1 #ifndef HEADER_CURL_VTLS_H
2 #define HEADER_CURL_VTLS_H
3 /***************************************************************************
4  *                                  _   _ ____  _
5  *  Project                     ___| | | |  _ \| |
6  *                             / __| | | | |_) | |
7  *                            | (__| |_| |  _ <| |___
8  *                             \___|\___/|_| \_\_____|
9  *
10  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
11  *
12  * This software is licensed as described in the file COPYING, which
13  * you should have received as part of this distribution. The terms
14  * are also available at https://curl.se/docs/copyright.html.
15  *
16  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17  * copies of the Software, and permit persons to whom the Software is
18  * furnished to do so, under the terms of the COPYING file.
19  *
20  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21  * KIND, either express or implied.
22  *
23  * SPDX-License-Identifier: curl
24  *
25  ***************************************************************************/
26 #include "curl_setup.h"
27 
struct connectdata;
struct ssl_config_data;
struct ssl_primary_config;
struct Curl_ssl_session;

/* Capability bits a backend may report; tested via Curl_ssl_supports(). */
#define SSLSUPP_CA_PATH      (1<<0) /* supports CAPATH */
#define SSLSUPP_CERTINFO     (1<<1) /* supports CURLOPT_CERTINFO */
#define SSLSUPP_PINNEDPUBKEY (1<<2) /* supports CURLOPT_PINNEDPUBLICKEY */
#define SSLSUPP_SSL_CTX      (1<<3) /* supports CURLOPT_SSL_CTX */
#define SSLSUPP_HTTPS_PROXY  (1<<4) /* supports access via HTTPS proxies */
#define SSLSUPP_TLS13_CIPHERSUITES (1<<5) /* supports TLS 1.3 ciphersuites */
#define SSLSUPP_CAINFO_BLOB  (1<<6) /* supports CURLOPT_CAINFO_BLOB */

/* Common prefix of the "accepted" ALPN info messages below. */
#define ALPN_ACCEPTED "ALPN: server accepted "

/* infof() format strings for ALPN negotiation. The _1STR variants take one
 * string argument; the _LEN_1STR variant takes an int length followed by a
 * pointer to a string that need not be NUL-terminated (%.*s). */
#define VTLS_INFOF_NO_ALPN                                      \
  "ALPN: server did not agree on a protocol. Uses default."
#define VTLS_INFOF_ALPN_OFFER_1STR              \
  "ALPN: offers %s"
#define VTLS_INFOF_ALPN_ACCEPTED_1STR           \
  ALPN_ACCEPTED "%s"
#define VTLS_INFOF_ALPN_ACCEPTED_LEN_1STR       \
  ALPN_ACCEPTED "%.*s"

/* Curl_multi SSL backend-specific data; declared differently by each SSL
   backend */
struct multi_ssl_backend_data;
struct Curl_cfilter;

/* Select the SSL backend to use, by `id` or by `name`, and expose the list
 * of available backends through `avail`. The _nolock suffix indicates that
 * the caller is responsible for any locking the implementation requires
 * (presumably this backs curl_global_sslset() — confirm). */
CURLsslset Curl_init_sslset_nolock(curl_sslbackend id, const char *name,
                                   const curl_ssl_backend ***avail);

/* Upper bound on the amount of pinned public key material that is
 * accepted; presumably enforced when Curl_pin_peer_pubkey() reads a pin
 * file — confirm in the implementation. Overridable at build time. */
#ifndef MAX_PINNED_PUBKEY_SIZE
#define MAX_PINNED_PUBKEY_SIZE 1048576 /* 1MB */
#endif

/* Size of a SHA-256 digest in bytes (e.g. for sha256// public key pins). */
#ifndef CURL_SHA256_DIGEST_LENGTH
#define CURL_SHA256_DIGEST_LENGTH 32 /* fixed size */
#endif

/* Registered ALPN protocol identifiers and their lengths (strlen, i.e.
 * without the terminator).
 * see https://www.iana.org/assignments/tls-extensiontype-values/ */
#define ALPN_HTTP_1_1_LENGTH 8
#define ALPN_HTTP_1_1 "http/1.1"
#define ALPN_HTTP_1_0_LENGTH 8
#define ALPN_HTTP_1_0 "http/1.0"
#define ALPN_H2_LENGTH 2
#define ALPN_H2 "h2"
#define ALPN_H3_LENGTH 2
#define ALPN_H3 "h3"

/* conservative sizes on the ALPN entries and count we are handling,
 * we can increase these if we ever feel the need or have to accommodate
 * ALPN strings from the "outside".
 * ALPN_NAME_MAX leaves room for the longest identifier above ("http/1.1",
 * 8 bytes) plus a terminator. ALPN_PROTO_BUF_MAX adds one byte per entry,
 * enough for a length prefix or a separator (see Curl_alpn_to_proto_buf()
 * and Curl_alpn_to_proto_str()). */
#define ALPN_NAME_MAX     10
#define ALPN_ENTRIES_MAX  3
#define ALPN_PROTO_BUF_MAX   (ALPN_ENTRIES_MAX * (ALPN_NAME_MAX + 1))

/* A fixed-size list of ALPN protocol identifiers to offer. The names are
 * stored inline (presumably as NUL-terminated strings — see the converters
 * below), so a spec can be a static const table with no separate storage. */
struct alpn_spec {
  const char entries[ALPN_ENTRIES_MAX][ALPN_NAME_MAX]; /* protocol names */
  size_t count; /* number of entries in use, <= ALPN_ENTRIES_MAX */
};

/* Serialized form of an alpn_spec, filled by Curl_alpn_to_proto_buf() or
 * Curl_alpn_to_proto_str() (wire and printable forms, judging by the
 * names). Its size follows from ALPN_PROTO_BUF_MAX, so any spec within the
 * limits above fits. */
struct alpn_proto_buf {
  unsigned char data[ALPN_PROTO_BUF_MAX]; /* serialized bytes */
  int len; /* valid bytes in data, 0..ALPN_PROTO_BUF_MAX (int, not size_t) */
};

/* Serialize `spec` into `buf`. */
CURLcode Curl_alpn_to_proto_buf(struct alpn_proto_buf *buf,
                                const struct alpn_spec *spec);
/* Render `spec` into `buf` as a printable string (for info messages). */
CURLcode Curl_alpn_to_proto_str(struct alpn_proto_buf *buf,
                                const struct alpn_spec *spec);

/* Record the protocol selected on the connection behind `cf`.
 * `proto`/`proto_len` are not NUL-terminated. NOTE(review): they
 * presumably come from the peer, and the ALPN_NAME_MAX comment above says
 * the sizes do not accommodate strings from the "outside", so the
 * implementation should compare against what was offered rather than copy
 * `proto` into a fixed buffer on the strength of proto_len — confirm. */
CURLcode Curl_alpn_set_negotiated(struct Curl_cfilter *cf,
                                  struct Curl_easy *data,
                                  const unsigned char *proto,
                                  size_t proto_len);

/**
 * Get the ALPN specification to use for talking to the remote host.
 * May return NULL if ALPN is disabled on the connection.
 */
const struct alpn_spec *
Curl_alpn_get_spec(struct Curl_easy *data, struct connectdata *conn);

/**
 * Get the ALPN specification to use for talking to the proxy.
 * May return NULL if ALPN is disabled on the connection.
 */
const struct alpn_spec *
Curl_alpn_get_proxy_spec(struct Curl_easy *data, struct connectdata *conn);


/* Derive the name to send in the TLS SNI extension from `host`; its length
 * is stored in *olen. NOTE(review): the NULL-return conditions and the
 * ownership of the returned pointer are not visible from this header —
 * confirm in the implementation before freeing the result. */
char *Curl_ssl_snihost(struct Curl_easy *data, const char *host, size_t *olen);
/* True when `needle` is equivalent to `data`; presumably used when deciding
 * whether an existing connection or session may be reused. Any difference
 * that affects verification (CA, verify flags, pinning) should yield FALSE. */
bool Curl_ssl_config_matches(struct ssl_primary_config *data,
                             struct ssl_primary_config *needle);
/* Copy `source` into `dest`. Returns FALSE on failure; `dest` is then
 * presumably released with Curl_free_primary_ssl_config() — confirm. */
bool Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
                                   struct ssl_primary_config *dest);
/* Release the members owned by `sslc` (presumably those obtained by
 * Curl_clone_primary_ssl_config()). */
void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc);

/* Identify the SSL backend currently in use. */
curl_sslbackend Curl_ssl_backend(void);

#ifdef USE_SSL
/* Global backend initialization; returns 1 on success (the stand-in used
 * without USE_SSL expands to 1). */
int Curl_ssl_init(void);
/* Global backend teardown, counterpart of Curl_ssl_init(). */
void Curl_ssl_cleanup(void);
/* tell the SSL stuff to close down all open information regarding
   connections (and thus session ID caching etc) */
void Curl_ssl_close_all(struct Curl_easy *data);
/* Select the crypto engine named `engine` for `data` (presumably backs
 * CURLOPT_SSLENGINE). */
CURLcode Curl_ssl_set_engine(struct Curl_easy *data, const char *engine);
/* Sets engine as default for all SSL operations */
CURLcode Curl_ssl_set_engine_default(struct Curl_easy *data);
/* List the names of the available engines. NOTE(review): whether the
 * caller owns the returned list is not visible here — confirm. */
struct curl_slist *Curl_ssl_engines_list(struct Curl_easy *data);

/* init the SSL session ID cache; the size_t is presumably the number of
   cache slots (the parameters are unnamed in this prototype) */
CURLcode Curl_ssl_initsessions(struct Curl_easy *, size_t);
/* Write the backend's name and version into `buffer`, at most `size`
 * bytes. */
void Curl_ssl_version(char *buffer, size_t size);

/* Certificate information list handling. */

/* Drop any certificate info collected for `data`. */
void Curl_ssl_free_certinfo(struct Curl_easy *data);
/* Prepare storage for `num` certificates; call before pushing entries. */
CURLcode Curl_ssl_init_certinfo(struct Curl_easy *data, int num);
/* Add `label`/`value` to certificate number `certnum`. `value` need not be
 * NUL-terminated; `valuelen` bytes are taken. */
CURLcode Curl_ssl_push_certinfo_len(struct Curl_easy *data, int certnum,
                                    const char *label, const char *value,
                                    size_t valuelen);
/* As Curl_ssl_push_certinfo_len() for a NUL-terminated `value`. */
CURLcode Curl_ssl_push_certinfo(struct Curl_easy *data, int certnum,
                                const char *label, const char *value);

/* Functions to be used by SSL library adaptation functions */

/* Lock session cache mutex.
 * Call this before calling other Curl_ssl_*session* functions.
 * Caller should unlock this mutex as soon as possible, as it may block
 * other SSL connections from making progress.
 * The purpose of explicitly locking SSL session cache data is to allow
 * individual SSL engines to manage session lifetime in their specific way.
 */
void Curl_ssl_sessionid_lock(struct Curl_easy *data);

/* Unlock session cache mutex */
void Curl_ssl_sessionid_unlock(struct Curl_easy *data);

/* Kill a single session ID entry in the cache
 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
 * This will call engine-specific curlssl_session_free function, which must
 * take sessionid object ownership from sessionid cache
 * (e.g. decrement refcount).
 */
void Curl_ssl_kill_session(struct Curl_ssl_session *session);
/* Delete a session from the cache
 * Sessionid mutex must be locked (see Curl_ssl_sessionid_lock).
 * This will call engine-specific curlssl_session_free function, which must
 * take sessionid object ownership from sessionid cache
 * (e.g. decrement refcount).
 */
void Curl_ssl_delsessionid(struct Curl_easy *data, void *ssl_sessionid);

/* get N random bytes into the buffer
 * Check the CURLcode before using `buffer`: the non-SSL stand-in below
 * returns CURLE_NOT_BUILT_IN without touching it, and a backend may fail
 * the same way, leaving the buffer unfilled. */
CURLcode Curl_ssl_random(struct Curl_easy *data, unsigned char *buffer,
                         size_t length);
/* Check pinned public key.
 * `pinnedpubkey` is the pin specification (presumably the
 * CURLOPT_PINNEDPUBLICKEY value); `pubkey`/`pubkeylen` are the peer's
 * public key bytes. Anything but CURLE_OK means the pin did not match or
 * could not be checked; callers should treat that as fatal to the
 * handshake. */
CURLcode Curl_pin_peer_pubkey(struct Curl_easy *data,
                              const char *pinnedpubkey,
                              const unsigned char *pubkey, size_t pubkeylen);

/* True if certificate status (OCSP stapling) requests are available —
 * whether this reports backend support or a per-build setting is not
 * visible here, confirm. */
bool Curl_ssl_cert_status_request(void);

/* True if TLS False Start is to be used for `data`. */
bool Curl_ssl_false_start(struct Curl_easy *data);

/* Release the per-multi backend data. */
void Curl_free_multi_ssl_backend_data(struct multi_ssl_backend_data *mbackend);

/* Longest time a TLS shutdown (close_notify exchange) is waited for,
 * presumably. */
#define SSL_SHUTDOWN_TIMEOUT 10000 /* ms */

/* Add an SSL connection filter for socket `sockindex` of `conn`. */
CURLcode Curl_ssl_cfilter_add(struct Curl_easy *data,
                              struct connectdata *conn,
                              int sockindex);

/* Insert an SSL connection filter directly after `cf_at` in its chain. */
CURLcode Curl_cf_ssl_insert_after(struct Curl_cfilter *cf_at,
                                  struct Curl_easy *data);

/* Remove the SSL connection filter from socket `sockindex`. */
CURLcode Curl_ssl_cfilter_remove(struct Curl_easy *data,
                                 int sockindex);

#ifndef CURL_DISABLE_PROXY
/* Proxy variants of the two filter functions above: the filter talks TLS
 * to the proxy rather than to the remote host. */
CURLcode Curl_ssl_cfilter_proxy_add(struct Curl_easy *data,
                                    struct connectdata *conn,
                                    int sockindex);
CURLcode Curl_cf_ssl_proxy_insert_after(struct Curl_cfilter *cf_at,
                                        struct Curl_easy *data);
#endif /* !CURL_DISABLE_PROXY */

/**
 * Get the SSL configuration that is used on the connection.
 * This returns NULL if no SSL is configured.
 * Otherwise it returns the config of the first (highest) one that is
 * either connected, in handshake or about to start
 * (i.e. all filters below it are connected). If SSL filters are present,
 * but none can start operating, return the config of the lowest one
 * that will first come into effect when connecting.
 */
struct ssl_config_data *Curl_ssl_get_config(struct Curl_easy *data,
                                            int sockindex);

/**
 * Get the primary SSL configuration from the connection.
 * This returns NULL if no SSL is configured.
 * Otherwise it returns the config of the first (highest) one that is
 * either connected, in handshake or about to start
 * (i.e. all filters below it are connected). If SSL filters are present,
 * but none can start operating, return the config of the lowest one
 * that will first come into effect when connecting.
 */
struct ssl_primary_config *
Curl_ssl_get_primary_config(struct Curl_easy *data,
                            struct connectdata *conn,
                            int sockindex);

/**
 * True iff the underlying SSL implementation supports the option.
 * Option is one of the defined SSLSUPP_* values.
 * `data` may be NULL for the features of the default implementation.
 */
bool Curl_ssl_supports(struct Curl_easy *data, int ssl_option);

/**
 * Get the internal ssl instance (like OpenSSL's SSL*) from the filter
 * chain at `sockindex` of the type specified by `info`.
 * For `n` == 0, the first active (top down) instance is returned.
 * 1 gives the second active, etc.
 * NULL is returned when no active SSL filter is present.
 */
void *Curl_ssl_get_internals(struct Curl_easy *data, int sockindex,
                             CURLINFO info, int n);

/* Filter type descriptors for the SSL and SSL-to-proxy connection filters. */
extern struct Curl_cftype Curl_cft_ssl;
extern struct Curl_cftype Curl_cft_ssl_proxy;

#else /* if not USE_SSL */

/* When SSL support is not present, just define away these function calls.
 * Only a subset of the USE_SSL declarations has a stand-in here; anything
 * else (e.g. Curl_ssl_get_primary_config, Curl_pin_peer_pubkey,
 * Curl_ssl_delsessionid) may only be referenced from code that is itself
 * compiled under USE_SSL. These macros discard their arguments unevaluated,
 * except Curl_ssl_random() which evaluates its first one; none of them
 * writes an output, so callers must check the returned codes. */
#define Curl_ssl_init() 1
#define Curl_ssl_cleanup() Curl_nop_stmt
#define Curl_ssl_close_all(x) Curl_nop_stmt
#define Curl_ssl_set_engine(x,y) CURLE_NOT_BUILT_IN
#define Curl_ssl_set_engine_default(x) CURLE_NOT_BUILT_IN
#define Curl_ssl_engines_list(x) NULL
#define Curl_ssl_initsessions(x,y) CURLE_OK
#define Curl_ssl_free_certinfo(x) Curl_nop_stmt
#define Curl_ssl_kill_session(x) Curl_nop_stmt
#define Curl_ssl_random(x,y,z) ((void)x, CURLE_NOT_BUILT_IN)
#define Curl_ssl_cert_status_request() FALSE
#define Curl_ssl_false_start(a) FALSE
#define Curl_ssl_get_internals(a,b,c,d) NULL
#define Curl_ssl_supports(a,b) FALSE
#define Curl_ssl_cfilter_add(a,b,c) CURLE_NOT_BUILT_IN
#define Curl_ssl_cfilter_proxy_add(a,b,c) CURLE_NOT_BUILT_IN
#define Curl_ssl_get_config(a,b) NULL
#define Curl_ssl_cfilter_remove(a,b) CURLE_OK
#endif

#endif /* HEADER_CURL_VTLS_H */