1 #ifndef HEADER_CURL_SSLUSE_H 2 #define HEADER_CURL_SSLUSE_H 3 /*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 11 * 12 * This software is licensed as described in the file COPYING, which 13 * you should have received as part of this distribution. The terms 14 * are also available at https://curl.se/docs/copyright.html. 15 * 16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 17 * copies of the Software, and permit persons to whom the Software is 18 * furnished to do so, under the terms of the COPYING file. 19 * 20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 21 * KIND, either express or implied. 22 * 23 * SPDX-License-Identifier: curl 24 * 25 ***************************************************************************/ 26 27 #include "curl_setup.h" 28 29 #ifdef USE_OPENSSL 30 /* 31 * This header should only be needed to get included by vtls.c, openssl.c 32 * and ngtcp2.c 33 */ 34 #include <openssl/ossl_typ.h> 35 #include <openssl/ssl.h> 36 37 #include "urldata.h" 38 39 /* Struct to hold a Curl OpenSSL instance */ 40 struct ossl_ctx { 41 /* these ones requires specific SSL-types */ 42 SSL_CTX* ssl_ctx; 43 SSL* ssl; 44 X509* server_cert; 45 BIO_METHOD *bio_method; 46 CURLcode io_result; /* result of last BIO cfilter operation */ 47 #ifndef HAVE_KEYLOG_CALLBACK 48 /* Set to true once a valid keylog entry has been created to avoid dupes. */ 49 BIT(keylog_done); 50 #endif 51 BIT(x509_store_setup); /* x509 store has been set up */ 52 BIT(reused_session); /* session-ID was reused for this */ 53 }; 54 55 typedef CURLcode Curl_ossl_ctx_setup_cb(struct Curl_cfilter *cf, 56 struct Curl_easy *data, 57 void *user_data); 58 59 typedef int Curl_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid); 60 61 CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, 62 struct Curl_cfilter *cf, 63 struct Curl_easy *data, 64 struct ssl_peer *peer, 65 int transport, /* TCP or QUIC */ 66 const unsigned char *alpn, size_t alpn_len, 67 Curl_ossl_ctx_setup_cb *cb_setup, 68 void *cb_user_data, 69 Curl_ossl_new_session_cb *cb_new_session, 70 void *ssl_user_data); 71 72 #if (OPENSSL_VERSION_NUMBER < 0x30000000L) 73 #define SSL_get1_peer_certificate SSL_get_peer_certificate 74 #endif 75 76 CURLcode Curl_ossl_verifyhost(struct Curl_easy *data, struct connectdata *conn, 77 struct ssl_peer *peer, X509 *server_cert); 78 extern const struct Curl_ssl Curl_ssl_openssl; 79 80 CURLcode Curl_ossl_set_client_cert(struct Curl_easy *data, 81 SSL_CTX *ctx, char *cert_file, 82 const struct curl_blob *cert_blob, 83 const char *cert_type, char *key_file, 84 const struct curl_blob *key_blob, 85 const char *key_type, char *key_passwd); 86 87 CURLcode Curl_ossl_certchain(struct Curl_easy *data, SSL *ssl); 88 89 /** 90 * Setup the OpenSSL X509_STORE in `ssl_ctx` for the cfilter `cf` and 91 * easy handle `data`. Will allow reuse of a shared cache if suitable 92 * and configured. 93 */ 94 CURLcode Curl_ssl_setup_x509_store(struct Curl_cfilter *cf, 95 struct Curl_easy *data, 96 SSL_CTX *ssl_ctx); 97 98 CURLcode Curl_ossl_ctx_configure(struct Curl_cfilter *cf, 99 struct Curl_easy *data, 100 SSL_CTX *ssl_ctx); 101 102 /* 103 * Add a new session to the cache. Takes ownership of the session. 104 */ 105 CURLcode Curl_ossl_add_session(struct Curl_cfilter *cf, 106 struct Curl_easy *data, 107 const struct ssl_peer *peer, 108 SSL_SESSION *ssl_sessionid); 109 110 /* 111 * Get the server cert, verify it and show it, etc., only call failf() if 112 * ssl config verifypeer or -host is set. Otherwise all this is for 113 * informational purposes only! 114 */ 115 CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf, 116 struct Curl_easy *data, 117 struct ossl_ctx *octx, 118 struct ssl_peer *peer); 119 120 #endif /* USE_OPENSSL */ 121 #endif /* HEADER_CURL_SSLUSE_H */ 122