert_status_request */
  1054. Curl_multissl_connect, /* connect */
  1055. Curl_multissl_connect_nonblocking, /* connect_nonblocking */
  1056. Curl_multissl_get_internals, /* get_internals */
  1057. Curl_multissl_close, /* close_one */
  1058. Curl_none_close_all, /* close_all */
  1059. Curl_none_session_free, /* session_free */
  1060. Curl_none_set_engine, /* set_engine */
  1061. Curl_none_set_engine_default, /* set_engine_default */
  1062. Curl_none_engines_list, /* engines_list */
  1063. Curl_none_false_start, /* false_start */
  1064. Curl_none_md5sum, /* md5sum */
  1065. NULL /* sha256sum */
  1066. };
  1067. const struct Curl_ssl *Curl_ssl =
  1068. #if defined(CURL_WITH_MULTI_SSL)
  1069. &Curl_ssl_multi;
  1070. #elif defined(USE_WOLFSSL)
  1071. &Curl_ssl_wolfssl;
  1072. #elif defined(USE_SECTRANSP)
  1073. &Curl_ssl_sectransp;
  1074. #elif defined(USE_GNUTLS)
  1075. &Curl_ssl_gnutls;
  1076. #elif defined(USE_GSKIT)
  1077. &Curl_ssl_gskit;
  1078. #elif defined(USE_MBEDTLS)
  1079. &Curl_ssl_mbedtls;
  1080. #elif defined(USE_NSS)
  1081. &Curl_ssl_nss;
  1082. #elif defined(USE_OPENSSL)
  1083. &Curl_ssl_openssl;
  1084. #elif defined(USE_SCHANNEL)
  1085. &Curl_ssl_schannel;
  1086. #elif defined(USE_MESALINK)
  1087. &Curl_ssl_mesalink;
  1088. #elif defined(USE_BEARSSL)
  1089. &Curl_ssl_bearssl;
  1090. #else
  1091. #error "Missing struct Curl_ssl for selected SSL backend"
  1092. #endif
  1093. static const struct Curl_ssl *available_backends[] = {
  1094. #if defined(USE_WOLFSSL)
  1095. &Curl_ssl_wolfssl,
  1096. #endif
  1097. #if defined(USE_SECTRANSP)
  1098. &Curl_ssl_sectransp,
  1099. #endif
  1100. #if defined(USE_GNUTLS)
  1101. &Curl_ssl_gnutls,
  1102. #endif
  1103. #if defined(USE_GSKIT)
  1104. &Curl_ssl_gskit,
  1105. #endif
  1106. #if defined(USE_MBEDTLS)
  1107. &Curl_ssl_mbedtls,
  1108. #endif
  1109. #if defined(USE_NSS)
  1110. &Curl_ssl_nss,
  1111. #endif
  1112. #if defined(USE_OPENSSL)
  1113. &Curl_ssl_openssl,
  1114. #endif
  1115. #if defined(USE_SCHANNEL)
  1116. &Curl_ssl_schannel,
  1117. #endif
  1118. #if defined(USE_MESALINK)
  1119. &Curl_ssl_mesalink,
  1120. #endif
  1121. #if defined(USE_BEARSSL)
  1122. &Curl_ssl_bearssl,
  1123. #endif
  1124. NULL
  1125. };
  1126. static size_t Curl_multissl_version(char *buffer, size_t size)
  1127. {
  1128. static const struct Curl_ssl *selected;
  1129. static char backends[200];
  1130. static size_t backends_len;
  1131. const struct Curl_ssl *current;
  1132. current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
  1133. if(current != selected) {
  1134. char *p = backends;
  1135. char *end = backends + sizeof(backends);
  1136. int i;
  1137. selected = current;
  1138. backends[0] = '\0';
  1139. for(i = 0; available_backends[i]; ++i) {
  1140. char vb[200];
  1141. bool paren = (selected != available_backends[i]);
  1142. if(available_backends[i]->version(vb, sizeof(vb))) {
  1143. p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
  1144. (paren ? "(" : ""), vb, (paren ? ")" : ""));
  1145. }
  1146. }
  1147. backends_len = p - backends;
  1148. }
  1149. if(!size)
  1150. return 0;
  1151. if(size <= backends_len) {
  1152. strncpy(buffer, backends, size - 1);
  1153. buffer[size - 1] = '\0';
  1154. return size - 1;
  1155. }
  1156. strcpy(buffer, backends);
  1157. return backends_len;
  1158. }
  1159. static int multissl_init(const struct Curl_ssl *backend)
  1160. {
  1161. const char *env;
  1162. char *env_tmp;
  1163. if(Curl_ssl != &Curl_ssl_multi)
  1164. return 1;
  1165. if(backend) {
  1166. Curl_ssl = backend;
  1167. return 0;
  1168. }
  1169. if(!available_backends[0])
  1170. return 1;
  1171. env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
  1172. #ifdef CURL_DEFAULT_SSL_BACKEND
  1173. if(!env)
  1174. env = CURL_DEFAULT_SSL_BACKEND;
  1175. #endif
  1176. if(env) {
  1177. int i;
  1178. for(i = 0; available_backends[i]; i++) {
  1179. if(strcasecompare(env, available_backends[i]->info.name)) {
  1180. Curl_ssl = available_backends[i];
  1181. curl_free(env_tmp);
  1182. return 0;
  1183. }
  1184. }
  1185. }
  1186. /* Fall back to first available backend */
  1187. Curl_ssl = available_backends[0];
  1188. curl_free(env_tmp);
  1189. return 0;
  1190. }
  1191. CURLsslset curl_global_sslset(curl_sslbackend id, const char *name,
  1192. const curl_ssl_backend ***avail)
  1193. {
  1194. int i;
  1195. if(avail)
  1196. *avail = (const curl_ssl_backend **)&available_backends;
  1197. if(Curl_ssl != &Curl_ssl_multi)
  1198. return id == Curl_ssl->info.id ||
  1199. (name && strcasecompare(name, Curl_ssl->info.name)) ?
  1200. CURLSSLSET_OK :
  1201. #if defined(CURL_WITH_MULTI_SSL)
  1202. CURLSSLSET_TOO_LATE;
  1203. #else
  1204. CURLSSLSET_UNKNOWN_BACKEND;
  1205. #endif
  1206. for(i = 0; available_backends[i]; i++) {
  1207. if(available_backends[i]->info.id == id ||
  1208. (name && strcasecompare(available_backends[i]->info.name, name))) {
  1209. multissl_init(available_backends[i]);
  1210. return CURLSSLSET_OK;
  1211. }
  1212. }
  1213. return CURLSSLSET_UNKNOWN_BACKEND;
  1214. }
  1215. #else /* USE_SSL */
  1216. CURLsslset curl_global_sslset(curl_sslbackend id, const char *name,
  1217. const curl_ssl_backend ***avail)
  1218. {
  1219. (void)id;
  1220. (void)name;
  1221. (void)avail;
  1222. return CURLSSLSET_NO_BACKENDS;
  1223. }
  1224. #endif /* !USE_SSL */