
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2022, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. /* This file is for implementing all "generic" SSL functions that all libcurl
  25. internals should use. It is then responsible for calling the proper
  26. "backend" function.
  27. SSL-functions in libcurl should call functions in this source file, and not
  28. to any specific SSL-layer.
  29. Curl_ssl_ - prefix for generic ones
  30. Note that this source code uses the functions of the configured SSL
  31. backend via the global Curl_ssl instance.
  32. "SSL/TLS Strong Encryption: An Introduction"
  33. https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
  34. */
  35. #include "curl_setup.h"
  36. #ifdef HAVE_SYS_TYPES_H
  37. #include <sys/types.h>
  38. #endif
  39. #ifdef HAVE_SYS_STAT_H
  40. #include <sys/stat.h>
  41. #endif
  42. #ifdef HAVE_FCNTL_H
  43. #include <fcntl.h>
  44. #endif
  45. #include "urldata.h"
  46. #include "vtls.h" /* generic SSL protos etc */
  47. #include "slist.h"
  48. #include "sendf.h"
  49. #include "strcase.h"
  50. #include "url.h"
  51. #include "progress.h"
  52. #include "share.h"
  53. #include "multiif.h"
  54. #include "timeval.h"
  55. #include "curl_md5.h"
  56. #include "warnless.h"
  57. #include "curl_base64.h"
  58. #include "curl_printf.h"
  59. #include "strdup.h"
  60. /* The last #include files should be: */
  61. #include "curl_memory.h"
  62. #include "memdebug.h"
/* convenience macro to check if this handle is using a shared SSL session
   cache, i.e. it has a share object with CURL_LOCK_DATA_SSL_SESSION set.
   Note that 'data' is evaluated more than once. */
#define SSLSESSION_SHARED(data) (data->share && \
                                 (data->share->specifier & \
                                  (1<<CURL_LOCK_DATA_SSL_SESSION)))

/* Helpers for Curl_clone_primary_ssl_config() below. Both rely on the
   enclosing function's 'source' and 'dest' parameters and on it returning
   a bool, since they 'return FALSE' when an allocation fails. */

/* duplicate a string member with strdup(); a NULL source stays NULL */
#define CLONE_STRING(var)                      \
  do {                                         \
    if(source->var) {                          \
      dest->var = strdup(source->var);         \
      if(!dest->var)                           \
        return FALSE;                          \
    }                                          \
    else                                       \
      dest->var = NULL;                        \
  } while(0)

/* deep-copy a blob member with blobdup(); a NULL source leaves dest->var
   as it was (blobdup asserts it is already NULL) */
#define CLONE_BLOB(var)                        \
  do {                                         \
    if(blobdup(&dest->var, source->var))       \
      return FALSE;                            \
  } while(0)
/*
 * blobdup() - deep-copy a curl_blob into a freshly allocated object.
 *
 * The struct header and its payload share one malloc()ed chunk so that a
 * single free() releases both. A NULL 'src' is not an error: *dest is left
 * untouched (and is asserted to be NULL on entry).
 *
 * Returns CURLE_OK or CURLE_OUT_OF_MEMORY.
 */
static CURLcode blobdup(struct curl_blob **dest,
                        struct curl_blob *src)
{
  struct curl_blob *copy;
  char *payload;

  DEBUGASSERT(dest);
  DEBUGASSERT(!*dest);

  if(!src)
    return CURLE_OK; /* nothing to duplicate */

  /* header followed by the payload, in one allocation */
  copy = malloc(sizeof(*copy) + src->len);
  if(!copy)
    return CURLE_OUT_OF_MEMORY;

  payload = (char *)copy + sizeof(*copy);
  memcpy(payload, src->data, src->len);

  copy->len = src->len;
  copy->data = (void *)payload;
  /* The copy is owned by the connection, which may outlive the easy handle
     that supplied the original blob, so it is always flagged as a copy. */
  copy->flags = CURL_BLOB_COPY;

  *dest = copy;
  return CURLE_OK;
}
/*
 * blobcmp() - returns TRUE if the two blobs hold identical data.
 *
 * Two NULL blobs count as identical, a NULL and a non-NULL blob do not.
 * The comparison is a plain memcmp(): the blobs compared here are
 * certificates/CA bundles, not secrets, so timing is not a concern.
 */
static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
{
  if(first == second)
    return TRUE; /* both NULL, or the very same object */
  if(!first || !second)
    return FALSE; /* exactly one is NULL */
  if(first->len != second->len)
    return FALSE;
  return memcmp(first->data, second->data, first->len) == 0;
}
/*
 * Curl_ssl_config_matches() - returns TRUE when two TLS configurations are
 * equivalent for the purpose of reusing a cached session (or a connection)
 * between them.
 *
 * Compared exactly: version bounds, ssl_options, the three verify flags,
 * the certificate blobs (byte-exact via blobcmp()), the file system paths
 * CApath/CAfile/issuercert/clientcert (case-sensitive via Curl_safecmp) and,
 * with SRP, the credentials (Curl_timestrcmp, presumably a timing-safe
 * compare).
 *
 * Compared case-insensitively: cipher_list, cipher_list13, curves, CRLfile
 * and pinned_key. For cipher/curve names that is harmless, but:
 * NOTE(review): CRLfile is a file system path like CAfile yet is compared
 * case-insensitively here, and pinned_key (a path or a base64 digest, where
 * case is presumably significant) is too. Confirm this is intended; moving
 * them to Curl_safecmp would only reduce, never widen, reuse.
 *
 * 'sessionid' is not part of the comparison.
 */
bool
Curl_ssl_config_matches(struct ssl_primary_config *data,
                        struct ssl_primary_config *needle)
{
  if((data->version == needle->version) &&
     (data->version_max == needle->version_max) &&
     (data->ssl_options == needle->ssl_options) &&
     (data->verifypeer == needle->verifypeer) &&
     (data->verifyhost == needle->verifyhost) &&
     (data->verifystatus == needle->verifystatus) &&
     blobcmp(data->cert_blob, needle->cert_blob) &&
     blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
     blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
     /* paths: case-sensitive */
     Curl_safecmp(data->CApath, needle->CApath) &&
     Curl_safecmp(data->CAfile, needle->CAfile) &&
     Curl_safecmp(data->issuercert, needle->issuercert) &&
     Curl_safecmp(data->clientcert, needle->clientcert) &&
#ifdef USE_TLS_SRP
     /* credentials: timing-safe compare (returns 0 on equality) */
     !Curl_timestrcmp(data->username, needle->username) &&
     !Curl_timestrcmp(data->password, needle->password) &&
     (data->authtype == needle->authtype) &&
#endif
     /* the rest: case-insensitive, see the note above */
     Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
     Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
     Curl_safe_strcasecompare(data->curves, needle->curves) &&
     Curl_safe_strcasecompare(data->CRLfile, needle->CRLfile) &&
     Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
    return TRUE;

  return FALSE;
}
/*
 * Curl_clone_primary_ssl_config() - deep-copy 'source' into 'dest'.
 *
 * 'dest' is expected to be zeroed on entry (the blob copies assert that).
 * Returns FALSE on allocation failure; 'dest' is then partially filled and
 * the caller is expected to release it with Curl_free_primary_ssl_config().
 */
bool
Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
                              struct ssl_primary_config *dest)
{
  /* scalar members first, these cannot fail */
  dest->ssl_options = source->ssl_options;
  dest->sessionid = source->sessionid;
  dest->version = source->version;
  dest->version_max = source->version_max;
  dest->verifystatus = source->verifystatus;
  dest->verifyhost = source->verifyhost;
  dest->verifypeer = source->verifypeer;
#ifdef USE_TLS_SRP
  dest->authtype = source->authtype;
#endif

  /* heap-held members: each macro returns FALSE from here on OOM */
  CLONE_BLOB(cert_blob);
  CLONE_BLOB(ca_info_blob);
  CLONE_BLOB(issuercert_blob);

  CLONE_STRING(CApath);
  CLONE_STRING(CAfile);
  CLONE_STRING(issuercert);
  CLONE_STRING(clientcert);
  CLONE_STRING(cipher_list);
  CLONE_STRING(cipher_list13);
  CLONE_STRING(pinned_key);
  CLONE_STRING(curves);
  CLONE_STRING(CRLfile);
#ifdef USE_TLS_SRP
  CLONE_STRING(username);
  CLONE_STRING(password);
#endif

  return TRUE;
}
/*
 * Curl_free_primary_ssl_config() - release every heap-held member of a
 * primary SSL config and reset the pointers to NULL. Safe to call on a
 * partially cloned config, since Curl_safefree() accepts NULL.
 */
void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
{
  /* blobs (one allocation each, see blobdup()) */
  Curl_safefree(sslc->cert_blob);
  Curl_safefree(sslc->ca_info_blob);
  Curl_safefree(sslc->issuercert_blob);

  /* paths */
  Curl_safefree(sslc->CApath);
  Curl_safefree(sslc->CAfile);
  Curl_safefree(sslc->issuercert);
  Curl_safefree(sslc->clientcert);
  Curl_safefree(sslc->CRLfile);

  /* algorithm selections and pinning */
  Curl_safefree(sslc->cipher_list);
  Curl_safefree(sslc->cipher_list13);
  Curl_safefree(sslc->curves);
  Curl_safefree(sslc->pinned_key);

#ifdef USE_TLS_SRP
  Curl_safefree(sslc->username);
  Curl_safefree(sslc->password);
#endif
}
#ifdef USE_SSL
/* forward declaration; presumably selects the active backend, defined
   further down in this file (used by Curl_ssl_backend() below) */
static int multissl_setup(const struct Curl_ssl *backend);
#endif
/*
 * Curl_ssl_backend() - report the id of the TLS backend in use.
 * Without SSL support built in this is always CURLSSLBACKEND_NONE.
 */
curl_sslbackend Curl_ssl_backend(void)
{
#ifndef USE_SSL
  return CURLSSLBACKEND_NONE;
#else
  const struct Curl_ssl *backend;

  /* make sure a backend has been selected before reading its id */
  multissl_setup(NULL);
  backend = Curl_ssl;
  return backend->info.id;
#endif
}
#ifdef USE_SSL
/* "global" init done? Shared by Curl_ssl_init() and Curl_ssl_cleanup() to
   make the global backend init/cleanup happen at most once per cycle. A
   plain bool, not atomic: presumably the callers serialize global
   init/cleanup themselves -- TODO confirm. */
static bool init_ssl = FALSE;
/**
 * Global SSL init
 *
 * Runs the backend's global init once; later calls are no-ops that report
 * success. Note that the "done" flag is raised before the backend init is
 * attempted, so a failed init is not retried on a subsequent call.
 *
 * @retval 0 error initializing SSL
 * @retval 1 SSL initialized successfully
 */
int Curl_ssl_init(void)
{
  int rc = 1;

  if(!init_ssl) {
    init_ssl = TRUE; /* never again */
    rc = Curl_ssl->init();
  }
  return rc;
}
#if defined(CURL_WITH_MULTI_SSL)
/* the dispatcher used before a concrete backend has been chosen; presumably
   defined later in this file. Curl_ssl_cleanup() resets Curl_ssl to it. */
static const struct Curl_ssl Curl_ssl_multi;
#endif
  227. /* Global cleanup */
  228. void Curl_ssl_cleanup(void)
  229. {
  230. if(init_ssl) {
  231. /* only cleanup if we did a previous init */
  232. Curl_ssl->cleanup();
  233. #if defined(CURL_WITH_MULTI_SSL)
  234. Curl_ssl = &Curl_ssl_multi;
  235. #endif
  236. init_ssl = FALSE;
  237. }
  238. }
/*
 * ssl_prefs_check() - validate the CURLOPT_SSLVERSION settings on the handle
 * before a TLS connect is attempted. Returns FALSE (after failf()) when the
 * minimum version is out of range or the maximum is below the minimum.
 */
static bool ssl_prefs_check(struct Curl_easy *data)
{
  const long sslver = data->set.ssl.primary.version;

  if((sslver < 0) || (sslver >= CURL_SSLVERSION_LAST)) {
    failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
    return FALSE;
  }

  /* NONE and DEFAULT always fit. Any other maximum is encoded in the upper
     16 bits and must not be lower than the minimum version. */
  if((data->set.ssl.primary.version_max != CURL_SSLVERSION_MAX_NONE) &&
     (data->set.ssl.primary.version_max != CURL_SSLVERSION_MAX_DEFAULT) &&
     ((data->set.ssl.primary.version_max >> 16) < sslver)) {
    failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
    return FALSE;
  }

  return TRUE;
}
#ifndef CURL_DISABLE_PROXY
/*
 * ssl_connect_init_proxy() - if the TLS session established so far on this
 * socket belongs to the HTTPS proxy, move it to conn->proxy_ssl[] so that
 * conn->ssl[] is free for the TLS session to the end host.
 *
 * Returns CURLE_NOT_BUILT_IN when the backend cannot do HTTPS proxies.
 */
static CURLcode
ssl_connect_init_proxy(struct connectdata *conn, int sockindex)
{
  struct ssl_connect_data *host_ssl = &conn->ssl[sockindex];
  struct ssl_connect_data *proxy_ssl = &conn->proxy_ssl[sockindex];
  struct ssl_backend_data *spare;

  DEBUGASSERT(conn->bits.proxy_ssl_connected[sockindex]);

  /* only act on a completed session that is not yet in the proxy slot */
  if((host_ssl->state != ssl_connection_complete) || proxy_ssl->use)
    return CURLE_OK;

  if(!(Curl_ssl->supports & SSLSUPP_HTTPS_PROXY))
    return CURLE_NOT_BUILT_IN;

  /* The backend-private blocks are opaque here, so the two pointers are
     swapped rather than copying their contents: the proxy slot takes over
     the established session, and the host slot gets the zeroed spare. */
  spare = proxy_ssl->backend;
  *proxy_ssl = *host_ssl;
  DEBUGASSERT(spare != NULL);
  memset(host_ssl, 0, sizeof(*host_ssl));
  memset(spare, 0, Curl_ssl->sizeof_ssl_backend_data);
  host_ssl->backend = spare;

  return CURLE_OK;
}
#endif
/*
 * Curl_ssl_connect() - run the blocking TLS handshake on the given socket.
 *
 * On success the APPCONNECT timer is stamped; on failure the socket is
 * marked as not using SSL again and the backend's error is returned.
 */
CURLcode
Curl_ssl_connect(struct Curl_easy *data, struct connectdata *conn,
                 int sockindex)
{
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  CURLcode result = CURLE_OK;

#ifndef CURL_DISABLE_PROXY
  if(conn->bits.proxy_ssl_connected[sockindex])
    result = ssl_connect_init_proxy(conn, sockindex);
  if(result)
    return result;
#endif

  if(!ssl_prefs_check(data))
    return CURLE_SSL_CONNECT_ERROR;

  /* from here on this socket is ssl-enabled */
  connssl->use = TRUE;
  connssl->state = ssl_connection_negotiating;

  result = Curl_ssl->connect_blocking(data, conn, sockindex);
  if(result) {
    connssl->use = FALSE;
    return result;
  }

  Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
  return CURLE_OK;
}
/*
 * Curl_ssl_connect_nonblocking() - drive the non-blocking TLS handshake.
 *
 * '*done' is set by the backend when the handshake has completed. The
 * APPCONNECT timer is only stamped for the end host, not when the
 * completed handshake was the one to a proxy. Unlike Curl_ssl_connect(),
 * the connection state is left for the backend to maintain.
 */
CURLcode
Curl_ssl_connect_nonblocking(struct Curl_easy *data, struct connectdata *conn,
                             bool isproxy, int sockindex, bool *done)
{
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];
  CURLcode result = CURLE_OK;

#ifndef CURL_DISABLE_PROXY
  if(conn->bits.proxy_ssl_connected[sockindex])
    result = ssl_connect_init_proxy(conn, sockindex);
  if(result)
    return result;
#endif

  if(!ssl_prefs_check(data))
    return CURLE_SSL_CONNECT_ERROR;

  /* ssl has been requested on this socket from here on */
  connssl->use = TRUE;

  result = Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
  if(result) {
    connssl->use = FALSE;
    return result;
  }

  if(*done && !isproxy)
    Curl_pgrsTime(data, TIMER_APPCONNECT); /* SSL is connected */
  return CURLE_OK;
}
/*
 * Lock shared SSL session data. A no-op when the handle's session cache is
 * not shared through a share object.
 */
void Curl_ssl_sessionid_lock(struct Curl_easy *data)
{
  if(!SSLSESSION_SHARED(data))
    return; /* private cache, nothing to lock */
  Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
}
/*
 * Unlock shared SSL session data. The counterpart of
 * Curl_ssl_sessionid_lock(); a no-op for a non-shared cache.
 */
void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
{
  if(!SSLSESSION_SHARED(data))
    return; /* private cache, nothing was locked */
  Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
}
/*
 * Check if there's a session ID for the given connection in the cache, and if
 * there's one suitable, it is provided. Returns TRUE when no entry matched.
 *
 * An entry matches only when host name, "connect-to" host/port, remote port,
 * scheme AND the full TLS configuration (Curl_ssl_config_matches()) agree,
 * so a session negotiated under weaker settings is never handed to a
 * stricter request. On a hit the entry's age is bumped (LRU bookkeeping for
 * Curl_ssl_addsessionid()'s eviction) and *idsize is filled in when asked.
 *
 * No locking is done in here even though the shared age counter is touched:
 * the caller is expected to hold Curl_ssl_sessionid_lock() around this call
 * (NOTE(review): confirm all callers do).
 */
bool Curl_ssl_getsessionid(struct Curl_easy *data,
                           struct connectdata *conn,
                           const bool isProxy,
                           void **ssl_sessionid,
                           size_t *idsize, /* set 0 if unknown */
                           int sockindex)
{
  struct Curl_ssl_session *check;
  size_t i;
  long *general_age;
  bool no_match = TRUE;
#ifndef CURL_DISABLE_PROXY
  /* a proxy lookup uses the proxy's own config, name and port */
  struct ssl_primary_config * const ssl_config = isProxy ?
    &conn->proxy_ssl_config :
    &conn->ssl_config;
  const char * const name = isProxy ?
    conn->http_proxy.host.name : conn->host.name;
  int port = isProxy ? (int)conn->port : conn->remote_port;
#else
  /* no proxy support */
  struct ssl_primary_config * const ssl_config = &conn->ssl_config;
  const char * const name = conn->host.name;
  int port = conn->remote_port;
#endif
  (void)sockindex;
  *ssl_sessionid = NULL;
#ifdef CURL_DISABLE_PROXY
  if(isProxy)
    return TRUE;
#endif
  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
  if(!SSL_SET_OPTION(primary.sessionid) || !data->state.session)
    /* session ID re-use is disabled or the session cache has not been
       setup */
    return TRUE;

  /* the age counter lives in the share object when the cache is shared */
  if(SSLSESSION_SHARED(data))
    general_age = &data->share->sessionage;
  else
    general_age = &data->state.sessionage;

  for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
    check = &data->state.session[i];
    if(!check->sessionid)
      /* no session ID means blank entry */
      continue;
    /* host names compare case-insensitively; the connect-to host and port
       must either both be absent or both be present and equal */
    if(strcasecompare(name, check->name) &&
       ((!conn->bits.conn_to_host && !check->conn_to_host) ||
        (conn->bits.conn_to_host && check->conn_to_host &&
         strcasecompare(conn->conn_to_host.name, check->conn_to_host))) &&
       ((!conn->bits.conn_to_port && check->conn_to_port == -1) ||
        (conn->bits.conn_to_port && check->conn_to_port != -1 &&
         conn->conn_to_port == check->conn_to_port)) &&
       (port == check->remote_port) &&
       strcasecompare(conn->handler->scheme, check->scheme) &&
       Curl_ssl_config_matches(ssl_config, &check->ssl_config)) {
      /* yes, we have a session ID! */
      (*general_age)++; /* increase general age */
      check->age = *general_age; /* set this as used in this age */
      *ssl_sessionid = check->sessionid;
      if(idsize)
        *idsize = check->idsize;
      no_match = FALSE;
      break;
    }
  }

  DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d",
               no_match? "Didn't find": "Found",
               isProxy ? "proxy" : "host",
               conn->handler->scheme, name, port));
  return no_match;
}
  419. /*
  420. * Kill a single session ID entry in the cache.
  421. */
  422. void Curl_ssl_kill_session(struct Curl_ssl_session *session)
  423. {
  424. if(session->sessionid) {
  425. /* defensive check */
  426. /* free the ID the SSL-layer specific way */
  427. Curl_ssl->session_free(session->sessionid);
  428. session->sessionid = NULL;
  429. session->age = 0; /* fresh */
  430. Curl_free_primary_ssl_config(&session->ssl_config);
  431. Curl_safefree(session->name);
  432. Curl_safefree(session->conn_to_host);
  433. }
  434. }
  435. /*
  436. * Delete the given session ID from the cache.
  437. */
  438. void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
  439. {
  440. size_t i;
  441. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  442. struct Curl_ssl_session *check = &data->state.session[i];
  443. if(check->sessionid == ssl_sessionid) {
  444. Curl_ssl_kill_session(check);
  445. break;
  446. }
  447. }
  448. }
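/*
 * Store session id in the session cache. The ID passed on to this function
 * must already have been extracted and allocated the proper way for the SSL
 * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
 * later on.
 *
 * The first blank slot is used; when all slots are taken the one with the
 * lowest age (least recently used, see Curl_ssl_getsessionid()) is evicted.
 * On CURLE_OUT_OF_MEMORY the slot is left blank and 'ssl_sessionid' is
 * still owned by the caller, which must free it. '*added' (if given) tells
 * whether the cache took ownership of 'ssl_sessionid'.
 *
 * No locking is done in here: the caller must hold
 * Curl_ssl_sessionid_lock() around the call when the cache is shared.
 */
CURLcode Curl_ssl_addsessionid(struct Curl_easy *data,
                               struct connectdata *conn,
                               const bool isProxy,
                               void *ssl_sessionid,
                               size_t idsize,
                               int sockindex,
                               bool *added)
{
  size_t i;
  struct Curl_ssl_session *store;
  long oldest_age;
  char *clone_host;
  char *clone_conn_to_host = NULL;
  int conn_to_port = -1; /* -1 means "no connect-to port" */
  long *general_age;
#ifndef CURL_DISABLE_PROXY
  struct ssl_primary_config * const ssl_config = isProxy ?
    &conn->proxy_ssl_config :
    &conn->ssl_config;
  const char *hostname = isProxy ? conn->http_proxy.host.name :
    conn->host.name;
#else
  struct ssl_primary_config * const ssl_config = &conn->ssl_config;
  const char *hostname = conn->host.name;
#endif
  (void)sockindex;

  if(added)
    *added = FALSE;

  if(!data->state.session)
    return CURLE_OK; /* no cache set up, nothing to store into */

  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));

  /* Build the host strings before touching the cache so that an allocation
     failure here leaves the cache untouched. */
  clone_host = strdup(hostname);
  if(!clone_host)
    return CURLE_OUT_OF_MEMORY; /* bail out */

  if(conn->bits.conn_to_host) {
    clone_conn_to_host = strdup(conn->conn_to_host.name);
    if(!clone_conn_to_host) {
      free(clone_host);
      return CURLE_OUT_OF_MEMORY; /* bail out */
    }
  }

  if(conn->bits.conn_to_port)
    conn_to_port = conn->conn_to_port;

  /* the age counter lives in the share object when the cache is shared */
  if(SSLSESSION_SHARED(data))
    general_age = &data->share->sessionage;
  else
    general_age = &data->state.sessionage;

  /* find an empty slot for us, or find the oldest */
  store = &data->state.session[0];
  oldest_age = store->age; /* zero if unused */
  for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
        data->state.session[i].sessionid; i++) {
    if(data->state.session[i].age < oldest_age) {
      oldest_age = data->state.session[i].age;
      store = &data->state.session[i];
    }
  }
  if(i == data->set.general_ssl.max_ssl_sessions)
    /* cache is full, we must "kill" the oldest entry! */
    Curl_ssl_kill_session(store);
  else
    store = &data->state.session[i]; /* use this blank slot */

  /* drop whatever host strings the slot still holds, then take ownership of
     the new ones */
  free(store->name);
  free(store->conn_to_host);
  store->name = clone_host;
  store->conn_to_host = clone_conn_to_host;
  store->conn_to_port = conn_to_port;
  store->remote_port = isProxy ? (int)conn->port : conn->remote_port;
  store->scheme = conn->handler->scheme;
  store->idsize = idsize;
  store->age = *general_age; /* set current age */

  if(!Curl_clone_primary_ssl_config(ssl_config, &store->ssl_config)) {
    /* Undo completely. The host strings are owned by the slot now, so they
       are released through the slot and the pointers reset: freeing the
       clones while leaving store->name pointing at them would hand a
       dangling pointer to the next free(store->name) on this slot. */
    Curl_free_primary_ssl_config(&store->ssl_config);
    Curl_safefree(store->name);
    Curl_safefree(store->conn_to_host);
    store->sessionid = NULL; /* let caller free sessionid */
    return CURLE_OUT_OF_MEMORY;
  }

  /* only publish the session ID once the entry is complete */
  store->sessionid = ssl_sessionid;

  if(added)
    *added = TRUE;

  DEBUGF(infof(data, "Added Session ID to cache for %s://%s:%d [%s]",
               store->scheme, store->name, store->remote_port,
               isProxy ? "PROXY" : "server"));
  return CURLE_OK;
}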
/*
 * Curl_ssl_associate_conn() - let the backend tie 'data' to the TLS
 * state of 'conn'. An optional backend hook; nothing happens when the
 * backend does not provide it. The secondary socket is only covered when it
 * is open and flagged as accepted.
 */
void Curl_ssl_associate_conn(struct Curl_easy *data,
                             struct connectdata *conn)
{
  const struct Curl_ssl *backend = Curl_ssl;

  if(!backend->associate_connection)
    return;

  backend->associate_connection(data, conn, FIRSTSOCKET);
  if(conn->bits.sock_accepted &&
     (conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD))
    backend->associate_connection(data, conn, SECONDARYSOCKET);
}
/*
 * Curl_ssl_detach_conn() - the counterpart of Curl_ssl_associate_conn():
 * undo the per-handle association, for the same set of sockets. A no-op
 * when the backend has no disassociate hook.
 */
void Curl_ssl_detach_conn(struct Curl_easy *data,
                          struct connectdata *conn)
{
  const struct Curl_ssl *backend = Curl_ssl;

  if(!backend->disassociate_connection)
    return;

  backend->disassociate_connection(data, FIRSTSOCKET);
  if(conn->bits.sock_accepted &&
     (conn->sock[SECONDARYSOCKET] != CURL_SOCKET_BAD))
    backend->disassociate_connection(data, SECONDARYSOCKET);
}
/*
 * Curl_ssl_close_all() - tear down everything TLS-related on this handle.
 *
 * The handle's private session cache is emptied and freed; a cache that is
 * shared through a share object is left alone (the share owns it). Then the
 * backend's close_all() hook runs.
 */
void Curl_ssl_close_all(struct Curl_easy *data)
{
  struct Curl_ssl_session *cache = data->state.session;

  if(cache && !SSLSESSION_SHARED(data)) {
    size_t i;
    /* Curl_ssl_kill_session() handles blank slots itself */
    for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
      Curl_ssl_kill_session(&cache[i]);
    Curl_safefree(data->state.session);
  }

  Curl_ssl->close_all(data);
}
/*
 * Curl_ssl_getsock() - report which socket (and which direction) the
 * in-progress TLS handshake on FIRSTSOCKET is waiting for, in the
 * GETSOCK_* bitmask format. GETSOCK_BLANK when it is not waiting on I/O.
 */
int Curl_ssl_getsock(struct connectdata *conn, curl_socket_t *socks)
{
  switch(conn->ssl[FIRSTSOCKET].connecting_state) {
  case ssl_connect_2_writing:
    socks[0] = conn->sock[FIRSTSOCKET];
    return GETSOCK_WRITESOCK(0);
  case ssl_connect_2_reading:
    socks[0] = conn->sock[FIRSTSOCKET];
    return GETSOCK_READSOCK(0);
  default:
    return GETSOCK_BLANK;
  }
}
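/*
 * Curl_ssl_close() - close the TLS layer on the given socket via the
 * backend and mark the socket's connection state as none.
 *
 * The index is handed to the backend hook as-is. The assert tolerates -1,
 * but conn->ssl[] can only be indexed with 0 or 1, so the state reset is
 * guarded to never write conn->ssl[-1].
 */
void Curl_ssl_close(struct Curl_easy *data, struct connectdata *conn,
                    int sockindex)
{
  DEBUGASSERT((sockindex <= 1) && (sockindex >= -1));
  Curl_ssl->close_one(data, conn, sockindex);
  if(sockindex >= 0)
    conn->ssl[sockindex].state = ssl_connection_none;
}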
/*
 * Curl_ssl_shutdown() - shut the TLS layer down on the given socket and
 * return it to plain-text I/O.
 *
 * If the backend's shut_down() fails, CURLE_SSL_SHUTDOWN_FAILED is returned
 * and the socket's SSL flags are left as they were.
 */
CURLcode Curl_ssl_shutdown(struct Curl_easy *data, struct connectdata *conn,
                           int sockindex)
{
  struct ssl_connect_data *connssl = &conn->ssl[sockindex];

  if(Curl_ssl->shut_down(data, conn, sockindex))
    return CURLE_SSL_SHUTDOWN_FAILED;

  /* get back to ordinary socket usage */
  connssl->use = FALSE;
  connssl->state = ssl_connection_none;
  conn->recv[sockindex] = Curl_recv_plain;
  conn->send[sockindex] = Curl_send_plain;
  return CURLE_OK;
}
/*
 * Curl_ssl_set_engine() - select a crypto engine by name. Delegated
 * entirely to the backend, which decides whether engines are supported.
 */
CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->set_engine(data, engine);
}
/*
 * Curl_ssl_set_engine_default() - select the backend's default crypto
 * engine. Delegated entirely to the backend.
 */
CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->set_engine_default(data);
}
/*
 * Curl_ssl_engines_list() - return the list of crypto engine names known to
 * the backend (historically an OpenSSL feature). Delegated to the backend.
 */
struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->engines_list(data);
}
/*
 * This sets up a session ID cache to the specified size. Make sure this code
 * is agnostic to what underlying SSL technology we use.
 *
 * A second call on a handle that already has a cache is a no-op that keeps
 * the existing cache (and its size) untouched. All slots start out blank
 * (calloc), which Curl_ssl_getsessionid()/Curl_ssl_addsessionid() detect
 * through a NULL sessionid.
 */
CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
{
  struct Curl_ssl_session *cache;

  if(data->state.session)
    return CURLE_OK; /* already set up, keep it */

  cache = calloc(amount, sizeof(*cache));
  if(!cache)
    return CURLE_OUT_OF_MEMORY;

  /* store the info in the SSL section */
  data->state.session = cache;
  data->set.general_ssl.max_ssl_sessions = amount;
  data->state.sessionage = 1; /* this is brand new */
  return CURLE_OK;
}
/* forward declaration; presumably writes the version strings of all
   compiled-in backends, defined further down in this file */
static size_t multissl_version(char *buffer, size_t size);
/*
 * Curl_ssl_version() - write the TLS backend version string into 'buffer'
 * (at most 'size' bytes). With multiple backends compiled in, the
 * multi-backend variant is used instead of the active backend's own.
 */
void Curl_ssl_version(char *buffer, size_t size)
{
#ifndef CURL_WITH_MULTI_SSL
  (void)Curl_ssl->version(buffer, size);
#else
  (void)multissl_version(buffer, size);
#endif
}
/*
 * This function tries to determine connection status by asking the backend.
 *
 * Return codes:
 * 1 means the connection is still in place
 * 0 means the connection has been closed
 * -1 means the connection status is unknown
 */
int Curl_ssl_check_cxn(struct connectdata *conn)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->check_cxn(conn);
}
/*
 * Curl_ssl_data_pending() - TRUE if the backend has already-decrypted data
 * buffered for this socket, i.e. a read would not need to hit the socket.
 */
bool Curl_ssl_data_pending(const struct connectdata *conn,
                           int connindex)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->data_pending(conn, connindex);
}
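/*
 * Curl_ssl_free_certinfo() - release the CURLINFO_CERTINFO data on the
 * handle: every per-certificate list and the table holding them.
 *
 * The table is freed even when num_of_certs is 0: the table comes from
 * calloc() in Curl_ssl_init_certinfo(), and calloc(0, ...) may return a
 * non-NULL pointer that would otherwise leak. free(NULL) is a no-op, so a
 * handle that never had certinfo is fine too.
 */
void Curl_ssl_free_certinfo(struct Curl_easy *data)
{
  struct curl_certinfo *ci = &data->info.certs;
  int i;

  for(i = 0; i < ci->num_of_certs; i++) {
    curl_slist_free_all(ci->certinfo[i]);
    ci->certinfo[i] = NULL;
  }

  free(ci->certinfo); /* the table itself */
  ci->certinfo = NULL;
  ci->num_of_certs = 0;
}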
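/*
 * Curl_ssl_init_certinfo() - prepare room for 'num' certificates' worth of
 * CURLINFO_CERTINFO lists, dropping any previous data first.
 *
 * 'num' is an int because backends report chain lengths that way. A
 * negative count is a caller error and is rejected with
 * CURLE_BAD_FUNCTION_ARGUMENT instead of being cast to a huge size_t and
 * reported as a misleading out-of-memory. A count of zero is valid and
 * allocates nothing (certinfo stays NULL, num_of_certs 0).
 */
CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
{
  struct curl_certinfo *ci = &data->info.certs;
  struct curl_slist **table;

  /* Free any previous certificate information structures */
  Curl_ssl_free_certinfo(data);

  if(num < 0)
    return CURLE_BAD_FUNCTION_ARGUMENT;
  if(!num)
    return CURLE_OK; /* empty chain, nothing to allocate */

  /* Allocate the required certificate information structures */
  table = calloc((size_t)num, sizeof(struct curl_slist *));
  if(!table)
    return CURLE_OUT_OF_MEMORY;

  ci->num_of_certs = num;
  ci->certinfo = table;
  return CURLE_OK;
}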
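/*
 * Curl_ssl_push_certinfo_len() - append a "label:value" entry to the
 * CURLINFO_CERTINFO list of certificate number 'certnum'.
 *
 * 'value' is NOT a null-terminated string; 'valuelen' bytes are copied
 * verbatim (the entry is then null-terminated). 'certnum' must index the
 * table set up by Curl_ssl_init_certinfo(); an out-of-range index is
 * rejected with CURLE_BAD_FUNCTION_ARGUMENT rather than written past the
 * table. On an allocation failure the whole list of that certificate is
 * discarded, as before.
 */
CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
                                    int certnum,
                                    const char *label,
                                    const char *value,
                                    size_t valuelen)
{
  struct curl_certinfo *ci = &data->info.certs;
  size_t labellen;
  size_t outlen;
  char *output;
  struct curl_slist *nl;

  /* the table is only num_of_certs entries big */
  if((certnum < 0) || (certnum >= ci->num_of_certs))
    return CURLE_BAD_FUNCTION_ARGUMENT;

  labellen = strlen(label);
  outlen = labellen + 1 + valuelen + 1; /* label:value\0 */
  output = malloc(outlen);
  if(!output)
    return CURLE_OUT_OF_MEMORY;

  /* assembled by hand: 'value' has no terminator to rely on */
  memcpy(output, label, labellen);
  output[labellen] = ':';
  memcpy(&output[labellen + 1], value, valuelen);
  output[labellen + 1 + valuelen] = 0;

  nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
  if(!nl) {
    free(output);
    curl_slist_free_all(ci->certinfo[certnum]);
    ci->certinfo[certnum] = NULL;
    return CURLE_OUT_OF_MEMORY;
  }

  ci->certinfo[certnum] = nl;
  return CURLE_OK;
}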
/*
 * This is a convenience function for push_certinfo_len that takes a zero
 * terminated value: the length is measured here and the work delegated.
 */
CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data,
                                int certnum,
                                const char *label,
                                const char *value)
{
  return Curl_ssl_push_certinfo_len(data, certnum, label, value,
                                    strlen(value));
}
/*
 * Curl_ssl_random() asks the selected SSL backend to fill 'entropy' with
 * 'length' bytes of random data and returns whatever the backend reports.
 */
CURLcode Curl_ssl_random(struct Curl_easy *data,
                         unsigned char *entropy,
                         size_t length)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->random(data, entropy, length);
}
/*
 * Curl_ssl_snihost() converts the input host name to a suitable SNI name put
 * in data->state.buffer. Returns a pointer to the name (or NULL if the name
 * does not fit in the buffer) and stores the new length in 'olen' when
 * 'olen' is non-NULL.
 *
 * SNI fields must not have any trailing dot and while RFC 6066 section 3 says
 * the SNI field is case insensitive, browsers always send the data lowercase
 * and subsequently there are numerous servers out there that don't work
 * unless the name is lowercased.
 */
char *Curl_ssl_snihost(struct Curl_easy *data, const char *host, size_t *olen)
{
  char *sni = data->state.buffer;
  size_t hostlen = strlen(host);

  /* a trailing dot is not allowed in the SNI field */
  if(hostlen && host[hostlen - 1] == '.')
    hostlen--;

  /* the terminator needs a byte of its own in the buffer */
  if(hostlen >= data->set.buffer_size)
    return NULL;

  Curl_strntolower(sni, host, hostlen);
  sni[hostlen] = 0;
  if(olen)
    *olen = hostlen;
  return sni;
}
/*
 * pubkey_pem_to_der() converts a "PUBLIC KEY" PEM block into DER bytes.
 *
 * The BEGIN marker must start the buffer or directly follow a newline, and
 * the END marker must directly follow a newline. The base64 text between
 * them is extracted with line breaks removed and handed to
 * Curl_base64_decode(), which sets *der and *der_len.
 *
 * Returns CURLE_BAD_CONTENT_ENCODING when the markers are missing or
 * misplaced, CURLE_OUT_OF_MEMORY on allocation failure, otherwise the result
 * of the base64 decode.
 */
static CURLcode pubkey_pem_to_der(const char *pem,
                                  unsigned char **der, size_t *der_len)
{
  static const char begin_marker[] = "-----BEGIN PUBLIC KEY-----";
  static const char end_marker[] = "\n-----END PUBLIC KEY-----";
  const char *begin_pos, *end_pos;
  char *base64;
  size_t readpos, stop, writepos = 0;
  CURLcode result;

  if(!pem)
    return CURLE_BAD_CONTENT_ENCODING;

  begin_pos = strstr(pem, begin_marker);
  if(!begin_pos)
    return CURLE_BAD_CONTENT_ENCODING;

  readpos = begin_pos - pem;
  /* the BEGIN line must start the buffer or follow a newline */
  if(readpos != 0 && pem[readpos - 1] != '\n')
    return CURLE_BAD_CONTENT_ENCODING;

  /* skip the marker itself; sizeof counts the terminator, hence the -1 */
  readpos += sizeof(begin_marker) - 1;

  end_pos = strstr(pem + readpos, end_marker);
  if(!end_pos)
    return CURLE_BAD_CONTENT_ENCODING;
  stop = end_pos - pem;

  /* the stripped text can never be longer than the span it comes from */
  base64 = malloc(stop - readpos + 1);
  if(!base64)
    return CURLE_OUT_OF_MEMORY;

  /* copy the body between the markers, dropping line breaks, so that what
     remains is the bare base64 string */
  for(; readpos < stop; ++readpos) {
    char c = pem[readpos];
    if(c != '\n' && c != '\r')
      base64[writepos++] = c;
  }
  base64[writepos] = '\0';

  result = Curl_base64_decode(base64, der, der_len);
  Curl_safefree(base64);
  return result;
}
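/*
 * pin_check_sha256_list() checks the SHA-256 digest of 'pubkey' against
 * 'pinnedpubkey', which starts with "sha256//" and may hold several base64
 * digests separated by ";sha256//".
 *
 * Returns CURLE_OK on a match, CURLE_SSL_PINNEDPUBKEYNOTMATCH when no entry
 * matches or the backend has no sha256sum, CURLE_OUT_OF_MEMORY on allocation
 * failure, otherwise the error reported by hashing or base64 encoding.
 */
static CURLcode pin_check_sha256_list(struct Curl_easy *data,
                                      const char *pinnedpubkey,
                                      const unsigned char *pubkey,
                                      size_t pubkeylen)
{
  CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
  CURLcode encode;
  size_t encodedlen, pinkeylen;
  char *encoded, *pinkeycopy, *begin_pos, *end_pos;
  unsigned char *sha256sumdigest;

  if(!Curl_ssl->sha256sum) {
    /* without sha256 support, this cannot match */
    return result;
  }

  /* compute sha256sum of public key */
  sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
  if(!sha256sumdigest)
    return CURLE_OUT_OF_MEMORY;
  encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
                               sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
  if(!encode)
    encode = Curl_base64_encode((char *)sha256sumdigest,
                                CURL_SHA256_DIGEST_LENGTH, &encoded,
                                &encodedlen);
  /* release the digest on the failure path too, not only on success */
  Curl_safefree(sha256sumdigest);
  if(encode)
    return encode;

  infof(data, " public key hash: sha256//%s", encoded);

  /* it starts with sha256//, copy so we can modify it */
  pinkeylen = strlen(pinnedpubkey) + 1;
  pinkeycopy = malloc(pinkeylen);
  if(!pinkeycopy) {
    Curl_safefree(encoded);
    return CURLE_OUT_OF_MEMORY;
  }
  memcpy(pinkeycopy, pinnedpubkey, pinkeylen);

  /* walk the ";sha256//" separated entries of the copy */
  begin_pos = pinkeycopy;
  do {
    end_pos = strstr(begin_pos, ";sha256//");
    /* null terminate at the separator so this entry can be measured; the
       last entry already ends at the terminator of the copy */
    if(end_pos)
      end_pos[0] = '\0';

    /* compare base64 sha256 digests, 8 is the length of "sha256//" */
    if(encodedlen == strlen(begin_pos + 8) &&
       !memcmp(encoded, begin_pos + 8, encodedlen)) {
      result = CURLE_OK;
      break;
    }

    /* restore the separator and move on to the next entry */
    if(end_pos) {
      end_pos[0] = ';';
      begin_pos = strstr(end_pos, "sha256//");
    }
  } while(end_pos && begin_pos);

  Curl_safefree(encoded);
  Curl_safefree(pinkeycopy);
  return result;
}

/*
 * pin_check_file() compares 'pubkey' with the key stored in the file named
 * by 'pinnedpubkey'. A file of exactly 'pubkeylen' bytes is treated as DER
 * and compared directly; any other size is treated as PEM and decoded first.
 *
 * Returns CURLE_OK on a match and CURLE_SSL_PINNEDPUBKEYNOTMATCH on any
 * mismatch, read problem, oversized file or allocation failure.
 */
static CURLcode pin_check_file(const char *pinnedpubkey,
                               const unsigned char *pubkey,
                               size_t pubkeylen)
{
  FILE *fp;
  unsigned char *buf = NULL, *pem_ptr = NULL;
  CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;

  fp = fopen(pinnedpubkey, "rb");
  if(!fp)
    return result;

  /* do { } while(0) so that every failure can 'break' to the cleanup */
  do {
    long filesize;
    size_t size, pem_len;
    CURLcode pem_read;

    /* Determine the file's size */
    if(fseek(fp, 0, SEEK_END))
      break;
    filesize = ftell(fp);
    if(fseek(fp, 0, SEEK_SET))
      break;
    if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
      break;

    /* if the key is bigger than the file, it cannot match */
    size = curlx_sotouz((curl_off_t) filesize);
    if(pubkeylen > size)
      break;

    /* one additional byte for a null terminator in case of a PEM key */
    buf = malloc(size + 1);
    if(!buf)
      break;

    /* Returns number of elements read, which should be 1 */
    if((int) fread(buf, size, 1, fp) != 1)
      break;

    /* If the sizes are the same, it cannot be base64 encoded, must be der */
    if(pubkeylen == size) {
      if(!memcmp(pubkey, buf, pubkeylen))
        result = CURLE_OK;
      break;
    }

    /* Otherwise assume PEM: terminate the text and try to decode it */
    buf[size] = '\0';
    pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
    if(pem_read)
      break;

    /* the sizes must agree before the decoded bytes are worth comparing */
    if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
      result = CURLE_OK;
  } while(0);

  Curl_safefree(buf);
  Curl_safefree(pem_ptr);
  fclose(fp);
  return result;
}

/*
 * Generic pinned public key check.
 *
 * 'pinnedpubkey' is either a "sha256//" digest list or the path of a DER or
 * PEM file holding the expected key. A NULL 'pinnedpubkey' disables pinning
 * and yields CURLE_OK.
 *
 * Returns CURLE_OK when the key matches, CURLE_SSL_PINNEDPUBKEYNOTMATCH when
 * it does not (or the file cannot be read), or an allocation/backend error
 * from the digest path.
 */
CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
                              const char *pinnedpubkey,
                              const unsigned char *pubkey, size_t pubkeylen)
{
  /* if a path wasn't specified, don't pin */
  if(!pinnedpubkey)
    return CURLE_OK;

  if(!pubkey || !pubkeylen)
    return CURLE_SSL_PINNEDPUBKEYNOTMATCH;

  /* only do this if pinnedpubkey starts with "sha256//", length 8 */
  if(strncmp(pinnedpubkey, "sha256//", 8) == 0)
    return pin_check_sha256_list(data, pinnedpubkey, pubkey, pubkeylen);

  return pin_check_file(pinnedpubkey, pubkey, pubkeylen);
}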
/*
 * Check whether the selected SSL backend supports the status_request
 * (OCSP stapling) extension.
 */
bool Curl_ssl_cert_status_request(void)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->cert_status_request();
}
/*
 * Check whether the selected SSL backend supports TLS false start.
 */
bool Curl_ssl_false_start(void)
{
  const struct Curl_ssl *backend = Curl_ssl;
  return backend->false_start();
}
/*
 * Check whether the selected SSL backend supports setting TLS 1.3 cipher
 * suites, as advertised in its 'supports' bitmask.
 */
bool Curl_ssl_tls13_ciphersuites(void)
{
  return (Curl_ssl->supports & SSLSUPP_TLS13_CIPHERSUITES) != 0;
}
/*
 * Default implementations for unsupported functions. Backends that do not
 * provide a particular operation point at these stubs instead.
 */

/* 'none' init: there is nothing to set up, report 1 */
int Curl_none_init(void)
{
  const int ok = 1;
  return ok;
}
/* 'none' cleanup: nothing was set up, so there is nothing to release */
void Curl_none_cleanup(void)
{
  /* intentionally empty */
}
/* 'none' shutdown: no TLS layer exists on the connection, returns 0 */
int Curl_none_shutdown(struct Curl_easy *data UNUSED_PARAM,
                       struct connectdata *conn UNUSED_PARAM,
                       int sockindex UNUSED_PARAM)
{
  /* silence unused-parameter warnings on compilers lacking the attribute */
  (void)data; (void)conn; (void)sockindex;
  return 0;
}
/* 'none' check_cxn: the connection state cannot be inspected, returns -1 */
int Curl_none_check_cxn(struct connectdata *conn UNUSED_PARAM)
{
  const int unknown = -1;
  (void)conn;
  return unknown;
}
/*
 * 'none' random: no entropy source is available, so 'entropy' is left
 * untouched and CURLE_NOT_BUILT_IN is returned.
 */
CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
                          unsigned char *entropy UNUSED_PARAM,
                          size_t length UNUSED_PARAM)
{
  (void)data; (void)entropy; (void)length;
  return CURLE_NOT_BUILT_IN;
}
/* 'none' close_all: there are no sessions to close */
void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
{
  (void)data; /* intentionally unused */
}
/* 'none' session_free: no backend session data exists, 'ptr' is ignored */
void Curl_none_session_free(void *ptr UNUSED_PARAM)
{
  (void)ptr; /* intentionally unused */
}
/* 'none' data_pending: no TLS layer can buffer data, so never pending */
bool Curl_none_data_pending(const struct connectdata *conn UNUSED_PARAM,
                            int connindex UNUSED_PARAM)
{
  (void)conn; (void)connindex;
  return 0;
}
/* 'none' cert_status_request: the status_request extension is unsupported */
bool Curl_none_cert_status_request(void)
{
  const bool supported = FALSE;
  return supported;
}
/* 'none' set_engine: crypto engines are not supported, 'engine' is ignored */
CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
                              const char *engine UNUSED_PARAM)
{
  (void)data; (void)engine;
  return CURLE_NOT_BUILT_IN;
}
/* 'none' set_engine_default: crypto engines are not supported */
CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
{
  (void)data; /* intentionally unused */
  return CURLE_NOT_BUILT_IN;
}
/* 'none' engines_list: no engines exist, so the list is always empty */
struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
{
  struct curl_slist *empty = NULL;
  (void)data;
  return empty;
}
/* 'none' false_start: TLS false start is unsupported */
bool Curl_none_false_start(void)
{
  const bool supported = FALSE;
  return supported;
}
/*
 * multissl_init() selects a concrete backend through multissl_setup() and
 * then runs that backend's init. Returns 1 without initializing anything
 * when no backend could be selected.
 */
static int multissl_init(void)
{
  if(multissl_setup(NULL) != 0)
    return 1;
  return Curl_ssl->init();
}
/*
 * multissl_connect() selects a backend on first use and forwards the
 * blocking connect to it; CURLE_FAILED_INIT if no backend can be selected.
 */
static CURLcode multissl_connect(struct Curl_easy *data,
                                 struct connectdata *conn, int sockindex)
{
  if(multissl_setup(NULL) != 0)
    return CURLE_FAILED_INIT;
  return Curl_ssl->connect_blocking(data, conn, sockindex);
}
/*
 * multissl_connect_nonblocking() selects a backend on first use and forwards
 * the non-blocking connect to it; CURLE_FAILED_INIT if no backend can be
 * selected ('done' is then left untouched).
 */
static CURLcode multissl_connect_nonblocking(struct Curl_easy *data,
                                             struct connectdata *conn,
                                             int sockindex, bool *done)
{
  if(multissl_setup(NULL) != 0)
    return CURLE_FAILED_INIT;
  return Curl_ssl->connect_nonblocking(data, conn, sockindex, done);
}
/*
 * multissl_getsock() selects a backend on first use and forwards getsock to
 * it; reports no sockets (0) if no backend can be selected.
 */
static int multissl_getsock(struct connectdata *conn, curl_socket_t *socks)
{
  if(multissl_setup(NULL) != 0)
    return 0;
  return Curl_ssl->getsock(conn, socks);
}
/*
 * multissl_get_internals() selects a backend on first use and forwards
 * get_internals to it; NULL if no backend can be selected.
 */
static void *multissl_get_internals(struct ssl_connect_data *connssl,
                                    CURLINFO info)
{
  if(multissl_setup(NULL) != 0)
    return NULL;
  return Curl_ssl->get_internals(connssl, info);
}
/*
 * multissl_close() selects a backend on first use and forwards close_one to
 * it; a no-op if no backend can be selected.
 */
static void multissl_close(struct Curl_easy *data, struct connectdata *conn,
                           int sockindex)
{
  if(multissl_setup(NULL) == 0)
    Curl_ssl->close_one(data, conn, sockindex);
}
/*
 * Placeholder backend installed as Curl_ssl when CURL_WITH_MULTI_SSL is
 * defined and no backend has been selected yet. Its connect/getsock/close
 * entry points call multissl_setup() to pick a real backend and forward to
 * it; everything else is a 'none' stub. The field order follows
 * struct Curl_ssl, hence the per-member comments.
 */
static const struct Curl_ssl Curl_ssl_multi = {
  { CURLSSLBACKEND_NONE, "multi" }, /* info */
  0, /* supports nothing */
  (size_t)-1, /* something insanely large to be on the safe side */
  multissl_init, /* init */
  Curl_none_cleanup, /* cleanup */
  multissl_version, /* version */
  Curl_none_check_cxn, /* check_cxn */
  Curl_none_shutdown, /* shutdown */
  Curl_none_data_pending, /* data_pending */
  Curl_none_random, /* random */
  Curl_none_cert_status_request, /* cert_status_request */
  multissl_connect, /* connect */
  multissl_connect_nonblocking, /* connect_nonblocking */
  multissl_getsock, /* getsock */
  multissl_get_internals, /* get_internals */
  multissl_close, /* close_one */
  Curl_none_close_all, /* close_all */
  Curl_none_session_free, /* session_free */
  Curl_none_set_engine, /* set_engine */
  Curl_none_set_engine_default, /* set_engine_default */
  Curl_none_engines_list, /* engines_list */
  Curl_none_false_start, /* false_start */
  NULL, /* sha256sum */
  NULL, /* associate_connection */
  NULL /* disassociate_connection */
};
/*
 * The SSL backend in use. With CURL_WITH_MULTI_SSL it starts out as the
 * Curl_ssl_multi placeholder and is switched to a real backend by
 * multissl_setup(); with a single backend it is fixed at build time.
 */
const struct Curl_ssl *Curl_ssl =
#if defined(CURL_WITH_MULTI_SSL)
  &Curl_ssl_multi;
#elif defined(USE_WOLFSSL)
  &Curl_ssl_wolfssl;
#elif defined(USE_SECTRANSP)
  &Curl_ssl_sectransp;
#elif defined(USE_GNUTLS)
  &Curl_ssl_gnutls;
#elif defined(USE_GSKIT)
  &Curl_ssl_gskit;
#elif defined(USE_MBEDTLS)
  &Curl_ssl_mbedtls;
#elif defined(USE_NSS)
  &Curl_ssl_nss;
#elif defined(USE_RUSTLS)
  &Curl_ssl_rustls;
#elif defined(USE_OPENSSL)
  &Curl_ssl_openssl;
#elif defined(USE_SCHANNEL)
  &Curl_ssl_schannel;
#elif defined(USE_BEARSSL)
  &Curl_ssl_bearssl;
#else
#error "Missing struct Curl_ssl for selected SSL backend"
#endif
/*
 * NULL-terminated list of every backend compiled in, in the order
 * multissl_setup() and Curl_init_sslset_nolock() search it. The first entry
 * is the fallback when CURL_SSL_BACKEND names nothing that is built in.
 */
static const struct Curl_ssl *available_backends[] = {
#if defined(USE_WOLFSSL)
  &Curl_ssl_wolfssl,
#endif
#if defined(USE_SECTRANSP)
  &Curl_ssl_sectransp,
#endif
#if defined(USE_GNUTLS)
  &Curl_ssl_gnutls,
#endif
#if defined(USE_GSKIT)
  &Curl_ssl_gskit,
#endif
#if defined(USE_MBEDTLS)
  &Curl_ssl_mbedtls,
#endif
#if defined(USE_NSS)
  &Curl_ssl_nss,
#endif
#if defined(USE_OPENSSL)
  &Curl_ssl_openssl,
#endif
#if defined(USE_SCHANNEL)
  &Curl_ssl_schannel,
#endif
#if defined(USE_BEARSSL)
  &Curl_ssl_bearssl,
#endif
#if defined(USE_RUSTLS)
  &Curl_ssl_rustls,
#endif
  NULL
};
/*
 * multissl_version() writes the version strings of all compiled-in backends
 * into 'buffer', the selected one first and the others in parentheses. The
 * string is cached in static storage and only rebuilt when the selected
 * backend changes.
 *
 * Returns the number of characters stored, excluding the terminator; the
 * output is truncated (but still terminated) when 'size' is too small, and
 * nothing is written when 'size' is 0.
 */
static size_t multissl_version(char *buffer, size_t size)
{
  static const struct Curl_ssl *selected;
  static char backends[200];
  static size_t backends_len;
  const struct Curl_ssl *current;

  /* while still unselected, report as if the first available backend is
     the one in use */
  current = (Curl_ssl == &Curl_ssl_multi) ? available_backends[0] : Curl_ssl;

  if(current != selected) {
    char *out = backends;
    char *const limit = backends + sizeof(backends);
    int idx;

    selected = current;
    backends[0] = '\0';
    for(idx = 0; available_backends[idx]; ++idx) {
      char vbuf[200];
      /* every backend except the selected one is shown in parentheses */
      bool paren = (selected != available_backends[idx]);
      if(!available_backends[idx]->version(vbuf, sizeof(vbuf)))
        continue;
      out += msnprintf(out, limit - out, "%s%s%s%s",
                       (out != backends ? " " : ""),
                       (paren ? "(" : ""), vbuf, (paren ? ")" : ""));
    }
    backends_len = out - backends;
  }

  if(!size)
    return 0;

  /* the caller's buffer is too small: copy what fits and terminate it */
  if(size <= backends_len) {
    strncpy(buffer, backends, size - 1);
    buffer[size - 1] = '\0';
    return size - 1;
  }
  strcpy(buffer, backends);
  return backends_len;
}
/*
 * multissl_setup() chooses the backend that Curl_ssl points to. An explicit
 * 'backend' wins; otherwise the CURL_SSL_BACKEND environment variable (or
 * CURL_DEFAULT_SSL_BACKEND when that is defined at build time) is matched
 * case-insensitively against the names in available_backends, falling back
 * to the first available backend.
 *
 * Returns 0 once a backend is set, 1 if one was already chosen before this
 * call or if no backend is available at all.
 */
static int multissl_setup(const struct Curl_ssl *backend)
{
  const struct Curl_ssl *chosen;
  const char *wanted;
  char *env_copy;
  int idx;

  /* already decided, nothing to do here */
  if(Curl_ssl != &Curl_ssl_multi)
    return 1;

  if(backend) {
    Curl_ssl = backend;
    return 0;
  }

  if(!available_backends[0])
    return 1;

  /* the environment value comes back allocated and is freed below */
  env_copy = curl_getenv("CURL_SSL_BACKEND");
  wanted = env_copy;
#ifdef CURL_DEFAULT_SSL_BACKEND
  if(!wanted)
    wanted = CURL_DEFAULT_SSL_BACKEND;
#endif

  /* a name that is not built in falls through to the first backend */
  chosen = available_backends[0];
  if(wanted) {
    for(idx = 0; available_backends[idx]; idx++) {
      if(strcasecompare(wanted, available_backends[idx]->info.name)) {
        chosen = available_backends[idx];
        break;
      }
    }
  }

  Curl_ssl = chosen;
  free(env_copy);
  return 0;
}
/* This function is used to select the SSL backend to use. It is called by
   curl_global_sslset (easy.c) which uses the global init lock.

   'id' and 'name' identify the wanted backend; either may match. When
   'avail' is non-NULL it receives the list of compiled-in backends
   regardless of the outcome.

   Returns CURLSSLSET_OK when the backend is (or already was) selected,
   CURLSSLSET_TOO_LATE when another backend is already in use in a multi-SSL
   build, and CURLSSLSET_UNKNOWN_BACKEND otherwise. */
CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
                                   const curl_ssl_backend ***avail)
{
  int idx;

  if(avail)
    *avail = (const curl_ssl_backend **)&available_backends;

  /* a backend is already in use: only a request for that one succeeds */
  if(Curl_ssl != &Curl_ssl_multi) {
    bool same = (id == Curl_ssl->info.id) ||
      (name && strcasecompare(name, Curl_ssl->info.name));
    if(same)
      return CURLSSLSET_OK;
#if defined(CURL_WITH_MULTI_SSL)
    /* other backends exist, but the choice has already been made */
    return CURLSSLSET_TOO_LATE;
#else
    return CURLSSLSET_UNKNOWN_BACKEND;
#endif
  }

  for(idx = 0; available_backends[idx]; idx++) {
    const struct Curl_ssl *candidate = available_backends[idx];
    if(candidate->info.id == id ||
       (name && strcasecompare(candidate->info.name, name))) {
      multissl_setup(candidate);
      return CURLSSLSET_OK;
    }
  }
  return CURLSSLSET_UNKNOWN_BACKEND;
}
  1276. #else /* USE_SSL */
/*
 * Without any SSL backend compiled in there is nothing to select: every
 * argument is ignored and CURLSSLSET_NO_BACKENDS is reported. Note that
 * 'avail' is not filled in by this variant.
 */
CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
                                   const curl_ssl_backend ***avail)
{
  (void)id; (void)name; (void)avail;
  return CURLSSLSET_NO_BACKENDS;
}
  1285. #endif /* !USE_SSL */