• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 #ifndef HEADER_CURL_SSLUSE_H
2 #define HEADER_CURL_SSLUSE_H
3 /***************************************************************************
4  *                                  _   _ ____  _
5  *  Project                     ___| | | |  _ \| |
6  *                             / __| | | | |_) | |
7  *                            | (__| |_| |  _ <| |___
8  *                             \___|\___/|_| \_\_____|
9  *
10  * Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
11  *
12  * This software is licensed as described in the file COPYING, which
13  * you should have received as part of this distribution. The terms
14  * are also available at https://curl.se/docs/copyright.html.
15  *
16  * You may opt to use, copy, modify, merge, publish, distribute and/or sell
17  * copies of the Software, and permit persons to whom the Software is
18  * furnished to do so, under the terms of the COPYING file.
19  *
20  * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
21  * KIND, either express or implied.
22  *
23  * SPDX-License-Identifier: curl
24  *
25  ***************************************************************************/
26 
27 #include "curl_setup.h"
28 
29 #ifdef USE_OPENSSL
30 /*
31  * This header should only be needed to get included by vtls.c, openssl.c
32  * and ngtcp2.c
33  */
34 #include <openssl/opensslv.h>
35 #include <openssl/ossl_typ.h>
36 #include <openssl/ssl.h>
37 
38 #include "urldata.h"
39 
40 /*
41  * Whether SSL_CTX_set_keylog_callback is available.
42  * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287
43  * BoringSSL: supported since d28f59c27bac (committed 2015-11-19)
44  * LibreSSL: not supported. 3.5.0+ has a stub function that does nothing.
45  */
46 #if (OPENSSL_VERSION_NUMBER >= 0x10101000L && \
47      !defined(LIBRESSL_VERSION_NUMBER)) || \
48     defined(OPENSSL_IS_BORINGSSL)
49 #define HAVE_KEYLOG_CALLBACK
50 #endif
51 
52 struct ssl_peer;
53 
54 /* Struct to hold a curl OpenSSL instance */
55 struct ossl_ctx {
56   /* these ones requires specific SSL-types */
57   SSL_CTX* ssl_ctx;
58   SSL*     ssl;
59   X509*    server_cert;
60   BIO_METHOD *bio_method;
61   CURLcode io_result;       /* result of last BIO cfilter operation */
62 #ifndef HAVE_KEYLOG_CALLBACK
63   /* Set to true once a valid keylog entry has been created to avoid dupes.
64      This is a bool and not a bitfield because it is passed by address. */
65   bool keylog_done;
66 #endif
67   BIT(x509_store_setup);            /* x509 store has been set up */
68   BIT(reused_session);              /* session-ID was reused for this */
69 };
70 
71 size_t Curl_ossl_version(char *buffer, size_t size);
72 
73 typedef CURLcode Curl_ossl_ctx_setup_cb(struct Curl_cfilter *cf,
74                                         struct Curl_easy *data,
75                                         void *user_data);
76 
77 typedef int Curl_ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid);
78 
79 CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx,
80                             struct Curl_cfilter *cf,
81                             struct Curl_easy *data,
82                             struct ssl_peer *peer,
83                             const unsigned char *alpn, size_t alpn_len,
84                             Curl_ossl_ctx_setup_cb *cb_setup,
85                             void *cb_user_data,
86                             Curl_ossl_new_session_cb *cb_new_session,
87                             void *ssl_user_data);
88 
89 #if (OPENSSL_VERSION_NUMBER < 0x30000000L)
90 #define SSL_get1_peer_certificate SSL_get_peer_certificate
91 #endif
92 
93 extern const struct Curl_ssl Curl_ssl_openssl;
94 
95 /**
96  * Setup the OpenSSL X509_STORE in `ssl_ctx` for the cfilter `cf` and
97  * easy handle `data`. Will allow reuse of a shared cache if suitable
98  * and configured.
99  */
100 CURLcode Curl_ssl_setup_x509_store(struct Curl_cfilter *cf,
101                                    struct Curl_easy *data,
102                                    SSL_CTX *ssl_ctx);
103 
104 CURLcode Curl_ossl_ctx_configure(struct Curl_cfilter *cf,
105                                  struct Curl_easy *data,
106                                  SSL_CTX *ssl_ctx);
107 
108 /*
109  * Add a new session to the cache. Takes ownership of the session.
110  */
111 CURLcode Curl_ossl_add_session(struct Curl_cfilter *cf,
112                                struct Curl_easy *data,
113                                const char *ssl_peer_key,
114                                SSL_SESSION *ssl_sessionid,
115                                int ietf_tls_id,
116                                const char *alpn);
117 
118 /*
119  * Get the server cert, verify it and show it, etc., only call failf() if
120  * ssl config verifypeer or -host is set. Otherwise all this is for
121  * informational purposes only!
122  */
123 CURLcode Curl_oss_check_peer_cert(struct Curl_cfilter *cf,
124                                   struct Curl_easy *data,
125                                   struct ossl_ctx *octx,
126                                   struct ssl_peer *peer);
127 
128 #endif /* USE_OPENSSL */
129 #endif /* HEADER_CURL_SSLUSE_H */
130