Home Explore Help
Register Sign In
Apq
/
CMake
mirror of https://github.com/Kitware/CMake.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 9eb4ae4f64
Branches Tags
CMake
/
Utilities
/
cmcurl
/
lib
/
vtls
/
vtls.c

vtls.c 58 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168 
  1. /***************************************************************************
    2. 

  2.  *                                  _   _ ____  _
    3. 

  3.  *  Project                     ___| | | |  _ \| |
    4. 

  4.  *                             / __| | | | |_) | |
    5. 

  5.  *                            | (__| |_| |  _ <| |___
    6. 

  6.  *                             \___|\___/|_| \_\_____|
    7. 

  7.  *
    8. 

  8.  * Copyright (C) Daniel Stenberg, <[email protected]>, et al.
    9. 

  9.  *
    10. 

  10.  * This software is licensed as described in the file COPYING, which
    11. 

  11.  * you should have received as part of this distribution. The terms
    12. 

  12.  * are also available at https://curl.se/docs/copyright.html.
    13. 

  13.  *
    14. 

  14.  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
    15. 

  15.  * copies of the Software, and permit persons to whom the Software is
    16. 

  16.  * furnished to do so, under the terms of the COPYING file.
    17. 

  17.  *
    18. 

  18.  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
    19. 

  19.  * KIND, either express or implied.
    20. 

  20.  *
    21. 

  21.  * SPDX-License-Identifier: curl
    22. 

  22.  *
    23. 

  23.  ***************************************************************************/
    24. 

  24. 

  25. /* This file is for implementing all "generic" SSL functions that all libcurl
    26. 

  26.    internals should use. It is then responsible for calling the proper
    27. 

  27.    "backend" function.
    28. 

  28. 

  29.    SSL-functions in libcurl should call functions in this source file, and not
    30. 

  30.    to any specific SSL-layer.
    31. 

  31. 

  32.    Curl_ssl_ - prefix for generic ones
    33. 

  33. 

  34.    Note that this source code uses the functions of the configured SSL
    35. 

  35.    backend via the global Curl_ssl instance.
    36. 

  36. 

  37.    "SSL/TLS Strong Encryption: An Introduction"
    38. 

  38.    https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
    39. 

  39. */
    40. 

  40. 

  41. #include "curl_setup.h"
    42. 

  42. 

  43. #ifdef HAVE_SYS_TYPES_H
    44. 

  44. #include <sys/types.h>
    45. 

  45. #endif
    46. 

  46. #ifdef HAVE_SYS_STAT_H
    47. 

  47. #include <sys/stat.h>
    48. 

  48. #endif
    49. 

  49. #ifdef HAVE_FCNTL_H
    50. 

  50. #include <fcntl.h>
    51. 

  51. #endif
    52. 

  52. 

  53. #include "urldata.h"
    54. 

  54. #include "cfilters.h"
    55. 

  55. 

  56. #include "vtls.h" /* generic SSL protos etc */
    57. 

  57. #include "vtls_int.h"
    58. 

  58. #include "slist.h"
    59. 

  59. #include "sendf.h"
    60. 

  60. #include "strcase.h"
    61. 

  61. #include "url.h"
    62. 

  62. #include "progress.h"
    63. 

  63. #include "share.h"
    64. 

  64. #include "multiif.h"
    65. 

  65. #include "timeval.h"
    66. 

  66. #include "curl_md5.h"
    67. 

  67. #include "warnless.h"
    68. 

  68. #include "curl_base64.h"
    69. 

  69. #include "curl_printf.h"
    70. 

  70. #include "inet_pton.h"
    71. 

  71. #include "strdup.h"
    72. 

  72. 

  73. /* The last #include files should be: */
    74. 

  74. #include "curl_memory.h"
    75. 

  75. #include "memdebug.h"
    76. 

  76. 

  77. 

  78. /* convenience macro to check if this handle is using a shared SSL session */
    79. 

  79. #define SSLSESSION_SHARED(data) (data->share &&                        \
    80. 

  80.                                  (data->share->specifier &             \
    81. 

  81.                                   (1<<CURL_LOCK_DATA_SSL_SESSION)))
    82. 

  82. 

  83. #define CLONE_STRING(var)                    \
    84. 

  84.   do {                                       \
    85. 

  85.     if(source->var) {                        \
    86. 

  86.       dest->var = strdup(source->var);       \
    87. 

  87.       if(!dest->var)                         \
    88. 

  88.         return FALSE;                        \
    89. 

  89.     }                                        \
    90. 

  90.     else                                     \
    91. 

  91.       dest->var = NULL;                      \
    92. 

  92.   } while(0)
    93. 

  93. 

  94. #define CLONE_BLOB(var)                        \
    95. 

  95.   do {                                         \
    96. 

  96.     if(blobdup(&dest->var, source->var))       \
    97. 

  97.       return FALSE;                            \
    98. 

  98.   } while(0)
    99. 

  99. 

  100. static CURLcode blobdup(struct curl_blob **dest,
    101. 

  101.                         struct curl_blob *src)
    102. 

  102. {
    103. 

  103.   DEBUGASSERT(dest);
    104. 

  104.   DEBUGASSERT(!*dest);
    105. 

  105.   if(src) {
    106. 

  106.     /* only if there's data to dupe! */
    107. 

  107.     struct curl_blob *d;
    108. 

  108.     d = malloc(sizeof(struct curl_blob) + src->len);
    109. 

  109.     if(!d)
    110. 

  110.       return CURLE_OUT_OF_MEMORY;
    111. 

  111.     d->len = src->len;
    112. 

  112.     /* Always duplicate because the connection may survive longer than the
    113. 

  113.        handle that passed in the blob. */
    114. 

  114.     d->flags = CURL_BLOB_COPY;
    115. 

  115.     d->data = (void *)((char *)d + sizeof(struct curl_blob));
    116. 

  116.     memcpy(d->data, src->data, src->len);
    117. 

  117.     *dest = d;
    118. 

  118.   }
    119. 

  119.   return CURLE_OK;
    120. 

  120. }
    121. 

  121. 

  122. /* returns TRUE if the blobs are identical */
    123. 

  123. static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
    124. 

  124. {
    125. 

  125.   if(!first && !second) /* both are NULL */
    126. 

  126.     return TRUE;
    127. 

  127.   if(!first || !second) /* one is NULL */
    128. 

  128.     return FALSE;
    129. 

  129.   if(first->len != second->len) /* different sizes */
    130. 

  130.     return FALSE;
    131. 

  131.   return !memcmp(first->data, second->data, first->len); /* same data */
    132. 

  132. }
    133. 

  133. 

  134. #ifdef USE_SSL
    135. 

  135. static const struct alpn_spec ALPN_SPEC_H11 = {
    136. 

  136.   { ALPN_HTTP_1_1 }, 1
    137. 

  137. };
    138. 

  138. #ifdef USE_HTTP2
    139. 

  139. static const struct alpn_spec ALPN_SPEC_H2_H11 = {
    140. 

  140.   { ALPN_H2, ALPN_HTTP_1_1 }, 2
    141. 

  141. };
    142. 

  142. #endif
    143. 

  143. 

  144. static const struct alpn_spec *alpn_get_spec(int httpwant, bool use_alpn)
    145. 

  145. {
    146. 

  146.   if(!use_alpn)
    147. 

  147.     return NULL;
    148. 

  148. #ifdef USE_HTTP2
    149. 

  149.   if(httpwant >= CURL_HTTP_VERSION_2)
    150. 

  150.     return &ALPN_SPEC_H2_H11;
    151. 

  151. #else
    152. 

  152.   (void)httpwant;
    153. 

  153. #endif
    154. 

  154.   /* Use the ALPN protocol "http/1.1" for HTTP/1.x.
    155. 

  155.      Avoid "http/1.0" because some servers don't support it. */
    156. 

  156.   return &ALPN_SPEC_H11;
    157. 

  157. }
    158. 

  158. #endif /* USE_SSL */
    159. 

  159. 

  160. 

  161. void Curl_ssl_easy_config_init(struct Curl_easy *data)
    162. 

  162. {
    163. 

  163.   /*
    164. 

  164.    * libcurl 7.10 introduced SSL verification *by default*! This needs to be
    165. 

  165.    * switched off unless wanted.
    166. 

  166.    */
    167. 

  167.   data->set.ssl.primary.verifypeer = TRUE;
    168. 

  168.   data->set.ssl.primary.verifyhost = TRUE;
    169. 

  169.   data->set.ssl.primary.sessionid = TRUE; /* session ID caching by default */
    170. 

  170. #ifndef CURL_DISABLE_PROXY
    171. 

  171.   data->set.proxy_ssl = data->set.ssl;
    172. 

  172. #endif
    173. 

  173. }
    174. 

  174. 

  175. static bool
    176. 

  176. match_ssl_primary_config(struct Curl_easy *data,
    177. 

  177.                          struct ssl_primary_config *c1,
    178. 

  178.                          struct ssl_primary_config *c2)
    179. 

  179. {
    180. 

  180.   (void)data;
    181. 

  181.   if((c1->version == c2->version) &&
    182. 

  182.      (c1->version_max == c2->version_max) &&
    183. 

  183.      (c1->ssl_options == c2->ssl_options) &&
    184. 

  184.      (c1->verifypeer == c2->verifypeer) &&
    185. 

  185.      (c1->verifyhost == c2->verifyhost) &&
    186. 

  186.      (c1->verifystatus == c2->verifystatus) &&
    187. 

  187.      blobcmp(c1->cert_blob, c2->cert_blob) &&
    188. 

  188.      blobcmp(c1->ca_info_blob, c2->ca_info_blob) &&
    189. 

  189.      blobcmp(c1->issuercert_blob, c2->issuercert_blob) &&
    190. 

  190.      Curl_safecmp(c1->CApath, c2->CApath) &&
    191. 

  191.      Curl_safecmp(c1->CAfile, c2->CAfile) &&
    192. 

  192.      Curl_safecmp(c1->issuercert, c2->issuercert) &&
    193. 

  193.      Curl_safecmp(c1->clientcert, c2->clientcert) &&
    194. 

  194. #ifdef USE_TLS_SRP
    195. 

  195.      !Curl_timestrcmp(c1->username, c2->username) &&
    196. 

  196.      !Curl_timestrcmp(c1->password, c2->password) &&
    197. 

  197. #endif
    198. 

  198.      strcasecompare(c1->cipher_list, c2->cipher_list) &&
    199. 

  199.      strcasecompare(c1->cipher_list13, c2->cipher_list13) &&
    200. 

  200.      strcasecompare(c1->curves, c2->curves) &&
    201. 

  201.      strcasecompare(c1->CRLfile, c2->CRLfile) &&
    202. 

  202.      strcasecompare(c1->pinned_key, c2->pinned_key))
    203. 

  203.     return TRUE;
    204. 

  204. 

  205.   return FALSE;
    206. 

  206. }
    207. 

  207. 

  208. bool Curl_ssl_conn_config_match(struct Curl_easy *data,
    209. 

  209.                                 struct connectdata *candidate,
    210. 

  210.                                 bool proxy)
    211. 

  211. {
    212. 

  212. #ifndef CURL_DISABLE_PROXY
    213. 

  213.   if(proxy)
    214. 

  214.     return match_ssl_primary_config(data, &data->set.proxy_ssl.primary,
    215. 

  215.                                     &candidate->proxy_ssl_config);
    216. 

  216. #else
    217. 

  217.   (void)proxy;
    218. 

  218. #endif
    219. 

  219.   return match_ssl_primary_config(data, &data->set.ssl.primary,
    220. 

  220.                                   &candidate->ssl_config);
    221. 

  221. }
    222. 

  222. 

  223. static bool clone_ssl_primary_config(struct ssl_primary_config *source,
    224. 

  224.                                      struct ssl_primary_config *dest)
    225. 

  225. {
    226. 

  226.   dest->version = source->version;
    227. 

  227.   dest->version_max = source->version_max;
    228. 

  228.   dest->verifypeer = source->verifypeer;
    229. 

  229.   dest->verifyhost = source->verifyhost;
    230. 

  230.   dest->verifystatus = source->verifystatus;
    231. 

  231.   dest->sessionid = source->sessionid;
    232. 

  232.   dest->ssl_options = source->ssl_options;
    233. 

  233. 

  234.   CLONE_BLOB(cert_blob);
    235. 

  235.   CLONE_BLOB(ca_info_blob);
    236. 

  236.   CLONE_BLOB(issuercert_blob);
    237. 

  237.   CLONE_STRING(CApath);
    238. 

  238.   CLONE_STRING(CAfile);
    239. 

  239.   CLONE_STRING(issuercert);
    240. 

  240.   CLONE_STRING(clientcert);
    241. 

  241.   CLONE_STRING(cipher_list);
    242. 

  242.   CLONE_STRING(cipher_list13);
    243. 

  243.   CLONE_STRING(pinned_key);
    244. 

  244.   CLONE_STRING(curves);
    245. 

  245.   CLONE_STRING(CRLfile);
    246. 

  246. #ifdef USE_TLS_SRP
    247. 

  247.   CLONE_STRING(username);
    248. 

  248.   CLONE_STRING(password);
    249. 

  249. #endif
    250. 

  250. 

  251.   return TRUE;
    252. 

  252. }
    253. 

  253. 

  254. static void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
    255. 

  255. {
    256. 

  256.   Curl_safefree(sslc->CApath);
    257. 

  257.   Curl_safefree(sslc->CAfile);
    258. 

  258.   Curl_safefree(sslc->issuercert);
    259. 

  259.   Curl_safefree(sslc->clientcert);
    260. 

  260.   Curl_safefree(sslc->cipher_list);
    261. 

  261.   Curl_safefree(sslc->cipher_list13);
    262. 

  262.   Curl_safefree(sslc->pinned_key);
    263. 

  263.   Curl_safefree(sslc->cert_blob);
    264. 

  264.   Curl_safefree(sslc->ca_info_blob);
    265. 

  265.   Curl_safefree(sslc->issuercert_blob);
    266. 

  266.   Curl_safefree(sslc->curves);
    267. 

  267.   Curl_safefree(sslc->CRLfile);
    268. 

  268. #ifdef USE_TLS_SRP
    269. 

  269.   Curl_safefree(sslc->username);
    270. 

  270.   Curl_safefree(sslc->password);
    271. 

  271. #endif
    272. 

  272. }
    273. 

  273. 

  274. CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data)
    275. 

  275. {
    276. 

  276.   data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
    277. 

  277.   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
    278. 

  278.   data->set.ssl.primary.CRLfile = data->set.str[STRING_SSL_CRLFILE];
    279. 

  279.   data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
    280. 

  280.   data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
    281. 

  281.   data->set.ssl.primary.cipher_list =
    282. 

  282.     data->set.str[STRING_SSL_CIPHER_LIST];
    283. 

  283.   data->set.ssl.primary.cipher_list13 =
    284. 

  284.     data->set.str[STRING_SSL_CIPHER13_LIST];
    285. 

  285.   data->set.ssl.primary.pinned_key =
    286. 

  286.     data->set.str[STRING_SSL_PINNEDPUBLICKEY];
    287. 

  287.   data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
    288. 

  288.   data->set.ssl.primary.ca_info_blob = data->set.blobs[BLOB_CAINFO];
    289. 

  289.   data->set.ssl.primary.curves = data->set.str[STRING_SSL_EC_CURVES];
    290. 

  290. #ifdef USE_TLS_SRP
    291. 

  291.   data->set.ssl.primary.username = data->set.str[STRING_TLSAUTH_USERNAME];
    292. 

  292.   data->set.ssl.primary.password = data->set.str[STRING_TLSAUTH_PASSWORD];
    293. 

  293. #endif
    294. 

  294.   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
    295. 

  295.   data->set.ssl.key = data->set.str[STRING_KEY];
    296. 

  296.   data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
    297. 

  297.   data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
    298. 

  298.   data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
    299. 

  299.   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
    300. 

  300. 

  301. #ifndef CURL_DISABLE_PROXY
    302. 

  302.   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
    303. 

  303.   data->set.proxy_ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_PROXY];
    304. 

  304.   data->set.proxy_ssl.primary.cipher_list =
    305. 

  305.     data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
    306. 

  306.   data->set.proxy_ssl.primary.cipher_list13 =
    307. 

  307.     data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
    308. 

  308.   data->set.proxy_ssl.primary.pinned_key =
    309. 

  309.     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
    310. 

  310.   data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
    311. 

  311.   data->set.proxy_ssl.primary.ca_info_blob =
    312. 

  312.     data->set.blobs[BLOB_CAINFO_PROXY];
    313. 

  313.   data->set.proxy_ssl.primary.issuercert =
    314. 

  314.     data->set.str[STRING_SSL_ISSUERCERT_PROXY];
    315. 

  315.   data->set.proxy_ssl.primary.issuercert_blob =
    316. 

  316.     data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
    317. 

  317.   data->set.proxy_ssl.primary.CRLfile =
    318. 

  318.     data->set.str[STRING_SSL_CRLFILE_PROXY];
    319. 

  319.   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
    320. 

  320.   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
    321. 

  321.   data->set.proxy_ssl.key_type = data->set.str[STRING_KEY_TYPE_PROXY];
    322. 

  322.   data->set.proxy_ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_PROXY];
    323. 

  323.   data->set.proxy_ssl.primary.clientcert = data->set.str[STRING_CERT_PROXY];
    324. 

  324.   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
    325. 

  325. #ifdef USE_TLS_SRP
    326. 

  326.   data->set.proxy_ssl.primary.username =
    327. 

  327.     data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
    328. 

  328.   data->set.proxy_ssl.primary.password =
    329. 

  329.     data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
    330. 

  330. #endif
    331. 

  331. #endif /* CURL_DISABLE_PROXY */
    332. 

  332. 

  333.   return CURLE_OK;
    334. 

  334. }
    335. 

  335. 

  336. CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data,
    337. 

  337.                                    struct connectdata *conn)
    338. 

  338. {
    339. 

  339.   /* Clone "primary" SSL configurations from the esay handle to
    340. 

  340.    * the connection. They are used for connection cache matching and
    341. 

  341.    * probably outlive the easy handle */
    342. 

  342.   if(!clone_ssl_primary_config(&data->set.ssl.primary, &conn->ssl_config))
    343. 

  343.     return CURLE_OUT_OF_MEMORY;
    344. 

  344. #ifndef CURL_DISABLE_PROXY
    345. 

  345.   if(!clone_ssl_primary_config(&data->set.proxy_ssl.primary,
    346. 

  346.                                &conn->proxy_ssl_config))
    347. 

  347.     return CURLE_OUT_OF_MEMORY;
    348. 

  348. #endif
    349. 

  349.   return CURLE_OK;
    350. 

  350. }
    351. 

  351. 

  352. void Curl_ssl_conn_config_cleanup(struct connectdata *conn)
    353. 

  353. {
    354. 

  354.   Curl_free_primary_ssl_config(&conn->ssl_config);
    355. 

  355. #ifndef CURL_DISABLE_PROXY
    356. 

  356.   Curl_free_primary_ssl_config(&conn->proxy_ssl_config);
    357. 

  357. #endif
    358. 

  358. }
    359. 

  359. 

  360. void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy)
    361. 

  361. {
    362. 

  362.   /* May be called on an easy that has no connection yet */
    363. 

  363.   if(data->conn) {
    364. 

  364.     struct ssl_primary_config *src, *dest;
    365. 

  365. #ifndef CURL_DISABLE_PROXY
    366. 

  366.     src = for_proxy? &data->set.proxy_ssl.primary : &data->set.ssl.primary;
    367. 

  367.     dest = for_proxy? &data->conn->proxy_ssl_config : &data->conn->ssl_config;
    368. 

  368. #else
    369. 

  369.     (void)for_proxy;
    370. 

  370.     src = &data->set.ssl.primary;
    371. 

  371.     dest = &data->conn->ssl_config;
    372. 

  372. #endif
    373. 

  373.     dest->verifyhost = src->verifyhost;
    374. 

  374.     dest->verifypeer = src->verifypeer;
    375. 

  375.     dest->verifystatus = src->verifystatus;
    376. 

  376.   }
    377. 

  377. }
    378. 

  378. 

  379. #ifdef USE_SSL
    380. 

  380. static int multissl_setup(const struct Curl_ssl *backend);
    381. 

  381. #endif
    382. 

  382. 

  383. curl_sslbackend Curl_ssl_backend(void)
    384. 

  384. {
    385. 

  385. #ifdef USE_SSL
    386. 

  386.   multissl_setup(NULL);
    387. 

  387.   return Curl_ssl->info.id;
    388. 

  388. #else
    389. 

  389.   return CURLSSLBACKEND_NONE;
    390. 

  390. #endif
    391. 

  391. }
    392. 

  392. 

  393. #ifdef USE_SSL
    394. 

  394. 

  395. /* "global" init done? */
    396. 

  396. static bool init_ssl = FALSE;
    397. 

  397. 

  398. /**
    399. 

  399.  * Global SSL init
    400. 

  400.  *
    401. 

  401.  * @retval 0 error initializing SSL
    402. 

  402.  * @retval 1 SSL initialized successfully
    403. 

  403.  */
    404. 

  404. int Curl_ssl_init(void)
    405. 

  405. {
    406. 

  406.   /* make sure this is only done once */
    407. 

  407.   if(init_ssl)
    408. 

  408.     return 1;
    409. 

  409.   init_ssl = TRUE; /* never again */
    410. 

  410. 

  411.   return Curl_ssl->init();
    412. 

  412. }
    413. 

  413. 

  414. #if defined(CURL_WITH_MULTI_SSL)
    415. 

  415. static const struct Curl_ssl Curl_ssl_multi;
    416. 

  416. #endif
    417. 

  417. 

  418. /* Global cleanup */
    419. 

  419. void Curl_ssl_cleanup(void)
    420. 

  420. {
    421. 

  421.   if(init_ssl) {
    422. 

  422.     /* only cleanup if we did a previous init */
    423. 

  423.     Curl_ssl->cleanup();
    424. 

  424. #if defined(CURL_WITH_MULTI_SSL)
    425. 

  425.     Curl_ssl = &Curl_ssl_multi;
    426. 

  426. #endif
    427. 

  427.     init_ssl = FALSE;
    428. 

  428.   }
    429. 

  429. }
    430. 

  430. 

  431. static bool ssl_prefs_check(struct Curl_easy *data)
    432. 

  432. {
    433. 

  433.   /* check for CURLOPT_SSLVERSION invalid parameter value */
    434. 

  434.   const unsigned char sslver = data->set.ssl.primary.version;
    435. 

  435.   if(sslver >= CURL_SSLVERSION_LAST) {
    436. 

  436.     failf(data, "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
    437. 

  437.     return FALSE;
    438. 

  438.   }
    439. 

  439. 

  440.   switch(data->set.ssl.primary.version_max) {
    441. 

  441.   case CURL_SSLVERSION_MAX_NONE:
    442. 

  442.   case CURL_SSLVERSION_MAX_DEFAULT:
    443. 

  443.     break;
    444. 

  444. 

  445.   default:
    446. 

  446.     if((data->set.ssl.primary.version_max >> 16) < sslver) {
    447. 

  447.       failf(data, "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
    448. 

  448.       return FALSE;
    449. 

  449.     }
    450. 

  450.   }
    451. 

  451. 

  452.   return TRUE;
    453. 

  453. }
    454. 

  454. 

  455. static struct ssl_connect_data *cf_ctx_new(struct Curl_easy *data,
    456. 

  456.                                      const struct alpn_spec *alpn)
    457. 

  457. {
    458. 

  458.   struct ssl_connect_data *ctx;
    459. 

  459. 

  460.   (void)data;
    461. 

  461.   ctx = calloc(1, sizeof(*ctx));
    462. 

  462.   if(!ctx)
    463. 

  463.     return NULL;
    464. 

  464. 

  465.   ctx->alpn = alpn;
    466. 

  466.   ctx->backend = calloc(1, Curl_ssl->sizeof_ssl_backend_data);
    467. 

  467.   if(!ctx->backend) {
    468. 

  468.     free(ctx);
    469. 

  469.     return NULL;
    470. 

  470.   }
    471. 

  471.   return ctx;
    472. 

  472. }
    473. 

  473. 

  474. static void cf_ctx_free(struct ssl_connect_data *ctx)
    475. 

  475. {
    476. 

  476.   if(ctx) {
    477. 

  477.     free(ctx->backend);
    478. 

  478.     free(ctx);
    479. 

  479.   }
    480. 

  480. }
    481. 

  481. 

  482. static CURLcode ssl_connect(struct Curl_cfilter *cf, struct Curl_easy *data)
    483. 

  483. {
    484. 

  484.   struct ssl_connect_data *connssl = cf->ctx;
    485. 

  485.   CURLcode result;
    486. 

  486. 

  487.   if(!ssl_prefs_check(data))
    488. 

  488.     return CURLE_SSL_CONNECT_ERROR;
    489. 

  489. 

  490.   /* mark this is being ssl-enabled from here on. */
    491. 

  491.   connssl->state = ssl_connection_negotiating;
    492. 

  492. 

  493.   result = Curl_ssl->connect_blocking(cf, data);
    494. 

  494. 

  495.   if(!result) {
    496. 

  496.     DEBUGASSERT(connssl->state == ssl_connection_complete);
    497. 

  497.   }
    498. 

  498. 

  499.   return result;
    500. 

  500. }
    501. 

  501. 

  502. static CURLcode
    503. 

  503. ssl_connect_nonblocking(struct Curl_cfilter *cf, struct Curl_easy *data,
    504. 

  504.                         bool *done)
    505. 

  505. {
    506. 

  506.   if(!ssl_prefs_check(data))
    507. 

  507.     return CURLE_SSL_CONNECT_ERROR;
    508. 

  508. 

  509.   /* mark this is being ssl requested from here on. */
    510. 

  510.   return Curl_ssl->connect_nonblocking(cf, data, done);
    511. 

  511. }
    512. 

  512. 

  513. /*
    514. 

  514.  * Lock shared SSL session data
    515. 

  515.  */
    516. 

  516. void Curl_ssl_sessionid_lock(struct Curl_easy *data)
    517. 

  517. {
    518. 

  518.   if(SSLSESSION_SHARED(data))
    519. 

  519.     Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
    520. 

  520. }
    521. 

  521. 

  522. /*
    523. 

  523.  * Unlock shared SSL session data
    524. 

  524.  */
    525. 

  525. void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
    526. 

  526. {
    527. 

  527.   if(SSLSESSION_SHARED(data))
    528. 

  528.     Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
    529. 

  529. }
    530. 

  530. 

  531. /*
    532. 

  532.  * Check if there's a session ID for the given connection in the cache, and if
    533. 

  533.  * there's one suitable, it is provided. Returns TRUE when no entry matched.
    534. 

  534.  */
    535. 

  535. bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
    536. 

  536.                            struct Curl_easy *data,
    537. 

  537.                            void **ssl_sessionid,
    538. 

  538.                            size_t *idsize) /* set 0 if unknown */
    539. 

  539. {
    540. 

  540.   struct ssl_connect_data *connssl = cf->ctx;
    541. 

  541.   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
    542. 

  542.   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
    543. 

  543.   struct Curl_ssl_session *check;
    544. 

  544.   size_t i;
    545. 

  545.   long *general_age;
    546. 

  546.   bool no_match = TRUE;
    547. 

  547. 

  548.   *ssl_sessionid = NULL;
    549. 

  549.   if(!ssl_config)
    550. 

  550.     return TRUE;
    551. 

  551. 

  552.   DEBUGASSERT(ssl_config->primary.sessionid);
    553. 

  553. 

  554.   if(!ssl_config->primary.sessionid || !data->state.session)
    555. 

  555.     /* session ID reuse is disabled or the session cache has not been
    556. 

  556.        setup */
    557. 

  557.     return TRUE;
    558. 

  558. 

  559.   /* Lock if shared */
    560. 

  560.   if(SSLSESSION_SHARED(data))
    561. 

  561.     general_age = &data->share->sessionage;
    562. 

  562.   else
    563. 

  563.     general_age = &data->state.sessionage;
    564. 

  564. 

  565.   for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
    566. 

  566.     check = &data->state.session[i];
    567. 

  567.     if(!check->sessionid)
    568. 

  568.       /* not session ID means blank entry */
    569. 

  569.       continue;
    570. 

  570.     if(strcasecompare(connssl->peer.hostname, check->name) &&
    571. 

  571.        ((!cf->conn->bits.conn_to_host && !check->conn_to_host) ||
    572. 

  572.         (cf->conn->bits.conn_to_host && check->conn_to_host &&
    573. 

  573.          strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
    574. 

  574.        ((!cf->conn->bits.conn_to_port && check->conn_to_port == -1) ||
    575. 

  575.         (cf->conn->bits.conn_to_port && check->conn_to_port != -1 &&
    576. 

  576.          cf->conn->conn_to_port == check->conn_to_port)) &&
    577. 

  577.        (connssl->port == check->remote_port) &&
    578. 

  578.        strcasecompare(cf->conn->handler->scheme, check->scheme) &&
    579. 

  579.        match_ssl_primary_config(data, conn_config, &check->ssl_config)) {
    580. 

  580.       /* yes, we have a session ID! */
    581. 

  581.       (*general_age)++;          /* increase general age */
    582. 

  582.       check->age = *general_age; /* set this as used in this age */
    583. 

  583.       *ssl_sessionid = check->sessionid;
    584. 

  584.       if(idsize)
    585. 

  585.         *idsize = check->idsize;
    586. 

  586.       no_match = FALSE;
    587. 

  587.       break;
    588. 

  588.     }
    589. 

  589.   }
    590. 

  590. 

  591.   DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d",
    592. 

  592.                no_match? "Didn't find": "Found",
    593. 

  593.                Curl_ssl_cf_is_proxy(cf) ? "proxy" : "host",
    594. 

  594.                cf->conn->handler->scheme, connssl->peer.hostname,
    595. 

  595.                connssl->port));
    596. 

  596.   return no_match;
    597. 

  597. }
    598. 

  598. 

  599. /*
    600. 

  600.  * Kill a single session ID entry in the cache.
    601. 

  601.  */
    602. 

  602. void Curl_ssl_kill_session(struct Curl_ssl_session *session)
    603. 

  603. {
    604. 

  604.   if(session->sessionid) {
    605. 

  605.     /* defensive check */
    606. 

  606. 

  607.     /* free the ID the SSL-layer specific way */
    608. 

  608.     Curl_ssl->session_free(session->sessionid);
    609. 

  609. 

  610.     session->sessionid = NULL;
    611. 

  611.     session->age = 0; /* fresh */
    612. 

  612. 

  613.     Curl_free_primary_ssl_config(&session->ssl_config);
    614. 

  614. 

  615.     Curl_safefree(session->name);
    616. 

  616.     Curl_safefree(session->conn_to_host);
    617. 

  617.   }
    618. 

  618. }
    619. 

  619. 

  620. /*
    621. 

  621.  * Delete the given session ID from the cache.
    622. 

  622.  */
    623. 

  623. void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid)
    624. 

  624. {
    625. 

  625.   size_t i;
    626. 

  626. 

  627.   for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++) {
    628. 

  628.     struct Curl_ssl_session *check = &data->state.session[i];
    629. 

  629. 

  630.     if(check->sessionid == ssl_sessionid) {
    631. 

  631.       Curl_ssl_kill_session(check);
    632. 

  632.       break;
    633. 

  633.     }
    634. 

  634.   }
    635. 

  635. }
    636. 

  636. 

  637. /*
    638. 

  638.  * Store session id in the session cache. The ID passed on to this function
    639. 

  639.  * must already have been extracted and allocated the proper way for the SSL
    640. 

  640.  * layer. Curl_XXXX_session_free() will be called to free/kill the session ID
    641. 

  641.  * later on.
    642. 

  642.  */
    643. 

  643. CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf,
    644. 

  644.                                struct Curl_easy *data,
    645. 

  645.                                void *ssl_sessionid,
    646. 

  646.                                size_t idsize,
    647. 

  647.                                bool *added)
    648. 

  648. {
    649. 

  649.   struct ssl_connect_data *connssl = cf->ctx;
    650. 

  650.   struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
    651. 

  651.   struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
    652. 

  652.   size_t i;
    653. 

  653.   struct Curl_ssl_session *store;
    654. 

  654.   long oldest_age;
    655. 

  655.   char *clone_host;
    656. 

  656.   char *clone_conn_to_host;
    657. 

  657.   int conn_to_port;
    658. 

  658.   long *general_age;
    659. 

  659. 

  660.   if(added)
    661. 

  661.     *added = FALSE;
    662. 

  662. 

  663.   if(!data->state.session)
    664. 

  664.     return CURLE_OK;
    665. 

  665. 

  666.   store = &data->state.session[0];
    667. 

  667.   oldest_age = data->state.session[0].age; /* zero if unused */
    668. 

  668.   (void)ssl_config;
    669. 

  669.   DEBUGASSERT(ssl_config->primary.sessionid);
    670. 

  670. 

  671.   clone_host = strdup(connssl->peer.hostname);
    672. 

  672.   if(!clone_host)
    673. 

  673.     return CURLE_OUT_OF_MEMORY; /* bail out */
    674. 

  674. 

  675.   if(cf->conn->bits.conn_to_host) {
    676. 

  676.     clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
    677. 

  677.     if(!clone_conn_to_host) {
    678. 

  678.       free(clone_host);
    679. 

  679.       return CURLE_OUT_OF_MEMORY; /* bail out */
    680. 

  680.     }
    681. 

  681.   }
    682. 

  682.   else
    683. 

  683.     clone_conn_to_host = NULL;
    684. 

  684. 

  685.   if(cf->conn->bits.conn_to_port)
    686. 

  686.     conn_to_port = cf->conn->conn_to_port;
    687. 

  687.   else
    688. 

  688.     conn_to_port = -1;
    689. 

  689. 

  690.   /* Now we should add the session ID and the host name to the cache, (remove
    691. 

  691.      the oldest if necessary) */
    692. 

  692. 

  693.   /* If using shared SSL session, lock! */
    694. 

  694.   if(SSLSESSION_SHARED(data)) {
    695. 

  695.     general_age = &data->share->sessionage;
    696. 

  696.   }
    697. 

  697.   else {
    698. 

  698.     general_age = &data->state.sessionage;
    699. 

  699.   }
    700. 

  700. 

  701.   /* find an empty slot for us, or find the oldest */
    702. 

  702.   for(i = 1; (i < data->set.general_ssl.max_ssl_sessions) &&
    703. 

  703.         data->state.session[i].sessionid; i++) {
    704. 

  704.     if(data->state.session[i].age < oldest_age) {
    705. 

  705.       oldest_age = data->state.session[i].age;
    706. 

  706.       store = &data->state.session[i];
    707. 

  707.     }
    708. 

  708.   }
    709. 

  709.   if(i == data->set.general_ssl.max_ssl_sessions)
    710. 

  710.     /* cache is full, we must "kill" the oldest entry! */
    711. 

  711.     Curl_ssl_kill_session(store);
    712. 

  712.   else
    713. 

  713.     store = &data->state.session[i]; /* use this slot */
    714. 

  714. 

  715.   /* now init the session struct wisely */
    716. 

  716.   store->sessionid = ssl_sessionid;
    717. 

  717.   store->idsize = idsize;
    718. 

  718.   store->age = *general_age;    /* set current age */
    719. 

  719.   /* free it if there's one already present */
    720. 

  720.   free(store->name);
    721. 

  721.   free(store->conn_to_host);
    722. 

  722.   store->name = clone_host;               /* clone host name */
    723. 

  723.   store->conn_to_host = clone_conn_to_host; /* clone connect to host name */
    724. 

  724.   store->conn_to_port = conn_to_port; /* connect to port number */
    725. 

  725.   /* port number */
    726. 

  726.   store->remote_port = connssl->port;
    727. 

  727.   store->scheme = cf->conn->handler->scheme;
    728. 

  728. 

  729.   if(!clone_ssl_primary_config(conn_config, &store->ssl_config)) {
    730. 

  730.     Curl_free_primary_ssl_config(&store->ssl_config);
    731. 

  731.     store->sessionid = NULL; /* let caller free sessionid */
    732. 

  732.     free(clone_host);
    733. 

  733.     free(clone_conn_to_host);
    734. 

  734.     return CURLE_OUT_OF_MEMORY;
    735. 

  735.   }
    736. 

  736. 

  737.   if(added)
    738. 

  738.     *added = TRUE;
    739. 

  739. 

  740.   DEBUGF(infof(data, "Added Session ID to cache for %s://%s:%d [%s]",
    741. 

  741.                store->scheme, store->name, store->remote_port,
    742. 

  742.                Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server"));
    743. 

  743.   return CURLE_OK;
    744. 

  744. }
    745. 

  745. 

  746. void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend)
    747. 

  747. {
    748. 

  748.   if(Curl_ssl->free_multi_ssl_backend_data && mbackend)
    749. 

  749.     Curl_ssl->free_multi_ssl_backend_data(mbackend);
    750. 

  750. }
    751. 

  751. 

  752. void Curl_ssl_close_all(struct Curl_easy *data)
    753. 

  753. {
    754. 

  754.   /* kill the session ID cache if not shared */
    755. 

  755.   if(data->state.session && !SSLSESSION_SHARED(data)) {
    756. 

  756.     size_t i;
    757. 

  757.     for(i = 0; i < data->set.general_ssl.max_ssl_sessions; i++)
    758. 

  758.       /* the single-killer function handles empty table slots */
    759. 

  759.       Curl_ssl_kill_session(&data->state.session[i]);
    760. 

  760. 

  761.     /* free the cache data */
    762. 

  762.     Curl_safefree(data->state.session);
    763. 

  763.   }
    764. 

  764. 

  765.   Curl_ssl->close_all(data);
    766. 

  766. }
    767. 

  767. 

  768. void Curl_ssl_adjust_pollset(struct Curl_cfilter *cf, struct Curl_easy *data,
    769. 

  769.                               struct easy_pollset *ps)
    770. 

  770. {
    771. 

  771.   if(!cf->connected) {
    772. 

  772.     struct ssl_connect_data *connssl = cf->ctx;
    773. 

  773.     curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
    774. 

  774.     if(sock != CURL_SOCKET_BAD) {
    775. 

  775.       if(connssl->connecting_state == ssl_connect_2_writing) {
    776. 

  776.         Curl_pollset_set_out_only(data, ps, sock);
    777. 

  777.         CURL_TRC_CF(data, cf, "adjust_pollset, POLLOUT fd=%"
    778. 

  778.                     CURL_FORMAT_SOCKET_T, sock);
    779. 

  779.       }
    780. 

  780.       else {
    781. 

  781.         Curl_pollset_set_in_only(data, ps, sock);
    782. 

  782.         CURL_TRC_CF(data, cf, "adjust_pollset, POLLIN fd=%"
    783. 

  783.                     CURL_FORMAT_SOCKET_T, sock);
    784. 

  784.       }
    785. 

  785.     }
    786. 

  786.   }
    787. 

  787. }
    788. 

  788. 

  789. /* Selects an SSL crypto engine
    790. 

  790.  */
    791. 

  791. CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine)
    792. 

  792. {
    793. 

  793.   return Curl_ssl->set_engine(data, engine);
    794. 

  794. }
    795. 

  795. 

  796. /* Selects the default SSL crypto engine
    797. 

  797.  */
    798. 

  798. CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
    799. 

  799. {
    800. 

  800.   return Curl_ssl->set_engine_default(data);
    801. 

  801. }
    802. 

  802. 

  803. /* Return list of OpenSSL crypto engine names. */
    804. 

  804. struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data)
    805. 

  805. {
    806. 

  806.   return Curl_ssl->engines_list(data);
    807. 

  807. }
    808. 

  808. 

  809. /*
    810. 

  810.  * This sets up a session ID cache to the specified size. Make sure this code
    811. 

  811.  * is agnostic to what underlying SSL technology we use.
    812. 

  812.  */
    813. 

  813. CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
    814. 

  814. {
    815. 

  815.   struct Curl_ssl_session *session;
    816. 

  816. 

  817.   if(data->state.session)
    818. 

  818.     /* this is just a precaution to prevent multiple inits */
    819. 

  819.     return CURLE_OK;
    820. 

  820. 

  821.   session = calloc(amount, sizeof(struct Curl_ssl_session));
    822. 

  822.   if(!session)
    823. 

  823.     return CURLE_OUT_OF_MEMORY;
    824. 

  824. 

  825.   /* store the info in the SSL section */
    826. 

  826.   data->set.general_ssl.max_ssl_sessions = amount;
    827. 

  827.   data->state.session = session;
    828. 

  828.   data->state.sessionage = 1; /* this is brand new */
    829. 

  829.   return CURLE_OK;
    830. 

  830. }
    831. 

  831. 

  832. static size_t multissl_version(char *buffer, size_t size);
    833. 

  833. 

  834. void Curl_ssl_version(char *buffer, size_t size)
    835. 

  835. {
    836. 

  836. #ifdef CURL_WITH_MULTI_SSL
    837. 

  837.   (void)multissl_version(buffer, size);
    838. 

  838. #else
    839. 

  839.   (void)Curl_ssl->version(buffer, size);
    840. 

  840. #endif
    841. 

  841. }
    842. 

  842. 

  843. void Curl_ssl_free_certinfo(struct Curl_easy *data)
    844. 

  844. {
    845. 

  845.   struct curl_certinfo *ci = &data->info.certs;
    846. 

  846. 

  847.   if(ci->num_of_certs) {
    848. 

  848.     /* free all individual lists used */
    849. 

  849.     int i;
    850. 

  850.     for(i = 0; i<ci->num_of_certs; i++) {
    851. 

  851.       curl_slist_free_all(ci->certinfo[i]);
    852. 

  852.       ci->certinfo[i] = NULL;
    853. 

  853.     }
    854. 

  854. 

  855.     free(ci->certinfo); /* free the actual array too */
    856. 

  856.     ci->certinfo = NULL;
    857. 

  857.     ci->num_of_certs = 0;
    858. 

  858.   }
    859. 

  859. }
    860. 

  860. 

  861. CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num)
    862. 

  862. {
    863. 

  863.   struct curl_certinfo *ci = &data->info.certs;
    864. 

  864.   struct curl_slist **table;
    865. 

  865. 

  866.   /* Free any previous certificate information structures */
    867. 

  867.   Curl_ssl_free_certinfo(data);
    868. 

  868. 

  869.   /* Allocate the required certificate information structures */
    870. 

  870.   table = calloc((size_t) num, sizeof(struct curl_slist *));
    871. 

  871.   if(!table)
    872. 

  872.     return CURLE_OUT_OF_MEMORY;
    873. 

  873. 

  874.   ci->num_of_certs = num;
    875. 

  875.   ci->certinfo = table;
    876. 

  876. 

  877.   return CURLE_OK;
    878. 

  878. }
    879. 

  879. 

  880. /*
    881. 

  881.  * 'value' is NOT a null-terminated string
    882. 

  882.  */
    883. 

  883. CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
    884. 

  884.                                     int certnum,
    885. 

  885.                                     const char *label,
    886. 

  886.                                     const char *value,
    887. 

  887.                                     size_t valuelen)
    888. 

  888. {
    889. 

  889.   struct curl_certinfo *ci = &data->info.certs;
    890. 

  890.   struct curl_slist *nl;
    891. 

  891.   CURLcode result = CURLE_OK;
    892. 

  892.   struct dynbuf build;
    893. 

  893. 

  894.   Curl_dyn_init(&build, 10000);
    895. 

  895. 

  896.   if(Curl_dyn_add(&build, label) ||
    897. 

  897.      Curl_dyn_addn(&build, ":", 1) ||
    898. 

  898.      Curl_dyn_addn(&build, value, valuelen))
    899. 

  899.     return CURLE_OUT_OF_MEMORY;
    900. 

  900. 

  901.   nl = Curl_slist_append_nodup(ci->certinfo[certnum],
    902. 

  902.                                Curl_dyn_ptr(&build));
    903. 

  903.   if(!nl) {
    904. 

  904.     Curl_dyn_free(&build);
    905. 

  905.     curl_slist_free_all(ci->certinfo[certnum]);
    906. 

  906.     result = CURLE_OUT_OF_MEMORY;
    907. 

  907.   }
    908. 

  908. 

  909.   ci->certinfo[certnum] = nl;
    910. 

  910.   return result;
    911. 

  911. }
    912. 

  912. 

  913. CURLcode Curl_ssl_random(struct Curl_easy *data,
    914. 

  914.                          unsigned char *entropy,
    915. 

  915.                          size_t length)
    916. 

  916. {
    917. 

  917.   return Curl_ssl->random(data, entropy, length);
    918. 

  918. }
    919. 

  919. 

  920. /*
    921. 

  921.  * Public key pem to der conversion
    922. 

  922.  */
    923. 

  923. 

  924. static CURLcode pubkey_pem_to_der(const char *pem,
    925. 

  925.                                   unsigned char **der, size_t *der_len)
    926. 

  926. {
    927. 

  927.   char *stripped_pem, *begin_pos, *end_pos;
    928. 

  928.   size_t pem_count, stripped_pem_count = 0, pem_len;
    929. 

  929.   CURLcode result;
    930. 

  930. 

  931.   /* if no pem, exit. */
    932. 

  932.   if(!pem)
    933. 

  933.     return CURLE_BAD_CONTENT_ENCODING;
    934. 

  934. 

  935.   begin_pos = strstr(pem, "-----BEGIN PUBLIC KEY-----");
    936. 

  936.   if(!begin_pos)
    937. 

  937.     return CURLE_BAD_CONTENT_ENCODING;
    938. 

  938. 

  939.   pem_count = begin_pos - pem;
    940. 

  940.   /* Invalid if not at beginning AND not directly following \n */
    941. 

  941.   if(0 != pem_count && '\n' != pem[pem_count - 1])
    942. 

  942.     return CURLE_BAD_CONTENT_ENCODING;
    943. 

  943. 

  944.   /* 26 is length of "-----BEGIN PUBLIC KEY-----" */
    945. 

  945.   pem_count += 26;
    946. 

  946. 

  947.   /* Invalid if not directly following \n */
    948. 

  948.   end_pos = strstr(pem + pem_count, "\n-----END PUBLIC KEY-----");
    949. 

  949.   if(!end_pos)
    950. 

  950.     return CURLE_BAD_CONTENT_ENCODING;
    951. 

  951. 

  952.   pem_len = end_pos - pem;
    953. 

  953. 

  954.   stripped_pem = malloc(pem_len - pem_count + 1);
    955. 

  955.   if(!stripped_pem)
    956. 

  956.     return CURLE_OUT_OF_MEMORY;
    957. 

  957. 

  958.   /*
    959. 

  959.    * Here we loop through the pem array one character at a time between the
    960. 

  960.    * correct indices, and place each character that is not '\n' or '\r'
    961. 

  961.    * into the stripped_pem array, which should represent the raw base64 string
    962. 

  962.    */
    963. 

  963.   while(pem_count < pem_len) {
    964. 

  964.     if('\n' != pem[pem_count] && '\r' != pem[pem_count])
    965. 

  965.       stripped_pem[stripped_pem_count++] = pem[pem_count];
    966. 

  966.     ++pem_count;
    967. 

  967.   }
    968. 

  968.   /* Place the null terminator in the correct place */
    969. 

  969.   stripped_pem[stripped_pem_count] = '\0';
    970. 

  970. 

  971.   result = Curl_base64_decode(stripped_pem, der, der_len);
    972. 

  972. 

  973.   Curl_safefree(stripped_pem);
    974. 

  974. 

  975.   return result;
    976. 

  976. }
    977. 

  977. 

  978. /*
    979. 

  979.  * Generic pinned public key check.
    980. 

  980.  */
    981. 

  981. 

  982. CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
    983. 

  983.                               const char *pinnedpubkey,
    984. 

  984.                               const unsigned char *pubkey, size_t pubkeylen)
    985. 

  985. {
    986. 

  986.   FILE *fp;
    987. 

  987.   unsigned char *buf = NULL, *pem_ptr = NULL;
    988. 

  988.   CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
    989. 

  989. #ifdef CURL_DISABLE_VERBOSE_STRINGS
    990. 

  990.   (void)data;
    991. 

  991. #endif
    992. 

  992. 

  993.   /* if a path wasn't specified, don't pin */
    994. 

  994.   if(!pinnedpubkey)
    995. 

  995.     return CURLE_OK;
    996. 

  996.   if(!pubkey || !pubkeylen)
    997. 

  997.     return result;
    998. 

  998. 

  999.   /* only do this if pinnedpubkey starts with "sha256//", length 8 */
    1000. 

  1000.   if(strncmp(pinnedpubkey, "sha256//", 8) == 0) {
    1001. 

  1001.     CURLcode encode;
    1002. 

  1002.     size_t encodedlen = 0;
    1003. 

  1003.     char *encoded = NULL, *pinkeycopy, *begin_pos, *end_pos;
    1004. 

  1004.     unsigned char *sha256sumdigest;
    1005. 

  1005. 

  1006.     if(!Curl_ssl->sha256sum) {
    1007. 

  1007.       /* without sha256 support, this cannot match */
    1008. 

  1008.       return result;
    1009. 

  1009.     }
    1010. 

  1010. 

  1011.     /* compute sha256sum of public key */
    1012. 

  1012.     sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
    1013. 

  1013.     if(!sha256sumdigest)
    1014. 

  1014.       return CURLE_OUT_OF_MEMORY;
    1015. 

  1015.     encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
    1016. 

  1016.                                  sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
    1017. 

  1017. 

  1018.     if(!encode)
    1019. 

  1019.       encode = Curl_base64_encode((char *)sha256sumdigest,
    1020. 

  1020.                                   CURL_SHA256_DIGEST_LENGTH, &encoded,
    1021. 

  1021.                                   &encodedlen);
    1022. 

  1022.     Curl_safefree(sha256sumdigest);
    1023. 

  1023. 

  1024.     if(encode)
    1025. 

  1025.       return encode;
    1026. 

  1026. 

  1027.     infof(data, " public key hash: sha256//%s", encoded);
    1028. 

  1028. 

  1029.     /* it starts with sha256//, copy so we can modify it */
    1030. 

  1030.     pinkeycopy = strdup(pinnedpubkey);
    1031. 

  1031.     if(!pinkeycopy) {
    1032. 

  1032.       Curl_safefree(encoded);
    1033. 

  1033.       return CURLE_OUT_OF_MEMORY;
    1034. 

  1034.     }
    1035. 

  1035.     /* point begin_pos to the copy, and start extracting keys */
    1036. 

  1036.     begin_pos = pinkeycopy;
    1037. 

  1037.     do {
    1038. 

  1038.       end_pos = strstr(begin_pos, ";sha256//");
    1039. 

  1039.       /*
    1040. 

  1040.        * if there is an end_pos, null terminate,
    1041. 

  1041.        * otherwise it'll go to the end of the original string
    1042. 

  1042.        */
    1043. 

  1043.       if(end_pos)
    1044. 

  1044.         end_pos[0] = '\0';
    1045. 

  1045. 

  1046.       /* compare base64 sha256 digests, 8 is the length of "sha256//" */
    1047. 

  1047.       if(encodedlen == strlen(begin_pos + 8) &&
    1048. 

  1048.          !memcmp(encoded, begin_pos + 8, encodedlen)) {
    1049. 

  1049.         result = CURLE_OK;
    1050. 

  1050.         break;
    1051. 

  1051.       }
    1052. 

  1052. 

  1053.       /*
    1054. 

  1054.        * change back the null-terminator we changed earlier,
    1055. 

  1055.        * and look for next begin
    1056. 

  1056.        */
    1057. 

  1057.       if(end_pos) {
    1058. 

  1058.         end_pos[0] = ';';
    1059. 

  1059.         begin_pos = strstr(end_pos, "sha256//");
    1060. 

  1060.       }
    1061. 

  1061.     } while(end_pos && begin_pos);
    1062. 

  1062.     Curl_safefree(encoded);
    1063. 

  1063.     Curl_safefree(pinkeycopy);
    1064. 

  1064.     return result;
    1065. 

  1065.   }
    1066. 

  1066. 

  1067.   fp = fopen(pinnedpubkey, "rb");
    1068. 

  1068.   if(!fp)
    1069. 

  1069.     return result;
    1070. 

  1070. 

  1071.   do {
    1072. 

  1072.     long filesize;
    1073. 

  1073.     size_t size, pem_len;
    1074. 

  1074.     CURLcode pem_read;
    1075. 

  1075. 

  1076.     /* Determine the file's size */
    1077. 

  1077.     if(fseek(fp, 0, SEEK_END))
    1078. 

  1078.       break;
    1079. 

  1079.     filesize = ftell(fp);
    1080. 

  1080.     if(fseek(fp, 0, SEEK_SET))
    1081. 

  1081.       break;
    1082. 

  1082.     if(filesize < 0 || filesize > MAX_PINNED_PUBKEY_SIZE)
    1083. 

  1083.       break;
    1084. 

  1084. 

  1085.     /*
    1086. 

  1086.      * if the size of our certificate is bigger than the file
    1087. 

  1087.      * size then it can't match
    1088. 

  1088.      */
    1089. 

  1089.     size = curlx_sotouz((curl_off_t) filesize);
    1090. 

  1090.     if(pubkeylen > size)
    1091. 

  1091.       break;
    1092. 

  1092. 

  1093.     /*
    1094. 

  1094.      * Allocate buffer for the pinned key
    1095. 

  1095.      * With 1 additional byte for null terminator in case of PEM key
    1096. 

  1096.      */
    1097. 

  1097.     buf = malloc(size + 1);
    1098. 

  1098.     if(!buf)
    1099. 

  1099.       break;
    1100. 

  1100. 

  1101.     /* Returns number of elements read, which should be 1 */
    1102. 

  1102.     if((int) fread(buf, size, 1, fp) != 1)
    1103. 

  1103.       break;
    1104. 

  1104. 

  1105.     /* If the sizes are the same, it can't be base64 encoded, must be der */
    1106. 

  1106.     if(pubkeylen == size) {
    1107. 

  1107.       if(!memcmp(pubkey, buf, pubkeylen))
    1108. 

  1108.         result = CURLE_OK;
    1109. 

  1109.       break;
    1110. 

  1110.     }
    1111. 

  1111. 

  1112.     /*
    1113. 

  1113.      * Otherwise we will assume it's PEM and try to decode it
    1114. 

  1114.      * after placing null terminator
    1115. 

  1115.      */
    1116. 

  1116.     buf[size] = '\0';
    1117. 

  1117.     pem_read = pubkey_pem_to_der((const char *)buf, &pem_ptr, &pem_len);
    1118. 

  1118.     /* if it wasn't read successfully, exit */
    1119. 

  1119.     if(pem_read)
    1120. 

  1120.       break;
    1121. 

  1121. 

  1122.     /*
    1123. 

  1123.      * if the size of our certificate doesn't match the size of
    1124. 

  1124.      * the decoded file, they can't be the same, otherwise compare
    1125. 

  1125.      */
    1126. 

  1126.     if(pubkeylen == pem_len && !memcmp(pubkey, pem_ptr, pubkeylen))
    1127. 

  1127.       result = CURLE_OK;
    1128. 

  1128.   } while(0);
    1129. 

  1129. 

  1130.   Curl_safefree(buf);
    1131. 

  1131.   Curl_safefree(pem_ptr);
    1132. 

  1132.   fclose(fp);
    1133. 

  1133. 

  1134.   return result;
    1135. 

  1135. }
    1136. 

  1136. 

  1137. /*
    1138. 

  1138.  * Check whether the SSL backend supports the status_request extension.
    1139. 

  1139.  */
    1140. 

  1140. bool Curl_ssl_cert_status_request(void)
    1141. 

  1141. {
    1142. 

  1142.   return Curl_ssl->cert_status_request();
    1143. 

  1143. }
    1144. 

  1144. 

  1145. /*
    1146. 

  1146.  * Check whether the SSL backend supports false start.
    1147. 

  1147.  */
    1148. 

  1148. bool Curl_ssl_false_start(struct Curl_easy *data)
    1149. 

  1149. {
    1150. 

  1150.   (void)data;
    1151. 

  1151.   return Curl_ssl->false_start();
    1152. 

  1152. }
    1153. 

  1153. 

  1154. /*
    1155. 

  1155.  * Default implementations for unsupported functions.
    1156. 

  1156.  */
    1157. 

  1157. 

  1158. int Curl_none_init(void)
    1159. 

  1159. {
    1160. 

  1160.   return 1;
    1161. 

  1161. }
    1162. 

  1162. 

  1163. void Curl_none_cleanup(void)
    1164. 

  1164. { }
    1165. 

  1165. 

  1166. int Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
    1167. 

  1167.                        struct Curl_easy *data UNUSED_PARAM)
    1168. 

  1168. {
    1169. 

  1169.   (void)data;
    1170. 

  1170.   (void)cf;
    1171. 

  1171.   return 0;
    1172. 

  1172. }
    1173. 

  1173. 

  1174. int Curl_none_check_cxn(struct Curl_cfilter *cf, struct Curl_easy *data)
    1175. 

  1175. {
    1176. 

  1176.   (void)cf;
    1177. 

  1177.   (void)data;
    1178. 

  1178.   return -1;
    1179. 

  1179. }
    1180. 

  1180. 

  1181. CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
    1182. 

  1182.                           unsigned char *entropy UNUSED_PARAM,
    1183. 

  1183.                           size_t length UNUSED_PARAM)
    1184. 

  1184. {
    1185. 

  1185.   (void)data;
    1186. 

  1186.   (void)entropy;
    1187. 

  1187.   (void)length;
    1188. 

  1188.   return CURLE_NOT_BUILT_IN;
    1189. 

  1189. }
    1190. 

  1190. 

  1191. void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
    1192. 

  1192. {
    1193. 

  1193.   (void)data;
    1194. 

  1194. }
    1195. 

  1195. 

  1196. void Curl_none_session_free(void *ptr UNUSED_PARAM)
    1197. 

  1197. {
    1198. 

  1198.   (void)ptr;
    1199. 

  1199. }
    1200. 

  1200. 

  1201. bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
    1202. 

  1202.                             const struct Curl_easy *data UNUSED_PARAM)
    1203. 

  1203. {
    1204. 

  1204.   (void)cf;
    1205. 

  1205.   (void)data;
    1206. 

  1206.   return 0;
    1207. 

  1207. }
    1208. 

  1208. 

  1209. bool Curl_none_cert_status_request(void)
    1210. 

  1210. {
    1211. 

  1211.   return FALSE;
    1212. 

  1212. }
    1213. 

  1213. 

  1214. CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
    1215. 

  1215.                               const char *engine UNUSED_PARAM)
    1216. 

  1216. {
    1217. 

  1217.   (void)data;
    1218. 

  1218.   (void)engine;
    1219. 

  1219.   return CURLE_NOT_BUILT_IN;
    1220. 

  1220. }
    1221. 

  1221. 

  1222. CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
    1223. 

  1223. {
    1224. 

  1224.   (void)data;
    1225. 

  1225.   return CURLE_NOT_BUILT_IN;
    1226. 

  1226. }
    1227. 

  1227. 

  1228. struct curl_slist *Curl_none_engines_list(struct Curl_easy *data UNUSED_PARAM)
    1229. 

  1229. {
    1230. 

  1230.   (void)data;
    1231. 

  1231.   return (struct curl_slist *)NULL;
    1232. 

  1232. }
    1233. 

  1233. 

  1234. bool Curl_none_false_start(void)
    1235. 

  1235. {
    1236. 

  1236.   return FALSE;
    1237. 

  1237. }
    1238. 

  1238. 

  1239. static int multissl_init(void)
    1240. 

  1240. {
    1241. 

  1241.   if(multissl_setup(NULL))
    1242. 

  1242.     return 1;
    1243. 

  1243.   return Curl_ssl->init();
    1244. 

  1244. }
    1245. 

  1245. 

  1246. static CURLcode multissl_connect(struct Curl_cfilter *cf,
    1247. 

  1247.                                  struct Curl_easy *data)
    1248. 

  1248. {
    1249. 

  1249.   if(multissl_setup(NULL))
    1250. 

  1250.     return CURLE_FAILED_INIT;
    1251. 

  1251.   return Curl_ssl->connect_blocking(cf, data);
    1252. 

  1252. }
    1253. 

  1253. 

  1254. static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
    1255. 

  1255.                                              struct Curl_easy *data,
    1256. 

  1256.                                              bool *done)
    1257. 

  1257. {
    1258. 

  1258.   if(multissl_setup(NULL))
    1259. 

  1259.     return CURLE_FAILED_INIT;
    1260. 

  1260.   return Curl_ssl->connect_nonblocking(cf, data, done);
    1261. 

  1261. }
    1262. 

  1262. 

  1263. static void multissl_adjust_pollset(struct Curl_cfilter *cf,
    1264. 

  1264.                                      struct Curl_easy *data,
    1265. 

  1265.                                      struct easy_pollset *ps)
    1266. 

  1266. {
    1267. 

  1267.   if(multissl_setup(NULL))
    1268. 

  1268.     return;
    1269. 

  1269.   Curl_ssl->adjust_pollset(cf, data, ps);
    1270. 

  1270. }
    1271. 

  1271. 

  1272. static void *multissl_get_internals(struct ssl_connect_data *connssl,
    1273. 

  1273.                                     CURLINFO info)
    1274. 

  1274. {
    1275. 

  1275.   if(multissl_setup(NULL))
    1276. 

  1276.     return NULL;
    1277. 

  1277.   return Curl_ssl->get_internals(connssl, info);
    1278. 

  1278. }
    1279. 

  1279. 

  1280. static void multissl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
    1281. 

  1281. {
    1282. 

  1282.   if(multissl_setup(NULL))
    1283. 

  1283.     return;
    1284. 

  1284.   Curl_ssl->close(cf, data);
    1285. 

  1285. }
    1286. 

  1286. 

  1287. static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
    1288. 

  1288.                                    struct Curl_easy *data,
    1289. 

  1289.                                    char *buf, size_t len, CURLcode *code)
    1290. 

  1290. {
    1291. 

  1291.   if(multissl_setup(NULL))
    1292. 

  1292.     return CURLE_FAILED_INIT;
    1293. 

  1293.   return Curl_ssl->recv_plain(cf, data, buf, len, code);
    1294. 

  1294. }
    1295. 

  1295. 

  1296. static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
    1297. 

  1297.                                    struct Curl_easy *data,
    1298. 

  1298.                                    const void *mem, size_t len,
    1299. 

  1299.                                    CURLcode *code)
    1300. 

  1300. {
    1301. 

  1301.   if(multissl_setup(NULL))
    1302. 

  1302.     return CURLE_FAILED_INIT;
    1303. 

  1303.   return Curl_ssl->send_plain(cf, data, mem, len, code);
    1304. 

  1304. }
    1305. 

  1305. 

  1306. static const struct Curl_ssl Curl_ssl_multi = {
    1307. 

  1307.   { CURLSSLBACKEND_NONE, "multi" },  /* info */
    1308. 

  1308.   0, /* supports nothing */
    1309. 

  1309.   (size_t)-1, /* something insanely large to be on the safe side */
    1310. 

  1310. 

  1311.   multissl_init,                     /* init */
    1312. 

  1312.   Curl_none_cleanup,                 /* cleanup */
    1313. 

  1313.   multissl_version,                  /* version */
    1314. 

  1314.   Curl_none_check_cxn,               /* check_cxn */
    1315. 

  1315.   Curl_none_shutdown,                /* shutdown */
    1316. 

  1316.   Curl_none_data_pending,            /* data_pending */
    1317. 

  1317.   Curl_none_random,                  /* random */
    1318. 

  1318.   Curl_none_cert_status_request,     /* cert_status_request */
    1319. 

  1319.   multissl_connect,                  /* connect */
    1320. 

  1320.   multissl_connect_nonblocking,      /* connect_nonblocking */
    1321. 

  1321.   multissl_adjust_pollset,          /* adjust_pollset */
    1322. 

  1322.   multissl_get_internals,            /* get_internals */
    1323. 

  1323.   multissl_close,                    /* close_one */
    1324. 

  1324.   Curl_none_close_all,               /* close_all */
    1325. 

  1325.   Curl_none_session_free,            /* session_free */
    1326. 

  1326.   Curl_none_set_engine,              /* set_engine */
    1327. 

  1327.   Curl_none_set_engine_default,      /* set_engine_default */
    1328. 

  1328.   Curl_none_engines_list,            /* engines_list */
    1329. 

  1329.   Curl_none_false_start,             /* false_start */
    1330. 

  1330.   NULL,                              /* sha256sum */
    1331. 

  1331.   NULL,                              /* associate_connection */
    1332. 

  1332.   NULL,                              /* disassociate_connection */
    1333. 

  1333.   NULL,                              /* free_multi_ssl_backend_data */
    1334. 

  1334.   multissl_recv_plain,               /* recv decrypted data */
    1335. 

  1335.   multissl_send_plain,               /* send data to encrypt */
    1336. 

  1336. };
    1337. 

  1337. 

  1338. const struct Curl_ssl *Curl_ssl =
    1339. 

  1339. #if defined(CURL_WITH_MULTI_SSL)
    1340. 

  1340.   &Curl_ssl_multi;
    1341. 

  1341. #elif defined(USE_WOLFSSL)
    1342. 

  1342.   &Curl_ssl_wolfssl;
    1343. 

  1343. #elif defined(USE_SECTRANSP)
    1344. 

  1344.   &Curl_ssl_sectransp;
    1345. 

  1345. #elif defined(USE_GNUTLS)
    1346. 

  1346.   &Curl_ssl_gnutls;
    1347. 

  1347. #elif defined(USE_MBEDTLS)
    1348. 

  1348.   &Curl_ssl_mbedtls;
    1349. 

  1349. #elif defined(USE_RUSTLS)
    1350. 

  1350.   &Curl_ssl_rustls;
    1351. 

  1351. #elif defined(USE_OPENSSL)
    1352. 

  1352.   &Curl_ssl_openssl;
    1353. 

  1353. #elif defined(USE_SCHANNEL)
    1354. 

  1354.   &Curl_ssl_schannel;
    1355. 

  1355. #elif defined(USE_BEARSSL)
    1356. 

  1356.   &Curl_ssl_bearssl;
    1357. 

  1357. #else
    1358. 

  1358. #error "Missing struct Curl_ssl for selected SSL backend"
    1359. 

  1359. #endif
    1360. 

  1360. 

  1361. static const struct Curl_ssl *available_backends[] = {
    1362. 

  1362. #if defined(USE_WOLFSSL)
    1363. 

  1363.   &Curl_ssl_wolfssl,
    1364. 

  1364. #endif
    1365. 

  1365. #if defined(USE_SECTRANSP)
    1366. 

  1366.   &Curl_ssl_sectransp,
    1367. 

  1367. #endif
    1368. 

  1368. #if defined(USE_GNUTLS)
    1369. 

  1369.   &Curl_ssl_gnutls,
    1370. 

  1370. #endif
    1371. 

  1371. #if defined(USE_MBEDTLS)
    1372. 

  1372.   &Curl_ssl_mbedtls,
    1373. 

  1373. #endif
    1374. 

  1374. #if defined(USE_OPENSSL)
    1375. 

  1375.   &Curl_ssl_openssl,
    1376. 

  1376. #endif
    1377. 

  1377. #if defined(USE_SCHANNEL)
    1378. 

  1378.   &Curl_ssl_schannel,
    1379. 

  1379. #endif
    1380. 

  1380. #if defined(USE_BEARSSL)
    1381. 

  1381.   &Curl_ssl_bearssl,
    1382. 

  1382. #endif
    1383. 

  1383. #if defined(USE_RUSTLS)
    1384. 

  1384.   &Curl_ssl_rustls,
    1385. 

  1385. #endif
    1386. 

  1386.   NULL
    1387. 

  1387. };
    1388. 

  1388. 

  1389. static size_t multissl_version(char *buffer, size_t size)
    1390. 

  1390. {
    1391. 

  1391.   static const struct Curl_ssl *selected;
    1392. 

  1392.   static char backends[200];
    1393. 

  1393.   static size_t backends_len;
    1394. 

  1394.   const struct Curl_ssl *current;
    1395. 

  1395. 

  1396.   current = Curl_ssl == &Curl_ssl_multi ? available_backends[0] : Curl_ssl;
    1397. 

  1397. 

  1398.   if(current != selected) {
    1399. 

  1399.     char *p = backends;
    1400. 

  1400.     char *end = backends + sizeof(backends);
    1401. 

  1401.     int i;
    1402. 

  1402. 

  1403.     selected = current;
    1404. 

  1404. 

  1405.     backends[0] = '\0';
    1406. 

  1406. 

  1407.     for(i = 0; available_backends[i]; ++i) {
    1408. 

  1408.       char vb[200];
    1409. 

  1409.       bool paren = (selected != available_backends[i]);
    1410. 

  1410. 

  1411.       if(available_backends[i]->version(vb, sizeof(vb))) {
    1412. 

  1412.         p += msnprintf(p, end - p, "%s%s%s%s", (p != backends ? " " : ""),
    1413. 

  1413.                        (paren ? "(" : ""), vb, (paren ? ")" : ""));
    1414. 

  1414.       }
    1415. 

  1415.     }
    1416. 

  1416. 

  1417.     backends_len = p - backends;
    1418. 

  1418.   }
    1419. 

  1419. 

  1420.   if(size) {
    1421. 

  1421.     if(backends_len < size)
    1422. 

  1422.       strcpy(buffer, backends);
    1423. 

  1423.     else
    1424. 

  1424.       *buffer = 0; /* did not fit */
    1425. 

  1425.   }
    1426. 

  1426.   return 0;
    1427. 

  1427. }
    1428. 

  1428. 

  1429. static int multissl_setup(const struct Curl_ssl *backend)
    1430. 

  1430. {
    1431. 

  1431.   const char *env;
    1432. 

  1432.   char *env_tmp;
    1433. 

  1433. 

  1434.   if(Curl_ssl != &Curl_ssl_multi)
    1435. 

  1435.     return 1;
    1436. 

  1436. 

  1437.   if(backend) {
    1438. 

  1438.     Curl_ssl = backend;
    1439. 

  1439.     return 0;
    1440. 

  1440.   }
    1441. 

  1441. 

  1442.   if(!available_backends[0])
    1443. 

  1443.     return 1;
    1444. 

  1444. 

  1445.   env = env_tmp = curl_getenv("CURL_SSL_BACKEND");
    1446. 

  1446. #ifdef CURL_DEFAULT_SSL_BACKEND
    1447. 

  1447.   if(!env)
    1448. 

  1448.     env = CURL_DEFAULT_SSL_BACKEND;
    1449. 

  1449. #endif
    1450. 

  1450.   if(env) {
    1451. 

  1451.     int i;
    1452. 

  1452.     for(i = 0; available_backends[i]; i++) {
    1453. 

  1453.       if(strcasecompare(env, available_backends[i]->info.name)) {
    1454. 

  1454.         Curl_ssl = available_backends[i];
    1455. 

  1455.         free(env_tmp);
    1456. 

  1456.         return 0;
    1457. 

  1457.       }
    1458. 

  1458.     }
    1459. 

  1459.   }
    1460. 

  1460. 

  1461.   /* Fall back to first available backend */
    1462. 

  1462.   Curl_ssl = available_backends[0];
    1463. 

  1463.   free(env_tmp);
    1464. 

  1464.   return 0;
    1465. 

  1465. }
    1466. 

  1466. 

  1467. /* This function is used to select the SSL backend to use. It is called by
    1468. 

  1468.    curl_global_sslset (easy.c) which uses the global init lock. */
    1469. 

  1469. CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
    1470. 

  1470.                                    const curl_ssl_backend ***avail)
    1471. 

  1471. {
    1472. 

  1472.   int i;
    1473. 

  1473. 

  1474.   if(avail)
    1475. 

  1475.     *avail = (const curl_ssl_backend **)&available_backends;
    1476. 

  1476. 

  1477.   if(Curl_ssl != &Curl_ssl_multi)
    1478. 

  1478.     return id == Curl_ssl->info.id ||
    1479. 

  1479.            (name && strcasecompare(name, Curl_ssl->info.name)) ?
    1480. 

  1480.            CURLSSLSET_OK :
    1481. 

  1481. #if defined(CURL_WITH_MULTI_SSL)
    1482. 

  1482.            CURLSSLSET_TOO_LATE;
    1483. 

  1483. #else
    1484. 

  1484.            CURLSSLSET_UNKNOWN_BACKEND;
    1485. 

  1485. #endif
    1486. 

  1486. 

  1487.   for(i = 0; available_backends[i]; i++) {
    1488. 

  1488.     if(available_backends[i]->info.id == id ||
    1489. 

  1489.        (name && strcasecompare(available_backends[i]->info.name, name))) {
    1490. 

  1490.       multissl_setup(available_backends[i]);
    1491. 

  1491.       return CURLSSLSET_OK;
    1492. 

  1492.     }
    1493. 

  1493.   }
    1494. 

  1494. 

  1495.   return CURLSSLSET_UNKNOWN_BACKEND;
    1496. 

  1496. }
    1497. 

  1497. 

  1498. #else /* USE_SSL */
    1499. 

  1499. CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
    1500. 

  1500.                                    const curl_ssl_backend ***avail)
    1501. 

  1501. {
    1502. 

  1502.   (void)id;
    1503. 

  1503.   (void)name;
    1504. 

  1504.   (void)avail;
    1505. 

  1505.   return CURLSSLSET_NO_BACKENDS;
    1506. 

  1506. }
    1507. 

  1507. 

  1508. #endif /* !USE_SSL */
    1509. 

  1509. 

  1510. #ifdef USE_SSL
    1511. 

  1511. 

  1512. void Curl_ssl_peer_cleanup(struct ssl_peer *peer)
    1513. 

  1513. {
    1514. 

  1514.   if(peer->dispname != peer->hostname)
    1515. 

  1515.     free(peer->dispname);
    1516. 

  1516.   free(peer->sni);
    1517. 

  1517.   free(peer->hostname);
    1518. 

  1518.   peer->hostname = peer->sni = peer->dispname = NULL;
    1519. 

  1519.   peer->type = CURL_SSL_PEER_DNS;
    1520. 

  1520. }
    1521. 

  1521. 

  1522. static void cf_close(struct Curl_cfilter *cf, struct Curl_easy *data)
    1523. 

  1523. {
    1524. 

  1524.   struct ssl_connect_data *connssl = cf->ctx;
    1525. 

  1525.   if(connssl) {
    1526. 

  1526.     Curl_ssl->close(cf, data);
    1527. 

  1527.     connssl->state = ssl_connection_none;
    1528. 

  1528.     Curl_ssl_peer_cleanup(&connssl->peer);
    1529. 

  1529.   }
    1530. 

  1530.   cf->connected = FALSE;
    1531. 

  1531. }
    1532. 

  1532. 

  1533. static ssl_peer_type get_peer_type(const char *hostname)
    1534. 

  1534. {
    1535. 

  1535.   if(hostname && hostname[0]) {
    1536. 

  1536. #ifdef ENABLE_IPV6
    1537. 

  1537.     struct in6_addr addr;
    1538. 

  1538. #else
    1539. 

  1539.     struct in_addr addr;
    1540. 

  1540. #endif
    1541. 

  1541.     if(Curl_inet_pton(AF_INET, hostname, &addr))
    1542. 

  1542.       return CURL_SSL_PEER_IPV4;
    1543. 

  1543. #ifdef ENABLE_IPV6
    1544. 

  1544.     else if(Curl_inet_pton(AF_INET6, hostname, &addr)) {
    1545. 

  1545.       return CURL_SSL_PEER_IPV6;
    1546. 

  1546.     }
    1547. 

  1547. #endif
    1548. 

  1548.   }
    1549. 

  1549.   return CURL_SSL_PEER_DNS;
    1550. 

  1550. }
    1551. 

  1551. 

  1552. CURLcode Curl_ssl_peer_init(struct ssl_peer *peer, struct Curl_cfilter *cf)
    1553. 

  1553. {
    1554. 

  1554.   struct ssl_connect_data *connssl = cf->ctx;
    1555. 

  1555.   const char *ehostname, *edispname;
    1556. 

  1556.   int eport;
    1557. 

  1557. 

  1558.   /* We need the hostname for SNI negotiation. Once handshaked, this
    1559. 

  1559.    * remains the SNI hostname for the TLS connection. But when the
    1560. 

  1560.    * connection is reused, the settings in cf->conn might change.
    1561. 

  1561.    * So we keep a copy of the hostname we use for SNI.
    1562. 

  1562.    */
    1563. 

  1563. #ifndef CURL_DISABLE_PROXY
    1564. 

  1564.   if(Curl_ssl_cf_is_proxy(cf)) {
    1565. 

  1565.     ehostname = cf->conn->http_proxy.host.name;
    1566. 

  1566.     edispname = cf->conn->http_proxy.host.dispname;
    1567. 

  1567.     eport = cf->conn->http_proxy.port;
    1568. 

  1568.   }
    1569. 

  1569.   else
    1570. 

  1570. #endif
    1571. 

  1571.   {
    1572. 

  1572.     ehostname = cf->conn->host.name;
    1573. 

  1573.     edispname = cf->conn->host.dispname;
    1574. 

  1574.     eport = cf->conn->remote_port;
    1575. 

  1575.   }
    1576. 

  1576. 

  1577.   /* change if ehostname changed */
    1578. 

  1578.   DEBUGASSERT(!ehostname || ehostname[0]);
    1579. 

  1579.   if(ehostname && (!peer->hostname
    1580. 

  1580.                    || strcmp(ehostname, peer->hostname))) {
    1581. 

  1581.     Curl_ssl_peer_cleanup(peer);
    1582. 

  1582.     peer->hostname = strdup(ehostname);
    1583. 

  1583.     if(!peer->hostname) {
    1584. 

  1584.       Curl_ssl_peer_cleanup(peer);
    1585. 

  1585.       return CURLE_OUT_OF_MEMORY;
    1586. 

  1586.     }
    1587. 

  1587.     if(!edispname || !strcmp(ehostname, edispname))
    1588. 

  1588.       peer->dispname = peer->hostname;
    1589. 

  1589.     else {
    1590. 

  1590.       peer->dispname = strdup(edispname);
    1591. 

  1591.       if(!peer->dispname) {
    1592. 

  1592.         Curl_ssl_peer_cleanup(peer);
    1593. 

  1593.         return CURLE_OUT_OF_MEMORY;
    1594. 

  1594.       }
    1595. 

  1595.     }
    1596. 

  1596. 

  1597.     peer->sni = NULL;
    1598. 

  1598.     peer->type = get_peer_type(peer->hostname);
    1599. 

  1599.     if(peer->type == CURL_SSL_PEER_DNS && peer->hostname[0]) {
    1600. 

  1600.       /* not an IP address, normalize according to RCC 6066 ch. 3,
    1601. 

  1601.        * max len of SNI is 2^16-1, no trailing dot */
    1602. 

  1602.       size_t len = strlen(peer->hostname);
    1603. 

  1603.       if(len && (peer->hostname[len-1] == '.'))
    1604. 

  1604.         len--;
    1605. 

  1605.       if(len < USHRT_MAX) {
    1606. 

  1606.         peer->sni = calloc(1, len + 1);
    1607. 

  1607.         if(!peer->sni) {
    1608. 

  1608.           Curl_ssl_peer_cleanup(peer);
    1609. 

  1609.           return CURLE_OUT_OF_MEMORY;
    1610. 

  1610.         }
    1611. 

  1611.         Curl_strntolower(peer->sni, peer->hostname, len);
    1612. 

  1612.         peer->sni[len] = 0;
    1613. 

  1613.       }
    1614. 

  1614.     }
    1615. 

  1615. 

  1616.   }
    1617. 

  1617.   connssl->port = eport;
    1618. 

  1618.   return CURLE_OK;
    1619. 

  1619. }
    1620. 

  1620. 

  1621. static void ssl_cf_destroy(struct Curl_cfilter *cf, struct Curl_easy *data)
    1622. 

  1622. {
    1623. 

  1623.   struct cf_call_data save;
    1624. 

  1624. 

  1625.   CF_DATA_SAVE(save, cf, data);
    1626. 

  1626.   cf_close(cf, data);
    1627. 

  1627.   CF_DATA_RESTORE(cf, save);
    1628. 

  1628.   cf_ctx_free(cf->ctx);
    1629. 

  1629.   cf->ctx = NULL;
    1630. 

  1630. }
    1631. 

  1631. 

  1632. static void ssl_cf_close(struct Curl_cfilter *cf,
    1633. 

  1633.                          struct Curl_easy *data)
    1634. 

  1634. {
    1635. 

  1635.   struct cf_call_data save;
    1636. 

  1636. 

  1637.   CF_DATA_SAVE(save, cf, data);
    1638. 

  1638.   cf_close(cf, data);
    1639. 

  1639.   if(cf->next)
    1640. 

  1640.     cf->next->cft->do_close(cf->next, data);
    1641. 

  1641.   CF_DATA_RESTORE(cf, save);
    1642. 

  1642. }
    1643. 

  1643. 

  1644. static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
    1645. 

  1645.                                struct Curl_easy *data,
    1646. 

  1646.                                bool blocking, bool *done)
    1647. 

  1647. {
    1648. 

  1648.   struct ssl_connect_data *connssl = cf->ctx;
    1649. 

  1649.   struct cf_call_data save;
    1650. 

  1650.   CURLcode result;
    1651. 

  1651. 

  1652.   if(cf->connected) {
    1653. 

  1653.     *done = TRUE;
    1654. 

  1654.     return CURLE_OK;
    1655. 

  1655.   }
    1656. 

  1656. 

  1657.   CF_DATA_SAVE(save, cf, data);
    1658. 

  1658.   CURL_TRC_CF(data, cf, "cf_connect()");
    1659. 

  1659.   (void)connssl;
    1660. 

  1660.   DEBUGASSERT(data->conn);
    1661. 

  1661.   DEBUGASSERT(data->conn == cf->conn);
    1662. 

  1662.   DEBUGASSERT(connssl);
    1663. 

  1663.   DEBUGASSERT(cf->conn->host.name);
    1664. 

  1664. 

  1665.   result = cf->next->cft->do_connect(cf->next, data, blocking, done);
    1666. 

  1666.   if(result || !*done)
    1667. 

  1667.     goto out;
    1668. 

  1668. 

  1669.   *done = FALSE;
    1670. 

  1670.   result = Curl_ssl_peer_init(&connssl->peer, cf);
    1671. 

  1671.   if(result)
    1672. 

  1672.     goto out;
    1673. 

  1673. 

  1674.   if(blocking) {
    1675. 

  1675.     result = ssl_connect(cf, data);
    1676. 

  1676.     *done = (result == CURLE_OK);
    1677. 

  1677.   }
    1678. 

  1678.   else {
    1679. 

  1679.     result = ssl_connect_nonblocking(cf, data, done);
    1680. 

  1680.   }
    1681. 

  1681. 

  1682.   if(!result && *done) {
    1683. 

  1683.     cf->connected = TRUE;
    1684. 

  1684.     connssl->handshake_done = Curl_now();
    1685. 

  1685.     DEBUGASSERT(connssl->state == ssl_connection_complete);
    1686. 

  1686.   }
    1687. 

  1687. out:
    1688. 

  1688.   CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
    1689. 

  1689.   CF_DATA_RESTORE(cf, save);
    1690. 

  1690.   return result;
    1691. 

  1691. }
    1692. 

  1692. 

  1693. static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
    1694. 

  1694.                                 const struct Curl_easy *data)
    1695. 

  1695. {
    1696. 

  1696.   struct cf_call_data save;
    1697. 

  1697.   bool result;
    1698. 

  1698. 

  1699.   CF_DATA_SAVE(save, cf, data);
    1700. 

  1700.   if(Curl_ssl->data_pending(cf, data))
    1701. 

  1701.     result = TRUE;
    1702. 

  1702.   else
    1703. 

  1703.     result = cf->next->cft->has_data_pending(cf->next, data);
    1704. 

  1704.   CF_DATA_RESTORE(cf, save);
    1705. 

  1705.   return result;
    1706. 

  1706. }
    1707. 

  1707. 

  1708. static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
    1709. 

  1709.                            struct Curl_easy *data, const void *buf, size_t len,
    1710. 

  1710.                            CURLcode *err)
    1711. 

  1711. {
    1712. 

  1712.   struct cf_call_data save;
    1713. 

  1713.   ssize_t nwritten;
    1714. 

  1714. 

  1715.   CF_DATA_SAVE(save, cf, data);
    1716. 

  1716.   *err = CURLE_OK;
    1717. 

  1717.   nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
    1718. 

  1718.   CF_DATA_RESTORE(cf, save);
    1719. 

  1719.   return nwritten;
    1720. 

  1720. }
    1721. 

  1721. 

  1722. static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
    1723. 

  1723.                            struct Curl_easy *data, char *buf, size_t len,
    1724. 

  1724.                            CURLcode *err)
    1725. 

  1725. {
    1726. 

  1726.   struct cf_call_data save;
    1727. 

  1727.   ssize_t nread;
    1728. 

  1728. 

  1729.   CF_DATA_SAVE(save, cf, data);
    1730. 

  1730.   *err = CURLE_OK;
    1731. 

  1731.   nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
    1732. 

  1732.   if(nread > 0) {
    1733. 

  1733.     DEBUGASSERT((size_t)nread <= len);
    1734. 

  1734.   }
    1735. 

  1735.   else if(nread == 0) {
    1736. 

  1736.     /* eof */
    1737. 

  1737.     *err = CURLE_OK;
    1738. 

  1738.   }
    1739. 

  1739.   CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len,
    1740. 

  1740.               nread, *err);
    1741. 

  1741.   CF_DATA_RESTORE(cf, save);
    1742. 

  1742.   return nread;
    1743. 

  1743. }
    1744. 

  1744. 

  1745. static void ssl_cf_adjust_pollset(struct Curl_cfilter *cf,
    1746. 

  1746.                                    struct Curl_easy *data,
    1747. 

  1747.                                    struct easy_pollset *ps)
    1748. 

  1748. {
    1749. 

  1749.   struct cf_call_data save;
    1750. 

  1750. 

  1751.   if(!cf->connected) {
    1752. 

  1752.     CF_DATA_SAVE(save, cf, data);
    1753. 

  1753.     Curl_ssl->adjust_pollset(cf, data, ps);
    1754. 

  1754.     CF_DATA_RESTORE(cf, save);
    1755. 

  1755.   }
    1756. 

  1756. }
    1757. 

  1757. 

  1758. static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
    1759. 

  1759.                              struct Curl_easy *data,
    1760. 

  1760.                              int event, int arg1, void *arg2)
    1761. 

  1761. {
    1762. 

  1762.   struct cf_call_data save;
    1763. 

  1763. 

  1764.   (void)arg1;
    1765. 

  1765.   (void)arg2;
    1766. 

  1766.   switch(event) {
    1767. 

  1767.   case CF_CTRL_DATA_ATTACH:
    1768. 

  1768.     if(Curl_ssl->attach_data) {
    1769. 

  1769.       CF_DATA_SAVE(save, cf, data);
    1770. 

  1770.       Curl_ssl->attach_data(cf, data);
    1771. 

  1771.       CF_DATA_RESTORE(cf, save);
    1772. 

  1772.     }
    1773. 

  1773.     break;
    1774. 

  1774.   case CF_CTRL_DATA_DETACH:
    1775. 

  1775.     if(Curl_ssl->detach_data) {
    1776. 

  1776.       CF_DATA_SAVE(save, cf, data);
    1777. 

  1777.       Curl_ssl->detach_data(cf, data);
    1778. 

  1778.       CF_DATA_RESTORE(cf, save);
    1779. 

  1779.     }
    1780. 

  1780.     break;
    1781. 

  1781.   default:
    1782. 

  1782.     break;
    1783. 

  1783.   }
    1784. 

  1784.   return CURLE_OK;
    1785. 

  1785. }
    1786. 

  1786. 

  1787. static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
    1788. 

  1788.                              struct Curl_easy *data,
    1789. 

  1789.                              int query, int *pres1, void *pres2)
    1790. 

  1790. {
    1791. 

  1791.   struct ssl_connect_data *connssl = cf->ctx;
    1792. 

  1792. 

  1793.   switch(query) {
    1794. 

  1794.   case CF_QUERY_TIMER_APPCONNECT: {
    1795. 

  1795.     struct curltime *when = pres2;
    1796. 

  1796.     if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
    1797. 

  1797.       *when = connssl->handshake_done;
    1798. 

  1798.     return CURLE_OK;
    1799. 

  1799.   }
    1800. 

  1800.   default:
    1801. 

  1801.     break;
    1802. 

  1802.   }
    1803. 

  1803.   return cf->next?
    1804. 

  1804.     cf->next->cft->query(cf->next, data, query, pres1, pres2) :
    1805. 

  1805.     CURLE_UNKNOWN_OPTION;
    1806. 

  1806. }
    1807. 

  1807. 

  1808. static bool cf_ssl_is_alive(struct Curl_cfilter *cf, struct Curl_easy *data,
    1809. 

  1809.                             bool *input_pending)
    1810. 

  1810. {
    1811. 

  1811.   struct cf_call_data save;
    1812. 

  1812.   int result;
    1813. 

  1813.   /*
    1814. 

  1814.    * This function tries to determine connection status.
    1815. 

  1815.    *
    1816. 

  1816.    * Return codes:
    1817. 

  1817.    *     1 means the connection is still in place
    1818. 

  1818.    *     0 means the connection has been closed
    1819. 

  1819.    *    -1 means the connection status is unknown
    1820. 

  1820.    */
    1821. 

  1821.   CF_DATA_SAVE(save, cf, data);
    1822. 

  1822.   result = Curl_ssl->check_cxn(cf, data);
    1823. 

  1823.   CF_DATA_RESTORE(cf, save);
    1824. 

  1824.   if(result > 0) {
    1825. 

  1825.     *input_pending = TRUE;
    1826. 

  1826.     return TRUE;
    1827. 

  1827.   }
    1828. 

  1828.   if(result == 0) {
    1829. 

  1829.     *input_pending = FALSE;
    1830. 

  1830.     return FALSE;
    1831. 

  1831.   }
    1832. 

  1832.   /* ssl backend does not know */
    1833. 

  1833.   return cf->next?
    1834. 

  1834.     cf->next->cft->is_alive(cf->next, data, input_pending) :
    1835. 

  1835.     FALSE; /* pessimistic in absence of data */
    1836. 

  1836. }
    1837. 

  1837. 

  1838. struct Curl_cftype Curl_cft_ssl = {
    1839. 

  1839.   "SSL",
    1840. 

  1840.   CF_TYPE_SSL,
    1841. 

  1841.   CURL_LOG_LVL_NONE,
    1842. 

  1842.   ssl_cf_destroy,
    1843. 

  1843.   ssl_cf_connect,
    1844. 

  1844.   ssl_cf_close,
    1845. 

  1845.   Curl_cf_def_get_host,
    1846. 

  1846.   ssl_cf_adjust_pollset,
    1847. 

  1847.   ssl_cf_data_pending,
    1848. 

  1848.   ssl_cf_send,
    1849. 

  1849.   ssl_cf_recv,
    1850. 

  1850.   ssl_cf_cntrl,
    1851. 

  1851.   cf_ssl_is_alive,
    1852. 

  1852.   Curl_cf_def_conn_keep_alive,
    1853. 

  1853.   ssl_cf_query,
    1854. 

  1854. };
    1855. 

  1855. 

  1856. #ifndef CURL_DISABLE_PROXY
    1857. 

  1857. 

  1858. struct Curl_cftype Curl_cft_ssl_proxy = {
    1859. 

  1859.   "SSL-PROXY",
    1860. 

  1860.   CF_TYPE_SSL,
    1861. 

  1861.   CURL_LOG_LVL_NONE,
    1862. 

  1862.   ssl_cf_destroy,
    1863. 

  1863.   ssl_cf_connect,
    1864. 

  1864.   ssl_cf_close,
    1865. 

  1865.   Curl_cf_def_get_host,
    1866. 

  1866.   ssl_cf_adjust_pollset,
    1867. 

  1867.   ssl_cf_data_pending,
    1868. 

  1868.   ssl_cf_send,
    1869. 

  1869.   ssl_cf_recv,
    1870. 

  1870.   ssl_cf_cntrl,
    1871. 

  1871.   cf_ssl_is_alive,
    1872. 

  1872.   Curl_cf_def_conn_keep_alive,
    1873. 

  1873.   Curl_cf_def_query,
    1874. 

  1874. };
    1875. 

  1875. 

  1876. #endif /* !CURL_DISABLE_PROXY */
    1877. 

  1877. 

  1878. static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
    1879. 

  1879.                               struct Curl_easy *data,
    1880. 

  1880.                               struct connectdata *conn)
    1881. 

  1881. {
    1882. 

  1882.   struct Curl_cfilter *cf = NULL;
    1883. 

  1883.   struct ssl_connect_data *ctx;
    1884. 

  1884.   CURLcode result;
    1885. 

  1885. 

  1886.   DEBUGASSERT(data->conn);
    1887. 

  1887. 

  1888.   ctx = cf_ctx_new(data, alpn_get_spec(data->state.httpwant,
    1889. 

  1889.                                        conn->bits.tls_enable_alpn));
    1890. 

  1890.   if(!ctx) {
    1891. 

  1891.     result = CURLE_OUT_OF_MEMORY;
    1892. 

  1892.     goto out;
    1893. 

  1893.   }
    1894. 

  1894. 

  1895.   result = Curl_cf_create(&cf, &Curl_cft_ssl, ctx);
    1896. 

  1896. 

  1897. out:
    1898. 

  1898.   if(result)
    1899. 

  1899.     cf_ctx_free(ctx);
    1900. 

  1900.   *pcf = result? NULL : cf;
    1901. 

  1901.   return result;
    1902. 

  1902. }
    1903. 

  1903. 

  1904. CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
    1905. 

  1905.                               struct connectdata *conn,
    1906. 

  1906.                               int sockindex)
    1907. 

  1907. {
    1908. 

  1908.   struct Curl_cfilter *cf;
    1909. 

  1909.   CURLcode result;
    1910. 

  1910. 

  1911.   result = cf_ssl_create(&cf, data, conn);
    1912. 

  1912.   if(!result)
    1913. 

  1913.     Curl_conn_cf_add(data, conn, sockindex, cf);
    1914. 

  1914.   return result;
    1915. 

  1915. }
    1916. 

  1916. 

  1917. CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
    1918. 

  1918.                                   struct Curl_easy *data)
    1919. 

  1919. {
    1920. 

  1920.   struct Curl_cfilter *cf;
    1921. 

  1921.   CURLcode result;
    1922. 

  1922. 

  1923.   result = cf_ssl_create(&cf, data, cf_at->conn);
    1924. 

  1924.   if(!result)
    1925. 

  1925.     Curl_conn_cf_insert_after(cf_at, cf);
    1926. 

  1926.   return result;
    1927. 

  1927. }
    1928. 

  1928. 

  1929. #ifndef CURL_DISABLE_PROXY
    1930. 

  1930. 

  1931. static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
    1932. 

  1932.                                     struct Curl_easy *data,
    1933. 

  1933.                                     struct connectdata *conn)
    1934. 

  1934. {
    1935. 

  1935.   struct Curl_cfilter *cf = NULL;
    1936. 

  1936.   struct ssl_connect_data *ctx;
    1937. 

  1937.   CURLcode result;
    1938. 

  1938.   bool use_alpn = conn->bits.tls_enable_alpn;
    1939. 

  1939.   int httpwant = CURL_HTTP_VERSION_1_1;
    1940. 

  1940. 

  1941. #ifdef USE_HTTP2
    1942. 

  1942.   if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
    1943. 

  1943.     use_alpn = TRUE;
    1944. 

  1944.     httpwant = CURL_HTTP_VERSION_2;
    1945. 

  1945.   }
    1946. 

  1946. #endif
    1947. 

  1947. 

  1948.   ctx = cf_ctx_new(data, alpn_get_spec(httpwant, use_alpn));
    1949. 

  1949.   if(!ctx) {
    1950. 

  1950.     result = CURLE_OUT_OF_MEMORY;
    1951. 

  1951.     goto out;
    1952. 

  1952.   }
    1953. 

  1953.   result = Curl_cf_create(&cf, &Curl_cft_ssl_proxy, ctx);
    1954. 

  1954. 

  1955. out:
    1956. 

  1956.   if(result)
    1957. 

  1957.     cf_ctx_free(ctx);
    1958. 

  1958.   *pcf = result? NULL : cf;
    1959. 

  1959.   return result;
    1960. 

  1960. }
    1961. 

  1961. 

  1962. CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
    1963. 

  1963.                                         struct Curl_easy *data)
    1964. 

  1964. {
    1965. 

  1965.   struct Curl_cfilter *cf;
    1966. 

  1966.   CURLcode result;
    1967. 

  1967. 

  1968.   result = cf_ssl_proxy_create(&cf, data, cf_at->conn);
    1969. 

  1969.   if(!result)
    1970. 

  1970.     Curl_conn_cf_insert_after(cf_at, cf);
    1971. 

  1971.   return result;
    1972. 

  1972. }
    1973. 

  1973. 

  1974. #endif /* !CURL_DISABLE_PROXY */
    1975. 

  1975. 

  1976. bool Curl_ssl_supports(struct Curl_easy *data, int option)
    1977. 

  1977. {
    1978. 

  1978.   (void)data;
    1979. 

  1979.   return (Curl_ssl->supports & option)? TRUE : FALSE;
    1980. 

  1980. }
    1981. 

  1981. 

  1982. static struct Curl_cfilter *get_ssl_filter(struct Curl_cfilter *cf)
    1983. 

  1983. {
    1984. 

  1984.   for(; cf; cf = cf->next) {
    1985. 

  1985.     if(cf->cft == &Curl_cft_ssl)
    1986. 

  1986.       return cf;
    1987. 

  1987. #ifndef CURL_DISABLE_PROXY
    1988. 

  1988.     if(cf->cft == &Curl_cft_ssl_proxy)
    1989. 

  1989.       return cf;
    1990. 

  1990. #endif
    1991. 

  1991.   }
    1992. 

  1992.   return NULL;
    1993. 

  1993. }
    1994. 

  1994. 

  1995. 

  1996. void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
    1997. 

  1997.                              CURLINFO info, int n)
    1998. 

  1998. {
    1999. 

  1999.   void *result = NULL;
    2000. 

  2000.   (void)n;
    2001. 

  2001.   if(data->conn) {
    2002. 

  2002.     struct Curl_cfilter *cf;
    2003. 

  2003.     /* get first SSL filter in chain, if any is present */
    2004. 

  2004.     cf = get_ssl_filter(data->conn->cfilter[sockindex]);
    2005. 

  2005.     if(cf) {
    2006. 

  2006.       struct cf_call_data save;
    2007. 

  2007.       CF_DATA_SAVE(save, cf, data);
    2008. 

  2008.       result = Curl_ssl->get_internals(cf->ctx, info);
    2009. 

  2009.       CF_DATA_RESTORE(cf, save);
    2010. 

  2010.     }
    2011. 

  2011.   }
    2012. 

  2012.   return result;
    2013. 

  2013. }
    2014. 

  2014. 

  2015. CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
    2016. 

  2016.                                  int sockindex)
    2017. 

  2017. {
    2018. 

  2018.   struct Curl_cfilter *cf, *head;
    2019. 

  2019.   CURLcode result = CURLE_OK;
    2020. 

  2020. 

  2021.   (void)data;
    2022. 

  2022.   head = data->conn? data->conn->cfilter[sockindex] : NULL;
    2023. 

  2023.   for(cf = head; cf; cf = cf->next) {
    2024. 

  2024.     if(cf->cft == &Curl_cft_ssl) {
    2025. 

  2025.       if(Curl_ssl->shut_down(cf, data))
    2026. 

  2026.         result = CURLE_SSL_SHUTDOWN_FAILED;
    2027. 

  2027.       Curl_conn_cf_discard_sub(head, cf, data, FALSE);
    2028. 

  2028.       break;
    2029. 

  2029.     }
    2030. 

  2030.   }
    2031. 

  2031.   return result;
    2032. 

  2032. }
    2033. 

  2033. 

  2034. bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
    2035. 

  2035. {
    2036. 

  2036. #ifndef CURL_DISABLE_PROXY
    2037. 

  2037.   return (cf->cft == &Curl_cft_ssl_proxy);
    2038. 

  2038. #else
    2039. 

  2039.   (void)cf;
    2040. 

  2040.   return FALSE;
    2041. 

  2041. #endif
    2042. 

  2042. }
    2043. 

  2043. 

  2044. struct ssl_config_data *
    2045. 

  2045. Curl_ssl_cf_get_config(struct Curl_cfilter *cf, struct Curl_easy *data)
    2046. 

  2046. {
    2047. 

  2047. #ifdef CURL_DISABLE_PROXY
    2048. 

  2048.   (void)cf;
    2049. 

  2049.   return &data->set.ssl;
    2050. 

  2050. #else
    2051. 

  2051.   return Curl_ssl_cf_is_proxy(cf)? &data->set.proxy_ssl : &data->set.ssl;
    2052. 

  2052. #endif
    2053. 

  2053. }
    2054. 

  2054. 

  2055. struct ssl_primary_config *
    2056. 

  2056. Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
    2057. 

  2057. {
    2058. 

  2058. #ifdef CURL_DISABLE_PROXY
    2059. 

  2059.   return &cf->conn->ssl_config;
    2060. 

  2060. #else
    2061. 

  2061.   return Curl_ssl_cf_is_proxy(cf)?
    2062. 

  2062.     &cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
    2063. 

  2063. #endif
    2064. 

  2064. }
    2065. 

  2065. 

  2066. CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
    2067. 

  2067.                                 const struct alpn_spec *spec)
    2068. 

  2068. {
    2069. 

  2069.   size_t i, len;
    2070. 

  2070.   int off = 0;
    2071. 

  2071.   unsigned char blen;
    2072. 

  2072. 

  2073.   memset(buf, 0, sizeof(*buf));
    2074. 

  2074.   for(i = 0; spec && i < spec->count; ++i) {
    2075. 

  2075.     len = strlen(spec->entries[i]);
    2076. 

  2076.     if(len >= ALPN_NAME_MAX)
    2077. 

  2077.       return CURLE_FAILED_INIT;
    2078. 

  2078.     blen = (unsigned  char)len;
    2079. 

  2079.     if(off + blen + 1 >= (int)sizeof(buf->data))
    2080. 

  2080.       return CURLE_FAILED_INIT;
    2081. 

  2081.     buf->data[off++] = blen;
    2082. 

  2082.     memcpy(buf->data + off, spec->entries[i], blen);
    2083. 

  2083.     off += blen;
    2084. 

  2084.   }
    2085. 

  2085.   buf->len = off;
    2086. 

  2086.   return CURLE_OK;
    2087. 

  2087. }
    2088. 

  2088. 

  2089. CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
    2090. 

  2090.                                 const struct alpn_spec *spec)
    2091. 

  2091. {
    2092. 

  2092.   size_t i, len;
    2093. 

  2093.   size_t off = 0;
    2094. 

  2094. 

  2095.   memset(buf, 0, sizeof(*buf));
    2096. 

  2096.   for(i = 0; spec && i < spec->count; ++i) {
    2097. 

  2097.     len = strlen(spec->entries[i]);
    2098. 

  2098.     if(len >= ALPN_NAME_MAX)
    2099. 

  2099.       return CURLE_FAILED_INIT;
    2100. 

  2100.     if(off + len + 2 >= sizeof(buf->data))
    2101. 

  2101.       return CURLE_FAILED_INIT;
    2102. 

  2102.     if(off)
    2103. 

  2103.       buf->data[off++] = ',';
    2104. 

  2104.     memcpy(buf->data + off, spec->entries[i], len);
    2105. 

  2105.     off += len;
    2106. 

  2106.   }
    2107. 

  2107.   buf->data[off] = '\0';
    2108. 

  2108.   buf->len = (int)off;
    2109. 

  2109.   return CURLE_OK;
    2110. 

  2110. }
    2111. 

  2111. 

  2112. CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
    2113. 

  2113.                                   struct Curl_easy *data,
    2114. 

  2114.                                   const unsigned char *proto,
    2115. 

  2115.                                   size_t proto_len)
    2116. 

  2116. {
    2117. 

  2117.   int can_multi = 0;
    2118. 

  2118.   unsigned char *palpn =
    2119. 

  2119. #ifndef CURL_DISABLE_PROXY
    2120. 

  2120.     (cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf))?
    2121. 

  2121.     &cf->conn->proxy_alpn : &cf->conn->alpn
    2122. 

  2122. #else
    2123. 

  2123.     &cf->conn->alpn
    2124. 

  2124. #endif
    2125. 

  2125.     ;
    2126. 

  2126. 

  2127.   if(proto && proto_len) {
    2128. 

  2128.     if(proto_len == ALPN_HTTP_1_1_LENGTH &&
    2129. 

  2129.        !memcmp(ALPN_HTTP_1_1, proto, ALPN_HTTP_1_1_LENGTH)) {
    2130. 

  2130.       *palpn = CURL_HTTP_VERSION_1_1;
    2131. 

  2131.     }
    2132. 

  2132. #ifdef USE_HTTP2
    2133. 

  2133.     else if(proto_len == ALPN_H2_LENGTH &&
    2134. 

  2134.             !memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
    2135. 

  2135.       *palpn = CURL_HTTP_VERSION_2;
    2136. 

  2136.       can_multi = 1;
    2137. 

  2137.     }
    2138. 

  2138. #endif
    2139. 

  2139. #ifdef USE_HTTP3
    2140. 

  2140.     else if(proto_len == ALPN_H3_LENGTH &&
    2141. 

  2141.             !memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
    2142. 

  2142.       *palpn = CURL_HTTP_VERSION_3;
    2143. 

  2143.       can_multi = 1;
    2144. 

  2144.     }
    2145. 

  2145. #endif
    2146. 

  2146.     else {
    2147. 

  2147.       *palpn = CURL_HTTP_VERSION_NONE;
    2148. 

  2148.       failf(data, "unsupported ALPN protocol: '%.*s'", (int)proto_len, proto);
    2149. 

  2149.       /* TODO: do we want to fail this? Previous code just ignored it and
    2150. 

  2150.        * some vtls backends even ignore the return code of this function. */
    2151. 

  2151.       /* return CURLE_NOT_BUILT_IN; */
    2152. 

  2152.       goto out;
    2153. 

  2153.     }
    2154. 

  2154.     infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, (int)proto_len, proto);
    2155. 

  2155.   }
    2156. 

  2156.   else {
    2157. 

  2157.     *palpn = CURL_HTTP_VERSION_NONE;
    2158. 

  2158.     infof(data, VTLS_INFOF_NO_ALPN);
    2159. 

  2159.   }
    2160. 

  2160. 

  2161. out:
    2162. 

  2162.   if(!Curl_ssl_cf_is_proxy(cf))
    2163. 

  2163.     Curl_multiuse_state(data, can_multi?
    2164. 

  2164.                         BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
    2165. 

  2165.   return CURLE_OK;
    2166. 

  2166. }
    2167. 

  2167. 

  2168. #endif /* USE_SSL */
    2169.