1 #ifndef HEADER_CURL_VTLS_H 2 #define HEADER_CURL_VTLS_H 3 /*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 11 * 12 * This software is licensed as described in the file COPYING, which 13 * you should have received as part of this distribution. The terms 14 * are also available at https://curl.se/docs/copyright.html. 15 * 16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 17 * copies of the Software, and permit persons to whom the Software is 18 * furnished to do so, under the terms of the COPYING file. 19 * 20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 21 * KIND, either express or implied. 22 * 23 * SPDX-License-Identifier: curl 24 * 25 ***************************************************************************/ 26 #include "curl_setup.h" 27 28 struct connectdata; 29 struct ssl_config_data; 30 struct ssl_primary_config; 31 struct Curl_ssl_session; 32 33 #define SSLSUPP_CA_PATH (1<<0) /* supports CAPATH */ 34 #define SSLSUPP_CERTINFO (1<<1) /* supports CURLOPT_CERTINFO */ 35 #define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */ 36 #define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */ 37 #define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */ 38 #define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */ 39 #define SSLSUPP_CAINFO_BLOB (1<<6) 40 41 #define ALPN_ACCEPTED "ALPN: server accepted " 42 43 #define VTLS_INFOF_NO_ALPN \ 44 "ALPN: server did not agree on a protocol. Uses default." 45 #define VTLS_INFOF_ALPN_OFFER_1STR \ 46 "ALPN: curl offers %s" 47 #define VTLS_INFOF_ALPN_ACCEPTED_1STR \ 48 ALPN_ACCEPTED "%s" 49 #define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR \ 50 ALPN_ACCEPTED "%.*s" 51 52 /* Curl_multi SSL backend-specific data; declared differently by each SSL 53 backend */ 54 struct multi_ssl_backend_data; 55 struct Curl_cfilter; 56 57 CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name, 58 const curl_ssl_backend ***avail); 59 60 #ifndef MAX_PINNED_PUBKEY_SIZE 61 #define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */ 62 #endif 63 64 #ifndef CURL_SHA256_DIGEST_LENGTH 65 #define CURL_SHA256_DIGEST_LENGTH 32 /* fixed size */ 66 #endif 67 68 curl_sslbackend Curl_ssl_backend(void); 69 70 /** 71 * Init ssl config for a new easy handle. 72 */ 73 void Curl_ssl_easy_config_init(struct Curl_easy *data); 74 75 /** 76 * Init the `data->set.ssl` and `data->set.proxy_ssl` for 77 * connection matching use. 78 */ 79 CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data); 80 81 /** 82 * Init SSL configs (main + proxy) for a new connection from the easy handle. 83 */ 84 CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data, 85 struct connectdata *conn); 86 87 /** 88 * Free allocated resources in SSL configs (main + proxy) for 89 * the given connection. 90 */ 91 void Curl_ssl_conn_config_cleanup(struct connectdata *conn); 92 93 /** 94 * Return TRUE iff SSL configuration from `conn` is functionally the 95 * same as the one on `candidate`. 96 * @param proxy match the proxy SSL config or the main one 97 */ 98 bool Curl_ssl_conn_config_match(struct Curl_easy *data, 99 struct connectdata *candidate, 100 bool proxy); 101 102 /* Update certain connection SSL config flags after they have 103 * been changed on the easy handle. Will work for `verifypeer`, 104 * `verifyhost` and `verifystatus`. */ 105 void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy); 106 107 /** 108 * Init SSL peer information for filter. Can be called repeatedly. 109 */ 110 CURLcode Curl_ssl_peer_init(struct ssl_peer *peer, struct Curl_cfilter *cf); 111 /** 112 * Free all allocated data and reset peer information. 113 */ 114 void Curl_ssl_peer_cleanup(struct ssl_peer *peer); 115 116 #ifdef USE_SSL 117 int Curl_ssl_init(void); 118 void Curl_ssl_cleanup(void); 119 /* tell the SSL stuff to close down all open information regarding 120 connections (and thus session ID caching etc) */ 121 void Curl_ssl_close_all(struct Curl_easy *data); 122 CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine); 123 /* Sets engine as default for all SSL operations */ 124 CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data); 125 struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data); 126 127 /* init the SSL session ID cache */ 128 CURLcode Curl_ssl_initsessions(struct Curl_easy *, size_t); 129 void Curl_ssl_version(char *buffer, size_t size); 130 131 /* Certificate information list handling. */ 132 133 void Curl_ssl_free_certinfo(struct Curl_easy *data); 134 CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num); 135 CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data, int certnum, 136 const char *label, const char *value, 137 size_t valuelen); 138 CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum, 139 const char *label, const char *value); 140 141 /* Functions to be used by SSL library adaptation functions */ 142 143 /* Lock session cache mutex. 144 * Call this before calling other Curl_ssl_*session* functions 145 * Caller should unlock this mutex as soon as possible, as it may block 146 * other SSL connection from making progress. 147 * The purpose of explicitly locking SSL session cache data is to allow 148 * individual SSL engines to manage session lifetime in their specific way. 149 */ 150 void Curl_ssl_sessionid_lock(struct Curl_easy *data); 151 152 /* Unlock session cache mutex */ 153 void Curl_ssl_sessionid_unlock(struct Curl_easy *data); 154 155 /* Kill a single session ID entry in the cache 156 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). 157 * This will call engine-specific curlssl_session_free function, which must 158 * take sessionid object ownership from sessionid cache 159 * (e.g. decrement refcount). 160 */ 161 void Curl_ssl_kill_session(struct Curl_ssl_session *session); 162 /* delete a session from the cache 163 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). 164 * This will call engine-specific curlssl_session_free function, which must 165 * take sessionid object ownership from sessionid cache 166 * (e.g. decrement refcount). 167 */ 168 void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid); 169 170 /* get N random bytes into the buffer */ 171 CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer, 172 size_t length); 173 /* Check pinned public key. */ 174 CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, 175 const char *pinnedpubkey, 176 const unsigned char *pubkey, size_t pubkeylen); 177 178 bool Curl_ssl_cert_status_request(void); 179 180 bool Curl_ssl_false_start(struct Curl_easy *data); 181 182 void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend); 183 184 #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ 185 186 CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data, 187 struct connectdata *conn, 188 int sockindex); 189 190 CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at, 191 struct Curl_easy *data); 192 193 CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data, 194 int sockindex); 195 196 #ifndef CURL_DISABLE_PROXY 197 CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at, 198 struct Curl_easy *data); 199 #endif /* !CURL_DISABLE_PROXY */ 200 201 /** 202 * True iff the underlying SSL implementation supports the option. 203 * Option is one of the defined SSLSUPP_* values. 204 * `data` maybe NULL for the features of the default implementation. 205 */ 206 bool Curl_ssl_supports(struct Curl_easy *data, int ssl_option); 207 208 /** 209 * Get the internal ssl instance (like OpenSSL's SSL*) from the filter 210 * chain at `sockindex` of type specified by `info`. 211 * For `n` == 0, the first active (top down) instance is returned. 212 * 1 gives the second active, etc. 213 * NULL is returned when no active SSL filter is present. 214 */ 215 void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex, 216 CURLINFO info, int n); 217 218 /** 219 * Get the ssl_config_data in `data` that is relevant for cfilter `cf`. 220 */ 221 struct ssl_config_data *Curl_ssl_cf_get_config(struct Curl_cfilter *cf, 222 struct Curl_easy *data); 223 224 /** 225 * Get the primary config relevant for the filter from its connection. 226 */ 227 struct ssl_primary_config * 228 Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf); 229 230 extern struct Curl_cftype Curl_cft_ssl; 231 #ifndef CURL_DISABLE_PROXY 232 extern struct Curl_cftype Curl_cft_ssl_proxy; 233 #endif 234 235 #else /* if not USE_SSL */ 236 237 /* When SSL support is not present, just define away these function calls */ 238 #define Curl_ssl_init() 1 239 #define Curl_ssl_cleanup() Curl_nop_stmt 240 #define Curl_ssl_close_all(x) Curl_nop_stmt 241 #define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN 242 #define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN 243 #define Curl_ssl_engines_list(x) NULL 244 #define Curl_ssl_initsessions(x,y) CURLE_OK 245 #define Curl_ssl_free_certinfo(x) Curl_nop_stmt 246 #define Curl_ssl_kill_session(x) Curl_nop_stmt 247 #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN) 248 #define Curl_ssl_cert_status_request() FALSE 249 #define Curl_ssl_false_start(a) FALSE 250 #define Curl_ssl_get_internals(a,b,c,d) NULL 251 #define Curl_ssl_supports(a,b) FALSE 252 #define Curl_ssl_cfilter_add(a,b,c) CURLE_NOT_BUILT_IN 253 #define Curl_ssl_cfilter_remove(a,b) CURLE_OK 254 #define Curl_ssl_cf_get_config(a,b) NULL 255 #define Curl_ssl_cf_get_primary_config(a) NULL 256 #endif 257 258 #endif /* HEADER_CURL_VTLS_H */ 259