1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) Michael Forney, <mforney@mforney.org>
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24 #include "curl_setup.h"
25
26 #ifdef USE_BEARSSL
27
28 #include <bearssl.h>
29
30 #include "bearssl.h"
31 #include "cipher_suite.h"
32 #include "urldata.h"
33 #include "sendf.h"
34 #include "inet_pton.h"
35 #include "vtls.h"
36 #include "vtls_int.h"
37 #include "connect.h"
38 #include "select.h"
39 #include "multiif.h"
40 #include "curl_printf.h"
41
42 /* The last #include files should be: */
43 #include "curl_memory.h"
44 #include "memdebug.h"
45
46 struct x509_context {
47 const br_x509_class *vtable;
48 br_x509_minimal_context minimal;
49 br_x509_decoder_context decoder;
50 bool verifyhost;
51 bool verifypeer;
52 int cert_num;
53 };
54
55 struct bearssl_ssl_backend_data {
56 br_ssl_client_context ctx;
57 struct x509_context x509;
58 unsigned char buf[BR_SSL_BUFSIZE_BIDI];
59 br_x509_trust_anchor *anchors;
60 size_t anchors_len;
61 const char *protocols[ALPN_ENTRIES_MAX];
62 /* SSL client context is active */
63 bool active;
64 /* size of pending write, yet to be flushed */
65 size_t pending_write;
66 };
67
68 struct cafile_parser {
69 CURLcode err;
70 bool in_cert;
71 br_x509_decoder_context xc;
72 /* array of trust anchors loaded from CAfile */
73 br_x509_trust_anchor *anchors;
74 size_t anchors_len;
75 /* buffer for DN data */
76 unsigned char dn[1024];
77 size_t dn_len;
78 };
79
80 #define CAFILE_SOURCE_PATH 1
81 #define CAFILE_SOURCE_BLOB 2
82 struct cafile_source {
83 int type;
84 const char *data;
85 size_t len;
86 };
87
append_dn(void * ctx,const void * buf,size_t len)88 static void append_dn(void *ctx, const void *buf, size_t len)
89 {
90 struct cafile_parser *ca = ctx;
91
92 if(ca->err != CURLE_OK || !ca->in_cert)
93 return;
94 if(sizeof(ca->dn) - ca->dn_len < len) {
95 ca->err = CURLE_FAILED_INIT;
96 return;
97 }
98 memcpy(ca->dn + ca->dn_len, buf, len);
99 ca->dn_len += len;
100 }
101
x509_push(void * ctx,const void * buf,size_t len)102 static void x509_push(void *ctx, const void *buf, size_t len)
103 {
104 struct cafile_parser *ca = ctx;
105
106 if(ca->in_cert)
107 br_x509_decoder_push(&ca->xc, buf, len);
108 }
109
load_cafile(struct cafile_source * source,br_x509_trust_anchor ** anchors,size_t * anchors_len)110 static CURLcode load_cafile(struct cafile_source *source,
111 br_x509_trust_anchor **anchors,
112 size_t *anchors_len)
113 {
114 struct cafile_parser ca;
115 br_pem_decoder_context pc;
116 br_x509_trust_anchor *ta;
117 size_t ta_size;
118 br_x509_trust_anchor *new_anchors;
119 size_t new_anchors_len;
120 br_x509_pkey *pkey;
121 FILE *fp = 0;
122 unsigned char buf[BUFSIZ];
123 const unsigned char *p = NULL;
124 const char *name;
125 size_t n = 0, i, pushed;
126
127 DEBUGASSERT(source->type == CAFILE_SOURCE_PATH
128 || source->type == CAFILE_SOURCE_BLOB);
129
130 if(source->type == CAFILE_SOURCE_PATH) {
131 fp = fopen(source->data, "rb");
132 if(!fp)
133 return CURLE_SSL_CACERT_BADFILE;
134 }
135
136 if(source->type == CAFILE_SOURCE_BLOB && source->len > (size_t)INT_MAX)
137 return CURLE_SSL_CACERT_BADFILE;
138
139 ca.err = CURLE_OK;
140 ca.in_cert = FALSE;
141 ca.anchors = NULL;
142 ca.anchors_len = 0;
143 br_pem_decoder_init(&pc);
144 br_pem_decoder_setdest(&pc, x509_push, &ca);
145 do {
146 if(source->type == CAFILE_SOURCE_PATH) {
147 n = fread(buf, 1, sizeof(buf), fp);
148 if(n == 0)
149 break;
150 p = buf;
151 }
152 else if(source->type == CAFILE_SOURCE_BLOB) {
153 n = source->len;
154 p = (unsigned char *) source->data;
155 }
156 while(n) {
157 pushed = br_pem_decoder_push(&pc, p, n);
158 if(ca.err)
159 goto fail;
160 p += pushed;
161 n -= pushed;
162
163 switch(br_pem_decoder_event(&pc)) {
164 case 0:
165 break;
166 case BR_PEM_BEGIN_OBJ:
167 name = br_pem_decoder_name(&pc);
168 if(strcmp(name, "CERTIFICATE") && strcmp(name, "X509 CERTIFICATE"))
169 break;
170 br_x509_decoder_init(&ca.xc, append_dn, &ca);
171 ca.in_cert = TRUE;
172 ca.dn_len = 0;
173 break;
174 case BR_PEM_END_OBJ:
175 if(!ca.in_cert)
176 break;
177 ca.in_cert = FALSE;
178 if(br_x509_decoder_last_error(&ca.xc)) {
179 ca.err = CURLE_SSL_CACERT_BADFILE;
180 goto fail;
181 }
182 /* add trust anchor */
183 if(ca.anchors_len == SIZE_MAX / sizeof(ca.anchors[0])) {
184 ca.err = CURLE_OUT_OF_MEMORY;
185 goto fail;
186 }
187 new_anchors_len = ca.anchors_len + 1;
188 new_anchors = realloc(ca.anchors,
189 new_anchors_len * sizeof(ca.anchors[0]));
190 if(!new_anchors) {
191 ca.err = CURLE_OUT_OF_MEMORY;
192 goto fail;
193 }
194 ca.anchors = new_anchors;
195 ca.anchors_len = new_anchors_len;
196 ta = &ca.anchors[ca.anchors_len - 1];
197 ta->dn.data = NULL;
198 ta->flags = 0;
199 if(br_x509_decoder_isCA(&ca.xc))
200 ta->flags |= BR_X509_TA_CA;
201 pkey = br_x509_decoder_get_pkey(&ca.xc);
202 if(!pkey) {
203 ca.err = CURLE_SSL_CACERT_BADFILE;
204 goto fail;
205 }
206 ta->pkey = *pkey;
207
208 /* calculate space needed for trust anchor data */
209 ta_size = ca.dn_len;
210 switch(pkey->key_type) {
211 case BR_KEYTYPE_RSA:
212 ta_size += pkey->key.rsa.nlen + pkey->key.rsa.elen;
213 break;
214 case BR_KEYTYPE_EC:
215 ta_size += pkey->key.ec.qlen;
216 break;
217 default:
218 ca.err = CURLE_FAILED_INIT;
219 goto fail;
220 }
221
222 /* fill in trust anchor DN and public key data */
223 ta->dn.data = malloc(ta_size);
224 if(!ta->dn.data) {
225 ca.err = CURLE_OUT_OF_MEMORY;
226 goto fail;
227 }
228 memcpy(ta->dn.data, ca.dn, ca.dn_len);
229 ta->dn.len = ca.dn_len;
230 switch(pkey->key_type) {
231 case BR_KEYTYPE_RSA:
232 ta->pkey.key.rsa.n = ta->dn.data + ta->dn.len;
233 memcpy(ta->pkey.key.rsa.n, pkey->key.rsa.n, pkey->key.rsa.nlen);
234 ta->pkey.key.rsa.e = ta->pkey.key.rsa.n + ta->pkey.key.rsa.nlen;
235 memcpy(ta->pkey.key.rsa.e, pkey->key.rsa.e, pkey->key.rsa.elen);
236 break;
237 case BR_KEYTYPE_EC:
238 ta->pkey.key.ec.q = ta->dn.data + ta->dn.len;
239 memcpy(ta->pkey.key.ec.q, pkey->key.ec.q, pkey->key.ec.qlen);
240 break;
241 }
242 break;
243 default:
244 ca.err = CURLE_SSL_CACERT_BADFILE;
245 goto fail;
246 }
247 }
248 } while(source->type != CAFILE_SOURCE_BLOB);
249 if(fp && ferror(fp))
250 ca.err = CURLE_READ_ERROR;
251 else if(ca.in_cert)
252 ca.err = CURLE_SSL_CACERT_BADFILE;
253
254 fail:
255 if(fp)
256 fclose(fp);
257 if(ca.err == CURLE_OK) {
258 *anchors = ca.anchors;
259 *anchors_len = ca.anchors_len;
260 }
261 else {
262 for(i = 0; i < ca.anchors_len; ++i)
263 free(ca.anchors[i].dn.data);
264 free(ca.anchors);
265 }
266
267 return ca.err;
268 }
269
x509_start_chain(const br_x509_class ** ctx,const char * server_name)270 static void x509_start_chain(const br_x509_class **ctx,
271 const char *server_name)
272 {
273 struct x509_context *x509 = (struct x509_context *)ctx;
274
275 if(!x509->verifypeer) {
276 x509->cert_num = 0;
277 return;
278 }
279
280 if(!x509->verifyhost)
281 server_name = NULL;
282 x509->minimal.vtable->start_chain(&x509->minimal.vtable, server_name);
283 }
284
x509_start_cert(const br_x509_class ** ctx,uint32_t length)285 static void x509_start_cert(const br_x509_class **ctx, uint32_t length)
286 {
287 struct x509_context *x509 = (struct x509_context *)ctx;
288
289 if(!x509->verifypeer) {
290 /* Only decode the first cert in the chain to obtain the public key */
291 if(x509->cert_num == 0)
292 br_x509_decoder_init(&x509->decoder, NULL, NULL);
293 return;
294 }
295
296 x509->minimal.vtable->start_cert(&x509->minimal.vtable, length);
297 }
298
x509_append(const br_x509_class ** ctx,const unsigned char * buf,size_t len)299 static void x509_append(const br_x509_class **ctx, const unsigned char *buf,
300 size_t len)
301 {
302 struct x509_context *x509 = (struct x509_context *)ctx;
303
304 if(!x509->verifypeer) {
305 if(x509->cert_num == 0)
306 br_x509_decoder_push(&x509->decoder, buf, len);
307 return;
308 }
309
310 x509->minimal.vtable->append(&x509->minimal.vtable, buf, len);
311 }
312
x509_end_cert(const br_x509_class ** ctx)313 static void x509_end_cert(const br_x509_class **ctx)
314 {
315 struct x509_context *x509 = (struct x509_context *)ctx;
316
317 if(!x509->verifypeer) {
318 x509->cert_num++;
319 return;
320 }
321
322 x509->minimal.vtable->end_cert(&x509->minimal.vtable);
323 }
324
x509_end_chain(const br_x509_class ** ctx)325 static unsigned x509_end_chain(const br_x509_class **ctx)
326 {
327 struct x509_context *x509 = (struct x509_context *)ctx;
328
329 if(!x509->verifypeer) {
330 return br_x509_decoder_last_error(&x509->decoder);
331 }
332
333 return x509->minimal.vtable->end_chain(&x509->minimal.vtable);
334 }
335
x509_get_pkey(const br_x509_class * const * ctx,unsigned * usages)336 static const br_x509_pkey *x509_get_pkey(const br_x509_class *const *ctx,
337 unsigned *usages)
338 {
339 struct x509_context *x509 = (struct x509_context *)ctx;
340
341 if(!x509->verifypeer) {
342 /* Nothing in the chain is verified, just return the public key of the
343 first certificate and allow its usage for both TLS_RSA_* and
344 TLS_ECDHE_* */
345 if(usages)
346 *usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN;
347 return br_x509_decoder_get_pkey(&x509->decoder);
348 }
349
350 return x509->minimal.vtable->get_pkey(&x509->minimal.vtable, usages);
351 }
352
353 static const br_x509_class x509_vtable = {
354 sizeof(struct x509_context),
355 x509_start_chain,
356 x509_start_cert,
357 x509_append,
358 x509_end_cert,
359 x509_end_chain,
360 x509_get_pkey
361 };
362
363 static const uint16_t ciphertable[] = {
364 /* RFC 2246 TLS 1.0 */
365 BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA, /* 0x000A */
366
367 /* RFC 3268 TLS 1.0 AES */
368 BR_TLS_RSA_WITH_AES_128_CBC_SHA, /* 0x002F */
369 BR_TLS_RSA_WITH_AES_256_CBC_SHA, /* 0x0035 */
370
371 /* RFC 5246 TLS 1.2 */
372 BR_TLS_RSA_WITH_AES_128_CBC_SHA256, /* 0x003C */
373 BR_TLS_RSA_WITH_AES_256_CBC_SHA256, /* 0x003D */
374
375 /* RFC 5288 TLS 1.2 AES GCM */
376 BR_TLS_RSA_WITH_AES_128_GCM_SHA256, /* 0x009C */
377 BR_TLS_RSA_WITH_AES_256_GCM_SHA384, /* 0x009D */
378
379 /* RFC 4492 TLS 1.0 ECC */
380 BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC003 */
381 BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC004 */
382 BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC005 */
383 BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, /* 0xC008 */
384 BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, /* 0xC009 */
385 BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, /* 0xC00A */
386 BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC00D */
387 BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, /* 0xC00E */
388 BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, /* 0xC00F */
389 BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, /* 0xC012 */
390 BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, /* 0xC013 */
391 BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, /* 0xC014 */
392
393 /* RFC 5289 TLS 1.2 ECC HMAC SHA256/384 */
394 BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC023 */
395 BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC024 */
396 BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, /* 0xC025 */
397 BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, /* 0xC026 */
398 BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, /* 0xC027 */
399 BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, /* 0xC028 */
400 BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, /* 0xC029 */
401 BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, /* 0xC02A */
402
403 /* RFC 5289 TLS 1.2 GCM */
404 BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02B */
405 BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02C */
406 BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, /* 0xC02D */
407 BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, /* 0xC02E */
408 BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, /* 0xC02F */
409 BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, /* 0xC030 */
410 BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, /* 0xC031 */
411 BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, /* 0xC032 */
412
413 #ifdef BR_TLS_RSA_WITH_AES_128_CCM
414 /* RFC 6655 TLS 1.2 CCM
415 Supported since BearSSL 0.6 */
416 BR_TLS_RSA_WITH_AES_128_CCM, /* 0xC09C */
417 BR_TLS_RSA_WITH_AES_256_CCM, /* 0xC09D */
418 BR_TLS_RSA_WITH_AES_128_CCM_8, /* 0xC0A0 */
419 BR_TLS_RSA_WITH_AES_256_CCM_8, /* 0xC0A1 */
420
421 /* RFC 7251 TLS 1.2 ECC CCM
422 Supported since BearSSL 0.6 */
423 BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, /* 0xC0AC */
424 BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM, /* 0xC0AD */
425 BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, /* 0xC0AE */
426 BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8, /* 0xC0AF */
427 #endif
428
429 /* RFC 7905 TLS 1.2 ChaCha20-Poly1305
430 Supported since BearSSL 0.2 */
431 BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA8 */
432 BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, /* 0xCCA9 */
433 };
434
435 #define NUM_OF_CIPHERS (sizeof(ciphertable) / sizeof(ciphertable[0]))
436
bearssl_set_selected_ciphers(struct Curl_easy * data,br_ssl_engine_context * ssl_eng,const char * ciphers)437 static CURLcode bearssl_set_selected_ciphers(struct Curl_easy *data,
438 br_ssl_engine_context *ssl_eng,
439 const char *ciphers)
440 {
441 uint16_t selected[NUM_OF_CIPHERS];
442 size_t count = 0, i;
443 const char *ptr, *end;
444
445 for(ptr = ciphers; ptr[0] != '\0' && count < NUM_OF_CIPHERS; ptr = end) {
446 uint16_t id = Curl_cipher_suite_walk_str(&ptr, &end);
447
448 /* Check if cipher is supported */
449 if(id) {
450 for(i = 0; i < NUM_OF_CIPHERS && ciphertable[i] != id; i++);
451 if(i == NUM_OF_CIPHERS)
452 id = 0;
453 }
454 if(!id) {
455 if(ptr[0] != '\0')
456 infof(data, "BearSSL: unknown cipher in list: \"%.*s\"",
457 (int) (end - ptr), ptr);
458 continue;
459 }
460
461 /* No duplicates allowed */
462 for(i = 0; i < count && selected[i] != id; i++);
463 if(i < count) {
464 infof(data, "BearSSL: duplicate cipher in list: \"%.*s\"",
465 (int) (end - ptr), ptr);
466 continue;
467 }
468
469 selected[count++] = id;
470 }
471
472 if(count == 0) {
473 failf(data, "BearSSL: no supported cipher in list");
474 return CURLE_SSL_CIPHER;
475 }
476
477 br_ssl_engine_set_suites(ssl_eng, selected, count);
478 return CURLE_OK;
479 }
480
bearssl_connect_step1(struct Curl_cfilter * cf,struct Curl_easy * data)481 static CURLcode bearssl_connect_step1(struct Curl_cfilter *cf,
482 struct Curl_easy *data)
483 {
484 struct ssl_connect_data *connssl = cf->ctx;
485 struct bearssl_ssl_backend_data *backend =
486 (struct bearssl_ssl_backend_data *)connssl->backend;
487 struct ssl_primary_config *conn_config = Curl_ssl_cf_get_primary_config(cf);
488 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
489 const struct curl_blob *ca_info_blob = conn_config->ca_info_blob;
490 const char * const ssl_cafile =
491 /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
492 (ca_info_blob ? NULL : conn_config->CAfile);
493 const char *hostname = connssl->peer.hostname;
494 const bool verifypeer = conn_config->verifypeer;
495 const bool verifyhost = conn_config->verifyhost;
496 CURLcode ret;
497 unsigned version_min, version_max;
498 int session_set = 0;
499
500 DEBUGASSERT(backend);
501 CURL_TRC_CF(data, cf, "connect_step1");
502
503 switch(conn_config->version) {
504 case CURL_SSLVERSION_SSLv2:
505 failf(data, "BearSSL does not support SSLv2");
506 return CURLE_SSL_CONNECT_ERROR;
507 case CURL_SSLVERSION_SSLv3:
508 failf(data, "BearSSL does not support SSLv3");
509 return CURLE_SSL_CONNECT_ERROR;
510 case CURL_SSLVERSION_TLSv1_0:
511 version_min = BR_TLS10;
512 version_max = BR_TLS10;
513 break;
514 case CURL_SSLVERSION_TLSv1_1:
515 version_min = BR_TLS11;
516 version_max = BR_TLS11;
517 break;
518 case CURL_SSLVERSION_TLSv1_2:
519 version_min = BR_TLS12;
520 version_max = BR_TLS12;
521 break;
522 case CURL_SSLVERSION_DEFAULT:
523 case CURL_SSLVERSION_TLSv1:
524 version_min = BR_TLS10;
525 version_max = BR_TLS12;
526 break;
527 default:
528 failf(data, "BearSSL: unknown CURLOPT_SSLVERSION");
529 return CURLE_SSL_CONNECT_ERROR;
530 }
531
532 if(verifypeer) {
533 if(ca_info_blob) {
534 struct cafile_source source;
535 source.type = CAFILE_SOURCE_BLOB;
536 source.data = ca_info_blob->data;
537 source.len = ca_info_blob->len;
538
539 CURL_TRC_CF(data, cf, "connect_step1, load ca_info_blob");
540 ret = load_cafile(&source, &backend->anchors, &backend->anchors_len);
541 if(ret != CURLE_OK) {
542 failf(data, "error importing CA certificate blob");
543 return ret;
544 }
545 }
546
547 if(ssl_cafile) {
548 struct cafile_source source;
549 source.type = CAFILE_SOURCE_PATH;
550 source.data = ssl_cafile;
551 source.len = 0;
552
553 CURL_TRC_CF(data, cf, "connect_step1, load cafile");
554 ret = load_cafile(&source, &backend->anchors, &backend->anchors_len);
555 if(ret != CURLE_OK) {
556 failf(data, "error setting certificate verify locations."
557 " CAfile: %s", ssl_cafile);
558 return ret;
559 }
560 }
561 }
562
563 /* initialize SSL context */
564 br_ssl_client_init_full(&backend->ctx, &backend->x509.minimal,
565 backend->anchors, backend->anchors_len);
566 br_ssl_engine_set_versions(&backend->ctx.eng, version_min, version_max);
567 br_ssl_engine_set_buffer(&backend->ctx.eng, backend->buf,
568 sizeof(backend->buf), 1);
569
570 if(conn_config->cipher_list) {
571 /* Override the ciphers as specified. For the default cipher list see the
572 BearSSL source code of br_ssl_client_init_full() */
573 CURL_TRC_CF(data, cf, "connect_step1, set ciphers");
574 ret = bearssl_set_selected_ciphers(data, &backend->ctx.eng,
575 conn_config->cipher_list);
576 if(ret)
577 return ret;
578 }
579
580 /* initialize X.509 context */
581 backend->x509.vtable = &x509_vtable;
582 backend->x509.verifypeer = verifypeer;
583 backend->x509.verifyhost = verifyhost;
584 br_ssl_engine_set_x509(&backend->ctx.eng, &backend->x509.vtable);
585
586 if(ssl_config->primary.sessionid) {
587 void *session;
588
589 CURL_TRC_CF(data, cf, "connect_step1, check session cache");
590 Curl_ssl_sessionid_lock(data);
591 if(!Curl_ssl_getsessionid(cf, data, &connssl->peer, &session, NULL)) {
592 br_ssl_engine_set_session_parameters(&backend->ctx.eng, session);
593 session_set = 1;
594 infof(data, "BearSSL: reusing session ID");
595 }
596 Curl_ssl_sessionid_unlock(data);
597 }
598
599 if(connssl->alpn) {
600 struct alpn_proto_buf proto;
601 size_t i;
602
603 for(i = 0; i < connssl->alpn->count; ++i) {
604 backend->protocols[i] = connssl->alpn->entries[i];
605 }
606 br_ssl_engine_set_protocol_names(&backend->ctx.eng, backend->protocols,
607 connssl->alpn->count);
608 Curl_alpn_to_proto_str(&proto, connssl->alpn);
609 infof(data, VTLS_INFOF_ALPN_OFFER_1STR, proto.data);
610 }
611
612 if(connssl->peer.type != CURL_SSL_PEER_DNS) {
613 if(verifyhost) {
614 failf(data, "BearSSL: "
615 "host verification of IP address is not supported");
616 return CURLE_PEER_FAILED_VERIFICATION;
617 }
618 hostname = NULL;
619 }
620 else {
621 if(!connssl->peer.sni) {
622 failf(data, "Failed to set SNI");
623 return CURLE_SSL_CONNECT_ERROR;
624 }
625 hostname = connssl->peer.sni;
626 CURL_TRC_CF(data, cf, "connect_step1, SNI set");
627 }
628
629 /* give application a chance to interfere with SSL set up. */
630 if(data->set.ssl.fsslctx) {
631 Curl_set_in_callback(data, true);
632 ret = (*data->set.ssl.fsslctx)(data, &backend->ctx,
633 data->set.ssl.fsslctxp);
634 Curl_set_in_callback(data, false);
635 if(ret) {
636 failf(data, "BearSSL: error signaled by ssl ctx callback");
637 return ret;
638 }
639 }
640
641 if(!br_ssl_client_reset(&backend->ctx, hostname, session_set))
642 return CURLE_FAILED_INIT;
643 backend->active = TRUE;
644
645 connssl->connecting_state = ssl_connect_2;
646
647 return CURLE_OK;
648 }
649
bearssl_adjust_pollset(struct Curl_cfilter * cf,struct Curl_easy * data,struct easy_pollset * ps)650 static void bearssl_adjust_pollset(struct Curl_cfilter *cf,
651 struct Curl_easy *data,
652 struct easy_pollset *ps)
653 {
654 if(!cf->connected) {
655 curl_socket_t sock = Curl_conn_cf_get_socket(cf->next, data);
656 if(sock != CURL_SOCKET_BAD) {
657 struct ssl_connect_data *connssl = cf->ctx;
658 struct bearssl_ssl_backend_data *backend =
659 (struct bearssl_ssl_backend_data *)connssl->backend;
660 unsigned state = br_ssl_engine_current_state(&backend->ctx.eng);
661
662 if(state & BR_SSL_SENDREC) {
663 Curl_pollset_set_out_only(data, ps, sock);
664 }
665 else {
666 Curl_pollset_set_in_only(data, ps, sock);
667 }
668 }
669 }
670 }
671
bearssl_run_until(struct Curl_cfilter * cf,struct Curl_easy * data,unsigned target)672 static CURLcode bearssl_run_until(struct Curl_cfilter *cf,
673 struct Curl_easy *data,
674 unsigned target)
675 {
676 struct ssl_connect_data *connssl = cf->ctx;
677 struct bearssl_ssl_backend_data *backend =
678 (struct bearssl_ssl_backend_data *)connssl->backend;
679 unsigned state;
680 unsigned char *buf;
681 size_t len;
682 ssize_t ret;
683 CURLcode result;
684 int err;
685
686 DEBUGASSERT(backend);
687
688 for(;;) {
689 state = br_ssl_engine_current_state(&backend->ctx.eng);
690 if(state & BR_SSL_CLOSED) {
691 err = br_ssl_engine_last_error(&backend->ctx.eng);
692 switch(err) {
693 case BR_ERR_OK:
694 /* TLS close notify */
695 if(connssl->state != ssl_connection_complete) {
696 failf(data, "SSL: connection closed during handshake");
697 return CURLE_SSL_CONNECT_ERROR;
698 }
699 return CURLE_OK;
700 case BR_ERR_X509_EXPIRED:
701 failf(data, "SSL: X.509 verification: "
702 "certificate is expired or not yet valid");
703 return CURLE_PEER_FAILED_VERIFICATION;
704 case BR_ERR_X509_BAD_SERVER_NAME:
705 failf(data, "SSL: X.509 verification: "
706 "expected server name was not found in the chain");
707 return CURLE_PEER_FAILED_VERIFICATION;
708 case BR_ERR_X509_NOT_TRUSTED:
709 failf(data, "SSL: X.509 verification: "
710 "chain could not be linked to a trust anchor");
711 return CURLE_PEER_FAILED_VERIFICATION;
712 }
713 /* X.509 errors are documented to have the range 32..63 */
714 if(err >= 32 && err < 64)
715 return CURLE_PEER_FAILED_VERIFICATION;
716 return CURLE_SSL_CONNECT_ERROR;
717 }
718 if(state & target)
719 return CURLE_OK;
720 if(state & BR_SSL_SENDREC) {
721 buf = br_ssl_engine_sendrec_buf(&backend->ctx.eng, &len);
722 ret = Curl_conn_cf_send(cf->next, data, (char *)buf, len, &result);
723 CURL_TRC_CF(data, cf, "ssl_send(len=%zu) -> %zd, %d", len, ret, result);
724 if(ret <= 0) {
725 return result;
726 }
727 br_ssl_engine_sendrec_ack(&backend->ctx.eng, ret);
728 }
729 else if(state & BR_SSL_RECVREC) {
730 buf = br_ssl_engine_recvrec_buf(&backend->ctx.eng, &len);
731 ret = Curl_conn_cf_recv(cf->next, data, (char *)buf, len, &result);
732 CURL_TRC_CF(data, cf, "ssl_recv(len=%zu) -> %zd, %d", len, ret, result);
733 if(ret == 0) {
734 failf(data, "SSL: EOF without close notify");
735 return CURLE_RECV_ERROR;
736 }
737 if(ret <= 0) {
738 return result;
739 }
740 br_ssl_engine_recvrec_ack(&backend->ctx.eng, ret);
741 }
742 }
743 }
744
bearssl_connect_step2(struct Curl_cfilter * cf,struct Curl_easy * data)745 static CURLcode bearssl_connect_step2(struct Curl_cfilter *cf,
746 struct Curl_easy *data)
747 {
748 struct ssl_connect_data *connssl = cf->ctx;
749 struct bearssl_ssl_backend_data *backend =
750 (struct bearssl_ssl_backend_data *)connssl->backend;
751 br_ssl_session_parameters session;
752 char cipher_str[64];
753 char ver_str[16];
754 CURLcode ret;
755
756 DEBUGASSERT(backend);
757 CURL_TRC_CF(data, cf, "connect_step2");
758
759 ret = bearssl_run_until(cf, data, BR_SSL_SENDAPP | BR_SSL_RECVAPP);
760 if(ret == CURLE_AGAIN)
761 return CURLE_OK;
762 if(ret == CURLE_OK) {
763 unsigned int tver;
764
765 if(br_ssl_engine_current_state(&backend->ctx.eng) == BR_SSL_CLOSED) {
766 failf(data, "SSL: connection closed during handshake");
767 return CURLE_SSL_CONNECT_ERROR;
768 }
769 connssl->connecting_state = ssl_connect_3;
770 /* Informational message */
771 tver = br_ssl_engine_get_version(&backend->ctx.eng);
772 if(tver == BR_TLS12)
773 strcpy(ver_str, "TLSv1.2");
774 else if(tver == BR_TLS11)
775 strcpy(ver_str, "TLSv1.1");
776 else if(tver == BR_TLS10)
777 strcpy(ver_str, "TLSv1.0");
778 else {
779 msnprintf(ver_str, sizeof(ver_str), "TLS 0x%04x", tver);
780 }
781 br_ssl_engine_get_session_parameters(&backend->ctx.eng, &session);
782 Curl_cipher_suite_get_str(session.cipher_suite, cipher_str,
783 sizeof(cipher_str), true);
784 infof(data, "BearSSL: %s connection using %s", ver_str, cipher_str);
785 }
786 return ret;
787 }
788
bearssl_session_free(void * sessionid,size_t idsize)789 static void bearssl_session_free(void *sessionid, size_t idsize)
790 {
791 (void)idsize;
792 free(sessionid);
793 }
794
bearssl_connect_step3(struct Curl_cfilter * cf,struct Curl_easy * data)795 static CURLcode bearssl_connect_step3(struct Curl_cfilter *cf,
796 struct Curl_easy *data)
797 {
798 struct ssl_connect_data *connssl = cf->ctx;
799 struct bearssl_ssl_backend_data *backend =
800 (struct bearssl_ssl_backend_data *)connssl->backend;
801 struct ssl_config_data *ssl_config = Curl_ssl_cf_get_config(cf, data);
802 CURLcode ret;
803
804 DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
805 DEBUGASSERT(backend);
806 CURL_TRC_CF(data, cf, "connect_step3");
807
808 if(connssl->alpn) {
809 const char *proto;
810
811 proto = br_ssl_engine_get_selected_protocol(&backend->ctx.eng);
812 Curl_alpn_set_negotiated(cf, data, (const unsigned char *)proto,
813 proto? strlen(proto) : 0);
814 }
815
816 if(ssl_config->primary.sessionid) {
817 bool incache;
818 void *oldsession;
819 br_ssl_session_parameters *session;
820
821 session = malloc(sizeof(*session));
822 if(!session)
823 return CURLE_OUT_OF_MEMORY;
824 br_ssl_engine_get_session_parameters(&backend->ctx.eng, session);
825 Curl_ssl_sessionid_lock(data);
826 incache = !(Curl_ssl_getsessionid(cf, data, &connssl->peer,
827 &oldsession, NULL));
828 if(incache)
829 Curl_ssl_delsessionid(data, oldsession);
830
831 ret = Curl_ssl_addsessionid(cf, data, &connssl->peer, session, 0,
832 bearssl_session_free);
833 Curl_ssl_sessionid_unlock(data);
834 if(ret)
835 return ret;
836 }
837
838 connssl->connecting_state = ssl_connect_done;
839
840 return CURLE_OK;
841 }
842
bearssl_send(struct Curl_cfilter * cf,struct Curl_easy * data,const void * buf,size_t len,CURLcode * err)843 static ssize_t bearssl_send(struct Curl_cfilter *cf, struct Curl_easy *data,
844 const void *buf, size_t len, CURLcode *err)
845 {
846 struct ssl_connect_data *connssl = cf->ctx;
847 struct bearssl_ssl_backend_data *backend =
848 (struct bearssl_ssl_backend_data *)connssl->backend;
849 unsigned char *app;
850 size_t applen;
851
852 DEBUGASSERT(backend);
853
854 for(;;) {
855 *err = bearssl_run_until(cf, data, BR_SSL_SENDAPP);
856 if(*err)
857 return -1;
858 app = br_ssl_engine_sendapp_buf(&backend->ctx.eng, &applen);
859 if(!app) {
860 failf(data, "SSL: connection closed during write");
861 *err = CURLE_SEND_ERROR;
862 return -1;
863 }
864 if(backend->pending_write) {
865 applen = backend->pending_write;
866 backend->pending_write = 0;
867 return applen;
868 }
869 if(applen > len)
870 applen = len;
871 memcpy(app, buf, applen);
872 br_ssl_engine_sendapp_ack(&backend->ctx.eng, applen);
873 br_ssl_engine_flush(&backend->ctx.eng, 0);
874 backend->pending_write = applen;
875 }
876 }
877
bearssl_recv(struct Curl_cfilter * cf,struct Curl_easy * data,char * buf,size_t len,CURLcode * err)878 static ssize_t bearssl_recv(struct Curl_cfilter *cf, struct Curl_easy *data,
879 char *buf, size_t len, CURLcode *err)
880 {
881 struct ssl_connect_data *connssl = cf->ctx;
882 struct bearssl_ssl_backend_data *backend =
883 (struct bearssl_ssl_backend_data *)connssl->backend;
884 unsigned char *app;
885 size_t applen;
886
887 DEBUGASSERT(backend);
888
889 *err = bearssl_run_until(cf, data, BR_SSL_RECVAPP);
890 if(*err != CURLE_OK)
891 return -1;
892 app = br_ssl_engine_recvapp_buf(&backend->ctx.eng, &applen);
893 if(!app)
894 return 0;
895 if(applen > len)
896 applen = len;
897 memcpy(buf, app, applen);
898 br_ssl_engine_recvapp_ack(&backend->ctx.eng, applen);
899
900 return applen;
901 }
902
bearssl_connect_common(struct Curl_cfilter * cf,struct Curl_easy * data,bool nonblocking,bool * done)903 static CURLcode bearssl_connect_common(struct Curl_cfilter *cf,
904 struct Curl_easy *data,
905 bool nonblocking,
906 bool *done)
907 {
908 CURLcode ret;
909 struct ssl_connect_data *connssl = cf->ctx;
910 curl_socket_t sockfd = Curl_conn_cf_get_socket(cf, data);
911 timediff_t timeout_ms;
912 int what;
913
914 CURL_TRC_CF(data, cf, "connect_common(blocking=%d)", !nonblocking);
915 /* check if the connection has already been established */
916 if(ssl_connection_complete == connssl->state) {
917 CURL_TRC_CF(data, cf, "connect_common, connected");
918 *done = TRUE;
919 return CURLE_OK;
920 }
921
922 if(ssl_connect_1 == connssl->connecting_state) {
923 ret = bearssl_connect_step1(cf, data);
924 if(ret)
925 return ret;
926 }
927
928 while(ssl_connect_2 == connssl->connecting_state ||
929 ssl_connect_2_reading == connssl->connecting_state ||
930 ssl_connect_2_writing == connssl->connecting_state) {
931 /* check allowed time left */
932 timeout_ms = Curl_timeleft(data, NULL, TRUE);
933
934 if(timeout_ms < 0) {
935 /* no need to continue if time already is up */
936 failf(data, "SSL connection timeout");
937 return CURLE_OPERATION_TIMEDOUT;
938 }
939
940 /* if ssl is expecting something, check if it's available. */
941 if(ssl_connect_2_reading == connssl->connecting_state ||
942 ssl_connect_2_writing == connssl->connecting_state) {
943
944 curl_socket_t writefd = ssl_connect_2_writing ==
945 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
946 curl_socket_t readfd = ssl_connect_2_reading ==
947 connssl->connecting_state?sockfd:CURL_SOCKET_BAD;
948
949 CURL_TRC_CF(data, cf, "connect_common, check socket");
950 what = Curl_socket_check(readfd, CURL_SOCKET_BAD, writefd,
951 nonblocking?0:timeout_ms);
952 CURL_TRC_CF(data, cf, "connect_common, check socket -> %d", what);
953 if(what < 0) {
954 /* fatal error */
955 failf(data, "select/poll on SSL socket, errno: %d", SOCKERRNO);
956 return CURLE_SSL_CONNECT_ERROR;
957 }
958 else if(0 == what) {
959 if(nonblocking) {
960 *done = FALSE;
961 return CURLE_OK;
962 }
963 else {
964 /* timeout */
965 failf(data, "SSL connection timeout");
966 return CURLE_OPERATION_TIMEDOUT;
967 }
968 }
969 /* socket is readable or writable */
970 }
971
972 /* Run transaction, and return to the caller if it failed or if this
973 * connection is done nonblocking and this loop would execute again. This
974 * permits the owner of a multi handle to abort a connection attempt
975 * before step2 has completed while ensuring that a client using select()
976 * or epoll() will always have a valid fdset to wait on.
977 */
978 ret = bearssl_connect_step2(cf, data);
979 if(ret || (nonblocking &&
980 (ssl_connect_2 == connssl->connecting_state ||
981 ssl_connect_2_reading == connssl->connecting_state ||
982 ssl_connect_2_writing == connssl->connecting_state)))
983 return ret;
984 }
985
986 if(ssl_connect_3 == connssl->connecting_state) {
987 ret = bearssl_connect_step3(cf, data);
988 if(ret)
989 return ret;
990 }
991
992 if(ssl_connect_done == connssl->connecting_state) {
993 connssl->state = ssl_connection_complete;
994 *done = TRUE;
995 }
996 else
997 *done = FALSE;
998
999 /* Reset our connect state machine */
1000 connssl->connecting_state = ssl_connect_1;
1001
1002 return CURLE_OK;
1003 }
1004
bearssl_version(char * buffer,size_t size)1005 static size_t bearssl_version(char *buffer, size_t size)
1006 {
1007 return msnprintf(buffer, size, "BearSSL");
1008 }
1009
bearssl_data_pending(struct Curl_cfilter * cf,const struct Curl_easy * data)1010 static bool bearssl_data_pending(struct Curl_cfilter *cf,
1011 const struct Curl_easy *data)
1012 {
1013 struct ssl_connect_data *ctx = cf->ctx;
1014 struct bearssl_ssl_backend_data *backend;
1015
1016 (void)data;
1017 DEBUGASSERT(ctx && ctx->backend);
1018 backend = (struct bearssl_ssl_backend_data *)ctx->backend;
1019 return br_ssl_engine_current_state(&backend->ctx.eng) & BR_SSL_RECVAPP;
1020 }
1021
bearssl_random(struct Curl_easy * data UNUSED_PARAM,unsigned char * entropy,size_t length)1022 static CURLcode bearssl_random(struct Curl_easy *data UNUSED_PARAM,
1023 unsigned char *entropy, size_t length)
1024 {
1025 static br_hmac_drbg_context ctx;
1026 static bool seeded = FALSE;
1027
1028 if(!seeded) {
1029 br_prng_seeder seeder;
1030
1031 br_hmac_drbg_init(&ctx, &br_sha256_vtable, NULL, 0);
1032 seeder = br_prng_seeder_system(NULL);
1033 if(!seeder || !seeder(&ctx.vtable))
1034 return CURLE_FAILED_INIT;
1035 seeded = TRUE;
1036 }
1037 br_hmac_drbg_generate(&ctx, entropy, length);
1038
1039 return CURLE_OK;
1040 }
1041
bearssl_connect(struct Curl_cfilter * cf,struct Curl_easy * data)1042 static CURLcode bearssl_connect(struct Curl_cfilter *cf,
1043 struct Curl_easy *data)
1044 {
1045 CURLcode ret;
1046 bool done = FALSE;
1047
1048 ret = bearssl_connect_common(cf, data, FALSE, &done);
1049 if(ret)
1050 return ret;
1051
1052 DEBUGASSERT(done);
1053
1054 return CURLE_OK;
1055 }
1056
bearssl_connect_nonblocking(struct Curl_cfilter * cf,struct Curl_easy * data,bool * done)1057 static CURLcode bearssl_connect_nonblocking(struct Curl_cfilter *cf,
1058 struct Curl_easy *data,
1059 bool *done)
1060 {
1061 return bearssl_connect_common(cf, data, TRUE, done);
1062 }
1063
bearssl_get_internals(struct ssl_connect_data * connssl,CURLINFO info UNUSED_PARAM)1064 static void *bearssl_get_internals(struct ssl_connect_data *connssl,
1065 CURLINFO info UNUSED_PARAM)
1066 {
1067 struct bearssl_ssl_backend_data *backend =
1068 (struct bearssl_ssl_backend_data *)connssl->backend;
1069 DEBUGASSERT(backend);
1070 return &backend->ctx;
1071 }
1072
bearssl_close(struct Curl_cfilter * cf,struct Curl_easy * data)1073 static void bearssl_close(struct Curl_cfilter *cf, struct Curl_easy *data)
1074 {
1075 struct ssl_connect_data *connssl = cf->ctx;
1076 struct bearssl_ssl_backend_data *backend =
1077 (struct bearssl_ssl_backend_data *)connssl->backend;
1078 size_t i;
1079
1080 DEBUGASSERT(backend);
1081
1082 if(backend->active) {
1083 backend->active = FALSE;
1084 br_ssl_engine_close(&backend->ctx.eng);
1085 (void)bearssl_run_until(cf, data, BR_SSL_CLOSED);
1086 }
1087 if(backend->anchors) {
1088 for(i = 0; i < backend->anchors_len; ++i)
1089 free(backend->anchors[i].dn.data);
1090 Curl_safefree(backend->anchors);
1091 }
1092 }
1093
bearssl_sha256sum(const unsigned char * input,size_t inputlen,unsigned char * sha256sum,size_t sha256len UNUSED_PARAM)1094 static CURLcode bearssl_sha256sum(const unsigned char *input,
1095 size_t inputlen,
1096 unsigned char *sha256sum,
1097 size_t sha256len UNUSED_PARAM)
1098 {
1099 br_sha256_context ctx;
1100
1101 br_sha256_init(&ctx);
1102 br_sha256_update(&ctx, input, inputlen);
1103 br_sha256_out(&ctx, sha256sum);
1104 return CURLE_OK;
1105 }
1106
1107 const struct Curl_ssl Curl_ssl_bearssl = {
1108 { CURLSSLBACKEND_BEARSSL, "bearssl" }, /* info */
1109 SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX | SSLSUPP_HTTPS_PROXY,
1110 sizeof(struct bearssl_ssl_backend_data),
1111
1112 Curl_none_init, /* init */
1113 Curl_none_cleanup, /* cleanup */
1114 bearssl_version, /* version */
1115 Curl_none_check_cxn, /* check_cxn */
1116 Curl_none_shutdown, /* shutdown */
1117 bearssl_data_pending, /* data_pending */
1118 bearssl_random, /* random */
1119 Curl_none_cert_status_request, /* cert_status_request */
1120 bearssl_connect, /* connect */
1121 bearssl_connect_nonblocking, /* connect_nonblocking */
1122 bearssl_adjust_pollset, /* adjust_pollset */
1123 bearssl_get_internals, /* get_internals */
1124 bearssl_close, /* close_one */
1125 Curl_none_close_all, /* close_all */
1126 Curl_none_set_engine, /* set_engine */
1127 Curl_none_set_engine_default, /* set_engine_default */
1128 Curl_none_engines_list, /* engines_list */
1129 Curl_none_false_start, /* false_start */
1130 bearssl_sha256sum, /* sha256sum */
1131 NULL, /* associate_connection */
1132 NULL, /* disassociate_connection */
1133 NULL, /* free_multi_ssl_backend_data */
1134 bearssl_recv, /* recv decrypted data */
1135 bearssl_send, /* send data to encrypt */
1136 };
1137
1138 #endif /* USE_BEARSSL */
1139