VirtualBox

source: vbox/trunk/src/libs/curl-7.83.1/lib/vtls/openssl.c@ 97623

Last change on this file since 97623 was 95312, checked in by vboxsync, 3 years ago

libs/{curl,libxml2}: OSE export fixes, bugref:8515
  • Property svn:eol-style set to native
File size: 141.1 KB
Line 
1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 1998 - 2022, Daniel Stenberg, <[email protected]>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ***************************************************************************/
22
23/*
24 * Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
25 * but vtls.c should ever call or use these functions.
26 */
27
28#include "curl_setup.h"
29
30#ifdef USE_OPENSSL
31
32#include <limits.h>
33
34/* Wincrypt must be included before anything that could include OpenSSL. */
35#if defined(USE_WIN32_CRYPTO)
36#include <wincrypt.h>
37/* Undefine wincrypt conflicting symbols for BoringSSL. */
38#undef X509_NAME
39#undef X509_EXTENSIONS
40#undef PKCS7_ISSUER_AND_SERIAL
41#undef PKCS7_SIGNER_INFO
42#undef OCSP_REQUEST
43#undef OCSP_RESPONSE
44#endif
45
46#include "urldata.h"
47#include "sendf.h"
48#include "formdata.h" /* for the boundary function */
49#include "url.h" /* for the ssl config check function */
50#include "inet_pton.h"
51#include "openssl.h"
52#include "connect.h"
53#include "slist.h"
54#include "select.h"
55#include "vtls.h"
56#include "keylog.h"
57#include "strcase.h"
58#include "hostcheck.h"
59#include "multiif.h"
60#include "strerror.h"
61#include "curl_printf.h"
62
63#include <openssl/ssl.h>
64#include <openssl/rand.h>
65#include <openssl/x509v3.h>
66#ifndef OPENSSL_NO_DSA
67#include <openssl/dsa.h>
68#endif
69#include <openssl/dh.h>
70#include <openssl/err.h>
71#include <openssl/md5.h>
72#include <openssl/conf.h>
73#include <openssl/bn.h>
74#include <openssl/rsa.h>
75#include <openssl/bio.h>
76#include <openssl/buffer.h>
77#include <openssl/pkcs12.h>
78
79#ifdef USE_AMISSL
80#include "amigaos.h"
81#endif
82
83#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
84#include <openssl/ocsp.h>
85#endif
86
87#if (OPENSSL_VERSION_NUMBER >= 0x0090700fL) && /* 0.9.7 or later */ \
88 !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE)
89#define USE_OPENSSL_ENGINE
90#include <openssl/engine.h>
91#endif
92
93#include "warnless.h"
94
95/* The last #include files should be: */
96#include "curl_memory.h"
97#include "memdebug.h"
98
99/* Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS
100 renegotiations when built with BoringSSL. Renegotiating is non-compliant
101 with HTTP/2 and "an extremely dangerous protocol feature". Beware.
102
103#define ALLOW_RENEG 1
104 */
105
106#ifndef OPENSSL_VERSION_NUMBER
107#error "OPENSSL_VERSION_NUMBER not defined"
108#endif
109
110#ifdef USE_OPENSSL_ENGINE
111#include <openssl/ui.h>
112#endif
113
114#if OPENSSL_VERSION_NUMBER >= 0x00909000L
115#define SSL_METHOD_QUAL const
116#else
117#define SSL_METHOD_QUAL
118#endif
119
120#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
121#define HAVE_ERR_REMOVE_THREAD_STATE 1
122#endif
123
124#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
125 !(defined(LIBRESSL_VERSION_NUMBER) && \
126 LIBRESSL_VERSION_NUMBER < 0x20700000L)
127#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
128#define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
129#define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
130#define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
131#define CONST_EXTS const
132#define HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED 1
133
134/* funny typecast define due to difference in API */
135#ifdef LIBRESSL_VERSION_NUMBER
136#define ARG2_X509_signature_print (X509_ALGOR *)
137#else
138#define ARG2_X509_signature_print
139#endif
140
141#else
142/* For OpenSSL before 1.1.0 */
143#define ASN1_STRING_get0_data(x) ASN1_STRING_data(x)
144#define X509_get0_notBefore(x) X509_get_notBefore(x)
145#define X509_get0_notAfter(x) X509_get_notAfter(x)
146#define CONST_EXTS /* nope */
147#ifndef LIBRESSL_VERSION_NUMBER
148#define OpenSSL_version_num() SSLeay()
149#endif
150#endif
151
152#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
153 !(defined(LIBRESSL_VERSION_NUMBER) && \
154 LIBRESSL_VERSION_NUMBER < 0x20700000L)
155#define HAVE_X509_GET0_SIGNATURE 1
156#endif
157
158#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) /* 1.0.2 or later */
159#define HAVE_SSL_GET_SHUTDOWN 1
160#endif
161
162#if OPENSSL_VERSION_NUMBER >= 0x10002003L && \
163 OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \
164 !defined(OPENSSL_NO_COMP)
165#define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1
166#endif
167
168#if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
169/* not present in older OpenSSL */
170#define OPENSSL_load_builtin_modules(x)
171#endif
172
173#if (OPENSSL_VERSION_NUMBER >= 0x30000000L)
174#define HAVE_EVP_PKEY_GET_PARAMS 1
175#else
176#define SSL_get1_peer_certificate SSL_get_peer_certificate
177#endif
178
179#ifdef HAVE_EVP_PKEY_GET_PARAMS
180#include <openssl/core_names.h>
181#define DECLARE_PKEY_PARAM_BIGNUM(name) BIGNUM *name = NULL
182#define FREE_PKEY_PARAM_BIGNUM(name) BN_clear_free(name)
183#else
184#define DECLARE_PKEY_PARAM_BIGNUM(name) const BIGNUM *name
185#define FREE_PKEY_PARAM_BIGNUM(name)
186#endif
187
188/*
189 * Whether SSL_CTX_set_keylog_callback is available.
190 * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
191 * BoringSSL: supported since d28f59c27bac (committed 2015-11-19)
192 * LibreSSL: unsupported in at least 2.7.2 (explicitly check for it since it
193 * lies and pretends to be OpenSSL 2.0.0).
194 */
195#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
196 !defined(LIBRESSL_VERSION_NUMBER)) || \
197 defined(OPENSSL_IS_BORINGSSL)
198#define HAVE_KEYLOG_CALLBACK
199#endif
200
201/* Whether SSL_CTX_set_ciphersuites is available.
202 * OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
203 * BoringSSL: no
204 * LibreSSL: no
205 */
206#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
207 !defined(LIBRESSL_VERSION_NUMBER) && \
208 !defined(OPENSSL_IS_BORINGSSL))
209#define HAVE_SSL_CTX_SET_CIPHERSUITES
210#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
211#endif
212
213/*
214 * Whether SSL_CTX_set1_curves_list is available.
215 * OpenSSL: supported since 1.0.2, see
216 * https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html
217 * BoringSSL: supported since 5fd1807d95f7 (committed 2016-09-30)
218 * LibreSSL: since 2.5.3 (April 12, 2017)
219 */
220#if (OPENSSL_VERSION_NUMBER >= 0x10002000L) || \
221 defined(OPENSSL_IS_BORINGSSL)
222#define HAVE_SSL_CTX_SET_EC_CURVES
223#endif
224
225#if defined(LIBRESSL_VERSION_NUMBER)
226#define OSSL_PACKAGE "LibreSSL"
227#elif defined(OPENSSL_IS_BORINGSSL)
228#define OSSL_PACKAGE "BoringSSL"
229#else
230#define OSSL_PACKAGE "OpenSSL"
231#endif
232
233#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
234/* up2date versions of OpenSSL maintain reasonably secure defaults without
235 * breaking compatibility, so it is better not to override the defaults in curl
236 */
237#define DEFAULT_CIPHER_SELECTION NULL
238#else
239/* ... but it is not the case with old versions of OpenSSL */
240#define DEFAULT_CIPHER_SELECTION \
241 "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
242#endif
243
244#ifdef HAVE_OPENSSL_SRP
245/* the function exists */
246#ifdef USE_TLS_SRP
247/* the functionality is not disabled */
248#define USE_OPENSSL_SRP
249#endif
250#endif
251
252#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
253#define HAVE_RANDOM_INIT_BY_DEFAULT 1
254#endif
255
256#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
257 !(defined(LIBRESSL_VERSION_NUMBER) && \
258 LIBRESSL_VERSION_NUMBER < 0x2070100fL) && \
259 !defined(OPENSSL_IS_BORINGSSL)
260#define HAVE_OPENSSL_VERSION
261#endif
262
263struct ssl_backend_data {
264 struct Curl_easy *logger; /* transfer handle to pass trace logs to, only
265 using sockindex 0 */
266 /* these ones requires specific SSL-types */
267 SSL_CTX* ctx;
268 SSL* handle;
269 X509* server_cert;
270#ifndef HAVE_KEYLOG_CALLBACK
271 /* Set to true once a valid keylog entry has been created to avoid dupes. */
272 bool keylog_done;
273#endif
274};
275
276static bool ossl_associate_connection(struct Curl_easy *data,
277 struct connectdata *conn,
278 int sockindex);
279
280/*
281 * Number of bytes to read from the random number seed file. This must be
282 * a finite value (because some entropy "files" like /dev/urandom have
283 * an infinite length), but must be large enough to provide enough
284 * entropy to properly seed OpenSSL's PRNG.
285 */
286#define RAND_LOAD_LENGTH 1024
287
288#ifdef HAVE_KEYLOG_CALLBACK
289static void ossl_keylog_callback(const SSL *ssl, const char *line)
290{
291 (void)ssl;
292
293 Curl_tls_keylog_write_line(line);
294}
295#else
296/*
297 * ossl_log_tls12_secret is called by libcurl to make the CLIENT_RANDOMs if the
298 * OpenSSL being used doesn't have native support for doing that.
299 */
300static void
301ossl_log_tls12_secret(const SSL *ssl, bool *keylog_done)
302{
303 const SSL_SESSION *session = SSL_get_session(ssl);
304 unsigned char client_random[SSL3_RANDOM_SIZE];
305 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
306 int master_key_length = 0;
307
308 if(!session || *keylog_done)
309 return;
310
311#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
312 !(defined(LIBRESSL_VERSION_NUMBER) && \
313 LIBRESSL_VERSION_NUMBER < 0x20700000L)
314 /* ssl->s3 is not checked in openssl 1.1.0-pre6, but let's assume that
315 * we have a valid SSL context if we have a non-NULL session. */
316 SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
317 master_key_length = (int)
318 SSL_SESSION_get_master_key(session, master_key, SSL_MAX_MASTER_KEY_LENGTH);
319#else
320 if(ssl->s3 && session->master_key_length > 0) {
321 master_key_length = session->master_key_length;
322 memcpy(master_key, session->master_key, session->master_key_length);
323 memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE);
324 }
325#endif
326
327 /* The handshake has not progressed sufficiently yet, or this is a TLS 1.3
328 * session (when curl was built with older OpenSSL headers and running with
329 * newer OpenSSL runtime libraries). */
330 if(master_key_length <= 0)
331 return;
332
333 *keylog_done = true;
334 Curl_tls_keylog_write("CLIENT_RANDOM", client_random,
335 master_key, master_key_length);
336}
337#endif /* !HAVE_KEYLOG_CALLBACK */
338
339static const char *SSL_ERROR_to_str(int err)
340{
341 switch(err) {
342 case SSL_ERROR_NONE:
343 return "SSL_ERROR_NONE";
344 case SSL_ERROR_SSL:
345 return "SSL_ERROR_SSL";
346 case SSL_ERROR_WANT_READ:
347 return "SSL_ERROR_WANT_READ";
348 case SSL_ERROR_WANT_WRITE:
349 return "SSL_ERROR_WANT_WRITE";
350 case SSL_ERROR_WANT_X509_LOOKUP:
351 return "SSL_ERROR_WANT_X509_LOOKUP";
352 case SSL_ERROR_SYSCALL:
353 return "SSL_ERROR_SYSCALL";
354 case SSL_ERROR_ZERO_RETURN:
355 return "SSL_ERROR_ZERO_RETURN";
356 case SSL_ERROR_WANT_CONNECT:
357 return "SSL_ERROR_WANT_CONNECT";
358 case SSL_ERROR_WANT_ACCEPT:
359 return "SSL_ERROR_WANT_ACCEPT";
360#if defined(SSL_ERROR_WANT_ASYNC)
361 case SSL_ERROR_WANT_ASYNC:
362 return "SSL_ERROR_WANT_ASYNC";
363#endif
364#if defined(SSL_ERROR_WANT_ASYNC_JOB)
365 case SSL_ERROR_WANT_ASYNC_JOB:
366 return "SSL_ERROR_WANT_ASYNC_JOB";
367#endif
368#if defined(SSL_ERROR_WANT_EARLY)
369 case SSL_ERROR_WANT_EARLY:
370 return "SSL_ERROR_WANT_EARLY";
371#endif
372 default:
373 return "SSL_ERROR unknown";
374 }
375}
376
377/* Return error string for last OpenSSL error
378 */
379static char *ossl_strerror(unsigned long error, char *buf, size_t size)
380{
381 if(size)
382 *buf = '\0';
383
384#ifdef OPENSSL_IS_BORINGSSL
385 ERR_error_string_n((uint32_t)error, buf, size);
386#else
387 ERR_error_string_n(error, buf, size);
388#endif
389
390 if(size > 1 && !*buf) {
391 strncpy(buf, (error ? "Unknown error" : "No error"), size);
392 buf[size - 1] = '\0';
393 }
394
395 return buf;
396}
397
398/* Return an extra data index for the transfer data.
399 * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
400 */
401static int ossl_get_ssl_data_index(void)
402{
403 static int ssl_ex_data_data_index = -1;
404 if(ssl_ex_data_data_index < 0) {
405 ssl_ex_data_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
406 }
407 return ssl_ex_data_data_index;
408}
409
410/* Return an extra data index for the connection data.
411 * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
412 */
413static int ossl_get_ssl_conn_index(void)
414{
415 static int ssl_ex_data_conn_index = -1;
416 if(ssl_ex_data_conn_index < 0) {
417 ssl_ex_data_conn_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
418 }
419 return ssl_ex_data_conn_index;
420}
421
422/* Return an extra data index for the sockindex.
423 * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
424 */
425static int ossl_get_ssl_sockindex_index(void)
426{
427 static int sockindex_index = -1;
428 if(sockindex_index < 0) {
429 sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
430 }
431 return sockindex_index;
432}
433
434/* Return an extra data index for proxy boolean.
435 * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
436 */
437static int ossl_get_proxy_index(void)
438{
439 static int proxy_index = -1;
440 if(proxy_index < 0) {
441 proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
442 }
443 return proxy_index;
444}
445
446static int passwd_callback(char *buf, int num, int encrypting,
447 void *global_passwd)
448{
449 DEBUGASSERT(0 == encrypting);
450
451 if(!encrypting) {
452 int klen = curlx_uztosi(strlen((char *)global_passwd));
453 if(num > klen) {
454 memcpy(buf, global_passwd, klen + 1);
455 return klen;
456 }
457 }
458 return 0;
459}
460
461/*
462 * rand_enough() returns TRUE if we have seeded the random engine properly.
463 */
464static bool rand_enough(void)
465{
466 return (0 != RAND_status()) ? TRUE : FALSE;
467}
468
469static CURLcode ossl_seed(struct Curl_easy *data)
470{
471 /* This might get called before it has been added to a multi handle */
472 if(data->multi && data->multi->ssl_seeded)
473 return CURLE_OK;
474
475 if(rand_enough()) {
476 /* OpenSSL 1.1.0+ should return here */
477 if(data->multi)
478 data->multi->ssl_seeded = TRUE;
479 return CURLE_OK;
480 }
481#ifdef HAVE_RANDOM_INIT_BY_DEFAULT
482 /* with OpenSSL 1.1.0+, a failed RAND_status is a showstopper */
483 failf(data, "Insufficient randomness");
484 return CURLE_SSL_CONNECT_ERROR;
485#else
486
487#ifndef RANDOM_FILE
488 /* if RANDOM_FILE isn't defined, we only perform this if an option tells
489 us to! */
490 if(data->set.str[STRING_SSL_RANDOM_FILE])
491#define RANDOM_FILE "" /* doesn't matter won't be used */
492#endif
493 {
494 /* let the option override the define */
495 RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
496 data->set.str[STRING_SSL_RANDOM_FILE]:
497 RANDOM_FILE),
498 RAND_LOAD_LENGTH);
499 if(rand_enough())
500 return CURLE_OK;
501 }
502
503#if defined(HAVE_RAND_EGD)
504 /* only available in OpenSSL 0.9.5 and later */
505 /* EGD_SOCKET is set at configure time or not at all */
506#ifndef EGD_SOCKET
507 /* If we don't have the define set, we only do this if the egd-option
508 is set */
509 if(data->set.str[STRING_SSL_EGDSOCKET])
510#define EGD_SOCKET "" /* doesn't matter won't be used */
511#endif
512 {
513 /* If there's an option and a define, the option overrides the
514 define */
515 int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
516 data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
517 if(-1 != ret) {
518 if(rand_enough())
519 return CURLE_OK;
520 }
521 }
522#endif
523
524 /* fallback to a custom seeding of the PRNG using a hash based on a current
525 time */
526 do {
527 unsigned char randb[64];
528 size_t len = sizeof(randb);
529 size_t i, i_max;
530 for(i = 0, i_max = len / sizeof(struct curltime); i < i_max; ++i) {
531 struct curltime tv = Curl_now();
532 Curl_wait_ms(1);
533 tv.tv_sec *= i + 1;
534 tv.tv_usec *= (unsigned int)i + 2;
535 tv.tv_sec ^= ((Curl_now().tv_sec + Curl_now().tv_usec) *
536 (i + 3)) << 8;
537 tv.tv_usec ^= (unsigned int) ((Curl_now().tv_sec +
538 Curl_now().tv_usec) *
539 (i + 4)) << 16;
540 memcpy(&randb[i * sizeof(struct curltime)], &tv,
541 sizeof(struct curltime));
542 }
543 RAND_add(randb, (int)len, (double)len/2);
544 } while(!rand_enough());
545
546 {
547 /* generates a default path for the random seed file */
548 char fname[256];
549 fname[0] = 0; /* blank it first */
550 RAND_file_name(fname, sizeof(fname));
551 if(fname[0]) {
552 /* we got a file name to try */
553 RAND_load_file(fname, RAND_LOAD_LENGTH);
554 if(rand_enough())
555 return CURLE_OK;
556 }
557 }
558
559 infof(data, "libcurl is now using a weak random seed");
560 return (rand_enough() ? CURLE_OK :
561 CURLE_SSL_CONNECT_ERROR /* confusing error code */);
562#endif
563}
564
565#ifndef SSL_FILETYPE_ENGINE
566#define SSL_FILETYPE_ENGINE 42
567#endif
568#ifndef SSL_FILETYPE_PKCS12
569#define SSL_FILETYPE_PKCS12 43
570#endif
571static int do_file_type(const char *type)
572{
573 if(!type || !type[0])
574 return SSL_FILETYPE_PEM;
575 if(strcasecompare(type, "PEM"))
576 return SSL_FILETYPE_PEM;
577 if(strcasecompare(type, "DER"))
578 return SSL_FILETYPE_ASN1;
579 if(strcasecompare(type, "ENG"))
580 return SSL_FILETYPE_ENGINE;
581 if(strcasecompare(type, "P12"))
582 return SSL_FILETYPE_PKCS12;
583 return -1;
584}
585
586#ifdef USE_OPENSSL_ENGINE
587/*
588 * Supply default password to the engine user interface conversation.
589 * The password is passed by OpenSSL engine from ENGINE_load_private_key()
590 * last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
591 */
592static int ssl_ui_reader(UI *ui, UI_STRING *uis)
593{
594 const char *password;
595 switch(UI_get_string_type(uis)) {
596 case UIT_PROMPT:
597 case UIT_VERIFY:
598 password = (const char *)UI_get0_user_data(ui);
599 if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
600 UI_set_result(ui, uis, password);
601 return 1;
602 }
603 default:
604 break;
605 }
606 return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
607}
608
609/*
610 * Suppress interactive request for a default password if available.
611 */
612static int ssl_ui_writer(UI *ui, UI_STRING *uis)
613{
614 switch(UI_get_string_type(uis)) {
615 case UIT_PROMPT:
616 case UIT_VERIFY:
617 if(UI_get0_user_data(ui) &&
618 (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
619 return 1;
620 }
621 default:
622 break;
623 }
624 return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
625}
626
627/*
628 * Check if a given string is a PKCS#11 URI
629 */
630static bool is_pkcs11_uri(const char *string)
631{
632 return (string && strncasecompare(string, "pkcs11:", 7));
633}
634
635#endif
636
637static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine);
638
639static int
640SSL_CTX_use_certificate_blob(SSL_CTX *ctx, const struct curl_blob *blob,
641 int type, const char *key_passwd)
642{
643 int ret = 0;
644 X509 *x = NULL;
645 /* the typecast of blob->len is fine since it is guaranteed to never be
646 larger than CURL_MAX_INPUT_LENGTH */
647 BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
648 if(!in)
649 return CURLE_OUT_OF_MEMORY;
650
651 if(type == SSL_FILETYPE_ASN1) {
652 /* j = ERR_R_ASN1_LIB; */
653 x = d2i_X509_bio(in, NULL);
654 }
655 else if(type == SSL_FILETYPE_PEM) {
656 /* ERR_R_PEM_LIB; */
657 x = PEM_read_bio_X509(in, NULL,
658 passwd_callback, (void *)key_passwd);
659 }
660 else {
661 ret = 0;
662 goto end;
663 }
664
665 if(!x) {
666 ret = 0;
667 goto end;
668 }
669
670 ret = SSL_CTX_use_certificate(ctx, x);
671 end:
672 X509_free(x);
673 BIO_free(in);
674 return ret;
675}
676
677static int
678SSL_CTX_use_PrivateKey_blob(SSL_CTX *ctx, const struct curl_blob *blob,
679 int type, const char *key_passwd)
680{
681 int ret = 0;
682 EVP_PKEY *pkey = NULL;
683 BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
684 if(!in)
685 return CURLE_OUT_OF_MEMORY;
686
687 if(type == SSL_FILETYPE_PEM)
688 pkey = PEM_read_bio_PrivateKey(in, NULL, passwd_callback,
689 (void *)key_passwd);
690 else if(type == SSL_FILETYPE_ASN1)
691 pkey = d2i_PrivateKey_bio(in, NULL);
692 else {
693 ret = 0;
694 goto end;
695 }
696 if(!pkey) {
697 ret = 0;
698 goto end;
699 }
700 ret = SSL_CTX_use_PrivateKey(ctx, pkey);
701 EVP_PKEY_free(pkey);
702 end:
703 BIO_free(in);
704 return ret;
705}
706
707static int
708SSL_CTX_use_certificate_chain_blob(SSL_CTX *ctx, const struct curl_blob *blob,
709 const char *key_passwd)
710{
711/* SSL_CTX_add1_chain_cert introduced in OpenSSL 1.0.2 */
712#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* OpenSSL 1.0.2 or later */ \
713 !(defined(LIBRESSL_VERSION_NUMBER) && \
714 (LIBRESSL_VERSION_NUMBER < 0x2090100fL)) /* LibreSSL 2.9.1 or later */
715 int ret = 0;
716 X509 *x = NULL;
717 void *passwd_callback_userdata = (void *)key_passwd;
718 BIO *in = BIO_new_mem_buf(blob->data, (int)(blob->len));
719 if(!in)
720 return CURLE_OUT_OF_MEMORY;
721
722 ERR_clear_error();
723
724 x = PEM_read_bio_X509_AUX(in, NULL,
725 passwd_callback, (void *)key_passwd);
726
727 if(!x) {
728 ret = 0;
729 goto end;
730 }
731
732 ret = SSL_CTX_use_certificate(ctx, x);
733
734 if(ERR_peek_error() != 0)
735 ret = 0;
736
737 if(ret) {
738 X509 *ca;
739 unsigned long err;
740
741 if(!SSL_CTX_clear_chain_certs(ctx)) {
742 ret = 0;
743 goto end;
744 }
745
746 while((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
747 passwd_callback_userdata))
748 != NULL) {
749
750 if(!SSL_CTX_add0_chain_cert(ctx, ca)) {
751 X509_free(ca);
752 ret = 0;
753 goto end;
754 }
755 }
756
757 err = ERR_peek_last_error();
758 if((ERR_GET_LIB(err) == ERR_LIB_PEM) &&
759 (ERR_GET_REASON(err) == PEM_R_NO_START_LINE))
760 ERR_clear_error();
761 else
762 ret = 0;
763 }
764
765 end:
766 X509_free(x);
767 BIO_free(in);
768 return ret;
769#else
770 (void)ctx; /* unused */
771 (void)blob; /* unused */
772 (void)key_passwd; /* unused */
773 return 0;
774#endif
775}
776
777static
778int cert_stuff(struct Curl_easy *data,
779 SSL_CTX* ctx,
780 char *cert_file,
781 const struct curl_blob *cert_blob,
782 const char *cert_type,
783 char *key_file,
784 const struct curl_blob *key_blob,
785 const char *key_type,
786 char *key_passwd)
787{
788 char error_buffer[256];
789 bool check_privkey = TRUE;
790
791 int file_type = do_file_type(cert_type);
792
793 if(cert_file || cert_blob || (file_type == SSL_FILETYPE_ENGINE)) {
794 SSL *ssl;
795 X509 *x509;
796 int cert_done = 0;
797 int cert_use_result;
798
799 if(key_passwd) {
800 /* set the password in the callback userdata */
801 SSL_CTX_set_default_passwd_cb_userdata(ctx, key_passwd);
802 /* Set passwd callback: */
803 SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
804 }
805
806
807 switch(file_type) {
808 case SSL_FILETYPE_PEM:
809 /* SSL_CTX_use_certificate_chain_file() only works on PEM files */
810 cert_use_result = cert_blob ?
811 SSL_CTX_use_certificate_chain_blob(ctx, cert_blob, key_passwd) :
812 SSL_CTX_use_certificate_chain_file(ctx, cert_file);
813 if(cert_use_result != 1) {
814 failf(data,
815 "could not load PEM client certificate, " OSSL_PACKAGE
816 " error %s, "
817 "(no key found, wrong pass phrase, or wrong file format?)",
818 ossl_strerror(ERR_get_error(), error_buffer,
819 sizeof(error_buffer)) );
820 return 0;
821 }
822 break;
823
824 case SSL_FILETYPE_ASN1:
825 /* SSL_CTX_use_certificate_file() works with either PEM or ASN1, but
826 we use the case above for PEM so this can only be performed with
827 ASN1 files. */
828
829 cert_use_result = cert_blob ?
830 SSL_CTX_use_certificate_blob(ctx, cert_blob,
831 file_type, key_passwd) :
832 SSL_CTX_use_certificate_file(ctx, cert_file, file_type);
833 if(cert_use_result != 1) {
834 failf(data,
835 "could not load ASN1 client certificate, " OSSL_PACKAGE
836 " error %s, "
837 "(no key found, wrong pass phrase, or wrong file format?)",
838 ossl_strerror(ERR_get_error(), error_buffer,
839 sizeof(error_buffer)) );
840 return 0;
841 }
842 break;
843 case SSL_FILETYPE_ENGINE:
844#if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
845 {
846 /* Implicitly use pkcs11 engine if none was provided and the
847 * cert_file is a PKCS#11 URI */
848 if(!data->state.engine) {
849 if(is_pkcs11_uri(cert_file)) {
850 if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
851 return 0;
852 }
853 }
854 }
855
856 if(data->state.engine) {
857 const char *cmd_name = "LOAD_CERT_CTRL";
858 struct {
859 const char *cert_id;
860 X509 *cert;
861 } params;
862
863 params.cert_id = cert_file;
864 params.cert = NULL;
865
866 /* Does the engine supports LOAD_CERT_CTRL ? */
867 if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
868 0, (void *)cmd_name, NULL)) {
869 failf(data, "ssl engine does not support loading certificates");
870 return 0;
871 }
872
873 /* Load the certificate from the engine */
874 if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
875 0, &params, NULL, 1)) {
876 failf(data, "ssl engine cannot load client cert with id"
877 " '%s' [%s]", cert_file,
878 ossl_strerror(ERR_get_error(), error_buffer,
879 sizeof(error_buffer)));
880 return 0;
881 }
882
883 if(!params.cert) {
884 failf(data, "ssl engine didn't initialized the certificate "
885 "properly.");
886 return 0;
887 }
888
889 if(SSL_CTX_use_certificate(ctx, params.cert) != 1) {
890 failf(data, "unable to set client certificate");
891 X509_free(params.cert);
892 return 0;
893 }
894 X509_free(params.cert); /* we don't need the handle any more... */
895 }
896 else {
897 failf(data, "crypto engine not set, can't load certificate");
898 return 0;
899 }
900 }
901 break;
902#else
903 failf(data, "file type ENG for certificate not implemented");
904 return 0;
905#endif
906
907 case SSL_FILETYPE_PKCS12:
908 {
909 BIO *cert_bio = NULL;
910 PKCS12 *p12 = NULL;
911 EVP_PKEY *pri;
912 STACK_OF(X509) *ca = NULL;
913 if(cert_blob) {
914 cert_bio = BIO_new_mem_buf(cert_blob->data, (int)(cert_blob->len));
915 if(!cert_bio) {
916 failf(data,
917 "BIO_new_mem_buf NULL, " OSSL_PACKAGE
918 " error %s",
919 ossl_strerror(ERR_get_error(), error_buffer,
920 sizeof(error_buffer)) );
921 return 0;
922 }
923 }
924 else {
925 cert_bio = BIO_new(BIO_s_file());
926 if(!cert_bio) {
927 failf(data,
928 "BIO_new return NULL, " OSSL_PACKAGE
929 " error %s",
930 ossl_strerror(ERR_get_error(), error_buffer,
931 sizeof(error_buffer)) );
932 return 0;
933 }
934
935 if(BIO_read_filename(cert_bio, cert_file) <= 0) {
936 failf(data, "could not open PKCS12 file '%s'", cert_file);
937 BIO_free(cert_bio);
938 return 0;
939 }
940 }
941
942 p12 = d2i_PKCS12_bio(cert_bio, NULL);
943 BIO_free(cert_bio);
944
945 if(!p12) {
946 failf(data, "error reading PKCS12 file '%s'",
947 cert_blob ? "(memory blob)" : cert_file);
948 return 0;
949 }
950
951 PKCS12_PBE_add();
952
953 if(!PKCS12_parse(p12, key_passwd, &pri, &x509,
954 &ca)) {
955 failf(data,
956 "could not parse PKCS12 file, check password, " OSSL_PACKAGE
957 " error %s",
958 ossl_strerror(ERR_get_error(), error_buffer,
959 sizeof(error_buffer)) );
960 PKCS12_free(p12);
961 return 0;
962 }
963
964 PKCS12_free(p12);
965
966 if(SSL_CTX_use_certificate(ctx, x509) != 1) {
967 failf(data,
968 "could not load PKCS12 client certificate, " OSSL_PACKAGE
969 " error %s",
970 ossl_strerror(ERR_get_error(), error_buffer,
971 sizeof(error_buffer)) );
972 goto fail;
973 }
974
975 if(SSL_CTX_use_PrivateKey(ctx, pri) != 1) {
976 failf(data, "unable to use private key from PKCS12 file '%s'",
977 cert_file);
978 goto fail;
979 }
980
981 if(!SSL_CTX_check_private_key (ctx)) {
982 failf(data, "private key from PKCS12 file '%s' "
983 "does not match certificate in same file", cert_file);
984 goto fail;
985 }
986 /* Set Certificate Verification chain */
987 if(ca) {
988 while(sk_X509_num(ca)) {
989 /*
990 * Note that sk_X509_pop() is used below to make sure the cert is
991 * removed from the stack properly before getting passed to
992 * SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
993 * we used sk_X509_value() instead, but then we'd clean it in the
994 * subsequent sk_X509_pop_free() call.
995 */
996 X509 *x = sk_X509_pop(ca);
997 if(!SSL_CTX_add_client_CA(ctx, x)) {
998 X509_free(x);
999 failf(data, "cannot add certificate to client CA list");
1000 goto fail;
1001 }
1002 if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
1003 X509_free(x);
1004 failf(data, "cannot add certificate to certificate chain");
1005 goto fail;
1006 }
1007 }
1008 }
1009
1010 cert_done = 1;
1011 fail:
1012 EVP_PKEY_free(pri);
1013 X509_free(x509);
1014#ifdef USE_AMISSL
1015 sk_X509_pop_free(ca, Curl_amiga_X509_free);
1016#else
1017 sk_X509_pop_free(ca, X509_free);
1018#endif
1019 if(!cert_done)
1020 return 0; /* failure! */
1021 break;
1022 }
1023 default:
1024 failf(data, "not supported file type '%s' for certificate", cert_type);
1025 return 0;
1026 }
1027
1028 if((!key_file) && (!key_blob)) {
1029 key_file = cert_file;
1030 key_blob = cert_blob;
1031 }
1032 else
1033 file_type = do_file_type(key_type);
1034
1035 switch(file_type) {
1036 case SSL_FILETYPE_PEM:
1037 if(cert_done)
1038 break;
1039 /* FALLTHROUGH */
1040 case SSL_FILETYPE_ASN1:
1041 cert_use_result = key_blob ?
1042 SSL_CTX_use_PrivateKey_blob(ctx, key_blob, file_type, key_passwd) :
1043 SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type);
1044 if(cert_use_result != 1) {
1045 failf(data, "unable to set private key file: '%s' type %s",
1046 key_file?key_file:"(memory blob)", key_type?key_type:"PEM");
1047 return 0;
1048 }
1049 break;
1050 case SSL_FILETYPE_ENGINE:
1051#ifdef USE_OPENSSL_ENGINE
1052 { /* XXXX still needs some work */
1053 EVP_PKEY *priv_key = NULL;
1054
1055 /* Implicitly use pkcs11 engine if none was provided and the
1056 * key_file is a PKCS#11 URI */
1057 if(!data->state.engine) {
1058 if(is_pkcs11_uri(key_file)) {
1059 if(ossl_set_engine(data, "pkcs11") != CURLE_OK) {
1060 return 0;
1061 }
1062 }
1063 }
1064
1065 if(data->state.engine) {
1066 UI_METHOD *ui_method =
1067 UI_create_method((char *)"curl user interface");
1068 if(!ui_method) {
1069 failf(data, "unable do create " OSSL_PACKAGE
1070 " user-interface method");
1071 return 0;
1072 }
1073 UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
1074 UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
1075 UI_method_set_reader(ui_method, ssl_ui_reader);
1076 UI_method_set_writer(ui_method, ssl_ui_writer);
1077 /* the typecast below was added to please mingw32 */
1078 priv_key = (EVP_PKEY *)
1079 ENGINE_load_private_key(data->state.engine, key_file,
1080 ui_method,
1081 key_passwd);
1082 UI_destroy_method(ui_method);
1083 if(!priv_key) {
1084 failf(data, "failed to load private key from crypto engine");
1085 return 0;
1086 }
1087 if(SSL_CTX_use_PrivateKey(ctx, priv_key) != 1) {
1088 failf(data, "unable to set private key");
1089 EVP_PKEY_free(priv_key);
1090 return 0;
1091 }
1092 EVP_PKEY_free(priv_key); /* we don't need the handle any more... */
1093 }
1094 else {
1095 failf(data, "crypto engine not set, can't load private key");
1096 return 0;
1097 }
1098 }
1099 break;
1100#else
1101 failf(data, "file type ENG for private key not supported");
1102 return 0;
1103#endif
1104 case SSL_FILETYPE_PKCS12:
1105 if(!cert_done) {
1106 failf(data, "file type P12 for private key not supported");
1107 return 0;
1108 }
1109 break;
1110 default:
1111 failf(data, "not supported file type for private key");
1112 return 0;
1113 }
1114
1115 ssl = SSL_new(ctx);
1116 if(!ssl) {
1117 failf(data, "unable to create an SSL structure");
1118 return 0;
1119 }
1120
1121 x509 = SSL_get_certificate(ssl);
1122
1123 /* This version was provided by Evan Jordan and is supposed to not
1124 leak memory as the previous version: */
1125 if(x509) {
1126 EVP_PKEY *pktmp = X509_get_pubkey(x509);
1127 EVP_PKEY_copy_parameters(pktmp, SSL_get_privatekey(ssl));
1128 EVP_PKEY_free(pktmp);
1129 }
1130
1131#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_IS_BORINGSSL) && \
1132 !defined(OPENSSL_NO_DEPRECATED_3_0)
1133 {
1134 /* If RSA is used, don't check the private key if its flags indicate
1135 * it doesn't support it. */
1136 EVP_PKEY *priv_key = SSL_get_privatekey(ssl);
1137 int pktype;
1138#ifdef HAVE_OPAQUE_EVP_PKEY
1139 pktype = EVP_PKEY_id(priv_key);
1140#else
1141 pktype = priv_key->type;
1142#endif
1143 if(pktype == EVP_PKEY_RSA) {
1144 RSA *rsa = EVP_PKEY_get1_RSA(priv_key);
1145 if(RSA_flags(rsa) & RSA_METHOD_FLAG_NO_CHECK)
1146 check_privkey = FALSE;
1147 RSA_free(rsa); /* Decrement reference count */
1148 }
1149 }
1150#endif
1151
1152 SSL_free(ssl);
1153
1154 /* If we are using DSA, we can copy the parameters from
1155 * the private key */
1156
1157 if(check_privkey == TRUE) {
1158 /* Now we know that a key and cert have been set against
1159 * the SSL context */
1160 if(!SSL_CTX_check_private_key(ctx)) {
1161 failf(data, "Private key does not match the certificate public key");
1162 return 0;
1163 }
1164 }
1165 }
1166 return 1;
1167}
1168
1169CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data, SSL_CTX *ctx,
1170 char *cert_file,
1171 const struct curl_blob *cert_blob,
1172 const char *cert_type, char *key_file,
1173 const struct curl_blob *key_blob,
1174 const char *key_type, char *key_passwd)
1175{
1176 int rv = cert_stuff(data, ctx, cert_file, cert_blob, cert_type, key_file,
1177 key_blob, key_type, key_passwd);
1178 if(rv != 1) {
1179 return CURLE_SSL_CERTPROBLEM;
1180 }
1181
1182 return CURLE_OK;
1183}
1184
1185/* returns non-zero on failure */
1186static int x509_name_oneline(X509_NAME *a, char *buf, size_t size)
1187{
1188 BIO *bio_out = BIO_new(BIO_s_mem());
1189 BUF_MEM *biomem;
1190 int rc;
1191
1192 if(!bio_out)
1193 return 1; /* alloc failed! */
1194
1195 rc = X509_NAME_print_ex(bio_out, a, 0, XN_FLAG_SEP_SPLUS_SPC);
1196 BIO_get_mem_ptr(bio_out, &biomem);
1197
1198 if((size_t)biomem->length < size)
1199 size = biomem->length;
1200 else
1201 size--; /* don't overwrite the buffer end */
1202
1203 memcpy(buf, biomem->data, size);
1204 buf[size] = 0;
1205
1206 BIO_free(bio_out);
1207
1208 return !rc;
1209}
1210
1211/**
1212 * Global SSL init
1213 *
1214 * @retval 0 error initializing SSL
1215 * @retval 1 SSL initialized successfully
1216 */
1217static int ossl_init(void)
1218{
1219#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
1220 !defined(LIBRESSL_VERSION_NUMBER)
1221 const uint64_t flags =
1222#ifdef OPENSSL_INIT_ENGINE_ALL_BUILTIN
1223 /* not present in BoringSSL */
1224 OPENSSL_INIT_ENGINE_ALL_BUILTIN |
1225#endif
1226#ifdef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
1227 OPENSSL_INIT_NO_LOAD_CONFIG |
1228#else
1229 OPENSSL_INIT_LOAD_CONFIG |
1230#endif
1231 0;
1232 OPENSSL_init_ssl(flags, NULL);
1233#else
1234 OPENSSL_load_builtin_modules();
1235
1236#ifdef USE_OPENSSL_ENGINE
1237 ENGINE_load_builtin_engines();
1238#endif
1239
1240/* CONF_MFLAGS_DEFAULT_SECTION was introduced some time between 0.9.8b and
1241 0.9.8e */
1242#ifndef CONF_MFLAGS_DEFAULT_SECTION
1243#define CONF_MFLAGS_DEFAULT_SECTION 0x0
1244#endif
1245
1246#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
1247 CONF_modules_load_file(NULL, NULL,
1248 CONF_MFLAGS_DEFAULT_SECTION|
1249 CONF_MFLAGS_IGNORE_MISSING_FILE);
1250#endif
1251
1252 /* Let's get nice error messages */
1253 SSL_load_error_strings();
1254
1255 /* Init the global ciphers and digests */
1256 if(!SSLeay_add_ssl_algorithms())
1257 return 0;
1258
1259 OpenSSL_add_all_algorithms();
1260#endif
1261
1262 Curl_tls_keylog_open();
1263
1264 /* Initialize the extra data indexes */
1265 if(ossl_get_ssl_data_index() < 0 || ossl_get_ssl_conn_index() < 0 ||
1266 ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
1267 return 0;
1268
1269 return 1;
1270}
1271
1272/* Global cleanup */
1273static void ossl_cleanup(void)
1274{
1275#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
1276 !defined(LIBRESSL_VERSION_NUMBER)
1277 /* OpenSSL 1.1 deprecates all these cleanup functions and
1278 turns them into no-ops in OpenSSL 1.0 compatibility mode */
1279#else
1280 /* Free ciphers and digests lists */
1281 EVP_cleanup();
1282
1283#ifdef USE_OPENSSL_ENGINE
1284 /* Free engine list */
1285 ENGINE_cleanup();
1286#endif
1287
1288 /* Free OpenSSL error strings */
1289 ERR_free_strings();
1290
1291 /* Free thread local error state, destroying hash upon zero refcount */
1292#ifdef HAVE_ERR_REMOVE_THREAD_STATE
1293 ERR_remove_thread_state(NULL);
1294#else
1295 ERR_remove_state(0);
1296#endif
1297
1298 /* Free all memory allocated by all configuration modules */
1299 CONF_modules_free();
1300
1301#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
1302 SSL_COMP_free_compression_methods();
1303#endif
1304#endif
1305
1306 Curl_tls_keylog_close();
1307}
1308
1309/*
1310 * This function is used to determine connection status.
1311 *
1312 * Return codes:
1313 * 1 means the connection is still in place
1314 * 0 means the connection has been closed
1315 * -1 means the connection status is unknown
1316 */
1317static int ossl_check_cxn(struct connectdata *conn)
1318{
1319 /* SSL_peek takes data out of the raw recv buffer without peeking so we use
1320 recv MSG_PEEK instead. Bug #795 */
1321#ifdef MSG_PEEK
1322 char buf;
1323 ssize_t nread;
1324 nread = recv((RECV_TYPE_ARG1)conn->sock[FIRSTSOCKET], (RECV_TYPE_ARG2)&buf,
1325 (RECV_TYPE_ARG3)1, (RECV_TYPE_ARG4)MSG_PEEK);
1326 if(nread == 0)
1327 return 0; /* connection has been closed */
1328 if(nread == 1)
1329 return 1; /* connection still in place */
1330 else if(nread == -1) {
1331 int err = SOCKERRNO;
1332 if(err == EINPROGRESS ||
1333#if defined(EAGAIN) && (EAGAIN != EWOULDBLOCK)
1334 err == EAGAIN ||
1335#endif
1336 err == EWOULDBLOCK)
1337 return 1; /* connection still in place */
1338 if(err == ECONNRESET ||
1339#ifdef ECONNABORTED
1340 err == ECONNABORTED ||
1341#endif
1342#ifdef ENETDOWN
1343 err == ENETDOWN ||
1344#endif
1345#ifdef ENETRESET
1346 err == ENETRESET ||
1347#endif
1348#ifdef ESHUTDOWN
1349 err == ESHUTDOWN ||
1350#endif
1351#ifdef ETIMEDOUT
1352 err == ETIMEDOUT ||
1353#endif
1354 err == ENOTCONN)
1355 return 0; /* connection has been closed */
1356 }
1357#endif
1358 return -1; /* connection status unknown */
1359}
1360
1361/* Selects an OpenSSL crypto engine
1362 */
1363static CURLcode ossl_set_engine(struct Curl_easy *data, const char *engine)
1364{
1365#ifdef USE_OPENSSL_ENGINE
1366 ENGINE *e;
1367
1368#if OPENSSL_VERSION_NUMBER >= 0x00909000L
1369 e = ENGINE_by_id(engine);
1370#else
1371 /* avoid memory leak */
1372 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
1373 const char *e_id = ENGINE_get_id(e);
1374 if(!strcmp(engine, e_id))
1375 break;
1376 }
1377#endif
1378
1379 if(!e) {
1380 failf(data, "SSL Engine '%s' not found", engine);
1381 return CURLE_SSL_ENGINE_NOTFOUND;
1382 }
1383
1384 if(data->state.engine) {
1385 ENGINE_finish(data->state.engine);
1386 ENGINE_free(data->state.engine);
1387 data->state.engine = NULL;
1388 }
1389 if(!ENGINE_init(e)) {
1390 char buf[256];
1391
1392 ENGINE_free(e);
1393 failf(data, "Failed to initialise SSL Engine '%s': %s",
1394 engine, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
1395 return CURLE_SSL_ENGINE_INITFAILED;
1396 }
1397 data->state.engine = e;
1398 return CURLE_OK;
1399#else
1400 (void)engine;
1401 failf(data, "SSL Engine not supported");
1402 return CURLE_SSL_ENGINE_NOTFOUND;
1403#endif
1404}
1405
1406/* Sets engine as default for all SSL operations
1407 */
1408static CURLcode ossl_set_engine_default(struct Curl_easy *data)
1409{
1410#ifdef USE_OPENSSL_ENGINE
1411 if(data->state.engine) {
1412 if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > 0) {
1413 infof(data, "set default crypto engine '%s'",
1414 ENGINE_get_id(data->state.engine));
1415 }
1416 else {
1417 failf(data, "set default crypto engine '%s' failed",
1418 ENGINE_get_id(data->state.engine));
1419 return CURLE_SSL_ENGINE_SETFAILED;
1420 }
1421 }
1422#else
1423 (void) data;
1424#endif
1425 return CURLE_OK;
1426}
1427
1428/* Return list of OpenSSL crypto engine names.
1429 */
1430static struct curl_slist *ossl_engines_list(struct Curl_easy *data)
1431{
1432 struct curl_slist *list = NULL;
1433#ifdef USE_OPENSSL_ENGINE
1434 struct curl_slist *beg;
1435 ENGINE *e;
1436
1437 for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
1438 beg = curl_slist_append(list, ENGINE_get_id(e));
1439 if(!beg) {
1440 curl_slist_free_all(list);
1441 return NULL;
1442 }
1443 list = beg;
1444 }
1445#endif
1446 (void) data;
1447 return list;
1448}
1449
1450#define set_logger(conn, data) \
1451 conn->ssl[0].backend->logger = data
1452
1453static void ossl_closeone(struct Curl_easy *data,
1454 struct connectdata *conn,
1455 struct ssl_connect_data *connssl)
1456{
1457 struct ssl_backend_data *backend = connssl->backend;
1458
1459 DEBUGASSERT(backend);
1460
1461 if(backend->handle) {
1462 char buf[32];
1463 set_logger(conn, data);
1464 /*
1465 * The conn->sock[0] socket is passed to openssl with SSL_set_fd(). Make
1466 * sure the socket is not closed before calling OpenSSL functions that
1467 * will use it.
1468 */
1469 DEBUGASSERT(conn->sock[FIRSTSOCKET] != CURL_SOCKET_BAD);
1470
1471 /* Maybe the server has already sent a close notify alert.
1472 Read it to avoid an RST on the TCP connection. */
1473 (void)SSL_read(backend->handle, buf, (int)sizeof(buf));
1474
1475 (void)SSL_shutdown(backend->handle);
1476 SSL_set_connect_state(backend->handle);
1477
1478 SSL_free(backend->handle);
1479 backend->handle = NULL;
1480 }
1481 if(backend->ctx) {
1482 SSL_CTX_free(backend->ctx);
1483 backend->ctx = NULL;
1484 }
1485}
1486
1487/*
1488 * This function is called when an SSL connection is closed.
1489 */
1490static void ossl_close(struct Curl_easy *data, struct connectdata *conn,
1491 int sockindex)
1492{
1493 ossl_closeone(data, conn, &conn->ssl[sockindex]);
1494#ifndef CURL_DISABLE_PROXY
1495 ossl_closeone(data, conn, &conn->proxy_ssl[sockindex]);
1496#endif
1497}
1498
1499/*
1500 * This function is called to shut down the SSL layer but keep the
1501 * socket open (CCC - Clear Command Channel)
1502 */
1503static int ossl_shutdown(struct Curl_easy *data,
1504 struct connectdata *conn, int sockindex)
1505{
1506 int retval = 0;
1507 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1508 char buf[256]; /* We will use this for the OpenSSL error buffer, so it has
1509 to be at least 256 bytes long. */
1510 unsigned long sslerror;
1511 ssize_t nread;
1512 int buffsize;
1513 int err;
1514 bool done = FALSE;
1515 struct ssl_backend_data *backend = connssl->backend;
1516 int loop = 10;
1517
1518 DEBUGASSERT(backend);
1519
1520#ifndef CURL_DISABLE_FTP
1521 /* This has only been tested on the proftpd server, and the mod_tls code
1522 sends a close notify alert without waiting for a close notify alert in
1523 response. Thus we wait for a close notify alert from the server, but
1524 we do not send one. Let's hope other servers do the same... */
1525
1526 if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
1527 (void)SSL_shutdown(backend->handle);
1528#endif
1529
1530 if(backend->handle) {
1531 buffsize = (int)sizeof(buf);
1532 while(!done && loop--) {
1533 int what = SOCKET_READABLE(conn->sock[sockindex],
1534 SSL_SHUTDOWN_TIMEOUT);
1535 if(what > 0) {
1536 ERR_clear_error();
1537
1538 /* Something to read, let's do it and hope that it is the close
1539 notify alert from the server */
1540 nread = (ssize_t)SSL_read(backend->handle, buf, buffsize);
1541 err = SSL_get_error(backend->handle, (int)nread);
1542
1543 switch(err) {
1544 case SSL_ERROR_NONE: /* this is not an error */
1545 case SSL_ERROR_ZERO_RETURN: /* no more data */
1546 /* This is the expected response. There was no data but only
1547 the close notify alert */
1548 done = TRUE;
1549 break;
1550 case SSL_ERROR_WANT_READ:
1551 /* there's data pending, re-invoke SSL_read() */
1552 infof(data, "SSL_ERROR_WANT_READ");
1553 break;
1554 case SSL_ERROR_WANT_WRITE:
1555 /* SSL wants a write. Really odd. Let's bail out. */
1556 infof(data, "SSL_ERROR_WANT_WRITE");
1557 done = TRUE;
1558 break;
1559 default:
1560 /* openssl/ssl.h says "look at error stack/return value/errno" */
1561 sslerror = ERR_get_error();
1562 failf(data, OSSL_PACKAGE " SSL_read on shutdown: %s, errno %d",
1563 (sslerror ?
1564 ossl_strerror(sslerror, buf, sizeof(buf)) :
1565 SSL_ERROR_to_str(err)),
1566 SOCKERRNO);
1567 done = TRUE;
1568 break;
1569 }
1570 }
1571 else if(0 == what) {
1572 /* timeout */
1573 failf(data, "SSL shutdown timeout");
1574 done = TRUE;
1575 }
1576 else {
1577 /* anything that gets here is fatally bad */
1578 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
1579 retval = -1;
1580 done = TRUE;
1581 }
1582 } /* while()-loop for the select() */
1583
1584 if(data->set.verbose) {
1585#ifdef HAVE_SSL_GET_SHUTDOWN
1586 switch(SSL_get_shutdown(backend->handle)) {
1587 case SSL_SENT_SHUTDOWN:
1588 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN");
1589 break;
1590 case SSL_RECEIVED_SHUTDOWN:
1591 infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN");
1592 break;
1593 case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN:
1594 infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|"
1595 "SSL_RECEIVED__SHUTDOWN");
1596 break;
1597 }
1598#endif
1599 }
1600
1601 SSL_free(backend->handle);
1602 backend->handle = NULL;
1603 }
1604 return retval;
1605}
1606
1607static void ossl_session_free(void *ptr)
1608{
1609 /* free the ID */
1610 SSL_SESSION_free(ptr);
1611}
1612
1613/*
1614 * This function is called when the 'data' struct is going away. Close
1615 * down everything and free all resources!
1616 */
1617static void ossl_close_all(struct Curl_easy *data)
1618{
1619#ifdef USE_OPENSSL_ENGINE
1620 if(data->state.engine) {
1621 ENGINE_finish(data->state.engine);
1622 ENGINE_free(data->state.engine);
1623 data->state.engine = NULL;
1624 }
1625#else
1626 (void)data;
1627#endif
1628#if !defined(HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED) && \
1629 defined(HAVE_ERR_REMOVE_THREAD_STATE)
1630 /* OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread
1631 so we need to clean it here in case the thread will be killed. All OpenSSL
1632 code should extract the error in association with the error so clearing
1633 this queue here should be harmless at worst. */
1634 ERR_remove_thread_state(NULL);
1635#endif
1636}
1637
1638/* ====================================================== */
1639
1640/*
1641 * Match subjectAltName against the host name.
1642 */
1643static bool subj_alt_hostcheck(struct Curl_easy *data,
1644 const char *match_pattern,
1645 size_t matchlen,
1646 const char *hostname,
1647 size_t hostlen,
1648 const char *dispname)
1649{
1650#ifdef CURL_DISABLE_VERBOSE_STRINGS
1651 (void)dispname;
1652 (void)data;
1653#endif
1654 if(Curl_cert_hostcheck(match_pattern, matchlen, hostname, hostlen)) {
1655 infof(data, " subjectAltName: host \"%s\" matched cert's \"%s\"",
1656 dispname, match_pattern);
1657 return TRUE;
1658 }
1659 return FALSE;
1660}
1661
1662/* Quote from RFC2818 section 3.1 "Server Identity"
1663
1664 If a subjectAltName extension of type dNSName is present, that MUST
1665 be used as the identity. Otherwise, the (most specific) Common Name
1666 field in the Subject field of the certificate MUST be used. Although
1667 the use of the Common Name is existing practice, it is deprecated and
1668 Certification Authorities are encouraged to use the dNSName instead.
1669
1670 Matching is performed using the matching rules specified by
1671 [RFC2459]. If more than one identity of a given type is present in
1672 the certificate (e.g., more than one dNSName name, a match in any one
1673 of the set is considered acceptable.) Names may contain the wildcard
1674 character * which is considered to match any single domain name
1675 component or component fragment. E.g., *.a.com matches foo.a.com but
1676 not bar.foo.a.com. f*.com matches foo.com but not bar.com.
1677
1678 In some cases, the URI is specified as an IP address rather than a
1679 hostname. In this case, the iPAddress subjectAltName must be present
1680 in the certificate and must exactly match the IP in the URI.
1681
1682 This function is now used from ngtcp2 (QUIC) as well.
1683*/
1684CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn,
1685 X509 *server_cert)
1686{
1687 bool matched = FALSE;
1688 int target = GEN_DNS; /* target type, GEN_DNS or GEN_IPADD */
1689 size_t addrlen = 0;
1690 STACK_OF(GENERAL_NAME) *altnames;
1691#ifdef ENABLE_IPV6
1692 struct in6_addr addr;
1693#else
1694 struct in_addr addr;
1695#endif
1696 CURLcode result = CURLE_OK;
1697 bool dNSName = FALSE; /* if a dNSName field exists in the cert */
1698 bool iPAddress = FALSE; /* if a iPAddress field exists in the cert */
1699 const char * const hostname = SSL_HOST_NAME();
1700 const char * const dispname = SSL_HOST_DISPNAME();
1701 size_t hostlen = strlen(hostname);
1702
1703#ifdef ENABLE_IPV6
1704 if(conn->bits.ipv6_ip &&
1705 Curl_inet_pton(AF_INET6, hostname, &addr)) {
1706 target = GEN_IPADD;
1707 addrlen = sizeof(struct in6_addr);
1708 }
1709 else
1710#endif
1711 if(Curl_inet_pton(AF_INET, hostname, &addr)) {
1712 target = GEN_IPADD;
1713 addrlen = sizeof(struct in_addr);
1714 }
1715
1716 /* get a "list" of alternative names */
1717 altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
1718
1719 if(altnames) {
1720#ifdef OPENSSL_IS_BORINGSSL
1721 size_t numalts;
1722 size_t i;
1723#else
1724 int numalts;
1725 int i;
1726#endif
1727 bool dnsmatched = FALSE;
1728 bool ipmatched = FALSE;
1729
1730 /* get amount of alternatives, RFC2459 claims there MUST be at least
1731 one, but we don't depend on it... */
1732 numalts = sk_GENERAL_NAME_num(altnames);
1733
1734 /* loop through all alternatives - until a dnsmatch */
1735 for(i = 0; (i < numalts) && !dnsmatched; i++) {
1736 /* get a handle to alternative name number i */
1737 const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
1738
1739 if(check->type == GEN_DNS)
1740 dNSName = TRUE;
1741 else if(check->type == GEN_IPADD)
1742 iPAddress = TRUE;
1743
1744 /* only check alternatives of the same type the target is */
1745 if(check->type == target) {
1746 /* get data and length */
1747 const char *altptr = (char *)ASN1_STRING_get0_data(check->d.ia5);
1748 size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
1749
1750 switch(target) {
1751 case GEN_DNS: /* name/pattern comparison */
1752 /* The OpenSSL man page explicitly says: "In general it cannot be
1753 assumed that the data returned by ASN1_STRING_data() is null
1754 terminated or does not contain embedded nulls." But also that
1755 "The actual format of the data will depend on the actual string
1756 type itself: for example for an IA5String the data will be ASCII"
1757
1758 It has been however verified that in 0.9.6 and 0.9.7, IA5String
1759 is always null-terminated.
1760 */
1761 if((altlen == strlen(altptr)) &&
1762 /* if this isn't true, there was an embedded zero in the name
1763 string and we cannot match it. */
1764 subj_alt_hostcheck(data,
1765 altptr,
1766 altlen, hostname, hostlen, dispname)) {
1767 dnsmatched = TRUE;
1768 }
1769 break;
1770
1771 case GEN_IPADD: /* IP address comparison */
1772 /* compare alternative IP address if the data chunk is the same size
1773 our server IP address is */
1774 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
1775 ipmatched = TRUE;
1776 infof(data,
1777 " subjectAltName: host \"%s\" matched cert's IP address!",
1778 dispname);
1779 }
1780 break;
1781 }
1782 }
1783 }
1784 GENERAL_NAMES_free(altnames);
1785
1786 if(dnsmatched || ipmatched)
1787 matched = TRUE;
1788 }
1789
1790 if(matched)
1791 /* an alternative name matched */
1792 ;
1793 else if(dNSName || iPAddress) {
1794 infof(data, " subjectAltName does not match %s", dispname);
1795 failf(data, "SSL: no alternative certificate subject name matches "
1796 "target host name '%s'", dispname);
1797 result = CURLE_PEER_FAILED_VERIFICATION;
1798 }
1799 else {
1800 /* we have to look to the last occurrence of a commonName in the
1801 distinguished one to get the most significant one. */
1802 int i = -1;
1803 unsigned char *peer_CN = NULL;
1804 int peerlen = 0;
1805
1806 /* The following is done because of a bug in 0.9.6b */
1807 X509_NAME *name = X509_get_subject_name(server_cert);
1808 if(name) {
1809 int j;
1810 while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= 0)
1811 i = j;
1812 }
1813
1814 /* we have the name entry and we will now convert this to a string
1815 that we can use for comparison. Doing this we support BMPstring,
1816 UTF8, etc. */
1817
1818 if(i >= 0) {
1819 ASN1_STRING *tmp =
1820 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
1821
1822 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input
1823 is already UTF-8 encoded. We check for this case and copy the raw
1824 string manually to avoid the problem. This code can be made
1825 conditional in the future when OpenSSL has been fixed. */
1826 if(tmp) {
1827 if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
1828 peerlen = ASN1_STRING_length(tmp);
1829 if(peerlen >= 0) {
1830 peer_CN = OPENSSL_malloc(peerlen + 1);
1831 if(peer_CN) {
1832 memcpy(peer_CN, ASN1_STRING_get0_data(tmp), peerlen);
1833 peer_CN[peerlen] = '\0';
1834 }
1835 else
1836 result = CURLE_OUT_OF_MEMORY;
1837 }
1838 }
1839 else /* not a UTF8 name */
1840 peerlen = ASN1_STRING_to_UTF8(&peer_CN, tmp);
1841
1842 if(peer_CN && (curlx_uztosi(strlen((char *)peer_CN)) != peerlen)) {
1843 /* there was a terminating zero before the end of string, this
1844 cannot match and we return failure! */
1845 failf(data, "SSL: illegal cert name field");
1846 result = CURLE_PEER_FAILED_VERIFICATION;
1847 }
1848 }
1849 }
1850
1851 if(result)
1852 /* error already detected, pass through */
1853 ;
1854 else if(!peer_CN) {
1855 failf(data,
1856 "SSL: unable to obtain common name from peer certificate");
1857 result = CURLE_PEER_FAILED_VERIFICATION;
1858 }
1859 else if(!Curl_cert_hostcheck((const char *)peer_CN,
1860 peerlen, hostname, hostlen)) {
1861 failf(data, "SSL: certificate subject name '%s' does not match "
1862 "target host name '%s'", peer_CN, dispname);
1863 result = CURLE_PEER_FAILED_VERIFICATION;
1864 }
1865 else {
1866 infof(data, " common name: %s (matched)", peer_CN);
1867 }
1868 if(peer_CN)
1869 OPENSSL_free(peer_CN);
1870 }
1871
1872 return result;
1873}
1874
1875#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
1876 !defined(OPENSSL_NO_OCSP)
1877static CURLcode verifystatus(struct Curl_easy *data,
1878 struct ssl_connect_data *connssl)
1879{
1880 int i, ocsp_status;
1881 unsigned char *status;
1882 const unsigned char *p;
1883 CURLcode result = CURLE_OK;
1884 OCSP_RESPONSE *rsp = NULL;
1885 OCSP_BASICRESP *br = NULL;
1886 X509_STORE *st = NULL;
1887 STACK_OF(X509) *ch = NULL;
1888 struct ssl_backend_data *backend = connssl->backend;
1889 X509 *cert;
1890 OCSP_CERTID *id = NULL;
1891 int cert_status, crl_reason;
1892 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1893 int ret;
1894 long len;
1895
1896 DEBUGASSERT(backend);
1897
1898 len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
1899
1900 if(!status) {
1901 failf(data, "No OCSP response received");
1902 result = CURLE_SSL_INVALIDCERTSTATUS;
1903 goto end;
1904 }
1905 p = status;
1906 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1907 if(!rsp) {
1908 failf(data, "Invalid OCSP response");
1909 result = CURLE_SSL_INVALIDCERTSTATUS;
1910 goto end;
1911 }
1912
1913 ocsp_status = OCSP_response_status(rsp);
1914 if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1915 failf(data, "Invalid OCSP response status: %s (%d)",
1916 OCSP_response_status_str(ocsp_status), ocsp_status);
1917 result = CURLE_SSL_INVALIDCERTSTATUS;
1918 goto end;
1919 }
1920
1921 br = OCSP_response_get1_basic(rsp);
1922 if(!br) {
1923 failf(data, "Invalid OCSP response");
1924 result = CURLE_SSL_INVALIDCERTSTATUS;
1925 goto end;
1926 }
1927
1928 ch = SSL_get_peer_cert_chain(backend->handle);
1929 if(!ch) {
1930 failf(data, "Could not get peer certificate chain");
1931 result = CURLE_SSL_INVALIDCERTSTATUS;
1932 goto end;
1933 }
1934 st = SSL_CTX_get_cert_store(backend->ctx);
1935
1936#if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ || \
1937 (defined(LIBRESSL_VERSION_NUMBER) && \
1938 LIBRESSL_VERSION_NUMBER <= 0x2040200fL))
1939 /* The authorized responder cert in the OCSP response MUST be signed by the
1940 peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
1941 no problem, but if it's an intermediate cert OpenSSL has a bug where it
1942 expects this issuer to be present in the chain embedded in the OCSP
1943 response. So we add it if necessary. */
1944
1945 /* First make sure the peer cert chain includes both a peer and an issuer,
1946 and the OCSP response contains a responder cert. */
1947 if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
1948 X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
1949
1950 /* Find issuer of responder cert and add it to the OCSP response chain */
1951 for(i = 0; i < sk_X509_num(ch); i++) {
1952 X509 *issuer = sk_X509_value(ch, i);
1953 if(X509_check_issued(issuer, responder) == X509_V_OK) {
1954 if(!OCSP_basic_add1_cert(br, issuer)) {
1955 failf(data, "Could not add issuer cert to OCSP response");
1956 result = CURLE_SSL_INVALIDCERTSTATUS;
1957 goto end;
1958 }
1959 }
1960 }
1961 }
1962#endif
1963
1964 if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
1965 failf(data, "OCSP response verification failed");
1966 result = CURLE_SSL_INVALIDCERTSTATUS;
1967 goto end;
1968 }
1969
1970 /* Compute the certificate's ID */
1971 cert = SSL_get1_peer_certificate(backend->handle);
1972 if(!cert) {
1973 failf(data, "Error getting peer certificate");
1974 result = CURLE_SSL_INVALIDCERTSTATUS;
1975 goto end;
1976 }
1977
1978 for(i = 0; i < sk_X509_num(ch); i++) {
1979 X509 *issuer = sk_X509_value(ch, i);
1980 if(X509_check_issued(issuer, cert) == X509_V_OK) {
1981 id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
1982 break;
1983 }
1984 }
1985 X509_free(cert);
1986
1987 if(!id) {
1988 failf(data, "Error computing OCSP ID");
1989 result = CURLE_SSL_INVALIDCERTSTATUS;
1990 goto end;
1991 }
1992
1993 /* Find the single OCSP response corresponding to the certificate ID */
1994 ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
1995 &thisupd, &nextupd);
1996 OCSP_CERTID_free(id);
1997 if(ret != 1) {
1998 failf(data, "Could not find certificate ID in OCSP response");
1999 result = CURLE_SSL_INVALIDCERTSTATUS;
2000 goto end;
2001 }
2002
2003 /* Validate the corresponding single OCSP response */
2004 if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
2005 failf(data, "OCSP response has expired");
2006 result = CURLE_SSL_INVALIDCERTSTATUS;
2007 goto end;
2008 }
2009
2010 infof(data, "SSL certificate status: %s (%d)",
2011 OCSP_cert_status_str(cert_status), cert_status);
2012
2013 switch(cert_status) {
2014 case V_OCSP_CERTSTATUS_GOOD:
2015 break;
2016
2017 case V_OCSP_CERTSTATUS_REVOKED:
2018 result = CURLE_SSL_INVALIDCERTSTATUS;
2019 failf(data, "SSL certificate revocation reason: %s (%d)",
2020 OCSP_crl_reason_str(crl_reason), crl_reason);
2021 goto end;
2022
2023 case V_OCSP_CERTSTATUS_UNKNOWN:
2024 default:
2025 result = CURLE_SSL_INVALIDCERTSTATUS;
2026 goto end;
2027 }
2028
2029end:
2030 if(br)
2031 OCSP_BASICRESP_free(br);
2032 OCSP_RESPONSE_free(rsp);
2033
2034 return result;
2035}
2036#endif
2037
2038#endif /* USE_OPENSSL */
2039
2040/* The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions
2041 and thus this cannot be done there. */
2042#ifdef SSL_CTRL_SET_MSG_CALLBACK
2043
2044static const char *ssl_msg_type(int ssl_ver, int msg)
2045{
2046#ifdef SSL2_VERSION_MAJOR
2047 if(ssl_ver == SSL2_VERSION_MAJOR) {
2048 switch(msg) {
2049 case SSL2_MT_ERROR:
2050 return "Error";
2051 case SSL2_MT_CLIENT_HELLO:
2052 return "Client hello";
2053 case SSL2_MT_CLIENT_MASTER_KEY:
2054 return "Client key";
2055 case SSL2_MT_CLIENT_FINISHED:
2056 return "Client finished";
2057 case SSL2_MT_SERVER_HELLO:
2058 return "Server hello";
2059 case SSL2_MT_SERVER_VERIFY:
2060 return "Server verify";
2061 case SSL2_MT_SERVER_FINISHED:
2062 return "Server finished";
2063 case SSL2_MT_REQUEST_CERTIFICATE:
2064 return "Request CERT";
2065 case SSL2_MT_CLIENT_CERTIFICATE:
2066 return "Client CERT";
2067 }
2068 }
2069 else
2070#endif
2071 if(ssl_ver == SSL3_VERSION_MAJOR) {
2072 switch(msg) {
2073 case SSL3_MT_HELLO_REQUEST:
2074 return "Hello request";
2075 case SSL3_MT_CLIENT_HELLO:
2076 return "Client hello";
2077 case SSL3_MT_SERVER_HELLO:
2078 return "Server hello";
2079#ifdef SSL3_MT_NEWSESSION_TICKET
2080 case SSL3_MT_NEWSESSION_TICKET:
2081 return "Newsession Ticket";
2082#endif
2083 case SSL3_MT_CERTIFICATE:
2084 return "Certificate";
2085 case SSL3_MT_SERVER_KEY_EXCHANGE:
2086 return "Server key exchange";
2087 case SSL3_MT_CLIENT_KEY_EXCHANGE:
2088 return "Client key exchange";
2089 case SSL3_MT_CERTIFICATE_REQUEST:
2090 return "Request CERT";
2091 case SSL3_MT_SERVER_DONE:
2092 return "Server finished";
2093 case SSL3_MT_CERTIFICATE_VERIFY:
2094 return "CERT verify";
2095 case SSL3_MT_FINISHED:
2096 return "Finished";
2097#ifdef SSL3_MT_CERTIFICATE_STATUS
2098 case SSL3_MT_CERTIFICATE_STATUS:
2099 return "Certificate Status";
2100#endif
2101#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS
2102 case SSL3_MT_ENCRYPTED_EXTENSIONS:
2103 return "Encrypted Extensions";
2104#endif
2105#ifdef SSL3_MT_SUPPLEMENTAL_DATA
2106 case SSL3_MT_SUPPLEMENTAL_DATA:
2107 return "Supplemental data";
2108#endif
2109#ifdef SSL3_MT_END_OF_EARLY_DATA
2110 case SSL3_MT_END_OF_EARLY_DATA:
2111 return "End of early data";
2112#endif
2113#ifdef SSL3_MT_KEY_UPDATE
2114 case SSL3_MT_KEY_UPDATE:
2115 return "Key update";
2116#endif
2117#ifdef SSL3_MT_NEXT_PROTO
2118 case SSL3_MT_NEXT_PROTO:
2119 return "Next protocol";
2120#endif
2121#ifdef SSL3_MT_MESSAGE_HASH
2122 case SSL3_MT_MESSAGE_HASH:
2123 return "Message hash";
2124#endif
2125 }
2126 }
2127 return "Unknown";
2128}
2129
2130static const char *tls_rt_type(int type)
2131{
2132 switch(type) {
2133#ifdef SSL3_RT_HEADER
2134 case SSL3_RT_HEADER:
2135 return "TLS header";
2136#endif
2137 case SSL3_RT_CHANGE_CIPHER_SPEC:
2138 return "TLS change cipher";
2139 case SSL3_RT_ALERT:
2140 return "TLS alert";
2141 case SSL3_RT_HANDSHAKE:
2142 return "TLS handshake";
2143 case SSL3_RT_APPLICATION_DATA:
2144 return "TLS app data";
2145 default:
2146 return "TLS Unknown";
2147 }
2148}
2149
2150/*
2151 * Our callback from the SSL/TLS layers.
2152 */
2153static void ossl_trace(int direction, int ssl_ver, int content_type,
2154 const void *buf, size_t len, SSL *ssl,
2155 void *userp)
2156{
2157 char unknown[32];
2158 const char *verstr = NULL;
2159 struct connectdata *conn = userp;
2160 struct ssl_connect_data *connssl = &conn->ssl[0];
2161 struct ssl_backend_data *backend = connssl->backend;
2162 struct Curl_easy *data = NULL;
2163
2164 DEBUGASSERT(backend);
2165 data = backend->logger;
2166
2167 if(!conn || !data || !data->set.fdebug ||
2168 (direction != 0 && direction != 1))
2169 return;
2170
2171 switch(ssl_ver) {
2172#ifdef SSL2_VERSION /* removed in recent versions */
2173 case SSL2_VERSION:
2174 verstr = "SSLv2";
2175 break;
2176#endif
2177#ifdef SSL3_VERSION
2178 case SSL3_VERSION:
2179 verstr = "SSLv3";
2180 break;
2181#endif
2182 case TLS1_VERSION:
2183 verstr = "TLSv1.0";
2184 break;
2185#ifdef TLS1_1_VERSION
2186 case TLS1_1_VERSION:
2187 verstr = "TLSv1.1";
2188 break;
2189#endif
2190#ifdef TLS1_2_VERSION
2191 case TLS1_2_VERSION:
2192 verstr = "TLSv1.2";
2193 break;
2194#endif
2195#ifdef TLS1_3_VERSION
2196 case TLS1_3_VERSION:
2197 verstr = "TLSv1.3";
2198 break;
2199#endif
2200 case 0:
2201 break;
2202 default:
2203 msnprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
2204 verstr = unknown;
2205 break;
2206 }
2207
2208 /* Log progress for interesting records only (like Handshake or Alert), skip
2209 * all raw record headers (content_type == SSL3_RT_HEADER or ssl_ver == 0).
2210 * For TLS 1.3, skip notification of the decrypted inner Content-Type.
2211 */
2212 if(ssl_ver
2213#ifdef SSL3_RT_INNER_CONTENT_TYPE
2214 && content_type != SSL3_RT_INNER_CONTENT_TYPE
2215#endif
2216 ) {
2217 const char *msg_name, *tls_rt_name;
2218 char ssl_buf[1024];
2219 int msg_type, txt_len;
2220
2221 /* the info given when the version is zero is not that useful for us */
2222
2223 ssl_ver >>= 8; /* check the upper 8 bits only below */
2224
2225 /* SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL
2226 * always pass-up content-type as 0. But the interesting message-type
2227 * is at 'buf[0]'.
2228 */
2229 if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
2230 tls_rt_name = tls_rt_type(content_type);
2231 else
2232 tls_rt_name = "";
2233
2234 if(content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
2235 msg_type = *(char *)buf;
2236 msg_name = "Change cipher spec";
2237 }
2238 else if(content_type == SSL3_RT_ALERT) {
2239 msg_type = (((char *)buf)[0] << 8) + ((char *)buf)[1];
2240 msg_name = SSL_alert_desc_string_long(msg_type);
2241 }
2242 else {
2243 msg_type = *(char *)buf;
2244 msg_name = ssl_msg_type(ssl_ver, msg_type);
2245 }
2246
2247 txt_len = msnprintf(ssl_buf, sizeof(ssl_buf), "%s (%s), %s, %s (%d):\n",
2248 verstr, direction?"OUT":"IN",
2249 tls_rt_name, msg_name, msg_type);
2250 if(0 <= txt_len && (unsigned)txt_len < sizeof(ssl_buf)) {
2251 Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len);
2252 }
2253 }
2254
2255 Curl_debug(data, (direction == 1) ? CURLINFO_SSL_DATA_OUT :
2256 CURLINFO_SSL_DATA_IN, (char *)buf, len);
2257 (void) ssl;
2258}
2259#endif
2260
2261#ifdef USE_OPENSSL
2262/* ====================================================== */
2263
2264#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2265# define use_sni(x) sni = (x)
2266#else
2267# define use_sni(x) Curl_nop_stmt
2268#endif
2269
2270/* Check for OpenSSL 1.0.2 which has ALPN support. */
2271#undef HAS_ALPN
2272#if OPENSSL_VERSION_NUMBER >= 0x10002000L \
2273 && !defined(OPENSSL_NO_TLSEXT)
2274# define HAS_ALPN 1
2275#endif
2276
2277/* Check for OpenSSL 1.0.1 which has NPN support. */
2278#undef HAS_NPN
2279#if OPENSSL_VERSION_NUMBER >= 0x10001000L \
2280 && !defined(OPENSSL_NO_TLSEXT) \
2281 && !defined(OPENSSL_NO_NEXTPROTONEG)
2282# define HAS_NPN 1
2283#endif
2284
2285#ifdef HAS_NPN
2286
2287/*
2288 * in is a list of length prefixed strings. this function has to select
2289 * the protocol we want to use from the list and write its string into out.
2290 */
2291
2292static int
2293select_next_protocol(unsigned char **out, unsigned char *outlen,
2294 const unsigned char *in, unsigned int inlen,
2295 const char *key, unsigned int keylen)
2296{
2297 unsigned int i;
2298 for(i = 0; i + keylen <= inlen; i += in[i] + 1) {
2299 if(memcmp(&in[i + 1], key, keylen) == 0) {
2300 *out = (unsigned char *) &in[i + 1];
2301 *outlen = in[i];
2302 return 0;
2303 }
2304 }
2305 return -1;
2306}
2307
2308static int
2309select_next_proto_cb(SSL *ssl,
2310 unsigned char **out, unsigned char *outlen,
2311 const unsigned char *in, unsigned int inlen,
2312 void *arg)
2313{
2314 struct Curl_easy *data = (struct Curl_easy *)arg;
2315 struct connectdata *conn = data->conn;
2316 (void)ssl;
2317
2318#ifdef USE_HTTP2
2319 if(data->state.httpwant >= CURL_HTTP_VERSION_2 &&
2320 !select_next_protocol(out, outlen, in, inlen, ALPN_H2, ALPN_H2_LENGTH)) {
2321 infof(data, "NPN, negotiated HTTP2 (%s)", ALPN_H2);
2322 conn->negnpn = CURL_HTTP_VERSION_2;
2323 return SSL_TLSEXT_ERR_OK;
2324 }
2325#endif
2326
2327 if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1,
2328 ALPN_HTTP_1_1_LENGTH)) {
2329 infof(data, "NPN, negotiated HTTP1.1");
2330 conn->negnpn = CURL_HTTP_VERSION_1_1;
2331 return SSL_TLSEXT_ERR_OK;
2332 }
2333
2334 infof(data, "NPN, no overlap, use HTTP1.1");
2335 *out = (unsigned char *)ALPN_HTTP_1_1;
2336 *outlen = ALPN_HTTP_1_1_LENGTH;
2337 conn->negnpn = CURL_HTTP_VERSION_1_1;
2338
2339 return SSL_TLSEXT_ERR_OK;
2340}
2341#endif /* HAS_NPN */
2342
2343#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
2344static CURLcode
2345set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn)
2346{
2347 /* first, TLS min version... */
2348 long curl_ssl_version_min = SSL_CONN_CONFIG(version);
2349 long curl_ssl_version_max;
2350
2351 /* convert curl min SSL version option to OpenSSL constant */
2352#if defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER)
2353 uint16_t ossl_ssl_version_min = 0;
2354 uint16_t ossl_ssl_version_max = 0;
2355#else
2356 long ossl_ssl_version_min = 0;
2357 long ossl_ssl_version_max = 0;
2358#endif
2359 switch(curl_ssl_version_min) {
2360 case CURL_SSLVERSION_TLSv1: /* TLS 1.x */
2361 case CURL_SSLVERSION_TLSv1_0:
2362 ossl_ssl_version_min = TLS1_VERSION;
2363 break;
2364 case CURL_SSLVERSION_TLSv1_1:
2365 ossl_ssl_version_min = TLS1_1_VERSION;
2366 break;
2367 case CURL_SSLVERSION_TLSv1_2:
2368 ossl_ssl_version_min = TLS1_2_VERSION;
2369 break;
2370 case CURL_SSLVERSION_TLSv1_3:
2371#ifdef TLS1_3_VERSION
2372 ossl_ssl_version_min = TLS1_3_VERSION;
2373 break;
2374#else
2375 return CURLE_NOT_BUILT_IN;
2376#endif
2377 }
2378
2379 /* CURL_SSLVERSION_DEFAULT means that no option was selected.
2380 We don't want to pass 0 to SSL_CTX_set_min_proto_version as
2381 it would enable all versions down to the lowest supported by
2382 the library.
2383 So we skip this, and stay with the library default
2384 */
2385 if(curl_ssl_version_min != CURL_SSLVERSION_DEFAULT) {
2386 if(!SSL_CTX_set_min_proto_version(ctx, ossl_ssl_version_min)) {
2387 return CURLE_SSL_CONNECT_ERROR;
2388 }
2389 }
2390
2391 /* ... then, TLS max version */
2392 curl_ssl_version_max = SSL_CONN_CONFIG(version_max);
2393
2394 /* convert curl max SSL version option to OpenSSL constant */
2395 switch(curl_ssl_version_max) {
2396 case CURL_SSLVERSION_MAX_TLSv1_0:
2397 ossl_ssl_version_max = TLS1_VERSION;
2398 break;
2399 case CURL_SSLVERSION_MAX_TLSv1_1:
2400 ossl_ssl_version_max = TLS1_1_VERSION;
2401 break;
2402 case CURL_SSLVERSION_MAX_TLSv1_2:
2403 ossl_ssl_version_max = TLS1_2_VERSION;
2404 break;
2405#ifdef TLS1_3_VERSION
2406 case CURL_SSLVERSION_MAX_TLSv1_3:
2407 ossl_ssl_version_max = TLS1_3_VERSION;
2408 break;
2409#endif
2410 case CURL_SSLVERSION_MAX_NONE: /* none selected */
2411 case CURL_SSLVERSION_MAX_DEFAULT: /* max selected */
2412 default:
2413 /* SSL_CTX_set_max_proto_version states that:
2414 setting the maximum to 0 will enable
2415 protocol versions up to the highest version
2416 supported by the library */
2417 ossl_ssl_version_max = 0;
2418 break;
2419 }
2420
2421 if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
2422 return CURLE_SSL_CONNECT_ERROR;
2423 }
2424
2425 return CURLE_OK;
2426}
2427#endif
2428
2429#ifdef OPENSSL_IS_BORINGSSL
2430typedef uint32_t ctx_option_t;
2431#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
2432typedef uint64_t ctx_option_t;
2433#else
2434typedef long ctx_option_t;
2435#endif
2436
2437#if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */
2438static CURLcode
2439set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
2440 struct Curl_easy *data,
2441 struct connectdata *conn, int sockindex)
2442{
2443 long ssl_version = SSL_CONN_CONFIG(version);
2444 long ssl_version_max = SSL_CONN_CONFIG(version_max);
2445
2446 (void) data; /* In case it's unused. */
2447
2448 switch(ssl_version) {
2449 case CURL_SSLVERSION_TLSv1_3:
2450#ifdef TLS1_3_VERSION
2451 {
2452 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2453 struct ssl_backend_data *backend = connssl->backend;
2454 DEBUGASSERT(backend);
2455 SSL_CTX_set_max_proto_version(backend->ctx, TLS1_3_VERSION);
2456 *ctx_options |= SSL_OP_NO_TLSv1_2;
2457 }
2458#else
2459 (void)sockindex;
2460 (void)ctx_options;
2461 failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
2462 return CURLE_NOT_BUILT_IN;
2463#endif
2464 /* FALLTHROUGH */
2465 case CURL_SSLVERSION_TLSv1_2:
2466#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2467 *ctx_options |= SSL_OP_NO_TLSv1_1;
2468#else
2469 failf(data, OSSL_PACKAGE " was built without TLS 1.2 support");
2470 return CURLE_NOT_BUILT_IN;
2471#endif
2472 /* FALLTHROUGH */
2473 case CURL_SSLVERSION_TLSv1_1:
2474#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2475 *ctx_options |= SSL_OP_NO_TLSv1;
2476#else
2477 failf(data, OSSL_PACKAGE " was built without TLS 1.1 support");
2478 return CURLE_NOT_BUILT_IN;
2479#endif
2480 /* FALLTHROUGH */
2481 case CURL_SSLVERSION_TLSv1_0:
2482 case CURL_SSLVERSION_TLSv1:
2483 break;
2484 }
2485
2486 switch(ssl_version_max) {
2487 case CURL_SSLVERSION_MAX_TLSv1_0:
2488#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2489 *ctx_options |= SSL_OP_NO_TLSv1_1;
2490#endif
2491 /* FALLTHROUGH */
2492 case CURL_SSLVERSION_MAX_TLSv1_1:
2493#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2494 *ctx_options |= SSL_OP_NO_TLSv1_2;
2495#endif
2496 /* FALLTHROUGH */
2497 case CURL_SSLVERSION_MAX_TLSv1_2:
2498#ifdef TLS1_3_VERSION
2499 *ctx_options |= SSL_OP_NO_TLSv1_3;
2500#endif
2501 break;
2502 case CURL_SSLVERSION_MAX_TLSv1_3:
2503#ifdef TLS1_3_VERSION
2504 break;
2505#else
2506 failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
2507 return CURLE_NOT_BUILT_IN;
2508#endif
2509 }
2510 return CURLE_OK;
2511}
2512#endif
2513
2514/* The "new session" callback must return zero if the session can be removed
2515 * or non-zero if the session has been put into the session cache.
2516 */
2517static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
2518{
2519 int res = 0;
2520 struct connectdata *conn;
2521 struct Curl_easy *data;
2522 int sockindex;
2523 curl_socket_t *sockindex_ptr;
2524 int data_idx = ossl_get_ssl_data_index();
2525 int connectdata_idx = ossl_get_ssl_conn_index();
2526 int sockindex_idx = ossl_get_ssl_sockindex_index();
2527 int proxy_idx = ossl_get_proxy_index();
2528 bool isproxy;
2529
2530 if(data_idx < 0 || connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
2531 return 0;
2532
2533 conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
2534 data = (struct Curl_easy *) SSL_get_ex_data(ssl, data_idx);
2535 /* The sockindex has been stored as a pointer to an array element */
2536 sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
2537 if(!conn || !data || !sockindex_ptr)
2538 return 0;
2539
2540 sockindex = (int)(sockindex_ptr - conn->sock);
2541
2542 isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
2543
2544 if(SSL_SET_OPTION(primary.sessionid)) {
2545 bool incache;
2546 bool added = FALSE;
2547 void *old_ssl_sessionid = NULL;
2548
2549 Curl_ssl_sessionid_lock(data);
2550 if(isproxy)
2551 incache = FALSE;
2552 else
2553 incache = !(Curl_ssl_getsessionid(data, conn, isproxy,
2554 &old_ssl_sessionid, NULL, sockindex));
2555 if(incache) {
2556 if(old_ssl_sessionid != ssl_sessionid) {
2557 infof(data, "old SSL session ID is stale, removing");
2558 Curl_ssl_delsessionid(data, old_ssl_sessionid);
2559 incache = FALSE;
2560 }
2561 }
2562
2563 if(!incache) {
2564 if(!Curl_ssl_addsessionid(data, conn, isproxy, ssl_sessionid,
2565 0 /* unknown size */, sockindex, &added)) {
2566 if(added) {
2567 /* the session has been put into the session cache */
2568 res = 1;
2569 }
2570 }
2571 else
2572 failf(data, "failed to store ssl session");
2573 }
2574 Curl_ssl_sessionid_unlock(data);
2575 }
2576
2577 return res;
2578}
2579
2580static CURLcode load_cacert_from_memory(SSL_CTX *ctx,
2581 const struct curl_blob *ca_info_blob)
2582{
2583 /* these need to be freed at the end */
2584 BIO *cbio = NULL;
2585 STACK_OF(X509_INFO) *inf = NULL;
2586
2587 /* everything else is just a reference */
2588 int i, count = 0;
2589 X509_STORE *cts = NULL;
2590 X509_INFO *itmp = NULL;
2591
2592 if(ca_info_blob->len > (size_t)INT_MAX)
2593 return CURLE_SSL_CACERT_BADFILE;
2594
2595 cts = SSL_CTX_get_cert_store(ctx);
2596 if(!cts)
2597 return CURLE_OUT_OF_MEMORY;
2598
2599 cbio = BIO_new_mem_buf(ca_info_blob->data, (int)ca_info_blob->len);
2600 if(!cbio)
2601 return CURLE_OUT_OF_MEMORY;
2602
2603 inf = PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL);
2604 if(!inf) {
2605 BIO_free(cbio);
2606 return CURLE_SSL_CACERT_BADFILE;
2607 }
2608
2609 /* add each entry from PEM file to x509_store */
2610 for(i = 0; i < (int)sk_X509_INFO_num(inf); ++i) {
2611 itmp = sk_X509_INFO_value(inf, i);
2612 if(itmp->x509) {
2613 if(X509_STORE_add_cert(cts, itmp->x509)) {
2614 ++count;
2615 }
2616 else {
2617 /* set count to 0 to return an error */
2618 count = 0;
2619 break;
2620 }
2621 }
2622 if(itmp->crl) {
2623 if(X509_STORE_add_crl(cts, itmp->crl)) {
2624 ++count;
2625 }
2626 else {
2627 /* set count to 0 to return an error */
2628 count = 0;
2629 break;
2630 }
2631 }
2632 }
2633
2634 sk_X509_INFO_pop_free(inf, X509_INFO_free);
2635 BIO_free(cbio);
2636
2637 /* if we didn't end up importing anything, treat that as an error */
2638 return (count > 0 ? CURLE_OK : CURLE_SSL_CACERT_BADFILE);
2639}
2640
2641static CURLcode ossl_connect_step1(struct Curl_easy *data,
2642 struct connectdata *conn, int sockindex)
2643{
2644 CURLcode result = CURLE_OK;
2645 char *ciphers;
2646 SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
2647 X509_LOOKUP *lookup = NULL;
2648 curl_socket_t sockfd = conn->sock[sockindex];
2649 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2650 ctx_option_t ctx_options = 0;
2651 void *ssl_sessionid = NULL;
2652
2653#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2654 bool sni;
2655 const char * const hostname = SSL_HOST_NAME();
2656
2657#ifdef ENABLE_IPV6
2658 struct in6_addr addr;
2659#else
2660 struct in_addr addr;
2661#endif
2662#endif
2663 const long int ssl_version = SSL_CONN_CONFIG(version);
2664#ifdef USE_OPENSSL_SRP
2665 const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(primary.authtype);
2666#endif
2667 char * const ssl_cert = SSL_SET_OPTION(primary.clientcert);
2668 const struct curl_blob *ssl_cert_blob = SSL_SET_OPTION(primary.cert_blob);
2669 const struct curl_blob *ca_info_blob = SSL_CONN_CONFIG(ca_info_blob);
2670 const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
2671 const char * const ssl_cafile =
2672 /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
2673 (ca_info_blob ? NULL : SSL_CONN_CONFIG(CAfile));
2674 const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
2675 const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
2676 const char * const ssl_crlfile = SSL_SET_OPTION(primary.CRLfile);
2677 char error_buffer[256];
2678 struct ssl_backend_data *backend = connssl->backend;
2679 bool imported_native_ca = false;
2680
2681 DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
2682 DEBUGASSERT(backend);
2683
2684 /* Make funny stuff to get random input */
2685 result = ossl_seed(data);
2686 if(result)
2687 return result;
2688
2689 SSL_SET_OPTION_LVALUE(certverifyresult) = !X509_V_OK;
2690
2691 /* check to see if we've been told to use an explicit SSL/TLS version */
2692
2693 switch(ssl_version) {
2694 case CURL_SSLVERSION_DEFAULT:
2695 case CURL_SSLVERSION_TLSv1:
2696 case CURL_SSLVERSION_TLSv1_0:
2697 case CURL_SSLVERSION_TLSv1_1:
2698 case CURL_SSLVERSION_TLSv1_2:
2699 case CURL_SSLVERSION_TLSv1_3:
2700 /* it will be handled later with the context options */
2701#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
2702 req_method = TLS_client_method();
2703#else
2704 req_method = SSLv23_client_method();
2705#endif
2706 use_sni(TRUE);
2707 break;
2708 case CURL_SSLVERSION_SSLv2:
2709 failf(data, "No SSLv2 support");
2710 return CURLE_NOT_BUILT_IN;
2711 case CURL_SSLVERSION_SSLv3:
2712 failf(data, "No SSLv3 support");
2713 return CURLE_NOT_BUILT_IN;
2714 default:
2715 failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
2716 return CURLE_SSL_CONNECT_ERROR;
2717 }
2718
2719 DEBUGASSERT(!backend->ctx);
2720 backend->ctx = SSL_CTX_new(req_method);
2721
2722 if(!backend->ctx) {
2723 failf(data, "SSL: couldn't create a context: %s",
2724 ossl_strerror(ERR_peek_error(), error_buffer, sizeof(error_buffer)));
2725 return CURLE_OUT_OF_MEMORY;
2726 }
2727
2728#ifdef SSL_MODE_RELEASE_BUFFERS
2729 SSL_CTX_set_mode(backend->ctx, SSL_MODE_RELEASE_BUFFERS);
2730#endif
2731
2732#ifdef SSL_CTRL_SET_MSG_CALLBACK
2733 if(data->set.fdebug && data->set.verbose) {
2734 /* the SSL trace callback is only used for verbose logging */
2735 SSL_CTX_set_msg_callback(backend->ctx, ossl_trace);
2736 SSL_CTX_set_msg_callback_arg(backend->ctx, conn);
2737 set_logger(conn, data);
2738 }
2739#endif
2740
2741 /* OpenSSL contains code to work around lots of bugs and flaws in various
2742 SSL-implementations. SSL_CTX_set_options() is used to enabled those
2743 work-arounds. The man page for this option states that SSL_OP_ALL enables
2744 all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
2745 enable the bug workaround options if compatibility with somewhat broken
2746 implementations is desired."
2747
2748 The "-no_ticket" option was introduced in OpenSSL 0.9.8j. It's a flag to
2749 disable "rfc4507bis session ticket support". rfc4507bis was later turned
2750 into the proper RFC5077: https://datatracker.ietf.org/doc/html/rfc5077
2751
2752 The enabled extension concerns the session management. I wonder how often
2753 libcurl stops a connection and then resumes a TLS session. Also, sending
2754 the session data is some overhead. I suggest that you just use your
2755 proposed patch (which explicitly disables TICKET).
2756
2757 If someone writes an application with libcurl and OpenSSL who wants to
2758 enable the feature, one can do this in the SSL callback.
2759
2760 SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
2761 interoperability with web server Netscape Enterprise Server 2.0.1 which
2762 was released back in 1996.
2763
2764 Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
2765 become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
2766 CVE-2010-4180 when using previous OpenSSL versions we no longer enable
2767 this option regardless of OpenSSL version and SSL_OP_ALL definition.
2768
2769 OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
2770 (https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
2771 SSL_OP_ALL that _disables_ that work-around despite the fact that
2772 SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
2773 keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
2774 must not be set.
2775 */
2776
2777 ctx_options = SSL_OP_ALL;
2778
2779#ifdef SSL_OP_NO_TICKET
2780 ctx_options |= SSL_OP_NO_TICKET;
2781#endif
2782
2783#ifdef SSL_OP_NO_COMPRESSION
2784 ctx_options |= SSL_OP_NO_COMPRESSION;
2785#endif
2786
2787#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2788 /* mitigate CVE-2010-4180 */
2789 ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
2790#endif
2791
2792#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2793 /* unless the user explicitly asks to allow the protocol vulnerability we
2794 use the work-around */
2795 if(!SSL_SET_OPTION(enable_beast))
2796 ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
2797#endif
2798
2799 switch(ssl_version) {
2800 case CURL_SSLVERSION_SSLv2:
2801 case CURL_SSLVERSION_SSLv3:
2802 return CURLE_NOT_BUILT_IN;
2803
2804 /* "--tlsv<x.y>" options mean TLS >= version <x.y> */
2805 case CURL_SSLVERSION_DEFAULT:
2806 case CURL_SSLVERSION_TLSv1: /* TLS >= version 1.0 */
2807 case CURL_SSLVERSION_TLSv1_0: /* TLS >= version 1.0 */
2808 case CURL_SSLVERSION_TLSv1_1: /* TLS >= version 1.1 */
2809 case CURL_SSLVERSION_TLSv1_2: /* TLS >= version 1.2 */
2810 case CURL_SSLVERSION_TLSv1_3: /* TLS >= version 1.3 */
2811 /* asking for any TLS version as the minimum, means no SSL versions
2812 allowed */
2813 ctx_options |= SSL_OP_NO_SSLv2;
2814 ctx_options |= SSL_OP_NO_SSLv3;
2815
2816#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
2817 result = set_ssl_version_min_max(backend->ctx, conn);
2818#else
2819 result = set_ssl_version_min_max_legacy(&ctx_options, data, conn,
2820 sockindex);
2821#endif
2822 if(result != CURLE_OK)
2823 return result;
2824 break;
2825
2826 default:
2827 failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
2828 return CURLE_SSL_CONNECT_ERROR;
2829 }
2830
2831 SSL_CTX_set_options(backend->ctx, ctx_options);
2832
2833#ifdef HAS_NPN
2834 if(conn->bits.tls_enable_npn)
2835 SSL_CTX_set_next_proto_select_cb(backend->ctx, select_next_proto_cb, data);
2836#endif
2837
2838#ifdef HAS_ALPN
2839 if(conn->bits.tls_enable_alpn) {
2840 int cur = 0;
2841 unsigned char protocols[128];
2842
2843#ifdef USE_HTTP2
2844 if(data->state.httpwant >= CURL_HTTP_VERSION_2
2845#ifndef CURL_DISABLE_PROXY
2846 && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
2847#endif
2848 ) {
2849 protocols[cur++] = ALPN_H2_LENGTH;
2850
2851 memcpy(&protocols[cur], ALPN_H2, ALPN_H2_LENGTH);
2852 cur += ALPN_H2_LENGTH;
2853 infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_H2);
2854 }
2855#endif
2856
2857 protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
2858 memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
2859 cur += ALPN_HTTP_1_1_LENGTH;
2860 infof(data, VTLS_INFOF_ALPN_OFFER_1STR, ALPN_HTTP_1_1);
2861
2862 /* expects length prefixed preference ordered list of protocols in wire
2863 * format
2864 */
2865 if(SSL_CTX_set_alpn_protos(backend->ctx, protocols, cur)) {
2866 failf(data, "Error setting ALPN");
2867 return CURLE_SSL_CONNECT_ERROR;
2868 }
2869 }
2870#endif
2871
2872 if(ssl_cert || ssl_cert_blob || ssl_cert_type) {
2873 if(!result &&
2874 !cert_stuff(data, backend->ctx,
2875 ssl_cert, ssl_cert_blob, ssl_cert_type,
2876 SSL_SET_OPTION(key), SSL_SET_OPTION(key_blob),
2877 SSL_SET_OPTION(key_type), SSL_SET_OPTION(key_passwd)))
2878 result = CURLE_SSL_CERTPROBLEM;
2879 if(result)
2880 /* failf() is already done in cert_stuff() */
2881 return result;
2882 }
2883
2884 ciphers = SSL_CONN_CONFIG(cipher_list);
2885 if(!ciphers)
2886 ciphers = (char *)DEFAULT_CIPHER_SELECTION;
2887 if(ciphers) {
2888 if(!SSL_CTX_set_cipher_list(backend->ctx, ciphers)) {
2889 failf(data, "failed setting cipher list: %s", ciphers);
2890 return CURLE_SSL_CIPHER;
2891 }
2892 infof(data, "Cipher selection: %s", ciphers);
2893 }
2894
2895#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
2896 {
2897 char *ciphers13 = SSL_CONN_CONFIG(cipher_list13);
2898 if(ciphers13) {
2899 if(!SSL_CTX_set_ciphersuites(backend->ctx, ciphers13)) {
2900 failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13);
2901 return CURLE_SSL_CIPHER;
2902 }
2903 infof(data, "TLS 1.3 cipher selection: %s", ciphers13);
2904 }
2905 }
2906#endif
2907
2908#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
2909 /* OpenSSL 1.1.1 requires clients to opt-in for PHA */
2910 SSL_CTX_set_post_handshake_auth(backend->ctx, 1);
2911#endif
2912
2913#ifdef HAVE_SSL_CTX_SET_EC_CURVES
2914 {
2915 char *curves = SSL_CONN_CONFIG(curves);
2916 if(curves) {
2917 if(!SSL_CTX_set1_curves_list(backend->ctx, curves)) {
2918 failf(data, "failed setting curves list: '%s'", curves);
2919 return CURLE_SSL_CIPHER;
2920 }
2921 }
2922 }
2923#endif
2924
2925#ifdef USE_OPENSSL_SRP
2926 if((ssl_authtype == CURL_TLSAUTH_SRP) &&
2927 Curl_allow_auth_to_host(data)) {
2928 char * const ssl_username = SSL_SET_OPTION(primary.username);
2929 char * const ssl_password = SSL_SET_OPTION(primary.password);
2930 infof(data, "Using TLS-SRP username: %s", ssl_username);
2931
2932 if(!SSL_CTX_set_srp_username(backend->ctx, ssl_username)) {
2933 failf(data, "Unable to set SRP user name");
2934 return CURLE_BAD_FUNCTION_ARGUMENT;
2935 }
2936 if(!SSL_CTX_set_srp_password(backend->ctx, ssl_password)) {
2937 failf(data, "failed setting SRP password");
2938 return CURLE_BAD_FUNCTION_ARGUMENT;
2939 }
2940 if(!SSL_CONN_CONFIG(cipher_list)) {
2941 infof(data, "Setting cipher list SRP");
2942
2943 if(!SSL_CTX_set_cipher_list(backend->ctx, "SRP")) {
2944 failf(data, "failed setting SRP cipher list");
2945 return CURLE_SSL_CIPHER;
2946 }
2947 }
2948 }
2949#endif
2950
2951
2952#if defined(USE_WIN32_CRYPTO)
2953 /* Import certificates from the Windows root certificate store if requested.
2954 https://stackoverflow.com/questions/9507184/
2955 https://github.com/d3x0r/SACK/blob/master/src/netlib/ssl_layer.c#L1037
2956 https://datatracker.ietf.org/doc/html/rfc5280 */
2957 if((SSL_CONN_CONFIG(verifypeer) || SSL_CONN_CONFIG(verifyhost)) &&
2958 (SSL_SET_OPTION(native_ca_store))) {
2959 X509_STORE *store = SSL_CTX_get_cert_store(backend->ctx);
2960 HCERTSTORE hStore = CertOpenSystemStore(0, TEXT("ROOT"));
2961
2962 if(hStore) {
2963 PCCERT_CONTEXT pContext = NULL;
2964 /* The array of enhanced key usage OIDs will vary per certificate and is
2965 declared outside of the loop so that rather than malloc/free each
2966 iteration we can grow it with realloc, when necessary. */
2967 CERT_ENHKEY_USAGE *enhkey_usage = NULL;
2968 DWORD enhkey_usage_size = 0;
2969
2970 /* This loop makes a best effort to import all valid certificates from
2971 the MS root store. If a certificate cannot be imported it is skipped.
2972 'result' is used to store only hard-fail conditions (such as out of
2973 memory) that cause an early break. */
2974 result = CURLE_OK;
2975 for(;;) {
2976 X509 *x509;
2977 FILETIME now;
2978 BYTE key_usage[2];
2979 DWORD req_size;
2980 const unsigned char *encoded_cert;
2981#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
2982 char cert_name[256];
2983#endif
2984
2985 pContext = CertEnumCertificatesInStore(hStore, pContext);
2986 if(!pContext)
2987 break;
2988
2989#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
2990 if(!CertGetNameStringA(pContext, CERT_NAME_SIMPLE_DISPLAY_TYPE, 0,
2991 NULL, cert_name, sizeof(cert_name))) {
2992 strcpy(cert_name, "Unknown");
2993 }
2994 infof(data, "SSL: Checking cert \"%s\"", cert_name);
2995#endif
2996
2997 encoded_cert = (const unsigned char *)pContext->pbCertEncoded;
2998 if(!encoded_cert)
2999 continue;
3000
3001 GetSystemTimeAsFileTime(&now);
3002 if(CompareFileTime(&pContext->pCertInfo->NotBefore, &now) > 0 ||
3003 CompareFileTime(&now, &pContext->pCertInfo->NotAfter) > 0)
3004 continue;
3005
3006 /* If key usage exists check for signing attribute */
3007 if(CertGetIntendedKeyUsage(pContext->dwCertEncodingType,
3008 pContext->pCertInfo,
3009 key_usage, sizeof(key_usage))) {
3010 if(!(key_usage[0] & CERT_KEY_CERT_SIGN_KEY_USAGE))
3011 continue;
3012 }
3013 else if(GetLastError())
3014 continue;
3015
3016 /* If enhanced key usage exists check for server auth attribute.
3017 *
3018 * Note "In a Microsoft environment, a certificate might also have EKU
3019 * extended properties that specify valid uses for the certificate."
3020 * The call below checks both, and behavior varies depending on what is
3021 * found. For more details see CertGetEnhancedKeyUsage doc.
3022 */
3023 if(CertGetEnhancedKeyUsage(pContext, 0, NULL, &req_size)) {
3024 if(req_size && req_size > enhkey_usage_size) {
3025 void *tmp = realloc(enhkey_usage, req_size);
3026
3027 if(!tmp) {
3028 failf(data, "SSL: Out of memory allocating for OID list");
3029 result = CURLE_OUT_OF_MEMORY;
3030 break;
3031 }
3032
3033 enhkey_usage = (CERT_ENHKEY_USAGE *)tmp;
3034 enhkey_usage_size = req_size;
3035 }
3036
3037 if(CertGetEnhancedKeyUsage(pContext, 0, enhkey_usage, &req_size)) {
3038 if(!enhkey_usage->cUsageIdentifier) {
3039 /* "If GetLastError returns CRYPT_E_NOT_FOUND, the certificate is
3040 good for all uses. If it returns zero, the certificate has no
3041 valid uses." */
3042 if((HRESULT)GetLastError() != CRYPT_E_NOT_FOUND)
3043 continue;
3044 }
3045 else {
3046 DWORD i;
3047 bool found = false;
3048
3049 for(i = 0; i < enhkey_usage->cUsageIdentifier; ++i) {
3050 if(!strcmp("1.3.6.1.5.5.7.3.1" /* OID server auth */,
3051 enhkey_usage->rgpszUsageIdentifier[i])) {
3052 found = true;
3053 break;
3054 }
3055 }
3056
3057 if(!found)
3058 continue;
3059 }
3060 }
3061 else
3062 continue;
3063 }
3064 else
3065 continue;
3066
3067 x509 = d2i_X509(NULL, &encoded_cert, pContext->cbCertEncoded);
3068 if(!x509)
3069 continue;
3070
3071 /* Try to import the certificate. This may fail for legitimate reasons
3072 such as duplicate certificate, which is allowed by MS but not
3073 OpenSSL. */
3074 if(X509_STORE_add_cert(store, x509) == 1) {
3075#if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS)
3076 infof(data, "SSL: Imported cert \"%s\"", cert_name);
3077#endif
3078 imported_native_ca = true;
3079 }
3080 X509_free(x509);
3081 }
3082
3083 free(enhkey_usage);
3084 CertFreeCertificateContext(pContext);
3085 CertCloseStore(hStore, 0);
3086
3087 if(result)
3088 return result;
3089 }
3090 if(imported_native_ca)
3091 infof(data, "successfully imported Windows CA store");
3092 else
3093 infof(data, "error importing Windows CA store, continuing anyway");
3094 }
3095#endif
3096
3097 if(ca_info_blob) {
3098 result = load_cacert_from_memory(backend->ctx, ca_info_blob);
3099 if(result) {
3100 if(result == CURLE_OUT_OF_MEMORY ||
3101 (verifypeer && !imported_native_ca)) {
3102 failf(data, "error importing CA certificate blob");
3103 return result;
3104 }
3105 /* Only warn if no certificate verification is required. */
3106 infof(data, "error importing CA certificate blob, continuing anyway");
3107 }
3108 }
3109
3110 if(verifypeer && !imported_native_ca && (ssl_cafile || ssl_capath)) {
3111#if defined(OPENSSL_VERSION_MAJOR) && (OPENSSL_VERSION_MAJOR >= 3)
3112 /* OpenSSL 3.0.0 has deprecated SSL_CTX_load_verify_locations */
3113 if(ssl_cafile &&
3114 !SSL_CTX_load_verify_file(backend->ctx, ssl_cafile)) {
3115 /* Fail if we insist on successfully verifying the server. */
3116 failf(data, "error setting certificate file: %s", ssl_cafile);
3117 return CURLE_SSL_CACERT_BADFILE;
3118 }
3119 if(ssl_capath &&
3120 !SSL_CTX_load_verify_dir(backend->ctx, ssl_capath)) {
3121 /* Fail if we insist on successfully verifying the server. */
3122 failf(data, "error setting certificate path: %s", ssl_capath);
3123 return CURLE_SSL_CACERT_BADFILE;
3124 }
3125#else
3126 /* tell OpenSSL where to find CA certificates that are used to verify the
3127 server's certificate. */
3128 if(!SSL_CTX_load_verify_locations(backend->ctx, ssl_cafile, ssl_capath)) {
3129 /* Fail if we insist on successfully verifying the server. */
3130 failf(data, "error setting certificate verify locations:"
3131 " CAfile: %s CApath: %s",
3132 ssl_cafile ? ssl_cafile : "none",
3133 ssl_capath ? ssl_capath : "none");
3134 return CURLE_SSL_CACERT_BADFILE;
3135 }
3136#endif
3137 infof(data, " CAfile: %s", ssl_cafile ? ssl_cafile : "none");
3138 infof(data, " CApath: %s", ssl_capath ? ssl_capath : "none");
3139 }
3140
3141#ifdef CURL_CA_FALLBACK
3142 if(verifypeer &&
3143 !ca_info_blob && !ssl_cafile && !ssl_capath && !imported_native_ca) {
3144 /* verifying the peer without any CA certificates won't
3145 work so use openssl's built-in default as fallback */
3146 SSL_CTX_set_default_verify_paths(backend->ctx);
3147 }
3148#endif
3149
3150 if(ssl_crlfile) {
3151 /* tell OpenSSL where to find CRL file that is used to check certificate
3152 * revocation */
3153 lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(backend->ctx),
3154 X509_LOOKUP_file());
3155 if(!lookup ||
3156 (!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM)) ) {
3157 failf(data, "error loading CRL file: %s", ssl_crlfile);
3158 return CURLE_SSL_CRL_BADFILE;
3159 }
3160 /* Everything is fine. */
3161 infof(data, "successfully loaded CRL file:");
3162 X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx),
3163 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
3164
3165 infof(data, " CRLfile: %s", ssl_crlfile);
3166 }
3167
3168 if(verifypeer) {
3169 /* Try building a chain using issuers in the trusted store first to avoid
3170 problems with server-sent legacy intermediates. Newer versions of
3171 OpenSSL do alternate chain checking by default but we do not know how to
3172 determine that in a reliable manner.
3173 https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
3174 */
3175#if defined(X509_V_FLAG_TRUSTED_FIRST)
3176 X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx),
3177 X509_V_FLAG_TRUSTED_FIRST);
3178#endif
3179#ifdef X509_V_FLAG_PARTIAL_CHAIN
3180 if(!SSL_SET_OPTION(no_partialchain) && !ssl_crlfile) {
3181 /* Have intermediate certificates in the trust store be treated as
3182 trust-anchors, in the same way as self-signed root CA certificates
3183 are. This allows users to verify servers using the intermediate cert
3184 only, instead of needing the whole chain.
3185
3186 Due to OpenSSL bug https://github.com/openssl/openssl/issues/5081 we
3187 cannot do partial chains with a CRL check.
3188 */
3189 X509_STORE_set_flags(SSL_CTX_get_cert_store(backend->ctx),
3190 X509_V_FLAG_PARTIAL_CHAIN);
3191 }
3192#endif
3193 }
3194
3195 /* OpenSSL always tries to verify the peer, this only says whether it should
3196 * fail to connect if the verification fails, or if it should continue
3197 * anyway. In the latter case the result of the verification is checked with
3198 * SSL_get_verify_result() below. */
3199 SSL_CTX_set_verify(backend->ctx,
3200 verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
3201
3202 /* Enable logging of secrets to the file specified in env SSLKEYLOGFILE. */
3203#ifdef HAVE_KEYLOG_CALLBACK
3204 if(Curl_tls_keylog_enabled()) {
3205 SSL_CTX_set_keylog_callback(backend->ctx, ossl_keylog_callback);
3206 }
3207#endif
3208
3209 /* Enable the session cache because it's a prerequisite for the "new session"
3210 * callback. Use the "external storage" mode to prevent OpenSSL from creating
3211 * an internal session cache.
3212 */
3213 SSL_CTX_set_session_cache_mode(backend->ctx,
3214 SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL);
3215 SSL_CTX_sess_set_new_cb(backend->ctx, ossl_new_session_cb);
3216
3217 /* give application a chance to interfere with SSL set up. */
3218 if(data->set.ssl.fsslctx) {
3219 Curl_set_in_callback(data, true);
3220 result = (*data->set.ssl.fsslctx)(data, backend->ctx,
3221 data->set.ssl.fsslctxp);
3222 Curl_set_in_callback(data, false);
3223 if(result) {
3224 failf(data, "error signaled by ssl ctx callback");
3225 return result;
3226 }
3227 }
3228
3229 /* Let's make an SSL structure */
3230 if(backend->handle)
3231 SSL_free(backend->handle);
3232 backend->handle = SSL_new(backend->ctx);
3233 if(!backend->handle) {
3234 failf(data, "SSL: couldn't create a context (handle)");
3235 return CURLE_OUT_OF_MEMORY;
3236 }
3237
3238#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
3239 !defined(OPENSSL_NO_OCSP)
3240 if(SSL_CONN_CONFIG(verifystatus))
3241 SSL_set_tlsext_status_type(backend->handle, TLSEXT_STATUSTYPE_ocsp);
3242#endif
3243
3244#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG)
3245 SSL_set_renegotiate_mode(backend->handle, ssl_renegotiate_freely);
3246#endif
3247
3248 SSL_set_connect_state(backend->handle);
3249
3250 backend->server_cert = 0x0;
3251#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
3252 if((0 == Curl_inet_pton(AF_INET, hostname, &addr)) &&
3253#ifdef ENABLE_IPV6
3254 (0 == Curl_inet_pton(AF_INET6, hostname, &addr)) &&
3255#endif
3256 sni) {
3257 char *snihost = Curl_ssl_snihost(data, hostname, NULL);
3258 if(!snihost || !SSL_set_tlsext_host_name(backend->handle, snihost)) {
3259 failf(data, "Failed set SNI");
3260 return CURLE_SSL_CONNECT_ERROR;
3261 }
3262 }
3263#endif
3264
3265 if(!ossl_associate_connection(data, conn, sockindex)) {
3266 /* Maybe the internal errors of SSL_get_ex_new_index or SSL_set_ex_data */
3267 failf(data, "SSL: ossl_associate_connection failed: %s",
3268 ossl_strerror(ERR_get_error(), error_buffer,
3269 sizeof(error_buffer)));
3270 return CURLE_SSL_CONNECT_ERROR;
3271 }
3272
3273 if(SSL_SET_OPTION(primary.sessionid)) {
3274 Curl_ssl_sessionid_lock(data);
3275 if(!Curl_ssl_getsessionid(data, conn, SSL_IS_PROXY() ? TRUE : FALSE,
3276 &ssl_sessionid, NULL, sockindex)) {
3277 /* we got a session id, use it! */
3278 if(!SSL_set_session(backend->handle, ssl_sessionid)) {
3279 Curl_ssl_sessionid_unlock(data);
3280 failf(data, "SSL: SSL_set_session failed: %s",
3281 ossl_strerror(ERR_get_error(), error_buffer,
3282 sizeof(error_buffer)));
3283 return CURLE_SSL_CONNECT_ERROR;
3284 }
3285 /* Informational message */
3286 infof(data, "SSL re-using session ID");
3287 }
3288 Curl_ssl_sessionid_unlock(data);
3289 }
3290
3291#ifndef CURL_DISABLE_PROXY
3292 if(conn->proxy_ssl[sockindex].use) {
3293 BIO *const bio = BIO_new(BIO_f_ssl());
3294 struct ssl_backend_data *proxy_backend;
3295 SSL* handle = NULL;
3296 proxy_backend = conn->proxy_ssl[sockindex].backend;
3297 DEBUGASSERT(proxy_backend);
3298 handle = proxy_backend->handle;
3299 DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state);
3300 DEBUGASSERT(handle != NULL);
3301 DEBUGASSERT(bio != NULL);
3302 BIO_set_ssl(bio, handle, FALSE);
3303 SSL_set_bio(backend->handle, bio, bio);
3304 }
3305 else
3306#endif
3307 if(!SSL_set_fd(backend->handle, (int)sockfd)) {
3308 /* pass the raw socket into the SSL layers */
3309 failf(data, "SSL: SSL_set_fd failed: %s",
3310 ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer)));
3311 return CURLE_SSL_CONNECT_ERROR;
3312 }
3313
3314 connssl->connecting_state = ssl_connect_2;
3315
3316 return CURLE_OK;
3317}
3318
3319static CURLcode ossl_connect_step2(struct Curl_easy *data,
3320 struct connectdata *conn, int sockindex)
3321{
3322 int err;
3323 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
3324 struct ssl_backend_data *backend = connssl->backend;
3325 DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
3326 || ssl_connect_2_reading == connssl->connecting_state
3327 || ssl_connect_2_writing == connssl->connecting_state);
3328 DEBUGASSERT(backend);
3329
3330 ERR_clear_error();
3331
3332 err = SSL_connect(backend->handle);
3333#ifndef HAVE_KEYLOG_CALLBACK
3334 if(Curl_tls_keylog_enabled()) {
3335 /* If key logging is enabled, wait for the handshake to complete and then
3336 * proceed with logging secrets (for TLS 1.2 or older).
3337 */
3338 ossl_log_tls12_secret(backend->handle, &backend->keylog_done);
3339 }
3340#endif
3341
3342 /* 1 is fine
3343 0 is "not successful but was shut down controlled"
3344 <0 is "handshake was not successful, because a fatal error occurred" */
3345 if(1 != err) {
3346 int detail = SSL_get_error(backend->handle, err);
3347
3348 if(SSL_ERROR_WANT_READ == detail) {
3349 connssl->connecting_state = ssl_connect_2_reading;
3350 return CURLE_OK;
3351 }
3352 if(SSL_ERROR_WANT_WRITE == detail) {
3353 connssl->connecting_state = ssl_connect_2_writing;
3354 return CURLE_OK;
3355 }
3356#ifdef SSL_ERROR_WANT_ASYNC
3357 if(SSL_ERROR_WANT_ASYNC == detail) {
3358 connssl->connecting_state = ssl_connect_2;
3359 return CURLE_OK;
3360 }
3361#endif
3362 else {
3363 /* untreated error */
3364 unsigned long errdetail;
3365 char error_buffer[256]="";
3366 CURLcode result;
3367 long lerr;
3368 int lib;
3369 int reason;
3370
3371 /* the connection failed, we're not waiting for anything else. */
3372 connssl->connecting_state = ssl_connect_2;
3373
3374 /* Get the earliest error code from the thread's error queue and remove
3375 the entry. */
3376 errdetail = ERR_get_error();
3377
3378 /* Extract which lib and reason */
3379 lib = ERR_GET_LIB(errdetail);
3380 reason = ERR_GET_REASON(errdetail);
3381
3382 if((lib == ERR_LIB_SSL) &&
3383 ((reason == SSL_R_CERTIFICATE_VERIFY_FAILED) ||
3384 (reason == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED))) {
3385 result = CURLE_PEER_FAILED_VERIFICATION;
3386
3387 lerr = SSL_get_verify_result(backend->handle);
3388 if(lerr != X509_V_OK) {
3389 SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
3390 msnprintf(error_buffer, sizeof(error_buffer),
3391 "SSL certificate problem: %s",
3392 X509_verify_cert_error_string(lerr));
3393 }
3394 else
3395 /* strcpy() is fine here as long as the string fits within
3396 error_buffer */
3397 strcpy(error_buffer, "SSL certificate verification failed");
3398 }
3399#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
3400 !defined(LIBRESSL_VERSION_NUMBER) && \
3401 !defined(OPENSSL_IS_BORINGSSL))
3402 /* SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED is only available on
3403 OpenSSL version above v1.1.1, not LibreSSL nor BoringSSL */
3404 else if((lib == ERR_LIB_SSL) &&
3405 (reason == SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED)) {
3406 /* If client certificate is required, communicate the
3407 error to client */
3408 result = CURLE_SSL_CLIENTCERT;
3409 ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
3410 }
3411#endif
3412 else {
3413 result = CURLE_SSL_CONNECT_ERROR;
3414 ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
3415 }
3416
3417 /* detail is already set to the SSL error above */
3418
3419 /* If we e.g. use SSLv2 request-method and the server doesn't like us
3420 * (RST connection, etc.), OpenSSL gives no explanation whatsoever and
3421 * the SO_ERROR is also lost.
3422 */
3423 if(CURLE_SSL_CONNECT_ERROR == result && errdetail == 0) {
3424 const char * const hostname = SSL_HOST_NAME();
3425 const long int port = SSL_HOST_PORT();
3426 char extramsg[80]="";
3427 int sockerr = SOCKERRNO;
3428 if(sockerr && detail == SSL_ERROR_SYSCALL)
3429 Curl_strerror(sockerr, extramsg, sizeof(extramsg));
3430 failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%ld ",
3431 extramsg[0] ? extramsg : SSL_ERROR_to_str(detail),
3432 hostname, port);
3433 return result;
3434 }
3435
3436 /* Could be a CERT problem */
3437 failf(data, "%s", error_buffer);
3438
3439 return result;
3440 }
3441 }
3442 else {
3443 /* we connected fine, we're not waiting for anything else. */
3444 connssl->connecting_state = ssl_connect_3;
3445
3446 /* Informational message */
3447 infof(data, "SSL connection using %s / %s",
3448 SSL_get_version(backend->handle),
3449 SSL_get_cipher(backend->handle));
3450
3451#ifdef HAS_ALPN
3452 /* Sets data and len to negotiated protocol, len is 0 if no protocol was
3453 * negotiated
3454 */
3455 if(conn->bits.tls_enable_alpn) {
3456 const unsigned char *neg_protocol;
3457 unsigned int len;
3458 SSL_get0_alpn_selected(backend->handle, &neg_protocol, &len);
3459 if(len) {
3460 infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, len, neg_protocol);
3461
3462#ifdef USE_HTTP2
3463 if(len == ALPN_H2_LENGTH &&
3464 !memcmp(ALPN_H2, neg_protocol, len)) {
3465 conn->negnpn = CURL_HTTP_VERSION_2;
3466 }
3467 else
3468#endif
3469 if(len == ALPN_HTTP_1_1_LENGTH &&
3470 !memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) {
3471 conn->negnpn = CURL_HTTP_VERSION_1_1;
3472 }
3473 }
3474 else
3475 infof(data, VTLS_INFOF_NO_ALPN);
3476
3477 Curl_multiuse_state(data, conn->negnpn == CURL_HTTP_VERSION_2 ?
3478 BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
3479 }
3480#endif
3481
3482 return CURLE_OK;
3483 }
3484}
3485
3486static int asn1_object_dump(ASN1_OBJECT *a, char *buf, size_t len)
3487{
3488 int i, ilen;
3489
3490 ilen = (int)len;
3491 if(ilen < 0)
3492 return 1; /* buffer too big */
3493
3494 i = i2t_ASN1_OBJECT(buf, ilen, a);
3495
3496 if(i >= ilen)
3497 return 1; /* buffer too small */
3498
3499 return 0;
3500}
3501
3502#define push_certinfo(_label, _num) \
3503do { \
3504 long info_len = BIO_get_mem_data(mem, &ptr); \
3505 Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \
3506 if(1 != BIO_reset(mem)) \
3507 break; \
3508} while(0)
3509
3510static void pubkey_show(struct Curl_easy *data,
3511 BIO *mem,
3512 int num,
3513 const char *type,
3514 const char *name,
3515 const BIGNUM *bn)
3516{
3517 char *ptr;
3518 char namebuf[32];
3519
3520 msnprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
3521
3522 if(bn)
3523 BN_print(mem, bn);
3524 push_certinfo(namebuf, num);
3525}
3526
3527#ifdef HAVE_OPAQUE_RSA_DSA_DH
3528#define print_pubkey_BN(_type, _name, _num) \
3529 pubkey_show(data, mem, _num, #_type, #_name, _name)
3530
3531#else
3532#define print_pubkey_BN(_type, _name, _num) \
3533do { \
3534 if(_type->_name) { \
3535 pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \
3536 } \
3537} while(0)
3538#endif
3539
3540static void X509V3_ext(struct Curl_easy *data,
3541 int certnum,
3542 CONST_EXTS STACK_OF(X509_EXTENSION) *exts)
3543{
3544 int i;
3545
3546 if((int)sk_X509_EXTENSION_num(exts) <= 0)
3547 /* no extensions, bail out */
3548 return;
3549
3550 for(i = 0; i < (int)sk_X509_EXTENSION_num(exts); i++) {
3551 ASN1_OBJECT *obj;
3552 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
3553 BUF_MEM *biomem;
3554 char namebuf[128];
3555 BIO *bio_out = BIO_new(BIO_s_mem());
3556
3557 if(!bio_out)
3558 return;
3559
3560 obj = X509_EXTENSION_get_object(ext);
3561
3562 asn1_object_dump(obj, namebuf, sizeof(namebuf));
3563
3564 if(!X509V3_EXT_print(bio_out, ext, 0, 0))
3565 ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
3566
3567 BIO_get_mem_ptr(bio_out, &biomem);
3568 Curl_ssl_push_certinfo_len(data, certnum, namebuf, biomem->data,
3569 biomem->length);
3570 BIO_free(bio_out);
3571 }
3572}
3573
3574#ifdef OPENSSL_IS_BORINGSSL
3575typedef size_t numcert_t;
3576#else
3577typedef int numcert_t;
3578#endif
3579
3580static CURLcode get_cert_chain(struct Curl_easy *data,
3581 struct ssl_connect_data *connssl)
3582{
3583 CURLcode result;
3584 STACK_OF(X509) *sk;
3585 int i;
3586 numcert_t numcerts;
3587 BIO *mem;
3588 struct ssl_backend_data *backend = connssl->backend;
3589
3590 DEBUGASSERT(backend);
3591
3592 sk = SSL_get_peer_cert_chain(backend->handle);
3593 if(!sk) {
3594 return CURLE_OUT_OF_MEMORY;
3595 }
3596
3597 numcerts = sk_X509_num(sk);
3598
3599 result = Curl_ssl_init_certinfo(data, (int)numcerts);
3600 if(result) {
3601 return result;
3602 }
3603
3604 mem = BIO_new(BIO_s_mem());
3605 if(!mem) {
3606 return CURLE_OUT_OF_MEMORY;
3607 }
3608
3609 for(i = 0; i < (int)numcerts; i++) {
3610 ASN1_INTEGER *num;
3611 X509 *x = sk_X509_value(sk, i);
3612 EVP_PKEY *pubkey = NULL;
3613 int j;
3614 char *ptr;
3615 const ASN1_BIT_STRING *psig = NULL;
3616
3617 X509_NAME_print_ex(mem, X509_get_subject_name(x), 0, XN_FLAG_ONELINE);
3618 push_certinfo("Subject", i);
3619
3620 X509_NAME_print_ex(mem, X509_get_issuer_name(x), 0, XN_FLAG_ONELINE);
3621 push_certinfo("Issuer", i);
3622
3623 BIO_printf(mem, "%lx", X509_get_version(x));
3624 push_certinfo("Version", i);
3625
3626 num = X509_get_serialNumber(x);
3627 if(num->type == V_ASN1_NEG_INTEGER)
3628 BIO_puts(mem, "-");
3629 for(j = 0; j < num->length; j++)
3630 BIO_printf(mem, "%02x", num->data[j]);
3631 push_certinfo("Serial Number", i);
3632
3633#if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS)
3634 {
3635 const X509_ALGOR *sigalg = NULL;
3636 X509_PUBKEY *xpubkey = NULL;
3637 ASN1_OBJECT *pubkeyoid = NULL;
3638
3639 X509_get0_signature(&psig, &sigalg, x);
3640 if(sigalg) {
3641 i2a_ASN1_OBJECT(mem, sigalg->algorithm);
3642 push_certinfo("Signature Algorithm", i);
3643 }
3644
3645 xpubkey = X509_get_X509_PUBKEY(x);
3646 if(xpubkey) {
3647 X509_PUBKEY_get0_param(&pubkeyoid, NULL, NULL, NULL, xpubkey);
3648 if(pubkeyoid) {
3649 i2a_ASN1_OBJECT(mem, pubkeyoid);
3650 push_certinfo("Public Key Algorithm", i);
3651 }
3652 }
3653
3654 X509V3_ext(data, i, X509_get0_extensions(x));
3655 }
3656#else
3657 {
3658 /* before OpenSSL 1.0.2 */
3659 X509_CINF *cinf = x->cert_info;
3660
3661 i2a_ASN1_OBJECT(mem, cinf->signature->algorithm);
3662 push_certinfo("Signature Algorithm", i);
3663
3664 i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm);
3665 push_certinfo("Public Key Algorithm", i);
3666
3667 X509V3_ext(data, i, cinf->extensions);
3668
3669 psig = x->signature;
3670 }
3671#endif
3672
3673 ASN1_TIME_print(mem, X509_get0_notBefore(x));
3674 push_certinfo("Start date", i);
3675
3676 ASN1_TIME_print(mem, X509_get0_notAfter(x));
3677 push_certinfo("Expire date", i);
3678
3679 pubkey = X509_get_pubkey(x);
3680 if(!pubkey)
3681 infof(data, " Unable to load public key");
3682 else {
3683 int pktype;
3684#ifdef HAVE_OPAQUE_EVP_PKEY
3685 pktype = EVP_PKEY_id(pubkey);
3686#else
3687 pktype = pubkey->type;
3688#endif
3689 switch(pktype) {
3690 case EVP_PKEY_RSA:
3691 {
3692#ifndef HAVE_EVP_PKEY_GET_PARAMS
3693 RSA *rsa;
3694#ifdef HAVE_OPAQUE_EVP_PKEY
3695 rsa = EVP_PKEY_get0_RSA(pubkey);
3696#else
3697 rsa = pubkey->pkey.rsa;
3698#endif /* HAVE_OPAQUE_EVP_PKEY */
3699#endif /* !HAVE_EVP_PKEY_GET_PARAMS */
3700
3701 {
3702#ifdef HAVE_OPAQUE_RSA_DSA_DH
3703 DECLARE_PKEY_PARAM_BIGNUM(n);
3704 DECLARE_PKEY_PARAM_BIGNUM(e);
3705#ifdef HAVE_EVP_PKEY_GET_PARAMS
3706 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_N, &n);
3707 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_RSA_E, &e);
3708#else
3709 RSA_get0_key(rsa, &n, &e, NULL);
3710#endif /* HAVE_EVP_PKEY_GET_PARAMS */
3711 BIO_printf(mem, "%d", BN_num_bits(n));
3712#else
3713 BIO_printf(mem, "%d", BN_num_bits(rsa->n));
3714#endif /* HAVE_OPAQUE_RSA_DSA_DH */
3715 push_certinfo("RSA Public Key", i);
3716 print_pubkey_BN(rsa, n, i);
3717 print_pubkey_BN(rsa, e, i);
3718 FREE_PKEY_PARAM_BIGNUM(n);
3719 FREE_PKEY_PARAM_BIGNUM(e);
3720 }
3721
3722 break;
3723 }
3724 case EVP_PKEY_DSA:
3725 {
3726#ifndef OPENSSL_NO_DSA
3727#ifndef HAVE_EVP_PKEY_GET_PARAMS
3728 DSA *dsa;
3729#ifdef HAVE_OPAQUE_EVP_PKEY
3730 dsa = EVP_PKEY_get0_DSA(pubkey);
3731#else
3732 dsa = pubkey->pkey.dsa;
3733#endif /* HAVE_OPAQUE_EVP_PKEY */
3734#endif /* !HAVE_EVP_PKEY_GET_PARAMS */
3735 {
3736#ifdef HAVE_OPAQUE_RSA_DSA_DH
3737 DECLARE_PKEY_PARAM_BIGNUM(p);
3738 DECLARE_PKEY_PARAM_BIGNUM(q);
3739 DECLARE_PKEY_PARAM_BIGNUM(g);
3740 DECLARE_PKEY_PARAM_BIGNUM(pub_key);
3741#ifdef HAVE_EVP_PKEY_GET_PARAMS
3742 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p);
3743 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q);
3744 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g);
3745 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
3746#else
3747 DSA_get0_pqg(dsa, &p, &q, &g);
3748 DSA_get0_key(dsa, &pub_key, NULL);
3749#endif /* HAVE_EVP_PKEY_GET_PARAMS */
3750#endif /* HAVE_OPAQUE_RSA_DSA_DH */
3751 print_pubkey_BN(dsa, p, i);
3752 print_pubkey_BN(dsa, q, i);
3753 print_pubkey_BN(dsa, g, i);
3754 print_pubkey_BN(dsa, pub_key, i);
3755 FREE_PKEY_PARAM_BIGNUM(p);
3756 FREE_PKEY_PARAM_BIGNUM(q);
3757 FREE_PKEY_PARAM_BIGNUM(g);
3758 FREE_PKEY_PARAM_BIGNUM(pub_key);
3759 }
3760#endif /* !OPENSSL_NO_DSA */
3761 break;
3762 }
3763 case EVP_PKEY_DH:
3764 {
3765#ifndef HAVE_EVP_PKEY_GET_PARAMS
3766 DH *dh;
3767#ifdef HAVE_OPAQUE_EVP_PKEY
3768 dh = EVP_PKEY_get0_DH(pubkey);
3769#else
3770 dh = pubkey->pkey.dh;
3771#endif /* HAVE_OPAQUE_EVP_PKEY */
3772#endif /* !HAVE_EVP_PKEY_GET_PARAMS */
3773 {
3774#ifdef HAVE_OPAQUE_RSA_DSA_DH
3775 DECLARE_PKEY_PARAM_BIGNUM(p);
3776 DECLARE_PKEY_PARAM_BIGNUM(q);
3777 DECLARE_PKEY_PARAM_BIGNUM(g);
3778 DECLARE_PKEY_PARAM_BIGNUM(pub_key);
3779#ifdef HAVE_EVP_PKEY_GET_PARAMS
3780 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_P, &p);
3781 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_Q, &q);
3782 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_FFC_G, &g);
3783 EVP_PKEY_get_bn_param(pubkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
3784#else
3785 DH_get0_pqg(dh, &p, &q, &g);
3786 DH_get0_key(dh, &pub_key, NULL);
3787#endif /* HAVE_EVP_PKEY_GET_PARAMS */
3788 print_pubkey_BN(dh, p, i);
3789 print_pubkey_BN(dh, q, i);
3790 print_pubkey_BN(dh, g, i);
3791#else
3792 print_pubkey_BN(dh, p, i);
3793 print_pubkey_BN(dh, g, i);
3794#endif /* HAVE_OPAQUE_RSA_DSA_DH */
3795 print_pubkey_BN(dh, pub_key, i);
3796 FREE_PKEY_PARAM_BIGNUM(p);
3797 FREE_PKEY_PARAM_BIGNUM(q);
3798 FREE_PKEY_PARAM_BIGNUM(g);
3799 FREE_PKEY_PARAM_BIGNUM(pub_key);
3800 }
3801 break;
3802 }
3803 }
3804 EVP_PKEY_free(pubkey);
3805 }
3806
3807 if(psig) {
3808 for(j = 0; j < psig->length; j++)
3809 BIO_printf(mem, "%02x:", psig->data[j]);
3810 push_certinfo("Signature", i);
3811 }
3812
3813 PEM_write_bio_X509(mem, x);
3814 push_certinfo("Cert", i);
3815 }
3816
3817 BIO_free(mem);
3818
3819 return CURLE_OK;
3820}
3821
3822/*
3823 * Heavily modified from:
3824 * https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
3825 */
3826static CURLcode pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert,
3827 const char *pinnedpubkey)
3828{
3829 /* Scratch */
3830 int len1 = 0, len2 = 0;
3831 unsigned char *buff1 = NULL, *temp = NULL;
3832
3833 /* Result is returned to caller */
3834 CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
3835
3836 /* if a path wasn't specified, don't pin */
3837 if(!pinnedpubkey)
3838 return CURLE_OK;
3839
3840 if(!cert)
3841 return result;
3842
3843 do {
3844 /* Begin Gyrations to get the subjectPublicKeyInfo */
3845 /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */
3846
3847 /* https://groups.google.com/group/mailing.openssl.users/browse_thread
3848 /thread/d61858dae102c6c7 */
3849 len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
3850 if(len1 < 1)
3851 break; /* failed */
3852
3853 buff1 = temp = malloc(len1);
3854 if(!buff1)
3855 break; /* failed */
3856
3857 /* https://www.openssl.org/docs/crypto/d2i_X509.html */
3858 len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
3859
3860 /*
3861 * These checks are verifying we got back the same values as when we
3862 * sized the buffer. It's pretty weak since they should always be the
3863 * same. But it gives us something to test.
3864 */
3865 if((len1 != len2) || !temp || ((temp - buff1) != len1))
3866 break; /* failed */
3867
3868 /* End Gyrations */
3869
3870 /* The one good exit point */
3871 result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
3872 } while(0);
3873
3874 if(buff1)
3875 free(buff1);
3876
3877 return result;
3878}
3879
3880/*
3881 * Get the server cert, verify it and show it, etc., only call failf() if the
3882 * 'strict' argument is TRUE as otherwise all this is for informational
3883 * purposes only!
3884 *
3885 * We check certificates to authenticate the server; otherwise we risk
3886 * man-in-the-middle attack.
3887 */
3888static CURLcode servercert(struct Curl_easy *data,
3889 struct connectdata *conn,
3890 struct ssl_connect_data *connssl,
3891 bool strict)
3892{
3893 CURLcode result = CURLE_OK;
3894 int rc;
3895 long lerr;
3896 X509 *issuer;
3897 BIO *fp = NULL;
3898 char error_buffer[256]="";
3899 char buffer[2048];
3900 const char *ptr;
3901 BIO *mem = BIO_new(BIO_s_mem());
3902 struct ssl_backend_data *backend = connssl->backend;
3903
3904 DEBUGASSERT(backend);
3905
3906 if(!mem) {
3907 failf(data,
3908 "BIO_new return NULL, " OSSL_PACKAGE
3909 " error %s",
3910 ossl_strerror(ERR_get_error(), error_buffer,
3911 sizeof(error_buffer)) );
3912 return CURLE_OUT_OF_MEMORY;
3913 }
3914
3915 if(data->set.ssl.certinfo)
3916 /* we've been asked to gather certificate info! */
3917 (void)get_cert_chain(data, connssl);
3918
3919 backend->server_cert = SSL_get1_peer_certificate(backend->handle);
3920 if(!backend->server_cert) {
3921 BIO_free(mem);
3922 if(!strict)
3923 return CURLE_OK;
3924
3925 failf(data, "SSL: couldn't get peer certificate");
3926 return CURLE_PEER_FAILED_VERIFICATION;
3927 }
3928
3929 infof(data, "%s certificate:", SSL_IS_PROXY() ? "Proxy" : "Server");
3930
3931 rc = x509_name_oneline(X509_get_subject_name(backend->server_cert),
3932 buffer, sizeof(buffer));
3933 infof(data, " subject: %s", rc?"[NONE]":buffer);
3934
3935#ifndef CURL_DISABLE_VERBOSE_STRINGS
3936 {
3937 long len;
3938 ASN1_TIME_print(mem, X509_get0_notBefore(backend->server_cert));
3939 len = BIO_get_mem_data(mem, (char **) &ptr);
3940 infof(data, " start date: %.*s", (int)len, ptr);
3941 (void)BIO_reset(mem);
3942
3943 ASN1_TIME_print(mem, X509_get0_notAfter(backend->server_cert));
3944 len = BIO_get_mem_data(mem, (char **) &ptr);
3945 infof(data, " expire date: %.*s", (int)len, ptr);
3946 (void)BIO_reset(mem);
3947 }
3948#endif
3949
3950 BIO_free(mem);
3951
3952 if(SSL_CONN_CONFIG(verifyhost)) {
3953 result = Curl_ossl_verifyhost(data, conn, backend->server_cert);
3954 if(result) {
3955 X509_free(backend->server_cert);
3956 backend->server_cert = NULL;
3957 return result;
3958 }
3959 }
3960
3961 rc = x509_name_oneline(X509_get_issuer_name(backend->server_cert),
3962 buffer, sizeof(buffer));
3963 if(rc) {
3964 if(strict)
3965 failf(data, "SSL: couldn't get X509-issuer name");
3966 result = CURLE_PEER_FAILED_VERIFICATION;
3967 }
3968 else {
3969 infof(data, " issuer: %s", buffer);
3970
3971 /* We could do all sorts of certificate verification stuff here before
3972 deallocating the certificate. */
3973
3974 /* e.g. match issuer name with provided issuer certificate */
3975 if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
3976 if(SSL_CONN_CONFIG(issuercert_blob)) {
3977 fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
3978 (int)SSL_CONN_CONFIG(issuercert_blob)->len);
3979 if(!fp) {
3980 failf(data,
3981 "BIO_new_mem_buf NULL, " OSSL_PACKAGE
3982 " error %s",
3983 ossl_strerror(ERR_get_error(), error_buffer,
3984 sizeof(error_buffer)) );
3985 X509_free(backend->server_cert);
3986 backend->server_cert = NULL;
3987 return CURLE_OUT_OF_MEMORY;
3988 }
3989 }
3990 else {
3991 fp = BIO_new(BIO_s_file());
3992 if(!fp) {
3993 failf(data,
3994 "BIO_new return NULL, " OSSL_PACKAGE
3995 " error %s",
3996 ossl_strerror(ERR_get_error(), error_buffer,
3997 sizeof(error_buffer)) );
3998 X509_free(backend->server_cert);
3999 backend->server_cert = NULL;
4000 return CURLE_OUT_OF_MEMORY;
4001 }
4002
4003 if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
4004 if(strict)
4005 failf(data, "SSL: Unable to open issuer cert (%s)",
4006 SSL_CONN_CONFIG(issuercert));
4007 BIO_free(fp);
4008 X509_free(backend->server_cert);
4009 backend->server_cert = NULL;
4010 return CURLE_SSL_ISSUER_ERROR;
4011 }
4012 }
4013
4014 issuer = PEM_read_bio_X509(fp, NULL, ZERO_NULL, NULL);
4015 if(!issuer) {
4016 if(strict)
4017 failf(data, "SSL: Unable to read issuer cert (%s)",
4018 SSL_CONN_CONFIG(issuercert));
4019 BIO_free(fp);
4020 X509_free(issuer);
4021 X509_free(backend->server_cert);
4022 backend->server_cert = NULL;
4023 return CURLE_SSL_ISSUER_ERROR;
4024 }
4025
4026 if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
4027 if(strict)
4028 failf(data, "SSL: Certificate issuer check failed (%s)",
4029 SSL_CONN_CONFIG(issuercert));
4030 BIO_free(fp);
4031 X509_free(issuer);
4032 X509_free(backend->server_cert);
4033 backend->server_cert = NULL;
4034 return CURLE_SSL_ISSUER_ERROR;
4035 }
4036
4037 infof(data, " SSL certificate issuer check ok (%s)",
4038 SSL_CONN_CONFIG(issuercert));
4039 BIO_free(fp);
4040 X509_free(issuer);
4041 }
4042
4043 lerr = SSL_get_verify_result(backend->handle);
4044 SSL_SET_OPTION_LVALUE(certverifyresult) = lerr;
4045 if(lerr != X509_V_OK) {
4046 if(SSL_CONN_CONFIG(verifypeer)) {
4047 /* We probably never reach this, because SSL_connect() will fail
4048 and we return earlier if verifypeer is set? */
4049 if(strict)
4050 failf(data, "SSL certificate verify result: %s (%ld)",
4051 X509_verify_cert_error_string(lerr), lerr);
4052 result = CURLE_PEER_FAILED_VERIFICATION;
4053 }
4054 else
4055 infof(data, " SSL certificate verify result: %s (%ld),"
4056 " continuing anyway.",
4057 X509_verify_cert_error_string(lerr), lerr);
4058 }
4059 else
4060 infof(data, " SSL certificate verify ok.");
4061 }
4062
4063#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
4064 !defined(OPENSSL_NO_OCSP)
4065 if(SSL_CONN_CONFIG(verifystatus)) {
4066 result = verifystatus(data, connssl);
4067 if(result) {
4068 X509_free(backend->server_cert);
4069 backend->server_cert = NULL;
4070 return result;
4071 }
4072 }
4073#endif
4074
4075 if(!strict)
4076 /* when not strict, we don't bother about the verify cert problems */
4077 result = CURLE_OK;
4078
4079 ptr = SSL_PINNED_PUB_KEY();
4080 if(!result && ptr) {
4081 result = pkp_pin_peer_pubkey(data, backend->server_cert, ptr);
4082 if(result)
4083 failf(data, "SSL: public key does not match pinned public key");
4084 }
4085
4086 X509_free(backend->server_cert);
4087 backend->server_cert = NULL;
4088 connssl->connecting_state = ssl_connect_done;
4089
4090 return result;
4091}
4092
4093static CURLcode ossl_connect_step3(struct Curl_easy *data,
4094 struct connectdata *conn, int sockindex)
4095{
4096 CURLcode result = CURLE_OK;
4097 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
4098
4099 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
4100
4101 /*
4102 * We check certificates to authenticate the server; otherwise we risk
4103 * man-in-the-middle attack; NEVERTHELESS, if we're told explicitly not to
4104 * verify the peer, ignore faults and failures from the server cert
4105 * operations.
4106 */
4107
4108 result = servercert(data, conn, connssl, (SSL_CONN_CONFIG(verifypeer) ||
4109 SSL_CONN_CONFIG(verifyhost)));
4110
4111 if(!result)
4112 connssl->connecting_state = ssl_connect_done;
4113
4114 return result;
4115}
4116
4117static Curl_recv ossl_recv;
4118static Curl_send ossl_send;
4119
4120static CURLcode ossl_connect_common(struct Curl_easy *data,
4121 struct connectdata *conn,
4122 int sockindex,
4123 bool nonblocking,
4124 bool *done)
4125{
4126 CURLcode result;
4127 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
4128 curl_socket_t sockfd = conn->sock[sockindex];
4129 int what;
4130
4131 /* check if the connection has already been established */
4132 if(ssl_connection_complete == connssl->state) {
4133 *done = TRUE;
4134 return CURLE_OK;
4135 }
4136
4137 if(ssl_connect_1 == connssl->connecting_state) {
4138 /* Find out how much more time we're allowed */
4139 const timediff_t timeout_ms = Curl_timeleft(data, NULL, TRUE);
4140
4141 if(timeout_ms < 0) {
4142 /* no need to continue if time is already up */
4143 failf(data, "SSL connection timeout");
4144 return CURLE_OPERATION_TIMEDOUT;
4145 }
4146
4147 result = ossl_connect_step1(data, conn, sockindex);
4148 if(result)
4149 return result;
4150 }
4151
4152 while(ssl_connect_2 == connssl->connecting_state ||
4153 ssl_connect_2_reading == connssl->connecting_state ||
4154 ssl_connect_2_writing == connssl->connecting_state) {
4155
4156 /* check allowed time left */
4157 const timediff_t timeout_ms = Curl_timeleft(data, NULL, TRUE);
4158
4159 if(timeout_ms < 0) {
4160 /* no need to continue if time already is up */
4161 failf(data, "SSL connection timeout");
4162 return CURLE_OPERATION_TIMEDOUT;
4163 }
4164
4165 /* if ssl is expecting something, check if it's available. */
4166 if(connssl->connecting_state == ssl_connect_2_reading ||
4167 connssl->connecting_state == ssl_connect_2_writing) {
4168
4169 curl_socket_t writefd = ssl_connect_2_writing ==
4170 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
4171 curl_socket_t readfd = ssl_connect_2_reading ==
4172 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
4173
4174 what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
4175 nonblocking?0:timeout_ms);
4176 if(what < 0) {
4177 /* fatal error */
4178 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
4179 return CURLE_SSL_CONNECT_ERROR;
4180 }
4181 if(0 == what) {
4182 if(nonblocking) {
4183 *done = FALSE;
4184 return CURLE_OK;
4185 }
4186 /* timeout */
4187 failf(data, "SSL connection timeout");
4188 return CURLE_OPERATION_TIMEDOUT;
4189 }
4190 /* socket is readable or writable */
4191 }
4192
4193 /* Run transaction, and return to the caller if it failed or if this
4194 * connection is done nonblocking and this loop would execute again. This
4195 * permits the owner of a multi handle to abort a connection attempt
4196 * before step2 has completed while ensuring that a client using select()
4197 * or epoll() will always have a valid fdset to wait on.
4198 */
4199 result = ossl_connect_step2(data, conn, sockindex);
4200 if(result || (nonblocking &&
4201 (ssl_connect_2 == connssl->connecting_state ||
4202 ssl_connect_2_reading == connssl->connecting_state ||
4203 ssl_connect_2_writing == connssl->connecting_state)))
4204 return result;
4205
4206 } /* repeat step2 until all transactions are done. */
4207
4208 if(ssl_connect_3 == connssl->connecting_state) {
4209 result = ossl_connect_step3(data, conn, sockindex);
4210 if(result)
4211 return result;
4212 }
4213
4214 if(ssl_connect_done == connssl->connecting_state) {
4215 connssl->state = ssl_connection_complete;
4216 conn->recv[sockindex] = ossl_recv;
4217 conn->send[sockindex] = ossl_send;
4218 *done = TRUE;
4219 }
4220 else
4221 *done = FALSE;
4222
4223 /* Reset our connect state machine */
4224 connssl->connecting_state = ssl_connect_1;
4225
4226 return CURLE_OK;
4227}
4228
4229static CURLcode ossl_connect_nonblocking(struct Curl_easy *data,
4230 struct connectdata *conn,
4231 int sockindex,
4232 bool *done)
4233{
4234 return ossl_connect_common(data, conn, sockindex, TRUE, done);
4235}
4236
4237static CURLcode ossl_connect(struct Curl_easy *data, struct connectdata *conn,
4238 int sockindex)
4239{
4240 CURLcode result;
4241 bool done = FALSE;
4242
4243 result = ossl_connect_common(data, conn, sockindex, FALSE, &done);
4244 if(result)
4245 return result;
4246
4247 DEBUGASSERT(done);
4248
4249 return CURLE_OK;
4250}
4251
4252static bool ossl_data_pending(const struct connectdata *conn,
4253 int connindex)
4254{
4255 const struct ssl_connect_data *connssl = &conn->ssl[connindex];
4256 DEBUGASSERT(connssl->backend);
4257 if(connssl->backend->handle && SSL_pending(connssl->backend->handle))
4258 return TRUE;
4259#ifndef CURL_DISABLE_PROXY
4260 {
4261 const struct ssl_connect_data *proxyssl = &conn->proxy_ssl[connindex];
4262 DEBUGASSERT(proxyssl->backend);
4263 if(proxyssl->backend->handle && SSL_pending(proxyssl->backend->handle))
4264 return TRUE;
4265 }
4266#endif
4267 return FALSE;
4268}
4269
4270static size_t ossl_version(char *buffer, size_t size);
4271
4272static ssize_t ossl_send(struct Curl_easy *data,
4273 int sockindex,
4274 const void *mem,
4275 size_t len,
4276 CURLcode *curlcode)
4277{
4278 /* SSL_write() is said to return 'int' while write() and send() returns
4279 'size_t' */
4280 int err;
4281 char error_buffer[256];
4282 unsigned long sslerror;
4283 int memlen;
4284 int rc;
4285 struct connectdata *conn = data->conn;
4286 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
4287 struct ssl_backend_data *backend = connssl->backend;
4288
4289 DEBUGASSERT(backend);
4290
4291 ERR_clear_error();
4292
4293 memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
4294 set_logger(conn, data);
4295 rc = SSL_write(backend->handle, mem, memlen);
4296
4297 if(rc <= 0) {
4298 err = SSL_get_error(backend->handle, rc);
4299
4300 switch(err) {
4301 case SSL_ERROR_WANT_READ:
4302 case SSL_ERROR_WANT_WRITE:
4303 /* The operation did not complete; the same TLS/SSL I/O function
4304 should be called again later. This is basically an EWOULDBLOCK
4305 equivalent. */
4306 *curlcode = CURLE_AGAIN;
4307 return -1;
4308 case SSL_ERROR_SYSCALL:
4309 {
4310 int sockerr = SOCKERRNO;
4311 sslerror = ERR_get_error();
4312 if(sslerror)
4313 ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
4314 else if(sockerr)
4315 Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
4316 else {
4317 strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
4318 error_buffer[sizeof(error_buffer) - 1] = '\0';
4319 }
4320 failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
4321 error_buffer, sockerr);
4322 *curlcode = CURLE_SEND_ERROR;
4323 return -1;
4324 }
4325 case SSL_ERROR_SSL:
4326 /* A failure in the SSL library occurred, usually a protocol error.
4327 The OpenSSL error queue contains more information on the error. */
4328 sslerror = ERR_get_error();
4329 if(ERR_GET_LIB(sslerror) == ERR_LIB_SSL &&
4330 ERR_GET_REASON(sslerror) == SSL_R_BIO_NOT_SET &&
4331 conn->ssl[sockindex].state == ssl_connection_complete
4332#ifndef CURL_DISABLE_PROXY
4333 && conn->proxy_ssl[sockindex].state == ssl_connection_complete
4334#endif
4335 ) {
4336 char ver[120];
4337 (void)ossl_version(ver, sizeof(ver));
4338 failf(data, "Error: %s does not support double SSL tunneling.", ver);
4339 }
4340 else
4341 failf(data, "SSL_write() error: %s",
4342 ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)));
4343 *curlcode = CURLE_SEND_ERROR;
4344 return -1;
4345 }
4346 /* a true error */
4347 failf(data, OSSL_PACKAGE " SSL_write: %s, errno %d",
4348 SSL_ERROR_to_str(err), SOCKERRNO);
4349 *curlcode = CURLE_SEND_ERROR;
4350 return -1;
4351 }
4352 *curlcode = CURLE_OK;
4353 return (ssize_t)rc; /* number of bytes */
4354}
4355
4356static ssize_t ossl_recv(struct Curl_easy *data, /* transfer */
4357 int num, /* socketindex */
4358 char *buf, /* store read data here */
4359 size_t buffersize, /* max amount to read */
4360 CURLcode *curlcode)
4361{
4362 char error_buffer[256];
4363 unsigned long sslerror;
4364 ssize_t nread;
4365 int buffsize;
4366 struct connectdata *conn = data->conn;
4367 struct ssl_connect_data *connssl = &conn->ssl[num];
4368 struct ssl_backend_data *backend = connssl->backend;
4369
4370 DEBUGASSERT(backend);
4371
4372 ERR_clear_error();
4373
4374 buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
4375 set_logger(conn, data);
4376 nread = (ssize_t)SSL_read(backend->handle, buf, buffsize);
4377 if(nread <= 0) {
4378 /* failed SSL_read */
4379 int err = SSL_get_error(backend->handle, (int)nread);
4380
4381 switch(err) {
4382 case SSL_ERROR_NONE: /* this is not an error */
4383 break;
4384 case SSL_ERROR_ZERO_RETURN: /* no more data */
4385 /* close_notify alert */
4386 if(num == FIRSTSOCKET)
4387 /* mark the connection for close if it is indeed the control
4388 connection */
4389 connclose(conn, "TLS close_notify");
4390 break;
4391 case SSL_ERROR_WANT_READ:
4392 case SSL_ERROR_WANT_WRITE:
4393 /* there's data pending, re-invoke SSL_read() */
4394 *curlcode = CURLE_AGAIN;
4395 return -1;
4396 default:
4397 /* openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return
4398 value/errno" */
4399 /* https://www.openssl.org/docs/crypto/ERR_get_error.html */
4400 sslerror = ERR_get_error();
4401 if((nread < 0) || sslerror) {
4402 /* If the return code was negative or there actually is an error in the
4403 queue */
4404 int sockerr = SOCKERRNO;
4405 if(sslerror)
4406 ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
4407 else if(sockerr && err == SSL_ERROR_SYSCALL)
4408 Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
4409 else {
4410 strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
4411 error_buffer[sizeof(error_buffer) - 1] = '\0';
4412 }
4413 failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d",
4414 error_buffer, sockerr);
4415 *curlcode = CURLE_RECV_ERROR;
4416 return -1;
4417 }
4418 /* For debug builds be a little stricter and error on any
4419 SSL_ERROR_SYSCALL. For example a server may have closed the connection
4420 abruptly without a close_notify alert. For compatibility with older
4421 peers we don't do this by default. #4624
4422
4423 We can use this to gauge how many users may be affected, and
4424 if it goes ok eventually transition to allow in dev and release with
4425 the newest OpenSSL: #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) */
4426#ifdef DEBUGBUILD
4427 if(err == SSL_ERROR_SYSCALL) {
4428 int sockerr = SOCKERRNO;
4429 if(sockerr)
4430 Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
4431 else {
4432 msnprintf(error_buffer, sizeof(error_buffer),
4433 "Connection closed abruptly");
4434 }
4435 failf(data, OSSL_PACKAGE " SSL_read: %s, errno %d"
4436 " (Fatal because this is a curl debug build)",
4437 error_buffer, sockerr);
4438 *curlcode = CURLE_RECV_ERROR;
4439 return -1;
4440 }
4441#endif
4442 }
4443 }
4444 return nread;
4445}
4446
4447static size_t ossl_version(char *buffer, size_t size)
4448{
4449#ifdef LIBRESSL_VERSION_NUMBER
4450#ifdef HAVE_OPENSSL_VERSION
4451 char *p;
4452 int count;
4453 const char *ver = OpenSSL_version(OPENSSL_VERSION);
4454 const char expected[] = OSSL_PACKAGE " "; /* ie "LibreSSL " */
4455 if(Curl_strncasecompare(ver, expected, sizeof(expected) - 1)) {
4456 ver += sizeof(expected) - 1;
4457 }
4458 count = msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, ver);
4459 for(p = buffer; *p; ++p) {
4460 if(ISSPACE(*p))
4461 *p = '_';
4462 }
4463 return count;
4464#else
4465 return msnprintf(buffer, size, "%s/%lx.%lx.%lx",
4466 OSSL_PACKAGE,
4467 (LIBRESSL_VERSION_NUMBER>>28)&0xf,
4468 (LIBRESSL_VERSION_NUMBER>>20)&0xff,
4469 (LIBRESSL_VERSION_NUMBER>>12)&0xff);
4470#endif
4471#elif defined(OPENSSL_IS_BORINGSSL)
4472 return msnprintf(buffer, size, OSSL_PACKAGE);
4473#elif defined(HAVE_OPENSSL_VERSION) && defined(OPENSSL_VERSION_STRING)
4474 return msnprintf(buffer, size, "%s/%s",
4475 OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING));
4476#else
4477 /* not LibreSSL, BoringSSL and not using OpenSSL_version */
4478
4479 char sub[3];
4480 unsigned long ssleay_value;
4481 sub[2]='\0';
4482 sub[1]='\0';
4483 ssleay_value = OpenSSL_version_num();
4484 if(ssleay_value < 0x906000) {
4485 ssleay_value = SSLEAY_VERSION_NUMBER;
4486 sub[0]='\0';
4487 }
4488 else {
4489 if(ssleay_value&0xff0) {
4490 int minor_ver = (ssleay_value >> 4) & 0xff;
4491 if(minor_ver > 26) {
4492 /* handle extended version introduced for 0.9.8za */
4493 sub[1] = (char) ((minor_ver - 1) % 26 + 'a' + 1);
4494 sub[0] = 'z';
4495 }
4496 else {
4497 sub[0] = (char) (minor_ver + 'a' - 1);
4498 }
4499 }
4500 else
4501 sub[0]='\0';
4502 }
4503
4504 return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s"
4505#ifdef OPENSSL_FIPS
4506 "-fips"
4507#endif
4508 ,
4509 OSSL_PACKAGE,
4510 (ssleay_value>>28)&0xf,
4511 (ssleay_value>>20)&0xff,
4512 (ssleay_value>>12)&0xff,
4513 sub);
4514#endif /* OPENSSL_IS_BORINGSSL */
4515}
4516
4517/* can be called with data == NULL */
4518static CURLcode ossl_random(struct Curl_easy *data,
4519 unsigned char *entropy, size_t length)
4520{
4521 int rc;
4522 if(data) {
4523 if(ossl_seed(data)) /* Initiate the seed if not already done */
4524 return CURLE_FAILED_INIT; /* couldn't seed for some reason */
4525 }
4526 else {
4527 if(!rand_enough())
4528 return CURLE_FAILED_INIT;
4529 }
4530 /* RAND_bytes() returns 1 on success, 0 otherwise. */
4531 rc = RAND_bytes(entropy, curlx_uztosi(length));
4532 return (rc == 1 ? CURLE_OK : CURLE_FAILED_INIT);
4533}
4534
4535#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
4536static CURLcode ossl_sha256sum(const unsigned char *tmp, /* input */
4537 size_t tmplen,
4538 unsigned char *sha256sum /* output */,
4539 size_t unused)
4540{
4541 EVP_MD_CTX *mdctx;
4542 unsigned int len = 0;
4543 (void) unused;
4544
4545 mdctx = EVP_MD_CTX_create();
4546 if(!mdctx)
4547 return CURLE_OUT_OF_MEMORY;
4548 EVP_DigestInit(mdctx, EVP_sha256());
4549 EVP_DigestUpdate(mdctx, tmp, tmplen);
4550 EVP_DigestFinal_ex(mdctx, sha256sum, &len);
4551 EVP_MD_CTX_destroy(mdctx);
4552 return CURLE_OK;
4553}
4554#endif
4555
4556static bool ossl_cert_status_request(void)
4557{
4558#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
4559 !defined(OPENSSL_NO_OCSP)
4560 return TRUE;
4561#else
4562 return FALSE;
4563#endif
4564}
4565
4566static void *ossl_get_internals(struct ssl_connect_data *connssl,
4567 CURLINFO info)
4568{
4569 /* Legacy: CURLINFO_TLS_SESSION must return an SSL_CTX pointer. */
4570 struct ssl_backend_data *backend = connssl->backend;
4571 DEBUGASSERT(backend);
4572 return info == CURLINFO_TLS_SESSION ?
4573 (void *)backend->ctx : (void *)backend->handle;
4574}
4575
4576static bool ossl_associate_connection(struct Curl_easy *data,
4577 struct connectdata *conn,
4578 int sockindex)
4579{
4580 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
4581 struct ssl_backend_data *backend = connssl->backend;
4582 DEBUGASSERT(backend);
4583
4584 /* If we don't have SSL context, do nothing. */
4585 if(!backend->handle)
4586 return FALSE;
4587
4588 if(SSL_SET_OPTION(primary.sessionid)) {
4589 int data_idx = ossl_get_ssl_data_index();
4590 int connectdata_idx = ossl_get_ssl_conn_index();
4591 int sockindex_idx = ossl_get_ssl_sockindex_index();
4592 int proxy_idx = ossl_get_proxy_index();
4593
4594 if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
4595 proxy_idx >= 0) {
4596 int data_status, conn_status, sockindex_status, proxy_status;
4597
4598 /* Store the data needed for the "new session" callback.
4599 * The sockindex is stored as a pointer to an array element. */
4600 data_status = SSL_set_ex_data(backend->handle, data_idx, data);
4601 conn_status = SSL_set_ex_data(backend->handle, connectdata_idx, conn);
4602 sockindex_status = SSL_set_ex_data(backend->handle, sockindex_idx,
4603 conn->sock + sockindex);
4604#ifndef CURL_DISABLE_PROXY
4605 proxy_status = SSL_set_ex_data(backend->handle, proxy_idx,
4606 SSL_IS_PROXY() ? (void *) 1 : NULL);
4607#else
4608 proxy_status = SSL_set_ex_data(backend->handle, proxy_idx, NULL);
4609#endif
4610 if(data_status && conn_status && sockindex_status && proxy_status)
4611 return TRUE;
4612 }
4613 return FALSE;
4614 }
4615 return TRUE;
4616}
4617
4618/*
4619 * Starting with TLS 1.3, the ossl_new_session_cb callback gets called after
4620 * the handshake. If the transfer that sets up the callback gets killed before
4621 * this callback arrives, we must make sure to properly clear the data to
4622 * avoid UAF problems. A future optimization could be to instead store another
4623 * transfer that might still be using the same connection.
4624 */
4625
4626static void ossl_disassociate_connection(struct Curl_easy *data,
4627 int sockindex)
4628{
4629 struct connectdata *conn = data->conn;
4630 struct ssl_connect_data *connssl = &conn->ssl[sockindex];
4631 struct ssl_backend_data *backend = connssl->backend;
4632 DEBUGASSERT(backend);
4633
4634 /* If we don't have SSL context, do nothing. */
4635 if(!backend->handle)
4636 return;
4637
4638 if(SSL_SET_OPTION(primary.sessionid)) {
4639 int data_idx = ossl_get_ssl_data_index();
4640 int connectdata_idx = ossl_get_ssl_conn_index();
4641 int sockindex_idx = ossl_get_ssl_sockindex_index();
4642 int proxy_idx = ossl_get_proxy_index();
4643
4644 if(data_idx >= 0 && connectdata_idx >= 0 && sockindex_idx >= 0 &&
4645 proxy_idx >= 0) {
4646 /* Disable references to data in "new session" callback to avoid
4647 * accessing a stale pointer. */
4648 SSL_set_ex_data(backend->handle, data_idx, NULL);
4649 SSL_set_ex_data(backend->handle, connectdata_idx, NULL);
4650 SSL_set_ex_data(backend->handle, sockindex_idx, NULL);
4651 SSL_set_ex_data(backend->handle, proxy_idx, NULL);
4652 }
4653 }
4654}
4655
4656const struct Curl_ssl Curl_ssl_openssl = {
4657 { CURLSSLBACKEND_OPENSSL, "openssl" }, /* info */
4658
4659 SSLSUPP_CA_PATH |
4660 SSLSUPP_CAINFO_BLOB |
4661 SSLSUPP_CERTINFO |
4662 SSLSUPP_PINNEDPUBKEY |
4663 SSLSUPP_SSL_CTX |
4664#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
4665 SSLSUPP_TLS13_CIPHERSUITES |
4666#endif
4667 SSLSUPP_HTTPS_PROXY,
4668
4669 sizeof(struct ssl_backend_data),
4670
4671 ossl_init, /* init */
4672 ossl_cleanup, /* cleanup */
4673 ossl_version, /* version */
4674 ossl_check_cxn, /* check_cxn */
4675 ossl_shutdown, /* shutdown */
4676 ossl_data_pending, /* data_pending */
4677 ossl_random, /* random */
4678 ossl_cert_status_request, /* cert_status_request */
4679 ossl_connect, /* connect */
4680 ossl_connect_nonblocking, /* connect_nonblocking */
4681 Curl_ssl_getsock, /* getsock */
4682 ossl_get_internals, /* get_internals */
4683 ossl_close, /* close_one */
4684 ossl_close_all, /* close_all */
4685 ossl_session_free, /* session_free */
4686 ossl_set_engine, /* set_engine */
4687 ossl_set_engine_default, /* set_engine_default */
4688 ossl_engines_list, /* engines_list */
4689 Curl_none_false_start, /* false_start */
4690#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
4691 ossl_sha256sum, /* sha256sum */
4692#else
4693 NULL, /* sha256sum */
4694#endif
4695 ossl_associate_connection, /* associate_connection */
4696 ossl_disassociate_connection /* disassociate_connection */
4697};
4698
4699#endif /* USE_OPENSSL */
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette