Lines Matching +full:gnutls +full:- +full:version
21 * SPDX-License-Identifier: curl
26 * Source file for all GnuTLS-specific code for the TLS/SSL layer. No code
29 * Note: don't use the GnuTLS' *_t variable type names in this source code,
37 #include <gnutls/abstract.h>
38 #include <gnutls/gnutls.h>
39 #include <gnutls/x509.h>
40 #include <gnutls/crypto.h>
68 "NORMAL:-VERS-ALL:+VERS-TLS1.3:-CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:" \
69 "+CHACHA20-POLY1305:+AES-128-CCM:-GROUP-ALL:+GROUP-SECP256R1:" \
70 "+GROUP-X25519:+GROUP-SECP384R1:+GROUP-SECP521R1:" \
73 /* Enable GnuTLS debugging by defining GTLSDEBUG */
85 #error "too old GnuTLS version"
88 # include <gnutls/ocsp.h>
97 struct ssl_connect_data *connssl = cf->ctx; in gtls_push()
99 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_push()
105 nwritten = Curl_conn_cf_send(cf->next, data, buf, blen, &result); in gtls_push()
106 CURL_TRC_CF(data, cf, "gtls_push(len=%zu) -> %zd, err=%d", in gtls_push()
108 backend->gtls.io_result = result; in gtls_push()
110 gnutls_transport_set_errno(backend->gtls.session, in gtls_push()
112 nwritten = -1; in gtls_push()
120 struct ssl_connect_data *connssl = cf->ctx; in gtls_pull()
122 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_pull()
128 if(!backend->gtls.trust_setup) { in gtls_pull()
129 result = Curl_gtls_client_trust_setup(cf, data, &backend->gtls); in gtls_pull()
131 gnutls_transport_set_errno(backend->gtls.session, EINVAL); in gtls_pull()
132 backend->gtls.io_result = result; in gtls_pull()
133 return -1; in gtls_pull()
137 nread = Curl_conn_cf_recv(cf->next, data, buf, blen, &result); in gtls_pull()
138 CURL_TRC_CF(data, cf, "glts_pull(len=%zu) -> %zd, err=%d", in gtls_pull()
140 backend->gtls.io_result = result; in gtls_pull()
142 gnutls_transport_set_errno(backend->gtls.session, in gtls_pull()
144 nread = -1; in gtls_pull()
147 connssl->peer_closed = TRUE; in gtls_pull()
153 * Global GnuTLS init, called from Curl_ssl_init(). This calls functions that
154 * are not thread-safe and thus this function itself is not thread-safe and
196 Curl_wkday[tm->tm_wday?tm->tm_wday-1:6], in showtime()
197 tm->tm_mday, in showtime()
198 Curl_month[tm->tm_mon], in showtime()
199 tm->tm_year + 1900, in showtime()
200 tm->tm_hour, in showtime()
201 tm->tm_min, in showtime()
202 tm->tm_sec); in showtime()
240 /* this function does a SSL/TLS (re-)handshake */
246 struct ssl_connect_data *connssl = cf->ctx; in handshake()
248 (struct gtls_ssl_backend_data *)connssl->backend; in handshake()
253 session = backend->gtls.session; in handshake()
269 if(connssl->connecting_state == ssl_connect_2_reading in handshake()
270 || connssl->connecting_state == ssl_connect_2_writing) { in handshake()
273 connssl->connecting_state?sockfd:CURL_SOCKET_BAD; in handshake()
275 connssl->connecting_state?sockfd:CURL_SOCKET_BAD; in handshake()
297 backend->gtls.io_result = CURLE_OK; in handshake()
300 if(!backend->gtls.trust_setup) { in handshake()
303 CURLcode result = Curl_gtls_client_trust_setup(cf, data, &backend->gtls); in handshake()
309 connssl->connecting_state = in handshake()
328 else if((rc < 0) && backend->gtls.io_result) { in handshake()
329 return backend->gtls.io_result; in handshake()
347 connssl->connecting_state = ssl_connect_1; in handshake()
363 #define GNUTLS_CIPHERS "NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509"
364 /* If GnuTLS was compiled without support for SRP it will error out if SRP is
376 long ssl_version = conn_config->version; in set_ssl_version_min_max()
377 long ssl_version_max = conn_config->version_max; in set_ssl_version_min_max()
379 if(peer->transport == TRNSPRT_QUIC) { in set_ssl_version_min_max()
382 failf(data, "QUIC needs at least TLS version 1.3"); in set_ssl_version_min_max()
395 /* If the running GnuTLS doesn't support TLS 1.3, we must not specify a in set_ssl_version_min_max()
396 prioritylist involving that since it will make GnuTLS return an en in set_ssl_version_min_max()
409 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
410 "+VERS-TLS1.0"; in set_ssl_version_min_max()
413 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
414 "+VERS-TLS1.1:+VERS-TLS1.0"; in set_ssl_version_min_max()
417 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
418 "+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0"; in set_ssl_version_min_max()
421 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
422 "+VERS-TLS1.1"; in set_ssl_version_min_max()
425 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
426 "+VERS-TLS1.2:+VERS-TLS1.1"; in set_ssl_version_min_max()
429 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
430 "+VERS-TLS1.2"; in set_ssl_version_min_max()
433 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
434 "+VERS-TLS1.3"; in set_ssl_version_min_max()
437 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0"; in set_ssl_version_min_max()
440 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
441 "+VERS-TLS1.3:+VERS-TLS1.2:+VERS-TLS1.1"; in set_ssl_version_min_max()
444 *prioritylist = GNUTLS_CIPHERS ":-VERS-SSL3.0:-VERS-TLS-ALL:" in set_ssl_version_min_max()
445 "+VERS-TLS1.3:+VERS-TLS1.2"; in set_ssl_version_min_max()
449 failf(data, "GnuTLS: cannot set ssl protocol"); in set_ssl_version_min_max()
462 if(config->verifypeer) { in Curl_gtls_client_trust_setup()
465 if(ssl_config->native_ca_store) { in Curl_gtls_client_trust_setup()
466 rc = gnutls_certificate_set_x509_system_trust(gtls->cred); in Curl_gtls_client_trust_setup()
477 if(config->CAfile) { in Curl_gtls_client_trust_setup()
479 gnutls_certificate_set_verify_flags(gtls->cred, in Curl_gtls_client_trust_setup()
482 rc = gnutls_certificate_set_x509_trust_file(gtls->cred, in Curl_gtls_client_trust_setup()
483 config->CAfile, in Curl_gtls_client_trust_setup()
487 config->CAfile, gnutls_strerror(rc), in Curl_gtls_client_trust_setup()
490 ssl_config->certverifyresult = rc; in Curl_gtls_client_trust_setup()
495 infof(data, "found %d certificates in %s", rc, config->CAfile); in Curl_gtls_client_trust_setup()
498 if(config->CApath) { in Curl_gtls_client_trust_setup()
500 rc = gnutls_certificate_set_x509_trust_dir(gtls->cred, in Curl_gtls_client_trust_setup()
501 config->CApath, in Curl_gtls_client_trust_setup()
505 config->CApath, gnutls_strerror(rc), in Curl_gtls_client_trust_setup()
508 ssl_config->certverifyresult = rc; in Curl_gtls_client_trust_setup()
513 infof(data, "found %d certificates in %s", rc, config->CApath); in Curl_gtls_client_trust_setup()
517 if(config->CRLfile) { in Curl_gtls_client_trust_setup()
519 rc = gnutls_certificate_set_x509_crl_file(gtls->cred, in Curl_gtls_client_trust_setup()
520 config->CRLfile, in Curl_gtls_client_trust_setup()
524 config->CRLfile, gnutls_strerror(rc)); in Curl_gtls_client_trust_setup()
528 infof(data, "found %d CRL in %s", rc, config->CRLfile); in Curl_gtls_client_trust_setup()
531 gtls->trust_setup = TRUE; in Curl_gtls_client_trust_setup()
546 struct ssl_connect_data *connssl = cf->ctx; in gtls_update_session_id()
549 if(ssl_config->primary.sessionid) { in gtls_update_session_id()
573 incache = !(Curl_ssl_getsessionid(cf, data, &connssl->peer, in gtls_update_session_id()
582 result = Curl_ssl_addsessionid(cf, data, &connssl->peer, in gtls_update_session_id()
635 if(config->version == CURL_SSLVERSION_SSLv2) { in gtls_client_init()
636 failf(data, "GnuTLS does not support SSLv2"); in gtls_client_init()
639 else if(config->version == CURL_SSLVERSION_SSLv3) in gtls_client_init()
643 rc = gnutls_certificate_allocate_credentials(>ls->cred); in gtls_client_init()
650 if(config->username && Curl_auth_allowed_to_host(data)) { in gtls_client_init()
651 infof(data, "Using TLS-SRP username: %s", config->username); in gtls_client_init()
653 rc = gnutls_srp_allocate_client_credentials(>ls->srp_client_cred); in gtls_client_init()
660 rc = gnutls_srp_set_client_credentials(gtls->srp_client_cred, in gtls_client_init()
661 config->username, in gtls_client_init()
662 config->password); in gtls_client_init()
671 ssl_config->certverifyresult = 0; in gtls_client_init()
685 rc = gnutls_init(>ls->session, init_flags); in gtls_client_init()
691 if(sni && peer->sni) { in gtls_client_init()
692 if(gnutls_server_name_set(gtls->session, GNUTLS_NAME_DNS, in gtls_client_init()
693 peer->sni, strlen(peer->sni)) < 0) { in gtls_client_init()
700 rc = gnutls_set_default_priority(gtls->session); in gtls_client_init()
704 /* "In GnuTLS 3.6.5, TLS 1.3 is enabled by default" */ in gtls_client_init()
708 * removed if a run-time error indicates that SRP is not supported by this in gtls_client_init()
709 * GnuTLS version */ in gtls_client_init()
711 if(config->version == CURL_SSLVERSION_SSLv2 || in gtls_client_init()
712 config->version == CURL_SSLVERSION_SSLv3) { in gtls_client_init()
713 failf(data, "GnuTLS does not support SSLv2 or SSLv3"); in gtls_client_init()
717 if(config->version == CURL_SSLVERSION_TLSv1_3) { in gtls_client_init()
719 failf(data, "This GnuTLS installation does not support TLS 1.3"); in gtls_client_init()
724 /* At this point we know we have a supported TLS version, so set it */ in gtls_client_init()
732 * GnuTLS will disable TLS 1.3 support. */ in gtls_client_init()
733 if(config->username) { in gtls_client_init()
737 rc = gnutls_priority_set_direct(gtls->session, prioritysrp, &err); in gtls_client_init()
741 infof(data, "This GnuTLS does not support SRP"); in gtls_client_init()
746 infof(data, "GnuTLS ciphers: %s", prioritylist); in gtls_client_init()
747 rc = gnutls_priority_set_direct(gtls->session, prioritylist, &err); in gtls_client_init()
753 failf(data, "Error %d setting GnuTLS cipher list starting with %s", in gtls_client_init()
758 if(config->clientcert) { in gtls_client_init()
759 if(!gtls->trust_setup) { in gtls_client_init()
764 if(ssl_config->key_passwd) { in gtls_client_init()
771 gtls->cred, in gtls_client_init()
772 config->clientcert, in gtls_client_init()
773 ssl_config->key ? ssl_config->key : config->clientcert, in gtls_client_init()
774 do_file_type(ssl_config->cert_type), in gtls_client_init()
775 ssl_config->key_passwd, in gtls_client_init()
779 "error reading X.509 potentially-encrypted key file: %s", in gtls_client_init()
786 gtls->cred, in gtls_client_init()
787 config->clientcert, in gtls_client_init()
788 ssl_config->key ? ssl_config->key : config->clientcert, in gtls_client_init()
789 do_file_type(ssl_config->cert_type) ) != in gtls_client_init()
799 if(config->username) { in gtls_client_init()
800 rc = gnutls_credentials_set(gtls->session, GNUTLS_CRD_SRP, in gtls_client_init()
801 gtls->srp_client_cred); in gtls_client_init()
810 rc = gnutls_credentials_set(gtls->session, GNUTLS_CRD_CERTIFICATE, in gtls_client_init()
811 gtls->cred); in gtls_client_init()
818 if(config->verifystatus) { in gtls_client_init()
819 rc = gnutls_ocsp_status_request_enable_client(gtls->session, in gtls_client_init()
838 return -1; in keylog_callback()
841 Curl_tls_keylog_write(label, crandom.data, secret->data, secret->size); in keylog_callback()
863 gnutls_session_set_ptr(gctx->session, ssl_user_data); in Curl_gtls_ctx_init()
874 gnutls_session_set_keylog_function(gctx->session, keylog_callback); in Curl_gtls_ctx_init()
878 * that gnutls wants and will convert internally back to this very in Curl_gtls_ctx_init()
892 alen -= (size_t)slen + 1; in Curl_gtls_ctx_init()
896 if(i && gnutls_alpn_set_protocols(gctx->session, in Curl_gtls_ctx_init()
906 if(conn_config->sessionid) { in Curl_gtls_ctx_init()
915 rc = gnutls_session_set_data(gctx->session, ssl_sessionid, ssl_idsize); in Curl_gtls_ctx_init()
929 struct ssl_connect_data *connssl = cf->ctx; in gtls_connect_step1()
931 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_connect_step1()
936 DEBUGASSERT(ssl_connect_1 == connssl->connecting_state); in gtls_connect_step1()
938 if(connssl->state == ssl_connection_complete) in gtls_connect_step1()
944 if(connssl->alpn) { in gtls_connect_step1()
945 result = Curl_alpn_to_proto_buf(&proto, connssl->alpn); in gtls_connect_step1()
952 result = Curl_gtls_ctx_init(&backend->gtls, cf, data, &connssl->peer, in gtls_connect_step1()
957 gnutls_handshake_set_hook_function(backend->gtls.session, in gtls_connect_step1()
962 gnutls_transport_set_ptr(backend->gtls.session, cf); in gtls_connect_step1()
963 gnutls_transport_set_push_function(backend->gtls.session, gtls_push); in gtls_connect_step1()
964 gnutls_transport_set_pull_function(backend->gtls.session, gtls_pull); in gtls_connect_step1()
1050 gnutls_protocol_t version = gnutls_protocol_get_version(session); in Curl_gtls_verifyserver() local
1052 long * const certverifyresult = &ssl_config->certverifyresult; in Curl_gtls_verifyserver()
1061 gnutls_protocol_get_name(version), ptr); in Curl_gtls_verifyserver()
1072 if(config->verifypeer || in Curl_gtls_verifyserver()
1073 config->verifyhost || in Curl_gtls_verifyserver()
1074 config->issuercert) { in Curl_gtls_verifyserver()
1076 if(ssl_config->primary.username && !config->verifypeer && in Curl_gtls_verifyserver()
1093 if(data->set.ssl.certinfo && chainp) { in Curl_gtls_verifyserver()
1110 if(config->verifypeer) { in Curl_gtls_verifyserver()
1129 if(config->verifypeer) { in Curl_gtls_verifyserver()
1131 "CRLfile: %s", config->CAfile ? config->CAfile: in Curl_gtls_verifyserver()
1133 ssl_config->primary.CRLfile ? in Curl_gtls_verifyserver()
1134 ssl_config->primary.CRLfile : "none"); in Curl_gtls_verifyserver()
1146 if(config->verifystatus) { in Curl_gtls_verifyserver()
1257 if(config->issuercert) { in Curl_gtls_verifyserver()
1259 issuerp = load_file(config->issuercert); in Curl_gtls_verifyserver()
1266 config->issuercert?config->issuercert:"none"); in Curl_gtls_verifyserver()
1271 config->issuercert?config->issuercert:"none"); in Curl_gtls_verifyserver()
1290 rc = gnutls_x509_crt_check_hostname(x509_cert, peer->hostname); in Curl_gtls_verifyserver()
1303 if(Curl_inet_pton(AF_INET, peer->hostname, addrbuf) > 0) in Curl_gtls_verifyserver()
1306 else if(Curl_inet_pton(AF_INET6, peer->hostname, addrbuf) > 0) in Curl_gtls_verifyserver()
1334 if(config->verifyhost) { in Curl_gtls_verifyserver()
1336 "target host name '%s'", certname, peer->dispname); in Curl_gtls_verifyserver()
1342 certname, peer->dispname); in Curl_gtls_verifyserver()
1347 /* Check for time-based validity */ in Curl_gtls_verifyserver()
1350 if(certclock == (time_t)-1) { in Curl_gtls_verifyserver()
1351 if(config->verifypeer) { in Curl_gtls_verifyserver()
1362 if(config->verifypeer) { in Curl_gtls_verifyserver()
1377 if(certclock == (time_t)-1) { in Curl_gtls_verifyserver()
1378 if(config->verifypeer) { in Curl_gtls_verifyserver()
1389 if(config->verifypeer) { in Curl_gtls_verifyserver()
1413 - subject in Curl_gtls_verifyserver()
1414 - start date in Curl_gtls_verifyserver()
1415 - expire date in Curl_gtls_verifyserver()
1416 - common name in Curl_gtls_verifyserver()
1417 - issuer in Curl_gtls_verifyserver()
1427 /* version of the X.509 certificate. */ in Curl_gtls_verifyserver()
1428 infof(data, " certificate version: #%d", in Curl_gtls_verifyserver()
1466 struct ssl_connect_data *connssl = cf->ctx; in gtls_verifyserver()
1471 data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY]: in gtls_verifyserver()
1472 data->set.str[STRING_SSL_PINNEDPUBLICKEY]; in gtls_verifyserver()
1474 const char *pinned_key = data->set.str[STRING_SSL_PINNEDPUBLICKEY]; in gtls_verifyserver()
1479 &connssl->peer, pinned_key); in gtls_verifyserver()
1483 if(connssl->alpn) { in gtls_verifyserver()
1507 /* We use connssl->connecting_state to keep track of the connection status;
1518 struct ssl_connect_data *connssl = cf->ctx; in gtls_connect_common()
1523 if(ssl_connect_1 == connssl->connecting_state) { in gtls_connect_common()
1539 if(ssl_connect_1 == connssl->connecting_state) { in gtls_connect_common()
1541 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_connect_common()
1544 session = backend->gtls.session; in gtls_connect_common()
1550 connssl->state = ssl_connection_complete; in gtls_connect_common()
1554 *done = ssl_connect_1 == connssl->connecting_state; in gtls_connect_common()
1584 struct ssl_connect_data *ctx = cf->ctx; in gtls_data_pending()
1588 DEBUGASSERT(ctx && ctx->backend); in gtls_data_pending()
1589 backend = (struct gtls_ssl_backend_data *)ctx->backend; in gtls_data_pending()
1590 if(backend->gtls.session && in gtls_data_pending()
1591 0 != gnutls_record_check_pending(backend->gtls.session)) in gtls_data_pending()
1602 struct ssl_connect_data *connssl = cf->ctx; in gtls_send()
1604 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_send()
1609 backend->gtls.io_result = CURLE_OK; in gtls_send()
1610 rc = gnutls_record_send(backend->gtls.session, mem, len); in gtls_send()
1615 (backend->gtls.io_result? backend->gtls.io_result : CURLE_SEND_ERROR); in gtls_send()
1617 rc = -1; in gtls_send()
1626 struct ssl_connect_data *connssl = cf->ctx; in gtls_close()
1628 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_close()
1633 if(backend->gtls.session) { in gtls_close()
1637 (void)gnutls_record_recv(backend->gtls.session, buf, sizeof(buf)); in gtls_close()
1638 gnutls_bye(backend->gtls.session, GNUTLS_SHUT_WR); in gtls_close()
1639 gnutls_deinit(backend->gtls.session); in gtls_close()
1640 backend->gtls.session = NULL; in gtls_close()
1642 if(backend->gtls.cred) { in gtls_close()
1643 gnutls_certificate_free_credentials(backend->gtls.cred); in gtls_close()
1644 backend->gtls.cred = NULL; in gtls_close()
1647 if(backend->gtls.srp_client_cred) { in gtls_close()
1648 gnutls_srp_free_client_credentials(backend->gtls.srp_client_cred); in gtls_close()
1649 backend->gtls.srp_client_cred = NULL; in gtls_close()
1656 * socket open (CCC - Clear Command Channel)
1661 struct ssl_connect_data *connssl = cf->ctx; in gtls_shutdown()
1663 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_shutdown()
1674 if(data->set.ftp_ccc == CURLFTPSSL_CCC_ACTIVE) in gtls_shutdown()
1675 gnutls_bye(backend->gtls.session, GNUTLS_SHUT_WR); in gtls_shutdown()
1678 if(backend->gtls.session) { in gtls_shutdown()
1683 while(!done && !connssl->peer_closed) { in gtls_shutdown()
1689 result = gnutls_record_recv(backend->gtls.session, in gtls_shutdown()
1702 retval = -1; in gtls_shutdown()
1715 retval = -1; in gtls_shutdown()
1719 gnutls_deinit(backend->gtls.session); in gtls_shutdown()
1721 gnutls_certificate_free_credentials(backend->gtls.cred); in gtls_shutdown()
1726 if(ssl_config->primary.username) in gtls_shutdown()
1727 gnutls_srp_free_client_credentials(backend->gtls.srp_client_cred); in gtls_shutdown()
1731 backend->gtls.cred = NULL; in gtls_shutdown()
1732 backend->gtls.session = NULL; in gtls_shutdown()
1743 struct ssl_connect_data *connssl = cf->ctx; in gtls_recv()
1745 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_recv()
1751 backend->gtls.io_result = CURLE_OK; in gtls_recv()
1752 ret = gnutls_record_recv(backend->gtls.session, buf, buffersize); in gtls_recv()
1755 ret = -1; in gtls_recv()
1760 /* BLOCKING call, this is bad but a work-around for now. Fixing this "the in gtls_recv()
1768 ret = -1; in gtls_recv()
1773 failf(data, "GnuTLS recv error (%d): %s", in gtls_recv()
1776 *curlcode = backend->gtls.io_result? in gtls_recv()
1777 backend->gtls.io_result : CURLE_RECV_ERROR; in gtls_recv()
1778 ret = -1; in gtls_recv()
1788 return msnprintf(buffer, size, "GnuTLS/%s", gnutls_check_version(NULL)); in gtls_version()
1822 (struct gtls_ssl_backend_data *)connssl->backend; in gtls_get_internals()
1825 return backend->gtls.session; in gtls_get_internals()
1829 { CURLSSLBACKEND_GNUTLS, "gnutls" }, /* info */
1840 gtls_version, /* version */