vtls.c source code [Velox/build/_deps/curl-src/lib/vtls/vtls.c]

1	/***************************************************************************
2	* _ _ ____ _
3	* Project ___\| \| \| \| _ \\| \|
4	* / __\| \| \| \| \|_) \| \|
5	* \| (__\| \|_\| \| _ <\| \|___
6	* \___\|\___/\|_\| \_\_____\|
7	*
8	* Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
9	*
10	* This software is licensed as described in the file COPYING, which
11	* you should have received as part of this distribution. The terms
12	* are also available at https://curl.se/docs/copyright.html.
13	*
14	* You may opt to use, copy, modify, merge, publish, distribute and/or sell
15	* copies of the Software, and permit persons to whom the Software is
16	* furnished to do so, under the terms of the COPYING file.
17	*
18	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19	* KIND, either express or implied.
20	*
21	* SPDX-License-Identifier: curl
22	*
23	***************************************************************************/
24
25	/ This file is for implementing all "generic" SSL functions that all libcurl*
26	internals should use. It is then responsible for calling the proper
27	"backend" function.
28
29	SSL-functions in libcurl should call functions in this source file, and not
30	to any specific SSL-layer.
31
32	Curl_ssl_ - prefix for generic ones
33
34	Note that this source code uses the functions of the configured SSL
35	backend via the global Curl_ssl instance.
36
37	"SSL/TLS Strong Encryption: An Introduction"
38	https://httpd.apache.org/docs/2.0/ssl/ssl_intro.html
39	*/
40
41	#include "curl_setup.h"
42
43	#ifdef HAVE_SYS_TYPES_H
44	#include <sys/types.h>
45	#endif
46	#ifdef HAVE_SYS_STAT_H
47	#include <sys/stat.h>
48	#endif
49	#ifdef HAVE_FCNTL_H
50	#include <fcntl.h>
51	#endif
52
53	#include "urldata.h"
54	#include "cfilters.h"
55
56	#include "vtls.h" /* generic SSL protos etc */
57	#include "vtls_int.h"
58	#include "slist.h"
59	#include "sendf.h"
60	#include "strcase.h"
61	#include "url.h"
62	#include "progress.h"
63	#include "share.h"
64	#include "multiif.h"
65	#include "timeval.h"
66	#include "curl_md5.h"
67	#include "warnless.h"
68	#include "curl_base64.h"
69	#include "curl_printf.h"
70	#include "strdup.h"
71
72	/ The last #include files should be: /
73	#include "curl_memory.h"
74	#include "memdebug.h"
75
76
77	/ convenience macro to check if this handle is using a shared SSL session /
78	#define SSLSESSION_SHARED(data) (data->share && \
79	(data->share->specifier & \
80	(1<<CURL_LOCK_DATA_SSL_SESSION)))
81
82	#define CLONE_STRING(var) \
83	do { \
84	if(source->var) { \
85	dest->var = strdup(source->var); \
86	if(!dest->var) \
87	return FALSE; \
88	} \
89	else \
90	dest->var = NULL; \
91	} while(0)
92
93	#define CLONE_BLOB(var) \
94	do { \
95	if(blobdup(&dest->var, source->var)) \
96	return FALSE; \
97	} while(0)
98
99	static CURLcode blobdup(struct curl_blob **dest,
100	struct curl_blob *src)
101	{
102	DEBUGASSERT(dest);
103	DEBUGASSERT(!*dest);
104	if(src) {
105	/ only if there's data to dupe! /
106	struct curl_blob *d;
107	d = malloc(sizeof(struct curl_blob) + src->len);
108	if(!d)
109	return CURLE_OUT_OF_MEMORY;
110	d->len = src->len;
111	/ Always duplicate because the connection may survive longer than the*
112	handle that passed in the blob. /*
113	d->flags = CURL_BLOB_COPY;
114	d->data = (void )((char* )d + sizeof(struct* curl_blob));
115	memcpy(dest: d->data, src: src->data, n: src->len);
116	*dest = d;
117	}
118	return CURLE_OK;
119	}
120
121	/ returns TRUE if the blobs are identical /
122	static bool blobcmp(struct curl_blob first, struct* curl_blob *second)
123	{
124	if(!first && !second) / both are NULL /
125	return TRUE;
126	if(!first \|\| !second) / one is NULL /
127	return FALSE;
128	if(first->len != second->len) / different sizes /
129	return FALSE;
130	return !memcmp(s1: first->data, s2: second->data, n: first->len); / same data /
131	}
132
133	#ifdef USE_SSL
134	static const struct alpn_spec ALPN_SPEC_H10 = {
135	{ ALPN_HTTP_1_0 }, `1`
136	};
137	static const struct alpn_spec ALPN_SPEC_H11 = {
138	{ ALPN_HTTP_1_1 }, `1`
139	};
140	#ifdef USE_HTTP2
141	static const struct alpn_spec ALPN_SPEC_H2_H11 = {
142	{ ALPN_H2, ALPN_HTTP_1_1 }, `2`
143	};
144	#endif
145
146	static const struct alpn_spec alpn_get_spec(int* httpwant, bool use_alpn)
147	{
148	if(!use_alpn)
149	return NULL;
150	if(httpwant == CURL_HTTP_VERSION_1_0)
151	return &ALPN_SPEC_H10;
152	#ifdef USE_HTTP2
153	if(httpwant >= CURL_HTTP_VERSION_2)
154	return &ALPN_SPEC_H2_H11;
155	#endif
156	return &ALPN_SPEC_H11;
157	}
158	#endif /* USE_SSL */
159
160
161	bool
162	Curl_ssl_config_matches(struct ssl_primary_config *data,
163	struct ssl_primary_config *needle)
164	{
165	if((data->version == needle->version) &&
166	(data->version_max == needle->version_max) &&
167	(data->ssl_options == needle->ssl_options) &&
168	(data->verifypeer == needle->verifypeer) &&
169	(data->verifyhost == needle->verifyhost) &&
170	(data->verifystatus == needle->verifystatus) &&
171	blobcmp(first: data->cert_blob, second: needle->cert_blob) &&
172	blobcmp(first: data->ca_info_blob, second: needle->ca_info_blob) &&
173	blobcmp(first: data->issuercert_blob, second: needle->issuercert_blob) &&
174	Curl_safecmp(a: data->CApath, b: needle->CApath) &&
175	Curl_safecmp(a: data->CAfile, b: needle->CAfile) &&
176	Curl_safecmp(a: data->issuercert, b: needle->issuercert) &&
177	Curl_safecmp(a: data->clientcert, b: needle->clientcert) &&
178	#ifdef USE_TLS_SRP
179	!Curl_timestrcmp(first: data->username, second: needle->username) &&
180	!Curl_timestrcmp(first: data->password, second: needle->password) &&
181	#endif
182	strcasecompare(data->cipher_list, needle->cipher_list) &&
183	strcasecompare(data->cipher_list13, needle->cipher_list13) &&
184	strcasecompare(data->curves, needle->curves) &&
185	strcasecompare(data->CRLfile, needle->CRLfile) &&
186	strcasecompare(data->pinned_key, needle->pinned_key))
187	return TRUE;
188
189	return FALSE;
190	}
191
192	bool
193	Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
194	struct ssl_primary_config *dest)
195	{
196	dest->version = source->version;
197	dest->version_max = source->version_max;
198	dest->verifypeer = source->verifypeer;
199	dest->verifyhost = source->verifyhost;
200	dest->verifystatus = source->verifystatus;
201	dest->sessionid = source->sessionid;
202	dest->ssl_options = source->ssl_options;
203
204	CLONE_BLOB(cert_blob);
205	CLONE_BLOB(ca_info_blob);
206	CLONE_BLOB(issuercert_blob);
207	CLONE_STRING(CApath);
208	CLONE_STRING(CAfile);
209	CLONE_STRING(issuercert);
210	CLONE_STRING(clientcert);
211	CLONE_STRING(cipher_list);
212	CLONE_STRING(cipher_list13);
213	CLONE_STRING(pinned_key);
214	CLONE_STRING(curves);
215	CLONE_STRING(CRLfile);
216	#ifdef USE_TLS_SRP
217	CLONE_STRING(username);
218	CLONE_STRING(password);
219	#endif
220
221	return TRUE;
222	}
223
224	void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
225	{
226	Curl_safefree(sslc->CApath);
227	Curl_safefree(sslc->CAfile);
228	Curl_safefree(sslc->issuercert);
229	Curl_safefree(sslc->clientcert);
230	Curl_safefree(sslc->cipher_list);
231	Curl_safefree(sslc->cipher_list13);
232	Curl_safefree(sslc->pinned_key);
233	Curl_safefree(sslc->cert_blob);
234	Curl_safefree(sslc->ca_info_blob);
235	Curl_safefree(sslc->issuercert_blob);
236	Curl_safefree(sslc->curves);
237	Curl_safefree(sslc->CRLfile);
238	#ifdef USE_TLS_SRP
239	Curl_safefree(sslc->username);
240	Curl_safefree(sslc->password);
241	#endif
242	}
243
244	#ifdef USE_SSL
245	static int multissl_setup(const struct Curl_ssl *backend);
246	#endif
247
248	curl_sslbackend Curl_ssl_backend(void)
249	{
250	#ifdef USE_SSL
251	multissl_setup(NULL);
252	return Curl_ssl->info.id;
253	#else
254	return CURLSSLBACKEND_NONE;
255	#endif
256	}
257
258	#ifdef USE_SSL
259
260	/ "global" init done? /
261	static bool init_ssl = FALSE;
262
263	/**
264	* Global SSL init
265	*
266	* @retval 0 error initializing SSL
267	* @retval 1 SSL initialized successfully
268	*/
269	int Curl_ssl_init(void)
270	{
271	/ make sure this is only done once /
272	if(init_ssl)
273	return `1`;
274	init_ssl = TRUE; / never again /
275
276	return Curl_ssl->init();
277	}
278
279	#if defined(CURL_WITH_MULTI_SSL)
280	static const struct Curl_ssl Curl_ssl_multi;
281	#endif
282
283	/ Global cleanup /
284	void Curl_ssl_cleanup(void)
285	{
286	if(init_ssl) {
287	/ only cleanup if we did a previous init /
288	Curl_ssl->cleanup();
289	#if defined(CURL_WITH_MULTI_SSL)
290	Curl_ssl = &Curl_ssl_multi;
291	#endif
292	init_ssl = FALSE;
293	}
294	}
295
296	static bool ssl_prefs_check(struct Curl_easy *data)
297	{
298	/ check for CURLOPT_SSLVERSION invalid parameter value /
299	const unsigned char sslver = data->set.ssl.primary.version;
300	if(sslver >= CURL_SSLVERSION_LAST) {
301	failf(data, fmt: "Unrecognized parameter value passed via CURLOPT_SSLVERSION");
302	return FALSE;
303	}
304
305	switch(data->set.ssl.primary.version_max) {
306	case CURL_SSLVERSION_MAX_NONE:
307	case CURL_SSLVERSION_MAX_DEFAULT:
308	break;
309
310	default:
311	if((data->set.ssl.primary.version_max >> `16`) < sslver) {
312	failf(data, fmt: "CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION");
313	return FALSE;
314	}
315	}
316
317	return TRUE;
318	}
319
320	static struct ssl_connect_data cf_ctx_new(struct* Curl_easy *data,
321	const struct alpn_spec *alpn)
322	{
323	struct ssl_connect_data *ctx;
324
325	(void)data;
326	ctx = calloc(`1`, sizeof(*ctx));
327	if(!ctx)
328	return NULL;
329
330	ctx->alpn = alpn;
331	ctx->backend = calloc(`1`, Curl_ssl->sizeof_ssl_backend_data);
332	if(!ctx->backend) {
333	free(ctx);
334	return NULL;
335	}
336	return ctx;
337	}
338
339	static void cf_ctx_free(struct ssl_connect_data *ctx)
340	{
341	if(ctx) {
342	free(ctx->backend);
343	free(ctx);
344	}
345	}
346
347	static CURLcode ssl_connect(struct Curl_cfilter cf, struct* Curl_easy *data)
348	{
349	struct ssl_connect_data *connssl = cf->ctx;
350	CURLcode result;
351
352	if(!ssl_prefs_check(data))
353	return CURLE_SSL_CONNECT_ERROR;
354
355	/ mark this is being ssl-enabled from here on. /
356	connssl->state = ssl_connection_negotiating;
357
358	result = Curl_ssl->connect_blocking(cf, data);
359
360	if(!result) {
361	DEBUGASSERT(connssl->state == ssl_connection_complete);
362	}
363
364	return result;
365	}
366
367	static CURLcode
368	ssl_connect_nonblocking(struct Curl_cfilter cf, struct* Curl_easy *data,
369	bool *done)
370	{
371	if(!ssl_prefs_check(data))
372	return CURLE_SSL_CONNECT_ERROR;
373
374	/ mark this is being ssl requested from here on. /
375	return Curl_ssl->connect_nonblocking(cf, data, done);
376	}
377
378	/*
379	* Lock shared SSL session data
380	*/
381	void Curl_ssl_sessionid_lock(struct Curl_easy *data)
382	{
383	if(SSLSESSION_SHARED(data))
384	Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE);
385	}
386
387	/*
388	* Unlock shared SSL session data
389	*/
390	void Curl_ssl_sessionid_unlock(struct Curl_easy *data)
391	{
392	if(SSLSESSION_SHARED(data))
393	Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION);
394	}
395
396	/*
397	* Check if there's a session ID for the given connection in the cache, and if
398	* there's one suitable, it is provided. Returns TRUE when no entry matched.
399	*/
400	bool Curl_ssl_getsessionid(struct Curl_cfilter *cf,
401	struct Curl_easy *data,
402	void **ssl_sessionid,
403	size_t idsize) /* set 0 if unknown /
404	{
405	struct ssl_connect_data *connssl = cf->ctx;
406	struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
407	struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
408	struct Curl_ssl_session *check;
409	size_t i;
410	long *general_age;
411	bool no_match = TRUE;
412
413	*ssl_sessionid = NULL;
414	if(!ssl_config)
415	return TRUE;
416
417	DEBUGASSERT(ssl_config->primary.sessionid);
418
419	if(!ssl_config->primary.sessionid \|\| !data->state.session)
420	/ session ID reuse is disabled or the session cache has not been*
421	setup /*
422	return TRUE;
423
424	/ Lock if shared /
425	if(SSLSESSION_SHARED(data))
426	general_age = &data->share->sessionage;
427	else
428	general_age = &data->state.sessionage;
429
430	for(i = `0`; i < data->set.general_ssl.max_ssl_sessions; i++) {
431	check = &data->state.session[i];
432	if(!check->sessionid)
433	/ not session ID means blank entry /
434	continue;
435	if(strcasecompare(connssl->hostname, check->name) &&
436	((!cf->conn->bits.conn_to_host && !check->conn_to_host) \|\|
437	(cf->conn->bits.conn_to_host && check->conn_to_host &&
438	strcasecompare(cf->conn->conn_to_host.name, check->conn_to_host))) &&
439	((!cf->conn->bits.conn_to_port && check->conn_to_port == -`1`) \|\|
440	(cf->conn->bits.conn_to_port && check->conn_to_port != -`1` &&
441	cf->conn->conn_to_port == check->conn_to_port)) &&
442	(connssl->port == check->remote_port) &&
443	strcasecompare(cf->conn->handler->scheme, check->scheme) &&
444	Curl_ssl_config_matches(data: conn_config, needle: &check->ssl_config)) {
445	/ yes, we have a session ID! /
446	(general_age)++; /* increase general age /
447	check->age = general_age; /* set this as used in this age /
448	*ssl_sessionid = check->sessionid;
449	if(idsize)
450	*idsize = check->idsize;
451	no_match = FALSE;
452	break;
453	}
454	}
455
456	DEBUGF(infof(data, "%s Session ID in cache for %s %s://%s:%d",
457	no_match? "Didn't find": "Found",
458	Curl_ssl_cf_is_proxy(cf) ? "proxy" : "host",
459	cf->conn->handler->scheme, connssl->hostname, connssl->port));
460	return no_match;
461	}
462
463	/*
464	* Kill a single session ID entry in the cache.
465	*/
466	void Curl_ssl_kill_session(struct Curl_ssl_session *session)
467	{
468	if(session->sessionid) {
469	/ defensive check /
470
471	/ free the ID the SSL-layer specific way /
472	Curl_ssl->session_free(session->sessionid);
473
474	session->sessionid = NULL;
475	session->age = `0`; / fresh /
476
477	Curl_free_primary_ssl_config(sslc: &session->ssl_config);
478
479	Curl_safefree(session->name);
480	Curl_safefree(session->conn_to_host);
481	}
482	}
483
484	/*
485	* Delete the given session ID from the cache.
486	*/
487	void Curl_ssl_delsessionid(struct Curl_easy data, void* *ssl_sessionid)
488	{
489	size_t i;
490
491	for(i = `0`; i < data->set.general_ssl.max_ssl_sessions; i++) {
492	struct Curl_ssl_session *check = &data->state.session[i];
493
494	if(check->sessionid == ssl_sessionid) {
495	Curl_ssl_kill_session(session: check);
496	break;
497	}
498	}
499	}
500
501	/*
502	* Store session id in the session cache. The ID passed on to this function
503	* must already have been extracted and allocated the proper way for the SSL
504	* layer. Curl_XXXX_session_free() will be called to free/kill the session ID
505	* later on.
506	*/
507	CURLcode Curl_ssl_addsessionid(struct Curl_cfilter *cf,
508	struct Curl_easy *data,
509	void *ssl_sessionid,
510	size_t idsize,
511	bool *added)
512	{
513	struct ssl_connect_data *connssl = cf->ctx;
514	struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
515	struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
516	size_t i;
517	struct Curl_ssl_session *store;
518	long oldest_age;
519	char *clone_host;
520	char *clone_conn_to_host;
521	int conn_to_port;
522	long *general_age;
523
524	if(added)
525	*added = FALSE;
526
527	if(!data->state.session)
528	return CURLE_OK;
529
530	store = &data->state.session[`0`];
531	oldest_age = data->state.session[`0`].age; / zero if unused /
532	(void)ssl_config;
533	DEBUGASSERT(ssl_config->primary.sessionid);
534
535	clone_host = strdup(connssl->hostname);
536	if(!clone_host)
537	return CURLE_OUT_OF_MEMORY; / bail out /
538
539	if(cf->conn->bits.conn_to_host) {
540	clone_conn_to_host = strdup(cf->conn->conn_to_host.name);
541	if(!clone_conn_to_host) {
542	free(clone_host);
543	return CURLE_OUT_OF_MEMORY; / bail out /
544	}
545	}
546	else
547	clone_conn_to_host = NULL;
548
549	if(cf->conn->bits.conn_to_port)
550	conn_to_port = cf->conn->conn_to_port;
551	else
552	conn_to_port = -`1`;
553
554	/ Now we should add the session ID and the host name to the cache, (remove*
555	the oldest if necessary) /*
556
557	/ If using shared SSL session, lock! /
558	if(SSLSESSION_SHARED(data)) {
559	general_age = &data->share->sessionage;
560	}
561	else {
562	general_age = &data->state.sessionage;
563	}
564
565	/ find an empty slot for us, or find the oldest /
566	for(i = `1`; (i < data->set.general_ssl.max_ssl_sessions) &&
567	data->state.session[i].sessionid; i++) {
568	if(data->state.session[i].age < oldest_age) {
569	oldest_age = data->state.session[i].age;
570	store = &data->state.session[i];
571	}
572	}
573	if(i == data->set.general_ssl.max_ssl_sessions)
574	/ cache is full, we must "kill" the oldest entry! /
575	Curl_ssl_kill_session(session: store);
576	else
577	store = &data->state.session[i]; / use this slot /
578
579	/ now init the session struct wisely /
580	store->sessionid = ssl_sessionid;
581	store->idsize = idsize;
582	store->age = general_age; /* set current age /
583	/ free it if there's one already present /
584	free(store->name);
585	free(store->conn_to_host);
586	store->name = clone_host; / clone host name /
587	store->conn_to_host = clone_conn_to_host; / clone connect to host name /
588	store->conn_to_port = conn_to_port; / connect to port number /
589	/ port number /
590	store->remote_port = connssl->port;
591	store->scheme = cf->conn->handler->scheme;
592
593	if(!Curl_clone_primary_ssl_config(source: conn_config, dest: &store->ssl_config)) {
594	Curl_free_primary_ssl_config(sslc: &store->ssl_config);
595	store->sessionid = NULL; / let caller free sessionid /
596	free(clone_host);
597	free(clone_conn_to_host);
598	return CURLE_OUT_OF_MEMORY;
599	}
600
601	if(added)
602	*added = TRUE;
603
604	DEBUGF(infof(data, "Added Session ID to cache for %s://%s:%d [%s]",
605	store->scheme, store->name, store->remote_port,
606	Curl_ssl_cf_is_proxy(cf) ? "PROXY" : "server"));
607	return CURLE_OK;
608	}
609
610	void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend)
611	{
612	if(Curl_ssl->free_multi_ssl_backend_data && mbackend)
613	Curl_ssl->free_multi_ssl_backend_data(mbackend);
614	}
615
616	void Curl_ssl_close_all(struct Curl_easy *data)
617	{
618	/ kill the session ID cache if not shared /
619	if(data->state.session && !SSLSESSION_SHARED(data)) {
620	size_t i;
621	for(i = `0`; i < data->set.general_ssl.max_ssl_sessions; i++)
622	/ the single-killer function handles empty table slots /
623	Curl_ssl_kill_session(session: &data->state.session[i]);
624
625	/ free the cache data /
626	Curl_safefree(data->state.session);
627	}
628
629	Curl_ssl->close_all(data);
630	}
631
632	int Curl_ssl_get_select_socks(struct Curl_cfilter cf, struct* Curl_easy *data,
633	curl_socket_t *socks)
634	{
635	struct ssl_connect_data *connssl = cf->ctx;
636	curl_socket_t sock = Curl_conn_cf_get_socket(cf: cf->next, data);
637
638	if(sock == CURL_SOCKET_BAD)
639	return GETSOCK_BLANK;
640
641	if(connssl->connecting_state == ssl_connect_2_writing) {
642	/ we are only interested in writing /
643	socks[`0`] = sock;
644	return GETSOCK_WRITESOCK(`0`);
645	}
646	socks[`0`] = sock;
647	return GETSOCK_READSOCK(`0`);
648	}
649
650	/ Selects an SSL crypto engine*
651	*/
652	CURLcode Curl_ssl_set_engine(struct Curl_easy data, const* char *engine)
653	{
654	return Curl_ssl->set_engine(data, engine);
655	}
656
657	/ Selects the default SSL crypto engine*
658	*/
659	CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data)
660	{
661	return Curl_ssl->set_engine_default(data);
662	}
663
664	/ Return list of OpenSSL crypto engine names. /
665	struct curl_slist Curl_ssl_engines_list(struct* Curl_easy *data)
666	{
667	return Curl_ssl->engines_list(data);
668	}
669
670	/*
671	* This sets up a session ID cache to the specified size. Make sure this code
672	* is agnostic to what underlying SSL technology we use.
673	*/
674	CURLcode Curl_ssl_initsessions(struct Curl_easy *data, size_t amount)
675	{
676	struct Curl_ssl_session *session;
677
678	if(data->state.session)
679	/ this is just a precaution to prevent multiple inits /
680	return CURLE_OK;
681
682	session = calloc(amount, sizeof(struct Curl_ssl_session));
683	if(!session)
684	return CURLE_OUT_OF_MEMORY;
685
686	/ store the info in the SSL section /
687	data->set.general_ssl.max_ssl_sessions = amount;
688	data->state.session = session;
689	data->state.sessionage = `1`; / this is brand new /
690	return CURLE_OK;
691	}
692
693	static size_t multissl_version(char *buffer, size_t size);
694
695	void Curl_ssl_version(char *buffer, size_t size)
696	{
697	#ifdef CURL_WITH_MULTI_SSL
698	(void)multissl_version(buffer, size);
699	#else
700	(void)Curl_ssl->version(buffer, size);
701	#endif
702	}
703
704	void Curl_ssl_free_certinfo(struct Curl_easy *data)
705	{
706	struct curl_certinfo *ci = &data->info.certs;
707
708	if(ci->num_of_certs) {
709	/ free all individual lists used /
710	int i;
711	for(i = `0`; i<ci->num_of_certs; i++) {
712	curl_slist_free_all(list: ci->certinfo[i]);
713	ci->certinfo[i] = NULL;
714	}
715
716	free(ci->certinfo); / free the actual array too /
717	ci->certinfo = NULL;
718	ci->num_of_certs = `0`;
719	}
720	}
721
722	CURLcode Curl_ssl_init_certinfo(struct Curl_easy data, int* num)
723	{
724	struct curl_certinfo *ci = &data->info.certs;
725	struct curl_slist **table;
726
727	/ Free any previous certificate information structures /
728	Curl_ssl_free_certinfo(data);
729
730	/ Allocate the required certificate information structures /
731	table = calloc((size_t) num, sizeof(struct curl_slist *));
732	if(!table)
733	return CURLE_OUT_OF_MEMORY;
734
735	ci->num_of_certs = num;
736	ci->certinfo = table;
737
738	return CURLE_OK;
739	}
740
741	/*
742	* 'value' is NOT a null-terminated string
743	*/
744	CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data,
745	int certnum,
746	const char *label,
747	const char *value,
748	size_t valuelen)
749	{
750	struct curl_certinfo *ci = &data->info.certs;
751	char *output;
752	struct curl_slist *nl;
753	CURLcode result = CURLE_OK;
754	size_t labellen = strlen(s: label);
755	size_t outlen = labellen + `1` + valuelen + `1`; / label:value\0 /
756
757	output = malloc(outlen);
758	if(!output)
759	return CURLE_OUT_OF_MEMORY;
760
761	/ sprintf the label and colon /
762	msnprintf(buffer: output, maxlength: outlen, format: "%s:", label);
763
764	/ memcpy the value (it might not be null-terminated) /
765	memcpy(dest: &output[labellen + `1`], src: value, n: valuelen);
766
767	/ null-terminate the output /
768	output[labellen + `1` + valuelen] = `0`;
769
770	nl = Curl_slist_append_nodup(list: ci->certinfo[certnum], data: output);
771	if(!nl) {
772	free(output);
773	curl_slist_free_all(list: ci->certinfo[certnum]);
774	result = CURLE_OUT_OF_MEMORY;
775	}
776
777	ci->certinfo[certnum] = nl;
778	return result;
779	}
780
781	CURLcode Curl_ssl_random(struct Curl_easy *data,
782	unsigned char *entropy,
783	size_t length)
784	{
785	return Curl_ssl->random(data, entropy, length);
786	}
787
788	/*
789	* Curl_ssl_snihost() converts the input host name to a suitable SNI name put
790	* in data->state.buffer. Returns a pointer to the name (or NULL if a problem)
791	* and stores the new length in 'olen'.
792	*
793	* SNI fields must not have any trailing dot and while RFC 6066 section 3 says
794	* the SNI field is case insensitive, browsers always send the data lowercase
795	* and subsequently there are numerous servers out there that don't work
796	* unless the name is lowercased.
797	*/
798
799	char Curl_ssl_snihost(struct* Curl_easy data, const* char host, size_t olen)
800	{
801	size_t len = strlen(s: host);
802	if(len && (host[len-`1`] == `'.'`))
803	len--;
804	if(len >= data->set.buffer_size)
805	return NULL;
806
807	Curl_strntolower(dest: data->state.buffer, src: host, n: len);
808	data->state.buffer[len] = `0`;
809	if(olen)
810	*olen = len;
811	return data->state.buffer;
812	}
813
814	/*
815	* Public key pem to der conversion
816	*/
817
818	static CURLcode pubkey_pem_to_der(const char *pem,
819	unsigned char *der, size_t der_len)
820	{
821	char stripped_pem, begin_pos, *end_pos;
822	size_t pem_count, stripped_pem_count = `0`, pem_len;
823	CURLcode result;
824
825	/ if no pem, exit. /
826	if(!pem)
827	return CURLE_BAD_CONTENT_ENCODING;
828
829	begin_pos = strstr(haystack: pem, needle: "-----BEGIN PUBLIC KEY-----");
830	if(!begin_pos)
831	return CURLE_BAD_CONTENT_ENCODING;
832
833	pem_count = begin_pos - pem;
834	/ Invalid if not at beginning AND not directly following \n /
835	if(`0` != pem_count && `'\n'` != pem[pem_count - `1`])
836	return CURLE_BAD_CONTENT_ENCODING;
837
838	/ 26 is length of "-----BEGIN PUBLIC KEY-----" /
839	pem_count += `26`;
840
841	/ Invalid if not directly following \n /
842	end_pos = strstr(haystack: pem + pem_count, needle: "\n-----END PUBLIC KEY-----");
843	if(!end_pos)
844	return CURLE_BAD_CONTENT_ENCODING;
845
846	pem_len = end_pos - pem;
847
848	stripped_pem = malloc(pem_len - pem_count + `1`);
849	if(!stripped_pem)
850	return CURLE_OUT_OF_MEMORY;
851
852	/*
853	* Here we loop through the pem array one character at a time between the
854	* correct indices, and place each character that is not '\n' or '\r'
855	* into the stripped_pem array, which should represent the raw base64 string
856	*/
857	while(pem_count < pem_len) {
858	if(`'\n'` != pem[pem_count] && `'\r'` != pem[pem_count])
859	stripped_pem[stripped_pem_count++] = pem[pem_count];
860	++pem_count;
861	}
862	/ Place the null terminator in the correct place /
863	stripped_pem[stripped_pem_count] = `'\0'`;
864
865	result = Curl_base64_decode(src: stripped_pem, outptr: der, outlen: der_len);
866
867	Curl_safefree(stripped_pem);
868
869	return result;
870	}
871
872	/*
873	* Generic pinned public key check.
874	*/
875
876	CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
877	const char *pinnedpubkey,
878	const unsigned char *pubkey, size_t pubkeylen)
879	{
880	FILE *fp;
881	unsigned char buf = NULL, pem_ptr = NULL;
882	CURLcode result = CURLE_SSL_PINNEDPUBKEYNOTMATCH;
883	#ifdef CURL_DISABLE_VERBOSE_STRINGS
884	(void)data;
885	#endif
886
887	/ if a path wasn't specified, don't pin /
888	if(!pinnedpubkey)
889	return CURLE_OK;
890	if(!pubkey \|\| !pubkeylen)
891	return result;
892
893	/ only do this if pinnedpubkey starts with "sha256//", length 8 /
894	if(strncmp(s1: pinnedpubkey, s2: "sha256//", n: `8`) == `0`) {
895	CURLcode encode;
896	size_t encodedlen = `0`, pinkeylen;
897	char encoded = NULL, pinkeycopy, begin_pos, end_pos;
898	unsigned char *sha256sumdigest;
899
900	if(!Curl_ssl->sha256sum) {
901	/ without sha256 support, this cannot match /
902	return result;
903	}
904
905	/ compute sha256sum of public key /
906	sha256sumdigest = malloc(CURL_SHA256_DIGEST_LENGTH);
907	if(!sha256sumdigest)
908	return CURLE_OUT_OF_MEMORY;
909	encode = Curl_ssl->sha256sum(pubkey, pubkeylen,
910	sha256sumdigest, CURL_SHA256_DIGEST_LENGTH);
911
912	if(!encode)
913	encode = Curl_base64_encode(inputbuff: (char *)sha256sumdigest,
914	CURL_SHA256_DIGEST_LENGTH, outptr: &encoded,
915	outlen: &encodedlen);
916	Curl_safefree(sha256sumdigest);
917
918	if(encode)
919	return encode;
920
921	infof(data, " public key hash: sha256//%s", encoded);
922
923	/ it starts with sha256//, copy so we can modify it /
924	pinkeylen = strlen(s: pinnedpubkey) + `1`;
925	pinkeycopy = malloc(pinkeylen);
926	if(!pinkeycopy) {
927	Curl_safefree(encoded);
928	return CURLE_OUT_OF_MEMORY;
929	}
930	memcpy(dest: pinkeycopy, src: pinnedpubkey, n: pinkeylen);
931	/ point begin_pos to the copy, and start extracting keys /
932	begin_pos = pinkeycopy;
933	do {
934	end_pos = strstr(haystack: begin_pos, needle: ";sha256//");
935	/*
936	* if there is an end_pos, null terminate,
937	* otherwise it'll go to the end of the original string
938	*/
939	if(end_pos)
940	end_pos[`0`] = `'\0'`;
941
942	/ compare base64 sha256 digests, 8 is the length of "sha256//" /
943	if(encodedlen == strlen(s: begin_pos + `8`) &&
944	!memcmp(s1: encoded, s2: begin_pos + `8`, n: encodedlen)) {
945	result = CURLE_OK;
946	break;
947	}
948
949	/*
950	* change back the null-terminator we changed earlier,
951	* and look for next begin
952	*/
953	if(end_pos) {
954	end_pos[`0`] = `';'`;
955	begin_pos = strstr(haystack: end_pos, needle: "sha256//");
956	}
957	} while(end_pos && begin_pos);
958	Curl_safefree(encoded);
959	Curl_safefree(pinkeycopy);
960	return result;
961	}
962
963	fp = fopen(filename: pinnedpubkey, modes: "rb");
964	if(!fp)
965	return result;
966
967	do {
968	long filesize;
969	size_t size, pem_len;
970	CURLcode pem_read;
971
972	/ Determine the file's size /
973	if(fseek(stream: fp, off: `0`, SEEK_END))
974	break;
975	filesize = ftell(stream: fp);
976	if(fseek(stream: fp, off: `0`, SEEK_SET))
977	break;
978	if(filesize < `0` \|\| filesize > MAX_PINNED_PUBKEY_SIZE)
979	break;
980
981	/*
982	* if the size of our certificate is bigger than the file
983	* size then it can't match
984	*/
985	size = curlx_sotouz(sonum: (curl_off_t) filesize);
986	if(pubkeylen > size)
987	break;
988
989	/*
990	* Allocate buffer for the pinned key
991	* With 1 additional byte for null terminator in case of PEM key
992	*/
993	buf = malloc(size + `1`);
994	if(!buf)
995	break;
996
997	/ Returns number of elements read, which should be 1 /
998	if((int) fread(ptr: buf, size: size, n: `1`, stream: fp) != `1`)
999	break;
1000
1001	/ If the sizes are the same, it can't be base64 encoded, must be der /
1002	if(pubkeylen == size) {
1003	if(!memcmp(s1: pubkey, s2: buf, n: pubkeylen))
1004	result = CURLE_OK;
1005	break;
1006	}
1007
1008	/*
1009	* Otherwise we will assume it's PEM and try to decode it
1010	* after placing null terminator
1011	*/
1012	buf[size] = `'\0'`;
1013	pem_read = pubkey_pem_to_der(pem: (const char *)buf, der: &pem_ptr, der_len: &pem_len);
1014	/ if it wasn't read successfully, exit /
1015	if(pem_read)
1016	break;
1017
1018	/*
1019	* if the size of our certificate doesn't match the size of
1020	* the decoded file, they can't be the same, otherwise compare
1021	*/
1022	if(pubkeylen == pem_len && !memcmp(s1: pubkey, s2: pem_ptr, n: pubkeylen))
1023	result = CURLE_OK;
1024	} while(`0`);
1025
1026	Curl_safefree(buf);
1027	Curl_safefree(pem_ptr);
1028	fclose(stream: fp);
1029
1030	return result;
1031	}
1032
1033	/*
1034	* Check whether the SSL backend supports the status_request extension.
1035	*/
1036	bool Curl_ssl_cert_status_request(void)
1037	{
1038	return Curl_ssl->cert_status_request();
1039	}
1040
1041	/*
1042	* Check whether the SSL backend supports false start.
1043	*/
1044	bool Curl_ssl_false_start(struct Curl_easy *data)
1045	{
1046	(void)data;
1047	return Curl_ssl->false_start();
1048	}
1049
1050	/*
1051	* Default implementations for unsupported functions.
1052	*/
1053
1054	int Curl_none_init(void)
1055	{
1056	return `1`;
1057	}
1058
1059	void Curl_none_cleanup(void)
1060	{ }
1061
1062	int Curl_none_shutdown(struct Curl_cfilter *cf UNUSED_PARAM,
1063	struct Curl_easy *data UNUSED_PARAM)
1064	{
1065	(void)data;
1066	(void)cf;
1067	return `0`;
1068	}
1069
1070	int Curl_none_check_cxn(struct Curl_cfilter cf, struct* Curl_easy *data)
1071	{
1072	(void)cf;
1073	(void)data;
1074	return -`1`;
1075	}
1076
1077	CURLcode Curl_none_random(struct Curl_easy *data UNUSED_PARAM,
1078	unsigned char *entropy UNUSED_PARAM,
1079	size_t length UNUSED_PARAM)
1080	{
1081	(void)data;
1082	(void)entropy;
1083	(void)length;
1084	return CURLE_NOT_BUILT_IN;
1085	}
1086
1087	void Curl_none_close_all(struct Curl_easy *data UNUSED_PARAM)
1088	{
1089	(void)data;
1090	}
1091
1092	void Curl_none_session_free(void *ptr UNUSED_PARAM)
1093	{
1094	(void)ptr;
1095	}
1096
1097	bool Curl_none_data_pending(struct Curl_cfilter *cf UNUSED_PARAM,
1098	const struct Curl_easy *data UNUSED_PARAM)
1099	{
1100	(void)cf;
1101	(void)data;
1102	return `0`;
1103	}
1104
1105	bool Curl_none_cert_status_request(void)
1106	{
1107	return FALSE;
1108	}
1109
1110	CURLcode Curl_none_set_engine(struct Curl_easy *data UNUSED_PARAM,
1111	const char *engine UNUSED_PARAM)
1112	{
1113	(void)data;
1114	(void)engine;
1115	return CURLE_NOT_BUILT_IN;
1116	}
1117
1118	CURLcode Curl_none_set_engine_default(struct Curl_easy *data UNUSED_PARAM)
1119	{
1120	(void)data;
1121	return CURLE_NOT_BUILT_IN;
1122	}
1123
1124	struct curl_slist Curl_none_engines_list(struct* Curl_easy *data UNUSED_PARAM)
1125	{
1126	(void)data;
1127	return (struct curl_slist *)NULL;
1128	}
1129
1130	bool Curl_none_false_start(void)
1131	{
1132	return FALSE;
1133	}
1134
1135	static int multissl_init(void)
1136	{
1137	if(multissl_setup(NULL))
1138	return `1`;
1139	return Curl_ssl->init();
1140	}
1141
1142	static CURLcode multissl_connect(struct Curl_cfilter *cf,
1143	struct Curl_easy *data)
1144	{
1145	if(multissl_setup(NULL))
1146	return CURLE_FAILED_INIT;
1147	return Curl_ssl->connect_blocking(cf, data);
1148	}
1149
1150	static CURLcode multissl_connect_nonblocking(struct Curl_cfilter *cf,
1151	struct Curl_easy *data,
1152	bool *done)
1153	{
1154	if(multissl_setup(NULL))
1155	return CURLE_FAILED_INIT;
1156	return Curl_ssl->connect_nonblocking(cf, data, done);
1157	}
1158
1159	static int multissl_get_select_socks(struct Curl_cfilter *cf,
1160	struct Curl_easy *data,
1161	curl_socket_t *socks)
1162	{
1163	if(multissl_setup(NULL))
1164	return `0`;
1165	return Curl_ssl->get_select_socks(cf, data, socks);
1166	}
1167
1168	static void multissl_get_internals(struct* ssl_connect_data *connssl,
1169	CURLINFO info)
1170	{
1171	if(multissl_setup(NULL))
1172	return NULL;
1173	return Curl_ssl->get_internals(connssl, info);
1174	}
1175
1176	static void multissl_close(struct Curl_cfilter cf, struct* Curl_easy *data)
1177	{
1178	if(multissl_setup(NULL))
1179	return;
1180	Curl_ssl->close(cf, data);
1181	}
1182
1183	static ssize_t multissl_recv_plain(struct Curl_cfilter *cf,
1184	struct Curl_easy *data,
1185	char buf, size_t len, CURLcode code)
1186	{
1187	if(multissl_setup(NULL))
1188	return CURLE_FAILED_INIT;
1189	return Curl_ssl->recv_plain(cf, data, buf, len, code);
1190	}
1191
1192	static ssize_t multissl_send_plain(struct Curl_cfilter *cf,
1193	struct Curl_easy *data,
1194	const void *mem, size_t len,
1195	CURLcode *code)
1196	{
1197	if(multissl_setup(NULL))
1198	return CURLE_FAILED_INIT;
1199	return Curl_ssl->send_plain(cf, data, mem, len, code);
1200	}
1201
1202	static const struct Curl_ssl Curl_ssl_multi = {
1203	{ CURLSSLBACKEND_NONE, "multi" }, / info /
1204	`0`, / supports nothing /
1205	(size_t)-`1`, / something insanely large to be on the safe side /
1206
1207	multissl_init, / init /
1208	Curl_none_cleanup, / cleanup /
1209	multissl_version, / version /
1210	Curl_none_check_cxn, / check_cxn /
1211	Curl_none_shutdown, / shutdown /
1212	Curl_none_data_pending, / data_pending /
1213	Curl_none_random, / random /
1214	Curl_none_cert_status_request, / cert_status_request /
1215	multissl_connect, / connect /
1216	multissl_connect_nonblocking, / connect_nonblocking /
1217	multissl_get_select_socks, / getsock /
1218	multissl_get_internals, / get_internals /
1219	multissl_close, / close_one /
1220	Curl_none_close_all, / close_all /
1221	Curl_none_session_free, / session_free /
1222	Curl_none_set_engine, / set_engine /
1223	Curl_none_set_engine_default, / set_engine_default /
1224	Curl_none_engines_list, / engines_list /
1225	Curl_none_false_start, / false_start /
1226	NULL, / sha256sum /
1227	NULL, / associate_connection /
1228	NULL, / disassociate_connection /
1229	NULL, / free_multi_ssl_backend_data /
1230	multissl_recv_plain, / recv decrypted data /
1231	multissl_send_plain, / send data to encrypt /
1232	};
1233
1234	const struct Curl_ssl *Curl_ssl =
1235	#if defined(CURL_WITH_MULTI_SSL)
1236	&Curl_ssl_multi;
1237	#elif defined(USE_WOLFSSL)
1238	&Curl_ssl_wolfssl;
1239	#elif defined(USE_SECTRANSP)
1240	&Curl_ssl_sectransp;
1241	#elif defined(USE_GNUTLS)
1242	&Curl_ssl_gnutls;
1243	#elif defined(USE_MBEDTLS)
1244	&Curl_ssl_mbedtls;
1245	#elif defined(USE_RUSTLS)
1246	&Curl_ssl_rustls;
1247	#elif defined(USE_OPENSSL)
1248	&Curl_ssl_openssl;
1249	#elif defined(USE_SCHANNEL)
1250	&Curl_ssl_schannel;
1251	#elif defined(USE_BEARSSL)
1252	&Curl_ssl_bearssl;
1253	#else
1254	#error "Missing struct Curl_ssl for selected SSL backend"
1255	#endif
1256
1257	static const struct Curl_ssl *available_backends[] = {
1258	#if defined(USE_WOLFSSL)
1259	&Curl_ssl_wolfssl,
1260	#endif
1261	#if defined(USE_SECTRANSP)
1262	&Curl_ssl_sectransp,
1263	#endif
1264	#if defined(USE_GNUTLS)
1265	&Curl_ssl_gnutls,
1266	#endif
1267	#if defined(USE_MBEDTLS)
1268	&Curl_ssl_mbedtls,
1269	#endif
1270	#if defined(USE_OPENSSL)
1271	&Curl_ssl_openssl,
1272	#endif
1273	#if defined(USE_SCHANNEL)
1274	&Curl_ssl_schannel,
1275	#endif
1276	#if defined(USE_BEARSSL)
1277	&Curl_ssl_bearssl,
1278	#endif
1279	#if defined(USE_RUSTLS)
1280	&Curl_ssl_rustls,
1281	#endif
1282	NULL
1283	};
1284
1285	static size_t multissl_version(char *buffer, size_t size)
1286	{
1287	static const struct Curl_ssl *selected;
1288	static char backends[`200`];
1289	static size_t backends_len;
1290	const struct Curl_ssl *current;
1291
1292	current = Curl_ssl == &Curl_ssl_multi ? available_backends[`0`] : Curl_ssl;
1293
1294	if(current != selected) {
1295	char *p = backends;
1296	char end = backends + sizeof*(backends);
1297	int i;
1298
1299	selected = current;
1300
1301	backends[`0`] = `'\0'`;
1302
1303	for(i = `0`; available_backends[i]; ++i) {
1304	char vb[`200`];
1305	bool paren = (selected != available_backends[i]);
1306
1307	if(available_backends[i]->version(vb, sizeof(vb))) {
1308	p += msnprintf(buffer: p, maxlength: end - p, format: "%s%s%s%s", (p != backends ? " " : ""),
1309	(paren ? "(" : ""), vb, (paren ? ")" : ""));
1310	}
1311	}
1312
1313	backends_len = p - backends;
1314	}
1315
1316	if(!size)
1317	return `0`;
1318
1319	if(size <= backends_len) {
1320	strncpy(dest: buffer, src: backends, n: size - `1`);
1321	buffer[size - `1`] = `'\0'`;
1322	return size - `1`;
1323	}
1324
1325	strcpy(dest: buffer, src: backends);
1326	return backends_len;
1327	}
1328
1329	static int multissl_setup(const struct Curl_ssl *backend)
1330	{
1331	const char *env;
1332	char *env_tmp;
1333
1334	if(Curl_ssl != &Curl_ssl_multi)
1335	return `1`;
1336
1337	if(backend) {
1338	Curl_ssl = backend;
1339	return `0`;
1340	}
1341
1342	if(!available_backends[`0`])
1343	return `1`;
1344
1345	env = env_tmp = curl_getenv(variable: "CURL_SSL_BACKEND");
1346	#ifdef CURL_DEFAULT_SSL_BACKEND
1347	if(!env)
1348	env = CURL_DEFAULT_SSL_BACKEND;
1349	#endif
1350	if(env) {
1351	int i;
1352	for(i = `0`; available_backends[i]; i++) {
1353	if(strcasecompare(env, available_backends[i]->info.name)) {
1354	Curl_ssl = available_backends[i];
1355	free(env_tmp);
1356	return `0`;
1357	}
1358	}
1359	}
1360
1361	/ Fall back to first available backend /
1362	Curl_ssl = available_backends[`0`];
1363	free(env_tmp);
1364	return `0`;
1365	}
1366
1367	/ This function is used to select the SSL backend to use. It is called by*
1368	curl_global_sslset (easy.c) which uses the global init lock. /*
1369	CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1370	const curl_ssl_backend ***avail)
1371	{
1372	int i;
1373
1374	if(avail)
1375	avail = (const* curl_ssl_backend **)&available_backends;
1376
1377	if(Curl_ssl != &Curl_ssl_multi)
1378	return id == Curl_ssl->info.id \|\|
1379	(name && strcasecompare(name, Curl_ssl->info.name)) ?
1380	CURLSSLSET_OK :
1381	#if defined(CURL_WITH_MULTI_SSL)
1382	CURLSSLSET_TOO_LATE;
1383	#else
1384	CURLSSLSET_UNKNOWN_BACKEND;
1385	#endif
1386
1387	for(i = `0`; available_backends[i]; i++) {
1388	if(available_backends[i]->info.id == id \|\|
1389	(name && strcasecompare(available_backends[i]->info.name, name))) {
1390	multissl_setup(backend: available_backends[i]);
1391	return CURLSSLSET_OK;
1392	}
1393	}
1394
1395	return CURLSSLSET_UNKNOWN_BACKEND;
1396	}
1397
1398	#else /* USE_SSL */
1399	CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
1400	const curl_ssl_backend ***avail)
1401	{
1402	(void)id;
1403	(void)name;
1404	(void)avail;
1405	return CURLSSLSET_NO_BACKENDS;
1406	}
1407
1408	#endif /* !USE_SSL */
1409
1410	#ifdef USE_SSL
1411
1412	static void free_hostname(struct ssl_connect_data *connssl)
1413	{
1414	if(connssl->dispname != connssl->hostname)
1415	free(connssl->dispname);
1416	free(connssl->hostname);
1417	connssl->hostname = connssl->dispname = NULL;
1418	}
1419
1420	static void cf_close(struct Curl_cfilter cf, struct* Curl_easy *data)
1421	{
1422	struct ssl_connect_data *connssl = cf->ctx;
1423	if(connssl) {
1424	Curl_ssl->close(cf, data);
1425	connssl->state = ssl_connection_none;
1426	free_hostname(connssl);
1427	}
1428	cf->connected = FALSE;
1429	}
1430
1431	static CURLcode reinit_hostname(struct Curl_cfilter *cf)
1432	{
1433	struct ssl_connect_data *connssl = cf->ctx;
1434	const char ehostname, edispname;
1435	int eport;
1436
1437	/ We need the hostname for SNI negotiation. Once handshaked, this*
1438	* remains the SNI hostname for the TLS connection. But when the
1439	* connection is reused, the settings in cf->conn might change.
1440	* So we keep a copy of the hostname we use for SNI.
1441	*/
1442	#ifndef CURL_DISABLE_PROXY
1443	if(Curl_ssl_cf_is_proxy(cf)) {
1444	ehostname = cf->conn->http_proxy.host.name;
1445	edispname = cf->conn->http_proxy.host.dispname;
1446	eport = cf->conn->http_proxy.port;
1447	}
1448	else
1449	#endif
1450	{
1451	ehostname = cf->conn->host.name;
1452	edispname = cf->conn->host.dispname;
1453	eport = cf->conn->remote_port;
1454	}
1455
1456	/ change if ehostname changed /
1457	if(ehostname && (!connssl->hostname
1458	\|\| strcmp(s1: ehostname, s2: connssl->hostname))) {
1459	free_hostname(connssl);
1460	connssl->hostname = strdup(ehostname);
1461	if(!connssl->hostname) {
1462	free_hostname(connssl);
1463	return CURLE_OUT_OF_MEMORY;
1464	}
1465	if(!edispname \|\| !strcmp(s1: ehostname, s2: edispname))
1466	connssl->dispname = connssl->hostname;
1467	else {
1468	connssl->dispname = strdup(edispname);
1469	if(!connssl->dispname) {
1470	free_hostname(connssl);
1471	return CURLE_OUT_OF_MEMORY;
1472	}
1473	}
1474	}
1475	connssl->port = eport;
1476	return CURLE_OK;
1477	}
1478
1479	static void ssl_cf_destroy(struct Curl_cfilter cf, struct* Curl_easy *data)
1480	{
1481	struct cf_call_data save;
1482
1483	CF_DATA_SAVE(save, cf, data);
1484	cf_close(cf, data);
1485	CF_DATA_RESTORE(cf, save);
1486	cf_ctx_free(ctx: cf->ctx);
1487	cf->ctx = NULL;
1488	}
1489
1490	static void ssl_cf_close(struct Curl_cfilter *cf,
1491	struct Curl_easy *data)
1492	{
1493	struct cf_call_data save;
1494
1495	CF_DATA_SAVE(save, cf, data);
1496	cf_close(cf, data);
1497	if(cf->next)
1498	cf->next->cft->do_close(cf->next, data);
1499	CF_DATA_RESTORE(cf, save);
1500	}
1501
1502	static CURLcode ssl_cf_connect(struct Curl_cfilter *cf,
1503	struct Curl_easy *data,
1504	bool blocking, bool *done)
1505	{
1506	struct ssl_connect_data *connssl = cf->ctx;
1507	struct cf_call_data save;
1508	CURLcode result;
1509
1510	if(cf->connected) {
1511	*done = TRUE;
1512	return CURLE_OK;
1513	}
1514
1515	CF_DATA_SAVE(save, cf, data);
1516	CURL_TRC_CF(data, cf, "cf_connect()");
1517	(void)connssl;
1518	DEBUGASSERT(data->conn);
1519	DEBUGASSERT(data->conn == cf->conn);
1520	DEBUGASSERT(connssl);
1521	DEBUGASSERT(cf->conn->host.name);
1522
1523	result = cf->next->cft->do_connect(cf->next, data, blocking, done);
1524	if(result \|\| !*done)
1525	goto out;
1526
1527	*done = FALSE;
1528	result = reinit_hostname(cf);
1529	if(result)
1530	goto out;
1531
1532	if(blocking) {
1533	result = ssl_connect(cf, data);
1534	*done = (result == CURLE_OK);
1535	}
1536	else {
1537	result = ssl_connect_nonblocking(cf, data, done);
1538	}
1539
1540	if(!result && *done) {
1541	cf->connected = TRUE;
1542	connssl->handshake_done = Curl_now();
1543	DEBUGASSERT(connssl->state == ssl_connection_complete);
1544	}
1545	out:
1546	CURL_TRC_CF(data, cf, "cf_connect() -> %d, done=%d", result, *done);
1547	CF_DATA_RESTORE(cf, save);
1548	return result;
1549	}
1550
1551	static bool ssl_cf_data_pending(struct Curl_cfilter *cf,
1552	const struct Curl_easy *data)
1553	{
1554	struct cf_call_data save;
1555	bool result;
1556
1557	CF_DATA_SAVE(save, cf, data);
1558	if(Curl_ssl->data_pending(cf, data))
1559	result = TRUE;
1560	else
1561	result = cf->next->cft->has_data_pending(cf->next, data);
1562	CF_DATA_RESTORE(cf, save);
1563	return result;
1564	}
1565
1566	static ssize_t ssl_cf_send(struct Curl_cfilter *cf,
1567	struct Curl_easy data, const* void *buf, size_t len,
1568	CURLcode *err)
1569	{
1570	struct cf_call_data save;
1571	ssize_t nwritten;
1572
1573	CF_DATA_SAVE(save, cf, data);
1574	*err = CURLE_OK;
1575	nwritten = Curl_ssl->send_plain(cf, data, buf, len, err);
1576	CF_DATA_RESTORE(cf, save);
1577	return nwritten;
1578	}
1579
1580	static ssize_t ssl_cf_recv(struct Curl_cfilter *cf,
1581	struct Curl_easy data, char* *buf, size_t len,
1582	CURLcode *err)
1583	{
1584	struct cf_call_data save;
1585	ssize_t nread;
1586
1587	CF_DATA_SAVE(save, cf, data);
1588	*err = CURLE_OK;
1589	nread = Curl_ssl->recv_plain(cf, data, buf, len, err);
1590	if(nread > `0`) {
1591	DEBUGASSERT((size_t)nread <= len);
1592	}
1593	else if(nread == `0`) {
1594	/ eof /
1595	*err = CURLE_OK;
1596	}
1597	CURL_TRC_CF(data, cf, "cf_recv(len=%zu) -> %zd, %d", len, nread, *err);
1598	CF_DATA_RESTORE(cf, save);
1599	return nread;
1600	}
1601
1602	static int ssl_cf_get_select_socks(struct Curl_cfilter *cf,
1603	struct Curl_easy *data,
1604	curl_socket_t *socks)
1605	{
1606	struct cf_call_data save;
1607	int fds = GETSOCK_BLANK;
1608
1609	if(!cf->next->connected) {
1610	fds = cf->next->cft->get_select_socks(cf->next, data, socks);
1611	}
1612	else if(!cf->connected) {
1613	CF_DATA_SAVE(save, cf, data);
1614	fds = Curl_ssl->get_select_socks(cf, data, socks);
1615	CF_DATA_RESTORE(cf, save);
1616	}
1617	return fds;
1618	}
1619
1620	static CURLcode ssl_cf_cntrl(struct Curl_cfilter *cf,
1621	struct Curl_easy *data,
1622	int event, int arg1, void *arg2)
1623	{
1624	struct cf_call_data save;
1625
1626	(void)arg1;
1627	(void)arg2;
1628	switch(event) {
1629	case CF_CTRL_DATA_ATTACH:
1630	if(Curl_ssl->attach_data) {
1631	CF_DATA_SAVE(save, cf, data);
1632	Curl_ssl->attach_data(cf, data);
1633	CF_DATA_RESTORE(cf, save);
1634	}
1635	break;
1636	case CF_CTRL_DATA_DETACH:
1637	if(Curl_ssl->detach_data) {
1638	CF_DATA_SAVE(save, cf, data);
1639	Curl_ssl->detach_data(cf, data);
1640	CF_DATA_RESTORE(cf, save);
1641	}
1642	break;
1643	default:
1644	break;
1645	}
1646	return CURLE_OK;
1647	}
1648
1649	static CURLcode ssl_cf_query(struct Curl_cfilter *cf,
1650	struct Curl_easy *data,
1651	int query, int pres1, void* *pres2)
1652	{
1653	struct ssl_connect_data *connssl = cf->ctx;
1654
1655	switch(query) {
1656	case CF_QUERY_TIMER_APPCONNECT: {
1657	struct curltime *when = pres2;
1658	if(cf->connected && !Curl_ssl_cf_is_proxy(cf))
1659	*when = connssl->handshake_done;
1660	return CURLE_OK;
1661	}
1662	default:
1663	break;
1664	}
1665	return cf->next?
1666	cf->next->cft->query(cf->next, data, query, pres1, pres2) :
1667	CURLE_UNKNOWN_OPTION;
1668	}
1669
1670	static bool cf_ssl_is_alive(struct Curl_cfilter cf, struct* Curl_easy *data,
1671	bool *input_pending)
1672	{
1673	struct cf_call_data save;
1674	int result;
1675	/*
1676	* This function tries to determine connection status.
1677	*
1678	* Return codes:
1679	* 1 means the connection is still in place
1680	* 0 means the connection has been closed
1681	* -1 means the connection status is unknown
1682	*/
1683	CF_DATA_SAVE(save, cf, data);
1684	result = Curl_ssl->check_cxn(cf, data);
1685	CF_DATA_RESTORE(cf, save);
1686	if(result > `0`) {
1687	*input_pending = TRUE;
1688	return TRUE;
1689	}
1690	if(result == `0`) {
1691	*input_pending = FALSE;
1692	return FALSE;
1693	}
1694	/ ssl backend does not know /
1695	return cf->next?
1696	cf->next->cft->is_alive(cf->next, data, input_pending) :
1697	FALSE; / pessimistic in absence of data /
1698	}
1699
1700	struct Curl_cftype Curl_cft_ssl = {
1701	"SSL",
1702	CF_TYPE_SSL,
1703	CURL_LOG_LVL_NONE,
1704	ssl_cf_destroy,
1705	ssl_cf_connect,
1706	ssl_cf_close,
1707	Curl_cf_def_get_host,
1708	ssl_cf_get_select_socks,
1709	ssl_cf_data_pending,
1710	ssl_cf_send,
1711	ssl_cf_recv,
1712	ssl_cf_cntrl,
1713	cf_ssl_is_alive,
1714	Curl_cf_def_conn_keep_alive,
1715	ssl_cf_query,
1716	};
1717
1718	struct Curl_cftype Curl_cft_ssl_proxy = {
1719	"SSL-PROXY",
1720	CF_TYPE_SSL,
1721	CURL_LOG_LVL_NONE,
1722	ssl_cf_destroy,
1723	ssl_cf_connect,
1724	ssl_cf_close,
1725	Curl_cf_def_get_host,
1726	ssl_cf_get_select_socks,
1727	ssl_cf_data_pending,
1728	ssl_cf_send,
1729	ssl_cf_recv,
1730	ssl_cf_cntrl,
1731	cf_ssl_is_alive,
1732	Curl_cf_def_conn_keep_alive,
1733	Curl_cf_def_query,
1734	};
1735
1736	static CURLcode cf_ssl_create(struct Curl_cfilter **pcf,
1737	struct Curl_easy *data,
1738	struct connectdata *conn)
1739	{
1740	struct Curl_cfilter *cf = NULL;
1741	struct ssl_connect_data *ctx;
1742	CURLcode result;
1743
1744	DEBUGASSERT(data->conn);
1745
1746	ctx = cf_ctx_new(data, alpn: alpn_get_spec(httpwant: data->state.httpwant,
1747	use_alpn: conn->bits.tls_enable_alpn));
1748	if(!ctx) {
1749	result = CURLE_OUT_OF_MEMORY;
1750	goto out;
1751	}
1752
1753	result = Curl_cf_create(pcf: &cf, cft: &Curl_cft_ssl, ctx);
1754
1755	out:
1756	if(result)
1757	cf_ctx_free(ctx);
1758	*pcf = result? NULL : cf;
1759	return result;
1760	}
1761
1762	CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
1763	struct connectdata *conn,
1764	int sockindex)
1765	{
1766	struct Curl_cfilter *cf;
1767	CURLcode result;
1768
1769	result = cf_ssl_create(pcf: &cf, data, conn);
1770	if(!result)
1771	Curl_conn_cf_add(data, conn, sockindex, cf);
1772	return result;
1773	}
1774
1775	CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
1776	struct Curl_easy *data)
1777	{
1778	struct Curl_cfilter *cf;
1779	CURLcode result;
1780
1781	result = cf_ssl_create(pcf: &cf, data, conn: cf_at->conn);
1782	if(!result)
1783	Curl_conn_cf_insert_after(cf_at, cf_new: cf);
1784	return result;
1785	}
1786
1787	#ifndef CURL_DISABLE_PROXY
1788
1789	static CURLcode cf_ssl_proxy_create(struct Curl_cfilter **pcf,
1790	struct Curl_easy *data,
1791	struct connectdata *conn)
1792	{
1793	struct Curl_cfilter *cf = NULL;
1794	struct ssl_connect_data *ctx;
1795	CURLcode result;
1796	bool use_alpn = conn->bits.tls_enable_alpn;
1797	int httpwant = CURL_HTTP_VERSION_1_1;
1798
1799	#ifdef USE_HTTP2
1800	if(conn->http_proxy.proxytype == CURLPROXY_HTTPS2) {
1801	use_alpn = TRUE;
1802	httpwant = CURL_HTTP_VERSION_2;
1803	}
1804	#endif
1805
1806	ctx = cf_ctx_new(data, alpn: alpn_get_spec(httpwant, use_alpn));
1807	if(!ctx) {
1808	result = CURLE_OUT_OF_MEMORY;
1809	goto out;
1810	}
1811	result = Curl_cf_create(pcf: &cf, cft: &Curl_cft_ssl_proxy, ctx);
1812
1813	out:
1814	if(result)
1815	cf_ctx_free(ctx);
1816	*pcf = result? NULL : cf;
1817	return result;
1818	}
1819
1820	CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
1821	struct Curl_easy *data)
1822	{
1823	struct Curl_cfilter *cf;
1824	CURLcode result;
1825
1826	result = cf_ssl_proxy_create(pcf: &cf, data, conn: cf_at->conn);
1827	if(!result)
1828	Curl_conn_cf_insert_after(cf_at, cf_new: cf);
1829	return result;
1830	}
1831
1832	#endif /* !CURL_DISABLE_PROXY */
1833
1834	bool Curl_ssl_supports(struct Curl_easy data, int* option)
1835	{
1836	(void)data;
1837	return (Curl_ssl->supports & option)? TRUE : FALSE;
1838	}
1839
1840	void Curl_ssl_get_internals(struct* Curl_easy data, int* sockindex,
1841	CURLINFO info, int n)
1842	{
1843	void *result = NULL;
1844	(void)n;
1845	if(data->conn) {
1846	struct Curl_cfilter *cf;
1847	/ get first filter in chain, if any is present /
1848	cf = Curl_ssl_cf_get_ssl(cf: data->conn->cfilter[sockindex]);
1849	if(cf) {
1850	struct cf_call_data save;
1851	CF_DATA_SAVE(save, cf, data);
1852	result = Curl_ssl->get_internals(cf->ctx, info);
1853	CF_DATA_RESTORE(cf, save);
1854	}
1855	}
1856	return result;
1857	}
1858
1859	CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
1860	int sockindex)
1861	{
1862	struct Curl_cfilter cf, head;
1863	CURLcode result = CURLE_OK;
1864
1865	(void)data;
1866	head = data->conn? data->conn->cfilter[sockindex] : NULL;
1867	for(cf = head; cf; cf = cf->next) {
1868	if(cf->cft == &Curl_cft_ssl) {
1869	if(Curl_ssl->shut_down(cf, data))
1870	result = CURLE_SSL_SHUTDOWN_FAILED;
1871	Curl_conn_cf_discard_sub(cf: head, discard: cf, data, FALSE);
1872	break;
1873	}
1874	}
1875	return result;
1876	}
1877
1878	static struct Curl_cfilter get_ssl_cf_engaged(struct* connectdata *conn,
1879	int sockindex)
1880	{
1881	struct Curl_cfilter cf, lowest_ssl_cf = NULL;
1882
1883	for(cf = conn->cfilter[sockindex]; cf; cf = cf->next) {
1884	if(cf->cft == &Curl_cft_ssl \|\| cf->cft == &Curl_cft_ssl_proxy) {
1885	lowest_ssl_cf = cf;
1886	if(cf->connected \|\| (cf->next && cf->next->connected)) {
1887	/ connected or about to start /
1888	return cf;
1889	}
1890	}
1891	}
1892	return lowest_ssl_cf;
1893	}
1894
1895	bool Curl_ssl_cf_is_proxy(struct Curl_cfilter *cf)
1896	{
1897	return (cf->cft == &Curl_cft_ssl_proxy);
1898	}
1899
1900	struct ssl_config_data *
1901	Curl_ssl_cf_get_config(struct Curl_cfilter cf, struct* Curl_easy *data)
1902	{
1903	#ifdef CURL_DISABLE_PROXY
1904	(void)cf;
1905	return &data->set.ssl;
1906	#else
1907	return Curl_ssl_cf_is_proxy(cf)? &data->set.proxy_ssl : &data->set.ssl;
1908	#endif
1909	}
1910
1911	struct ssl_config_data *
1912	Curl_ssl_get_config(struct Curl_easy data, int* sockindex)
1913	{
1914	struct Curl_cfilter *cf;
1915
1916	(void)data;
1917	DEBUGASSERT(data->conn);
1918	cf = get_ssl_cf_engaged(conn: data->conn, sockindex);
1919	return cf? Curl_ssl_cf_get_config(cf, data) : &data->set.ssl;
1920	}
1921
1922	struct ssl_primary_config *
1923	Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf)
1924	{
1925	#ifdef CURL_DISABLE_PROXY
1926	return &cf->conn->ssl_config;
1927	#else
1928	return Curl_ssl_cf_is_proxy(cf)?
1929	&cf->conn->proxy_ssl_config : &cf->conn->ssl_config;
1930	#endif
1931	}
1932
1933	struct Curl_cfilter Curl_ssl_cf_get_ssl(struct* Curl_cfilter *cf)
1934	{
1935	for(; cf; cf = cf->next) {
1936	if(cf->cft == &Curl_cft_ssl \|\| cf->cft == &Curl_cft_ssl_proxy)
1937	return cf;
1938	}
1939	return NULL;
1940	}
1941
1942	CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
1943	const struct alpn_spec *spec)
1944	{
1945	size_t i, len;
1946	int off = `0`;
1947	unsigned char blen;
1948
1949	memset(s: buf, c: `0`, n: sizeof(*buf));
1950	for(i = `0`; spec && i < spec->count; ++i) {
1951	len = strlen(s: spec->entries[i]);
1952	if(len >= ALPN_NAME_MAX)
1953	return CURLE_FAILED_INIT;
1954	blen = (unsigned char)len;
1955	if(off + blen + `1` >= (int)sizeof(buf->data))
1956	return CURLE_FAILED_INIT;
1957	buf->data[off++] = blen;
1958	memcpy(dest: buf->data + off, src: spec->entries[i], n: blen);
1959	off += blen;
1960	}
1961	buf->len = off;
1962	return CURLE_OK;
1963	}
1964
1965	CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
1966	const struct alpn_spec *spec)
1967	{
1968	size_t i, len;
1969	size_t off = `0`;
1970
1971	memset(s: buf, c: `0`, n: sizeof(*buf));
1972	for(i = `0`; spec && i < spec->count; ++i) {
1973	len = strlen(s: spec->entries[i]);
1974	if(len >= ALPN_NAME_MAX)
1975	return CURLE_FAILED_INIT;
1976	if(off + len + `2` >= sizeof(buf->data))
1977	return CURLE_FAILED_INIT;
1978	if(off)
1979	buf->data[off++] = `','`;
1980	memcpy(dest: buf->data + off, src: spec->entries[i], n: len);
1981	off += len;
1982	}
1983	buf->data[off] = `'\0'`;
1984	buf->len = (int)off;
1985	return CURLE_OK;
1986	}
1987
1988	CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
1989	struct Curl_easy *data,
1990	const unsigned char *proto,
1991	size_t proto_len)
1992	{
1993	int can_multi = `0`;
1994	unsigned char *palpn =
1995	#ifndef CURL_DISABLE_PROXY
1996	(cf->conn->bits.tunnel_proxy && Curl_ssl_cf_is_proxy(cf))?
1997	&cf->conn->proxy_alpn : &cf->conn->alpn
1998	#else
1999	&cf->conn->alpn
2000	#endif
2001	;
2002
2003	if(proto && proto_len) {
2004	if(proto_len == ALPN_HTTP_1_1_LENGTH &&
2005	!memcmp(ALPN_HTTP_1_1, s2: proto, ALPN_HTTP_1_1_LENGTH)) {
2006	*palpn = CURL_HTTP_VERSION_1_1;
2007	}
2008	else if(proto_len == ALPN_HTTP_1_0_LENGTH &&
2009	!memcmp(ALPN_HTTP_1_0, s2: proto, ALPN_HTTP_1_0_LENGTH)) {
2010	*palpn = CURL_HTTP_VERSION_1_0;
2011	}
2012	#ifdef USE_HTTP2
2013	else if(proto_len == ALPN_H2_LENGTH &&
2014	!memcmp(ALPN_H2, proto, ALPN_H2_LENGTH)) {
2015	*palpn = CURL_HTTP_VERSION_2;
2016	can_multi = `1`;
2017	}
2018	#endif
2019	#ifdef USE_HTTP3
2020	else if(proto_len == ALPN_H3_LENGTH &&
2021	!memcmp(ALPN_H3, proto, ALPN_H3_LENGTH)) {
2022	*palpn = CURL_HTTP_VERSION_3;
2023	can_multi = `1`;
2024	}
2025	#endif
2026	else {
2027	*palpn = CURL_HTTP_VERSION_NONE;
2028	failf(data, fmt: "unsupported ALPN protocol: '%.s'", (int*)proto_len, proto);
2029	/ TODO: do we want to fail this? Previous code just ignored it and*
2030	* some vtls backends even ignore the return code of this function. */
2031	/ return CURLE_NOT_BUILT_IN; /
2032	goto out;
2033	}
2034	infof(data, VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR, (int)proto_len, proto);
2035	}
2036	else {
2037	*palpn = CURL_HTTP_VERSION_NONE;
2038	infof(data, VTLS_INFOF_NO_ALPN);
2039	}
2040
2041	out:
2042	if(!Curl_ssl_cf_is_proxy(cf))
2043	Curl_multiuse_state(data, bundlestate: can_multi?
2044	BUNDLE_MULTIPLEX : BUNDLE_NO_MULTIUSE);
2045	return CURLE_OK;
2046	}
2047
2048	#endif /* USE_SSL */
2049

Browse the source code of Velox/build/_deps/curl-src/lib/vtls/vtls.c