vtls.c 20 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at http://curl.haxx.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. ***************************************************************************/
  22. /* This file is for implementing all "generic" SSL functions that all libcurl
  23. internals should use. It is then responsible for calling the proper
  24. "backend" function.
  25. SSL-functions in libcurl should call functions in this source file, and not
  26. to any specific SSL-layer.
  27. Curl_ssl_ - prefix for generic ones
  28. Curl_ossl_ - prefix for OpenSSL ones
  29. Curl_gtls_ - prefix for GnuTLS ones
  30. Curl_nss_ - prefix for NSS ones
  31. Curl_gskit_ - prefix for GSKit ones
  32. Curl_polarssl_ - prefix for PolarSSL ones
  33. Curl_cyassl_ - prefix for CyaSSL ones
  34. Curl_schannel_ - prefix for Schannel SSPI ones
  35. Curl_darwinssl_ - prefix for SecureTransport (Darwin) ones
  36. Note that this source code uses curlssl_* functions, and they are all
  37. defines/macros #defined by the lib-specific header files.
  38. "SSL/TLS Strong Encryption: An Introduction"
  39. http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html
  40. */
  41. #include "curl_setup.h"
  42. #ifdef HAVE_SYS_TYPES_H
  43. #include <sys/types.h>
  44. #endif
  45. #ifdef HAVE_SYS_STAT_H
  46. #include <sys/stat.h>
  47. #endif
  48. #ifdef HAVE_FCNTL_H
  49. #include <fcntl.h>
  50. #endif
  51. #include "urldata.h"
  52. #include "vtls.h" /* generic SSL protos etc */
  53. #include "slist.h"
  54. #include "sendf.h"
  55. #include "rawstr.h"
  56. #include "url.h"
  57. #include "curl_memory.h"
  58. #include "progress.h"
  59. #include "share.h"
  60. #include "timeval.h"
  61. #include "curl_md5.h"
  62. #include "warnless.h"
  63. #define _MPRINTF_REPLACE /* use our functions only */
  64. #include <curl/mprintf.h>
  65. /* The last #include file should be: */
  66. #include "memdebug.h"
  67. /* convenience macro to check if this handle is using a shared SSL session */
  68. #define SSLSESSION_SHARED(data) (data->share && \
  69. (data->share->specifier & \
  70. (1<<CURL_LOCK_DATA_SSL_SESSION)))
  71. static bool safe_strequal(char* str1, char* str2)
  72. {
  73. if(str1 && str2)
  74. /* both pointers point to something then compare them */
  75. return (0 != Curl_raw_equal(str1, str2)) ? TRUE : FALSE;
  76. else
  77. /* if both pointers are NULL then treat them as equal */
  78. return (!str1 && !str2) ? TRUE : FALSE;
  79. }
  80. bool
  81. Curl_ssl_config_matches(struct ssl_config_data* data,
  82. struct ssl_config_data* needle)
  83. {
  84. if((data->version == needle->version) &&
  85. (data->verifypeer == needle->verifypeer) &&
  86. (data->verifyhost == needle->verifyhost) &&
  87. safe_strequal(data->CApath, needle->CApath) &&
  88. safe_strequal(data->CAfile, needle->CAfile) &&
  89. safe_strequal(data->random_file, needle->random_file) &&
  90. safe_strequal(data->egdsocket, needle->egdsocket) &&
  91. safe_strequal(data->cipher_list, needle->cipher_list))
  92. return TRUE;
  93. return FALSE;
  94. }
  95. bool
  96. Curl_clone_ssl_config(struct ssl_config_data *source,
  97. struct ssl_config_data *dest)
  98. {
  99. dest->sessionid = source->sessionid;
  100. dest->verifyhost = source->verifyhost;
  101. dest->verifypeer = source->verifypeer;
  102. dest->version = source->version;
  103. if(source->CAfile) {
  104. dest->CAfile = strdup(source->CAfile);
  105. if(!dest->CAfile)
  106. return FALSE;
  107. }
  108. else
  109. dest->CAfile = NULL;
  110. if(source->CApath) {
  111. dest->CApath = strdup(source->CApath);
  112. if(!dest->CApath)
  113. return FALSE;
  114. }
  115. else
  116. dest->CApath = NULL;
  117. if(source->cipher_list) {
  118. dest->cipher_list = strdup(source->cipher_list);
  119. if(!dest->cipher_list)
  120. return FALSE;
  121. }
  122. else
  123. dest->cipher_list = NULL;
  124. if(source->egdsocket) {
  125. dest->egdsocket = strdup(source->egdsocket);
  126. if(!dest->egdsocket)
  127. return FALSE;
  128. }
  129. else
  130. dest->egdsocket = NULL;
  131. if(source->random_file) {
  132. dest->random_file = strdup(source->random_file);
  133. if(!dest->random_file)
  134. return FALSE;
  135. }
  136. else
  137. dest->random_file = NULL;
  138. return TRUE;
  139. }
  140. void Curl_free_ssl_config(struct ssl_config_data* sslc)
  141. {
  142. Curl_safefree(sslc->CAfile);
  143. Curl_safefree(sslc->CApath);
  144. Curl_safefree(sslc->cipher_list);
  145. Curl_safefree(sslc->egdsocket);
  146. Curl_safefree(sslc->random_file);
  147. }
  148. /*
  149. * Curl_rand() returns a random unsigned integer, 32bit.
  150. *
  151. * This non-SSL function is put here only because this file is the only one
  152. * with knowledge of what the underlying SSL libraries provide in terms of
  153. * randomizers.
  154. *
  155. * NOTE: 'data' may be passed in as NULL when coming from external API without
  156. * easy handle!
  157. *
  158. */
  159. unsigned int Curl_rand(struct SessionHandle *data)
  160. {
  161. unsigned int r = 0;
  162. static unsigned int randseed;
  163. static bool seeded = FALSE;
  164. #ifdef CURLDEBUG
  165. char *force_entropy = getenv("CURL_ENTROPY");
  166. if(force_entropy) {
  167. if(!seeded) {
  168. size_t elen = strlen(force_entropy);
  169. size_t clen = sizeof(randseed);
  170. size_t min = elen < clen ? elen : clen;
  171. memcpy((char *)&randseed, force_entropy, min);
  172. seeded = TRUE;
  173. }
  174. else
  175. randseed++;
  176. return randseed;
  177. }
  178. #endif
  179. /* data may be NULL! */
  180. if(!Curl_ssl_random(data, (unsigned char *)&r, sizeof(r)))
  181. return r;
  182. /* If Curl_ssl_random() returns non-zero it couldn't offer randomness and we
  183. instead perform a "best effort" */
  184. #ifdef RANDOM_FILE
  185. if(!seeded) {
  186. /* if there's a random file to read a seed from, use it */
  187. int fd = open(RANDOM_FILE, O_RDONLY);
  188. if(fd > -1) {
  189. /* read random data into the randseed variable */
  190. ssize_t nread = read(fd, &randseed, sizeof(randseed));
  191. if(nread == sizeof(randseed))
  192. seeded = TRUE;
  193. close(fd);
  194. }
  195. }
  196. #endif
  197. if(!seeded) {
  198. struct timeval now = curlx_tvnow();
  199. infof(data, "WARNING: Using weak random seed\n");
  200. randseed += (unsigned int)now.tv_usec + (unsigned int)now.tv_sec;
  201. randseed = randseed * 1103515245 + 12345;
  202. randseed = randseed * 1103515245 + 12345;
  203. randseed = randseed * 1103515245 + 12345;
  204. seeded = TRUE;
  205. }
  206. /* Return an unsigned 32-bit pseudo-random number. */
  207. r = randseed = randseed * 1103515245 + 12345;
  208. return (r << 16) | ((r >> 16) & 0xFFFF);
  209. }
  210. int Curl_ssl_backend(void)
  211. {
  212. return (int)CURL_SSL_BACKEND;
  213. }
  214. #ifdef USE_SSL
  215. /* "global" init done? */
  216. static bool init_ssl=FALSE;
  217. /**
  218. * Global SSL init
  219. *
  220. * @retval 0 error initializing SSL
  221. * @retval 1 SSL initialized successfully
  222. */
  223. int Curl_ssl_init(void)
  224. {
  225. /* make sure this is only done once */
  226. if(init_ssl)
  227. return 1;
  228. init_ssl = TRUE; /* never again */
  229. return curlssl_init();
  230. }
  231. /* Global cleanup */
  232. void Curl_ssl_cleanup(void)
  233. {
  234. if(init_ssl) {
  235. /* only cleanup if we did a previous init */
  236. curlssl_cleanup();
  237. init_ssl = FALSE;
  238. }
  239. }
  240. CURLcode
  241. Curl_ssl_connect(struct connectdata *conn, int sockindex)
  242. {
  243. CURLcode result;
  244. /* mark this is being ssl-enabled from here on. */
  245. conn->ssl[sockindex].use = TRUE;
  246. conn->ssl[sockindex].state = ssl_connection_negotiating;
  247. result = curlssl_connect(conn, sockindex);
  248. if(!result)
  249. Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */
  250. return result;
  251. }
  252. CURLcode
  253. Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex,
  254. bool *done)
  255. {
  256. CURLcode result;
  257. /* mark this is being ssl requested from here on. */
  258. conn->ssl[sockindex].use = TRUE;
  259. #ifdef curlssl_connect_nonblocking
  260. result = curlssl_connect_nonblocking(conn, sockindex, done);
  261. #else
  262. *done = TRUE; /* fallback to BLOCKING */
  263. result = curlssl_connect(conn, sockindex);
  264. #endif /* non-blocking connect support */
  265. if(!result && *done)
  266. Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */
  267. return result;
  268. }
  269. /*
  270. * Check if there's a session ID for the given connection in the cache, and if
  271. * there's one suitable, it is provided. Returns TRUE when no entry matched.
  272. */
  273. int Curl_ssl_getsessionid(struct connectdata *conn,
  274. void **ssl_sessionid,
  275. size_t *idsize) /* set 0 if unknown */
  276. {
  277. struct curl_ssl_session *check;
  278. struct SessionHandle *data = conn->data;
  279. size_t i;
  280. long *general_age;
  281. bool no_match = TRUE;
  282. *ssl_sessionid = NULL;
  283. if(!conn->ssl_config.sessionid)
  284. /* session ID re-use is disabled */
  285. return TRUE;
  286. /* Lock if shared */
  287. if(SSLSESSION_SHARED(data)) {
  288. Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
  289. general_age = &data->share->sessionage;
  290. }
  291. else
  292. general_age = &data->state.sessionage;
  293. for(i = 0; i < data->set.ssl.max_ssl_sessions; i++) {
  294. check = &data->state.session[i];
  295. if(!check->sessionid)
  296. /* not session ID means blank entry */
  297. continue;
  298. if(Curl_raw_equal(conn->host.name, check->name) &&
  299. (conn->remote_port == check->remote_port) &&
  300. Curl_ssl_config_matches(&conn->ssl_config, &check->ssl_config)) {
  301. /* yes, we have a session ID! */
  302. (*general_age)++; /* increase general age */
  303. check->age = *general_age; /* set this as used in this age */
  304. *ssl_sessionid = check->sessionid;
  305. if(idsize)
  306. *idsize = check->idsize;
  307. no_match = FALSE;
  308. break;
  309. }
  310. }
  311. /* Unlock */
  312. if(SSLSESSION_SHARED(data))
  313. Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
  314. return no_match;
  315. }
  316. /*
  317. * Kill a single session ID entry in the cache.
  318. */
  319. void Curl_ssl_kill_session(struct curl_ssl_session *session)
  320. {
  321. if(session->sessionid) {
  322. /* defensive check */
  323. /* free the ID the SSL-layer specific way */
  324. curlssl_session_free(session->sessionid);
  325. session->sessionid = NULL;
  326. session->age = 0; /* fresh */
  327. Curl_free_ssl_config(&session->ssl_config);
  328. Curl_safefree(session->name);
  329. }
  330. }
  331. /*
  332. * Delete the given session ID from the cache.
  333. */
  334. void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
  335. {
  336. size_t i;
  337. struct SessionHandle *data=conn->data;
  338. if(SSLSESSION_SHARED(data))
  339. Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
  340. for(i = 0; i < data->set.ssl.max_ssl_sessions; i++) {
  341. struct curl_ssl_session *check = &data->state.session[i];
  342. if(check->sessionid == ssl_sessionid) {
  343. Curl_ssl_kill_session(check);
  344. break;
  345. }
  346. }
  347. if(SSLSESSION_SHARED(data))
  348. Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
  349. }
  350. /*
  351. * Store session id in the session cache. The ID passed on to this function
  352. * must already have been extracted and allocated the proper way for the SSL
  353. * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
  354. * later on.
  355. */
  356. CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
  357. void *ssl_sessionid,
  358. size_t idsize)
  359. {
  360. size_t i;
  361. struct SessionHandle *data=conn->data; /* the mother of all structs */
  362. struct curl_ssl_session *store = &data->state.session[0];
  363. long oldest_age=data->state.session[0].age; /* zero if unused */
  364. char *clone_host;
  365. long *general_age;
  366. /* Even though session ID re-use might be disabled, that only disables USING
  367. IT. We still store it here in case the re-using is again enabled for an
  368. upcoming transfer */
  369. clone_host = strdup(conn->host.name);
  370. if(!clone_host)
  371. return CURLE_OUT_OF_MEMORY; /* bail out */
  372. /* Now we should add the session ID and the host name to the cache, (remove
  373. the oldest if necessary) */
  374. /* If using shared SSL session, lock! */
  375. if(SSLSESSION_SHARED(data)) {
  376. Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
  377. general_age = &data->share->sessionage;
  378. }
  379. else {
  380. general_age = &data->state.sessionage;
  381. }
  382. /* find an empty slot for us, or find the oldest */
  383. for(i = 1; (i < data->set.ssl.max_ssl_sessions) &&
  384. data->state.session[i].sessionid; i++) {
  385. if(data->state.session[i].age < oldest_age) {
  386. oldest_age = data->state.session[i].age;
  387. store = &data->state.session[i];
  388. }
  389. }
  390. if(i == data->set.ssl.max_ssl_sessions)
  391. /* cache is full, we must "kill" the oldest entry! */
  392. Curl_ssl_kill_session(store);
  393. else
  394. store = &data->state.session[i]; /* use this slot */
  395. /* now init the session struct wisely */
  396. store->sessionid = ssl_sessionid;
  397. store->idsize = idsize;
  398. store->age = *general_age; /* set current age */
  399. if(store->name)
  400. /* free it if there's one already present */
  401. free(store->name);
  402. store->name = clone_host; /* clone host name */
  403. store->remote_port = conn->remote_port; /* port number */
  404. /* Unlock */
  405. if(SSLSESSION_SHARED(data))
  406. Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
  407. if(!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config)) {
  408. store->sessionid = NULL; /* let caller free sessionid */
  409. free(clone_host);
  410. return CURLE_OUT_OF_MEMORY;
  411. }
  412. return CURLE_OK;
  413. }
  414. void Curl_ssl_close_all(struct SessionHandle *data)
  415. {
  416. size_t i;
  417. /* kill the session ID cache if not shared */
  418. if(data->state.session && !SSLSESSION_SHARED(data)) {
  419. for(i = 0; i < data->set.ssl.max_ssl_sessions; i++)
  420. /* the single-killer function handles empty table slots */
  421. Curl_ssl_kill_session(&data->state.session[i]);
  422. /* free the cache data */
  423. Curl_safefree(data->state.session);
  424. }
  425. curlssl_close_all(data);
  426. }
  427. void Curl_ssl_close(struct connectdata *conn, int sockindex)
  428. {
  429. DEBUGASSERT((sockindex <= 1) && (sockindex >= -1));
  430. curlssl_close(conn, sockindex);
  431. }
  432. CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex)
  433. {
  434. if(curlssl_shutdown(conn, sockindex))
  435. return CURLE_SSL_SHUTDOWN_FAILED;
  436. conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */
  437. conn->ssl[sockindex].state = ssl_connection_none;
  438. conn->recv[sockindex] = Curl_recv_plain;
  439. conn->send[sockindex] = Curl_send_plain;
  440. return CURLE_OK;
  441. }
  442. /* Selects an SSL crypto engine
  443. */
  444. CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine)
  445. {
  446. return curlssl_set_engine(data, engine);
  447. }
  448. /* Selects the default SSL crypto engine
  449. */
  450. CURLcode Curl_ssl_set_engine_default(struct SessionHandle *data)
  451. {
  452. return curlssl_set_engine_default(data);
  453. }
  454. /* Return list of OpenSSL crypto engine names. */
  455. struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data)
  456. {
  457. return curlssl_engines_list(data);
  458. }
  459. /*
  460. * This sets up a session ID cache to the specified size. Make sure this code
  461. * is agnostic to what underlying SSL technology we use.
  462. */
  463. CURLcode Curl_ssl_initsessions(struct SessionHandle *data, size_t amount)
  464. {
  465. struct curl_ssl_session *session;
  466. if(data->state.session)
  467. /* this is just a precaution to prevent multiple inits */
  468. return CURLE_OK;
  469. session = calloc(amount, sizeof(struct curl_ssl_session));
  470. if(!session)
  471. return CURLE_OUT_OF_MEMORY;
  472. /* store the info in the SSL section */
  473. data->set.ssl.max_ssl_sessions = amount;
  474. data->state.session = session;
  475. data->state.sessionage = 1; /* this is brand new */
  476. return CURLE_OK;
  477. }
  478. size_t Curl_ssl_version(char *buffer, size_t size)
  479. {
  480. return curlssl_version(buffer, size);
  481. }
  482. /*
  483. * This function tries to determine connection status.
  484. *
  485. * Return codes:
  486. * 1 means the connection is still in place
  487. * 0 means the connection has been closed
  488. * -1 means the connection status is unknown
  489. */
  490. int Curl_ssl_check_cxn(struct connectdata *conn)
  491. {
  492. return curlssl_check_cxn(conn);
  493. }
  494. bool Curl_ssl_data_pending(const struct connectdata *conn,
  495. int connindex)
  496. {
  497. return curlssl_data_pending(conn, connindex);
  498. }
  499. void Curl_ssl_free_certinfo(struct SessionHandle *data)
  500. {
  501. int i;
  502. struct curl_certinfo *ci = &data->info.certs;
  503. if(ci->num_of_certs) {
  504. /* free all individual lists used */
  505. for(i=0; i<ci->num_of_certs; i++) {
  506. curl_slist_free_all(ci->certinfo[i]);
  507. ci->certinfo[i] = NULL;
  508. }
  509. free(ci->certinfo); /* free the actual array too */
  510. ci->certinfo = NULL;
  511. ci->num_of_certs = 0;
  512. }
  513. }
  514. int Curl_ssl_init_certinfo(struct SessionHandle * data,
  515. int num)
  516. {
  517. struct curl_certinfo * ci = &data->info.certs;
  518. struct curl_slist * * table;
  519. /* Initialize the certificate information structures. Return 0 if OK, else 1.
  520. */
  521. Curl_ssl_free_certinfo(data);
  522. ci->num_of_certs = num;
  523. table = calloc((size_t) num, sizeof(struct curl_slist *));
  524. if(!table)
  525. return 1;
  526. ci->certinfo = table;
  527. return 0;
  528. }
  529. /*
  530. * 'value' is NOT a zero terminated string
  531. */
  532. CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data,
  533. int certnum,
  534. const char *label,
  535. const char *value,
  536. size_t valuelen)
  537. {
  538. struct curl_certinfo * ci = &data->info.certs;
  539. char * output;
  540. struct curl_slist * nl;
  541. CURLcode result = CURLE_OK;
  542. size_t labellen = strlen(label);
  543. size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */
  544. output = malloc(outlen);
  545. if(!output)
  546. return CURLE_OUT_OF_MEMORY;
  547. /* sprintf the label and colon */
  548. snprintf(output, outlen, "%s:", label);
  549. /* memcpy the value (it might not be zero terminated) */
  550. memcpy(&output[labellen+1], value, valuelen);
  551. /* zero terminate the output */
  552. output[labellen + 1 + valuelen] = 0;
  553. nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
  554. if(!nl) {
  555. free(output);
  556. curl_slist_free_all(ci->certinfo[certnum]);
  557. result = CURLE_OUT_OF_MEMORY;
  558. }
  559. ci->certinfo[certnum] = nl;
  560. return result;
  561. }
  562. /*
  563. * This is a convenience function for push_certinfo_len that takes a zero
  564. * terminated value.
  565. */
  566. CURLcode Curl_ssl_push_certinfo(struct SessionHandle *data,
  567. int certnum,
  568. const char *label,
  569. const char *value)
  570. {
  571. size_t valuelen = strlen(value);
  572. return Curl_ssl_push_certinfo_len(data, certnum, label, value, valuelen);
  573. }
  574. int Curl_ssl_random(struct SessionHandle *data,
  575. unsigned char *entropy,
  576. size_t length)
  577. {
  578. return curlssl_random(data, entropy, length);
  579. }
  580. /*
  581. * Generic pinned public key check.
  582. */
  583. CURLcode Curl_pin_peer_pubkey(const char *pinnedpubkey,
  584. const unsigned char *pubkey, size_t pubkeylen)
  585. {
  586. FILE *fp = NULL;
  587. unsigned char *buf = NULL;
  588. long size = 0;
  589. CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
  590. /* if a path wasn't specified, don't pin */
  591. if(!pinnedpubkey)
  592. return CURLE_OK;
  593. if(!pubkey || !pubkeylen)
  594. return result;
  595. fp = fopen(pinnedpubkey, "rb");
  596. if(!fp)
  597. return result;
  598. do {
  599. /* Determine the file's size */
  600. if(fseek(fp, 0, SEEK_END))
  601. break;
  602. size = ftell(fp);
  603. if(fseek(fp, 0, SEEK_SET))
  604. break;
  605. /*
  606. * if the size of our certificate doesn't match the size of
  607. * the file, they can't be the same, don't bother reading it
  608. */
  609. if((long) pubkeylen != size)
  610. break;
  611. /* Allocate buffer for the pinned key. */
  612. buf = malloc(pubkeylen);
  613. if(!buf)
  614. break;
  615. /* Returns number of elements read, which should be 1 */
  616. if((int) fread(buf, pubkeylen, 1, fp) != 1)
  617. break;
  618. /* The one good exit point */
  619. if(!memcmp(pubkey, buf, pubkeylen))
  620. result = CURLE_OK;
  621. } while(0);
  622. Curl_safefree(buf);
  623. fclose(fp);
  624. return result;
  625. }
  626. void Curl_ssl_md5sum(unsigned char *tmp, /* input */
  627. size_t tmplen,
  628. unsigned char *md5sum, /* output */
  629. size_t md5len)
  630. {
  631. #ifdef curlssl_md5sum
  632. curlssl_md5sum(tmp, tmplen, md5sum, md5len);
  633. #else
  634. MD5_context *MD5pw;
  635. (void) md5len;
  636. MD5pw = Curl_MD5_init(Curl_DIGEST_MD5);
  637. Curl_MD5_update(MD5pw, tmp, curlx_uztoui(tmplen));
  638. Curl_MD5_final(MD5pw, md5sum);
  639. #endif
  640. }
  641. #endif /* USE_SSL */