38 #pragma clang diagnostic push 39 #pragma clang diagnostic ignored "-Wtautological-pointer-compare" 46 #include <Security/Security.h> 49 #include <Security/SecureTransport.h> 50 #include <CoreFoundation/CoreFoundation.h> 51 #include <CommonCrypto/CommonDigest.h> 59 #if (TARGET_OS_MAC && !(TARGET_OS_EMBEDDED || TARGET_OS_IPHONE)) 61 #if MAC_OS_X_VERSION_MAX_ALLOWED < 1050 62 #error "The darwinssl back-end requires Leopard or later." 65 #define CURL_BUILD_IOS 0 66 #define CURL_BUILD_IOS_7 0 67 #define CURL_BUILD_MAC 1 69 #define CURL_BUILD_MAC_10_5 MAC_OS_X_VERSION_MAX_ALLOWED >= 1050 70 #define CURL_BUILD_MAC_10_6 MAC_OS_X_VERSION_MAX_ALLOWED >= 1060 71 #define CURL_BUILD_MAC_10_7 MAC_OS_X_VERSION_MAX_ALLOWED >= 1070 72 #define CURL_BUILD_MAC_10_8 MAC_OS_X_VERSION_MAX_ALLOWED >= 1080 73 #define CURL_BUILD_MAC_10_9 MAC_OS_X_VERSION_MAX_ALLOWED >= 1090 78 #define CURL_SUPPORT_MAC_10_5 MAC_OS_X_VERSION_MIN_REQUIRED <= 1050 79 #define CURL_SUPPORT_MAC_10_6 MAC_OS_X_VERSION_MIN_REQUIRED <= 1060 80 #define CURL_SUPPORT_MAC_10_7 MAC_OS_X_VERSION_MIN_REQUIRED <= 1070 81 #define CURL_SUPPORT_MAC_10_8 MAC_OS_X_VERSION_MIN_REQUIRED <= 1080 82 #define CURL_SUPPORT_MAC_10_9 MAC_OS_X_VERSION_MIN_REQUIRED <= 1090 84 #elif TARGET_OS_EMBEDDED || TARGET_OS_IPHONE 85 #define CURL_BUILD_IOS 1 86 #define CURL_BUILD_IOS_7 __IPHONE_OS_VERSION_MAX_ALLOWED >= 70000 87 #define CURL_BUILD_MAC 0 88 #define CURL_BUILD_MAC_10_5 0 89 #define CURL_BUILD_MAC_10_6 0 90 #define CURL_BUILD_MAC_10_7 0 91 #define CURL_BUILD_MAC_10_8 0 92 #define CURL_SUPPORT_MAC_10_5 0 93 #define CURL_SUPPORT_MAC_10_6 0 94 #define CURL_SUPPORT_MAC_10_7 0 95 #define CURL_SUPPORT_MAC_10_8 0 96 #define CURL_SUPPORT_MAC_10_9 0 99 #error "The darwinssl back-end requires iOS or OS X." 103 #include <sys/sysctl.h> 123 struct ssl_backend_data {
124 SSLContextRef ssl_ctx;
127 size_t ssl_write_buffered_length;
130 #define BACKEND connssl->backend 135 #if ((TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 100000) || \ 136 (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 101200)) 137 #define DARWIN_SSL_PINNEDPUBKEY_V1 1 141 #if (!TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1070) 142 #define DARWIN_SSL_PINNEDPUBKEY_V2 1 145 #if defined(DARWIN_SSL_PINNEDPUBKEY_V1) || defined(DARWIN_SSL_PINNEDPUBKEY_V2) 147 #define DARWIN_SSL_PINNEDPUBKEY 1 150 #ifdef DARWIN_SSL_PINNEDPUBKEY 152 static const unsigned char rsa4096SpkiHeader[] = {
153 0x30, 0x82, 0x02, 0x22, 0x30, 0x0d,
154 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
155 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
156 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00};
158 static const unsigned char rsa2048SpkiHeader[] = {
159 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d,
160 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
161 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05,
162 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00};
163 #ifdef DARWIN_SSL_PINNEDPUBKEY_V1 165 static const unsigned char ecDsaSecp256r1SpkiHeader[] = {
166 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
167 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
168 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48,
169 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
172 static const unsigned char ecDsaSecp384r1SpkiHeader[] = {
173 0x30, 0x76, 0x30, 0x10, 0x06, 0x07,
174 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
175 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04,
176 0x00, 0x22, 0x03, 0x62, 0x00};
182 static OSStatus SocketRead(SSLConnectionRef
connection,
188 size_t bytesToGo = *dataLength;
189 size_t initLen = bytesToGo;
190 UInt8 *currData = (UInt8 *)data;
193 int sock = BACKEND->ssl_sockfd;
194 OSStatus rtn = noErr;
203 rrtn = read(sock, currData, bytesToGo);
209 rtn = errSSLClosedGraceful;
215 rtn = errSSLClosedGraceful;
218 rtn = errSSLClosedAbort;
221 rtn = errSSLWouldBlock;
222 BACKEND->ssl_direction =
false;
233 bytesToGo -= bytesRead;
234 currData += bytesRead;
241 *dataLength = initLen - bytesToGo;
246 static OSStatus SocketWrite(SSLConnectionRef connection,
250 size_t bytesSent = 0;
253 int sock = BACKEND->ssl_sockfd;
255 size_t dataLen = *dataLength;
256 const UInt8 *dataPtr = (UInt8 *)data;
264 (
char *)dataPtr + bytesSent,
265 dataLen - bytesSent);
266 }
while((length > 0) &&
267 ( (bytesSent += length) < dataLen) );
272 ortn = errSSLWouldBlock;
273 BACKEND->ssl_direction =
true;
282 *dataLength = bytesSent;
286 #ifndef CURL_DISABLE_VERBOSE_STRINGS 287 CF_INLINE
const char *SSLCipherNameForNumber(SSLCipherSuite cipher)
291 case SSL_RSA_WITH_NULL_MD5:
292 return "SSL_RSA_WITH_NULL_MD5";
294 case SSL_RSA_WITH_NULL_SHA:
295 return "SSL_RSA_WITH_NULL_SHA";
297 case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
298 return "SSL_RSA_EXPORT_WITH_RC4_40_MD5";
300 case SSL_RSA_WITH_RC4_128_MD5:
301 return "SSL_RSA_WITH_RC4_128_MD5";
303 case SSL_RSA_WITH_RC4_128_SHA:
304 return "SSL_RSA_WITH_RC4_128_SHA";
306 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
307 return "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5";
309 case SSL_RSA_WITH_IDEA_CBC_SHA:
310 return "SSL_RSA_WITH_IDEA_CBC_SHA";
312 case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:
313 return "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA";
315 case SSL_RSA_WITH_DES_CBC_SHA:
316 return "SSL_RSA_WITH_DES_CBC_SHA";
318 case SSL_RSA_WITH_3DES_EDE_CBC_SHA:
319 return "SSL_RSA_WITH_3DES_EDE_CBC_SHA";
321 case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
322 return "SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA";
324 case SSL_DH_DSS_WITH_DES_CBC_SHA:
325 return "SSL_DH_DSS_WITH_DES_CBC_SHA";
327 case SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA:
328 return "SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA";
330 case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
331 return "SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA";
333 case SSL_DH_RSA_WITH_DES_CBC_SHA:
334 return "SSL_DH_RSA_WITH_DES_CBC_SHA";
336 case SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA:
337 return "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA";
339 case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
340 return "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA";
342 case SSL_DHE_DSS_WITH_DES_CBC_SHA:
343 return "SSL_DHE_DSS_WITH_DES_CBC_SHA";
345 case SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
346 return "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
348 case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
349 return "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA";
351 case SSL_DHE_RSA_WITH_DES_CBC_SHA:
352 return "SSL_DHE_RSA_WITH_DES_CBC_SHA";
354 case SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
355 return "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
357 case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:
358 return "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5";
360 case SSL_DH_anon_WITH_RC4_128_MD5:
361 return "SSL_DH_anon_WITH_RC4_128_MD5";
363 case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
364 return "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA";
366 case SSL_DH_anon_WITH_DES_CBC_SHA:
367 return "SSL_DH_anon_WITH_DES_CBC_SHA";
369 case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA:
370 return "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA";
372 case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
373 return "SSL_FORTEZZA_DMS_WITH_NULL_SHA";
375 case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
376 return "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA";
380 case TLS_RSA_WITH_AES_128_CBC_SHA:
381 return "TLS_RSA_WITH_AES_128_CBC_SHA";
383 case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
384 return "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
386 case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
387 return "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
389 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
390 return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
392 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
393 return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
395 case TLS_DH_anon_WITH_AES_128_CBC_SHA:
396 return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
398 case TLS_RSA_WITH_AES_256_CBC_SHA:
399 return "TLS_RSA_WITH_AES_256_CBC_SHA";
401 case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
402 return "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
404 case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
405 return "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
407 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
408 return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
410 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
411 return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
413 case TLS_DH_anon_WITH_AES_256_CBC_SHA:
414 return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
417 case SSL_RSA_WITH_RC2_CBC_MD5:
418 return "SSL_RSA_WITH_RC2_CBC_MD5";
420 case SSL_RSA_WITH_IDEA_CBC_MD5:
421 return "SSL_RSA_WITH_IDEA_CBC_MD5";
423 case SSL_RSA_WITH_DES_CBC_MD5:
424 return "SSL_RSA_WITH_DES_CBC_MD5";
426 case SSL_RSA_WITH_3DES_EDE_CBC_MD5:
427 return "SSL_RSA_WITH_3DES_EDE_CBC_MD5";
430 return "SSL_NULL_WITH_NULL_NULL";
433 CF_INLINE
const char *TLSCipherNameForNumber(SSLCipherSuite cipher)
437 case TLS_RSA_WITH_AES_128_CBC_SHA:
438 return "TLS_RSA_WITH_AES_128_CBC_SHA";
440 case TLS_DH_DSS_WITH_AES_128_CBC_SHA:
441 return "TLS_DH_DSS_WITH_AES_128_CBC_SHA";
443 case TLS_DH_RSA_WITH_AES_128_CBC_SHA:
444 return "TLS_DH_RSA_WITH_AES_128_CBC_SHA";
446 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA:
447 return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA";
449 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA:
450 return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA";
452 case TLS_DH_anon_WITH_AES_128_CBC_SHA:
453 return "TLS_DH_anon_WITH_AES_128_CBC_SHA";
455 case TLS_RSA_WITH_AES_256_CBC_SHA:
456 return "TLS_RSA_WITH_AES_256_CBC_SHA";
458 case TLS_DH_DSS_WITH_AES_256_CBC_SHA:
459 return "TLS_DH_DSS_WITH_AES_256_CBC_SHA";
461 case TLS_DH_RSA_WITH_AES_256_CBC_SHA:
462 return "TLS_DH_RSA_WITH_AES_256_CBC_SHA";
464 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA:
465 return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA";
467 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA:
468 return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA";
470 case TLS_DH_anon_WITH_AES_256_CBC_SHA:
471 return "TLS_DH_anon_WITH_AES_256_CBC_SHA";
473 #if CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS 475 case TLS_ECDH_ECDSA_WITH_NULL_SHA:
476 return "TLS_ECDH_ECDSA_WITH_NULL_SHA";
478 case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
479 return "TLS_ECDH_ECDSA_WITH_RC4_128_SHA";
481 case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
482 return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA";
484 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
485 return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA";
487 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
488 return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA";
490 case TLS_ECDHE_ECDSA_WITH_NULL_SHA:
491 return "TLS_ECDHE_ECDSA_WITH_NULL_SHA";
493 case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
494 return "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA";
496 case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
497 return "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA";
499 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
500 return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA";
502 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
503 return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA";
505 case TLS_ECDH_RSA_WITH_NULL_SHA:
506 return "TLS_ECDH_RSA_WITH_NULL_SHA";
508 case TLS_ECDH_RSA_WITH_RC4_128_SHA:
509 return "TLS_ECDH_RSA_WITH_RC4_128_SHA";
511 case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
512 return "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA";
514 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
515 return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA";
517 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
518 return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA";
520 case TLS_ECDHE_RSA_WITH_NULL_SHA:
521 return "TLS_ECDHE_RSA_WITH_NULL_SHA";
523 case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
524 return "TLS_ECDHE_RSA_WITH_RC4_128_SHA";
526 case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
527 return "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA";
529 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
530 return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA";
532 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
533 return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA";
535 case TLS_ECDH_anon_WITH_NULL_SHA:
536 return "TLS_ECDH_anon_WITH_NULL_SHA";
538 case TLS_ECDH_anon_WITH_RC4_128_SHA:
539 return "TLS_ECDH_anon_WITH_RC4_128_SHA";
541 case TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA:
542 return "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA";
544 case TLS_ECDH_anon_WITH_AES_128_CBC_SHA:
545 return "TLS_ECDH_anon_WITH_AES_128_CBC_SHA";
547 case TLS_ECDH_anon_WITH_AES_256_CBC_SHA:
548 return "TLS_ECDH_anon_WITH_AES_256_CBC_SHA";
551 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS 553 case TLS_RSA_WITH_NULL_MD5:
554 return "TLS_RSA_WITH_NULL_MD5";
556 case TLS_RSA_WITH_NULL_SHA:
557 return "TLS_RSA_WITH_NULL_SHA";
559 case TLS_RSA_WITH_RC4_128_MD5:
560 return "TLS_RSA_WITH_RC4_128_MD5";
562 case TLS_RSA_WITH_RC4_128_SHA:
563 return "TLS_RSA_WITH_RC4_128_SHA";
565 case TLS_RSA_WITH_3DES_EDE_CBC_SHA:
566 return "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
568 case TLS_RSA_WITH_NULL_SHA256:
569 return "TLS_RSA_WITH_NULL_SHA256";
571 case TLS_RSA_WITH_AES_128_CBC_SHA256:
572 return "TLS_RSA_WITH_AES_128_CBC_SHA256";
574 case TLS_RSA_WITH_AES_256_CBC_SHA256:
575 return "TLS_RSA_WITH_AES_256_CBC_SHA256";
577 case TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA:
578 return "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA";
580 case TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA:
581 return "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA";
583 case TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA:
584 return "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA";
586 case TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA:
587 return "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA";
589 case TLS_DH_DSS_WITH_AES_128_CBC_SHA256:
590 return "TLS_DH_DSS_WITH_AES_128_CBC_SHA256";
592 case TLS_DH_RSA_WITH_AES_128_CBC_SHA256:
593 return "TLS_DH_RSA_WITH_AES_128_CBC_SHA256";
595 case TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:
596 return "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256";
598 case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:
599 return "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256";
601 case TLS_DH_DSS_WITH_AES_256_CBC_SHA256:
602 return "TLS_DH_DSS_WITH_AES_256_CBC_SHA256";
604 case TLS_DH_RSA_WITH_AES_256_CBC_SHA256:
605 return "TLS_DH_RSA_WITH_AES_256_CBC_SHA256";
607 case TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:
608 return "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256";
610 case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
611 return "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256";
613 case TLS_DH_anon_WITH_RC4_128_MD5:
614 return "TLS_DH_anon_WITH_RC4_128_MD5";
616 case TLS_DH_anon_WITH_3DES_EDE_CBC_SHA:
617 return "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
619 case TLS_DH_anon_WITH_AES_128_CBC_SHA256:
620 return "TLS_DH_anon_WITH_AES_128_CBC_SHA256";
622 case TLS_DH_anon_WITH_AES_256_CBC_SHA256:
623 return "TLS_DH_anon_WITH_AES_256_CBC_SHA256";
626 case TLS_RSA_WITH_AES_128_GCM_SHA256:
627 return "TLS_RSA_WITH_AES_128_GCM_SHA256";
629 case TLS_RSA_WITH_AES_256_GCM_SHA384:
630 return "TLS_RSA_WITH_AES_256_GCM_SHA384";
632 case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:
633 return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
635 case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:
636 return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
638 case TLS_DH_RSA_WITH_AES_128_GCM_SHA256:
639 return "TLS_DH_RSA_WITH_AES_128_GCM_SHA256";
641 case TLS_DH_RSA_WITH_AES_256_GCM_SHA384:
642 return "TLS_DH_RSA_WITH_AES_256_GCM_SHA384";
644 case TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:
645 return "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256";
647 case TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:
648 return "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384";
650 case TLS_DH_DSS_WITH_AES_128_GCM_SHA256:
651 return "TLS_DH_DSS_WITH_AES_128_GCM_SHA256";
653 case TLS_DH_DSS_WITH_AES_256_GCM_SHA384:
654 return "TLS_DH_DSS_WITH_AES_256_GCM_SHA384";
656 case TLS_DH_anon_WITH_AES_128_GCM_SHA256:
657 return "TLS_DH_anon_WITH_AES_128_GCM_SHA256";
659 case TLS_DH_anon_WITH_AES_256_GCM_SHA384:
660 return "TLS_DH_anon_WITH_AES_256_GCM_SHA384";
663 case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
664 return "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256";
666 case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
667 return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384";
669 case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
670 return "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256";
672 case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
673 return "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384";
675 case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
676 return "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";
678 case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
679 return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
681 case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
682 return "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256";
684 case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
685 return "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384";
687 case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
688 return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
690 case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
691 return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
693 case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
694 return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
696 case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
697 return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
699 case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
700 return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
702 case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
703 return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
705 case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
706 return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
708 case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
709 return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
711 case TLS_EMPTY_RENEGOTIATION_INFO_SCSV:
712 return "TLS_EMPTY_RENEGOTIATION_INFO_SCSV";
715 case SSL_RSA_WITH_NULL_MD5:
716 return "TLS_RSA_WITH_NULL_MD5";
718 case SSL_RSA_WITH_NULL_SHA:
719 return "TLS_RSA_WITH_NULL_SHA";
721 case SSL_RSA_WITH_RC4_128_MD5:
722 return "TLS_RSA_WITH_RC4_128_MD5";
724 case SSL_RSA_WITH_RC4_128_SHA:
725 return "TLS_RSA_WITH_RC4_128_SHA";
727 case SSL_RSA_WITH_3DES_EDE_CBC_SHA:
728 return "TLS_RSA_WITH_3DES_EDE_CBC_SHA";
730 case SSL_DH_anon_WITH_RC4_128_MD5:
731 return "TLS_DH_anon_WITH_RC4_128_MD5";
733 case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA:
734 return "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA";
737 #if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 739 case TLS_PSK_WITH_RC4_128_SHA:
740 return "TLS_PSK_WITH_RC4_128_SHA";
742 case TLS_PSK_WITH_3DES_EDE_CBC_SHA:
743 return "TLS_PSK_WITH_3DES_EDE_CBC_SHA";
745 case TLS_PSK_WITH_AES_128_CBC_SHA:
746 return "TLS_PSK_WITH_AES_128_CBC_SHA";
748 case TLS_PSK_WITH_AES_256_CBC_SHA:
749 return "TLS_PSK_WITH_AES_256_CBC_SHA";
751 case TLS_DHE_PSK_WITH_RC4_128_SHA:
752 return "TLS_DHE_PSK_WITH_RC4_128_SHA";
754 case TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA:
755 return "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA";
757 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA:
758 return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA";
760 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA:
761 return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA";
763 case TLS_RSA_PSK_WITH_RC4_128_SHA:
764 return "TLS_RSA_PSK_WITH_RC4_128_SHA";
766 case TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA:
767 return "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA";
769 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA:
770 return "TLS_RSA_PSK_WITH_AES_128_CBC_SHA";
772 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA:
773 return "TLS_RSA_PSK_WITH_AES_256_CBC_SHA";
776 case TLS_PSK_WITH_NULL_SHA:
777 return "TLS_PSK_WITH_NULL_SHA";
779 case TLS_DHE_PSK_WITH_NULL_SHA:
780 return "TLS_DHE_PSK_WITH_NULL_SHA";
782 case TLS_RSA_PSK_WITH_NULL_SHA:
783 return "TLS_RSA_PSK_WITH_NULL_SHA";
786 case TLS_PSK_WITH_AES_128_GCM_SHA256:
787 return "TLS_PSK_WITH_AES_128_GCM_SHA256";
789 case TLS_PSK_WITH_AES_256_GCM_SHA384:
790 return "TLS_PSK_WITH_AES_256_GCM_SHA384";
792 case TLS_DHE_PSK_WITH_AES_128_GCM_SHA256:
793 return "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256";
795 case TLS_DHE_PSK_WITH_AES_256_GCM_SHA384:
796 return "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384";
798 case TLS_RSA_PSK_WITH_AES_128_GCM_SHA256:
799 return "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256";
801 case TLS_RSA_PSK_WITH_AES_256_GCM_SHA384:
802 return "TLS_PSK_WITH_AES_256_GCM_SHA384";
804 case TLS_PSK_WITH_AES_128_CBC_SHA256:
805 return "TLS_PSK_WITH_AES_128_CBC_SHA256";
807 case TLS_PSK_WITH_AES_256_CBC_SHA384:
808 return "TLS_PSK_WITH_AES_256_CBC_SHA384";
810 case TLS_PSK_WITH_NULL_SHA256:
811 return "TLS_PSK_WITH_NULL_SHA256";
813 case TLS_PSK_WITH_NULL_SHA384:
814 return "TLS_PSK_WITH_NULL_SHA384";
816 case TLS_DHE_PSK_WITH_AES_128_CBC_SHA256:
817 return "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256";
819 case TLS_DHE_PSK_WITH_AES_256_CBC_SHA384:
820 return "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384";
822 case TLS_DHE_PSK_WITH_NULL_SHA256:
823 return "TLS_DHE_PSK_WITH_NULL_SHA256";
825 case TLS_DHE_PSK_WITH_NULL_SHA384:
826 return "TLS_RSA_PSK_WITH_NULL_SHA384";
828 case TLS_RSA_PSK_WITH_AES_128_CBC_SHA256:
829 return "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256";
831 case TLS_RSA_PSK_WITH_AES_256_CBC_SHA384:
832 return "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384";
834 case TLS_RSA_PSK_WITH_NULL_SHA256:
835 return "TLS_RSA_PSK_WITH_NULL_SHA256";
837 case TLS_RSA_PSK_WITH_NULL_SHA384:
838 return "TLS_RSA_PSK_WITH_NULL_SHA384";
842 return "TLS_NULL_WITH_NULL_NULL";
847 CF_INLINE
void GetDarwinVersionNumber(
int *major,
int *minor)
851 size_t os_version_len;
852 char *os_version_major, *os_version_minor;
857 mib[1] = KERN_OSRELEASE;
858 if(sysctl(mib, 2, NULL, &os_version_len, NULL, 0) == -1)
860 os_version =
malloc(os_version_len*
sizeof(
char));
863 if(sysctl(mib, 2, os_version, &os_version_len, NULL, 0) == -1) {
869 os_version_major =
strtok_r(os_version,
".", &tok_buf);
870 os_version_minor =
strtok_r(NULL,
".", &tok_buf);
871 *major = atoi(os_version_major);
872 *minor = atoi(os_version_minor);
881 CF_INLINE CFStringRef getsubject(SecCertificateRef cert)
883 CFStringRef server_cert_summary = CFSTR(
"(null)");
887 server_cert_summary = SecCertificateCopySubjectSummary(cert);
889 #if CURL_BUILD_MAC_10_7 891 if(SecCertificateCopyLongDescription != NULL)
892 server_cert_summary =
893 SecCertificateCopyLongDescription(NULL, cert, NULL);
896 #if CURL_BUILD_MAC_10_6 898 if(SecCertificateCopySubjectSummary != NULL)
899 server_cert_summary = SecCertificateCopySubjectSummary(cert);
903 (void)SecCertificateCopyCommonName(cert, &server_cert_summary);
905 return server_cert_summary;
909 SecCertificateRef cert,
char **certp)
911 CFStringRef c = getsubject(cert);
918 failf(data,
"SSL: invalid CA certificate subject");
924 direct = CFStringGetCStringPtr(c, kCFStringEncodingUTF8);
928 failf(data,
"SSL: out of memory");
933 size_t cbuf_size = ((
size_t)CFStringGetLength(c) * 4) + 1;
934 cbuf =
calloc(cbuf_size, 1);
936 if(!CFStringGetCString(c, cbuf, cbuf_size,
937 kCFStringEncodingUTF8)) {
938 failf(data,
"SSL: invalid CA certificate subject");
946 failf(data,
"SSL: couldn't allocate %zu bytes of memory", cbuf_size);
956 #if CURL_SUPPORT_MAC_10_6 959 static OSStatus CopyIdentityWithLabelOldSchool(
char *label,
960 SecIdentityRef *out_c_a_k)
962 OSStatus status = errSecItemNotFound;
963 SecKeychainAttributeList attr_list;
964 SecKeychainAttribute attr;
965 SecKeychainSearchRef
search = NULL;
966 SecCertificateRef cert = NULL;
969 attr_list.count = 1L;
970 attr_list.attr = &attr;
973 attr.tag = kSecLabelItemAttr;
975 attr.length = (
UInt32)strlen(label);
978 status = SecKeychainSearchCreateFromAttributes(NULL,
979 kSecCertificateItemClass,
982 if(status == noErr) {
983 status = SecKeychainSearchCopyNext(search,
984 (SecKeychainItemRef *)&cert);
985 if(status == noErr && cert) {
987 status = SecIdentityCreateWithCertificate(NULL, cert, out_c_a_k);
998 static OSStatus CopyIdentityWithLabel(
char *label,
999 SecIdentityRef *out_cert_and_key)
1001 OSStatus status = errSecItemNotFound;
1003 #if CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS 1004 CFArrayRef keys_list;
1005 CFIndex keys_list_count;
1007 CFStringRef common_name;
1012 if(SecItemCopyMatching != NULL && kSecClassIdentity != NULL) {
1015 CFDictionaryRef query_dict;
1016 CFStringRef label_cf = CFStringCreateWithCString(NULL, label,
1017 kCFStringEncodingUTF8);
1020 values[0] = kSecClassIdentity;
1021 keys[0] = kSecClass;
1022 values[1] = kCFBooleanTrue;
1023 keys[1] = kSecReturnRef;
1024 values[2] = kSecMatchLimitAll;
1026 keys[2] = kSecMatchLimit;
1028 values[3] = SecPolicyCreateSSL(
false, NULL);
1029 keys[3] = kSecMatchPolicy;
1031 values[4] = label_cf;
1032 keys[4] = kSecAttrLabel;
1033 query_dict = CFDictionaryCreate(NULL, (
const void **)keys,
1034 (
const void **)values, 5L,
1035 &kCFCopyStringDictionaryKeyCallBacks,
1036 &kCFTypeDictionaryValueCallBacks);
1037 CFRelease(values[3]);
1040 status = SecItemCopyMatching(query_dict, (CFTypeRef *) &keys_list);
1044 if(status == noErr) {
1045 keys_list_count = CFArrayGetCount(keys_list);
1046 *out_cert_and_key = NULL;
1048 for(i = 0; i<keys_list_count; i++) {
1049 OSStatus err = noErr;
1050 SecCertificateRef cert = NULL;
1051 SecIdentityRef identity =
1052 (SecIdentityRef) CFArrayGetValueAtIndex(keys_list, i);
1053 err = SecIdentityCopyCertificate(identity, &cert);
1056 common_name = SecCertificateCopySubjectSummary(cert);
1057 #elif CURL_BUILD_MAC_10_7 1058 SecCertificateCopyCommonName(cert, &common_name);
1060 if(CFStringCompare(common_name, label_cf, 0) == kCFCompareEqualTo) {
1062 CFRelease(common_name);
1064 *out_cert_and_key = identity;
1068 CFRelease(common_name);
1075 CFRelease(keys_list);
1076 CFRelease(query_dict);
1077 CFRelease(label_cf);
1080 #if CURL_SUPPORT_MAC_10_6 1082 status = CopyIdentityWithLabelOldSchool(label, out_cert_and_key);
1085 #elif CURL_SUPPORT_MAC_10_6 1088 status = CopyIdentityWithLabelOldSchool(label, out_cert_and_key);
1093 static OSStatus CopyIdentityFromPKCS12File(
const char *cPath,
1094 const char *cPassword,
1095 SecIdentityRef *out_cert_and_key)
1097 OSStatus status = errSecItemNotFound;
1098 CFURLRef pkcs_url = CFURLCreateFromFileSystemRepresentation(NULL,
1099 (
const UInt8 *)cPath, strlen(cPath),
false);
1100 CFStringRef
password = cPassword ? CFStringCreateWithCString(NULL,
1101 cPassword, kCFStringEncodingUTF8) : NULL;
1102 CFDataRef pkcs_data = NULL;
1107 #if CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS 1108 if(CFURLCreateDataAndPropertiesFromResource(NULL, pkcs_url, &pkcs_data,
1109 NULL, NULL, &status)) {
1110 const void *cKeys[] = {kSecImportExportPassphrase};
1111 const void *cValues[] = {password};
1112 CFDictionaryRef
options = CFDictionaryCreate(NULL, cKeys, cValues,
1113 password ? 1L : 0L, NULL, NULL);
1114 CFArrayRef items = NULL;
1117 status = SecPKCS12Import(pkcs_data, options, &items);
1118 if(status == errSecSuccess && items && CFArrayGetCount(items)) {
1119 CFDictionaryRef identity_and_trust = CFArrayGetValueAtIndex(items, 0L);
1120 const void *temp_identity = CFDictionaryGetValue(identity_and_trust,
1121 kSecImportItemIdentity);
1124 CFRetain(temp_identity);
1125 *out_cert_and_key = (SecIdentityRef)temp_identity;
1131 CFRelease(pkcs_data);
1135 CFRelease(password);
1136 CFRelease(pkcs_url);
1147 CF_INLINE
bool is_file(
const char *filename)
1151 if(filename == NULL)
1154 if(
stat(filename, &st) == 0)
1155 return S_ISREG(st.st_mode);
1159 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS 1160 static CURLcode darwinssl_version_from_curl(SSLProtocol *darwinver,
1163 switch(ssl_version) {
1165 *darwinver = kTLSProtocol1;
1168 *darwinver = kTLSProtocol11;
1171 *darwinver = kTLSProtocol12;
1181 set_ssl_version_min_max(
struct connectdata *conn,
int sockindex)
1188 switch(ssl_version) {
1196 switch(ssl_version_max) {
1198 ssl_version_max = ssl_version << 16;
1205 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS 1206 if(SSLSetProtocolVersionMax != NULL) {
1207 SSLProtocol darwin_ver_min = kTLSProtocol1;
1208 SSLProtocol darwin_ver_max = kTLSProtocol1;
1209 CURLcode result = darwinssl_version_from_curl(&darwin_ver_min,
1212 failf(data,
"unsupported min version passed via CURLOPT_SSLVERSION");
1215 result = darwinssl_version_from_curl(&darwin_ver_max,
1216 ssl_version_max >> 16);
1218 failf(data,
"unsupported max version passed via CURLOPT_SSLVERSION");
1222 (void)SSLSetProtocolVersionMin(BACKEND->ssl_ctx, darwin_ver_min);
1223 (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, darwin_ver_max);
1227 #if CURL_SUPPORT_MAC_10_8 1228 long i = ssl_version;
1229 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1232 for(; i <= (ssl_version_max >> 16); i++) {
1235 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1240 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1245 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1250 failf(data,
"DarwinSSL: TLS 1.3 is not yet supported");
1258 failf(data,
"DarwinSSL: cannot set SSL protocol");
1276 struct in6_addr addr;
1278 struct in_addr addr;
1280 size_t all_ciphers_count = 0UL, allowed_ciphers_count = 0UL,
i;
1281 SSLCipherSuite *all_ciphers = NULL, *allowed_ciphers = NULL;
1282 OSStatus err = noErr;
1284 int darwinver_maj = 0, darwinver_min = 0;
1286 GetDarwinVersionNumber(&darwinver_maj, &darwinver_min);
1289 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS 1290 if(SSLCreateContext != NULL) {
1291 if(BACKEND->ssl_ctx)
1292 CFRelease(BACKEND->ssl_ctx);
1293 BACKEND->ssl_ctx = SSLCreateContext(NULL, kSSLClientSide, kSSLStreamType);
1294 if(!BACKEND->ssl_ctx) {
1295 failf(data,
"SSL: couldn't create a context!");
1301 #if CURL_SUPPORT_MAC_10_8 1302 if(BACKEND->ssl_ctx)
1303 (void)SSLDisposeContext(BACKEND->ssl_ctx);
1304 err = SSLNewContext(
false, &(BACKEND->ssl_ctx));
1306 failf(data,
"SSL: couldn't create a context: OSStatus %d", err);
1312 if(BACKEND->ssl_ctx)
1313 (void)SSLDisposeContext(BACKEND->ssl_ctx);
1314 err = SSLNewContext(
false, &(BACKEND->ssl_ctx));
1316 failf(data,
"SSL: couldn't create a context: OSStatus %d", err);
1320 BACKEND->ssl_write_buffered_length = 0UL;
1323 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS 1324 if(SSLSetProtocolVersionMax != NULL) {
1328 (void)SSLSetProtocolVersionMin(BACKEND->ssl_ctx, kTLSProtocol1);
1329 (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kTLSProtocol12);
1336 CURLcode result = set_ssl_version_min_max(conn, sockindex);
1342 err = SSLSetProtocolVersionMin(BACKEND->ssl_ctx, kSSLProtocol3);
1344 failf(data,
"Your version of the OS does not support SSLv3");
1347 (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kSSLProtocol3);
1350 err = SSLSetProtocolVersionMin(BACKEND->ssl_ctx, kSSLProtocol2);
1352 failf(data,
"Your version of the OS does not support SSLv2");
1355 (void)SSLSetProtocolVersionMax(BACKEND->ssl_ctx, kSSLProtocol2);
1358 failf(data,
"Unrecognized parameter passed via CURLOPT_SSLVERSION");
1363 #if CURL_SUPPORT_MAC_10_8 1364 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1370 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1373 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1376 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1385 CURLcode result = set_ssl_version_min_max(conn, sockindex);
1391 err = SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1395 failf(data,
"Your version of the OS does not support SSLv3");
1400 err = SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1404 failf(data,
"Your version of the OS does not support SSLv2");
1409 failf(data,
"Unrecognized parameter passed via CURLOPT_SSLVERSION");
1416 failf(data,
"Your version of the OS does not support to set maximum" 1417 " SSL/TLS version");
1420 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx, kSSLProtocolAll,
false);
1425 (void)SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1430 failf(data,
"Your version of the OS does not support TLSv1.1");
1433 failf(data,
"Your version of the OS does not support TLSv1.2");
1436 failf(data,
"Your version of the OS does not support TLSv1.3");
1439 err = SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1443 failf(data,
"Your version of the OS does not support SSLv2");
1448 err = SSLSetProtocolVersionEnabled(BACKEND->ssl_ctx,
1452 failf(data,
"Your version of the OS does not support SSLv3");
1457 failf(data,
"Unrecognized parameter passed via CURLOPT_SSLVERSION");
1463 infof(data,
"WARNING: SSL: CURLOPT_SSLKEY is ignored by Secure " 1464 "Transport. The private key must be in the Keychain.\n");
1468 SecIdentityRef cert_and_key = NULL;
1469 bool is_cert_file = is_file(ssl_cert);
1477 infof(data,
"WARNING: SSL: Certificate type not set, assuming " 1478 "PKCS#12 format.\n");
1481 infof(data,
"WARNING: SSL: The Security framework only supports " 1482 "loading identities that are in PKCS#12 format.\n");
1484 err = CopyIdentityFromPKCS12File(ssl_cert,
1488 err = CopyIdentityWithLabel(ssl_cert, &cert_and_key);
1490 if(err == noErr && cert_and_key) {
1491 SecCertificateRef cert = NULL;
1492 CFTypeRef certs_c[1];
1496 err = SecIdentityCopyCertificate(cert_and_key, &cert);
1499 CURLcode result = CopyCertSubject(data, cert, &certp);
1501 infof(data,
"Client certificate: %s\n", certp);
1509 certs_c[0] = cert_and_key;
1510 certs = CFArrayCreate(NULL, (
const void **)certs_c, 1L,
1511 &kCFTypeArrayCallBacks);
1512 err = SSLSetCertificate(BACKEND->ssl_ctx, certs);
1516 failf(data,
"SSL: SSLSetCertificate() failed: OSStatus %d", err);
1519 CFRelease(cert_and_key);
1523 case errSecAuthFailed:
case -25264:
1524 failf(data,
"SSL: Incorrect password for the certificate \"%s\" " 1525 "and its private key.", ssl_cert);
1527 case -26275:
case -25257:
1528 failf(data,
"SSL: Couldn't make sense of the data in the " 1529 "certificate \"%s\" and its private key.",
1533 failf(data,
"SSL The certificate \"%s\" requires a password.",
1536 case errSecItemNotFound:
1537 failf(data,
"SSL: Can't find the certificate \"%s\" and its private " 1538 "key in the Keychain.", ssl_cert);
1541 failf(data,
"SSL: Can't load the certificate \"%s\" and its private " 1542 "key: OSStatus %d", ssl_cert, err);
1553 #if CURL_BUILD_MAC_10_6 || CURL_BUILD_IOS 1570 if(SSLSetSessionOption != NULL && darwinver_maj >= 13) {
1572 if(SSLSetSessionOption != NULL) {
1575 err = SSLSetSessionOption(BACKEND->ssl_ctx,
1576 kSSLSessionOptionBreakOnServerAuth,
1579 failf(data,
"SSL: SSLSetSessionOption() failed: OSStatus %d", err);
1584 #if CURL_SUPPORT_MAC_10_8 1585 err = SSLSetEnableCertVerify(BACKEND->ssl_ctx,
1588 failf(data,
"SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err);
1594 err = SSLSetEnableCertVerify(BACKEND->ssl_ctx,
1597 failf(data,
"SSL: SSLSetEnableCertVerify() failed: OSStatus %d", err);
1602 if(ssl_cafile && verifypeer) {
1603 bool is_cert_file = is_file(ssl_cafile);
1606 failf(data,
"SSL: can't load CA certificate file %s", ssl_cafile);
1615 err = SSLSetPeerDomainName(BACKEND->ssl_ctx, hostname,
1619 infof(data,
"WARNING: SSL: SSLSetPeerDomainName() failed: OSStatus %d\n",
1628 infof(data,
"WARNING: using IP address, SNI is being disabled by " 1633 infof(data,
"WARNING: disabling hostname validation also disables SNI.\n");
1641 (void)SSLGetNumberSupportedCiphers(BACKEND->ssl_ctx, &all_ciphers_count);
1642 all_ciphers =
malloc(all_ciphers_count*
sizeof(SSLCipherSuite));
1643 allowed_ciphers =
malloc(all_ciphers_count*
sizeof(SSLCipherSuite));
1644 if(all_ciphers && allowed_ciphers &&
1645 SSLGetSupportedCiphers(BACKEND->ssl_ctx, all_ciphers,
1646 &all_ciphers_count) == noErr) {
1647 for(i = 0UL ; i < all_ciphers_count ; i++) {
1653 if(darwinver_maj == 12 && darwinver_min <= 3 &&
1654 all_ciphers[i] >= 0xC001 && all_ciphers[i] <= 0xC032) {
1658 switch(all_ciphers[i]) {
1660 case SSL_NULL_WITH_NULL_NULL:
1661 case SSL_RSA_WITH_NULL_MD5:
1662 case SSL_RSA_WITH_NULL_SHA:
1664 case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
1679 case SSL_DH_anon_EXPORT_WITH_RC4_40_MD5:
1680 case SSL_DH_anon_WITH_RC4_128_MD5:
1681 case SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA:
1682 case SSL_DH_anon_WITH_DES_CBC_SHA:
1683 case SSL_DH_anon_WITH_3DES_EDE_CBC_SHA:
1684 case TLS_DH_anon_WITH_AES_128_CBC_SHA:
1685 case TLS_DH_anon_WITH_AES_256_CBC_SHA:
1696 case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
1697 case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
1698 case SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:
1699 case SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:
1700 case SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:
1701 case SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:
1702 case SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:
1703 case SSL_RSA_WITH_DES_CBC_SHA:
1704 case SSL_DH_DSS_WITH_DES_CBC_SHA:
1705 case SSL_DH_RSA_WITH_DES_CBC_SHA:
1706 case SSL_DHE_DSS_WITH_DES_CBC_SHA:
1707 case SSL_DHE_RSA_WITH_DES_CBC_SHA:
1709 case SSL_RSA_WITH_IDEA_CBC_SHA:
1710 case SSL_RSA_WITH_IDEA_CBC_MD5:
1712 case SSL_RSA_WITH_RC4_128_MD5:
1713 case SSL_RSA_WITH_RC4_128_SHA:
1723 allowed_ciphers[allowed_ciphers_count++] = all_ciphers[
i];
1727 err = SSLSetEnabledCiphers(BACKEND->ssl_ctx, allowed_ciphers,
1728 allowed_ciphers_count);
1730 failf(data,
"SSL: SSLSetEnabledCiphers() failed: OSStatus %d", err);
1737 failf(data,
"SSL: Failed to allocate memory for allowed ciphers");
1743 #if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 1746 if(SSLSetSessionOption != NULL) {
1748 SSLSetSessionOption(BACKEND->ssl_ctx, kSSLSessionOptionSendOneByteRecord,
1750 SSLSetSessionOption(BACKEND->ssl_ctx, kSSLSessionOptionFalseStart,
1757 char *ssl_sessionid;
1758 size_t ssl_sessionid_len;
1760 Curl_ssl_sessionid_lock(conn);
1761 if(!Curl_ssl_getsessionid(conn, (
void **)&ssl_sessionid,
1762 &ssl_sessionid_len, sockindex)) {
1764 err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
1765 Curl_ssl_sessionid_unlock(conn);
1767 failf(data,
"SSL: SSLSetPeerID() failed: OSStatus %d", err);
1771 infof(data,
"SSL re-using session ID\n");
1778 aprintf(
"%s:%d:%d:%s:%hu", ssl_cafile,
1780 ssl_sessionid_len = strlen(ssl_sessionid);
1782 err = SSLSetPeerID(BACKEND->ssl_ctx, ssl_sessionid, ssl_sessionid_len);
1784 Curl_ssl_sessionid_unlock(conn);
1785 failf(data,
"SSL: SSLSetPeerID() failed: OSStatus %d", err);
1789 result = Curl_ssl_addsessionid(conn, ssl_sessionid, ssl_sessionid_len,
1791 Curl_ssl_sessionid_unlock(conn);
1793 failf(data,
"failed to store ssl session");
1799 err = SSLSetIOFuncs(BACKEND->ssl_ctx, SocketRead, SocketWrite);
1801 failf(data,
"SSL: SSLSetIOFuncs() failed: OSStatus %d", err);
1809 BACKEND->ssl_sockfd = sockfd;
1810 err = SSLSetConnection(BACKEND->ssl_ctx, connssl);
1812 failf(data,
"SSL: SSLSetConnection() failed: %d", err);
1820 static long pem_to_der(
const char *in,
unsigned char **out,
size_t *outlen)
1822 char *sep_start, *sep_end, *cert_start, *cert_end;
1828 sep_start = strstr(in,
"-----");
1829 if(sep_start == NULL)
1831 cert_start = strstr(sep_start + 1,
"-----");
1832 if(cert_start == NULL)
1838 cert_end = strstr(cert_start,
"-----");
1839 if(cert_end == NULL)
1842 sep_end = strstr(cert_end + 1,
"-----");
1847 len = cert_end - cert_start;
1853 for(i = 0, j = 0; i <
len; i++) {
1854 if(cert_start[i] !=
'\r' && cert_start[i] !=
'\n')
1855 b64[j++] = cert_start[
i];
1866 return sep_end - in;
1869 static int read_cert(
const char *file,
unsigned char **out,
size_t *outlen)
1872 ssize_t n, len = 0, cap = 512;
1873 unsigned char buf[512], *
data;
1886 n = read(fd, buf,
sizeof(buf));
1897 if(len + n >= cap) {
1906 memcpy(data + len, buf, n);
1917 static int sslerr_to_curlerr(
struct Curl_easy *data,
int err)
1920 case errSSLXCertChainInvalid:
1921 failf(data,
"SSL certificate problem: Invalid certificate chain");
1923 case errSSLUnknownRootCert:
1924 failf(data,
"SSL certificate problem: Untrusted root certificate");
1926 case errSSLNoRootCert:
1927 failf(data,
"SSL certificate problem: No root certificate");
1929 case errSSLCertExpired:
1930 failf(data,
"SSL certificate problem: Certificate chain had an " 1931 "expired certificate");
1934 failf(data,
"SSL certificate problem: Couldn't understand the server " 1935 "certificate format");
1937 case errSSLHostNameMismatch:
1938 failf(data,
"SSL certificate peer hostname mismatch");
1941 failf(data,
"SSL unexpected certificate error %d", err);
1946 static int append_cert_to_array(
struct Curl_easy *data,
1947 unsigned char *buf,
size_t buflen,
1948 CFMutableArrayRef array)
1950 CFDataRef certdata = CFDataCreate(kCFAllocatorDefault, buf, buflen);
1954 failf(data,
"SSL: failed to allocate array for CA certificate");
1958 SecCertificateRef cacert =
1959 SecCertificateCreateWithData(kCFAllocatorDefault, certdata);
1960 CFRelease(certdata);
1962 failf(data,
"SSL: failed to create SecCertificate from CA certificate");
1967 result = CopyCertSubject(data, cacert, &certp);
1972 CFArrayAppendValue(array, cacert);
1978 static int verify_cert(
const char *cafile,
struct Curl_easy *data,
1983 unsigned char *certbuf, *der;
1984 size_t buflen, derlen, offset = 0;
1986 if(read_cert(cafile, &certbuf, &buflen) < 0) {
1987 failf(data,
"SSL: failed to read or invalid CA certificate");
2000 CFMutableArrayRef array = CFArrayCreateMutable(kCFAllocatorDefault, 0,
2001 &kCFTypeArrayCallBacks);
2004 failf(data,
"SSL: out of memory creating CA certificate array");
2008 while(offset < buflen) {
2015 res = pem_to_der((
const char *)certbuf + offset, &der, &derlen);
2019 failf(data,
"SSL: invalid CA certificate #%d (offset %d) in bundle",
2025 if(res == 0 && offset == 0) {
2027 rc = append_cert_to_array(data, certbuf, buflen, array);
2041 rc = append_cert_to_array(data, der, derlen, array);
2051 OSStatus ret = SSLCopyPeerTrust(ctx, &trust);
2053 failf(data,
"SSL: error getting certificate chain");
2057 else if(ret != noErr) {
2059 return sslerr_to_curlerr(data, ret);
2062 ret = SecTrustSetAnchorCertificates(trust, array);
2065 return sslerr_to_curlerr(data, ret);
2067 ret = SecTrustSetAnchorCertificatesOnly(trust,
true);
2070 return sslerr_to_curlerr(data, ret);
2073 SecTrustResultType trust_eval = 0;
2074 ret = SecTrustEvaluate(trust, &trust_eval);
2078 return sslerr_to_curlerr(data, ret);
2081 switch(trust_eval) {
2082 case kSecTrustResultUnspecified:
2083 case kSecTrustResultProceed:
2086 case kSecTrustResultRecoverableTrustFailure:
2087 case kSecTrustResultDeny:
2089 failf(data,
"SSL: certificate verification failed (result: %d)",
2095 #ifdef DARWIN_SSL_PINNEDPUBKEY 2098 const char *pinnedpubkey)
2100 size_t pubkeylen, realpubkeylen, spkiHeaderLength = 24;
2101 unsigned char *pubkey = NULL, *realpubkey = NULL;
2102 const unsigned char *spkiHeader = NULL;
2103 CFDataRef publicKeyBits = NULL;
2118 OSStatus ret = SSLCopyPeerTrust(ctx, &trust);
2119 if(ret != noErr || trust == NULL)
2122 SecKeyRef keyRef = SecTrustCopyPublicKey(trust);
2127 #ifdef DARWIN_SSL_PINNEDPUBKEY_V1 2129 publicKeyBits = SecKeyCopyExternalRepresentation(keyRef, NULL);
2131 if(publicKeyBits == NULL)
2134 #elif DARWIN_SSL_PINNEDPUBKEY_V2 2136 OSStatus success = SecItemExport(keyRef, kSecFormatOpenSSL, 0, NULL,
2139 if(success != errSecSuccess || publicKeyBits == NULL)
2144 pubkeylen = CFDataGetLength(publicKeyBits);
2145 pubkey = (
unsigned char *)CFDataGetBytePtr(publicKeyBits);
2150 spkiHeader = rsa4096SpkiHeader;
2154 spkiHeader = rsa2048SpkiHeader;
2156 #ifdef DARWIN_SSL_PINNEDPUBKEY_V1 2159 spkiHeader = ecDsaSecp256r1SpkiHeader;
2160 spkiHeaderLength = 26;
2164 spkiHeader = ecDsaSecp384r1SpkiHeader;
2165 spkiHeaderLength = 23;
2168 infof(data,
"SSL: unhandled public key length: %d\n", pubkeylen);
2169 #elif DARWIN_SSL_PINNEDPUBKEY_V2 2175 result = Curl_pin_peer_pubkey(data, pinnedpubkey, pubkey,
2181 realpubkeylen = pubkeylen + spkiHeaderLength;
2182 realpubkey =
malloc(realpubkeylen);
2186 memcpy(realpubkey, spkiHeader, spkiHeaderLength);
2187 memcpy(realpubkey + spkiHeaderLength, pubkey, pubkeylen);
2189 result = Curl_pin_peer_pubkey(data, pinnedpubkey, realpubkey,
2195 if(publicKeyBits != NULL)
2196 CFRelease(publicKeyBits);
2203 darwinssl_connect_step2(
struct connectdata *conn,
int sockindex)
2208 SSLCipherSuite cipher;
2209 SSLProtocol protocol = 0;
2218 err = SSLHandshake(BACKEND->ssl_ctx);
2222 case errSSLWouldBlock:
2237 return darwinssl_connect_step2(conn, sockindex);
2240 case errSSLXCertChainInvalid:
2241 failf(data,
"SSL certificate problem: Invalid certificate chain");
2243 case errSSLUnknownRootCert:
2244 failf(data,
"SSL certificate problem: Untrusted root certificate");
2246 case errSSLNoRootCert:
2247 failf(data,
"SSL certificate problem: No root certificate");
2249 case errSSLCertExpired:
2250 failf(data,
"SSL certificate problem: Certificate chain had an " 2251 "expired certificate");
2254 failf(data,
"SSL certificate problem: Couldn't understand the server " 2255 "certificate format");
2259 case errSecAuthFailed:
2260 failf(data,
"SSL authentication failed");
2262 case errSSLPeerHandshakeFail:
2263 failf(data,
"SSL peer handshake failed, the server most likely " 2264 "requires a client certificate to connect");
2266 case errSSLPeerUnknownCA:
2267 failf(data,
"SSL server rejected the client certificate due to " 2268 "the certificate being signed by an unknown certificate " 2274 case errSSLHostNameMismatch:
2275 failf(data,
"SSL certificate peer verification failed, the " 2276 "certificate did not match \"%s\"\n", conn->
host.
dispname);
2280 case errSSLConnectionRefused:
2281 failf(data,
"Server dropped the connection during the SSL handshake");
2283 case errSSLClosedAbort:
2284 failf(data,
"Server aborted the SSL handshake");
2286 case errSSLNegotiation:
2287 failf(data,
"Could not negotiate an SSL cipher suite with the server");
2290 case paramErr:
case errSSLInternal:
2291 failf(data,
"Internal SSL engine error encountered during the " 2294 case errSSLFatalAlert:
2295 failf(data,
"Fatal SSL engine error encountered during the SSL " 2299 failf(data,
"Unknown SSL protocol error in connection to %s:%d",
2308 #ifdef DARWIN_SSL_PINNEDPUBKEY 2310 CURLcode result = pkp_pin_peer_pubkey(data, BACKEND->ssl_ctx,
2313 failf(data,
"SSL: public key does not match pinned public key!");
2320 (void)SSLGetNegotiatedCipher(BACKEND->ssl_ctx, &cipher);
2321 (void)SSLGetNegotiatedProtocolVersion(BACKEND->ssl_ctx, &protocol);
2324 infof(data,
"SSL 2.0 connection using %s\n",
2325 SSLCipherNameForNumber(cipher));
2328 infof(data,
"SSL 3.0 connection using %s\n",
2329 SSLCipherNameForNumber(cipher));
2332 infof(data,
"TLS 1.0 connection using %s\n",
2333 TLSCipherNameForNumber(cipher));
2335 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS 2336 case kTLSProtocol11:
2337 infof(data,
"TLS 1.1 connection using %s\n",
2338 TLSCipherNameForNumber(cipher));
2340 case kTLSProtocol12:
2341 infof(data,
"TLS 1.2 connection using %s\n",
2342 TLSCipherNameForNumber(cipher));
2346 infof(data,
"Unknown protocol connection\n");
2354 #ifndef CURL_DISABLE_VERBOSE_STRINGS 2357 show_verbose_server_cert(
struct connectdata *conn,
2362 CFArrayRef server_certs = NULL;
2363 SecCertificateRef server_cert;
2366 SecTrustRef trust = NULL;
2368 if(!BACKEND->ssl_ctx)
2371 #if CURL_BUILD_MAC_10_7 || CURL_BUILD_IOS 2373 #pragma unused(server_certs) 2374 err = SSLCopyPeerTrust(BACKEND->ssl_ctx, &trust);
2377 if(err == noErr && trust) {
2378 count = SecTrustGetCertificateCount(trust);
2379 for(i = 0L ; i < count ; i++) {
2382 server_cert = SecTrustGetCertificateAtIndex(trust, i);
2383 result = CopyCertSubject(data, server_cert, &certp);
2385 infof(data,
"Server certificate: %s\n", certp);
2398 if(SecTrustEvaluateAsync != NULL) {
2399 #pragma unused(server_certs) 2400 err = SSLCopyPeerTrust(BACKEND->ssl_ctx, &trust);
2403 if(err == noErr && trust) {
2404 count = SecTrustGetCertificateCount(trust);
2405 for(i = 0L ; i < count ; i++) {
2408 server_cert = SecTrustGetCertificateAtIndex(trust, i);
2409 result = CopyCertSubject(data, server_cert, &certp);
2411 infof(data,
"Server certificate: %s\n", certp);
2419 #if CURL_SUPPORT_MAC_10_8 2420 err = SSLCopyPeerCertificates(BACKEND->ssl_ctx, &server_certs);
2422 if(err == noErr && server_certs) {
2423 count = CFArrayGetCount(server_certs);
2424 for(i = 0L ; i < count ; i++) {
2427 server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs,
2429 result = CopyCertSubject(data, server_cert, &certp);
2431 infof(data,
"Server certificate: %s\n", certp);
2435 CFRelease(server_certs);
2441 #pragma unused(trust) 2442 err = SSLCopyPeerCertificates(BACKEND->ssl_ctx, &server_certs);
2444 count = CFArrayGetCount(server_certs);
2445 for(i = 0L ; i < count ; i++) {
2448 server_cert = (SecCertificateRef)CFArrayGetValueAtIndex(server_certs, i);
2449 result = CopyCertSubject(data, server_cert, &certp);
2451 infof(data,
"Server certificate: %s\n", certp);
2455 CFRelease(server_certs);
2471 #ifndef CURL_DISABLE_VERBOSE_STRINGS 2473 show_verbose_server_cert(conn, sockindex);
2484 darwinssl_connect_common(
struct connectdata *conn,
2506 if(timeout_ms < 0) {
2508 failf(data,
"SSL connection timeout");
2512 result = darwinssl_connect_step1(conn, sockindex);
2524 if(timeout_ms < 0) {
2526 failf(data,
"SSL connection timeout");
2540 nonblocking?0:timeout_ms);
2546 else if(0 == what) {
2553 failf(data,
"SSL connection timeout");
2566 result = darwinssl_connect_step2(conn, sockindex);
2567 if(result || (nonblocking &&
2577 result = darwinssl_connect_step3(conn, sockindex);
2584 conn->
recv[sockindex] = darwinssl_recv;
2585 conn->
send[sockindex] = darwinssl_send;
2598 int sockindex,
bool *done)
2600 return darwinssl_connect_common(conn, sockindex,
TRUE, done);
2608 result = darwinssl_connect_common(conn, sockindex,
FALSE, &done);
2618 static void Curl_darwinssl_close(
struct connectdata *conn,
int sockindex)
2622 if(BACKEND->ssl_ctx) {
2623 (void)SSLClose(BACKEND->ssl_ctx);
2624 #if CURL_BUILD_MAC_10_8 || CURL_BUILD_IOS 2625 if(SSLCreateContext != NULL)
2626 CFRelease(BACKEND->ssl_ctx);
2627 #if CURL_SUPPORT_MAC_10_8 2629 (
void)SSLDisposeContext(BACKEND->ssl_ctx);
2632 (void)SSLDisposeContext(BACKEND->ssl_ctx);
2634 BACKEND->ssl_ctx = NULL;
2636 BACKEND->ssl_sockfd = 0;
2639 static int Curl_darwinssl_shutdown(
struct connectdata *conn,
int sockindex)
2648 if(!BACKEND->ssl_ctx)
2654 Curl_darwinssl_close(conn, sockindex);
2669 failf(data,
"SSL shutdown timeout");
2676 nread = read(conn->
sock[sockindex], buf,
sizeof(buf));
2679 failf(data,
"read: %s", strerror(errno));
2692 static void Curl_darwinssl_session_free(
void *
ptr)
2703 static size_t Curl_darwinssl_version(
char *
buffer,
size_t size)
2705 return snprintf(buffer, size,
"SecureTransport");
2716 static int Curl_darwinssl_check_cxn(
struct connectdata *conn)
2720 SSLSessionState
state;
2722 if(BACKEND->ssl_ctx) {
2723 err = SSLGetSessionState(BACKEND->ssl_ctx, &state);
2725 return state == kSSLConnected || state == kSSLHandshake;
2731 static bool Curl_darwinssl_data_pending(
const struct connectdata *conn,
2738 if(BACKEND->ssl_ctx) {
2739 err = SSLGetBufferedReadSize(BACKEND->ssl_ctx, &buffer);
2741 return buffer > 0UL;
2749 unsigned char *entropy,
size_t length)
2758 for(i = 0 ; i < length ; i++) {
2760 random_number = arc4random();
2761 entropy[
i] = random_number & 0xFF;
2762 random_number >>= 8;
2764 i = random_number = 0;
2768 static CURLcode Curl_darwinssl_md5sum(
unsigned char *tmp,
2770 unsigned char *md5sum,
2774 (void)CC_MD5(tmp, (CC_LONG)tmplen, md5sum);
2778 static void Curl_darwinssl_sha256sum(
const unsigned char *tmp,
2780 unsigned char *sha256sum,
2784 (void)CC_SHA256(tmp, (CC_LONG)tmplen, sha256sum);
2787 static bool Curl_darwinssl_false_start(
void)
2789 #if CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 2790 if(SSLSetSessionOption != NULL)
2804 size_t processed = 0UL;
2822 if(BACKEND->ssl_write_buffered_length) {
2824 err = SSLWrite(BACKEND->ssl_ctx, NULL, 0UL, &processed);
2829 processed = BACKEND->ssl_write_buffered_length;
2830 BACKEND->ssl_write_buffered_length = 0UL;
2832 case errSSLWouldBlock:
2836 failf(conn->
data,
"SSLWrite() returned error %d", err);
2843 err = SSLWrite(BACKEND->ssl_ctx, mem, len, &processed);
2846 case errSSLWouldBlock:
2849 BACKEND->ssl_write_buffered_length =
len;
2853 failf(conn->
data,
"SSLWrite() returned error %d", err);
2870 size_t processed = 0UL;
2871 OSStatus err = SSLRead(BACKEND->ssl_ctx, buf, buffersize, &processed);
2875 case errSSLWouldBlock:
2886 case errSSLClosedGraceful:
2887 case errSSLClosedNoNotify:
2893 failf(conn->
data,
"SSLRead() return error %d", err);
2902 static void *Curl_darwinssl_get_internals(
struct ssl_connect_data *connssl,
2906 return BACKEND->ssl_ctx;
2909 const struct Curl_ssl Curl_ssl_darwinssl = {
2914 #ifdef DARWIN_SSL_PINNEDPUBKEY 2922 sizeof(
struct ssl_backend_data),
2926 Curl_darwinssl_version,
2927 Curl_darwinssl_check_cxn,
2928 Curl_darwinssl_shutdown,
2929 Curl_darwinssl_data_pending,
2930 Curl_darwinssl_random,
2932 Curl_darwinssl_connect,
2933 Curl_darwinssl_connect_nonblocking,
2934 Curl_darwinssl_get_internals,
2935 Curl_darwinssl_close,
2937 Curl_darwinssl_session_free,
2941 Curl_darwinssl_false_start,
2942 Curl_darwinssl_md5sum,
2943 Curl_darwinssl_sha256sum
2947 #pragma clang diagnostic pop
struct ssl_connect_data ssl[2]
UNITTEST_START const char * values[]
ssize_t( Curl_recv)(struct connectdata *conn, int sockindex, char *buf, size_t len, CURLcode *err)
#define SSL_CONN_CONFIG(var)
CURLcode Curl_base64_decode(const char *src, unsigned char **outptr, size_t *outlen)
int stat(const char *path, struct stat *buffer)
#define SSL_SET_OPTION(var)
ssl_connect_state connecting_state
UNITTEST_START char * ptr
#define realloc(ptr, size)
UNITTEST_START int result
struct ssl_config_data ssl
TypeWithSize< 4 >::UInt UInt32
struct proxy_info http_proxy
ssl_connection_state state
memcpy(filename, filename1, strlen(filename1))
time_t Curl_timeleft(struct Curl_easy *data, struct curltime *nowp, bool duringconnect)
curl_easy_setopt expects a curl_off_t argument for this option curl_easy_setopt expects a curl_write_callback argument for this option curl_easy_setopt expects a curl_ioctl_callback argument for this option curl_easy_setopt expects a curl_opensocket_callback argument for this option curl_easy_setopt expects a curl_debug_callback argument for this option curl_easy_setopt expects a curl_conv_callback argument for this option curl_easy_setopt expects a private data pointer as argument for this option curl_easy_setopt expects a FILE *argument for this option curl_easy_setopt expects a struct curl_httppost *argument for this option curl_easy_setopt expects a struct curl_slist *argument for this option curl_easy_getinfo expects a pointer to char *for this info curl_easy_getinfo expects a pointer to double for this info curl_easy_getinfo expects a pointer to struct curl_tlssessioninfo *for this info curl_easy_getinfo expects a pointer to curl_socket_t for this info size_t
#define SOCKET_READABLE(x, z)
bool Curl_none_cert_status_request(void)
UNITTEST_START struct Curl_easy data
#define CURL_SHA256_DIGEST_LENGTH
void Curl_none_cleanup(void)
ssize_t( Curl_send)(struct connectdata *conn, int sockindex, const void *buf, size_t len, CURLcode *err)
int Curl_inet_pton(int af, const char *src, void *dst)
static unsigned short port
#define Curl_safefree(ptr)
int Curl_socket_check(curl_socket_t readfd0, curl_socket_t readfd1, curl_socket_t writefd, time_t timeout_ms)
CURLcode Curl_none_set_engine(struct Curl_easy *data, const char *engine)
struct ssl_primary_config ssl_config
struct curl_slist * Curl_none_engines_list(struct Curl_easy *data)
TFSIMD_FORCE_INLINE tfScalar length(const Quaternion &q)
ROSCPP_DECL bool search(const std::string &ns, const std::string &key, std::string &result)
CURLcode Curl_none_set_engine_default(struct Curl_easy *data)
void Curl_none_close_all(struct Curl_easy *data)
#define calloc(nbelem, size)