1 #ifndef HEADER_CURL_VTLS_H 2 #define HEADER_CURL_VTLS_H 3 /*************************************************************************** 4 * _ _ ____ _ 5 * Project ___| | | | _ \| | 6 * / __| | | | |_) | | 7 * | (__| |_| | _ <| |___ 8 * \___|\___/|_| \_\_____| 9 * 10 * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 11 * 12 * This software is licensed as described in the file COPYING, which 13 * you should have received as part of this distribution. The terms 14 * are also available at https://curl.se/docs/copyright.html. 15 * 16 * You may opt to use, copy, modify, merge, publish, distribute and/or sell 17 * copies of the Software, and permit persons to whom the Software is 18 * furnished to do so, under the terms of the COPYING file. 19 * 20 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 21 * KIND, either express or implied. 22 * 23 * SPDX-License-Identifier: curl 24 * 25 ***************************************************************************/ 26 #include "curl_setup.h" 27 28 struct connectdata; 29 struct ssl_config_data; 30 struct ssl_primary_config; 31 struct Curl_ssl_session; 32 33 #define SSLSUPP_CA_PATH (1<<0) /* supports CAPATH */ 34 #define SSLSUPP_CERTINFO (1<<1) /* supports CURLOPT_CERTINFO */ 35 #define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */ 36 #define SSLSUPP_SSL_CTX (1<<3) /* supports CURLOPT_SSL_CTX */ 37 #define SSLSUPP_HTTPS_PROXY (1<<4) /* supports access via HTTPS proxies */ 38 #define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */ 39 #define SSLSUPP_CAINFO_BLOB (1<<6) 40 #define SSLSUPP_ECH (1<<7) 41 42 #define ALPN_ACCEPTED "ALPN: server accepted " 43 44 #define VTLS_INFOF_NO_ALPN \ 45 "ALPN: server did not agree on a protocol. Uses default." 46 #define VTLS_INFOF_ALPN_OFFER_1STR \ 47 "ALPN: curl offers %s" 48 #define VTLS_INFOF_ALPN_ACCEPTED_1STR \ 49 ALPN_ACCEPTED "%s" 50 #define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR \ 51 ALPN_ACCEPTED "%.*s" 52 53 /* Curl_multi SSL backend-specific data; declared differently by each SSL 54 backend */ 55 struct multi_ssl_backend_data; 56 struct Curl_cfilter; 57 58 CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name, 59 const curl_ssl_backend ***avail); 60 61 #ifndef MAX_PINNED_PUBKEY_SIZE 62 #define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */ 63 #endif 64 65 #ifndef CURL_SHA256_DIGEST_LENGTH 66 #define CURL_SHA256_DIGEST_LENGTH 32 /* fixed size */ 67 #endif 68 69 curl_sslbackend Curl_ssl_backend(void); 70 71 /** 72 * Init ssl config for a new easy handle. 73 */ 74 void Curl_ssl_easy_config_init(struct Curl_easy *data); 75 76 /** 77 * Init the `data->set.ssl` and `data->set.proxy_ssl` for 78 * connection matching use. 79 */ 80 CURLcode Curl_ssl_easy_config_complete(struct Curl_easy *data); 81 82 /** 83 * Init SSL configs (main + proxy) for a new connection from the easy handle. 84 */ 85 CURLcode Curl_ssl_conn_config_init(struct Curl_easy *data, 86 struct connectdata *conn); 87 88 /** 89 * Free allocated resources in SSL configs (main + proxy) for 90 * the given connection. 91 */ 92 void Curl_ssl_conn_config_cleanup(struct connectdata *conn); 93 94 /** 95 * Return TRUE iff SSL configuration from `conn` is functionally the 96 * same as the one on `candidate`. 97 * @param proxy match the proxy SSL config or the main one 98 */ 99 bool Curl_ssl_conn_config_match(struct Curl_easy *data, 100 struct connectdata *candidate, 101 bool proxy); 102 103 /* Update certain connection SSL config flags after they have 104 * been changed on the easy handle. Will work for `verifypeer`, 105 * `verifyhost` and `verifystatus`. */ 106 void Curl_ssl_conn_config_update(struct Curl_easy *data, bool for_proxy); 107 108 /** 109 * Init SSL peer information for filter. Can be called repeatedly. 110 */ 111 CURLcode Curl_ssl_peer_init(struct ssl_peer *peer, 112 struct Curl_cfilter *cf, int transport); 113 /** 114 * Free all allocated data and reset peer information. 115 */ 116 void Curl_ssl_peer_cleanup(struct ssl_peer *peer); 117 118 #ifdef USE_SSL 119 int Curl_ssl_init(void); 120 void Curl_ssl_cleanup(void); 121 /* tell the SSL stuff to close down all open information regarding 122 connections (and thus session ID caching etc) */ 123 void Curl_ssl_close_all(struct Curl_easy *data); 124 CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine); 125 /* Sets engine as default for all SSL operations */ 126 CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data); 127 struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data); 128 129 /* init the SSL session ID cache */ 130 CURLcode Curl_ssl_initsessions(struct Curl_easy *, size_t); 131 void Curl_ssl_version(char *buffer, size_t size); 132 133 /* Certificate information list handling. */ 134 135 void Curl_ssl_free_certinfo(struct Curl_easy *data); 136 CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num); 137 CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data, int certnum, 138 const char *label, const char *value, 139 size_t valuelen); 140 CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum, 141 const char *label, const char *value); 142 143 /* Functions to be used by SSL library adaptation functions */ 144 145 /* Lock session cache mutex. 146 * Call this before calling other Curl_ssl_*session* functions 147 * Caller should unlock this mutex as soon as possible, as it may block 148 * other SSL connection from making progress. 149 * The purpose of explicitly locking SSL session cache data is to allow 150 * individual SSL engines to manage session lifetime in their specific way. 151 */ 152 void Curl_ssl_sessionid_lock(struct Curl_easy *data); 153 154 /* Unlock session cache mutex */ 155 void Curl_ssl_sessionid_unlock(struct Curl_easy *data); 156 157 /* Kill a single session ID entry in the cache 158 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). 159 * This will call engine-specific curlssl_session_free function, which must 160 * take sessionid object ownership from sessionid cache 161 * (e.g. decrement refcount). 162 */ 163 void Curl_ssl_kill_session(struct Curl_ssl_session *session); 164 /* delete a session from the cache 165 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock). 166 * This will call engine-specific curlssl_session_free function, which must 167 * take sessionid object ownership from sessionid cache 168 * (e.g. decrement refcount). 169 */ 170 void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid); 171 172 /* get N random bytes into the buffer */ 173 CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer, 174 size_t length); 175 /* Check pinned public key. */ 176 CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data, 177 const char *pinnedpubkey, 178 const unsigned char *pubkey, size_t pubkeylen); 179 180 bool Curl_ssl_cert_status_request(void); 181 182 bool Curl_ssl_false_start(struct Curl_easy *data); 183 184 void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend); 185 186 #define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */ 187 188 CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data, 189 struct connectdata *conn, 190 int sockindex); 191 192 CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at, 193 struct Curl_easy *data); 194 195 CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data, 196 int sockindex); 197 198 #ifndef CURL_DISABLE_PROXY 199 CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at, 200 struct Curl_easy *data); 201 #endif /* !CURL_DISABLE_PROXY */ 202 203 /** 204 * True iff the underlying SSL implementation supports the option. 205 * Option is one of the defined SSLSUPP_* values. 206 * `data` maybe NULL for the features of the default implementation. 207 */ 208 bool Curl_ssl_supports(struct Curl_easy *data, int ssl_option); 209 210 /** 211 * Get the internal ssl instance (like OpenSSL's SSL*) from the filter 212 * chain at `sockindex` of type specified by `info`. 213 * For `n` == 0, the first active (top down) instance is returned. 214 * 1 gives the second active, etc. 215 * NULL is returned when no active SSL filter is present. 216 */ 217 void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex, 218 CURLINFO info, int n); 219 220 /** 221 * Get the ssl_config_data in `data` that is relevant for cfilter `cf`. 222 */ 223 struct ssl_config_data *Curl_ssl_cf_get_config(struct Curl_cfilter *cf, 224 struct Curl_easy *data); 225 226 /** 227 * Get the primary config relevant for the filter from its connection. 228 */ 229 struct ssl_primary_config * 230 Curl_ssl_cf_get_primary_config(struct Curl_cfilter *cf); 231 232 extern struct Curl_cftype Curl_cft_ssl; 233 #ifndef CURL_DISABLE_PROXY 234 extern struct Curl_cftype Curl_cft_ssl_proxy; 235 #endif 236 237 #else /* if not USE_SSL */ 238 239 /* When SSL support is not present, just define away these function calls */ 240 #define Curl_ssl_init() 1 241 #define Curl_ssl_cleanup() Curl_nop_stmt 242 #define Curl_ssl_close_all(x) Curl_nop_stmt 243 #define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN 244 #define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN 245 #define Curl_ssl_engines_list(x) NULL 246 #define Curl_ssl_initsessions(x,y) CURLE_OK 247 #define Curl_ssl_free_certinfo(x) Curl_nop_stmt 248 #define Curl_ssl_kill_session(x) Curl_nop_stmt 249 #define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN) 250 #define Curl_ssl_cert_status_request() FALSE 251 #define Curl_ssl_false_start(a) FALSE 252 #define Curl_ssl_get_internals(a,b,c,d) NULL 253 #define Curl_ssl_supports(a,b) FALSE 254 #define Curl_ssl_cfilter_add(a,b,c) CURLE_NOT_BUILT_IN 255 #define Curl_ssl_cfilter_remove(a,b) CURLE_OK 256 #define Curl_ssl_cf_get_config(a,b) NULL 257 #define Curl_ssl_cf_get_primary_config(a) NULL 258 #endif 259 260 #endif /* HEADER_CURL_VTLS_H */ 261