openssl.c source code [ClickHouse/contrib/curl/lib/vtls/openssl.c]

1	/***************************************************************************
2	* _ _ ____ _
3	* Project ___\| \| \| \| _ \\| \|
4	* / __\| \| \| \| \|_) \| \|
5	* \| (__\| \|_\| \| _ <\| \|___
6	* \___\|\___/\|_\| \_\_____\|
7	*
8	* Copyright (C) 1998 - 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
9	*
10	* This software is licensed as described in the file COPYING, which
11	* you should have received as part of this distribution. The terms
12	* are also available at https://curl.haxx.se/docs/copyright.html.
13	*
14	* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15	* copies of the Software, and permit persons to whom the Software is
16	* furnished to do so, under the terms of the COPYING file.
17	*
18	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19	* KIND, either express or implied.
20	*
21	***************************************************************************/
22
23	/*
24	* Source file for all OpenSSL-specific code for the TLS/SSL layer. No code
25	* but vtls.c should ever call or use these functions.
26	*/
27
28	#include "curl_setup.h"
29
30	#ifdef USE_OPENSSL
31
32	#include <limits.h>
33
34	#include "urldata.h"
35	#include "sendf.h"
36	#include "formdata.h" /* for the boundary function */
37	#include "url.h" /* for the ssl config check function */
38	#include "inet_pton.h"
39	#include "openssl.h"
40	#include "connect.h"
41	#include "slist.h"
42	#include "select.h"
43	#include "vtls.h"
44	#include "strcase.h"
45	#include "hostcheck.h"
46	#include "multiif.h"
47	#include "strerror.h"
48	#include "curl_printf.h"
49	#include <openssl/ssl.h>
50	#include <openssl/rand.h>
51	#include <openssl/x509v3.h>
52	#ifndef OPENSSL_NO_DSA
53	#include <openssl/dsa.h>
54	#endif
55	#include <openssl/dh.h>
56	#include <openssl/err.h>
57	#include <openssl/md5.h>
58	#include <openssl/conf.h>
59	#include <openssl/bn.h>
60	#include <openssl/rsa.h>
61	#include <openssl/bio.h>
62	#include <openssl/buffer.h>
63	#include <openssl/pkcs12.h>
64
65	#ifdef USE_AMISSL
66	#include "amigaos.h"
67	#endif
68
69	#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
70	#include <openssl/ocsp.h>
71	#endif
72
73	#if (OPENSSL_VERSION_NUMBER >= 0x0090700fL) && /* 0.9.7 or later */ \
74	!defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_UI_CONSOLE)
75	#define USE_OPENSSL_ENGINE
76	#include <openssl/engine.h>
77	#endif
78
79	#include "warnless.h"
80	#include "non-ascii.h" /* for Curl_convert_from_utf8 prototype */
81
82	/ The last #include files should be: /
83	#include "curl_memory.h"
84	#include "memdebug.h"
85
86	/ Uncomment the ALLOW_RENEG line to a real #define if you want to allow TLS*
87	renegotiations when built with BoringSSL. Renegotiating is non-compliant
88	with HTTP/2 and "an extremely dangerous protocol feature". Beware.
89
90	#define ALLOW_RENEG 1
91	*/
92
93	#ifndef OPENSSL_VERSION_NUMBER
94	#error "OPENSSL_VERSION_NUMBER not defined"
95	#endif
96
97	#ifdef USE_OPENSSL_ENGINE
98	#include <openssl/ui.h>
99	#endif
100
101	#if OPENSSL_VERSION_NUMBER >= 0x00909000L
102	#define SSL_METHOD_QUAL const
103	#else
104	#define SSL_METHOD_QUAL
105	#endif
106
107	#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
108	#define HAVE_ERR_REMOVE_THREAD_STATE 1
109	#endif
110
111	#if !defined(HAVE_SSLV2_CLIENT_METHOD) \|\| \
112	OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0+ has no SSLv2 */
113	#undef OPENSSL_NO_SSL2 /* undef first to avoid compiler warnings */
114	#define OPENSSL_NO_SSL2
115	#endif
116
117	#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && /* OpenSSL 1.1.0+ */ \
118	!(defined(LIBRESSL_VERSION_NUMBER) && \
119	LIBRESSL_VERSION_NUMBER < 0x20700000L)
120	#define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
121	#define HAVE_X509_GET0_EXTENSIONS 1 /* added in 1.1.0 -pre1 */
122	#define HAVE_OPAQUE_EVP_PKEY 1 /* since 1.1.0 -pre3 */
123	#define HAVE_OPAQUE_RSA_DSA_DH 1 /* since 1.1.0 -pre5 */
124	#define CONST_EXTS const
125	#define HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED 1
126
127	/ funny typecast define due to difference in API /
128	#ifdef LIBRESSL_VERSION_NUMBER
129	#define ARG2_X509_signature_print (X509_ALGOR *)
130	#else
131	#define ARG2_X509_signature_print
132	#endif
133
134	#else
135	/ For OpenSSL before 1.1.0 /
136	#define ASN1_STRING_get0_data(x) ASN1_STRING_data(x)
137	#define X509_get0_notBefore(x) X509_get_notBefore(x)
138	#define X509_get0_notAfter(x) X509_get_notAfter(x)
139	#define CONST_EXTS /* nope */
140	#ifndef LIBRESSL_VERSION_NUMBER
141	#define OpenSSL_version_num() SSLeay()
142	#endif
143	#endif
144
145	#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) && /* 1.0.2 or later */ \
146	!(defined(LIBRESSL_VERSION_NUMBER) && \
147	LIBRESSL_VERSION_NUMBER < 0x20700000L)
148	#define HAVE_X509_GET0_SIGNATURE 1
149	#endif
150
151	#if (OPENSSL_VERSION_NUMBER >= 0x1000200fL) /* 1.0.2 or later */
152	#define HAVE_SSL_GET_SHUTDOWN 1
153	#endif
154
155	#if OPENSSL_VERSION_NUMBER >= 0x10002003L && \
156	OPENSSL_VERSION_NUMBER <= 0x10002FFFL && \
157	!defined(OPENSSL_NO_COMP)
158	#define HAVE_SSL_COMP_FREE_COMPRESSION_METHODS 1
159	#endif
160
161	#if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
162	/ not present in older OpenSSL /
163	#define OPENSSL_load_builtin_modules(x)
164	#endif
165
166	/*
167	* Whether SSL_CTX_set_keylog_callback is available.
168	* OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
169	* BoringSSL: supported since d28f59c27bac (committed 2015-11-19)
170	* LibreSSL: unsupported in at least 2.7.2 (explicitly check for it since it
171	* lies and pretends to be OpenSSL 2.0.0).
172	*/
173	#if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
174	!defined(LIBRESSL_VERSION_NUMBER)) \|\| \
175	defined(OPENSSL_IS_BORINGSSL)
176	#define HAVE_KEYLOG_CALLBACK
177	#endif
178
179	/ Whether SSL_CTX_set_ciphersuites is available.*
180	* OpenSSL: supported since 1.1.1 (commit a53b5be6a05)
181	* BoringSSL: no
182	* LibreSSL: no
183	*/
184	#if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) && \
185	!defined(LIBRESSL_VERSION_NUMBER) && \
186	!defined(OPENSSL_IS_BORINGSSL))
187	#define HAVE_SSL_CTX_SET_CIPHERSUITES
188	#define HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
189	#endif
190
191	#if defined(LIBRESSL_VERSION_NUMBER)
192	#define OSSL_PACKAGE "LibreSSL"
193	#elif defined(OPENSSL_IS_BORINGSSL)
194	#define OSSL_PACKAGE "BoringSSL"
195	#else
196	#define OSSL_PACKAGE "OpenSSL"
197	#endif
198
199	#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
200	/ up2date versions of OpenSSL maintain the default reasonably secure without*
201	* breaking compatibility, so it is better not to override the default by curl
202	*/
203	#define DEFAULT_CIPHER_SELECTION NULL
204	#else
205	/ ... but it is not the case with old versions of OpenSSL /
206	#define DEFAULT_CIPHER_SELECTION \
207	"ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH"
208	#endif
209
210	#define ENABLE_SSLKEYLOGFILE
211
212	#ifdef ENABLE_SSLKEYLOGFILE
213	typedef struct ssl_tap_state {
214	int master_key_length;
215	unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
216	unsigned char client_random[SSL3_RANDOM_SIZE];
217	} ssl_tap_state_t;
218	#endif /* ENABLE_SSLKEYLOGFILE */
219
220	struct ssl_backend_data {
221	/ these ones requires specific SSL-types /
222	SSL_CTX* ctx;
223	SSL* handle;
224	X509* server_cert;
225	#ifdef ENABLE_SSLKEYLOGFILE
226	/ tap_state holds the last seen master key if we're logging them /
227	ssl_tap_state_t tap_state;
228	#endif
229	};
230
231	#define BACKEND connssl->backend
232
233	/*
234	* Number of bytes to read from the random number seed file. This must be
235	* a finite value (because some entropy "files" like /dev/urandom have
236	* an infinite length), but must be large enough to provide enough
237	* entropy to properly seed OpenSSL's PRNG.
238	*/
239	#define RAND_LOAD_LENGTH 1024
240
241	#ifdef ENABLE_SSLKEYLOGFILE
242	/ The fp for the open SSLKEYLOGFILE, or NULL if not open /
243	static FILE *keylog_file_fp;
244
245	#ifdef HAVE_KEYLOG_CALLBACK
246	static void ossl_keylog_callback(const SSL ssl, const* char *line)
247	{
248	(void)ssl;
249
250	/ Using fputs here instead of fprintf since libcurl's fprintf replacement*
251	may not be thread-safe. /*
252	if(keylog_file_fp && line && *line) {
253	char stackbuf[`256`];
254	char *buf;
255	size_t linelen = strlen(line);
256
257	if(linelen <= sizeof(stackbuf) - `2`)
258	buf = stackbuf;
259	else {
260	buf = malloc(linelen + `2`);
261	if(!buf)
262	return;
263	}
264	memcpy(buf, line, linelen);
265	buf[linelen] = `'\n'`;
266	buf[linelen + `1`] = `'\0'`;
267
268	fputs(buf, keylog_file_fp);
269	if(buf != stackbuf)
270	free(buf);
271	}
272	}
273	#else
274	#define KEYLOG_PREFIX "CLIENT_RANDOM "
275	#define KEYLOG_PREFIX_LEN (sizeof(KEYLOG_PREFIX) - 1)
276	/*
277	* tap_ssl_key is called by libcurl to make the CLIENT_RANDOMs if the OpenSSL
278	* being used doesn't have native support for doing that.
279	*/
280	static void tap_ssl_key(const SSL ssl, ssl_tap_state_t state)
281	{
282	const char *hex = "0123456789ABCDEF";
283	int pos, i;
284	char line[KEYLOG_PREFIX_LEN + `2` * SSL3_RANDOM_SIZE + `1` +
285	`2` * SSL_MAX_MASTER_KEY_LENGTH + `1` + `1`];
286	const SSL_SESSION *session = SSL_get_session(ssl);
287	unsigned char client_random[SSL3_RANDOM_SIZE];
288	unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
289	int master_key_length = `0`;
290
291	if(!session \|\| !keylog_file_fp)
292	return;
293
294	#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \
295	!(defined(LIBRESSL_VERSION_NUMBER) && \
296	LIBRESSL_VERSION_NUMBER < 0x20700000L)
297	/ ssl->s3 is not checked in openssl 1.1.0-pre6, but let's assume that*
298	* we have a valid SSL context if we have a non-NULL session. */
299	SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
300	master_key_length = (int)
301	SSL_SESSION_get_master_key(session, master_key, SSL_MAX_MASTER_KEY_LENGTH);
302	#else
303	if(ssl->s3 && session->master_key_length > `0`) {
304	master_key_length = session->master_key_length;
305	memcpy(master_key, session->master_key, session->master_key_length);
306	memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE);
307	}
308	#endif
309
310	if(master_key_length <= `0`)
311	return;
312
313	/ Skip writing keys if there is no key or it did not change. /
314	if(state->master_key_length == master_key_length &&
315	!memcmp(state->master_key, master_key, master_key_length) &&
316	!memcmp(state->client_random, client_random, SSL3_RANDOM_SIZE)) {
317	return;
318	}
319
320	state->master_key_length = master_key_length;
321	memcpy(state->master_key, master_key, master_key_length);
322	memcpy(state->client_random, client_random, SSL3_RANDOM_SIZE);
323
324	memcpy(line, KEYLOG_PREFIX, KEYLOG_PREFIX_LEN);
325	pos = KEYLOG_PREFIX_LEN;
326
327	/ Client Random for SSLv3/TLS /
328	for(i = `0`; i < SSL3_RANDOM_SIZE; i++) {
329	line[pos++] = hex[client_random[i] >> `4`];
330	line[pos++] = hex[client_random[i] & `0xF`];
331	}
332	line[pos++] = `' '`;
333
334	/ Master Secret (size is at most SSL_MAX_MASTER_KEY_LENGTH) /
335	for(i = `0`; i < master_key_length; i++) {
336	line[pos++] = hex[master_key[i] >> `4`];
337	line[pos++] = hex[master_key[i] & `0xF`];
338	}
339	line[pos++] = `'\n'`;
340	line[pos] = `'\0'`;
341
342	/ Using fputs here instead of fprintf since libcurl's fprintf replacement*
343	may not be thread-safe. /*
344	fputs(line, keylog_file_fp);
345	}
346	#endif /* !HAVE_KEYLOG_CALLBACK */
347	#endif /* ENABLE_SSLKEYLOGFILE */
348
349	static const char SSL_ERROR_to_str(int* err)
350	{
351	switch(err) {
352	case SSL_ERROR_NONE:
353	return "SSL_ERROR_NONE";
354	case SSL_ERROR_SSL:
355	return "SSL_ERROR_SSL";
356	case SSL_ERROR_WANT_READ:
357	return "SSL_ERROR_WANT_READ";
358	case SSL_ERROR_WANT_WRITE:
359	return "SSL_ERROR_WANT_WRITE";
360	case SSL_ERROR_WANT_X509_LOOKUP:
361	return "SSL_ERROR_WANT_X509_LOOKUP";
362	case SSL_ERROR_SYSCALL:
363	return "SSL_ERROR_SYSCALL";
364	case SSL_ERROR_ZERO_RETURN:
365	return "SSL_ERROR_ZERO_RETURN";
366	case SSL_ERROR_WANT_CONNECT:
367	return "SSL_ERROR_WANT_CONNECT";
368	case SSL_ERROR_WANT_ACCEPT:
369	return "SSL_ERROR_WANT_ACCEPT";
370	#if defined(SSL_ERROR_WANT_ASYNC)
371	case SSL_ERROR_WANT_ASYNC:
372	return "SSL_ERROR_WANT_ASYNC";
373	#endif
374	#if defined(SSL_ERROR_WANT_ASYNC_JOB)
375	case SSL_ERROR_WANT_ASYNC_JOB:
376	return "SSL_ERROR_WANT_ASYNC_JOB";
377	#endif
378	#if defined(SSL_ERROR_WANT_EARLY)
379	case SSL_ERROR_WANT_EARLY:
380	return "SSL_ERROR_WANT_EARLY";
381	#endif
382	default:
383	return "SSL_ERROR unknown";
384	}
385	}
386
387	/ Return error string for last OpenSSL error*
388	*/
389	static char ossl_strerror(unsigned* long error, char *buf, size_t size)
390	{
391	if(size)
392	*buf = `'\0'`;
393
394	#ifdef OPENSSL_IS_BORINGSSL
395	ERR_error_string_n((uint32_t)error, buf, size);
396	#else
397	ERR_error_string_n(error, buf, size);
398	#endif
399
400	if(size > `1` && !*buf) {
401	strncpy(buf, (error ? "Unknown error" : "No error"), size);
402	buf[size - `1`] = `'\0'`;
403	}
404
405	return buf;
406	}
407
408	/ Return an extra data index for the connection data.*
409	* This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
410	*/
411	static int ossl_get_ssl_conn_index(void)
412	{
413	static int ssl_ex_data_conn_index = -`1`;
414	if(ssl_ex_data_conn_index < `0`) {
415	ssl_ex_data_conn_index = SSL_get_ex_new_index(`0`, NULL, NULL, NULL, NULL);
416	}
417	return ssl_ex_data_conn_index;
418	}
419
420	/ Return an extra data index for the sockindex.*
421	* This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
422	*/
423	static int ossl_get_ssl_sockindex_index(void)
424	{
425	static int ssl_ex_data_sockindex_index = -`1`;
426	if(ssl_ex_data_sockindex_index < `0`) {
427	ssl_ex_data_sockindex_index = SSL_get_ex_new_index(`0`, NULL, NULL, NULL,
428	NULL);
429	}
430	return ssl_ex_data_sockindex_index;
431	}
432
433	static int passwd_callback(char buf, int* num, int encrypting,
434	void *global_passwd)
435	{
436	DEBUGASSERT(`0` == encrypting);
437
438	if(!encrypting) {
439	int klen = curlx_uztosi(strlen((char *)global_passwd));
440	if(num > klen) {
441	memcpy(buf, global_passwd, klen + `1`);
442	return klen;
443	}
444	}
445	return `0`;
446	}
447
448	/*
449	* rand_enough() returns TRUE if we have seeded the random engine properly.
450	*/
451	static bool rand_enough(void)
452	{
453	return (`0` != RAND_status()) ? TRUE : FALSE;
454	}
455
456	static CURLcode Curl_ossl_seed(struct Curl_easy *data)
457	{
458	/ we have the "SSL is seeded" boolean static to prevent multiple*
459	time-consuming seedings in vain /*
460	static bool ssl_seeded = FALSE;
461	char fname[`256`];
462
463	if(ssl_seeded)
464	return CURLE_OK;
465
466	if(rand_enough()) {
467	/ OpenSSL 1.1.0+ will return here /
468	ssl_seeded = TRUE;
469	return CURLE_OK;
470	}
471
472	#ifndef RANDOM_FILE
473	/ if RANDOM_FILE isn't defined, we only perform this if an option tells*
474	us to! /*
475	if(data->set.str[STRING_SSL_RANDOM_FILE])
476	#define RANDOM_FILE "" /* doesn't matter won't be used */
477	#endif
478	{
479	/ let the option override the define /
480	RAND_load_file((data->set.str[STRING_SSL_RANDOM_FILE]?
481	data->set.str[STRING_SSL_RANDOM_FILE]:
482	RANDOM_FILE),
483	RAND_LOAD_LENGTH);
484	if(rand_enough())
485	return CURLE_OK;
486	}
487
488	#if defined(HAVE_RAND_EGD)
489	/ only available in OpenSSL 0.9.5 and later /
490	/ EGD_SOCKET is set at configure time or not at all /
491	#ifndef EGD_SOCKET
492	/ If we don't have the define set, we only do this if the egd-option*
493	is set /*
494	if(data->set.str[STRING_SSL_EGDSOCKET])
495	#define EGD_SOCKET "" /* doesn't matter won't be used */
496	#endif
497	{
498	/ If there's an option and a define, the option overrides the*
499	define /*
500	int ret = RAND_egd(data->set.str[STRING_SSL_EGDSOCKET]?
501	data->set.str[STRING_SSL_EGDSOCKET]:EGD_SOCKET);
502	if(-`1` != ret) {
503	if(rand_enough())
504	return CURLE_OK;
505	}
506	}
507	#endif
508
509	/ fallback to a custom seeding of the PRNG using a hash based on a current*
510	time /*
511	do {
512	unsigned char randb[`64`];
513	size_t len = sizeof(randb);
514	size_t i, i_max;
515	for(i = `0`, i_max = len / sizeof(struct curltime); i < i_max; ++i) {
516	struct curltime tv = Curl_now();
517	Curl_wait_ms(`1`);
518	tv.tv_sec *= i + `1`;
519	tv.tv_usec = (unsigned* int)i + `2`;
520	tv.tv_sec ^= ((Curl_now().tv_sec + Curl_now().tv_usec) *
521	(i + `3`)) << `8`;
522	tv.tv_usec ^= (unsigned int) ((Curl_now().tv_sec +
523	Curl_now().tv_usec) *
524	(i + `4`)) << `16`;
525	memcpy(&randb[i * sizeof(struct curltime)], &tv,
526	sizeof(struct curltime));
527	}
528	RAND_add(randb, (int)len, (double)len/`2`);
529	} while(!rand_enough());
530
531	/ generates a default path for the random seed file /
532	fname[`0`] = `0`; / blank it first /
533	RAND_file_name(fname, sizeof(fname));
534	if(fname[`0`]) {
535	/ we got a file name to try /
536	RAND_load_file(fname, RAND_LOAD_LENGTH);
537	if(rand_enough())
538	return CURLE_OK;
539	}
540
541	infof(data, "libcurl is now using a weak random seed!\n");
542	return (rand_enough() ? CURLE_OK :
543	CURLE_SSL_CONNECT_ERROR / confusing error code /);
544	}
545
546	#ifndef SSL_FILETYPE_ENGINE
547	#define SSL_FILETYPE_ENGINE 42
548	#endif
549	#ifndef SSL_FILETYPE_PKCS12
550	#define SSL_FILETYPE_PKCS12 43
551	#endif
552	static int do_file_type(const char *type)
553	{
554	if(!type \|\| !type[`0`])
555	return SSL_FILETYPE_PEM;
556	if(strcasecompare(type, "PEM"))
557	return SSL_FILETYPE_PEM;
558	if(strcasecompare(type, "DER"))
559	return SSL_FILETYPE_ASN1;
560	if(strcasecompare(type, "ENG"))
561	return SSL_FILETYPE_ENGINE;
562	if(strcasecompare(type, "P12"))
563	return SSL_FILETYPE_PKCS12;
564	return -`1`;
565	}
566
567	#ifdef USE_OPENSSL_ENGINE
568	/*
569	* Supply default password to the engine user interface conversation.
570	* The password is passed by OpenSSL engine from ENGINE_load_private_key()
571	* last argument to the ui and can be obtained by UI_get0_user_data(ui) here.
572	*/
573	static int ssl_ui_reader(UI ui, UI_STRING uis)
574	{
575	const char *password;
576	switch(UI_get_string_type(uis)) {
577	case UIT_PROMPT:
578	case UIT_VERIFY:
579	password = (const char *)UI_get0_user_data(ui);
580	if(password && (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
581	UI_set_result(ui, uis, password);
582	return `1`;
583	}
584	default:
585	break;
586	}
587	return (UI_method_get_reader(UI_OpenSSL()))(ui, uis);
588	}
589
590	/*
591	* Suppress interactive request for a default password if available.
592	*/
593	static int ssl_ui_writer(UI ui, UI_STRING uis)
594	{
595	switch(UI_get_string_type(uis)) {
596	case UIT_PROMPT:
597	case UIT_VERIFY:
598	if(UI_get0_user_data(ui) &&
599	(UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD)) {
600	return `1`;
601	}
602	default:
603	break;
604	}
605	return (UI_method_get_writer(UI_OpenSSL()))(ui, uis);
606	}
607
608	/*
609	* Check if a given string is a PKCS#11 URI
610	*/
611	static bool is_pkcs11_uri(const char *string)
612	{
613	return (string && strncasecompare(string, "pkcs11:", `7`));
614	}
615
616	#endif
617
618	static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
619	const char *engine);
620
621	static
622	int cert_stuff(struct connectdata *conn,
623	SSL_CTX* ctx,
624	char *cert_file,
625	const char *cert_type,
626	char *key_file,
627	const char *key_type,
628	char *key_passwd)
629	{
630	struct Curl_easy *data = conn->data;
631	char error_buffer[`256`];
632	bool check_privkey = TRUE;
633
634	int file_type = do_file_type(cert_type);
635
636	if(cert_file \|\| (file_type == SSL_FILETYPE_ENGINE)) {
637	SSL *ssl;
638	X509 *x509;
639	int cert_done = `0`;
640
641	if(key_passwd) {
642	/ set the password in the callback userdata /
643	SSL_CTX_set_default_passwd_cb_userdata(ctx, key_passwd);
644	/ Set passwd callback: /
645	SSL_CTX_set_default_passwd_cb(ctx, passwd_callback);
646	}
647
648
649	switch(file_type) {
650	case SSL_FILETYPE_PEM:
651	/ SSL_CTX_use_certificate_chain_file() only works on PEM files /
652	if(SSL_CTX_use_certificate_chain_file(ctx,
653	cert_file) != `1`) {
654	failf(data,
655	"could not load PEM client certificate, " OSSL_PACKAGE
656	" error %s, "
657	"(no key found, wrong pass phrase, or wrong file format?)",
658	ossl_strerror(ERR_get_error(), error_buffer,
659	sizeof(error_buffer)) );
660	return `0`;
661	}
662	break;
663
664	case SSL_FILETYPE_ASN1:
665	/ SSL_CTX_use_certificate_file() works with either PEM or ASN1, but*
666	we use the case above for PEM so this can only be performed with
667	ASN1 files. /*
668	if(SSL_CTX_use_certificate_file(ctx,
669	cert_file,
670	file_type) != `1`) {
671	failf(data,
672	"could not load ASN1 client certificate, " OSSL_PACKAGE
673	" error %s, "
674	"(no key found, wrong pass phrase, or wrong file format?)",
675	ossl_strerror(ERR_get_error(), error_buffer,
676	sizeof(error_buffer)) );
677	return `0`;
678	}
679	break;
680	case SSL_FILETYPE_ENGINE:
681	#if defined(USE_OPENSSL_ENGINE) && defined(ENGINE_CTRL_GET_CMD_FROM_NAME)
682	{
683	/ Implicitly use pkcs11 engine if none was provided and the*
684	* cert_file is a PKCS#11 URI */
685	if(!data->state.engine) {
686	if(is_pkcs11_uri(cert_file)) {
687	if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
688	return `0`;
689	}
690	}
691	}
692
693	if(data->state.engine) {
694	const char *cmd_name = "LOAD_CERT_CTRL";
695	struct {
696	const char *cert_id;
697	X509 *cert;
698	} params;
699
700	params.cert_id = cert_file;
701	params.cert = NULL;
702
703	/ Does the engine supports LOAD_CERT_CTRL ? /
704	if(!ENGINE_ctrl(data->state.engine, ENGINE_CTRL_GET_CMD_FROM_NAME,
705	`0`, (void *)cmd_name, NULL)) {
706	failf(data, "ssl engine does not support loading certificates");
707	return `0`;
708	}
709
710	/ Load the certificate from the engine /
711	if(!ENGINE_ctrl_cmd(data->state.engine, cmd_name,
712	`0`, &params, NULL, `1`)) {
713	failf(data, "ssl engine cannot load client cert with id"
714	" '%s' [%s]", cert_file,
715	ossl_strerror(ERR_get_error(), error_buffer,
716	sizeof(error_buffer)));
717	return `0`;
718	}
719
720	if(!params.cert) {
721	failf(data, "ssl engine didn't initialized the certificate "
722	"properly.");
723	return `0`;
724	}
725
726	if(SSL_CTX_use_certificate(ctx, params.cert) != `1`) {
727	failf(data, "unable to set client certificate");
728	X509_free(params.cert);
729	return `0`;
730	}
731	X509_free(params.cert); / we don't need the handle any more... /
732	}
733	else {
734	failf(data, "crypto engine not set, can't load certificate");
735	return `0`;
736	}
737	}
738	break;
739	#else
740	failf(data, "file type ENG for certificate not implemented");
741	return `0`;
742	#endif
743
744	case SSL_FILETYPE_PKCS12:
745	{
746	BIO *fp = NULL;
747	PKCS12 *p12 = NULL;
748	EVP_PKEY *pri;
749	STACK_OF(X509) *ca = NULL;
750
751	fp = BIO_new(BIO_s_file());
752	if(fp == NULL) {
753	failf(data,
754	"BIO_new return NULL, " OSSL_PACKAGE
755	" error %s",
756	ossl_strerror(ERR_get_error(), error_buffer,
757	sizeof(error_buffer)) );
758	return `0`;
759	}
760
761	if(BIO_read_filename(fp, cert_file) <= `0`) {
762	failf(data, "could not open PKCS12 file '%s'", cert_file);
763	BIO_free(fp);
764	return `0`;
765	}
766	p12 = d2i_PKCS12_bio(fp, NULL);
767	BIO_free(fp);
768
769	if(!p12) {
770	failf(data, "error reading PKCS12 file '%s'", cert_file);
771	return `0`;
772	}
773
774	PKCS12_PBE_add();
775
776	if(!PKCS12_parse(p12, key_passwd, &pri, &x509,
777	&ca)) {
778	failf(data,
779	"could not parse PKCS12 file, check password, " OSSL_PACKAGE
780	" error %s",
781	ossl_strerror(ERR_get_error(), error_buffer,
782	sizeof(error_buffer)) );
783	PKCS12_free(p12);
784	return `0`;
785	}
786
787	PKCS12_free(p12);
788
789	if(SSL_CTX_use_certificate(ctx, x509) != `1`) {
790	failf(data,
791	"could not load PKCS12 client certificate, " OSSL_PACKAGE
792	" error %s",
793	ossl_strerror(ERR_get_error(), error_buffer,
794	sizeof(error_buffer)) );
795	goto fail;
796	}
797
798	if(SSL_CTX_use_PrivateKey(ctx, pri) != `1`) {
799	failf(data, "unable to use private key from PKCS12 file '%s'",
800	cert_file);
801	goto fail;
802	}
803
804	if(!SSL_CTX_check_private_key (ctx)) {
805	failf(data, "private key from PKCS12 file '%s' "
806	"does not match certificate in same file", cert_file);
807	goto fail;
808	}
809	/ Set Certificate Verification chain /
810	if(ca) {
811	while(sk_X509_num(ca)) {
812	/*
813	* Note that sk_X509_pop() is used below to make sure the cert is
814	* removed from the stack properly before getting passed to
815	* SSL_CTX_add_extra_chain_cert(), which takes ownership. Previously
816	* we used sk_X509_value() instead, but then we'd clean it in the
817	* subsequent sk_X509_pop_free() call.
818	*/
819	X509 *x = sk_X509_pop(ca);
820	if(!SSL_CTX_add_client_CA(ctx, x)) {
821	X509_free(x);
822	failf(data, "cannot add certificate to client CA list");
823	goto fail;
824	}
825	if(!SSL_CTX_add_extra_chain_cert(ctx, x)) {
826	X509_free(x);
827	failf(data, "cannot add certificate to certificate chain");
828	goto fail;
829	}
830	}
831	}
832
833	cert_done = `1`;
834	fail:
835	EVP_PKEY_free(pri);
836	X509_free(x509);
837	#ifdef USE_AMISSL
838	sk_X509_pop_free(ca, Curl_amiga_X509_free);
839	#else
840	sk_X509_pop_free(ca, X509_free);
841	#endif
842	if(!cert_done)
843	return `0`; / failure! /
844	break;
845	}
846	default:
847	failf(data, "not supported file type '%s' for certificate", cert_type);
848	return `0`;
849	}
850
851	if(!key_file)
852	key_file = cert_file;
853	else
854	file_type = do_file_type(key_type);
855
856	switch(file_type) {
857	case SSL_FILETYPE_PEM:
858	if(cert_done)
859	break;
860	/ FALLTHROUGH /
861	case SSL_FILETYPE_ASN1:
862	if(SSL_CTX_use_PrivateKey_file(ctx, key_file, file_type) != `1`) {
863	failf(data, "unable to set private key file: '%s' type %s",
864	key_file, key_type?key_type:"PEM");
865	return `0`;
866	}
867	break;
868	case SSL_FILETYPE_ENGINE:
869	#ifdef USE_OPENSSL_ENGINE
870	{ / XXXX still needs some work /
871	EVP_PKEY *priv_key = NULL;
872
873	/ Implicitly use pkcs11 engine if none was provided and the*
874	* key_file is a PKCS#11 URI */
875	if(!data->state.engine) {
876	if(is_pkcs11_uri(key_file)) {
877	if(Curl_ossl_set_engine(data, "pkcs11") != CURLE_OK) {
878	return `0`;
879	}
880	}
881	}
882
883	if(data->state.engine) {
884	UI_METHOD *ui_method =
885	UI_create_method((char *)"curl user interface");
886	if(!ui_method) {
887	failf(data, "unable do create " OSSL_PACKAGE
888	" user-interface method");
889	return `0`;
890	}
891	UI_method_set_opener(ui_method, UI_method_get_opener(UI_OpenSSL()));
892	UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
893	UI_method_set_reader(ui_method, ssl_ui_reader);
894	UI_method_set_writer(ui_method, ssl_ui_writer);
895	/ the typecast below was added to please mingw32 /
896	priv_key = (EVP_PKEY *)
897	ENGINE_load_private_key(data->state.engine, key_file,
898	ui_method,
899	key_passwd);
900	UI_destroy_method(ui_method);
901	if(!priv_key) {
902	failf(data, "failed to load private key from crypto engine");
903	return `0`;
904	}
905	if(SSL_CTX_use_PrivateKey(ctx, priv_key) != `1`) {
906	failf(data, "unable to set private key");
907	EVP_PKEY_free(priv_key);
908	return `0`;
909	}
910	EVP_PKEY_free(priv_key); / we don't need the handle any more... /
911	}
912	else {
913	failf(data, "crypto engine not set, can't load private key");
914	return `0`;
915	}
916	}
917	break;
918	#else
919	failf(data, "file type ENG for private key not supported");
920	return `0`;
921	#endif
922	case SSL_FILETYPE_PKCS12:
923	if(!cert_done) {
924	failf(data, "file type P12 for private key not supported");
925	return `0`;
926	}
927	break;
928	default:
929	failf(data, "not supported file type for private key");
930	return `0`;
931	}
932
933	ssl = SSL_new(ctx);
934	if(!ssl) {
935	failf(data, "unable to create an SSL structure");
936	return `0`;
937	}
938
939	x509 = SSL_get_certificate(ssl);
940
941	/ This version was provided by Evan Jordan and is supposed to not*
942	leak memory as the previous version: /*
943	if(x509) {
944	EVP_PKEY *pktmp = X509_get_pubkey(x509);
945	EVP_PKEY_copy_parameters(pktmp, SSL_get_privatekey(ssl));
946	EVP_PKEY_free(pktmp);
947	}
948
949	#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_IS_BORINGSSL)
950	{
951	/ If RSA is used, don't check the private key if its flags indicate*
952	* it doesn't support it. */
953	EVP_PKEY *priv_key = SSL_get_privatekey(ssl);
954	int pktype;
955	#ifdef HAVE_OPAQUE_EVP_PKEY
956	pktype = EVP_PKEY_id(priv_key);
957	#else
958	pktype = priv_key->type;
959	#endif
960	if(pktype == EVP_PKEY_RSA) {
961	RSA *rsa = EVP_PKEY_get1_RSA(priv_key);
962	if(RSA_flags(rsa) & RSA_METHOD_FLAG_NO_CHECK)
963	check_privkey = FALSE;
964	RSA_free(rsa); / Decrement reference count /
965	}
966	}
967	#endif
968
969	SSL_free(ssl);
970
971	/ If we are using DSA, we can copy the parameters from*
972	* the private key */
973
974	if(check_privkey == TRUE) {
975	/ Now we know that a key and cert have been set against*
976	* the SSL context */
977	if(!SSL_CTX_check_private_key(ctx)) {
978	failf(data, "Private key does not match the certificate public key");
979	return `0`;
980	}
981	}
982	}
983	return `1`;
984	}
985
986	/ returns non-zero on failure /
987	static int x509_name_oneline(X509_NAME a, char* *buf, size_t size)
988	{
989	#if 0
990	return X509_NAME_oneline(a, buf, size);
991	#else
992	BIO *bio_out = BIO_new(BIO_s_mem());
993	BUF_MEM *biomem;
994	int rc;
995
996	if(!bio_out)
997	return `1`; / alloc failed! /
998
999	rc = X509_NAME_print_ex(bio_out, a, `0`, XN_FLAG_SEP_SPLUS_SPC);
1000	BIO_get_mem_ptr(bio_out, &biomem);
1001
1002	if((size_t)biomem->length < size)
1003	size = biomem->length;
1004	else
1005	size--; / don't overwrite the buffer end /
1006
1007	memcpy(buf, biomem->data, size);
1008	buf[size] = `0`;
1009
1010	BIO_free(bio_out);
1011
1012	return !rc;
1013	#endif
1014	}
1015
1016	/**
1017	* Global SSL init
1018	*
1019	* @retval 0 error initializing SSL
1020	* @retval 1 SSL initialized successfully
1021	*/
1022	static int Curl_ossl_init(void)
1023	{
1024	#ifdef ENABLE_SSLKEYLOGFILE
1025	char *keylog_file_name;
1026	#endif
1027
1028	OPENSSL_load_builtin_modules();
1029
1030	#ifdef USE_OPENSSL_ENGINE
1031	ENGINE_load_builtin_engines();
1032	#endif
1033
1034	/ CONF_MFLAGS_DEFAULT_SECTION was introduced some time between 0.9.8b and*
1035	0.9.8e /*
1036	#ifndef CONF_MFLAGS_DEFAULT_SECTION
1037	#define CONF_MFLAGS_DEFAULT_SECTION 0x0
1038	#endif
1039
1040	#ifndef CURL_DISABLE_OPENSSL_AUTO_LOAD_CONFIG
1041	CONF_modules_load_file(NULL, NULL,
1042	CONF_MFLAGS_DEFAULT_SECTION\|
1043	CONF_MFLAGS_IGNORE_MISSING_FILE);
1044	#endif
1045
1046	#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
1047	!defined(LIBRESSL_VERSION_NUMBER)
1048	/ OpenSSL 1.1.0+ takes care of initialization itself /
1049	#else
1050	/ Lets get nice error messages /
1051	SSL_load_error_strings();
1052
1053	/ Init the global ciphers and digests /
1054	if(!SSLeay_add_ssl_algorithms())
1055	return `0`;
1056
1057	OpenSSL_add_all_algorithms();
1058	#endif
1059
1060	#ifdef ENABLE_SSLKEYLOGFILE
1061	if(!keylog_file_fp) {
1062	keylog_file_name = curl_getenv("SSLKEYLOGFILE");
1063	if(keylog_file_name) {
1064	keylog_file_fp = fopen(keylog_file_name, FOPEN_APPENDTEXT);
1065	if(keylog_file_fp) {
1066	#ifdef WIN32
1067	if(setvbuf(keylog_file_fp, NULL, _IONBF, `0`))
1068	#else
1069	if(setvbuf(keylog_file_fp, NULL, _IOLBF, `4096`))
1070	#endif
1071	{
1072	fclose(keylog_file_fp);
1073	keylog_file_fp = NULL;
1074	}
1075	}
1076	Curl_safefree(keylog_file_name);
1077	}
1078	}
1079	#endif
1080
1081	/ Initialize the extra data indexes /
1082	if(ossl_get_ssl_conn_index() < `0` \|\| ossl_get_ssl_sockindex_index() < `0`)
1083	return `0`;
1084
1085	return `1`;
1086	}
1087
1088	/ Global cleanup /
1089	static void Curl_ossl_cleanup(void)
1090	{
1091	#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
1092	!defined(LIBRESSL_VERSION_NUMBER)
1093	/ OpenSSL 1.1 deprecates all these cleanup functions and*
1094	turns them into no-ops in OpenSSL 1.0 compatibility mode /*
1095	#else
1096	/ Free ciphers and digests lists /
1097	EVP_cleanup();
1098
1099	#ifdef USE_OPENSSL_ENGINE
1100	/ Free engine list /
1101	ENGINE_cleanup();
1102	#endif
1103
1104	/ Free OpenSSL error strings /
1105	ERR_free_strings();
1106
1107	/ Free thread local error state, destroying hash upon zero refcount /
1108	#ifdef HAVE_ERR_REMOVE_THREAD_STATE
1109	ERR_remove_thread_state(NULL);
1110	#else
1111	ERR_remove_state(`0`);
1112	#endif
1113
1114	/ Free all memory allocated by all configuration modules /
1115	CONF_modules_free();
1116
1117	#ifdef HAVE_SSL_COMP_FREE_COMPRESSION_METHODS
1118	SSL_COMP_free_compression_methods();
1119	#endif
1120	#endif
1121
1122	#ifdef ENABLE_SSLKEYLOGFILE
1123	if(keylog_file_fp) {
1124	fclose(keylog_file_fp);
1125	keylog_file_fp = NULL;
1126	}
1127	#endif
1128	}
1129
1130	/*
1131	* This function is used to determine connection status.
1132	*
1133	* Return codes:
1134	* 1 means the connection is still in place
1135	* 0 means the connection has been closed
1136	* -1 means the connection status is unknown
1137	*/
1138	static int Curl_ossl_check_cxn(struct connectdata *conn)
1139	{
1140	/ SSL_peek takes data out of the raw recv buffer without peeking so we use*
1141	recv MSG_PEEK instead. Bug #795 /*
1142	#ifdef MSG_PEEK
1143	char buf;
1144	ssize_t nread;
1145	nread = recv((RECV_TYPE_ARG1)conn->sock[FIRSTSOCKET], (RECV_TYPE_ARG2)&buf,
1146	(RECV_TYPE_ARG3)`1`, (RECV_TYPE_ARG4)MSG_PEEK);
1147	if(nread == `0`)
1148	return `0`; / connection has been closed /
1149	if(nread == `1`)
1150	return `1`; / connection still in place /
1151	else if(nread == -`1`) {
1152	int err = SOCKERRNO;
1153	if(err == EINPROGRESS \|\|
1154	#if defined(EAGAIN) && (EAGAIN != EWOULDBLOCK)
1155	err == EAGAIN \|\|
1156	#endif
1157	err == EWOULDBLOCK)
1158	return `1`; / connection still in place /
1159	if(err == ECONNRESET \|\|
1160	#ifdef ECONNABORTED
1161	err == ECONNABORTED \|\|
1162	#endif
1163	#ifdef ENETDOWN
1164	err == ENETDOWN \|\|
1165	#endif
1166	#ifdef ENETRESET
1167	err == ENETRESET \|\|
1168	#endif
1169	#ifdef ESHUTDOWN
1170	err == ESHUTDOWN \|\|
1171	#endif
1172	#ifdef ETIMEDOUT
1173	err == ETIMEDOUT \|\|
1174	#endif
1175	err == ENOTCONN)
1176	return `0`; / connection has been closed /
1177	}
1178	#endif
1179	return -`1`; / connection status unknown /
1180	}
1181
1182	/ Selects an OpenSSL crypto engine*
1183	*/
1184	static CURLcode Curl_ossl_set_engine(struct Curl_easy *data,
1185	const char *engine)
1186	{
1187	#ifdef USE_OPENSSL_ENGINE
1188	ENGINE *e;
1189
1190	#if OPENSSL_VERSION_NUMBER >= 0x00909000L
1191	e = ENGINE_by_id(engine);
1192	#else
1193	/ avoid memory leak /
1194	for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
1195	const char *e_id = ENGINE_get_id(e);
1196	if(!strcmp(engine, e_id))
1197	break;
1198	}
1199	#endif
1200
1201	if(!e) {
1202	failf(data, "SSL Engine '%s' not found", engine);
1203	return CURLE_SSL_ENGINE_NOTFOUND;
1204	}
1205
1206	if(data->state.engine) {
1207	ENGINE_finish(data->state.engine);
1208	ENGINE_free(data->state.engine);
1209	data->state.engine = NULL;
1210	}
1211	if(!ENGINE_init(e)) {
1212	char buf[`256`];
1213
1214	ENGINE_free(e);
1215	failf(data, "Failed to initialise SSL Engine '%s':\n%s",
1216	engine, ossl_strerror(ERR_get_error(), buf, sizeof(buf)));
1217	return CURLE_SSL_ENGINE_INITFAILED;
1218	}
1219	data->state.engine = e;
1220	return CURLE_OK;
1221	#else
1222	(void)engine;
1223	failf(data, "SSL Engine not supported");
1224	return CURLE_SSL_ENGINE_NOTFOUND;
1225	#endif
1226	}
1227
1228	/ Sets engine as default for all SSL operations*
1229	*/
1230	static CURLcode Curl_ossl_set_engine_default(struct Curl_easy *data)
1231	{
1232	#ifdef USE_OPENSSL_ENGINE
1233	if(data->state.engine) {
1234	if(ENGINE_set_default(data->state.engine, ENGINE_METHOD_ALL) > `0`) {
1235	infof(data, "set default crypto engine '%s'\n",
1236	ENGINE_get_id(data->state.engine));
1237	}
1238	else {
1239	failf(data, "set default crypto engine '%s' failed",
1240	ENGINE_get_id(data->state.engine));
1241	return CURLE_SSL_ENGINE_SETFAILED;
1242	}
1243	}
1244	#else
1245	(void) data;
1246	#endif
1247	return CURLE_OK;
1248	}
1249
1250	/ Return list of OpenSSL crypto engine names.*
1251	*/
1252	static struct curl_slist Curl_ossl_engines_list(struct* Curl_easy *data)
1253	{
1254	struct curl_slist *list = NULL;
1255	#ifdef USE_OPENSSL_ENGINE
1256	struct curl_slist *beg;
1257	ENGINE *e;
1258
1259	for(e = ENGINE_get_first(); e; e = ENGINE_get_next(e)) {
1260	beg = curl_slist_append(list, ENGINE_get_id(e));
1261	if(!beg) {
1262	curl_slist_free_all(list);
1263	return NULL;
1264	}
1265	list = beg;
1266	}
1267	#endif
1268	(void) data;
1269	return list;
1270	}
1271
1272
1273	static void ossl_close(struct ssl_connect_data *connssl)
1274	{
1275	if(BACKEND->handle) {
1276	(void)SSL_shutdown(BACKEND->handle);
1277	SSL_set_connect_state(BACKEND->handle);
1278
1279	SSL_free(BACKEND->handle);
1280	BACKEND->handle = NULL;
1281	}
1282	if(BACKEND->ctx) {
1283	SSL_CTX_free(BACKEND->ctx);
1284	BACKEND->ctx = NULL;
1285	}
1286	}
1287
1288	/*
1289	* This function is called when an SSL connection is closed.
1290	*/
1291	static void Curl_ossl_close(struct connectdata conn, int* sockindex)
1292	{
1293	ossl_close(&conn->ssl[sockindex]);
1294	ossl_close(&conn->proxy_ssl[sockindex]);
1295	}
1296
1297	/*
1298	* This function is called to shut down the SSL layer but keep the
1299	* socket open (CCC - Clear Command Channel)
1300	*/
1301	static int Curl_ossl_shutdown(struct connectdata conn, int* sockindex)
1302	{
1303	int retval = `0`;
1304	struct ssl_connect_data *connssl = &conn->ssl[sockindex];
1305	struct Curl_easy *data = conn->data;
1306	char buf[`256`]; / We will use this for the OpenSSL error buffer, so it has*
1307	to be at least 256 bytes long. /*
1308	unsigned long sslerror;
1309	ssize_t nread;
1310	int buffsize;
1311	int err;
1312	bool done = FALSE;
1313
1314	#ifndef CURL_DISABLE_FTP
1315	/ This has only been tested on the proftpd server, and the mod_tls code*
1316	sends a close notify alert without waiting for a close notify alert in
1317	response. Thus we wait for a close notify alert from the server, but
1318	we do not send one. Let's hope other servers do the same... /*
1319
1320	if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE)
1321	(void)SSL_shutdown(BACKEND->handle);
1322	#endif
1323
1324	if(BACKEND->handle) {
1325	buffsize = (int)sizeof(buf);
1326	while(!done) {
1327	int what = SOCKET_READABLE(conn->sock[sockindex],
1328	SSL_SHUTDOWN_TIMEOUT);
1329	if(what > `0`) {
1330	ERR_clear_error();
1331
1332	/ Something to read, let's do it and hope that it is the close*
1333	notify alert from the server /*
1334	nread = (ssize_t)SSL_read(BACKEND->handle, buf, buffsize);
1335	err = SSL_get_error(BACKEND->handle, (int)nread);
1336
1337	switch(err) {
1338	case SSL_ERROR_NONE: / this is not an error /
1339	case SSL_ERROR_ZERO_RETURN: / no more data /
1340	/ This is the expected response. There was no data but only*
1341	the close notify alert /*
1342	done = TRUE;
1343	break;
1344	case SSL_ERROR_WANT_READ:
1345	/ there's data pending, re-invoke SSL_read() /
1346	infof(data, "SSL_ERROR_WANT_READ\n");
1347	break;
1348	case SSL_ERROR_WANT_WRITE:
1349	/ SSL wants a write. Really odd. Let's bail out. /
1350	infof(data, "SSL_ERROR_WANT_WRITE\n");
1351	done = TRUE;
1352	break;
1353	default:
1354	/ openssl/ssl.h says "look at error stack/return value/errno" /
1355	sslerror = ERR_get_error();
1356	failf(conn->data, OSSL_PACKAGE " SSL_read on shutdown: %s, errno %d",
1357	(sslerror ?
1358	ossl_strerror(sslerror, buf, sizeof(buf)) :
1359	SSL_ERROR_to_str(err)),
1360	SOCKERRNO);
1361	done = TRUE;
1362	break;
1363	}
1364	}
1365	else if(`0` == what) {
1366	/ timeout /
1367	failf(data, "SSL shutdown timeout");
1368	done = TRUE;
1369	}
1370	else {
1371	/ anything that gets here is fatally bad /
1372	failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
1373	retval = -`1`;
1374	done = TRUE;
1375	}
1376	} / while()-loop for the select() /
1377
1378	if(data->set.verbose) {
1379	#ifdef HAVE_SSL_GET_SHUTDOWN
1380	switch(SSL_get_shutdown(BACKEND->handle)) {
1381	case SSL_SENT_SHUTDOWN:
1382	infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\n");
1383	break;
1384	case SSL_RECEIVED_SHUTDOWN:
1385	infof(data, "SSL_get_shutdown() returned SSL_RECEIVED_SHUTDOWN\n");
1386	break;
1387	case SSL_SENT_SHUTDOWN\|SSL_RECEIVED_SHUTDOWN:
1388	infof(data, "SSL_get_shutdown() returned SSL_SENT_SHUTDOWN\|"
1389	"SSL_RECEIVED__SHUTDOWN\n");
1390	break;
1391	}
1392	#endif
1393	}
1394
1395	SSL_free(BACKEND->handle);
1396	BACKEND->handle = NULL;
1397	}
1398	return retval;
1399	}
1400
1401	static void Curl_ossl_session_free(void *ptr)
1402	{
1403	/ free the ID /
1404	SSL_SESSION_free(ptr);
1405	}
1406
1407	/*
1408	* This function is called when the 'data' struct is going away. Close
1409	* down everything and free all resources!
1410	*/
1411	static void Curl_ossl_close_all(struct Curl_easy *data)
1412	{
1413	#ifdef USE_OPENSSL_ENGINE
1414	if(data->state.engine) {
1415	ENGINE_finish(data->state.engine);
1416	ENGINE_free(data->state.engine);
1417	data->state.engine = NULL;
1418	}
1419	#else
1420	(void)data;
1421	#endif
1422	#if !defined(HAVE_ERR_REMOVE_THREAD_STATE_DEPRECATED) && \
1423	defined(HAVE_ERR_REMOVE_THREAD_STATE)
1424	/ OpenSSL 1.0.1 and 1.0.2 build an error queue that is stored per-thread*
1425	so we need to clean it here in case the thread will be killed. All OpenSSL
1426	code should extract the error in association with the error so clearing
1427	this queue here should be harmless at worst. /*
1428	ERR_remove_thread_state(NULL);
1429	#endif
1430	}
1431
1432	/ ====================================================== /
1433
1434	/*
1435	* Match subjectAltName against the host name. This requires a conversion
1436	* in CURL_DOES_CONVERSIONS builds.
1437	*/
1438	static bool subj_alt_hostcheck(struct Curl_easy *data,
1439	const char match_pattern, const* char *hostname,
1440	const char *dispname)
1441	#ifdef CURL_DOES_CONVERSIONS
1442	{
1443	bool res = FALSE;
1444
1445	/ Curl_cert_hostcheck uses host encoding, but we get ASCII from*
1446	OpenSSl.
1447	*/
1448	char *match_pattern2 = strdup(match_pattern);
1449
1450	if(match_pattern2) {
1451	if(Curl_convert_from_network(data, match_pattern2,
1452	strlen(match_pattern2)) == CURLE_OK) {
1453	if(Curl_cert_hostcheck(match_pattern2, hostname)) {
1454	res = TRUE;
1455	infof(data,
1456	" subjectAltName: host \"%s\" matched cert's \"%s\"\n",
1457	dispname, match_pattern2);
1458	}
1459	}
1460	free(match_pattern2);
1461	}
1462	else {
1463	failf(data,
1464	"SSL: out of memory when allocating temporary for subjectAltName");
1465	}
1466	return res;
1467	}
1468	#else
1469	{
1470	#ifdef CURL_DISABLE_VERBOSE_STRINGS
1471	(void)dispname;
1472	(void)data;
1473	#endif
1474	if(Curl_cert_hostcheck(match_pattern, hostname)) {
1475	infof(data, " subjectAltName: host \"%s\" matched cert's \"%s\"\n",
1476	dispname, match_pattern);
1477	return TRUE;
1478	}
1479	return FALSE;
1480	}
1481	#endif
1482
1483
1484	/ Quote from RFC2818 section 3.1 "Server Identity"*
1485
1486	If a subjectAltName extension of type dNSName is present, that MUST
1487	be used as the identity. Otherwise, the (most specific) Common Name
1488	field in the Subject field of the certificate MUST be used. Although
1489	the use of the Common Name is existing practice, it is deprecated and
1490	Certification Authorities are encouraged to use the dNSName instead.
1491
1492	Matching is performed using the matching rules specified by
1493	[RFC2459]. If more than one identity of a given type is present in
1494	the certificate (e.g., more than one dNSName name, a match in any one
1495	of the set is considered acceptable.) Names may contain the wildcard
1496	character which is considered to match any single domain name*
1497	component or component fragment. E.g., .a.com matches foo.a.com but*
1498	not bar.foo.a.com. f.com matches foo.com but not bar.com.*
1499
1500	In some cases, the URI is specified as an IP address rather than a
1501	hostname. In this case, the iPAddress subjectAltName must be present
1502	in the certificate and must exactly match the IP in the URI.
1503
1504	*/
1505	static CURLcode verifyhost(struct connectdata conn, X509 server_cert)
1506	{
1507	bool matched = FALSE;
1508	int target = GEN_DNS; / target type, GEN_DNS or GEN_IPADD /
1509	size_t addrlen = `0`;
1510	struct Curl_easy *data = conn->data;
1511	STACK_OF(GENERAL_NAME) *altnames;
1512	#ifdef ENABLE_IPV6
1513	struct in6_addr addr;
1514	#else
1515	struct in_addr addr;
1516	#endif
1517	CURLcode result = CURLE_OK;
1518	bool dNSName = FALSE; / if a dNSName field exists in the cert /
1519	bool iPAddress = FALSE; / if a iPAddress field exists in the cert /
1520	const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
1521	conn->host.name;
1522	const char * const dispname = SSL_IS_PROXY() ?
1523	conn->http_proxy.host.dispname : conn->host.dispname;
1524
1525	#ifdef ENABLE_IPV6
1526	if(conn->bits.ipv6_ip &&
1527	Curl_inet_pton(AF_INET6, hostname, &addr)) {
1528	target = GEN_IPADD;
1529	addrlen = sizeof(struct in6_addr);
1530	}
1531	else
1532	#endif
1533	if(Curl_inet_pton(AF_INET, hostname, &addr)) {
1534	target = GEN_IPADD;
1535	addrlen = sizeof(struct in_addr);
1536	}
1537
1538	/ get a "list" of alternative names /
1539	altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL);
1540
1541	if(altnames) {
1542	#ifdef OPENSSL_IS_BORINGSSL
1543	size_t numalts;
1544	size_t i;
1545	#else
1546	int numalts;
1547	int i;
1548	#endif
1549	bool dnsmatched = FALSE;
1550	bool ipmatched = FALSE;
1551
1552	/ get amount of alternatives, RFC2459 claims there MUST be at least*
1553	one, but we don't depend on it... /*
1554	numalts = sk_GENERAL_NAME_num(altnames);
1555
1556	/ loop through all alternatives - until a dnsmatch /
1557	for(i = `0`; (i < numalts) && !dnsmatched; i++) {
1558	/ get a handle to alternative name number i /
1559	const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i);
1560
1561	if(check->type == GEN_DNS)
1562	dNSName = TRUE;
1563	else if(check->type == GEN_IPADD)
1564	iPAddress = TRUE;
1565
1566	/ only check alternatives of the same type the target is /
1567	if(check->type == target) {
1568	/ get data and length /
1569	const char altptr = (char* *)ASN1_STRING_get0_data(check->d.ia5);
1570	size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
1571
1572	switch(target) {
1573	case GEN_DNS: / name/pattern comparison /
1574	/ The OpenSSL man page explicitly says: "In general it cannot be*
1575	assumed that the data returned by ASN1_STRING_data() is null
1576	terminated or does not contain embedded nulls." But also that
1577	"The actual format of the data will depend on the actual string
1578	type itself: for example for an IA5String the data will be ASCII"
1579
1580	It has been however verified that in 0.9.6 and 0.9.7, IA5String
1581	is always zero-terminated.
1582	*/
1583	if((altlen == strlen(altptr)) &&
1584	/ if this isn't true, there was an embedded zero in the name*
1585	string and we cannot match it. /*
1586	subj_alt_hostcheck(data, altptr, hostname, dispname)) {
1587	dnsmatched = TRUE;
1588	}
1589	break;
1590
1591	case GEN_IPADD: / IP address comparison /
1592	/ compare alternative IP address if the data chunk is the same size*
1593	our server IP address is /*
1594	if((altlen == addrlen) && !memcmp(altptr, &addr, altlen)) {
1595	ipmatched = TRUE;
1596	infof(data,
1597	" subjectAltName: host \"%s\" matched cert's IP address!\n",
1598	dispname);
1599	}
1600	break;
1601	}
1602	}
1603	}
1604	GENERAL_NAMES_free(altnames);
1605
1606	if(dnsmatched \|\| ipmatched)
1607	matched = TRUE;
1608	}
1609
1610	if(matched)
1611	/ an alternative name matched /
1612	;
1613	else if(dNSName \|\| iPAddress) {
1614	infof(data, " subjectAltName does not match %s\n", dispname);
1615	failf(data, "SSL: no alternative certificate subject name matches "
1616	"target host name '%s'", dispname);
1617	result = CURLE_PEER_FAILED_VERIFICATION;
1618	}
1619	else {
1620	/ we have to look to the last occurrence of a commonName in the*
1621	distinguished one to get the most significant one. /*
1622	int j, i = -`1`;
1623
1624	/ The following is done because of a bug in 0.9.6b /
1625
1626	unsigned char nulstr = (unsigned* char *)"";
1627	unsigned char *peer_CN = nulstr;
1628
1629	X509_NAME *name = X509_get_subject_name(server_cert);
1630	if(name)
1631	while((j = X509_NAME_get_index_by_NID(name, NID_commonName, i)) >= `0`)
1632	i = j;
1633
1634	/ we have the name entry and we will now convert this to a string*
1635	that we can use for comparison. Doing this we support BMPstring,
1636	UTF8 etc. /*
1637
1638	if(i >= `0`) {
1639	ASN1_STRING *tmp =
1640	X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, i));
1641
1642	/ In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input*
1643	is already UTF-8 encoded. We check for this case and copy the raw
1644	string manually to avoid the problem. This code can be made
1645	conditional in the future when OpenSSL has been fixed. /*
1646	if(tmp) {
1647	if(ASN1_STRING_type(tmp) == V_ASN1_UTF8STRING) {
1648	j = ASN1_STRING_length(tmp);
1649	if(j >= `0`) {
1650	peer_CN = OPENSSL_malloc(j + `1`);
1651	if(peer_CN) {
1652	memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
1653	peer_CN[j] = `'\0'`;
1654	}
1655	}
1656	}
1657	else / not a UTF8 name /
1658	j = ASN1_STRING_to_UTF8(&peer_CN, tmp);
1659
1660	if(peer_CN && (curlx_uztosi(strlen((char *)peer_CN)) != j)) {
1661	/ there was a terminating zero before the end of string, this*
1662	cannot match and we return failure! /*
1663	failf(data, "SSL: illegal cert name field");
1664	result = CURLE_PEER_FAILED_VERIFICATION;
1665	}
1666	}
1667	}
1668
1669	if(peer_CN == nulstr)
1670	peer_CN = NULL;
1671	else {
1672	/ convert peer_CN from UTF8 /
1673	CURLcode rc = Curl_convert_from_utf8(data, (char *)peer_CN,
1674	strlen((char *)peer_CN));
1675	/ Curl_convert_from_utf8 calls failf if unsuccessful /
1676	if(rc) {
1677	OPENSSL_free(peer_CN);
1678	return rc;
1679	}
1680	}
1681
1682	if(result)
1683	/ error already detected, pass through /
1684	;
1685	else if(!peer_CN) {
1686	failf(data,
1687	"SSL: unable to obtain common name from peer certificate");
1688	result = CURLE_PEER_FAILED_VERIFICATION;
1689	}
1690	else if(!Curl_cert_hostcheck((const char *)peer_CN, hostname)) {
1691	failf(data, "SSL: certificate subject name '%s' does not match "
1692	"target host name '%s'", peer_CN, dispname);
1693	result = CURLE_PEER_FAILED_VERIFICATION;
1694	}
1695	else {
1696	infof(data, " common name: %s (matched)\n", peer_CN);
1697	}
1698	if(peer_CN)
1699	OPENSSL_free(peer_CN);
1700	}
1701
1702	return result;
1703	}
1704
1705	#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
1706	!defined(OPENSSL_NO_OCSP)
1707	static CURLcode verifystatus(struct connectdata *conn,
1708	struct ssl_connect_data *connssl)
1709	{
1710	int i, ocsp_status;
1711	unsigned char *status;
1712	const unsigned char *p;
1713	CURLcode result = CURLE_OK;
1714	struct Curl_easy *data = conn->data;
1715
1716	OCSP_RESPONSE *rsp = NULL;
1717	OCSP_BASICRESP *br = NULL;
1718	X509_STORE *st = NULL;
1719	STACK_OF(X509) *ch = NULL;
1720
1721	long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &status);
1722
1723	if(!status) {
1724	failf(data, "No OCSP response received");
1725	result = CURLE_SSL_INVALIDCERTSTATUS;
1726	goto end;
1727	}
1728	p = status;
1729	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
1730	if(!rsp) {
1731	failf(data, "Invalid OCSP response");
1732	result = CURLE_SSL_INVALIDCERTSTATUS;
1733	goto end;
1734	}
1735
1736	ocsp_status = OCSP_response_status(rsp);
1737	if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
1738	failf(data, "Invalid OCSP response status: %s (%d)",
1739	OCSP_response_status_str(ocsp_status), ocsp_status);
1740	result = CURLE_SSL_INVALIDCERTSTATUS;
1741	goto end;
1742	}
1743
1744	br = OCSP_response_get1_basic(rsp);
1745	if(!br) {
1746	failf(data, "Invalid OCSP response");
1747	result = CURLE_SSL_INVALIDCERTSTATUS;
1748	goto end;
1749	}
1750
1751	ch = SSL_get_peer_cert_chain(BACKEND->handle);
1752	st = SSL_CTX_get_cert_store(BACKEND->ctx);
1753
1754	#if ((OPENSSL_VERSION_NUMBER <= 0x1000201fL) /* Fixed after 1.0.2a */ \|\| \
1755	(defined(LIBRESSL_VERSION_NUMBER) && \
1756	LIBRESSL_VERSION_NUMBER <= 0x2040200fL))
1757	/ The authorized responder cert in the OCSP response MUST be signed by the*
1758	peer cert's issuer (see RFC6960 section 4.2.2.2). If that's a root cert,
1759	no problem, but if it's an intermediate cert OpenSSL has a bug where it
1760	expects this issuer to be present in the chain embedded in the OCSP
1761	response. So we add it if necessary. /*
1762
1763	/ First make sure the peer cert chain includes both a peer and an issuer,*
1764	and the OCSP response contains a responder cert. /*
1765	if(sk_X509_num(ch) >= `2` && sk_X509_num(br->certs) >= `1`) {
1766	X509 *responder = sk_X509_value(br->certs, sk_X509_num(br->certs) - `1`);
1767
1768	/ Find issuer of responder cert and add it to the OCSP response chain /
1769	for(i = `0`; i < sk_X509_num(ch); i++) {
1770	X509 *issuer = sk_X509_value(ch, i);
1771	if(X509_check_issued(issuer, responder) == X509_V_OK) {
1772	if(!OCSP_basic_add1_cert(br, issuer)) {
1773	failf(data, "Could not add issuer cert to OCSP response");
1774	result = CURLE_SSL_INVALIDCERTSTATUS;
1775	goto end;
1776	}
1777	}
1778	}
1779	}
1780	#endif
1781
1782	if(OCSP_basic_verify(br, ch, st, `0`) <= `0`) {
1783	failf(data, "OCSP response verification failed");
1784	result = CURLE_SSL_INVALIDCERTSTATUS;
1785	goto end;
1786	}
1787
1788	for(i = `0`; i < OCSP_resp_count(br); i++) {
1789	int cert_status, crl_reason;
1790	OCSP_SINGLERESP *single = NULL;
1791
1792	ASN1_GENERALIZEDTIME rev, thisupd, *nextupd;
1793
1794	single = OCSP_resp_get0(br, i);
1795	if(!single)
1796	continue;
1797
1798	cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
1799	&thisupd, &nextupd);
1800
1801	if(!OCSP_check_validity(thisupd, nextupd, `300L`, -`1L`)) {
1802	failf(data, "OCSP response has expired");
1803	result = CURLE_SSL_INVALIDCERTSTATUS;
1804	goto end;
1805	}
1806
1807	infof(data, "SSL certificate status: %s (%d)\n",
1808	OCSP_cert_status_str(cert_status), cert_status);
1809
1810	switch(cert_status) {
1811	case V_OCSP_CERTSTATUS_GOOD:
1812	break;
1813
1814	case V_OCSP_CERTSTATUS_REVOKED:
1815	result = CURLE_SSL_INVALIDCERTSTATUS;
1816
1817	failf(data, "SSL certificate revocation reason: %s (%d)",
1818	OCSP_crl_reason_str(crl_reason), crl_reason);
1819	goto end;
1820
1821	case V_OCSP_CERTSTATUS_UNKNOWN:
1822	result = CURLE_SSL_INVALIDCERTSTATUS;
1823	goto end;
1824	}
1825	}
1826
1827	end:
1828	if(br) OCSP_BASICRESP_free(br);
1829	OCSP_RESPONSE_free(rsp);
1830
1831	return result;
1832	}
1833	#endif
1834
1835	#endif /* USE_OPENSSL */
1836
1837	/ The SSL_CTRL_SET_MSG_CALLBACK doesn't exist in ancient OpenSSL versions*
1838	and thus this cannot be done there. /*
1839	#ifdef SSL_CTRL_SET_MSG_CALLBACK
1840
1841	static const char ssl_msg_type(int* ssl_ver, int msg)
1842	{
1843	#ifdef SSL2_VERSION_MAJOR
1844	if(ssl_ver == SSL2_VERSION_MAJOR) {
1845	switch(msg) {
1846	case SSL2_MT_ERROR:
1847	return "Error";
1848	case SSL2_MT_CLIENT_HELLO:
1849	return "Client hello";
1850	case SSL2_MT_CLIENT_MASTER_KEY:
1851	return "Client key";
1852	case SSL2_MT_CLIENT_FINISHED:
1853	return "Client finished";
1854	case SSL2_MT_SERVER_HELLO:
1855	return "Server hello";
1856	case SSL2_MT_SERVER_VERIFY:
1857	return "Server verify";
1858	case SSL2_MT_SERVER_FINISHED:
1859	return "Server finished";
1860	case SSL2_MT_REQUEST_CERTIFICATE:
1861	return "Request CERT";
1862	case SSL2_MT_CLIENT_CERTIFICATE:
1863	return "Client CERT";
1864	}
1865	}
1866	else
1867	#endif
1868	if(ssl_ver == SSL3_VERSION_MAJOR) {
1869	switch(msg) {
1870	case SSL3_MT_HELLO_REQUEST:
1871	return "Hello request";
1872	case SSL3_MT_CLIENT_HELLO:
1873	return "Client hello";
1874	case SSL3_MT_SERVER_HELLO:
1875	return "Server hello";
1876	#ifdef SSL3_MT_NEWSESSION_TICKET
1877	case SSL3_MT_NEWSESSION_TICKET:
1878	return "Newsession Ticket";
1879	#endif
1880	case SSL3_MT_CERTIFICATE:
1881	return "Certificate";
1882	case SSL3_MT_SERVER_KEY_EXCHANGE:
1883	return "Server key exchange";
1884	case SSL3_MT_CLIENT_KEY_EXCHANGE:
1885	return "Client key exchange";
1886	case SSL3_MT_CERTIFICATE_REQUEST:
1887	return "Request CERT";
1888	case SSL3_MT_SERVER_DONE:
1889	return "Server finished";
1890	case SSL3_MT_CERTIFICATE_VERIFY:
1891	return "CERT verify";
1892	case SSL3_MT_FINISHED:
1893	return "Finished";
1894	#ifdef SSL3_MT_CERTIFICATE_STATUS
1895	case SSL3_MT_CERTIFICATE_STATUS:
1896	return "Certificate Status";
1897	#endif
1898	#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS
1899	case SSL3_MT_ENCRYPTED_EXTENSIONS:
1900	return "Encrypted Extensions";
1901	#endif
1902	#ifdef SSL3_MT_END_OF_EARLY_DATA
1903	case SSL3_MT_END_OF_EARLY_DATA:
1904	return "End of early data";
1905	#endif
1906	#ifdef SSL3_MT_KEY_UPDATE
1907	case SSL3_MT_KEY_UPDATE:
1908	return "Key update";
1909	#endif
1910	#ifdef SSL3_MT_NEXT_PROTO
1911	case SSL3_MT_NEXT_PROTO:
1912	return "Next protocol";
1913	#endif
1914	#ifdef SSL3_MT_MESSAGE_HASH
1915	case SSL3_MT_MESSAGE_HASH:
1916	return "Message hash";
1917	#endif
1918	}
1919	}
1920	return "Unknown";
1921	}
1922
1923	static const char tls_rt_type(int* type)
1924	{
1925	switch(type) {
1926	#ifdef SSL3_RT_HEADER
1927	case SSL3_RT_HEADER:
1928	return "TLS header";
1929	#endif
1930	case SSL3_RT_CHANGE_CIPHER_SPEC:
1931	return "TLS change cipher";
1932	case SSL3_RT_ALERT:
1933	return "TLS alert";
1934	case SSL3_RT_HANDSHAKE:
1935	return "TLS handshake";
1936	case SSL3_RT_APPLICATION_DATA:
1937	return "TLS app data";
1938	default:
1939	return "TLS Unknown";
1940	}
1941	}
1942
1943
1944	/*
1945	* Our callback from the SSL/TLS layers.
1946	*/
1947	static void ssl_tls_trace(int direction, int ssl_ver, int content_type,
1948	const void buf, size_t len, SSL ssl,
1949	void *userp)
1950	{
1951	struct Curl_easy *data;
1952	char unknown[`32`];
1953	const char *verstr = NULL;
1954	struct connectdata *conn = userp;
1955
1956	if(!conn \|\| !conn->data \|\| !conn->data->set.fdebug \|\|
1957	(direction != `0` && direction != `1`))
1958	return;
1959
1960	data = conn->data;
1961
1962	switch(ssl_ver) {
1963	#ifdef SSL2_VERSION /* removed in recent versions */
1964	case SSL2_VERSION:
1965	verstr = "SSLv2";
1966	break;
1967	#endif
1968	#ifdef SSL3_VERSION
1969	case SSL3_VERSION:
1970	verstr = "SSLv3";
1971	break;
1972	#endif
1973	case TLS1_VERSION:
1974	verstr = "TLSv1.0";
1975	break;
1976	#ifdef TLS1_1_VERSION
1977	case TLS1_1_VERSION:
1978	verstr = "TLSv1.1";
1979	break;
1980	#endif
1981	#ifdef TLS1_2_VERSION
1982	case TLS1_2_VERSION:
1983	verstr = "TLSv1.2";
1984	break;
1985	#endif
1986	#ifdef TLS1_3_VERSION
1987	case TLS1_3_VERSION:
1988	verstr = "TLSv1.3";
1989	break;
1990	#endif
1991	case `0`:
1992	break;
1993	default:
1994	msnprintf(unknown, sizeof(unknown), "(%x)", ssl_ver);
1995	verstr = unknown;
1996	break;
1997	}
1998
1999	/ Log progress for interesting records only (like Handshake or Alert), skip*
2000	* all raw record headers (content_type == SSL3_RT_HEADER or ssl_ver == 0).
2001	* For TLS 1.3, skip notification of the decrypted inner Content Type.
2002	*/
2003	if(ssl_ver
2004	#ifdef SSL3_RT_INNER_CONTENT_TYPE
2005	&& content_type != SSL3_RT_INNER_CONTENT_TYPE
2006	#endif
2007	) {
2008	const char msg_name, tls_rt_name;
2009	char ssl_buf[`1024`];
2010	int msg_type, txt_len;
2011
2012	/ the info given when the version is zero is not that useful for us /
2013
2014	ssl_ver >>= `8`; / check the upper 8 bits only below /
2015
2016	/ SSLv2 doesn't seem to have TLS record-type headers, so OpenSSL*
2017	* always pass-up content-type as 0. But the interesting message-type
2018	* is at 'buf[0]'.
2019	*/
2020	if(ssl_ver == SSL3_VERSION_MAJOR && content_type)
2021	tls_rt_name = tls_rt_type(content_type);
2022	else
2023	tls_rt_name = "";
2024
2025	if(content_type == SSL3_RT_CHANGE_CIPHER_SPEC) {
2026	msg_type = (char* *)buf;
2027	msg_name = "Change cipher spec";
2028	}
2029	else if(content_type == SSL3_RT_ALERT) {
2030	msg_type = (((char )buf)[`0`] << `8`) + ((char* *)buf)[`1`];
2031	msg_name = SSL_alert_desc_string_long(msg_type);
2032	}
2033	else {
2034	msg_type = (char* *)buf;
2035	msg_name = ssl_msg_type(ssl_ver, msg_type);
2036	}
2037
2038	txt_len = msnprintf(ssl_buf, sizeof(ssl_buf), "%s (%s), %s, %s (%d):\n",
2039	verstr, direction?"OUT":"IN",
2040	tls_rt_name, msg_name, msg_type);
2041	if(`0` <= txt_len && (unsigned)txt_len < sizeof(ssl_buf)) {
2042	Curl_debug(data, CURLINFO_TEXT, ssl_buf, (size_t)txt_len);
2043	}
2044	}
2045
2046	Curl_debug(data, (direction == `1`) ? CURLINFO_SSL_DATA_OUT :
2047	CURLINFO_SSL_DATA_IN, (char *)buf, len);
2048	(void) ssl;
2049	}
2050	#endif
2051
2052	#ifdef USE_OPENSSL
2053	/ ====================================================== /
2054
2055	#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2056	# define use_sni(x) sni = (x)
2057	#else
2058	# define use_sni(x) Curl_nop_stmt
2059	#endif
2060
2061	/ Check for OpenSSL 1.0.2 which has ALPN support. /
2062	#undef HAS_ALPN
2063	#if OPENSSL_VERSION_NUMBER >= 0x10002000L \
2064	&& !defined(OPENSSL_NO_TLSEXT)
2065	# define HAS_ALPN 1
2066	#endif
2067
2068	/ Check for OpenSSL 1.0.1 which has NPN support. /
2069	#undef HAS_NPN
2070	#if OPENSSL_VERSION_NUMBER >= 0x10001000L \
2071	&& !defined(OPENSSL_NO_TLSEXT) \
2072	&& !defined(OPENSSL_NO_NEXTPROTONEG)
2073	# define HAS_NPN 1
2074	#endif
2075
2076	#ifdef HAS_NPN
2077
2078	/*
2079	* in is a list of length prefixed strings. this function has to select
2080	* the protocol we want to use from the list and write its string into out.
2081	*/
2082
2083	static int
2084	select_next_protocol(unsigned char *out, unsigned* char *outlen,
2085	const unsigned char in, unsigned* int inlen,
2086	const char key, unsigned* int keylen)
2087	{
2088	unsigned int i;
2089	for(i = `0`; i + keylen <= inlen; i += in[i] + `1`) {
2090	if(memcmp(&in[i + `1`], key, keylen) == `0`) {
2091	out = (unsigned* char *) &in[i + `1`];
2092	*outlen = in[i];
2093	return `0`;
2094	}
2095	}
2096	return -`1`;
2097	}
2098
2099	static int
2100	select_next_proto_cb(SSL *ssl,
2101	unsigned char *out, unsigned* char *outlen,
2102	const unsigned char in, unsigned* int inlen,
2103	void *arg)
2104	{
2105	struct connectdata conn = (struct* connectdata*) arg;
2106
2107	(void)ssl;
2108
2109	#ifdef USE_NGHTTP2
2110	if(conn->data->set.httpversion >= CURL_HTTP_VERSION_2 &&
2111	!select_next_protocol(out, outlen, in, inlen, NGHTTP2_PROTO_VERSION_ID,
2112	NGHTTP2_PROTO_VERSION_ID_LEN)) {
2113	infof(conn->data, "NPN, negotiated HTTP2 (%s)\n",
2114	NGHTTP2_PROTO_VERSION_ID);
2115	conn->negnpn = CURL_HTTP_VERSION_2;
2116	return SSL_TLSEXT_ERR_OK;
2117	}
2118	#endif
2119
2120	if(!select_next_protocol(out, outlen, in, inlen, ALPN_HTTP_1_1,
2121	ALPN_HTTP_1_1_LENGTH)) {
2122	infof(conn->data, "NPN, negotiated HTTP1.1\n");
2123	conn->negnpn = CURL_HTTP_VERSION_1_1;
2124	return SSL_TLSEXT_ERR_OK;
2125	}
2126
2127	infof(conn->data, "NPN, no overlap, use HTTP1.1\n");
2128	out = (unsigned* char *)ALPN_HTTP_1_1;
2129	*outlen = ALPN_HTTP_1_1_LENGTH;
2130	conn->negnpn = CURL_HTTP_VERSION_1_1;
2131
2132	return SSL_TLSEXT_ERR_OK;
2133	}
2134	#endif /* HAS_NPN */
2135
2136	#ifndef CURL_DISABLE_VERBOSE_STRINGS
2137	static const char *
2138	get_ssl_version_txt(SSL *ssl)
2139	{
2140	if(!ssl)
2141	return "";
2142
2143	switch(SSL_version(ssl)) {
2144	#ifdef TLS1_3_VERSION
2145	case TLS1_3_VERSION:
2146	return "TLSv1.3";
2147	#endif
2148	#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2149	case TLS1_2_VERSION:
2150	return "TLSv1.2";
2151	case TLS1_1_VERSION:
2152	return "TLSv1.1";
2153	#endif
2154	case TLS1_VERSION:
2155	return "TLSv1.0";
2156	case SSL3_VERSION:
2157	return "SSLv3";
2158	case SSL2_VERSION:
2159	return "SSLv2";
2160	}
2161	return "unknown";
2162	}
2163	#endif
2164
2165	#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
2166	static CURLcode
2167	set_ssl_version_min_max(SSL_CTX ctx, struct* connectdata *conn)
2168	{
2169	/ first, TLS min version... /
2170	long curl_ssl_version_min = SSL_CONN_CONFIG(version);
2171	long curl_ssl_version_max;
2172
2173	/ convert cURL min SSL version option to OpenSSL constant /
2174	#if defined(OPENSSL_IS_BORINGSSL) \|\| defined(LIBRESSL_VERSION_NUMBER)
2175	uint16_t ossl_ssl_version_min = `0`;
2176	uint16_t ossl_ssl_version_max = `0`;
2177	#else
2178	long ossl_ssl_version_min = `0`;
2179	long ossl_ssl_version_max = `0`;
2180	#endif
2181	switch(curl_ssl_version_min) {
2182	case CURL_SSLVERSION_TLSv1: / TLS 1.x /
2183	case CURL_SSLVERSION_TLSv1_0:
2184	ossl_ssl_version_min = TLS1_VERSION;
2185	break;
2186	case CURL_SSLVERSION_TLSv1_1:
2187	ossl_ssl_version_min = TLS1_1_VERSION;
2188	break;
2189	case CURL_SSLVERSION_TLSv1_2:
2190	ossl_ssl_version_min = TLS1_2_VERSION;
2191	break;
2192	#ifdef TLS1_3_VERSION
2193	case CURL_SSLVERSION_TLSv1_3:
2194	ossl_ssl_version_min = TLS1_3_VERSION;
2195	break;
2196	#endif
2197	}
2198
2199	/ CURL_SSLVERSION_DEFAULT means that no option was selected.*
2200	We don't want to pass 0 to SSL_CTX_set_min_proto_version as
2201	it would enable all versions down to the lowest supported by
2202	the library.
2203	So we skip this, and stay with the OS default
2204	*/
2205	if(curl_ssl_version_min != CURL_SSLVERSION_DEFAULT) {
2206	if(!SSL_CTX_set_min_proto_version(ctx, ossl_ssl_version_min)) {
2207	return CURLE_SSL_CONNECT_ERROR;
2208	}
2209	}
2210
2211	/ ... then, TLS max version /
2212	curl_ssl_version_max = SSL_CONN_CONFIG(version_max);
2213
2214	/ convert cURL max SSL version option to OpenSSL constant /
2215	ossl_ssl_version_max = `0`;
2216	switch(curl_ssl_version_max) {
2217	case CURL_SSLVERSION_MAX_TLSv1_0:
2218	ossl_ssl_version_max = TLS1_VERSION;
2219	break;
2220	case CURL_SSLVERSION_MAX_TLSv1_1:
2221	ossl_ssl_version_max = TLS1_1_VERSION;
2222	break;
2223	case CURL_SSLVERSION_MAX_TLSv1_2:
2224	ossl_ssl_version_max = TLS1_2_VERSION;
2225	break;
2226	#ifdef TLS1_3_VERSION
2227	case CURL_SSLVERSION_MAX_TLSv1_3:
2228	ossl_ssl_version_max = TLS1_3_VERSION;
2229	break;
2230	#endif
2231	case CURL_SSLVERSION_MAX_NONE: / none selected /
2232	case CURL_SSLVERSION_MAX_DEFAULT: / max selected /
2233	default:
2234	/ SSL_CTX_set_max_proto_version states that:*
2235	setting the maximum to 0 will enable
2236	protocol versions up to the highest version
2237	supported by the library /*
2238	ossl_ssl_version_max = `0`;
2239	break;
2240	}
2241
2242	if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
2243	return CURLE_SSL_CONNECT_ERROR;
2244	}
2245
2246	return CURLE_OK;
2247	}
2248	#endif
2249
2250	#ifdef OPENSSL_IS_BORINGSSL
2251	typedef uint32_t ctx_option_t;
2252	#else
2253	typedef long ctx_option_t;
2254	#endif
2255
2256	#if (OPENSSL_VERSION_NUMBER < 0x10100000L) /* 1.1.0 */
2257	static CURLcode
2258	set_ssl_version_min_max_legacy(ctx_option_t *ctx_options,
2259	struct connectdata conn, int* sockindex)
2260	{
2261	#if (OPENSSL_VERSION_NUMBER < 0x1000100FL) \|\| !defined(TLS1_3_VERSION)
2262	/ convoluted #if condition just to avoid compiler warnings on unused*
2263	variable /*
2264	struct Curl_easy *data = conn->data;
2265	#endif
2266	long ssl_version = SSL_CONN_CONFIG(version);
2267	long ssl_version_max = SSL_CONN_CONFIG(version_max);
2268
2269	switch(ssl_version) {
2270	case CURL_SSLVERSION_TLSv1_3:
2271	#ifdef TLS1_3_VERSION
2272	{
2273	struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2274	SSL_CTX_set_max_proto_version(BACKEND->ctx, TLS1_3_VERSION);
2275	*ctx_options \|= SSL_OP_NO_TLSv1_2;
2276	}
2277	#else
2278	(void)sockindex;
2279	(void)ctx_options;
2280	failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
2281	return CURLE_NOT_BUILT_IN;
2282	#endif
2283	/ FALLTHROUGH /
2284	case CURL_SSLVERSION_TLSv1_2:
2285	#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2286	*ctx_options \|= SSL_OP_NO_TLSv1_1;
2287	#else
2288	failf(data, OSSL_PACKAGE " was built without TLS 1.2 support");
2289	return CURLE_NOT_BUILT_IN;
2290	#endif
2291	/ FALLTHROUGH /
2292	case CURL_SSLVERSION_TLSv1_1:
2293	#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2294	*ctx_options \|= SSL_OP_NO_TLSv1;
2295	#else
2296	failf(data, OSSL_PACKAGE " was built without TLS 1.1 support");
2297	return CURLE_NOT_BUILT_IN;
2298	#endif
2299	/ FALLTHROUGH /
2300	case CURL_SSLVERSION_TLSv1_0:
2301	case CURL_SSLVERSION_TLSv1:
2302	break;
2303	}
2304
2305	switch(ssl_version_max) {
2306	case CURL_SSLVERSION_MAX_TLSv1_0:
2307	#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2308	*ctx_options \|= SSL_OP_NO_TLSv1_1;
2309	#endif
2310	/ FALLTHROUGH /
2311	case CURL_SSLVERSION_MAX_TLSv1_1:
2312	#if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2313	*ctx_options \|= SSL_OP_NO_TLSv1_2;
2314	#endif
2315	/ FALLTHROUGH /
2316	case CURL_SSLVERSION_MAX_TLSv1_2:
2317	#ifdef TLS1_3_VERSION
2318	*ctx_options \|= SSL_OP_NO_TLSv1_3;
2319	#endif
2320	break;
2321	case CURL_SSLVERSION_MAX_TLSv1_3:
2322	#ifdef TLS1_3_VERSION
2323	break;
2324	#else
2325	failf(data, OSSL_PACKAGE " was built without TLS 1.3 support");
2326	return CURLE_NOT_BUILT_IN;
2327	#endif
2328	}
2329	return CURLE_OK;
2330	}
2331	#endif
2332
2333	/ The "new session" callback must return zero if the session can be removed*
2334	* or non-zero if the session has been put into the session cache.
2335	*/
2336	static int ossl_new_session_cb(SSL ssl, SSL_SESSION ssl_sessionid)
2337	{
2338	int res = `0`;
2339	struct connectdata *conn;
2340	struct Curl_easy *data;
2341	int sockindex;
2342	curl_socket_t *sockindex_ptr;
2343	int connectdata_idx = ossl_get_ssl_conn_index();
2344	int sockindex_idx = ossl_get_ssl_sockindex_index();
2345
2346	if(connectdata_idx < `0` \|\| sockindex_idx < `0`)
2347	return `0`;
2348
2349	conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
2350	if(!conn)
2351	return `0`;
2352
2353	data = conn->data;
2354
2355	/ The sockindex has been stored as a pointer to an array element /
2356	sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
2357	sockindex = (int)(sockindex_ptr - conn->sock);
2358
2359	if(SSL_SET_OPTION(primary.sessionid)) {
2360	bool incache;
2361	void *old_ssl_sessionid = NULL;
2362
2363	Curl_ssl_sessionid_lock(conn);
2364	incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
2365	sockindex));
2366	if(incache) {
2367	if(old_ssl_sessionid != ssl_sessionid) {
2368	infof(data, "old SSL session ID is stale, removing\n");
2369	Curl_ssl_delsessionid(conn, old_ssl_sessionid);
2370	incache = FALSE;
2371	}
2372	}
2373
2374	if(!incache) {
2375	if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
2376	`0` / unknown size /, sockindex)) {
2377	/ the session has been put into the session cache /
2378	res = `1`;
2379	}
2380	else
2381	failf(data, "failed to store ssl session");
2382	}
2383	Curl_ssl_sessionid_unlock(conn);
2384	}
2385
2386	return res;
2387	}
2388
2389	static CURLcode ossl_connect_step1(struct connectdata conn, int* sockindex)
2390	{
2391	CURLcode result = CURLE_OK;
2392	char *ciphers;
2393	struct Curl_easy *data = conn->data;
2394	SSL_METHOD_QUAL SSL_METHOD *req_method = NULL;
2395	X509_LOOKUP *lookup = NULL;
2396	curl_socket_t sockfd = conn->sock[sockindex];
2397	struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2398	ctx_option_t ctx_options = `0`;
2399
2400	#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2401	bool sni;
2402	const char * const hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
2403	conn->host.name;
2404	#ifdef ENABLE_IPV6
2405	struct in6_addr addr;
2406	#else
2407	struct in_addr addr;
2408	#endif
2409	#endif
2410	long * const certverifyresult = SSL_IS_PROXY() ?
2411	&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
2412	const long int ssl_version = SSL_CONN_CONFIG(version);
2413	#ifdef USE_TLS_SRP
2414	const enum CURL_TLSAUTH ssl_authtype = SSL_SET_OPTION(authtype);
2415	#endif
2416	char * const ssl_cert = SSL_SET_OPTION(cert);
2417	const char * const ssl_cert_type = SSL_SET_OPTION(cert_type);
2418	const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
2419	const char * const ssl_capath = SSL_CONN_CONFIG(CApath);
2420	const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
2421	const char * const ssl_crlfile = SSL_SET_OPTION(CRLfile);
2422	char error_buffer[`256`];
2423
2424	DEBUGASSERT(ssl_connect_1 == connssl->connecting_state);
2425
2426	/ Make funny stuff to get random input /
2427	result = Curl_ossl_seed(data);
2428	if(result)
2429	return result;
2430
2431	*certverifyresult = !X509_V_OK;
2432
2433	/ check to see if we've been told to use an explicit SSL/TLS version /
2434
2435	switch(ssl_version) {
2436	case CURL_SSLVERSION_DEFAULT:
2437	case CURL_SSLVERSION_TLSv1:
2438	case CURL_SSLVERSION_TLSv1_0:
2439	case CURL_SSLVERSION_TLSv1_1:
2440	case CURL_SSLVERSION_TLSv1_2:
2441	case CURL_SSLVERSION_TLSv1_3:
2442	/ it will be handled later with the context options /
2443	#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
2444	req_method = TLS_client_method();
2445	#else
2446	req_method = SSLv23_client_method();
2447	#endif
2448	use_sni(TRUE);
2449	break;
2450	case CURL_SSLVERSION_SSLv2:
2451	#ifdef OPENSSL_NO_SSL2
2452	failf(data, OSSL_PACKAGE " was built without SSLv2 support");
2453	return CURLE_NOT_BUILT_IN;
2454	#else
2455	#ifdef USE_TLS_SRP
2456	if(ssl_authtype == CURL_TLSAUTH_SRP)
2457	return CURLE_SSL_CONNECT_ERROR;
2458	#endif
2459	req_method = SSLv2_client_method();
2460	use_sni(FALSE);
2461	break;
2462	#endif
2463	case CURL_SSLVERSION_SSLv3:
2464	#ifdef OPENSSL_NO_SSL3_METHOD
2465	failf(data, OSSL_PACKAGE " was built without SSLv3 support");
2466	return CURLE_NOT_BUILT_IN;
2467	#else
2468	#ifdef USE_TLS_SRP
2469	if(ssl_authtype == CURL_TLSAUTH_SRP)
2470	return CURLE_SSL_CONNECT_ERROR;
2471	#endif
2472	req_method = SSLv3_client_method();
2473	use_sni(FALSE);
2474	break;
2475	#endif
2476	default:
2477	failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
2478	return CURLE_SSL_CONNECT_ERROR;
2479	}
2480
2481	if(BACKEND->ctx)
2482	SSL_CTX_free(BACKEND->ctx);
2483	BACKEND->ctx = SSL_CTX_new(req_method);
2484
2485	if(!BACKEND->ctx) {
2486	failf(data, "SSL: couldn't create a context: %s",
2487	ossl_strerror(ERR_peek_error(), error_buffer, sizeof(error_buffer)));
2488	return CURLE_OUT_OF_MEMORY;
2489	}
2490
2491	#ifdef SSL_MODE_RELEASE_BUFFERS
2492	SSL_CTX_set_mode(BACKEND->ctx, SSL_MODE_RELEASE_BUFFERS);
2493	#endif
2494
2495	#ifdef SSL_CTRL_SET_MSG_CALLBACK
2496	if(data->set.fdebug && data->set.verbose) {
2497	/ the SSL trace callback is only used for verbose logging /
2498	SSL_CTX_set_msg_callback(BACKEND->ctx, ssl_tls_trace);
2499	SSL_CTX_set_msg_callback_arg(BACKEND->ctx, conn);
2500	}
2501	#endif
2502
2503	/ OpenSSL contains code to work-around lots of bugs and flaws in various*
2504	SSL-implementations. SSL_CTX_set_options() is used to enabled those
2505	work-arounds. The man page for this option states that SSL_OP_ALL enables
2506	all the work-arounds and that "It is usually safe to use SSL_OP_ALL to
2507	enable the bug workaround options if compatibility with somewhat broken
2508	implementations is desired."
2509
2510	The "-no_ticket" option was introduced in Openssl0.9.8j. It's a flag to
2511	disable "rfc4507bis session ticket support". rfc4507bis was later turned
2512	into the proper RFC5077 it seems: https://tools.ietf.org/html/rfc5077
2513
2514	The enabled extension concerns the session management. I wonder how often
2515	libcurl stops a connection and then resumes a TLS session. also, sending
2516	the session data is some overhead. .I suggest that you just use your
2517	proposed patch (which explicitly disables TICKET).
2518
2519	If someone writes an application with libcurl and openssl who wants to
2520	enable the feature, one can do this in the SSL callback.
2521
2522	SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option enabling allowed proper
2523	interoperability with web server Netscape Enterprise Server 2.0.1 which
2524	was released back in 1996.
2525
2526	Due to CVE-2010-4180, option SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG has
2527	become ineffective as of OpenSSL 0.9.8q and 1.0.0c. In order to mitigate
2528	CVE-2010-4180 when using previous OpenSSL versions we no longer enable
2529	this option regardless of OpenSSL version and SSL_OP_ALL definition.
2530
2531	OpenSSL added a work-around for a SSL 3.0/TLS 1.0 CBC vulnerability
2532	(https://www.openssl.org/~bodo/tls-cbc.txt). In 0.9.6e they added a bit to
2533	SSL_OP_ALL that _disables_ that work-around despite the fact that
2534	SSL_OP_ALL is documented to do "rather harmless" workarounds. In order to
2535	keep the secure work-around, the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS bit
2536	must not be set.
2537	*/
2538
2539	ctx_options = SSL_OP_ALL;
2540
2541	#ifdef SSL_OP_NO_TICKET
2542	ctx_options \|= SSL_OP_NO_TICKET;
2543	#endif
2544
2545	#ifdef SSL_OP_NO_COMPRESSION
2546	ctx_options \|= SSL_OP_NO_COMPRESSION;
2547	#endif
2548
2549	#ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
2550	/ mitigate CVE-2010-4180 /
2551	ctx_options &= ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
2552	#endif
2553
2554	#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2555	/ unless the user explicitly ask to allow the protocol vulnerability we*
2556	use the work-around /*
2557	if(!SSL_SET_OPTION(enable_beast))
2558	ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
2559	#endif
2560
2561	switch(ssl_version) {
2562	/ "--sslv2" option means SSLv2 only, disable all others /
2563	case CURL_SSLVERSION_SSLv2:
2564	#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
2565	SSL_CTX_set_min_proto_version(BACKEND->ctx, SSL2_VERSION);
2566	SSL_CTX_set_max_proto_version(BACKEND->ctx, SSL2_VERSION);
2567	#else
2568	ctx_options \|= SSL_OP_NO_SSLv3;
2569	ctx_options \|= SSL_OP_NO_TLSv1;
2570	# if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2571	ctx_options \|= SSL_OP_NO_TLSv1_1;
2572	ctx_options \|= SSL_OP_NO_TLSv1_2;
2573	# ifdef TLS1_3_VERSION
2574	ctx_options \|= SSL_OP_NO_TLSv1_3;
2575	# endif
2576	# endif
2577	#endif
2578	break;
2579
2580	/ "--sslv3" option means SSLv3 only, disable all others /
2581	case CURL_SSLVERSION_SSLv3:
2582	#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 */
2583	SSL_CTX_set_min_proto_version(BACKEND->ctx, SSL3_VERSION);
2584	SSL_CTX_set_max_proto_version(BACKEND->ctx, SSL3_VERSION);
2585	#else
2586	ctx_options \|= SSL_OP_NO_SSLv2;
2587	ctx_options \|= SSL_OP_NO_TLSv1;
2588	# if OPENSSL_VERSION_NUMBER >= 0x1000100FL
2589	ctx_options \|= SSL_OP_NO_TLSv1_1;
2590	ctx_options \|= SSL_OP_NO_TLSv1_2;
2591	# ifdef TLS1_3_VERSION
2592	ctx_options \|= SSL_OP_NO_TLSv1_3;
2593	# endif
2594	# endif
2595	#endif
2596	break;
2597
2598	/ "--tlsv<x.y>" options mean TLS >= version <x.y> /
2599	case CURL_SSLVERSION_DEFAULT:
2600	case CURL_SSLVERSION_TLSv1: / TLS >= version 1.0 /
2601	case CURL_SSLVERSION_TLSv1_0: / TLS >= version 1.0 /
2602	case CURL_SSLVERSION_TLSv1_1: / TLS >= version 1.1 /
2603	case CURL_SSLVERSION_TLSv1_2: / TLS >= version 1.2 /
2604	case CURL_SSLVERSION_TLSv1_3: / TLS >= version 1.3 /
2605	/ asking for any TLS version as the minimum, means no SSL versions*
2606	allowed /*
2607	ctx_options \|= SSL_OP_NO_SSLv2;
2608	ctx_options \|= SSL_OP_NO_SSLv3;
2609
2610	#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) /* 1.1.0 */
2611	result = set_ssl_version_min_max(BACKEND->ctx, conn);
2612	#else
2613	result = set_ssl_version_min_max_legacy(&ctx_options, conn, sockindex);
2614	#endif
2615	if(result != CURLE_OK)
2616	return result;
2617	break;
2618
2619	default:
2620	failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
2621	return CURLE_SSL_CONNECT_ERROR;
2622	}
2623
2624	SSL_CTX_set_options(BACKEND->ctx, ctx_options);
2625
2626	#ifdef HAS_NPN
2627	if(conn->bits.tls_enable_npn)
2628	SSL_CTX_set_next_proto_select_cb(BACKEND->ctx, select_next_proto_cb, conn);
2629	#endif
2630
2631	#ifdef HAS_ALPN
2632	if(conn->bits.tls_enable_alpn) {
2633	int cur = `0`;
2634	unsigned char protocols[`128`];
2635
2636	#ifdef USE_NGHTTP2
2637	if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
2638	(!SSL_IS_PROXY() \|\| !conn->bits.tunnel_proxy)) {
2639	protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
2640
2641	memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
2642	NGHTTP2_PROTO_VERSION_ID_LEN);
2643	cur += NGHTTP2_PROTO_VERSION_ID_LEN;
2644	infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
2645	}
2646	#endif
2647
2648	protocols[cur++] = ALPN_HTTP_1_1_LENGTH;
2649	memcpy(&protocols[cur], ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH);
2650	cur += ALPN_HTTP_1_1_LENGTH;
2651	infof(data, "ALPN, offering %s\n", ALPN_HTTP_1_1);
2652
2653	/ expects length prefixed preference ordered list of protocols in wire*
2654	* format
2655	*/
2656	SSL_CTX_set_alpn_protos(BACKEND->ctx, protocols, cur);
2657	}
2658	#endif
2659
2660	if(ssl_cert \|\| ssl_cert_type) {
2661	if(!cert_stuff(conn, BACKEND->ctx, ssl_cert, ssl_cert_type,
2662	SSL_SET_OPTION(key), SSL_SET_OPTION(key_type),
2663	SSL_SET_OPTION(key_passwd))) {
2664	/ failf() is already done in cert_stuff() /
2665	return CURLE_SSL_CERTPROBLEM;
2666	}
2667	}
2668
2669	ciphers = SSL_CONN_CONFIG(cipher_list);
2670	if(!ciphers)
2671	ciphers = (char *)DEFAULT_CIPHER_SELECTION;
2672	if(ciphers) {
2673	if(!SSL_CTX_set_cipher_list(BACKEND->ctx, ciphers)) {
2674	failf(data, "failed setting cipher list: %s", ciphers);
2675	return CURLE_SSL_CIPHER;
2676	}
2677	infof(data, "Cipher selection: %s\n", ciphers);
2678	}
2679
2680	#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
2681	{
2682	char *ciphers13 = SSL_CONN_CONFIG(cipher_list13);
2683	if(ciphers13) {
2684	if(!SSL_CTX_set_ciphersuites(BACKEND->ctx, ciphers13)) {
2685	failf(data, "failed setting TLS 1.3 cipher suite: %s", ciphers13);
2686	return CURLE_SSL_CIPHER;
2687	}
2688	infof(data, "TLS 1.3 cipher selection: %s\n", ciphers13);
2689	}
2690	}
2691	#endif
2692
2693	#ifdef HAVE_SSL_CTX_SET_POST_HANDSHAKE_AUTH
2694	/ OpenSSL 1.1.1 requires clients to opt-in for PHA /
2695	SSL_CTX_set_post_handshake_auth(BACKEND->ctx, `1`);
2696	#endif
2697
2698	#ifdef USE_TLS_SRP
2699	if(ssl_authtype == CURL_TLSAUTH_SRP) {
2700	char * const ssl_username = SSL_SET_OPTION(username);
2701
2702	infof(data, "Using TLS-SRP username: %s\n", ssl_username);
2703
2704	if(!SSL_CTX_set_srp_username(BACKEND->ctx, ssl_username)) {
2705	failf(data, "Unable to set SRP user name");
2706	return CURLE_BAD_FUNCTION_ARGUMENT;
2707	}
2708	if(!SSL_CTX_set_srp_password(BACKEND->ctx, SSL_SET_OPTION(password))) {
2709	failf(data, "failed setting SRP password");
2710	return CURLE_BAD_FUNCTION_ARGUMENT;
2711	}
2712	if(!SSL_CONN_CONFIG(cipher_list)) {
2713	infof(data, "Setting cipher list SRP\n");
2714
2715	if(!SSL_CTX_set_cipher_list(BACKEND->ctx, "SRP")) {
2716	failf(data, "failed setting SRP cipher list");
2717	return CURLE_SSL_CIPHER;
2718	}
2719	}
2720	}
2721	#endif
2722
2723	if(ssl_cafile \|\| ssl_capath) {
2724	/ tell SSL where to find CA certificates that are used to verify*
2725	the servers certificate. /*
2726	if(!SSL_CTX_load_verify_locations(BACKEND->ctx, ssl_cafile, ssl_capath)) {
2727	if(verifypeer) {
2728	/ Fail if we insist on successfully verifying the server. /
2729	failf(data, "error setting certificate verify locations:\n"
2730	" CAfile: %s\n CApath: %s",
2731	ssl_cafile ? ssl_cafile : "none",
2732	ssl_capath ? ssl_capath : "none");
2733	return CURLE_SSL_CACERT_BADFILE;
2734	}
2735	/ Just continue with a warning if no strict certificate verification*
2736	is required. /*
2737	infof(data, "error setting certificate verify locations,"
2738	" continuing anyway:\n");
2739	}
2740	else {
2741	/ Everything is fine. /
2742	infof(data, "successfully set certificate verify locations:\n");
2743	}
2744	infof(data,
2745	" CAfile: %s\n"
2746	" CApath: %s\n",
2747	ssl_cafile ? ssl_cafile : "none",
2748	ssl_capath ? ssl_capath : "none");
2749	}
2750	#ifdef CURL_CA_FALLBACK
2751	else if(verifypeer) {
2752	/ verifying the peer without any CA certificates won't*
2753	work so use openssl's built in default as fallback /*
2754	SSL_CTX_set_default_verify_paths(BACKEND->ctx);
2755	}
2756	#endif
2757
2758	if(ssl_crlfile) {
2759	/ tell SSL where to find CRL file that is used to check certificate*
2760	* revocation */
2761	lookup = X509_STORE_add_lookup(SSL_CTX_get_cert_store(BACKEND->ctx),
2762	X509_LOOKUP_file());
2763	if(!lookup \|\|
2764	(!X509_load_crl_file(lookup, ssl_crlfile, X509_FILETYPE_PEM)) ) {
2765	failf(data, "error loading CRL file: %s", ssl_crlfile);
2766	return CURLE_SSL_CRL_BADFILE;
2767	}
2768	/ Everything is fine. /
2769	infof(data, "successfully load CRL file:\n");
2770	X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
2771	X509_V_FLAG_CRL_CHECK\|X509_V_FLAG_CRL_CHECK_ALL);
2772
2773	infof(data, " CRLfile: %s\n", ssl_crlfile);
2774	}
2775
2776	if(verifypeer) {
2777	/ Try building a chain using issuers in the trusted store first to avoid*
2778	problems with server-sent legacy intermediates. Newer versions of
2779	OpenSSL do alternate chain checking by default which gives us the same
2780	fix without as much of a performance hit (slight), so we prefer that if
2781	available.
2782	https://rt.openssl.org/Ticket/Display.html?id=3621&user=guest&pass=guest
2783	*/
2784	#if defined(X509_V_FLAG_TRUSTED_FIRST) && !defined(X509_V_FLAG_NO_ALT_CHAINS)
2785	X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
2786	X509_V_FLAG_TRUSTED_FIRST);
2787	#endif
2788	#ifdef X509_V_FLAG_PARTIAL_CHAIN
2789	if(!SSL_SET_OPTION(no_partialchain)) {
2790	/ Have intermediate certificates in the trust store be treated as*
2791	trust-anchors, in the same way as self-signed root CA certificates
2792	are. This allows users to verify servers using the intermediate cert
2793	only, instead of needing the whole chain. /*
2794	X509_STORE_set_flags(SSL_CTX_get_cert_store(BACKEND->ctx),
2795	X509_V_FLAG_PARTIAL_CHAIN);
2796	}
2797	#endif
2798	}
2799
2800	/ SSL always tries to verify the peer, this only says whether it should*
2801	* fail to connect if the verification fails, or if it should continue
2802	* anyway. In the latter case the result of the verification is checked with
2803	* SSL_get_verify_result() below. */
2804	SSL_CTX_set_verify(BACKEND->ctx,
2805	verifypeer ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, NULL);
2806
2807	/ Enable logging of secrets to the file specified in env SSLKEYLOGFILE. /
2808	#if defined(ENABLE_SSLKEYLOGFILE) && defined(HAVE_KEYLOG_CALLBACK)
2809	if(keylog_file_fp) {
2810	SSL_CTX_set_keylog_callback(BACKEND->ctx, ossl_keylog_callback);
2811	}
2812	#endif
2813
2814	/ Enable the session cache because it's a prerequisite for the "new session"*
2815	* callback. Use the "external storage" mode to avoid that OpenSSL creates
2816	* an internal session cache.
2817	*/
2818	SSL_CTX_set_session_cache_mode(BACKEND->ctx,
2819	SSL_SESS_CACHE_CLIENT \| SSL_SESS_CACHE_NO_INTERNAL);
2820	SSL_CTX_sess_set_new_cb(BACKEND->ctx, ossl_new_session_cb);
2821
2822	/ give application a chance to interfere with SSL set up. /
2823	if(data->set.ssl.fsslctx) {
2824	Curl_set_in_callback(data, true);
2825	result = (*data->set.ssl.fsslctx)(data, BACKEND->ctx,
2826	data->set.ssl.fsslctxp);
2827	Curl_set_in_callback(data, false);
2828	if(result) {
2829	failf(data, "error signaled by ssl ctx callback");
2830	return result;
2831	}
2832	}
2833
2834	/ Lets make an SSL structure /
2835	if(BACKEND->handle)
2836	SSL_free(BACKEND->handle);
2837	BACKEND->handle = SSL_new(BACKEND->ctx);
2838	if(!BACKEND->handle) {
2839	failf(data, "SSL: couldn't create a context (handle)!");
2840	return CURLE_OUT_OF_MEMORY;
2841	}
2842
2843	#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
2844	!defined(OPENSSL_NO_OCSP)
2845	if(SSL_CONN_CONFIG(verifystatus))
2846	SSL_set_tlsext_status_type(BACKEND->handle, TLSEXT_STATUSTYPE_ocsp);
2847	#endif
2848
2849	#if defined(OPENSSL_IS_BORINGSSL) && defined(ALLOW_RENEG)
2850	SSL_set_renegotiate_mode(BACKEND->handle, ssl_renegotiate_freely);
2851	#endif
2852
2853	SSL_set_connect_state(BACKEND->handle);
2854
2855	BACKEND->server_cert = `0x0`;
2856	#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
2857	if((`0` == Curl_inet_pton(AF_INET, hostname, &addr)) &&
2858	#ifdef ENABLE_IPV6
2859	(`0` == Curl_inet_pton(AF_INET6, hostname, &addr)) &&
2860	#endif
2861	sni &&
2862	!SSL_set_tlsext_host_name(BACKEND->handle, hostname))
2863	infof(data, "WARNING: failed to configure server name indication (SNI) "
2864	"TLS extension\n");
2865	#endif
2866
2867	/ Check if there's a cached ID we can/should use here! /
2868	if(SSL_SET_OPTION(primary.sessionid)) {
2869	void *ssl_sessionid = NULL;
2870	int connectdata_idx = ossl_get_ssl_conn_index();
2871	int sockindex_idx = ossl_get_ssl_sockindex_index();
2872
2873	if(connectdata_idx >= `0` && sockindex_idx >= `0`) {
2874	/ Store the data needed for the "new session" callback.*
2875	* The sockindex is stored as a pointer to an array element. */
2876	SSL_set_ex_data(BACKEND->handle, connectdata_idx, conn);
2877	SSL_set_ex_data(BACKEND->handle, sockindex_idx, conn->sock + sockindex);
2878	}
2879
2880	Curl_ssl_sessionid_lock(conn);
2881	if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
2882	/ we got a session id, use it! /
2883	if(!SSL_set_session(BACKEND->handle, ssl_sessionid)) {
2884	Curl_ssl_sessionid_unlock(conn);
2885	failf(data, "SSL: SSL_set_session failed: %s",
2886	ossl_strerror(ERR_get_error(), error_buffer,
2887	sizeof(error_buffer)));
2888	return CURLE_SSL_CONNECT_ERROR;
2889	}
2890	/ Informational message /
2891	infof(data, "SSL re-using session ID\n");
2892	}
2893	Curl_ssl_sessionid_unlock(conn);
2894	}
2895
2896	if(conn->proxy_ssl[sockindex].use) {
2897	BIO *const bio = BIO_new(BIO_f_ssl());
2898	SSL *handle = conn->proxy_ssl[sockindex].backend->handle;
2899	DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state);
2900	DEBUGASSERT(handle != NULL);
2901	DEBUGASSERT(bio != NULL);
2902	BIO_set_ssl(bio, handle, FALSE);
2903	SSL_set_bio(BACKEND->handle, bio, bio);
2904	}
2905	else if(!SSL_set_fd(BACKEND->handle, (int)sockfd)) {
2906	/ pass the raw socket into the SSL layers /
2907	failf(data, "SSL: SSL_set_fd failed: %s",
2908	ossl_strerror(ERR_get_error(), error_buffer, sizeof(error_buffer)));
2909	return CURLE_SSL_CONNECT_ERROR;
2910	}
2911
2912	connssl->connecting_state = ssl_connect_2;
2913
2914	return CURLE_OK;
2915	}
2916
2917	static CURLcode ossl_connect_step2(struct connectdata conn, int* sockindex)
2918	{
2919	struct Curl_easy *data = conn->data;
2920	int err;
2921	struct ssl_connect_data *connssl = &conn->ssl[sockindex];
2922	long * const certverifyresult = SSL_IS_PROXY() ?
2923	&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
2924	DEBUGASSERT(ssl_connect_2 == connssl->connecting_state
2925	\|\| ssl_connect_2_reading == connssl->connecting_state
2926	\|\| ssl_connect_2_writing == connssl->connecting_state);
2927
2928	ERR_clear_error();
2929
2930	err = SSL_connect(BACKEND->handle);
2931	/ If keylogging is enabled but the keylog callback is not supported then log*
2932	secrets here, immediately after SSL_connect by using tap_ssl_key. /*
2933	#if defined(ENABLE_SSLKEYLOGFILE) && !defined(HAVE_KEYLOG_CALLBACK)
2934	tap_ssl_key(BACKEND->handle, &BACKEND->tap_state);
2935	#endif
2936
2937	/ 1 is fine*
2938	0 is "not successful but was shut down controlled"
2939	<0 is "handshake was not successful, because a fatal error occurred" /*
2940	if(`1` != err) {
2941	int detail = SSL_get_error(BACKEND->handle, err);
2942
2943	if(SSL_ERROR_WANT_READ == detail) {
2944	connssl->connecting_state = ssl_connect_2_reading;
2945	return CURLE_OK;
2946	}
2947	if(SSL_ERROR_WANT_WRITE == detail) {
2948	connssl->connecting_state = ssl_connect_2_writing;
2949	return CURLE_OK;
2950	}
2951	#ifdef SSL_ERROR_WANT_ASYNC
2952	if(SSL_ERROR_WANT_ASYNC == detail) {
2953	connssl->connecting_state = ssl_connect_2;
2954	return CURLE_OK;
2955	}
2956	#endif
2957	else {
2958	/ untreated error /
2959	unsigned long errdetail;
2960	char error_buffer[`256`]="";
2961	CURLcode result;
2962	long lerr;
2963	int lib;
2964	int reason;
2965
2966	/ the connection failed, we're not waiting for anything else. /
2967	connssl->connecting_state = ssl_connect_2;
2968
2969	/ Get the earliest error code from the thread's error queue and removes*
2970	the entry. /*
2971	errdetail = ERR_get_error();
2972
2973	/ Extract which lib and reason /
2974	lib = ERR_GET_LIB(errdetail);
2975	reason = ERR_GET_REASON(errdetail);
2976
2977	if((lib == ERR_LIB_SSL) &&
2978	(reason == SSL_R_CERTIFICATE_VERIFY_FAILED)) {
2979	result = CURLE_PEER_FAILED_VERIFICATION;
2980
2981	lerr = SSL_get_verify_result(BACKEND->handle);
2982	if(lerr != X509_V_OK) {
2983	*certverifyresult = lerr;
2984	msnprintf(error_buffer, sizeof(error_buffer),
2985	"SSL certificate problem: %s",
2986	X509_verify_cert_error_string(lerr));
2987	}
2988	else
2989	/ strcpy() is fine here as long as the string fits within*
2990	error_buffer /*
2991	strcpy(error_buffer, "SSL certificate verification failed");
2992	}
2993	else {
2994	result = CURLE_SSL_CONNECT_ERROR;
2995	ossl_strerror(errdetail, error_buffer, sizeof(error_buffer));
2996	}
2997
2998	/ detail is already set to the SSL error above /
2999
3000	/ If we e.g. use SSLv2 request-method and the server doesn't like us*
3001	* (RST connection etc.), OpenSSL gives no explanation whatsoever and
3002	* the SO_ERROR is also lost.
3003	*/
3004	if(CURLE_SSL_CONNECT_ERROR == result && errdetail == `0`) {
3005	const char * const hostname = SSL_IS_PROXY() ?
3006	conn->http_proxy.host.name : conn->host.name;
3007	const long int port = SSL_IS_PROXY() ? conn->port : conn->remote_port;
3008	char extramsg[`80`]="";
3009	int sockerr = SOCKERRNO;
3010	if(sockerr && detail == SSL_ERROR_SYSCALL)
3011	Curl_strerror(sockerr, extramsg, sizeof(extramsg));
3012	failf(data, OSSL_PACKAGE " SSL_connect: %s in connection to %s:%ld ",
3013	extramsg[`0`] ? extramsg : SSL_ERROR_to_str(detail),
3014	hostname, port);
3015	return result;
3016	}
3017
3018	/ Could be a CERT problem /
3019	failf(data, "%s", error_buffer);
3020
3021	return result;
3022	}
3023	}
3024	else {
3025	/ we have been connected fine, we're not waiting for anything else. /
3026	connssl->connecting_state = ssl_connect_3;
3027
3028	/ Informational message /
3029	infof(data, "SSL connection using %s / %s\n",
3030	get_ssl_version_txt(BACKEND->handle),
3031	SSL_get_cipher(BACKEND->handle));
3032
3033	#ifdef HAS_ALPN
3034	/ Sets data and len to negotiated protocol, len is 0 if no protocol was*
3035	* negotiated
3036	*/
3037	if(conn->bits.tls_enable_alpn) {
3038	const unsigned char *neg_protocol;
3039	unsigned int len;
3040	SSL_get0_alpn_selected(BACKEND->handle, &neg_protocol, &len);
3041	if(len != `0`) {
3042	infof(data, "ALPN, server accepted to use %.*s\n", len, neg_protocol);
3043
3044	#ifdef USE_NGHTTP2
3045	if(len == NGHTTP2_PROTO_VERSION_ID_LEN &&
3046	!memcmp(NGHTTP2_PROTO_VERSION_ID, neg_protocol, len)) {
3047	conn->negnpn = CURL_HTTP_VERSION_2;
3048	}
3049	else
3050	#endif
3051	if(len == ALPN_HTTP_1_1_LENGTH &&
3052	!memcmp(ALPN_HTTP_1_1, neg_protocol, ALPN_HTTP_1_1_LENGTH)) {
3053	conn->negnpn = CURL_HTTP_VERSION_1_1;
3054	}
3055	}
3056	else
3057	infof(data, "ALPN, server did not agree to a protocol\n");
3058
3059	Curl_multiuse_state(conn, conn->negnpn == CURL_HTTP_VERSION_2 ?
3060	BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
3061	}
3062	#endif
3063
3064	return CURLE_OK;
3065	}
3066	}
3067
3068	static int asn1_object_dump(ASN1_OBJECT a, char* *buf, size_t len)
3069	{
3070	int i, ilen;
3071
3072	ilen = (int)len;
3073	if(ilen < `0`)
3074	return `1`; / buffer too big /
3075
3076	i = i2t_ASN1_OBJECT(buf, ilen, a);
3077
3078	if(i >= ilen)
3079	return `1`; / buffer too small /
3080
3081	return `0`;
3082	}
3083
3084	#define push_certinfo(_label, _num) \
3085	do { \
3086	long info_len = BIO_get_mem_data(mem, &ptr); \
3087	Curl_ssl_push_certinfo_len(data, _num, _label, ptr, info_len); \
3088	if(1 != BIO_reset(mem)) \
3089	break; \
3090	} while(0)
3091
3092	static void pubkey_show(struct Curl_easy *data,
3093	BIO *mem,
3094	int num,
3095	const char *type,
3096	const char *name,
3097	#ifdef HAVE_OPAQUE_RSA_DSA_DH
3098	const
3099	#endif
3100	BIGNUM *bn)
3101	{
3102	char *ptr;
3103	char namebuf[`32`];
3104
3105	msnprintf(namebuf, sizeof(namebuf), "%s(%s)", type, name);
3106
3107	if(bn)
3108	BN_print(mem, bn);
3109	push_certinfo(namebuf, num);
3110	}
3111
3112	#ifdef HAVE_OPAQUE_RSA_DSA_DH
3113	#define print_pubkey_BN(_type, _name, _num) \
3114	pubkey_show(data, mem, _num, #_type, #_name, _name)
3115
3116	#else
3117	#define print_pubkey_BN(_type, _name, _num) \
3118	do { \
3119	if(_type->_name) { \
3120	pubkey_show(data, mem, _num, #_type, #_name, _type->_name); \
3121	} \
3122	} while(0)
3123	#endif
3124
3125	static int X509V3_ext(struct Curl_easy *data,
3126	int certnum,
3127	CONST_EXTS STACK_OF(X509_EXTENSION) *exts)
3128	{
3129	int i;
3130	size_t j;
3131
3132	if((int)sk_X509_EXTENSION_num(exts) <= `0`)
3133	/ no extensions, bail out /
3134	return `1`;
3135
3136	for(i = `0`; i < (int)sk_X509_EXTENSION_num(exts); i++) {
3137	ASN1_OBJECT *obj;
3138	X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
3139	BUF_MEM *biomem;
3140	char buf[`512`];
3141	char *ptr = buf;
3142	char namebuf[`128`];
3143	BIO *bio_out = BIO_new(BIO_s_mem());
3144
3145	if(!bio_out)
3146	return `1`;
3147
3148	obj = X509_EXTENSION_get_object(ext);
3149
3150	asn1_object_dump(obj, namebuf, sizeof(namebuf));
3151
3152	if(!X509V3_EXT_print(bio_out, ext, `0`, `0`))
3153	ASN1_STRING_print(bio_out, (ASN1_STRING *)X509_EXTENSION_get_data(ext));
3154
3155	BIO_get_mem_ptr(bio_out, &biomem);
3156
3157	for(j = `0`; j < (size_t)biomem->length; j++) {
3158	const char *sep = "";
3159	if(biomem->data[j] == `'\n'`) {
3160	sep = ", ";
3161	j++; / skip the newline /
3162	};
3163	while((j<(size_t)biomem->length) && (biomem->data[j] == `' '`))
3164	j++;
3165	if(j<(size_t)biomem->length)
3166	ptr += msnprintf(ptr, sizeof(buf)-(ptr-buf), "%s%c", sep,
3167	biomem->data[j]);
3168	}
3169
3170	Curl_ssl_push_certinfo(data, certnum, namebuf, buf);
3171
3172	BIO_free(bio_out);
3173
3174	}
3175	return `0`; / all is fine /
3176	}
3177
3178	#ifdef OPENSSL_IS_BORINGSSL
3179	typedef size_t numcert_t;
3180	#else
3181	typedef int numcert_t;
3182	#endif
3183
3184	static CURLcode get_cert_chain(struct connectdata *conn,
3185	struct ssl_connect_data *connssl)
3186
3187	{
3188	CURLcode result;
3189	STACK_OF(X509) *sk;
3190	int i;
3191	struct Curl_easy *data = conn->data;
3192	numcert_t numcerts;
3193	BIO *mem;
3194
3195	sk = SSL_get_peer_cert_chain(BACKEND->handle);
3196	if(!sk) {
3197	return CURLE_OUT_OF_MEMORY;
3198	}
3199
3200	numcerts = sk_X509_num(sk);
3201
3202	result = Curl_ssl_init_certinfo(data, (int)numcerts);
3203	if(result) {
3204	return result;
3205	}
3206
3207	mem = BIO_new(BIO_s_mem());
3208
3209	for(i = `0`; i < (int)numcerts; i++) {
3210	ASN1_INTEGER *num;
3211	X509 *x = sk_X509_value(sk, i);
3212	EVP_PKEY *pubkey = NULL;
3213	int j;
3214	char *ptr;
3215	const ASN1_BIT_STRING *psig = NULL;
3216
3217	X509_NAME_print_ex(mem, X509_get_subject_name(x), `0`, XN_FLAG_ONELINE);
3218	push_certinfo("Subject", i);
3219
3220	X509_NAME_print_ex(mem, X509_get_issuer_name(x), `0`, XN_FLAG_ONELINE);
3221	push_certinfo("Issuer", i);
3222
3223	BIO_printf(mem, "%lx", X509_get_version(x));
3224	push_certinfo("Version", i);
3225
3226	num = X509_get_serialNumber(x);
3227	if(num->type == V_ASN1_NEG_INTEGER)
3228	BIO_puts(mem, "-");
3229	for(j = `0`; j < num->length; j++)
3230	BIO_printf(mem, "%02x", num->data[j]);
3231	push_certinfo("Serial Number", i);
3232
3233	#if defined(HAVE_X509_GET0_SIGNATURE) && defined(HAVE_X509_GET0_EXTENSIONS)
3234	{
3235	const X509_ALGOR *sigalg = NULL;
3236	X509_PUBKEY *xpubkey = NULL;
3237	ASN1_OBJECT *pubkeyoid = NULL;
3238
3239	X509_get0_signature(&psig, &sigalg, x);
3240	if(sigalg) {
3241	i2a_ASN1_OBJECT(mem, sigalg->algorithm);
3242	push_certinfo("Signature Algorithm", i);
3243	}
3244
3245	xpubkey = X509_get_X509_PUBKEY(x);
3246	if(xpubkey) {
3247	X509_PUBKEY_get0_param(&pubkeyoid, NULL, NULL, NULL, xpubkey);
3248	if(pubkeyoid) {
3249	i2a_ASN1_OBJECT(mem, pubkeyoid);
3250	push_certinfo("Public Key Algorithm", i);
3251	}
3252	}
3253
3254	X509V3_ext(data, i, X509_get0_extensions(x));
3255	}
3256	#else
3257	{
3258	/ before OpenSSL 1.0.2 /
3259	X509_CINF *cinf = x->cert_info;
3260
3261	i2a_ASN1_OBJECT(mem, cinf->signature->algorithm);
3262	push_certinfo("Signature Algorithm", i);
3263
3264	i2a_ASN1_OBJECT(mem, cinf->key->algor->algorithm);
3265	push_certinfo("Public Key Algorithm", i);
3266
3267	X509V3_ext(data, i, cinf->extensions);
3268
3269	psig = x->signature;
3270	}
3271	#endif
3272
3273	ASN1_TIME_print(mem, X509_get0_notBefore(x));
3274	push_certinfo("Start date", i);
3275
3276	ASN1_TIME_print(mem, X509_get0_notAfter(x));
3277	push_certinfo("Expire date", i);
3278
3279	pubkey = X509_get_pubkey(x);
3280	if(!pubkey)
3281	infof(data, " Unable to load public key\n");
3282	else {
3283	int pktype;
3284	#ifdef HAVE_OPAQUE_EVP_PKEY
3285	pktype = EVP_PKEY_id(pubkey);
3286	#else
3287	pktype = pubkey->type;
3288	#endif
3289	switch(pktype) {
3290	case EVP_PKEY_RSA:
3291	{
3292	RSA *rsa;
3293	#ifdef HAVE_OPAQUE_EVP_PKEY
3294	rsa = EVP_PKEY_get0_RSA(pubkey);
3295	#else
3296	rsa = pubkey->pkey.rsa;
3297	#endif
3298
3299	#ifdef HAVE_OPAQUE_RSA_DSA_DH
3300	{
3301	const BIGNUM *n;
3302	const BIGNUM *e;
3303
3304	RSA_get0_key(rsa, &n, &e, NULL);
3305	BIO_printf(mem, "%d", BN_num_bits(n));
3306	push_certinfo("RSA Public Key", i);
3307	print_pubkey_BN(rsa, n, i);
3308	print_pubkey_BN(rsa, e, i);
3309	}
3310	#else
3311	BIO_printf(mem, "%d", BN_num_bits(rsa->n));
3312	push_certinfo("RSA Public Key", i);
3313	print_pubkey_BN(rsa, n, i);
3314	print_pubkey_BN(rsa, e, i);
3315	#endif
3316
3317	break;
3318	}
3319	case EVP_PKEY_DSA:
3320	{
3321	#ifndef OPENSSL_NO_DSA
3322	DSA *dsa;
3323	#ifdef HAVE_OPAQUE_EVP_PKEY
3324	dsa = EVP_PKEY_get0_DSA(pubkey);
3325	#else
3326	dsa = pubkey->pkey.dsa;
3327	#endif
3328	#ifdef HAVE_OPAQUE_RSA_DSA_DH
3329	{
3330	const BIGNUM *p;
3331	const BIGNUM *q;
3332	const BIGNUM *g;
3333	const BIGNUM *pub_key;
3334
3335	DSA_get0_pqg(dsa, &p, &q, &g);
3336	DSA_get0_key(dsa, &pub_key, NULL);
3337
3338	print_pubkey_BN(dsa, p, i);
3339	print_pubkey_BN(dsa, q, i);
3340	print_pubkey_BN(dsa, g, i);
3341	print_pubkey_BN(dsa, pub_key, i);
3342	}
3343	#else
3344	print_pubkey_BN(dsa, p, i);
3345	print_pubkey_BN(dsa, q, i);
3346	print_pubkey_BN(dsa, g, i);
3347	print_pubkey_BN(dsa, pub_key, i);
3348	#endif
3349	#endif /* !OPENSSL_NO_DSA */
3350	break;
3351	}
3352	case EVP_PKEY_DH:
3353	{
3354	DH *dh;
3355	#ifdef HAVE_OPAQUE_EVP_PKEY
3356	dh = EVP_PKEY_get0_DH(pubkey);
3357	#else
3358	dh = pubkey->pkey.dh;
3359	#endif
3360	#ifdef HAVE_OPAQUE_RSA_DSA_DH
3361	{
3362	const BIGNUM *p;
3363	const BIGNUM *q;
3364	const BIGNUM *g;
3365	const BIGNUM *pub_key;
3366	DH_get0_pqg(dh, &p, &q, &g);
3367	DH_get0_key(dh, &pub_key, NULL);
3368	print_pubkey_BN(dh, p, i);
3369	print_pubkey_BN(dh, q, i);
3370	print_pubkey_BN(dh, g, i);
3371	print_pubkey_BN(dh, pub_key, i);
3372	}
3373	#else
3374	print_pubkey_BN(dh, p, i);
3375	print_pubkey_BN(dh, g, i);
3376	print_pubkey_BN(dh, pub_key, i);
3377	#endif
3378	break;
3379	}
3380	}
3381	EVP_PKEY_free(pubkey);
3382	}
3383
3384	if(psig) {
3385	for(j = `0`; j < psig->length; j++)
3386	BIO_printf(mem, "%02x:", psig->data[j]);
3387	push_certinfo("Signature", i);
3388	}
3389
3390	PEM_write_bio_X509(mem, x);
3391	push_certinfo("Cert", i);
3392	}
3393
3394	BIO_free(mem);
3395
3396	return CURLE_OK;
3397	}
3398
3399	/*
3400	* Heavily modified from:
3401	* https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning#OpenSSL
3402	*/
3403	static CURLcode pkp_pin_peer_pubkey(struct Curl_easy data, X509 cert,
3404	const char *pinnedpubkey)
3405	{
3406	/ Scratch /
3407	int len1 = `0`, len2 = `0`;
3408	unsigned char buff1 = NULL, temp = NULL;
3409
3410	/ Result is returned to caller /
3411	CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
3412
3413	/ if a path wasn't specified, don't pin /
3414	if(!pinnedpubkey)
3415	return CURLE_OK;
3416
3417	if(!cert)
3418	return result;
3419
3420	do {
3421	/ Begin Gyrations to get the subjectPublicKeyInfo /
3422	/ Thanks to Viktor Dukhovni on the OpenSSL mailing list /
3423
3424	/ https://groups.google.com/group/mailing.openssl.users/browse_thread*
3425	/thread/d61858dae102c6c7 /*
3426	len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
3427	if(len1 < `1`)
3428	break; / failed /
3429
3430	buff1 = temp = malloc(len1);
3431	if(!buff1)
3432	break; / failed /
3433
3434	/ https://www.openssl.org/docs/crypto/d2i_X509.html /
3435	len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp);
3436
3437	/*
3438	* These checks are verifying we got back the same values as when we
3439	* sized the buffer. It's pretty weak since they should always be the
3440	* same. But it gives us something to test.
3441	*/
3442	if((len1 != len2) \|\| !temp \|\| ((temp - buff1) != len1))
3443	break; / failed /
3444
3445	/ End Gyrations /
3446
3447	/ The one good exit point /
3448	result = Curl_pin_peer_pubkey(data, pinnedpubkey, buff1, len1);
3449	} while(`0`);
3450
3451	if(buff1)
3452	free(buff1);
3453
3454	return result;
3455	}
3456
3457	/*
3458	* Get the server cert, verify it and show it etc, only call failf() if the
3459	* 'strict' argument is TRUE as otherwise all this is for informational
3460	* purposes only!
3461	*
3462	* We check certificates to authenticate the server; otherwise we risk
3463	* man-in-the-middle attack.
3464	*/
3465	static CURLcode servercert(struct connectdata *conn,
3466	struct ssl_connect_data *connssl,
3467	bool strict)
3468	{
3469	CURLcode result = CURLE_OK;
3470	int rc;
3471	long lerr;
3472	struct Curl_easy *data = conn->data;
3473	X509 *issuer;
3474	BIO *fp = NULL;
3475	char error_buffer[`256`]="";
3476	char buffer[`2048`];
3477	const char *ptr;
3478	long * const certverifyresult = SSL_IS_PROXY() ?
3479	&data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
3480	BIO *mem = BIO_new(BIO_s_mem());
3481
3482	if(data->set.ssl.certinfo)
3483	/ we've been asked to gather certificate info! /
3484	(void)get_cert_chain(conn, connssl);
3485
3486	BACKEND->server_cert = SSL_get_peer_certificate(BACKEND->handle);
3487	if(!BACKEND->server_cert) {
3488	BIO_free(mem);
3489	if(!strict)
3490	return CURLE_OK;
3491
3492	failf(data, "SSL: couldn't get peer certificate!");
3493	return CURLE_PEER_FAILED_VERIFICATION;
3494	}
3495
3496	infof(data, "%s certificate:\n", SSL_IS_PROXY() ? "Proxy" : "Server");
3497
3498	rc = x509_name_oneline(X509_get_subject_name(BACKEND->server_cert),
3499	buffer, sizeof(buffer));
3500	infof(data, " subject: %s\n", rc?"[NONE]":buffer);
3501
3502	#ifndef CURL_DISABLE_VERBOSE_STRINGS
3503	{
3504	long len;
3505	ASN1_TIME_print(mem, X509_get0_notBefore(BACKEND->server_cert));
3506	len = BIO_get_mem_data(mem, (char **) &ptr);
3507	infof(data, " start date: %.*s\n", len, ptr);
3508	(void)BIO_reset(mem);
3509
3510	ASN1_TIME_print(mem, X509_get0_notAfter(BACKEND->server_cert));
3511	len = BIO_get_mem_data(mem, (char **) &ptr);
3512	infof(data, " expire date: %.*s\n", len, ptr);
3513	(void)BIO_reset(mem);
3514	}
3515	#endif
3516
3517	BIO_free(mem);
3518
3519	if(SSL_CONN_CONFIG(verifyhost)) {
3520	result = verifyhost(conn, BACKEND->server_cert);
3521	if(result) {
3522	X509_free(BACKEND->server_cert);
3523	BACKEND->server_cert = NULL;
3524	return result;
3525	}
3526	}
3527
3528	rc = x509_name_oneline(X509_get_issuer_name(BACKEND->server_cert),
3529	buffer, sizeof(buffer));
3530	if(rc) {
3531	if(strict)
3532	failf(data, "SSL: couldn't get X509-issuer name!");
3533	result = CURLE_PEER_FAILED_VERIFICATION;
3534	}
3535	else {
3536	infof(data, " issuer: %s\n", buffer);
3537
3538	/ We could do all sorts of certificate verification stuff here before*
3539	deallocating the certificate. /*
3540
3541	/ e.g. match issuer name with provided issuer certificate /
3542	if(SSL_SET_OPTION(issuercert)) {
3543	fp = BIO_new(BIO_s_file());
3544	if(fp == NULL) {
3545	failf(data,
3546	"BIO_new return NULL, " OSSL_PACKAGE
3547	" error %s",
3548	ossl_strerror(ERR_get_error(), error_buffer,
3549	sizeof(error_buffer)) );
3550	X509_free(BACKEND->server_cert);
3551	BACKEND->server_cert = NULL;
3552	return CURLE_OUT_OF_MEMORY;
3553	}
3554
3555	if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= `0`) {
3556	if(strict)
3557	failf(data, "SSL: Unable to open issuer cert (%s)",
3558	SSL_SET_OPTION(issuercert));
3559	BIO_free(fp);
3560	X509_free(BACKEND->server_cert);
3561	BACKEND->server_cert = NULL;
3562	return CURLE_SSL_ISSUER_ERROR;
3563	}
3564
3565	issuer = PEM_read_bio_X509(fp, NULL, ZERO_NULL, NULL);
3566	if(!issuer) {
3567	if(strict)
3568	failf(data, "SSL: Unable to read issuer cert (%s)",
3569	SSL_SET_OPTION(issuercert));
3570	BIO_free(fp);
3571	X509_free(issuer);
3572	X509_free(BACKEND->server_cert);
3573	BACKEND->server_cert = NULL;
3574	return CURLE_SSL_ISSUER_ERROR;
3575	}
3576
3577	if(X509_check_issued(issuer, BACKEND->server_cert) != X509_V_OK) {
3578	if(strict)
3579	failf(data, "SSL: Certificate issuer check failed (%s)",
3580	SSL_SET_OPTION(issuercert));
3581	BIO_free(fp);
3582	X509_free(issuer);
3583	X509_free(BACKEND->server_cert);
3584	BACKEND->server_cert = NULL;
3585	return CURLE_SSL_ISSUER_ERROR;
3586	}
3587
3588	infof(data, " SSL certificate issuer check ok (%s)\n",
3589	SSL_SET_OPTION(issuercert));
3590	BIO_free(fp);
3591	X509_free(issuer);
3592	}
3593
3594	lerr = *certverifyresult = SSL_get_verify_result(BACKEND->handle);
3595
3596	if(*certverifyresult != X509_V_OK) {
3597	if(SSL_CONN_CONFIG(verifypeer)) {
3598	/ We probably never reach this, because SSL_connect() will fail*
3599	and we return earlier if verifypeer is set? /*
3600	if(strict)
3601	failf(data, "SSL certificate verify result: %s (%ld)",
3602	X509_verify_cert_error_string(lerr), lerr);
3603	result = CURLE_PEER_FAILED_VERIFICATION;
3604	}
3605	else
3606	infof(data, " SSL certificate verify result: %s (%ld),"
3607	" continuing anyway.\n",
3608	X509_verify_cert_error_string(lerr), lerr);
3609	}
3610	else
3611	infof(data, " SSL certificate verify ok.\n");
3612	}
3613
3614	#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
3615	!defined(OPENSSL_NO_OCSP)
3616	if(SSL_CONN_CONFIG(verifystatus)) {
3617	result = verifystatus(conn, connssl);
3618	if(result) {
3619	X509_free(BACKEND->server_cert);
3620	BACKEND->server_cert = NULL;
3621	return result;
3622	}
3623	}
3624	#endif
3625
3626	if(!strict)
3627	/ when not strict, we don't bother about the verify cert problems /
3628	result = CURLE_OK;
3629
3630	ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
3631	data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
3632	if(!result && ptr) {
3633	result = pkp_pin_peer_pubkey(data, BACKEND->server_cert, ptr);
3634	if(result)
3635	failf(data, "SSL: public key does not match pinned public key!");
3636	}
3637
3638	X509_free(BACKEND->server_cert);
3639	BACKEND->server_cert = NULL;
3640	connssl->connecting_state = ssl_connect_done;
3641
3642	return result;
3643	}
3644
3645	static CURLcode ossl_connect_step3(struct connectdata conn, int* sockindex)
3646	{
3647	CURLcode result = CURLE_OK;
3648	struct ssl_connect_data *connssl = &conn->ssl[sockindex];
3649
3650	DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
3651
3652	/*
3653	* We check certificates to authenticate the server; otherwise we risk
3654	* man-in-the-middle attack; NEVERTHELESS, if we're told explicitly not to
3655	* verify the peer ignore faults and failures from the server cert
3656	* operations.
3657	*/
3658
3659	result = servercert(conn, connssl, (SSL_CONN_CONFIG(verifypeer) \|\|
3660	SSL_CONN_CONFIG(verifyhost)));
3661
3662	if(!result)
3663	connssl->connecting_state = ssl_connect_done;
3664
3665	return result;
3666	}
3667
3668	static Curl_recv ossl_recv;
3669	static Curl_send ossl_send;
3670
3671	static CURLcode ossl_connect_common(struct connectdata *conn,
3672	int sockindex,
3673	bool nonblocking,
3674	bool *done)
3675	{
3676	CURLcode result;
3677	struct Curl_easy *data = conn->data;
3678	struct ssl_connect_data *connssl = &conn->ssl[sockindex];
3679	curl_socket_t sockfd = conn->sock[sockindex];
3680	timediff_t timeout_ms;
3681	int what;
3682
3683	/ check if the connection has already been established /
3684	if(ssl_connection_complete == connssl->state) {
3685	*done = TRUE;
3686	return CURLE_OK;
3687	}
3688
3689	if(ssl_connect_1 == connssl->connecting_state) {
3690	/ Find out how much more time we're allowed /
3691	timeout_ms = Curl_timeleft(data, NULL, TRUE);
3692
3693	if(timeout_ms < `0`) {
3694	/ no need to continue if time already is up /
3695	failf(data, "SSL connection timeout");
3696	return CURLE_OPERATION_TIMEDOUT;
3697	}
3698
3699	result = ossl_connect_step1(conn, sockindex);
3700	if(result)
3701	return result;
3702	}
3703
3704	while(ssl_connect_2 == connssl->connecting_state \|\|
3705	ssl_connect_2_reading == connssl->connecting_state \|\|
3706	ssl_connect_2_writing == connssl->connecting_state) {
3707
3708	/ check allowed time left /
3709	timeout_ms = Curl_timeleft(data, NULL, TRUE);
3710
3711	if(timeout_ms < `0`) {
3712	/ no need to continue if time already is up /
3713	failf(data, "SSL connection timeout");
3714	return CURLE_OPERATION_TIMEDOUT;
3715	}
3716
3717	/ if ssl is expecting something, check if it's available. /
3718	if(connssl->connecting_state == ssl_connect_2_reading \|\|
3719	connssl->connecting_state == ssl_connect_2_writing) {
3720
3721	curl_socket_t writefd = ssl_connect_2_writing ==
3722	connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
3723	curl_socket_t readfd = ssl_connect_2_reading ==
3724	connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
3725
3726	what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
3727	nonblocking?`0`:(time_t)timeout_ms);
3728	if(what < `0`) {
3729	/ fatal error /
3730	failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
3731	return CURLE_SSL_CONNECT_ERROR;
3732	}
3733	if(`0` == what) {
3734	if(nonblocking) {
3735	*done = FALSE;
3736	return CURLE_OK;
3737	}
3738	/ timeout /
3739	failf(data, "SSL connection timeout");
3740	return CURLE_OPERATION_TIMEDOUT;
3741	}
3742	/ socket is readable or writable /
3743	}
3744
3745	/ Run transaction, and return to the caller if it failed or if this*
3746	* connection is done nonblocking and this loop would execute again. This
3747	* permits the owner of a multi handle to abort a connection attempt
3748	* before step2 has completed while ensuring that a client using select()
3749	* or epoll() will always have a valid fdset to wait on.
3750	*/
3751	result = ossl_connect_step2(conn, sockindex);
3752	if(result \|\| (nonblocking &&
3753	(ssl_connect_2 == connssl->connecting_state \|\|
3754	ssl_connect_2_reading == connssl->connecting_state \|\|
3755	ssl_connect_2_writing == connssl->connecting_state)))
3756	return result;
3757
3758	} / repeat step2 until all transactions are done. /
3759
3760	if(ssl_connect_3 == connssl->connecting_state) {
3761	result = ossl_connect_step3(conn, sockindex);
3762	if(result)
3763	return result;
3764	}
3765
3766	if(ssl_connect_done == connssl->connecting_state) {
3767	connssl->state = ssl_connection_complete;
3768	conn->recv[sockindex] = ossl_recv;
3769	conn->send[sockindex] = ossl_send;
3770	*done = TRUE;
3771	}
3772	else
3773	*done = FALSE;
3774
3775	/ Reset our connect state machine /
3776	connssl->connecting_state = ssl_connect_1;
3777
3778	return CURLE_OK;
3779	}
3780
3781	static CURLcode Curl_ossl_connect_nonblocking(struct connectdata *conn,
3782	int sockindex,
3783	bool *done)
3784	{
3785	return ossl_connect_common(conn, sockindex, TRUE, done);
3786	}
3787
3788	static CURLcode Curl_ossl_connect(struct connectdata conn, int* sockindex)
3789	{
3790	CURLcode result;
3791	bool done = FALSE;
3792
3793	result = ossl_connect_common(conn, sockindex, FALSE, &done);
3794	if(result)
3795	return result;
3796
3797	DEBUGASSERT(done);
3798
3799	return CURLE_OK;
3800	}
3801
3802	static bool Curl_ossl_data_pending(const struct connectdata *conn,
3803	int connindex)
3804	{
3805	const struct ssl_connect_data *connssl = &conn->ssl[connindex];
3806	const struct ssl_connect_data *proxyssl = &conn->proxy_ssl[connindex];
3807
3808	if(connssl->backend->handle && SSL_pending(connssl->backend->handle))
3809	return TRUE;
3810
3811	if(proxyssl->backend->handle && SSL_pending(proxyssl->backend->handle))
3812	return TRUE;
3813
3814	return FALSE;
3815	}
3816
3817	static size_t Curl_ossl_version(char *buffer, size_t size);
3818
3819	static ssize_t ossl_send(struct connectdata *conn,
3820	int sockindex,
3821	const void *mem,
3822	size_t len,
3823	CURLcode *curlcode)
3824	{
3825	/ SSL_write() is said to return 'int' while write() and send() returns*
3826	'size_t' /*
3827	int err;
3828	char error_buffer[`256`];
3829	unsigned long sslerror;
3830	int memlen;
3831	int rc;
3832	struct ssl_connect_data *connssl = &conn->ssl[sockindex];
3833
3834	ERR_clear_error();
3835
3836	memlen = (len > (size_t)INT_MAX) ? INT_MAX : (int)len;
3837	rc = SSL_write(BACKEND->handle, mem, memlen);
3838
3839	if(rc <= `0`) {
3840	err = SSL_get_error(BACKEND->handle, rc);
3841
3842	switch(err) {
3843	case SSL_ERROR_WANT_READ:
3844	case SSL_ERROR_WANT_WRITE:
3845	/ The operation did not complete; the same TLS/SSL I/O function*
3846	should be called again later. This is basically an EWOULDBLOCK
3847	equivalent. /*
3848	*curlcode = CURLE_AGAIN;
3849	return -`1`;
3850	case SSL_ERROR_SYSCALL:
3851	{
3852	int sockerr = SOCKERRNO;
3853	sslerror = ERR_get_error();
3854	if(sslerror)
3855	ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
3856	else if(sockerr)
3857	Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
3858	else {
3859	strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
3860	error_buffer[sizeof(error_buffer) - `1`] = `'\0'`;
3861	}
3862	failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d",
3863	error_buffer, sockerr);
3864	*curlcode = CURLE_SEND_ERROR;
3865	return -`1`;
3866	}
3867	case SSL_ERROR_SSL:
3868	/ A failure in the SSL library occurred, usually a protocol error.*
3869	The OpenSSL error queue contains more information on the error. /*
3870	sslerror = ERR_get_error();
3871	if(ERR_GET_LIB(sslerror) == ERR_LIB_SSL &&
3872	ERR_GET_REASON(sslerror) == SSL_R_BIO_NOT_SET &&
3873	conn->ssl[sockindex].state == ssl_connection_complete &&
3874	conn->proxy_ssl[sockindex].state == ssl_connection_complete) {
3875	char ver[`120`];
3876	Curl_ossl_version(ver, `120`);
3877	failf(conn->data, "Error: %s does not support double SSL tunneling.",
3878	ver);
3879	}
3880	else
3881	failf(conn->data, "SSL_write() error: %s",
3882	ossl_strerror(sslerror, error_buffer, sizeof(error_buffer)));
3883	*curlcode = CURLE_SEND_ERROR;
3884	return -`1`;
3885	}
3886	/ a true error /
3887	failf(conn->data, OSSL_PACKAGE " SSL_write: %s, errno %d",
3888	SSL_ERROR_to_str(err), SOCKERRNO);
3889	*curlcode = CURLE_SEND_ERROR;
3890	return -`1`;
3891	}
3892	*curlcode = CURLE_OK;
3893	return (ssize_t)rc; / number of bytes /
3894	}
3895
3896	static ssize_t ossl_recv(struct connectdata conn, /* connection data /
3897	int num, / socketindex /
3898	char buf, /* store read data here /
3899	size_t buffersize, / max amount to read /
3900	CURLcode *curlcode)
3901	{
3902	char error_buffer[`256`];
3903	unsigned long sslerror;
3904	ssize_t nread;
3905	int buffsize;
3906	struct ssl_connect_data *connssl = &conn->ssl[num];
3907
3908	ERR_clear_error();
3909
3910	buffsize = (buffersize > (size_t)INT_MAX) ? INT_MAX : (int)buffersize;
3911	nread = (ssize_t)SSL_read(BACKEND->handle, buf, buffsize);
3912	if(nread <= `0`) {
3913	/ failed SSL_read /
3914	int err = SSL_get_error(BACKEND->handle, (int)nread);
3915
3916	switch(err) {
3917	case SSL_ERROR_NONE: / this is not an error /
3918	break;
3919	case SSL_ERROR_ZERO_RETURN: / no more data /
3920	/ close_notify alert /
3921	if(num == FIRSTSOCKET)
3922	/ mark the connection for close if it is indeed the control*
3923	connection /*
3924	connclose(conn, "TLS close_notify");
3925	break;
3926	case SSL_ERROR_WANT_READ:
3927	case SSL_ERROR_WANT_WRITE:
3928	/ there's data pending, re-invoke SSL_read() /
3929	*curlcode = CURLE_AGAIN;
3930	return -`1`;
3931	default:
3932	/ openssl/ssl.h for SSL_ERROR_SYSCALL says "look at error stack/return*
3933	value/errno" /*
3934	/ https://www.openssl.org/docs/crypto/ERR_get_error.html /
3935	sslerror = ERR_get_error();
3936	if((nread < `0`) \|\| sslerror) {
3937	/ If the return code was negative or there actually is an error in the*
3938	queue /*
3939	int sockerr = SOCKERRNO;
3940	if(sslerror)
3941	ossl_strerror(sslerror, error_buffer, sizeof(error_buffer));
3942	else if(sockerr && err == SSL_ERROR_SYSCALL)
3943	Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
3944	else {
3945	strncpy(error_buffer, SSL_ERROR_to_str(err), sizeof(error_buffer));
3946	error_buffer[sizeof(error_buffer) - `1`] = `'\0'`;
3947	}
3948	failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d",
3949	error_buffer, sockerr);
3950	*curlcode = CURLE_RECV_ERROR;
3951	return -`1`;
3952	}
3953	/ For debug builds be a little stricter and error on any*
3954	SSL_ERROR_SYSCALL. For example a server may have closed the connection
3955	abruptly without a close_notify alert. For compatibility with older
3956	peers we don't do this by default. #4624
3957
3958	We can use this to gauge how many users may be affected, and
3959	if it goes ok eventually transition to allow in dev and release with
3960	the newest OpenSSL: #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) /*
3961	#ifdef DEBUGBUILD
3962	if(err == SSL_ERROR_SYSCALL) {
3963	int sockerr = SOCKERRNO;
3964	if(sockerr)
3965	Curl_strerror(sockerr, error_buffer, sizeof(error_buffer));
3966	else {
3967	msnprintf(error_buffer, sizeof(error_buffer),
3968	"Connection closed abruptly");
3969	}
3970	failf(conn->data, OSSL_PACKAGE " SSL_read: %s, errno %d"
3971	" (Fatal because this is a curl debug build)",
3972	error_buffer, sockerr);
3973	*curlcode = CURLE_RECV_ERROR;
3974	return -`1`;
3975	}
3976	#endif
3977	}
3978	}
3979	return nread;
3980	}
3981
3982	static size_t Curl_ossl_version(char *buffer, size_t size)
3983	{
3984	#ifdef LIBRESSL_VERSION_NUMBER
3985	#if LIBRESSL_VERSION_NUMBER < 0x2070100fL
3986	return msnprintf(buffer, size, "%s/%lx.%lx.%lx",
3987	OSSL_PACKAGE,
3988	(LIBRESSL_VERSION_NUMBER>>`28`)&`0xf`,
3989	(LIBRESSL_VERSION_NUMBER>>`20`)&`0xff`,
3990	(LIBRESSL_VERSION_NUMBER>>`12`)&`0xff`);
3991	#else /* OpenSSL_version() first appeared in LibreSSL 2.7.1 */
3992	char *p;
3993	int count;
3994	const char *ver = OpenSSL_version(OPENSSL_VERSION);
3995	const char expected[] = OSSL_PACKAGE " "; / ie "LibreSSL " /
3996	if(Curl_strncasecompare(ver, expected, sizeof(expected) - `1`)) {
3997	ver += sizeof(expected) - `1`;
3998	}
3999	count = msnprintf(buffer, size, "%s/%s", OSSL_PACKAGE, ver);
4000	for(p = buffer; *p; ++p) {
4001	if(ISSPACE(*p))
4002	*p = `'_'`;
4003	}
4004	return count;
4005	#endif
4006	#elif defined(OPENSSL_IS_BORINGSSL)
4007	return msnprintf(buffer, size, OSSL_PACKAGE);
4008	#elif defined(HAVE_OPENSSL_VERSION) && defined(OPENSSL_VERSION_STRING)
4009	return msnprintf(buffer, size, "%s/%s",
4010	OSSL_PACKAGE, OpenSSL_version(OPENSSL_VERSION_STRING));
4011	#else
4012	/ not LibreSSL, BoringSSL and not using OpenSSL_version /
4013
4014	char sub[`3`];
4015	unsigned long ssleay_value;
4016	sub[`2`]=`'\0'`;
4017	sub[`1`]=`'\0'`;
4018	ssleay_value = OpenSSL_version_num();
4019	if(ssleay_value < `0x906000`) {
4020	ssleay_value = SSLEAY_VERSION_NUMBER;
4021	sub[`0`]=`'\0'`;
4022	}
4023	else {
4024	if(ssleay_value&`0xff0`) {
4025	int minor_ver = (ssleay_value >> `4`) & `0xff`;
4026	if(minor_ver > `26`) {
4027	/ handle extended version introduced for 0.9.8za /
4028	sub[`1`] = (char) ((minor_ver - `1`) % `26` + `'a'` + `1`);
4029	sub[`0`] = `'z'`;
4030	}
4031	else {
4032	sub[`0`] = (char) (minor_ver + `'a'` - `1`);
4033	}
4034	}
4035	else
4036	sub[`0`]=`'\0'`;
4037	}
4038
4039	return msnprintf(buffer, size, "%s/%lx.%lx.%lx%s"
4040	#ifdef OPENSSL_FIPS
4041	"-fips"
4042	#endif
4043	,
4044	OSSL_PACKAGE,
4045	(ssleay_value>>`28`)&`0xf`,
4046	(ssleay_value>>`20`)&`0xff`,
4047	(ssleay_value>>`12`)&`0xff`,
4048	sub);
4049	#endif /* OPENSSL_IS_BORINGSSL */
4050	}
4051
4052	/ can be called with data == NULL /
4053	static CURLcode Curl_ossl_random(struct Curl_easy *data,
4054	unsigned char *entropy, size_t length)
4055	{
4056	int rc;
4057	if(data) {
4058	if(Curl_ossl_seed(data)) / Initiate the seed if not already done /
4059	return CURLE_FAILED_INIT; / couldn't seed for some reason /
4060	}
4061	else {
4062	if(!rand_enough())
4063	return CURLE_FAILED_INIT;
4064	}
4065	/ RAND_bytes() returns 1 on success, 0 otherwise. /
4066	rc = RAND_bytes(entropy, curlx_uztosi(length));
4067	return (rc == `1` ? CURLE_OK : CURLE_FAILED_INIT);
4068	}
4069
4070	static CURLcode Curl_ossl_md5sum(unsigned char tmp, /* input /
4071	size_t tmplen,
4072	unsigned char md5sum /* output /,
4073	size_t unused)
4074	{
4075	EVP_MD_CTX *mdctx;
4076	unsigned int len = `0`;
4077	(void) unused;
4078
4079	mdctx = EVP_MD_CTX_create();
4080	EVP_DigestInit_ex(mdctx, EVP_md5(), NULL);
4081	EVP_DigestUpdate(mdctx, tmp, tmplen);
4082	EVP_DigestFinal_ex(mdctx, md5sum, &len);
4083	EVP_MD_CTX_destroy(mdctx);
4084	return CURLE_OK;
4085	}
4086
4087	#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
4088	static CURLcode Curl_ossl_sha256sum(const unsigned char tmp, /* input /
4089	size_t tmplen,
4090	unsigned char sha256sum /* output /,
4091	size_t unused)
4092	{
4093	EVP_MD_CTX *mdctx;
4094	unsigned int len = `0`;
4095	(void) unused;
4096
4097	mdctx = EVP_MD_CTX_create();
4098	EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL);
4099	EVP_DigestUpdate(mdctx, tmp, tmplen);
4100	EVP_DigestFinal_ex(mdctx, sha256sum, &len);
4101	EVP_MD_CTX_destroy(mdctx);
4102	return CURLE_OK;
4103	}
4104	#endif
4105
4106	static bool Curl_ossl_cert_status_request(void)
4107	{
4108	#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
4109	!defined(OPENSSL_NO_OCSP)
4110	return TRUE;
4111	#else
4112	return FALSE;
4113	#endif
4114	}
4115
4116	static void Curl_ossl_get_internals(struct* ssl_connect_data *connssl,
4117	CURLINFO info)
4118	{
4119	/ Legacy: CURLINFO_TLS_SESSION must return an SSL_CTX pointer. /
4120	return info == CURLINFO_TLS_SESSION ?
4121	(void )BACKEND->ctx : (void* *)BACKEND->handle;
4122	}
4123
4124	const struct Curl_ssl Curl_ssl_openssl = {
4125	{ CURLSSLBACKEND_OPENSSL, "openssl" }, / info /
4126
4127	SSLSUPP_CA_PATH \|
4128	SSLSUPP_CERTINFO \|
4129	SSLSUPP_PINNEDPUBKEY \|
4130	SSLSUPP_SSL_CTX \|
4131	#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
4132	SSLSUPP_TLS13_CIPHERSUITES \|
4133	#endif
4134	SSLSUPP_HTTPS_PROXY,
4135
4136	sizeof(struct ssl_backend_data),
4137
4138	Curl_ossl_init, / init /
4139	Curl_ossl_cleanup, / cleanup /
4140	Curl_ossl_version, / version /
4141	Curl_ossl_check_cxn, / check_cxn /
4142	Curl_ossl_shutdown, / shutdown /
4143	Curl_ossl_data_pending, / data_pending /
4144	Curl_ossl_random, / random /
4145	Curl_ossl_cert_status_request, / cert_status_request /
4146	Curl_ossl_connect, / connect /
4147	Curl_ossl_connect_nonblocking, / connect_nonblocking /
4148	Curl_ossl_get_internals, / get_internals /
4149	Curl_ossl_close, / close_one /
4150	Curl_ossl_close_all, / close_all /
4151	Curl_ossl_session_free, / session_free /
4152	Curl_ossl_set_engine, / set_engine /
4153	Curl_ossl_set_engine_default, / set_engine_default /
4154	Curl_ossl_engines_list, / engines_list /
4155	Curl_none_false_start, / false_start /
4156	Curl_ossl_md5sum, / md5sum /
4157	#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL) && !defined(OPENSSL_NO_SHA256)
4158	Curl_ossl_sha256sum / sha256sum /
4159	#else
4160	NULL / sha256sum /
4161	#endif
4162	};
4163
4164	#endif /* USE_OPENSSL */
4165

Browse the source code of ClickHouse/contrib/curl/lib/vtls/openssl.c