54 #include <openssl/ssl.h> 55 #ifdef HAVE_OPENSSL_ENGINE_H 56 #include <openssl/engine.h> 58 #include <openssl/rand.h> 59 #include <openssl/x509v3.h> 60 #ifndef OPENSSL_NO_DSA 61 #include <openssl/dsa.h> 63 #include <openssl/dh.h> 64 #include <openssl/err.h> 65 #include <openssl/md5.h> 66 #include <openssl/conf.h> 67 #include <openssl/bn.h> 68 #include <openssl/rsa.h> 69 #include <openssl/bio.h> 70 #include <openssl/buffer.h> 72 #ifdef HAVE_OPENSSL_PKCS12_H 73 #include <openssl/pkcs12.h> 76 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP) 77 #include <openssl/ocsp.h> 87 #ifndef OPENSSL_VERSION_NUMBER 88 #error "OPENSSL_VERSION_NUMBER not defined" 91 #if defined(HAVE_OPENSSL_ENGINE_H) 92 #include <openssl/ui.h> 95 #if OPENSSL_VERSION_NUMBER >= 0x00909000L 96 #define SSL_METHOD_QUAL const 98 #define SSL_METHOD_QUAL 101 #if (OPENSSL_VERSION_NUMBER >= 0x10000000L) 102 #define HAVE_ERR_REMOVE_THREAD_STATE 1 105 #if !defined(HAVE_SSLV2_CLIENT_METHOD) || \ 106 OPENSSL_VERSION_NUMBER >= 0x10100000L 107 #undef OPENSSL_NO_SSL2 108 #define OPENSSL_NO_SSL2 111 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ 112 !defined(LIBRESSL_VERSION_NUMBER) 113 #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER 114 #define HAVE_X509_GET0_EXTENSIONS 1 115 #define HAVE_OPAQUE_EVP_PKEY 1 116 #define HAVE_OPAQUE_RSA_DSA_DH 1 117 #define CONST_EXTS const 118 #define HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED 1 121 #define ASN1_STRING_get0_data(x) ASN1_STRING_data(x) 122 #define X509_get0_notBefore(x) X509_get_notBefore(x) 123 #define X509_get0_notAfter(x) X509_get_notAfter(x) 125 #ifdef LIBRESSL_VERSION_NUMBER 126 static unsigned long OpenSSL_version_num(
void)
128 return LIBRESSL_VERSION_NUMBER;
131 #define OpenSSL_version_num() SSLeay() 135 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && \ 136 !defined(LIBRESSL_VERSION_NUMBER) 137 #define HAVE_X509_GET0_SIGNATURE 1 140 #if OPENSSL_VERSION_NUMBER >= 0x10002003L && \ 141 OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \ 142 !defined(OPENSSL_NO_COMP) 143 #define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1 146 #if (OPENSSL_VERSION_NUMBER < 0x0090808fL) 148 #define OPENSSL_load_builtin_modules(x) 159 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \ 160 !defined(LIBRESSL_VERSION_NUMBER)) || \ 161 defined(BORINGSSL_201512) 162 #define HAVE_KEYLOG_CALLBACK 165 #if defined(LIBRESSL_VERSION_NUMBER) 166 #define OSSL_PACKAGE "LibreSSL" 167 #elif defined(OPENSSL_IS_BORINGSSL) 168 #define OSSL_PACKAGE "BoringSSL" 170 #define OSSL_PACKAGE "OpenSSL" 173 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) 177 #define DEFAULT_CIPHER_SELECTION NULL 180 #define DEFAULT_CIPHER_SELECTION \ 181 "ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH" 184 #ifdef ENABLE_SSLKEYLOGFILE 185 typedef struct ssl_tap_state {
186 int master_key_length;
187 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
188 unsigned char client_random[SSL3_RANDOM_SIZE];
192 struct ssl_backend_data {
197 #ifdef ENABLE_SSLKEYLOGFILE 199 ssl_tap_state_t tap_state;
203 #define BACKEND connssl->backend 211 #define RAND_LOAD_LENGTH 1024 213 #ifdef ENABLE_SSLKEYLOGFILE 215 static FILE *keylog_file_fp;
217 #ifdef HAVE_KEYLOG_CALLBACK 218 static void ossl_keylog_callback(
const SSL *ssl,
const char *line)
224 if(keylog_file_fp && line && *line) {
227 size_t linelen = strlen(line);
229 if(linelen <=
sizeof(stackbuf) - 2)
232 buf =
malloc(linelen + 2);
236 strncpy(buf, line, linelen);
238 buf[linelen + 1] =
'\0';
240 fputs(buf, keylog_file_fp);
246 #define KEYLOG_PREFIX "CLIENT_RANDOM " 247 #define KEYLOG_PREFIX_LEN (sizeof(KEYLOG_PREFIX) - 1) 252 static void tap_ssl_key(
const SSL *ssl, ssl_tap_state_t *
state)
254 const char *hex =
"0123456789ABCDEF";
256 char line[KEYLOG_PREFIX_LEN + 2 * SSL3_RANDOM_SIZE + 1 +
257 2 * SSL_MAX_MASTER_KEY_LENGTH + 1 + 1];
259 unsigned char client_random[SSL3_RANDOM_SIZE];
260 unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
261 int master_key_length = 0;
263 if(!session || !keylog_file_fp)
266 #if OPENSSL_VERSION_NUMBER >= 0x10100000L 269 SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
271 SSL_SESSION_get_master_key(session, master_key, SSL_MAX_MASTER_KEY_LENGTH);
273 if(ssl->s3 && session->master_key_length > 0) {
274 master_key_length = session->master_key_length;
275 memcpy(master_key, session->master_key, session->master_key_length);
276 memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE);
280 if(master_key_length <= 0)
284 if(state->master_key_length == master_key_length &&
285 !memcmp(state->master_key, master_key, master_key_length) &&
286 !memcmp(state->client_random, client_random, SSL3_RANDOM_SIZE)) {
290 state->master_key_length = master_key_length;
291 memcpy(state->master_key, master_key, master_key_length);
292 memcpy(state->client_random, client_random, SSL3_RANDOM_SIZE);
294 memcpy(line, KEYLOG_PREFIX, KEYLOG_PREFIX_LEN);
295 pos = KEYLOG_PREFIX_LEN;
298 for(i = 0; i < SSL3_RANDOM_SIZE; i++) {
299 line[pos++] = hex[client_random[
i] >> 4];
300 line[pos++] = hex[client_random[
i] & 0xF];
305 for(i = 0; i < master_key_length; i++) {
306 line[pos++] = hex[master_key[
i] >> 4];
307 line[pos++] = hex[master_key[
i] & 0xF];
314 fputs(line, keylog_file_fp);
319 static const char *SSL_ERROR_to_str(
int err)
323 return "SSL_ERROR_NONE";
325 return "SSL_ERROR_SSL";
326 case SSL_ERROR_WANT_READ:
327 return "SSL_ERROR_WANT_READ";
328 case SSL_ERROR_WANT_WRITE:
329 return "SSL_ERROR_WANT_WRITE";
330 case SSL_ERROR_WANT_X509_LOOKUP:
331 return "SSL_ERROR_WANT_X509_LOOKUP";
332 case SSL_ERROR_SYSCALL:
333 return "SSL_ERROR_SYSCALL";
334 case SSL_ERROR_ZERO_RETURN:
335 return "SSL_ERROR_ZERO_RETURN";
336 case SSL_ERROR_WANT_CONNECT:
337 return "SSL_ERROR_WANT_CONNECT";
338 case SSL_ERROR_WANT_ACCEPT:
339 return "SSL_ERROR_WANT_ACCEPT";
340 #if defined(SSL_ERROR_WANT_ASYNC) 341 case SSL_ERROR_WANT_ASYNC:
342 return "SSL_ERROR_WANT_ASYNC";
344 #if defined(SSL_ERROR_WANT_ASYNC_JOB) 345 case SSL_ERROR_WANT_ASYNC_JOB:
346 return "SSL_ERROR_WANT_ASYNC_JOB";
348 #if defined(SSL_ERROR_WANT_EARLY) 349 case SSL_ERROR_WANT_EARLY:
350 return "SSL_ERROR_WANT_EARLY";
353 return "SSL_ERROR unknown";
359 static char *ossl_strerror(
unsigned long error,
char *buf,
size_t size)
365 static int passwd_callback(
char *buf,
int num,
int encrypting,
373 memcpy(buf, global_passwd, klen + 1);
383 static bool rand_enough(
void)
392 static bool ssl_seeded =
FALSE;
408 #define RANDOM_FILE "" 420 #if defined(HAVE_RAND_EGD) 427 #define EGD_SOCKET "" 444 unsigned char randb[64];
445 size_t len =
sizeof(randb);
447 for(i = 0, i_max = len /
sizeof(
struct curltime); i < i_max; ++
i) {
451 tv.
tv_usec *= (
unsigned int)i + 2;
460 RAND_add(randb, (
int)len, (
double)len/2);
461 }
while(!rand_enough());
473 infof(data,
"libcurl is now using a weak random seed!\n");
478 #ifndef SSL_FILETYPE_ENGINE 479 #define SSL_FILETYPE_ENGINE 42 481 #ifndef SSL_FILETYPE_PKCS12 482 #define SSL_FILETYPE_PKCS12 43 484 static int do_file_type(
const char *type)
486 if(!type || !type[0])
487 return SSL_FILETYPE_PEM;
489 return SSL_FILETYPE_PEM;
491 return SSL_FILETYPE_ASN1;
493 return SSL_FILETYPE_ENGINE;
495 return SSL_FILETYPE_PKCS12;
499 #if defined(HAVE_OPENSSL_ENGINE_H) 505 static int ssl_ui_reader(UI *ui, UI_STRING *uis)
525 static int ssl_ui_writer(UI *ui, UI_STRING *uis)
545 const char *cert_type,
547 const char *key_type,
551 char error_buffer[256];
552 bool check_privkey =
TRUE;
554 int file_type = do_file_type(cert_type);
556 if(cert_file || (file_type == SSL_FILETYPE_ENGINE)) {
563 SSL_CTX_set_default_passwd_cb_userdata(ctx, key_passwd);
570 case SSL_FILETYPE_PEM:
572 if(SSL_CTX_use_certificate_chain_file(ctx,
575 "could not load PEM client certificate, " OSSL_PACKAGE
577 "(no key found, wrong pass phrase, or wrong file format?)",
579 sizeof(error_buffer)) );
584 case SSL_FILETYPE_ASN1:
592 "could not load ASN1 client certificate, " OSSL_PACKAGE
594 "(no key found, wrong pass phrase, or wrong file format?)",
596 sizeof(error_buffer)) );
600 case SSL_FILETYPE_ENGINE:
601 #if defined(HAVE_OPENSSL_ENGINE_H) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME) 603 if(data->
state.engine) {
604 const char *cmd_name =
"LOAD_CERT_CTRL";
610 params.cert_id = cert_file;
615 0, (
void *)cmd_name, NULL)) {
616 failf(data,
"ssl engine does not support loading certificates");
622 0, ¶ms, NULL, 1)) {
623 failf(data,
"ssl engine cannot load client cert with id" 624 " '%s' [%s]", cert_file,
626 sizeof(error_buffer)));
631 failf(data,
"ssl engine didn't initialized the certificate " 637 failf(data,
"unable to set client certificate");
644 failf(data,
"crypto engine not set, can't load certificate");
650 failf(data,
"file type ENG for certificate not implemented");
654 case SSL_FILETYPE_PKCS12:
656 #ifdef HAVE_OPENSSL_PKCS12_H 660 STACK_OF(X509) *ca = NULL;
662 f = fopen(cert_file,
"rb");
664 failf(data,
"could not open PKCS12 file '%s'", cert_file);
671 failf(data,
"error reading PKCS12 file '%s'", cert_file);
680 "could not parse PKCS12 file, check password, " OSSL_PACKAGE
683 sizeof(error_buffer)) );
692 "could not load PKCS12 client certificate, " OSSL_PACKAGE
695 sizeof(error_buffer)) );
700 failf(data,
"unable to use private key from PKCS12 file '%s'",
706 failf(data,
"private key from PKCS12 file '%s' " 707 "does not match certificate in same file", cert_file);
712 while(sk_X509_num(ca)) {
720 X509 *
x = sk_X509_pop(ca);
723 failf(data,
"cannot add certificate to client CA list");
726 if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
728 failf(data,
"cannot add certificate to certificate chain");
744 failf(data,
"file type P12 for certificate not supported");
749 failf(data,
"not supported file type '%s' for certificate", cert_type);
753 file_type = do_file_type(key_type);
756 case SSL_FILETYPE_PEM:
761 key_file = cert_file;
763 case SSL_FILETYPE_ASN1:
765 failf(data,
"unable to set private key file: '%s' type %s",
766 key_file, key_type?key_type:
"PEM");
770 case SSL_FILETYPE_ENGINE:
771 #ifdef HAVE_OPENSSL_ENGINE_H 773 EVP_PKEY *priv_key = NULL;
774 if(data->
state.engine) {
775 UI_METHOD *ui_method =
778 failf(data,
"unable do create " OSSL_PACKAGE
779 " user-interface method");
787 priv_key = (EVP_PKEY *)
793 failf(data,
"failed to load private key from crypto engine");
797 failf(data,
"unable to set private key");
804 failf(data,
"crypto engine not set, can't load private key");
810 failf(data,
"file type ENG for private key not supported");
813 case SSL_FILETYPE_PKCS12:
815 failf(data,
"file type P12 for private key not supported");
820 failf(data,
"not supported file type for private key");
826 failf(data,
"unable to create an SSL structure");
840 #ifndef OPENSSL_NO_RSA 845 if(EVP_PKEY_id(priv_key) == EVP_PKEY_RSA) {
846 RSA *rsa = EVP_PKEY_get1_RSA(priv_key);
847 if(RSA_flags(rsa) & RSA_METHOD_FLAG_NO_CHECK)
848 check_privkey =
FALSE;
859 if(check_privkey ==
TRUE) {
863 failf(data,
"Private key does not match the certificate public key");
872 static int x509_name_oneline(X509_NAME *
a,
char *buf,
size_t size)
875 return X509_NAME_oneline(a, buf, size);
885 BIO_get_mem_ptr(bio_out, &biomem);
887 if((
size_t)biomem->length < size)
888 size = biomem->length;
892 memcpy(buf, biomem->data, size);
907 static int Curl_ossl_init(
void)
909 #ifdef ENABLE_SSLKEYLOGFILE 910 const char *keylog_file_name;
915 #ifdef HAVE_ENGINE_LOAD_BUILTIN_ENGINES 927 #ifndef CONF_MFLAGS_DEFAULT_SECTION 928 #define CONF_MFLAGS_DEFAULT_SECTION 0x0 932 CONF_MFLAGS_DEFAULT_SECTION|
933 CONF_MFLAGS_IGNORE_MISSING_FILE);
935 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ 936 !defined(LIBRESSL_VERSION_NUMBER) 943 if(!SSLeay_add_ssl_algorithms())
946 OpenSSL_add_all_algorithms();
949 #ifdef ENABLE_SSLKEYLOGFILE 951 if(keylog_file_name && !keylog_file_fp) {
954 if(setvbuf(keylog_file_fp, NULL, _IOLBF, 4096)) {
955 fclose(keylog_file_fp);
956 keylog_file_fp = NULL;
966 static void Curl_ossl_cleanup(
void)
968 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ 969 !defined(LIBRESSL_VERSION_NUMBER) 976 #ifdef HAVE_ENGINE_CLEANUP 985 #ifdef HAVE_ERR_REMOVE_THREAD_STATE 986 ERR_remove_thread_state(NULL);
994 #ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 995 SSL_COMP_free_compression_methods();
999 #ifdef ENABLE_SSLKEYLOGFILE 1000 if(keylog_file_fp) {
1001 fclose(keylog_file_fp);
1002 keylog_file_fp = NULL;
1015 static int Curl_ossl_check_cxn(
struct connectdata *conn)
1028 else if(nread == -1) {
1030 if(err == EINPROGRESS ||
1036 if(err == ECONNRESET ||
1038 err == ECONNABORTED ||
1064 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H) 1067 #if OPENSSL_VERSION_NUMBER >= 0x00909000L 1068 e = ENGINE_by_id(engine);
1073 if(!strcmp(engine, e_id))
1079 failf(data,
"SSL Engine '%s' not found", engine);
1083 if(data->
state.engine) {
1086 data->
state.engine = NULL;
1092 failf(data,
"Failed to initialise SSL Engine '%s':\n%s",
1096 data->
state.engine = e;
1100 failf(data,
"SSL Engine not supported");
1109 #ifdef HAVE_OPENSSL_ENGINE_H 1110 if(data->
state.engine) {
1112 infof(data,
"set default crypto engine '%s'\n",
1116 failf(data,
"set default crypto engine '%s' failed",
1132 #if defined(USE_OPENSSL) && defined(HAVE_OPENSSL_ENGINE_H) 1152 if(BACKEND->handle) {
1157 BACKEND->handle = NULL;
1161 BACKEND->ctx = NULL;
1168 static void Curl_ossl_close(
struct connectdata *conn,
int sockindex)
1170 ossl_close(&conn->
ssl[sockindex]);
1171 ossl_close(&conn->
proxy_ssl[sockindex]);
1178 static int Curl_ossl_shutdown(
struct connectdata *conn,
int sockindex)
1185 unsigned long sslerror;
1199 if(BACKEND->handle) {
1200 buffsize = (int)
sizeof(buf);
1203 SSL_SHUTDOWN_TIMEOUT);
1213 case SSL_ERROR_NONE:
1214 case SSL_ERROR_ZERO_RETURN:
1219 case SSL_ERROR_WANT_READ:
1221 infof(data,
"SSL_ERROR_WANT_READ\n");
1223 case SSL_ERROR_WANT_WRITE:
1225 infof(data,
"SSL_ERROR_WANT_WRITE\n");
1231 failf(conn->
data, OSSL_PACKAGE
" SSL_read on shutdown: %s, errno %d",
1233 ossl_strerror(sslerror, buf,
sizeof(buf)) :
1234 SSL_ERROR_to_str(err)),
1240 else if(0 == what) {
1242 failf(data,
"SSL shutdown timeout");
1254 #ifdef HAVE_SSL_GET_SHUTDOWN 1256 case SSL_SENT_SHUTDOWN:
1257 infof(data,
"SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n");
1259 case SSL_RECEIVED_SHUTDOWN:
1260 infof(data,
"SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n");
1262 case SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN:
1263 infof(data,
"SSL_get_shutdown() returned SSL_SENT_SHUTDOWN|" 1264 "SSL_RECEIVED__SHUTDOWN\n");
1271 BACKEND->handle = NULL;
1276 static void Curl_ossl_session_free(
void *
ptr)
1286 static void Curl_ossl_close_all(
struct Curl_easy *data)
1288 #ifdef HAVE_OPENSSL_ENGINE_H 1289 if(data->
state.engine) {
1292 data->
state.engine = NULL;
1297 #if !defined(HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED) && \ 1298 defined(HAVE_ERR_REMOVE_THREAD_STATE) 1303 ERR_remove_thread_state(NULL);
1333 bool matched =
FALSE;
1334 int target = GEN_DNS;
1337 STACK_OF(GENERAL_NAME) *altnames;
1339 struct in6_addr addr;
1341 struct in_addr addr;
1344 bool dNSName =
FALSE;
1345 bool iPAddress =
FALSE;
1355 addrlen =
sizeof(
struct in6_addr);
1361 addrlen =
sizeof(
struct in_addr);
1365 altnames =
X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
1370 bool dnsmatched =
FALSE;
1371 bool ipmatched =
FALSE;
1375 numalts = sk_GENERAL_NAME_num(altnames);
1378 for(i = 0; (i < numalts) && !dnsmatched; i++) {
1380 const GENERAL_NAME *
check = sk_GENERAL_NAME_value(altnames, i);
1382 if(check->type == GEN_DNS)
1384 else if(check->type == GEN_IPADD)
1388 if(check->type == target) {
1390 const char *altptr = (
char *)ASN1_STRING_get0_data(check->d.ia5);
1405 if((altlen == strlen(altptr)) &&
1411 " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
1419 if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
1422 " subjectAltName: host \"%s\" matched cert's IP address!\n",
1431 if(dnsmatched || ipmatched)
1438 else if(dNSName || iPAddress) {
1439 infof(data,
" subjectAltName does not match %s\n", dispname);
1440 failf(data,
"SSL: no alternative certificate subject name matches " 1441 "target host name '%s'", dispname);
1451 unsigned char *nulstr = (
unsigned char *)
"";
1452 unsigned char *peer_CN = nulstr;
1476 peer_CN = OPENSSL_malloc(j + 1);
1478 memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
1486 if(peer_CN && (
curlx_uztosi(strlen((
char *)peer_CN)) != j)) {
1489 failf(data,
"SSL: illegal cert name field");
1495 if(peer_CN == nulstr)
1500 strlen((
char *)peer_CN));
1503 OPENSSL_free(peer_CN);
1513 "SSL: unable to obtain common name from peer certificate");
1517 failf(data,
"SSL: certificate subject name '%s' does not match " 1518 "target host name '%s'", peer_CN, dispname);
1522 infof(data,
" common name: %s (matched)\n", peer_CN);
1525 OPENSSL_free(peer_CN);
1531 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ 1532 !defined(OPENSSL_NO_OCSP) 1537 const unsigned char *
p;
1541 OCSP_RESPONSE *rsp = NULL;
1542 OCSP_BASICRESP *br = NULL;
1543 X509_STORE *st = NULL;
1544 STACK_OF(X509) *ch = NULL;
1546 long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);
1549 failf(data,
"No OCSP response received");
1554 rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1556 failf(data,
"Invalid OCSP response");
1561 ocsp_status = OCSP_response_status(rsp);
1562 if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1563 failf(data,
"Invalid OCSP response status: %s (%d)",
1564 OCSP_response_status_str(ocsp_status), ocsp_status);
1569 br = OCSP_response_get1_basic(rsp);
1571 failf(data,
"Invalid OCSP response");
1579 #if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) || \ 1580 (defined(LIBRESSL_VERSION_NUMBER) && \ 1581 LIBRESSL_VERSION_NUMBER <= 0x2040200fL)) 1590 if(sk_X509_num(ch) >= 2 && sk_X509_num(br->certs) >= 1) {
1591 X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - 1);
1594 for(i = 0; i < sk_X509_num(ch); i++) {
1595 X509 *issuer = sk_X509_value(ch, i);
1597 if(!OCSP_basic_add1_cert(br, issuer)) {
1598 failf(data,
"Could not add issuer cert to OCSP response");
1607 if(OCSP_basic_verify(br, ch, st, 0) <= 0) {
1608 failf(data,
"OCSP response verification failed");
1613 for(i = 0; i < OCSP_resp_count(br); i++) {
1614 int cert_status, crl_reason;
1615 OCSP_SINGLERESP *single = NULL;
1617 ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
1619 single = OCSP_resp_get0(br, i);
1623 cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
1624 &thisupd, &nextupd);
1626 if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
1627 failf(data,
"OCSP response has expired");
1632 infof(data,
"SSL certificate status: %s (%d)\n",
1633 OCSP_cert_status_str(cert_status), cert_status);
1635 switch(cert_status) {
1636 case V_OCSP_CERTSTATUS_GOOD:
1639 case V_OCSP_CERTSTATUS_REVOKED:
1642 failf(data,
"SSL certificate revocation reason: %s (%d)",
1643 OCSP_crl_reason_str(crl_reason), crl_reason);
1646 case V_OCSP_CERTSTATUS_UNKNOWN:
1653 if(br) OCSP_BASICRESP_free(br);
1654 OCSP_RESPONSE_free(rsp);
1664 #ifdef SSL_CTRL_SET_MSG_CALLBACK 1666 static const char *ssl_msg_type(
int ssl_ver,
int msg)
1668 #ifdef SSL2_VERSION_MAJOR 1669 if(ssl_ver == SSL2_VERSION_MAJOR) {
1673 case SSL2_MT_CLIENT_HELLO:
1674 return "Client hello";
1675 case SSL2_MT_CLIENT_MASTER_KEY:
1676 return "Client key";
1677 case SSL2_MT_CLIENT_FINISHED:
1678 return "Client finished";
1679 case SSL2_MT_SERVER_HELLO:
1680 return "Server hello";
1681 case SSL2_MT_SERVER_VERIFY:
1682 return "Server verify";
1683 case SSL2_MT_SERVER_FINISHED:
1684 return "Server finished";
1685 case SSL2_MT_REQUEST_CERTIFICATE:
1686 return "Request CERT";
1687 case SSL2_MT_CLIENT_CERTIFICATE:
1688 return "Client CERT";
1693 if(ssl_ver == SSL3_VERSION_MAJOR) {
1695 case SSL3_MT_HELLO_REQUEST:
1696 return "Hello request";
1697 case SSL3_MT_CLIENT_HELLO:
1698 return "Client hello";
1699 case SSL3_MT_SERVER_HELLO:
1700 return "Server hello";
1701 #ifdef SSL3_MT_NEWSESSION_TICKET 1702 case SSL3_MT_NEWSESSION_TICKET:
1703 return "Newsession Ticket";
1705 case SSL3_MT_CERTIFICATE:
1706 return "Certificate";
1707 case SSL3_MT_SERVER_KEY_EXCHANGE:
1708 return "Server key exchange";
1709 case SSL3_MT_CLIENT_KEY_EXCHANGE:
1710 return "Client key exchange";
1711 case SSL3_MT_CERTIFICATE_REQUEST:
1712 return "Request CERT";
1713 case SSL3_MT_SERVER_DONE:
1714 return "Server finished";
1715 case SSL3_MT_CERTIFICATE_VERIFY:
1716 return "CERT verify";
1717 case SSL3_MT_FINISHED:
1719 #ifdef SSL3_MT_CERTIFICATE_STATUS 1720 case SSL3_MT_CERTIFICATE_STATUS:
1721 return "Certificate Status";
1728 static const char *tls_rt_type(
int type)
1731 #ifdef SSL3_RT_HEADER 1732 case SSL3_RT_HEADER:
1733 return "TLS header";
1735 case SSL3_RT_CHANGE_CIPHER_SPEC:
1736 return "TLS change cipher";
1739 case SSL3_RT_HANDSHAKE:
1740 return "TLS handshake";
1741 case SSL3_RT_APPLICATION_DATA:
1742 return "TLS app data";
1744 return "TLS Unknown";
1752 static void ssl_tls_trace(
int direction,
int ssl_ver,
int content_type,
1753 const void *buf,
size_t len,
SSL *ssl,
1757 const char *msg_name, *tls_rt_name;
1761 const char *verstr = NULL;
1765 (direction != 0 && direction != 1))
1784 #ifdef TLS1_1_VERSION 1785 case TLS1_1_VERSION:
1789 #ifdef TLS1_2_VERSION 1790 case TLS1_2_VERSION:
1794 #ifdef TLS1_3_VERSION 1795 case TLS1_3_VERSION:
1802 snprintf(unknown,
sizeof(unknown),
"(%x)", ssl_ver);
1816 if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
1817 tls_rt_name = tls_rt_type(content_type);
1821 msg_type = *(
char *)buf;
1822 msg_name = ssl_msg_type(ssl_ver, msg_type);
1824 txt_len =
snprintf(ssl_buf,
sizeof(ssl_buf),
"%s (%s), %s, %s (%d):\n",
1825 verstr, direction?
"OUT":
"IN",
1826 tls_rt_name, msg_name, msg_type);
1839 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 1840 # define use_sni(x) sni = (x) 1842 # define use_sni(x) Curl_nop_stmt 1847 #if OPENSSL_VERSION_NUMBER >= 0x10002000L \ 1848 && !defined(OPENSSL_NO_TLSEXT) 1854 #if OPENSSL_VERSION_NUMBER >= 0x10001000L \ 1855 && !defined(OPENSSL_NO_TLSEXT) \ 1856 && !defined(OPENSSL_NO_NEXTPROTONEG) 1868 select_next_protocol(
unsigned char **out,
unsigned char *outlen,
1869 const unsigned char *in,
unsigned int inlen,
1870 const char *
key,
unsigned int keylen)
1873 for(i = 0; i + keylen <= inlen; i += in[
i] + 1) {
1874 if(memcmp(&in[i + 1], key, keylen) == 0) {
1875 *out = (
unsigned char *) &in[i + 1];
1884 select_next_proto_cb(
SSL *ssl,
1885 unsigned char **out,
unsigned char *outlen,
1886 const unsigned char *in,
unsigned int inlen,
1895 !select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_VERSION_ID,
1896 NGHTTP2_PROTO_VERSION_ID_LEN)) {
1897 infof(conn->
data,
"NPN, negotiated HTTP2 (%s)\n",
1898 NGHTTP2_PROTO_VERSION_ID);
1900 return SSL_TLSEXT_ERR_OK;
1904 if(!select_next_protocol(out, outlen, in, inlen,
ALPN_HTTP_1_1,
1906 infof(conn->
data,
"NPN, negotiated HTTP1.1\n");
1908 return SSL_TLSEXT_ERR_OK;
1911 infof(conn->
data,
"NPN, no overlap, use HTTP1.1\n");
1916 return SSL_TLSEXT_ERR_OK;
1921 get_ssl_version_txt(
SSL *ssl)
1927 #ifdef TLS1_3_VERSION 1928 case TLS1_3_VERSION:
1931 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL 1932 case TLS1_2_VERSION:
1934 case TLS1_1_VERSION:
1948 set_ssl_version_min_max(
long *ctx_options,
struct connectdata *conn,
1951 #if (OPENSSL_VERSION_NUMBER < 0x1000100FL) || !defined(TLS1_3_VERSION) 1960 ssl_version_max = ssl_version << 16;
1963 switch(ssl_version) {
1965 #ifdef TLS1_3_VERSION 1968 SSL_CTX_set_max_proto_version(BACKEND->ctx, TLS1_3_VERSION);
1969 *ctx_options |= SSL_OP_NO_TLSv1_2;
1973 failf(data, OSSL_PACKAGE
" was built without TLS 1.3 support");
1978 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL 1979 *ctx_options |= SSL_OP_NO_TLSv1_1;
1981 failf(data, OSSL_PACKAGE
" was built without TLS 1.2 support");
1986 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL 1987 *ctx_options |= SSL_OP_NO_TLSv1;
1989 failf(data, OSSL_PACKAGE
" was built without TLS 1.1 support");
1994 *ctx_options |= SSL_OP_NO_SSLv2;
1995 *ctx_options |= SSL_OP_NO_SSLv3;
1999 switch(ssl_version_max) {
2001 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL 2002 *ctx_options |= SSL_OP_NO_TLSv1_1;
2006 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL 2007 *ctx_options |= SSL_OP_NO_TLSv1_2;
2012 #ifdef TLS1_3_VERSION 2013 *ctx_options |= SSL_OP_NO_TLSv1_3;
2017 #ifdef TLS1_3_VERSION 2020 failf(data, OSSL_PACKAGE
" was built without TLS 1.3 support");
2032 SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
2033 X509_LOOKUP *lookup = NULL;
2036 long ctx_options = 0;
2037 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 2042 struct in6_addr addr;
2044 struct in_addr addr;
2059 char error_buffer[256];
2064 result = Curl_ossl_seed(data);
2068 *certverifyresult = !X509_V_OK;
2072 switch(ssl_version) {
2080 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ 2081 !defined(LIBRESSL_VERSION_NUMBER) 2082 req_method = TLS_client_method();
2089 #ifdef OPENSSL_NO_SSL2 2090 failf(data, OSSL_PACKAGE
" was built without SSLv2 support");
2097 req_method = SSLv2_client_method();
2102 #ifdef OPENSSL_NO_SSL3_METHOD 2103 failf(data, OSSL_PACKAGE
" was built without SSLv3 support");
2115 failf(data,
"Unrecognized parameter passed via CURLOPT_SSLVERSION");
2124 failf(data,
"SSL: couldn't create a context: %s",
2125 ossl_strerror(
ERR_peek_error(), error_buffer,
sizeof(error_buffer)));
2129 #ifdef SSL_MODE_RELEASE_BUFFERS 2130 SSL_CTX_set_mode(BACKEND->ctx, SSL_MODE_RELEASE_BUFFERS);
2133 #ifdef SSL_CTRL_SET_MSG_CALLBACK 2137 SSL_CTX_set_msg_callback_arg(BACKEND->ctx, conn);
2177 ctx_options = SSL_OP_ALL;
2179 #ifdef SSL_OP_NO_TICKET 2180 ctx_options |= SSL_OP_NO_TICKET;
2183 #ifdef SSL_OP_NO_COMPRESSION 2184 ctx_options |= SSL_OP_NO_COMPRESSION;
2187 #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 2189 ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
2192 #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS 2196 ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
2199 switch(ssl_version) {
2203 infof(data,
"Set version TLSv1.x for SRP authorisation\n");
2206 ctx_options |= SSL_OP_NO_SSLv2;
2207 ctx_options |= SSL_OP_NO_TLSv1;
2208 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL 2209 ctx_options |= SSL_OP_NO_TLSv1_1;
2210 ctx_options |= SSL_OP_NO_TLSv1_2;
2211 #ifdef TLS1_3_VERSION 2212 ctx_options |= SSL_OP_NO_TLSv1_3;
2219 ctx_options |= SSL_OP_NO_SSLv2;
2220 ctx_options |= SSL_OP_NO_SSLv3;
2227 result = set_ssl_version_min_max(&ctx_options, conn, sockindex);
2233 #ifndef OPENSSL_NO_SSL2 2234 ctx_options |= SSL_OP_NO_SSLv3;
2235 ctx_options |= SSL_OP_NO_TLSv1;
2236 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL 2237 ctx_options |= SSL_OP_NO_TLSv1_1;
2238 ctx_options |= SSL_OP_NO_TLSv1_2;
2239 #ifdef TLS1_3_VERSION 2240 ctx_options |= SSL_OP_NO_TLSv1_3;
2245 failf(data, OSSL_PACKAGE
" was built without SSLv2 support");
2250 failf(data,
"Unrecognized parameter passed via CURLOPT_SSLVERSION");
2254 SSL_CTX_set_options(BACKEND->ctx, ctx_options);
2258 SSL_CTX_set_next_proto_select_cb(BACKEND->ctx, select_next_proto_cb, conn);
2269 protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
2271 memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
2272 NGHTTP2_PROTO_VERSION_ID_LEN);
2273 cur += NGHTTP2_PROTO_VERSION_ID_LEN;
2274 infof(data,
"ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
2286 SSL_CTX_set_alpn_protos(BACKEND->ctx, protocols, cur);
2290 if(ssl_cert || ssl_cert_type) {
2291 if(!cert_stuff(conn, BACKEND->ctx, ssl_cert, ssl_cert_type,
2301 ciphers = (
char *)DEFAULT_CIPHER_SELECTION;
2304 failf(data,
"failed setting cipher list: %s", ciphers);
2307 infof(data,
"Cipher selection: %s\n", ciphers);
2314 infof(data,
"Using TLS-SRP username: %s\n", ssl_username);
2316 if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) {
2317 failf(data,
"Unable to set SRP user name");
2320 if(!SSL_CTX_set_srp_password(BACKEND->ctx,
SSL_SET_OPTION(password))) {
2321 failf(data,
"failed setting SRP password");
2325 infof(data,
"Setting cipher list SRP\n");
2328 failf(data,
"failed setting SRP cipher list");
2335 if(ssl_cafile || ssl_capath) {
2341 failf(data,
"error setting certificate verify locations:\n" 2342 " CAfile: %s\n CApath: %s",
2343 ssl_cafile ? ssl_cafile :
"none",
2344 ssl_capath ? ssl_capath :
"none");
2349 infof(data,
"error setting certificate verify locations," 2350 " continuing anyway:\n");
2354 infof(data,
"successfully set certificate verify locations:\n");
2359 ssl_cafile ? ssl_cafile :
"none",
2360 ssl_capath ? ssl_capath :
"none");
2362 #ifdef CURL_CA_FALLBACK 2363 else if(verifypeer) {
2366 SSL_CTX_set_default_verify_paths(BACKEND->ctx);
2377 failf(data,
"error loading CRL file: %s", ssl_crlfile);
2381 infof(data,
"successfully load CRL file:\n");
2383 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
2385 infof(data,
" CRLfile: %s\n", ssl_crlfile);
2395 #if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS) 2398 X509_V_FLAG_TRUSTED_FIRST);
2407 verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
2410 #if defined(ENABLE_SSLKEYLOGFILE) && defined(HAVE_KEYLOG_CALLBACK) 2412 SSL_CTX_set_keylog_callback(connssl->ctx, ossl_keylog_callback);
2421 failf(data,
"error signaled by ssl ctx callback");
2429 BACKEND->handle =
SSL_new(BACKEND->ctx);
2430 if(!BACKEND->handle) {
2431 failf(data,
"SSL: couldn't create a context (handle)!");
2435 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ 2436 !defined(OPENSSL_NO_OCSP) 2438 SSL_set_tlsext_status_type(BACKEND->handle, TLSEXT_STATUSTYPE_ocsp);
2443 BACKEND->server_cert = 0x0;
2444 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME 2450 !SSL_set_tlsext_host_name(BACKEND->handle, hostname))
2451 infof(data,
"WARNING: failed to configure server name indication (SNI) " 2457 void *ssl_sessionid = NULL;
2459 Curl_ssl_sessionid_lock(conn);
2460 if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
2463 Curl_ssl_sessionid_unlock(conn);
2464 failf(data,
"SSL: SSL_set_session failed: %s",
2466 sizeof(error_buffer)));
2470 infof(data,
"SSL re-using session ID\n");
2472 Curl_ssl_sessionid_unlock(conn);
2476 BIO *
const bio =
BIO_new(BIO_f_ssl());
2477 SSL *handle = conn->
proxy_ssl[sockindex].backend->handle;
2481 BIO_set_ssl(bio, handle,
FALSE);
2482 SSL_set_bio(BACKEND->handle, bio, bio);
2484 else if(!
SSL_set_fd(BACKEND->handle, (
int)sockfd)) {
2486 failf(data,
"SSL: SSL_set_fd failed: %s",
2487 ossl_strerror(
ERR_get_error(), error_buffer,
sizeof(error_buffer)));
2512 #if defined(ENABLE_SSLKEYLOGFILE) && !defined(HAVE_KEYLOG_CALLBACK) 2513 tap_ssl_key(BACKEND->handle, &BACKEND->tap_state);
2522 if(SSL_ERROR_WANT_READ == detail) {
2526 if(SSL_ERROR_WANT_WRITE == detail) {
2532 unsigned long errdetail;
2533 char error_buffer[256]=
"";
2547 lib = ERR_GET_LIB(errdetail);
2548 reason = ERR_GET_REASON(errdetail);
2550 if((lib == ERR_LIB_SSL) &&
2551 (reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
2555 if(lerr != X509_V_OK) {
2556 *certverifyresult = lerr;
2557 snprintf(error_buffer,
sizeof(error_buffer),
2558 "SSL certificate problem: %s",
2564 strcpy(error_buffer,
"SSL certificate verification failed");
2568 ossl_strerror(errdetail, error_buffer,
sizeof(error_buffer));
2581 failf(data, OSSL_PACKAGE
" SSL_connect: %s in connection to %s:%ld ",
2582 SSL_ERROR_to_str(detail), hostname, port);
2587 failf(data,
"%s", error_buffer);
2597 infof(data,
"SSL connection using %s / %s\n",
2598 get_ssl_version_txt(BACKEND->handle),
2599 SSL_get_cipher(BACKEND->handle));
2606 const unsigned char *neg_protocol;
2608 SSL_get0_alpn_selected(BACKEND->handle, &neg_protocol, &len);
2610 infof(data,
"ALPN, server accepted to use %.*s\n", len, neg_protocol);
2613 if(len == NGHTTP2_PROTO_VERSION_ID_LEN &&
2614 !memcmp(NGHTTP2_PROTO_VERSION_ID, neg_protocol, len)) {
2625 infof(data,
"ALPN, server did not agree to a protocol\n");
2633 static int asn1_object_dump(ASN1_OBJECT *a,
char *buf,
size_t len)
2649 #define push_certinfo(_label, _num) \ 2651 long info_len = BIO_get_mem_data(mem, &ptr); \ 2652 Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \ 2653 if(1 != BIO_reset(mem)) \ 2657 static void pubkey_show(
struct Curl_easy *data,
2662 #ifdef HAVE_OPAQUE_RSA_DSA_DH
2670 snprintf(namebuf,
sizeof(namebuf),
"%s(%s)", type, name);
2674 push_certinfo(namebuf, num);
2677 #ifdef HAVE_OPAQUE_RSA_DSA_DH 2678 #define print_pubkey_BN(_type, _name, _num) \ 2679 pubkey_show(data, mem, _num, #_type, #_name, _name) 2682 #define print_pubkey_BN(_type, _name, _num) \ 2684 if(_type->_name) { \ 2685 pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \ 2690 static int X509V3_ext(
struct Curl_easy *data,
2692 CONST_EXTS STACK_OF(X509_EXTENSION) *exts)
2697 if((
int)sk_X509_EXTENSION_num(exts) <= 0)
2701 for(i = 0; i < (int)sk_X509_EXTENSION_num(exts); i++) {
2703 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
2715 asn1_object_dump(obj, namebuf,
sizeof(namebuf));
2720 BIO_get_mem_ptr(bio_out, &biomem);
2722 for(j = 0; j < (
size_t)biomem->length; j++) {
2723 const char *sep =
"";
2724 if(biomem->data[j] ==
'\n') {
2728 while((j<(
size_t)biomem->length) && (biomem->data[
j] ==
' '))
2730 if(j<(
size_t)biomem->length)
2731 ptr +=
snprintf(ptr,
sizeof(buf)-(ptr-
buf),
"%s%c", sep,
2735 Curl_ssl_push_certinfo(data, certnum, namebuf, buf);
2759 numcerts = sk_X509_num(sk);
2761 result = Curl_ssl_init_certinfo(data, numcerts);
2768 for(i = 0; i < numcerts; i++) {
2770 X509 *x = sk_X509_value(sk, i);
2771 EVP_PKEY *pubkey = NULL;
2774 const ASN1_BIT_STRING *psig = NULL;
2777 push_certinfo(
"Subject", i);
2780 push_certinfo(
"Issuer", i);
2782 BIO_printf(mem,
"%lx", X509_get_version(x));
2783 push_certinfo(
"Version", i);
2786 if(num->type == V_ASN1_NEG_INTEGER)
2788 for(j = 0; j < num->length; j++)
2789 BIO_printf(mem,
"%02x", num->data[j]);
2790 push_certinfo(
"Serial Number", i);
2792 #if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS) 2794 const X509_ALGOR *palg = NULL;
2795 ASN1_STRING *a = ASN1_STRING_new();
2797 X509_get0_signature(&psig, &palg, x);
2798 X509_signature_print(mem, palg, a);
2799 ASN1_STRING_free(a);
2802 i2a_ASN1_OBJECT(mem, palg->algorithm);
2803 push_certinfo(
"Public Key Algorithm", i);
2806 X509V3_ext(data, i, X509_get0_extensions(x));
2811 X509_CINF *cinf = x->cert_info;
2813 i2a_ASN1_OBJECT(mem, cinf->signature->algorithm);
2814 push_certinfo(
"Signature Algorithm", i);
2816 i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm);
2817 push_certinfo(
"Public Key Algorithm", i);
2819 X509V3_ext(data, i, cinf->extensions);
2821 psig = x->signature;
2825 ASN1_TIME_print(mem, X509_get0_notBefore(x));
2826 push_certinfo(
"Start date", i);
2828 ASN1_TIME_print(mem, X509_get0_notAfter(x));
2829 push_certinfo(
"Expire date", i);
2833 infof(data,
" Unable to load public key\n");
2836 #ifdef HAVE_OPAQUE_EVP_PKEY 2837 pktype = EVP_PKEY_id(pubkey);
2839 pktype = pubkey->type;
2845 #ifdef HAVE_OPAQUE_EVP_PKEY 2846 rsa = EVP_PKEY_get0_RSA(pubkey);
2848 rsa = pubkey->pkey.rsa;
2851 #ifdef HAVE_OPAQUE_RSA_DSA_DH 2856 RSA_get0_key(rsa, &n, &e, NULL);
2858 push_certinfo(
"RSA Public Key", i);
2859 print_pubkey_BN(rsa, n, i);
2860 print_pubkey_BN(rsa, e, i);
2864 push_certinfo(
"RSA Public Key", i);
2865 print_pubkey_BN(rsa, n, i);
2866 print_pubkey_BN(rsa, e, i);
2873 #ifndef OPENSSL_NO_DSA 2875 #ifdef HAVE_OPAQUE_EVP_PKEY 2876 dsa = EVP_PKEY_get0_DSA(pubkey);
2878 dsa = pubkey->pkey.dsa;
2880 #ifdef HAVE_OPAQUE_RSA_DSA_DH 2885 const BIGNUM *pub_key;
2887 DSA_get0_pqg(dsa, &p, &q, &g);
2888 DSA_get0_key(dsa, &pub_key, NULL);
2890 print_pubkey_BN(dsa, p, i);
2891 print_pubkey_BN(dsa, q, i);
2892 print_pubkey_BN(dsa, g, i);
2893 print_pubkey_BN(dsa, pub_key, i);
2896 print_pubkey_BN(dsa, p, i);
2897 print_pubkey_BN(dsa, q, i);
2898 print_pubkey_BN(dsa, g, i);
2899 print_pubkey_BN(dsa, pub_key, i);
2907 #ifdef HAVE_OPAQUE_EVP_PKEY 2908 dh = EVP_PKEY_get0_DH(pubkey);
2910 dh = pubkey->pkey.dh;
2912 #ifdef HAVE_OPAQUE_RSA_DSA_DH 2917 const BIGNUM *pub_key;
2918 DH_get0_pqg(dh, &p, &q, &g);
2919 DH_get0_key(dh, &pub_key, NULL);
2920 print_pubkey_BN(dh, p, i);
2921 print_pubkey_BN(dh, q, i);
2922 print_pubkey_BN(dh, g, i);
2923 print_pubkey_BN(dh, pub_key, i);
2926 print_pubkey_BN(dh, p, i);
2927 print_pubkey_BN(dh, g, i);
2928 print_pubkey_BN(dh, pub_key, i);
2942 for(j = 0; j < psig->length; j++)
2943 BIO_printf(mem,
"%02x:", psig->data[j]);
2944 push_certinfo(
"Signature", i);
2948 push_certinfo(
"Cert", i);
2961 const char *pinnedpubkey)
2964 int len1 = 0, len2 = 0;
2965 unsigned char *buff1 = NULL, *temp = NULL;
2988 buff1 = temp =
malloc(len1);
3000 if((len1 != len2) || !temp || ((temp - buff1) != len1))
3006 result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
3042 (void)get_cert_chain(conn, connssl);
3045 if(!BACKEND->server_cert) {
3050 failf(data,
"SSL: couldn't get peer certificate!");
3057 buffer,
sizeof(buffer));
3058 infof(data,
" subject: %s\n", rc?
"[NONE]":buffer);
3060 ASN1_TIME_print(mem, X509_get0_notBefore(BACKEND->server_cert));
3061 len = BIO_get_mem_data(mem, (
char **) &ptr);
3062 infof(data,
" start date: %.*s\n", len, ptr);
3063 rc = BIO_reset(mem);
3065 ASN1_TIME_print(mem, X509_get0_notAfter(BACKEND->server_cert));
3066 len = BIO_get_mem_data(mem, (
char **) &ptr);
3067 infof(data,
" expire date: %.*s\n", len, ptr);
3068 rc = BIO_reset(mem);
3073 result = verifyhost(conn, BACKEND->server_cert);
3076 BACKEND->server_cert = NULL;
3082 buffer,
sizeof(buffer));
3085 failf(data,
"SSL: couldn't get X509-issuer name!");
3089 infof(data,
" issuer: %s\n", buffer);
3099 failf(data,
"SSL: Unable to open issuer cert (%s)",
3102 BACKEND->server_cert = NULL;
3109 failf(data,
"SSL: Unable to read issuer cert (%s)",
3121 failf(data,
"SSL: Certificate issuer check failed (%s)",
3125 BACKEND->server_cert = NULL;
3129 infof(data,
" SSL certificate issuer check ok (%s)\n",
3136 if(*certverifyresult != X509_V_OK) {
3141 failf(data,
"SSL certificate verify result: %s (%ld)",
3146 infof(data,
" SSL certificate verify result: %s (%ld)," 3147 " continuing anyway.\n",
3151 infof(data,
" SSL certificate verify ok.\n");
3154 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ 3155 !defined(OPENSSL_NO_OCSP) 3157 result = verifystatus(conn, connssl);
3160 BACKEND->server_cert = NULL;
3172 if(!result && ptr) {
3173 result = pkp_pin_peer_pubkey(data, BACKEND->server_cert, ptr);
3175 failf(data,
"SSL: public key does not match pinned public key!");
3179 BACKEND->server_cert = NULL;
3195 SSL_SESSION *our_ssl_sessionid;
3196 void *old_ssl_sessionid = NULL;
3204 Curl_ssl_sessionid_lock(conn);
3205 incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
3208 if(old_ssl_sessionid != our_ssl_sessionid) {
3209 infof(data,
"old SSL session ID is stale, removing\n");
3210 Curl_ssl_delsessionid(conn, old_ssl_sessionid);
3216 result = Curl_ssl_addsessionid(conn, our_ssl_sessionid,
3219 Curl_ssl_sessionid_unlock(conn);
3220 failf(data,
"failed to store ssl session");
3231 Curl_ssl_sessionid_unlock(conn);
3275 if(timeout_ms < 0) {
3277 failf(data,
"SSL connection timeout");
3281 result = ossl_connect_step1(conn, sockindex);
3293 if(timeout_ms < 0) {
3295 failf(data,
"SSL connection timeout");
3309 nonblocking?0:timeout_ms);
3321 failf(data,
"SSL connection timeout");
3333 result = ossl_connect_step2(conn, sockindex);
3334 if(result || (nonblocking &&
3343 result = ossl_connect_step3(conn, sockindex);
3350 conn->
recv[sockindex] = ossl_recv;
3351 conn->
send[sockindex] = ossl_send;
3367 return ossl_connect_common(conn, sockindex,
TRUE, done);
3375 result = ossl_connect_common(conn, sockindex,
FALSE, &done);
3384 static bool Curl_ossl_data_pending(
const struct connectdata *conn,
3392 (proxyssl->backend->handle &&
3398 static size_t Curl_ossl_version(
char *buffer,
size_t size);
3409 char error_buffer[256];
3410 unsigned long sslerror;
3417 memlen = (len > (
size_t)INT_MAX) ? INT_MAX : (int)len;
3418 rc =
SSL_write(BACKEND->handle, mem, memlen);
3424 case SSL_ERROR_WANT_READ:
3425 case SSL_ERROR_WANT_WRITE:
3431 case SSL_ERROR_SYSCALL:
3432 failf(conn->
data,
"SSL_write() returned SYSCALL, errno = %d",
3440 if(ERR_GET_LIB(sslerror) == ERR_LIB_SSL &&
3441 ERR_GET_REASON(sslerror) == SSL_R_BIO_NOT_SET &&
3445 Curl_ossl_version(ver, 120);
3446 failf(conn->
data,
"Error: %s does not support double SSL tunneling.",
3450 failf(conn->
data,
"SSL_write() error: %s",
3451 ossl_strerror(sslerror, error_buffer,
sizeof(error_buffer)));
3456 failf(conn->
data, OSSL_PACKAGE
" SSL_write: %s, errno %d",
3471 char error_buffer[256];
3472 unsigned long sslerror;
3479 buffsize = (buffersize > (
size_t)INT_MAX) ? INT_MAX : (int)buffersize;
3486 case SSL_ERROR_NONE:
3487 case SSL_ERROR_ZERO_RETURN:
3489 case SSL_ERROR_WANT_READ:
3490 case SSL_ERROR_WANT_WRITE:
3499 if((nread < 0) || sslerror) {
3502 failf(conn->
data, OSSL_PACKAGE
" SSL_read: %s, errno %d",
3504 ossl_strerror(sslerror, error_buffer,
sizeof(error_buffer)) :
3505 SSL_ERROR_to_str(err)),
3515 static size_t Curl_ossl_version(
char *buffer,
size_t size)
3517 #ifdef OPENSSL_IS_BORINGSSL 3518 return snprintf(buffer, size, OSSL_PACKAGE);
3521 unsigned long ssleay_value;
3524 ssleay_value = OpenSSL_version_num();
3525 if(ssleay_value < 0x906000) {
3526 ssleay_value = SSLEAY_VERSION_NUMBER;
3530 if(ssleay_value&0xff0) {
3531 int minor_ver = (ssleay_value >> 4) & 0xff;
3532 if(minor_ver > 26) {
3534 sub[1] = (char) ((minor_ver - 1) % 26 +
'a' + 1);
3538 sub[0] = (char) (minor_ver +
'a' - 1);
3545 return snprintf(buffer, size,
"%s/%lx.%lx.%lx%s",
3547 (ssleay_value>>28)&0xf,
3548 (ssleay_value>>20)&0xff,
3549 (ssleay_value>>12)&0xff,
3556 unsigned char *entropy,
size_t length)
3560 if(Curl_ossl_seed(data))
3572 static CURLcode Curl_ossl_md5sum(
unsigned char *tmp,
3574 unsigned char *md5sum ,
3585 #if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256) 3586 static void Curl_ossl_sha256sum(
const unsigned char *tmp,
3588 unsigned char *sha256sum ,
3591 SHA256_CTX SHA256pw;
3599 static bool Curl_ossl_cert_status_request(
void)
3601 #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ 3602 !defined(OPENSSL_NO_OCSP) 3614 (
void *)BACKEND->ctx : (
void *)BACKEND->handle;
3617 const struct Curl_ssl Curl_ssl_openssl = {
3626 sizeof(
struct ssl_backend_data),
3631 Curl_ossl_check_cxn,
3633 Curl_ossl_data_pending,
3635 Curl_ossl_cert_status_request,
3637 Curl_ossl_connect_nonblocking,
3638 Curl_ossl_get_internals,
3640 Curl_ossl_close_all,
3641 Curl_ossl_session_free,
3642 Curl_ossl_set_engine,
3643 Curl_ossl_set_engine_default,
3644 Curl_ossl_engines_list,
3647 #
if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
#define PEM_write_bio_X509
int Curl_debug(struct Curl_easy *data, curl_infotype type, char *ptr, size_t size, struct connectdata *conn)
struct ssl_connect_data ssl[2]
#define SSL_CTX_use_PrivateKey
#define X509_NAME_ENTRY_get_data
ssize_t( Curl_recv)(struct connectdata *conn, int sockindex, char *buf, size_t len, CURLcode *err)
#define UI_get_string_type
#define UI_method_set_reader
#define ENGINE_load_builtin_engines
#define SSL_CTX_add_client_CA
#define X509_EXTENSION_get_data
#define SSL_CONN_CONFIG(var)
struct curltime curlx_tvnow(void)
struct ssl_config_data proxy_ssl
#define SSL_SET_OPTION(var)
#define SSL_get_verify_result
ssl_connect_state connecting_state
UNITTEST_START char * ptr
#define UI_method_get_writer
static const struct Curl_handler *const protocols[]
#define GENERAL_NAMES_free
#define X509_NAME_get_index_by_NID
#define X509_get_subject_name
#define SSL_get_peer_cert_chain
#define SSL_CTX_use_PrivateKey_file
if(strcmp(arg,"1305")!=0)
#define SSL_CTX_set_cipher_list
#define SSL_get_peer_certificate
#define strcasecompare(a, b)
int curlx_uztosi(size_t uznum)
CURL_EXTERN char * curl_getenv(const char *variable)
#define EVP_PKEY_copy_parameters
#define UI_method_get_reader
#define SSL_CTX_load_verify_locations
UNITTEST_START int result
struct ssl_config_data ssl
#define ENGINE_load_private_key
struct proxy_info http_proxy
ssl_connection_state state
#define X509_get_serialNumber
memcpy(filename, filename1, strlen(filename1))
#define ERR_error_string_n
#define X509_NAME_get_entry
#define SSL_CTX_use_certificate_file
#define X509_EXTENSION_get_object
int Curl_wait_ms(int timeout_ms)
#define ALPN_HTTP_1_1_LENGTH
#define ASN1_STRING_print
time_t Curl_timeleft(struct Curl_easy *data, struct curltime *nowp, bool duringconnect)
#define UI_method_get_opener
curl_easy_setopt expects a curl_off_t argument for this option curl_easy_setopt expects a curl_write_callback argument for this option curl_easy_setopt expects a curl_ioctl_callback argument for this option curl_easy_setopt expects a curl_opensocket_callback argument for this option curl_easy_setopt expects a curl_debug_callback argument for this option curl_easy_setopt expects a curl_conv_callback argument for this option curl_easy_setopt expects a private data pointer as argument for this option curl_easy_setopt expects a FILE *argument for this option curl_easy_setopt expects a struct curl_httppost *argument for this option curl_easy_setopt expects a struct curl_slist *argument for this option curl_easy_getinfo expects a pointer to char *for this info curl_easy_getinfo expects a pointer to double for this info curl_easy_getinfo expects a pointer to struct curl_tlssessioninfo *for this info curl_easy_getinfo expects a pointer to curl_socket_t for this info size_t
bool Curl_none_false_start(void)
#define SSL_get_certificate
CURL_EXTERN struct curl_slist * curl_slist_append(struct curl_slist *, const char *)
#define SOCKET_READABLE(x, z)
#define CONF_modules_load_file
UNITTEST_START struct Curl_easy data
#define SSL_CTX_get_cert_store
#define UI_destroy_method
TFSIMD_FORCE_INLINE const tfScalar & x() const
#define SSL_CTX_set_verify
curl_ssl_ctx_callback fsslctx
#define SSL_CTX_use_certificate
ssize_t( Curl_send)(struct connectdata *conn, int sockindex, const void *buf, size_t len, CURLcode *err)
#define ENGINE_set_default
int Curl_inet_pton(int af, const char *src, void *dst)
static unsigned short port
#define UI_method_set_writer
#define Curl_convert_from_utf8(a, b, c)
int Curl_socket_check(curl_socket_t readfd0, curl_socket_t readfd1, curl_socket_t writefd, time_t timeout_ms)
#define ASN1_STRING_to_UTF8
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
#define SSL_load_error_strings
#define X509_check_issued
#define UI_get0_user_data
#define SSL_CTX_check_private_key
#define SSL_get_privatekey
#define UI_method_get_closer
#define X509_STORE_add_lookup
struct ssl_connect_data proxy_ssl[2]
curl_debug_callback fdebug
#define CURL_HTTP_VERSION_2
#define SSL_CTX_set_default_passwd_cb
#define OPENSSL_load_builtin_modules
#define UI_method_set_opener
#define X509_load_crl_file
#define X509_verify_cert_error_string
#define SSLv23_client_method
#define SSL_CTX_set_msg_callback
#define X509_NAME_print_ex
CURL_EXTERN void curl_slist_free_all(struct curl_slist *)
#define UI_get_input_flags
#define ASN1_STRING_length
#define X509_get_issuer_name
#define UI_method_set_closer
#define SSLv3_client_method
#define X509_STORE_set_flags
#define SSL_set_connect_state