vtls.c 54 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053
  1. /***************************************************************************
  2. * _ _ ____ _
  3. * Project ___| | | | _ \| |
  4. * / __| | | | |_) | |
  5. * | (__| |_| | _ <| |___
  6. * \___|\___/|_| \_\_____|
  7. *
  8. * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
  9. *
  10. * This software is licensed as described in the file COPYING, which
  11. * you should have received as part of this distribution. The terms
  12. * are also available at https://curl.se/docs/copyright.html.
  13. *
  14. * You may opt to use, copy, modify, merge, publish, distribute and/or sell
  15. * copies of the Software, and permit persons to whom the Software is
  16. * furnished to do so, under the terms of the COPYING file.
  17. *
  18. * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
  19. * KIND, either express or implied.
  20. *
  21. * SPDX-License-Identifier: curl
  22. *
  23. ***************************************************************************/
  24. /* This file is for implementing all "generic" SSL functions that all libcurl
  25. internals should use. It is then responsible for calling the proper
  26. "backend" function.
  27. SSL-functions in libcurl should call functions in this source file, and not
  28. to any specific SSL-layer.
  29. Curl_ssl_ - prefix for generic ones
  30. Note that this source code uses the functions of the configured SSL
  31. backend via the global Curl_ssl instance.
  32. "SSL/TLS Strong Encryption: An Introduction"
  33. https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
  34. */
  35. #include "curl_setup.h"
  36. #ifdef HAVE_SYS_TYPES_H
  37. #include <sys/types.h>
  38. #endif
  39. #ifdef HAVE_SYS_STAT_H
  40. #include <sys/stat.h>
  41. #endif
  42. #ifdef HAVE_FCNTL_H
  43. #include <fcntl.h>
  44. #endif
  45. #include "urldata.h"
  46. #include "cfilters.h"
  47. #include "vtls.h" /* generic SSL protos etc */
  48. #include "vtls_int.h"
  49. #include "slist.h"
  50. #include "sendf.h"
  51. #include "strcase.h"
  52. #include "url.h"
  53. #include "progress.h"
  54. #include "share.h"
  55. #include "multiif.h"
  56. #include "timeval.h"
  57. #include "curl_md5.h"
  58. #include "warnless.h"
  59. #include "curl_base64.h"
  60. #include "curl_printf.h"
  61. #include "strdup.h"
  62. /* The last #include files should be: */
  63. #include "curl_memory.h"
  64. #include "memdebug.h"
  65. /* convenience macro to check if this handle is using a shared SSL session */
  66. #define SSLSESSION_SHARED(data) (data->share && \
  67. (data->share->specifier & \
  68. (1<<CURL_LOCK_DATA_SSL_SESSION)))
  69. #define CLONE_STRING(var) \
  70. do { \
  71. if(source->var) { \
  72. dest->var = strdup(source->var); \
  73. if(!dest->var) \
  74. return FALSE; \
  75. } \
  76. else \
  77. dest->var = NULL; \
  78. } while(0)
  79. #define CLONE_BLOB(var) \
  80. do { \
  81. if(blobdup(&dest->var, source->var)) \
  82. return FALSE; \
  83. } while(0)
  84. static CURLcode blobdup(struct curl_blob **dest,
  85. struct curl_blob *src)
  86. {
  87. DEBUGASSERT(dest);
  88. DEBUGASSERT(!*dest);
  89. if(src) {
  90. /* only if there's data to dupe! */
  91. struct curl_blob *d;
  92. d = malloc(sizeof(struct curl_blob) + src->len);
  93. if(!d)
  94. return CURLE_OUT_OF_MEMORY;
  95. d->len = src->len;
  96. /* Always duplicate because the connection may survive longer than the
  97. handle that passed in the blob. */
  98. d->flags = CURL_BLOB_COPY;
  99. d->data = (void *)((char *)d + sizeof(struct curl_blob));
  100. memcpy(d->data, src->data, src->len);
  101. *dest = d;
  102. }
  103. return CURLE_OK;
  104. }
  105. /* returns TRUE if the blobs are identical */
  106. static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
  107. {
  108. if(!first && !second) /* both are NULL */
  109. return TRUE;
  110. if(!first || !second) /* one is NULL */
  111. return FALSE;
  112. if(first->len != second->len) /* different sizes */
  113. return FALSE;
  114. return !memcmp(first->data, second->data, first->len); /* same data */
  115. }
  116. #ifdef USE_SSL
  117. static const struct alpn_spec ALPN_SPEC_H10 = {
  118. { ALPN_HTTP_1_0 }, 1
  119. };
  120. static const struct alpn_spec ALPN_SPEC_H11 = {
  121. { ALPN_HTTP_1_1 }, 1
  122. };
  123. #ifdef USE_HTTP2
  124. static const struct alpn_spec ALPN_SPEC_H2_H11 = {
  125. { ALPN_H2, ALPN_HTTP_1_1 }, 2
  126. };
  127. #endif
  128. static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
  129. {
  130. if(!use_alpn)
  131. return NULL;
  132. if(httpwant == CURL_HTTP_VERSION_1_0)
  133. return &ALPN_SPEC_H10;
  134. #ifdef USE_HTTP2
  135. if(httpwant >= CURL_HTTP_VERSION_2)
  136. return &ALPN_SPEC_H2_H11;
  137. #endif
  138. return &ALPN_SPEC_H11;
  139. }
  140. #endif /* USE_SSL */
  141. bool
  142. Curl_ssl_config_matches(struct ssl_primary_config *data,
  143. struct ssl_primary_config *needle)
  144. {
  145. if((data->version == needle->version) &&
  146. (data->version_max == needle->version_max) &&
  147. (data->ssl_options == needle->ssl_options) &&
  148. (data->verifypeer == needle->verifypeer) &&
  149. (data->verifyhost == needle->verifyhost) &&
  150. (data->verifystatus == needle->verifystatus) &&
  151. blobcmp(data->cert_blob, needle->cert_blob) &&
  152. blobcmp(data->ca_info_blob, needle->ca_info_blob) &&
  153. blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
  154. Curl_safecmp(data->CApath, needle->CApath) &&
  155. Curl_safecmp(data->CAfile, needle->CAfile) &&
  156. Curl_safecmp(data->issuercert, needle->issuercert) &&
  157. Curl_safecmp(data->clientcert, needle->clientcert) &&
  158. #ifdef USE_TLS_SRP
  159. !Curl_timestrcmp(data->username, needle->username) &&
  160. !Curl_timestrcmp(data->password, needle->password) &&
  161. #endif
  162. strcasecompare(data->cipher_list, needle->cipher_list) &&
  163. strcasecompare(data->cipher_list13, needle->cipher_list13) &&
  164. strcasecompare(data->curves, needle->curves) &&
  165. strcasecompare(data->CRLfile, needle->CRLfile) &&
  166. strcasecompare(data->pinned_key, needle->pinned_key))
  167. return TRUE;
  168. return FALSE;
  169. }
  170. bool
  171. Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
  172. struct ssl_primary_config *dest)
  173. {
  174. dest->version = source->version;
  175. dest->version_max = source->version_max;
  176. dest->verifypeer = source->verifypeer;
  177. dest->verifyhost = source->verifyhost;
  178. dest->verifystatus = source->verifystatus;
  179. dest->sessionid = source->sessionid;
  180. dest->ssl_options = source->ssl_options;
  181. CLONE_BLOB(cert_blob);
  182. CLONE_BLOB(ca_info_blob);
  183. CLONE_BLOB(issuercert_blob);
  184. CLONE_STRING(CApath);
  185. CLONE_STRING(CAfile);
  186. CLONE_STRING(issuercert);
  187. CLONE_STRING(clientcert);
  188. CLONE_STRING(cipher_list);
  189. CLONE_STRING(cipher_list13);
  190. CLONE_STRING(pinned_key);
  191. CLONE_STRING(curves);
  192. CLONE_STRING(CRLfile);
  193. #ifdef USE_TLS_SRP
  194. CLONE_STRING(username);
  195. CLONE_STRING(password);
  196. #endif
  197. return TRUE;
  198. }
  199. void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
  200. {
  201. Curl_safefree(sslc->CApath);
  202. Curl_safefree(sslc->CAfile);
  203. Curl_safefree(sslc->issuercert);
  204. Curl_safefree(sslc->clientcert);
  205. Curl_safefree(sslc->cipher_list);
  206. Curl_safefree(sslc->cipher_list13);
  207. Curl_safefree(sslc->pinned_key);
  208. Curl_safefree(sslc->cert_blob);
  209. Curl_safefree(sslc->ca_info_blob);
  210. Curl_safefree(sslc->issuercert_blob);
  211. Curl_safefree(sslc->curves);
  212. Curl_safefree(sslc->CRLfile);
  213. #ifdef USE_TLS_SRP
  214. Curl_safefree(sslc->username);
  215. Curl_safefree(sslc->password);
  216. #endif
  217. }
  218. #ifdef USE_SSL
  219. static int multissl_setup(const struct Curl_ssl *backend);
  220. #endif
  221. curl_sslbackend Curl_ssl_backend(void)
  222. {
  223. #ifdef USE_SSL
  224. multissl_setup(NULL);
  225. return Curl_ssl->info.id;
  226. #else
  227. return CURLSSLBACKEND_NONE;
  228. #endif
  229. }
  230. #ifdef USE_SSL
  231. /* "global" init done? */
  232. static bool init_ssl = FALSE;
  233. /**
  234. * Global SSL init
  235. *
  236. * @retval 0 error initializing SSL
  237. * @retval 1 SSL initialized successfully
  238. */
  239. int Curl_ssl_init(void)
  240. {
  241. /* make sure this is only done once */
  242. if(init_ssl)
  243. return 1;
  244. init_ssl = TRUE; /* never again */
  245. return Curl_ssl->init();
  246. }
  247. #if defined(CURL_WITH_MULTI_SSL)
  248. static const struct Curl_ssl Curl_ssl_multi;
  249. #endif
  250. /* Global cleanup */
  251. void Curl_ssl_cleanup(void)
  252. {
  253. if(init_ssl) {
  254. /* only cleanup if we did a previous init */
  255. Curl_ssl->cleanup();
  256. #if defined(CURL_WITH_MULTI_SSL)
  257. Curl_ssl = &Curl_ssl_multi;
  258. #endif
  259. init_ssl = FALSE;
  260. }
  261. }
  262. static bool ssl_prefs_check(struct Curl_easy *data)
  263. {
  264. /* check for CURLOPT_SSLVERSION invalid parameter value */
  265. const unsigned char sslver = data->set.ssl.primary.version;
  266. if(sslver >= CURL_SSLVERSION_LAST) {
  267. failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
  268. return FALSE;
  269. }
  270. switch(data->set.ssl.primary.version_max) {
  271. case CURL_SSLVERSION_MAX_NONE:
  272. case CURL_SSLVERSION_MAX_DEFAULT:
  273. break;
  274. default:
  275. if((data->set.ssl.primary.version_max >> 16) < sslver) {
  276. failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
  277. return FALSE;
  278. }
  279. }
  280. return TRUE;
  281. }
  282. static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
  283. const struct alpn_spec *alpn)
  284. {
  285. struct ssl_connect_data *ctx;
  286. (void)data;
  287. ctx = calloc(1, sizeof(*ctx));
  288. if(!ctx)
  289. return NULL;
  290. ctx->alpn = alpn;
  291. ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
  292. if(!ctx->backend) {
  293. free(ctx);
  294. return NULL;
  295. }
  296. return ctx;
  297. }
  298. static void cf_ctx_free(struct ssl_connect_data *ctx)
  299. {
  300. if(ctx) {
  301. free(ctx->backend);
  302. free(ctx);
  303. }
  304. }
  305. static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data)
  306. {
  307. struct ssl_connect_data *connssl = cf->ctx;
  308. CURLcode result;
  309. if(!ssl_prefs_check(data))
  310. return CURLE_SSL_CONNECT_ERROR;
  311. /* mark this is being ssl-enabled from here on. */
  312. connssl->state = ssl_connection_negotiating;
  313. result = Curl_ssl->connect_blocking(cf, data);
  314. if(!result) {
  315. DEBUGASSERT(connssl->state == ssl_connection_complete);
  316. }
  317. return result;
  318. }
  319. static CURLcode
  320. ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data,
  321. bool *done)
  322. {
  323. if(!ssl_prefs_check(data))
  324. return CURLE_SSL_CONNECT_ERROR;
  325. /* mark this is being ssl requested from here on. */
  326. return Curl_ssl->connect_nonblocking(cf, data, done);
  327. }
  328. /*
  329. * Lock shared SSL session data
  330. */
  331. void Curl_ssl_sessionid_lock(struct Curl_easy *data)
  332. {
  333. if(SSLSESSION_SHARED(data))
  334. Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
  335. }
  336. /*
  337. * Unlock shared SSL session data
  338. */
  339. void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
  340. {
  341. if(SSLSESSION_SHARED(data))
  342. Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
  343. }
  344. /*
  345. * Check if there's a session ID for the given connection in the cache, and if
  346. * there's one suitable, it is provided. Returns TRUE when no entry matched.
  347. */
  348. bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
  349. struct Curl_easy *data,
  350. void **ssl_sessionid,
  351. size_t *idsize) /* set 0 if unknown */
  352. {
  353. struct ssl_connect_data *connssl = cf->ctx;
  354. struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  355. struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  356. struct Curl_ssl_session *check;
  357. size_t i;
  358. long *general_age;
  359. bool no_match = TRUE;
  360. *ssl_sessionid = NULL;
  361. if(!ssl_config)
  362. return TRUE;
  363. DEBUGASSERT(ssl_config->primary.sessionid);
  364. if(!ssl_config->primary.sessionid || !data->state.session)
  365. /* session ID re-use is disabled or the session cache has not been
  366. setup */
  367. return TRUE;
  368. /* Lock if shared */
  369. if(SSLSESSION_SHARED(data))
  370. general_age = &data->share->sessionage;
  371. else
  372. general_age = &data->state.sessionage;
  373. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  374. check = &data->state.session[i];
  375. if(!check->sessionid)
  376. /* not session ID means blank entry */
  377. continue;
  378. if(strcasecompare(connssl->hostname, check->name) &&
  379. ((!cf->conn->bits.conn_to_host && !check->conn_to_host) ||
  380. (cf->conn->bits.conn_to_host && check->conn_to_host &&
  381. strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
  382. ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) ||
  383. (cf->conn->bits.conn_to_port && check->conn_to_port != -1 &&
  384. cf->conn->conn_to_port == check->conn_to_port)) &&
  385. (connssl->port == check->remote_port) &&
  386. strcasecompare(cf->conn->handler->scheme, check->scheme) &&
  387. Curl_ssl_config_matches(conn_config, &check->ssl_config)) {
  388. /* yes, we have a session ID! */
  389. (*general_age)++; /* increase general age */
  390. check->age = *general_age; /* set this as used in this age */
  391. *ssl_sessionid = check->sessionid;
  392. if(idsize)
  393. *idsize = check->idsize;
  394. no_match = FALSE;
  395. break;
  396. }
  397. }
  398. DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d",
  399. no_match? "Didn't find": "Found",
  400. Curl_ssl_cf_is_proxy(cf) ? "proxy" : "host",
  401. cf->conn->handler->scheme, connssl->hostname, connssl->port));
  402. return no_match;
  403. }
  404. /*
  405. * Kill a single session ID entry in the cache.
  406. */
  407. void Curl_ssl_kill_session(struct Curl_ssl_session *session)
  408. {
  409. if(session->sessionid) {
  410. /* defensive check */
  411. /* free the ID the SSL-layer specific way */
  412. Curl_ssl->session_free(session->sessionid);
  413. session->sessionid = NULL;
  414. session->age = 0; /* fresh */
  415. Curl_free_primary_ssl_config(&session->ssl_config);
  416. Curl_safefree(session->name);
  417. Curl_safefree(session->conn_to_host);
  418. }
  419. }
  420. /*
  421. * Delete the given session ID from the cache.
  422. */
  423. void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
  424. {
  425. size_t i;
  426. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
  427. struct Curl_ssl_session *check = &data->state.session[i];
  428. if(check->sessionid == ssl_sessionid) {
  429. Curl_ssl_kill_session(check);
  430. break;
  431. }
  432. }
  433. }
  434. /*
  435. * Store session id in the session cache. The ID passed on to this function
  436. * must already have been extracted and allocated the proper way for the SSL
  437. * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
  438. * later on.
  439. */
  440. CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf,
  441. struct Curl_easy *data,
  442. void *ssl_sessionid,
  443. size_t idsize,
  444. bool *added)
  445. {
  446. struct ssl_connect_data *connssl = cf->ctx;
  447. struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
  448. struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
  449. size_t i;
  450. struct Curl_ssl_session *store;
  451. long oldest_age;
  452. char *clone_host;
  453. char *clone_conn_to_host;
  454. int conn_to_port;
  455. long *general_age;
  456. if(added)
  457. *added = FALSE;
  458. if(!data->state.session)
  459. return CURLE_OK;
  460. store = &data->state.session[0];
  461. oldest_age = data->state.session[0].age; /* zero if unused */
  462. (void)ssl_config;
  463. DEBUGASSERT(ssl_config->primary.sessionid);
  464. clone_host = strdup(connssl->hostname);
  465. if(!clone_host)
  466. return CURLE_OUT_OF_MEMORY; /* bail out */
  467. if(cf->conn->bits.conn_to_host) {
  468. clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
  469. if(!clone_conn_to_host) {
  470. free(clone_host);
  471. return CURLE_OUT_OF_MEMORY; /* bail out */
  472. }
  473. }
  474. else
  475. clone_conn_to_host = NULL;
  476. if(cf->conn->bits.conn_to_port)
  477. conn_to_port = cf->conn->conn_to_port;
  478. else
  479. conn_to_port = -1;
  480. /* Now we should add the session ID and the host name to the cache, (remove
  481. the oldest if necessary) */
  482. /* If using shared SSL session, lock! */
  483. if(SSLSESSION_SHARED(data)) {
  484. general_age = &data->share->sessionage;
  485. }
  486. else {
  487. general_age = &data->state.sessionage;
  488. }
  489. /* find an empty slot for us, or find the oldest */
  490. for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
  491. data->state.session[i].sessionid; i++) {
  492. if(data->state.session[i].age < oldest_age) {
  493. oldest_age = data->state.session[i].age;
  494. store = &data->state.session[i];
  495. }
  496. }
  497. if(i == data->set.general_ssl.max_ssl_sessions)
  498. /* cache is full, we must "kill" the oldest entry! */
  499. Curl_ssl_kill_session(store);
  500. else
  501. store = &data->state.session[i]; /* use this slot */
  502. /* now init the session struct wisely */
  503. store->sessionid = ssl_sessionid;
  504. store->idsize = idsize;
  505. store->age = *general_age; /* set current age */
  506. /* free it if there's one already present */
  507. free(store->name);
  508. free(store->conn_to_host);
  509. store->name = clone_host; /* clone host name */
  510. store->conn_to_host = clone_conn_to_host; /* clone connect to host name */
  511. store->conn_to_port = conn_to_port; /* connect to port number */
  512. /* port number */
  513. store->remote_port = connssl->port;
  514. store->scheme = cf->conn->handler->scheme;
  515. if(!Curl_clone_primary_ssl_config(conn_config, &store->ssl_config)) {
  516. Curl_free_primary_ssl_config(&store->ssl_config);
  517. store->sessionid = NULL; /* let caller free sessionid */
  518. free(clone_host);
  519. free(clone_conn_to_host);
  520. return CURLE_OUT_OF_MEMORY;
  521. }
  522. if(added)
  523. *added = TRUE;
  524. DEBUGF(infof(data, "Added Session ID to cache for %s://%s:%d [%s]",
  525. store->scheme, store->name, store->remote_port,
  526. Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server"));
  527. return CURLE_OK;
  528. }
  529. void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend)
  530. {
  531. if(Curl_ssl->free_multi_ssl_backend_data && mbackend)
  532. Curl_ssl->free_multi_ssl_backend_data(mbackend);
  533. }
  534. void Curl_ssl_close_all(struct Curl_easy *data)
  535. {
  536. /* kill the session ID cache if not shared */
  537. if(data->state.session && !SSLSESSION_SHARED(data)) {
  538. size_t i;
  539. for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
  540. /* the single-killer function handles empty table slots */
  541. Curl_ssl_kill_session(&data->state.session[i]);
  542. /* free the cache data */
  543. Curl_safefree(data->state.session);
  544. }
  545. Curl_ssl->close_all(data);
  546. }
  547. int Curl_ssl_get_select_socks(struct Curl_cfilter *cf, struct Curl_easy *data,
  548. curl_socket_t *socks)
  549. {
  550. struct ssl_connect_data *connssl = cf->ctx;
  551. curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
  552. if(sock != CURL_SOCKET_BAD) {
  553. if(connssl->connecting_state == ssl_connect_2_writing) {
  554. /* write mode */
  555. socks[0] = sock;
  556. return GETSOCK_WRITESOCK(0);
  557. }
  558. if(connssl->connecting_state == ssl_connect_2_reading) {
  559. /* read mode */
  560. socks[0] = sock;
  561. return GETSOCK_READSOCK(0);
  562. }
  563. }
  564. return GETSOCK_BLANK;
  565. }
  566. /* Selects an SSL crypto engine
  567. */
  568. CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
  569. {
  570. return Curl_ssl->set_engine(data, engine);
  571. }
  572. /* Selects the default SSL crypto engine
  573. */
  574. CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
  575. {
  576. return Curl_ssl->set_engine_default(data);
  577. }
  578. /* Return list of OpenSSL crypto engine names. */
  579. struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
  580. {
  581. return Curl_ssl->engines_list(data);
  582. }
  583. /*
  584. * This sets up a session ID cache to the specified size. Make sure this code
  585. * is agnostic to what underlying SSL technology we use.
  586. */
  587. CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
  588. {
  589. struct Curl_ssl_session *session;
  590. if(data->state.session)
  591. /* this is just a precaution to prevent multiple inits */
  592. return CURLE_OK;
  593. session = calloc(amount, sizeof(struct Curl_ssl_session));
  594. if(!session)
  595. return CURLE_OUT_OF_MEMORY;
  596. /* store the info in the SSL section */
  597. data->set.general_ssl.max_ssl_sessions = amount;
  598. data->state.session = session;
  599. data->state.sessionage = 1; /* this is brand new */
  600. return CURLE_OK;
  601. }
  602. static size_t multissl_version(char *buffer, size_t size);
  603. void Curl_ssl_version(char *buffer, size_t size)
  604. {
  605. #ifdef CURL_WITH_MULTI_SSL
  606. (void)multissl_version(buffer, size);
  607. #else
  608. (void)Curl_ssl->version(buffer, size);
  609. #endif
  610. }
  611. void Curl_ssl_free_certinfo(struct Curl_easy *data)
  612. {
  613. struct curl_certinfo *ci = &data->info.certs;
  614. if(ci->num_of_certs) {
  615. /* free all individual lists used */
  616. int i;
  617. for(i = 0; i<ci->num_of_certs; i++) {
  618. curl_slist_free_all(ci->certinfo[i]);
  619. ci->certinfo[i] = NULL;
  620. }
  621. free(ci->certinfo); /* free the actual array too */
  622. ci->certinfo = NULL;
  623. ci->num_of_certs = 0;
  624. }
  625. }
  626. CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
  627. {
  628. struct curl_certinfo *ci = &data->info.certs;
  629. struct curl_slist **table;
  630. /* Free any previous certificate information structures */
  631. Curl_ssl_free_certinfo(data);
  632. /* Allocate the required certificate information structures */
  633. table = calloc((size_t) num, sizeof(struct curl_slist *));
  634. if(!table)
  635. return CURLE_OUT_OF_MEMORY;
  636. ci->num_of_certs = num;
  637. ci->certinfo = table;
  638. return CURLE_OK;
  639. }
  640. /*
  641. * 'value' is NOT a null-terminated string
  642. */
  643. CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
  644. int certnum,
  645. const char *label,
  646. const char *value,
  647. size_t valuelen)
  648. {
  649. struct curl_certinfo *ci = &data->info.certs;
  650. char *output;
  651. struct curl_slist *nl;
  652. CURLcode result = CURLE_OK;
  653. size_t labellen = strlen(label);
  654. size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */
  655. output = malloc(outlen);
  656. if(!output)
  657. return CURLE_OUT_OF_MEMORY;
  658. /* sprintf the label and colon */
  659. msnprintf(output, outlen, "%s:", label);
  660. /* memcpy the value (it might not be null-terminated) */
  661. memcpy(&output[labellen + 1], value, valuelen);
  662. /* null-terminate the output */
  663. output[labellen + 1 + valuelen] = 0;
  664. nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
  665. if(!nl) {
  666. free(output);
  667. curl_slist_free_all(ci->certinfo[certnum]);
  668. result = CURLE_OUT_OF_MEMORY;
  669. }
  670. ci->certinfo[certnum] = nl;
  671. return result;
  672. }
  673. CURLcode Curl_ssl_random(struct Curl_easy *data,
  674. unsigned char *entropy,
  675. size_t length)
  676. {
  677. return Curl_ssl->random(data, entropy, length);
  678. }
  679. /*
  680. * Curl_ssl_snihost() converts the input host name to a suitable SNI name put
  681. * in data->state.buffer. Returns a pointer to the name (or NULL if a problem)
  682. * and stores the new length in 'olen'.
  683. *
  684. * SNI fields must not have any trailing dot and while RFC 6066 section 3 says
  685. * the SNI field is case insensitive, browsers always send the data lowercase
  686. * and subsequently there are numerous servers out there that don't work
  687. * unless the name is lowercased.
  688. */
  689. char *Curl_ssl_snihost(struct Curl_easy *data, const char *host, size_t *olen)
  690. {
  691. size_t len = strlen(host);
  692. if(len && (host[len-1] == '.'))
  693. len--;
  694. if(len >= data->set.buffer_size)
  695. return NULL;
  696. Curl_strntolower(data->state.buffer, host, len);
  697. data->state.buffer[len] = 0;
  698. if(olen)
  699. *olen = len;
  700. return data->state.buffer;
  701. }
  702. /*
  703. * Public key pem to der conversion
  704. */
  705. static CURLcode pubkey_pem_to_der(const char *pem,
  706. unsigned char **der, size_t *der_len)
  707. {
  708. char *stripped_pem, *begin_pos, *end_pos;
  709. size_t pem_count, stripped_pem_count = 0, pem_len;
  710. CURLcode result;
  711. /* if no pem, exit. */
  712. if(!pem)
  713. return CURLE_BAD_CONTENT_ENCODING;
  714. begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
  715. if(!begin_pos)
  716. return CURLE_BAD_CONTENT_ENCODING;
  717. pem_count = begin_pos - pem;
  718. /* Invalid if not at beginning AND not directly following \n */
  719. if(0 != pem_count && '\n' != pem[pem_count - 1])
  720. return CURLE_BAD_CONTENT_ENCODING;
  721. /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
  722. pem_count += 26;
  723. /* Invalid if not directly following \n */
  724. end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
  725. if(!end_pos)
  726. return CURLE_BAD_CONTENT_ENCODING;
  727. pem_len = end_pos - pem;
  728. stripped_pem = malloc(pem_len - pem_count + 1);
  729. if(!stripped_pem)
  730. return CURLE_OUT_OF_MEMORY;
  731. /*
  732. * Here we loop through the pem array one character at a time between the
  733. * correct indices, and place each character that is not '\n' or '\r'
  734. * into the stripped_pem array, which should represent the raw base64 string
  735. */
  736. while(pem_count < pem_len) {
  737. if('\n' != pem[pem_count] && '\r' != pem[pem_count])
  738. stripped_pem[stripped_pem_count++] = pem[pem_count];
  739. ++pem_count;
  740. }
  741. /* Place the null terminator in the correct place */
  742. stripped_pem[stripped_pem_count] = '\0';
  743. result = Curl_base64_decode(stripped_pem, der, der_len);
  744. Curl_safefree(stripped_pem);
  745. return result;
  746. }
  747. /*
  748. * Generic pinned public key check.
  749. */
  750. CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
  751. const char *pinnedpubkey,
  752. const unsigned char *pubkey, size_t pubkeylen)
  753. {
  754. FILE *fp;
  755. unsigned char *buf = NULL, *pem_ptr = NULL;
  756. CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
  757. #ifdef CURL_DISABLE_VERBOSE_STRINGS
  758. (void)data;
  759. #endif
  760. /* if a path wasn't specified, don't pin */
  761. if(!pinnedpubkey)
  762. return CURLE_OK;
  763. if(!pubkey || !pubkeylen)
  764. return result;
  765. /* only do this if pinnedpubkey starts with "sha256//", length 8 */
  766. if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
  767. CURLcode encode;
  768. size_t encodedlen = 0, pinkeylen;
  769. char *encoded = NULL, *pinkeycopy, *begin_pos, *end_pos;
  770. unsigned char *sha256sumdigest;
  771. if(!Curl_ssl->sha256sum) {
  772. /* without sha256 support, this cannot match */
  773. return result;
  774. }
  775. /* compute sha256sum of public key */
  776. sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
  777. if(!sha256sumdigest)
  778. return CURLE_OUT_OF_MEMORY;
  779. encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
  780. sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
  781. if(!encode)
  782. encode = Curl_base64_encode((char *)sha256sumdigest,
  783. CURL_SHA256_DIGEST_LENGTH, &encoded,
  784. &encodedlen);
  785. Curl_safefree(sha256sumdigest);
  786. if(encode)
  787. return encode;
  788. infof(data, " public key hash: sha256//%s", encoded);
  789. /* it starts with sha256//, copy so we can modify it */
  790. pinkeylen = strlen(pinnedpubkey) + 1;
  791. pinkeycopy = malloc(pinkeylen);
  792. if(!pinkeycopy) {
  793. Curl_safefree(encoded);
  794. return CURLE_OUT_OF_MEMORY;
  795. }
  796. memcpy(pinkeycopy, pinnedpubkey, pinkeylen);
  797. /* point begin_pos to the copy, and start extracting keys */
  798. begin_pos = pinkeycopy;
  799. do {
  800. end_pos = strstr(begin_pos, ";sha256//");
  801. /*
  802. * if there is an end_pos, null terminate,
  803. * otherwise it'll go to the end of the original string
  804. */
  805. if(end_pos)
  806. end_pos[0] = '\0';
  807. /* compare base64 sha256 digests, 8 is the length of "sha256//" */
  808. if(encodedlen == strlen(begin_pos + 8) &&
  809. !memcmp(encoded, begin_pos + 8, encodedlen)) {
  810. result = CURLE_OK;
  811. break;
  812. }
  813. /*
  814. * change back the null-terminator we changed earlier,
  815. * and look for next begin
  816. */
  817. if(end_pos) {
  818. end_pos[0] = ';';
  819. begin_pos = strstr(end_pos, "sha256//");
  820. }
  821. } while(end_pos && begin_pos);
  822. Curl_safefree(encoded);
  823. Curl_safefree(pinkeycopy);
  824. return result;
  825. }
  826. fp = fopen(pinnedpubkey, "rb");
  827. if(!fp)
  828. return result;
  829. do {
  830. long filesize;
  831. size_t size, pem_len;
  832. CURLcode pem_read;
  833. /* Determine the file's size */
  834. if(fseek(fp, 0, SEEK_END))
  835. break;
  836. filesize = ftell(fp);
  837. if(fseek(fp, 0, SEEK_SET))
  838. break;
  839. if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
  840. break;
  841. /*
  842. * if the size of our certificate is bigger than the file
  843. * size then it can't match
  844. */
  845. size = curlx_sotouz((curl_off_t) filesize);
  846. if(pubkeylen > size)
  847. break;
  848. /*
  849. * Allocate buffer for the pinned key
  850. * With 1 additional byte for null terminator in case of PEM key
  851. */
  852. buf = malloc(size + 1);
  853. if(!buf)
  854. break;
  855. /* Returns number of elements read, which should be 1 */
  856. if((int) fread(buf, size, 1, fp) != 1)
  857. break;
  858. /* If the sizes are the same, it can't be base64 encoded, must be der */
  859. if(pubkeylen == size) {
  860. if(!memcmp(pubkey, buf, pubkeylen))
  861. result = CURLE_OK;
  862. break;
  863. }
  864. /*
  865. * Otherwise we will assume it's PEM and try to decode it
  866. * after placing null terminator
  867. */
  868. buf[size] = '\0';
  869. pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
  870. /* if it wasn't read successfully, exit */
  871. if(pem_read)
  872. break;
  873. /*
  874. * if the size of our certificate doesn't match the size of
  875. * the decoded file, they can't be the same, otherwise compare
  876. */
  877. if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
  878. result = CURLE_OK;
  879. } while(0);
  880. Curl_safefree(buf);
  881. Curl_safefree(pem_ptr);
  882. fclose(fp);
  883. return result;
  884. }
  885. /*
  886. * Check whether the SSL backend supports the status_request extension.
  887. */
  888. bool Curl_ssl_cert_status_request(void)
  889. {
  890. return Curl_ssl->cert_status_request();
  891. }
  892. /*
  893. * Check whether the SSL backend supports false start.
  894. */
  895. bool Curl_ssl_false_start(struct Curl_easy *data)
  896. {
  897. (void)data;
  898. return Curl_ssl->false_start();
  899. }
  900. /*
  901. * Default implementations for unsupported functions.
  902. */
  903. int Curl_none_init(void)
  904. {
  905. return 1;
  906. }
  907. void Curl_none_cleanup(void)
  908. { }
  909. int Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
  910. struct Curl_easy *data UNUSED_PARAM)
  911. {
  912. (void)data;
  913. (void)cf;
  914. return 0;
  915. }
  916. int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data)
  917. {
  918. (void)cf;
  919. (void)data;
  920. return -1;
  921. }
  922. CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
  923. unsigned char *entropy UNUSED_PARAM,
  924. size_t length UNUSED_PARAM)
  925. {
  926. (void)data;
  927. (void)entropy;
  928. (void)length;
  929. return CURLE_NOT_BUILT_IN;
  930. }
  931. void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
  932. {
  933. (void)data;
  934. }
  935. void Curl_none_session_free(void *ptr UNUSED_PARAM)
  936. {
  937. (void)ptr;
  938. }
  939. bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
  940. const struct Curl_easy *data UNUSED_PARAM)
  941. {
  942. (void)cf;
  943. (void)data;
  944. return 0;
  945. }
  946. bool Curl_none_cert_status_request(void)
  947. {
  948. return FALSE;
  949. }
  950. CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
  951. const char *engine UNUSED_PARAM)
  952. {
  953. (void)data;
  954. (void)engine;
  955. return CURLE_NOT_BUILT_IN;
  956. }
  957. CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
  958. {
  959. (void)data;
  960. return CURLE_NOT_BUILT_IN;
  961. }
  962. struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
  963. {
  964. (void)data;
  965. return (struct curl_slist *)NULL;
  966. }
  967. bool Curl_none_false_start(void)
  968. {
  969. return FALSE;
  970. }
  971. static int multissl_init(void)
  972. {
  973. if(multissl_setup(NULL))
  974. return 1;
  975. return Curl_ssl->init();
  976. }
  977. static CURLcode multissl_connect(struct Curl_cfilter *cf,
  978. struct Curl_easy *data)
  979. {
  980. if(multissl_setup(NULL))
  981. return CURLE_FAILED_INIT;
  982. return Curl_ssl->connect_blocking(cf, data);
  983. }
  984. static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
  985. struct Curl_easy *data,
  986. bool *done)
  987. {
  988. if(multissl_setup(NULL))
  989. return CURLE_FAILED_INIT;
  990. return Curl_ssl->connect_nonblocking(cf, data, done);
  991. }
  992. static int multissl_get_select_socks(struct Curl_cfilter *cf,
  993. struct Curl_easy *data,
  994. curl_socket_t *socks)
  995. {
  996. if(multissl_setup(NULL))
  997. return 0;
  998. return Curl_ssl->get_select_socks(cf, data, socks);
  999. }
  1000. static void *multissl_get_internals(struct ssl_connect_data *connssl,
  1001. CURLINFO info)
  1002. {
  1003. if(multissl_setup(NULL))
  1004. return NULL;
  1005. return Curl_ssl->get_internals(connssl, info);
  1006. }
  1007. static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
  1008. {
  1009. if(multissl_setup(NULL))
  1010. return;
  1011. Curl_ssl->close(cf, data);
  1012. }
  1013. static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
  1014. struct Curl_easy *data,
  1015. char *buf, size_t len, CURLcode *code)
  1016. {
  1017. if(multissl_setup(NULL))
  1018. return CURLE_FAILED_INIT;
  1019. return Curl_ssl->recv_plain(cf, data, buf, len, code);
  1020. }
  1021. static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
  1022. struct Curl_easy *data,
  1023. const void *mem, size_t len,
  1024. CURLcode *code)
  1025. {
  1026. if(multissl_setup(NULL))
  1027. return CURLE_FAILED_INIT;
  1028. return Curl_ssl->send_plain(cf, data, mem, len, code);
  1029. }
  1030. static const struct Curl_ssl Curl_ssl_multi = {
  1031. { CURLSSLBACKEND_NONE, "multi" }, /* info */
  1032. 0, /* supports nothing */
  1033. (size_t)-1, /* something insanely large to be on the safe side */
  1034. multissl_init, /* init */
  1035. Curl_none_cleanup, /* cleanup */
  1036. multissl_version, /* version */
  1037. Curl_none_check_cxn, /* check_cxn */
  1038. Curl_none_shutdown, /* shutdown */
  1039. Curl_none_data_pending, /* data_pending */
  1040. Curl_none_random, /* random */
  1041. Curl_none_cert_status_request, /* cert_status_request */
  1042. multissl_connect, /* connect */
  1043. multissl_connect_nonblocking, /* connect_nonblocking */
  1044. multissl_get_select_socks, /* getsock */
  1045. multissl_get_internals, /* get_internals */
  1046. multissl_close, /* close_one */
  1047. Curl_none_close_all, /* close_all */
  1048. Curl_none_session_free, /* session_free */
  1049. Curl_none_set_engine, /* set_engine */
  1050. Curl_none_set_engine_default, /* set_engine_default */
  1051. Curl_none_engines_list, /* engines_list */
  1052. Curl_none_false_start, /* false_start */
  1053. NULL, /* sha256sum */
  1054. NULL, /* associate_connection */
  1055. NULL, /* disassociate_connection */
  1056. NULL, /* free_multi_ssl_backend_data */
  1057. multissl_recv_plain, /* recv decrypted data */
  1058. multissl_send_plain, /* send data to encrypt */
  1059. };
  1060. const struct Curl_ssl *Curl_ssl =
  1061. #if defined(CURL_WITH_MULTI_SSL)
  1062. &Curl_ssl_multi;
  1063. #elif defined(USE_WOLFSSL)
  1064. &Curl_ssl_wolfssl;
  1065. #elif defined(USE_SECTRANSP)
  1066. &Curl_ssl_sectransp;
  1067. #elif defined(USE_GNUTLS)
  1068. &Curl_ssl_gnutls;
  1069. #elif defined(USE_GSKIT)
  1070. &Curl_ssl_gskit;
  1071. #elif defined(USE_MBEDTLS)
  1072. &Curl_ssl_mbedtls;
  1073. #elif defined(USE_NSS)
  1074. &Curl_ssl_nss;
  1075. #elif defined(USE_RUSTLS)
  1076. &Curl_ssl_rustls;
  1077. #elif defined(USE_OPENSSL)
  1078. &Curl_ssl_openssl;
  1079. #elif defined(USE_SCHANNEL)
  1080. &Curl_ssl_schannel;
  1081. #elif defined(USE_BEARSSL)
  1082. &Curl_ssl_bearssl;
  1083. #else
  1084. #error "Missing struct Curl_ssl for selected SSL backend"
  1085. #endif
  1086. static const struct Curl_ssl *available_backends[] = {
  1087. #if defined(USE_WOLFSSL)
  1088. &Curl_ssl_wolfssl,
  1089. #endif
  1090. #if defined(USE_SECTRANSP)
  1091. &Curl_ssl_sectransp,
  1092. #endif
  1093. #if defined(USE_GNUTLS)
  1094. &Curl_ssl_gnutls,
  1095. #endif
  1096. #if defined(USE_GSKIT)
  1097. &Curl_ssl_gskit,
  1098. #endif
  1099. #if defined(USE_MBEDTLS)
  1100. &Curl_ssl_mbedtls,
  1101. #endif
  1102. #if defined(USE_NSS)
  1103. &Curl_ssl_nss,
  1104. #endif
  1105. #if defined(USE_OPENSSL)
  1106. &Curl_ssl_openssl,
  1107. #endif
  1108. #if defined(USE_SCHANNEL)
  1109. &Curl_ssl_schannel,
  1110. #endif
  1111. #if defined(USE_BEARSSL)
  1112. &Curl_ssl_bearssl,
  1113. #endif
  1114. #if defined(USE_RUSTLS)
  1115. &Curl_ssl_rustls,
  1116. #endif
  1117. NULL
  1118. };
  1119. static size_t multissl_version(char *buffer, size_t size)
  1120. {
  1121. static const struct Curl_ssl *selected;
  1122. static char backends[200];
  1123. static size_t backends_len;
  1124. const struct Curl_ssl *current;
  1125. current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
  1126. if(current != selected) {
  1127. char *p = backends;
  1128. char *end = backends + sizeof(backends);
  1129. int i;
  1130. selected = current;
  1131. backends[0] = '\0';
  1132. for(i = 0; available_backends[i]; ++i) {
  1133. char vb[200];
  1134. bool paren = (selected != available_backends[i]);
  1135. if(available_backends[i]->version(vb, sizeof(vb))) {
  1136. p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
  1137. (paren ? "(" : ""), vb, (paren ? ")" : ""));
  1138. }
  1139. }
  1140. backends_len = p - backends;
  1141. }
  1142. if(!size)
  1143. return 0;
  1144. if(size <= backends_len) {
  1145. strncpy(buffer, backends, size - 1);
  1146. buffer[size - 1] = '\0';
  1147. return size - 1;
  1148. }
  1149. strcpy(buffer, backends);
  1150. return backends_len;
  1151. }
  1152. static int multissl_setup(const struct Curl_ssl *backend)
  1153. {
  1154. const char *env;
  1155. char *env_tmp;
  1156. if(Curl_ssl != &Curl_ssl_multi)
  1157. return 1;
  1158. if(backend) {
  1159. Curl_ssl = backend;
  1160. return 0;
  1161. }
  1162. if(!available_backends[0])
  1163. return 1;
  1164. env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
  1165. #ifdef CURL_DEFAULT_SSL_BACKEND
  1166. if(!env)
  1167. env = CURL_DEFAULT_SSL_BACKEND;
  1168. #endif
  1169. if(env) {
  1170. int i;
  1171. for(i = 0; available_backends[i]; i++) {
  1172. if(strcasecompare(env, available_backends[i]->info.name)) {
  1173. Curl_ssl = available_backends[i];
  1174. free(env_tmp);
  1175. return 0;
  1176. }
  1177. }
  1178. }
  1179. /* Fall back to first available backend */
  1180. Curl_ssl = available_backends[0];
  1181. free(env_tmp);
  1182. return 0;
  1183. }
  1184. /* This function is used to select the SSL backend to use. It is called by
  1185. curl_global_sslset (easy.c) which uses the global init lock. */
  1186. CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
  1187. const curl_ssl_backend ***avail)
  1188. {
  1189. int i;
  1190. if(avail)
  1191. *avail = (const curl_ssl_backend **)&available_backends;
  1192. if(Curl_ssl != &Curl_ssl_multi)
  1193. return id == Curl_ssl->info.id ||
  1194. (name && strcasecompare(name, Curl_ssl->info.name)) ?
  1195. CURLSSLSET_OK :
  1196. #if defined(CURL_WITH_MULTI_SSL)
  1197. CURLSSLSET_TOO_LATE;
  1198. #else
  1199. CURLSSLSET_UNKNOWN_BACKEND;
  1200. #endif
  1201. for(i = 0; available_backends[i]; i++) {
  1202. if(available_backends[i]->info.id == id ||
  1203. (name && strcasecompare(available_backends[i]->info.name, name))) {
  1204. multissl_setup(available_backends[i]);
  1205. return CURLSSLSET_OK;
  1206. }
  1207. }
  1208. return CURLSSLSET_UNKNOWN_BACKEND;
  1209. }
  1210. #else /* USE_SSL */
  1211. CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
  1212. const curl_ssl_backend ***avail)
  1213. {
  1214. (void)id;
  1215. (void)name;
  1216. (void)avail;
  1217. return CURLSSLSET_NO_BACKENDS;
  1218. }
  1219. #endif /* !USE_SSL */
  1220. #ifdef USE_SSL
  1221. static void free_hostname(struct ssl_connect_data *connssl)
  1222. {
  1223. if(connssl->dispname != connssl->hostname)
  1224. free(connssl->dispname);
  1225. free(connssl->hostname);
  1226. connssl->hostname = connssl->dispname = NULL;
  1227. }
  1228. static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data)
  1229. {
  1230. struct ssl_connect_data *connssl = cf->ctx;
  1231. if(connssl) {
  1232. Curl_ssl->close(cf, data);
  1233. connssl->state = ssl_connection_none;
  1234. free_hostname(connssl);
  1235. }
  1236. cf->connected = FALSE;
  1237. }
  1238. static CURLcode reinit_hostname(struct Curl_cfilter *cf)
  1239. {
  1240. struct ssl_connect_data *connssl = cf->ctx;
  1241. const char *ehostname, *edispname;
  1242. int eport;
  1243. /* We need the hostname for SNI negotiation. Once handshaked, this
  1244. * remains the SNI hostname for the TLS connection. But when the
  1245. * connection is reused, the settings in cf->conn might change.
  1246. * So we keep a copy of the hostname we use for SNI.
  1247. */
  1248. #ifndef CURL_DISABLE_PROXY
  1249. if(Curl_ssl_cf_is_proxy(cf)) {
  1250. ehostname = cf->conn->http_proxy.host.name;
  1251. edispname = cf->conn->http_proxy.host.dispname;
  1252. eport = cf->conn->http_proxy.port;
  1253. }
  1254. else
  1255. #endif
  1256. {
  1257. ehostname = cf->conn->host.name;
  1258. edispname = cf->conn->host.dispname;
  1259. eport = cf->conn->remote_port;
  1260. }
  1261. /* change if ehostname changed */
  1262. if(ehostname && (!connssl->hostname
  1263. || strcmp(ehostname, connssl->hostname))) {
  1264. free_hostname(connssl);
  1265. connssl->hostname = strdup(ehostname);
  1266. if(!connssl->hostname) {
  1267. free_hostname(connssl);
  1268. return CURLE_OUT_OF_MEMORY;
  1269. }
  1270. if(!edispname || !strcmp(ehostname, edispname))
  1271. connssl->dispname = connssl->hostname;
  1272. else {
  1273. connssl->dispname = strdup(edispname);
  1274. if(!connssl->dispname) {
  1275. free_hostname(connssl);
  1276. return CURLE_OUT_OF_MEMORY;
  1277. }
  1278. }
  1279. }
  1280. connssl->port = eport;
  1281. return CURLE_OK;
  1282. }
  1283. static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
  1284. {
  1285. struct cf_call_data save;
  1286. CF_DATA_SAVE(save, cf, data);
  1287. cf_close(cf, data);
  1288. CF_DATA_RESTORE(cf, save);
  1289. cf_ctx_free(cf->ctx);
  1290. cf->ctx = NULL;
  1291. }
  1292. static void ssl_cf_close(struct Curl_cfilter *cf,
  1293. struct Curl_easy *data)
  1294. {
  1295. struct cf_call_data save;
  1296. CF_DATA_SAVE(save, cf, data);
  1297. cf_close(cf, data);
  1298. cf->next->cft->do_close(cf->next, data);
  1299. CF_DATA_RESTORE(cf, save);
  1300. }
  1301. static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
  1302. struct Curl_easy *data,
  1303. bool blocking, bool *done)
  1304. {
  1305. struct ssl_connect_data *connssl = cf->ctx;
  1306. struct cf_call_data save;
  1307. CURLcode result;
  1308. if(cf->connected) {
  1309. *done = TRUE;
  1310. return CURLE_OK;
  1311. }
  1312. CF_DATA_SAVE(save, cf, data);
  1313. (void)connssl;
  1314. DEBUGASSERT(data->conn);
  1315. DEBUGASSERT(data->conn == cf->conn);
  1316. DEBUGASSERT(connssl);
  1317. DEBUGASSERT(cf->conn->host.name);
  1318. result = cf->next->cft->do_connect(cf->next, data, blocking, done);
  1319. if(result || !*done)
  1320. goto out;
  1321. *done = FALSE;
  1322. result = reinit_hostname(cf);
  1323. if(result)
  1324. goto out;
  1325. if(blocking) {
  1326. result = ssl_connect(cf, data);
  1327. *done = (result == CURLE_OK);
  1328. }
  1329. else {
  1330. result = ssl_connect_nonblocking(cf, data, done);
  1331. }
  1332. if(!result && *done) {
  1333. cf->connected = TRUE;
  1334. connssl->handshake_done = Curl_now();
  1335. DEBUGASSERT(connssl->state == ssl_connection_complete);
  1336. }
  1337. out:
  1338. CF_DATA_RESTORE(cf, save);
  1339. return result;
  1340. }
  1341. static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
  1342. const struct Curl_easy *data)
  1343. {
  1344. struct cf_call_data save;
  1345. bool result;
  1346. CF_DATA_SAVE(save, cf, data);
  1347. if(Curl_ssl->data_pending(cf, data))
  1348. result = TRUE;
  1349. else
  1350. result = cf->next->cft->has_data_pending(cf->next, data);
  1351. CF_DATA_RESTORE(cf, save);
  1352. return result;
  1353. }
  1354. static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
  1355. struct Curl_easy *data, const void *buf, size_t len,
  1356. CURLcode *err)
  1357. {
  1358. struct cf_call_data save;
  1359. ssize_t nwritten;
  1360. CF_DATA_SAVE(save, cf, data);
  1361. *err = CURLE_OK;
  1362. nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
  1363. CF_DATA_RESTORE(cf, save);
  1364. return nwritten;
  1365. }
  1366. static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
  1367. struct Curl_easy *data, char *buf, size_t len,
  1368. CURLcode *err)
  1369. {
  1370. struct cf_call_data save;
  1371. ssize_t nread;
  1372. CF_DATA_SAVE(save, cf, data);
  1373. *err = CURLE_OK;
  1374. nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
  1375. if(nread > 0) {
  1376. DEBUGASSERT((size_t)nread <= len);
  1377. }
  1378. else if(nread == 0) {
  1379. /* eof */
  1380. *err = CURLE_OK;
  1381. }
  1382. DEBUGF(LOG_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, nread, *err));
  1383. CF_DATA_RESTORE(cf, save);
  1384. return nread;
  1385. }
  1386. static int ssl_cf_get_select_socks(struct Curl_cfilter *cf,
  1387. struct Curl_easy *data,
  1388. curl_socket_t *socks)
  1389. {
  1390. struct cf_call_data save;
  1391. int result;
  1392. CF_DATA_SAVE(save, cf, data);
  1393. result = Curl_ssl->get_select_socks(cf, data, socks);
  1394. CF_DATA_RESTORE(cf, save);
  1395. return result;
  1396. }
  1397. static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
  1398. struct Curl_easy *data,
  1399. int event, int arg1, void *arg2)
  1400. {
  1401. struct cf_call_data save;
  1402. (void)arg1;
  1403. (void)arg2;
  1404. switch(event) {
  1405. case CF_CTRL_DATA_ATTACH:
  1406. if(Curl_ssl->attach_data) {
  1407. CF_DATA_SAVE(save, cf, data);
  1408. Curl_ssl->attach_data(cf, data);
  1409. CF_DATA_RESTORE(cf, save);
  1410. }
  1411. break;
  1412. case CF_CTRL_DATA_DETACH:
  1413. if(Curl_ssl->detach_data) {
  1414. CF_DATA_SAVE(save, cf, data);
  1415. Curl_ssl->detach_data(cf, data);
  1416. CF_DATA_RESTORE(cf, save);
  1417. }
  1418. break;
  1419. default:
  1420. break;
  1421. }
  1422. return CURLE_OK;
  1423. }
  1424. static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
  1425. struct Curl_easy *data,
  1426. int query, int *pres1, void *pres2)
  1427. {
  1428. struct ssl_connect_data *connssl = cf->ctx;
  1429. switch(query) {
  1430. case CF_QUERY_TIMER_APPCONNECT: {
  1431. struct curltime *when = pres2;
  1432. if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
  1433. *when = connssl->handshake_done;
  1434. return CURLE_OK;
  1435. }
  1436. default:
  1437. break;
  1438. }
  1439. return cf->next?
  1440. cf->next->cft->query(cf->next, data, query, pres1, pres2) :
  1441. CURLE_UNKNOWN_OPTION;
  1442. }
  1443. static bool cf_ssl_is_alive(struct Curl_cfilter *cf, struct Curl_easy *data,
  1444. bool *input_pending)
  1445. {
  1446. struct cf_call_data save;
  1447. int result;
  1448. /*
  1449. * This function tries to determine connection status.
  1450. *
  1451. * Return codes:
  1452. * 1 means the connection is still in place
  1453. * 0 means the connection has been closed
  1454. * -1 means the connection status is unknown
  1455. */
  1456. CF_DATA_SAVE(save, cf, data);
  1457. result = Curl_ssl->check_cxn(cf, data);
  1458. CF_DATA_RESTORE(cf, save);
  1459. if(result > 0) {
  1460. *input_pending = TRUE;
  1461. return TRUE;
  1462. }
  1463. if(result == 0) {
  1464. *input_pending = FALSE;
  1465. return FALSE;
  1466. }
  1467. /* ssl backend does not know */
  1468. return cf->next?
  1469. cf->next->cft->is_alive(cf->next, data, input_pending) :
  1470. FALSE; /* pessimistic in absence of data */
  1471. }
  1472. struct Curl_cftype Curl_cft_ssl = {
  1473. "SSL",
  1474. CF_TYPE_SSL,
  1475. CURL_LOG_DEFAULT,
  1476. ssl_cf_destroy,
  1477. ssl_cf_connect,
  1478. ssl_cf_close,
  1479. Curl_cf_def_get_host,
  1480. ssl_cf_get_select_socks,
  1481. ssl_cf_data_pending,
  1482. ssl_cf_send,
  1483. ssl_cf_recv,
  1484. ssl_cf_cntrl,
  1485. cf_ssl_is_alive,
  1486. Curl_cf_def_conn_keep_alive,
  1487. ssl_cf_query,
  1488. };
  1489. struct Curl_cftype Curl_cft_ssl_proxy = {
  1490. "SSL-PROXY",
  1491. CF_TYPE_SSL,
  1492. CURL_LOG_DEFAULT,
  1493. ssl_cf_destroy,
  1494. ssl_cf_connect,
  1495. ssl_cf_close,
  1496. Curl_cf_def_get_host,
  1497. ssl_cf_get_select_socks,
  1498. ssl_cf_data_pending,
  1499. ssl_cf_send,
  1500. ssl_cf_recv,
  1501. ssl_cf_cntrl,
  1502. cf_ssl_is_alive,
  1503. Curl_cf_def_conn_keep_alive,
  1504. Curl_cf_def_query,
  1505. };
  1506. static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
  1507. struct Curl_easy *data,
  1508. struct connectdata *conn)
  1509. {
  1510. struct Curl_cfilter *cf = NULL;
  1511. struct ssl_connect_data *ctx;
  1512. CURLcode result;
  1513. DEBUGASSERT(data->conn);
  1514. ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
  1515. conn->bits.tls_enable_alpn));
  1516. if(!ctx) {
  1517. result = CURLE_OUT_OF_MEMORY;
  1518. goto out;
  1519. }
  1520. result = Curl_cf_create(&cf, &Curl_cft_ssl, ctx);
  1521. out:
  1522. if(result)
  1523. cf_ctx_free(ctx);
  1524. *pcf = result? NULL : cf;
  1525. return result;
  1526. }
  1527. CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
  1528. struct connectdata *conn,
  1529. int sockindex)
  1530. {
  1531. struct Curl_cfilter *cf;
  1532. CURLcode result;
  1533. result = cf_ssl_create(&cf, data, conn);
  1534. if(!result)
  1535. Curl_conn_cf_add(data, conn, sockindex, cf);
  1536. return result;
  1537. }
  1538. CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
  1539. struct Curl_easy *data)
  1540. {
  1541. struct Curl_cfilter *cf;
  1542. CURLcode result;
  1543. result = cf_ssl_create(&cf, data, cf_at->conn);
  1544. if(!result)
  1545. Curl_conn_cf_insert_after(cf_at, cf);
  1546. return result;
  1547. }
  1548. #ifndef CURL_DISABLE_PROXY
  1549. static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
  1550. struct Curl_easy *data,
  1551. struct connectdata *conn)
  1552. {
  1553. struct Curl_cfilter *cf = NULL;
  1554. struct ssl_connect_data *ctx;
  1555. CURLcode result;
  1556. bool use_alpn = conn->bits.tls_enable_alpn;
  1557. int httpwant = CURL_HTTP_VERSION_1_1;
  1558. #ifdef USE_HTTP2
  1559. if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
  1560. use_alpn = TRUE;
  1561. httpwant = CURL_HTTP_VERSION_2;
  1562. }
  1563. #endif
  1564. ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
  1565. if(!ctx) {
  1566. result = CURLE_OUT_OF_MEMORY;
  1567. goto out;
  1568. }
  1569. result = Curl_cf_create(&cf, &Curl_cft_ssl_proxy, ctx);
  1570. out:
  1571. if(result)
  1572. cf_ctx_free(ctx);
  1573. *pcf = result? NULL : cf;
  1574. return result;
  1575. }
  1576. CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
  1577. struct Curl_easy *data)
  1578. {
  1579. struct Curl_cfilter *cf;
  1580. CURLcode result;
  1581. result = cf_ssl_proxy_create(&cf, data, cf_at->conn);
  1582. if(!result)
  1583. Curl_conn_cf_insert_after(cf_at, cf);
  1584. return result;
  1585. }
  1586. #endif /* !CURL_DISABLE_PROXY */
  1587. bool Curl_ssl_supports(struct Curl_easy *data, int option)
  1588. {
  1589. (void)data;
  1590. return (Curl_ssl->supports & option)? TRUE : FALSE;
  1591. }
  1592. void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
  1593. CURLINFO info, int n)
  1594. {
  1595. void *result = NULL;
  1596. (void)n;
  1597. if(data->conn) {
  1598. struct Curl_cfilter *cf;
  1599. /* get first filter in chain, if any is present */
  1600. cf = Curl_ssl_cf_get_ssl(data->conn->cfilter[sockindex]);
  1601. if(cf) {
  1602. struct cf_call_data save;
  1603. CF_DATA_SAVE(save, cf, data);
  1604. result = Curl_ssl->get_internals(cf->ctx, info);
  1605. CF_DATA_RESTORE(cf, save);
  1606. }
  1607. }
  1608. return result;
  1609. }
  1610. CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
  1611. int sockindex)
  1612. {
  1613. struct Curl_cfilter *cf, *head;
  1614. CURLcode result = CURLE_OK;
  1615. (void)data;
  1616. head = data->conn? data->conn->cfilter[sockindex] : NULL;
  1617. for(cf = head; cf; cf = cf->next) {
  1618. if(cf->cft == &Curl_cft_ssl) {
  1619. if(Curl_ssl->shut_down(cf, data))
  1620. result = CURLE_SSL_SHUTDOWN_FAILED;
  1621. Curl_conn_cf_discard_sub(head, cf, data, FALSE);
  1622. break;
  1623. }
  1624. }
  1625. return result;
  1626. }
  1627. static struct Curl_cfilter *get_ssl_cf_engaged(struct connectdata *conn,
  1628. int sockindex)
  1629. {
  1630. struct Curl_cfilter *cf, *lowest_ssl_cf = NULL;
  1631. for(cf = conn->cfilter[sockindex]; cf; cf = cf->next) {
  1632. if(cf->cft == &Curl_cft_ssl || cf->cft == &Curl_cft_ssl_proxy) {
  1633. lowest_ssl_cf = cf;
  1634. if(cf->connected || (cf->next && cf->next->connected)) {
  1635. /* connected or about to start */
  1636. return cf;
  1637. }
  1638. }
  1639. }
  1640. return lowest_ssl_cf;
  1641. }
  1642. bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
  1643. {
  1644. return (cf->cft == &Curl_cft_ssl_proxy);
  1645. }
  1646. struct ssl_config_data *
  1647. Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data)
  1648. {
  1649. #ifdef CURL_DISABLE_PROXY
  1650. (void)cf;
  1651. return &data->set.ssl;
  1652. #else
  1653. return Curl_ssl_cf_is_proxy(cf)? &data->set.proxy_ssl : &data->set.ssl;
  1654. #endif
  1655. }
  1656. struct ssl_config_data *
  1657. Curl_ssl_get_config(struct Curl_easy *data, int sockindex)
  1658. {
  1659. struct Curl_cfilter *cf;
  1660. (void)data;
  1661. DEBUGASSERT(data->conn);
  1662. cf = get_ssl_cf_engaged(data->conn, sockindex);
  1663. return cf? Curl_ssl_cf_get_config(cf, data) : &data->set.ssl;
  1664. }
  1665. struct ssl_primary_config *
  1666. Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
  1667. {
  1668. #ifdef CURL_DISABLE_PROXY
  1669. return &cf->conn->ssl_config;
  1670. #else
  1671. return Curl_ssl_cf_is_proxy(cf)?
  1672. &cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
  1673. #endif
  1674. }
  1675. struct Curl_cfilter *Curl_ssl_cf_get_ssl(struct Curl_cfilter *cf)
  1676. {
  1677. for(; cf; cf = cf->next) {
  1678. if(cf->cft == &Curl_cft_ssl || cf->cft == &Curl_cft_ssl_proxy)
  1679. return cf;
  1680. }
  1681. return NULL;
  1682. }
  1683. CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
  1684. const struct alpn_spec *spec)
  1685. {
  1686. size_t i, len;
  1687. int off = 0;
  1688. unsigned char blen;
  1689. memset(buf, 0, sizeof(*buf));
  1690. for(i = 0; spec && i < spec->count; ++i) {
  1691. len = strlen(spec->entries[i]);
  1692. if(len >= ALPN_NAME_MAX)
  1693. return CURLE_FAILED_INIT;
  1694. blen = (unsigned char)len;
  1695. if(off + blen + 1 >= (int)sizeof(buf->data))
  1696. return CURLE_FAILED_INIT;
  1697. buf->data[off++] = blen;
  1698. memcpy(buf->data + off, spec->entries[i], blen);
  1699. off += blen;
  1700. }
  1701. buf->len = off;
  1702. return CURLE_OK;
  1703. }
  1704. CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
  1705. const struct alpn_spec *spec)
  1706. {
  1707. size_t i, len;
  1708. size_t off = 0;
  1709. memset(buf, 0, sizeof(*buf));
  1710. for(i = 0; spec && i < spec->count; ++i) {
  1711. len = strlen(spec->entries[i]);
  1712. if(len >= ALPN_NAME_MAX)
  1713. return CURLE_FAILED_INIT;
  1714. if(off + len + 2 >= sizeof(buf->data))
  1715. return CURLE_FAILED_INIT;
  1716. if(off)
  1717. buf->data[off++] = ',';
  1718. memcpy(buf->data + off, spec->entries[i], len);
  1719. off += len;
  1720. }
  1721. buf->data[off] = '\0';
  1722. buf->len = (int)off;
  1723. return CURLE_OK;
  1724. }
  1725. CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
  1726. struct Curl_easy *data,
  1727. const unsigned char *proto,
  1728. size_t proto_len)
  1729. {
  1730. int can_multi = 0;
  1731. unsigned char *palpn =
  1732. #ifndef CURL_DISABLE_PROXY
  1733. (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf))?
  1734. &cf->conn->proxy_alpn : &cf->conn->alpn
  1735. #else
  1736. &cf->conn->alpn
  1737. #endif
  1738. ;
  1739. if(proto && proto_len) {
  1740. if(proto_len == ALPN_HTTP_1_1_LENGTH &&
  1741. !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
  1742. *palpn = CURL_HTTP_VERSION_1_1;
  1743. }
  1744. else if(proto_len == ALPN_HTTP_1_0_LENGTH &&
  1745. !memcmp(ALPN_HTTP_1_0, proto, ALPN_HTTP_1_0_LENGTH)) {
  1746. *palpn = CURL_HTTP_VERSION_1_0;
  1747. }
  1748. #ifdef USE_HTTP2
  1749. else if(proto_len == ALPN_H2_LENGTH &&
  1750. !memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
  1751. *palpn = CURL_HTTP_VERSION_2;
  1752. can_multi = 1;
  1753. }
  1754. #endif
  1755. #ifdef USE_HTTP3
  1756. else if(proto_len == ALPN_H3_LENGTH &&
  1757. !memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
  1758. *palpn = CURL_HTTP_VERSION_3;
  1759. can_multi = 1;
  1760. }
  1761. #endif
  1762. else {
  1763. *palpn = CURL_HTTP_VERSION_NONE;
  1764. failf(data, "unsupported ALPN protocol: '%.*s'", (int)proto_len, proto);
  1765. /* TODO: do we want to fail this? Previous code just ignored it and
  1766. * some vtls backends even ignore the return code of this function. */
  1767. /* return CURLE_NOT_BUILT_IN; */
  1768. goto out;
  1769. }
  1770. infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, (int)proto_len, proto);
  1771. }
  1772. else {
  1773. *palpn = CURL_HTTP_VERSION_NONE;
  1774. infof(data, VTLS_INFOF_NO_ALPN);
  1775. }
  1776. out:
  1777. if(!Curl_ssl_cf_is_proxy(cf))
  1778. Curl_multiuse_state(data, can_multi?
  1779. BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
  1780. return CURLE_OK;
  1781. }
  1782. #endif /* USE_SSL */